
Microsoft Intune documentation

Official product documentation for Microsoft Intune

Overview
  What is Intune?
  What's new in Intune
  Features in development
  Microsoft Intune Suite add-ons

Get started with Microsoft Intune

Learn about Microsoft Intune, try and evaluate its features, plan your deployment, and deploy Intune.

Learn
  Microsoft Intune overview
  What is device management?
  Intune fundamentals Learning Path

Try and evaluate
  Walkthrough Microsoft Intune admin center
  Evaluate and try Intune tasks

Plan
  Microsoft Intune planning guide
  Supported operating systems and browsers
  Intune endpoints
  Recommended levels of protection and configuration

Deploy
  Migrate: Set up or move to Intune
  Deploy: Steps to deploy Intune

How-to guides: Guides to help you perform common tasks in Intune.
Platform and industry guides: Guides that consolidate information specific to a platform or industry.
Related services: Resources to find information about related services, such as Microsoft 365.
Intune community resources: Resources to help you connect with the Intune community.

How-to guides

Set up Intune subscription
  Sign up or sign in to Microsoft Intune
  Intune licensing
  Role-based access control
  Browse all Intune subscription articles

Manage apps
  App management overview
  Add apps to Intune
  App configuration policies
  Browse all manage apps articles

App protection policies
  App protection policies overview
  Create app protection policies
  Monitor app protection policies
  Browse all app protection policies articles

Configure security for endpoints
  Manage device security with endpoint security policies
  Use Mobile Threat Defense software with Intune
  Deploy security baselines to your Windows devices
  Browse all articles for endpoint security

Use compliance rules to protect data and devices
  Create and deploy compliance policies
  Use custom compliance settings for Linux and Windows
  Enforce compliance with Conditional Access
  Browse all articles for compliance policies

Control device features and settings
  Create a device configuration policy
  Analyze your on-premises GPOs with Intune
  Learn more about the settings catalog
  Browse all device configuration articles

Assign and deploy policies
  Assign policies in Intune
  Use filters when assigning apps, policies, and profiles
  Use policy sets to group collections of management objects
  Browse all articles in this area

Enroll devices
  Device enrollment overview
  Get started with iOS/iPadOS enrollment
  Device enrollment restrictions overview
  Browse all articles in this area

Initiate remote actions
  Remote actions overview
  Send custom notifications
  Remove devices
  Browse all articles in this area

View reports and monitor status
  Intune reports
  Use audit logs to track and monitor events
  Endpoint analytics docs
  Browse all reporting and monitoring articles

Microsoft Intune Suite add-ons
  Use Intune Suite add-on capabilities
  Remote help
  Microsoft Tunnel for Mobile Application Management

Developer guidance
  Access the Intune APIs in Microsoft Graph
  Use PowerShell cmdlets to automate actions
  Use the Microsoft Intune Data Warehouse
  Browse all developer articles

Privacy and personal data
  Privacy and personal data in Intune
  Data collection in Intune
  Data storage and processing in Intune
  Browse all privacy and personal data articles

Get help and support
  How to get support for Microsoft Intune?
  Help users troubleshoot problems
  Use audit logs to track and monitor events
  Browse all help and support articles

Troubleshoot
  Troubleshoot device enrollment
  Troubleshoot app installation issues
  Troubleshoot policies and profiles in Intune
  Browse all troubleshooting articles

Platform and industry guides

Platform guides
  Manage Windows 10/11 devices
  Manage Android devices
  Manage iOS/iPadOS devices
  Browse all platform guides

Education
  What is Intune for Education?
  Microsoft Intune for Education docs

Government
  Intune US Government service description
  US government endpoints for Intune

Related services

Azure Active Directory: Azure Active Directory (Azure AD) is a cloud-based identity and access management service.
Windows client docs for IT Pros: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11.
Windows 365 docs: Windows 365 is a cloud-based service that automatically creates a new type of Windows virtual machine (Cloud PCs) f…
Windows Autopatch docs: Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge…
Microsoft Defender for Endpoint: Microsoft Defender for Endpoint delivers preventative protection, post-breach detection, automated…

Intune community resources

Microsoft Q & A - Microsoft Intune: The home for technical questions and answers at Microsoft.
Intune tech community conversations: Check out active conversations from the technical community.
Feedback for Intune: Share product ideas with the engineering team.
#Intune on Twitter: Stay current with the active Twitter community.
Intune Customer Success: Get help on the Intune Customer Success site.

Have feedback or want to contribute to docs? See this resource!

Microsoft Intune securely manages identities, manages apps, and manages devices
Article • 04/03/2023

As organizations move to support hybrid and remote workforces, they're challenged with managing the different devices that access organization resources. Employees and students need to collaborate, work from anywhere, and securely access and connect to these resources. Admins need to protect organization data, manage end user access, and support users from wherever they work.

To help with these challenges and tasks, use Microsoft Intune.


Microsoft Intune is a cloud-based endpoint management solution. It manages user
access and simplifies app and device management across your many devices, including
mobile devices, desktop computers, and virtual endpoints.

You can protect access and data on organization-owned devices and on users' personal devices. Intune also has compliance and reporting features that support the Zero Trust security model.

This article lists some features and benefits of Microsoft Intune.

Tip

To get Intune, go to Licenses available for Microsoft Intune and Intune 30-day trial.
For more information on what it means to be cloud-native, go to Learn more about cloud-native endpoints.

Key features and benefits


Some key features and benefits of Intune include:

You can manage users and devices, including devices owned by your organization
and personally owned devices. Microsoft Intune supports Android, Android Open
Source Project (AOSP), iOS/iPadOS, macOS, and Windows client devices. With
Intune, you can use these devices to securely access organization resources with
policies you create.

For more information, go to:

Manage identities using Microsoft Intune
Manage devices using Microsoft Intune

Note

If you manage on-premises Windows Server, you can use Configuration Manager.

Intune simplifies app management with a built-in app experience, including app
deployment, updates, and removal. You can connect to and distribute apps from
your private app stores, enable Microsoft 365 apps, deploy Win32 apps, create app
protection policies, and manage access to apps and their data.
For more information, go to Manage apps using Microsoft Intune.

Intune automates policy deployment for apps, security, device configuration, compliance, conditional access, and more. When the policies are ready, you can deploy these policies to your user groups and device groups. To receive these policies, the devices only need internet access.

Employees and students can use the self-service features in the Company Portal
app to reset a PIN/password, install apps, join groups, and more. You can
customize the Company Portal app to help reduce support calls.

For more information, go to Configure the Intune Company Portal apps, Company
Portal website, and Intune app.

Intune integrates with mobile threat defense services, including Microsoft Defender for Endpoint and third party partner services. With these services, the focus is on endpoint security, and you can create policies that respond to threats, do real-time risk analysis, and automate remediation.

For more information, go to Mobile Threat Defense integration with Intune.

You use a web-based admin center that focuses on endpoint management, including data-driven reporting. Admins can sign into the Intune admin center from any device that has internet access.

For more information, go to Walkthrough the Intune admin center. To sign in to the admin center, go to Microsoft Intune admin center.

This admin center uses Microsoft Graph REST APIs to programmatically access the
Intune service. Every action in the admin center is a Microsoft Graph call. If you’re
not familiar with Graph, and want to learn more, go to Graph integrates with
Microsoft Intune.
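Because every admin-center action is a Graph call, the same data the console shows can be read by a script. The following is an added example, not code from the Intune documentation or from Microsoft: it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest) with read-only scopes to list the tenant's compliance policies and summarize per-device compliance state from the v1.0 deviceManagement endpoints. The Get-GraphCollection helper name, the selected properties, and the seven-day "silent device" threshold are the example's own assumptions.

```powershell
# Added example, not Microsoft's code. Reads Intune compliance data through Microsoft Graph
# using the Microsoft.Graph PowerShell SDK (Connect-MgGraph / Invoke-MgGraphRequest).
# Assumptions: the SDK is installed, the signed-in account may consent to the two read-only
# scopes below, and a 7-day sync threshold is a sensible staleness cut-off (tune as needed).

# Read-only scopes only: a reporting script should not be able to change policy.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All", "DeviceManagementManagedDevices.Read.All"

# Graph returns large collections in pages; follow @odata.nextLink until the collection is complete.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

$base = "https://graph.microsoft.com/v1.0/deviceManagement"

# 1. The compliance policies defined in the tenant (the same objects the admin center lists).
$policies = Get-GraphCollection -Uri "$base/deviceCompliancePolicies?`$select=id,displayName,lastModifiedDateTime"
Write-Host "Compliance policies defined: $($policies.Count)"
foreach ($p in $policies) {
    Write-Host ("  {0}  (last modified {1})" -f $p.displayName, $p.lastModifiedDateTime)
}

# 2. Managed devices, selecting only the properties this report needs.
$devices = Get-GraphCollection -Uri "$base/managedDevices?`$select=id,deviceName,operatingSystem,complianceState,lastSyncDateTime"

# Compliance state summary. complianceState is a managedDevice property whose values include
# 'compliant', 'noncompliant', 'inGracePeriod' and 'unknown'.
$devices | Group-Object -Property complianceState | Sort-Object Count -Descending |
    ForEach-Object { Write-Host ("{0,-16} {1,6}" -f $_.Name, $_.Count) }

# 3. Triage list: non-compliant devices that have not checked in for a week. If you enforce
#    compliance with Conditional Access such a device is already blocked, but it may still hold
#    organization data, so it is the first candidate for a retire/wipe action or a follow-up.
$cutoff = (Get-Date).AddDays(-7)
$stale = $devices | Where-Object {
    $_.complianceState -eq 'noncompliant' -and
    $_.lastSyncDateTime -and ([datetime]$_.lastSyncDateTime -lt $cutoff)
}
Write-Host "Non-compliant devices silent for 7+ days: $(@($stale).Count)"
$stale | Select-Object deviceName, operatingSystem, lastSyncDateTime | Format-Table -AutoSize

Disconnect-MgGraph
```

Run it in a PowerShell session where the Microsoft.Graph modules are installed; the first call opens an interactive sign-in and consent prompt for the two scopes. Keeping the scopes read-only means the script can be handed to a reporting or SOC role without granting that role the ability to alter compliance policy.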

Integrates with other Microsoft services and apps

Microsoft Intune integrates with other Microsoft products and services that focus on endpoint management, including:

Configuration Manager for on-premises endpoint management and Windows Server, including deploying software updates and managing data centers

You can use Intune and Configuration Manager together in a co-management scenario, use tenant attach, or use both. With these options, you get the benefits of the web-based admin center and can use other cloud-based features available in Intune.

For more specific information, go to:

What is co-management
Frequently asked questions about co-management
How to enable tenant attach

Windows Autopilot for modern OS deployment and provisioning

With Windows Autopilot, you can provision new devices and send these devices
directly to users from an OEM or device provider. For existing devices, you can
reimage these devices to use Windows Autopilot and deploy the latest Windows
version.

For more specific information, go to:

Windows Autopilot overview
Windows Autopilot deployment for existing devices

Endpoint analytics for visibility and reporting on end user experiences, including
device performance and reliability

You can use Endpoint analytics to help identify policies or hardware issues that
slow down devices. It also provides guidance that can help you proactively
improve end user experiences and reduce help desk tickets.

For more specific information, go to:

What is Endpoint analytics
Enroll Intune devices into Endpoint analytics

Microsoft 365 for end user productivity, with Office apps including Outlook, Teams, SharePoint, OneDrive, and more

Using Intune, you can deploy Microsoft 365 apps to users and devices in your
organization. You can also deploy these apps when users sign in for the first time.

For more specific information, go to:

Add Microsoft 365 Apps to Windows 10/11 devices with Microsoft Intune
Microsoft 365 docs: Manage devices with Intune

Microsoft Defender for Endpoint to help enterprises prevent, detect, investigate, and respond to threats

In Intune, you can create a service-to-service connection between Intune and
Microsoft Defender for Endpoint. When they're connected, you can create policies
that scan files, detect threats, and report threat levels to Microsoft Defender for
Endpoint. You can also create compliance policies that set an allowable level of
risk. When combined with conditional access, you can block access to organization
resources for devices that are noncompliant.

For more specific information, go to:

Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune
Configure Microsoft Defender for Endpoint in Intune

Windows Autopatch for automatic patching of Windows, Microsoft 365 apps for enterprise, Microsoft Edge, and Microsoft Teams

Windows Autopatch is a cloud-based service. It keeps software current, gives users the latest productivity tools, minimizes on-premises infrastructure, and helps free up your IT admins to focus on other projects. Windows Autopatch uses Microsoft Intune to manage patching for Intune-enrolled devices or devices using co-management (Intune + Configuration Manager).

For more specific information, go to:

What is Windows Autopatch?
Frequently Asked Questions about Windows Autopatch

Integrates with third party partner devices and apps

The Intune admin center makes it easy to connect to different partner services, including:

Managed Google Play: When you connect to your Managed Google Play account,
admins can access your organization's private store for Android apps, and deploy
these apps to your devices.

For more information, go to Add Managed Google Play apps to Android Enterprise
devices with Intune.

Apple tokens and certificates: When they're added, your iOS/iPadOS and macOS devices can enroll in Intune and receive policies from Intune. Admins can access your volume purchased iOS/iPad and macOS app licenses, and deploy these apps to your devices.

For more information, go to:

Get an Apple MDM push certificate
Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment
Manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune

TeamViewer: When you connect to your TeamViewer account, you can use
TeamViewer to remotely assist devices.

For more information, go to Use TeamViewer to remotely administer Intune devices.

With these services, Intune:

Gives admins simplified access to third party partner app services.
Can manage hundreds of third party partner apps.
Supports public retail store apps, line of business (LOB) apps, private apps not available in the public store, custom apps, and more.

For more platform-specific requirements to enroll third party partner devices in Intune, go to:

Deployment guide: Enroll Android devices in Microsoft Intune
Deployment guide: Enroll iOS and iPadOS devices in Microsoft Intune
Deployment guide: Enroll Linux devices in Microsoft Intune
Deployment guide: Enroll macOS devices in Microsoft Intune

Enroll in device management, application management, or both

Organization-owned devices are enrolled in Intune for mobile device management
(MDM). MDM is device centric, so device features are configured based on who needs
them. For example, you can configure a device to allow access to Wi-Fi, but only if the
signed-in user is an organization account.

In Intune, you create policies that configure features & settings and provide security &
protection. The devices are fully managed by your organization, including the user
identities that sign in, the apps that are installed, and the data that's accessed.

When devices enroll, you can deploy your policies during the enrollment process. When enrollment completes, the device is ready to use.

For personal devices in bring-your-own-device (BYOD) scenarios, you can use Intune for mobile application management (MAM). MAM is user centric, so the app data is protected regardless of the device used to access this data. There's a focus on apps, including securely accessing apps and protecting data within the apps.

With MAM, you can:

Publish mobile apps to users.
Configure apps and automatically update apps.
View data reports that focus on app inventory and app usage.

You can also use MDM and MAM together. If your devices are enrolled and there are
apps that need extra security, then you can also use MAM app protection policies.

For more information, go to:

What is device enrollment in Intune?
App protection policies overview
Create and assign app protection policies

Protect data on any device


With Intune, you can protect data on managed devices (enrolled in Intune) and protect
data on unmanaged devices (not enrolled in Intune). Intune can isolate organization
data from personal data. The idea is to protect your company information by controlling
the way users access and share information.

For organization-owned devices, you want full control over the devices, especially
security. When devices enroll, they receive your security rules and settings.

On devices enrolled in Intune, you can:

Create and deploy policies that configure security settings, set password
requirements, deploy certificates, and more.
Use mobile threat defense services to scan devices, detect threats, and remediate
threats.
View data and reports that measure compliance with your security settings and
rules.
Use conditional access to only allow managed and compliant devices access to
organization resources, apps, and data.
Remove organization data if a device is lost or stolen.

For personal devices, users might not want their IT admins to have full control. To
support a hybrid work environment, give users options. For example, users enroll their
devices if they want full access to your organization's resources. Or, if these users only
want access to Outlook or Microsoft Teams, then use app protection policies that
require multi-factor authentication (MFA).

On devices using application management, you can:

Use mobile threat defense services to protect app data by scanning devices,
detecting threats, and assessing risk.
Prevent organization data from being copied and pasted into personal apps.
Use app protection policies on apps and on unmanaged devices enrolled in a third
party or partner MDM.
Use conditional access to restrict the apps that can access organization email and
files.
Remove organization data within apps.

For more information, go to:

Protect data and devices with Microsoft Intune
Mobile Threat Defense integration with Intune

Simplify access

Intune helps organizations support employees who can work from anywhere. There are features you can configure that allow users to connect to an organization, wherever they might be.

This section includes some common features that you can configure in Intune.

Use Windows Hello for Business instead of passwords

Windows Hello for Business helps protect against phishing attacks and other security threats. It also helps users sign in to their devices and apps more quickly and easily.

Windows Hello for Business replaces passwords with a PIN or biometrics, such as a fingerprint or facial recognition. This biometric information is stored locally on the device and is never sent to external devices or servers.

For more information, go to:

Windows Hello for Business Overview
Manage Windows Hello for Business on devices when they enroll in Intune
Manage identities using Microsoft Intune

Create a VPN connection for remote users

VPN policies give users secure remote access to your organization network.

Using common VPN connection partners, including Check Point, Cisco, Microsoft
Tunnel, NetMotion, Pulse Secure, and more, you can create a VPN policy with your
network settings. When the policy is ready, you deploy this policy to your users and
devices that need to connect to your network remotely.

In the VPN policy, you can use certificates to authenticate the VPN connection. When
you use certificates, your end users don't need to enter usernames and passwords.

For more information, go to:

Create VPN profiles to connect to VPN servers in Intune
Use certificates for authentication in Microsoft Intune
Microsoft Tunnel for Microsoft Intune

Create a Wi-Fi connection for on-premises users


For users who need to connect to your organization network on-premises, you can
create a Wi-Fi policy with your network settings. You can connect to a specific SSID,
select an authentication method, use a proxy, and more. You can also configure the
policy to automatically connect to Wi-Fi when the device is in range.

In the Wi-Fi policy, you can use certificates to authenticate the Wi-Fi connection. When
you use certificates, your end users don't need to enter usernames and passwords.

When the policy is ready, you deploy this policy to your on-premises users and devices
that need to connect to your on-premises network.

For more information, go to:

Create Wi-Fi policy to connect to Wi-Fi networks in Intune
Use certificates for authentication in Microsoft Intune

Enable single sign-on (SSO) to your apps and services


When you enable SSO, users can automatically sign in to apps and services using their
Azure AD organization account, including some mobile threat defense partner apps.

Specifically:

On Windows devices, SSO is automatically built in and used to sign in to apps and websites that use Azure AD for authentication, including Microsoft 365 apps. You can also enable SSO on VPN and Wi-Fi policies.

On iOS/iPadOS and macOS devices, you can use the Microsoft Enterprise SSO
plug-in to automatically sign in to apps and websites that use Azure Active
Directory (AD) for authentication, including Microsoft 365 apps.

On Android devices, you can use the Microsoft Authentication Library (MSAL) to
enable SSO to Android apps.

For more information, go to:

How SSO to on-premises resources works on Azure AD joined devices
Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS and macOS devices in Microsoft Intune
Enable cross-app SSO on Android using MSAL

Next steps

Manage identities using Microsoft Intune
Manage devices using Microsoft Intune
Manage apps using Microsoft Intune

Manage user and group identities in Microsoft Intune
Article • 04/03/2023

Managing and protecting user identities is a significant part of any endpoint management strategy and solution. Identity management includes the user accounts and groups that access your organization resources.

Admins have to manage account membership, authorize and authenticate access to resources, manage settings that affect user identities, and secure and protect the identities from malicious intent.

Microsoft Intune can do all these tasks, and more. Intune is a cloud-based service that
can manage user identities through policy, including security and authentication
policies. For more information on Intune and its benefits, go to What is Microsoft
Intune?.

From a service perspective, Intune uses Azure Active Directory (AD) for identity storage
and permissions. Using the Microsoft Intune admin center, you can manage these tasks
in a central location designed for endpoint management.

This article discusses concepts and features you should consider when managing your
identities.

Use your existing users and groups


A large part of managing endpoints is managing users and groups. If you have existing
users and groups or will create new users and groups, Intune can help.

In on-premises environments, user accounts and groups are created and managed in
on-premises Active Directory. You can update these users and groups using any domain
controller in the domain.

It's a similar concept in Intune.

The Intune admin center includes a central location to manage users and groups. The
admin center is web-based and can be accessed from any device that has an internet
connection. Admins just need to sign into the admin center with their Intune
administrator account.

An important decision is to determine how to get the user accounts and groups into
Intune. Your options:

If you currently use Microsoft 365 and have your users and groups in the
Microsoft 365 admin center, then these users and groups are also available in the
Intune admin center.

Azure AD and Intune use a "tenant", which is your organization, such as Contoso or
Microsoft. If you have multiple tenants, sign into the Intune admin center in the
same Microsoft 365 tenant as your existing users and groups. Your users and
groups will automatically be shown and available.

For more information on what a tenant is, go to Quickstart: Set up a tenant.

If you currently use on-premises Active Directory, then you can use Azure AD
Connect to synchronize your on-premises AD accounts to Azure AD. When these
accounts are in Azure AD, then they're also available in the Intune admin center.

For more specific information, go to What is Azure AD Connect sync?.

You can also import existing users and groups from a CSV file into the Intune
admin center, or create the users and groups from scratch. When adding groups,
you can add users and devices to these groups to organize them by location,
department, hardware, and more.

For more information on group management in Intune, go to Add groups to organize users and devices.

By default, Intune automatically creates the All users and All devices groups. When your
users and groups are available to Intune, then you can assign your policies to these
users and groups.

Move from machine accounts

When a Windows endpoint, like a Windows 10/11 device, joins an on-premises Active
Directory (AD) domain, a computer account is automatically created. The
computer/machine account can be used to authenticate on-premises programs,
services, and apps.

These machine accounts are local to the on-premises environment and can't be used on
devices that are joined to Azure AD. In this situation, you need to switch to user-based
authentication to authenticate to on-premises programs, services, and apps.

For more information and guidance, go to Known issues and limitations with cloud-native endpoints.

Roles and permissions control access

For the different types of admin tasks, Intune uses role-based access control (RBAC). The roles you assign determine the resources an admin can access in the Intune admin center, and what they can do with those resources. There are some built-in roles focused on endpoint management, such as Application Manager, Policy and Profile Manager, and more.

Since Intune uses Azure AD, you also have access to the built-in Azure AD roles, such as
Global Administrator and Intune Service Administrator.

Each role has its own create, read, update, or delete permissions as needed. You can also create custom roles if your admins need a specific permission. When you add or create your administrator users and groups, you can assign these accounts to the different roles. The Intune admin center has this information in a central location, where it can be easily updated.

For more information, go to Role-based access control (RBAC) with Microsoft Intune.
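Because roles in Intune are assigned to groups, a least-privilege review means walking each role definition to its assignments and then to the member groups. The script below is an added example, not code from the Intune documentation or from Microsoft: it uses the Microsoft Graph PowerShell SDK with the read-only scopes DeviceManagementRBAC.Read.All and Group.Read.All, and it assumes the v1.0 navigation deviceManagement/roleDefinitions/{id}/roleAssignments returns assignments whose members property holds security-group object ids (verify that shape in your tenant). The Get-GraphValue helper name is the example's own. Azure AD directory roles such as Global Administrator and Intune Service Administrator are assigned outside this endpoint and are not listed.

```powershell
# Added example, not Microsoft's code. Lists Intune RBAC roles, their assignments and the
# member groups behind them, for a least-privilege review of who can administer what.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the account may consent to the
# read-only scopes below; roleDefinitions/{id}/roleAssignments returns assignments whose
# 'members' property holds security-group object ids. Azure AD directory roles are not shown.

Connect-MgGraph -Scopes "DeviceManagementRBAC.Read.All", "Group.Read.All"
$graph = "https://graph.microsoft.com/v1.0"

function Get-GraphValue {
    # Single-page read: role definitions and assignments are small collections.
    param([Parameter(Mandatory)][string]$Uri)
    (Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject).value
}

$roles = Get-GraphValue -Uri "$graph/deviceManagement/roleDefinitions?`$select=id,displayName,isBuiltIn"
$groupNames = @{}   # cache: group object id -> displayName, so each group is resolved once

$report = foreach ($role in $roles) {
    $assignments = Get-GraphValue -Uri "$graph/deviceManagement/roleDefinitions/$($role.id)/roleAssignments"
    foreach ($assignment in $assignments) {
        # 'members' is the list of security-group ids the assignment applies to (assumed shape).
        foreach ($groupId in $assignment.members) {
            if (-not $groupNames.ContainsKey($groupId)) {
                $g = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$($groupId)?`$select=displayName" -OutputType PSObject
                $groupNames[$groupId] = $g.displayName
            }
            [pscustomobject]@{
                Role       = $role.displayName
                BuiltIn    = $role.isBuiltIn
                Assignment = $assignment.displayName
                Group      = $groupNames[$groupId]
                GroupId    = $groupId
            }
        }
    }
}

# Full picture: one row per (role, assignment, group).
$report | Sort-Object Role, Group | Format-Table -AutoSize

# Reviewer's shortlist: custom roles carry hand-picked permissions, so every assignment of one
# needs a named owner and a justification; built-in roles have documented, fixed permission sets.
$custom = $report | Where-Object { -not $_.BuiltIn }
Write-Host "Assignments of custom (non built-in) roles: $(@($custom).Count)"
$custom | Format-Table Role, Assignment, Group -AutoSize

Disconnect-MgGraph
```

The output is the same information the admin center shows under Tenant administration > Roles, but in a form that can be diffed against last month's run, which is how drift in administrative access is usually caught.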

Create user affinity when devices enroll


When users sign into their devices the first time, the device becomes associated with
that user. This feature is called user affinity.

Any policies assigned or deployed to the user identity go with the user to all of their
devices. When a user is associated with the device, they can access their email accounts,
their files, their apps, and more.

When you don't associate a user with a device, the device is considered user-less. This scenario is common for kiosk devices dedicated to a specific task and devices that are shared with multiple users.

In Intune, you can create policies for both scenarios on Android, iOS/iPadOS, macOS, and Windows. When getting ready to manage these devices, be sure you know the intended purpose of the device. This information helps in the decision-making process when devices are being enrolled.

For more specific information, go to the enrollment guides for your platforms:

Deployment guide: Enroll Android devices in Microsoft Intune
Deployment guide: Enroll iOS and iPadOS devices in Microsoft Intune
Deployment guide: Enroll macOS devices in Microsoft Intune
Deployment guide: Enroll Windows devices in Microsoft Intune

Assign policies to users and groups


On-premises, you work with domain accounts and local accounts, and then deploy group policies and permissions to these accounts at the local, site, domain, or OU level (LSDOU). An OU policy overrides a domain policy, a domain policy overrides a site policy, and so on.

Intune is cloud-based. Policies created in Intune include settings that control device
features, security rules, and more. These policies are assigned to your users and groups.
There isn't a traditional hierarchy like LSDOU.

The settings catalog in Intune includes thousands of settings to manage iOS/iPadOS, macOS, and Windows devices. If you currently use on-premises Group Policy Objects (GPOs), then using the settings catalog is a natural transition to cloud-based policies.

For more information on policies in Intune, go to:

Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS
devices
Common questions and answers with device policies and profiles in Microsoft
Intune

Secure your user identities


Your user and group accounts access organization resources. You need to keep these
identities secure and prevent malicious access to the identities. Here are some things to
consider:

Windows Hello for Business replaces username and password sign-in and is part
of a password-less strategy.

Passwords are entered on a device and then transmitted over the network to the
server. They can be intercepted and used by anyone and anywhere. A server
breach can reveal stored credentials.

With Windows Hello for Business, users sign in and authenticate with a PIN or
biometric, such as facial and fingerprint recognition. This information is stored
locally on the device and isn't sent to external devices or servers.

When Windows Hello for Business is deployed to your environment, you can use Intune to create Windows Hello for Business policies for your devices. These policies can configure PIN settings, allow biometric authentication, use security keys, and more.

For more information, go to:

Windows Hello for Business Overview
Manage Windows Hello for Business on devices when devices enroll with Intune
Use identity protection profiles to manage Windows Hello for Business in Microsoft Intune

Certificate-based authentication is also a part of a password-less strategy. You can use certificates to authenticate your users to applications and organization resources through a VPN, a Wi-Fi connection, or email profiles. With certificates, users don't need to enter usernames and passwords, which makes access to these resources easier.

For more information, go to Use certificates for authentication in Microsoft Intune.

Multi-factor authentication (MFA) is a feature available with Azure AD. For users
to successfully authenticate, at least two different verification methods are
required. When MFA is deployed to your environment, you can also require MFA
when devices are enrolling into Intune.

For more information, go to:

Plan an Azure Active Directory Multi-Factor Authentication deployment
Require multi-factor authentication for Intune device enrollments

Zero Trust verifies all endpoints, including devices and apps. The idea is to help
keep organization data in the organization, and prevent data leaks from accidental
or malicious intent. It includes different feature areas, including Windows Hello for
Business, using MFA, and more.

For more information, see Zero Trust with Microsoft Intune.

Next steps

Manage devices
Manage apps

Manage your devices and control device features in Microsoft Intune
Article • 04/19/2023

Managing devices is a significant part of any endpoint management strategy and solution. Organizations have to manage laptops, tablets, mobile phones, wearables, and more. It can be a large task, especially if you're not sure where to start.

Enter Microsoft Intune. Intune is a cloud-based service that can control devices through
policy, including security policies. For more information on Intune and its benefits, go to
What is Microsoft Intune?.

The goal of any organization that's managing devices is to secure devices and the data
they access. This task includes organization owned devices and personally owned
devices that access your organization resources.

From a service perspective, Intune uses Azure Active Directory (AD) for device storage
and permissions. Using the Microsoft Intune admin center, you can manage device tasks
and policies in a central location designed for endpoint management.

This article discusses concepts and features you should consider when managing your
devices.

Manage organization owned and personal devices

Many organizations allow personally owned devices to access organization resources,
including email, meetings, and so on. There are different options available and these
options depend on how strict your organization is.

You can require personal devices be enrolled in your organization's device management
services. On these personal devices, your admins can deploy policies, set rules, configure
device features, and more. Or, you can use app protection policies that focus on
protecting app data, such as Outlook, Teams, and Sharepoint. You can also use a
combination of device enrollment and app protection policies.

For organization owned devices, they should be fully managed by your organization,
and receive policies that enforce rules and protect data.

For more information and guidance, go to:

Microsoft Intune planning guide
Deployment guide: Setup or move to Microsoft Intune

Use your existing devices and use new devices

You can manage new devices and existing devices. Intune supports Android,
iOS/iPadOS, Linux, macOS, and Windows devices.

There are some things you should know. For example, if existing devices are managed
by another MDM provider, they may need to be factory reset. If the devices are using an
older OS version, they may not be supported.

If your organization is investing in new devices, then it's recommended to start with a
cloud approach using Intune.

For more information and guidance, go to:

Microsoft Intune planning guide
Deployment guide: Setup or move to Microsoft Intune

For more specific information by platform, go to:

Android platform deployment guide
iOS/iPadOS platform deployment guide
Linux enrollment deployment guide
macOS platform deployment guide
Windows enrollment deployment guide

Check the compliance health of your devices

Device compliance is a significant part of managing devices. Your organization will want
to set password/PIN rules and check for security features on these devices. You'll want
to know which devices don't meet your rules. This task is where compliance comes in.

You can create compliance policies that block simple passwords, require a firewall, set
the minimum OS version, and more. You can use these policies and built-in reporting to
see noncompliant devices and see the noncompliant settings on these devices. This
information gives you an idea of the overall health of the devices accessing your
organization resources.

Conditional Access is a feature of Azure AD. With Conditional Access, you can enforce
compliance. For example, if a device doesn't meet your compliance rules, then you can
block access to organization resources, including Outlook, SharePoint, Teams, and more.
Conditional Access helps your organization secure your data and protect your devices.

For more information, go to:

Use compliance policies to set rules for devices you manage
Monitor results of your device compliance policies
Learn about Conditional Access and Intune
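The compliance-to-Conditional-Access flow described above, as an added Go example that is not part of the Intune documentation or product: it evaluates a few constructed device inventory records against the three rules the article names (minimum OS version, firewall required, simple passwords blocked), lists each device's noncompliant settings the way the built-in compliance report does, and turns the result into the grant/block decision that a "require compliant device" Conditional Access rule makes. The Device and CompliancePolicy types, their field names, and the sample records are assumptions for illustration, not Intune's schema. It also shows the one check that is easy to get wrong: OS versions must be compared field by field as numbers, since a string comparison ranks "6.3.9600" above "10.0.19045".

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Device is a constructed inventory record; the field names are an assumption
// for this example, not Intune's device schema.
type Device struct {
	Name            string
	OSVersion       string
	FirewallEnabled bool
	SimplePassword  bool // true when the device allows a simple PIN such as 1234
}

// CompliancePolicy holds the three rules the article names.
type CompliancePolicy struct {
	MinOSVersion         string
	RequireFirewall      bool
	BlockSimplePasswords bool
}

// compareVersions compares dotted numeric versions field by field and returns
// -1, 0 or 1. A plain string comparison gets this wrong: "6.3.9600" sorts
// after "10.0.19045" lexically although it is the older build.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Evaluate returns the device's noncompliant settings; an empty result means compliant.
func (p CompliancePolicy) Evaluate(d Device) []string {
	var findings []string
	if p.MinOSVersion != "" && compareVersions(d.OSVersion, p.MinOSVersion) < 0 {
		findings = append(findings, fmt.Sprintf("OS version %s is below minimum %s", d.OSVersion, p.MinOSVersion))
	}
	if p.RequireFirewall && !d.FirewallEnabled {
		findings = append(findings, "firewall is disabled")
	}
	if p.BlockSimplePasswords && d.SimplePassword {
		findings = append(findings, "simple password is allowed")
	}
	return findings
}

// AccessDecision is what a "require device to be marked as compliant"
// Conditional Access rule does with the result: block unless every rule passes.
func AccessDecision(p CompliancePolicy, d Device) string {
	if len(p.Evaluate(d)) == 0 {
		return "grant"
	}
	return "block"
}

// Report evaluates a whole fleet and returns only the noncompliant devices with
// their findings, the view the built-in compliance report gives an admin.
func Report(p CompliancePolicy, fleet []Device) map[string][]string {
	out := map[string][]string{}
	for _, d := range fleet {
		if f := p.Evaluate(d); len(f) > 0 {
			out[d.Name] = f
		}
	}
	return out
}

func main() {
	policy := CompliancePolicy{MinOSVersion: "10.0.19045", RequireFirewall: true, BlockSimplePasswords: true}
	// Constructed sample inventory for the example.
	fleet := []Device{
		{Name: "LAPTOP-01", OSVersion: "10.0.22621", FirewallEnabled: true, SimplePassword: false},
		{Name: "LAPTOP-02", OSVersion: "6.3.9600", FirewallEnabled: false, SimplePassword: true},
		{Name: "LAPTOP-03", OSVersion: "10.0.19045", FirewallEnabled: true, SimplePassword: true},
	}
	for name, findings := range Report(policy, fleet) {
		fmt.Printf("%s: %s\n", name, strings.Join(findings, "; "))
	}
	for _, d := range fleet {
		fmt.Printf("%s -> access %s\n", d.Name, AccessDecision(policy, d))
	}
}
```

A device exactly at the minimum version passes the version rule, so LAPTOP-03 in the sample is reported only for its simple password; that is the same boundary Intune's "minimum OS version" setting uses.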

Control device features and assign policies to device groups

All devices have features that you can control and manage using policies. For example,
you can block the built-in camera, allow Bluetooth pairing, manage the power button,
and more.

For many organizations, it's common to create device groups. Device groups are Azure
AD groups that only include devices. They don't include user identities.

When you have device groups, you create policies that focus on the device experience
or task, like running a single app or scanning bar codes. You can also create policies that
include settings that you want to always be on the device, regardless of who's using the
device.

You can group devices by OS platform, by function, by location, and anything else you
prefer.

Device groups can also include devices that are shared with many users or aren't
associated with a specific user. These dedicated or kiosk devices are typically used by
front line workers and can also be managed by Intune.

When the groups are ready, you can assign your policies to these device groups.

For more information, go to:

Get started with Microsoft 365 for frontline workers
Windows device settings to run as a dedicated kiosk using Intune
Control access, accounts, and power features on shared PC or multi-user devices
using Intune

Secure your devices

To help secure your devices, you can install antivirus, scan & react to malicious activity,
and enable security features.

In Intune, some common security tasks include:

Integrate with Mobile Threat Defense (MTD) partners to help protect organization
owned devices and personally owned devices. These MTD services scan the devices
and can help remediate vulnerabilities.

The MTD partners support different platforms, including Android, iOS/iPadOS,
macOS, and Windows.

For more specific information, go to Mobile Threat Defense integration with Intune

Use Security Baselines on your Windows devices. Security baselines are
preconfigured settings that you can deploy to your devices. These baseline
settings focus on security at a granular level and can also be changed to meet any
organization specific requirements.

If you're not sure where to start, then look at Security Baselines and the built-in
guided scenarios.

For more specific information, go to:

Use security baselines to configure Windows devices in Intune
Guided scenarios overview

Manage software updates, encrypt hard disks, configure built-in firewalls, and
more using built-in policy settings. You can also use Windows Autopatch for
automatic patching of Windows, including Windows quality updates and Windows
feature updates.

For more information, go to:

Manage endpoint security in Microsoft Intune
Manage device security with endpoint security policies in Microsoft Intune
Windows Autopatch overview

Manage devices remotely using the Intune admin center. You can remotely lock,
restart, locate a lost device, restore a device to its factory settings, and more. These
tasks are helpful if a device is lost or stolen, or if you're remotely troubleshooting a
device.

For more information, go to Remote actions in Intune.

Next steps
Manage identities in Intune
Manage apps

Manage your apps and app data in Microsoft Intune
Article • 05/15/2023

Managing and protecting apps and their data is a significant part of any endpoint
management strategy and solution. In most environments, users can install public retail
apps and possibly access organization data from these apps. Many organizations also
have their own private apps and line-of-business apps that need to be deployed &
managed, and make sure this app data stays within the organization.

App management can be challenging and Intune can help. Microsoft Intune is a cloud-
based service that can manage many apps types. Using Intune, admins can deploy,
configure, protect, and update apps that access your organization resources. For more
information on Intune and its benefits, go to What is Microsoft Intune?.

Microsoft Intune supports Android, iOS/iPadOS, macOS and Windows client devices. So,
you can use Intune's app management features across your many devices.

From a service perspective, Intune uses Azure Active Directory (AD) for identity
management. To use some apps, these Azure AD user identities must have licenses
assigned to them. The Microsoft Intune admin center can also help you manage
licensing.

This article discusses concepts and features you should consider when managing and
securing apps.

Deploy apps your organization uses

Organizations use many different types of apps, including store apps, line-of-business
(LOB) apps, web apps, and more. You can add apps to Intune and then use its app policy
management to deploy these apps to your devices.

The app features in the Intune admin center make it easier to deploy these different
kinds of apps. Intune supports Android, iOS/iPadOS, macOS, and Windows client
devices:

For Android devices, the Intune admin center automatically connects to the public
Play Store and gives you the ability to search for apps. You can also sync with your
Managed Google Play account to access your Android Enterprise apps, including
private apps.

On Android devices, you can deploy:

Public and retail apps from the public Play Store
Managed Google Play apps to Android Enterprise devices
Web links to web apps
Built-in apps, which are apps automatically included and available in the Intune
admin center
Custom line-of-business apps your organization creates
Android Enterprise system apps, which are apps typically included on Android
devices

If you use Google Mobile Services (GMS) (opens Android's web site), you can
purchase licenses to GMS, which typically happens when you purchase Android
devices. GMS gives users access to the public Play Store and its public apps.

If your organization doesn't use Google Mobile Services (GMS) (opens Android's
web site), then Intune can also manage devices using the Android Open Source
Project (AOSP) platform.

For more specific information, go to:

How to use Intune in environments without Google Mobile Services
Add Managed Google Play apps to Android Enterprise devices
Manage private Android apps in Google Play (opens Google's web site)
Add built-in apps

For iOS/iPadOS devices, the Intune admin center automatically connects to the
public App Store and gives you the ability to search for apps. You can also sync
with your Apple Business Manager or Apple School Manager account to access
your volume-licensed apps. When you sync, the apps you purchase (your licensed
apps) are automatically shown in the admin center.

On iOS/iPadOS devices, you can deploy:

Public and retail apps from the public App Store
Volume-licensed apps using Apple Business Manager or Apple School Manager
Web clips, which are shortcuts to web site links that you can add to the home
screen
Web links to web apps
Built-in apps, which are apps automatically included and available in the Intune
admin center
Custom line-of-business apps your organization creates

For more specific information, go to:

Add iOS store apps
Manage iOS/iPadOS and macOS apps purchased through Apple Business
Manager
Add iOS/iPadOS LOB apps
Add built-in apps

For macOS devices, the Intune admin center has built-in features that include apps
commonly deployed to macOS, including Microsoft Edge and Microsoft 365 apps.
You can also sync with your Apple Business Manager or Apple School Manager
account to access your volume-licensed apps. When you sync, the apps you
purchase (your licensed apps) are automatically shown in the admin center.

On macOS devices, you can deploy:

Volume-licensed apps using Apple Business Manager or Apple School Manager
Microsoft 365 apps, which include Word, Excel, PowerPoint, Outlook, OneNote,
Teams, and OneDrive
Microsoft Edge version 77 and newer, which is the modern chromium version
Microsoft Defender for Endpoint, which is a cloud service that detects malicious
intent and can help remediate security threats
Web links to web apps
Custom line-of-business apps your organization creates
Apple disk image (DMG) apps, which is a file that includes one or more apps to
deploy

For more specific information, go to:

Manage iOS/iPadOS and macOS apps purchased through Apple Business
Manager
Assign Microsoft 365 to macOS devices
Add macOS LOB apps

For Windows devices, the Intune admin center automatically connects to the
public Microsoft Store and gives you the ability to search for apps. You can also
sync with your Microsoft Store for Business account to access your volume-
licensed apps. When you sync, the apps you purchase (your licensed apps) are
automatically shown in the admin center.

On Windows devices, you can deploy:

Volume-licensed apps using Microsoft Store for Business
Public and retail apps from the Microsoft Store
Microsoft 365 apps, which include Word, Excel, PowerPoint, Outlook, OneNote,
Teams, and OneDrive
Microsoft Edge version 77 and newer, which is the modern chromium version
Web links to web apps
Custom line-of-business apps your organization creates
Win32 apps

For more specific information, go to:

Manage volume purchased apps from the Microsoft Store for Business
Add Microsoft 365 apps to Windows client devices
Win32 app management

Note

Microsoft Store for Business is being retired. Starting with Windows 11, you
have a new option for your private volume-licensed apps. For more
information, go to Private app repository in Windows 11 and Update to
Microsoft Intune integration with the Microsoft Store on Windows.

Configure apps before they're installed

When an app is deployed to your users and devices, your users may be prompted for
configuration information. Users might not know what to enter or you may have
organization settings you want configured a certain way.

App configuration policies give you these features. You can create app configuration
policies that automatically configure apps. Depending on your policy settings, users
might not need to enter any configuration information when they open the app.
For example, in an app configuration policy, you can enter the app language, add your
organization's logo, block apps from using personal accounts, and more.

Your app configuration policies can be deployed at any time. If you want to configure
apps before users open them the first time, then you can include the app configuration
policy when users enroll their devices. During enrollment, your app configuration
policies are automatically deployed and the apps include your configuration settings.

For more specific information, go to App configuration policies in Intune.

Protect apps on organization owned and personal devices

App protection policies are a key part to protecting data in apps that access
organization data. If user-owned personal devices are accessing your organization data,
then you need app protection policies. You can use these policies to protect email,
protect shared files, protect access to meetings, and more.

You can use Intune to create, configure, and deploy app protection policies to your
users and your devices, including personally owned devices and devices managed by
another MDM provider. Typically, organization owned devices are managed by your
organization. If there are apps on these managed devices that require extra security,
then you can also use app protection policies on these devices.

App protection policies also help separate personal data from organization data. For
example, you can create policies that block copy-and-paste between apps, require a PIN
when opening an app, block backups to personal cloud services, and more.

For more specific information, go to:

App protection policies overview and benefits
How to create and assign app protection policies

Update apps to the latest version

Apps are often updated to include bug fixes, feature improvements, security updates,
and more. When apps are deployed using Intune, most apps are automatically updated
when there's an app update available. So, it's recommended to use Intune to deploy
apps used by your organization.

You can also use Windows Autopatch for automatic patching of Microsoft 365 Apps for
enterprise, Microsoft Edge, and Microsoft Teams.

If users install apps themselves, including from a public app store, then these apps will
need to be updated manually. In this situation, you can use app protection policies to
enforce a minimum app version, and even wipe organization data on devices that don't
meet your standards.

For more information, go to:

Add and update apps
Windows Autopatch overview
Wipe corporate data from Intune-managed apps
Selectively wipe data using app protection policy conditional launch actions

Next steps
Manage identities
Manage devices
Frequently asked questions about application management and app protection

Zero Trust with Microsoft Intune
Article • 04/03/2023

Zero Trust is a security strategy for designing and implementing the following set of
security principles:

Verify explicitly: Always authenticate and authorize based on all available data points.
Use least privilege access: Limit user access with Just-In-Time and Just-Enough-Access
(JIT/JEA), risk-based adaptive policies, and data protection.
Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption
and use analytics to get visibility, drive threat detection, and improve defenses.

Device and application authentication, authorization, and protection for Zero Trust

You can use Intune to protect access and data on organization-owned devices and on
users' personal devices. Intune also has compliance and reporting features that support
Zero Trust.

The following list pairs each Zero Trust principle with how Intune helps.

Verify explicitly: Intune allows you to configure policies for apps, security settings,
device configuration, compliance, Azure Active Directory (AD) Conditional Access, and
more. These policies become part of the authentication and authorization process of
accessing resources.

Use least privilege access: Intune simplifies app management with a built-in app
experience, including app deployment, updates, and removal. You can connect to and
distribute apps from your private app stores, enable Microsoft 365 apps, deploy Win32
apps, create app protection policies, and manage access to apps and their data.
With Endpoint Privilege Management (EPM), your user base can run with least
privilege, and allow users to still run tasks allowed by your organization.

Assume breach: Intune integrates with mobile threat defense services, including
Microsoft Defender for Endpoint and third party partner services. With these services,
you can create policies for endpoint protection that respond to threats, do real-time
risk analysis, and automate remediation.

Next steps
Learn more about Zero Trust and how to build an enterprise-scale strategy and
architecture with the Zero Trust Guidance Center.

For device-centric concepts and deployment objectives, see Secure endpoints with Zero
Trust.

For Intune in Microsoft 365, see Manage devices with Intune Overview.

Learn more about other Microsoft 365 capabilities that contribute to a strong Zero Trust
strategy and architecture with Zero Trust deployment plan with Microsoft 365.

High-level architecture for Microsoft Intune
Article • 05/04/2023

This reference architecture shows options for integrating Microsoft Intune in your Azure
environment with Azure Active Directory.


Service information for Microsoft Intune release updates
Article • 02/22/2023

New feature releases for Intune typically have a six to eight week cadence, from
planning to release. This cadence is called a sprint. Intune releases use a YYMM naming
convention. For example, 2301 is the January 2023 release.

This article provides information about the frequency of the Microsoft Intune service
updates, the release cadence, and how to check your tenant release version.

How updates are released

The monthly release process involves many different environments and is deployed to
multiple Azure services. After it's deployed to Azure, the release updates are deployed
to the Intune admin center, which makes the release features available for you to use.

An internal environment called Self Host is the first environment to receive the release.
Self Host is used only by the Intune engineering teams. After Self Host, the service
release is deployed to the Microsoft tenant that manages many devices. Once it's
validated that there are no key issues with the service release, the release begins
deploying to customer environments in a phased approach. Once all tenants are
successfully updated, the Microsoft Intune admin center is updated. This phased
approach helps identify issues before they affect the service or our customers.

Updating the Company Portal app is a different process. Microsoft is subject to the
release requirements and processes of the Apple App Store, Google Play, and
sometimes mobile carriers. It isn’t always possible to align the Intune release updates
with updates to the Company Portal app. For more information on the Company Portal
app updates, go to UI updates for Intune end-user apps.

How can I tell if a service update is complete for my tenant?

To check the release version of your tenant, use the following steps:

1. Sign in to the Microsoft Intune admin center.
2. Select Tenant administration > Tenant status. Your tenant’s name, location, MDM
authority, account status, and service release number are shown.

In the following example, the tenant has the 2104 (April 2021) service release:

Keep current with release features

Keeping up to date about releases and changes is an important part of your Intune
deployment. Intune provides several ways to stay current about latest updates:

What's new in Intune: Learn what’s new in a Microsoft Intune release. When a
feature is released, some information about that feature is added to this article. It
also includes an overview of the current release, any notices, information about
earlier releases, and other information.

Content is published at the end of the current sprint, which is when the UI updates
start deploying to the Microsoft Intune admin center.

In development for Microsoft Intune: Learn more about what features are in
development for Microsoft Intune. This article is updated regularly with upcoming
features and changes.

Microsoft 365 message center: When the service update finishes deploying, you’ll
see a message posted in the Message center. Or, you can view the same messages
in the Message Center at portal.office.com. Service APIs pull only the Microsoft
Intune messages from Microsoft 365 into the Microsoft Intune admin center.

Microsoft Intune tenant status: This message center is a centralized hub where
you can view current information and communications about the Intune service
and your tenant status.

Use the following steps to see the hub:

1. Sign in to the Microsoft Intune admin center.
2. Go to Tenant administration > Tenant status > Service health and message
center.
3. Under Message center, select any message to read it.

Social media: Get the latest announcements on Twitter at @IntuneSuppTeam.

For more information from the Intune support team, go to the following blog posts:

Staying up to date on Intune new features, service changes, and service health
Tips and tricks for managing Intune

Privacy and personal data in Intune

You should understand how Intune collects, stores, retains, processes, secures, shares,
audits, and exports personal data. Microsoft Intune doesn't use any personal data
collected as part of providing the service for profiling, advertising, or marketing
purposes.

The following resources can help you understand privacy and personal data in Intune:

Privacy and personal data in Intune
Optional diagnostic data from Intune Client apps
Data collection in Intune
Data storage and processing in Intune
Audit, export, or delete personal data in Intune

Next steps
Get started with Microsoft Intune
Planning guide to move to Microsoft Intune

What does device management mean?
Article • 06/07/2023

Device management enables organizations to administer and maintain devices,
including virtual machines, physical computers, mobile devices, and IoT devices. Device
management is a critical component of any organization's security strategy. It helps
ensure that devices are secure, up-to-date, and compliant with organizational policies,
with the goal of protecting the corporate network and data from unauthorized access.

As organizations support remote and hybrid workforces, it's more important than ever
to have a solid device management strategy. Organizations must protect and secure
their resources and data on any device.

This article describes the features and benefits of device management, and how it can
help organizations, including Microsoft 365 small & medium business, and enterprise. It
also describes the different approaches to device management, including mobile device
management (MDM) and mobile application management (MAM), and how Microsoft
Intune can help.

Features and benefits

Device management solutions have the following features and benefits:

The toolset to manage devices, including the ability to deploy and update
software, configure settings, enforce policies, and monitor with data and reports
The ability to administer and manage virtual and physical devices, regardless of
their physical location
Maintain a network of devices running common operating systems, including
Windows, macOS, iOS/iPadOS, and Android
Automate policy management and deployment for apps, device features, security,
and compliance
Optimize device features for business use
Provide a single point of management for devices, including the ability to manage
devices from a central console
Secure and protect data on devices, including safeguards and measures to prevent
unauthorized access

With device management solutions, organizations can make sure that only authorized
people and devices get access to proprietary information. Similarly, device users can feel
at ease accessing work data from their phone, because they know their device meets
their organization's security requirements.

As an organization, you might ask: What should we use to protect our resources?

Microsoft Intune is a world class device management solution

Many organizations, including Microsoft, use Intune to secure proprietary data that
users access from their company-owned and personally owned devices. Intune includes
device and app policies, software update policies, and installation statuses (charts,
tables, and reports). These resources help you secure and monitor data access.

With Intune, you can manage multiple devices per person, and the different platforms
that run on each device, including Android, iOS/iPadOS, Linux, macOS, and Windows.
Intune separates policies and settings by device platform. So it's easy to manage and
view devices of a specific platform.

For more information about Intune and its benefits, go to:

Microsoft Intune planning guide
What is Intune?
Get started with Microsoft Intune

Cloud attach your on-premises Configuration Manager

Many organizations use on-premises Configuration Manager to manage devices,
including desktops and servers. You can cloud-attach your on-premises Configuration
Manager to Microsoft Intune. When you cloud-attach, you get the benefits of Intune
and the cloud, including conditional access, running remote actions, using Windows
Autopilot, and more.

For more information, go to:

What is co-management
Configuration Manager tenant attach

Choose the device management solution that's right for you

There are a couple of ways to approach device management.

✔️ Mobile device management (MDM)

First, you can manage different aspects of devices using the features built in to Intune.
This approach is called mobile device management (MDM).

Users "enroll" their devices, and use certificates to communicate with Intune. As an IT
administrator, you push apps on devices, restrict devices to a specific operating system,
block personal devices, and more. If a device is ever lost or stolen, you can also remove
all data from the device.

✔️ Mobile application management (MAM)

In the second approach, you manage apps on devices. This approach is called mobile
application management (MAM).

Users can use their personal devices to access organizational resources. When users
open an app, such as Outlook or SharePoint, they can be prompted to authenticate. If a
device is ever lost or stolen, you can remove all organization data from the Intune
managed applications.

You can also use a combination of MDM and MAM together.

For more information, go to:

What is Intune?
Microsoft Intune planning guide

Next steps
Microsoft Intune planning guide
Manage user and group identities in Microsoft Intune
Manage your devices and control device features in Microsoft Intune
Manage your apps and app data in Microsoft Intune

What's new in Microsoft Intune
Article • 08/30/2023

Learn what's new each week in Microsoft Intune.

You can also read:

Important notices
Past releases in the What's new archive
Information about how Intune service updates are released

Note

Each monthly update may take up to three days to roll out and will be in the
following order:

Day 1: Asia Pacific (APAC)
Day 2: Europe, Middle East, Africa (EMEA)
Day 3: North America
Day 4+: Intune for Government

Some features may roll out over several weeks and might not be available to all
customers in the first week.

For a list of upcoming Intune feature releases, see In development for Microsoft
Intune. For new information about Autopilot, see Windows Autopilot What's new.

You can use RSS to be notified when this page is updated. For more information, see
How to use the docs.

Week of August 28, 2023

Device configuration

Windows and Android support for 4096-bit key size for SCEP and
PFX certificate profiles

Intune SCEP certificate profiles and PKCS certificate profiles for Windows and Android
devices now support a Key size (bits) of 4096. This key size is available for new profiles
and existing profiles you choose to edit.

SCEP profiles have always included the Key size (bits) setting and now support
4096 as an available configuration option.
PKCS profiles don’t include the Key size (bits) setting directly. Instead, an admin
must modify the certificate template on the Certification Authority to set the
Minimum key size to 4096.

If you use a third-party Certificate Authority (CA), you might need to contact your
vendor for assistance with implementing the 4096-bit key size.

When updating or deploying new certificate profiles to take advantage of this new key
size, we recommend use of a staggered deployment approach to help avoid creating
excessive demand for new certificates across a large number of devices at the same
time.

With this update, be aware of the following limitations on Windows devices:

4096-bit key storage is supported only in the Software Key Storage Provider (KSP).
The following do not support storing keys of this size:
The hardware TPM (Trusted Platform Module). As a workaround you can use the
Software KSP for key storage.
Windows Hello for Business. There is no work around at this time.
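An added Go example, not from the Intune documentation or product, showing what the 4096-bit setting causes on the device side and how an admin can verify it took effect. A SCEP profile makes the device generate a key of the configured size and submit a certificate request, so the block generates a 4096-bit RSA key, builds a CSR for it, and then reads the modulus length back out of the parsed CSR and out of a certificate. The self-signed certificate is a stand-in for the one a CA would issue from the CSR, since there is no CA in the example; MeetsMinimum mirrors the "Minimum key size" check on a CA certificate template, which is where the size is enforced for PKCS profiles. The function names and the subject name are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKeyAndCSR is the device-side step a SCEP profile drives: generate an RSA
// key of the configured size and produce a DER certificate request for it.
func NewKeyAndCSR(bits int, commonName string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, csrDER, nil
}

// SelfSignedCert stands in for the certificate a CA would issue from the CSR
// (constructed for the example; there is no real CA here).
func SelfSignedCert(key *rsa.PrivateKey, commonName string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// rsaBits returns the modulus length of an RSA public key, or 0 for non-RSA keys.
func rsaBits(pub any) int {
	if k, ok := pub.(*rsa.PublicKey); ok {
		return k.N.BitLen()
	}
	return 0
}

// CSRKeyBits verifies the CSR's self-signature and reports its RSA key size,
// the value a SCEP server sees before it forwards the request to the CA.
func CSRKeyBits(csrDER []byte) (int, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return 0, err
	}
	if err := csr.CheckSignature(); err != nil {
		return 0, err
	}
	return rsaBits(csr.PublicKey), nil
}

// CertKeyBits reports the RSA key size in an issued certificate: the check to
// run on devices after the profile change to confirm new certificates are 4096-bit.
func CertKeyBits(certDER []byte) (int, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return 0, err
	}
	return rsaBits(cert.PublicKey), nil
}

// MeetsMinimum mirrors the "Minimum key size" check on a CA certificate
// template; a request below it is rejected by the CA.
func MeetsMinimum(bits, minimum int) bool {
	return bits >= minimum
}

func main() {
	const subject = "device01.example.invalid" // constructed subject name
	key, csr, err := NewKeyAndCSR(4096, subject)
	if err != nil {
		panic(err)
	}
	csrBits, _ := CSRKeyBits(csr)
	cert, _ := SelfSignedCert(key, subject)
	certBits, _ := CertKeyBits(cert)
	fmt.Printf("CSR key: %d bits, certificate key: %d bits, meets 4096 minimum: %v\n",
		csrBits, certBits, MeetsMinimum(certBits, 4096))
}
```

Generating a 4096-bit key takes noticeably longer than a 2048-bit one, which is part of why the article recommends a staggered rollout; the same parse-and-check logic applies unchanged to certificates exported from a device's certificate store.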

Tenant administration

Access policies for multiple Administrator Approval are now generally available

Access policies for multiple Administrator Approval are out of public preview and are
now generally available. With these policies you can protect a resource, like App
deployments, by requiring any change to the deployment be approved by one of a
group of users who are approvers for the resource, before that change is applied.

For more information, see Use Access policies to require multiple administrative
approval.

Week of August 21, 2023 (Service release 2308)

App management

Managed Home Screen end-users prompted to grant exact alarm permission

Managed Home Screen uses the exact alarm permission to do the following actions:

Automatically sign users out after a set time of inactivity on the device
Launch a screen saver after a set period of inactivity
Automatically relaunch MHS after a certain period of time when a user exits kiosk
mode

For devices running Android 14 and higher, by default, the exact alarm permission will
be denied. To make sure critical user functionality is not impacted, end-users will be
prompted to grant exact alarm permission upon first launch of Managed Home Screen.
For more information, see Configure the Microsoft Managed Home Screen app for
Android Enterprise and Android's developer documentation .

Managed Home Screen notifications

For Android devices running Android 13 or higher that target API level 33, by default,
applications do not have permission to send notifications. In previous versions of
Managed Home Screen, when an admin had enabled automatic relaunch of Managed
Home Screen, a notification was displayed to alert users of the relaunch. To
accommodate change to notification permission, in the scenario when an admin has
enabled auto-relaunch of Managed Home Screen, the application will now display a
toast message alerting users of the relaunch. Managed Home Screen is able to
auto-grant permission for this notification, so no change is required for admins
configuring Managed Home Screen to accommodate the change in notification
permission with API level 33. For more information about Android 13 (API level 33)
notification messages, see the Android developer documentation. For more
information about Managed Home Screen, see Configure the Microsoft Managed Home
Screen app for Android Enterprise.

New macOS web clip app type

In Intune, end users can pin web apps to the dock on your macOS devices (Apps >
macOS > Add > macOS web clip). For related information about the settings you can
configure, see Add web apps to Microsoft Intune.

Applies to:

macOS

Win32 app configurable installation time

In Intune, you can set a configurable installation time to deploy Win32 apps. This time is
expressed in minutes. If the app takes longer to install than the set installation time, the
system will fail the app install. Max timeout value is 1440 minutes (1 day). For more
information about Win32 apps, see Win32 app management in Microsoft Intune.

Samsung Knox conditional launch check

You can add additional detection of device health compromises on Samsung Knox
devices. Using a conditional launch check within a new Intune App Protection Policy, you
can require that hardware-level device tamper detection and device attestation be
performed on compatible Samsung devices. For more information, see the Samsung
Knox device attestation setting in the Conditional launch section of Android app
protection policy settings in Microsoft Intune.

Device configuration

Remote Help for Android in public preview

Remote Help is available in public preview for Android Enterprise Dedicated devices
from Zebra and Samsung. With Remote Help, IT Pros can remotely view the device
screen and take full control in both attended and unattended scenarios, to diagnose and
resolve issues quickly and efficiently.

Applies to:

Android Enterprise Dedicated devices, manufactured by Zebra or Samsung

For more information, go to Remote Help on Android.

Group Policy analytics is generally available

Group Policy analytics is generally available (GA). Use Group Policy analytics to analyze
your on-premises group policy objects (GPOs) for their migration to Intune policy
settings.

For more information about Group Policy analytics, go to Analyze your on-premises
GPOs using Group Policy analytics in Microsoft Intune.

Applies to:
Windows 11
Windows 10

New SSO, login, restrictions, passcode, and tamper protection settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft
Intune admin center, go to Devices > Configuration profiles > Create profile >
iOS/iPadOS or macOS > Settings catalog for profile type.

Authentication > Extensible Single Sign On (SSO):

Account Display Name
Additional Groups
Administrator Groups
Authentication Method
Authorization Right
Group
Authorization Group
Enable Authorization
Enable Create User At Login
Login Frequency
New User Authorization Mode
Account Name
Full Name
Token To User Mapping
User Authorization Mode
Use Shared Device Keys

Applies to:

macOS 13.0 and later

Login > Login Window:

Autologin Password
Autologin Username

Restrictions:

Allow ARD Remote Management Modification
Allow Bluetooth Sharing Modification
Allow Cloud Freeform
Allow File Sharing Modification
Allow Internet Sharing Modification
Allow Local User Creation
Allow Printer Sharing Modification
Allow Remote Apple Events Modification
Allow Startup Disk Modification
Allow Time Machine Backup

Security > Passcode:

Password Content Description
Password Content Regex

Applies to:

macOS 14.0 and later

Restrictions:

Allow iPhone Widgets On Mac

Applies to:

iOS/iPadOS 17.0 and later

Microsoft Defender > Tamper protection:

Process's arguments
Process path
Process's Signing Identifier
Process's Team Identifier
Process exclusions

Applies to:

macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

Device enrollment
Just-in-time registration and compliance remediation for iOS/iPadOS Setup Assistant with modern authentication now generally available

Just in time registration and compliance remediation for Setup Assistant with modern
authentication are now out of preview and generally available. With just in time (JIT)
registration, the device user doesn't need to use the Company Portal app for Azure
Active Directory registration and compliance checking. JIT registration and compliance
remediation is embedded into the user's provisioning experience, so they can view their
compliance status and take action within the work app they're trying to access.
Additionally, this establishes single-sign on across the device. For more information
about how to set up JIT registration, see Set up Just in Time Registration.

Awaiting final configuration for iOS/iPadOS automated device enrollment now generally available

Now generally available, awaiting final configuration enables a locked experience at the
end of Setup Assistant to ensure that critical device configuration policies install on
devices. The locked experience works on devices targeted with new and existing
enrollment profiles. Supported devices include:

iOS/iPadOS 13+ devices enrolling with Setup Assistant with modern authentication
iOS/iPadOS 13+ devices enrolling without user affinity
iOS/iPadOS 13+ devices enrolling with Azure AD shared mode

This setting is applied once during the out-of-box automated device enrollment
experience in Setup Assistant. The device user doesn't experience it again unless they
re-enroll their device. Awaiting final configuration is enabled by default for new
enrollment profiles. For information about how to enable awaiting final configuration,
see Create an Apple enrollment profile.

Device management

Changes to Android notification permission prompt behavior

We've updated how our Android apps handle notification permissions to align with
recent changes made by Google to the Android platform. As a result of Google changes,
notification permissions are granted to apps as follows:

On devices running Android 12 and earlier: Apps are permitted to send
notifications to users by default.
On devices running Android 13 and later: Notification permissions vary depending
on the API the app targets.
Apps targeting API 32 and lower: Google has added a notification permission
prompt that appears when the user opens the app. Management apps can still
configure apps so that they're automatically granted notification permissions.
Apps targeting API 33 and higher: App developers define when the notification
permission prompts appear. Management apps can still configure apps so that
they're automatically granted notification permissions.

You and your device users can expect to see the following changes now that our apps
target API 33:

Company Portal used for work profile management: Users see a notification
permission prompt in the personal instance of the Company Portal when they first
open it. Users don't see a notification permission prompt in the work profile
instance of Company Portal because notification permissions are automatically
permitted for Company Portal in the work profile. Users can silence app
notifications in the Settings app.
Company Portal used for device administrator management: Users see a
notification permission prompt when they first open the Company Portal app.
Users can adjust app notification settings in the Settings app.
Microsoft Intune app: No changes to existing behavior. Users don't see a prompt
because notifications are automatically permitted for the Microsoft Intune app.
Users can adjust some app notification settings in the Settings app.
Microsoft Intune app for AOSP: No changes to existing behavior. Users don't see
a prompt because notifications are automatically permitted for the Microsoft
Intune app. Users can't adjust app notification settings in the Settings app.

Device security

Defender Update controls to deploy updates for Defender is now generally available

The profile Defender Update controls for Intune Endpoint security Antivirus policy,
which manages update settings for Microsoft Defender, is now generally available. This
profile is available for the Windows 10, Windows 11, and Windows Server platform. While
in public preview, this profile was available for the Windows 10 and later platform.

The profile includes settings for the rollout release channel by which devices and users
receive Defender Updates that are related to daily security intelligence updates, monthly
platform updates, and monthly engine updates.
This profile includes the following settings, which are all directly taken from Defender
CSP - Windows Client Management.

Engine Updates Channel
Platform Updates Channel
Security Intelligence Updates Channel

These settings are also available from the settings catalog for the Windows 10 and later
profile.

Elevation report by applications for Endpoint Privilege Management

We’ve released a new report named Elevation report by applications for Endpoint
Privilege Management (EPM). With this new report you can view all managed and
unmanaged elevations, which are aggregated by the application that elevated. This
report can aid you in identifying applications that might require elevation rules to
function properly, including rules for child processes.

You’ll find the report in the Report node for EPM in the Intune admin center. Navigate
to Endpoint security > Endpoint Privilege Management and then select the Reports
tab.

New settings available for macOS Antivirus policy

The Microsoft Defender Antivirus profile for macOS devices has been updated with nine
additional settings, and three new settings categories:

Antivirus engine – The following settings are new in this category:

Degree of parallelism for on-demand scans – Specifies the degree of parallelism
for on-demand scans. This corresponds to the number of threads used to perform
the scan and impacts the CPU usage, as well as the duration of the on-demand
scan.
Enable file hash computation – Enables or disables the file hash computation feature.
When this feature is enabled, Windows Defender computes hashes for the files it
scans, which improves the accuracy of Custom Indicator matches. However, enabling
Enable file hash computation may impact device performance.
Run a scan after definitions are updated – Specifies whether to start a process
scan after new security intelligence updates are downloaded on the device.
Enabling this setting triggers an antivirus scan of the running processes on the
device.
Scanning inside archive files – If true, Defender unpacks archives and scans the files
inside them. Otherwise, archive content is skipped, which improves scanning
performance.

Network protection – A new category that includes the following setting:

Enforcement level – Configure this setting to specify if network protection is
disabled, in audit mode, or enforced.

Tamper protection - A new category that includes the following setting:

Enforcement level - Specify if tamper protection is disabled, in audit mode, or
enforced.

User interface preferences – A new category that includes the following settings:

Control sign-in to consumer version - Specify whether users can sign into the
consumer version of Microsoft Defender.
Show / hide status menu icon – Specify whether the status menu icon (shown in
the top-right corner of the screen) is hidden or not.
User initiated feedback – Specify whether users can submit feedback to Microsoft
by going to Help > Send Feedback.

New profiles that you create include the original settings as well as the new settings.
Your existing profiles automatically update to include the new settings, with each new
setting set to Not configured until you choose to edit that profile to change it.

For more information about how to set preferences for Microsoft Defender for Endpoint
on macOS in enterprise organizations, see Set preferences for Microsoft Defender for
Endpoint on macOS.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

VerityRMS by Mackey LLC (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

CloudDesktop log now collected with Windows diagnostics data

The Intune remote action to collect diagnostics from a Windows device now includes
data in a log file.

Log file:

%temp%\CloudDesktop*.log

Anomaly detection device cohorts in Intune Endpoint analytics is generally available

Anomaly detection device cohorts in Intune Endpoint analytics is now generally
available.

Device cohorts are identified in devices associated with a high or medium severity
anomaly. Devices are correlated into groups based on one or more factors they have in
common like an app version, driver update, OS version, device model. A correlation
group will contain a detailed view with key information about the common factors
between all affected devices in that group. You can also view a breakdown of devices
currently affected by the anomaly and 'at risk' devices, those that haven't yet shown
symptoms of the anomaly.

For more information, go to Anomaly detection in Endpoint analytics.

Improved user experience for device timeline in Endpoint Analytics

The user interface (UI) for device timeline in Endpoint analytics is improved and includes
more advanced capabilities (support for sorting, searching, filtering, and exports). When
viewing a specific device timeline in Endpoint analytics, you can search by event name
or details. You can also filter the events and choose the source and level of events that
appear on the device timeline and select a time range of interest.

For more information, go to Enhanced device timeline.

Updates for compliance policies and reports

We’ve made several improvements to the Intune compliance policies and reports. With
these changes the reports more closely align to the experience in use for device
configuration profiles and reports. We’ve updated our compliance report
documentation to reflect the available compliance report improvements.

Compliance report improvements include:

Compliance details for Linux devices.
Redesigned reports that are up-to-date and simplified, with newer report versions
beginning to replace older report versions, which will remain available for some
time.
When viewing a policy for compliance, there is no more left-pane navigation.
Instead, the policy view opens to a single pane that defaults to the Monitor tab
and its Device status view.
This view provides a high-level overview of device status for this policy, and
supports drilling in to review the full report, as well as a per-setting status view
of the same policy.
The doughnut chart is replaced by a streamlined representation and count of
the different device status values returned by devices assigned the policy.
You can select the Properties tab to view the policy details, and review and edit
its configuration and assignments.
The Essentials section is removed with those details appearing in the policy's
Properties tab.
The updated status reports support sorting by columns, the use of filters, and
search. Combined, these enhancements enable you to pivot the report to display
specific subsets of details you want to view at that time. With these enhancements
we have removed the User status report as it has become redundant. Now, while
viewing the default Device status report you can focus the report to display the
same information that was available from User status by sorting on the User
Principal Name column, or searching for a specific username in the search box.
When viewing status reports, the count of devices that Intune displays now
remains consistent between different report views as you drill in for deeper
insights or details.

For more information about these changes, see the Intune Support Team blog at
https://aka.ms/Intune/device_compl_report.

Week of August 14, 2023

App management

Use the Turn off the Store application setting to disable end user access to Store apps, and allow managed Intune Store apps

In Intune, you can use the new Store app type to deploy Store apps to your devices.
Now, you can use the Turn off the Store application policy to disable end users' direct
access to Store apps. When it's disabled, end users can still access and install Store apps
from the Windows Company Portal app and through Intune app management. If you
want to allow random store app installs outside of Intune, then don't configure this
policy.

The previous Only display the private store within the Microsoft Store app policy
doesn't prevent end users from directly accessing the store using the Windows Package
Manager winget APIs. So, if your goal is to block random unmanaged Store application
installs on client devices, then it's recommended to use the Turn off the Store
application policy. Don't use the Only display the private store within the Microsoft
Store app policy.

For more information, go to Add Microsoft Store Apps to Microsoft Intune.

Applies to:

Windows 10 and later
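The following PowerShell is an added example, not part of the Intune documentation or the product, that audits a Windows device for the two Store policies discussed above and reports whether unmanaged Store installs are actually blocked. It assumes the policies are delivered as the ADMX-backed registry values under HKLM\SOFTWARE\Policies\Microsoft\WindowsStore (RemoveWindowsStore for Turn off the Store application, RequirePrivateStoreOnly for Only display the private store); confirm those against your tenant's device configuration report before relying on the result.

```powershell
# Added example (not from the Intune documentation): audit which Store policy a
# device received and whether it actually blocks unmanaged Store installs.
# Assumption: the ADMX-backed registry values below are where the two policies land.

function Get-StorePolicyState {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    )

    $values = if (Test-Path -Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }

    $storeOff      = [bool]($values.RemoveWindowsStore -eq 1)      # Turn off the Store application
    $privateOnly   = [bool]($values.RequirePrivateStoreOnly -eq 1) # Only display the private store
    $wingetPresent = [bool](Get-Command -Name winget.exe -ErrorAction SilentlyContinue)

    # "Only display the private store" narrows the Store UI but does not stop
    # installs through the Windows Package Manager (winget) APIs, so only turning
    # the Store off counts as blocking unmanaged installs.
    $blocked = $storeOff

    $recommendation = if ($blocked) {
        'Store access is turned off; Intune-managed Store apps still install through Company Portal.'
    } elseif ($privateOnly) {
        'Private-store-only is set, but winget can still install Store apps; use Turn off the Store application instead.'
    } else {
        'No Store restriction configured; end users can install Store apps directly.'
    }

    [pscustomobject]@{
        TurnOffStoreApplication  = $storeOff
        OnlyDisplayPrivateStore  = $privateOnly
        WingetClientPresent      = $wingetPresent
        UnmanagedInstallsBlocked = $blocked
        Recommendation           = $recommendation
    }
}

Get-StorePolicyState | Format-List
```

Run it on a pilot device after the policy has synced; a device that shows OnlyDisplayPrivateStore as True with a winget client present is exactly the gap the text describes, since the Store UI restriction does not cover the winget path.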

Week of August 7, 2023

Role-based access control

Introducing a new role-based access control (RBAC) permission under the resource Android for work

Introducing a new RBAC Permission for creating a custom role in Intune, under the
resource Android for work. The permission Update Enrollment Profile allows the admin
to manage or change both AOSP and Android Enterprise Device Owner enrollment
profiles that are used to enroll devices.

For more information, go to Create custom role.

Week of July 31, 2023

Device security

New BitLocker profile for Intune's endpoint security Disk encryption policy

We have released a new experience creating new BitLocker profiles for endpoint security
Disk Encryption policy. The experience for editing your previously created BitLocker
policy remains the same, and you can continue to use them. This update applies only for
the new BitLocker policies you create for the Windows 10 and later platform.

This update is part of the continuing rollout of new profiles for endpoint security
policies, which began in April 2022.

App management

Uninstall Win32 and Microsoft store apps using the Windows Company Portal

End-users can uninstall Win32 apps and Microsoft store apps using the Windows
Company Portal if the apps were assigned as available and were installed on-demand by
the end-users. For Win32 apps, you have the option to enable or disable this feature (off
by default). For Microsoft store apps, it is always on and available for your end-users. If
an app can be uninstalled by the end-user, the end-user will be able to select Uninstall
for the app in the Windows Company Portal. For related information, see Add apps to
Microsoft Intune.

Week of July 24, 2023 (Service release 2307)

App management

Intune supports new Google Play Android Management API

Changes have been made to how Managed Google Play public apps are managed in
Intune. These changes are to support Google's Android Management APIs (opens
Google's web site).

To learn more about changes to the admin and user experience, go to Support Tip:
Intune moving to support new Google Play Android Management API .

Applies to:

Android Enterprise

App report for Android Enterprise corporate-owned devices

You can now view a report containing all apps found on a device for Android Enterprise
corporate-owned scenarios, including system apps. This report is available in Microsoft
Intune admin center by selecting Apps > Monitor > Discovered apps. You will see
Application Name and Version for all apps detected as installed on the device. It may
take up to 24 hours for app information to populate the report. For related information,
see Intune discovered apps.

Add unmanaged PKG-type applications to managed macOS devices [Public Preview]

You can now upload and deploy unmanaged PKG-type applications to managed macOS
devices using the Intune MDM agent for macOS devices. This feature enables you to
deploy custom PKG installers, such as unsigned apps and component packages. You can
add a PKG app in the Intune admin center by selecting Apps > macOS > Add > macOS
app (PKG) for app type.

For more information, see Add an unmanaged macOS PKG app to Microsoft Intune. To
deploy managed PKG-type app, you can continue to add macOS line-of-business (LOB)
apps to Microsoft Intune. For more information about the Intune MDM agent for macOS
devices, see Microsoft Intune management agent for macOS.

Applies to:

macOS

New settings available for the iOS/iPadOS web clip app type

In Intune, you can pin web apps to your iOS/iPadOS devices (Apps > iOS/iPadOS > Add
> iOS/iPadOS web clip). When you add web clips, there are new settings available:

Full screen: If configured to Yes, launches the web clip as a full-screen web app
without a browser. Additionally, there's no URL or search bar, and no bookmarks.
Ignore manifest scope: If configured to Yes, a full screen web clip can navigate to
an external web site without showing Safari UI. Otherwise, Safari UI appears when
navigating away from the web clip's URL. This setting has no effect when Full
screen is set to No. Available in iOS 14 and later.
Precomposed: If configured to Yes, prevents Apple's application launcher
(SpringBoard) from adding "shine" to the icon.
Target application bundle identifier: Enter the application bundle identifier that
specifies the application that opens the URL. Available in iOS 14 and later.

For more information, go to Add web apps to Microsoft Intune.

Applies to:

iOS/iPadOS

Change to default settings when adding Windows PowerShell scripts

In Intune, you can use policies to deploy Windows PowerShell scripts to your Windows
devices (Devices > Scripts > Add > Windows 10 and later). When you add a Windows
PowerShell script, there are settings you configure. To increase secure-by-default
behavior of Intune, the default behavior of the following settings has changed:

The Run this script using the logged on credentials setting defaults to Yes.
Previously, the default was No.
The Enforce script signature check setting defaults to Yes. Previously, the default
was No.

This behavior applies to new scripts you add, not existing scripts.

For more information about using Windows PowerShell scripts in Intune, go to Use
PowerShell scripts on Windows 10/11 devices in Intune.

Applies to:

Windows 10 and later (excluding Windows 10 Home)
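Because Enforce script signature check now defaults to Yes, scripts you add must carry a valid Authenticode signature or they fail on the client. The following PowerShell is an added example, not part of the Intune documentation or the product, that signs a script with a code-signing certificate and checks the result before upload. It assumes an enterprise code-signing certificate is already present in the current user's personal store; the script path is a placeholder and the timestamp server is one public RFC 3161 service, substitute your own.

```powershell
# Added example (not from the Intune documentation): sign a PowerShell script and
# verify the signature before adding it to Intune with signature checking enforced.
# Assumption: a code-signing certificate from your CA is in Cert:\CurrentUser\My.

function Add-ScriptSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ScriptPath,
        # Thumbprint of the code-signing certificate; if omitted, the first
        # code-signing-capable certificate in the user store is used.
        [string]$Thumbprint,
        # Timestamping lets the signature stay valid after the certificate expires.
        [string]$TimestampServer = 'http://timestamp.digicert.com'
    )

    $certs = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
    $cert  = if ($Thumbprint) { $certs | Where-Object Thumbprint -eq $Thumbprint }
             else             { $certs | Select-Object -First 1 }
    if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My.' }

    $sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
                                     -HashAlgorithm SHA256 -TimestampServer $TimestampServer
    if ($sig.Status -ne 'Valid') {
        throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
    }
    return $sig
}

function Test-ScriptSignature {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string]$ScriptPath)

    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    [pscustomobject]@{
        Script       = $ScriptPath
        Status       = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer       = $sig.SignerCertificate.Subject
        TimeStamped  = [bool]$sig.TimeStamperCertificate
        # Any edit to the file after signing turns Status into HashMismatch, so
        # re-run this check on the exact file you upload.
        ReadyToUpload = ($sig.Status -eq 'Valid')
    }
}

# Usage (placeholder path):
# Add-ScriptSignature  -ScriptPath 'C:\IntuneScripts\Set-Baseline.ps1'
# Test-ScriptSignature -ScriptPath 'C:\IntuneScripts\Set-Baseline.ps1'
```

Two operational points follow from the new defaults. The signing certificate's chain must be trusted on the managed devices, so deploy your CA's certificate to them before relying on signed scripts. And because Run this script using the logged on credentials now defaults to Yes, a script that changes machine-wide state (services, HKLM, program installs) needs that setting switched to No explicitly, or it runs in the standard user's context and fails.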

Device configuration

Added Support for Scope tags

You can now add scope tags when creating deployments using Zebra LifeGuard Over-
the-Air integration (in public preview).

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

A new setting is available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > macOS > Settings catalog for profile type.

Microsoft AutoUpdate (MAU):

Current Channel (Monthly)

Microsoft Defender > User interface preferences:

Control sign-in to consumer version

Microsoft Office > Microsoft Outlook:

Disable 'Do not send response'

User Experience > Dock:

MCX Dock Special Folders

Applies to:

macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

Compliance Retrieval service support for MAC address endpoints

We've now added MAC address support to the Compliance Retrieval service.

The initial release of the CR service included support for using only the Intune device ID
with the intent to eliminate the need to manage internal identifiers like serial numbers
and MAC addresses. With this update, organizations that prefer to use MAC addresses
over certificate authentication may continue to do so while implementing the CR service.

While this update adds MAC address support to the CR service, our recommendation is
to use certificate-based authentication with the Intune device ID included in the
certificate.

For information about the CR service as a replacement for the Intune Network Access
Control (NAC) service, see the Intune blog at
https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-intune-service-for-network-access-control/ba-p/2544696.

Settings insight within Intune Security Baselines is generally available

Announcing the general availability of Settings insight in Microsoft Intune.
The Settings insight feature adds insight to settings giving you confidence in
configurations that have been successfully adopted by similar organizations. Settings
insight is currently available for Security Baselines.

Navigate to Endpoint security > Security baselines. While creating and editing a
workflow these insights are available for all settings with light bulbs.

Device security

Tamper protection support for Windows on Azure Virtual Desktop

Intune now supports use of endpoint security Antivirus policy to manage Tamper
protection for Windows on Azure Virtual Desktop multi-session devices. Support for
Tamper protection requires devices to onboard to Microsoft Defender for Endpoint
before the policy that enables Tamper protection is applied.

EpmTools PowerShell module for Endpoint Privilege Management

The EpmTools PowerShell module is now available for use with Intune Endpoint Privilege
Management (EPM). EpmTools includes the cmdlets like Get-FileAttributes that you can
use to retrieve file details to help build accurate elevation rules, and additional cmdlets
you can use to troubleshoot or diagnose EPM policy deployments.

For more information, see EpmTools PowerShell module.

Endpoint Privilege Management support to manage elevation rules for child processes

With Intune Endpoint Privilege Management (EPM) you can manage which files and
processes are allowed to Run as Administrator on your Windows devices. Now, EPM
elevation rules support a new setting, Child process behavior.

With Child process behavior, your rules can manage the elevation context for any child
processes created by the managed process. Options include:

Allow all child processes created by the managed process to always run as
elevated.
Allow a child process to run as elevated only when it matches the rule that
manages its parent process.
Deny all child processes from running in an elevated context, in which case they
run as standard users.

Endpoint Privilege Management is available as an Intune add-on. For more information,
see Use Intune Suite add-on capabilities.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

Dooray! for Intune

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Updated reports for Setting compliance and Policy compliance are in public preview

We've released two new reports as a public preview for Intune device compliance. You
can find these new preview reports in the Intune admin center at Reports > Device
compliance > Reports tab:

Setting compliance (preview)
Policy compliance (preview)

Both reports are new instances of existing reports, and deliver improvements over the
older versions, including:

Details for Linux settings and devices
Support for sorting, searching, filtering, exports, and paging views
Drill-down reports for deeper details, which are filtered based on the column you
select.
Each device is represented a single time, in contrast to the original reports,
which could count a device more than once if multiple users used that device.

Eventually, the older report versions that are still available in the admin center at Devices
> Monitor will be retired.

Week of July 10, 2023

App management

Updates to app configuration policy reporting

As part of our continuing efforts to improve the Intune reporting infrastructure, there
have been several user interface (UI) changes for app configuration policy reporting. The
UI has been updated with the following changes:

There is no longer a User status tile or a Not applicable device tile on the
Overview section of the App configuration policies workload.
There is no longer a User install status report on the Monitor section of the App
configuration policies workload.
The Device install status report under the Monitor section of the App
configuration policies workload no longer shows the Pending state in the Status
column.

You can find app configuration policy reporting in the Microsoft Intune admin center by
selecting Apps > App configuration policies.

Week of July 3, 2023

Device management

Intune support for Zebra devices on Android 13

Zebra will be releasing support for Android 13 on their devices. You can read more at
Migrating to Android 13 (opens Zebra's web site).

Temporary issues on Android 13

The Intune team thoroughly tested Android 13 on Zebra devices. Everything
continues working as normal, except for the following two temporary issues for
device administrator (DA) devices.

For Zebra devices running Android 13 and enrolled with DA management:

1. App installations don't happen silently. Instead, users get a notification from
the Company Portal app (if they allow notifications) that asks for permission
to allow the app installation. If a user doesn't accept the app installation
when prompted, then the app doesn't install. Users will have a persistent
notification in the notification drawer until they allow the installation.

2. New MX profiles don't apply to Android 13 devices. Newly enrolled Android
13 devices don't receive configuration from MX profiles. MX profiles that
previously applied to enrolled devices continue to apply.

In an update coming later in July, these issues will be resolved and the behavior
will return to how it was before.

Update devices to Android 13

You will soon be able to use Intune's Zebra LifeGuard Over-the-Air integration to
update Android Enterprise dedicated and fully managed devices to Android 13. For
more information, go to Zebra LifeGuard Over-the-Air Integration with Microsoft
Intune.

Before you migrate to Android 13, review Migrating to Android 13 (opens
Zebra's web site).

OEMConfig for Zebra devices on Android 13

OEMConfig for Zebra devices on Android 13 requires using Zebra's new Zebra
OEMConfig Powered by MX OEMConfig app (opens the Google Play store). This
new app can also be used on Zebra devices running Android 11, but not earlier
versions.

For more information on this app, go to the New Zebra OEMConfig app for
Android 11 and later blog post.

The Legacy Zebra OEMConfig app (opens the Google Play store) can only be
used on Zebra devices running Android 11 and earlier.

For more general information about Intune Android 13 support, go to the Day Zero
support for Android 13 with Microsoft Intune blog post.

Device security

Defender for Endpoint security settings management enhancements and support for Linux and macOS in public preview

With Defender for Endpoint security settings management, you can use Intune's
endpoint security policies to manage Defender security settings on devices that
onboard to Defender for Endpoint but aren't enrolled with Intune.

Now, you can opt in to a public preview from within the Microsoft 365 Defender portal
to gain access to several enhancements for this scenario:

Intune's endpoint security policies become visible in and can be managed from
within the Microsoft 365 Defender portal. This enables security admins to remain in
the Defender portal to manage Defender and the Intune endpoint security policies
for Defender security settings management.

Security settings management supports deploying Intune endpoint security
Antivirus policies to devices that run Linux and macOS.

For Windows devices, the Windows Security Experience profile is now supported
with security settings management.

A new onboarding workflow removes the Hybrid Azure AD Join prerequisite. Hybrid
Azure AD Join requirements prevented many Windows devices from successfully
onboarding to Defender for Endpoint security settings management. With this change,
those devices can now complete enrollment and start processing policies for security
settings management.

Intune creates a synthetic registration in Azure AD for devices that can't fully
register with Azure AD. Synthetic registrations are device objects created in Azure
AD that enable devices to receive and report back on Intune policies for security
settings management. In addition, should a device with a synthetic registration
become fully registered, the synthetic registration is removed from Azure AD in
deference to the full registration.

If you don't opt in to the Defender for Endpoint public preview, the previous behaviors
remain in place. In this case, while you can view the Antivirus profile for Linux, you can't
deploy it, because it's supported only for devices managed by Defender. Similarly, the
macOS profile, which is currently available for devices enrolled with Intune, can't be
deployed to devices managed by Defender.

Applies to:

Linux
macOS
Windows

Week of June 26, 2023

Device configuration

Android (AOSP) supports assignment filters

Android (AOSP) supports assignment filters. When you create a filter for Android
(AOSP), you can use the following properties:

DeviceName
Manufacturer
Model
DeviceCategory
oSVersion
IsRooted
DeviceOwnership
EnrollmentProfileName

For more information on filters, go to Use filters when assigning your apps, policies, and
profiles in Microsoft Intune.

Applies to:

Android

On-demand remediation for a Windows device

A new device action that is in public preview allows you to run a remediation on demand
on a single Windows device. The Run remediation device action allows you to
resolve issues without having to wait for a remediation to run on its assigned schedule.
You will also be able to view the status of remediations under Remediations in the
Monitor section of a device.

The Run remediation device action is rolling out and may take a few weeks to reach all
customers.

For more information, go to:

Remediations

Device management

Windows Driver update management in Intune is generally available

Announcing the general availability of Windows Driver update management in
Microsoft Intune. With driver update policies, you can view a list of driver updates that
are recommended and applicable to your Windows 10 and Windows 11 devices that are
assigned to the policy. Applicable driver updates are those that can update a device's
driver version. Driver update policies update automatically to add new updates as they
are published by the driver manufacturer and remove older drivers that no longer apply
to any device with the policy.

Update policies can be configured for one of two approval methods:

With Automatic approval, each new recommended driver that's published by the
driver manufacturer and added to the policy is automatically approved for
deployment to applicable devices. Policies set for automatic approvals can be
configured with a deferral period before the automatically approved updates are
installed on devices. This deferral gives you time to review the driver and to pause
its deployment if necessary.

With manual approval, all new driver updates are automatically added to the
policy, but an admin must explicitly approve each update before Windows Update
deploys it to a device. When you manually approve an update, you choose the
date when Windows Update will begin to deploy it to your devices.

To help you manage driver updates, you can review a policy and decline an update you
don't want to install, indefinitely pause any approved update, and reapprove a paused
update to restart its deployment.

This release also includes driver update reports that provide a success summary,
per-device update status for each approved driver, and error and troubleshooting
information. You can also select an individual driver update and view details about it
across all the policies that include that driver version.

To learn about using Windows Driver update policies, see Manage policy for Windows
Driver updates with Microsoft Intune.

Applies to:

Windows 10
Windows 11

Week of June 19, 2023 (Service release 2306)

App management

MAM for Microsoft Edge for Business [Preview]

You can now enable protected MAM access to org data via Microsoft Edge on personal
Windows devices. This capability uses the following functionality:

Intune Application Configuration Policies (ACP) to customize the org user
experience in Microsoft Edge
Intune Application Protection Policies (APP) to secure org data and ensure the
client device is healthy when using Microsoft Edge
Windows Defender client threat defense integrated with Intune APP to detect local
health threats on personal Windows devices
Application Protection Conditional Access to ensure the device is protected and
healthy before granting protected service access via Azure AD

For more information, see Preview: App protection policy settings for Windows.

To participate in the public preview, complete the opt-in form.

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

Authentication > Extensible Single Sign On (SSO):

Authentication Method
Denied Bundle Identifiers
Registration Token

Full Disk Encryption > FileVault:

Output path
Username
Password
UseKeyChain

Applies to:

macOS

Networking > Network Usage Rules:

SIM Rules

Applies to:

iOS/iPadOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

Device Firmware Configuration Interface (DFCI) supports Asus devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS)
settings. In the Microsoft Intune admin center, select Devices > Configuration profiles >
Create profile > Windows 10 and later for platform > Templates > Device Firmware
Configuration Interface for profile type.

Some Asus devices running Windows 10/11 are enabled for DFCI. Contact your device
vendor or device manufacturer for eligible devices.

For more information about DFCI profiles, go to:

Configure Device Firmware Configuration Interface (DFCI) profiles on Windows
devices in Microsoft Intune
Device Firmware Configuration Interface (DFCI) management with Windows
Autopilot

Applies to:

Windows 10
Windows 11

Saaswedo Datalert telecom expense management is removed in Intune

In Intune, you could manage telecom expenses using Saaswedo's Datalert telecom
expense management. This feature is removed from Intune. This removal includes:

The Telecom Expense Management connector
Telecom expenses RBAC category, including:
  Read permission
  Update permission

For more information from Saaswedo, go to The datalert service is unavailable (opens
Saaswedo's web site).

Applies to:

Android
iOS/iPadOS

Settings insight within Intune Security Baselines

The Settings insight feature adds insights to security baselines giving you confidence in
configurations that are successfully adopted by similar organizations.

Navigate to Endpoint security > Security baselines. When you create and edit the
workflow, these insights are available for you in the form of a light bulb.

Device management

New endpoint security Application Control policy in preview

As a public preview, you can use a new endpoint security policy category, Application
Control. Endpoint security Application Control policy includes:

Policy to set the Intune Management Extension as a tenant-wide managed
installer. When enabled as a managed installer, apps you deploy through Intune
(after enablement of Managed Installer) to Windows devices are tagged as
installed by Intune. This tag becomes useful when you use Application Control
policies to manage which apps you want to allow or block from running on your
managed devices.

Application Control policies that are an implementation of Defender Application
Control (WDAC). With Endpoint security Application Control policies, it's easy to
configure policy that allows trusted apps to run on your managed devices. Trusted
apps are installed by a managed installer or from the App store. In addition to
built-in trust settings, these policies also support custom XML for application
control so you can allow other apps from other sources to run to meet your
organization's requirements.

To get started with using this new policy type, see Manage approved apps for Windows
devices with Application Control policy and Managed Installers for Microsoft Intune.

Applies to:

Windows 10
Windows 11

Endpoint analytics is available to tenants in Government cloud

With this release, Endpoint analytics is available to tenants in Government cloud.

Learn more about Endpoint analytics.

Introducing in-session connection mode switch in Remote Help

In Remote Help, you can now take advantage of the in-session connection mode switch
feature. This feature can help effortlessly transition between full control and view-only
modes, granting flexibility and convenience.

For more information on Remote Help, go to Remote Help.

Applies to:

Windows 10/11

Device security

Update to Endpoint Privilege Management reports

Intune's Endpoint Privilege Management (EPM) reports now support exporting the full
reporting payload to a CSV file. With this change, you can now export all events from an
elevation report in Intune.

Endpoint Privilege Management's run with elevated access option now available on
the top-level menu for Windows 11

The Endpoint Privilege Management option to Run with elevated access is now available
as a top-level right-click option on Windows 11 devices. Previous to this change,
standard users were required to select Show more options to view the Run with elevated
access prompt on Windows 11 devices.

Endpoint Privilege Management is available as an Intune add-on. For more information,
see Use Intune Suite add-on capabilities.

Applies to:

Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

Idenprotect Go by Apply Mobile Ltd (Android)
LiquidText by LiquidText, Inc. (iOS)
MyQ Roger: OCR scanner PDF by MyQ spol. s r.o.
CiiMS GO by Online Intelligence (Pty) Ltd
Vbrick Mobile by Vbrick Systems

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Microsoft Intune troubleshooting pane is now generally available

The Intune troubleshooting pane is now generally available. It provides details about
user's devices, policies, applications, and status. The troubleshooting pane includes the
following information:

A summary of policy, compliance, and application deployment status.
Support for exporting, filtering, and sorting all reports.
Support to filter by excluding policies and applications.
Support to filter to a user's single device.
Details about available device diagnostics and disabled devices.
Details about offline devices that haven't checked in to the service for three or
more days.

You can find the troubleshooting pane in Microsoft Intune admin center by selecting
Troubleshooting + support > Troubleshoot.

Updated troubleshoot + support pane in Intune

The Troubleshooting + support pane in the Intune admin center has been updated by
consolidating the Roles and Scopes report into a single report. This report now includes
all relevant role and scope data from both Intune and Azure Active Directory, providing
a more streamlined and efficient experience. For related information, see Use the
troubleshooting dashboard to help users at your company.

Download mobile app diagnostics

Now generally available, access user-submitted mobile app diagnostics in the Intune
admin center, including app logs sent through Company Portal apps, which include
Windows, iOS, Android, Android AOSP, and macOS. In addition, you can retrieve app
protection logs via Microsoft Edge. For more information, see Company Portal app logs
and Use Edge for iOS and Android to access managed app logs.

Week of June 12, 2023

Device management

New Devices from HTC and Pico supported on Microsoft Intune for
Android Open Source Devices

Microsoft Intune for Android open source project devices (AOSP) now supports the
following devices:

HTC Vive XR Elite
Pico Neo 3 Pro
Pico 4

For more information, go to:

Operating systems and browsers supported by Microsoft Intune

Android Open Source Project Supported Devices

Applies to:

Android (AOSP)

App management

Microsoft Store for Business or Microsoft Store for Education

Apps added from the Microsoft Store for Business or Microsoft Store for Education
won't deploy to devices and users. Apps show as "not applicable" in reporting. Apps
already deployed are unaffected. Use the new Microsoft Store app to deploy Microsoft
Store apps to devices or users. For related information, see Plan for Change: Ending
support for Microsoft Store for Business and Education apps for upcoming dates when
Microsoft Store for Business apps will no longer deploy and Microsoft Store for Business
apps will be removed.

For more information, see the following resources:

Update to Intune integration with the Microsoft Store on Windows
Embracing the Future of Microsoft Store with Intune: A Step-by-Step Guide
Embracing the Future of Microsoft Store with Intune for Education: A Step-by-Step
Guide

Week of June 5, 2023

Device configuration

Android Enterprise 11+ devices can use Zebra's latest OEMConfig app version

On Android Enterprise devices, you can use OEMConfig to add, create, and customize
OEM-specific settings in Microsoft Intune (Devices > Configuration profiles > Create
profile > Android Enterprise for platform > OEMConfig).

There's a new Zebra OEMConfig Powered by MX OEMConfig app that aligns more
closely to Google's standards. This app supports Android Enterprise 11.0 and newer
devices.

The older Legacy Zebra OEMConfig app continues to support devices with Android 11
and earlier.

In your Managed Google Play, there are two versions of Zebra OEMConfig app. Be sure
to select the correct app that applies to your Android device versions.

For more information on OEMConfig and Intune, go to Use and manage Android
Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

Android Enterprise 11.0 and newer

Week of May 29, 2023

Device management

Intune UI displays Windows Server devices as distinct from Windows clients for the
Security Management for Microsoft Defender for Endpoint scenario

To support the Security Management for Microsoft Defender for Endpoint (MDE security
configuration) scenario, Intune now differentiates Windows devices in Azure Active
Directory as either Windows Server for devices that run Windows Server, or as Windows
for devices that run Windows 10 or Windows 11.

With this change, you can improve policy targeting for MDE security configuration. For
example, you can use dynamic groups that consist of only Windows Server devices, or
only Windows client devices (Windows 10/11).

For more information about this change, see the Intune Customer Success blog
Windows Server devices now recognized as a new OS in Microsoft Intune, Azure AD, and
Defender for Endpoint.

Tenant administration

Organizational messages for Windows 11 now generally available

Use organizational messages to deliver branded, personalized calls to action to
employees. Select from more than 25 messages that support employees through device
onboarding and lifecycle management, in 15 different languages. Messages can be
assigned to Azure AD user groups. They're shown just above the taskbar, in the
notifications area, or in the Get started app on devices running Windows 11. Messages
continue to appear or reappear based on the frequency you configure in Intune, and
until the user has visited the customized URL.

Other features and functionality added in this release include:

Confirm licensing requirements prior to first message.
Choose from eight new themes for taskbar messages.
Give messages a custom name.
Add scope groups and scope tags.
Edit the details of a scheduled message.

Scope tags were previously unavailable for organizational messages. With the addition
of scope tag support, Intune adds the default scope tag to every message created
before June 2023. Admins who want access to those messages must be associated with
a role that has the same tag. For more information about available features and how to
set up organizational messages, see Overview of organizational messages.

Week of May 22, 2023 (Service release 2305)

App management

Update to macOS shell scripts maximum running time limit

Based on customer feedback, we're updating the Intune agent for macOS (version
2305.019) to extend the maximum script run time to 60 minutes. Previously, the Intune
agent for macOS only allowed shell scripts to run for up to 15 minutes before reporting
the script as a failure. The Intune agent for macOS 2206.014 and higher supports the 60-
minute timeout.

Assignment filters support app protection policies and app configuration policies

Assignment filters support MAM app protection policies and app configuration policies.
When you create a new filter, you can fine tune MAM policy targeting using the
following properties:

Device Management Type
Device Manufacturer
Device Model
OS Version
Application Version
MAM Client Version

Important

All new and edited app protection policies that use Device Type targeting are
replaced with assignment filters.

For more information on filters, go to Use filters when assigning your apps, policies, and
profiles in Microsoft Intune.

Update to MAM reporting in Intune

MAM reporting has been simplified and overhauled, and now uses Intune's newest
reporting infrastructure. Benefits of this include improved data accuracy and
instantaneous updating. You can find these streamlined MAM reports in the Microsoft
Intune admin center by selecting Apps > Monitor. All MAM data available to you is
contained within the new App protection status report and App configuration status
report.

Global quiet time app policy settings

The global quiet time settings allow you to create policies to schedule quiet time for
your end users. These settings automatically mute Microsoft Outlook email and Teams
notifications on iOS/iPadOS and Android platforms. These policies can be used to limit
end user notifications received after work hours. For more information, see Quiet time
notification policies.

Device configuration

Introducing enhanced chat in Remote Help

Introducing enhanced chat with Remote Help. With the new and enhanced chat you can
maintain a continuous thread of all messages. This chat provides support for special
characters and other languages including Chinese and Arabic.

For more information on Remote Help, go to Remote Help.

Applies to:

Windows 10/11

Remote Help administrators can reference audit log sessions

For Remote Help, in addition to existing session reports, administrators can now
reference audit log sessions created in Intune. This feature enables administrators to
reference past events for troubleshooting and analyzing log activities.

For more information on Remote Help, go to Remote Help.

Applies to:

Windows 10
Windows 11

Turn on/off Personal data encryption on Windows 11 devices using the settings catalog

The settings catalog includes hundreds of settings that you can configure and deploy to
your devices.

In the settings catalog, you can turn on/off Personal data encryption (PDE). PDE is a
security feature introduced in Windows 11 version 22H2 that provides more encryption
features for Windows.

PDE is different from BitLocker. PDE encrypts individual files and content, instead of
whole volumes and disks. You can use PDE with other encryption methods, such as
BitLocker.

For more information on the settings catalog, go to:

Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS
devices
Common Tasks you can complete using the Settings Catalog in Intune

This feature applies to:

Windows 11

Visual Studio ADMX settings are in the Settings Catalog and Administrative Templates

Visual Studio settings are included in the Settings Catalog and Administrative Templates
(ADMX). Previously, to configure Visual Studio settings on Windows devices, you
imported them with ADMX import.

For more information on these policy types, go to:

Use the settings catalog to configure settings
Use Windows 10/11 templates to configure group policy settings in Microsoft
Intune
Visual Studio Administrative Templates (ADMX)

Applies to:

Windows 10
Windows 11

Group policy analytics supports scope tags

In Group Policy analytics, you import your on-premises GPO. The tool analyzes your
GPOs and shows the settings that can (and can't) be used in Intune.

When you import your GPO XML file in Intune, you can select an existing scope tag. If
you don't select a scope tag, then the Default scope tag is automatically selected.
Previously, when you imported a GPO, the scope tags assigned to you were
automatically applied to the GPO.

Only admins within that scope tag can see the imported policies. Admins not in that
scope tag can't see the imported policies.

Also, admins within their scope tag can migrate the imported policies that they have
permissions to see. To migrate an imported GPO into a Settings Catalog policy, a scope
tag must be associated with the imported GPO. If a scope tag isn't associated, then it
can't migrate to a Settings Catalog policy. If no scope tag is selected, then a default
scope tag is automatically applied.

For more information on scope tags and Group Policy analytics, go to:

Analyze your on-premises GPOs using Group Policy analytics in Microsoft Intune
Create a Settings Catalog policy using your imported GPOs
Use role-based access control (RBAC) and scope tags for distributed IT

Introducing Intune integration with the Zebra Lifeguard Over-the-Air service (public
preview)

Now available in public preview, Microsoft Intune supports integration with Zebra
Lifeguard Over-the-Air service, which allows you to deliver OS updates and security
patches over-the-air to eligible Zebra devices that are enrolled with Intune. You can
select the firmware version you want to deploy, set a schedule, and stagger update
downloads and installs. You can also set minimum battery, charging status, and network
conditions requirements for when the update can happen.

This integration is available for Android Enterprise Dedicated and Fully Managed Zebra
devices that are running Android 8 or later, and it requires an account with Zebra.

New Google domain allowlist settings for Android Enterprise personally owned devices
with a work profile

On Android Enterprise personally owned devices with a work profile, you can configure
settings that restrict device features and settings.

Currently, there's an Add and remove accounts setting that can allow Google accounts
to be added to the work profile. For this setting, when you select Allow all account types,
you can also configure:

Google domain allow-list: Restricts users to add only certain Google account
domains in the work profile. You can import a list of allowed domains or add them
in the admin center using the contoso.com format. When left blank, by default, the
OS might allow adding all Google domains in the work profile.

For more information on the settings you can configure, go to Android Enterprise device
settings list to allow or restrict features on personally owned devices using Intune.

Applies to:

Android Enterprise personally owned devices with a work profile

Renaming Proactive remediation to Remediations and moving to a new location

Proactive remediations are now Remediations and are available from Devices >
Remediations. You can still find Remediations in both the new location and the existing
Reports > Endpoint Analytics location until the next Intune service update.

Remediations are currently not available in the new Devices experience preview.

Applies to:

Windows 10
Windows 11

Remediations are now available in Intune for US Government GCC High and DoD

Remediations (previously known as proactive remediations) are now available in
Microsoft Intune for US Government GCC High and DoD.

Applies to:

Windows 10
Windows 11

Create inbound and outbound network traffic rules for VPN profiles on Windows devices

Note

This setting is coming in a future release, possibly the 2308 Intune release.

You can create a device configuration profile that deploys a VPN connection to devices
(Devices > Configuration profiles > Create profile > Windows 10 and later for platform
> Templates > VPN for profile type).

In this VPN connection, you can use the Apps and Traffic rules settings to create
network traffic rules.

There's a new Direction setting you can configure. Use this setting to allow Inbound and
Outbound traffic from the VPN connection:

Outbound (default): Allows only traffic to external networks/destinations to flow
using the VPN. Inbound traffic is blocked from entering the VPN.
Inbound: Allows only traffic coming from external networks/sources to flow using
the VPN. Outbound traffic is blocked from entering the VPN.

For more information on the VPN settings you can configure, including the network
traffic rule settings, go to Windows device settings to add VPN connections using
Intune.

Applies to:

Windows 10 and later

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > macOS for platform > Settings catalog for profile type.

Microsoft Defender > Antivirus engine:

Scanning inside archive files
Enable file hash computation

Applies to:

macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

Wipe device action and new obliteration behavior setting available for macOS

You can now use the Wipe device action instead of Erase for macOS devices.
Additionally, you can configure the Obliteration Behavior setting as part of the Wipe
action.

This new key allows you to control the wipe fallback behavior on Macs that have Apple
Silicon or the T2 Security Chip. To find this setting, navigate to Devices > macOS >
[Select a device] > Overview > Wipe in the Device action area.

For more information on the Obliteration Behavior setting, go to Apple's Platform
Deployment site Erase Apple devices - Apple Support.

Applies to:

macOS

Device enrollment

Account driven Apple User Enrollment available for iOS/iPadOS 15+ devices (public
preview)

Intune supports account driven user enrollment, a new and improved variation of Apple
User Enrollment for iOS/iPadOS 15+ devices. Now available for public preview, the new
option utilizes just-in-time registration, which eliminates the need for the Company
Portal app during enrollment. Device users can initiate enrollment directly in the Settings
app, resulting in a shorter and more efficient onboarding experience. You can continue
to target iOS/iPadOS devices using the existing profile-based user enrollment method
that uses Company Portal. Devices running iOS/iPadOS, version 14.8.1 and earlier remain
unaffected by this update and can continue to use the existing method. For more
information, see Set up account driven Apple User Enrollment.

Device security

New security baseline for Microsoft 365 Office Apps

We've released a new security baseline to help you manage security configurations for
M365 Office Apps. This new baseline uses an updated template and experience that
uses the unified settings platform seen in the Intune settings catalog. You can view the
list of settings in the new baseline at Microsoft 365 Apps for Enterprise baseline settings
(Office).

The new Intune security baseline format aligns the presentation of settings that are
available to the settings found in the Intune settings catalog. This alignment helps
resolve past issues for setting names and implementations for settings that could create
conflicts. The new format also improves the reporting experience for baselines in the
Intune admin center.

The Microsoft 365 Office Apps baseline can help you rapidly deploy configurations to
your Office Apps that meet the security recommendations of the Office and security
teams at Microsoft. As with all baselines, the default baseline represents the
recommended configurations. You can modify the default baseline to meet the
requirements of your organization.

To learn more, see Security baselines overview.

Applies to:

Windows 10
Windows 11

Security baseline update for Microsoft Edge version 112

We've released a new version of the Intune security baseline for Microsoft Edge, version
112. In addition to releasing this new version for Microsoft Edge, the new baseline uses
an updated template experience that uses the unified settings platform seen in the
Intune settings catalog. You can view the list of settings in the new baseline at Microsoft
Edge baseline settings (version 112 and higher).

The new Intune security baseline format aligns the presentation of settings that are
available to the settings found in the Intune settings catalog. This alignment helps
resolve past issues for setting names and implementations for settings that could create
conflicts. The new format also improves the reporting experience for baselines in the
Intune admin center.

Now that the new baseline version is available, all new profiles you create for Microsoft
Edge use the new baseline format and version. While the new version becomes the
default baseline version, you can continue to use the profiles you've previously created
for older versions of Microsoft Edge. But, you can't create new profiles for those older
versions of Microsoft Edge.

To learn more, see Security baselines overview.

Applies to:

Windows 10
Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

Achievers by Achievers Inc.
Board.Vision for iPad by Trusted Services PTE. LTD.
Global Relay by Global Relay Communications Inc.
Incorta (BestBuy) by Incorta, Inc. (iOS)
Island Enterprise Browser by Island (iOS)
Klaxoon for Intune by Klaxoon (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Week of May 8, 2023

Device configuration

Device Firmware Configuration Interface (DFCI) supports Dynabook devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS)
settings. In the Microsoft Intune admin center, select Devices > Configuration profiles >
Create profile > Windows 10 and later for platform > Templates > Device Firmware
Configuration Interface for profile type.

Some Dynabook devices running Windows 10/11 are enabled for DFCI. Contact your
device vendor or device manufacturer for eligible devices.

For more information about DFCI profiles, go to:

Configure Device Firmware Configuration Interface (DFCI) profiles on Windows devices in Microsoft Intune
Device Firmware Configuration Interface (DFCI) management with Windows Autopilot

Applies to:

Windows 10
Windows 11

eSIM bulk activation for Windows PCs via download server is now available on the Settings Catalog

You can now perform at-scale configuration of Windows eSIM PCs using the Settings
Catalog. A download server (SM-DP+) is configured using a configuration profile.

Once the devices receive the configuration, they automatically download the eSIM
profile. For more information, go to eSIM configuration of a download server.

Applies to:

Windows 11
eSIM capable devices

Week of May 1, 2023

App management

macOS shell scripts maximum running time limit

We have fixed an issue that caused Intune tenants with long-running shell scripts to not
report back on the script run status. The macOS Intune agent stops any macOS shell
scripts that run longer than 15 minutes. These scripts report as failed. The new behavior
is enforced from macOS Intune agent version 2305.019.
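Because a script that is still running at the 15-minute mark is stopped by the agent and reported as failed, the script never gets to report a result of its own. The following wrapper is an added example (not code from the Intune agent or from this page): it runs each long step under a budget shorter than the agent's limit, so the script can exit with a status of its own before the agent intervenes. The budget value, the step name and the placeholder step are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Intune agent or from this page. The macOS
# Intune agent stops scripts after 15 minutes (900 s) and marks them failed, so
# a script still running at that point never reports its own result. Running
# each long step under a shorter budget lets the script exit with a meaningful
# status before the agent intervenes.

# Assumption: 780 s (13 min) leaves a margin under the 900 s agent limit.
STEP_BUDGET_SECONDS=${STEP_BUDGET_SECONDS:-780}

# run_with_budget SECONDS COMMAND [ARGS...]
# Starts COMMAND in the background and polls it once a second. Returns the
# command's own exit code, or 124 when the budget expired first (the same code
# coreutils 'timeout' uses; macOS ships no 'timeout', hence the loop).
run_with_budget() {
    budget=$1
    shift
    "$@" &
    child=$!
    elapsed=0
    while kill -0 "$child" 2>/dev/null; do
        if [ "$elapsed" -ge "$budget" ]; then
            kill "$child" 2>/dev/null
            wait "$child" 2>/dev/null
            return 124
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    wait "$child"
}

# Placeholder for the real work (assumption: a 2 s sleep stands in for an
# installer or download). Replace this with the actual step.
placeholder_step() {
    sleep 2
}

# main runs the step under budget and turns the outcome into the exit status
# that Intune records for the script run: 0 = success, anything else = failed.
main() {
    start=$(date +%s)
    run_with_budget "$STEP_BUDGET_SECONDS" placeholder_step
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "step finished in $(( $(date +%s) - start )) s"
    elif [ "$rc" -eq 124 ]; then
        echo "step exceeded the ${STEP_BUDGET_SECONDS} s budget; failing early so the status is reported" >&2
    else
        echo "step failed with exit code $rc" >&2
    fi
    return "$rc"
}

main "$@"
```

If a single step genuinely needs more than the budget, split it across runs (for example, download in one run and install in the next) rather than raising the budget toward the agent's limit.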

DMG app installation for macOS

The DMG app installation feature for macOS is now generally available. Intune supports
required and uninstall assignment types for DMG apps. The Intune agent for macOS is
used to deploy DMG apps. For related information, see Deploy DMG-type applications
to managed macOS devices.

Deprecation of Microsoft Store for Business and Education

The Microsoft Store for Business connector is no longer accessible in the Microsoft
Intune admin center . Apps added from the Microsoft Store for Business or Microsoft
Store for Education won't sync with Intune. Apps that have previously synced continue
to be available and deploy to devices and users.

It's now also possible to delete Microsoft Store for Business apps from the Apps pane in
the Microsoft Intune admin center so that you can clean up your environment as you
move to the new Microsoft Store app type.

For related information, see Plan for Change: Ending support for Microsoft Store for
Business and Education apps for upcoming dates when Microsoft Store for Business
apps won't deploy and Microsoft Store for Business apps are removed.

Device configuration

Remote Help now supports conditional access capability

Administrators can now use conditional access capability when setting up policies and
conditions for Remote Help. For example, you can require multi-factor authentication,
require security updates to be installed, or restrict access to Remote Help based on
region or IP address.

For more information, go to:

Conditional access
Remote Help

Device security

Updated settings for Microsoft Defender in endpoint security Antivirus policy

We've updated the available settings in the Microsoft Defender Antivirus profile for
endpoint security Antivirus policy. You can find this profile in the Intune admin center at
Endpoint security > Antivirus > Platform: Windows 10, Windows 11, and Windows
Server > Profile: Microsoft Defender Antivirus.

The following settings have been added:

Metered Connection Updates
Disable Tls Parsing
Disable Http Parsing
Disable Dns Parsing
Disable Dns Over Tcp Parsing
Disable Ssh Parsing
Platform Updates Channel
Engine Updates Channel
Security Intelligence Updates Channel
Allow Network Protection Down Level
Allow Datagram Processing On Win Server
Enable Dns Sinkhole

For more information about these settings, see the Defender CSP. The new settings
are also available through the Intune Settings Catalog.

The following setting has been deprecated:

Allow Intrusion Prevention System

This setting now appears with the Deprecated tag. If this deprecated setting was
previously applied on a device, the setting value is updated to NotApplicable and
has no effect on the device. Configuring this setting on a device also has no effect.

Applies to:

Windows 10
Windows 11

Week of April 17, 2023 (Service release 2304)

App management

Changes to iCloud app backup and restore behavior on iOS/iPadOS and macOS devices

As an app setting, you can select Prevent iCloud app backup for iOS/iPadOS and
macOS devices. With this setting, managed App Store apps and line-of-business (LOB)
apps on iOS/iPadOS, and managed App Store apps on macOS devices (macOS LOB apps
don't support this feature), can't be backed up. This applies to both user and device
licensed VPP/non-VPP apps, and to both new and existing App Store/LOB apps sent with
and without VPP that are being added to Intune and targeted to users and devices.

Preventing the backup of the specified managed apps ensures that these apps can be
properly deployed via Intune when the device is enrolled and restored from backup. If
the admin configures this new setting for new or existing apps in their tenant, then
managed apps can and will be reinstalled on devices, but Intune doesn't allow them to
be backed up.

This new setting appears in Microsoft Intune admin center by modifying the
properties of an app. For an existing app, you can select Apps > iOS/iPadOS or macOS
> select the app > Properties > Assignment Edit. If no group assignment has been set,
select Add group to add a group. Modify either the setting under VPN, Uninstall on
device removal, or Install as removable. Then, select Prevent iCloud app backup. The
Prevent iCloud app backup setting is used to prevent backup of app data for the
application. Set to No to allow the app to be backed up by iCloud.

For more information, see Changes to applications' backup and restore behavior on
iOS/iPadOS and macOS devices and Assign apps to groups with Microsoft Intune.

Prevent automatic updates for Apple VPP apps

You can control the automatic update behavior for Apple VPP at the per-app
assignment level using the Prevent automatic updates setting. This setting is available
in Microsoft Intune admin center by selecting Apps > iOS/iPadOS or macOS > Select
a volume purchase program app > Properties > Assignments > Select an Azure AD
group > App settings.

Applies to:

iOS/iPadOS
macOS

Device configuration

Updates to the macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

A new setting is available in the Settings Catalog. In the Microsoft Intune admin
center , you can see these settings at Devices > Configuration profiles > Create
profile > macOS for platform > Settings catalog for profile type.

The new setting is located under:

Microsoft AutoUpdate (MAU) > [targeted app]:

Update channel override

The following settings have been deprecated:

Microsoft AutoUpdate (MAU) > [targeted app]:

Channel Name (Deprecated)

Privacy > Privacy Preferences Policy Control > Services > Listen Event or Screen
Capture:

Allowed

Applies to:

macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

The Microsoft Enterprise SSO plug-in for Apple devices is now generally available

In Microsoft Intune, there's a Microsoft Enterprise SSO plug-in. This plug-in provides
single sign-on (SSO) to iOS/iPadOS and macOS apps and websites that use Microsoft
Azure AD for authentication.

This plug-in is now generally available (GA).

For more information about configuring the Microsoft Enterprise SSO plug-in for Apple
devices in Intune, go to Microsoft Enterprise SSO plug-in in Microsoft Intune.

Applies to:

iOS/iPadOS
macOS

Disable Activation Lock device action for supervised macOS devices

You can now use the Disable Activation Lock device action in Intune to bypass
Activation Lock on Mac devices without requiring the current username or password.
This new action is available in Devices > macOS > select one of your listed devices >
Disable Activation Lock.

More information on managing Activation Lock is available at Bypass iOS/iPadOS
Activation Lock with Intune or on Apple's website at Activation Lock for iPhone, iPad,
and iPod touch - Apple Support .

Applies to:

macOS 10.15 or later

ServiceNow Integration is now Generally Available (GA)

Now generally available, you can view a list of ServiceNow incidents associated with the
user you've selected in the Intune Troubleshooting workspace. This new feature is
available under Troubleshooting + Support > select a user > ServiceNow Incidents.
The incidents shown have a direct link back to the source incident and show key
information from the incident. All incidents listed link the "Caller" identified in the
incident with the user selected for Troubleshooting.

For more information, go to Use the troubleshooting portal to help users at your
company.

More permissions to support administrators in controlling delivery of organization messages

With more permissions administrators can control delivery of content created and
deployed from Organizational messages and the delivery of content from Microsoft to
users.

The Update organizational message control RBAC permission for organizational
messages determines who can change the Organizational Messages toggle to allow or
block Microsoft direct messages. This permission is also added to the Organizational
Messages Manager built-in role.

Existing custom roles for managing Organizational Messages must be modified to add
this permission for users to modify this setting.

For more information about role-based access control (RBAC), see RBAC with
Microsoft Intune.

For more information about prerequisites for organizational messages, see
Organizational messages prerequisites.

Device management

Endpoint security firewall rules support for ICMP type

You can now use the IcmpTypesAndCodes setting to configure inbound and outbound
rules for Internet Control Message Protocol (ICMP) as part of a firewall rule. This setting
is available in the Microsoft Defender Firewall rules profile for the Windows 10, Windows
11, and Windows Server platform.

Applies to:

Windows 11 and later

Manage Windows LAPS with Intune policies (public preview)

Now available in a public preview, manage Windows Local Administrator Password
Solution (Windows LAPS) with Microsoft Intune Account protection policies. To get
started, see Intune support for Windows LAPS.

Windows LAPS is a Windows feature that allows you to manage and back up the
password of a local administrator account on your Azure Active Directory-joined or
Windows Server Active Directory-joined devices.

To manage LAPS, Intune configures the Windows LAPS configuration service provider
(CSP) that is built in to Windows devices. It takes precedence over other sources of
Windows LAPS configurations, like GPOs or the Microsoft Legacy LAPS tool. Some of the
capabilities you can use when Intune manages Windows LAPS include:

Define password requirements like complexity and length that apply to the local
administrator accounts on a device.
Configure devices to rotate their local admin account passwords on a schedule.
And, back up the account and password in your Azure Active Directory or on-
premises Active Directory.
Use an Intune device action from the admin center to manually rotate the
password for an account on your own schedule.
View account details from within the Intune admin center, like the account name
and password. This information can help you recover devices that are otherwise
inaccessible.
Use Intune reports to monitor your LAPS policies, and when devices last rotated
passwords manually or by schedule.

Applies to:

Windows 10
Windows 11

New settings available for macOS software update policies

macOS software update policies now include the following settings to help manage
when updates install on a device. These settings are available when the All other updates
update type is configured to Install later:

Max User Deferrals: When the All other updates update type is configured to
Install later, this setting allows you to specify the maximum number of times a user
can postpone a minor OS update before it's installed. The system prompts the user
once a day. Available for devices running macOS 12 and later.

Priority: When the All other updates update type is configured to Install later, this
setting allows you to specify values of Low or High for the scheduling priority for
downloading and preparing minor OS updates. Available for devices running
macOS 12.3 and later.

For more information, see Use Microsoft Intune policies to manage macOS software
updates.

Applies to:

macOS

Introducing the new partner portals page

You can now manage hardware specific information on your HP or Surface devices from
our partner portals page.

The HP link takes you to HP Connect where you can update, configure, and secure the
BIOS on your HP devices. The Microsoft Surface link takes you to the Surface
Management Portal where you can get insights into device compliance, support activity,
and warranty coverage.

To access the Partner portals page, you must enable the Devices pane preview and then
navigate to Devices > Partner Portals.

Windows Update compatibility reports for Apps and Drivers are now generally available

The following Microsoft Intune reports for Windows Update compatibility are out of
preview and now generally available:

Windows feature update device readiness report - This report provides per-
device information about compatibility risks that are associated with an upgrade or
update to a chosen version of Windows.

Windows feature update compatibility risks report - This report provides a
summary view of the top compatibility risks across your organization for a chosen
version of Windows. You can use this report to understand which compatibility
risks impact the greatest number of devices in your organization.

These reports can help you plan an upgrade from Windows 10 to 11, or for installing the
latest Windows feature update.

Device security

Microsoft Intune Endpoint Privilege Management is generally available

Microsoft Endpoint Privilege Management (EPM) is now generally available and no
longer in preview.

With Endpoint Privilege Management, admins can set policies that allow standard users
to perform tasks normally reserved for an administrator. To do so, you configure policies
for automatic and user-confirmed workflows that elevate the run-time permissions for
apps or processes you select. You then assign these policies to users or devices that
have end users running without Administrator privileges. After the device receives a
policy, EPM brokers the elevation on behalf of the user, allowing them to elevate
approved applications without needing full administrator privileges. EPM also includes
built-in insights and reporting.

Now that EPM is out of preview, it requires another license to use. You can choose
between a stand-alone license that adds only EPM, or license EPM as part of the
Microsoft Intune Suite. For more information, see Use Intune Suite add-on capabilities.

While Endpoint Privilege Management is now generally available, the reports for EPM
will transition to a feature in preview, and will receive some more enhancements before
being removed from preview.

Support for WDAC Application ID tagging with Intune Firewall Rules policy

Intune's Microsoft Defender Firewall Rules profiles, which are available as part of
endpoint security Firewall policy, now include the Policy App ID setting. This setting is
described in the MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId CSP and
supports specifying a Windows Defender Application Control (WDAC) Application ID
tag.

With this capability, you can scope your firewall rules to an application or a group of
applications and rely on your WDAC policies to define those applications. By using tags
to link to and rely on WDAC policies, your Firewall Rules policy won't need to rely on the
firewall rules option of an absolute file path, or use of a variable file path that can
reduce security of the rule.

Use of this capability requires you to have WDAC policies in place that include AppId
tags that you can then specify in your Intune Microsoft Defender Firewall Rules.

For more information, see the following articles in the Windows Defender Application
Control documentation:

About application control for Windows
WDAC Application ID (AppId) Tagging guide

Applies to:

Windows 10/11

New App and browser isolation profile for Intune's endpoint security Attack Surface Reduction policy

We have released a new experience creating new App and Browser Isolation profiles for
endpoint security Attack Surface Reduction policy. The experience for editing your
previously created App and Browser isolation policies remains the same, and you can
continue to use them. This update applies only for the new App and Browser Isolation
policies you create for the Windows 10 and later platform.

This update is part of the continuing rollout of new profiles for endpoint security
policies, which began in April 2022.

Additionally, the new profile includes the following changes for the settings it includes:

Block external content from non-enterprise approved sites - This setting is
removed from the updated profile as it was supported only by Microsoft Edge
Legacy. Microsoft Edge Legacy support ended in March 2021. See Microsoft 365 apps
say farewell to Internet Explorer 11 and Windows 10 sunsets Microsoft Edge
Legacy - Microsoft Community Hub.

Clipboard file type - This setting is added to the updated profile and determines
the type of content that can be copied from the host to the Application Guard
environment and vice versa. You can view the CSP for this new setting at
Settings/ClipboardFileType in the WindowsDefenderApplicationGuard CSP
documentation.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

ixArma by INAX-APPS (iOS)
myBLDNG by Bldng.ai (iOS)
RICOH Spaces V2 by Ricoh Digital Services
Firstup - Intune by Firstup, Inc. (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Role-based access control

New Assign (RBAC) permissions for organizational messages

The Assign RBAC permission for organizational messages determines who can assign
target Azure AD groups to an organizational message. To access RBAC permissions, sign
in to the Microsoft Intune admin center and go to Tenant administration > Roles.

This permission is also added to the Organizational Messages Manager built-in role.
Existing custom roles for managing Organizational Messages must be modified to add
this permission for users to modify this setting.

For more information about role-based access control (RBAC), see RBAC with
Microsoft Intune.

For more information about prerequisites for organizational messages, see
Organizational messages prerequisites.

Tenant administration

Delete organizational messages

You can now delete organizational messages from Microsoft Intune. After you delete a
message, it's removed from Intune, and no longer appears in the admin center. You can
delete a message anytime, regardless of its status. Intune automatically cancels active
messages after you delete them. For more information, see Delete organizational
messages.

Review audit logs for organizational messages

Use audit logs to track and monitor organizational message events in Microsoft Intune.
To access the logs, sign in to the Microsoft Intune admin center and go to Tenant
administration > Audit logs. For more information, see Audit logs for Intune activities.

Week of April 10, 2023

Device configuration

User configuration support for Windows 10 multi-session VMs is now GA

You can now:

Configure user scope policies using Settings catalog and assign to groups of
users.
Configure user certificates and assign to users.
Configure PowerShell scripts to install in the user context and assign to users.

Applies to:

Windows 10
Virtual machines created in Azure Public and Azure Government clouds

Week of April 3, 2023

Device configuration

Add Google accounts to Android Enterprise personally owned devices with a work profile

On Android Enterprise personally owned devices with a work profile, you can configure
settings that restrict device features and settings. Previously, the Add and remove
accounts setting prevented accounts from being added in the work profile, including
Google accounts.

This setting has changed. You can now add Google accounts. The Add and remove
accounts setting options are:

Block all accounts types: Prevents users from manually adding or removing
accounts in the work profile. For example, when you deploy the Gmail app into the
work profile, you can prevent users from adding or removing accounts in this work
profile.

Allow all accounts types: Allows all accounts, including Google accounts. These
Google accounts are blocked from installing apps from the Managed Google Play
Store.

This setting requires:

Google Play app version 80970100 or higher

Allow all accounts types, except Google accounts (default): Intune doesn't change
or update this setting. By default, the OS might allow adding accounts in the work
profile.

For more information on the settings you can configure, go to Android Enterprise device
settings list to allow or restrict features on personally owned devices using Intune.

Applies to:

Android Enterprise personally owned devices with a work profile

Week of March 27, 2023

App management

Update macOS DMG apps

You can now update apps of type macOS apps (DMG) deployed using Intune. To edit a
DMG app that's already created in Intune, upload the app update with the same bundle
identifier as the original DMG app. For related information, see Add a macOS DMG app
to Microsoft Intune.

Install required apps during pre-provisioning

A new toggle is available in the Enrollment Status Page (ESP) profile that allows you to
select whether you want to attempt to install required applications during the
pre-provisioning (white glove) technician phase. Installing as many applications as
possible during pre-provisioning reduces the end user setup time. If an app fails to
install, ESP continues, unless the failing app is one of the apps selected in the ESP
profile. To enable this function, edit your Enrollment Status Page profile and select
Yes on the new setting entitled Only fail selected apps in technician phase. This
setting only appears if you have blocking apps selected. For information about ESP,
go to Set up the Enrollment Status Page.

Week of March 20, 2023 (Service release 2303)

App management

More minimum OS versions for Win32 apps

Intune supports more minimum operating system versions for Windows 10 and 11 when
installing Win32 apps. In Microsoft Intune admin center , select Apps > Windows >
Add > Windows app (Win32). In the Requirements tab next to Minimum operating
system, select one of the available operating systems. Other OS options include:

Windows 10 21H2
Windows 10 22H2
Windows 11 21H2
Windows 11 22H2

Managed apps permission is no longer required to manage VPP apps

You can view and manage VPP apps with only the Mobile apps permission assigned.
Previously, the Managed apps permission was required to view and manage VPP apps.
This change doesn't apply to Intune for Education tenants who still need to assign the
Managed apps permission. More information about permissions in Intune is available at
Custom role permissions.

Device configuration

New settings and setting options available in the macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin
center , you can see these settings at Devices > Configuration profiles > Create
profile > macOS for platform > Settings catalog for profile type.

New settings include:

Microsoft Defender > Tamper protection:

Enforcement level

Microsoft Office > Microsoft OneDrive:

Automatic upload bandwidth percentage
Automatically and silently enable the Folder Backup feature (aka Known Folder
Move)
Block apps from downloading online-only files
Block external sync
Disable automatic sign in
Disable download toasts
Disable personal accounts
Disable tutorial
Display a notification to users once their folders have been redirected
Enable Files On-Demand
Enable simultaneous edits for Office apps
Force users to use the Folder Backup feature (aka Known Folder Move)
Hide dock icon
Ignore named files
Include ~/Desktop in Folder Backup (aka Known Folder Move)
Include ~/Documents in Folder Backup (aka Known Folder Move)
Open at login
Prevent users from using the Folder Backup feature (aka Known Folder Move)
Prompt users to enable the Folder Backup feature (aka Known Folder Move)
Set maximum download throughput
Set maximum upload throughput
SharePoint Prioritization
SharePoint Server Front Door URL
SharePoint Server Tenant Name

Applies to:

macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

Add custom Bash scripts to configure Linux devices

In Intune, you can add existing Bash scripts to configure Linux devices (Devices > Linux
> Configuration Scripts).

When you create this script policy, you can set the context that the script runs in (user or
root), how frequently the script runs, and how many times execution should retry.

For more information on this feature, go to Use custom Bash scripts to configure Linux
devices in Microsoft Intune.

Applies to:

Linux Ubuntu Desktops
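Since Intune chooses the run context (user or root), the schedule and the retry count, the script itself has to be idempotent (a retry reruns it from the start) and has to exit nonzero when it could not finish (otherwise no retry is triggered). The following skeleton is an added example, not a script from the page or from Microsoft: it refuses to continue when it is not in the root context it expects, and ensures a sysctl drop-in line is present without duplicating it on rerun. The drop-in path, the setting and the INTUNE_APPLY guard are assumptions.

```shell
#!/bin/sh
# Added example, not Intune's or Microsoft's code: skeleton for a custom Linux
# script deployed by Intune. Intune decides the run context (user or root), the
# schedule and the retry count; this script is written so that a rerun is
# harmless (idempotent) and a failure is visible (nonzero exit), which is what
# makes the retry setting meaningful.

# Assumption: the setting to enforce is a sysctl drop-in line; both values are
# examples chosen for this demonstration.
SYSCTL_FILE=${SYSCTL_FILE:-/etc/sysctl.d/60-example-hardening.conf}
SYSCTL_LINE=${SYSCTL_LINE:-"kernel.kptr_restrict = 2"}

# running_as_root -> 0 when the effective user is root (the "root" run context)
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

# ensure_line FILE LINE
# Appends LINE to FILE unless an identical line is already present, so repeated
# runs leave exactly one copy. Returns 0 only if FILE contains LINE afterwards.
ensure_line() {
    file=$1
    line=$2
    if [ -f "$file" ] && grep -Fxq -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file" || return 1
    grep -Fxq -- "$line" "$file"
}

# main applies the configuration and maps the outcome to the exit status Intune
# records: 0 = success, 1 = failed (eligible for retry).
main() {
    if ! running_as_root; then
        echo "expected the root run context; refusing to continue" >&2
        return 1
    fi
    ensure_line "$SYSCTL_FILE" "$SYSCTL_LINE" || return 1
    # Apply the new value now rather than waiting for the next boot.
    sysctl --system >/dev/null 2>&1 || return 1
    echo "applied: $SYSCTL_LINE"
}

# Guard (assumption) so the example can be run or sourced for testing without
# touching the host; put INTUNE_APPLY=1 at the top of the version you upload.
if [ "${INTUNE_APPLY:-0}" = "1" ]; then
    main "$@"
    exit $?
fi
```

The same pattern applies to the user context: check `id -u` against the expected account instead of root, and keep every mutation behind a check so the retry count never produces duplicated configuration.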

Device enrollment

Support for the await final configuration setting for iOS/iPadOS Automated device enrollment (public preview)

Now in public preview, Intune supports a new setting called Await final configuration in
eligible new and existing iOS/iPadOS automated device enrollment profiles. This setting
enables an out-of-the-box locked experience in Setup Assistant. It prevents device users
from accessing restricted content or changing settings on the device until most Intune
device configuration policies are installed. You can configure the setting in an existing
automated device enrollment profile, or in a new profile (Devices > iOS/iPadOS >
iOS/iPadOS enrollment > Enrollment program tokens > Create profile). For more
information, see Create an Apple enrollment profile.

New setting gives Intune admins control over device-to-category mapping

Control visibility of the device category prompt in Intune Company Portal. You can now
hide the prompt from end users and leave the device-to-category mapping up to Intune
admins. The new setting is available in the admin center under Tenant Administration >
Customization > Device Categories. For more information, see Device categories.

Support for multiple enrollment profiles and tokens for fully managed devices

Create and manage multiple enrollment profiles and tokens for Android Enterprise fully
managed devices. With this new functionality, you can now use the
EnrollmentProfileName dynamic device property to automatically assign enrollment
profiles to fully managed devices. The enrollment token that came with your tenant
remains in a default profile. For more information, see Set up Intune enrollment of
Android Enterprise fully managed devices.

New Azure AD frontline worker experience for iPad (public preview)

This capability begins to roll out to tenants in mid-April.

Intune now supports a frontline worker experience for iPhones and iPads using Apple
automated device enrollment. You can now enroll devices that are enabled in Azure AD
shared mode via zero-touch. For more information about how to configure automated
device enrollment for shared device mode, see Set up enrollment for devices in Azure
AD shared device mode.

Applies to:

iOS/iPadOS

Device management

Endpoint security firewall policy support for log configurations

You can now configure settings in endpoint security Firewall policy that configure
firewall logging options. These settings can be found in the Microsoft Defender Firewall
profile template for the Windows 10 and later platform, and are available for the
Domain, Private, and Public profiles in that template.

Following are the new settings, all found in the Firewall configuration service provider
(CSP):

Enable Log Success Connections
Log File Path
Enable Log Dropped Packets
Enable Log Ignored Rules

Applies to:

Windows 10
Windows 11
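Turning on Enable Log Dropped Packets and Enable Log Success Connections makes the firewall write a space-separated text log (by default %systemroot%\system32\LogFiles\Firewall\pfirewall.log; Log File Path changes the location) whose column layout is declared in its #Fields: header. The shell functions below are an added example, not from the page or from Microsoft's tooling, that summarize such a log once it has been copied off a device: which sources are having the most inbound traffic dropped, and which source has touched many different ports. The log lines are constructed for the example; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the page or from Microsoft: summarize a Windows
# Defender Firewall log (pfirewall.log) collected from a device. The log is
# constructed here so the functions run offline; the column layout follows the
# "#Fields:" header the firewall writes (17 space-separated fields).

SAMPLE_LOG='#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-04-10 09:15:01 DROP TCP 10.0.0.25 10.0.0.7 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2023-04-10 09:15:02 DROP TCP 10.0.0.25 10.0.0.7 51235 445 52 S 1234568 0 8192 - - - RECEIVE
2023-04-10 09:15:03 ALLOW TCP 10.0.0.7 10.0.0.30 49152 443 0 - 0 0 0 - - - SEND
2023-04-10 09:15:04 DROP ICMP 10.0.0.25 10.0.0.7 - - 60 - - - - 8 0 - RECEIVE
2023-04-10 09:15:05 DROP TCP 10.0.0.25 10.0.0.7 51236 3389 52 S 1234569 0 8192 - - - RECEIVE
2023-04-10 09:15:06 DROP TCP 192.168.1.9 10.0.0.7 40001 22 52 S 7654321 0 8192 - - - RECEIVE
2023-04-10 09:15:07 DROP TCP 10.0.0.7 10.0.0.40 49153 8080 52 S 1111111 0 8192 - - - SEND'

# count_action ACTION LOGTEXT -> number of entries with that action (DROP/ALLOW)
count_action() {
    printf '%s\n' "$2" | awk -v want="$1" '!/^#/ && $3 == want { n++ } END { print n + 0 }'
}

# dropped_inbound_by_source LOGTEXT
# Prints "src-ip target count", most frequent first, for dropped inbound
# (path RECEIVE) entries. target is the destination port, or icmp/<type>
# for ICMP, which has no port columns.
dropped_inbound_by_source() {
    printf '%s\n' "$1" | awk '
        /^#/ { next }
        $3 == "DROP" && $17 == "RECEIVE" {
            target = ($4 == "ICMP") ? ("icmp/" $14) : $8
            count[$5 " " target]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1 -k2,2
}

# distinct_ports_per_source LOGTEXT
# Prints "src-ip n" where n is how many different TCP/UDP destination ports
# that source had dropped inbound; one host touching many ports is the shape
# of a port sweep.
distinct_ports_per_source() {
    printf '%s\n' "$1" | awk '
        /^#/ { next }
        $3 == "DROP" && $17 == "RECEIVE" && ($4 == "TCP" || $4 == "UDP") {
            if (!(($5, $8) in seen)) { seen[$5, $8] = 1; n[$5]++ }
        }
        END { for (s in n) print s, n[s] }
    ' | sort -k2,2nr -k1,1
}

# flag_port_sweeps LOGTEXT THRESHOLD -> sources with more than THRESHOLD ports
flag_port_sweeps() {
    distinct_ports_per_source "$1" | awk -v t="$2" '$2 > t { print $1 }'
}

main() {
    echo "dropped entries: $(count_action DROP "$SAMPLE_LOG")"
    echo "dropped inbound by source and target:"
    dropped_inbound_by_source "$SAMPLE_LOG"
    echo "sources touching more than 1 distinct port:"
    flag_port_sweeps "$SAMPLE_LOG" 1
}

main
```

Run against a real log by replacing SAMPLE_LOG with `$(cat pfirewall.log)`; the ALLOW entries that Enable Log Success Connections adds are what let you confirm a rule change had the intended effect, while the DROP/RECEIVE view above is the one to watch for unexpected inbound probing.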

Endpoint security firewall rules support for Mobile Broadband (MBB)

The Interface Types setting in endpoint security Firewall policy now includes the option
for Mobile Broadband. Interface Types is available in the Microsoft Defender Firewall
Rules profile for all platforms that support Windows. For information about the use of
this setting and option, see Firewall configuration service provider (CSP).

Applies to:

Windows 10
Windows 11

Endpoint security firewall policy support for network list manager settings

We've added a pair of network list manager settings to endpoint security Firewall policy.
To help determine when an Azure AD device is or isn't on your on-premises domain
subnets, you can use the network list manager settings. This information can help
firewall rules apply correctly.

The following settings are found in a new category named Network List Manager, that's
available in the Microsoft Defender Firewall profile template for the Windows 10,
Windows 11, and Windows Server platform:

Allowed Tls Authentication Endpoints
Configured Tls Authentication Network Name

For information about Network Categorization settings, see NetworkListManager CSP.

Applies to:

Windows 10
Windows 11

Improvements to Devices area in admin center (public preview)

The Devices area in the admin center now has a more consistent UI, with more capable
controls and an improved navigation structure so you can find the information you need
faster. To opt in to the public preview and try out the new experience, go to Devices and
flip the toggle at the top of the page. Improvements include:

A new scenario-focused navigation structure.
New location for platform pivots to create a more consistent navigation model.
A reduction in journey, helping you get to your destination faster.
Monitoring and reports are within the management workflows, giving you easy
access to key metrics and reports without having to leave the workflow.
A consistent way across list views to search, sort, and filter data.

For more information about the updated UI, see Try new Devices experience in
Microsoft Intune.

Device security

Microsoft Intune Endpoint Privilege Management (public preview)

As a public preview, you can now use Microsoft Intune Endpoint Privilege Management.
With Endpoint Privilege Management, admins can set policies that allow standard users
to perform tasks normally reserved for an administrator. Endpoint Privilege
Management can be configured in the Intune admin center at Endpoint security >
Endpoint Privilege Management.

With the public preview, you can configure policies for automatic and user-confirmed
workflows that elevate the run-time permissions for apps or processes you select. You
then assign these policies to users or devices that have end users running without
Administrator privileges. Once policy is received, Endpoint Privilege Management will
broker the elevation on behalf of the user, allowing them to elevate approved
applications without needing full administrator privileges. The preview also includes
built-in insights and reporting for Endpoint Privilege Management.

To learn how to activate the public preview and use Endpoint Privilege Management
policies, start with Use Endpoint Privilege Management with Microsoft Intune. Endpoint
Privilege Management is part of the Intune Suite offering, and free to try while it
remains in public preview.

Intune apps

Newly available protected apps for Intune


The following protected apps are now available for Microsoft Intune:

EVALARM by GroupKom GmbH (iOS)
ixArma by INAX-APPS (Android)
Seismic | Intune by Seismic Software, Inc.
Microsoft Viva Engage by Microsoft (formerly Microsoft Yammer)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Diagnostic data collection for Endpoint Privilege Management

To support the release of Endpoint Privilege Management, we've updated Collect
diagnostics from a Windows device to include the following data, which is collected
from devices enabled for Endpoint Privilege Management:

Registry keys:
HKLM\SOFTWARE\Microsoft\EPMAgent

Commands:
%windir%\system32\pnputil.exe /enum-drivers

Log files:
%ProgramFiles%\Microsoft EPM Agent\Logs\*.*
%windir%\system32\config\systemprofile\AppData\Local\mdm\*.log
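The same artifacts can be gathered locally when you are triaging a single device and want to inspect the EPM agent state before (or instead of) pulling a full diagnostics bundle through the admin center. The following PowerShell script is an added example, not part of Intune's diagnostics tooling or of this article: it exports the registry key, captures the command output, and copies the log paths listed above into one timestamped folder, then writes a SHA-256 manifest so the bundle can be verified after it changes hands. The output folder name and the manifest are assumptions of the example; run it in an elevated session, because the SYSTEM profile path is not readable otherwise.

```powershell
# Added example (not Intune's own diagnostics code): gather the EPM-related artifacts
# listed in the release note into one local folder for offline review.
# Assumptions: output folder under %TEMP% (the name is arbitrary); run elevated.

$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$outputRoot = Join-Path $env:TEMP "EPMDiag-$stamp"
New-Item -ItemType Directory -Path $outputRoot -Force | Out-Null

# 1. Registry key: export with reg.exe so value types survive, or record its absence.
$epmKeyPath = 'HKLM:\SOFTWARE\Microsoft\EPMAgent'
if (Test-Path $epmKeyPath) {
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\EPMAgent' (Join-Path $outputRoot 'EPMAgent.reg') /y | Out-Null
} else {
    "Registry key $epmKeyPath not present: the EPM agent does not appear to be installed." |
        Set-Content -Path (Join-Path $outputRoot 'EPMAgent.missing.txt')
}

# 2. Command: the same driver enumeration the diagnostics bundle collects.
& "$env:windir\system32\pnputil.exe" /enum-drivers 2>&1 |
    Set-Content -Path (Join-Path $outputRoot 'pnputil-enum-drivers.txt')

# 3. Log files: EPM agent logs and the MDM logs under the SYSTEM profile.
$logPatterns = @(
    "$env:ProgramFiles\Microsoft EPM Agent\Logs\*.*",
    "$env:windir\system32\config\systemprofile\AppData\Local\mdm\*.log"
)
foreach ($pattern in $logPatterns) {
    # Name the subfolder after the source folder (Logs, mdm) so origins stay obvious.
    $subFolder = Split-Path (Split-Path $pattern -Parent) -Leaf
    $dest = Join-Path $outputRoot $subFolder
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue |
        Copy-Item -Destination $dest -Force -ErrorAction Continue
}

# 4. Integrity manifest: SHA-256 of every collected file, computed before the manifest
#    itself is written so it does not list itself.
$hashes = Get-ChildItem -Path $outputRoot -Recurse -File | Get-FileHash -Algorithm SHA256
$hashes |
    Select-Object @{ n = 'RelativePath'; e = { $_.Path.Substring($outputRoot.Length + 1) } }, Hash |
    Export-Csv -Path (Join-Path $outputRoot 'manifest.csv') -NoTypeInformation

Write-Host "EPM diagnostics collected to $outputRoot"
```

Files that the agent holds open may fail to copy; the `-ErrorAction Continue` on `Copy-Item` keeps the rest of the collection going and leaves the error visible rather than silently producing a partial bundle.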

View status for pending and failed organizational messages


We've added two more states to organizational message reporting details to make it
easier to track pending and failed messages in the admin center.

Pending: The message hasn't been scheduled yet and is currently in progress.
Failed: The message failed to schedule due to a service error.

For information about reporting details, see View reporting details for organizational
messages.

More reporting information related to tenant attach devices


You can now view information for tenant attach devices in the existing antivirus reports
under the Endpoint Security workload. A new column differentiates between devices
managed by Intune and devices managed by Configuration Manager. This reporting
information is available in Microsoft Intune admin center by selecting Endpoint
security > Antivirus.

Week of March 13, 2023

Device management

Meta Quest 2 and Quest Pro are now in Open Beta (US only) on
Microsoft Intune for Android Open Source Devices

Microsoft Intune for Android open source project devices (AOSP) has welcomed Meta
Quest 2 and Quest Pro into Open Beta for the US market.

For more information, go to Operating systems and browsers supported by Microsoft
Intune

Applies to:

Android (AOSP)

App management

Trusted Root Certificates Management for Intune App SDK for Android

If your Android application requires SSL/TLS certificates issued by an on-premises or
private certificate authority to provide secure access to internal websites and
applications, the Intune App SDK for Android now has support for certificate trust
management. For more information and examples, see Trusted Root Certificates
Management.

System context support for UWP apps


In addition to user context, you can deploy Universal Windows Platform (UWP) apps
from the Microsoft Store app (new) in system context. If a provisioned .appx app is
deployed in system context, the app auto-installs for each user that logs in. If an
individual end user uninstalls the user context app, the app still shows as installed
because it's still provisioned. In addition, the app must not already be installed for any
users on the device. Our general recommendation is to not mix install contexts when
deploying apps. Win32 apps from the Microsoft Store app (new) already support
system context.
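Because a provisioned package keeps showing as installed after a per-user uninstall, and because the guidance above is not to mix install contexts, it helps to know how a UWP package is currently installed on a device before assigning it in system context. The following PowerShell function is an added example, not code from Intune or this article; it uses the built-in `Get-AppxPackage -AllUsers` and `Get-AppxProvisionedPackage -Online` cmdlets (both need an elevated session) and reports per-user installs, provisioning state, and a plain assessment. The package name in the sample call is an illustration only.

```powershell
# Added example, not Intune code: inspect how a UWP package is installed on a device
# before assigning it in system context, since a package already installed for any user
# should not also be deployed device-wide. Assumptions: run elevated; the package name
# passed to the sample call is just an example.

function Get-UwpInstallContext {
    param(
        # Package name as shown by Get-AppxPackage, e.g. Microsoft.WindowsCalculator
        [Parameter(Mandatory)][string]$PackageName
    )

    # Per-user installs, across every user profile on the device.
    $perUser = @(Get-AppxPackage -AllUsers -Name $PackageName -ErrorAction SilentlyContinue)

    # Provisioned (device-wide) package: auto-installs for each user who signs in.
    $provisioned = @(Get-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $PackageName })

    # Users who currently have the package, taken from the per-user install records.
    $users = foreach ($pkg in $perUser) {
        foreach ($info in $pkg.PackageUserInformation) {
            if ($info.InstallState -eq 'Installed') { $info.UserSecurityId.Username }
        }
    }

    if ($perUser.Count -gt 0 -and $provisioned.Count -eq 0) {
        $assessment = 'UserContextOnly: already installed for a user; do not assign in system context here'
    } elseif ($provisioned.Count -gt 0) {
        $assessment = 'SystemContext: provisioned; a per-user uninstall will still report as installed'
    } else {
        $assessment = 'NotInstalled: either context is possible, but do not mix them'
    }

    [pscustomobject]@{
        PackageName  = $PackageName
        Provisioned  = ($provisioned.Count -gt 0)
        UserInstalls = $perUser.Count
        InstalledFor = @($users | Sort-Object -Unique)
        Assessment   = $assessment
    }
}

# Sample call with a real inbox package name, used only as an illustration.
Get-UwpInstallContext -PackageName 'Microsoft.WindowsCalculator' | Format-List
```

Run it against a representative device from the target group before creating the system-context assignment; if `UserInstalls` is non-zero and `Provisioned` is false, the device already has a user-context install and the note above says the system-context deployment should not be layered on top of it.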

Week of March 6, 2023

App management

Deploy Win32 apps to device groups


You can now deploy Win32 apps with Available intent to device groups. For more
information, see Win32 app management in Microsoft Intune.

Device management

New URL for Microsoft Intune admin center

The Microsoft Intune admin center has a new URL: https://intune.microsoft.com. The
previously used URL, https://endpoint.microsoft.com, continues to work but will
redirect to the new URL in late 2023. We recommend taking the following actions to
avoid issues with Intune access and automated scripts:

Update login or automation to point to https://intune.microsoft.com.
Update your firewalls, as needed, to allow access to the new URL.
Add the new URL to your favorites and bookmarks.
Notify your helpdesk and update IT administrator documentation.

Tenant administration

Add CMPivot queries to Favorites folder

You can add your frequently used queries to a Favorites folder in CMPivot. CMPivot
allows you to quickly assess the state of a device managed by Configuration Manager
via Tenant Attach and take action. The functionality is similar to one already present in
the Configuration Manager console. This addition helps you keep all your most used
queries in one place. You can also add tags to your queries to help search and find
queries. The queries saved in the Configuration Manager console aren't automatically
added to your Favorites folder. You need to create new queries and add them to this
folder. For more information about CMPivot, see Tenant attach: CMPivot usage
overview.

Device enrollment

New Microsoft Store apps now supported with the Enrollment Status Page

The Enrollment Status Page (ESP) now supports the new Microsoft store applications
during Windows Autopilot. This update enables better support for the new Microsoft
Store experience and should be rolling out to all tenants starting with Intune 2303. For
related information, see Set up the Enrollment Status Page.

Week of February 27, 2023

Device configuration

Support for Locate device on Android Enterprise corporate owned fully managed and
Android Enterprise corporate owned work profile devices

You can now use "Locate device" on Android Enterprise corporate owned fully managed
and Android Enterprise corporate owned work profile devices. With this feature, admins
are able to locate lost or stolen corporate devices on-demand.

In Microsoft Intune admin center, you need to turn the feature on using Device
Restrictions in Device Configuration for Android Enterprise.

Select Allow on the Locate device toggle for fully managed and corporate owned work
profile devices and select applicable groups. Locate device is available when you select
Devices, and then select All devices. From the list of devices you manage, select a
supported device, and choose the Locate device remote action.

For information on locating lost or stolen devices with Intune, go to:

Locate lost or stolen devices with Intune

Applies to:

Android Enterprise corporate owned fully managed
Android Enterprise corporate owned dedicated devices
Android Enterprise corporate owned work profile

Intune add-ons

Microsoft Intune Suite adds mission-critical advanced endpoint management and
security capabilities to Microsoft Intune.

You can find add-ons to Intune in the Microsoft Intune admin center under Tenant
administration > Intune add-ons.

For detailed information, see Use Intune Suite add-on capabilities.

View ServiceNow Incidents in the Intune Troubleshooting workspace (Preview)

In public preview, you can view a list of ServiceNow incidents associated with the user
you've selected in the Intune Troubleshooting workspace. This new feature is available
under Troubleshooting + Support > select a user > ServiceNow Incidents. Each incident
shown links directly back to the source incident and displays key information from it.
The list contains the incidents whose "Caller" is the user selected for troubleshooting.

For more information, go to Use the troubleshooting portal to help users at your
company.

Device security

Microsoft Tunnel for MAM is now generally available


Now out of preview and generally available, you can add Microsoft Tunnel for Mobile
Application Management to your tenant. Tunnel for MAM supports connections from
unenrolled Android and iOS devices. This solution provides your tenant with a
lightweight VPN solution that allows mobile devices access to corporate resources while
adhering to your security policies.

In addition, MAM Tunnel for iOS now supports Microsoft Edge.

Previously, Tunnel for MAM for Android and iOS was in public preview and free for use.
With this release as generally available, this solution now requires an add-on license for
its use.

For licensing details, see Intune add-ons.

Applies to:

Android
iOS

Tenant administration

Organizational messages now support custom destination URLs


You can now add any custom destination URL to organizational messages in the taskbar,
notifications area, and Get Started app. This feature applies to Windows 11. Messages
created with Azure AD-registered domains that are in a scheduled or active state are still
supported. For more information, see Create organizational messages.

What's new archive


For previous months, see the What's new archive.

Notices

These notices provide important information that can help you prepare for future Intune
changes and features.

Plan for change: Intune is moving to support iOS/iPadOS 15 and later

Later this year, we expect iOS 17 to be released by Apple. Microsoft Intune, including
the Intune Company Portal and Intune app protection policies (APP, also known as
MAM), will require iOS 15/iPadOS 15 and higher shortly after iOS 17’s release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to
upgrade to the minimum supported version (iOS/iPadOS 15).

Because Office 365 mobile apps are supported on iOS/iPadOS 15.0 and later, this
change might not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 15 or iPadOS 15 (if applicable), see the following
Apple documentation:

Supported iPhone models
Supported iPad models

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment
(ADE) have a slightly nuanced support statement due to their shared usage. The
minimum supported OS version will change to iOS 15/iPadOS 15 while the allowed
OS version will change to iOS 12/iPadOS 12 and later. See this statement about
ADE Userless support for more information.

How can you prepare?


Check your Intune reporting to see what devices or users might be affected. For devices
with mobile device management (MDM), go to Devices > All devices and filter by OS.
For devices with app protection policies, go to Apps > Monitor > App protection status
and use the Platform and Platform version columns to filter. Note that there's a current
known issue where several columns are missing from the App protection status report.
We expect a fix soon.

To manage the supported OS version in your organization, you can use Microsoft Intune
controls for both MDM and APP. For more information, see Manage operating system
versions with Intune.

Plan for change: Intune is moving to support macOS 12 and higher later this year

Later this year, we expect macOS 14 Sonoma to be released by Apple. Microsoft Intune,
the Company Portal app and the Intune mobile device management agent will be
moving to support macOS 12 and later. Since the Company Portal app for iOS and
macOS are a unified app, this change will occur shortly after the release of iOS/iPadOS
17.

How does this affect you or your users?


This change only affects you if you currently manage, or plan to manage, macOS devices
with Intune. This change might not affect you because your users have likely already
upgraded their macOS devices. For a list of supported devices, see macOS Monterey is
compatible with these computers.

Note

Devices that are currently enrolled on macOS 11.x or earlier will continue to remain
enrolled even when those versions are no longer supported. New devices will be
unable to enroll if they are running macOS 11.x or earlier.

How can you prepare?


Check your Intune reporting to see what devices or users might be affected. Go to
Devices > All devices and filter by macOS. You can add more columns to help identify
who in your organization has devices running macOS 11.x or earlier. Ask your users to
upgrade their devices to a supported OS version.

Plan for Change: Ending support for Microsoft Store for Business and Education apps

In April 2023, we'll begin ending support for the Microsoft Store for Business experience
in Intune. This occurs in several stages. For more information, see: Adding your
Microsoft Store for Business and Education apps to the Microsoft Store in Intune

How does this affect you or your users?


If you're using Microsoft Store for Business and Education apps:

1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services.
Microsoft Store for Business and Education apps won't be able to sync with Intune
and the connector page will be removed from the Intune admin center.
2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for
Business and Education apps on devices. Downloaded applications remain on the
device with limited support. Users may still be able to access the app from their
device, but the app won't be managed. Existing synced Intune app objects remain
to allow admins to view the apps that had been synced and their assignments.
Additionally, you won't be able to sync apps via the Microsoft Graph API
syncMicrosoftStoreForBusinessApps, and related API properties will display stale
data.
3. On September 15, 2023, Microsoft Store for Business and Education apps will be
removed from the Intune admin center. Apps on the device remain until
intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will
no longer be available about a month later.

Note that the retirement of Microsoft Store for Business and Education was announced
in 2021. When the Microsoft Store for Business and Education portals are retired,
admins will no longer be able to manage the list of Microsoft Store for Business and
Education apps that are synced or download offline content from the Microsoft Store for
Business and Education portals.

How can you prepare?


We recommend adding your apps through the new Microsoft Store app experience in
Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app
package from the vendor and install it as a line-of-business (LOB) app or Win32 app. For
instructions read the following articles:

Add Microsoft Store apps to Microsoft Intune
Add a Windows line-of-business app to Microsoft Intune
Add, assign, and monitor a Win32 app in Microsoft Intune

Related information

Update to Intune integration with the Microsoft Store on Windows
Unpacking Endpoint Management: The future of app management in Intune

Plan for Change: Ending support for Windows Information Protection

Microsoft Windows announced they're ending support for Windows Information
Protection (WIP). The Microsoft Intune family of products will be discontinuing future
investments in managing and deploying WIP. In addition to limiting future investments,
we removed support for the WIP without enrollment scenario at the end of calendar year
2022.

How does this affect you or your users?


If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?


We recommend disabling WIP to ensure users in your organization do not lose access to
documents that have been protected by WIP policy. Read the blog Support tip: End of
support guidance for Windows Information Protection for more details and options
for removing WIP from your devices.

Plan for Change: Ending support for Windows 8.1


Microsoft Intune will be ending support for devices running Windows 8.1 on October 21,
2022. Additionally, the sideloading key scenario for line-of-business apps will stop being
supported since it's only applicable to Windows 8.1 devices.

Microsoft strongly recommends that you move to a supported version of Windows 10
or Windows 11, to avoid a scenario where you need service or support that is no longer
available.

How does this affect you or your users?


If you're managing Windows 8.1 devices, those devices should be upgraded to a
supported version of Windows 10 or Windows 11. There is no impact to existing devices
and policies; however, you won't be able to enroll new devices if they are running
Windows 8.1.

How can you prepare?


Upgrade your Windows 8.1 devices, if applicable. To determine which users’ devices are
running Windows 8.1 navigate to Microsoft Intune admin center > Devices >
Windows > Windows devices, and filter by OS.

Additional information

Manage operating system versions with Intune

Update your certificate connector for Microsoft Intune


As of June 1, 2022, Intune certificate connectors earlier than version 6.2101.13.0 may no
longer work as expected and stop connecting to the Intune service. For more
information on the certificate connector lifecycle and support, see Certificate Connectors
for Microsoft Intune.

How does this affect you or your users?


If you're impacted by this change, see MC393815 in the Message center.

How can you prepare?

Download, install, and configure the latest certificate connector. For more information,
see Install the Certificate Connector for Microsoft Intune.

To check which version of the certificate connector you are using, follow these steps:
1. On a Windows Server running the Intune Certificate Connector, launch "Add or
Remove programs".
2. A list of installed programs and applications will be displayed.
3. Look for an entry related to the Microsoft Intune Certificate Connector. There will
be a "Version" associated with the connector. Note that names for older
connectors may vary.

Plan for change: Intune is moving to support Android 8.0 and later in January 2022

Microsoft Intune will be moving to support Android version 8.0 (Oreo) and later for
mobile device management (MDM) enrolled devices on or shortly after January 7, 2022.

How does this affect you or your users?


After January 7, 2022, MDM enrolled devices running Android version 7.x or earlier will
no longer receive updates to the Android Company Portal or the Intune App. Enrolled
devices will continue to have Intune policies applied but are no longer supported for
any Intune scenarios. Company Portal and the Intune App will not be available for
devices running Android 7.x and lower beginning mid-February; however, these devices
won't be blocked from completing enrollment if the requisite app has been installed
prior to this change. If you have MDM enrolled devices running Android 7.x or below,
update them to Android version 8.0 (Oreo) or higher or replace them with a device on
Android version 8.0 or higher.

Note

Microsoft Teams devices are not impacted by this announcement and will
continue to be supported regardless of their Android OS version.

How can you prepare?

Notify your helpdesk, if applicable, of this upcoming change in support. You can identify
how many devices are currently running Android 7.x or below by navigating to Devices
> All devices > Filter. Then filter by OS and sort by OS version. There are two admin
options to help inform your users or block enrollment.
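The notices above (iOS/iPadOS 15, macOS 12, Windows 8.1, and Android 8.0) all come down to the same question: which managed devices sit below a per-platform minimum OS version. The admin center filters answer it interactively; the following PowerShell is an added example, not Intune's own tooling or code from this article, for doing the same check offline against an exported device list, and it generalises across the platforms rather than one at a time. The field names `deviceName`, `operatingSystem` and `osVersion` follow the Graph managedDevices resource, the platform strings used as keys are an assumption, and the sample devices are constructed for the example.

```powershell
# Added example, not Intune code: apply the minimum-OS statements from the notices
# above to exported device records and list what would fall out of support.
# Assumptions: field names follow the Graph managedDevices resource; platform names
# used as keys, and the sample devices, are constructed for the example.

$minimumOsByPlatform = @{
    'iOS'     = '15.0'   # iOS/iPadOS 15 and later (MDM and APP)
    'macOS'   = '12.0'   # macOS 12 and later
    'Android' = '8.0'    # Android 8.0 and later for MDM-enrolled devices
    'Windows' = '10.0'   # Windows 8.1 (kernel 6.3) can no longer enroll
}

function ConvertTo-ComparableVersion {
    param([string]$Text)
    # Keep leading digits and dots only ("11 (API 30)" -> "11") and ensure at least two
    # components, because [version]'11' does not parse.
    $clean = [regex]::Match($Text, '^\d+(\.\d+)*').Value
    if (-not $clean) { return $null }
    if ($clean -notmatch '\.') { $clean = "$clean.0" }
    [version]$clean
}

function Get-OsSupportStatus {
    param(
        [Parameter(Mandatory)][object[]]$Devices,
        [hashtable]$Minimums = $minimumOsByPlatform
    )
    foreach ($d in $Devices) {
        $min     = $Minimums[$d.operatingSystem]
        $version = ConvertTo-ComparableVersion $d.osVersion
        $status  = if (-not $min) { 'NoPolicy' }
                   elseif (-not $version) { 'UnparsableVersion' }
                   elseif ($version -lt [version]$min) { 'BelowMinimum' }
                   else { 'Supported' }
        [pscustomobject]@{
            DeviceName = $d.deviceName
            Platform   = $d.operatingSystem
            OsVersion  = $d.osVersion
            Minimum    = $min
            Status     = $status
        }
    }
}

# Constructed sample export; replace with Import-Csv of a real All devices export.
$sampleDevices = @(
    [pscustomobject]@{ deviceName = 'IPHONE-01'; operatingSystem = 'iOS';     osVersion = '14.8.1' },
    [pscustomobject]@{ deviceName = 'IPAD-02';   operatingSystem = 'iOS';     osVersion = '16.4' },
    [pscustomobject]@{ deviceName = 'MAC-03';    operatingSystem = 'macOS';   osVersion = '11.7.4' },
    [pscustomobject]@{ deviceName = 'DROID-04';  operatingSystem = 'Android'; osVersion = '7.1.2' },
    [pscustomobject]@{ deviceName = 'DROID-05';  operatingSystem = 'Android'; osVersion = '13' },
    [pscustomobject]@{ deviceName = 'WIN-06';    operatingSystem = 'Windows'; osVersion = '6.3.9600' },
    [pscustomobject]@{ deviceName = 'LINUX-07';  operatingSystem = 'Linux';   osVersion = '22.04' }
)

$report = Get-OsSupportStatus -Devices $sampleDevices
$report | Format-Table -AutoSize

# Per-platform count of devices below minimum: the number a helpdesk notice needs.
$report | Where-Object Status -eq 'BelowMinimum' | Group-Object Platform |
    Select-Object Name, Count
```

With the constructed sample, IPHONE-01, MAC-03, DROID-04 and WIN-06 are reported as BelowMinimum, LINUX-07 as NoPolicy (no minimum is defined for it), and the rest as Supported. Unparsable version strings are flagged rather than silently treated as supported, so a malformed export cannot hide a device that needs attention.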

Here's how you can warn users:

Create an app protection policy and configure conditional launch with a min OS
version requirement that warns users.
Utilize a device compliance policy for Android device administrator or Android
Enterprise and set the action for noncompliance to send an email or push
notification to users before marking them noncompliant.

Here's how you can block devices running on versions earlier than Android 8.0:

Create an app protection policy and configure conditional launch with a min OS
version requirement that blocks users from app access.
Utilize a device compliance policy for Android device administrator or Android
Enterprise to make devices running Android 7.x or earlier noncompliant.
Set enrollment restrictions that prevent devices running Android 7.x or earlier from
enrolling.

Note

Intune app protection policies are supported on devices running Android 9.0 and
later. See MC282986 for more details.

Plan for change: Intune APP/MAM is moving to support Android 9 and higher

With the upcoming release of Android 12, Intune app protection policies (APP, also
known as mobile application management) for Android will move to support Android 9
(Pie) and later on October 1, 2021. This change will align with Office mobile apps for
Android support of the last four major versions of Android.

Based on your feedback, we've updated our support statement. We're doing our best to
keep your organization secure and protect your users and devices, while aligning with
Microsoft app lifecycles.

Note

This announcement doesn't affect Microsoft Teams Android devices. Those devices will
continue to be supported regardless of their Android OS version.

How does this affect you or your users?


If you're using app protection policies (APP) on any device that's running Android
version 8.x or earlier, or you decide to enroll any device that's running Android version
8.x or earlier, these devices will no longer be supported for APP.

APP policies will continue to be applied to devices running Android 6.x to Android 8.x.
But if you have problems with an Office app and APP, support will request that you
update to a supported Office version for troubleshooting. To continue to receive
support for APP, update your devices to Android version 9 (Pie) or later, or replace them
with a device on Android version 9.0 or later before October 1, 2021.

How can you prepare?


Notify your helpdesk, if applicable, about this updated support statement. You also have
two admin options to warn users:

Configure a conditional launch setting for APP with a minimum OS version
requirement to warn users.
Use a device compliance policy for an Android device administrator or Android
Enterprise. Set the action for noncompliance to send a message to users before
marking them as noncompliant.

Upgrade to the Microsoft Intune Management Extension


We've released an upgrade to the Microsoft Intune Management Extension to improve
handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune
automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to
this latest version. To check the version of the extension on a device, review the version
for Microsoft Intune Management Extension in the program list under Apps &
features.
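Both this notice and the certificate connector notice above ask you to read an installed program's version from Apps & features (or Add or Remove programs) and compare it with a stated minimum (1.43.203.0 for the Management Extension, 6.2101.13.0 for the connector). The following PowerShell is an added example, not Intune's own tooling or code from this article; it reads the same uninstall registry entries that the program list displays, matches display names with wildcard patterns (an assumption, since the connector notice says older connector names vary), and reports whether each component meets its minimum.

```powershell
# Added example, not Intune code: read installed-program versions from the uninstall
# registry hives (the data behind "Apps & features") and compare them against the
# minimum versions stated in the notices. Display-name patterns are assumptions.

function Get-InstalledProgram {
    param([Parameter(Mandatory)][string]$DisplayNamePattern)   # -like wildcard pattern

    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Test-MeetsMinimumVersion {
    param([string]$Installed, [string]$Minimum)
    # [version] compares four-part strings such as 6.2101.13.0 numerically, component by
    # component; anything that does not parse fails closed as "not meeting the minimum".
    try { return ([version]$Installed -ge [version]$Minimum) } catch { return $false }
}

function Get-IntuneComponentStatus {
    # Minimums from the notices: connector 6.2101.13.0, Management Extension 1.43.203.0.
    $checks = @(
        @{ Component = 'Certificate Connector';       Pattern = '*Intune*Certificate Connector*'; Minimum = '6.2101.13.0' },
        @{ Component = 'Intune Management Extension'; Pattern = '*Intune Management Extension*';  Minimum = '1.43.203.0' }
    )
    foreach ($check in $checks) {
        $found = @(Get-InstalledProgram -DisplayNamePattern $check.Pattern)
        if ($found.Count -eq 0) {
            [pscustomobject]@{
                Component   = $check.Component
                DisplayName = $null
                Installed   = $null
                Minimum     = $check.Minimum
                Status      = 'NotInstalled'
            }
            continue
        }
        foreach ($entry in $found) {
            $ok = Test-MeetsMinimumVersion -Installed $entry.DisplayVersion -Minimum $check.Minimum
            $status = if ($ok) { 'OK' } else { 'UpdateRequired' }
            [pscustomobject]@{
                Component   = $check.Component
                DisplayName = $entry.DisplayName
                Installed   = $entry.DisplayVersion
                Minimum     = $check.Minimum
                Status      = $status
            }
        }
    }
}

Get-IntuneComponentStatus | Format-Table -AutoSize
```

Run it on the server hosting the connector and on a managed Windows client respectively; a component that is absent from the machine reports NotInstalled rather than being skipped, so the output is the same shape wherever it runs. The string-versus-version distinction matters here: compared as text, "1.9.0.0" sorts after "1.43.203.0", which is exactly the mistake `[version]` avoids.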

For more information, see the information about security vulnerability CVE-2021-31980
in the Microsoft Security Response Center.

How does this affect you or your users?


No action is required. As soon as the client connects to the service, it automatically
receives a message to upgrade.

Update to Endpoint Security antivirus Windows 10 profiles

We've made a minor change to improve the antivirus profile experience for Windows 10.
There's no user effect, because this change affects only what you'll see in the UI.

How does this affect you or your users?


Previously, when you configured a Windows security profile for the Endpoint Security
antivirus policy, you had two options for most settings: Yes and Not configured. Those
settings now include Yes, Not configured, and a new option of No.

Previously configured settings that were set to Not configured remain as Not
configured. When you create new profiles or edit an existing profile, you can now
explicitly specify No.

In addition, the setting Hide the Virus and threat protection area in the Windows
Security app has a child setting, Hide the Ransomware data recovery option in the
Windows Security app. If the parent setting is set to Not configured and the child
setting is set to Yes, both the parent and child settings are set to Not configured. That
change takes effect when you edit the profile.

How can you prepare?


No action is needed. However, you might want to notify your helpdesk about this
change.

Plan for change: Intune is ending Company Portal support for unsupported versions of
Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now
removing support for the associated Windows 10 Company Portals for Windows
versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not
affect you. You've likely already upgraded your OS or devices. This change only affects
you if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:
Windows 10 version 1507, Company Portal version 10.1.721.0
Windows 10 version 1511, Company Portal version 10.1.1731.0
Windows 10 version 1607, Company Portal version 10.3.5601.0
Windows 10 version 1703, Company Portal version 10.3.5601.0
Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the
Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the
latest security updates, new features, bug fixes, latency improvements, accessibility
improvements, and performance investments. You won't be able to co-manage users by
using System Center Configuration Manager and Intune.

How can you prepare?


In the Microsoft Intune admin center, use the discovered apps feature to find apps with
these versions. On a user's device, the Company Portal version is shown on the Settings
page of the Company Portal. Update to a supported Windows and Company Portal
version.

UI updates for Intune end-user apps
Article • 04/10/2023

Learn about the most recent updates to the Microsoft Intune apps. We regularly add to
and improve the Intune Company Portal app and website. If you're an Intune
administrator or support person, this article provides the information you need to:

Alert students and employees to app and enrollment changes.
Update your organization's documentation or helpdesk procedures.

If you're an employee or student, be sure to check out the screenshots and links to the
Company Portal help documentation. For more information about how to use the
Company Portal app, see the Company Portal user help documentation.

Week of August 1, 2022

Company Portal for Windows bulk app install


The Company Portal for Windows now allows users to select multiple apps and install in
bulk. We recommend that users use the multi-app installation option for better
performance when installing more than one app. From the Apps tab of the Company
Portal for Windows, select the multi-select view button on the top right corner of the
page. Then, select the checkbox next to each app that you need to install. Next, select
the Install Selected button to start installation. All selected apps will install at the same
time without requiring users to right-click each app or navigate to each app's page. For
related information, see Install and share apps on your device and How to configure the
Intune Company Portal apps, Company Portal website, and Intune app.

Week of June 6, 2022

UI improvements show Android enrollment is available, not required

We updated the iconography in the Company Portal for Android app to make it easier
for users to recognize when device enrollment is available but not required. The new
iconography appears in scenarios where the device enrollment availability is set to
Available, no prompts in the Microsoft Intune admin center (Tenant admin >
Customization > Create or Edit a policy > Settings).

Changes include:

On the Devices screen, users will no longer see a red exclamation point next to
non-enrolled devices.
On the Device Details screen, users will no longer see a red exclamation point next
to the enrollment message. Instead, they will see the info (i) icon.

[Screenshots: Updated Devices screen / Previous Devices screen]

[Screenshots: Updated Device Details screen / Previous Device Details screen]

Week of November 15, 2021

New privacy consent screen during Company Portal installation

We've added a new privacy consent screen to Company Portal to meet privacy
requirements for certain app stores, such as those in China. People installing Company
Portal for the first time from those stores will see the new screen during installation. The
screen explains what information Microsoft collects and how it's used. A person must
agree to the terms before they can use the app. Users who installed Company Portal
prior to this release will not see the new screen.

Week of November 9, 2020

Improvements to work profile messaging in Company Portal for Android

We've updated messaging in Company Portal for Android to better introduce and
explain how work profile works. After the work profile setup flow, users see a new
informational screen explaining where to find work apps, with links to help
documentation.
When a user accidentally re-enables the Company Portal app in the personal profile,
they'll see a screen (formerly Your device now has a profile just for work) that guides
them to their work apps, with links to help documentation.

[Screenshots: Updated / Previous]

When they swipe right, they'll learn how to get more work apps from the Google Play
Store.
Finally, on the Help page > Frequently Asked Questions section, there's a new link to a
Microsoft technical article about how to find work profile apps.

Week of September 28, 2020

Improved work profile messaging in Company Portal for Android

The Company Portal screen previously titled "You're Halfway There!" has been updated
to better explain how work profile management works. Users will see this screen if they
re-enable Company Portal in the personal profile after they've already gone through
work profile enrollment. They may also see this screen during work profile enrollment
on some Android OS versions, as shown in the help doc, Enroll with Android work
profile.

[Screenshots: Updated / Previous]

Week of August 10, 2020

Improvement to Update device settings page in Company Portal app for Android to show
descriptions

In the Company Portal app on Android devices, the Update device settings page lists
the settings that need to be updated to be compliant. Users expand the issue to see more
information, and see the Resolve button.

This user experience is improved. The listed settings are expanded by default to show
the description, and show the Resolve button, when applicable. Previously, the issues
were collapsed by default. This new default behavior reduces the number of clicks, so
users can resolve issues more quickly.

Week of June 8, 2020

Updates to informational screen in Company Portal for iOS/iPadOS

We've updated an informational screen in Company Portal for iOS/iPadOS to better
explain what an admin can see and do on devices. These clarifications are only about
corporate-owned devices. Only the text has been updated, no actual modifications have
been made to what the admin can see or do on user devices. To learn more about
what's visible to an admin, see What information can my organization see when I enroll
my device?

Week of May 18, 2020

Update to icons in Company Portal app for iOS/iPadOS and macOS

We've updated the icons in Company Portal to create a more modern look and feel
that's supported on dual screen devices and aligns with the Microsoft Fluent Design
System.

[Screenshots: Updated for iOS/iPadOS / Previously for iOS/iPadOS]

[Screenshot: Updated for macOS]

Week of May 4, 2020

Company Portal for Android guides users to get apps after work profile enrollment

We've improved the in-app guidance in Company Portal to make it easier for users to
find and install apps. After they enroll in work profile management, users will get a
message explaining how to find suggested apps in the badged version of Google Play.
The last step in Enroll device with Android profile has been updated to show the new
message.
Users will also see a new Get Apps link in the Company Portal drawer on the left.
To make way for these new and improved experiences, the APPS tab shown in the
following image has been removed.

Week of March 2, 2020

Improved sign-in experience in Company Portal for Android
We've updated the layout of several sign-in screens in the Company Portal app for
Android to make the experience more modern, simple, and clean for users. To see all
Company Portal for Android enrollment instructions, go to Enroll your Android device or
Enroll with Android work profile.

(Screenshots: Updated and Previous sign-in screens)

Week of February 3, 2020

Screen removed from Company Portal, Android work profile enrollment
The What's next? screen has been removed from the Android work profile enrollment
flow in Company Portal to streamline the user experience. Go to Enroll with Android
work profile to see the updated Android work profile enrollment flow.

Week of November 11, 2019

Web apps launched from the Windows Company Portal app
End-users can now launch web apps directly from the Windows Company Portal app.
End-users can select the web app and then choose the option Open in browser. The
published web URL is opened directly in a web browser. This functionality will be rolled
out over the next week. For more information about Web apps, see Add web apps to
Microsoft Intune.

Improved macOS enrollment experience in Company Portal
The Company Portal for macOS enrollment experience has a simpler enrollment process
that aligns more closely with the Company Portal for iOS enrollment experience. Device
users now see:

A sleeker user interface.
An improved enrollment checklist.
Clearer instructions about how to enroll their devices.
Improved troubleshooting options.

Week of October 28, 2019

Improved checklist design in Company Portal app for Android
The setup checklist in the Company Portal app for Android has been updated with a
lightweight design and new icons. The changes align with the recent updates made to
the Company Portal app for iOS/iPadOS. For a look at the updated enrollment steps, see
Enroll with Android work profile and Enroll your Android device.

The following screens show the updated checklist for Android work profile enrollment:

(Screenshots: Updated and Previous)

The following screens show the updated checklist for Android device administrator
enrollment:

(Screenshots: Updated and Previous)

Week of September 9, 2019

Updates to Microsoft Intune app

The Microsoft Intune app for Android has been updated with the following
improvements:

Updated and improved the layout to include bottom navigation for the most
important actions.

Added an additional page that shows the user's profile.

Added the display of actionable notifications in the app for the user, such as the
need to update their device settings.

Added the display of custom push notifications, aligning the app with the support
recently added in the Company Portal app for iOS and Android. For more
information, see Send custom notifications in Intune.

User profile example:

Notifications and bottom navigation example:

Week of June 24, 2019

The Company Portal website's new Installed Apps page lists all managed apps (both
required and available) that are installed on a user's devices. In addition to assignment
type, users can see the app's publisher, date published, and current installation status. If
you haven't made any apps required or available to your users, they'll see a message
explaining that no company apps have been installed. To see the new page on the web,
go to the Company Portal website and click Installed Apps.

New view lets app users see all managed apps installed on device
The Company Portal app for Windows now lists all managed apps (both required and
available) that are installed on a user's device. Users can also see attempted and
pending app installations, and their current statuses. If you haven't made apps required
or available to your users, they'll see a message explaining that no company apps have
been installed. To see the new view, go to the Company Portal navigation pane and
select Apps > Installed Apps.

Week of June 17, 2019

New features in Microsoft Intune app
We've added new features to the Microsoft Intune app (preview) for Android. Users on
fully managed Android devices can now:

View and manage the devices they've enrolled through the Intune Company Portal
or Microsoft Intune app.
Contact their organization for support.
Send their feedback to Microsoft.
View terms and conditions, if set by their organization.

Week of April 15, 2019

New end user app (Microsoft Intune app)

There's a new end-user app for Android fully managed devices called Microsoft Intune.
This new app is light-weight and modern, and provides similar functionality to the
Company Portal app, but for fully managed, corporate devices. For more information,
see Microsoft Intune app on Google Play.

Example screenshot of the device details screen:

Example screenshot of the Setup access screen:

Example screenshot of the app menu:

Example screenshot of the Help screen:

Week of April 1, 2019

Changes to Company Portal enrollment for iOS 12 device users
The Company Portal for iOS enrollment screens and steps have been updated to align
with the MDM enrollment changes released in Apple iOS 12.2. The updated workflow
prompts users to:

Allow Safari to open the Company Portal website and download the management
profile before returning to the Company Portal app.
Open the Settings app to install the management profile on their device.
Return to the Company Portal app to complete enrollment.

For updated enrollment steps and screens, see Enroll iOS device in Intune.

User experience update for the Company Portal app for iOS
The home page of the Company Portal app for iOS devices has been redesigned. With
this change, the home page will better follow iOS UI patterns, and also provide
improved discoverability for apps and ebooks.

Week of February 19, 2019

New App categories screen in the Company Portal app for Windows 10
A new screen called App categories has been added to improve the app browsing and
selection experience in Company Portal for Windows 10. Users will now see their apps
sorted under categories such as Featured, Education, and Productivity. This change
appears in Company Portal versions 10.3.3451.0 and later. For more information about
installing apps in Company Portal, see Install and share apps on your device.

Week of November 12, 2018

Windows Company Portal keyboard shortcuts

End users will now be able to trigger app and device actions in the Windows Company
Portal using keyboard shortcuts (accelerators).

Week of October 22, 2018

Add custom brand image for Company Portal app

As the Microsoft Intune admin, you can upload a custom brand image which will be
displayed as a background image on the user's profile page in the iOS Company Portal
app. For more information about configuring the Company Portal app, see How to
configure the Microsoft Intune Company Portal app.

Week of August 27, 2018

New user experience update for the Company Portal website
We've added new features, based on feedback from customers, to the Company Portal
website. You'll experience a significant improvement in existing functionality and
usability from your devices. Specific areas of the site, such as device details, feedback
and support, and device overview, now have a new, modern, responsive design. The
Intune Company Portal website documentation has been updated to reflect these
changes.

Updates you'll see include:

Streamlined workflows across all device platforms
Improved device identification and enrollment flows
More helpful error messages
Friendlier language, less tech jargon
Ability to share direct links to apps
Improved performance for large app catalogs
Increased accessibility for all users

(Screenshots: Updated and Previous)

Week of July 16, 2018

More opportunities to sync in the Company Portal app for Windows
The Company Portal app for Windows now lets you initiate a sync directly from the
Windows taskbar and Start menu. This feature is especially useful if your only task is to
sync devices and get access to corporate resources. To access the new feature, right-
click the Company portal icon pinned to your taskbar or Start menu. In the menu
options (also referred to as a jump list), select Sync this device. The Company Portal will
open to the Settings page and initiate your sync.

New browsing experiences in the Company Portal app for Windows
Now when browsing or searching for apps in the Company Portal app for Windows, you
can toggle between the existing Tiles view and the new Details view. This new view lists
application details such as name, publisher, publication date, and installation status.

The Apps page's Installed view lets you see details about completed and in-progress
app installations.

Example screenshot showing the Tiles view:


Example screenshot showing the Details view:

Week of April 23, 2018


Updated navigation view in the Company Portal app for
Windows 10
The Intune Company Portal app for Windows 10 has been updated with the Fluent
Design System's navigation view. Along the side of the app, you'll notice a static, vertical
list of all top-level pages. Click any link to quickly view and switch between pages. This is
the first of several updates you'll see as part of our ongoing effort to create a more
adaptive, empathetic, and familiar experience in Intune.

Week of April 2, 2018

User experience update for the Company Portal app for iOS
We've released a major user experience update to the Company Portal app for
iOS/iPadOS. The update features a complete visual redesign that includes a modernized
look and feel. We've maintained the functionality of the app, but increased its usability
and accessibility.

You'll also see:

Support for iPhone X.
Faster app launch and loading responses, to save users time.
Additional progress bars to provide users with the most up-to-date status
information.
Improvements to the way users upload logs, so if something goes wrong, it's
easier to report.

(Screenshots: Before and After; one step combined with the previous step)

Improvements to the language in the Company Portal app for Windows
We've improved the language in the Company Portal for Windows 10 to be more user-
friendly and specific to your company.

(Screenshots: Before and After)

Week of March 12, 2018

Company Portal for Android visual updates

We've updated the Company Portal app for Android to follow Android's Material
Design guidelines.

(Screenshots: Before and After)

Week of November 27, 2017

New "Device Categories" step in guided setup for the Company Portal app for Windows 10
If you've enabled device group mapping, the Company Portal app for Windows 10 now
walks your users through selecting a device category after enrolling their device.

Week of November 13, 2017

Improvements to device setup workflow in the Company Portal for iOS in version 2.9.0
We've improved the device setup workflow in the Company Portal app for iOS/iPadOS.
The language is more user-friendly and we've combined screens where possible. We
have also made the language more specific to your company by using your company
name throughout the setup text.

Note

We use the company name you have set in the Azure Portal in Microsoft Intune >
Client Apps > Company Portal branding > Company name. If you have not set
this value, we will use the tenant name set in Azure Active Directory > Properties
> Name. If you have not set a company name in Company Portal branding and
don't want your tenant name to be displayed, we recommend that you set the
company name in the Company Portal branding tab. If you don't want this string to
show in the header in Company Portal, you can deselect the checkbox to "Show
company name next to logo."

(Screenshots: Before and After; screens combined with the previous step)

Week of November 6, 2017

Updates to the Company Portal app for Windows 10

The Settings page in the Company Portal app for Windows 10 has been updated to
make the settings and their intended user actions more consistent across all settings.
It has also been updated to match the layout of other Windows apps.

(Screenshots: Before and After)

Search improvements to the Company Portal apps and website
The Company Portal apps now search across app categories, names, and descriptions.
The results are sorted in decreasing order of relevance. These updates are also
available on the Company Portal website.

We're still fine-tuning the way relevance is tracked, so please let us know how it's
working using the "Feedback" link at the bottom of the Company Portal website.

Week of October 16, 2017

Search improvements to the Company Portal website

We're improving our app search capabilities, starting with the Company Portal
website. Searches will now be performed on app categories in addition to the Name
and Description fields. The results will be sorted, by default, in decreasing order of
relevance.

iOS users will also receive this change, as the Company Portal website is also used as
part of the Company Portal app for iOS/iPadOS. The Company Portal apps for Android
and Windows will receive similar updates in the coming months.

We're still fine-tuning the way relevance is tracked, so please let us know how it's
working using the "Feedback" link at the bottom of the Company Portal website.

iOS Company Portal displays large icons

This release fixes a known issue with how the iOS Company Portal displays icons in the
app tile. If you upload app icons of 120x120 pixels or larger, they now display in the
Company Portal website and the iOS Company Portal's apps pages at the full size of
the app tile.

Week of October 2, 2017

Improvements to device setup workflow in Company Portal
We've improved the device setup workflow in the Company Portal app for Android. The
language is more user-friendly and specific to your company, and we've combined
screens where possible.

(Screenshots: Before and After; one step combined with the previous step)

Additional steps have been improved on Android work profile devices.

(Screenshots: Before and After; steps combined with the previous step)

We've also updated the Conditional Access email activation screen.

(Screenshots: Before and After)

Week of September 11, 2017

Easier-to-understand phrasing for the Company Portal app for Android
The enrollment process for the Company Portal app for Android has been simplified
with new text to make it easier for end-users to enroll. If you have custom enrollment
documentation, you will want to update it to reflect the new screens. You can find
sample images below:

(Screenshots: Before and After)

August 2017

iOS 11 Mail app will support OAuth

Conditional Access with Intune supports more secure authentication on iOS devices with
OAuth. To support this, there will now be a different flow on the Company Portal app for
iOS to allow for more secure authentication. When end users try to sign in to a new
Exchange account in the Mail app, they will see a web view prompt. Upon enrollment in
Intune, users will see a prompt to allow the native Mail app to access a certificate. Most
end users will not see any more quarantined emails. Existing mail accounts will continue
to use the basic authentication protocol, so these users will still have quarantined
emails delivered to them. This sign-in experience for end users is similar to the one on
Office mobile apps.

Intune Mobile Application Management (MAM) dialog boxes will have a modern interface

Intune Mobile Application Management (MAM) dialog boxes will be updated to a
modern look and feel. The dialog boxes will function in the same way as the previous
style.

Previous experience

Modern experience

Updates to the "Device Details" page on the Company Portal app for Windows 10
The Company Portal app for Windows 10 is moving the Category tag from below the
title to a property on the Device Details page.

July 2017

Apps details pages will display new information for Android devices
The apps details page of the Company Portal app for Android will now display the app
categories that the IT admin has defined for that app.

Improved sign-in experience across Company Portal apps for all platforms
We are announcing a change that is coming in the next few months that will improve
the sign-in experience for the Intune Company Portal apps for Android, iOS/iPadOS, and
Windows. The new user experience will automatically appear across all platforms for the
Company Portal app when Azure AD makes this change. In addition, users can now sign
in to the Company Portal from another device with a generated, single-use code. This is
especially useful in cases when users need to sign in without credentials.

Below you can see the previous sign-in experience, the new sign-in experience with
credentials, and the new sign-in experience from another device.

Previous sign-in experience

New sign-in experience

New sign-in experience when signing in from another device

Tap the Sign-in from another device link.
Launch a browser and go to https://aka.ms/devicelogin.
Enter the code you saw in the Company Portal app. When you select Continue, you will
be able to authenticate using any method that is supported by your company, such as a
smartcard.
The Company Portal app will begin signing in.

June 2017

Company Portal app for Android now has a new end-user experience for App Protection Policies
Based on customer feedback, we've modified the Company Portal app for Android to
show an Access Company Content button. The intent is to prevent end users from
unnecessarily going through the enrollment process when they only need to access
apps that support App Protection Policies, a feature of Intune mobile application
management.

The user will tap on the Access Company Content button instead of beginning to enroll
the device.
The user then is taken to the Company Portal website to authorize the app for use on
their device, where the Company Portal website verifies their credentials.
The device can still be enrolled into full management by tapping on the action menu.

Improvements to app syncing with Windows 10 Creators Update
The Company Portal app for Windows 10 will now automatically initiate a sync for app
install requests for devices with Windows 10 Creators Update (version 1709). This will
reduce the issue of app installs stalling during the "Pending Sync" state. In addition,
users will be able to manually initiate a sync from within the app.

New guided experience for Windows 10 Company Portal

The Company Portal app for Windows 10 will include a guided Intune walkthrough
experience for devices that have not been identified or enrolled. The new experience
provides step-by-step instructions that guide the user through registering into Azure
Active Directory (required for Conditional Access features) and MDM enrollment
(required for device management features). The guided experience will be accessible
from the Company Portal home page. Users can continue to use the app if they do not
complete registration and enrollment, but will experience limited functionality.

This update is only visible on devices running Windows 10 Anniversary Update (build
1607) or higher.

New menu action to easily remove Company Portal

Based on user feedback, the Company Portal app for Android has added a new menu
action to initiate the removal of Company Portal from your device. This action removes
the device from Intune management so that the app can be removed from the device by
the user.

Improvements to the app tiles in the Company Portal app for iOS

We updated the design of the app tiles on the homepage to reflect the branding color
you set for the Company Portal.

(Screenshots: Before and After)

Account picker now available for the Company Portal app for iOS

If users have used their work or school account to sign in to other Microsoft apps on
their iOS device, then they may see our new account picker when signing into the
Company Portal for the first time.

April 2017

New icons for the Managed Browser and the Company Portal
The Managed Browser is receiving updated icons for both the Android and iOS versions
of the app. The new icon will contain the updated Intune badge to make it more
consistent with other apps in Enterprise Mobility + Security (EM+S).

(Screenshots: Before and After)

The Company Portal is also receiving updated icons for the Android, iOS, and Windows
versions of the app to improve consistency with other apps in EM+S. These icons will be
gradually released across platforms from April to late May.

Sign-in progress indicator in Android Company Portal

An update to the Android Company Portal app shows a sign-in progress indicator when
the user launches or resumes the app. The indicator progresses through new statuses,
beginning with "Connecting...", then "Signing in...", then "Checking for security
requirements..." before allowing the user to access the app.

(Screenshots: Before and After)

Improved app install status for the Windows 10 Company Portal app
The Windows 10 Company Portal app now provides an install progress bar on the app
details page. This is supported for modern apps on devices running the Windows 10
Anniversary Update and up.

(Screenshots: Before and After)

February 2017

New user experience for the Company Portal app for Android

Beginning in March, the Company Portal app for Android will follow material design
guidelines to create a more modern look and feel. This improved user experience
includes:

Colors: tab headers can be colored according to your custom color palette.
Interface: Featured Apps and All Apps buttons have been updated in the Apps
tab. The Search button is now a floating action button.
Navigation: All Apps shows a tabbed view of Featured, All and Categories for
easier navigation. Contact IT has been streamlined for improved readability.

January 2017

Modernizing the Company Portal website

Beginning in February, the Company Portal website will support apps that are targeted
to users who do not have managed devices. The website will align with other Microsoft
products and services by using a new contrasting color scheme, dynamic illustrations,
and a "hamburger menu," which will contain helpdesk contact details and
information on existing managed devices. The landing page will be rearranged to
emphasize apps that are available to users, with carousels for Featured and Recently
Updated apps.

Coming soon in the UI

These are the plans for ways we will be improving the user experience by updating our
user interface.

Note

The images below may be previews, and the announced product may differ from
the presented versions.

See also
Microsoft Intune Blog
Cloud Platform roadmap
What's new in Intune

In development for Microsoft Intune
Article • 08/28/2023

To help in your readiness and planning, this article lists Intune UI updates and features
that are in development but not yet released. Also:

If we anticipate that you'll need to take action before a change, we'll publish a
complementary post in the Office message center.
When a feature enters production, whether it's in preview or generally available,
the feature description will move from this article to What's new.
Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

This article and the What's new article are updated periodically. Check back for more
updates.

Note

This article reflects our current expectations about Intune capabilities in an
upcoming release. Dates and individual features might change. This article doesn't
describe all features in development. It was last updated on the date shown under
the title.

You can use RSS to be notified when this article is updated. For more information, see
How to use the docs.

App management

Intune migrating from SafetyNet Attestation API to Google Play Integrity API
Google has deprecated the SafetyNet Attestation API and replaced it with the Play
Integrity API. Intune will be migrating to the new API for app protection policies. The
"SafetyNet device attestation" setting name will be updated to align with the new
Google Play Integrity API for all policies in the Intune user interface (UI). For related
information, see Discontinuing the SafetyNet Attestation API and Migrating from the
SafetyNet Attestation API.

Advanced application management

Advanced application management provides you with an enterprise catalog of
applications that are easily accessible. It also provides application update capabilities.
The enterprise catalog is planned to be available in public preview in late Q2 2023. The
application update capabilities are planned to be available in early Q3 2023.

Company Portal automatically installed on Android Enterprise dedicated devices
Intune Company Portal will now be automatically installed on all Android Enterprise
dedicated devices to ensure the appropriate handling of app protection policies. Users
won't be able to see or launch the Company Portal, and there are no requirements for
users to interact with it. Admins will notice that the Company Portal is automatically
installed on their Android Enterprise dedicated devices, without the ability to uninstall.

Support for multi-SIM iOS/iPadOS device inventory

You'll be able to view the service subscription fields on devices that have multiple SIM
cards installed under the per-device Hardware section. The inventory fields that are
capable of reporting multiple values to Intune are:

ICCID
IMEI
MEID
Phone number

These fields will default to using labels returned by the device, such as: Primary,
Secondary, CTSubscriptionSlotOne, and CTSubscriptionSlotTwo. These returned labels
may be displayed in the language of the local device that is reporting its inventory to
Intune.

Applies to:

iOS/iPadOS

Device configuration

Config Refresh will be in the Settings Catalog for Windows Insiders

In the Windows Settings Catalog, you can configure Config Refresh. This feature lets you
set a cadence for Windows devices to reapply previously received policy settings,
without requiring the devices to check in to Intune.

For more information on the Settings Catalog, go to Use the settings catalog to
configure settings on Windows, iOS/iPadOS and macOS devices.

Applies to:

Windows 10 and later

Managed Settings now available in the Apple settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

The settings within the Managed Settings command are available in the Settings
Catalog. In the Microsoft Intune admin center, you can see these settings at Devices >
Configuration profiles > Create profile > iOS/iPadOS > Settings catalog for profile
type.

Managed Settings > App Analytics:

Enabled: If true, enable sharing app analytics with app developers. If false, disable
sharing app analytics.

Applies to:

Shared iPad

Managed Settings > Accessibility Settings:

Bold Text Enabled
Grayscale Enabled
Increase Contrast Enabled
Reduce Motion Enabled
Reduce Transparency Enabled
Text Size
Touch Accommodations Enabled
Voice Over Enabled
Zoom Enabled

Managed Settings > Personal Hotspot:

Enabled: If true, enable Personal Hotspot. If false, disable Personal Hotspot.

Managed Settings > Software Update Settings:

Recommendation Cadence: This value defines how the system presents software
updates to the user.

Managed Settings > Time Zone:

Time Zone: The Internet Assigned Numbers Authority (IANA) time zone database
name.

Applies to:

iOS/iPadOS

Managed Settings > Bluetooth:

Enabled: If true, enable the Bluetooth setting. If false, disable the Bluetooth setting.

Managed Settings > MDM Options:

Activation Lock Allowed While Supervised: If true, a supervised device registers
itself with Activation Lock when the user enables Find My.

Applies to:

iOS/iPadOS
macOS

For more information on these settings, go to Apple's developer website. For more
information about configuring Settings Catalog profiles in Intune, go to Create a policy
using settings catalog.

New setting available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

There is a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune
admin center, go to Devices > Configuration profiles > Create profile > macOS >
Settings catalog for profile type.

Microsoft Defender > Cloud delivered protection preferences:

Cloud Block Level

Applies to:

macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

Device enrollment

SSO support for fully managed and corporate-owned devices with a work profile
Intune will support single sign-on (SSO) on Android Enterprise devices that are fully
managed or corporate-owned with a work profile. With the addition of SSO, people
enrolling their devices will only need to sign in once with their work or school account
during enrollment.

Device management

Introducing Remote Help on macOS

The Remote Help web app allows users to connect to macOS devices and join a view-
only remote assistance session.

For more information on Remote Help, go to Remote Help.

Applies to:

Safari 16.4+
macOS 11 Big Sur

Government tenant support for endpoint security Application Control policy and Managed Installer
We’re adding support to use endpoint security Application Control policies, and to
configure a Managed Installer, to both tenants in US Government and tenants in
21Vianet in China.

Support for Application Control policy and Managed installers was originally released in
preview in June 2023 as part of the Intune 2306 service release. Application Control
policies in Intune are an implementation of Defender Application Control (WDAC).

Management certificate expiration date

The management certificate expiration date will be available as a column in the Devices
workload. You'll be able to filter on a range of expiration dates for the management
certificate and export a list of devices whose expiration date matches the filter. You'll
find this information in the Microsoft Intune admin center by selecting Devices > All
devices.

Intune will support iOS/iPadOS 15.x as the minimum version
Later this year, Apple is expected to release iOS/iPadOS version 17. After the release of
iOS/iPadOS 17, the minimum version supported by Intune will be iOS/iPadOS 15.x.

For more information on this change, go to Plan for change: Intune is moving to support
iOS/iPadOS 15 and later.

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment
(ADE) have a slightly nuanced support statement due to their shared usage. For
more information, go to Support statement for supported versus allowed
iOS/iPadOS versions for user-less devices.

Applies to:

iOS/iPadOS

Device security

Endpoint Privilege Management support for Windows 365 devices
We are adding support to manage application elevations on Windows 365 devices (also
known as Cloud PCs) to Endpoint Privilege Management.

Linux support with Intune Endpoint security policies for Endpoint detection and response
Intune Endpoint security policies for Endpoint detection and response (EDR) will soon
support Linux. We’re adding a new profile template that you can use with both the Linux
devices enrolled with Intune and macOS devices managed through the opt-in public
preview of the Defender for Endpoint security settings management scenario.

The Linux EDR template will include the following settings for the Device tags category
from Defender for Endpoint:

Group tag – The GROUP tag tags the device with the specified value. The tag is
reflected in the admin center on the device page and can be used for filtering and
grouping devices.
Value of tag – Only one value per tag can be set. The Type of a tag is unique and
shouldn’t be repeated in the same profile.

You can learn more about Defender for Endpoint settings that are available for Linux in
Set preferences for Microsoft Defender for Endpoint on Linux in the Defender
documentation.

macOS support with Intune Endpoint security policies for Endpoint detection and response
Intune Endpoint security policies for Endpoint detection and response (EDR) will soon
support macOS. We’re adding a new profile template that you can use with both the
macOS devices enrolled with Intune and macOS devices managed through the opt-in
public preview of the Defender for Endpoint security settings management scenario.

The macOS EDR template will include the following settings for the Device tags category
from Defender for Endpoint:

Type of tag – The GROUP tag tags the device with the specified value. The tag is
reflected in the admin center on the device page and can be used for filtering and
grouping devices.
Value of tag – Only one value per tag can be set. The Type of a tag is unique and
shouldn’t be repeated in the same profile.

You can learn more about Defender for Endpoint settings that are available for macOS in
Set preferences for Microsoft Defender for Endpoint on macOS in the Defender
documentation.

Notices
These notices provide important information that can help you prepare for future Intune
changes and features.
Plan for change: Intune is moving to support iOS/iPadOS 15 and later
Later this year, we expect iOS 17 to be released by Apple. Microsoft Intune, including
the Intune Company Portal and Intune app protection policies (APP, also known as
MAM), will require iOS 15/iPadOS 15 and higher shortly after iOS 17’s release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to
upgrade to the minimum supported version (iOS/iPadOS 15).

Because Office 365 mobile apps are supported on iOS/iPadOS 15.0 and later, this
change might not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 15 or iPadOS 15 (if applicable), see the following
Apple documentation:

Supported iPhone models
Supported iPad models

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment
(ADE) have a slightly nuanced support statement due to their shared usage. The
minimum supported OS version will change to iOS 15/iPadOS 15 while the allowed
OS version will change to iOS 12/iPadOS 12 and later. See this statement about
ADE Userless support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices
with mobile device management (MDM), go to Devices > All devices and filter by OS.
For devices with app protection policies, go to Apps > Monitor > App protection status
and use the Platform and Platform version columns to filter. Note that there's a current
known issue where several columns are missing from the App protection status report.
We expect a fix soon.

To manage the supported OS version in your organization, you can use Microsoft Intune
controls for both MDM and APP. For more information, see Manage operating system
versions with Intune.
Plan for change: Intune is moving to support macOS 12 and higher later this year
Later this year, we expect macOS 14 Sonoma to be released by Apple. Microsoft Intune,
the Company Portal app and the Intune mobile device management agent will be
moving to support macOS 12 and later. Since the Company Portal app for iOS and
macOS are a unified app, this change will occur shortly after the release of iOS/iPadOS
17.

How does this affect you or your users?

This change only affects you if you currently manage, or plan to manage, macOS devices
with Intune. This change might not affect you because your users have likely already
upgraded their macOS devices. For a list of supported devices, see macOS Monterey is
compatible with these computers.

Note

Devices that are currently enrolled on macOS 11.x or earlier will continue to remain
enrolled even when those versions are no longer supported. New devices will be
unable to enroll if they are running macOS 11.x or earlier.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to
Devices > All devices and filter by macOS. You can add more columns to help identify
who in your organization has devices running macOS 11.x or earlier. Ask your users to
upgrade their devices to a supported OS version.

Plan for Change: Ending support for Microsoft Store for Business and Education apps
In April 2023, we'll begin ending support for the Microsoft Store for Business experience
in Intune. This occurs in several stages. For more information, see Adding your
Microsoft Store for Business and Education apps to the Microsoft Store in Intune.

How does this affect you or your users?

If you're using Microsoft Store for Business and Education apps:
1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services.
Microsoft Store for Business and Education apps won't be able to sync with Intune
and the connector page will be removed from the Intune admin center.
2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for
Business and Education apps on devices. Downloaded applications remain on the
device with limited support. Users may still be able to access the app from their
device, but the app won't be managed. Existing synced Intune app objects remain
to allow admins to view the apps that had been synced and their assignments.
Additionally, you won't be able to sync apps via the Microsoft Graph API
syncMicrosoftStoreForBusinessApps, and related API properties will display stale
data.
3. On September 15, 2023, Microsoft Store for Business and Education apps will be
removed from the Intune admin center. Apps on the device remain until
intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will
no longer be available about a month later.

Note that the retirement of Microsoft Store for Business and Education was announced
in 2021. When the Microsoft Store for Business and Education portals are retired,
admins will no longer be able to manage the list of Microsoft Store for Business and
Education apps that are synced or download offline content from the Microsoft Store for
Business and Education portals.

How can you prepare?

We recommend adding your apps through the new Microsoft Store app experience in
Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app
package from the vendor and install it as a line-of-business (LOB) app or Win32 app. For
instructions read the following articles:

Add Microsoft Store apps to Microsoft Intune
Add a Windows line-of-business app to Microsoft Intune
Add, assign, and monitor a Win32 app in Microsoft Intune

Related information

Update to Intune integration with the Microsoft Store on Windows
Unpacking Endpoint Management: The future of app management in Intune

Plan for Change: Ending support for Windows Information Protection
Microsoft has announced the end of support for Windows Information Protection (WIP).
The Microsoft Intune family of products will be discontinuing future investments in
managing and deploying WIP. In addition to limiting future investments, we removed
support for the WIP without enrollment scenario at the end of calendar year 2022.

How does this affect you or your users?

If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?

We recommend disabling WIP to ensure users in your organization do not lose access to
documents that have been protected by WIP policy. Read the blog Support tip: End of
support guidance for Windows Information Protection for more details and options
for removing WIP from your devices.

Plan for Change: Ending support for Windows 8.1
Microsoft Intune will be ending support for devices running Windows 8.1 on October 21,
2022. Additionally, the sideloading key scenario for line-of-business apps will stop being
supported since it's only applicable to Windows 8.1 devices.

Microsoft strongly recommends that you move to a supported version of Windows 10
or Windows 11, to avoid a scenario where you need service or support that is no longer
available.

How does this affect you or your users?

If you're managing Windows 8.1 devices, those devices should be upgraded to a
supported version of Windows 10 or Windows 11. There is no impact to existing devices
and policies; however, you won't be able to enroll new devices if they are running
Windows 8.1.

How can you prepare?

Upgrade your Windows 8.1 devices, if applicable. To determine which users’ devices are
running Windows 8.1, navigate to Microsoft Intune admin center > Devices >
Windows > Windows devices, and filter by OS.

Additional information
Manage operating system versions with Intune

Update your certificate connector for Microsoft Intune
As of June 1, 2022, Intune certificate connectors earlier than version 6.2101.13.0 may no
longer work as expected and stop connecting to the Intune service. For more
information on the certificate connector lifecycle and support, see Certificate Connectors
for Microsoft Intune.

How does this affect you or your users?

If you're impacted by this change, see MC393815 in the Message center.

How can you prepare?

Download, install, and configure the latest certificate connector. For more information,
see Install the Certificate Connector for Microsoft Intune.

To check which version of the certificate connector you are using, follow these steps:

1. On a Windows Server running the Intune Certificate Connector, launch "Add or
Remove programs".
2. A list of installed programs and applications will be displayed.
3. Look for an entry related to the Microsoft Intune Certificate Connector. There will
be a "Version" associated with the connector. Note that names for older
connectors may vary.

Plan for change: Intune is moving to support Android 8.0 and later in January 2022
Microsoft Intune will be moving to support Android version 8.0 (Oreo) and later for
mobile device management (MDM) enrolled devices on or shortly after January 7, 2022.

How does this affect you or your users?

After January 7, 2022, MDM enrolled devices running Android version 7.x or earlier will
no longer receive updates to the Android Company Portal or the Intune App. Enrolled
devices will continue to have Intune policies applied but are no longer supported for
any Intune scenarios. Company Portal and the Intune App will not be available for
devices running Android 7.x and lower beginning mid-February; however, these devices
won't be blocked from completing enrollment if the requisite app has been installed
prior to this change. If you have MDM enrolled devices running Android 7.x or below,
update them to Android version 8.0 (Oreo) or higher or replace them with a device on
Android version 8.0 or higher.

Note

Microsoft Teams devices are not impacted by this announcement and will
continue to be supported regardless of their Android OS version.

How can you prepare?

Notify your helpdesk, if applicable, of this upcoming change in support. You can identify
how many devices are currently running Android 7.x or below by navigating to Devices
> All devices > Filter. Then filter by OS and sort by OS version. There are two admin
options to help inform your users or block enrollment.

Here's how you can warn users:

Create an app protection policy and configure conditional launch with a min OS
version requirement that warns users.
Utilize a device compliance policy for Android device administrator or Android
Enterprise and set the action for noncompliance to send an email or push
notification to users before marking them noncompliant.

Here's how you can block devices running on versions earlier than Android 8.0:

Create an app protection policy and configure conditional launch with a min OS
version requirement that blocks users from app access.
Utilize a device compliance policy for Android device administrator or Android
Enterprise to make devices running Android 7.x or earlier noncompliant.
Set enrollment restrictions that prevent devices running Android 7.x or earlier from
enrolling.

Note

Intune app protection policies are supported on devices running Android 9.0 and
later. See MC282986 for more details.
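Each of the "Plan for change" notices above (iOS/iPadOS 15, macOS 12, Windows 8.1 and Android 8.0) asks you to find the devices that sit below a minimum OS version by going to Devices > All devices and filtering by OS. The following PowerShell is an added example and not code from the Intune documentation: it performs the same triage over managed-device records so it can be scripted or scheduled. The sample records are constructed and shaped like the deviceName, operatingSystem and osVersion fields returned by the Microsoft Graph managedDevices resource; the minimum-version table and the assumption that Windows 8.1 reports its version as 6.3.x are the example's own.

```powershell
# Added example (not from the Intune docs): flag managed devices below the minimum OS
# version quoted in a "Plan for change" notice.

# Minimums from the notices above, keyed by the platform name Intune reports.
# The Windows entry is an assumption: Windows 8.1 reports 6.3.x, Windows 10/11 report 10.0.x.
$MinimumVersions = @{
    'iOS'     = [version]'15.0'
    'macOS'   = [version]'12.0'
    'Android' = [version]'8.0'
    'Windows' = [version]'10.0'
}

function Get-OutOfSupportDevices {
    param(
        [Parameter(Mandatory)] [object[]]  $Devices,   # objects with deviceName/operatingSystem/osVersion
        [Parameter(Mandatory)] [hashtable] $Minimums
    )
    foreach ($d in $Devices) {
        $platform = [string]$d.operatingSystem
        # ContainsKey($null) throws, so guard the empty case explicitly.
        if ([string]::IsNullOrEmpty($platform) -or -not $Minimums.ContainsKey($platform)) { continue }

        # Intune reports strings such as "16.5.1" or "10.0.19045.3324". A bare "13" does not
        # cast to [version], so pad it to "13.0" before parsing.
        $raw = [string]$d.osVersion
        if ($raw -notmatch '\.') { $raw = "$raw.0" }

        $ver = $null
        if (-not [version]::TryParse($raw, [ref]$ver)) {
            # Report unparseable versions instead of silently dropping the device.
            [pscustomobject]@{ DeviceName = $d.deviceName; Platform = $platform; OsVersion = $d.osVersion; Status = 'UnparseableVersion' }
            continue
        }
        if ($ver -lt $Minimums[$platform]) {
            [pscustomobject]@{ DeviceName = $d.deviceName; Platform = $platform; OsVersion = $d.osVersion; Status = 'BelowMinimum' }
        }
    }
}

# Constructed sample records (not real tenant data).
$sample = @(
    [pscustomobject]@{ deviceName = 'IPHONE-01'; operatingSystem = 'iOS';     osVersion = '14.8.1' },
    [pscustomobject]@{ deviceName = 'IPHONE-02'; operatingSystem = 'iOS';     osVersion = '16.6' },
    [pscustomobject]@{ deviceName = 'MAC-01';    operatingSystem = 'macOS';   osVersion = '11.7.9' },
    [pscustomobject]@{ deviceName = 'PIXEL-01';  operatingSystem = 'Android'; osVersion = '7.1.2' },
    [pscustomobject]@{ deviceName = 'PIXEL-02';  operatingSystem = 'Android'; osVersion = '13' },
    [pscustomobject]@{ deviceName = 'PC-01';     operatingSystem = 'Windows'; osVersion = '6.3.9600' }
)

# Expected: IPHONE-01, MAC-01, PIXEL-01 and PC-01 are reported as BelowMinimum.
Get-OutOfSupportDevices -Devices $sample -Minimums $MinimumVersions | Format-Table -AutoSize

# To run this against live data, replace $sample with the managedDevices collection from
# Microsoft Graph (requires the Microsoft.Graph module and DeviceManagementManagedDevices.Read.All):
#   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
#   $page = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=deviceName,operatingSystem,osVersion'
#   Follow $page.'@odata.nextLink' until it is empty, then pass the accumulated .value items to Get-OutOfSupportDevices.
```

The version comparison is done with [version] rather than string comparison so that "10.0.19045" sorts above "6.3.9600" and "7.1.2" below "8.0"; string sorting, as in the admin center's OS version column, would put "10" before "7".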

Plan for change: Intune APP/MAM is moving to support Android 9 and higher
With the upcoming release of Android 12, Intune app protection policies (APP, also
known as mobile application management) for Android will move to support Android 9
(Pie) and later on October 1, 2021. This change will align with Office mobile apps for
Android support of the last four major versions of Android.

Based on your feedback, we've updated our support statement. We're doing our best to
keep your organization secure and protect your users and devices, while aligning with
Microsoft app lifecycles.

Note

This announcement doesn't affect Microsoft Teams Android devices. Those
devices will continue to be supported regardless of their Android OS version.

How does this affect you or your users?

If you're using app protection policies (APP) on any device that's running Android
version 8.x or earlier, or you decide to enroll any device that's running Android version
8.x or earlier, these devices will no longer be supported for APP.

APP policies will continue to be applied to devices running Android 6.x to Android 8.x.
But if you have problems with an Office app and APP, support will request that you
update to a supported Office version for troubleshooting. To continue to receive
support for APP, update your devices to Android version 9 (Pie) or later, or replace them
with a device on Android version 9.0 or later before October 1, 2021.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. You also have
two admin options to warn users:

Configure a conditional launch setting for APP with a minimum OS version
requirement to warn users.
Use a device compliance policy for an Android device administrator or Android
Enterprise. Set the action for noncompliance to send a message to users before
marking them as noncompliant.

Upgrade to the Microsoft Intune Management Extension
We've released an upgrade to the Microsoft Intune Management Extension to improve
handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune
automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to
this latest version. To check the version of the extension on a device, review the version
for Microsoft Intune Management Extension in the program list under Apps &
features.

For more information, see the entry for security vulnerability CVE-2021-31980
in the Microsoft Security Response Center.

How does this affect you or your users?

No action is required. As soon as the client connects to the service, it automatically
receives a message to upgrade.
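Both the certificate connector notice (minimum version 6.2101.13.0, checked in "Add or Remove programs") and the Management Extension notice above (minimum version 1.43.203.0, checked under Apps & features) come down to reading an installed program's version and comparing it with a minimum. The following PowerShell is an added example, not code from the Intune documentation: it reads the same Programs and Features data from the Uninstall registry keys and does the comparison with proper version semantics. The display-name patterns are assumptions, since, as the notice says, older connector releases used different product names.

```powershell
# Added example (not from the Intune docs): read an installed program's version from the
# Uninstall registry keys (the data behind "Add or Remove programs" / "Apps & features")
# and compare it with the minimum a notice requires.

function Get-InstalledProgramVersion {
    param([Parameter(Mandatory)] [string] $DisplayNamePattern)   # wildcard pattern, e.g. '*Certificate Connector*'
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        Select-Object DisplayName, DisplayVersion
}

function Test-MinimumVersion {
    param(
        [Parameter(Mandatory)] [string]  $DisplayNamePattern,
        [Parameter(Mandatory)] [version] $Minimum
    )
    $found = @(Get-InstalledProgramVersion -DisplayNamePattern $DisplayNamePattern)
    if ($found.Count -eq 0) {
        return [pscustomobject]@{ Program = $DisplayNamePattern; Installed = $null; Minimum = $Minimum; Status = 'NotInstalled' }
    }
    foreach ($entry in $found) {
        # [version] comparison, not string comparison: "1.43.203.0" must sort above "1.9.0.0".
        $installed = $null
        $parsed = [version]::TryParse([string]$entry.DisplayVersion, [ref]$installed)
        $status = if (-not $parsed)               { 'UnparseableVersion' }
                  elseif ($installed -lt $Minimum) { 'BelowMinimum' }
                  else                             { 'OK' }
        [pscustomobject]@{ Program = $entry.DisplayName; Installed = $entry.DisplayVersion; Minimum = $Minimum; Status = $status }
    }
}

# Minimums quoted in the notices above. The name patterns are assumptions; widen the
# connector pattern if an older release used a different product name.
Test-MinimumVersion -DisplayNamePattern '*Intune Certificate Connector*'        -Minimum '6.2101.13.0'
Test-MinimumVersion -DisplayNamePattern 'Microsoft Intune Management Extension' -Minimum '1.43.203.0'
```

Run it on the server that hosts the connector (for the first check) and on a managed Windows device (for the second); a NotInstalled result for the connector pattern on a server that is known to run it means the display name differs and the pattern needs widening, not that the connector is absent.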

Update to Endpoint Security antivirus Windows 10 profiles
We've made a minor change to improve the antivirus profile experience for Windows 10.
There's no user effect, because this change affects only what you'll see in the UI.

How does this affect you or your users?

Previously, when you configured a Windows security profile for the Endpoint Security
antivirus policy, you had two options for most settings: Yes and Not configured. Those
settings now include Yes, Not configured, and a new option of No.

Previously configured settings that were set to Not configured remain as Not
configured. When you create new profiles or edit an existing profile, you can now
explicitly specify No.

In addition, the setting Hide the Virus and threat protection area in the Windows
Security app has a child setting, Hide the Ransomware data recovery option in the
Windows Security app. If the parent setting is set to Not configured and the child
setting is set to Yes, both the parent and child settings are set to Not configured. That
change takes effect when you edit the profile.

How can you prepare?

No action is needed. However, you might want to notify your helpdesk about this
change.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows
Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now
removing support for the associated Windows 10 Company Portals for Windows
versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not
affect you. You've likely already upgraded your OS or devices. This change only affects
you if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:

Windows 10 version 1507, Company Portal version 10.1.721.0
Windows 10 version 1511, Company Portal version 10.1.1731.0
Windows 10 version 1607, Company Portal version 10.3.5601.0
Windows 10 version 1703, Company Portal version 10.3.5601.0
Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the
Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the
latest security updates, new features, bug fixes, latency improvements, accessibility
improvements, and performance investments. You won't be able to co-manage users by
using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Intune admin center, use the discovered apps feature to find apps with
these versions. On a user's device, the Company Portal version is shown on the Settings
page of the Company Portal. Update to a supported Windows and Company Portal
version.

See also
For details about recent developments, see What's new in Microsoft Intune.

What's new in Microsoft Intune
Article • 08/30/2023

Learn what's new each week in Microsoft Intune.

You can also read:

Important notices
Past releases in the What's new archive
Information about how Intune service updates are released

Note

Each monthly update may take up to three days to rollout and will be in the
following order:

Day 1: Asia Pacific (APAC)
Day 2: Europe, Middle East, Africa (EMEA)
Day 3: North America
Day 4+: Intune for Government

Some features may roll out over several weeks and might not be available to all
customers in the first week.

For a list of upcoming Intune feature releases, see In development for Microsoft
Intune. For new information about Autopilot, see Windows Autopilot What's new.

You can use RSS to be notified when this page is updated. For more information, see
How to use the docs.

Week of August 28, 2023

Device configuration

Windows and Android support for 4096-bit key size for SCEP and PFX certificate profiles

Intune SCEP certificate profiles and PKCS certificate profiles for Windows and Android
devices now support a Key size (bits) of 4096. This key size is available for new profiles
and existing profiles you choose to edit.

SCEP profiles have always included the Key size (bits) setting and now support
4096 as an available configuration option.
PKCS profiles don’t include the Key size (bits) setting directly. Instead, an admin
must modify the certificate template on the Certification Authority to set the
Minimum key size to 4096.

If you use a third-party Certificate Authority (CA), you might need to contact your
vendor for assistance with implementing the 4096-bit key size.

When updating or deploying new certificate profiles to take advantage of this new key
size, we recommend use of a staggered deployment approach to help avoid creating
excessive demand for new certificates across a large number of devices at the same
time.

With this update, be aware of the following limitations on Windows devices:

4096-bit key storage is supported only in the Software Key Storage Provider (KSP).
The following do not support storing keys of this size:
The hardware TPM (Trusted Platform Module). As a workaround, you can use the
Software KSP for key storage.
Windows Hello for Business. There is no workaround at this time.
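Before moving a SCEP or PKCS profile to a 4096-bit key size, it helps to know which certificates already on a device are held by the Software KSP and which are TPM-backed (the Microsoft Platform Crypto Provider), since the latter cannot take a 4096-bit key per the limitation above. The following PowerShell is an added example, not code from the Intune documentation: it audits the local machine certificate store and reports each RSA certificate's key size and the provider holding its private key. Store path and the TPM-provider name match are the example's own assumptions.

```powershell
# Added example (not from the Intune docs): list RSA key size and key storage provider for
# certificates in the local machine store, flagging TPM-backed keys that cannot move to
# 4096 bits. Run in an elevated session so private-key metadata is readable.

function Get-CertificateKeyInfo {
    param([string] $StorePath = 'Cert:\LocalMachine\My')   # assumption: machine personal store
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($null -eq $rsa) { continue }   # ECC and other non-RSA certificates are not in scope

        $provider = 'NoPrivateKey'
        if ($cert.HasPrivateKey) {
            try {
                $priv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($priv -is [System.Security.Cryptography.RSACng]) {
                    $provider = $priv.Key.Provider.Provider                  # CNG KSP name
                } elseif ($priv -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $provider = $priv.CspKeyContainerInfo.ProviderName       # legacy CSP name
                } else {
                    $provider = 'Unknown'
                }
            } catch {
                $provider = "NoAccess ($($_.Exception.Message))"             # e.g. not elevated
            }
        }

        # The Platform Crypto Provider is the TPM KSP; the page states 4096-bit keys are
        # Software KSP only, so these certificates need a provider change to use 4096 bits.
        $note = if ($provider -like '*Platform Crypto Provider*') { 'TPM-backed: 4096-bit not supported' } else { '' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeySize    = $rsa.KeySize
            Provider   = $provider
            NotAfter   = $cert.NotAfter
            Note       = $note
        }
    }
}

Get-CertificateKeyInfo | Sort-Object KeySize, NotAfter |
    Format-Table Subject, KeySize, Provider, NotAfter, Note -AutoSize
```

Certificates that show a key size below 4096 in the Software KSP are the ones a new 4096-bit profile will replace on renewal; those showing the Platform Crypto Provider stay at their current size, which is worth knowing before a staggered rollout is planned.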

Tenant administration

Access policies for multiple Administrator Approval are now generally available

Access policies for multiple Administrator Approval are out of public preview and are
now generally available. With these policies, you can protect a resource, like App
deployments, by requiring that any change to the deployment be approved by one of a
group of users who are approvers for the resource before that change is applied.

For more information, see Use Access policies to require multiple administrative
approval.

Week of August 21, 2023 (Service release 2308)

App management
Managed Home Screen end-users prompted to grant exact alarm
permission

Managed Home Screen uses the exact alarm permission to do the following actions:

Automatically sign users out after a set time of inactivity on the device
Launch a screen saver after a set period of inactivity
Automatically relaunch MHS after a certain period of time when a user exits kiosk
mode

For devices running Android 14 and higher, by default, the exact alarm permission will
be denied. To make sure critical user functionality is not impacted, end-users will be
prompted to grant exact alarm permission upon first launch of Managed Home Screen.
For more information, see Configure the Microsoft Managed Home Screen app for
Android Enterprise and Android's developer documentation .

Managed Home Screen notifications

For Android devices running Android 13 or higher that target API level 33, by default,
applications do not have permission to send notifications. In previous versions of
Managed Home Screen, when an admin had enabled automatic relaunch of Managed
Home Screen, a notification was displayed to alert users of the relaunch. To
accommodate the change to notification permission, in the scenario when an admin has
enabled auto-relaunch of Managed Home Screen, the application will now display a
toast message alerting users of the relaunch. Managed Home Screen is able to auto-grant
permission for this notification, so no change is required for admins configuring
Managed Home Screen to accommodate the change in notification permission with API
level 33. For more information about Android 13 (API level 33) notification messages,
see the Android developer documentation. For more information about Managed
Home Screen, see Configure the Microsoft Managed Home Screen app for Android
Enterprise.

New macOS web clip app type

In Intune, end users can pin web apps to the dock on your macOS devices (Apps >
macOS > Add > macOS web clip). For related information about the settings you can
configure, see Add web apps to Microsoft Intune.

Applies to:

macOS

Win32 app configurable installation time
In Intune, you can set a configurable installation time to deploy Win32 apps. This time is
expressed in minutes. If the app takes longer to install than the set installation time, the
system will fail the app install. The maximum timeout value is 1440 minutes (1 day). For
more information about Win32 apps, see Win32 app management in Microsoft Intune.

Samsung Knox conditional launch check

You can add detection of device health compromises on Samsung Knox
devices. Using a conditional launch check within a new Intune App Protection Policy, you
can require that hardware-level device tamper detection and device attestation be
performed on compatible Samsung devices. For more information, see the Samsung
Knox device attestation setting in the Conditional launch section of Android app
protection policy settings in Microsoft Intune.

Device configuration

Remote Help for Android in public preview

Remote Help is available in public preview for Android Enterprise Dedicated devices
from Zebra and Samsung. With Remote Help, IT Pros can remotely view the device
screen and take full control in both attended and unattended scenarios, to diagnose and
resolve issues quickly and efficiently.

Applies to:

Android Enterprise Dedicated devices, manufactured by Zebra or Samsung

For more information, go to Remote Help on Android.

Group Policy analytics is generally available

Group Policy analytics is generally available (GA). Use Group Policy analytics to analyze
your on-premises group policy objects (GPOs) for their migration to Intune policy
settings.

For more information about Group Policy analytics, go to Analyze your on-premises
GPOs using Group Policy analytics in Microsoft Intune.

Applies to:
Windows 11
Windows 10

New SSO, login, restrictions, passcode, and tamper protection settings available in the Apple settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft
Intune admin center, go to Devices > Configuration profiles > Create profile >
iOS/iPadOS or macOS > Settings catalog for profile type.

Authentication > Extensible Single Sign On (SSO):

Account Display Name
Additional Groups
Administrator Groups
Authentication Method
Authorization Right
Group
Authorization Group
Enable Authorization
Enable Create User At Login
Login Frequency
New User Authorization Mode
Account Name
Full Name
Token To User Mapping
User Authorization Mode
Use Shared Device Keys

Applies to:

macOS 13.0 and later

Login > Login Window:

Autologin Password
Autologin Username

Restrictions:

Allow ARD Remote Management Modification
Allow Bluetooth Sharing Modification
Allow Cloud Freeform
Allow File Sharing Modification
Allow Internet Sharing Modification
Allow Local User Creation
Allow Printer Sharing Modification
Allow Remote Apple Events Modification
Allow Startup Disk Modification
Allow Time Machine Backup

Security > Passcode:

Password Content Description
Password Content Regex

Applies to:

macOS 14.0 and later

Restrictions:

Allow iPhone Widgets On Mac

Applies to:

iOS/iPadOS 17.0 and later

Microsoft Defender > Tamper protection:

Process's arguments
Process path
Process's Signing Identifier
Process's Team Identifier
Process exclusions

Applies to:

macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

Device enrollment

Just-in-time registration and compliance remediation for iOS/iPadOS Setup Assistant with modern authentication now generally available
Just-in-time registration and compliance remediation for Setup Assistant with modern
authentication are now out of preview and generally available. With just-in-time (JIT)
registration, the device user doesn't need to use the Company Portal app for Azure
Active Directory registration and compliance checking. JIT registration and compliance
remediation are embedded into the user's provisioning experience, so they can view their
compliance status and take action within the work app they're trying to access.
Additionally, this establishes single sign-on across the device. For more information
about how to set up JIT registration, see Set up Just in Time Registration.

Awaiting final configuration for iOS/iPadOS automated device enrollment now generally available
Now generally available, awaiting final configuration enables a locked experience at the
end of Setup Assistant to ensure that critical device configuration policies install on
devices. The locked experience works on devices targeted with new and existing
enrollment profiles. Supported devices include:

iOS/iPadOS 13+ devices enrolling with Setup Assistant with modern authentication
iOS/iPadOS 13+ devices enrolling without user affinity
iOS/iPadOS 13+ devices enrolling with Azure AD shared mode

This setting is applied once during the out-of-box automated device enrollment
experience in Setup Assistant. The device user doesn't experience it again unless they
re-enroll their device. Awaiting final configuration is enabled by default for new
enrollment profiles. For information about how to enable awaiting final configuration,
see Create an Apple enrollment profile.

Device management

Changes to Android notification permission prompt behavior

We've updated how our Android apps handle notification permissions to align with
recent changes made by Google to the Android platform. As a result of Google's changes,
notification permissions are granted to apps as follows:

On devices running Android 12 and earlier: Apps are permitted to send
notifications to users by default.
On devices running Android 13 and later: Notification permissions vary depending
on the API the app targets.
Apps targeting API 32 and lower: Google has added a notification permission
prompt that appears when the user opens the app. Management apps can still
configure apps so that they're automatically granted notification permissions.
Apps targeting API 33 and higher: App developers define when the notification
permission prompts appear. Management apps can still configure apps so that
they're automatically granted notification permissions.

You and your device users can expect to see the following changes now that our apps
target API 33:

Company Portal used for work profile management: Users see a notification
permission prompt in the personal instance of the Company Portal when they first
open it. Users don't see a notification permission prompt in the work profile
instance of Company Portal because notification permissions are automatically
permitted for Company Portal in the work profile. Users can silence app
notifications in the Settings app.
Company Portal used for device administrator management: Users see a
notification permission prompt when they first open the Company Portal app.
Users can adjust app notification settings in the Settings app.
Microsoft Intune app: No changes to existing behavior. Users don't see a prompt
because notifications are automatically permitted for the Microsoft Intune app.
Users can adjust some app notification settings in the Settings app.
Microsoft Intune app for AOSP: No changes to existing behavior. Users don't see
a prompt because notifications are automatically permitted for the Microsoft
Intune app. Users can't adjust app notification settings in the Settings app.

Device security

Defender Update controls to deploy updates for Defender is now generally available

The profile Defender Update controls for Intune Endpoint security Antivirus policy,
which manages update settings for Microsoft Defender, is now generally available. This
profile is available for the Windows 10, Windows 11, and Windows Server platform. While
in public preview, this profile was available for the Windows 10 and later platform.

The profile includes settings for the rollout release channel by which devices and users
receive Defender Updates that are related to daily security intelligence updates, monthly
platform updates, and monthly engine updates.

This profile includes the following settings, which are all directly taken from Defender
CSP - Windows Client Management.

Engine Updates Channel
Platform Updates Channel
Security Intelligence Updates Channel

These settings are also available from the settings catalog for the Windows 10 and later
profile.

Elevation report by applications for Endpoint Privilege Management
We’ve released a new report named Elevation report by applications for Endpoint
Privilege Management (EPM). With this new report you can view all managed and
unmanaged elevations, which are aggregated by the application that elevated. This
report can aid you in identifying applications that might require elevation rules to
function properly, including rules for child processes.

You’ll find the report in the Report node for EPM in the Intune admin center. Navigate
to Endpoint security > Endpoint Privilege Management and then select the Reports
tab.

New settings available for macOS Antivirus policy
The Microsoft Defender Antivirus profile for macOS devices has been updated with nine
additional settings, and three new settings categories:

Antivirus engine – The following settings are new in this category:

Degree of parallelism for on-demand scans – Specifies the degree of parallelism
for on-demand scans. This corresponds to the number of threads used to perform
the scan, and affects both CPU usage and the duration of the on-demand scan.
Enable file hash computation – Enables or disables the file hash computation feature.
When this feature is enabled, Defender computes hashes for the files it scans, which
improves the accuracy of Custom Indicator matches. However, enabling file hash
computation can affect device performance.
Run a scan after definitions are updated – Specifies whether to start a process
scan after new security intelligence updates are downloaded to the device.
Enabling this setting triggers an antivirus scan of the processes running on the
device.
Scanning inside archive files – If true, Defender unpacks archives and scans the
files inside them. Otherwise, archive content is skipped, which improves scanning
performance at the cost of not inspecting archived content.

Network protection – A new category that includes the following setting:

Enforcement level – Configure this setting to specify if network protection is
disabled, in audit mode, or enforced.

Tamper protection – A new category that includes the following setting:

Enforcement level – Specify if tamper protection is disabled, in audit mode, or
enforced.

User interface preferences – A new category that includes the following settings:

Control sign-in to consumer version - Specify whether users can sign into the
consumer version of Microsoft Defender.
Show / hide status menu icon – Specify whether the status menu icon (shown in
the top-right corner of the screen) is hidden or not.
User initiated feedback – Specify whether users can submit feedback to Microsoft
by going to Help > Send Feedback.

New profiles that you create include the original settings as well as the new settings.
Your existing profiles automatically update to include the new settings, with each new
setting set to Not configured until you choose to edit that profile to change it.

For more information about how to set preferences for Microsoft Defender for Endpoint
on macOS in enterprise organizations, see Set preferences for Microsoft Defender for
Endpoint on macOS.

Intune apps

Newly available protected app for Intune
The following protected app is now available for Microsoft Intune:

VerityRMS by Mackey LLC (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot


CloudDesktop log now collected with Windows diagnostics data

The Intune remote action to collect diagnostics from a Windows device now also
collects the following log file:

%temp%\CloudDesktop*.log

Anomaly detection device cohorts in Intune Endpoint analytics is generally available

Anomaly detection device cohorts in Intune Endpoint analytics is now generally
available.

Device cohorts are identified among devices associated with a high or medium severity
anomaly. Devices are correlated into groups based on one or more factors they have in
common, such as an app version, driver update, OS version, or device model. A
correlation group contains a detailed view with key information about the common
factors between all affected devices in that group. You can also view a breakdown of
devices currently affected by the anomaly and 'at risk' devices, which are those that
haven't yet shown symptoms of the anomaly.

For more information, go to Anomaly detection in Endpoint analytics.

Improved user experience for device timeline in Endpoint Analytics
The user interface (UI) for device timeline in Endpoint analytics is improved and includes
more advanced capabilities (support for sorting, searching, filtering, and exports). When
viewing a specific device timeline in Endpoint analytics, you can search by event name
or details. You can also filter the events and choose the source and level of events that
appear on the device timeline and select a time range of interest.

For more information, go to Enhanced device timeline.

Updates for compliance policies and reports
We’ve made several improvements to the Intune compliance policies and reports. With
these changes the reports more closely align to the experience in use for device
configuration profiles and reports. We’ve updated our compliance report
documentation to reflect the available compliance report improvements.

Compliance report improvements include:

Compliance details for Linux devices.
Redesigned reports that are up to date and simplified, with newer report versions
beginning to replace older report versions, which remain available for some time.
When viewing a policy for compliance, there's no longer a left-pane navigation.
Instead, the policy view opens to a single pane that defaults to the Monitor tab
and its Device status view:
  This view provides a high-level overview of device status for the policy, and
  supports drilling in to review the full report, as well as a per-setting status
  view of the same policy.
  The doughnut chart is replaced by a streamlined representation and count of
  the different device status values returned by devices assigned the policy.
  You can select the Properties tab to view the policy details, and review and edit
  its configuration and assignments.
  The Essentials section is removed, with those details now appearing in the
  policy's Properties tab.
The updated status reports support sorting by column, the use of filters, and
search. Combined, these enhancements let you pivot the report to display the
specific subset of details you want to view at the time. With these enhancements
we've removed the User status report, as it has become redundant. Now, while
viewing the default Device status report, you can focus the report on the same
information that was available from User status by sorting on the User Principal
Name column or searching for a specific username in the search box.
When viewing status reports, the count of devices that Intune displays now
remains consistent between different report views as you drill in for deeper
insights or details.

For more information about these changes, see the Intune Support Team blog at
https://aka.ms/Intune/device_compl_report.

Week of August 14, 2023

App management

Use the Turn off the Store application setting to disable end user
access to Store apps, and allow managed Intune Store apps
In Intune, you can use the new Store app type to deploy Store apps to your devices.
Now, you can use the Turn off the Store application policy to disable end users' direct
access to Store apps. When direct access is disabled, end users can still access and
install Store apps from the Windows Company Portal app and through Intune app
management. If you want to allow unmanaged Store app installs outside of Intune, don't
configure this policy.

The previous Only display the private store within the Microsoft Store app policy
doesn't prevent end users from directly accessing the store through the Windows
Package Manager (winget) APIs, so it isn't an effective control for this purpose. If
your goal is to block unmanaged Store application installs on client devices, use the
Turn off the Store application policy, not the Only display the private store within
the Microsoft Store app policy.

For more information, go to Add Microsoft Store Apps to Microsoft Intune.

Applies to:

Windows 10 and later

Week of August 7, 2023

Role-based access control

Introducing a new role-based access control (RBAC) permission under the resource Android for work

Introducing a new RBAC Permission for creating a custom role in Intune, under the
resource Android for work. The permission Update Enrollment Profile allows the admin
to manage or change both AOSP and Android Enterprise Device Owner enrollment
profiles that are used to enroll devices.

For more information, go to Create custom role.

Week of July 31, 2023

Device security

New BitLocker profile for Intune's endpoint security Disk encryption policy

We've released a new experience for creating BitLocker profiles for endpoint security
Disk Encryption policy. The experience for editing your previously created BitLocker
policies remains the same, and you can continue to use them. This update applies only
to the new BitLocker policies you create for the Windows 10 and later platform.

This update is part of the continuing rollout of new profiles for endpoint security
policies, which began in April 2022.

App management

Uninstall Win32 and Microsoft store apps using the Windows Company Portal

End-users can uninstall Win32 apps and Microsoft store apps using the Windows
Company Portal if the apps were assigned as available and were installed on-demand by
the end-users. For Win32 apps, you have the option to enable or disable this feature (off
by default). For Microsoft store apps, it is always on and available for your end-users. If
an app can be uninstalled by the end-user, the end-user will be able to select Uninstall
for the app in the Windows Company Portal. For related information, see Add apps to
Microsoft Intune.

Week of July 24, 2023 (Service release 2307)

App management

Intune supports new Google Play Android Management API

Changes have been made to how Managed Google Play public apps are managed in
Intune. These changes support Google's Android Management APIs (opens Google's
web site).

To learn more about changes to the admin and user experience, go to Support Tip:
Intune moving to support new Google Play Android Management API.

Applies to:

Android Enterprise

App report for Android Enterprise corporate-owned devices
You can now view a report containing all apps found on a device for Android Enterprise
corporate-owned scenarios, including system apps. This report is available in Microsoft
Intune admin center by selecting Apps > Monitor > Discovered apps. You will see
Application Name and Version for all apps detected as installed on the device. It may
take up to 24 hours for app information to populate the report. For related information,
see Intune discovered apps.

Add unmanaged PKG-type applications to managed macOS devices [Public Preview]

You can now upload and deploy unmanaged PKG-type applications to managed macOS
devices using the Intune MDM agent for macOS devices. This feature enables you to
deploy custom PKG installers, such as unsigned apps and component packages. You can
add a PKG app in the Intune admin center by selecting Apps > macOS > Add > macOS
app (PKG) for app type.

For more information, see Add an unmanaged macOS PKG app to Microsoft Intune. To
deploy managed PKG-type app, you can continue to add macOS line-of-business (LOB)
apps to Microsoft Intune. For more information about the Intune MDM agent for macOS
devices, see Microsoft Intune management agent for macOS.

Applies to:

macOS

New settings available for the iOS/iPadOS web clip app type

In Intune, you can pin web apps to your iOS/iPadOS devices (Apps > iOS/iPadOS > Add
> iOS/iPadOS web clip). When you add web clips, there are new settings available:

Full screen: If configured to Yes, launches the web clip as a full-screen web app
without a browser. Additionally, there's no URL or search bar, and no bookmarks.
Ignore manifest scope: If configured to Yes, a full screen web clip can navigate to
an external web site without showing Safari UI. Otherwise, Safari UI appears when
navigating away from the web clip's URL. This setting has no effect when Full
screen is set to No. Available in iOS 14 and later.
Precomposed: If configured to Yes, prevents Apple's application launcher
(SpringBoard) from adding "shine" to the icon.
Target application bundle identifier: Enter the application bundle identifier that
specifies the application that opens the URL. Available in iOS 14 and later.

For more information, go to Add web apps to Microsoft Intune.


Applies to:

iOS/iPadOS

Change to default settings when adding Windows PowerShell scripts

In Intune, you can use policies to deploy Windows PowerShell scripts to your Windows
devices (Devices > Scripts > Add > Windows 10 and later). When you add a Windows
PowerShell script, there are settings you configure. To increase the secure-by-default
behavior of Intune, the default value of the following settings has changed:

The Run this script using the logged on credentials setting defaults to Yes, so a
new script runs in the context of the signed-in user rather than as SYSTEM unless
you change it. Previously, the default was No.
The Enforce script signature check setting defaults to Yes, so a new script must be
signed by a publisher the device trusts before it runs. Previously, the default
was No.

This behavior applies to new scripts you add, not existing scripts.

For more information about using Windows PowerShell scripts in Intune, go to Use
PowerShell scripts on Windows 10/11 devices in Intune.

Applies to:

Windows 10 and later (excluding Windows 10 Home)
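With signature enforcement on by default, a script uploaded without a valid signature is simply not run on the device, and the failure is easy to misread as a policy targeting problem. The following is an added example, not code from the Intune documentation, showing how to sign a script with a code-signing certificate and verify the result before uploading it. The script path, the certificate store and the timestamp server URL are assumptions. The device also has to trust the signing chain: a certificate from an internal CA needs that CA's root and intermediates present on the devices (for example through a trusted certificate profile), or the signature verifies as Valid on the admin's machine and still fails on the endpoint.

```powershell
# Added example, not from the Intune documentation. Signs an Intune-bound script with
# an Authenticode code-signing certificate and verifies it the way the device will.
param(
    [string]$ScriptPath      = 'C:\IntuneScripts\Set-Baseline.ps1',  # assumed path
    [string]$TimestampServer = 'http://timestamp.digicert.com'       # assumed TSA URL
)

# Pick a certificate that carries the Code Signing EKU and hasn't expired. The
# -CodeSigningCert switch is a dynamic parameter of the certificate provider.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw 'No valid code-signing certificate found in Cert:\CurrentUser\My.'
}

# Sign in place. SHA-256 is the current baseline; the RFC 3161 timestamp keeps the
# signature valid after the certificate itself expires, which matters for scripts
# that stay assigned for a long time.
$null = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer

# Verify before uploading. Anything other than 'Valid' (NotSigned, HashMismatch,
# UnknownError for an untrusted chain) means the device will skip the script.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Script     = $ScriptPath
    Status     = $check.Status
    Signer     = $check.SignerCertificate.Subject
    Thumbprint = $check.SignerCertificate.Thumbprint
    Timestamp  = $check.TimeStamperCertificate.Subject
} | Format-List

if ($check.Status -ne 'Valid') {
    throw "Signature status is '$($check.Status)'; do not upload this script."
}
```

Two things to keep in mind: editing the script after signing invalidates the signature (the status becomes HashMismatch), so re-sign as the last step before upload; and a self-signed test certificate will only report Valid on machines where that certificate has been imported into the Trusted Publishers and Trusted Root stores.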

Device configuration

Added support for scope tags

You can now add scope tags when creating deployments using Zebra LifeGuard Over-the-Air
integration (in public preview).

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > macOS > Settings catalog for profile type.

Microsoft AutoUpdate (MAU):

Current Channel (Monthly)

Microsoft Defender > User interface preferences:

Control sign-in to consumer version

Microsoft Office > Microsoft Outlook:

Disable 'Do not send response'

User Experience > Dock:

MCX Dock Special Folders

Applies to:

macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

Compliance Retrieval service support for MAC address endpoints

We've now added MAC address support to the Compliance Retrieval (CR) service.

The initial release of the CR service supported only the Intune device ID, with the
intent of eliminating the need to manage internal identifiers like serial numbers and
MAC addresses. With this update, organizations that prefer to use MAC addresses over
certificate authentication can continue to do so while implementing the CR service.

While this update adds MAC address support to the CR service, our recommendation is
still to use certificate-based authentication with the Intune device ID included in the
certificate: a MAC address is an identifier that any host can present, while a device
certificate is bound to a private key the device holds.

For information about the CR service as a replacement for the Intune Network Access
Control (NAC) service, see the Intune blog at
https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-intune-service-for-network-access-control/ba-p/2544696.

Settings insight within Intune Security Baselines is generally available

Announcing the general availability of Settings insight in Microsoft Intune. The
Settings insight feature adds insight to settings, giving you confidence in
configurations that have been successfully adopted by similar organizations. Settings
insight is currently available for Security Baselines.

Navigate to Endpoint security > Security baselines. While creating or editing a
baseline, these insights are available for all settings marked with a light bulb.

Device security

Tamper protection support for Windows on Azure Virtual Desktop
Intune now supports use of endpoint security Antivirus policy to manage Tamper
protection for Windows on Azure Virtual Desktop multi-session devices. Support for
Tamper protection requires devices to onboard to Microsoft Defender for Endpoint
before the policy that enables Tamper protection is applied.

EpmTools PowerShell module for Endpoint Privilege Management

The EpmTools PowerShell module is now available for use with Intune Endpoint Privilege
Management (EPM). EpmTools includes cmdlets such as Get-FileAttributes, which you can
use to retrieve file details to help build accurate elevation rules, and additional
cmdlets you can use to troubleshoot or diagnose EPM policy deployments.

For more information, see EpmTools PowerShell module.

Endpoint Privilege Management support to manage elevation rules for child processes

With Intune Endpoint Privilege Management (EPM) you can manage which files and
processes are allowed to Run as Administrator on your Windows devices. Now, EPM
elevation rules support a new setting, Child process behavior.

With Child process behavior, your rules can manage the elevation context for any child
processes created by the managed process. Options include:

Allow all child processes created by the managed process to always run as elevated.
Allow a child process to run as elevated only when it matches the rule that manages
its parent process.
Deny all child processes from running in an elevated context, in which case they run
as standard users.

Allowing all child processes to inherit elevation extends the rule's trust to anything
the parent launches, including shells and installers, so prefer the rule-match or deny
options unless the application genuinely requires it.

Endpoint Privilege Management is available as an Intune add-on. For more information,
see Use Intune Suite add-on capabilities.
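An elevation rule is only as strong as the attributes it pins: a rule that matches on file name alone is satisfied by any renamed binary. The following is an added example that serves both the EpmTools passage above and the child process passage: it is not EpmTools and not code from the Intune documentation. It collects the attributes a rule can be written against (SHA-256, signer, product name, internal name, file version) for a parent executable and for every other executable in its install folder, so you can decide which attributes to pin and which Child process behavior the rule needs. The parent path is an assumption.

```powershell
# Added example, not EpmTools and not from the Intune documentation. Uses only
# cmdlets that ship with Windows PowerShell.

function Get-ElevationRuleAttributes {
    # Return the file attributes an EPM elevation rule can match on for one binary.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    $vi   = $item.VersionInfo
    [pscustomobject]@{
        FileName        = $item.Name
        Directory       = $item.DirectoryName
        Sha256          = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status                        # 'Valid' or why not
        Publisher       = $sig.SignerCertificate.Subject     # $null when unsigned
        PublisherThumb  = $sig.SignerCertificate.Thumbprint
        ProductName     = $vi.ProductName
        InternalName    = $vi.InternalName
        FileDescription = $vi.FileDescription
        # Numeric parts rather than the free-text FileVersion string, which vendors
        # sometimes pad with build tags.
        FileVersion     = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                $vi.FileBuildPart, $vi.FilePrivatePart
    }
}

function Get-ElevationRuleCandidates {
    # Attributes for the parent executable plus every other .exe under its install
    # folder: these are the binaries a rule's Child process behavior setting governs.
    param([Parameter(Mandatory)][string]$ParentPath)
    $parentFull = (Get-Item -LiteralPath $ParentPath -ErrorAction Stop).FullName
    $parent     = Get-ElevationRuleAttributes -Path $parentFull
    $children   = Get-ChildItem -LiteralPath $parent.Directory -Recurse -Filter *.exe |
        Where-Object { $_.FullName -ne $parentFull } |
        ForEach-Object { Get-ElevationRuleAttributes -Path $_.FullName }
    [pscustomobject]@{ Parent = $parent; Children = @($children) }
}

# Usage (assumed path). Pin Publisher + ProductName/InternalName + a minimum
# FileVersion for signed binaries; fall back to Sha256 only for unsigned ones.
$result = Get-ElevationRuleCandidates -ParentPath 'C:\Program Files\Contoso\ContosoAdmin.exe'
$result.Parent | Format-List

# Unsigned children are the ones to look at before choosing "allow all child
# processes": that option would elevate them too, and a hash rule for them breaks on
# the vendor's next update.
$result.Children |
    Where-Object { $_.SignatureStatus -ne 'Valid' } |
    Format-Table FileName, SignatureStatus, FileVersion -AutoSize
```

If every child is signed by the same publisher as the parent, the rule-match option covers them with a single publisher rule; if the parent spawns unsigned helpers, either deny child elevation and confirm the app still works, or write explicit hash rules for those helpers and expect to revisit them on each release.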

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

Dooray! for Intune

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Updated reports for Setting compliance and Policy compliance are in public preview

We've released two new reports as a public preview for Intune device compliance. You
can find these new preview reports in the Intune admin center at Reports > Device
compliance > Reports tab:

Setting compliance (preview)
Policy compliance (preview)

Both reports are new instances of existing reports, and deliver improvements over the
older versions, including:

Details for Linux settings and devices
Support for sorting, searching, filtering, exports, and paging views
Drill-down reports for deeper details, which are filtered based on the column you
select
Devices are represented a single time, in contrast to the original reports, which
could count a device more than once if multiple users used that device

Eventually, the older report versions that are still available in the admin center at
Devices > Monitor will be retired.

Week of July 10, 2023

App management

Updates to app configuration policy reporting

As part of our continuing efforts to improve the Intune reporting infrastructure, there
have been several user interface (UI) changes for app configuration policy reporting. The
UI has been updated with the following changes:

There is no longer a User status tile or a Not applicable device tile on the
Overview section of the App configuration policies workload.
There is no longer a User install status report on the Monitor section of the App
configuration policies workload.
The Device install status report under the Monitor section of the App
configuration policies workload no longer shows the Pending state in the Status
column.

You can find app configuration policy reporting in the Microsoft Intune admin center by
selecting Apps > App configuration policies.

Week of July 3, 2023

Device management

Intune support for Zebra devices on Android 13

Zebra will be releasing support for Android 13 on their devices. You can read more at
Migrating to Android 13 (opens Zebra's web site).

Temporary issues on Android 13

The Intune team thoroughly tested Android 13 on Zebra devices. Everything
continues working as normal, except for the following two temporary issues for
device administrator (DA) devices.

For Zebra devices running Android 13 and enrolled with DA management:

1. App installations don't happen silently. Instead, users get a notification from
the Company Portal app (if they allow notifications) that asks for permission
to allow the app installation. If a user doesn't accept the app installation
when prompted, then the app doesn't install. Users will have a persistent
notification in the notification drawer until they allow the installation.

2. New MX profiles don't apply to Android 13 devices. Newly enrolled Android
13 devices don't receive configuration from MX profiles. MX profiles that
previously applied to enrolled devices continue to apply.

In an update coming later in July, these issues will be resolved and the behavior
will return to how it was before.

Update devices to Android 13

You will soon be able to use Intune's Zebra LifeGuard Over-the-Air integration to
update Android Enterprise dedicated and fully managed devices to Android 13. For
more information, go to Zebra LifeGuard Over-the-Air Integration with Microsoft
Intune.

Before you migrate to Android 13, review Migrating to Android 13 (opens
Zebra's web site).

OEMConfig for Zebra devices on Android 13

OEMConfig for Zebra devices on Android 13 requires using Zebra's new Zebra
OEMConfig Powered by MX OEMConfig app (opens the Google Play store). This
new app can also be used on Zebra devices running Android 11, but not earlier
versions.

For more information on this app, go to the New Zebra OEMConfig app for
Android 11 and later blog post.

The Legacy Zebra OEMConfig app (opens the Google Play store) can only be
used on Zebra devices running Android 11 and earlier.

For more general information about Intune Android 13 support, go to the Day Zero
support for Android 13 with Microsoft Intune blog post.

Device security

Defender for Endpoint security settings management enhancements and support for Linux and macOS in public preview

With Defender for Endpoint security settings management, you can use Intune's
endpoint security policies to manage Defender security settings on devices that
onboard to Defender for Endpoint but aren't enrolled with Intune.

Now, you can opt in to a public preview from within the Microsoft 365 Defender portal
to gain access to several enhancements for this scenario:

Intune's endpoint security policies become visible in and can be managed from
within the Microsoft 365 Defender portal. This enables security admins to remain in
the Defender portal to manage Defender and the Intune endpoint security policies
for Defender security settings management.
Security settings management supports deploying Intune endpoint security
Antivirus policies to devices that run Linux and macOS.
For Windows devices, the Windows Security Experience profile is now supported
with security settings management.
A new onboarding workflow removes the Hybrid Azure AD Join prerequisite.
Hybrid Azure AD Join requirements prevented many Windows devices from
successfully onboarding to Defender for Endpoint security settings management.
With this change, those devices can now complete enrollment and start processing
policies for security settings management.

Intune creates a synthetic registration in Azure AD for devices that can't fully
register with Azure AD. Synthetic registrations are device objects created in Azure
AD that enable devices to receive and report back on Intune policies for security
settings management. Should a device with a synthetic registration later become fully
registered, the synthetic registration is removed from Azure AD in deference to the
full registration.

If you don't opt in to the Defender for Endpoint public preview, the previous behaviors
remain in place. In this case, while you can view the Antivirus profile for Linux, you
can't deploy it, because it's supported only for devices managed by Defender.
Similarly, the macOS profile, which is currently available for devices enrolled with
Intune, can't be deployed to devices managed by Defender.

Applies to:

Linux
macOS
Windows

Week of June 26, 2023

Device configuration

Android (AOSP) supports assignment filters

Android (AOSP) supports assignment filters. When you create a filter for Android
(AOSP), you can use the following properties:

DeviceName
Manufacturer
Model
DeviceCategory
oSVersion
IsRooted
DeviceOwnership
EnrollmentProfileName

For more information on filters, go to Use filters when assigning your apps, policies, and
profiles in Microsoft Intune.

Applies to:

Android

On-demand remediation for a Windows device

A new device action that is in public preview allows you to run a remediation on-
demand on a single Windows device. The Run remediation device action allows you to
resolve issues without having to wait for a remediation to run on its assigned schedule.
You will also be able to view the status of remediations under Remediations in the
Monitor section of a device.

The Run remediation device action is rolling-out and may take a few weeks to reach all
customers.

For more information, go to:

Remediations

Device management

Windows Driver update management in Intune is generally available

Announcing the general availability of Windows Driver update management in
Microsoft Intune. With driver update policies, you can view a list of driver updates that
are recommended and applicable to the Windows 10 and Windows 11 devices assigned to
the policy. Applicable driver updates are those that can update a device's driver
version. Driver update policies update automatically to add new updates as they're
published by the driver manufacturer and to remove older drivers that no longer apply
to any device with the policy.

Update policies can be configured for one of two approval methods:

With Automatic approval, each new recommended driver that's published by the
driver manufacturer and added to the policy is automatically approved for
deployment to applicable devices. Policies set for automatic approvals can be
configured with a deferral period before the automatically approved updates are
installed on devices. This deferral gives you time to review the driver and to pause
its deployment if necessary.

With manual approval, all new driver updates are automatically added to the
policy, but an admin must explicitly approve each update before Windows Update
deploys it to a device. When you manually approve an update, you choose the
date when Windows Update will begin to deploy it to your devices.

To help you manage driver updates, you can review a policy and decline an update you
don't want to install, indefinitely pause any approved update, and reapprove a paused
update to restart its deployment.

This release also includes driver update reports that provide a success summary, per-
device update status for each approved driver, and error and troubleshooting
information. You can also select an individual driver update and view details about it
across all the policies that include that driver version.

To learn about using Windows Driver update policies, see Manage policy for Windows
Driver updates with Microsoft Intune.

Applies to:

Windows 10
Windows 11

Week of June 19, 2023 (Service release 2306)

App management

MAM for Microsoft Edge for Business [Preview]

You can now enable protected MAM access to org data via Microsoft Edge on personal
Windows devices. This capability uses the following functionality:

Intune Application Configuration Policies (ACP) to customize the org user
experience in Microsoft Edge
Intune Application Protection Policies (APP) to secure org data and ensure the
client device is healthy when using Microsoft Edge
Windows Defender client threat defense integrated with Intune APP to detect local
health threats on personal Windows devices
Application Protection Conditional Access to ensure the device is protected and
healthy before granting protected service access via Azure AD
For more information, see Preview: App protection policy settings for Windows.

To participate in the public preview, complete the opt-in form.

Device configuration

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

Authentication > Extensible Single Sign On (SSO):

Authentication Method
Denied Bundle Identifiers
Registration Token

Full Disk Encryption > FileVault:

Output path
Username
Password
UseKeyChain

Applies to:

macOS
Networking > Network Usage Rules:

SIM Rules

Applies to:

iOS/iPadOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

Device Firmware Configuration Interface (DFCI) supports Asus devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS)
settings. In Microsoft Intune admin center , select Devices > Configuration profiles >
Create profile > Windows 10 and later for platform > Templates > Device Firmware
Configuration Interface for profile type.

Some Asus devices running Windows 10/11 are enabled for DFCI. Contact your device
vendor or device manufacturer for eligible devices.

For more information about DFCI profiles, go to:

Configure Device Firmware Configuration Interface (DFCI) profiles on Windows
devices in Microsoft Intune
Device Firmware Configuration Interface (DFCI) management with Windows
Autopilot

Applies to:

Windows 10
Windows 11

Saaswedo Datalert telecom expense management is removed in Intune

In Intune, you could manage telecom expenses using Saaswedo's Datalert telecom
expense management. This feature is removed from Intune. This removal includes:

The Telecom Expense Management connector
The Telecom expenses RBAC category:
  Read permission
  Update permission

For more information from Saaswedo, go to The datalert service is unavailable (opens
Saaswedo's web site).

Applies to:

Android
iOS/iPadOS

Settings insight within Intune Security Baselines
The Settings insight feature adds insights to security baselines giving you confidence in
configurations that are successfully adopted by similar organizations.

Navigate to Endpoint security > Security baselines. When you create and edit the
workflow, these insights are available for you in the form of a light bulb.

Device management

New endpoint security Application Control policy in preview

As a public preview, you can use a new endpoint security policy category, Application
Control. Endpoint security Application Control policy includes:

Policy to set the Intune Management Extension as a tenant-wide managed installer.
When enabled as a managed installer, apps you deploy through Intune (after
enablement of Managed Installer) to Windows devices are tagged as installed by
Intune. This tag becomes useful when you use Application Control policies to
manage which apps you want to allow or block from running on your managed
devices.
Application Control policies that are an implementation of Windows Defender
Application Control (WDAC). With Endpoint security Application Control policies,
it's easy to configure policy that allows trusted apps to run on your managed
devices. Trusted apps are those installed by a managed installer or from the App
store. In addition to the built-in trust settings, these policies also support custom
XML for application control so you can allow apps from other sources to run to
meet your organization's requirements.

To get started with this new policy type, see Manage approved apps for Windows
devices with Application Control policy and Managed Installers for Microsoft Intune.

Applies to:

Windows 10
Windows 11
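When the built-in trust settings (managed installer, Store) don't cover a line-of-business app, the custom XML option takes a WDAC policy, and the safe way to produce one is from a reference install in audit mode rather than by hand. The following is an added example, not code from the Intune documentation, using the ConfigCI cmdlets that ship with Windows to generate the policy, switch on audit mode and list what the scan produced so unsigned files are visible before anything is enforced. The scan path and output locations are assumptions, and how the generated XML is combined with the base policy Intune creates is something to confirm against the Application Control policy documentation before deploying.

```powershell
# Added example, not from the Intune documentation. The ConfigCI module
# (New-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy) ships with Windows 10/11.
$scanPath = 'C:\Program Files\Contoso LOB'                 # assumed reference install
$xmlPath  = Join-Path $env:TEMP 'ContosoLOB-WDAC.xml'
$binPath  = Join-Path $env:TEMP 'ContosoLOB-WDAC.cip'

# Publisher-level rules where binaries are signed, hash rules where they aren't.
# -UserPEs includes user-mode executables, which is what application control is for;
# -MultiplePolicyFormat produces the policy format that can coexist with other policies.
New-CIPolicy -FilePath $xmlPath -ScanPath $scanPath -Level Publisher -Fallback Hash `
             -UserPEs -MultiplePolicyFormat

# Option 3 = Enabled:Audit Mode. Keep it until the Code Integrity operational log
# (Microsoft-Windows-CodeIntegrity/Operational, event 3076 "would have been blocked")
# is clean for the pilot group, then remove it with -Delete to enforce.
Set-RuleOption -FilePath $xmlPath -Option 3

# Review what the scan produced. Every Allow rule that carries a Hash attribute is an
# unsigned file: it stops matching the moment the vendor ships an update, so each one
# is a candidate for asking the vendor for signed binaries instead.
[xml]$policy  = Get-Content -LiteralPath $xmlPath
$signers      = @($policy.SiPolicy.Signers.Signer)
$hashRules    = @($policy.SiPolicy.FileRules.Allow | Where-Object { $_.Hash })

"Signers trusted by this policy: $($signers.Count)"
$signers   | ForEach-Object { "  $($_.Name)" }
"Hash-only allow rules (unsigned files): $($hashRules.Count)"
$hashRules | ForEach-Object { "  $($_.FriendlyName)" }

# Binary form for local testing before the XML goes into the Intune policy.
ConvertFrom-CIPolicy -XmlFilePath $xmlPath -BinaryFilePath $binPath
```

A policy generated this way allows only what was present in the reference folder at scan time; combine it with the managed-installer option for anything Intune deploys afterwards, and re-scan after each major vendor release while hash rules remain in the policy.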

Endpoint analytics is available to tenants in Government cloud
With this release, Endpoint analytics is available to tenants in Government cloud.

Learn more about Endpoint analytics.

Introducing in-session connection mode switch in Remote Help

In Remote Help, you can now use the in-session connection mode switch. It lets a helper
switch between full control and view-only modes during a session, without starting a
new session.

For more information on Remote Help, go to Remote Help.

Applies to:

Windows 10/11

Device security

Update to Endpoint Privilege Management reports

Intune's Endpoint Privilege Management (EPM) reports now support exporting the full
reporting payload to a CSV file. With this change, you can now export all events from an
elevation report in Intune.

Endpoint Privilege Management's Run with elevated access option now available
on the top-level menu for Windows 11

The Endpoint Privilege Management option to Run with elevated access is now available
as a top-level right-click option on Windows 11 devices. Previous to this change,
standard users were required to select Show more options to view the Run with elevated
access prompt on Windows 11 devices.

Endpoint Privilege Management is available as an Intune add-on. For more information,
see Use Intune Suite add-on capabilities.

Applies to:

Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

Idenprotect Go by Apply Mobile Ltd (Android)
LiquidText by LiquidText, Inc. (iOS)
MyQ Roger: OCR scanner PDF by MyQ spol. s r.o.
CiiMS GO by Online Intelligence (Pty) Ltd
Vbrick Mobile by Vbrick Systems

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Microsoft Intune troubleshooting pane is now generally available

The Intune troubleshooting pane is now generally available. It provides details about
a user's devices, policies, applications, and status. The troubleshooting pane includes
the following information:

A summary of policy, compliance, and application deployment status.
Support for exporting, filtering, and sorting all reports.
Support to filter by excluding policies and applications.
Support to filter to a user's single device.
Details about available device diagnostics and disabled devices.
Details about offline devices that haven't checked in to the service for three or
more days.

You can find the troubleshooting pane in Microsoft Intune admin center by selecting
Troubleshooting + support > Troubleshoot.

Updated troubleshoot + support pane in Intune

The Troubleshooting + support pane in the Intune admin center has been updated by
consolidating the Roles and Scopes report into a single report. This report now includes
all relevant role and scope data from both Intune and Azure Active Directory, providing
a more streamlined and efficient experience. For related information, see Use the
troubleshooting dashboard to help users at your company.

Download mobile app diagnostics

Now generally available, access user-submitted mobile app diagnostics in the Intune
admin center, including app logs sent through Company Portal apps, which include
Windows, iOS, Android, Android AOSP, and macOS. In addition, you can retrieve app
protection logs via Microsoft Edge. For more information, see Company Portal app logs
and Use Edge for iOS and Android to access managed app logs.

Week of June 12, 2023

Device management

New Devices from HTC and Pico supported on Microsoft Intune for
Android Open Source Devices

Microsoft Intune for Android open source project devices (AOSP) now supports the
following devices:

HTC Vive XR Elite
Pico Neo 3 Pro
Pico 4

For more information, go to:

Operating systems and browsers supported by Microsoft Intune

Android Open Source Project Supported Devices

Applies to:

Android (AOSP)

App management

Microsoft Store for Business or Microsoft Store for Education

Apps added from the Microsoft Store for Business or Microsoft Store for Education
won't deploy to devices and users. Apps show as "not applicable" in reporting. Apps
already deployed are unaffected. Use the new Microsoft Store app to deploy Microsoft
Store apps to devices or users. For related information, see Plan for Change: Ending
support for Microsoft Store for Business and Education apps for upcoming dates when
Microsoft Store for Business apps will no longer deploy and Microsoft Store for Business
apps will be removed.

For more information, see the following resources:

Update to Intune integration with the Microsoft Store on Windows
Embracing the Future of Microsoft Store with Intune: A Step-by-Step Guide
Embracing the Future of Microsoft Store with Intune for Education: A Step-by-Step
Guide

Week of June 5, 2023

Device configuration

Android Enterprise 11+ devices can use Zebra's latest OEMConfig app version

On Android Enterprise devices, you can use OEMConfig to add, create, and customize
OEM-specific settings in Microsoft Intune (Devices > Configuration profiles > Create
profile > Android Enterprise for platform > OEMConfig).

There's a new Zebra OEMConfig Powered by MX OEMConfig app that aligns more
closely to Google's standards. This app supports Android Enterprise 11.0 and newer
devices.

The older Legacy Zebra OEMConfig app continues to support devices with Android 11
and earlier.

In your Managed Google Play, there are two versions of the Zebra OEMConfig app. Be
sure to select the version that applies to the Android version of your devices.

For more information on OEMConfig and Intune, go to Use and manage Android
Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

Android Enterprise 11.0 and newer


Week of May 29, 2023

Device management

Intune UI displays Windows Server devices as distinct from Windows clients for the
Security Management for Microsoft Defender for Endpoint scenario

To support the Security Management for Microsoft Defender for Endpoint (MDE security
configuration) scenario, Intune now differentiates Windows devices in Azure Active
Directory as either Windows Server for devices that run Windows Server, or as Windows
for devices that run Windows 10 or Windows 11.

With this change, you can improve policy targeting for MDE security configuration. For
example, you can use dynamic groups that consist of only Windows Server devices, or
only Windows client devices (Windows 10/11).

For more information about this change, see the Intune Customer Success blog
Windows Server devices now recognized as a new OS in Microsoft Intune, Azure AD, and
Defender for Endpoint.

Tenant administration

Organizational messages for Windows 11 now generally available

Use organizational messages to deliver branded, personalized calls to action to
employees. Select from more than 25 messages that support employees through device
onboarding and lifecycle management, in 15 different languages. Messages can be
assigned to Azure AD user groups. They're shown just above the taskbar, in the
notifications area, or in the Get started app on devices running Windows 11. Messages
continue to appear or reappear based on the frequency you configure in Intune, and
until the user has visited the customized URL.

Other features and functionality added in this release include:

Confirm licensing requirements prior to first message.
Choose from eight new themes for taskbar messages.
Give messages a custom name.
Add scope groups and scope tags.
Edit the details of a scheduled message.

Scope tags were previously unavailable for organizational messages. With the addition
of scope tag support, Intune adds the default scope tag to every message created
before June 2023. Admins that want access to those messages must be associated with
a role that has the same tag. For more information about available features and how to
set up organizational messages, see Overview of organizational messages.

Week of May 22, 2023 (Service release 2305)

App management

Update to macOS shell scripts maximum running time limit

Based on customer feedback, we're updating the Intune agent for macOS (version
2305.019) to extend the maximum script run time to 60 minutes. Previously, the Intune
agent for macOS only allowed shell scripts to run for up to 15 minutes before reporting
the script as a failure. The Intune agent for macOS 2206.014 and higher supports the 60-
minute timeout.

Assignment filters support app protection policies and app configuration policies

Assignment filters support MAM app protection policies and app configuration policies.
When you create a new filter, you can fine tune MAM policy targeting using the
following properties:

Device Management Type
Device Manufacturer
Device Model
OS Version
Application Version
MAM Client Version

Important

All new and edited app protection policies that use Device Type targeting are
replaced with assignment filters.

For more information on filters, go to Use filters when assigning your apps, policies, and
profiles in Microsoft Intune.

Update to MAM reporting in Intune

MAM reporting has been simplified and overhauled, and now uses Intune's newest
reporting infrastructure. Benefits of this include improved data accuracy and
instantaneous updating. You can find these streamlined MAM reports in the Microsoft
Intune admin center by selecting Apps > Monitor. All MAM data available to you is
contained within the new App protection status report and App configuration status
report.

Global quiet time app policy settings

The global quiet time settings allow you to create policies to schedule quiet time for
your end users. These settings automatically mute Microsoft Outlook email and Teams
notifications on iOS/iPadOS and Android platforms. These policies can be used to limit
end user notifications received after work hours. For more information, see Quiet time
notification policies.

Device configuration

Introducing enhanced chat in Remote Help

Introducing enhanced chat with Remote Help. With the new and enhanced chat you can
maintain a continuous thread of all messages. This chat provides support for special
characters and other languages including Chinese and Arabic.

For more information on Remote Help, go to Remote Help.

Applies to:

Windows 10/11

Remote Help administrators can reference audit log sessions

For Remote Help, in addition to existing session reports, administrators can now
reference the audit logs for sessions created in Intune. This feature enables
administrators to reference past events for troubleshooting and analyzing log activities.

For more information on Remote Help, go to Remote Help.

Applies to:

Windows 10
Windows 11

Turn on/off Personal data encryption on Windows 11 devices using the settings catalog

The settings catalog includes hundreds of settings that you can configure and deploy to
your devices.

In the settings catalog, you can turn on/off Personal data encryption (PDE). PDE is a
security feature introduced in Windows 11 version 22H2 that provides more encryption
features for Windows.

PDE is different than BitLocker. PDE encrypts individual files and content, instead of
whole volumes and disks. You can use PDE with other encryption methods, such as
BitLocker.

For more information on the settings catalog, go to:

Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS
devices
Common Tasks you can complete using the Settings Catalog in Intune

This feature applies to:

Windows 11

Visual Studio ADMX settings are in the Settings Catalog and Administrative Templates

Visual Studio settings are included in the Settings Catalog and Administrative Templates
(ADMX). Previously, to configure Visual Studio settings on Windows devices, you
imported them with ADMX import.

For more information on these policy types, go to:

Use the settings catalog to configure settings
Use Windows 10/11 templates to configure group policy settings in Microsoft
Intune
Visual Studio Administrative Templates (ADMX)

Applies to:

Windows 10
Windows 11

Group policy analytics supports scope tags

In Group Policy analytics, you import your on-premises GPO. The tool analyzes your
GPOs and shows the settings that can (and can't) be used in Intune.

When you import your GPO XML file in Intune, you can select an existing scope tag. If
you don't select a scope tag, then the Default scope tag is automatically selected.
Previously, when you imported a GPO, the scope tags assigned to you were
automatically applied to the GPO.

Only admins within that scope tag can see the imported policies. Admins not in that
scope tag can't see the imported policies.

Also, admins within their scope tag can migrate the imported policies that they have
permissions to see. To migrate an imported GPO into a Settings Catalog policy, a scope
tag must be associated with the imported GPO. If a scope tag isn't associated, then it
can't migrate to a Settings Catalog policy. If no scope tag is selected, then a default
scope tag is automatically applied.

For more information on scope tags and Group Policy analytics, go to:

Analyze your on-premises GPOs using Group Policy analytics in Microsoft Intune
Create a Settings Catalog policy using your imported GPOs
Use role-based access control (RBAC) and scope tags for distributed IT

Introducing Intune integration with the Zebra Lifeguard Over-the-Air service (public
preview)

Now available in public preview, Microsoft Intune supports integration with Zebra
Lifeguard Over-the-Air service, which allows you to deliver OS updates and security
patches over-the-air to eligible Zebra devices that are enrolled with Intune. You can
select the firmware version you want to deploy, set a schedule, and stagger update
downloads and installs. You can also set minimum battery, charging status, and network
conditions requirements for when the update can happen.

This integration is available for Android Enterprise Dedicated and Fully Managed Zebra
devices that are running Android 8 or later, and it requires an account with Zebra.

New Google domain allowlist settings for Android Enterprise personally owned devices
with a work profile

On Android Enterprise personally owned devices with a work profile, you can configure
settings that restrict device features and settings.

Currently, there's an Add and remove accounts setting that can allow Google accounts
to be added to the work profile. For this setting, when you select Allow all accounts
types, you can also configure:

Google domain allow-list: Restricts users to add only certain Google account
domains in the work profile. You can import a list of allowed domains or add them
in the admin center using the contoso.com format. When left blank, by default, the
OS might allow adding all Google domains in the work profile.

For more information on the settings you can configure, go to Android Enterprise device
settings list to allow or restrict features on personally owned devices using Intune.

Applies to:

Android Enterprise personally owned devices with a work profile

Renaming Proactive remediation to Remediations and moving to a new location

Proactive remediations are now Remediations and are available from Devices >
Remediations. You can still find Remediations in both the new location and the existing
Reports > Endpoint Analytics location until the next Intune service update.

Remediations are currently not available in the new Devices experience preview.

Applies to:

Windows 10
Windows 11

Remediations are now available in Intune for US Government GCC High and DoD

Remediations (previously known as proactive remediations) are now available in
Microsoft Intune for US Government GCC High and DoD.

Applies to:

Windows 10
Windows 11

Create inbound and outbound network traffic rules for VPN profiles on Windows devices

Note

This setting is coming in a future release, possibly the 2308 Intune release.

You can create a device configuration profile that deploys a VPN connection to devices
(Devices > Configuration profiles > Create profile > Windows 10 and later for platform
> Templates > VPN for profile type).

In this VPN connection, you can use the Apps and Traffic rules settings to create
network traffic rules.

There's a new Direction setting you can configure. Use this setting to allow Inbound and
Outbound traffic from the VPN connection:

Outbound (default): Allows only traffic to external networks/destinations to flow
using the VPN. Inbound traffic is blocked from entering the VPN.
Inbound: Allows only traffic coming from external networks/sources to flow using
the VPN. Outbound traffic is blocked from entering the VPN.

For more information on the VPN settings you can configure, including the network
traffic rule settings, go to Windows device settings to add VPN connections using
Intune.

Applies to:

Windows 10 and later

New settings available in the macOS settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

New settings are available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > macOS for platform > Settings catalog for profile type.

Microsoft Defender > Antivirus engine:

Scanning inside archive files
Enable file hash computation

Applies to:

macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

Wipe device action and new obliteration behavior setting available for macOS

You can now use the Wipe device action instead of Erase for macOS devices.
Additionally, you can configure the Obliteration Behavior setting as part of the Wipe
action.

This new key allows you to control the wipe fallback behavior on Macs that have Apple
Silicon or the T2 Security Chip. To find this setting, navigate to Devices > macOS >
[Select a device] > Overview > Wipe in the Device action area.

For more information on the Obliteration Behavior setting, go to Apple's Platform
Deployment site Erase Apple devices - Apple Support.

Applies to:

macOS

Device enrollment

Account driven Apple User Enrollment available for iOS/iPadOS 15+ devices (public
preview)

Intune supports account driven user enrollment, a new and improved variation of Apple
User Enrollment for iOS/iPadOS 15+ devices. Now available for public preview, the new
option utilizes just-in-time registration, which eliminates the need for the Company
Portal app during enrollment. Device users can initiate enrollment directly in the Settings
app, resulting in a shorter and more efficient onboarding experience. You can continue
to target iOS/iPadOS devices using the existing profile-based user enrollment method
that uses Company Portal. Devices running iOS/iPadOS, version 14.8.1 and earlier remain
unaffected by this update and can continue to use the existing method. For more
information, see Set up account driven Apple User Enrollment.

Device security

New security baseline for Microsoft 365 Office Apps

We've released a new security baseline to help you manage security configurations for
M365 Office Apps. This new baseline uses an updated template and experience that
uses the unified settings platform seen in the Intune settings catalog. You can view the
list of settings in the new baseline at Microsoft 365 Apps for Enterprise baseline settings
(Office).

The new Intune security baseline format aligns the presentation of settings that are
available to the settings found in the Intune settings catalog. This alignment helps
resolve past issues for setting names and implementations for settings that could create
conflicts. The new format also improves the reporting experience for baselines in the
Intune admin center.

The Microsoft 365 Office Apps baseline can help you rapidly deploy configurations to
your Office Apps that meet the security recommendations of the Office and security
teams at Microsoft. As with all baselines, the default baseline represents the
recommended configurations. You can modify the default baseline to meet the
requirements of your organization.

To learn more, see Security baselines overview.

Applies to:

Windows 10
Windows 11

Security baseline update for Microsoft Edge version 112

We've released a new version of the Intune security baseline for Microsoft Edge, version
112. In addition to releasing this new version for Microsoft Edge, the new baseline uses
an updated template experience that uses the unified settings platform seen in the
Intune settings catalog. You can view the list of settings in the new baseline at Microsoft
Edge baseline settings (version 112 and higher).

The new Intune security baseline format aligns the presentation of settings that are
available to the settings found in the Intune settings catalog. This alignment helps
resolve past issues for setting names and implementations for settings that could create
conflicts. The new format also improves the reporting experience for baselines in the
Intune admin center.

Now that the new baseline version is available, all new profiles you create for Microsoft
Edge use the new baseline format and version. While the new version becomes the
default baseline version, you can continue to use the profiles you've previously created
for older versions of Microsoft Edge. But, you can't create new profiles for those older
versions of Microsoft Edge.

To learn more, see Security baselines overview.

Applies to:

Windows 10
Windows 11

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

Achievers by Achievers Inc.
Board.Vision for iPad by Trusted Services PTE. LTD.
Global Relay by Global Relay Communications Inc.
Incorta (BestBuy) by Incorta, Inc. (iOS)
Island Enterprise Browser by Island (iOS)
Klaxoon for Intune by Klaxoon (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Week of May 8, 2023

Device configuration

Device Firmware Configuration Interface (DFCI) supports Dynabook devices

For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS)
settings. In Microsoft Intune admin center, select Devices > Configuration profiles >
Create profile > Windows 10 and later for platform > Templates > Device Firmware
Configuration Interface for profile type.

Some Dynabook devices running Windows 10/11 are enabled for DFCI. Contact your
device vendor or device manufacturer for eligible devices.

For more information about DFCI profiles, go to:

Configure Device Firmware Configuration Interface (DFCI) profiles on Windows
devices in Microsoft Intune
Device Firmware Configuration Interface (DFCI) management with Windows
Autopilot

Applies to:

Windows 10
Windows 11

eSIM bulk activation for Windows PCs via download server is now available on the
Settings Catalog

You can now perform at-scale configuration of Windows eSIM PCs using the Settings
Catalog. A download server (SM-DP+) is configured using a configuration profile.

Once the devices receive the configuration, they automatically download the eSIM
profile. For more information, go to eSIM configuration of a download server.

Applies to:

Windows 11
eSIM capable devices

Week of May 1, 2023

App management

macOS shell scripts maximum running time limit

We have fixed an issue that caused Intune tenants with long-running shell scripts to not
report back on the script run status. The macOS Intune agent stops any macOS shell
scripts that run longer than 15 minutes. These scripts report as failed. The new behavior
is enforced from macOS Intune agent version 2305.019.

DMG app installation for macOS

The DMG app installation feature for macOS is now generally available. Intune supports
required and uninstall assignment types for DMG apps. The Intune agent for macOS is
used to deploy DMG apps. For related information, see Deploy DMG-type applications
to managed macOS devices.

Deprecation of Microsoft Store for Business and Education

The Microsoft Store for Business connector is no longer accessible in the Microsoft
Intune admin center. Apps added from the Microsoft Store for Business or Microsoft
Store for Education won't sync with Intune. Apps that have previously synced continue
to be available and deploy to devices and users.

It's now also possible to delete Microsoft Store for Business apps from the Apps pane in
the Microsoft Intune admin center so that you can clean up your environment as you
move to the new Microsoft Store app type.

For related information, see Plan for Change: Ending support for Microsoft Store for
Business and Education apps for upcoming dates when Microsoft Store for Business
apps won't deploy and Microsoft Store for Business apps are removed.

Device configuration

Remote Help now supports conditional access capability

Administrators can now use conditional access when setting up policies and
conditions for Remote Help. For example, you can require multi-factor authentication,
require security updates to be installed, or block access to Remote Help from a specific
region or from specific IP addresses.

For more information, go to:

Conditional access
Remote Help

Device security

Updated settings for Microsoft Defender in endpoint security Antivirus policy

We've updated the available settings in the Microsoft Defender Antivirus profile for
endpoint security Antivirus policy. You can find this profile in the Intune admin center at
Endpoint security > Antivirus > Platform: Windows 10, Windows 11, and Windows
Server > Profile: Microsoft Defender Antivirus.

The following settings have been added:

Metered Connection Updates
Disable Tls Parsing
Disable Http Parsing
Disable Dns Parsing
Disable Dns Over Tcp Parsing
Disable Ssh Parsing
Platform Updates Channel
Engine Updates Channel
Security Intelligence Updates Channel
Allow Network Protection Down Level
Allow Datagram Processing On Win Server
Enable Dns Sinkhole

For more information about these settings, see the Defender CSP. The new settings
are also available through the Intune Settings Catalog.

The following setting has been deprecated:

Allow Intrusion Prevention System

This setting now appears with the Deprecated tag. If this deprecated setting was
previously applied on a device, the setting value is updated to NotApplicable and
has no effect on the device. If this setting is configured on a device, there's no
effect on the device.

Applies to:

Windows 10
Windows 11

Week of April 17, 2023 (Service release 2304)

App management

Changes to iCloud app backup and restore behavior on iOS/iPadOS and macOS devices

As an app setting, you can select to Prevent iCloud app backup for iOS/iPadOS and
macOS devices. With this setting, managed App Store apps and line-of-business
(LOB) apps on iOS/iPadOS, as well as managed App Store apps on macOS devices
(macOS LOB apps don't support this feature), cannot be backed up, for both user and
device licensed VPP/non-VPP apps. This update includes both new and existing App
Store/LOB apps sent with and without VPP that are being added to Intune and targeted
to users and devices.

Preventing the backup of the specified managed apps ensures that these apps can be
properly deployed via Intune when the device is enrolled and restored from backup. If
the admin configures this new setting for new or existing apps in their tenant, then
managed apps can and will be reinstalled for devices. But, Intune doesn't allow them to
be backed up.

This new setting appears in Microsoft Intune admin center by modifying the
properties of an app. For an existing app, you can select Apps > iOS/iPadOS or macOS
> select the app > Properties > Assignment Edit. If no group assignment has been set,
select Add group to add a group. Modify either the setting under VPN, Uninstall on
device removal, or Install as removable. Then, select Prevent iCloud app backup. The
Prevent iCloud app backup setting is used to prevent backup of app data for the
application. Set to No to allow the app to be backed up by iCloud.

For more information, see Changes to applications' backup and restore behavior on
iOS/iPadOS and macOS devices and Assign apps to groups with Microsoft Intune.

Prevent automatic updates for Apple VPP apps

You can control the automatic update behavior for Apple VPP at the per-app
assignment level using the Prevent automatic updates setting. This setting is available
in Microsoft Intune admin center by selecting Apps > iOS/iPadOS or macOS > Select
a volume purchase program app > Properties > Assignments > Select an Azure AD
group > App settings.

Applies to:

iOS/iPadOS
macOS

Device configuration

Updates to the macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.

A new setting is available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > macOS for platform > Settings catalog for profile type.

The new setting is located under:

Microsoft AutoUpdate (MAU) > [targeted app]:

Update channel override

The following settings have been deprecated:

Microsoft AutoUpdate (MAU) > [targeted app]:

Channel Name (Deprecated)

Privacy > Privacy Preferences Policy Control > Services > Listen Event or Screen
Capture:

Allowed

Applies to:

macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

The Microsoft Enterprise SSO plug-in for Apple devices is now generally available

In Microsoft Intune, there's a Microsoft Enterprise SSO plug-in. This plug-in provides
single sign-on (SSO) to iOS/iPadOS and macOS apps and websites that use Microsoft
Azure AD for authentication.

This plug-in is now generally available (GA).

For more information about configuring the Microsoft Enterprise SSO plug-in for Apple
devices in Intune, go to Microsoft Enterprise SSO plug-in in Microsoft Intune.

Applies to:

iOS/iPadOS
macOS

Disable Activation Lock device action for supervised macOS devices

You can now use the Disable Activation Lock device action in Intune to bypass
Activation Lock on Mac devices without requiring the current username or password.
This new action is available in Devices > macOS > select one of your listed devices >
Disable Activation Lock.

More information on managing Activation Lock is available at Bypass iOS/iPadOS
Activation Lock with Intune or on Apple's website at Activation Lock for iPhone, iPad,
and iPod touch - Apple Support.

Applies to:

macOS 10.15 or later

ServiceNow Integration is now Generally Available (GA)

Now generally available, you can view a list of ServiceNow incidents associated with the
user you've selected in the Intune Troubleshooting workspace. This new feature is
available under Troubleshooting + Support > select a user > ServiceNow Incidents.
The incidents shown have a direct link back to the source incident and show key
information from the incident. All incidents listed link the "Caller" identified in the
incident with the user selected for Troubleshooting.

For more information, go to Use the troubleshooting portal to help users at your
company.

More permissions to support administrators in controlling delivery of organization
messages

With more permissions administrators can control delivery of content created and
deployed from Organizational messages and the delivery of content from Microsoft to
users.

The Update organizational message control RBAC permission for organizational
messages determines who can change the Organizational Messages toggle to allow or
block Microsoft direct messages. This permission is also added to the Organizational
Messages Manager built-in role.

Existing custom roles for managing Organizational Messages must be modified to add
this permission for users to modify this setting.

For more information about role-based access control (RBAC), see RBAC with
Microsoft Intune.

For more information about prerequisites for organization messages, see
Organizational messages prerequisites.

Device management

Endpoint security firewall rules support for ICMP type

You can now use the IcmpTypesAndCodes setting to configure inbound and outbound
rules for Internet Control Message Protocol (ICMP) as part of a firewall rule. This setting
is available in the Microsoft Defender Firewall rules profile for the Windows 10, Windows
11, and Windows Server platform.

Applies to:

Windows 11 and later

Manage Windows LAPS with Intune policies (public preview)

Now available in a public preview, manage Windows Local Administrator Password
Solution (Windows LAPS) with Microsoft Intune Account protection policies. To get
started, see Intune support for Windows LAPS.

Windows LAPS is a Windows feature that lets you manage and back up the
password of a local administrator account on your Azure Active Directory-joined or
Windows Server Active Directory-joined devices.

To manage LAPS, Intune configures the Windows LAPS configuration service provider
(CSP) that is built into Windows devices. The CSP takes precedence over other sources of
Windows LAPS configuration, like GPOs or the Microsoft legacy LAPS tool. Some of the
capabilities you can use when Intune manages Windows LAPS include:

Define password requirements like complexity and length that apply to the local
administrator accounts on a device.
Configure devices to rotate their local admin account passwords on a schedule.
And, back up the account and password in your Azure Active Directory or on-
premises Active Directory.
Use an Intune device action from the admin center to manually rotate the
password for an account on your own schedule.
View account details from within the Intune admin center, like the account name
and password. This information can help you recover devices that are otherwise
inaccessible.
Use Intune reports to monitor your LAPS policies, and when devices last rotated
passwords manually or by schedule.

Applies to:

Windows 10
Windows 11
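
The backed-up passwords described above are exposed to automation through the Microsoft Graph deviceLocalCredentialInfo resource (GET /directory/deviceLocalCredentials/{deviceId}?$select=credentials, which needs the DeviceLocalCredential.Read.All permission). The following Python is an added example, not code from the Intune documentation or any Microsoft tool: it takes a constructed response object (all identifiers, timestamps and passwords are made up, and the assumption that passwordBase64 is the base64 encoding of the UTF-8 password is stated in the code), picks the newest backup per account SID, decodes the password without writing it in clear text to output, and flags accounts whose most recent backup is older than the rotation interval, which is the check a practitioner wants before trusting the LAPS rotation schedule.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the Microsoft Graph deviceLocalCredentialInfo
# object returned by GET /directory/deviceLocalCredentials/{deviceId}?$select=credentials.
# Identifiers, timestamps and passwords are made up for this example. The
# passwordBase64 field is assumed to hold the base64 encoding of the UTF-8 password.
SAMPLE_DEVICE = {
    "id": "00000000-0000-0000-0000-000000000001",
    "deviceName": "EXAMPLE-PC",
    "lastBackupDateTime": "2023-04-20T10:15:00Z",
    "credentials": [
        # Older backup of the built-in Administrator account (RID 500)
        {"accountName": "Administrator", "accountSid": "S-1-5-21-11-22-33-500",
         "backupDateTime": "2023-03-01T09:00:00Z",
         "passwordBase64": base64.b64encode(b"Old!Pass#1").decode("ascii")},
        # Most recent backup of the same account
        {"accountName": "Administrator", "accountSid": "S-1-5-21-11-22-33-500",
         "backupDateTime": "2023-04-20T10:15:00Z",
         "passwordBase64": base64.b64encode(b"Curr3nt!Pass").decode("ascii")},
        # A custom local admin whose backup has not been refreshed for weeks
        {"accountName": "lapsadmin", "accountSid": "S-1-5-21-11-22-33-1001",
         "backupDateTime": "2023-02-10T08:30:00Z",
         "passwordBase64": base64.b64encode(b"Stale$ecret9").decode("ascii")},
    ],
}


def parse_graph_time(value: str) -> datetime:
    """Parse the UTC ISO-8601 timestamps Graph returns (trailing 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_credentials(device: dict) -> dict:
    """Return the newest backed-up credential per account SID, password decoded.

    Graph returns the backup history, so several entries can share a SID; only
    the most recent backup is the password that should currently be valid.
    """
    latest = {}
    for cred in device.get("credentials", []):
        sid = cred["accountSid"]
        backed_up = parse_graph_time(cred["backupDateTime"])
        if sid not in latest or backed_up > latest[sid]["backup_time"]:
            latest[sid] = {
                "account": cred["accountName"],
                "sid": sid,
                "builtin_admin": sid.endswith("-500"),  # RID 500 is the built-in Administrator
                "backup_time": backed_up,
                "password": base64.b64decode(cred["passwordBase64"]).decode("utf-8"),
            }
    return latest


def stale_accounts(device: dict, max_age_days: int = 30, now: datetime = None) -> list:
    """Names of accounts whose newest backup is older than the rotation interval.

    A backup older than the configured password age means either the device has
    not rotated on schedule or the rotation happened but never reached Azure AD.
    """
    now = now or datetime.now(timezone.utc)
    max_age = timedelta(days=max_age_days)
    return sorted(
        entry["account"]
        for entry in latest_credentials(device).values()
        if now - entry["backup_time"] > max_age
    )


def masked(password: str) -> str:
    """Mask a password for reports; never write the clear text to a log."""
    return password[:1] + "*" * (len(password) - 1) if password else ""


if __name__ == "__main__":
    now = parse_graph_time("2023-04-21T00:00:00Z")
    for entry in latest_credentials(SAMPLE_DEVICE).values():
        print(f"{entry['account']:<14} {entry['backup_time']:%Y-%m-%d} "
              f"builtin={entry['builtin_admin']} password={masked(entry['password'])}")
    print("stale:", stale_accounts(SAMPLE_DEVICE, 30, now))
```

Run against a real tenant, replace SAMPLE_DEVICE with the parsed JSON of the Graph call; the stale check should use the same password age you configured in the Account protection policy, and the clear-text password should only ever be shown to the operator who needs it for recovery.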

New settings available for macOS software update policies

macOS software update policies now include the following settings to help manage
when updates install on a device. These settings are available when the All other updates
update type is configured to Install later:

Max User Deferrals: When the All other updates update type is configured to
Install later, this setting allows you to specify the maximum number of times a user
can postpone a minor OS update before it's installed. The system prompts the user
once a day. Available for devices running macOS 12 and later.

Priority: When the All other updates update type is configured to Install later, this
setting allows you to specify values of Low or High for the scheduling priority for
downloading and preparing minor OS updates. Available for devices running
macOS 12.3 and later.

For more information, see Use Microsoft Intune policies to manage macOS software
updates.

Applies to:

macOS

Introducing the new partner portals page

You can now manage hardware-specific information on your HP or Surface devices from
our partner portals page.

The HP link takes you to HP Connect where you can update, configure, and secure the
BIOS on your HP devices. The Microsoft Surface link takes you to the Surface
Management Portal where you can get insights into device compliance, support activity,
and warranty coverage.

To access the Partner portals page, you must enable the Devices pane preview and then
navigate to Devices > Partner Portals.

Windows Update compatibility reports for Apps and Drivers are now generally available

The following Microsoft Intune reports for Windows Update compatibility are out of
preview and now generally available:

Windows feature update device readiness report - This report provides per-
device information about compatibility risks that are associated with an upgrade or
update to a chosen version of Windows.

Windows feature update compatibility risks report - This report provides a
summary view of the top compatibility risks across your organization for a chosen
version of Windows. You can use this report to understand which compatibility
risks impact the greatest number of devices in your organization.

These reports can help you plan an upgrade from Windows 10 to 11, or for installing the
latest Windows feature update.

Device security

Microsoft Intune Endpoint Privilege Management is generally available

Microsoft Endpoint Privilege Management (EPM) is now generally available and no
longer in preview.

With Endpoint Privilege Management, admins can set policies that allow standard users
to perform tasks normally reserved for an administrator. To do so, you configure policies
for automatic and user-confirmed workflows that elevate the run-time permissions for
apps or processes you select. You then assign these policies to users or devices that
have end users running without Administrator privileges. After the device receives a
policy, EPM brokers the elevation on behalf of the user, allowing them to elevate
approved applications without needing full administrator privileges. EPM also includes
built-in insights and reporting.

Now that EPM is out of preview, it requires an additional license to use. You can choose
between a stand-alone license that adds only EPM, or license EPM as part of the
Microsoft Intune Suite. For more information, see Use Intune Suite add-on capabilities.

While Endpoint Privilege Management is now generally available, the reports for EPM
will transition to a feature in preview, and will receive some more enhancements before
being removed from preview.

Support for WDAC Application ID tagging with Intune Firewall Rules policy

Intune's Microsoft Defender Firewall Rules profiles, which are available as part of
endpoint security Firewall policy, now include the Policy App ID setting. This setting
maps to the MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId node of the
Firewall CSP and accepts a Windows Defender Application Control (WDAC) Application
ID (AppId) tag.

With this capability, you can scope a firewall rule to an application or a group of
applications and rely on your WDAC policies to define those applications. Because the
tag links the rule to the WDAC policy, the rule no longer needs to identify the program
by an absolute file path, or by a path built from environment variables, which can weaken
the rule: a path-based rule matches whatever binary happens to be at that path, while an
AppId tag follows the code identity that WDAC enforces.

Use of this capability requires WDAC policies that include AppId tags, which you then
specify in your Intune Microsoft Defender Firewall Rules.

For more information, see the following articles in the Windows Defender Application
Control documentation:

About application control for Windows
WDAC Application ID (AppId) Tagging guide

Applies to:

Windows 10/11

New App and browser isolation profile for Intune's endpoint security Attack Surface Reduction policy

We've released a new experience for creating App and Browser Isolation profiles for
endpoint security Attack Surface Reduction policy. The experience for editing your
previously created App and Browser Isolation profiles remains the same, and you can
continue to use them. This update applies only to new App and Browser Isolation
profiles you create for the Windows 10 and later platform.

This update is part of the continuing rollout of new profiles for endpoint security
policies, which began in April 2022.

Additionally, the new profile includes the following changes for the settings it includes:

Block external content from non-enterprise approved sites - This setting is
removed from the updated profile because it was supported only by Microsoft Edge
Legacy. Microsoft Edge Legacy support ended in March 2021. For more information, see
Microsoft 365 apps say farewell to Internet Explorer 11 and Windows 10 sunsets
Microsoft Edge Legacy - Microsoft Community Hub.

Clipboard file type – This setting is added to the updated profile and determines
the type of content that can be copied from the host to Application Guard
environment and vice versa. You can view the CSP for this new setting at
Settings/ClipboardFileType in the WindowsDefenderApplicationGuard CSP
documentation.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

ixArma by INAX-APPS (iOS)
myBLDNG by Bldng.ai (iOS)
RICOH Spaces V2 by Ricoh Digital Services
Firstup - Intune by Firstup, Inc. (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Role-based access control

New Assign (RBAC) permission for organizational messages

The Assign RBAC permission for organizational messages determines who can assign
target Azure AD groups to an organizational message. To access RBAC permissions, sign
in to the Microsoft Intune admin center and go to Tenant administration > Roles.

This permission is also added to the Organizational Messages Manager built-in role.
Existing custom roles for managing Organizational Messages must be modified to add
this permission before their members can assign target groups to a message.

For more information about role-based access control (RBAC), see RBAC with
Microsoft Intune.
For more information about prerequisites for organizational messages, see
Organizational messages prerequisites.

Tenant administration

Delete organizational messages

You can now delete organizational messages from Microsoft Intune. After you delete a
message, it's removed from Intune, and no longer appears in the admin center. You can
delete a message anytime, regardless of its status. Intune automatically cancels active
messages after you delete them. For more information, see Delete organizational
messages.

Review audit logs for organizational messages

Use audit logs to track and monitor organizational message events in Microsoft Intune.
To access the logs, sign in to the Microsoft Intune admin center and go to Tenant
administration > Audit logs. For more information, see Audit logs for Intune activities.

Week of April 10, 2023

Device configuration

User configuration support for Windows 10 multi-session VMs is now GA

You can now:

Configure user scope policies using Settings catalog and assign to groups of
users.
Configure user certificates and assign to users.
Configure PowerShell scripts to install in the user context and assign to users.

Applies to:

Windows 10
Virtual machines created in Azure Public and Azure Government clouds

Week of April 3, 2023

Device configuration

Add Google accounts to Android Enterprise personally owned devices with a work profile

On Android Enterprise personally owned devices with a work profile, you can configure
settings that restrict device features and settings. One of these is the Add and remove
accounts setting. Previously, this setting prevented any account, including a Google
account, from being added in the work profile.

This setting has changed, and you can now allow Google accounts. The Add and remove
accounts setting options are:

Block all accounts types: Prevents users from manually adding or removing
accounts in the work profile. For example, when you deploy the Gmail app into the
work profile, you can prevent users from adding or removing accounts in this work
profile.

Allow all accounts types: Allows all accounts, including Google accounts. These
Google accounts are blocked from installing apps from the Managed Google Play
Store.

This setting requires Google Play app version 80970100 or higher.

Allow all accounts types, except Google accounts (default): Intune doesn't change
or update this setting. By default, the OS might allow adding accounts in the work
profile.

For more information on the settings you can configure, go to Android Enterprise device
settings list to allow or restrict features on personally owned devices using Intune.

Applies to:

Android Enterprise personally owned devices with a work profile

Week of March 27, 2023

App management

Update macOS DMG apps

You can now update apps of type macOS apps (DMG) deployed using Intune. To edit a
DMG app that's already created in Intune, upload the app update with the same bundle
identifier as the original DMG app. For related information, see Add a macOS DMG app
to Microsoft Intune.

Install required apps during pre-provisioning

A new toggle is available in the Enrollment Status Page (ESP) profile that lets you
choose whether to attempt to install required applications during the pre-provisioning
(white glove) technician phase. Installing as many applications as possible during
pre-provisioning reduces the end user setup time. If an app fails to install, ESP continues
unless the app is one of the blocking apps selected in the ESP profile. To enable this
behavior, edit your Enrollment Status Page profile and select Yes for the new setting
Only fail selected apps in technician phase. This setting appears only if you have
blocking apps selected. For information about ESP, go to Set up the Enrollment Status
Page.

Week of March 20, 2023 (Service release 2303)

App management

More minimum OS versions for Win32 apps

Intune supports more minimum operating system versions for Windows 10 and 11 when
installing Win32 apps. In the Microsoft Intune admin center, select Apps > Windows >
Add > Windows app (Win32). In the Requirements tab, next to Minimum operating
system, select one of the available operating systems. The added OS options are:

Windows 10 21H2
Windows 10 22H2
Windows 11 21H2
Windows 11 22H2

Managed apps permission is no longer required to manage VPP apps

You can view and manage VPP apps with only the Mobile apps permission assigned.
Previously, the Managed apps permission was required to view and manage VPP apps.
This change doesn't apply to Intune for Education tenants who still need to assign the
Managed apps permission. More information about permissions in Intune is available at
Custom role permissions.

Device configuration

New settings and setting options available in the macOS Settings Catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place. New settings are available in the Settings Catalog. In the Microsoft Intune
admin center, you can see these settings at Devices > Configuration profiles > Create
profile > macOS for platform > Settings catalog for profile type.

New settings include:

Microsoft Defender > Tamper protection:

Enforcement level

Microsoft Office > Microsoft OneDrive:

Automatic upload bandwidth percentage
Automatically and silently enable the Folder Backup feature (aka Known Folder
Move)
Block apps from downloading online-only files
Block external sync
Disable automatic sign in
Disable download toasts
Disable personal accounts
Disable tutorial
Display a notification to users once their folders have been redirected
Enable Files On-Demand
Enable simultaneous edits for Office apps
Force users to use the Folder Backup feature (aka Known Folder Move)
Hide dock icon
Ignore named files
Include ~/Desktop in Folder Backup (aka Known Folder Move)
Include ~/Documents in Folder Backup (aka Known Folder Move)
Open at login
Prevent users from using the Folder Backup feature (aka Known Folder Move)
Prompt users to enable the Folder Backup feature (aka Known Folder Move)
Set maximum download throughput
Set maximum upload throughput
SharePoint Prioritization
SharePoint Server Front Door URL
SharePoint Server Tenant Name

Applies to:

macOS

For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.

Add custom Bash scripts to configure Linux devices

In Intune, you can add existing Bash scripts to configure Linux devices (Devices > Linux
> Configuration Scripts).

When you create this script policy, you can set the context that the script runs in (user or
root), how frequently the script runs, and how many times execution should retry.

For more information on this feature, go to Use custom Bash scripts to configure Linux
devices in Microsoft Intune.

Applies to:

Linux Ubuntu Desktops

Device enrollment

Support for the await final configuration setting for iOS/iPadOS Automated device enrollment (public preview)

Now in public preview, Intune supports a new setting called Await final configuration in
eligible new and existing iOS/iPadOS automated device enrollment profiles. This setting
enables an out-of-the-box locked experience in Setup Assistant. It prevents device users
from accessing restricted content or changing settings on the device until most Intune
device configuration policies are installed. You can configure the setting in an existing
automated device enrollment profile, or in a new profile (Devices > iOS/iPadOS >
iOS/iPadOS enrollment > Enrollment program tokens > Create profile). For more
information, see Create an Apple enrollment profile.

New setting gives Intune admins control over device-to-category mapping

Control visibility of the device category prompt in Intune Company Portal. You can now
hide the prompt from end users and leave the device-to-category mapping up to Intune
admins. The new setting is available in the admin center under Tenant Administration >
Customization > Device Categories. For more information, see Device categories.

Support for multiple enrollment profiles and tokens for fully managed devices

Create and manage multiple enrollment profiles and tokens for Android Enterprise fully
managed devices. With this new functionality, you can now use the
EnrollmentProfileName dynamic device property to automatically assign enrollment
profiles to fully managed devices. The enrollment token that came with your tenant
remains in a default profile. For more information, see Set up Intune enrollment of
Android Enterprise fully managed devices.

New Azure AD frontline worker experience for iPad (public preview)


This capability begins to roll out to tenants in mid-April.

Intune now supports a frontline worker experience for iPhones and iPads using Apple
automated device enrollment. You can now enroll devices that are enabled in Azure AD
shared mode via zero-touch. For more information about how to configure automated
device enrollment for shared device mode, see Set up enrollment for devices in Azure
AD shared device mode.

Applies to:

iOS/iPadOS

Device management

Endpoint security firewall policy support for log configurations

You can now configure settings in endpoint security Firewall policy that configure
firewall logging options. These settings can be found in the Microsoft Defender Firewall
profile template for the Windows 10 and later platform, and are available for the
Domain, Private, and Public profiles in that template.

Following are the new settings, all found in the Firewall configuration service provider
(CSP):

Enable Log Success Connections
Log File Path
Enable Log Dropped Packets
Enable Log Ignored Rules

Applies to:

Windows 10
Windows 11
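
Once Enable Log Dropped Packets is on, the firewall writes a W3C-style text log (by default at %systemroot%\system32\LogFiles\Firewall\pfirewall.log, the Windows default rather than something this page sets) whose icmptype and icmpcode columns also let you confirm that a rule built with the IcmpTypesAndCodes setting described earlier on this page is actually dropping the traffic you intended. The following Python is an added example, not code from the Intune documentation or any Microsoft tool: the log lines are constructed, the field order is the firewall's own header, and the scanner heuristic and its threshold are the author's choices.

```python
from collections import Counter, defaultdict

# Constructed sample of a Windows Defender Firewall log (pfirewall.log) with
# dropped-packet logging enabled. The '#Fields' header and column order are the
# firewall's own format; the addresses, ports and timestamps are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-04-12 10:01:02 DROP TCP 203.0.113.5 10.0.0.12 51515 445 52 S 1234567 0 8192 - - - RECEIVE
2023-04-12 10:01:02 DROP TCP 203.0.113.5 10.0.0.12 51516 3389 52 S 1234568 0 8192 - - - RECEIVE
2023-04-12 10:01:03 DROP ICMP 203.0.113.5 10.0.0.12 - - 60 - - - - 8 0 - RECEIVE
2023-04-12 10:01:04 ALLOW TCP 10.0.0.12 10.0.0.5 49700 443 0 - 0 0 0 - - - SEND
2023-04-12 10:01:05 DROP ICMP 198.51.100.9 10.0.0.12 - - 60 - - - - 8 0 - RECEIVE
2023-04-12 10:01:06 DROP UDP 198.51.100.9 10.0.0.12 40000 161 78 - - - - - - - RECEIVE
"""

# Column names in the order the firewall writes them (17 fields per record).
FIELDS = ["date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port",
          "dst_port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
          "icmptype", "icmpcode", "info", "path"]


def _int_or_none(value: str):
    """The firewall writes '-' for fields that don't apply (e.g. ports on ICMP)."""
    return None if value == "-" else int(value)


def parse_firewall_log(text: str) -> list:
    """Parse pfirewall.log lines into dicts; skip '#' headers and malformed lines."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # truncated or garbled line; don't guess at field positions
        event = dict(zip(FIELDS, parts))
        for key in ("src_port", "dst_port", "icmptype", "icmpcode"):
            event[key] = _int_or_none(event[key])
        events.append(event)
    return events


def dropped_inbound_by_source(events: list) -> Counter:
    """Count inbound (RECEIVE) drops per source address."""
    return Counter(e["src_ip"] for e in events
                   if e["action"] == "DROP" and e["path"] == "RECEIVE")


def icmp_drops_by_type(events: list) -> Counter:
    """Count dropped ICMP packets per (type, code); (8, 0) is an echo request."""
    return Counter((e["icmptype"], e["icmpcode"]) for e in events
                   if e["action"] == "DROP" and e["protocol"] == "ICMP")


def suspected_scanners(events: list, min_ports: int = 2) -> list:
    """Sources whose inbound drops hit at least min_ports distinct destination ports.

    A crude but useful triage signal: one host probing several closed ports in a
    short window is worth a closer look before the log rolls over.
    """
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DROP" and e["path"] == "RECEIVE" and e["dst_port"] is not None:
            ports[e["src_ip"]].add(e["dst_port"])
    return sorted(ip for ip, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    events = parse_firewall_log(SAMPLE_LOG)
    print("inbound drops by source:", dict(dropped_inbound_by_source(events)))
    print("ICMP drops by type/code:", dict(icmp_drops_by_type(events)))
    print("suspected scanners:", suspected_scanners(events))
```

To use it on a real device, read the file named by the Log File Path setting and pass its contents to parse_firewall_log; an empty icmp_drops_by_type result after sending a ping to the device is a quick sign that the ICMP rule is not being applied or that dropped-packet logging is not enabled for the active profile.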

Endpoint security firewall rules support for Mobile Broadband (MBB)

The Interface Types setting in endpoint security Firewall policy now includes the option
for Mobile Broadband. Interface Types is available in the Microsoft Defender Firewall
Rules profile for all supported Windows platforms. For information about the use of
this setting and option, see Firewall configuration service provider (CSP).

Applies to:

Windows 10
Windows 11

Endpoint security firewall policy support for network list manager settings

We've added a pair of network list manager settings to endpoint security Firewall policy.
Windows applies the Domain, Private, or Public firewall profile based on how it
categorizes the network the device is connected to. An Azure AD-joined device has no
domain controller to detect, so these settings let Windows authenticate to a TLS endpoint
you specify to determine whether the device is on your on-premises domain subnets, so
that the firewall rules for the right profile apply.

The following settings are found in a new category named Network List Manager, that's
available in the Microsoft Defender Firewall profile template for the Windows 10,
Windows 11, and Windows Server platform:

Allowed Tls Authentication Endpoints
Configured Tls Authentication Network Name

For information about Network Categorization settings, see NetworkListManager CSP.

Applies to:

Windows 10
Windows 11

Improvements to Devices area in admin center (public preview)


The Devices area in the admin center now has a more consistent UI, with more capable
controls and an improved navigation structure so you can find the information you need
faster. To opt in to the public preview and try out the new experience, go to Devices and
flip the toggle at the top of the page. Improvements include:

A new scenario-focused navigation structure.
New location for platform pivots to create a more consistent navigation model.
A reduction in journey, helping you get to your destination faster.
Monitoring and reports are within the management workflows, giving you easy
access to key metrics and reports without having to leave the workflow.
A consistent way across list views to search, sort, and filter data.

For more information about the updated UI, see Try new Devices experience in
Microsoft Intune.

Device security

Microsoft Intune Endpoint Privilege Management (public preview)

As a public preview, you can now use Microsoft Intune Endpoint Privilege Management.
With Endpoint Privilege Management, admins can set policies that allow standard users
to perform tasks normally reserved for an administrator. Endpoint Privilege
Management can be configured in the Intune admin center at Endpoint security >
Endpoint Privilege Management.

With the public preview, you can configure policies for automatic and user-confirmed
workflows that elevate the run-time permissions for apps or processes you select. You
then assign these policies to users or devices that have end users running without
Administrator privileges. Once policy is received, Endpoint Privilege Management will
broker the elevation on behalf of the user, allowing them to elevate approved
applications without needing full administrator privileges. The preview also includes
built-in insights and reporting for Endpoint Privilege Management.

To learn how to activate the public preview and use Endpoint Privilege Management
policies, start with Use Endpoint Privilege Management with Microsoft Intune. Endpoint
Privilege Management is part of the Intune Suite offering, and free to try while it
remains in public preview.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

EVALARM by GroupKom GmbH (iOS)
ixArma by INAX-APPS (Android)
Seismic | Intune by Seismic Software, Inc.
Microsoft Viva Engage by Microsoft (formerly Microsoft Yammer)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Diagnostic data collection for Endpoint Privilege Management

To support the release of Endpoint Privilege Management, we've updated Collect
diagnostics from a Windows device to include the following data, which is collected
from devices enabled for Endpoint Privilege Management:

Registry keys:
HKLM\SOFTWARE\Microsoft\EPMAgent

Commands:
%windir%\system32\pnputil.exe /enum-drivers

Log files:
%ProgramFiles%\Microsoft EPM Agent\Logs\*.*
%windir%\system32\config\systemprofile\AppData\Local\mdm\*.log

View status for pending and failed organizational messages

We've added two more states to organizational message reporting details to make it
easier to track pending and failed messages in the admin center.

Pending: The message hasn't been scheduled yet and is currently in progress.
Failed: The message failed to schedule due to a service error.

For information about reporting details, see View reporting details for organizational
messages.

More reporting information related to tenant attach devices

You can now view information for tenant attach devices in the existing antivirus reports
under the Endpoint Security workload. A new column differentiates between devices
managed by Intune and devices managed by Configuration Manager. This reporting
information is available in Microsoft Intune admin center by selecting Endpoint
security > Antivirus.

Week of March 13, 2023

Device management

Meta Quest 2 and Quest Pro are now in Open Beta (US only) on
Microsoft Intune for Android Open Source Devices

Microsoft Intune for Android Open Source Project (AOSP) devices now supports Meta
Quest 2 and Quest Pro in Open Beta for the US market.

For more information, go to Operating systems and browsers supported by Microsoft
Intune.

Applies to:

Android (AOSP)

App management

Trusted Root Certificates Management for Intune App SDK for Android

If your Android application requires SSL/TLS certificates issued by an on-premises or
private certificate authority to provide secure access to internal websites and
applications, the Intune App SDK for Android now has support for certificate trust
management. For more information and examples, see Trusted Root Certificates
Management.

System context support for UWP apps

In addition to user context, you can deploy Universal Windows Platform (UWP) apps
from the Microsoft Store app (new) in system context. When a .appx app is deployed in
system context, it's provisioned on the device and auto-installs for each user who signs
in. If an individual end user uninstalls it from their own profile, the app still shows as
installed because it's still provisioned. The app must not already be installed for any
user on the device before you deploy it in system context. Our general recommendation
is to not mix install contexts when deploying apps. Win32 apps from the Microsoft Store
app (new) already support system context.

Week of March 6, 2023

App management

Deploy Win32 apps to device groups

You can now deploy Win32 apps with Available intent to device groups. For more
information, see Win32 app management in Microsoft Intune.

Device management

New URL for Microsoft Intune admin center

The Microsoft Intune admin center has a new URL: https://intune.microsoft.com. The
previously used URL, https://endpoint.microsoft.com, continues to work but will
redirect to the new URL in late 2023. We recommend taking the following actions to
avoid issues with Intune access and automated scripts:

Update login or automation to point to https://intune.microsoft.com.
Update your firewalls, as needed, to allow access to the new URL.
Add the new URL to your favorites and bookmarks.
Notify your helpdesk and update IT administrator documentation.

Tenant administration

Add CMPivot queries to Favorites folder

You can add your frequently used queries to a Favorites folder in CMPivot. CMPivot
allows you to quickly assess the state of a device managed by Configuration Manager
via Tenant Attach and take action. The functionality is similar to one already present in
the Configuration Manager console. This addition helps you keep all your most used
queries in one place. You can also add tags to your queries to help search and find
queries. The queries saved in the Configuration Manager console aren't automatically
added to your Favorites folder. You need to create new queries and add them to this
folder. For more information about CMPivot, see Tenant attach: CMPivot usage
overview.

Device enrollment

New Microsoft Store apps now supported with the Enrollment Status Page

The Enrollment Status Page (ESP) now supports the new Microsoft Store applications
during Windows Autopilot. This update enables better support for the new Microsoft
Store experience and should be rolling out to all tenants starting with Intune 2303. For
related information, see Set up the Enrollment Status Page.

Week of February 27, 2023

Device configuration

Support for Locate device on Android Enterprise corporate owned fully managed and Android Enterprise corporate owned work profile devices

You can now use Locate device on Android Enterprise corporate owned fully managed
and Android Enterprise corporate owned work profile devices. With this feature, admins
can locate lost or stolen corporate devices on demand.

In the Microsoft Intune admin center, you need to turn the feature on using Device
Restrictions in Device Configuration for Android Enterprise.

Select Allow on the Locate device toggle for fully managed and corporate owned work
profile devices and select applicable groups. Locate device is available when you select
Devices, and then select All devices. From the list of devices you manage, select a
supported device, and choose the Locate device remote action.

For information on locating lost or stolen devices with Intune, go to:

Locate lost or stolen devices with Intune

Applies to:

Android Enterprise corporate owned fully managed
Android Enterprise corporate owned dedicated devices
Android Enterprise corporate owned work profile

Intune add-ons

Microsoft Intune Suite adds mission-critical advanced endpoint management and
security capabilities to Microsoft Intune.

You can find add-ons to Intune in the Microsoft Intune admin center under Tenant
administration > Intune add-ons.

For detailed information, see Use Intune Suite add-on capabilities.

View ServiceNow Incidents in the Intune Troubleshooting workspace (Preview)

In public preview, you can view a list of ServiceNow incidents associated with the user
you've selected in the Intune Troubleshooting workspace. This new feature is available
under Troubleshooting + Support > select a user > ServiceNow Incidents. Each
incident shown has a direct link back to the source incident and shows key information
from the incident. All incidents listed link the "Caller" identified in the incident with the
user selected for Troubleshooting.

For more information, go to Use the troubleshooting portal to help users at your
company.

Device security

Microsoft Tunnel for MAM is now generally available

Now out of preview and generally available, you can add Microsoft Tunnel for Mobile
Application Management to your tenant. Tunnel for MAM supports connections from
unenrolled Android and iOS devices. This solution provides your tenant with a
lightweight VPN solution that allows mobile devices access to corporate resources while
adhering to your security policies.

In addition, MAM Tunnel for iOS now supports Microsoft Edge.

Previously, Tunnel for MAM for Android and iOS was in public preview and free for use.
With this release as generally available, this solution now requires an add-on license for
its use.

For licensing details, see Intune add-ons.

Applies to:

Android
iOS

Tenant administration

Organizational messages now support custom destination URLs

You can now add any custom destination URL to organizational messages in the taskbar,
notifications area, and Get Started app. This feature applies to Windows 11. Messages
created with Azure AD-registered domains that are in a scheduled or active state are still
supported. For more information, see Create organizational messages.

What's new archive

For previous months, see the What's new archive.

Notices
These notices provide important information that can help you prepare for future Intune
changes and features.

Plan for change: Intune is moving to support iOS/iPadOS 15 and later

Later this year, we expect iOS 17 to be released by Apple. Microsoft Intune, including
the Intune Company Portal and Intune app protection policies (APP, also known as
MAM), will require iOS 15/iPadOS 15 and higher shortly after iOS 17’s release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to
upgrade to the minimum supported version (iOS/iPadOS 15).

Because Office 365 mobile apps are supported on iOS/iPadOS 15.0 and later, this
change might not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 15 or iPadOS 15 (if applicable), see the following
Apple documentation:

Supported iPhone models
Supported iPad models

Note
Userless iOS and iPadOS devices enrolled through Automated Device Enrollment
(ADE) have a slightly nuanced support statement due to their shared usage. The
minimum supported OS version will change to iOS 15/iPadOS 15 while the allowed
OS version will change to iOS 12/iPadOS 12 and later. See this statement about
ADE Userless support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices
with mobile device management (MDM), go to Devices > All devices and filter by OS.
For devices with app protection policies, go to Apps > Monitor > App protection status
and use the Platform and Platform version columns to filter. Note that there's a current
known issue where several columns are missing from the App protection status report.
We expect a fix soon.

To manage the supported OS version in your organization, you can use Microsoft Intune
controls for both MDM and APP. For more information, see Manage operating system
versions with Intune.

Plan for change: Intune is moving to support macOS 12 and higher later this year

Later this year, we expect macOS 14 Sonoma to be released by Apple. Microsoft Intune,
the Company Portal app and the Intune mobile device management agent will be
moving to support macOS 12 and later. Since the Company Portal app for iOS and
macOS are a unified app, this change will occur shortly after the release of iOS/iPadOS
17.

How does this affect you or your users?


This change only affects you if you currently manage, or plan to manage, macOS devices
with Intune. This change might not affect you because your users have likely already
upgraded their macOS devices. For a list of supported devices, see macOS Monterey is
compatible with these computers.

Note
Devices that are currently enrolled on macOS 11.x or earlier will continue to remain
enrolled even when those versions are no longer supported. New devices will be
unable to enroll if they are running macOS 11.x or earlier.

How can you prepare?


Check your Intune reporting to see what devices or users might be affected. Go to
Devices > All devices and filter by macOS. You can add more columns to help identify
who in your organization has devices running macOS 11.x or earlier. Ask your users to
upgrade their devices to a supported OS version.

Plan for Change: Ending support for Microsoft Store for Business and Education apps

In April 2023, we'll begin ending support for the Microsoft Store for Business experience
in Intune. This occurs in several stages. For more information, see: Adding your
Microsoft Store for Business and Education apps to the Microsoft Store in Intune

How does this affect you or your users?


If you're using Microsoft Store for Business and Education apps:

1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services.
Microsoft Store for Business and Education apps won't be able to sync with Intune
and the connector page will be removed from the Intune admin center.
2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for
Business and Education apps on devices. Downloaded applications remain on the
device with limited support. Users may still be able to access the app from their
device, but the app won't be managed. Existing synced Intune app objects remain
to allow admins to view the apps that had been synced and their assignments.
Additionally, you won't be able to sync apps via the Microsoft Graph API
syncMicrosoftStoreForBusinessApps, and related API properties will display stale
data.
3. On September 15, 2023, Microsoft Store for Business and Education apps will be
removed from the Intune admin center. Apps on the device remain until
intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will
no longer be available about a month later.

Note that the retirement of Microsoft Store for Business and Education was announced
in 2021. When the Microsoft Store for Business and Education portals are retired,
admins will no longer be able to manage the list of Microsoft Store for Business and
Education apps that are synced or download offline content from the Microsoft Store for
Business and Education portals.

How can you prepare?


We recommend adding your apps through the new Microsoft Store app experience in
Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app
package from the vendor and install it as a line-of-business (LOB) app or Win32 app. For
instructions read the following articles:

Add Microsoft Store apps to Microsoft Intune


Add a Windows line-of-business app to Microsoft Intune
Add, assign, and monitor a Win32 app in Microsoft Intune

Related information

Update to Intune integration with the Microsoft Store on Windows


Unpacking Endpoint Management: The future of app management in Intune

Plan for Change: Ending support for Windows Information Protection

Microsoft Windows announced they're ending support for Windows Information
Protection (WIP). The Microsoft Intune family of products will be discontinuing future
investments in managing and deploying WIP. In addition to limiting future investments,
we removed support for the WIP without enrollment scenario at the end of calendar year
2022.

How does this affect you or your users?


If you have enabled WIP policies, you should turn off or disable these policies.

How can you prepare?


We recommend disabling WIP to ensure users in your organization do not lose access to
documents that have been protected by WIP policy. Read the blog Support tip: End of
support guidance for Windows Information Protection for more details and options
for removing WIP from your devices.

Plan for Change: Ending support for Windows 8.1


Microsoft Intune will be ending support for devices running Windows 8.1 on October 21,
2022. Additionally, the sideloading key scenario for line-of-business apps will stop being
supported since it's only applicable to Windows 8.1 devices.

Microsoft strongly recommends that you move to a supported version of Windows 10
or Windows 11, to avoid a scenario where you need service or support that is no longer
available.

How does this affect you or your users?


If you're managing Windows 8.1 devices, those devices should be upgraded to a
supported version of Windows 10 or Windows 11. There is no impact to existing devices
and policies; however, you won't be able to enroll new devices if they are running
Windows 8.1.

How can you prepare?


Upgrade your Windows 8.1 devices, if applicable. To determine which users’ devices are
running Windows 8.1, navigate to Microsoft Intune admin center > Devices >
Windows > Windows devices, and filter by OS.

Additional information

Manage operating system versions with Intune

Update your certificate connector for Microsoft Intune


As of June 1, 2022, Intune certificate connectors earlier than version 6.2101.13.0 may no
longer work as expected and stop connecting to the Intune service. For more
information on the certificate connector lifecycle and support, see Certificate Connectors
for Microsoft Intune.

How does this affect you or your users?


If you're impacted by this change, see MC393815 in the Message center.

How can you prepare?

Download, install, and configure the latest certificate connector. For more information,
see Install the Certificate Connector for Microsoft Intune.

To check which version of the certificate connector you are using, follow these steps:
1. On a Windows Server running the Intune Certificate Connector, launch "Add or
Remove programs".
2. A list of installed programs and applications will be displayed.
3. Look for an entry related to the Microsoft Intune Certificate Connector. There will
be a "Version" associated with the connector. Note that names for older
connectors may vary.

Plan for change: Intune is moving to support Android 8.0 and later in January 2022

Microsoft Intune will be moving to support Android version 8.0 (Oreo) and later for
mobile device management (MDM) enrolled devices on or shortly after January 7, 2022.

How does this affect you or your users?


After January 7, 2022, MDM enrolled devices running Android version 7.x or earlier will
no longer receive updates to the Android Company Portal or the Intune App. Enrolled
devices will continue to have Intune policies applied but are no longer supported for
any Intune scenarios. Company Portal and the Intune App will not be available for
devices running Android 7.x and lower beginning mid-February; however, these devices
won't be blocked from completing enrollment if the requisite app has been installed
prior to this change. If you have MDM enrolled devices running Android 7.x or below,
update them to Android version 8.0 (Oreo) or higher or replace them with a device on
Android version 8.0 or higher.

Note

Microsoft Teams devices are not impacted by this announcement and will
continue to be supported regardless of their Android OS version.

How can you prepare?

Notify your helpdesk, if applicable, of this upcoming change in support. You can identify
how many devices are currently running Android 7.x or below by navigating to Devices
> All devices > Filter. Then filter by OS and sort by OS version. There are two admin
options to help inform your users or block enrollment.

Here's how you can warn users:


Create an app protection policy and configure conditional launch with a min OS
version requirement that warns users.
Utilize a device compliance policy for Android device administrator or Android
Enterprise and set the action for noncompliance to send an email or push
notification to users before marking them noncompliant.

Here's how you can block devices running on versions earlier than Android 8.0:

Create an app protection policy and configure conditional launch with a min OS
version requirement that blocks users from app access.
Utilize a device compliance policy for Android device administrator or Android
Enterprise to make devices running Android 7.x or earlier noncompliant.
Set enrollment restrictions that prevent devices running Android 7.x or earlier from
enrolling.

Note

Intune app protection policies are supported on devices running Android 9.0 and
later. See MC282986 for more details.

Plan for change: Intune APP/MAM is moving to support Android 9 and higher

With the upcoming release of Android 12, Intune app protection policies (APP, also
known as mobile application management) for Android will move to support Android 9
(Pie) and later on October 1, 2021. This change will align with Office mobile apps for
Android support of the last four major versions of Android.

Based on your feedback, we've updated our support statement. We're doing our best to
keep your organization secure and protect your users and devices, while aligning with
Microsoft app lifecycles.

Note

This announcement doesn't affect Microsoft Teams Android devices. Those
devices will continue to be supported regardless of their Android OS version.

How does this affect you or your users?


If you're using app protection policies (APP) on any device that's running Android
version 8.x or earlier, or you decide to enroll any device that's running Android version
8.x or earlier, these devices will no longer be supported for APP.

APP policies will continue to be applied to devices running Android 6.x to Android 8.x.
But if you have problems with an Office app and APP, support will request that you
update to a supported Office version for troubleshooting. To continue to receive
support for APP, update your devices to Android version 9 (Pie) or later, or replace them
with a device on Android version 9.0 or later before October 1, 2021.

How can you prepare?


Notify your helpdesk, if applicable, about this updated support statement. You also have
two admin options to warn users:

Configure a conditional launch setting for APP with a minimum OS version
requirement to warn users.
Use a device compliance policy for an Android device administrator or Android
Enterprise. Set the action for noncompliance to send a message to users before
marking them as noncompliant.
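The notices above (iOS/iPadOS 15, macOS 12, Android 8.0 for MDM enrollment, Android 9 for APP, Windows 8.1, and the certificate connector) all come down to one check: compare a reported version string against a minimum, correctly, so that "10.0" sorts above "9.0" and "15" equals "15.0". The following is an added Python example, not Microsoft's code and not part of this documentation. It runs that check over constructed device records shaped like a Devices > All devices export (the column names deviceName, operatingSystem and osVersion are assumed) and over a connector version string as read from "Add or Remove programs". The sample records, the field names and the assumption that Windows 8.1 reports an NT version of 6.3.x are mine, not from the page.

```python
"""Flag Intune-managed devices below the minimum OS versions announced in the
notices, plus an out-of-date certificate connector. Added example with constructed
data; it does not talk to a tenant."""
import re
from typing import Dict, List, Tuple

# Minimum supported OS per platform for MDM-enrolled devices, from the notices:
# iOS/iPadOS 15, macOS 12, Android 8.0, Windows 10 (Windows 8.1 is assumed to
# report an NT version of 6.3.x, Windows 10/11 report 10.0.x).
MDM_MIN: Dict[str, str] = {
    "iOS": "15.0",
    "iPadOS": "15.0",
    "macOS": "12.0",
    "Android": "8.0",
    "Windows": "10.0",
}

# App protection policies (APP/MAM) require Android 9 per the later notice.
APP_MIN: Dict[str, str] = {"Android": "9.0"}

# Constructed device records (assumed export columns); not from a real tenant.
SAMPLE_DEVICES: List[Dict[str, str]] = [
    {"deviceName": "iphone-alice", "operatingSystem": "iOS", "osVersion": "14.8.1"},
    {"deviceName": "ipad-bob", "operatingSystem": "iPadOS", "osVersion": "15.7"},
    {"deviceName": "mac-carol", "operatingSystem": "macOS", "osVersion": "11.7.4"},
    {"deviceName": "pixel-dan", "operatingSystem": "Android", "osVersion": "7.1.2"},
    {"deviceName": "moto-ivan", "operatingSystem": "Android", "osVersion": "8.1.0"},
    {"deviceName": "galaxy-erin", "operatingSystem": "Android", "osVersion": "13"},
    {"deviceName": "laptop-frank", "operatingSystem": "Windows", "osVersion": "6.3.9600"},
    {"deviceName": "laptop-grace", "operatingSystem": "Windows", "osVersion": "10.0.19045.2965"},
    {"deviceName": "linux-heidi", "operatingSystem": "Linux", "osVersion": "22.04"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.1.2', '15.0.1', '10.0.19045.2965' or 'macOS 12.6' into a tuple of
    ints. Tuple comparison then orders versions numerically, which a plain
    string comparison gets wrong ('10.0' < '9.0' as strings)."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(n) for n in nums)


def is_below(version: str, minimum: str) -> bool:
    """True when `version` is strictly lower than `minimum`. Shorter tuples are
    zero-padded so that '15' and '15.0' compare equal."""
    v, m = parse_version(version), parse_version(minimum)
    width = max(len(v), len(m))
    v += (0,) * (width - len(v))
    m += (0,) * (width - len(m))
    return v < m


def find_unsupported(devices: List[Dict[str, str]],
                     minimums: Dict[str, str] = MDM_MIN) -> List[Dict[str, str]]:
    """Return the records whose OS version is below the platform minimum.
    Platforms with no entry in `minimums` are skipped, not flagged, so an
    unexpected platform never produces a false positive."""
    return [
        d for d in devices
        if d["operatingSystem"] in minimums
        and is_below(d["osVersion"], minimums[d["operatingSystem"]])
    ]


def connector_needs_update(installed_version: str,
                           minimum: str = "6.2101.13.0") -> bool:
    """Certificate connector notice: versions earlier than 6.2101.13.0 may stop
    connecting. Same comparison applied to the version string shown in
    'Add or Remove programs'."""
    return is_below(installed_version, minimum)


if __name__ == "__main__":
    for label, mins in (("MDM", MDM_MIN), ("APP", APP_MIN)):
        names = [d["deviceName"] for d in find_unsupported(SAMPLE_DEVICES, mins)]
        print(f"{label}: below minimum -> {names}")
    print("connector 6.1806.4.0 needs update:", connector_needs_update("6.1806.4.0"))
```

Swap in the real export rows for SAMPLE_DEVICES, or a different minimums map, and the same functions give the helpdesk the list of affected devices for each notice.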

Upgrade to the Microsoft Intune Management Extension


We've released an upgrade to the Microsoft Intune Management Extension to improve
handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune
automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to
this latest version. To check the version of the extension on a device, review the version
for Microsoft Intune Management Extension in the program list under Apps &
features.

For more information, see the information about security vulnerability CVE-2021-31980
in the Microsoft Security Response Center.

How does this affect you or your users?


No action is required. As soon as the client connects to the service, it automatically
receives a message to upgrade.

Update to Endpoint Security antivirus Windows 10 profiles

We've made a minor change to improve the antivirus profile experience for Windows 10.
There's no user effect, because this change affects only what you'll see in the UI.

How does this affect you or your users?


Previously, when you configured a Windows security profile for the Endpoint Security
antivirus policy, you had two options for most settings: Yes and Not configured. Those
settings now include Yes, Not configured, and a new option of No.

Previously configured settings that were set to Not configured remain as Not
configured. When you create new profiles or edit an existing profile, you can now
explicitly specify No.

In addition, the setting Hide the Virus and threat protection area in the Windows
Security app has a child setting, Hide the Ransomware data recovery option in the
Windows Security app. If the parent setting is set to Not configured and the child
setting is set to Yes, both the parent and child settings are set to Not configured. That
change takes effect when you edit the profile.

How can you prepare?


No action is needed. However, you might want to notify your helpdesk about this
change.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now
removing support for the associated Windows 10 Company Portals for Windows
versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not
affect you. You've likely already upgraded your OS or devices. This change only affects
you if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:
Windows 10 version 1507, Company Portal version 10.1.721.0
Windows 10 version 1511, Company Portal version 10.1.1731.0
Windows 10 version 1607, Company Portal version 10.3.5601.0
Windows 10 version 1703, Company Portal version 10.3.5601.0
Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the
Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the
latest security updates, new features, bug fixes, latency improvements, accessibility
improvements, and performance investments. You won't be able to co-manage users by
using System Center Configuration Manager and Intune.

How can you prepare?


In the Microsoft Intune admin center, use the discovered apps feature to find apps with
these versions. On a user's device, the Company Portal version is shown on the Settings
page of the Company Portal. Update to a supported Windows and Company Portal
version.

Public preview in Microsoft Intune
Article • 05/24/2023

Microsoft Intune releases features in "public preview". These features are being actively
developed, and may not be complete. They're made available on a "Preview" basis. You
can test and use these features in production environments and scenarios, and provide
feedback.

Preview features have a (preview) tag in the Microsoft Intune admin center:

What you need to know


When working with features in public preview, these features:

May have restricted or limited functionality. For example, the feature may only
apply to one platform.
Typically go through feature changes before they're generally available (GA).
Are fully supported by Microsoft.
May only be available in selected geographic regions or cloud environments. For
example, the feature may not exist in the Azure Government cloud.
Individual features in preview may have more usage and support restrictions. If so,
this information is typically noted in the feature documentation.

Next steps
Review the important notices.
See what's in development.

Tutorial: Walkthrough Microsoft Intune admin center
Article • 05/25/2023

Microsoft Intune provides the cloud infrastructure, the cloud-based mobile device
management (MDM), cloud-based mobile application management (MAM), and cloud-
based PC management for your organization. Intune helps you ensure that your
company's devices, apps, and data meet your company's security requirements. You
have the control to set which requirements need to be checked and what happens when
those requirements aren't met. The Microsoft Intune admin center is where you can
find the Microsoft Intune service, as well as other device management related settings.
Understanding the features available in Intune will help you accomplish various Mobile
Device Management (MDM) and Mobile Application Management (MAM) tasks.

Note

Microsoft Intune is a single, integrated endpoint management platform for
managing all your endpoints. The Microsoft Intune admin center integrates
Microsoft Configuration Manager and Microsoft Intune.

In this tutorial, you will:

Tour the Microsoft Intune admin center
Customize your view of the Microsoft Intune admin center

If you don't have an Intune subscription, sign up for a free trial account.

Prerequisites
Before setting up Microsoft Intune, review the following requirements:

Supported operating systems and browsers


Network configuration requirements and bandwidth

Sign up for a Microsoft Intune free trial

Trying out Intune is free for 30 days. If you already have a work or school account, sign
in with that account and add Intune to your subscription. Otherwise, you can sign up for
a free trial account to use Intune for your organization.

Important

You can't combine an existing work or school account after you sign up for a new
account.

Tour Microsoft Intune in the Microsoft Intune admin center

Follow the steps below to better understand Intune in the Microsoft Intune admin
center. Once you complete the tour, you'll have a better understanding of some of the
major areas of Intune.

1. Open a browser and sign in to the Microsoft Intune admin center . If you are new
to Intune, use your free trial subscription.

When you open the Microsoft Intune admin center, the service is displayed in a
pane of your browser. Some of the first workloads you may use in Intune include
Devices, Apps, Users, and Groups. A workload is simply a sub-area of a service.
When you select the workload, it opens that pane as a full page. Other panes slide
out from the right side of the pane when they open, and close to reveal the
previous pane.
By default, when you open the Microsoft Intune admin center, you'll see the Home
page pane. This pane provides an overall visual snapshot of tenant status and
compliance status, as well as other helpful related links.

2. From the navigation pane, select Dashboard to display overall details about the
devices and client apps in your Intune tenant. If you are starting with a new Intune
tenant, you will not have any enrolled devices yet.

Intune lets you manage your workforce's devices and apps, including how they
access your company data. To use this mobile device management (MDM) service,
the devices must first be enrolled in Intune. When a device is enrolled, it is issued
an MDM certificate. This certificate is used to communicate with the Intune service.

There are several methods to enroll your workforce's devices into Intune. Each
method depends on the device's ownership (personal or corporate), device type
(iOS/iPadOS, Windows, Android), and management requirements (resets, affinity,
locking). However, before you can enable device enrollment, you must set up your
Intune infrastructure. In particular, device enrollment requires that you set your
MDM authority. For more information about getting your Intune environment
(tenant) ready, see Set up Intune. Once you have your Intune tenant ready, you can
enroll devices. For more information about device enrollment, see What is device
enrollment?

3. From the navigation pane, select Devices to display details about the enrolled
devices in your Intune tenant.

Tip

If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Devices.

The Devices - Overview pane has several tabs that allow you to view a summary of
the following statuses and alerts:

Enrollment status - Review details about Intune enrolled devices by platform
and enrollment failures.
Enrollment alerts - Find more details about unassigned devices by platform.
Compliance status - Review compliance status based on device, policy,
setting, threats, and protection. Additionally, this pane provides a list of
devices without a compliance policy.
Configuration status - Review configuration status of device profiles, as well
as profile deployment.
Software update status - See a visual of the deployment status for all devices
and for all users.

4. From the Devices - Overview pane, select Compliance policies to display details
about compliance for devices managed by Intune. You will see details similar to the
following image.

Tip

If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Device
Compliance.

Compliance requirements are essentially rules, such as requiring a device PIN, or
requiring device encryption. Device compliance policies define the rules and
settings that a device must follow to be considered compliant. To use device
compliance, you must have:

An Intune and an Azure Active Directory (Azure AD) Premium subscription
Devices running a supported platform
Devices must be enrolled in Intune
Devices that are enrolled to either one user or no primary user.

For more information, see Get started with device compliance policies in Intune.

5. From the Devices - Overview pane, select Conditional Access to display details
about access policies.

Tip

If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Conditional
Access.

Conditional Access refers to ways you can control the devices and apps that are
allowed to connect to your email and company resources. To learn about device-
based and app-based Conditional Access, and find common scenarios for using
Conditional Access with Intune, see What's Conditional Access?

6. From the navigation pane, select Devices > Configuration profiles to display
details about device profiles in Intune.

Tip

If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Device
configuration.

Intune includes settings and features that you can enable or disable on different
devices within your organization. These settings and features are added to
"configuration profiles". You can create profiles for different devices and different
platforms, including iOS/iPadOS, Android, macOS, and Windows. Then, you can
use Intune to apply the profile to devices in your organization.

For more information about device configuration, see Apply features settings on
your devices using device profiles in Microsoft Intune.

7. From the navigation pane, select Devices > All devices to display details about
your Intune tenant's enrolled devices. If you are starting with a new Intune
tenant, you will not have any enrolled devices yet.

This list of devices shows key details about compliance, OS version, and last check-
in date.

Tip

If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Devices >
All devices.

8. From the navigation pane, select Apps to display an overview of app status. This
pane provides app installation status based on the following tabs:

Tip

If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Client apps.

The Apps - Overview pane has two tabs that allow you to view a summary of the
following statuses:

Installation status - View the top installation failures by device, as well as the
apps with installation failures.
App protection policy status - Find details about assigned users to app
protection policies, as well as flagged users.

As an IT admin, you can use Microsoft Intune to manage the client apps that your
company's workforce uses. This functionality is in addition to managing devices
and protecting data. One of an admin's priorities is to ensure that end users have
access to the apps they need to do their work. Additionally, you might want to
assign and manage apps on devices that are not enrolled with Intune. Intune offers
a range of capabilities to help you get the apps you need on the devices you want.

Note

The Apps - Overview pane also provides tenant status and account details.

For more information about adding and assigning apps, see Add apps to Microsoft
Intune and Assign apps to groups with Microsoft Intune.

9. From the Apps - Overview pane, select All apps to see a list of apps that have
been added to Intune.

Tip

If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Client apps
> Apps.

You can add a variety of different app types, based on platform, to Intune. Once an
app has been added, you can assign it to groups of users.

For more information, see Add apps to Microsoft Intune.

10. From the navigation pane, select Users to display details about the users that you
have included in Intune. These users are your company's workforce.

Tip

If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Users.

You can add users directly to Intune or synchronize users from your on-premises
Active Directory. Once added, users can enroll devices and access company
resources. You can also give users additional permissions to access Intune. For
more information, see Add users and grant administrative permission to Intune.

11. From the navigation pane, select Groups to display details about the Azure Active
Directory (Azure AD) groups included in Intune. As an Intune admin, you use
groups to manage devices and users.

Tip

If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Groups.

You can set up groups to suit your organizational needs. Create groups to organize
users or devices by geographic location, department, or hardware characteristics.
Use groups to manage tasks at scale. For example, you can set policies for many
users or deploy apps to a set of devices. For more information about groups, see
Add groups to organize users and devices.

12. From the navigation pane, select Tenant administration to display details about
your Intune tenant.

Tip

If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Tenant
status.

The Tenant admin - Tenant status pane provides tabs for Tenant details,
Connector status, and Service health dashboard. If there are any issues with your
tenant or Intune itself, you will find details available from this pane.
For more information, see Intune Tenant Status.

13. From the navigation pane, select Troubleshooting + support > Troubleshoot to
check status details on a specific user.

Tip

If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting
Troubleshoot.

From the Assignments dropdown list, you can choose to view the targeted
assignments of client apps, policies, update rings, and enrollment restrictions.
Additionally, this pane provides device details, app protection status, and
enrollment failures for a specific user.

For more information about troubleshooting within Intune, see Use the
troubleshooting portal to help users at your company.

14. From the navigation pane, select Troubleshooting + support > Help and support
to request help.

Tip

If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Help and
support.

As an IT admin, you can use the Help and Support option to search and view
solutions, as well as file an on-line support ticket for Intune.

To create a support ticket, your account must be assigned an administrator role in
Azure Active Directory. Administrator roles include Intune administrator, Global
administrator, and Service administrator.

For more information, see How to get support in Microsoft Intune.

15. From the navigation pane, select Troubleshooting + support > Guided scenarios
to display available Intune guided scenarios.

A guided scenario is a customized series of steps centered around one end-to-end
use-case. Common scenarios are based on the role an admin, user, or device plays
in your organization. These roles typically require a collection of carefully
orchestrated profiles, settings, applications, and security controls to provide the
best user experience and security.

If you are not familiar with all the steps and resources needed to implement a
particular Intune scenario, guided scenarios may be used as your starting point.
For more information about guided scenarios, see Guided scenarios overview.

Configure the Microsoft Intune admin center


Microsoft Intune admin center allows you to customize and configure the view of the
portal.

Change the Dashboard


The Dashboard displays overall details about the devices and client apps in your
Intune tenant. Dashboards provide a way for you to create a focused and organized
view in the Microsoft Intune admin center. Use dashboards as a workspace where you
can quickly launch tasks for day-to-day operations and monitor resources. Build custom
dashboards based on projects, tasks, or user roles, for example. The Microsoft Intune
admin center provides a default dashboard as a starting point. You can edit the default
dashboard, create and customize additional dashboards, and publish and share
dashboards to make them available to other users.

To modify your current dashboard, select Edit. If you don't want to change your default
dashboard, you can also create a New dashboard. Creating a new dashboard gives you
an empty, private dashboard with the Tile Gallery, which lets you add or rearrange tiles.
You can find tiles by category or resource type. You can also search for particular tiles.
Select My Dashboard to select any of your existing custom dashboards.

Change the Portal settings


You can customize the Microsoft Intune admin center by choosing the default view, the
theme, the credentials timeout period, as well as language and region settings.

Next steps
To get running quickly on Microsoft Intune, step through the Intune Quickstarts by first
setting up a free Intune account.

Quickstart: Try Microsoft Intune for free


Evaluate Microsoft Intune
Article • 05/25/2023

Microsoft Intune, which is a part of the Microsoft Intune family of products, provides the
cloud infrastructure, the cloud-based mobile device management (MDM), cloud-based
mobile application management (MAM), and cloud-based PC management for your
organization. It lets you protect your organization by controlling features and settings
on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10/11 devices. It
integrates closely with Azure Active Directory (Azure AD) for identity and access control
and Azure Information Protection and advanced threat protection products for data
protection. When you use it with Microsoft 365, you can enable your workforce to be
productive on all their devices while keeping your organization's information protected.
If you have on-premises infrastructure, such as Exchange or an Active Directory, you can
use Intune connectors to help you connect to external services. Intune is included in
Microsoft's Enterprise Mobility + Security (EMS) suite.

Note

Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.

In the following diagram, you can see how Intune interacts with other components in
both your on-premises and cloud infrastructure:

Prerequisites
The following list includes recommended (but not required) prerequisites:

Available devices (iOS device, Android device, Windows device, macOS device)
Familiarity with Intune's supported operating systems
Familiarity with Network endpoints for Microsoft Intune
An app that you would like to add to Intune

Learning objectives
In this topic, you will set up a testing environment to evaluate Intune. Then, you will step
through specific actions to better understand and evaluate Intune.

Set up the Microsoft Intune free trial
Create users and groups
Set up device enrollment
Create compliance policies
Understand notifications
Add and assign apps
Create and assign app policies
Create and assign custom roles
Create a device profile

Benefits of Microsoft Intune

Microsoft Intune helps you and your organization by increasing security and
productivity, providing flexibility, and maximizing your management investment.

Microsoft Intune provides the following:

Intelligent and unified endpoint security
Flexible and unified endpoint management
Data protection without device enrollment
Greater end-user productivity
Co-management for cloud and on-premises devices

Learn how the Microsoft Intune family of products helps you maximize your return on
investment. For more information, see Benefits of Microsoft Intune.

Next steps
Start by signing up for the Intune free trial. When you complete the sign-up process,
you'll have a new tenant and you'll understand the basics of working with Microsoft
Intune.

Learn more
For more information about Microsoft Intune, see the following resources:

Microsoft Intune fundamentals
Modern management and security principles driving our Microsoft endpoint
management vision

Try Microsoft Intune for free
Article • 05/25/2023

Microsoft Intune helps you protect your workforce's corporate data by managing
devices and apps. In this topic, you will create a free subscription to try Intune in a test
environment.

Note

Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.

Intune provides mobile device management (MDM) and mobile app management
(MAM) from a secure cloud-based service that is administered using the Microsoft
Intune admin center. Using Intune, you ensure your workforce's corporate resources
(data, devices, and apps) are correctly configured, accessed, and updated, meeting your
company's compliance policies and requirements.

When you complete the signup process, you'll have a new tenant. A tenant is a
dedicated instance of Azure Active Directory (Azure AD) where your subscription to
Intune is hosted. You can then configure the tenant, add users and groups, and assign
licenses to users. When you're ready, you can help users enroll their devices and add
apps that they need to begin the modern endpoint management process. As you
continue, you can set configuration and protection policies, as well as other endpoint
management capabilities.

Prerequisites
Before setting up Microsoft Intune, review the following requirements:

Supported operating systems and browsers
Network configuration requirements and bandwidth

Sign up for a Microsoft Intune free trial

Trying out Intune is free for 30 days. If you already have a work or school account, sign
in with that account and add Intune to your subscription. Otherwise, you can sign up for
a new account to use Intune for your organization.

Important

You can't combine an existing work or school account after you sign up for a new
account.

To sign up for the Microsoft Intune free trial, follow the steps below:

1. Navigate to the Intune set up account page.

2. Enter your email address and click Next.

Note

If you already have an account set up with another Microsoft service using
your email address, you can choose to sign in to use the account with the
Intune trial, or you can create a new account. These steps assume you are
creating a new account.

3. Click Set up account to create a new account.

4. Add your name, phone number, company name, company size, and region. Review
the remaining information and click Next.
5. Click Send verification code to verify the phone number you added.
6. Enter the verification code you receive on your mobile device, then click Verify.
7. Add your Username and Domain name for your trial that represents your business
or organization. Your name will be added before .onmicrosoft.com. Click Save to
check availability. Click Next to continue. If you like, you can later change this
domain name to your custom domain name.
8. After your account has been created, you'll see your user name. You'll use this user
name to log in to Intune. Additionally, you receive an email message that contains
your account information at the email address that you provided during the sign-up
process. This email confirms your subscription is active.

Note

If you click Get Started, you'll open the Microsoft 365 admin center home
page. If you click Manage your subscription, you'll open Your products and
view details about your Microsoft Intune Trial subscription.

Sign in to Intune in the Microsoft Intune admin center
If you're not already signed in to the admin center, complete the following steps:

1. Open a new browser window and enter https://intune.microsoft.com in the
address bar.

2. Use the user ID that you were given in the steps above to sign in. The user ID will
look similar to the following: yourID@yourdomain.onmicrosoft.com.

When you sign up for a trial, you will also receive an email message that contains your
account information and the email address that you provided during the sign-up
process. This email confirms your trial is active.

Tip

When working with Microsoft Intune, you may have better results working with
a browser in regular mode, rather than private mode.

Confirm the MDM authority in Microsoft Intune
By default, the Mobile Device Management (MDM) authority is set when you create your
free trial. You can confirm that the MDM authority is set by using the following steps:

1. If you're not already signed in, sign in to the Microsoft Intune admin center.
2. Click Tenant administration.
3. View the tenant details. The MDM authority should be set to Microsoft Intune.

If after signing in to the Microsoft Intune admin center, you see an orange banner
indicating that you haven't yet set the MDM authority, you can activate it at this time.
The mobile device management (MDM) authority setting determines how you manage
your devices. The MDM authority must be set before users can enroll devices for
management.

Set the MDM authority to Intune

1. If you do not have the MDM authority set, sign in to the Microsoft Intune admin
center.

2. Select the orange banner to open the Mobile Device Management Authority
setting. The orange banner is only displayed if you haven't yet set the MDM
authority.

Note

If you have set the MDM Authority, you will see the MDM authority value on
the Tenant administration pane. The orange banner is only displayed if you
haven't yet set the MDM authority.

3. If your MDM Authority is not set, under Choose MDM Authority, set your MDM
authority to Intune MDM Authority.

For more information about the MDM authority, see Set the mobile device management
authority.

Configure your custom domain name (Optional)
As mentioned above, if your organization has its own custom domain that you want to
use without .onmicrosoft.com, you can change it in the Microsoft 365 admin center. You
can add, verify, and configure your custom domain name using the following steps.

Important

You cannot rename or remove the initial onmicrosoft.com part of the domain
name. However, you can add, verify or remove custom domain names used with
Intune to keep your business identity clear. For more information, see Configure a
custom domain name.

1. Go to Microsoft 365 admin center and sign in using your administrator account.

2. In the navigation pane, choose Setup > Domains > Add domain.

3. Type your custom domain name. Then, select Next.

4. Verify that you are the owner of the domain that you entered in the previous step.

Selecting send code via email will send an email to the registered contact of your
domain. After you receive the email, copy the code and enter it in the field labeled
Type your verification code here. If the verification code matches, the domain will
be added to your tenant. The email displayed may not look familiar. Some
registrars hide the real email address. Also, the email address may be different
than what was provided when the domain was registered.
Note

For TXT record verification details, see Create DNS records at any DNS
hosting provider for Microsoft 365.

Confirm your licenses

A Microsoft Intune license is created for you when you sign up for the Intune free trial.
As part of this trial, you'll also have a trial Enterprise Mobility + Security (EMS)
subscription. An Enterprise Mobility + Security (EMS) subscription includes both Azure
Active Directory Premium and Microsoft Intune.

To confirm your Azure Active Directory Premium and Microsoft Intune licenses, see
Confirm your licenses.

Admin experiences
There are two admin centers that you will use most often:

The Microsoft Intune admin center (https://intune.microsoft.com) is where you
can explore the capabilities of Intune. This is where an admin would work with
Intune.

The Microsoft 365 admin center (https://admin.microsoft.com) is where you can
add and manage users, if you are not using Azure Active Directory for this. You can
also manage other aspects of your account, including billing and support.

Next steps
In this topic, you've created a free subscription to try Intune in a test environment. For
more information about setting up Intune, see Set up Intune.

To continue to evaluate Microsoft Intune, go to the next step:

Step 2 - Create a user and assign a license to it


Step 2: Create a user in Intune and
assign the user a license
Article • 03/31/2023

In this topic, you'll create a user and then assign the user an Intune license. When you
use Intune, each person you want to have access to company data must have their own
user account. Intune admins can configure users later to manage access control.

Note

Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.

Prerequisites
A Microsoft Intune subscription. Sign up for a free trial account.

Sign in to the Microsoft Intune admin center

Sign in to Microsoft Intune admin center as a Global administrator or an Intune
Service administrator. If you've created an Intune trial subscription, the account you
created the subscription with is the Global administrator.

Create a user
A user must have a user account to enroll in Intune device management. To create a new
user:

1. In the Microsoft Intune admin center, select Users > All users > New user:

2. In the Name box, enter a name, such as Dewey Kellum:

3. In the User name box, enter a user identifier, such as
Dewey@contoso.onmicrosoft.com.

Note

If you haven't configured your custom domain name, use the verified
domain name you used to create the Intune subscription (or free trial).

4. Select Show password and be sure to remember the automatically generated
password so that you can sign in to a test device.

5. Select Create.

Assign a license to the user

After you've created a user, you must use the Microsoft 365 admin center to assign an
Intune license to the user. If you don't assign the user a license, they'll be unable to
enroll their device into Intune.

To assign an Intune license to a user:

1. Sign in to the Microsoft 365 admin center with the same credentials you used to
sign in to Intune.

2. Select Users > Active Users, and then select the user you just created.

3. Select the Licenses and Apps tab.

4. Under Select location, select a location for the user, if it's not already set.

5. Select the Intune check box in the Licenses section. If another license includes
Intune, you can select that license. The displayed product name is used as the
service plan in Azure management.
Note

This setting uses one of your licenses for the user. If you're using a trial
environment, you'll later reassign this license to a real user in a live
environment.

6. Select Save changes.

The new active Intune user will now show that they're using an Intune license.

Clean up resources
If you don't need this user anymore, you can delete the user by going to the Microsoft
365 admin center and selecting Users > the user > the delete user icon > Delete user
> Close.

Next steps
In this topic, you created a user and assigned an Intune license to that user. For more
information about adding users to Intune, see Add users and grant administrative
permission to Intune.

To continue to evaluate Microsoft Intune, go to the next step:

Step 3 - Create a group to manage users


Step 3: Create a group to manage users
Article • 03/31/2023

In this article, you'll use Intune to create a group based on an existing user. Groups are
used to manage your users and control your employees' access to your company
resources. These resources can be part of your company's intranet or can be external
resources, such as SharePoint sites, SaaS apps, or web apps.

Note

Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.

If you don't have an Intune subscription, sign up for a free trial account.

Note

Intune provides pre-created All Users and All Devices groups in the console with
built-in optimizations for your convenience.

Prerequisites
Microsoft Intune subscription - sign up for a free trial account.
To complete this step, you must create a user.

Sign in to the Microsoft Intune admin center

Sign in to Microsoft Intune admin center as a Global administrator or an Intune
Service administrator. If you've created an Intune Trial subscription, the account you
created the subscription with is the Global administrator.

Create a group
You'll create a group that will be used later in this evaluation series. To create a group:

1. Once you've opened the Microsoft Intune admin center, select Groups > New
group.

2. In the Group type dropdown box, select Security.

3. In the Group name field, enter the name for the new group (for example, Contoso
Testers).

4. Add a Group description for the group.

5. Set the Membership type to Assigned.

6. Under Members, select the link and add one or more members for the group from
the list.

7. Click Select > Create.

Once you've successfully created the group, it will appear in the list of All groups.

Next steps
In this article, you used Intune to create a group based on an existing user. For more
information about adding groups to Intune, see Add groups to organize users and
devices.

To continue to evaluate Microsoft Intune, go to the next step:

Step 4 - Set up automatic enrollment for Windows 10/11 devices


Step 4: Set up automatic enrollment for
Windows 10/11 devices
Article • 07/20/2023

Applies to:

Windows 10
Windows 11

In this task, you'll set up Microsoft Intune to automatically enroll corporate owned or
user owned devices. You can scope automatic enrollment to some Azure AD users, all
users, or none.

Note

Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.

If you don't have an Intune subscription, sign up for a free trial account to try out this
tutorial.

Prerequisites
To complete this evaluation step, you must:

1. Sign up for a Microsoft Intune subscription or trial subscription.
2. Create a user.
3. Create a group.
4. Sign up for the Azure AD free Premium trial (this article describes how to sign up).

To access Microsoft Intune, sign in to the Microsoft Intune admin center with a Global
Administrator account. If you've already created an Intune Trial subscription, the account
you created the subscription with is a Global Administrator.

Set up automatic enrollment

For this example, you'll configure MDM enrollment settings so that both corporate and
bring-your-own-devices can be automatically enrolled in Intune. If your intent is to
enable automatic enrollment for Windows BYOD devices to an MDM, configure the
MDM user scope to All (or Some, and specify a group) and configure the MAM user
scope to None (or Some, and specify a group, ensuring that users are not members of a
group targeted by both MDM and MAM user scopes). For corporate devices, the MDM
user scope takes precedence if both MDM and MAM user scopes are enabled. The
device will be automatically enrolled in the configured MDM.

Important

For Windows BYOD devices, the MAM user scope takes precedence if both the
MAM user scope and the MDM user scope (automatic MDM enrollment) are
enabled for all users or the same groups of users. The device will not be MDM
enrolled, and Microsoft Purview Information Protection policies will apply if you
configured them.

1. In the Microsoft Intune admin center, choose All services > M365 Azure Active
Directory > All services > Azure Active Directory > Mobility (MDM and MAM).

2. Select Get a free Premium trial to use this feature. Selecting this option will allow
auto enrollment using the Azure Active Directory free Premium trial.

3. Choose the Enterprise Mobility + Security E5 free trial option.

4. Select Free trial > Activate. It can take a minute to activate.

5. Select Microsoft Intune to configure Intune.

6. Select Some from the MDM user scope to use MDM auto-enrollment to manage
enterprise data on your employees' Windows devices. MDM auto-enrollment will
be configured for Azure AD joined devices and bring-your-own-device scenarios.

7. Choose Select groups > Contoso Testers > Select as the assigned group.

8. For MAM User scope, select None.

9. Use the default values for the remaining configuration values on the page.

10. Choose Save.

Clean up resources
To reconfigure Intune automatic enrollment, check out Set up enrollment for Windows
devices.

Next steps
In this task, you learned how to set up auto-enrollment for devices running Windows
10/11. For more information about device enrollment, see Device enrollment overview.

To continue to evaluate Microsoft Intune, go to the next step:

Step 5 - Enroll your Windows 10/11 device


Step 5: Enroll a device
Article • 03/31/2023

Applies to:

Windows 10
Windows 11

Employees and students who want remote access to work or school resources can enroll
their devices into Microsoft Intune. Enrollment ensures that all devices trying to access
data within your organization are secure and compliant with your policies and
requirements. Upon enrollment, the device gets access to resources like work email,
files, VPN, and Wi-Fi.

Note

Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.

In this task, you will:

Try out the device user experience by enrolling a device running Windows 10/11
into Microsoft Intune.
Try out the admin user experience by verifying the enrollment in the Microsoft
Intune admin center.

If you don't have an Intune subscription, sign up for a free trial account.

Prerequisites
To complete this evaluation step, you must:

Have a Microsoft Intune subscription: Sign up for a free trial account
Complete the evaluation step for setting up automatic enrollment in Intune.

Additionally, before you begin enrollment, confirm the version of Windows running on
your device.

1. Open the Settings app.

2. Select System > About.

3. Under Windows specifications, find Version.

4. Confirm that the device version is:

For Windows 10: 1607 or later

For Windows 11: 21H2 or later

Important

The steps in this evaluation step are for these versions of Windows. For
information about enrolling earlier versions of Windows, see Enroll device
running Windows 10, version 1511 and earlier.

Enroll device
1. In the Settings app, select Accounts.

2. Select Access work or school.

3. Select Connect to add a work or school account.

4. Enter the username and password for your work account. If you followed the
create a user and assign a license evaluation step, you can use the user account
that you created.

5. Wait for your device to finish registering. When you see the You're all set! screen,
select Done. Your work account should now be visible under Accounts.

If you followed the previous steps, but still can't access your work or school email
account and files, see Troubleshoot Windows 10/11 device access.

Confirm device enrollment

1. Sign in to the Microsoft Intune admin center as a Global Administrator.

2. Select Devices > All devices to view the enrolled devices in Intune.

3. Verify that you have an additional device enrolled within Intune.

Clean up resources
To unenroll the device, see Remove your Windows device from management.

Next steps
In this task, you learned how to enroll a device running Windows 10/11 into Intune. For
more information about the device user experience, see these resources:

Windows device enrollment with Intune Company Portal
What info can your company see when you enroll your device?

To continue to evaluate Microsoft Intune, go to the next step:

Step 6: Set a required password length for Android devices


Step 6: Create a password compliance
policy for Android Enterprise devices
Article • 04/19/2023

In this topic, you'll use Microsoft Intune to require your workforce's Android users to
enter a password of a specific length before access is granted to information on their
Android Enterprise devices.

Note

Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.

An Intune device compliance policy specifies the rules and settings that devices must
meet to be considered compliant. You can use compliance policies with Conditional
Access to allow or block access to company resources. You can also get device reports
and take actions for non-compliance.

Important

In addition to password settings, you should also consider other system security
settings to protect your workforce. For more information, see System security
settings.

If you don't have an Intune subscription, sign up for a free trial account.

Sign in to Intune
Sign in to the Microsoft Intune admin center as a Global administrator or an Intune
Service administrator.

Create a device compliance policy

Create a device compliance policy to require your workforce's Android users to enter a
password of a specific length before access is granted to information on their Android
Enterprise devices.

1. Sign in to the Microsoft Intune admin center, select Devices > Compliance Policies
> Create Policy.

2. For Platform, select Android Enterprise.

3. For Profile type, select either Fully managed, dedicated, and corporate-owned
work profile or Personally-owned work profile, and then click Create.

4. On the Basics step, enter Android compliance as the Name. Adding a Description is
optional. Click Next.

5. On the Compliance settings step, expand System Security and configure the
following:

For Require a password to unlock mobile devices, select Require.
For Required password type, select At least numeric.
For Minimum password length, enter 6.

6. When done, select Next until you reach the Review + create step. Then, click
Create to create the policy.

When you've successfully created the policy, it appears in your list of device compliance
policies.

Clean up resources
When no longer needed, delete the policy. To do so, select the compliance policy and
click Delete.

Next steps
In this topic, you used Intune to create a compliance policy for your workforce's Android
Enterprise devices to require a password of at least six characters in length. For more
information about creating compliance policies, see Get started with device compliance
policies in Intune.

To continue to evaluate Microsoft Intune, go to the next step:

Step 7: Send notifications to noncompliant devices


Step 7: Send notifications to
noncompliant devices
Article • 04/19/2023

In this topic, you'll use Microsoft Intune to send an email notification to the members of
your workforce that have noncompliant devices.

Note

Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.

Note

The remote action to send an email notification is not supported on devices that
are managed by a device compliance partner.

For localization, the admin must configure the target language in the Intune admin
center when creating the notification message template. The notification message
language sent to the user will be based on the preferred language configured for
the user in Azure AD.

By default, when Intune detects a device that isn't compliant, Intune immediately marks
the device as noncompliant. Azure Active Directory (Azure AD) Conditional Access then
blocks the device. When a device isn't compliant, Intune allows you to add actions for
noncompliance, which gives you flexibility to decide what to do. For example, you can
give users a grace period to be compliant before blocking noncompliant devices.

One action to take when a device doesn't meet compliance is to send email to the
device's user. You can also customize an email notification before sending it. Specifically,
you can customize the recipients, subject, and message body, including company logo,
and contact information. Intune also includes details about the noncompliant device in
the email notification.

If you don't have an Intune subscription, sign up for a free trial account.

Prerequisites
When using device compliance policies to block devices from corporate resources,
Azure AD Conditional Access must be set up. If you've completed the Create a device
compliance policy evaluation step, you're using Azure Active Directory. For more
information about Azure AD, see Conditional Access in Azure Active Directory and
common ways to use Conditional Access with Intune.

Sign in to Intune
Sign in to the Microsoft Intune admin center as a Global administrator or an Intune
Service administrator. If you've created an Intune Trial subscription, the account you
created the subscription with is the Global administrator.

Create a notification message template

To send email to your users, create a notification message template. When a device is
noncompliant, the details you enter in the template are shown in the email sent to your
users.

1. In the Intune admin center, select Devices > Compliance policies > Notifications
> Create notification.

2. Enter the following information for the Basics step:

Name: Contoso Admin
Email header – Include company logo: Set to Enabled to show your
organization's logo.
Email footer – Include company name: Set to Enabled to show your
organization's name.
Email footer – Include contact information: Set to Enabled to show your
organization's contact information.
Company Portal Website Link: Set to Disabled.

3. Click Next.

4. Enter the following information for the Notification message templates step:

Subject: Device compliance
Message: Your device is currently not meeting our organization's compliance
requirements.

5. Click Next and review your notification.

6. Click Create. The notification message template is ready to use.

Note

You can also edit a Notification template that was previously created.

For details about setting your company name, company contact information, and
company logo, see the following articles:

Company information and privacy statement
Support information
Customizing the user experience.

Add a noncompliance policy

When you create a device compliance policy, Intune automatically creates an action for
noncompliance. Intune then marks devices as noncompliant when they fail to meet your
compliance policy. You can customize how long the device is marked as noncompliant.
You can also add another action when you create a compliance policy, or update an
existing compliance policy.

The following steps will create a compliance policy for Windows 10 devices:

1. In the Intune admin center, select Devices > Compliance Policies > Create Policy.

2. Under Platform, click Windows 10 and later.

3. Click Create.

4. Enter the following information in the Basics step followed by Next:

Name: Windows 10 compliance
Description: Windows 10 compliance policy

5. Select System Security to display the device security-related settings.

6. Configure the following options:

Set Require a password to unlock mobile devices to Require. This setting
specifies whether to require users to enter a password before access is
granted to information on their mobile devices.
Set Minimum password length to 6. This setting specifies the minimum
number of digits or characters in the password.

7. Select Next for each of the remaining steps until you reach the Review + create
step. Click Create to create your compliance policy.

Add an action for noncompliance
After you have created a noncompliance policy, you can set an action to take place when
the device is out of compliance.

The following steps will create an action for noncompliance for Windows 10 devices:

1. In the Intune admin center, select Devices > Windows > Compliance policies.
2. Select your Windows 10 compliance policy from the list.
3. In the Windows 10 compliance policy overview pane, select Properties.
4. Next to the Action for noncompliance section, click Edit.
5. In the Action drop-down box, select Send email to end users.
6. In the Schedule (days after noncompliance) drop-down box, select 0.
7. Under Message template, click None selected to display the Notification message
templates pane.
8. Click the template you created earlier in this topic, and then click Select to select
the message template.
9. Click Review + save > Save to save your compliance policy.

Assign the policy

You can assign the compliance policy to a specific group of users or to all users. When
Intune recognizes that a device is noncompliant, the user is notified that they must
update their device to meet the compliance policy. Use the following steps to assign the
policy.

1. In Intune go to Devices > Compliance policies and select the Windows 10
compliance policy that you created earlier.

2. Select Properties.

3. Next to Assignments, click Edit.

4. In the Assign to drop-down box, select All Users. This will select all users. Any user
that has a Windows 10 and later device that doesn't meet this compliance policy
will be notified.

Note

You can include and exclude groups when assigning compliance policies.

5. Click Review + save > Save.


When you've successfully created and saved the policy, it will appear in the list of
Compliance policies - Policies. Notice in the list that Assigned is set to Yes.
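The policy, noncompliance action, and assignment from the steps above, created through Microsoft Graph with the Microsoft Graph PowerShell SDK. This is an added example, not code from the Intune documentation. It assumes the Microsoft.Graph module is installed and that $templateName (an assumption; replace it with yours) is the display name of the notification message template created earlier in this evaluation. It reads the policy back at the end, which is the check to run whenever policy is created outside the admin center.

```powershell
# Added example, not from the Intune documentation. Creates the
# "Windows 10 compliance" policy, its noncompliance action, and its
# assignment with Microsoft Graph instead of the admin center.
# Assumption: the Microsoft.Graph PowerShell module is installed.
# Assumption: $templateName is the display name of the notification
# message template you created earlier in this evaluation.
$templateName = 'Compliance notification'

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$graph = 'https://graph.microsoft.com/v1.0'

# Resolve the notification template by name so no ID is hard-coded.
$templates = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/deviceManagement/notificationMessageTemplates"
$template = $templates.value | Where-Object { $_.displayName -eq $templateName }
if (-not $template) { throw "Notification template '$templateName' not found" }

# Basics and System Security settings (steps 4-6). Graph requires the
# scheduled actions on creation: 'block' with 0 hours is the default
# "mark device noncompliant immediately" action, and 'notification' is
# the "Send email to end users" action from the next section.
# 'PasswordRequired' is the rule name the admin center uses for
# Windows compliance policies.
$policy = @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'Windows 10 compliance'
    description             = 'Windows 10 compliance policy'
    passwordRequired        = $true
    passwordMinimumLength   = 6
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0
                   notificationTemplateId = ''; notificationMessageCCList = @() }
                @{ actionType = 'notification'; gracePeriodHours = 0
                   notificationTemplateId = $template.id; notificationMessageCCList = @() }
            )
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Assign to all users ("All Users" in the Assign to drop-down).
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Read back and check what actually landed in the tenant.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)?`$expand=assignments"
if (-not $check.passwordRequired -or $check.passwordMinimumLength -ne 6) {
    throw 'Password settings did not apply as expected'
}
if (-not $check.assignments -or $check.assignments.Count -lt 1) {
    throw 'Policy was created but is not assigned'
}
"Policy '$($check.displayName)' created and assigned to $($check.assignments.Count) target(s)"
```

Run this in a test tenant first. If the template lookup fails, the script stops before anything is created, so nothing is left half-configured.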

Next steps
In this topic, you used Intune to create and assign a compliance policy for your
workforce's Windows 10 devices to require a password of at least six characters in
length. For more information about creating compliance policies for Windows devices,
see Add a device compliance policy for Windows devices in Intune.

To continue to evaluate Microsoft Intune, go to the next step:

Step 8: Add and assign a client app


Step 8: Add and assign an app
Article • 04/19/2023

In this topic, you will use Intune to add and assign an app to your company's workforce.
One of an admin's priorities is to ensure that end users have access to the apps they
need to do their work.

Note

Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.

If you don't have an Intune subscription, sign up for a free trial account.

Prerequisites
To complete this evaluation step, you must create a user, create a group, and enroll
a device.

Sign in to Intune
Sign in to the Microsoft Intune admin center as a Global administrator or an Intune
Service administrator. If you have created an Intune Trial subscription, the account you
created the subscription with is the Global administrator.

Add the app to Intune


Adding an app to Intune lets Intune deploy it to users and devices and manage aspects of the app.

Use the following steps to add an app to Intune:

1. Sign in to the Microsoft Intune admin center, and then select Apps > All apps > Add.
2. In the App type drop-down box, select Windows 10 and later from Microsoft 365
Apps.
3. Click Select. The Add app steps are displayed.
4. Confirm the default details in the App suite information step and click Next.
5. Confirm the default settings in the App settings step and click Next.
6. Select the group assignments for the app. For more information, see Add groups
to organize users and devices.
7. Click Next to display the Review + create page. Review the values and settings you
entered for the app.
8. When you are done, click Create to add the app to Intune.

Assign the app to a group


After you've added an app to Microsoft Intune, you can assign the app to additional
groups of users or devices.

Note

This evaluation step builds on previous evaluation steps in this series. Please see
prerequisites in this topic for details.

Use the following steps to assign an app to a group:

1. In Intune, select Apps > All apps.


2. Select the app that you want to assign to a group.
3. Click Properties. Next to Assignments click Edit.
4. Click Add Group under the Required section. The Select group pane is displayed.
5. Find the group that you need to add and click Select at the bottom of the pane.
6. Click Review + save > Save to assign the group.

You now have assigned the app to an additional group.

Install the app on the enrolled device


End users must install and use the Company Portal app to install an app made available
by Intune. You, acting as an end user, can use the following steps to verify that the app
is available to the user of the enrolled device.

1. Log in to your enrolled Windows 10 Desktop device.

Important

The device must be enrolled with Intune. Also, you must sign in to the device
using an account contained in the group you assigned to the app.
2. From the Start menu, open the Microsoft Store. Then, find the Company Portal
app and install it.

3. Launch the Company Portal app.

4. Click the app that you added using Intune. In this topic you added the Microsoft
365 Apps suite.

Note

If you did not successfully assign any apps to the Intune user, you will see the
following message:
Your IT administrator did not make any apps available to
you.

5. Click Install.

If your business needs require that you assign the Company Portal app to your
workforce, you can manually assign the Windows 10 Company Portal app directly from
Intune. For more information see, Manually add the Windows 10 Company Portal app by
using Microsoft Intune.

Next steps
In this topic, you added apps to Intune, assigned the apps to a group, and installed the
apps on the enrolled Windows 10 Desktop device. For more information about
managing apps in Intune, see What is Microsoft Intune app management?

To continue to evaluate Microsoft Intune, go to the next step:

Step 9: Create and assign an app protection policy


Step 9: Create and assign an app
protection policy
Article • 03/31/2023

In this article, you'll use Intune to create and assign an app protection policy to a client
app on an end user's device. Intune uses app protection policies to confirm that your
apps are meeting your organization's data protection requirements.

Note

Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.

If you don't have an Intune subscription, sign up for a free trial account.

Prerequisites
To complete this evaluation step, you must create a user, create a group, enroll a
device, and add and assign an app.

Sign in to Intune
Sign in to Intune as a Global administrator or an Intune Service administrator. If
you've created an Intune Trial subscription, the account you created the subscription
with is the Global administrator.

Create an app protection policy


Use the following steps to create an app protection policy:

1. In Intune, select Apps > App protection policies > Create Policy > Windows 10.

2. Enter the following details:

Name: Windows 10 content protection


Description: Users associated with this policy won't be able to cut, copy, or
paste any content between the assigned app and other non-managed apps on
the device.
Enrollment state: With enrollment

3. Under Protected apps, select Add. The Add apps pane is displayed.

4. Choose the apps that must adhere to this policy and select OK.

5. Select Next to display the Required settings.

6. Set the Windows Information Protection mode. Block stops enterprise data from
leaving the protected app, which is what this policy's description promises; Allow
Overrides only prompts the user and logs the action if they choose to proceed. Select
Block for this evaluation. Microsoft has announced the deprecation of Windows
Information Protection, so don't base new deployments on this policy type.

7. Select Next to display the Advanced settings.

8. Select Next to display the Assignments.

9. Select Select groups to include, select the group, and select Select.

10. Select Next to display the Review + create step.

11. Select Create to create your policy.

You'll see the app protection policy in Intune.

Note

App protection policies can only be applied to groups that contain users, not
groups that contain devices.

Next steps
In this article, you created and assigned an app protection policy. Users of the app that
have this policy assigned won't be able to cut, copy, or paste any content between the
assigned app and other non-managed apps on the device. This type of protection helps
protect your organization's data. For more information about app protection policies in
Intune, see What are app protection policies?

To continue to evaluate Microsoft Intune, go to the next step:

Step 10: Create and assign a custom role


Step 10: Create and assign a custom role
Article • 03/31/2023

In this Intune topic, you'll create a custom role with specific permissions for a security
operations department. Then you'll assign the role to a group of such operators. There
are several default roles that you can use right away. But by creating custom roles like
this one, you have precise access control to all parts of your mobile device management
system.

Note

Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.

If you don't have an Intune subscription, sign up for a free trial account.

Prerequisites
To complete this evaluation step, you must create a group.

Sign in to Intune
Sign in to Intune as a Global Administrator or an Intune Service Administrator. If you
have created an Intune Trial subscription, the account you created the subscription with
is the Global administrator.

Create a custom role


When you create a custom role, you can set permissions for a wide range of actions. For
the security operations role, we'll set a few Read permissions so that the operator can
review a device's configurations and policies.
1. In Intune, choose Roles > All roles > Add.

2. Under Add custom role, in the Name box, enter Security operations.
3. In the Description box, enter This role lets a security operator monitor device
configuration and compliance information.
4. Choose Configure > Corporate device identifiers > Yes next to Read > OK.

5. Choose Device compliance policies > Yes next to Read > OK.
6. Choose Device configurations > Yes next to Read > OK.
7. Choose Organization > Yes next to Read > OK.
8. Choose OK > Create.

Assign the role to a group


Before your security operator can use the new permissions, you must assign the role to
a group that contains the security user.
1. In Intune, choose Roles > All roles > Security operations.
2. Under Intune roles, choose Assignments > Assign.
3. In the Assignment name box, enter Sec ops.
4. Choose Member (Groups) > Add.
5. Choose the Contoso Testers group.
6. Choose Select > OK.
7. Choose Scope (Groups) > Select groups to include > Contoso Testers.
8. Choose Select > OK > OK.

Now everyone in the group is a member of the Security operations role and can review
the following information about a device: corporate device identifiers, device
compliance policies, device configurations, and organization information.
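The same role and assignment built with Microsoft Graph, as an added example that is not part of the Intune documentation. It assumes the Microsoft.Graph module is installed and that the Contoso Testers group from an earlier step exists. Instead of hard-coding resource action names, it discovers them from the tenant's resourceOperations collection and prints the list before creating the role, so you can confirm the role carries only the four Read actions you intended.

```powershell
# Added example, not from the Intune documentation. Creates the read-only
# "Security operations" role and the "Sec ops" assignment with Microsoft
# Graph. Resource action names are discovered from the tenant so none are
# hard-coded. Assumptions: the Microsoft.Graph module is installed and a
# group named 'Contoso Testers' exists (created in an earlier step).
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All', 'Group.Read.All'
$graph = 'https://graph.microsoft.com/v1.0'

# Follow @odata.nextLink so large collections are read completely.
function Get-GraphCollection([string]$Uri) {
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

# The four resources the portal steps grant Read on. Wildcards absorb the
# exact spelling Intune uses for each resource name.
$patterns = '*CorporateDeviceIdentifier*', '*CompliancePolic*', '*DeviceConfiguration*', 'Organization'
$ops = Get-GraphCollection "$graph/deviceManagement/resourceOperations"
$readActions = foreach ($p in $patterns) {
    $ops | Where-Object { $_.actionName -eq 'Read' -and $_.resourceName -like $p } |
        ForEach-Object { $_.id }
}
$readActions = @($readActions | Sort-Object -Unique)

# Least privilege: review exactly which actions the role will carry.
$readActions | ForEach-Object { "  grant: $_" }
if ($readActions.Count -eq 0) { throw 'No matching Read actions found' }

$role = @{
    '@odata.type'   = '#microsoft.graph.roleDefinition'
    displayName     = 'Security operations'
    description     = 'This role lets a security operator monitor device configuration and compliance information.'
    isBuiltIn       = $false
    rolePermissions = @(
        @{ resourceActions = @(
            @{ allowedResourceActions = $readActions; notAllowedResourceActions = @() }
        ) }
    )
}
$roleDef = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleDefinitions" `
    -Body ($role | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# The group receives the role (members) and also bounds what the role may
# act on (resourceScopes), matching the Member and Scope choices above.
$groups = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/groups?`$filter=displayName eq 'Contoso Testers'"
$group = $groups.value | Select-Object -First 1
if (-not $group) { throw "Group 'Contoso Testers' not found" }

$assignment = @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'Sec ops'
    'roleDefinition@odata.bind' = "$graph/deviceManagement/roleDefinitions/$($roleDef.id)"
    members                     = @($group.id)
    resourceScopes              = @($group.id)
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleAssignments" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
"Role '$($roleDef.displayName)' assigned to group $($group.id) with $($readActions.Count) Read action(s)"
```

If the printed grant list contains anything beyond the four Read actions, tighten the patterns before the role is created; a custom role is only as least-privilege as the actions it carries.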

Clean up resources
If you don't want to use the new custom role anymore, you can delete it. Choose Roles
> All roles > choose the ellipses next to the role > Delete.

Next steps
In this step, you created a custom security operations role and assigned it to a
group. For more information about roles in Intune, see Role-based access
control (RBAC) with Microsoft Intune.

To continue to evaluate Microsoft Intune, go to the next step:

Step 11: Create an email device profile for iOS/iPadOS


Step 11: Create an email device profile
for iOS/iPadOS
Article • 03/21/2023

In this topic, you'll see how to create an email device profile for iOS/iPadOS devices. This
profile specifies the settings that are required for the built-in email app on the
iOS/iPadOS device to connect to company email. Email device profiles help standardize
settings across devices, and they let end users access company email on their personal
devices without any required setup on their part. To further safeguard your email, you
can use an email profile to determine if devices are compliant, and then set up
Conditional Access to allow only compliant devices to access email. For details about
email profiles, see How to configure email settings in Microsoft Intune

Note

Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.

If you don't have an Intune subscription, sign up for a free trial account.

Sign in to Intune
Sign in to the Microsoft Intune admin center as a Global Administrator or an Intune
Service Administrator. If you have created an Intune Trial subscription, the account you
created the subscription with is the Global administrator.

Create an iOS/iPadOS email profile


1. Sign in to the Microsoft Intune admin center.
2. Select and go to Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select iOS/iPadOS


Profile: Select Email

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the new profile. For this example, enter
iOS require work email.

Description: Enter Require iOS/iPadOS devices to use work email

6. Select Next.
7. In Configuration settings, enter the following settings (leave the defaults for other
settings):

Email server: For this evaluation step, enter outlook.office365.com. This
setting specifies the Exchange location (URL) of the email server that the
iOS/iPadOS mail app will use to connect to email.
Account name: Enter Company Email.
Username attribute from AAD: This name is the attribute Intune gets from
Azure Active Directory (Azure AD). Intune dynamically generates the
username for this profile using this name. For this evaluation step, we'll
assume that we want the User Principal Name to be used as the username
for the profile (for example, user1@contoso.com).
Email address attribute from AAD: This setting is the email address from
Azure AD that will be used to sign in to Exchange. For this evaluation step,
select User Principal Name.
Authentication method: For this evaluation step, select Username and
password. (You can also choose Certificate if you've already set up a
certificate for Intune.)

8. Select Next.

9. In Scope tags (optional), Select Next. We won't use a scope tag for this profile.

10. In Assignments, use the drop-down for Assign to and select All users and all
devices. Then, select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned.
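The email profile and its assignment created with Microsoft Graph, as an added example that is not part of the Intune documentation. It assumes the Microsoft.Graph module is installed; property names follow the Graph iosEasEmailProfileConfiguration resource. One caveat the portal steps don't mention: Exchange Online has retired Basic authentication, so a username-and-password profile only works if the built-in mail app signs in with OAuth. The example turns that on and reads the profile back to confirm SSL and OAuth are set.

```powershell
# Added example, not from the Intune documentation. Creates the iOS/iPadOS
# email profile and the "All users and all devices" assignment with Microsoft
# Graph. Assumption: the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$graph = 'https://graph.microsoft.com/v1.0'

# Configuration settings from step 7. Exchange Online no longer accepts
# Basic authentication, so useOAuth makes the mail app use modern auth.
$emailProfile = @{
    '@odata.type'        = '#microsoft.graph.iosEasEmailProfileConfiguration'
    displayName          = 'iOS require work email'
    description          = 'Require iOS/iPadOS devices to use work email'
    hostName             = 'outlook.office365.com'   # Email server
    accountName          = 'Company Email'
    usernameAADSource    = 'userPrincipalName'       # Username attribute from AAD
    usernameSource       = 'userPrincipalName'       # older equivalent, kept consistent
    emailAddressSource   = 'userPrincipalName'       # Email address attribute from AAD
    authenticationMethod = 'usernameAndPassword'
    useOAuth             = $true
    requireSsl           = $true
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceConfigurations" `
    -Body ($emailProfile | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# "All users and all devices" is two assignment targets in Graph.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } }
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Read back and confirm the server, SSL and OAuth settings.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)"
if ($check.hostName -ne 'outlook.office365.com' -or -not $check.requireSsl -or -not $check.useOAuth) {
    throw 'Email profile did not apply as expected'
}
"Profile '$($check.displayName)' created; SSL=$($check.requireSsl) OAuth=$($check.useOAuth)"
```

For production, prefer the Certificate authentication method with a certificate profile already deployed by Intune; it removes the password from the device entirely.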

Clean up resources
If you don't intend to use the profile you created for additional tutorials or testing, you
can delete it now.

1. In Intune, select Devices > Configuration profiles.

2. Select the test profile you created, iOS require work email, and then select
Delete.

Next steps
In this topic, you created an email profile for iOS/iPadOS devices. Now you can use this
profile to determine whether an iOS/iPadOS device is compliant by creating a
compliance policy that marks as noncompliant any iOS/iPadOS devices that don't match
the profile. For further protection, you can create a Conditional Access policy that blocks
noncompliant iOS/iPadOS devices from accessing email. For more information about
device compliance policies, see Get started with device compliance policies in Intune.

Deploy or move to Microsoft Intune


Tutorial: Protect Exchange Online email
on managed devices
Article • 03/02/2023

Learn about using device compliance policies with Conditional Access to make sure that
iOS devices can access Exchange Online email only if they're managed by Intune and
using an approved email app.

In this tutorial, you'll learn how to:

Create an Intune iOS device compliance policy to set the conditions that a device
must meet to be considered compliant.
Create an Azure Active Directory (Azure AD) Conditional Access policy that requires
iOS devices to enroll in Intune, comply with Intune policies, and use the approved
Outlook mobile app to access Exchange Online email.

If you don't have a Microsoft Intune Plan 1 subscription, sign up for a free trial account.

Prerequisites
You'll need a test tenant with the following subscriptions for this tutorial:

Azure Active Directory Premium (free trial )

Microsoft 365 Apps for business subscription that includes Exchange (free trial )

Before you begin, create a test device profile for iOS devices by following the steps in
Quickstart: Create an email device profile for iOS/iPadOS.

Sign in to Intune
Sign in to the Microsoft Intune admin center as a Global administrator or an Intune
Service administrator. If you have created an Intune Trial subscription, the account you
created the subscription with is the Global administrator.

Create the iOS device compliance policy


Set up an Intune device compliance policy to set the conditions that a device must meet
to be considered compliant. For this tutorial, we'll create a device compliance policy for
iOS devices. Compliance policies are platform-specific, so you need a separate
compliance policy for each device platform you want to evaluate.

1. In Intune, select Devices > Compliance policies > Create policy.

2. For Name, enter iOS compliance policy test.

3. For Description, enter iOS compliance policy test.

4. For Platform, select iOS/iPadOS.

5. Select Settings > Email.

a. Next to Require mobile devices to have a managed email profile, select


Require.

b. Select OK.

6. Select Device Health. Next to Jailbroken devices, select Block, and then select OK.

7. Select System Security and enter Password settings. For this tutorial, select the
following recommended settings:

For Require a password to unlock mobile devices, select Require.

For Simple passwords, select Block.

For Minimum password length, enter 4.

Tip

Default values that are grayed out and italicized are only
recommendations. You must replace values that are recommendations
to configure a setting.
For Required password type, choose Alphanumeric.

For Maximum minutes after screen lock before password is required,


choose Immediately.

For Password expiration (days), enter 41.

For Number of previous passwords to prevent reuse, enter 5.

8. Select OK, and then select OK again.

9. Select Create.

Create the Conditional Access policy


Now we'll create a Conditional Access policy that requires all device platforms to enroll
in Intune and comply with our Intune compliance policy before they can access
Exchange Online. We'll also require the Outlook app for email access. Conditional Access
policies are configurable in either the Azure AD portal or the Microsoft Intune admin
center. Since we're already in the admin center, we'll create the policy here.

1. In Microsoft Intune admin center, select Endpoint security > Conditional Access >
New policy.

2. For Name, enter Test policy for Microsoft 365 email.

3. Under Assignments, select Users and groups. On the Include tab, select All users,
and then select Done.
4. Under Assignments, select Cloud apps or actions. Because we want to protect
Microsoft 365 Exchange Online email, we'll select it by following these steps:

a. On the Include tab, choose Select apps.

b. Choose Select.

c. In the applications list, select Office 365 Exchange Online, and then choose
Select.

d. Select Done.

5. Under Assignments, select Conditions > Device platforms.

a. Under Configure, select Yes.

b. On the Include tab, select Any device, and then select Done.

c. Select Done again.


6. Under Assignments, select Conditions > Client apps.

a. Under Configure, select Yes.

b. For this tutorial, select Mobile apps and desktop clients and Modern
authentication clients (which refers to apps like Outlook for iOS and Outlook
for Android). Clear all other check boxes.

c. Select Done, and then select Done again.


7. Under Access controls, select Grant.

a. On the Grant pane, select Grant access.

b. Select Require device to be marked as compliant.

c. Select Require approved client app.

d. Under For multiple controls, select Require all the selected controls. This
setting ensures that both requirements you selected are enforced when a device
tries to access email.

e. Choose Select.
8. Under Enable policy, select On.

9. Select Create.

Try it out
With the policies you've created, any iOS device that attempts to sign in to Microsoft
365 email will need to enroll in Intune and use the Outlook mobile app for iOS/iPadOS.
To test this scenario on an iOS device, try signing in to Exchange Online using
credentials for a user in your test tenant. You'll be prompted to enroll the device and
install the Outlook mobile app.

1. To test on an iPhone, go to Settings > Passwords & Accounts > Add Account >
Exchange.

2. Enter the email address for a user in your test tenant, and then press Next.

3. Press Sign In.

4. Enter the test user's password, and press Sign in.

5. A message appears that says your device must be managed to access the resource,
along with an option to enroll.

Clean up resources
When the test policies are no longer needed, you can remove them.

1. Sign in to the Microsoft Intune admin center as a Global Administrator or an


Intune Service Administrator.

2. Select Devices > Compliance policies.

3. In the Policy Name list, select the context menu (...) for your test policy, and then
select Delete. Select OK to confirm.

4. Select Endpoint security > Conditional access.

5. In the Policy Name list, select the context menu (...) for your test policy, and then
select Delete. Select Yes to confirm.

Next steps
In this tutorial, you created policies that require iOS devices to enroll in Intune and use
the Outlook app to access Exchange Online email. To learn about using Intune with
Conditional Access to protect other apps and services, including Exchange ActiveSync
clients for Microsoft 365 Exchange Online, see Set up Conditional Access.
Tutorial: Protect Exchange Online email
on unmanaged devices
Article • 03/02/2023

In this tutorial, you'll learn how to use app protection policies with Conditional Access to
protect Exchange Online, even when devices aren't enrolled in a device management
solution like Intune. In this tutorial, you'll learn how to:

Create an Intune app protection policy for the Outlook app. You'll limit what the
user can do with app data by preventing "Save As" and restricting cut, copy, and
paste actions.
Create Azure Active Directory (Azure AD) Conditional Access policies that allow only
the Outlook app to access company email in Exchange Online. You'll also require
multi-factor authentication (MFA) for Modern authentication clients, like Outlook
for iOS and Android.

Prerequisites
You'll need a test tenant with the following subscriptions for this tutorial:

Azure Active Directory Premium (free trial )


Microsoft Intune Plan 1 subscription (free trial)
Microsoft 365 Apps for business subscription that includes Exchange (free trial )

Sign in to Intune
For this tutorial, when you sign in to the Microsoft Intune admin center , sign in as a
Global administrator or an Intune Service administrator. If you've created an Intune Trial
subscription, the account you created the subscription with is the Global administrator.

Create the app protection policy


In this tutorial, we'll set up an Intune app protection policy for iOS for the Outlook app
to put protections in place at the app level. We'll require a PIN to open the app in a
work context. We'll also limit data sharing between apps and prevent company data
from being saved to a personal location.

1. Sign in to the Microsoft Intune admin center.


2. Select Apps > App protection policies > Create policy, and select iOS/iPadOS for
the platform.

3. On the Basics page, configure the following settings:

Name: Enter Outlook app policy test.


Description: Enter Outlook app policy test.

The Platform value is set to your previous choice.

Click Next to continue.

4. The Apps page allows you to choose how you want to apply this policy to apps on
different devices. Configure the following options:

Click Select public apps. In the Apps list, select Microsoft Outlook, and then
choose Select. Microsoft Outlook now appears under Public apps.

Click Next to continue.

5. The Data protection page provides settings that determine how users interact with
data in the apps that this app protection policy applies.​Configure the following
options:

Below Data Transfer, configure the following settings, leaving all other settings at
their default values:

For Send org data to other apps, select None.


For Receive data from other apps, select None.
For Restrict cut, copy and paste between other apps, select Blocked.
Select Next to continue.

6. The Access requirements page provides settings to allow you to configure the PIN
and credential requirements that users must meet to access apps in a work
context. Configure the following settings, leaving all other settings at their default
values:

For PIN for access, select Require.


For Work or school account credentials for access, select Require.
Select Next to continue.

7. The Conditional launch page provides settings to set the sign-in security
requirements for your app protection policy. For this tutorial, you don't need to
configure these settings.

Click Next to continue.

8. Use the Assignments page to assign the app protection policy to groups of users.
For this tutorial, you won't assign this policy to a group.

Click Next to continue.

9. On the Next: Review + create page, review the values and settings you entered for
this app protection policy. Click Create to create the app protection policy in
Intune.
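The Outlook app protection policy created with Microsoft Graph, as an added example that is not part of the Intune documentation. It assumes the Microsoft.Graph module is installed and that $groupName is an existing user group (an assumption). The tutorial leaves the policy unassigned; an unassigned app protection policy protects nothing, so the example also assigns it and then reads it back to confirm the data-transfer and PIN settings.

```powershell
# Added example, not from the Intune documentation. Creates the Outlook app
# protection policy for iOS/iPadOS with Microsoft Graph, targets it at
# Outlook, assigns it to a user group, and reads it back.
# Assumptions: the Microsoft.Graph module is installed and $groupName is a
# group that exists in your tenant.
$groupName = 'Contoso Testers'

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All', 'Group.Read.All'
$graph = 'https://graph.microsoft.com/v1.0'

# Data protection (step 5) and Access requirements (step 6); saveAsBlocked
# is the "Save As" restriction described in the tutorial introduction.
$policy = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'Outlook app policy test'
    description                             = 'Outlook app policy test'
    allowedOutboundDataTransferDestinations = 'none'      # Send org data to other apps
    allowedInboundDataTransferSources       = 'none'      # Receive data from other apps
    allowedOutboundClipboardSharingLevel    = 'blocked'   # Restrict cut, copy and paste
    saveAsBlocked                           = $true
    pinRequired                             = $true       # PIN for access
    organizationalCredentialsRequired       = $true       # Work or school account credentials
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Target the policy at Microsoft Outlook for iOS by bundle ID (step 4).
$target = @{
    apps = @(
        @{ mobileAppIdentifier = @{
            '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
            bundleId      = 'com.microsoft.Office.Outlook' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body ($target | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Assign to a user group; app protection policies apply to user groups only.
$groups = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/groups?`$filter=displayName eq '$groupName'"
$group = $groups.value | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found" }
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.id } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Read back and confirm the settings that matter.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)?`$expand=apps"
if ($check.allowedOutboundClipboardSharingLevel -ne 'blocked' -or -not $check.pinRequired) {
    throw 'App protection settings did not apply as expected'
}
"Policy '$($check.displayName)' targets $($check.apps.Count) app(s)"
```

The Conditional launch page the tutorial skips is where you would add a minimum OS version, a jailbreak check, and an offline grace period; those are worth setting before this policy leaves a test tenant.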

The app protection policy for Outlook is created. Next, you'll set up Conditional Access
to require devices to use the Outlook app.
Create Conditional Access policies
Now we'll use the Microsoft Intune admin center to create two Conditional Access
policies to cover all device platforms. You integrate Conditional Access with Intune to
help control the devices and apps that can connect to your email and company
resources.

The first policy will require that Modern Authentication clients use the approved
Outlook app and multi-factor authentication (MFA). Modern Authentication clients
include Outlook for iOS and Outlook for Android.

The second policy will require that Exchange ActiveSync clients use the approved
Outlook app. (Currently, Exchange ActiveSync doesn't support conditions other
than device platform.) You can configure Conditional Access policies in either the
Azure AD portal or the Microsoft Intune admin center. Since we're already in the
admin center, we'll create the policies here.

When you configure Conditional Access policies in the Microsoft Intune admin center,
you're really configuring those policies in the Conditional Access blades from the Azure
portal. Therefore, the user interface is a bit different than when you configure other
policies for Intune.

Create an MFA policy for Modern Authentication clients


1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Conditional access > New policy.

3. For Name, enter Test policy for modern auth clients.

4. Under Assignments, select Users and groups. On the Include tab, select All users,
and then select Done.

5. Under Assignments, select Cloud apps or actions. Because we want to protect
Microsoft 365 Exchange Online email, we'll select it by following these steps:
a. On the Include tab, choose Select apps.
b. Choose Select.
c. In the Applications list, select Office 365 Exchange Online, and then choose
Select.
d. Select Done to return to the New policy pane.
6. Under Assignments, select Conditions > Device platforms.
a. Under Configure, select Yes.
b. On the Include tab, choose Select device platforms and select Android and
iOS.
c. Select Done.

7. On the Conditions pane, select Client apps.


a. Under Configure, select Yes.
b. Select Mobile apps and desktop clients and Modern authentication clients.
c. Clear the other check boxes.
d. Select Done > Done to return to the New policy pane.
8. Under Access controls, select Grant.
a. On the Grant pane, select Grant access.
b. Select Require multi-factor authentication.
c. Select Require approved client app.
d. Under For multiple controls, select Require all the selected controls. This
setting ensures that both requirements you selected are enforced when a device
tries to access email.
e. Choose Select.
9. Under Enable policy, select On, and then select Create.
The Conditional Access policy for Modern Authentication clients is created. Now you can
create a policy for Exchange ActiveSync clients.

Create a policy for Exchange ActiveSync clients


1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Conditional Access > New policy.

3. For Name, enter Test policy for EAS clients.


4. Under Assignments, select Users and groups. On the Include tab, select All users,
and then select Done.

5. Under Assignments, select Cloud apps or actions. Select Microsoft 365 Exchange
Online email with these steps:
a. On the Include tab, choose Select apps.
b. Choose Select.
c. From the list of Applications, select Office 365 Exchange Online, and then
choose Select, and then Done.

6. Under Assignments, select Conditions > Device platforms.


a. Under Configure, select Yes.
b. On the Include tab, select Any device, and then select Done.

7. On the Conditions pane, select Client apps.


a. Under Configure, select Yes.
b. Select Mobile apps and desktop clients.
c. Select Exchange ActiveSync clients.
d. Clear all other check boxes.
e. Select Done, and then select Done again.

8. Under Access controls, select Grant.


a. On the Grant pane, select Grant access.
b. Select Require approved client app. Clear all other check boxes.
c. Choose Select.
9. Under Enable policy, select On, and then select Create.
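All three Conditional Access policies from these two tutorials (compliant device plus approved app for managed devices; MFA plus approved app for modern authentication clients; approved app for Exchange ActiveSync clients) created by one Microsoft Graph function, as an added example that is not part of the Intune documentation. It assumes the Microsoft.Graph module is installed and that $breakGlassUserId is the object ID of your emergency-access account (an assumption; the placeholder value must be replaced). Two practices the portal steps skip: every policy excludes the emergency-access account, and every policy starts in report-only mode so you can review sign-in logs before enforcing it.

```powershell
# Added example, not from the Intune documentation. One function creates the
# Conditional Access policies from both Exchange Online tutorials. Policies
# start in report-only mode so sign-in logs can be checked before enforcing.
# Assumptions: the Microsoft.Graph module is installed and $breakGlassUserId
# is the object ID of your emergency-access account (placeholder below).
$breakGlassUserId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$graph = 'https://graph.microsoft.com/v1.0'
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online

function New-ExchangeOnlineCaPolicy {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $ClientAppTypes,   # mobileAppsAndDesktopClients, exchangeActiveSync
        [Parameter(Mandatory)] [string[]] $BuiltInControls,  # mfa, compliantDevice, approvedApplication
        [string[]] $Platforms = @('all'),                    # or 'android', 'iOS'
        [string]   $State = 'enabledForReportingButNotEnforced'
    )
    $body = @{
        displayName   = $Name
        state         = $State
        conditions    = @{
            # All users, minus the emergency-access account.
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassUserId) }
            applications   = @{ includeApplications = @($exchangeOnlineAppId) }
            platforms      = @{ includePlatforms = $Platforms }
            clientAppTypes = $ClientAppTypes
        }
        # "Require all the selected controls" is operator AND.
        grantControls = @{ operator = 'AND'; builtInControls = $BuiltInControls }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

# Tutorial: Protect Exchange Online email on managed devices
New-ExchangeOnlineCaPolicy -Name 'Test policy for Microsoft 365 email' `
    -ClientAppTypes 'mobileAppsAndDesktopClients' `
    -BuiltInControls 'compliantDevice', 'approvedApplication'

# Tutorial: Protect Exchange Online email on unmanaged devices
New-ExchangeOnlineCaPolicy -Name 'Test policy for modern auth clients' `
    -ClientAppTypes 'mobileAppsAndDesktopClients' `
    -BuiltInControls 'mfa', 'approvedApplication' -Platforms 'android', 'iOS'
New-ExchangeOnlineCaPolicy -Name 'Test policy for EAS clients' `
    -ClientAppTypes 'exchangeActiveSync' -BuiltInControls 'approvedApplication'

# Check: list the test policies and their state before enabling any of them.
$all = Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies"
$all.value | Where-Object { $_.displayName -like 'Test policy*' } |
    ForEach-Object { "{0,-40} {1}" -f $_.displayName, $_.state }
```

Switch a policy's state to enabled only after the report-only results look right. Microsoft has announced the retirement of the Require approved client app control; for apps that support it, Require app protection policy (builtInControls value compliantApplication) is the replacement to plan for.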

Your app protection policies and Conditional Access are now in place and ready to test.

Try it out
With the policies you've created, access to Microsoft 365 email requires the Outlook
mobile app and, for modern authentication clients, MFA; the device doesn't need to be
enrolled in Intune. To test this scenario on an iOS device, try signing in to Exchange
Online using credentials for a user in your test tenant.

1. To test on an iPhone, go to Settings > Passwords & Accounts > Add Account >
Exchange.

2. Enter the email address for a user in your test tenant, and then press Next.

3. Press Sign In.


4. Enter the test user's password, and press Sign in.

5. The message More information is required appears, which means you're being
prompted to set up MFA. Go ahead and set up an additional verification method.

6. Next you'll see a message that says you're trying to open this resource with an app
that isn't approved by your IT department. The message means you're being
blocked from using the native mail app. Cancel the sign-in.

7. Open the Outlook app and select Settings > Add Account > Add Email Account.

8. Enter the email address for a user in your test tenant, and then press Next.

9. Press Sign in with Office 365. You'll be prompted for additional authentication and
registration. Once you've signed in, you can test actions such as cut, copy, paste,
and "Save As".

Clean up resources
When the test policies are no longer needed, you can remove them.

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > App protection policies.

3. In the Policy Name list, select the context menu (...) for your test policy, and then
select Delete. Select OK to confirm.

4. Select Endpoint security > Conditional access.

5. In the Policy Name list, select the context menu (...) for each of your test policies,
and then select Delete. Select Yes to confirm.

Next steps
In this tutorial, you created app protection policies to limit what the user can do with the
Outlook app, and you created Conditional Access policies to require the Outlook app
and require MFA for Modern Authentication clients. To learn more about using Intune
with Conditional Access to protect other apps and services, see Learn about Conditional
Access and Intune.
Tutorial: Configure Slack to use Intune
for EMM and app configuration
Article • 03/06/2023

Slack is a collaboration app that you can use with Microsoft Intune.

In this tutorial, you will:

Set Intune as the Enterprise Mobility Management (EMM) provider on your Slack
Enterprise Grid. You'll be able to limit access to your Grid plan's workspaces to
Intune managed devices.
Create app configuration policies to manage the Slack for EMM app on iOS/iPadOS
and the Slack app on Android personally-owned work profile devices.
Create Intune device compliance policies to set the conditions Android and
iOS/iPadOS devices must meet to be considered compliant.

If you don't have an Intune subscription, sign up for a free trial account.

Prerequisites
You'll need a test tenant with the following subscriptions for this tutorial:

Azure Active Directory Premium (free trial)
Intune subscription (free trial)

You will also need a Slack Enterprise Grid plan.

Configure your Slack Enterprise Grid plan

Turn on EMM for your Slack Enterprise Grid plan by following Slack's instructions and
connect Azure Active Directory as your Grid plan's identity provider (IDP).

Sign in to Intune
Sign in to the Microsoft Intune admin center as a Global Administrator or an Intune
Service Administrator. If you have created an Intune Trial subscription, the account you
created the subscription with is the Global administrator.

Set up Slack for EMM on iOS devices

Add the iOS/iPadOS app Slack for EMM to your Intune tenant and create an app
configuration policy to enable your organization's iOS/iPadOS users to access Slack with
Intune as an EMM provider.

Add the iOS/iPadOS Slack for EMM app to Intune

Add Slack for EMM as a managed iOS/iPadOS app in Intune and assign your Slack users.
Apps are platform-specific, so you need to add a separate Intune app for your Slack
users on Android devices.

1. In Microsoft Intune admin center, select Apps > All apps > Add.
2. Under App type, choose iOS store app and click Select.
3. Click Search the App Store. Enter the search term "Slack for EMM" and select the
app. Click Select in the Search the App Store pane.
4. In the App information step, configure any changes as you see fit. Select Next to
set your app information.
5. In the Assignments step, click Add group under the Required section. Select one
or more groups to assign the app to. When complete, click Next to continue.
6. In the Review + create step, click Create once you have verified the app details.

Add an iOS/iPadOS app configuration policy for the Slack for EMM app

Add an app configuration policy for the iOS/iPadOS Slack for EMM app.

Note

App configuration policies for managed devices are platform-specific, so you need to
add a separate policy for your Slack users on Android devices.

1. In Microsoft Intune admin center, select Apps > App configuration policies >
Add > Managed devices.
2. For Name, enter "Slack app configuration policy test".
3. For Device enrollment type, confirm Managed devices is set.
4. For Platform, select iOS/iPadOS.
5. For Targeted app, click Select app. The Associated app pane is displayed.
6. In the search bar, enter "Slack for EMM" and select the app. Click OK > Next.
7. In the Settings step, set the Configuration settings format to Use configuration
designer.
8. Add OrgDomain as the Configuration key. Set the Value type to String and set the
Configuration value to Y.

Note

The OrgDomain configuration key provides the ability to enter your
organization's URL domain to help users sign in.

9. Click Next.
10. In the Assignments step, click All Users. Then, click Next.
11. In the Review + create step, click Create to create the configuration policy.

(Optional) Create an iOS device compliance policy

Set up an Intune device compliance policy to set the conditions that a device must meet
to be considered compliant. For this tutorial, we'll create a device compliance policy for
iOS/iPadOS devices. Compliance policies are platform-specific, so you need to create a
separate policy for your Slack users on Android devices.

1. In Microsoft Intune admin center, select Devices > Compliance policies >
Policies > Create Policy.
2. Select iOS/iPadOS as the Platform. Then, click Create.
3. In the Basics step, enter "iOS compliance policy test" as the Name and click Next.
4. In the Compliance settings, under Device Health and next to Jailbroken devices,
select Block.
5. Under System Security for this tutorial, select the following settings:

For Require a password to unlock mobile devices, select Require.
For Simple passwords, select Block.
For Minimum password length, enter 4.
For Required password type, choose Alphanumeric.
For Maximum minutes after screen lock before password is required,
choose Immediately.
For Password expiration (days), enter 41.
For Number of previous passwords to prevent reuse, enter 5.

6. Click Next, and then select Next again.

7. In the Assignments step, click Add all users. Then, click Next.
8. In the Review + create step, click Create to create the compliance policy.

Set up Slack on Android personally-owned work profile devices

Add the Slack Managed Google Play app to your Intune tenant and create an app
configuration policy to enable your organization's Android users to access Slack with
Intune as an EMM provider.

Add the Android Slack app to Intune

Add Slack as a Managed Google Play app in Intune and assign your Slack users. Apps
are platform-specific, so you need to add a separate Intune app for your Slack users on
iOS/iPadOS devices.

1. In Microsoft Intune admin center, select Apps > All apps > Add.
2. Under App type, choose Managed Google Play app and click Select.
3. In the Search box, enter the search term "Slack" and select the app. Click Approve
in the Managed Google Play pane. Click Approve to also approve permissions of
the app. After verifying the app's approval settings, click Done. Click Select.
4. On the All apps pane, click Refresh to update the app list. Then, click the newly
added Slack app.
5. Next to Assignments, click Edit.
6. Configure any changes as you see fit. Select Next to set your app information.
7. Click Add group under the Required section. Select one or more groups to assign
the app to. When complete, click Review + save.
8. In the Review + save step, click Save once you have verified the app details.

Add an Android app configuration policy for Slack

Add an app configuration policy for Slack. App configuration policies for managed
devices are platform-specific, so you need to add a separate policy for your Slack users
on iOS/iPadOS devices.

1. In Microsoft Intune admin center, select Apps > App configuration policies >
Add > Managed devices.
2. For Name, enter "Slack app configuration policy test".
3. For Device enrollment type, confirm Managed devices is set.
4. For Platform, select Android Enterprise.
5. For Profile Type, select Personally-Owned Work Profile Only.
6. For Targeted app, click Select app. The Associated app pane is displayed.
7. In the search bar, enter "Slack" and select the Managed Google Play store app. Click
OK > Next.
8. In the Settings step, set the Configuration settings format to Use configuration
designer.
9. Add Slack Enterprise Grid Domain URL as the Configuration key. Click OK.

Note

The Slack Enterprise Grid Domain URL configuration key provides the ability
to enter your organization's URL domain to help users sign in.

10. Click Next.

11. In the Assignments step, click Add all users. Then, click Next.
12. In the Review + create step, click Create to create the configuration policy.

(Optional) Create an Android device compliance policy

Set up an Intune device compliance policy to set the conditions that a device must meet
to be considered compliant. For this tutorial, we'll create a device compliance policy for
Android devices. Compliance policies are platform-specific, so you need to create a
separate policy for your Slack users on iOS/iPadOS devices.

1. In Microsoft Intune admin center, select Devices > Compliance policies >
Policies > Create Policy.
2. Select Android Enterprise as the Platform and select Personally-owned work
profile as the Profile type. Then, click Create.
3. In the Basics step, enter "Android Enterprise compliance policy test" as the Name
and click Next.
4. In the Compliance settings, under Device Health and next to Rooted devices,
select Block.
5. Under System Security for this tutorial, select the following settings:

For Require a password to unlock mobile devices, select Require.
For Required password type, choose At least alphanumeric.
For Minimum password length, enter 4.
For Number of days until password expires, enter 41.
For Number of previous passwords to prevent reuse, enter 5.
For Maximum minutes of inactivity before password is required, choose 15
Minutes.

6. Click Next, and then select Next again.

7. In the Assignments step, click Add all users. Then, click Next.
8. In the Review + create step, click Create to create the compliance policy.
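
To make the settings in the two compliance policies above concrete (the iOS/iPadOS policy and this Android Enterprise policy), here is a small evaluator that applies the same rules to sample device state. It is an added example, not Microsoft's or Intune's code: Intune evaluates compliance server-side from what the device and its MDM agent report, and the field names, reason codes and sample devices below are constructed for illustration. "Immediately" is modeled as a grace period of 0 minutes.

```python
from dataclasses import dataclass


@dataclass
class CompliancePolicy:
    """Subset of the Intune compliance settings used in this tutorial."""
    platform: str                         # "iOS/iPadOS" or "Android Enterprise"
    block_compromised: bool = True        # Jailbroken / Rooted devices: Block
    require_password: bool = True         # Require a password to unlock mobile devices
    block_simple_passwords: bool = False  # iOS "Simple passwords: Block" (e.g. 1111, 1234)
    min_password_length: int = 4
    require_alphanumeric: bool = True     # Alphanumeric / At least alphanumeric
    password_expiration_days: int = 41
    previous_passwords_blocked: int = 5
    max_inactivity_minutes: int = 0       # 0 models "Immediately"


@dataclass
class DeviceState:
    """What a device reports (constructed field names, not a real Intune payload)."""
    platform: str
    compromised: bool
    has_password: bool
    password_length: int = 0
    password_has_letters: bool = False
    password_has_digits: bool = False
    password_is_simple: bool = False      # repeating or sequential characters
    password_age_days: int = 0
    reuse_history_depth: int = 0          # how many old passwords the device refuses
    inactivity_minutes: int = 0           # grace period before the lock asks for it


# The two policies created in this tutorial, expressed with the fields above.
IOS_POLICY = CompliancePolicy("iOS/iPadOS", block_simple_passwords=True,
                              max_inactivity_minutes=0)
ANDROID_POLICY = CompliancePolicy("Android Enterprise", max_inactivity_minutes=15)


def evaluate(policy, device):
    """Return the list of failed checks; an empty list means compliant."""
    # Compliance policies are platform-specific, so a mismatch is an error, not a result.
    if device.platform != policy.platform:
        raise ValueError("policy targets %s, device is %s" % (policy.platform, device.platform))
    failures = []
    if policy.block_compromised and device.compromised:
        failures.append("compromised")
    if policy.require_password:
        if not device.has_password:
            failures.append("password-missing")
        else:
            if device.password_length < policy.min_password_length:
                failures.append("password-too-short")
            if policy.require_alphanumeric and not (device.password_has_letters
                                                    and device.password_has_digits):
                failures.append("password-not-alphanumeric")
            if policy.block_simple_passwords and device.password_is_simple:
                failures.append("password-simple")
            if device.password_age_days > policy.password_expiration_days:
                failures.append("password-expired")
            if device.reuse_history_depth < policy.previous_passwords_blocked:
                failures.append("password-reuse-history")
            if device.inactivity_minutes > policy.max_inactivity_minutes:
                failures.append("lock-grace-too-long")
    return failures


# Constructed sample devices.
COMPLIANT_IPAD = DeviceState("iOS/iPadOS", compromised=False, has_password=True,
                             password_length=6, password_has_letters=True,
                             password_has_digits=True, password_age_days=10,
                             reuse_history_depth=5, inactivity_minutes=0)
ROOTED_PHONE = DeviceState("Android Enterprise", compromised=True, has_password=True,
                           password_length=3, password_has_digits=True,
                           password_age_days=60, reuse_history_depth=2,
                           inactivity_minutes=30)

if __name__ == "__main__":
    print("iPad:", evaluate(IOS_POLICY, COMPLIANT_IPAD) or "compliant")
    print("rooted phone:", evaluate(ANDROID_POLICY, ROOTED_PHONE))
```

Every failed check is reported rather than only the first, which matches how the admin center lists a noncompliant device setting by setting, and the platform check at the top mirrors the fact that a compliance policy never applies to the other platform.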

Launch Slack
With the policies you've just created, any iOS/iPadOS or Android personally-owned work
profile devices that attempt to sign in to one of your workspaces will need to be Intune
enrolled. To test this scenario, try launching Slack for EMM on an Intune enrolled
iOS/iPadOS device or launching Slack on an Intune enrolled Android personally-owned
work profile device.

Next steps
In this tutorial:

You set Intune as the Enterprise Mobility Management (EMM) provider on your
Slack Enterprise Grid.
You created app configuration policies to manage the Slack for EMM app on
iOS/iPadOS and the Slack app for Android personally-owned work profile devices.
You created Intune device compliance policies to set the conditions Android and
iOS/iPadOS devices must meet to be considered compliant.

To learn more about app configuration policies, see App configuration policies for
Microsoft Intune. To learn more about device compliance policies, see Set rules on
devices to allow access to resources in your organization using Intune.
Tutorial: Set up Microsoft Intune
enrollment for iOS/iPadOS devices in
Apple Business Manager
Article • 03/27/2023

Use Apple Business Manager with Microsoft Intune to simplify and automate device
enrollment for iOS/iPadOS devices procured through Apple Business Manager.
Automated device enrollment, which we'll set up in this tutorial, enables secure
automatic enrollment the first time the user turns on the device by deploying the
enrollment profile to the device over-the-air.

In this tutorial, you'll learn how to:

Get an Apple device enrollment token
Sync managed devices to Intune
Create an enrollment profile
Assign the enrollment profile to devices

At the end of this tutorial, devices will be ready to distribute for enrollment.

Prerequisites
Set mobile device management (MDM) authority.
Get Apple MDM Push certificate.
Have new or wiped devices purchased from Apple Business Manager.
Add purchase information under device management settings in Apple Business
Manager.

If you don't have an Intune subscription, sign up for a free trial account.

Step 1: Add MDM server

Create an MDM server profile for Microsoft Intune in Apple Business Manager. The
token you download in this step will enable the connection between Microsoft Intune
and Apple Business Manager in a later step.

1. Sign in to the Microsoft Intune admin center.

2. Go to Devices > iOS/iPadOS > iOS/iPadOS enrollment.

3. Select Enrollment program tokens.

4. Select Add.

5. Select I agree to grant permission to Microsoft to send user and device
information to Apple.

6. Select Download your public key to download the server's public key certificate (a
.pem file) to your local drive.

7. Select Create a token via Apple Business Manager and sign in to Apple Business
Manager with your company Apple ID.

Important

While you're in Apple Business Manager, don't close the browser tab with
Microsoft Intune. You'll return to it later.

8. Add an MDM server called TestMDMServer and download the server token for it in
Apple Business Manager. For details and instructions, see Link to a third-party
MDM server (opens Apple Business Manager User Guide). Save the server token
locally as a P7M file (.p7m). Then continue to Step 2: Assign devices.

Step 2: Assign devices

While you're in Apple Business Manager, assign devices to your new MDM server
(TestMDMServer or whatever you named it). For details and instructions, see Assign,
reassign, or unassign devices in Apple Business Manager (opens Apple Business
Manager User Guide). When you're done assigning devices, continue to Step 3: Upload
MDM server token.

Step 3: Upload MDM server token

Return to the Microsoft Intune admin center to upload the MDM server token to Intune.
After you upload the token, Microsoft Intune can sync and enroll iOS/iPadOS devices
assigned to TestMDMServer.

1. In Apple ID, enter the Apple ID you used to create the token.
2. Under Apple token, upload the server token you saved earlier. The file must be in
P7M format.
3. Select Next.
4. Optionally, apply scope tags to the enrollment token to limit other admins from
accessing or making changes to it. For more information about scope tags, see Use
role-based access control (RBAC) and scope tags for distributed IT.
5. Select Next.
6. On Review + create, select Create to finish linking Microsoft Intune and Apple
Business Manager.

Microsoft Intune automatically syncs with Apple Business Manager. Devices can take up
to 12 hours to appear in the admin center. You can wait for these devices to sync, or
manually start the sync. To start the sync yourself, select your token from the list in the
admin center, and then choose Devices > Sync.

Step 4: Create an Apple enrollment profile

Create an enrollment profile for corporate-owned iOS/iPadOS devices. A device
enrollment profile defines the settings applied to a group of devices during enrollment.

1. Select your token in the admin center, and then choose Profiles > Create profile >
iOS/iPadOS.

2. On the Basics page, enter TestProfile for Name and Testing ADE for iOS/iPadOS
devices for Description. Users don't see these details.

3. Select Next.

4. On the Management Settings page, decide if you want your devices to enroll with
or without User Affinity. User Affinity is designed for devices that will be used by
particular users. If your users will want to use the Company Portal for services like
installing apps, choose Enroll with User Affinity. If your users don't need the
Company Portal or you want to provision the device for many users, choose Enroll
without User Affinity.

5. If you chose to enroll with User Affinity, the Select where users must authenticate
option appears. Decide if you want to Authenticate with Company Portal or Apple
Setup Assistant.

Company Portal: Select this option to use Multi-Factor Authentication, allow
users to change passwords upon first sign-in, or prompt users to reset their
expired passwords during enrollment. If you want the Company Portal
application to update automatically on end users' devices, separately deploy
the Company Portal as a required app to these users through Apple's Volume
Purchasing Program (VPP).
Setup Assistant: Select this option to use Apple's provided basic HTTP
authentication through Apple Setup Assistant.

6. If you chose to enroll with User Affinity and Authenticate with Company Portal, the
Install Company Portal with VPP option appears. If you install the Company Portal
with a VPP token, your user won't have to enter an Apple ID and Password to
download the Company Portal from the app store during enrollment. Choose Use
Token: under Install Company Portal with VPP to select a VPP token that has free
licenses of the Company Portal available. If you don't want to use VPP to deploy
the Company Portal, choose Don't use VPP.

7. If you chose to enroll with User Affinity, Authenticate with Company Portal, and
Install Company Portal with VPP, decide if you want to run the Company Portal in
Single App Mode until Authentication. With this setting, you can ensure the user
doesn't have access to other apps until they finish the corporate enrollment. If you
want to restrict the user to this flow until enrollment is completed, choose Yes
under Run Company Portal in Single App Mode until authentication.

8. Under Device Management Settings, choose Yes under Supervised (if you chose
Enroll with User Affinity, this is automatically set to Yes). Supervised devices give
you the most management options for your corporate iOS/iPadOS devices.

9. Choose Yes under Locked enrollment to ensure your users can't remove
management of the corporate device.

10. Choose an option under Sync with Computers to determine if the iOS/iPadOS
devices will be able to sync with computers.

11. By default, Apple names the device with the device type, such as iPad. If you want
to provide a different name template, choose Yes under Apply device name
template. Enter the name you want to apply to the devices, where the strings
{{SERIAL}} and {{DEVICETYPE}} will substitute each device's serial number and
device type. Otherwise, choose No under Apply device name template.

12. Choose Next.

13. On the Setup Assistant page, enter Tutorial department for Department Name. This
string is what users see when they tap About configuration during device
activation.

14. Under Department Phone, enter a phone number. This number appears when
users tap the Need help button during activation.

15. You can Show or Hide various screens during device activation. For the most
seamless enrollment experience, set all screens to Hide.

16. Choose Next to go to the Review + Create page. Select Create.

Step 5: Assign an enrollment profile to iOS/iPadOS devices

You must assign an enrollment program profile to devices before they can enroll. These
devices are synced to Intune from Apple, and must be assigned to the proper MDM
server token in the ABM, ASM, or ADE portal.

1. In the admin center, choose your token from the list.
2. Choose Devices > choose devices in the list > Assign profile.
3. Under Assign profile, choose a profile for the devices > Assign.

Note

Ensure that Device Type Restrictions under Enrollment Restrictions does not have
the default All Users policy set to block the iOS/iPadOS platform. This setting will
cause automated enrollment to fail and your device will show as Invalid Profile,
regardless of user attestation. To permit enrollment only by company-managed
devices, block only personally owned devices, which will permit corporate devices
to enroll. Microsoft defines a corporate device as a device that's enrolled via a
Device Enrollment Program or a device that's manually entered under Corporate
device identifiers.

Step 6: Distribute devices to users

You've set up management and syncing between Apple and Intune, and assigned a
profile to let your ADE devices enroll. You can now distribute devices to users. Devices
with user affinity require each user be assigned an Intune license.

Next steps
You can find more information about other options available for enrolling iOS/iPadOS
devices.

Technical docs for iOS/iPadOS automated device enrollment

Walkthrough: Use the cloud to
configure group policy on Windows
10/11 devices with ADMX templates and
Microsoft Intune
Article • 04/03/2023

Note

This walkthrough was created as a technical workshop for Microsoft Ignite. It has
more prerequisites than typical walkthroughs, as it compares using and configuring
ADMX policies in Intune and on-premises.

Group policy administrative templates, also known as ADMX templates, include settings
you can configure on Windows client devices, including PCs. The ADMX template
settings are available by different services. These settings are used by Mobile Device
Management (MDM) providers, including Microsoft Intune. For example, you can turn
on Design Ideas in PowerPoint, set a home page in Microsoft Edge, block ActiveX
controls in Internet Explorer, and more.

ADMX templates are available for the following services:

Microsoft Edge: Download at Microsoft Edge policy file.
Office: Download at Microsoft 365 Apps, Office 2019, and Office 2016.
Windows: Built in to the Windows client OS.

For more information on ADMX policies, see Understanding ADMX-backed policies.

These templates are built in to Microsoft Intune, and are available as Administrative
templates profiles. In this profile, you configure the settings you want to include, and
then "assign" this profile to your devices.

In this walkthrough, you will:

Get introduced to the Microsoft Intune admin center.
Create user groups and create device groups.
Compare the settings in Intune with on-premises ADMX settings.
Create different administrative templates, and configure the settings that target the
different groups.

By the end of this lab, you'll have the skills to start using Intune and Microsoft 365 to
manage your users, and deploy administrative templates.

This feature applies to:

Windows 11
Windows 10 version 1709 and newer

Tip

There are two ways to create an administrative template: Using a template, or using
the Settings Catalog. This article focuses on using the Administrative Templates
template. The Settings Catalog has more Administrative Template settings available.
For the specific steps to use the Settings Catalog, see Use the settings catalog to
configure settings.

Prerequisites
A Microsoft 365 E3 or E5 subscription, which includes Intune and Azure Active
Directory (AD) premium. If you don't have an E3 or E5 subscription, try it for free.

For more information on what you get with the different Microsoft 365 licenses,
see Transform your Enterprise with Microsoft 365.

Microsoft Intune is configured as the Intune MDM Authority. For more
information, see Set the mobile device management authority.

On an on-premises Active Directory domain controller (DC):

1. Copy the following Office and Microsoft Edge templates to the Central Store
(sysvol folder):
Office administrative templates
Microsoft Edge administrative templates > Policy file
2. Create a group policy to push these templates to a Windows 10/11 Enterprise
administrator computer in the same domain as the DC. In this walkthrough:
The group policy we created with these templates is called OfficeandEdge.
You'll see this name in the images.
The Windows 10/11 Enterprise administrator computer we use is called the
Admin computer.

In some organizations, a domain administrator has two accounts:

A typical domain work account
A different domain administrator account used only for domain
administrator tasks, such as group policy

The purpose of this Admin computer is for administrators to sign in with
their domain administrator account, and access tools designed for managing
group policy.

On this Admin computer:

Sign in with a Domain Administrator account.

Install the RSAT: Group Policy Management Tools:

1. Open the Settings app > Apps > Optional features > Add feature.

2. Select RSAT: Group Policy Management Tools > Install.

Wait while Windows installs the feature. When complete, it eventually
shows in the Windows Administrative Tools app.

Be sure you have internet access and administrator rights to the Microsoft 365
subscription, which includes the Intune admin center.

Open the Intune admin center

1. Open a Chromium-based web browser, such as Microsoft Edge version 77 and later.

2. Go to the Microsoft Intune admin center. Sign in with the following account:

User: Enter the administrator account of your Microsoft 365 tenant subscription.

Password: Enter its password.

This admin center is focused on device management, and includes Azure services, such
as Azure AD and Intune. You might not see the Azure Active Directory and Intune
branding, but you're using them.

You can also open the Intune admin center from the Microsoft 365 admin center:

1. Go to https://admin.microsoft.com.

2. Sign in with the administrator account of your Microsoft 365 tenant subscription.

3. Select Show all > All admin centers > Endpoint management. The Intune admin
center opens.

Create groups, and add users

On-premises policies are applied in the LSDOU order - local, site, domain, and
organizational unit (OU). In this hierarchy, OU policies overwrite local policies, domain
policies overwrite site policies, and so on.

In Intune, policies are applied to users and groups you create. There isn't a hierarchy. For
example:

If two policies update the same setting, then the setting shows as a conflict.
If two compliance policies are in conflict, then the most restrictive policy applies.
If two configuration profiles are in conflict, then the setting isn't applied.

For more information, see Common questions, issues, and resolutions with device
policies and profiles.
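
The three conflict rules above are simple to state but easy to lose track of once a tenant has many profiles, so here is an added example (not Intune's own logic) that models them in Python: compliance policies merge to the most restrictive value per setting, while configuration profiles that disagree leave that setting unapplied and flag it for you to fix. The setting names, the restrictiveness table and the sample policies are all constructed for this example.

```python
# Which of two compliance values is "more restrictive", per setting.
# Constructed for this example; a real tenant has far more settings.
MORE_RESTRICTIVE = {
    "minimum_password_length": max,            # longer is stricter
    "password_expiration_days": min,           # sooner is stricter
    "inactivity_minutes_before_lock": min,
    "block_jailbroken": lambda a, b: a or b,   # any Block wins
}


def resolve_compliance(policies):
    """Merge compliance policies: the most restrictive value per setting wins.

    `policies` is a list of (policy_name, {setting: value}) pairs.
    """
    effective = {}
    for _name, settings in policies:
        for setting, value in settings.items():
            if setting not in effective:
                effective[setting] = value
            else:
                pick = MORE_RESTRICTIVE.get(setting)
                if pick is None:
                    raise KeyError("no restrictiveness rule for %r" % setting)
                effective[setting] = pick(effective[setting], value)
    return effective


def resolve_configuration(profiles):
    """Merge configuration profiles: agreeing values apply, disagreeing ones do not.

    Returns (applied, conflicts). `conflicts` maps a setting to the
    (profile_name, value) pairs that disagreed, which is what shows as a
    conflict in the admin center and what you would go and reconcile.
    """
    seen = {}  # setting -> list of (profile_name, value)
    for name, settings in profiles:
        for setting, value in settings.items():
            seen.setdefault(setting, []).append((name, value))
    applied, conflicts = {}, {}
    for setting, sources in seen.items():
        values = {value for _, value in sources}
        if len(values) == 1:
            applied[setting] = values.pop()
        else:
            conflicts[setting] = sources
    return applied, conflicts


# Constructed sample policies and profiles.
COMPLIANCE_POLICIES = [
    ("Baseline", {"minimum_password_length": 4, "password_expiration_days": 41,
                  "block_jailbroken": True}),
    ("Finance", {"minimum_password_length": 6, "password_expiration_days": 30}),
]
CONFIG_PROFILES = [
    ("Students", {"edge_homepage": "https://intranet.example", "turn_off_inprivate": True}),
    ("Teachers", {"edge_homepage": "https://staff.example", "turn_off_inprivate": True}),
]

if __name__ == "__main__":
    print("effective compliance:", resolve_compliance(COMPLIANCE_POLICIES))
    applied, conflicts = resolve_configuration(CONFIG_PROFILES)
    print("applied:", applied)
    print("conflicts:", conflicts)
```

Note that "most restrictive" has to be defined per setting (longer password is stricter, but a shorter expiry is stricter), which is why the compliance merge needs a table while the configuration merge only needs to know whether the values agree.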

In these next steps, you create security groups, and add users to these groups. You can
add a user to multiple groups. For example, it's normal for a user to have multiple
devices, such as a Surface Pro for work, and an Android mobile device for personal. And,
it's normal for a person to access organizational resources from these multiple devices.

1. In the Intune admin center, select Groups > New group.

2. Enter the following settings:

Group type: Select Security.
Group name: Enter All Windows 10 student devices.
Membership type: Select Assigned.

3. Select Members, and add some devices.

Adding devices is optional. The goal is to practice creating groups, and knowing
how to add devices. If you're using this walkthrough in a production environment,
then be aware of what you're doing.

4. Select Create to save your changes.

Don't see your group? Select Refresh.

5. Select New group, and enter the following settings:

Group type: Select Security.

Group name: Enter All Windows devices.

Membership type: Select Dynamic Device.

Dynamic device members: Select Add dynamic query, and configure your
query:
Property: Select deviceOSType.
Operator: Select Equals.
Value: Enter Windows.

a. Select Add expression. Your expression is shown in the Rule syntax.

When users or devices meet the criteria you enter, they're automatically
added to the dynamic groups. In this example, devices are automatically
added to this group when the operating system is Windows. If you're
using this walkthrough in a production environment, then be careful. The
goal is to practice creating dynamic groups.

b. Save > Create to save your changes.

6. Create the All Teachers group with the following settings:

Group type: Select Security.

Group name: Enter All Teachers.

Membership type: Select Dynamic User.

Dynamic user members: Select Add dynamic query, and configure your
query:

Property: Select department.

Operator: Select Equals.

Value: Enter Teachers.

a. Select Add expression. Your expression is shown in the Rule syntax.

When users or devices meet the criteria you enter, they're automatically
added to the dynamic groups. In this example, users are automatically
added to this group when their department is Teachers. You can enter
the department and other properties when users are added to your
organization. If you're using this walkthrough in a production
environment, then be careful. The goal is to practice creating dynamic
groups.

b. Save > Create to save your changes.
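
The rule syntax shown by the designer is what actually decides membership, so here is an added example (not Azure AD or Intune code) that parses the kind of rule the two dynamic groups above use, such as (device.deviceOSType -eq "Windows") and (user.department -eq "Teachers"), and applies it to sample directory objects. It supports only single clauses joined by -and or -or with the -eq, -ne, -startsWith and -contains operators, treats string comparison as case-insensitive (an assumption of this toy, not a statement about the service), and the sample devices and users are constructed.

```python
import re

# One clause of a dynamic membership rule, e.g. (user.department -eq "Teachers").
CLAUSE = re.compile(
    r'\(\s*(user|device)\.(\w+)\s+(-eq|-ne|-startsWith|-contains)\s+"([^"]*)"\s*\)')


def _clause_matches(op, actual, expected):
    """Apply one operator to the object's property value (case-insensitive here)."""
    actual = "" if actual is None else str(actual).lower()
    expected = expected.lower()
    if op == "-eq":
        return actual == expected
    if op == "-ne":
        return actual != expected
    if op == "-startsWith":
        return actual.startswith(expected)
    if op == "-contains":
        return expected in actual
    raise ValueError("unsupported operator %s" % op)


def rule_matches(rule, object_type, obj):
    """True if `obj` (a dict of properties) satisfies `rule` for `object_type`."""
    rule = rule.strip()
    if " -and " in rule and " -or " in rule:
        raise ValueError("mixed -and/-or is not supported by this evaluator")
    joiner = " -and " if " -and " in rule else " -or "
    results = []
    for part in rule.split(joiner):
        m = CLAUSE.fullmatch(part.strip())
        if m is None:
            raise ValueError("unsupported clause: %s" % part)
        kind, prop, op, expected = m.groups()
        # A device rule cannot be evaluated against a user, and vice versa.
        if kind != object_type:
            raise ValueError("%s rule applied to a %s object" % (kind, object_type))
        results.append(_clause_matches(op, obj.get(prop), expected))
    return all(results) if joiner == " -and " else any(results)


def members(rule, object_type, objects):
    """Display names of the objects a dynamic group with `rule` would contain."""
    return [o["displayName"] for o in objects if rule_matches(rule, object_type, o)]


# Constructed sample directory objects.
DEVICES = [
    {"displayName": "SURFACE-01", "deviceOSType": "Windows"},
    {"displayName": "PIXEL-07", "deviceOSType": "Android"},
    {"displayName": "IPAD-03", "deviceOSType": "iPad"},
]
USERS = [
    {"displayName": "Ada", "department": "Teachers"},
    {"displayName": "Ben", "department": "Students"},
    {"displayName": "Cy", "department": None},  # attribute was never filled in
]

if __name__ == "__main__":
    print(members('(device.deviceOSType -eq "Windows")', "device", DEVICES))
    print(members('(user.department -eq "Teachers")', "user", USERS))
    print(members('(user.department -ne "Teachers")', "user", USERS))
```

Running it shows why the walkthrough keeps warning about production tenants: a user whose department attribute was never populated (Cy) silently matches a -ne rule, and a typo in the value yields an empty group rather than an error, so a policy assigned to that group reaches nobody.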

Talking points
Dynamic groups are a feature in Azure AD Premium. If you don't have Azure AD
Premium, then you're licensed to only create assigned groups. For more
information on dynamic groups, see:
Dynamic Group Membership in Azure Active Directory (Part 1)
Dynamic Group Membership in Azure Active Directory (Part 2)

Azure AD Premium includes other services that are commonly used when
managing apps and devices, including multi-factor authentication (MFA) and
conditional access.

Many administrators ask when to use user groups and when to use device groups.
For some guidance, see User groups vs. device groups.

Remember, a user can belong to multiple groups. Consider some of the other
dynamic user and device groups you can create, such as:
All Students
All Android devices
All iOS/iPadOS devices
Marketing
Human Resources
All Charlotte employees
All Redmond employees
West coast IT administrators
East coast IT administrators

The users and groups created are also seen in the Microsoft 365 admin center, Azure
AD in the Azure portal, and Microsoft Intune in the Azure portal. You can create and
manage groups in all these areas for your tenant subscription. If your goal is device
management, use the Microsoft Intune admin center.

Review group membership

1. In the Intune admin center, select Users > select the name of any existing user.
2. Review some of the information you can add or change. For example, look at the
properties you can configure, such as Job Title, Department, City, Office location,
and more. You can use these properties in your dynamic queries when creating
dynamic groups.

3. Select Groups to see the membership of this user. You can also remove the user
from a group.

4. Select some of the other options to see more information, and what you can do.
For example, look at the assigned license, the user's devices, and more.

What did I just do?

In the Intune admin center, you created new security groups, and added existing users
and devices to these groups. We'll use these groups in later steps in this tutorial.

Create a template in Intune

In this section, we create an administrative template in Intune, look at some settings in
Group Policy Management, and compare the same setting in Intune. The goal is to
show a setting in group policy, and show the same setting in Intune.

1. In the Intune admin center, select Devices > Configuration profiles > Create
profile.
2. Enter the following properties:

Platform: Select Windows 10 and later.
Profile: Select Administrative Templates.

3. Select Create.

4. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, enter Admin template - Windows
10 student devices.
Description: Enter a description for the profile. This setting is optional, but
recommended.

5. Select Next.

6. In Configuration settings, All settings show an alphabetical list of all the settings.
You can also filter settings that apply to devices (Computer configuration), and
settings that apply to users (User configuration).

7. Expand Computer configuration > Microsoft Edge > select SmartScreen settings.
Notice the path to the policy, and all the available settings.

8. In search, enter download. Notice the policy settings are filtered.

Open Group Policy Management

In this section, we show a policy in Intune and its matching policy in Group Policy
Management Editor.

Compare a device policy

1. On the Admin computer, open the Group Policy Management app.

This app gets installed with RSAT: Group Policy Management Tools, which is an
optional feature you install on Windows. Prerequisites (in this article) lists the steps
to install it.

2. Expand Domains > select your domain. For example, select contoso.net.

3. Right-click the OfficeandEdge policy > Edit. The Group Policy Management Editor
app opens.
OfficeandEdge is a group policy that includes the Office and Microsoft Edge
ADMX templates. This policy is described in prerequisites (in this article).

4. Expand Computer configuration > Policies > Administrative Templates > Control
Panel > Personalization. Notice the available settings.

Double-click Prevent enabling lock screen camera, and see the available options.

5. In the Intune admin center, go to your Admin template - Windows 10 student
devices template.

6. Select Computer configuration > Control Panel > Personalization. Notice the
available settings.

The setting type is Device, and the path is /Control Panel/Personalization. This
path is similar to what you just saw in Group Policy Management Editor. If you
open the Prevent enabling lock screen camera setting, you see the same Not
configured, Enabled, and Disabled options you see in Group Policy Management
Editor.

Compare a user policy

1. In your admin template, select Computer configuration > All settings, and search
for inprivate browsing. Notice the path.

Do the same for User configuration. Select All settings, and search for inprivate
browsing.

2. In Group Policy Management Editor, find the matching user and device settings:

Device: Expand Computer configuration > Policies > Administrative
Templates > Windows components > Internet Explorer > Privacy > Turn off
InPrivate Browsing.
User: Expand User configuration > Policies > Administrative Templates >
Windows components > Internet Explorer > Privacy > Turn off InPrivate
Browsing.

Tip

To see the built-in Windows policies, you can also use GPEdit (Edit group policy
app).

Compare a Microsoft Edge policy


1. In the Intune admin center, go to your Admin template - Windows 10 student
devices template.

2. Expand Computer configuration > Microsoft Edge > Startup, homepage and
new tab page. Notice the available settings.
Do the same for User configuration.

3. In Group Policy Management Editor, find these settings:

Device: Expand Computer configuration > Policies > Administrative Templates > Microsoft
Edge > Startup, homepage and new tab page.
User: Expand User configuration > Policies > Administrative Templates > Microsoft Edge >
Startup, homepage and new tab page.

What did I just do?


You created an administrative template in Intune. In this template, we looked at some
ADMX settings, and looked at the same ADMX settings in Group Policy Management.

Add settings to the Students admin template


In this template, we configure some Internet Explorer settings to lock down devices
shared by multiple students.

1. In your Admin template - Windows 10 student devices, expand Computer
configuration, select All settings, and search for Turn off InPrivate Browsing:

2. Select the Turn off InPrivate Browsing setting. In this window, notice the
description and values you can set. These options are similar to what you see in
group policy.

3. Select Enabled > OK to save your changes.

4. Also configure the following Internet Explorer settings. Be sure to select OK to save
your changes.

Allow drag and drop or copy and paste files
Type: Device
Path: \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Value: Disabled

Prevent ignoring certificate errors
Type: Device
Path: \Windows Components\Internet Explorer\Internet Control Panel
Value: Enabled

Disable changing home page settings
Type: User
Path: \Windows Components\Internet Explorer
Value: Enabled
Home page: Enter a URL, such as contoso.com.

5. Clear your search filter. Notice the settings you configured are listed at the top:

Assign your template


1. In your template, select Next until you get to Assignments. Choose Select groups
to include:

2. A list of existing users and groups is shown. Select the All Windows 10 student
devices group you created earlier > Select.

If you're using this walkthrough in a production environment, then consider
adding groups that are empty. The goal is to practice assigning your template.

3. Select Next. In Review + create, select Create to save your changes.

As soon as the profile is saved, it applies to the devices when they check in with Intune.
If the devices are connected to the internet, it can happen immediately. For more
information on policy refresh times, see How long does it take for devices to get a
policy, profile, or app.

When assigning strict or restrictive policies and profiles, don't lock yourself out.
Consider creating a group that's excluded from your policies and profiles. The idea is to
have access to troubleshoot. Monitor this group to confirm it's being used as intended.

What did I just do?


In the Intune admin center, you created an administrative template device configuration
profile, and assigned this profile to a group you created.

Create a OneDrive template


In this section, you create a OneDrive admin template in Intune to control some
settings. These specific settings are chosen because they're commonly used by
organizations.

1. Create another profile (Devices > Configuration profiles > Create profile).

2. Enter the following properties:

Platform: Select Windows 10 and later.
Profile: Select Administrative templates.

3. Select Create.

4. In Basics, enter the following properties:

Name: Enter Admin template - OneDrive policies that apply to all Windows
10 users.
Description: Enter a description for the profile. This setting is optional, but
recommended.

5. Select Next.
6. In Configuration settings, configure the following settings. Be sure to select OK to
save your changes:

Computer configuration:
Silently sign in users to the OneDrive sync client with their Windows
credentials
Type: Device
Value: Enabled
Use OneDrive Files On-Demand
Type: Device
Value: Enabled

User configuration:
Prevent users from syncing personal OneDrive accounts
Type: User
Value: Enabled

Your settings look similar to the following settings:

For more information on OneDrive client settings, see Use Group Policy to control
OneDrive sync client settings.

Assign your template


1. In your template, select Next until you get to Assignments. Choose Select groups
to include:

2. A list of existing users and groups is shown. Select the All Windows devices group
you created earlier > Select.

If you're using this walkthrough in a production environment, then consider
adding groups that are empty. The goal is to practice assigning your template.

3. Select Next. In Review + create, select Create to save your changes.

At this point, you created some administrative templates, and assigned them to groups
you created. The next step is to create an administrative template using Windows
PowerShell and the Microsoft Graph API for Intune.

Optional: Create a policy using PowerShell and Graph API

This section uses the following resources. We'll install these resources in this section.

Intune PowerShell SDK
Microsoft Graph API for Intune

1. On the Admin computer, open Windows PowerShell as administrator:


a. In your search bar, enter powershell.
b. Right-click Windows PowerShell > Run as administrator.

2. Get and set the execution policy.

a. Enter: get-ExecutionPolicy

Write down what it's set to, which may be Restricted. When finished with the
walkthrough, set it back to its original value.

b. Enter: Set-ExecutionPolicy -ExecutionPolicy Unrestricted

c. Enter Y to change it.

PowerShell's execution policy helps prevent executing malicious scripts. For more
information, see About Execution Policies.

3. Enter: Install-Module -Name Microsoft.Graph.Intune

Enter Y if:

Asked to install the NuGet provider
Asked to install the modules from an untrusted repo

It can take several minutes to complete. When finished, a prompt similar to the
following prompt is shown:
4. In your web browser, go to https://github.com/Microsoft/Intune-PowerShell-SDK/releases,
and select the Intune-PowerShell-SDK_v6.1907.00921.0001.zip file.

a. Select Save as, and select a folder you'll remember. c:\psscripts is a good
choice.

b. Open your folder, right-click the .zip file > Extract all > Extract. Your folder
structure looks similar to the following folder:

5. On the View tab, check File name extensions:

6. In your folder, go to
c:\psscripts\Intune-PowerShell-SDK_v6.1907.00921.0001\drop\outputs\build\Release\net471.
Right-click every .dll > Properties > Unblock.

7. In your Windows PowerShell app, enter:

PowerShell

Import-Module c:\psscripts\Intune-PowerShell-SDK_v6.1907.00921.0001\drop\outputs\build\Release\net471\Microsoft.Graph.Intune.psd1

Enter R if prompted to run from the untrusted publisher.

8. Intune administrative templates use the beta version of Graph:

a. Enter: Update-MSGraphEnvironment -SchemaVersion 'beta'

b. Enter: Connect-MSGraph -AdminConsent

c. When prompted, sign in with the same Microsoft 365 administrator account.
These cmdlets create the policy in your tenant organization.

User: Enter the administrator account of your Microsoft 365 tenant subscription.

Password: Enter its password.

d. Select Accept.

9. Create the Test Configuration configuration profile. Enter:

PowerShell

$configuration = Invoke-MSGraphRequest `
    -Url "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations" `
    -Content '{"displayName":"Test Configuration","description":"A test configuration created through PS"}' `
    -HttpMethod POST

When this cmdlet succeeds, the profile is created. To confirm, go to the Intune
admin center > Configuration Profiles. Your Test Configuration profile should be
listed.

10. Get all the SettingDefinitions. Enter:

PowerShell

$settingDefinitions = Invoke-MSGraphRequest `
    -Url "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions" `
    -HttpMethod GET

11. Find the definition ID using the setting display name. Enter:

PowerShell

$desiredSettingDefinition = $settingDefinitions.value |
    Where-Object { $_.DisplayName -Match "Silently sign in users to the OneDrive sync app with their Windows credentials" }

12. Configure a setting. Enter:

PowerShell

# Bind the definition found in step 11 to the profile from step 9, with the setting enabled
$configuredSetting = Invoke-MSGraphRequest `
    -Url "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$($configuration.id)')/definitionValues" `
    -Content ("{""enabled"":""true"",""configurationType"":""policy"",""definition@odata.bind"":""https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('$($desiredSettingDefinition.id)')""}") `
    -HttpMethod POST

PowerShell

# Update the configured setting in place, here changing its state to disabled
Invoke-MSGraphRequest `
    -Url "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$($configuration.id)')/definitionValues('$($configuredSetting.id)')" `
    -Content ("{""enabled"":""false""}") `
    -HttpMethod PATCH

PowerShell

# Read the configured setting back to confirm the change
$configuredSetting = Invoke-MSGraphRequest `
    -Url "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$($configuration.id)')/definitionValues('$($configuredSetting.id)')" `
    -HttpMethod GET
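A scripted version of steps 9 through 12, added here as an example and not part of the tutorial or of the Intune PowerShell SDK: it follows @odata.nextLink so that every groupPolicyDefinitions page is searched, requires exactly one definition with the given name and scope before it creates the profile, and reads the configured value back. It assumes the module is imported and Connect-MSGraph has already run as in steps 7 and 8; the function name and parameters are my own.

```powershell
# Added example; not the tutorial's or the SDK's own code. Assumes Microsoft.Graph.Intune is
# imported, Update-MSGraphEnvironment -SchemaVersion 'beta' and Connect-MSGraph have run.
function New-AdmxTemplateWithSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $Description = '',
        [Parameter(Mandatory)] [string] $SettingDisplayName,
        # Same display name can exist for both Computer and User configuration,
        # so the scope must be part of the lookup.
        [ValidateSet('machine', 'user')] [string] $ClassType = 'machine',
        [bool] $Enabled = $true
    )
    $base = 'https://graph.microsoft.com/beta/deviceManagement'

    # 1. Resolve the definition first, so a wrong name leaves no empty profile behind.
    #    The collection is paged: keep following @odata.nextLink until it is absent.
    $definitions = @()
    $url = "$base/groupPolicyDefinitions"
    while ($url) {
        $page = Invoke-MSGraphRequest -Url $url -HttpMethod GET
        $definitions += $page.value
        $url = $page.'@odata.nextLink'
    }

    # Exact comparison (-eq) instead of -Match, which is a regex substring test and can
    # hit several similarly named settings at once.
    $candidates = @($definitions | Where-Object {
        $_.displayName -eq $SettingDisplayName -and $_.classType -eq $ClassType })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one '$ClassType' definition named '$SettingDisplayName', found $($candidates.Count)."
    }
    $definition = $candidates[0]

    # 2. Create the administrative template profile. ConvertTo-Json builds the body
    #    instead of hand-escaped quotes.
    $profileBody = @{ displayName = $DisplayName; description = $Description } | ConvertTo-Json
    $configuration = Invoke-MSGraphRequest -Url "$base/groupPolicyConfigurations" `
        -HttpMethod POST -Content $profileBody

    # 3. Bind the definition to the profile with the requested state.
    $valueBody = @{
        enabled                 = $Enabled
        configurationType       = 'policy'
        'definition@odata.bind' = "$base/groupPolicyDefinitions('$($definition.id)')"
    } | ConvertTo-Json
    $configured = Invoke-MSGraphRequest `
        -Url "$base/groupPolicyConfigurations('$($configuration.id)')/definitionValues" `
        -HttpMethod POST -Content $valueBody

    # 4. Read the value back; report success only when the stored state matches the request.
    $check = Invoke-MSGraphRequest `
        -Url "$base/groupPolicyConfigurations('$($configuration.id)')/definitionValues('$($configured.id)')" `
        -HttpMethod GET
    if ($check.enabled -ne $Enabled) {
        throw "Setting was created but its state is '$($check.enabled)', expected '$Enabled'."
    }

    [pscustomobject]@{
        ProfileId    = $configuration.id
        ProfileName  = $configuration.displayName
        DefinitionId = $definition.id
        SettingName  = $definition.displayName
        Enabled      = $check.enabled
    }
}

# Example call; the setting name is the one searched for in step 11.
New-AdmxTemplateWithSetting -DisplayName 'Test Configuration (scripted)' `
    -Description 'Created through the Graph API' `
    -SettingDisplayName 'Silently sign in users to the OneDrive sync app with their Windows credentials'
```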

See your policy


1. In the Intune admin center > Configuration Profiles > Refresh.
2. Select your Test Configuration profile > Settings.
3. In the drop-down list, select All products.

You see the Silently sign in users to the OneDrive sync client with their Windows
credentials setting is configured.

Policy best practices


When creating policies and profiles in Intune, there are some recommendations and
best practices to consider. For more information, see policy and profile best practices.

Clean up resources

When no longer needed, you can:

Delete the groups you created:

All Windows 10 student devices
All Windows devices
All Teachers

Delete the admin templates you created:

Admin template - Windows 10 student devices
Admin template - OneDrive policies that apply to all Windows 10 users
Test Configuration

Set the Windows PowerShell execution policy back to its original value. The
following example sets the execution policy to Restricted:

PowerShell

Set-ExecutionPolicy -ExecutionPolicy Restricted

Next steps
In this tutorial, you got more familiar with the Microsoft Intune admin center, used the
query builder to create dynamic groups, and created administrative templates in Intune
to configure ADMX settings. You also compared using ADMX templates on-premises
and in the cloud with Intune. As a bonus, you used PowerShell cmdlets to create an
administrative template.

For more information on administrative templates in Intune, see:

Use Windows 10/11 templates to configure group policy settings in Intune


Try new Devices experience in Microsoft Intune
Article • 08/02/2023

Important

This feature is in public preview. For more information, see Public preview in
Microsoft Intune.

Enroll devices, manage profiles and policies, and access monitoring and reports all in
one place in Microsoft Intune. Now in public preview, you can go to the Devices area in
the Microsoft Intune admin center to:

Get at-a-glance actionable information and key metrics about your devices.
Access workloads for device onboarding, management, and monitoring.
View, monitor, and drill down into active issues on the Overview page.
Manage devices by OS platform.
Access, apply, and view filters at the top of every list view.

This article describes how to opt in to the public preview and access these updated
workloads:

Devices > Overview
Devices > All devices
Devices > Configuration
Devices > Compliance
Devices > Windows 10 and later updates
Devices > Apple updates
Devices > Enrollment

Opt in to public preview


You can switch back and forth between the current UI and public preview without
impacting other admins in your tenant.

1. Sign in to the Microsoft Intune admin center.


2. Select Devices.
3. On the Overview page, select the notification banner that says Preview upcoming
changes to Devices and provide feedback.
4. The Devices preview page opens. Select Try it now to opt in.

You remain in public preview until you switch it back, even if you close the browser. To
exit public preview and return to the current version of the admin center:

1. Go to Overview.
2. Flip the switch next to Use Devices preview. Wait while Intune refreshes the UI.
3. Optionally, when prompted, provide feedback about your experience with the
Devices public preview. Select x to return to the admin center without giving
feedback.

Overview
Go to Devices > Overview to access workloads by OS platform, view key metrics about
assigned policies, and access associated reports. Overview options include:

Manage devices by platform: Select an OS platform to pivot between
management workloads by platform.
Additional monitoring reports: Access reports associated with your key metrics.
Other devices: Access other device workloads, such as configuration for the
Chrome OS enterprise connector.

This page also highlights key metrics about active issues, such as enrollment failures and
Windows 365 provisioning failures, happening across devices. Select a metric for more
information about the issue.

All devices
Go to Devices > All devices to view a list of all Intune-managed devices in your tenant.
Select a device for more granular information, such as:

Hardware details
Installed apps
Assigned policies
Available remote actions

For more information about device details, see See device details in Intune.

Device onboarding
Under Device onboarding, you can access these onboarding options (workloads with UI
changes are marked as New):

Cloud PC creation
Enrollment - New

Go to Enrollment to access these subworkloads:

Monitor: Access reports and list views associated with enrollment profiles, policies,
and Windows Autopilot deployment.
Windows: Set up enrollment for devices running Windows 10 or Windows 11.
Apple: Set up enrollment for iOS/iPadOS and Mac devices.
Android: Set up enrollment for supported Android devices.
Corporate device identifiers: Add and manage corporate identifiers for devices
that should have corporate-owned status.
Device enrollment manager: Add and manage device enrollment managers that
oversee or help with enrolling devices.

For more information about getting started with enrollment, see Enrollment guide:
Microsoft Intune enrollment.

Manage devices
Under Manage devices, you can access these essential management workloads
(workloads with UI changes are marked as New):

Configuration - New
Compliance - New
Conditional access
Scripts
Windows 10 and later updates - New
Apple updates - New
Group Policy analytics
eSIM cellular profiles (preview)
Policy sets
Device clean-up rules
Device categories
Partner portals

Monitored data and relevant reports are located in the same place as your management
tasks to help you find and act on issues quickly. This section describes the public
preview experience for all updated workloads.

Configuration
Go to Devices > Configuration to monitor and manage device configuration policies in
Microsoft Intune. Within Configuration, you can access these subworkloads:

Monitor: Access key metrics, reports, and list views associated with device
configuration profiles.
Policies: Create and manage device configuration policies.
Import ADMX: Import custom and partner ADMX and ADML templates that you
can create device configuration policies from.

For more information about device configuration, see Apply features settings on your
devices using device profiles in Microsoft Intune.

Compliance
Go to Devices > Compliance to monitor and manage device compliance policies in
Microsoft Intune. Within Compliance, you can access these subworkloads:

Monitor: Access key metrics, reports, and list views associated with device
compliance.
Policies: Create and manage device compliance policies.
Notifications: Create and send custom notifications to device users on managed
iOS/iPadOS and Android devices.
Retire noncompliant devices: Remove all company data from a device and remove
the device from Intune management.
Scripts: Add and manage scripts used for custom compliance settings.

For more information about device compliance, see Compliance overview.

Windows 10 and later updates


Go to Devices > Windows 10 and later updates to monitor and manage software
update policies for devices running Windows 10 or Windows 11. Within this area, you
can access the following subworkloads:

Monitor: Access key metrics and active issues associated with Windows software
update policies.
Update rings: Create and manage update ring policies for Windows 10 and
Windows 11 updates.
Feature updates: Create and manage policies for feature updates.
Quality updates: Create and manage policies for quality updates.
Driver updates: Create and manage policies for driver updates.

For more information about Windows updates, see Manage Windows 10 and Windows
11 software updates in Intune.

Apple updates
Go to Devices > Apple updates to monitor and manage software update policies for
Apple devices. Within this area, you can access the following subworkloads:

Monitor: Access key metrics and active issues associated with Apple update
policies.
iOS/iPadOS updates: Create and manage policies for iOS/iPadOS updates.
macOS updates: Create and manage policies for macOS updates.

For more information about software update policies for Apple devices, see:

Manage iOS/iPadOS software updates in Intune
Manage macOS software updates in Intune

Next steps
For an overview of new features and features that are ready to try in public preview, see
What's New in Microsoft Intune.

Set up enrollment for devices in Azure AD shared device mode
Article • 03/27/2023

Applies to iOS/iPadOS

Important

This feature is in public preview. For more information, see Public preview in
Microsoft Intune.

Set up automated device enrollment for devices in Azure AD shared device mode.
Shared device mode enables frontline workers to securely share a single device
throughout the day, signing in and out as needed. The foundation for this experience is
made up of Azure Active Directory (Azure AD) shared device mode and the Microsoft
Enterprise SSO plug-in.

Corporate-owned devices purchased through Apple Business Manager or Apple School
Manager can be enrolled in Intune via automated device enrollment. Microsoft Intune
supports zero-touch provisioning for devices in Azure AD shared mode, which means
that the device can be set up and enrolled in Intune with minimal interaction from the
frontline worker.

This article describes how to enable automated device enrollment for devices in shared
device mode. You will:

Create an Apple enrollment profile
Create a dynamic Azure AD group for automatic grouping
Create an assignment filter for fast provisioning
Create a device configuration policy for single-sign on (SSO) app extension
Assign Microsoft Authenticator app (VPP version)

Prerequisites
Before you create an enrollment profile in Microsoft Intune:

Complete all prerequisites for Apple Automated Device Enrollment.
Read Before you begin for best practices and recommendations for automated
device enrollment.

Step 1: Create an Apple enrollment profile
Create an Apple automated device enrollment profile in Microsoft Intune for devices
enrolling in shared device mode. Include these configurations:

User affinity: Enroll with Azure AD shared mode
Locked enrollment: Yes
Apply device name template: Yes (optional)
Device Name Template (optional): {{DEVICETYPE}}-{{SERIAL}}
Toggle All (optional): Hide

Although optional, we recommend applying a device name template with the
recommended formatting. You can also hide all or some Setup Assistant screens to
speed up provisioning and user onboarding. When you're done configuring the rest of
the enrollment profile, assign it to devices.

For more information about how-to create an enrollment profile, see Create an Apple
enrollment profile.

Step 2: Create a dynamic Azure AD group


Create a dynamic Azure AD group using the enrollmentProfileName property to
automatically group devices that enroll with a specific enrollment profile. In this case, we
want to group devices that are in shared device mode and enrolling with the profile you
created in Step 1. Include these configurations in your dynamic group policy:

Group type: Security
Membership type: Dynamic Device
Add a dynamic query with the following rule:
Property: enrollmentProfileName
Operator: Equals
Value: Enter the name of the enrollment profile you created for devices in Azure
AD shared mode.

For more information about how to create a dynamic group for shared devices in Azure
AD, see Create a group membership rule.

Step 3: Create an assignment filter


Create an assignment filter to quickly target devices assigned to your enrollment profile.
Add a rule with the following parameters:

Property: enrollmentProfileName
Operator: Equals
Value: Enter the name of the enrollment profile you created for devices in Azure
AD shared mode.

For more information about how to create an assignment filter rule, see Create a filter.
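Steps 2 and 3 both come down to one rule expression, (device.enrollmentProfileName -eq "<profile name>"); the script below, added here as an example and not part of the article or of the Intune PowerShell SDK, creates the dynamic group and the assignment filter from that single rule through the Graph API and checks that both stored it unchanged. It assumes the Microsoft.Graph.Intune module is imported, Connect-MSGraph has run with an account permitted to create groups and assignment filters, and an enrollment profile named 'Shared iOS devices' (a constructed name); the function name and the mail nickname are my own.

```powershell
# Added example; not the article's or the SDK's own code. Assumes Microsoft.Graph.Intune is
# imported and Connect-MSGraph has run. The enrollment profile name passed in is constructed.
function New-SharedDeviceGroupAndFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $EnrollmentProfileName,
        [string] $MailNickname = 'shareddevices'   # must be unique within the tenant
    )
    # The same rule serves the dynamic group and the filter; the profile name is quoted inside it.
    $rule = "(device.enrollmentProfileName -eq `"$EnrollmentProfileName`")"

    # Step 2: security group with dynamic device membership. 'On' makes Azure AD evaluate
    # the rule; the group stays empty until devices enroll with that profile.
    $groupBody = @{
        displayName                   = "Shared devices - $EnrollmentProfileName"
        mailEnabled                   = $false
        mailNickname                  = $MailNickname
        securityEnabled               = $true
        groupTypes                    = @('DynamicMembership')
        membershipRule                = $rule
        membershipRuleProcessingState = 'On'
    } | ConvertTo-Json
    $group = Invoke-MSGraphRequest -Url 'https://graph.microsoft.com/v1.0/groups' `
        -HttpMethod POST -Content $groupBody

    # Step 3: assignment filter for iOS/iPadOS with the identical rule, so the SSO profile
    # (Step 4) and the Authenticator app (Step 5) reach only devices from that profile.
    $filterBody = @{
        displayName = "Shared devices - $EnrollmentProfileName"
        platform    = 'iOS'
        rule        = $rule
    } | ConvertTo-Json
    $filter = Invoke-MSGraphRequest `
        -Url 'https://graph.microsoft.com/beta/deviceManagement/assignmentFilters' `
        -HttpMethod POST -Content $filterBody

    # Round-trip check: both objects must carry the rule exactly as sent.
    if ($group.membershipRule -ne $rule -or $filter.rule -ne $rule) {
        throw "Stored rules differ from '$rule': group='$($group.membershipRule)' filter='$($filter.rule)'"
    }
    [pscustomobject]@{ GroupId = $group.id; FilterId = $filter.id; Rule = $rule }
}

New-SharedDeviceGroupAndFilter -EnrollmentProfileName 'Shared iOS devices'
```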

Step 4: Create a device configuration profile


Configure a single-sign on (SSO) app extension policy for shared device mode. Create a
device configuration profile and include these configurations:

Profile type: Templates
Template name: Device features
Expand Single sign-on app extension, and then configure:
SSO app extension type: Microsoft Azure AD
Enable shared device mode: Yes
Key: device_registration
Type: String
Value: {{DEVICEREGISTRATION}}

You can configure the rest of the profile to meet your organization's needs. When you're
done configuring the profile, assign it to All devices and then add the assignment filter
you created in Step 3.

For more information about creating an SSO app extension policy, see:

Create a device configuration profile
Single-sign on (SSO) app extension settings

Step 5: Assign the Microsoft Authenticator app


Assign the Microsoft Authenticator app to targeted devices. Assign the app as required
to All devices. Then add the assignment filter you created in Step 3. You must have
purchased the Microsoft Authenticator app through an Apple volume-purchase
program.

For more information about assigning a volume-purchased app, see Assign a volume
purchased app.

Step 6: Distribute devices


Shared devices, which are enrolled without user affinity, require minimal user interaction
from the frontline worker. Upon receiving the device, the frontline worker will need to
open the Microsoft Authenticator app to make sure the device is in shared device mode.

Users typically don't like enrolling themselves, and may not be familiar with the
Company Portal app. Be sure to provide guidance, including what information to enter.
For some guidance on communicating with your users, see Planning guide: Step 5 -
Create a rollout plan.

Microsoft Intune planning guide
Article • 06/07/2023

A successful Microsoft Intune deployment or migration starts with planning. This guide
helps you plan your move or adoption of Intune as your unified endpoint management
solution.

Intune gives organizations options to do what's best for them and the many different
user devices. You can enroll devices in Intune for mobile device management (MDM) of
Android, iOS/iPadOS, Linux, macOS, and Windows devices. You can also use app
protection policies for mobile application management (MAM) that focuses on
protecting app data.

This guide:

Lists and describes some common objectives for device management
Lists potential licensing needs
Provides guidance on handling personally owned devices
Recommends reviewing current policies and infrastructure
Gives examples of creating a rollout plan
And more

Use this guide to plan your move or migration to Intune.

Tip

The Intune Adoption Kit includes email templates, project plans, planning
spreadsheet, and more.
Want to print or save this guide as a PDF? In your web browser, use the Print
option, Save as PDF.
This guide is a living thing. So, be sure to add or update existing tips and
guidance you've found helpful.

Step 1 - Determine your objectives
Organizations use mobile device management (MDM) and mobile application
management (MAM) to control organization data securely, and with minimal disruption
to users. When evaluating an MDM/MAM solution, such as Microsoft Intune, look at
what the goal is, and what you want to achieve.

In this section, we discuss common objectives when using Intune.

Objective: Access organizational apps and email


Users expect to work on devices using organization apps, including reading and
responding to email, updating and sharing data, and more. In Intune, you can deploy
different types of apps, including:

Microsoft 365 apps


Win32 apps
Line-of-business (LOB) apps
Custom apps
Built-in apps or store apps

✔️Task: Make a list of the apps your users regularly use

These apps are the apps you want on their devices. Some considerations:

Many organizations deploy the Office suite of apps to PCs and tablets, such as
Word, Excel, OneNote, PowerPoint, and Teams. On smaller devices, such as mobile
phones, individual apps might be installed, depending on the user requirements.

For example, the sales team may require Teams, Excel, and SharePoint. On mobile
devices, you can deploy only these apps, instead of deploying the entire Office
suite.

Users expect to read and reply to email and join meetings on all devices, including
personal devices. On organization-owned devices, you can deploy Outlook and
Teams, and manage and control all device settings and all app settings, including
PIN and password requirements.

On personal devices, you might not have this control. So, determine if you want to
give users access to organization apps, such as email and meetings.

For more information and considerations, go to Personal devices vs Organization-owned
devices (in this article).

Objective: Secure access on all devices
When data is stored on mobile devices, it must be protected from malicious activity.

✔️Task: Determine how you want to secure your devices

Antivirus, malware scanning, responding to threats, and keeping devices up-to-date are all
important considerations. You also want to minimize the impact of malicious activity.

Some considerations:

Antivirus (AV) and malware protection are a must. Intune integrates with
Microsoft Defender for Endpoint and different Mobile Threat Defense (MTD)
partners to help protect your managed devices, personal devices, and apps.

Microsoft Defender for Endpoint includes security features and a portal to help
monitor, and react to threats.

If a device is compromised, you want to limit malicious impact using Conditional
Access.

For example, Microsoft Defender for Endpoint scans a device, and determines it's
compromised. Conditional Access can automatically block organization access on
this device, including email.

Conditional Access helps protect your network and resources from devices, even
devices that aren't enrolled in Intune.

Update device, the OS, and apps to help keep your data secure. Create a plan on
how and when updates are installed. There are policies in Intune that help you
manage updates, including updates to store apps.

Determine how users will authenticate to organization resources from their many
devices. For example, you can:

Use certificates on devices to authenticate features and apps, such as
connecting to a virtual private network (VPN), opening Outlook, and more.
These certificates allow for a "password-less" user experience. Password-less is
considered more secure than requiring users to enter their organization
username and password.

If you're planning to use certificates, use a supported public key infrastructure
(PKI) to create and deploy certificate profiles.
Use multi-factor authentication (MFA) for an extra layer of authentication on
organization-owned devices. Or, use MFA to authenticate apps on personal
devices. Biometrics, such as face recognition and fingerprints, can also be used.

If you plan to use biometrics for authentication, be sure your devices support
biometrics. Most modern devices do.

Implement a Zero Trust deployment. With Zero Trust, you use the features in
Azure AD and Microsoft Intune to secure all endpoints, use password-less
authentication, and more. For more information, see Zero Trust with Microsoft
Intune.

Objective: Distribute IT
Many organizations want to give different admins control over locations, departments,
and so on. For example, the Charlotte IT Admins group controls and monitors the
policies in the Charlotte campus. These Charlotte IT Admins can only see and manage
policies for the Charlotte location. They can't see and manage policies for the Redmond
location. This approach is called distributed IT.

In Intune, distributed IT uses scope tags, device enrollment categories, and multiple
admin approval.

Scope tags use role-based access control (RBAC). So, only users in a specific group
have permission to manage policies and profiles for users and devices in their
scope.

When you use device enrollment categories, devices are automatically added to
groups based on categories you create. This feature uses Azure AD dynamic
groups, and helps make managing devices easier.

When users enroll their device, they choose a category, such as Sales, IT admin,
point-of-sale device, and so on. When they're added to a category, these device
groups are ready to receive your policies.

When admins create policies, you can require multiple admin approval for specific
policies, including policies that run scripts or deploy apps.

✔️Task: Determine how you want to distribute your rules and settings

Rules and settings are deployed using different policies. Some considerations:

Determine your admin structure. For example, you might want to separate by
location, such as Charlotte IT Admins or Cambridge IT Admins. You might want to
separate by role, such as Network Admins that control all network access,
including VPN.

These categories become your scope tags.

Sometimes organizations need to use Distributed IT in systems where a large
number of local admins connect to a single Intune tenant. For example, a large
organization has a single Intune tenant. The organization has a large number of
local admins, and each admin manages a specific system, region or location. Each
admin needs to manage only their location, and not the entire organization.

For more information, go to Distributed IT environment with many admins in the
same Intune tenant.

Many organizations separate groups by the device type, such as iOS/iPadOS,
Android, or Windows devices. Some examples:
Distribute specific apps to specific devices. For example, deploy the Microsoft
shuttle app to mobile devices in the Redmond network.
Deploy policies to specific locations. For example, deploy a Wi-Fi profile to
devices in the Charlotte network so they automatically connect when in range.
Control settings on specific devices. For example, disable the camera on
Android Enterprise devices used on a manufacturing floor, create a Windows
Defender antivirus profile for all Windows devices, or add e-mail settings to all
iOS/iPadOS devices.

These categories become your device enrollment categories.

Objective: Keep organization data inside the organization


When data is stored on mobile devices, the data should be protected from accidental
loss or sharing. This objective also includes wiping organization data from personal and
organization-owned devices.

✔️Task: Create a plan to cover different scenarios that impact your organization

Some sample scenarios:

A device is lost or stolen, or no longer being used. A user leaves the organization.
In Intune, you can remove devices by wiping, retiring, or manually unenrolling
them. You can also automatically remove devices that haven't checked in for x
number of days.

At the app level, you can remove organization data from Intune-managed apps.
A selective wipe is great for personal devices, as it keeps personal data on the
device, and only removes organization data.

On personal devices, you may want to prevent users from copying and pasting, taking
screenshots, or forwarding emails. App protection policies can block these features
on devices you don't manage.

On managed devices (devices enrolled in Intune), you can also control these
features using device configuration profiles. Device configuration profiles control
settings on the device, not the app. On devices that access highly sensitive or
confidential data, device configuration profiles can prevent copy/paste, taking
screenshots, and more.

For more information and considerations, go to Personal devices vs Organization-owned
devices (in this article).

Step 2 - Inventory your devices


Organizations have a range of devices, including desktop computers, laptops, tablets,
hand-held scanners, and mobile phones. These devices are owned by the organization,
or owned by your users. When planning your device management strategy, consider
everything that accesses your organization resources, including users' personal devices.

This section includes device information that you should consider.

Supported platforms
Intune supports Android, iOS/iPadOS, macOS, Linux, and Windows devices. For the
specific versions, go to supported platforms.

✔️Task: Upgrade or replace older devices

If your devices use unsupported versions, which are primarily older operating systems,
then it's time to upgrade the OS or replace the devices. These older OSes and devices
might have limited support, and are a potential security risk. This task includes desktop
computers running Windows 7, iPhone 7 devices running the original v10.0 OS, and so
on.

Personal devices vs Organization-owned devices


On personal devices, it's normal and expected for users to check email, join meetings,
update files, and more. Many organizations allow personal devices, and many
organizations only allow organization-owned devices.
As an organization and as an admin, you decide if personal devices are allowed.

✔️Task: Determine how you want to handle personal devices


If being mobile or supporting remote workers is important to your organization,
consider the following approaches:

Option 1: On personal devices, give users the choice to enroll in Intune. Once
enrolled, admins fully manage these devices, including pushing policies,
controlling device features and settings, and even wiping devices. As an admin,
you may want this control, or you may think you want this control.

When users enroll their personal devices, they may not realize or understand that
admins can do anything on the device, including accidentally wiping or resetting
the device. As an admin, you may not want this liability or potential impact on
devices your organization doesn't own.

Also, many users refuse to enroll. They find other ways to access organization
resources. For example, you require devices be enrolled to use the Outlook app to
check organization email. To skip this requirement, users open any web browser on
the device, and sign in to Outlook web access, which may not be what you want.
Or, they create screenshots, and save the images on the device, which also isn't
what you want.

If you choose this option, be sure to educate users on the risks and benefits of
enrolling their personal devices. As an alternative, you can use app protection
policies.

Option 2: On personal devices, use app configuration policies and app protection
policies. Users don't enroll in Intune. For these devices, you manage app access.

Use a Terms and conditions statement with a conditional access policy. If users
don't agree, then they don't get access to apps. If users agree to the statement,
then a device record is added to Azure AD, and the device becomes a known
entity. When the device is known, you can track what's being accessed from the
device.

Next, control access and security using app policies.

Look at the tasks your organization uses the most, such as email and joining
meetings. Use app configuration policies to configure app-specific settings, such
as Outlook. Use app protection policies to control the security and access to these
apps.
For example, users can use the Outlook app on their personal device to check work
email. In Intune, admins create an Outlook app protection policy. This policy uses
multi-factor authentication (MFA) every time the Outlook app opens, prevents
copy and paste, and restricts other features.

Option 3: You want every device to be fully managed. In this scenario, give users
all the devices they need, including mobile phones. Invest in a hardware refresh
plan so users continue to be productive and effective. Enroll these
organization-owned devices in Intune, and manage them using policies.

This option prevents the use of personal devices.

As a best practice, always assume data will leave the device. Be sure your tracking and
auditing methods are in place. For more information, see Zero Trust with Microsoft
Intune.

Manage desktop computers


Intune can manage desktop computers running Windows 10 and newer. The Windows
client OS includes built-in modern device management features, and removes
dependencies on local Active Directory (AD) group policy. You get the benefits of the
cloud when creating rules and settings in Intune, and deploying these policies to all your
Windows client devices, including desktop computers and PCs.

For more information, go to Guided scenario - Cloud-managed Modern Desktop.

If your Windows devices are currently managed using Configuration Manager, you can
still enroll these devices in Intune. This approach is called co-management.
Co-management offers many benefits, including running remote actions on the device
(restart, remote control, factory reset), conditional access with device compliance, and
more. You can also cloud-attach your devices to Intune.

For more information, go to:

What is co-management
Paths to co-management
Configuration Manager tenant attach

✔️Task: Look at what you currently use for mobile device management

Your adoption of a mobile device management service can depend on what your organization
currently uses, including whether that solution uses on-premises features or programs.

The setup deployment guide has some good information.


Some considerations:

If you currently don't use any MDM service or solution, then going straight to
Intune may be best.

For new devices not enrolled in Configuration Manager, or any MDM solution,
then going straight to Intune may be best.

If you currently use Configuration Manager, then your options include:

If you want to keep your existing infrastructure, and move some workloads to
the cloud, then use co-management. You get the benefit of both services.
Existing devices can receive some policies from Configuration Manager
(on-premises), and other policies from Intune (cloud).

If you want to keep your existing infrastructure, and use Intune to help monitor
your on-premises devices, then use tenant-attach. You get the benefit of using
the Intune admin center, while still using Configuration Manager to manage
devices.

If you want a pure cloud solution to manage devices, then move to Intune.
Existing Configuration Manager users often prefer to continue using
Configuration Manager with tenant attach or co-management.

For more information, go to co-management workloads.

Step 3 - Determine costs and licensing


Managing devices is a relationship with different services. Intune includes the settings
and features you can control on different devices. There are also other services that play
a key role:

Azure Active Directory (AD) Premium includes several features that are key to
managing devices, including:
Windows Autopilot: Windows client devices can automatically enroll in Intune,
and automatically receive your policies.
Multi-factor authentication (MFA): Users must enter two or more verification
methods, such as a PIN, an authenticator app, a fingerprint, and more. MFA is a
great option when using app protection policies for personal devices, and
organization-owned devices that require extra security.
Conditional Access: If users and devices follow your rules, such as a 6-digit
passcode, then they get access to organization resources. If users or devices
don't meet your rules, then they don't get access.
Dynamic user groups and dynamic device groups: Add users or devices
automatically to groups when they meet criteria, such as a city, job title, OS
type, OS version, and more.

Microsoft 365 apps includes the apps that users rely on, including Outlook, Word,
SharePoint, Teams, OneDrive, and more. You can deploy these apps to devices
using Intune.

Microsoft Defender for Endpoint helps monitor and scan your Windows client
devices for malicious activity. You can also set an acceptable threat level. When
combined with conditional access, you can block access to organization resources
if the threat level is exceeded.

Microsoft Purview classifies and protects documents and emails by applying
labels. On Microsoft 365 apps, you can use this service to prevent unauthorized
access to organization data, including apps on personal devices.

All of these services are included in the Microsoft 365 E5 license.

For more information, go to:

Microsoft Intune licensing
Microsoft 365 for business
Microsoft 365 enterprise licensing

✔️Task: Determine the licensed services your organization needs


Some considerations:

If your goal is to deploy policies (rules) and profiles (settings), without any
enforcement, at a minimum, you need:
Intune

Intune is available with different subscriptions, including as a stand-alone service.
For more information, go to Microsoft Intune licensing.

You currently use Configuration Manager, and want to set up co-management for
your devices. Intune is already included in your Configuration Manager license. If
you want Intune to fully manage new devices or existing co-managed devices,
then you need a separate Intune license.

You want to enforce the compliance or password rules you create in Intune. At a
minimum, you need:
Intune
Azure AD Premium
Intune and Azure AD Premium are available with Enterprise Mobility + Security.
For more information, go to Enterprise Mobility + Security pricing options.

You want to only manage Microsoft 365 apps on devices. At a minimum, you need:
Microsoft 365 Basic Mobility and Security

For more information, go to:

Choose between Basic Mobility and Security or Intune
Basic Mobility and Security frequently-asked questions (FAQ)

You want to deploy Microsoft 365 apps to your devices, and create policies to help
secure devices that run these apps. At a minimum, you need:
Intune
Microsoft 365 apps

You want to create policies in Intune, deploy Microsoft 365 apps, and enforce your
rules and settings. At a minimum, you need:
Intune
Microsoft 365 apps
Azure AD Premium

Since all these services are included in some Microsoft 365 plans, it might be
cost effective to use the Microsoft 365 license.
For more information, go to Microsoft 365 licensing plans.

Step 4 - Review existing policies and infrastructure

Many organizations have existing policies and device management infrastructure that's
only being "maintained". For example, you might have 20-year-old group policies, and
don't know what they do. When considering a move to the cloud, instead of looking at
what you've always done, determine the goal.

With these goals in mind, create a baseline of your policies. If you have multiple device
management solutions, now might be the time to use a single mobile device
management service.

✔️Task: Look at tasks you run on-premises

This task includes looking at services that could move to the cloud. Remember, instead
of looking at what you've always done, determine the goal.
Tip

Learn more about cloud-native endpoints is a good resource.

Some considerations:

Review existing policies and their structure. Some policies may apply globally,
some apply at the site level, and some are specific to a device. The goal is to know
and understand the intent of global policies, the intent of local policies, and so on.

On-premises AD group policies are applied in the LSDOU order - local, site,
domain, and organizational unit (OU). In this hierarchy, OU policies overwrite
domain policies, domain policies overwrite site policies, and so on.

In Intune, policies are applied to users and groups you create. There isn't a
hierarchy. If two policies update the same setting, then the setting shows as a
conflict. For more information on conflict behavior, go to Common questions,
issues, and resolutions with device policies and profiles.

When moving from AD group policy to Intune, and after reviewing your policies,
your AD global policies map logically to groups you already have, or groups you
need to create. These groups include the users and devices you want to target at the
global level, site level, and so on. This task gives you an idea of the group structure
you need in Intune.
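The difference between the two precedence models, as an added simulation that is not Microsoft code: AD group policy resolves a setting by LSDOU order (the OU-level value wins), while Intune assigns policies to groups with no hierarchy and reports differing values for the same setting as a conflict. The policy names, group names and settings are hypothetical.

```python
"""Simulate LSDOU precedence versus Intune's no-hierarchy conflict behaviour.

Constructed example: policy names, group names and settings are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# LSDOU processing order: local, site, domain, OU. Later scopes overwrite earlier ones.
LSDOU_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}


@dataclass
class GroupPolicy:
    name: str
    scope: str                     # one of the keys in LSDOU_ORDER
    settings: dict = field(default_factory=dict)


@dataclass
class IntunePolicy:
    name: str
    assigned_groups: set           # groups the policy is assigned to
    settings: dict = field(default_factory=dict)


def resolve_gpo(policies):
    """Return the effective settings after LSDOU processing (last scope wins)."""
    effective = {}
    for gpo in sorted(policies, key=lambda p: LSDOU_ORDER[p.scope]):
        effective.update(gpo.settings)
    return effective


def evaluate_intune(policies, member_of):
    """Evaluate policies for a device that is a member of the groups in `member_of`.

    Returns (effective, conflicts):
      effective  - settings on which every applicable policy agrees
      conflicts  - setting -> {policy name: value} where applicable policies disagree
    """
    values = defaultdict(dict)
    for pol in policies:
        if pol.assigned_groups & member_of:          # policy applies to this device
            for key, val in pol.settings.items():
                values[key][pol.name] = val
    effective, conflicts = {}, {}
    for key, by_policy in values.items():
        if len(set(by_policy.values())) == 1:
            effective[key] = next(iter(by_policy.values()))
        else:
            conflicts[key] = dict(by_policy)         # no precedence: surface it
    return effective, conflicts


# Constructed sample data.
GPOS = [
    GroupPolicy("Default Domain Policy", "domain",
                {"MinPinLength": 4, "CameraAllowed": True}),
    GroupPolicy("Factory Floor OU", "ou", {"CameraAllowed": False}),
]
INTUNE = [
    IntunePolicy("Baseline device restrictions", {"All Devices"},
                 {"MinPinLength": 4, "CameraAllowed": True}),
    IntunePolicy("Manufacturing restrictions", {"Factory Floor"},
                 {"CameraAllowed": False}),
]

if __name__ == "__main__":
    print("GPO effective:   ", resolve_gpo(GPOS))
    eff, conf = evaluate_intune(INTUNE, {"All Devices", "Factory Floor"})
    print("Intune effective:", eff)
    print("Intune conflicts:", conf)
```

In the GPO case the OU policy silently wins; in the Intune case the camera setting is reported as a conflict and the admin must reconcile the two assignments.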

Be prepared to create new policies in Intune. Intune includes several features that
cover scenarios that may interest you. Some examples:

Security baselines: On Windows 10/11 devices, Security baselines are security
settings that are preconfigured to recommended values. If you're new to
securing devices, or want a comprehensive baseline, then look at security
baselines.

Administrative templates: On Windows 10/11 devices, use ADMX templates to
configure group policy settings for Windows, Internet Explorer, Office, and
Microsoft Edge version 77 and later. These ADMX templates are the same
ADMX templates used in AD group policy, but are 100% cloud-based in Intune.

Group policy: Use group policy analytics to import and analyze your GPOs. This
feature helps you determine how your GPOs translate in the cloud. The output
shows which settings are supported in MDM providers, including Microsoft
Intune. It also shows any deprecated settings, or settings not available to MDM
providers.
You might also be able to create an Intune policy based on your imported
settings. For more information, go to Create a settings catalog policy using your
imported GPOs.

Guided scenarios: Guided scenarios are a customized series of steps focused on
end-to-end use cases. These scenarios automatically include policies, apps,
assignments, and other management configurations.

Create a policy baseline that includes the minimum of your goals. For example:

Secure e-mail: At a minimum, you might want to:

Create Outlook app protection policies.
Enable conditional access for Exchange Online, or for connecting to another
on-premises email solution.

Device settings: At a minimum, you might want to:

Require a six-character PIN to unlock the device.
Prevent backups to personal cloud services, such as iCloud or OneDrive.

Device profiles: At a minimum, you might want to:

Create a Wi-Fi profile with the preconfigured settings that connect to the
Contoso Wi-Fi wireless network.
Create a VPN profile with a certificate to automatically authenticate, and
connect to an organization VPN.
Create an email profile with the preconfigured settings that connect to
Outlook.

Apps: At a minimum, you might want to:

Deploy Microsoft 365 apps with app protection policies.
Deploy line-of-business (LOB) apps with app protection policies.

For more information on minimum recommended settings, go to:

Step 3 - Create compliance policies
Step 4 - Create device configuration profiles

Review the current structure of your groups. In Intune, you can create and assign
policies to user groups, device groups, and dynamic user and device groups
(requires Azure AD Premium).

When you create groups in the cloud, such as Intune or Microsoft 365, they're
created in Azure AD. You might not see the Azure AD branding, but that's what
you're using.
Creating new groups can be an easy task. They can be created in the Microsoft
Intune admin center. For more information, go to add groups to organize
users and devices.

Moving existing distribution lists (DLs) to Azure AD might be more challenging.
Once the DLs are in Azure AD, these groups are available to Intune and
Microsoft 365. For more information, go to:
What is hybrid identity with Azure Active Directory?
Azure AD Connect sync: Understand and customize synchronization

If you have existing Office 365 groups, you can move to Microsoft 365. Your
existing groups remain, and you get all the features and services of Microsoft
365. For more information, go to:
What is Microsoft 365?
Migration to Microsoft 365 Enterprise
Upgrade to Microsoft 365 Business

If you have multiple device management solutions, then move to a single mobile
device management solution. We recommend using Intune to help protect
organization data in apps and on devices.

For more information, go to Microsoft Intune securely manages identities,
manages apps, and manages devices.

Step 5 - Create a rollout plan


The next task is to plan how and when your users and devices receive your policies. In
this task, also consider:

Define your goals and success metrics. Use these data points to create other
rollout phases. Make sure goals are SMART (Specific, Measurable, Attainable,
Realistic, and Timely). Plan to measure against your goals at each phase so your
rollout project stays on track.
Have clearly-defined goals and objectives. Include these objectives in all awareness
and training activities so users understand why your organization chose Intune.

✔️Task: Create a plan to roll out your policies


And, choose how users enroll their devices in Intune. Some considerations:

Roll out your policies in phases. For example:

Start with a pilot or test group. These groups should know they're the first users,
and be willing to provide feedback. Use this feedback to improve configuration,
documentation, notifications, and make it easier for users in a future rollout.
These users shouldn't be executives or VIPs.

After initial testing, add more users to the pilot group. Or, create more pilot
groups that focus on a different rollout, such as:

Departments: Each department can be a rollout phase. You target an entire
department at a time. In this rollout, users in each department might use
their device in the same way, and access the same applications. Users likely
have the same types of policies.

Geography: Deploy your policies to all users in a specific geography, whether
it's the same continent, country/region, or same organization building. This
rollout lets you focus on the specific location of users. You could use a
Windows Autopilot pre-provisioned deployment approach, because fewer
locations deploy Intune at the same time. Different departments or different
use cases may exist at the same location, so you could be testing different
use cases simultaneously.

Platform: This rollout deploys similar platforms at the same time. For
example, deploy policies to all iOS/iPadOS devices in February, all Android
devices in March, and all Windows devices in April. This approach might
simplify help desk support, as they only support one platform at a time.

Using a staged approach, you can get feedback from a wide range of user
types.

After a successful pilot, you're ready to start a full production rollout. The
following example is an Intune rollout plan that includes targeted groups and
timelines:

Rollout phase              | July                                     | August                           | September           | October
Limited Pilot              | IT (50 users)                            |                                  |                     |
Expanded Pilot             | IT (200 users), IT Executives (10 users) |                                  |                     |
Production rollout phase 1 |                                          | Sales and Marketing (2000 users) |                     |
Production rollout phase 2 |                                          |                                  | Retail (1000 users) |
Production rollout phase 3 |                                          |                                  |                     | HR (50 users), Finance (40 users), Executives (30 users)

This template is also available to download at Intune deployment planning, design,
and implementation - Table templates.

Choose how users will enroll their personal and organization-owned devices.
There are different enrollment approaches you can use, including:
User self-service: Users enroll their own devices following steps provided by
their IT organization. This approach is most common, and is more scalable than
user-assisted enrollment.
User-assisted enrollment: In this pre-provisioned deployment approach, an IT
member helps users through the enrollment process, in person or using Teams.
This approach is common with executive staff and other groups that might need
more assistance.
IT tech fair: At this event, the IT group sets up an Intune enrollment assistance
booth. Users receive information on Intune enrollment, ask questions, and get
help enrolling their devices. This option is beneficial for IT and users, especially
during the early phases of an Intune rollout.

The following example includes the enrollment approaches:

Rollout phase                                        | July                                             | August                            | September            | October
Limited Pilot                                        | Self-service: IT                                 |                                   |                      |
Expanded Pilot                                       | Self-service: IT; Pre-provisioned: IT Executives |                                   |                      |
Production rollout phase 1 (Sales, Marketing)        |                                                  | Self-service: Sales and Marketing |                      |
Production rollout phase 2 (Retail)                  |                                                  |                                   | Self-service: Retail |
Production rollout phase 3 (Executives, HR, Finance) |                                                  |                                   |                      | Self-service: HR, Finance; Pre-provisioned: Executives

For more information on the different enrollment methods for each platform, go to
Deployment guidance: Enroll devices in Microsoft Intune.

Step 6 - Communicate changes


Change management relies on clear and helpful communications about upcoming
changes. The idea is to smooth your Intune deployment, and make users aware of
changes and any disruption.

✔️Task: Your rollout communication plan should include important information

This information should include how to notify users, and when to communicate. Some
considerations:

Determine what information to communicate. Communicate in phases to your
groups and users, starting with an Intune rollout kickoff, pre-enrollment, and then
post-enrollment:

Kickoff phase: Broad communication that introduces the Intune project. It
should answer key questions, such as:
What is Intune?
Why the organization is using Intune, including benefits to the organization
and to users
Provide a high-level plan of the deployment and rollout.
If personal devices aren't allowed unless the devices are enrolled, then
explain why you made the decision.

Pre-enrollment phase: Broad communication that includes information about
Intune and other services (such as Office, Outlook, and OneDrive), user
resources, and specific timelines when users and groups will enroll in Intune.

Enrollment phase: Communication targets organization users and groups that
are scheduled to enroll in Intune. It should inform users that they're ready to
enroll, include enrollment steps, and who to contact for help and questions.

Post-enrollment phase: Communication targets organization users and groups
that have enrolled in Intune. It should provide more resources that might be
helpful to users, and collect feedback about their experience during and after
enrollment.

The Intune Adoption Kit might be helpful. Use it as-is, or change it for your
organization.

Choose how to communicate Intune rollout information to your targeted groups
and users. For example:

Create an organization wide in-person meeting, or use Microsoft Teams.

Create an email for pre-enrollment, an email for enrollment, and an email for
post-enrollment. For example:
Email 1: Explain the benefits, expectations, and schedule. Take this
opportunity to showcase any other services whose access is granted on
devices managed by Intune.
Email 2: Announce that services are now ready for access through Intune. Tell
users to enroll now. Give users a timeline before their access is affected.
Remind users of benefits and strategic reasons for migration.

Use an organization web site that explains the rollout phases, what users can
expect, and who to contact for help.

Create posters, use organization social media platforms (such as Microsoft Viva
Engage), or distribute flyers to announce the pre-enrollment phase.

Create a timeline that includes when and who. The first Intune kickoff
communications can target the entire organization, or just a subset. They can take
place over several weeks before the Intune rollout begins. After that, information
could be communicated in phases to users and groups, aligned with their Intune
rollout schedule.

The following example is a high-level Intune rollout communications plan:


Communication plan     | July        | August              | September   | October
Phase 1                | All         |                     |             |
Kickoff meeting        | First week  |                     |             |
Phase 2                | IT          | Sales and Marketing | Retail      | HR, Finance, and Executives
Pre-rollout Email 1    | First week  | First week          | First week  | First week
Phase 3                | IT          | Sales and Marketing | Retail      | HR, Finance, and Executives
Pre-rollout Email 2    | Second week | Second week         | Second week | Second week
Phase 4                | IT          | Sales and Marketing | Retail      | HR, Finance, and Executives
Enrollment email       | Third week  | Third week          | Third week  | Third week
Phase 5                | IT          | Sales and Marketing | Retail      | HR, Finance, and Executives
Post-enrollment email  | Fourth week | Fourth week         | Fourth week | Fourth week

Step 7 - Support help desk and end users


Include your IT support and helpdesk in the early stages of Intune deployment planning
and pilot efforts. Early involvement exposes your support staff to Intune, and they gain
knowledge and experience in identifying and resolving issues more effectively. It also
prepares them for supporting the organization's full production rollout. Knowledgeable
help desk and support teams also help users adopt these changes.

✔️Task: Train your support teams

Validate the end-user experience with success metrics in your deployment plan. Some
considerations:

Determine who will support end users. Organizations may have different tiers or
levels (1-3). For example, tier 1 and 2 may be part of the support team. Tier 3
includes members of the MDM team responsible for the Intune deployment.

Tier 1 is typically the first level of support and the first tier to contact. If tier 1 can't
resolve the issue, then they escalate to tier 2. Tier 2 escalates it to tier 3. Microsoft
support may be considered as tier 4.
In the initial rollout phases, be sure all tiers in your support team document
issues and resolutions. Look for patterns, and adjust your communications for
the next rollout phase. For example:
If different users or groups are hesitant about enrolling their personal
devices, consider a Teams call to answer common questions.
If users are having the same issues enrolling organization-owned devices,
then host an in-person event to help users enroll the devices.

Create a help desk workflow, and constantly communicate support issues,
trends, and other important information to all tiers in your support team. For
example, hold daily or weekly Teams meetings so all tiers are aware of trends
and patterns, and can get help.

The following example shows how Contoso implements their IT support or
helpdesk workflows:

1. End-user contacts IT support or helpdesk tier 1 with an enrollment issue.
2. IT support or helpdesk tier 1 can't determine the root cause and escalates to
tier 2.
3. IT support or helpdesk tier 2 investigates. Tier 2 can't resolve the issue and
escalates to tier 3, and provides additional information to help with the issue.
4. IT support or helpdesk tier 3 investigates, determines the root cause, and
communicates the resolution to tier 2 and 1.
5. IT support/helpdesk tier 1 then contacts the users, and resolves the issue.

This approach, especially in early stages of the Intune rollout, adds many benefits,
including:
Help learn the technology
Quickly identify issues and resolution
Improve the overall user experience

Train your help desk and support teams. Have them enroll devices running the
different platforms used in your organization so they're familiar with the process.
Consider using help desk and support teams as a pilot group for your scenarios.

There are training resources available, including YouTube videos, Microsoft
tutorials about Windows Autopilot scenarios, compliance, configuration, and
courses through training partners.

The following example is an Intune support training agenda:


Intune support plan review
Intune overview
Troubleshooting common issues
Tools and resources
Q&A

The community-based Intune forum and end-user documentation are also great
resources.

Next steps
Migration guide: Set up or move to Microsoft Intune
Get started with your Microsoft Intune deployment
Settings insight
Article • 07/24/2023

Settings insight provides tailored insights powered by a machine learning model. This article
explains how Settings insight works. Settings insight is currently available within Intune
security baselines.

A security baseline comprises a set of expert recommended configurations to secure
devices, apps, and services. Settings insight adds insights to security baselines, giving
you confidence in configurations that are successfully adopted by similar organizations.

Overview
The Settings insight feature provides confidence in configurations by adding insights
that similar organizations have successfully adopted. This article explains how Settings
insight can be accessed or viewed for policies that are created or that exist in Microsoft
security baselines.

For example, if an organization is in the manufacturing industry, we'll look at what
similar organizations with similar profiles are doing, and prepare a plan tailored to their
specific situation.

This feature is now generally available.

Prerequisites
Licensing/Subscriptions: You must have a Microsoft Intune Plan 1 license to use
Settings insight. For more information, see Licenses available for Microsoft Intune.
Permissions: Global Admins or Endpoint Security Administrators can create a
profile using Baselines.

Viewing insights
1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Security baselines to view the list of available baselines.

3. Select one of the following baselines you'd like to use, and then select Create
profile.

Microsoft Edge Baseline
Microsoft 365 Apps for Enterprise Security Baseline

4. On the Basics tab, specify the Name, and Description properties.

5. Select Next to go to the next tab.

6. On the Configuration settings tab, view the groups of Settings that are available.
You can expand a group to view the settings in that group, and the default values
for those settings. Insights are available beside some settings with a light bulb
icon.

7. You can also view these insights while editing a Profile.


Models used to categorize organizations
Similar organizations are identified using a K-means clustering model based on
customer attributes, such as industry, organization size, etc. Clustering algorithms and
key attributes are selected through experiments so that customers are grouped
appropriately. The model determines the optimal number of clusters at runtime based
on clustering performance.

Setting value recommendations are then made for similar organizations categorized in
the same cluster. Healthy organizations within a cluster are first identified based on
Endpoint analytics scores. For a common setting, the setting value used by most of the
healthy organizations is recommended to other similar organizations within the same
cluster. A setting value is only recommended if it aligns with the default value that the
Microsoft baseline selects, so the insight functions as positive reinforcement.

Important

Customer Data is not being used in the model. Usage data is aggregated at
organization level and is converted to categorical format when possible. For
example, a Boolean attribute is used to reflect whether the customer has Microsoft
Exchange in use and categorical data is used to show the range of deployment
ratio rather than the actual deployment ratio. Data in use is signed off via privacy
and security reviews to ensure compliance and is securely stored with appropriate
protection and retention management.

Other safeguard measures are also applied to inhibit individual customer inference. For
example, no recommendation is made if the number of similar customers within one
cluster is below a given threshold or when the setting isn't adopted by the required
minimum number of organizations. Data aggregation and a set of thresholds are
applied to protect the confidentiality of individual organizations.
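The following Python is an added illustration of the guardrails described above; it is not Microsoft's code, the learned K-means step is replaced by grouping on identical categorical attributes, and the thresholds, score cut-off and setting name are placeholders chosen for the example:

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumed guardrail thresholds (placeholders; the real values are not published)
MIN_CLUSTER_SIZE = 5   # fewer similar organizations than this: publish nothing
MIN_ADOPTERS = 3       # the winning value must be used by at least this many orgs
HEALTHY_SCORE = 70.0   # assumed Endpoint analytics score cut-off for "healthy"
SETTING = "example_setting_enabled"   # placeholder setting name


@dataclass
class Org:
    org_id: str
    attributes: dict            # categorical only (industry, size bucket, ...)
    analytics_score: float      # Endpoint analytics score, higher is healthier
    settings: dict = field(default_factory=dict)   # setting name -> value used


def cluster_key(org):
    """Stand-in for the K-means step: organizations with identical categorical
    attributes land in the same cluster. Real clustering is learned; this
    keeps the example deterministic and offline."""
    return tuple(sorted(org.attributes.items()))


def recommend(orgs, setting, baseline_default):
    """Map cluster key -> recommended value, applying the guardrails:
    1. the cluster must hold at least MIN_CLUSTER_SIZE organizations,
    2. only healthy organizations contribute a vote,
    3. the majority value must be adopted by at least MIN_ADOPTERS of them,
    4. the majority value must equal the baseline default (insights only
       reinforce the baseline, they never contradict it)."""
    clusters = {}
    for org in orgs:
        clusters.setdefault(cluster_key(org), []).append(org)

    recommendations = {}
    for key, members in clusters.items():
        if len(members) < MIN_CLUSTER_SIZE:
            continue                      # guardrail 1: inference risk
        healthy = [o for o in members if o.analytics_score >= HEALTHY_SCORE]
        votes = Counter(o.settings[setting] for o in healthy if setting in o.settings)
        if not votes:
            continue                      # no healthy org uses this setting
        value, count = votes.most_common(1)[0]
        if count < MIN_ADOPTERS:
            continue                      # guardrail 3: adoption too low
        if value != baseline_default:
            continue                      # guardrail 4: must match the baseline
        recommendations[key] = value
    return recommendations


def sample_orgs():
    """Constructed sample data: three clusters exercising each guardrail."""
    retail = {"industry": "retail", "size": "medium"}
    finance = {"industry": "finance", "size": "small"}
    edu = {"industry": "education", "size": "large"}
    orgs = [Org(f"retail-{i}", retail, 85.0, {SETTING: True}) for i in range(5)]
    orgs.append(Org("retail-5", retail, 40.0, {SETTING: False}))   # unhealthy: no vote
    orgs += [Org(f"finance-{i}", finance, 90.0, {SETTING: True}) for i in range(3)]
    orgs += [Org(f"edu-{i}", edu, 80.0, {SETTING: False}) for i in range(4)]
    orgs.append(Org("edu-4", edu, 80.0, {SETTING: True}))
    return orgs


if __name__ == "__main__":
    # Only the retail cluster clears every guardrail when the baseline default is True:
    # finance is too small, and education's healthy majority disagrees with the baseline.
    for key, value in recommend(sample_orgs(), SETTING, True).items():
        print(dict(key), "->", value)
```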

Model execution and performance are actively monitored to ensure quality and
reliability. A series of live monitors is set up to closely watch execution anomalies and
key performance metrics. Prompt investigation and regular maintenance are in place to
provide valuable recommendations to customers.

Why some settings may not have insights

Settings insight is powered by machine learning and heavily relies on underlying data
used to make recommendations. For reliable recommendations, we have set
considerable guardrails in place to only show recommendations when we have sufficient
data to support them. If the admin doesn't see recommendations for certain settings, it
could mean we didn't have sufficient data to provide an insight. However, this could
change over a period as more data becomes available.

Next steps
For more information about security baselines, go to:

Security baselines
Create security baseline profiles in Microsoft Intune
Supported operating systems and browsers in Intune
Article • 06/05/2023

Before setting up Microsoft Intune, review the supported operating systems and
browsers.

For more information on configuration service provider support, visit the Configuration
service provider reference.

Intune supported operating systems

Intune supports devices running the following operating systems (OS):

Android
iOS/iPadOS
Linux
macOS
Windows
Chrome OS

Apple
Apple iOS 14.0 and later
Apple iPadOS 14.0 and later
macOS 11.0 and later

Note

Intune requires iOS 14.x or later for device enrollment scenarios and app
configuration delivered through Managed devices app configuration policies.

For Intune app protection policies and app configuration delivered through
Managed apps App configuration policies, Intune requires iOS 14.x or later.

In the context of userless iOS/iPadOS devices, there's a difference between supported OS
versions and allowed OS versions. For more information, see Support statement for
supported versus allowed iOS/iPadOS versions for user-less devices.

Android
Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: requirements)
Android enterprise: requirements
Android open source project device: requirements

Note

Intune requires Android 8.x or higher for device enrollment scenarios and app
configuration delivered through Managed devices app configuration policies. This
requirement does not apply to Microsoft Teams Android devices as these
devices will continue to be supported.

For Intune app protection policies and app configuration delivered through
Managed apps app configuration policies, Intune requires Android 9.0 or higher.

Linux
Ubuntu Desktop 22.04 LTS with a GNOME graphical desktop environment
Ubuntu Desktop 20.04 LTS with a GNOME graphical desktop environment

Note

Ubuntu Desktop already has a GNOME graphical desktop environment installed.

Microsoft
Windows 10/11 (Home, S, Pro, Education, Enterprise, and IoT Enterprise editions)

Windows 10/11 Cloud PCs on Windows 365

Note

You can continue to use Microsoft Intune to manage devices running
Windows 11 the same as with Windows 10. If another article doesn't explicitly
reference Windows 11, assume that feature support for Windows 10 also
includes Windows 11.

Some features may not be available on Windows 11. This article lists some
known issues. As always, test your policies before broadly deploying them
across your devices.

Windows 10 LTSC 2019/2021 (Enterprise and IoT Enterprise editions)

For more information about managing devices running Windows 10 LTSC 2019,
see What's new in Windows 10 Enterprise LTSC 2019

Windows 10 version 1709 (RS3) and later, Windows 8.1 RT, PCs running Windows
8.1 (Sustaining mode)

Windows Holographic for Business

For more information about managing devices running Windows Holographic for
Business, see Windows Holographic for Business support.

Surface Hub

Windows 10 Teams (Surface Hub)

For more information about managing devices running Windows 10 Teams, see
Manage Surface Hub with MDM

Note

Not all Windows editions support all available operating system features being
configured through MDM. For more information, see the Windows configuration
service provider reference docs. Each CSP highlights which Windows editions are
supported.

Customers with Enterprise Management + Security (EMS) can also use Azure Active
Directory (Azure AD) to register Windows 10 devices.

For guidelines on using Windows 10 virtual machines with Intune, see Using Windows
10 virtual machines.

Note

Intune does not currently support managing UWF enabled devices. For more
information, see Unified Write Filter (UWF) feature.

Windows 11 known issues
Multi-app kiosk mode isn't currently available. Windows 11 only supports the use
of a single app in kiosk mode. For more information, see the following articles:
Set up a multi-app kiosk on Windows devices
Windows device settings to run as a dedicated kiosk using Intune

Management capabilities to deliver customized Start and Taskbar experiences are
currently limited. For more information, see the following articles:
Supported configuration service provider (CSP) policies for Windows 11 Start
menu
Supported configuration service provider (CSP) policies for Windows 11 taskbar
Windows device settings to allow or restrict features using Intune

Supported platforms for Microsoft Defender for Endpoint Integration

For more information, see Microsoft Defender for Endpoint on devices with Microsoft
Intune

Supported Samsung Knox Standard devices

Microsoft Intune only attempts Samsung Knox activation during enrollment on
supported Knox devices. Devices that don't support Samsung Knox enroll as standard
Android devices. For a list of devices that support Samsung Knox, see Devices secured
by Knox on the Samsung Knox website. It's important to look for your device model
number when verifying support, because some device models support Knox while
others don't. Always verify Knox compatibility with your device reseller before you buy
and deploy Samsung devices.

Note

You may need to enable access to Samsung servers to enroll Samsung Knox
devices. For more information about enrollment, see Automatically enroll Android
devices by using Samsung's Knox Mobile Enrollment.

The Samsung device models in the following table don't support Knox solutions and
features. Intune enrolls them as native Android devices.

Device Name                         Device Model Numbers
Galaxy Avant                        SM-G386T
Galaxy Core 2/Core 2 Duos           SM-G355H, SM-G355M
Galaxy Core Lite                    SM-G3588V
Galaxy Core Prime                   SM-G360H
Galaxy Core LTE                     SM-G386F, SM-G386W
Galaxy Grand                        GT-I9082L, GT-I9082, GT-I9080L
Galaxy Grand 3                      SM-G7200
Galaxy Grand Neo                    GT-I9060I
Galaxy Grand Prime Value Edition    SM-G531H
Galaxy J Max                        SM-T285YD
Galaxy J1                           SM-J100H, SM-J100M, SM-J100ML
Galaxy J1 Ace                       SM-J110F, SM-J110H
Galaxy J1 Mini                      SM-J105M
Galaxy J2/J2 Pro                    SM-J200H, SM-J210F
Galaxy J3                           SM-J320F, SM-J320FN, SM-J320H, SM-J320M
Galaxy K Zoom                       SM-C115
Galaxy Light                        SGH-T399N
Galaxy Note 3                       SM-N9002, SM-N9009
Galaxy Note 7/Note 7 Duos           SM-N930S, SM-N9300, SM-N930F, SM-N930T
Galaxy Note 10.1 3G                 SM-P602
Galaxy S2 Plus                      GT-I9105P
Galaxy S3 Mini                      SM-G730A, SM-G730V
Galaxy S3 Neo                       GT-I9300, GT-I9300I
Galaxy S4                           SM-S975L
Galaxy S4 Neo                       SM-G318ML
Galaxy S5                           SM-G9006W
Galaxy S6 Edge                      404SC
Galaxy Tab A 7.0"                   SM-T280, SM-T285
Galaxy Tab 3 7"/Tab 3 Lite 7"       SM-T116, SM-T210, SM-T211
Galaxy Tab 3 8.0"                   SM-T311
Galaxy Tab 3 10.1"                  GT-P5200, GT-P5210, GT-P5220
Galaxy Trend 2 Lite                 SM-G318H
Galaxy V Plus                       SM-G318HZ
Galaxy Young 2 Duos                 SM-G130BU

Intune supported web browsers

Device management and administrative tasks are done in the Microsoft Intune admin
center. Use these portals to access the admin center:

Microsoft 365 admin center
Azure portal

Microsoft Intune is supported with the following web browsers:

Microsoft Edge (latest version)
Safari (latest version, Mac only)
Chrome (latest version)
Firefox (latest version)

Next steps
For network configuration requirements, or to learn more about setting up devices
using the configuration service provider (CSP), see:

Intune network configuration requirements and bandwidth
Configuration service provider reference
Android Open Source Project Supported Devices
Article • 08/08/2023

Before setting up Microsoft Intune for Android Open Source Project devices, ensure
you're using a supported device.

Intune for Android Open Source Supported Devices

OEM        Device                Minimum Firmware      Type of Device    Restrictions
HTC        HTC Vive Focus 3      5.2 - 5.0.999.624     AR/VR Headset
HTC        HTC Vive XR Elite     4.0 - 1.0.999.350     AR/VR Headset
Meta       Quest 2               v49                   AR/VR Headset     Open Beta, Available in select regions only
Meta       Quest Pro             v49                   AR/VR Headset     Open Beta, Available in select regions only
PICO       PICO Neo3 Pro/Eye     PUI 4.8.19            AR/VR Headset
PICO       PICO 4 Enterprise     PUI 5.6.0             AR/VR Headset
Realwear   HMT-1                 11.2                  AR/VR Headset
Realwear   HMT-1Z1               11.2                  AR/VR Headset
Realwear   Navigator500          11.2                  AR/VR Headset

Software updates planning guide for BYOD and personal devices in Microsoft Intune
Article • 07/12/2023

As organizations embrace a hybrid and remote workforce, admins are challenged with
controlling and managing software updates on devices owned by users. These devices
are often called BYOD (bring your own device) or personally owned devices. When
devices are organization owned, IT admins manage software updates. On personal
devices, IT admins typically don't have any control of software updates.

By default, when a new update is available for unmanaged devices (not enrolled in
Intune), users receive notifications and/or see the latest updates available on their
devices (Settings > Software Updates). The timing of these updates varies depending on
the carrier, OEM, and the device itself. At any time, users can check for updates
themselves.

To help manage the software updates on unmanaged devices, there are Intune policies
and features that can help. This section lists the Microsoft-recommended policies to
install software updates on unmanaged devices.

This article applies to:

Android Enterprise
iOS/iPadOS

Tip

If your devices are organization owned, then go to the software updates planning
guides for:

Managed Android devices
Supervised iOS/iPadOS devices
Managed macOS devices

Create enrollment restrictions

Users can enroll their personal devices in Microsoft Intune.
When users enroll their personal Android devices, these devices automatically get
a work profile. Any policies you create apply to the work profile, not the personal
profile. For information on the Android enrollment option for personal devices, go
to Android enrollment guide.

When they enroll iOS/iPadOS devices, the behavior depends on the enrollment
option you use. For information on the different iOS/iPadOS enrollment options
for personal devices, go to iOS/iPadOS enrollment guide.

✔️Create an enrollment restrictions policy that requires a minimum and maximum
operating system version. This policy helps create a good baseline for new enrollments.

The following example shows an enrollment device platform restrictions policy for
Android Enterprise devices:

When users enroll their personal devices, this policy checks the version info. If the
devices are outside the versions you enter, then they're prevented from enrolling.

For more information on this feature, go to Device platform restrictions in Intune.

Create compliance policies

Compliance policies help keep devices up-to-date. If a device isn't using a version you
define, then the device is marked as noncompliant. Noncompliant devices are shown in
the Microsoft Intune admin center.

✔️Create compliance policies. Use the built-in reporting to see noncompliant devices
and see the individual settings that aren't compliant.

In your compliance policy, you can:

Notify the user that the OS version doesn't meet your requirements.
Allow a grace period before the device is marked noncompliant, to allow them
time to upgrade.
If you combine your compliance policies with Conditional Access (CA), then you can
block users from resource access until they meet the OS version requirements.
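As an added example (not Intune's code), the following Python models how the three version controls in this guide combine for one personal device: the enrollment restriction's minimum/maximum gate, a compliance policy with a grace period, and a Conditional Access decision that honours that grace period. The version-comparison rules and the policy dictionary are assumptions of the example:

```python
from datetime import date, timedelta


def parse_version(text):
    """'13.4.1' -> (13, 4, 1); no padding, callers decide how to compare."""
    return tuple(int(p) for p in text.strip().split("."))


def _pad(t, n):
    """Right-pad with zeros so '13.4' compares equal to '13.4.0'."""
    return t + (0,) * (n - len(t))


def meets_minimum(os_version, min_version):
    v, lo = parse_version(os_version), parse_version(min_version)
    n = max(len(v), len(lo))
    return _pad(v, n) >= _pad(lo, n)


def within_enrollment_restriction(os_version, min_version, max_version):
    """Enrollment gate: the OS must be at or above the minimum and, for the
    maximum, match on the components the admin typed (assumption of this
    example: a maximum of 13.4 still admits 13.4.1)."""
    if not meets_minimum(os_version, min_version):
        return False
    v, hi = parse_version(os_version), parse_version(max_version)
    return _pad(v, len(hi))[: len(hi)] <= hi


def compliance_state(os_version, min_version, noncompliant_since, grace_days, today):
    """'compliant' when the minimum is met; otherwise 'in_grace' until the
    grace period that started on noncompliant_since has elapsed, then
    'noncompliant'."""
    if meets_minimum(os_version, min_version):
        return "compliant"
    deadline = noncompliant_since + timedelta(days=grace_days)
    return "in_grace" if today < deadline else "noncompliant"


def conditional_access_allows(state):
    """Constructed CA rule: require a compliant device, but honour the grace
    period so users get time to update before losing access."""
    return state in ("compliant", "in_grace")


def evaluate(os_version, policy, today):
    """Run one device through all three controls; policy is a constructed dict
    with keys enroll_min, enroll_max, compliance_min, noncompliant_since, grace_days."""
    enrolled = within_enrollment_restriction(
        os_version, policy["enroll_min"], policy["enroll_max"])
    state = compliance_state(os_version, policy["compliance_min"],
                             policy["noncompliant_since"], policy["grace_days"], today)
    return {"enrollment_allowed": enrolled,
            "compliance": state,
            "access_granted": enrolled and conditional_access_allows(state)}


if __name__ == "__main__":
    # Constructed policy: enroll 12.0 to 13.4.x, require 13.0 for compliance, 7-day grace.
    policy = {"enroll_min": "12.0", "enroll_max": "13.4", "compliance_min": "13.0",
              "noncompliant_since": date(2023, 8, 1), "grace_days": 7}
    for version in ("11.2", "12.5", "13.4.1"):
        print(version, evaluate(version, policy, date(2023, 8, 8)))
```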

For more information on compliance policies, go to:

Create a compliance policy in Intune
Configure actions for noncompliant devices in Intune
Monitor results of your compliance policies in Intune

Use app protection policies

✔️Use app protection policies on unmanaged personal devices that access
organization resources.

At the app level, you can use app protection policies to determine the minimum OS and
patch versions.

When users open or resume an app that's managed by you, the app protection policy
can prompt users to upgrade the OS. In the policy, if the version they're running doesn't
meet your requirements, then you can warn users that a new OS version is required, or
block access.

For more information on app protection policies, go to App protection policies
overview.

Use custom notifications

✔️Create a custom notification to alert users of upcoming OS version requirements.
Use this feature to proactively communicate to users to update their devices so they
don't lose access:

Remember, if the OS updates can't be forced or controlled, which is common on
personal devices, then end users need to update their own devices.

For more information on these features, go to:

Conditional launch actions with app protection policies in Intune
Using custom notifications in Intune

Next steps
Software updates planning guide for managed Android devices
Software updates planning guide and scenarios for supervised iOS/iPadOS devices
Software updates planning guide for managed Android Enterprise devices in Microsoft Intune
Article • 08/08/2023

Patches, major & minor updates, and new operating system versions are released
frequently. Organizations must keep devices updated to get the latest security updates.

Devices with Android Google Mobile Services (GMS) include all the Google apps and
Google services, on top of the OEM's own firmware features and apps. These devices
receive different types of updates, and the timing of those updates varies depending on
the behaviors of Google, the OEM, and the service carrier/telecommunication company.

Intune has built-in policies that can manage software updates.

This article includes an admin checklist for enrolled and managed Android Enterprise
devices. Use this information to help manage software updates on your organization-
owned devices.

This article applies to:

Android Enterprise devices enrolled in Intune

Tip

If your devices are personally owned, then go to the software updates planning
guide for personal devices.

Before you begin

To avoid delays in devices receiving updates, make sure devices are:

Powered on
Plugged in
Connected to the Internet
Idle and not actively being used

Admin checklist for corporate devices

Corporate or organization-owned devices should be enrolled and managed by the
organization. For Android Enterprise, you can manage software updates on the
following device types:

Dedicated devices
Fully managed devices
Fully managed devices with a work profile

This section lists the Microsoft-recommended policies to install software updates on
managed Android devices.

✔️Manage updates with policies

It's recommended you create policies that update your devices. It's not recommended
to put this responsibility on end users.

When users install their own updates (instead of admins managing the updates), it can
disrupt user productivity and business tasks. For example:

Users can start an update when they want, and might not be able to work while an
update is installing.

Users can apply updates that your organization hasn't approved. This decision can
cause issues with application compatibility, changes to the operating system, or
changes to the user experience that disrupt device use.

Users can avoid applying required updates that affect security or app compatibility.
This situation can leave the devices at risk and/or prevent the devices from
functioning.

✔️Configure the system update setting

For enrolled Android Enterprise devices, you can manage OS updates using the System
update setting. This setting is configurable in an Intune device restrictions configuration
profile.

When you configure this setting, you choose when the updates are installed. For
example, you can:

Use the device's default behavior, which automatically installs updates if the device
is connected to Wi-Fi, is charging, and is idle.

Automatically install updates without user interaction. Pending updates install
immediately.

Postpone updates for 30 days and then prompt users to install updates. Expect
your device manufacturer and/or carrier to prevent important security updates
from being postponed.

Create a maintenance window to automatically install updates during a specific
time frame.

For more specific information on this setting and the values you can configure, go to
Android Enterprise device settings list to allow or restrict features on corporate-owned
devices using Intune.

✔️Use freeze periods during critical times

During critical periods of the year, like holidays and other events, you can configure a
freeze period for system updates. During this time, the devices don't receive system
updates, security patches, and notifications about pending updates. Users can't
manually check for updates.

For more information on this setting, go to Android Enterprise device settings list to
allow or restrict features on corporate-owned devices using Intune.

✔️Use OEMConfig for firmware updates

For some rugged Android devices, you can use OEMConfig to configure firmware
updates and other settings that are specific to that OEM. If an OEM provides an
OEMConfig app, then in Intune, you can deploy the app and configure its settings using
a configuration profile.

To see the Intune-supported OEMConfig apps, go to Supported OEMConfig apps in
Intune. Contact the manufacturer for the firmware and other settings available in the
configuration schema.

For more information on OEMConfig in Intune, go to Use and manage Android
Enterprise devices with OEMConfig in Intune.

Upgrade older devices

As of January 7, 2022, the minimum supported versions are:

Android 8.0 for mobile device management (MDM)
Android 9.0 for mobile application management (MAM)

Android devices running older versions that are currently enrolled in Intune don't
receive updates to the Android Company Portal app or the Intune app. These apps
aren't available in the Google Play Store. If these apps were downloaded before this
change, then the devices aren't blocked from enrollment. Policies applied to these
devices continue to be deployed, but the devices aren't in a supported state.

If you currently have devices running older Android versions in your organization, then
upgrade or replace them. Use the information in this article to help you define an
update strategy. Using newer OS versions provides better productivity and security to
your users and your organization.

For more version information, go to Supported operating systems and browsers in
Intune.

Next steps
Software updates planning guide and scenarios for BYOD and personal devices
Software updates planning guide and scenarios for supervised iOS/iPadOS devices
Software updates planning guide for managed macOS devices
Software updates planning guide and scenarios for supervised iOS/iPadOS devices in Microsoft Intune
Article • 07/12/2023

Keeping your mobile devices current with software updates is critical. You need to
reduce the risk of security events and have minimal disruption to your organization and
your users. On iOS/iPadOS supervised devices, Intune has built-in policies that can
manage software updates.

This article includes an admin checklist to help you get started with software updates on
iOS/iPadOS supervised devices. It also lists common industry scenarios and sample
policies that you can configure in your environment.

For the specific steps to create a software update policy, go to Manage iOS/iPadOS
software update policies in Intune.

This article applies to:

iOS/iPadOS supervised devices enrolled in Intune

Tip

If your devices are personally owned, then go to the software updates planning
guide for personal devices.

Admin checklist for organization owned devices

This section lists the Microsoft-recommended guidance and strategies to install software
updates on your devices.

✔️Manage updates with policies

It's recommended you create policies that update your devices. It's not recommended
to put this responsibility on end users.

By default, users receive notifications and/or see the latest updates available on their
devices (Settings > General > Software Updates). Users can choose to download and
install updates whenever they want.

When users install their own updates (instead of admins managing the updates), it can
disrupt user productivity and business tasks. For example:

Users can start an update when they want, and might not be able to work while an
update is installing.

Users can apply updates that your organization hasn't approved. This decision can
cause issues with application compatibility, changes to the operating system, or
changes to the user experience that disrupt device use.

Users can avoid applying required updates that affect security or app compatibility.
This situation can leave the devices at risk and/or prevent the devices from
functioning.

✔️Keep automatic updates enabled

Starting with iOS/iPadOS 12, when updates are available, Apple devices automatically
install the updates. By default, this feature is enabled on new devices. Keep this feature
enabled.

To use this automatic patching and install updates faster, make sure the devices are:

Powered on
Plugged in
Connected to the Internet

When the devices are powered on, plugged in, and connected to the Internet, then the
updates automatically download & install, and the device reboots. If the device doesn't
meet these conditions, then the updates won't automatically download and install.

To keep your devices on the most current version and with minimal effort from you,
keep the automatic updates feature enabled.

Automatic updates work together with other update policies, which can provide a
positive experience for admins and end users.

Using Intune policies, you can also force users to update their devices:

Use Enrollment Restrictions to prevent users from enrolling devices that aren't
current.
Create compliance policies to determine the devices that aren't updated.
Create Conditional Access (CA) policies to block devices that aren't updated. The
CA policies can also prompt users to install current updates so they regain access.

What you need to know

If the automatic updates feature is disabled, then due to an OS limitation, it can't
be changed using policies. The setting must be manually changed on the device or
the device must be reset & reprovisioned.

If devices are configured with a PIN, then to start the software update, you must
enter the PIN. Entering the PIN typically isn't an issue for information worker 1:1
devices.

When planning for updates on kiosks, factory floor or userless scenarios, you may
need to adjust your processes to accommodate for the PIN behavior.

✔️Use the built-in settings

To manage updates, Apple has the following options:

Software update policies

These policies offer a controlled roll-out of a specific version. You can also force
devices on older versions to upgrade. Admins can enter the iOS/iPadOS version to
install and schedule the installation.

Software update deferral policies

These policies hide updates for up to 90 days. They prevent users from manually
updating their device to a version that hasn't been approved. This feature doesn't
control when the updates are applied.

With these features, admins can make sure their Apple devices are running a specific
software version and can control the release of updates across their devices.

These settings are configurable in the Microsoft Intune admin center. For more
information, go to Manage iOS/iPadOS software update policies in Intune.

✔️Create policies that support many time zones

All policy times use Coordinated Universal Time (UTC). The device's local timezone isn't
used.

To minimize the number of policies you have to create and manage, create a
configuration that supports many time zones. Don't create a separate policy for each
time zone.

For example, in the United States, there are four primary time zones: Pacific (UTC-8),
Mountain (UTC-7), Central (UTC-6) and Eastern (UTC-5). You can create separate policies
for each time zone. Or, create one or two policies that achieve the same result.
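As an added example (not Intune's code), the following Python finds the single UTC window that is outside working hours in every targeted zone, which is the calculation behind replacing four per-zone policies with one. The standard-time offsets are the ones named above; the 8 AM to 5 PM working hours are an assumption of the example, and a result of None signals that no single window exists and a second policy is needed:

```python
# Constructed inputs: zone name -> standard-time offset from UTC in whole hours,
# matching the four US zones named in the text.
US_ZONES = {"Pacific": -8, "Mountain": -7, "Central": -6, "Eastern": -5}
WORK_START, WORK_END = 8, 17   # assumed local working hours: 8 AM to 5 PM


def local_hour(utc_hour, offset):
    """Wall-clock hour in a zone for a given UTC hour."""
    return (utc_hour + offset) % 24


def is_working(utc_hour, offset, start=WORK_START, end=WORK_END):
    return start <= local_hour(utc_hour, offset) < end


def free_utc_hours(zones, start=WORK_START, end=WORK_END):
    """UTC hours (0-23) during which no listed zone is inside working hours."""
    return [h for h in range(24)
            if not any(is_working(h, off, start, end) for off in zones.values())]


def longest_free_window(free_hours):
    """Longest run of consecutive free UTC hours as (start_hour, length).
    Runs that cross midnight UTC are treated as one window. Returns None
    when no hour is free everywhere, the signal that one policy is not enough."""
    free = set(free_hours)
    if not free:
        return None
    if len(free) == 24:
        return (0, 24)
    # Start scanning just after a busy hour so a wrap-around run is not split.
    first_busy = next(h for h in range(24) if h not in free)
    best, run_start, run_len = (None, 0), None, 0
    for i in range(1, 25):
        h = (first_busy + i) % 24
        if h in free:
            run_start = h if run_start is None else run_start
            run_len += 1
            if run_len > best[1]:
                best = (run_start, run_len)
        else:
            run_start, run_len = None, 0
    return best


def describe_window(window, zones):
    """Local (start_hour, end_hour) per zone for a UTC (start_hour, length) window,
    so an admin can sanity-check what the single policy means in each zone."""
    start, length = window
    end = (start + length) % 24
    return {name: (local_hour(start, off), local_hour(end, off))
            for name, off in zones.items()}


if __name__ == "__main__":
    window = longest_free_window(free_utc_hours(US_ZONES))
    print("Single US window, UTC:", window)          # (1, 12): 01:00 UTC for 12 hours
    print(describe_window(window, US_ZONES))
    # Adding an Asia-Pacific zone shrinks the shared window to 6 hours.
    print(longest_free_window(free_utc_hours(dict(US_ZONES, Sydney=10))))   # (7, 6)
```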

✔️Be careful with version settings

When you create software update policies, be aware of the broader impact of the
version details in all your policies.

For example:

You configure a policy that delays updates for 90 days. If there's an enrollment
restriction policy that requires devices have a recent iOS/iPadOS version, then after
a device reset, devices could be blocked from enrolling.

You create a compliance policy that requires a minimum iOS/iPadOS version that's
recent. With this policy, devices on older releases become noncompliant. If you use
Conditional Access to enforce compliance, then users are blocked and can't work.

Common industry scenarios

Apple devices are used in various industries, including enterprise, retail, manufacturing,
and education. Most device use cases can be categorized into the following types:

1:1: Devices are used by only one person.
Shared: Devices are used by more than one person.
Dedicated: Devices are used for a specific business purpose, like a kiosk or digital
signage.

The following table includes common industry terminology that's used in this article:

Industry        Terminology        Use case
Enterprise      Knowledge worker   1:1
Retail          Kiosk              Dedicated
Manufacturing   Factory machine    Mission critical
Education       Assigned device    Shared

This section describes some common industry scenarios and gives examples of Intune
policies.

Knowledge workers
This group consists of people whose acquired knowledge is the basis of their work in
enterprise businesses and organizations. Their knowledge and thinking ability are their
job. Some examples include engineers, content developers, programmers, accountants,
communications staff, consultants, and so on.

Knowledge workers typically have their own device that's only used by them. It's not
shared with other users or other knowledge workers.

In scenarios like knowledge worker devices, the primary goal is for the update process
to be as simple and quick as possible. Their apps are mostly store-based, and the apps
should remain compatible with the latest OS version. On these devices, users are
typically tolerant of prompts for updates and/or choosing a convenient time for reboots.

An update strategy and priorities for these devices typically include:

✔️Basic update configuration
✔️The latest most up-to-date version
✔️Automatic updates

Scenario example:

You're configuring an update profile for the knowledge workers at Contoso. These users
mostly use Microsoft 365 apps and several Volume Purchase Program (VPP) apps.

As an admin, you're comfortable with:

These devices running the latest released iOS/iPadOS version
Downloading and installing updates as soon as the devices check-in with Intune
Allowing end-users to decide when they install updates and reboot their devices to
apply the updates

To accomplish these goals, you can use a policy with the following default settings:

Kiosks
These devices are typically in-store retail devices, and can be a desktop computer or a
mobile device. They're used by employees to serve customers and used directly by
customers for self-service tasks. They can also be a visual display that all customers see
when they're on-premises.

In kiosk-like scenarios, the primary goals for updating the devices are:

Make sure devices are current with approved OS updates.
Admins manage the updates and any versioning.
The installation and reboots occur after business hours.

An update strategy and priorities for these devices typically include:

✔️Basic update configuration
✔️Predictable version control
✔️Predictable release cycles

Scenario example:

You're configuring an iOS/iPadOS update profile for the kiosk devices at Contoso. These
devices operate in a retail outlet. Your staff uses the devices to serve customers 7 days a
week, including extended retail hours. The devices run a single Line of Business (LOB)
kiosk app, which was developed in-house by Contoso. This internal application is only
tested and validated on a quarterly basis.

You want to deploy the specific iOS/iPadOS version that this LOB app was recently
tested with, which is iOS 16.3. If this kiosk application doesn't work correctly, then the
retail outlet can't serve customers. The devices are connected to Wi-Fi and charge
overnight when the retail outlet is closed to customers.

You chose an overnight servicing window of 10 hours where updates can be
downloaded and applied, before the store opens.

To accomplish this task, create a policy with the following settings:

Factory machines
These devices are often single purpose devices. They're used in mission critical areas,
like manufacturing lines or specialized equipment control & monitoring. For example, it
could be an Android tablet running control or monitoring software for a device that
welds components.

In factory machine scenarios, the primary goal is to make sure devices behave in a
consistent manner. Updates may need to be delayed so all application compatibility
testing can complete. Installation and reboots occur at specific times and are typically
deployed in a phased approach.

An update strategy and priorities for these devices typically include:

✔️Advanced policy configuration
✔️Strict version control
✔️Slow release cycles

Scenario example:

You're configuring an update profile for devices on the manufacturing floor at Contoso's
industrial facility. The facility runs 24x7, 365 days a year, except for a few hours of
mandatory stoppage for safety inspections. These inspections happen early Sunday
morning every week.

These devices run two vendor apps. To remain in a supported configuration, both apps
are updated infrequently, and must run a specific version of the app and OS.

You want to deploy a specific, older iOS/iPadOS version (15) to these devices, as the app
vendor doesn't support later releases yet. Since the devices are nearly always in use, you
only have a small maintenance window once a week on Sunday.

You want to schedule updates during a 2-hour downtime window overnight on a
Sunday.

To accomplish this task, create a policy with the following settings:

Shared devices
Shared devices are used by many users who typically sign in and out of the device,
including education environments. These devices can be terminal/desktop computers,
tablets, laptops, and smartphones. They're often used in offices, classrooms, and retail
stores.

For more information on managing shared iOS/iPadOS devices, go to Shared device solutions for iOS/iPadOS.

For iOS/iPadOS shared devices, to apply updates, all users must be signed out. The users
can be signed out or the device can be rebooted, which automatically signs out users.

An update strategy and priorities for these devices typically include:

✔️Advanced policy configuration
✔️Predictable version control
✔️Controlled update behavior

Scenario example:

In the morning, UserA signs in to the device to check email before going out on the
floor. An hour later, UserB uses the same device to run some LOB apps.

You need to configure an update for this shared device. These shared devices are used
by general knowledge workers who are in the office from 8AM – 5PM, Monday through
Friday. You want the devices on the latest iOS/iPadOS version that supports all the apps
used on the shared devices.

To keep the policy as simple as possible, you want the updates to install outside typical
working hours, plus one hour for reboots or other actions.

To accomplish this task, this scenario involves two policies:

In the first policy, you want all users signed out or want to reboot the device after
a set amount of time. You can create an Apple Business Manager enrollment
profile to sign out any users who are idle for more than 15 minutes (900 seconds):

In the second policy, schedule the update using the following settings:

Next steps
Manage iOS/iPadOS software update policies in Intune
Software updates planning guide and scenarios for BYOD and personal devices
Software updates planning guide for managed Android devices
Software updates planning guide for managed macOS devices

Software updates planning guide for managed macOS devices in Microsoft Intune
Article • 08/08/2023

Keeping your devices current with updates is critical. Admins must do what they can to reduce the risk of security events, and do so with minimal disruption to the business and its users.

Intune has built-in policies that can manage software updates. For macOS devices, you
can use Intune to manage device updates, configure when devices are updated, and
review the device update status.

This article includes an admin guide for enrolled and managed macOS devices. Use this
information to help manage software updates on your organization-owned devices.

This article applies to:

macOS 12.4+ devices enrolled in Intune

 Tip

If your devices are personally owned, then go to the software updates admin
guide for personal devices.

Before you begin

To install updates faster and avoid delays, make sure the devices are:

Powered on
Plugged in
Connected to the Internet
Not shut down (they can be in a sleep state)

✔️Manage updates with policies

It's recommended you create policies that update your devices. It's not recommended to put this responsibility on end users.

By default, users receive notifications and/or see the latest updates available on their devices (Settings > General > Software Update). Users can choose to download and install updates whenever they want.

They can also change the update behavior using the Automatic Updates feature on the device (Settings > General > Software Update > Automatic Updates):

When users install their own updates (instead of admins managing the updates), it can
disrupt user productivity and business tasks. For example:

Users can apply updates that the business hasn't approved for use. This situation
can cause issues with application compatibility or changes to the operating system
or user experience that disrupt device use.

Users can avoid applying updates that are required for security or app
compatibility reasons. This delay can leave the devices at risk and/or prevent them
from being able to function.

Users can disable checking for new updates entirely.

Because of these potential issues, Microsoft recommends that you evaluate your use case scenarios and deploy policies to manage the update experience to minimize risk and disruption to your business.

Admin steps for organization owned devices
To update macOS devices owned by your organization, Microsoft recommends the
following steps. These steps apply to most macOS devices. You can also use these steps
as a starting point for your own update strategy.

1. Create a managed software update policy: This policy forces updates to be downloaded and installed at a convenient time. Depending on the settings you enter, users aren't prompted and don't need to be using the device when the updates are installed.

2. Create a Settings Catalog software update policy: This policy prevents end users
from disabling update checks. It also configures the device to check for updates
and prompt users regularly.

3. Configure and deploy Nudge: This community tool prompts users quickly when
an update is available. If the first two policies don't motivate end users to install
updates, then Nudge reminds them.

This section focuses on these steps.

✔️Step 1 - Use a software update policy to manage when updates are installed

This Intune policy manages when updates are installed.

For example, you can manage when critical updates and firmware updates are installed.
You can also manage how many times the user can defer an update before it's force
installed.

For most organizations, Microsoft recommends you configure the following settings:

Update policy behavior settings

Critical updates: Install later
Firmware updates: Install later
Configuration file updates: Install later
All other updates (OS, built-in apps): Install later
Maximum user deferrals: 5
Priority: High

Note

On recent macOS builds, almost all updates show as Configuration data files or All other updates. The All other updates setting mostly covers legacy updates for older builds of macOS.

The time specified in these settings is used by the Intune service. The time isn't the local device time. Be aware of time differences when you configure a maintenance window, especially for a global environment.

Update policy schedule settings

Schedule type: Update at next check-in

You can change the values to your preferred scheduled times. Some of the values may
only affect minor updates, and not major updates. For the specific steps, and more
information on these settings & their values, go to Manage macOS software update
policies in Intune.

This policy locks these settings so users can't change them. The policy also:

1. Checks for updates each time the device checks in with the Intune service. If there
are updates available, then they're automatically downloaded.

2. The device finds a time period when the device isn't being used.

If the device isn't being used, then the policy tries to automatically install the
update.
If the device is being used, then end users can choose to install the update, or
defer the installation up to five times. Be sure to encourage your end users to
install updates when they're available.

The following images show the prompts that end users can see when updates are available:

3. If end users use all the deferrals, then the update is force installed. For a forced installation, the restart doesn't prompt the end user, and could result in data loss.

✔️Step 2 - Use a settings catalog policy to automatically install updates

This Intune policy manages how updates are installed.

For example, you can configure the device to automatically install updates, including
app updates, when they're available.

This settings catalog policy works with Step 1 - Use a software update policy to manage
when updates are installed (in this article). It makes sure the devices are checking for
updates and prompting users to install them. End users still need to take action to finish
the installation.

In your settings catalog policy, Microsoft recommends the following settings:

1. In the settings picker, search for software update and select System Updates > Software Update.

2. Select all these settings and close the settings picker.

3. Configure the following settings:

Allow Pre Release Installation: False
Automatic Download: True
Automatically Install App Updates: True
Critical Update Install: True
Restrict Software Update Require Admin To Install: False
Config Data Install: True
Automatically Install MacOS Updates: True
Automatic Check Enabled: True

This policy locks these settings so users can't change them. On the device, the software
update settings are greyed out:

For more information on the settings catalog, including how to create a settings catalog
policy, go to Use the settings catalog to configure settings.
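
The eight settings above are the Intune names for keys in Apple's Software Update payload. As an added example (not code from this article, from Microsoft, or from Apple), the following Python builds the same configuration as a .mobileconfig so you can inspect what the device actually receives, and audits a device's managed preferences against that baseline so drift (an older profile, a missing key) shows up before a report does. The mapping from settings-catalog names to com.apple.SoftwareUpdate keys is an assumption drawn from Apple's payload documentation; confirm it against the profile XML Intune generates for your tenant. The device preferences in the sample are constructed.

```python
"""Build an Apple Software Update profile from the recommended settings and
audit a device against it. Added example for this article; not Intune's,
Apple's, or Microsoft's code."""
import plistlib
import uuid

# Intune settings catalog name (comment) -> key in Apple's com.apple.SoftwareUpdate
# payload (assumption: taken from Apple's Software Update payload documentation;
# confirm against the profile XML Intune generates for your tenant).
RECOMMENDED = {
    "AllowPreReleaseInstallation": False,                        # Allow Pre Release Installation
    "AutomaticDownload": True,                                   # Automatic Download
    "AutomaticallyInstallAppUpdates": True,                      # Automatically Install App Updates
    "CriticalUpdateInstall": True,                               # Critical Update Install
    "restrict-software-update-require-admin-to-install": False,  # Restrict Software Update Require Admin To Install
    "ConfigDataInstall": True,                                   # Config Data Install
    "AutomaticallyInstallMacOSUpdates": True,                    # Automatically Install MacOS Updates
    "AutomaticCheckEnabled": True,                               # Automatic Check Enabled
}


def build_profile(org_prefix, settings=RECOMMENDED):
    """Return a .mobileconfig (XML plist) carrying `settings` as a device-level
    (System scope) payload, which is what makes them greyed out for users."""
    payload = {
        "PayloadType": "com.apple.SoftwareUpdate",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.softwareupdate",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Software Update",
        **settings,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"{org_prefix}.softwareupdate.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed software updates",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(data):
    """Parse a .mobileconfig back into a dict (for inspection or tests)."""
    return plistlib.loads(data)


def audit(managed_prefs, baseline=RECOMMENDED):
    """Compare a device's managed preferences (the contents of
    /Library/Managed Preferences/com.apple.SoftwareUpdate.plist, where MDM-managed
    preferences land) with the baseline. Returns {key: (expected, actual)} for each
    deviation. A key that is missing is a deviation too: an unmanaged key is one
    the user can still change."""
    return {key: (want, managed_prefs.get(key))
            for key, want in baseline.items()
            if managed_prefs.get(key) != want}


# Constructed sample: a device still carrying an older profile that never enforced
# macOS auto-install and left pre-release (beta) installation enabled.
SAMPLE_DEVICE_PREFS = {
    "AutomaticCheckEnabled": True,
    "AutomaticDownload": True,
    "AutomaticallyInstallAppUpdates": True,
    "CriticalUpdateInstall": True,
    "ConfigDataInstall": True,
    "restrict-software-update-require-admin-to-install": False,
    "AllowPreReleaseInstallation": True,
}

if __name__ == "__main__":
    print(build_profile("com.contoso.mdm").decode())
    for key, (want, got) in audit(SAMPLE_DEVICE_PREFS).items():
        print(f"DRIFT {key}: expected {want!r}, device has {got!r}")
```

On a managed Mac, `sudo defaults read "/Library/Managed Preferences/com.apple.SoftwareUpdate"` prints the values the device is actually enforcing; convert that output to a dict and pass it to `audit()`. Treating a missing key as drift is deliberate: a setting the profile doesn't manage is one the user can flip back in System Settings.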

✔️Step 3 - Consider using the Nudge community tool

This tool is optional, and can help you manage the end user experience.

A popular tool within the Microsoft macOS admin community is Nudge. Nudge is an
open source tool that encourages end users to install macOS updates. It provides a
rich configuration experience for admins.

When Nudge is configured and deployed, end users see the following sample message
when their device is ready to be updated. End users can also choose to update the
device or defer the update:

There's also a sample script and Intune configuration policy for Nudge in the
Microsoft shell script repository. This script includes everything you need to get started
with Nudge. Make sure you update the .mobileconfig file with your values.

Use built-in reporting for update status

After the update policies are deployed, in the Microsoft Intune admin center, you can use the reporting feature to check the status of the updates.

For each device, you can see its current state of updates (Devices > macOS > select a
device > Update policies for macOS):

Next steps
Software updates planning guide for BYOD and personal devices in Microsoft
Intune
Software updates planning guide for managed Android Enterprise devices in
Microsoft Intune
Software updates planning guide and scenarios for supervised iOS/iPadOS devices
in Microsoft Intune
Intune network configuration requirements and bandwidth
Article • 02/21/2023

You can use this information to understand bandwidth requirements for your Intune
deployments.

Average network traffic

This table lists the approximate size and frequency of common content that travels across the network for each client.

Note

To ensure devices receive the updates and content from Intune, they must periodically connect to the Internet. The time required to receive updates or content can vary, but they should remain continuously connected to the Internet for at least one hour each day.

| Content type | Approximate size | Frequency and details |
|---|---|---|
| Intune client installation | 125 MB | One time. The size of the client download varies depending on the operating system of the client computer. |

The following requirements are in addition to the Intune client installation.

| Content type | Approximate size | Frequency and details |
|---|---|---|
| Client enrollment package | 15 MB | One time. Additional downloads are possible when there are updates for this content type. |
| Endpoint Protection agent | 65 MB | One time. Additional downloads are possible when there are updates for this content type. |
| Operations Manager agent | 11 MB | One time. Additional downloads are possible when there are updates for this content type. |
| Policy agent | 3 MB | One time. Additional downloads are possible when there are updates for this content type. |
| Remote Assistance via Microsoft Easy Assist agent | 6 MB | One time. Additional downloads are possible when there are updates for this content type. |
| Daily client operations | 6 MB | Daily. The Intune client regularly communicates with the Intune service to check for updates and policies, and to report the client's status to the service. |
| Endpoint Protection malware definition updates | Varies; typically 40 KB to 2 MB | Daily, up to three times a day. |
| Endpoint Protection engine update | 5 MB | Monthly |
| Software updates | Varies; the size depends on the updates you deploy. | Monthly. Typically, software updates release on the second Tuesday of each month. A newly enrolled or deployed computer can use more network bandwidth while downloading the full set of previously released updates. |
| Service packs | Varies; the size varies for each service pack you deploy. | Varies; depends on when you deploy service packs. |
| Software distribution | Varies; the size depends on the software you deploy. | Varies; depends on when you deploy software. |

Ways to reduce network bandwidth use
You can use one or more of the following methods to reduce network bandwidth use for
Intune clients.

Use a proxy server to cache content requests

A proxy server can cache content to reduce duplicate downloads and the network bandwidth consumed by content from the Internet.

A caching proxy server that receives content requests from clients can retrieve that
content and cache both web responses and downloads. The server uses cached data to
answer subsequent requests from clients.

The following are typical settings to use for a proxy server that caches content for Intune
clients.

| Setting | Recommended value | Details |
|---|---|---|
| Cache size | 5 GB to 30 GB | The value varies based on the number of client computers in your network and the configurations you use. To prevent files from being deleted too soon, adjust the size of the cache for your environment. |
| Individual cache file size | 950 MB | This setting might not be available in all caching proxy servers. |
| Object types to cache | HTTP, HTTPS, BITS | Intune packages are CAB files retrieved by Background Intelligent Transfer Service (BITS) download over HTTP. |

Note

If you use a proxy server to cache content requests, communication is only encrypted between the client and the proxy and from the proxy to Intune. The connection from the client to Intune isn't encrypted end-to-end: the proxy decrypts and re-encrypts the traffic, so it can read and alter everything that passes through it. Treat the caching proxy as a trusted component and harden and monitor it accordingly.

For information about using a proxy server to cache content, see the documentation for
your proxy server solution.
Delivery Optimization
Delivery Optimization lets you use Intune to reduce bandwidth consumption when your
Windows 10 devices download applications and updates. By using a self-organizing
distributed cache, downloads can be pulled from traditional servers and alternate
sources (like network peers).

To see the full list of Windows 10 versions and content types supported by Delivery
Optimization, see the Delivery Optimization for Windows 10 updates article.

You can set up Delivery Optimization as part of your device configuration profiles.

Background Intelligent Transfer Service (BITS) and BranchCache
You can use Microsoft Intune to manage Windows PCs either as mobile devices with
mobile device management (MDM) or as computers with the Intune software client.
Microsoft recommends that customers use the MDM management solution whenever
possible. When managed this way, BranchCache and BITS aren't supported. For more
information, see Compare managing Windows PCs as computers or mobile devices.

Use BITS on computers (requires Intune software client)

During hours that you configure, you can use BITS on a Windows computer to reduce the network bandwidth. You can configure the BITS policy on the Network bandwidth page of the Intune Agent policy.

Note

For MDM management on Windows, only the OS's management interface for the MobileMSI app type uses BITS to download. AppX/MSIX use their own non-BITS download stack and Win32 apps via the Intune agent use Delivery Optimization rather than BITS.

To learn more about BITS and Windows computers, see Background Intelligent Transfer
Service in the TechNet Library.

Use BranchCache on computers (requires Intune software client)

Intune clients can use BranchCache to reduce wide area network (WAN) traffic. The
following operating systems support BranchCache:
Windows 7
Windows 8.0
Windows 8.1
Windows 10

To use BranchCache, the client computer must have BranchCache enabled, and then be
configured for distributed cache mode.

When the Intune client is installed on computers, BranchCache and distributed cache
mode are enabled by default. However, if Group Policy has disabled BranchCache,
Intune doesn't override that policy and BranchCache remains disabled.

If you use BranchCache, work with other administrators in your organization to manage
Group Policy and Intune Firewall policy. Ensure they don't deploy policy that disables
BranchCache or Firewall exceptions. For more about BranchCache, see BranchCache
Overview.

Next steps
Review endpoints for Intune
Using Windows 10 virtual machines with Intune
Article • 03/02/2023

Intune supports managing virtual machines running Windows 10 Enterprise with certain
limitations. Intune management doesn't depend on, or interfere with Azure Virtual
Desktop management of the same virtual machine.

Enrollment
We recommend that you don't use Intune to manage on-demand, session-host
virtual machines, also known as non-persistent virtual desktop infrastructure (VDI).
Each VM must be enrolled when it's created. Also, regularly deleting VMs will leave
orphaned device records in Intune until they're cleaned up.
Windows Autopilot Self-deploying and pre-provisioning deployment types aren't
supported because they require a physical Trusted Platform Module (TPM).
Out of Box Experience (OOBE) enrollment isn't supported on VMs that can only be
accessed by using RDP (such as VMs that are hosted on Azure). This restriction
means:
Windows Autopilot and Commercial OOBE aren't supported.
Enrollment Status Page isn't supported.

Configuration
Intune doesn't support any configuration that utilizes a Trusted Platform Module or
hardware management, including:

BitLocker settings
Device Firmware Configuration Interface settings

Reporting
Intune automatically detects virtual machines and reports them as "Virtual Machine" in
Devices > All devices > choose a device > Overview > Model field.

Deallocated virtual machines may contribute to noncompliant device reports because they're unable to check in with the Intune service.

Retirement
If you only have RDP access, don't use the Wipe action. The Wipe action will delete the
virtual machine's RDP settings and prevent you from ever connecting again.
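
Both of those behaviors show up the same way in the device list: a record with Model "Virtual Machine" that reports noncompliant and has stopped syncing. As an added example, not code from this article or from Microsoft, the following Python separates VM records that have gone silent (probably deallocated, or already deleted in Azure and waiting for the tenant's cleanup rules) from VMs that still check in but genuinely fail compliance, so remediation effort isn't spent on machines that no longer exist. The input is a constructed sample in the shape of one page from Microsoft Graph's GET /deviceManagement/managedDevices; the property names are real managedDevice properties, while the device values and the 30-day threshold are assumptions.

```python
"""Triage Intune device records for Azure-hosted VMs. Added example for this
article; not Intune's or Microsoft's code."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of one page of GET /deviceManagement/managedDevices.
# The property names are real managedDevice properties; the values are made up.
SAMPLE_DEVICES = [
    {"id": "d1", "deviceName": "AVD-PERSONAL-01", "model": "Virtual Machine",
     "complianceState": "noncompliant", "lastSyncDateTime": "2023-03-01T08:00:00Z"},
    {"id": "d2", "deviceName": "AVD-PERSONAL-02", "model": "Virtual Machine",
     "complianceState": "noncompliant", "lastSyncDateTime": "2023-01-10T08:00:00Z"},
    {"id": "d3", "deviceName": "AVD-PERSONAL-03", "model": "Virtual Machine",
     "complianceState": "compliant", "lastSyncDateTime": "2023-03-01T07:30:00Z"},
    {"id": "d4", "deviceName": "LAPTOP-17", "model": "Surface Laptop 4",
     "complianceState": "noncompliant", "lastSyncDateTime": "2022-12-01T08:00:00Z"},
]

# Fixed reference time so the sample gives the same answer every run; use
# datetime.now(timezone.utc) against live data.
NOW = datetime(2023, 3, 2, tzinfo=timezone.utc)


def _parse_graph_time(value):
    """Graph returns ISO 8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_vms(devices, now=NOW, stale_days=30):
    """Split noncompliant VM records (model == "Virtual Machine") into:
      stale  - no check-in for `stale_days`: likely deallocated or already deleted
               in Azure, noncompliant only because it can't reach the service, and a
               candidate for the tenant's cleanup rules rather than remediation;
      active - checked in recently but still noncompliant: a real policy failure.
    The 30-day threshold is an assumption; align it with your cleanup rules."""
    result = {"stale": [], "active": []}
    for device in devices:
        if device.get("model") != "Virtual Machine":
            continue
        if device.get("complianceState") != "noncompliant":
            continue
        age = now - _parse_graph_time(device["lastSyncDateTime"])
        bucket = "stale" if age > timedelta(days=stale_days) else "active"
        result[bucket].append(device["deviceName"])
    return result


if __name__ == "__main__":
    for bucket, names in triage_vms(SAMPLE_DEVICES).items():
        print(f"{bucket}: {', '.join(names) or '(none)'}")
```

Against a live tenant, page through the listing by following `@odata.nextLink` and feed every page's `value` array to `triage_vms()`; a stale VM that still has a running Azure resource is the interesting case, because it means the agent, not the VM, has stopped reporting.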

Next steps
Learn about using Azure Virtual Desktop with Intune
Using Azure Virtual Desktop with Intune
Article • 02/21/2023

Azure Virtual Desktop is a desktop and app virtualization service that runs on Microsoft
Azure. It lets end users connect securely to a full desktop from any device. With
Microsoft Intune, you can secure and manage your Azure Virtual Desktop VMs with
policy and apps at scale, after they're enrolled.

Prerequisites
Currently, for single-session, Intune supports Azure Virtual Desktop VMs that are:

Running Windows 10 Enterprise, version 1809 or later, or running Windows 11.
Set up as personal remote desktops in Azure.
Hybrid Azure AD-joined and enrolled in Intune in one of the following methods:
Configure Active Directory group policy to automatically enroll devices that are hybrid Azure AD joined.
Configuration Manager co-management.
User self-enrollment via Azure AD Join.
Azure AD-joined and enrolled in Intune by enabling Enroll the VM with Intune in the Azure portal.

For more information on Azure Virtual Desktop licensing requirements, see What is
Azure Virtual Desktop?.

For information about working with multi-session remote desktops, see Windows 10 or
Windows 11 Enterprise multi-session remote desktops.

Intune treats Azure Virtual Desktop personal VMs the same as Windows 10 or Windows
11 Enterprise physical desktops. This treatment lets you use some of your existing
configurations and secure the VMs with compliance policy and conditional access.
Intune management doesn't depend on or interfere with Azure Virtual Desktop
management of the same virtual machine.

Limitations
There are some limitations to keep in mind when managing Windows 10 Enterprise
remote desktops:

Configuration
All VM limitations listed in Using Windows 10 virtual machines also apply to Azure
Virtual Desktop VMs.

Also, the following profiles aren't currently supported:

Domain Join
Wi-Fi

Make sure that the RemoteDesktopServices/AllowUsersToConnectRemotely policy isn't disabled.

Note

Configuration and compliance policies for Secure Boot and features leveraging vTPM (Virtual Trusted Platform Module) are not supported at this time for Azure Virtual Desktop VMs.

Remote actions
The following Windows 10 desktop device remote actions aren't
supported/recommended for Azure Virtual Desktop VMs:

Autopilot reset
BitLocker key rotation
Fresh Start
Remote lock
Reset password
Wipe

Retirement
Deleting VMs from Azure leaves orphaned device records in Intune. They'll be
automatically cleaned up according to the cleanup rules configured for the tenant.

Known issues
The following table provides a set of known issues along with more information about
each issue.

| Issue | More information |
|---|---|
| Cannot auto-enroll if tenant has more than one MDM provider | This issue will be fixed in the future. |
| Modern apps, such as Universal Windows Platform (UWP) apps, are not working correctly if FSLogix is configured | Using FSLogix and Modern apps could cause compatibility issues. We recommend that you don't configure Modern apps when FSLogix is configured. |

Next steps
Learn more about Azure Virtual Desktops.
Use Azure Virtual Desktop multi-session with Intune
Windows 10 or Windows 11 Enterprise multi-session remote desktops
Article • 07/21/2023

Azure Virtual Desktop multi-session with Microsoft Intune is now generally available.

You can now use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise
multi-session remote desktops in the Microsoft Intune admin center just as you can
manage a shared Windows 10 or Windows 11 client device. When managing such virtual
machines (VMs), you'll be able to use both device-based configuration targeted to
devices or user-based configuration targeted to users.

Windows 10 or Windows 11 Enterprise multi-session is a new Remote Desktop Session Host exclusive to Azure Virtual Desktop on Azure. It provides the following benefits:

Allows multiple concurrent user sessions.
Gives users a familiar Windows 10 or Windows 11 experience.
Supports use of existing per-user Microsoft 365 licensing.

You can manage Windows 10 and Windows 11 Enterprise multi-session VMs created in
Azure Government Cloud in US Government Community (GCC), GCC High, and DoD.

Important

Microsoft Intune support for Azure Virtual Desktop multi-session is not currently available for Citrix DaaS and VMware Horizon Cloud.

Overview
Device configuration support in Microsoft Intune for Windows 10 or Windows 11
Enterprise multi-session is generally available (GA). This means policies defined in the
OS scope and apps configured to install in the system context can be applied to Azure
Virtual Desktop multi-session VMs when assigned to device groups.

Note

Device-based configuration cannot be assigned to users and user-based configuration cannot be assigned to devices. It will be reported as Error or Not applicable.

User configuration support in Microsoft Intune for Windows 10 or Windows 11 multi-session VMs is generally available. With this you are able to:

Configure user scope policies using Settings catalog and assign to groups of
users. You can use the search bar to search all configurations with scope set to
"user".

Configure user certificates and assign to users.

Configure PowerShell scripts to install in the user context and assign to users.

Prerequisites
This feature supports Windows 10 or Windows 11 Enterprise multi-session VMs, which
are:

Running Windows 10 multi-session, version 1903 or later, or running Windows 11 multi-session.
Set up as remote desktops in pooled host pools that have been deployed through
Azure Resource Manager.
Running an Azure Virtual Desktop agent version of 1.0.2944.1400 or later.
Hybrid Azure AD-joined and enrolled in Microsoft Intune using one of the
following methods:
Configured with Active Directory group policy, set to use Device credentials, and
set to automatically enroll devices that are Hybrid Azure AD-joined.
Configuration Manager co-management.
Azure AD-joined and enrolled in Microsoft Intune by enabling Enroll the VM with
Intune in the Azure portal.
Licensing: The appropriate Azure Virtual Desktop and Microsoft Intune license is
required if a user or device benefits directly or indirectly from the Microsoft Intune
service, including access to the Microsoft Intune service through a Microsoft API.
For more information, go to Microsoft Intune licensing.

Note

If you're joining session hosts to Azure Active Directory Domain Services, you can't manage them using Intune.

Important

If you're using Windows 10, versions 2004, 20H2, or 21H1 builds, make sure that you install the July 2021 Windows Update or a later Windows update. Otherwise, remote actions in the Microsoft Intune admin center, like remote sync, won't work correctly. As a result, pending policies assigned to devices might take up to 8 hours to be applied.

Intune does not currently support token roaming functionality between devices. If FSLogix, or a similar technology, is used to manage Windows user profiles and settings, you must ensure that tokens are not unexpectedly roamed or duplicated across devices. To confirm that you are running a supported version and configuration of FSLogix with token roaming disabled, please see the FSLogix RoamIdentity Configuration Settings Reference.

See What is Azure Virtual Desktop? for more information about Azure Virtual Desktop
licensing requirements.

Windows 10 or Windows 11 Enterprise multi-session VMs are treated as a separate OS edition and some Windows 10 or Windows 11 Enterprise configurations won't be supported for this edition. Using Microsoft Intune doesn't depend on or interfere with Azure Virtual Desktop management of the same VM.

Create the configuration profile

To configure configuration policies for Windows 10 or Windows 11 Enterprise multi-session VMs, you'll need to use the Settings catalog in the Microsoft Intune admin center.

The existing device configuration profile templates aren't supported for Windows 10 or
Windows 11 Enterprise multi-session VMs, except for the following templates:

Trusted certificate - Device (machine) when targeting devices and User when
targeting users
SCEP certificate - Device (machine) when targeting devices and User when
targeting users
PKCS certificate - Device (machine) when targeting devices and User when
targeting users
VPN - Device Tunnel only

Microsoft Intune won't deliver unsupported templates to multi-session devices, and those policies appear as Not applicable in reports.

Note

If you use co-management for Intune and Configuration Manager, in Configuration Manager, set the workload slider for Resource Access Policies to Intune or Pilot Intune. This setting allows Windows 10 and Windows 11 clients to start the process of requesting the certificate.

To configure policies
1. Sign in to the Microsoft Intune admin center and choose Devices > Windows >
Configuration profiles > Create Profile.
2. For Platform, select Windows 10 and later.
3. For Profile type, select Settings catalog, or, when you deploy settings by using a template, select Templates and then the name of the supported template.
4. Select Create.
5. On the Basics page, provide a Name and (optionally) Description > Next.
6. On the Configuration settings page, select Add settings.
7. Under Settings picker, select Add filter and select the following options:

Key: OS edition
Operator: ==
Value: Enterprise multi-session
Select Apply. The filtered list now shows all configuration profile categories
that support Windows 10 or Windows 11 Enterprise multi-session. The scope
for a policy is shown in parentheses. For user scope it shows as (User) and all
the rest are policies with device scope.

8. From the filtered list, pick the categories that you want.

For each category you pick, select the settings that you want to apply to your
new configuration profile.
For each setting, select the value that you want for this configuration profile.

9. Select Next when you're done adding settings.
10. On the Assignments page, choose the Azure AD groups containing the devices to which you want this profile assigned > Next.
11. On the Scope tags page, optionally add the scope tags you want to apply to this profile > Next. For more information about scope tags, see Use role-based access control and scope tags for distributed IT.
12. On the Review + create page, choose Create to create the profile.

Administrative templates
Windows 10 or Windows 11 Administrative Templates are supported for Windows 10 or
Windows 11 Enterprise multi-session via the Settings catalog with some limitations:

ADMX-backed policies are supported. Some policies aren't yet available in the
Settings catalog.
ADMX-ingested policies are supported, including Office and Microsoft Edge
settings available in Office administrative template files and Microsoft Edge
administrative template files. For a complete list of ADMX-ingested policy
categories, see Win32 and Desktop Bridge app policy configuration. Some ADMX
ingested settings won't be applicable to Windows 10 or Windows 11 Enterprise
multi-session.

Compliance and Conditional access

You can secure your Windows 10 or Windows 11 Enterprise multi-session VMs by
configuring compliance policies and Conditional Access policies in the Microsoft Intune
admin center. The following compliance policies are supported on Windows 10 or
Windows 11 Enterprise multi-session VMs:

Minimum OS version
Maximum OS version
Valid operating system builds
Simple passwords
Password type
Minimum password length
Password Complexity
Password expiration (days)
Number of previous passwords to prevent reuse
Microsoft Defender Antimalware
Microsoft Defender Antimalware security intelligence up-to-date
Firewall
Antivirus
Antispyware
Real-time protection
Microsoft Defender Antimalware minimum version
Defender ATP Risk score

All other policies report as Not applicable.

Important

You'll need to create a new compliance policy and target it to the device group containing your multi-session VMs. User-targeted compliance configurations aren't supported.

Conditional Access policies support both user and device based configurations for
Windows 10 or Windows 11 Enterprise multi-session.

Note

Conditional Access for Exchange on-premises isn't supported for Windows 10 or Windows 11 Enterprise multi-session VMs.

Note

Configuration and compliance policies for BitLocker, Secure Boot, and features leveraging vTPM (Virtual Trusted Platform Module) are not supported at this time for Azure Virtual Desktop VMs.

Endpoint security
You can configure profiles under Endpoint security for multi-session VMs by selecting
Platform Windows 10, Windows 11, and Windows Server. If that Platform is not
available, the profile is not supported on multi-session VMs.

For more information, see Manage device security with endpoint security policies in
Microsoft Intune

Application deployment
All Windows 10 or Windows 11 apps can be deployed to Windows 10 or Windows 11
Enterprise multi-session with the following restrictions:

All apps must be configured to install in the system/device context and be targeted to devices. Web apps are always applied in the user context by default so they won't apply to multi-session VMs.
All apps must be configured with Required or Uninstall app assignment intent. The
Available apps deployment intent isn't supported on multi-session VMs.
If a Win32 app configured to install in the system context has dependencies or
supersedence relationship on any apps configured to install in the user context,
the app won't be installed. To apply to a Windows 10 or Windows 11 Enterprise
multi-session VM, create a separate instance of the system context app or make
sure all app dependencies are configured to install in the system context.
Azure Virtual Desktop RemoteApp and MSIX app attach aren't currently supported
in Microsoft Intune.

Script deployment
Scripts configured to run in the system context and assigned to devices are supported
on Windows 10 or Windows 11 Enterprise multi-session. This can be configured under
Script settings by setting Run this script using the logged on credentials to No.

Scripts configured to run in the user context and assigned to users are supported on
Windows 10 and Windows 11 Enterprise multi-session. This can be configured under
Script settings by setting Run this script using the logged on credentials to Yes.

Windows Update for Business
You can use the settings catalog to manage Windows Update settings for quality
(security) updates for Windows 10 or Windows 11 Enterprise multi-session VMs. To find
the supported settings in the catalog, configure a settings filter for Enterprise multi-
session and then expand the Windows Update for Business category.

The following settings are available in the catalog, with the links opening the Windows
CSP documentation:

Active Hours End
Active Hours Max Range
Active Hours Start
Block "Pause Updates" ability
Configure Deadline Grace Period
Defer Quality Updates Period (Days)
Pause Quality Updates Start Time
Quality Update Deadline Period (Days)

Remote actions
The following Windows 10 or Windows 11 desktop device remote actions aren't
supported and will be grayed out in the UI and disabled in Graph for Windows 10 or
Windows 11 Enterprise multi-session VMs:

Autopilot reset
BitLocker key rotation
Fresh Start
Remote lock
Reset password
Wipe

Retirement
Deleting VMs from Azure will leave orphaned device records in the Microsoft Intune
admin center. They'll be automatically cleaned up according to the cleanup rules
configured for the tenant.

Security baselines
Security baselines aren't available for Windows 10 or Windows 11 Enterprise multi-
session at this time. We recommend that you review the Available security baselines and
configure the recommended policies and values in the Settings catalog.

Additional configurations that aren't supported on Windows 10 or Windows 11 Enterprise multi-session VMs
Out of Box Experience (OOBE) enrollment isn't supported for Windows 10 or Windows 11
Enterprise multi-session. This restriction means that:

Windows Autopilot and Commercial OOBE aren't supported.
Enrollment status page isn't supported.

Windows 10 or Windows 11 Enterprise multi-session managed by Microsoft Intune isn't
currently supported for China Sovereign Cloud.

Troubleshooting
The following sections provide troubleshooting guidance for common issues.

Enrollment issues

Issue: Enrollment of hybrid Azure AD joined virtual machine fails
Detail:
Auto-enrollment is configured to use user credentials. Windows 10 or Windows 11 Enterprise multi-session virtual machines must be enrolled using device credentials.
The Azure Virtual Desktop agent you're using must be version 1.0.2944.1400 or later.
You've more than one MDM provider, which isn't supported.
Windows 10 or Windows 11 Enterprise multi-session VM is configured outside of a host pool. Microsoft Intune only supports VMs provisioned as part of a host pool.
The Azure Virtual Desktop host pool wasn't created through the Azure Resource Manager template.

Issue: Enrollment of Azure AD joined virtual machine fails
Detail:
The Azure Virtual Desktop agent you're using isn't updated. The agent must be version 1.0.2944.1400 or above.
Azure Virtual Desktop host pool wasn't created through the Azure Resource Manager template.

Configuration issues

Issue: Settings catalog policy fails
Detail: Confirm the VM is enrolled using device credentials. Enrollment with user credentials isn't currently supported for Windows 10 or Windows 11 Enterprise multi-session.

Issue: Configuration policy didn't apply
Detail: Templates (except for Certificates) aren't supported on Windows 10 or Windows 11 Enterprise multi-session. All policies must be created via the settings catalog.

Issue: Configuration policy reports as Not applicable
Detail: Some policies aren't applicable to Azure Virtual Desktop VMs.

Issue: Microsoft Edge/Microsoft Office ADMX policy doesn't show up when I apply the filter for Windows 10 or Windows 11 Enterprise multi-session edition
Detail: Applicability for these settings isn't based on the Windows version or edition but on whether those apps have been installed on the device. To add these settings to your policy, you may have to remove any filters applied in the settings picker.

Issue: App configured to install in system context didn't apply
Detail: Confirm the app doesn't have a dependency or supersedence relationship on any apps configured to install in user context. User context apps aren't currently supported on Windows 10 or Windows 11 Enterprise multi-session.

Issue: Update rings for Windows 10 and later policy didn't apply
Detail: Windows Update for Business policies aren't currently supported.

Next steps
Learn more about Azure Virtual Desktops.
Network endpoints for Microsoft Intune
Article • 08/10/2023

This article lists IP addresses and port settings needed for proxy settings in your
Microsoft Intune deployments.

As a cloud-only service, Intune doesn't require an on-premises infrastructure such as
servers or gateways.

Access for managed devices
To manage devices behind firewalls and proxy servers, you must enable communication
for Intune.

Note

The information in this section also applies to the Microsoft Intune Certificate
Connector. The connector has the same network requirements as managed
devices.

The endpoints in this article should be accessible via TCP port 80 and 443 via
whatever method you use to allow access. Windows Information Protection uses
port 444.

For some tasks, Intune requires unauthenticated proxy server access to
manage.microsoft.com, *.azureedge.net, and graph.microsoft.com.

Note

The inspection of SSL traffic is not supported on 'manage.microsoft.com',
'a.manage.microsoft.com', or 'dm.microsoft.com' endpoints.

Note

Allow HTTP Partial response is required for Scripts & Win32 Apps endpoints.

You can modify proxy server settings on individual client computers. You can also use
Group Policy settings to change settings for all client computers located behind a
specified proxy server.

Managed devices require configurations that let All Users access services through
firewalls.

To make it easier to configure services through firewalls, we have onboarded with the
Office 365 Endpoint service. At this time, the Intune services are accessed through a
PowerShell script. There are other dependent services for Intune, which are already
covered as part of the Microsoft 365 Service and are marked as 'required'. Services
already covered by Microsoft 365 aren't included in the script to avoid duplication. By
using the following PowerShell script, you can retrieve the list of IP addresses for the
Intune service. This provides the same list as the subnets indicated in the IP address
table below.

PowerShell

(Invoke-RestMethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM`&`clientrequestid=" + ([GUID]::NewGuid()).Guid)) |
    Where-Object { $_.ServiceArea -eq "MEM" -and $_.ips } |
    Select-Object -Unique -ExpandProperty ips

By using the following PowerShell script, you can retrieve the list of FQDNs used by
Intune and dependent services.

PowerShell

(Invoke-RestMethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM`&`clientrequestid=" + ([GUID]::NewGuid()).Guid)) |
    Where-Object { $_.ServiceArea -eq "MEM" -and $_.urls } |
    Select-Object -Unique -ExpandProperty urls

The script provides a convenient method to list and review all services required by
Intune and Autopilot in one location. Additional properties can be returned from the
endpoint service such as the category property, which indicates whether the FQDN or IP
should be configured as Allow, Optimize or Default.
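As an added example (not Microsoft's code and not part of this article), the following Python script performs the same selection as the two one-liners above against the endpoint service's JSON and then audits an existing firewall or proxy allowlist against it: which required FQDN patterns and subnets are not covered (with wildcard-aware matching), and which required patterns cover a hostname this article says must not be SSL-inspected, so a proxy bypass rule can be written for them. The endpoint records, the allowlist and the CIDRs in it are constructed samples; a real run feeds it the JSON returned by the endpoints.office.com URL the one-liners query.

```python
"""Audit a proxy/firewall allowlist against the Office 365 endpoint service output.

Added example, not Microsoft's code. The records below are constructed samples in
the shape the endpoint service returns (serviceArea, urls, ips, tcpPorts, category,
required); real input is the JSON the article's PowerShell one-liners download.
"""
import ipaddress
import json

# Constructed sample of endpoint-service records (not real service output).
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 163, "serviceArea": "MEM", "category": "Allow", "required": True,
     "tcpPorts": "80,443",
     "urls": ["*.manage.microsoft.com", "manage.microsoft.com"],
     "ips": ["104.46.162.96/27", "13.67.13.176/28"]},
    {"id": 164, "serviceArea": "MEM", "category": "Default", "required": True,
     "tcpPorts": "80,443",
     "urls": ["*.dl.delivery.mp.microsoft.com", "*.windowsupdate.com"]},
    {"id": 56, "serviceArea": "Common", "category": "Allow", "required": True,
     "tcpPorts": "80,443", "urls": ["login.microsoftonline.com"],
     "ips": ["20.190.128.0/18"]},
])

# Hostnames the article says must not be SSL-inspected.
NO_TLS_INSPECTION = ("manage.microsoft.com", "a.manage.microsoft.com", "dm.microsoft.com")


def load_records(text=SAMPLE_ENDPOINTS_JSON):
    """Parse endpoint-service JSON (the constructed sample by default) into a list."""
    return json.loads(text)


def service_area_endpoints(records, service_area="MEM"):
    """Same selection as the article's one-liners: (urls, ips) for one service area."""
    urls, ips = set(), set()
    for rec in records:
        if rec.get("serviceArea") == service_area:
            urls.update(rec.get("urls", []))   # some records carry only urls
            ips.update(rec.get("ips", []))
    return sorted(urls), sorted(ips)


def fqdn_covered(allow_entry, required):
    """True if one allowlist entry covers a required FQDN pattern.

    '*.microsoft.com' covers 'manage.microsoft.com' and '*.manage.microsoft.com';
    'manage.microsoft.com' does not cover '*.manage.microsoft.com'; and a wildcard
    never covers its own apex ('*.microsoft.com' does not cover 'microsoft.com').
    """
    a, r = allow_entry.lower(), required.lower()
    if a == r:
        return True
    if a.startswith("*."):
        base = r[2:] if r.startswith("*.") else r
        return base.endswith(a[1:])          # a[1:] is the ".suffix" part
    return False


def subnet_covered(allow_cidrs, required_cidr):
    """True if some allowlist CIDR contains the whole required subnet."""
    req = ipaddress.ip_network(required_cidr, strict=False)
    nets = (ipaddress.ip_network(c, strict=False) for c in allow_cidrs)
    return any(req.subnet_of(n) for n in nets if n.version == req.version)


def audit_allowlist(records, allowed_fqdns, allowed_cidrs, service_area="MEM"):
    """Return missing FQDN patterns, missing subnets and inspection-exempt patterns.

    'no_inspect' lists required patterns that cover a hostname in NO_TLS_INSPECTION,
    i.e. entries that need a proxy bypass rule rather than an inspected allow rule.
    """
    urls, ips = service_area_endpoints(records, service_area)
    missing_fqdns = [u for u in urls
                     if not any(fqdn_covered(a, u) for a in allowed_fqdns)]
    missing_subnets = [i for i in ips if not subnet_covered(allowed_cidrs, i)]
    no_inspect = [u for u in urls
                  if any(fqdn_covered(u, h) for h in NO_TLS_INSPECTION)]
    return {"missing_fqdns": missing_fqdns, "missing_subnets": missing_subnets,
            "no_inspect": no_inspect}


if __name__ == "__main__":
    # Constructed allowlist: covers the Intune service hosts but forgot Delivery
    # Optimization and one of the Intune subnets.
    report = audit_allowlist(
        load_records(),
        ["*.manage.microsoft.com", "manage.microsoft.com", "*.windowsupdate.com"],
        ["104.46.162.0/24"])
    print(json.dumps(report, indent=2))
```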

You'll also need FQDNs that are covered as part of Microsoft 365 Requirements. For
reference, the following table is the list of URLs returned, and the service they're tied to.

FQDN  Associated Service

*.manage.microsoft.com  Intune Service
manage.microsoft.com  Intune Service
*.prod.do.dsp.mp.microsoft.com  Windows Update and Delivery Optimization
*.windowsupdate.com  Windows Update and Delivery Optimization
*.dl.delivery.mp.microsoft.com  Windows Update and Delivery Optimization
*.update.microsoft.com  Windows Update and Delivery Optimization
*.delivery.mp.microsoft.com  Windows Update and Delivery Optimization
tsfe.trafficshaping.dsp.mp.microsoft.com  Windows Update and Delivery Optimization
emdl.ws.microsoft.com  Delivery Optimization
*.do.dsp.mp.microsoft.com  Delivery Optimization
*.emdl.ws.microsoft.com  Delivery Optimization
*.notify.windows.com  Push Notifications
*.wns.windows.com  Push Notifications
devicelistenerprod.microsoft.com  Windows Update for Business deployment service
devicelistenerprod.eudb.microsoft.com  Windows Update for Business deployment service
login.windows.net  Windows Update for Business deployment service
payloadprod*.blob.core.windows.net  Windows Update for Business deployment service
time.windows.com  NTP Sync
www.msftconnecttest.com  NTP Sync
www.msftncsi.com  NTP Sync
*.s-microsoft.com  Windows Notifications & Store
clientconfig.passport.net  Windows Notifications & Store
windowsphone.com  Windows Notifications & Store
approdimedatahotfix.azureedge.net  Scripts & Win32 Apps
approdimedatapri.azureedge.net  Scripts & Win32 Apps
approdimedatasec.azureedge.net  Scripts & Win32 Apps
euprodimedatahotfix.azureedge.net  Scripts & Win32 Apps
euprodimedatapri.azureedge.net  Scripts & Win32 Apps
euprodimedatasec.azureedge.net  Scripts & Win32 Apps
naprodimedatahotfix.azureedge.net  Scripts & Win32 Apps
naprodimedatapri.azureedge.net  Scripts & Win32 Apps
swda01-mscdn.azureedge.net  Scripts & Win32 Apps
swda02-mscdn.azureedge.net  Scripts & Win32 Apps
swdb01-mscdn.azureedge.net  Scripts & Win32 Apps
swdb02-mscdn.azureedge.net  Scripts & Win32 Apps
swdc01-mscdn.azureedge.net  Scripts & Win32 Apps
swdc02-mscdn.azureedge.net  Scripts & Win32 Apps
swdd01-mscdn.azureedge.net  Scripts & Win32 Apps
swdd02-mscdn.azureedge.net  Scripts & Win32 Apps
swdin01-mscdn.azureedge.net  Scripts & Win32 Apps
swdin02-mscdn.azureedge.net  Scripts & Win32 Apps
ekcert.spserv.microsoft.com  Autopilot Self-deploy
ekop.intel.com  Autopilot Self-deploy
ftpm.amd.com  Autopilot Self-deploy
*.itunes.apple.com  Apple Device Management
*.mzstatic.com  Apple Device Management
*.phobos.apple.com  Apple Device Management
5-courier.push.apple.com  Apple Device Management
ax.itunes.apple.com.edgesuite.net  Apple Device Management
itunes.apple.com  Apple Device Management
ocsp.apple.com  Apple Device Management
phobos.apple.com  Apple Device Management
phobos.itunes-apple.com.akadns.net  Apple Device Management
intunecdnpeasd.azureedge.net
*.channelservices.microsoft.com  Remote Help
*.go-mpulse.net  Remote Help
*.infra.lync.com  Remote Help
*.resources.lync.com  Remote Help
*.support.services.microsoft.com  Remote Help
*.trouter.skype.com  Remote Help
*.vortex.data.microsoft.com  Remote Help
edge.skype.com  Remote Help
remoteassistanceprodacs.communication.azure.com  Remote Help
lgmsapeweu.blob.core.windows.net  Collect Diagnostics
fd.api.orgmsg.microsoft.com  Organizational messages
ris.prod.api.personalization.ideas.microsoft.com  Organizational messages
contentauthassetscdn-prod.azureedge.net  Organizational messages
contentauthassetscdn-prodeur.azureedge.net  Organizational messages
contentauthrafcontentcdn-prod.azureedge.net  Organizational messages
contentauthrafcontentcdn-prodeur.azureedge.net  Organizational messages

The following tables list the ports and services that the Intune client accesses:

Domains  IP address

login.microsoftonline.com
*.officeconfig.msocdn.com
config.office.com
graph.windows.net
enterpriseregistration.windows.net
More information: Office 365 URLs and IP address ranges

*.manage.microsoft.com
manage.microsoft.com
104.46.162.96/27
13.67.13.176/28
13.67.15.128/27
13.69.231.128/28
13.69.67.224/28
13.70.78.128/28
13.70.79.128/27
13.71.199.64/28
13.73.244.48/28
13.74.111.192/27
13.77.53.176/28
13.86.221.176/28
13.89.174.240/28
13.89.175.192/28
20.189.172.160/27
20.189.229.0/25
20.191.167.0/25
20.37.153.0/24
20.37.192.128/25
20.38.81.0/24
20.41.1.0/24
20.42.1.0/24
20.42.130.0/24
20.42.224.128/25
20.43.129.0/24
20.44.19.224/27
20.49.93.160/27
20.192.174.216/29
20.192.159.40/29
20.204.193.12/30
20.204.193.10/31
40.119.8.128/25
40.67.121.224/27
40.70.151.32/28
40.71.14.96/28
40.74.25.0/24
40.78.245.240/28
40.78.247.128/27
40.79.197.64/27
40.79.197.96/28
40.80.180.208/28
40.80.180.224/27
40.80.184.128/25
40.82.248.224/28
40.82.249.128/25
52.150.137.0/25
52.162.111.96/28
52.168.116.128/27
52.182.141.192/27
52.236.189.96/27
52.240.244.160/27

Network requirements for PowerShell scripts and Win32 apps
If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also need to
grant access to endpoints in which your tenant currently resides.

To find your tenant location (or Azure Scale Unit (ASU)), sign in to the Microsoft Intune
admin center , choose Tenant administration > Tenant details. The location is under
Tenant location as something like North America 0501 or Europe 0202. Look for the
matching number in the following table. That row will tell you which storage name and
CDN endpoints to grant access to. The rows are differentiated by geographic region, as
indicated by the first two letters in the names (na = North America, eu = Europe, ap =
Asia Pacific). Your tenant location is one of these three regions although your
organization’s actual geographic location might be elsewhere.

Azure Scale Unit (ASU)  Storage name  CDN

North America (na)
ASUs: AMSUA0601, AMSUA0602, AMSUA0101, AMSUA0102, AMSUA0201, AMSUA0202, AMSUA0401, AMSUA0402, AMSUA0501, AMSUA0502, AMSUA0701, AMSUA0702, AMSUA0801, AMSUA0901
naprodimedatapri  naprodimedatapri.azureedge.net
naprodimedatasec  naprodimedatasec.azureedge.net
naprodimedatahotfix  naprodimedatahotfix.azureedge.net

Europe (eu)
ASUs: AMSUB0101, AMSUB0102, AMSUB0201, AMSUB0202, AMSUB0301, AMSUB0302, AMSUB0501, AMSUB0502, AMSUB0601, AMSUB0701
euprodimedatapri  euprodimedatapri.azureedge.net
euprodimedatasec  euprodimedatasec.azureedge.net
euprodimedatahotfix  euprodimedatahotfix.azureedge.net

Asia Pacific (ap)
ASUs: AMSUC0101, AMSUC0201, AMSUC0301, AMSUC0501, AMSUC0601, AMSUD0101
approdimedatapri  approdimedatapri.azureedge.net
approdimedatasec  approdimedatasec.azureedge.net
approdimedatahotfix  approdimedatahotfix.azureedge.net

Microsoft Store
Managed Windows devices using the Microsoft Store – either to acquire, install, or
update apps – will need access to these endpoints.

Microsoft Store API (AppInstallManager):

displaycatalog.md.mp.microsoft.com
purchase.md.mp.microsoft.com
licensing.mp.microsoft.com
storeedgefd.dsx.mp.microsoft.com

Windows Update Agent:

For details, see the following resources:

Manage connection endpoints for Windows 11 Enterprise
Manage connection endpoints for Windows 10 Enterprise, version 21H2

Win32 content download:

Win32 content download locations and endpoints are unique per application and are
provided by the external publisher. You can find the location for each Win32 Store app
using the following command on a test system (you can obtain the [PackageId] for a
Store app by referencing the Package Identifier property of the app after adding it to
Microsoft Intune):

winget show [PackageId]

The Installer Url property will either show the external download location or the region-
based (Microsoft-hosted) fallback cache based on whether the cache is in-use. Note that
the content download location can change between the cache and external location.

Microsoft-hosted Win32 app fallback cache:

Varies by region, example: sparkcdneus2.azureedge.net, sparkcdnwus2.azureedge.net

Delivery Optimization (optional, required for peering): For details, see the following
resource:

Microsoft Connected Cache content and services endpoints

Windows Push Notification Services (WNS)
For Windows devices that Intune manages using Mobile Device Management (MDM),
device actions and other immediate activities require the use of Windows Push
Notification Services (WNS). For more information, see Allowing Windows Notification
traffic through enterprise firewalls.

Migrating device health attestation compliance policies to Microsoft Azure attestation
If a customer enables any of the Windows 10/11 Compliance policy - Device Health
settings, then Windows 11 devices will begin to use a Microsoft Azure Attestation (MAA)
service based on their Intune tenant location. However, Windows 10 and GCCH/DOD
environments will continue to use the existing Device Health Attestation (DHA) endpoint
'has.spserv.microsoft.com' for device health attestation reporting and aren't impacted by
this change.

If a customer has firewall policies that prevent access to the new Intune MAA service for
Windows 11, then Windows 11 devices with assigned compliance policies using any of
the device health settings (BitLocker, Secure Boot, Code Integrity) will fall out of
compliance as they're unable to reach the MAA attestation endpoints for their location.

Ensure there are no firewall rules blocking outbound HTTPS/443 traffic to the endpoints
listed in this section based on your Intune tenant's location. To find your tenant location,
go to the Intune admin center > Tenant administration > Tenant status > Tenant
details and see Tenant location.

North America based locations

'https://intunemaape1.eus.attest.azure.net'
'https://intunemaape2.eus2.attest.azure.net'
'https://intunemaape3.cus.attest.azure.net'
'https://intunemaape4.wus.attest.azure.net'
'https://intunemaape5.scus.attest.azure.net'
'https://intunemaape6.ncus.attest.azure.net'

Europe based locations

'https://intunemaape7.neu.attest.azure.net'
'https://intunemaape8.neu.attest.azure.net'
'https://intunemaape9.neu.attest.azure.net'
'https://intunemaape10.weu.attest.azure.net'
'https://intunemaape11.weu.attest.azure.net'
'https://intunemaape12.weu.attest.azure.net'

Asia Pacific based locations

'https://intunemaape13.jpe.attest.azure.net'
'https://intunemaape17.jpe.attest.azure.net'
'https://intunemaape18.jpe.attest.azure.net'
'https://intunemaape19.jpe.attest.azure.net'

Delivery Optimization port requirements

Port requirements
For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP or 3544 for NAT
traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS
over port 80/443.

Proxy requirements
To use Delivery Optimization, you must allow Byte Range requests. For more
information, see Proxy requirements for Windows Update.

Firewall requirements
Allow the following hostnames through your firewall to support Delivery Optimization.
For communication between clients and the Delivery Optimization cloud service:

*.do.dsp.mp.microsoft.com

For Delivery Optimization metadata:

*.dl.delivery.mp.microsoft.com
*.emdl.ws.microsoft.com

Apple device network information

Used for  Hostname (IP address/subnet)  Protocol  Port

Used for: Retrieving and displaying content from Apple servers
Hostname: itunes.apple.com, *.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *.phobos.itunes-apple.com.akadns.net
Protocol: HTTP
Port: 80

Used for: Communications with APNS servers
Hostname: #-courier.push.apple.com ('#' is a random number from 0 to 50)
Protocol: TCP
Port: 5223 and 443

Used for: Various functionalities including accessing the World Wide Web, iTunes store, macOS app store, iCloud, messaging, etc.
Hostname: phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com, ax.itunes.apple.com.edgesuite.net
Protocol: HTTP/HTTPS
Port: 80 or 443

For more information, see Use Apple products on enterprise networks, TCP and UDP
ports used by Apple software products, About macOS, iOS/iPadOS, and iTunes server
host connections and iTunes background processes, and If your macOS and
iOS/iPadOS clients aren't getting Apple push notifications.

Android port information
Depending on how you choose to manage Android devices, you may need to open the
Google Android Enterprise ports and/or the Android push notification ports. For more
information on the Android management methods supported, see the Android enrollment
documentation.

Note

Because Google Mobile Services isn't available in China, devices in China managed
by Intune can't use features that require Google Mobile Services. These features
include: Google Play Protect capabilities such as SafetyNet device attestation,
Managing apps from the Google Play Store, Android Enterprise capabilities (see this
Google documentation ). Additionally, the Intune Company Portal app for
Android uses Google Mobile Services to communicate with the Microsoft Intune
service. Because Google Play services isn't available in China, some tasks can
require up to 8 hours to finish. For more information, see this article.

Android (AOSP)

Used for  Hostname (IP address/subnet)  Protocol  Port

Used for: Downloading and installing the Microsoft Intune and Microsoft Authenticator apps
Hostname: intunecdnpeasd.azureedge.net
Protocol: HTTPS
Port: 443

Google Android Enterprise
Google provides documentation of required network ports and destination host names
in their Android Enterprise Bluebook, under the Firewall section of that document.

Android push notification
Intune leverages Google Firebase Cloud Messaging (FCM) for push notification to
trigger device actions and check-ins. This is required by both Android Device
Administrator and Android Enterprise. For information on FCM network requirements,
see Google's FCM ports and your firewall.

Endpoint analytics
For more information on the required endpoints for endpoint analytics, see Endpoint
analytics proxy configuration.

Microsoft Defender for Endpoint
For more information about configuring Defender for Endpoint connectivity, see
Connectivity Requirements.

Allow the following hostnames through your firewall to support Security Management
for Defender for Endpoint. For communication between clients and the cloud service:

*.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints
that are used for enrollment, check-in, and reporting, and which can change as the
service scales.

Important

SSL Inspection is not supported on the 'dm.microsoft.com' endpoint.

Microsoft Intune Endpoint Privilege Management
Allow the following hostnames through your firewall to support Endpoint Privilege
Management.

For communication between clients and the cloud service:

*.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints
that are used for enrollment, check-in, and reporting, and which can change as the
service scales.

Important

SSL Inspection is not supported on the 'dm.microsoft.com' endpoint.

For more information, see the Overview of Endpoint Privilege Management.

Related topics
Office 365 URLs and IP address ranges

Microsoft 365 network connectivity overview

Content delivery networks (CDNs)

Other endpoints not included in the Office 365 IP Address and URL Web service

Managing Office 365 endpoints

China endpoints for Microsoft Intune
Article • 04/05/2023

This page lists the China endpoints needed for proxy settings in your Intune
deployments.

To manage devices behind firewalls and proxy servers, you must enable communication
for Intune.

The proxy server must support both HTTP (80) and HTTPS (443) because Intune
clients use both protocols.

For some tasks (like downloading software updates), Intune requires
unauthenticated proxy server access to manage.microsoft.com.

You can modify proxy server settings on individual client computers. You can also use
Group Policy settings to change settings for all client computers located behind a
specified proxy server.

Managed devices require configurations that let All Users access services through
firewalls.

For more information about Windows 10 auto-enrollment and device registration for
U.S. customers, see Windows auto enrollment and device registration .

The following tables list the ports and services that the Intune client accesses:

Endpoint  IP address

*.manage.microsoftonline.cn
40.73.38.143
139.217.97.81
52.130.80.24
40.73.41.162
40.73.58.153
139.217.95.85

Intune customer designated endpoints in China

Azure portal: https://portal.azure.cn/
Microsoft 365: https://portal.partner.microsoftonline.cn/
Intune Company Portal: https://portal.manage.microsoftonline.cn/
Microsoft Intune admin center: https://intune.microsoftonline.cn/

Network requirements for PowerShell scripts and Win32 apps
If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also need to
grant access to endpoints in which your tenant currently resides.

Azure Scale Unit (ASU)  Storage name  CDN

CNPASU01
sovereignprodimedatapri  sovereignprodimedatapri.azureedge.net
sovereignprodimedatasec  sovereignprodimedatasec.azureedge.net
sovereignprodimedatahotfix  sovereignprodimedatahotfix.azureedge.net

Partner service endpoints
Intune operated by 21Vianet depends on the following partner service endpoints:

Azure AD Sync service: https://syncservice.partner.microsoftonline.cn/DirectoryService.svc
Evo STS: https://login.chinacloudapi.cn/
Azure AD Graph: https://graph.chinacloudapi.us
MS Graph: https://microsoftgraph.chinacloudapi.cn
ADRS: https://enterpriseregistration.partner.microsoftonline.cn

Windows Push Notification Services
On Intune-managed devices managed by using Mobile Device Management (MDM),
Windows Push Notification Services (WNS) is required for device actions and other
immediate activities. For more information, see Enterprise Firewall and Proxy
Configurations to Support WNS Traffic.

Apple device network information

Used for  Hostname (IP address/subnet)  Protocol  Port

Used for: Retrieving and displaying content from Apple servers
Hostname: itunes.apple.com, *.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *.phobos.itunes-apple.com.akadns.net
Protocol: HTTP
Port: 80

Used for: Communication with APNS servers
Hostname: #-courier.push.apple.com ('#' is a random number from 0 to 50)
Protocol: TCP
Port: 5223 and 443

Used for: Various functions including accessing the internet, iTunes store, macOS app store, iCloud, messaging, etc.
Hostname: phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com, ax.itunes.apple.com.edgesuite.net
Protocol: HTTP/HTTPS
Port: 80 or 443

For more information, see:

TCP and UDP ports used by Apple software products
About macOS, iOS/iPadOS, and iTunes server host connections and iTunes background processes
If your macOS and iOS/iPadOS clients aren't getting Apple push notifications

Next steps
Learn more about Intune operated by 21Vianet in China

Intune operated by 21Vianet in China
Article • 02/21/2023

Intune operated by 21Vianet is designed to meet the needs for secure, reliable, and
scalable cloud services in China. Intune as a service is built on top of Microsoft Azure.
Microsoft Azure operated by 21Vianet is a physically separated instance of cloud
services located in China. It's independently operated and transacted by 21Vianet. This
service is powered by technology that Microsoft has licensed to 21Vianet.

Microsoft doesn't operate the service itself. 21Vianet operates, provides, and manages
delivery of the service. 21Vianet is an Internet data center services provider in China. It
provides hosting, managed network services, and cloud computing infrastructure
services. By licensing Microsoft technologies, 21Vianet operates local datacenters to
provide you the ability to use Intune service while keeping your data within China.
21Vianet also provides your subscription, billing, and support services.

Note

If you're interested in viewing or deleting personal data, please see the Azure Data
Subject Requests for the GDPR article. If you're looking for general info about
GDPR, see the GDPR section of the Service Trust portal .

Feature differences in Intune operated by 21Vianet
Because the China services are operated by a partner from inside China, there are some
feature differences with Intune.

Intune operated by 21Vianet only supports standalone deployments. Customers
can use co-management to attach their existing Configuration Manager
deployment to the Microsoft Intune cloud.

Migrations from public clouds to sovereign clouds aren't supported. Customers
interested in moving to Intune operated by 21Vianet must migrate manually.

The tenant attach feature (syncing devices to Intune without enrollment to support
cloud console scenarios) isn't currently supported.

Derived Credentials are not supported with Intune operated by 21Vianet.

Management of Windows 10 is supported by using the modern MDM channel.

Intune operated by 21Vianet doesn't support on-premises Exchange Connector.

Windows Autopilot and Business Store features aren't currently available.

Microsoft Endpoint Manager Endpoint Analytics and Log Analytics features aren't
currently available.

Because Google Mobile Services isn't available in China, customers in Intune
operated by 21Vianet can't use features that require Google Mobile Services. These
features include:
  Google Play Protect capabilities such as SafetyNet device attestation.
  Managing apps from the Google Play Store.
  Android Enterprise capabilities. For more information, see this Google documentation.

The Intune Company Portal app for Android uses Google Mobile Services to
communicate with the Microsoft Intune service. Because Google Play services isn't
available in China, some tasks can require up to 8 hours to finish. For more
information, see this article.

To follow local regulations and provide improved functionality, the Intune client
experience (Company Portal app) may differ in China.

Fencing isn't available.

Mobile Application Management (MAM) availability is conditional on those apps
being available in the People's Republic of China.

Intune operated by 21Vianet doesn't support Android (AOSP) management for
corporate devices.

Intune operated by 21Vianet doesn't support the Mobile Threat Defense (MTD)
connector for Android and iOS devices with MTD vendors.

Intune operated by 21Vianet doesn't support partner device management
integration with Jamf for macOS devices.

You control customer data
In Microsoft Azure, Intune, Microsoft 365, and Power BI operated by 21Vianet, you have
full control of your data:

You know where customer data is located.
You control access to your customer data.
You control your customer data if you leave the service.
You have options to control the security of your customer data.

With Microsoft Azure, Intune, Microsoft 365, and Power BI operated by 21Vianet, you’re
the owner of your data:

21Vianet doesn’t use customer data for advertising.
You control who has access to your customer data.
We use logical isolation to segregate each customer’s data.
We provide simple, transparent data-use policies, and get independent audits.
Our subcontractors are under contract to meet our privacy requirements.

Data subject requests
The Tenant Administrator role for Intune operated by 21Vianet can request data for data
subjects in the following ways:

Using the Azure Active Directory Admin Center, a Tenant Administrator can
permanently delete a data subject from Azure Active Directory and related
services. For more information, see Azure Data Subject Requests - Delete.

System-generated logs for Microsoft services operated by 21Vianet can be
exported by Tenant Administrators using the Data Log Export. For more
information, see Azure Data Subject Requests - Export.

Next steps
Learn more about Intune supported configurations

Migration guide: Set up or move to Microsoft Intune
Article • 04/20/2023

After you've planned for the move to Microsoft Intune, the next step is to choose the
migration approach that's right for your organization. These decisions depend on your
current mobile device management (MDM) environment, business goals, and technical
requirements.

This migration guide lists and describes your options to adopt or move to Intune, which
include:

You don't use a mobile device management solution
You use a third party partner MDM solution
You use Configuration Manager
You use on-premises group policy
You use Microsoft 365 Basic Mobility and Security

Use this guide to determine the best migration approach, and get some guidance &
recommendations.

Tip

This guide is a living thing. So, be sure to add or update existing tips and
guidance you've found helpful.

As a companion to this article, the Microsoft 365 admin center also has some
setup guidance. The guide customizes your experience based on your
environment. At Microsoft Intune setup guide, sign in with the Global
Reader (at a minimum) to access the deployment guides. For more
information on these deployment guides and the roles needed, go to
Advanced deployment guides for Microsoft 365 and Office 365 products.

To review best practices without signing in and activating the automated
setup features, go to the M365 Setup portal.

Before you begin

Microsoft Intune is a cloud native solution that helps manage identities, devices,
and apps. If your goal is to become cloud native, then you can learn more at the
following articles:
Learn about cloud-native endpoints
What is Intune?

Your Intune deployment might be different from a previous MDM deployment.
Intune uses identity-driven access control. It doesn't require a network proxy to
access organization data from devices outside your network.

Review the common ways to use Intune.

Currently don't use anything

If you currently don't use any MDM or mobile application management (MAM) provider,
then you have some options:

Microsoft Intune: If you want a cloud solution and are ready for full device
management, then go straight to Intune. You can use Intune to check for
compliance, configure device features, deploy apps, and install system & app
updates. You also get the benefits of the Microsoft Intune admin center, which is a
web-based console.
App protection policies overview
Get started with Intune
Step 1 - Set up Intune
Step 2 - Add, configure, and protect apps with Intune
Step 3 – Plan for compliance policies
Step 4 - Create device configuration profiles to secure devices
Step 5 - Enroll devices

Configuration Manager: If you want the features of Configuration Manager
(on-premises) combined with Intune (cloud), then consider tenant attach or
co-management.

Configuration Manager can:
Manage on-premises Windows Server and some client devices.
Manage partner or third party software updates.
Create custom task sequences when deploying the Windows operating system.
Deploy and manage many app types.

Currently use a third party MDM provider

Devices should only have one MDM provider. If you use another MDM provider, like
Workspace ONE (previously called AirWatch), MobileIron, or MaaS360, then you can
move to Intune.

Users must unenroll their devices from the current MDM provider before they enroll in
Intune.

1. Set up Intune, including setting the MDM Authority to Intune.

For more information, go to:

Get started with your Microsoft Intune deployment
Step 1 - Set up Intune.

2. Deploy apps and create app protection policies. The idea is to help protect
organization data in your apps during the migration and until devices are enrolled
& managed by Intune.

For more information, go to Step 2 - Add, configure, and protect apps with Intune.

3. Unenroll devices from the current MDM provider.

When devices are unenrolled, they aren't receiving your policies, including policies
that provide protection. They're vulnerable until they enroll in Intune and start
receiving your new policies.

Give users specific unenroll steps. Include guidance from your existing MDM
provider on how to unenroll devices. Clear and helpful communication minimizes
end user downtime, dissatisfaction, and helpdesk calls.

4. Optional, but recommended. If you have Azure AD Premium, also use conditional
access to block devices until they enroll in Intune.

For more information, go to Step 3 – Plan for compliance policies.

5. Optional, but recommended. Create a baseline of compliance and device settings
that all users and devices must have. These policies can be deployed when users
enroll in Intune.

For more information, go to:

Step 3 – Plan for compliance policies
Step 4 - Configure device features and settings to secure devices and access
resources
Levels of protection and configuration in Microsoft Intune

6. Enroll in Intune. Be sure you give users specific enrollment steps.

For more information, go to:

Step 5 – Enroll devices in Microsoft Intune
Intune enrollment deployment guide

Important

Don't configure Intune and any existing third party MDM solution simultaneously
to apply access controls to resources, including Exchange or SharePoint.

Recommendations:

If you're moving from a partner MDM/MAM provider, then note the tasks you're
running and the features you use. This information gives an idea of what tasks to
also do in Intune.

Use a phased approach. Start with a small group of pilot users, and add more
groups until you reach full scale deployment.

Monitor the helpdesk load and enrollment success of each phase. Leave time in
the schedule to evaluate success criteria for each group before migrating the next
group.

Your pilot deployment should validate the following tasks:

Enrollment success and failure rates are within your expectations.

User productivity:
Corporate resources are working, including VPN, Wi-Fi, email, and
certificates.
Deployed apps are accessible.

Data security:
Review compliance reports, and look for common issues and trends.
Communicate issues, resolutions, and trends with your help desk.
Mobile app protections are applied.

When you're satisfied with the first phase of migrations, repeat the migration cycle
for the next phase.
Repeat the phased cycles until all users are migrated to Intune.
Confirm the helpdesk is ready to support end users throughout the migration.
Run a voluntary migration until you can estimate the support call workload.
Don't set deadlines for enrollment until your helpdesk can handle all remaining
users.

Helpful information:

Get started with Intune
Intune enrollment deployment guide
Step 1 - Set up Intune and your tenant

Currently use Configuration Manager

Configuration Manager supports Windows Servers, and Windows & macOS client
devices. If your organization uses other platforms, you may need to reset the devices,
and then enroll them in Intune. Once enrolled, they receive the policies and profiles you
create. For more information, see the Intune enrollment deployment guide.

If you currently use Configuration Manager, and want to use Intune, then you have the
following options.

Option 1 - Add tenant attach

Tenant attach allows you to upload your Configuration Manager devices to your
organization in Intune, also known as a "tenant". After you attach your devices, you use
the Microsoft Intune admin center to run remote actions, like sync machine and user
policy. You can also see your on-premises servers, and get OS information.

Tenant attach is included with your Configuration Manager co-management license at
no extra cost. It's the easiest way to integrate the cloud (Intune) with your on-premises
Configuration Manager setup.

For more information, see enable tenant attach.

Option 2 - Set up co-management

This option uses Configuration Manager for some workloads, and uses Intune for other
workloads.

1. In Configuration Manager, set up co-management.

2. Set up Intune, including setting the MDM Authority to Intune.

Devices are ready to be enrolled in Intune, and receive your policies.

Helpful information:
What is co-management?
Co-management workloads
Switch Configuration Manager workloads to Intune
Configuration Manager product and licensing FAQ

Option 3 - Move from Configuration Manager to Intune

Most existing Configuration Manager customers want to keep using Configuration
Manager. It includes services that are beneficial for on-premises devices.

These steps are an overview, and are only included for those users who want a 100%
cloud solution. With this option, you:

Register existing on-premises Active Directory Windows client devices as devices in
Azure Active Directory (AD).
Move your existing on-premises Configuration Manager workloads to Intune.

This option is more work for administrators, but can create a more seamless experience
for existing Windows client devices. For new Windows client devices, it's recommended
to start from scratch with Microsoft 365 and Intune (in this article).

1. Set up hybrid Active Directory and Azure AD for your devices. Hybrid Azure AD
joined devices are joined to your on-premises Active Directory, and registered with
your Azure AD. When devices are in Azure AD, they're also available to Intune.

Hybrid Azure AD supports Windows devices. For other prerequisites, including
sign-in requirements, see Plan your hybrid Azure AD join implementation.

2. In Configuration Manager, set up co-management.

3. Set up Intune, including setting the MDM Authority to Intune.

4. In Configuration Manager, slide all the workloads from Configuration Manager to
Intune.

5. On the devices, uninstall the Configuration Manager client. For more information,
see uninstall the client.

Once Intune is set up, you can create an Intune app configuration policy that
uninstalls the Configuration Manager client. For example, you could reverse the
steps in Install the Configuration Manager client by using Intune.

Devices are ready to be enrolled in Intune, and receive your policies.


Important

Hybrid Azure AD supports only Windows devices. Configuration Manager supports
Windows and macOS devices. For macOS devices managed in Configuration
Manager, you can:

1. Uninstall the Configuration Manager client. When you uninstall, the devices
aren't receiving your policies, including policies that provide protection.
They're vulnerable until they enroll in Intune and start receiving your new
policies.
2. Enroll the devices in Intune to receive policies.

To help minimize vulnerabilities, move macOS devices after Intune is set up, and
when your enrollment policies are ready to be deployed.

Option 4 - Start from scratch with Microsoft 365 and Intune

This option applies to Windows client devices. If you use Windows Server, such as
Windows Server 2022, then don't use this option. Use Configuration Manager.

To manage your Windows client devices:

1. Deploy Microsoft 365, including creating users and groups. Don't use or configure
Microsoft 365 Basic Mobility and Security.

Helpful links:

Microsoft 365 Enterprise deployment guide
Set up Microsoft 365 Business

2. Set up Intune, including setting the MDM Authority to Intune.

3. On existing devices, uninstall the Configuration Manager client. For more
information, see uninstall the client.

Devices are ready to be enrolled in Intune, and receive your policies.

Currently use on-premises group policy

In the cloud, MDM providers, like Intune, manage settings and features on devices.
Group Policy Objects (GPOs) aren't used. When you manage devices, Intune device
configuration profiles replace on-premises GPOs. Device configuration profiles use
settings exposed by Apple, Google, and Microsoft.

Specifically:

On Android devices, these profiles use the Android Management API and EMM
API.
On Apple devices, these profiles use the Device management payloads.
On Windows devices, these profiles use the Windows configuration service
providers (CSPs).

When moving devices from group policy, use Group policy analytics. In Intune, you
import your GPOs, and see which policies are available (and not available) in Intune. For
the policies that are available in Intune, you can create a settings catalog policy using
the settings you imported. For more information on this feature, go to Create a Settings
Catalog policy using your imported GPOs in Microsoft Intune.

Next, Step 1: Set up Microsoft Intune.

Currently use Microsoft 365 Basic Mobility and Security

If you created and deployed Microsoft 365 Basic Mobility and Security policies, then you
can migrate the users, groups, and policies to Microsoft Intune.

For more information, go to Migrate from Microsoft 365 Basic Mobility and Security to
Intune.

Tenant to tenant migration

A tenant is your organization in Azure Active Directory (AD), like Contoso. It includes a
dedicated Azure AD service instance that Contoso receives when it gets a Microsoft
cloud service, like Microsoft Intune or Microsoft 365. Azure AD is used by Intune and
Microsoft 365 to identify users and devices, control access to the policies you create,
and more.

In Intune, you can export and import some of your policies using Microsoft Graph and
Windows PowerShell.

For example, you create a Microsoft Intune trial subscription. In this subscription trial
tenant, you have policies that configure apps and features, check compliance, and more.
You'd like to move these policies to another tenant.
This section shows how to use the Microsoft Graph scripts for a tenant to tenant
migration, and lists some policy types that can or can't be exported.

Important

These steps use the Intune beta Graph samples on GitHub. The sample
scripts make changes to your tenant. They're available as-is, and should be
validated using a non-production or "test" tenant account. Be sure the scripts
meet your organization security guidelines.
The scripts don't export and import every policy, such as certificate profiles.
Expect to do more tasks than what's available in these scripts. You will have to
recreate some policies.
To migrate a user's device, the user must unenroll the device from the old
tenant, and then re-enroll in the new tenant.

Download the samples, and run the script

This section includes an overview of the steps. Use these steps as guidance, and know
that your specific steps may be different.

1. Download the samples, and use Windows PowerShell to export your policies:

a. Go to microsoftgraph/powershell-intune-samples, select Code > Download
ZIP. Extract the contents of the .zip file.

b. Open the Windows PowerShell app as administrator, and change the directory
to your folder. For example, enter the following command:

cd C:\psscripts\powershell-intune-samples-master

c. Install the AzureAD PowerShell module:

Install-Module AzureAD

Select Y to install the module from an untrusted repository. The install can take
a few minutes.

d. Change the directory to the folder with the script you want to run. For example,
change the directory to the CompliancePolicy folder:

cd C:\psscripts\powershell-intune-samples-master\powershell-intune-samples-master\CompliancePolicy

e. Run the export script. For example, enter the following command:

.\CompliancePolicy_Export.ps1

Sign in with your account. When prompted, enter the path to put the policies.
For example, enter:

C:\psscripts\ExportedIntunePolicies\CompliancePolicies

In your folder, the policies are exported.

2. Import your policies in your new tenant:

a. Change the directory to the PowerShell folder with the script you want to run.
For example, change the directory to the CompliancePolicy folder:

cd C:\psscripts\powershell-intune-samples-master\powershell-intune-samples-master\CompliancePolicy

b. Run the import script. For example, enter the following command:

.\CompliancePolicy_Import_FromJSON.ps1

Sign in with your account. When prompted, enter the path to the policy .json
file you want to import. For example, enter:

C:\psscripts\ExportedIntunePolicies\CompliancePolicies\PolicyName.json

3. Sign in to the Intune admin center. The policies you imported are shown.

What you can't do

There are some policy types that can't be exported. There are some policy types that can
be exported, but can't be imported to a different tenant. Use the following list as a
guide. Know there are other policy types that aren't listed.

Policy or profile type | Export | Import | Information

Applications

Android line-of-business apps | ❌ | ❌ | To add your LOB app to a new tenant, you also need the original .apk application source files.
Apple Volume Purchase Program (VPP) | ❌ | ❌ | These apps are synced with the Apple VPP. In the new tenant, you add your VPP token, which shows your available apps.
iOS/iPadOS line-of-business apps | ❌ | ❌ | To add your LOB app to a new tenant, you also need the original .ipa application source files.
Managed Google Play | ❌ | ❌ | These apps and weblinks are synced with Managed Google Play. In the new tenant, you add your Managed Google Play account, which shows your available apps.
Microsoft Store for Business | ❌ | ❌ | These apps are synced with the Microsoft Store for Business. In the new tenant, you add your Microsoft Store for Business account, which shows your available apps.
Windows app (Win32) | ❌ | ❌ | To add your LOB app to a new tenant, you also need the original .intunewin application source files.

Compliance policies

Actions for Non-Compliance | ❌ | ❌ | It's possible there could be a link to an e-mail template. When you import a policy that has non-compliance actions, the default actions for non-compliance are added instead.
Assignments | ✔️ | ❌ | Assignments are targeted to a group ID. In a new tenant, the group ID is different.

Configuration profiles

Email | ✔️ | ✔️ without certificates, ❌ with a root certificate | If an email profile doesn't use certificates, then the import should work. If an email profile uses a root certificate, then the profile can't be imported to a new tenant. The root certificate ID is different in a new tenant.
SCEP certificate | ✔️ | ❌ | SCEP certificate profiles use a root certificate. The root certificate ID is different in a new tenant.
VPN | ✔️ | ✔️ without certificates, ❌ with a root certificate | If a VPN profile doesn't use certificates, then the import should work. If a VPN profile uses a root certificate, then the profile can't be imported to a new tenant. The root certificate ID is different in a new tenant.
Wi-Fi | ✔️ | ✔️ without certificates, ❌ with a root certificate | If a Wi-Fi profile doesn't use certificates, then the import should work. If a Wi-Fi profile uses a root certificate, then the profile can't be imported to a new tenant. The root certificate ID is different in a new tenant.
Assignments | ✔️ | ❌ | Assignments are targeted to a group ID. In a new tenant, the group ID is different.

Endpoint Security

Endpoint detection and response | ❌ | ❌ | This policy is linked to Microsoft Defender for Endpoint. In the new tenant, you configure Microsoft Defender for Endpoint, which automatically includes the Endpoint detection and response policy.
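The export and import steps above, together with the table of what can't be imported, leave one practical gap: knowing which exported .json files still carry tenant-bound references (group IDs in assignments, root certificate IDs in SCEP, email, VPN and Wi-Fi profiles) before you run the import script against the new tenant. The PowerShell audit below is an added example, not code from Microsoft's documentation or the powershell-intune-samples repository; it assumes the exported files are plain Graph policy JSON and that the tenant-bound values appear under properties named groupId, rootCertificate* or *@odata.bind, which you should adjust to match what your export script actually wrote.

```powershell
# Added example (not from the Microsoft docs or the powershell-intune-samples repo):
# audit a folder of exported policy .json files for the tenant-bound references the
# table above says do not survive a tenant-to-tenant import:
#   - group IDs inside assignments (group IDs differ in the new tenant)
#   - root-certificate references in SCEP, email, VPN and Wi-Fi profiles
#     (the root certificate profile ID differs in the new tenant)
# Assumption: the property names checked below ('groupId', 'rootCertificate*',
# '*@odata.bind') match what your export script wrote; adjust them if they don't.

function Test-PropertyName {
    # Records a finding when a property name is one of the tenant-bound kinds.
    param([string] $Name, [string] $Path, [System.Collections.Generic.List[string]] $Hits)

    if ($Name -eq 'groupId') {
        $Hits.Add("$Path : group ID, differs in the new tenant")
    }
    elseif ($Name -like 'rootCertificate*') {
        $Hits.Add("$Path : root certificate reference, differs in the new tenant")
    }
    elseif ($Name -like '*@odata.bind') {
        $Hits.Add("$Path : cross-object reference, confirm the target exists in the new tenant")
    }
}

function Add-TenantBoundReference {
    # Walks one policy object recursively (objects, hashtables, arrays) and appends
    # the JSON path and reason of every tenant-bound property to $Hits.
    param($Object, [string] $Path, [System.Collections.Generic.List[string]] $Hits)

    if ($null -eq $Object -or $Object -is [string]) { return }

    # Unwrap the PSObject layer so the type tests see the underlying .NET object.
    $base = [System.Management.Automation.PSObject]::AsPSObject($Object).BaseObject

    if ($base -is [System.Collections.IDictionary]) {
        foreach ($key in @($base.Keys)) {
            Test-PropertyName -Name $key -Path "$Path.$key" -Hits $Hits
            Add-TenantBoundReference -Object $base[$key] -Path "$Path.$key" -Hits $Hits
        }
    }
    elseif ($base -is [System.Management.Automation.PSCustomObject]) {
        foreach ($prop in $Object.PSObject.Properties) {
            Test-PropertyName -Name $prop.Name -Path "$Path.$($prop.Name)" -Hits $Hits
            Add-TenantBoundReference -Object $prop.Value -Path "$Path.$($prop.Name)" -Hits $Hits
        }
    }
    elseif ($base -is [System.Collections.IEnumerable]) {
        $i = 0
        foreach ($item in $base) {
            Add-TenantBoundReference -Object $item -Path "$Path[$i]" -Hits $Hits
            $i++
        }
    }
}

function Test-ExportedPolicyPortability {
    # Emits one row per .json file: its Graph type, display name, and any findings.
    param([Parameter(Mandatory)] [string] $ExportFolder)

    foreach ($file in Get-ChildItem -Path $ExportFolder -Filter '*.json' -File) {
        $policy = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
        $hits = New-Object 'System.Collections.Generic.List[string]'
        Add-TenantBoundReference -Object $policy -Path '$' -Hits $hits
        [pscustomobject]@{
            File        = $file.Name
            PolicyType  = $policy.'@odata.type'
            DisplayName = $policy.displayName
            Portable    = ($hits.Count -eq 0)
            Findings    = ($hits -join '; ')
        }
    }
}

# Constructed sample exports with placeholder IDs so the check runs stand-alone;
# point -ExportFolder at your real export folder instead. The first carries a
# group assignment, the second a root-certificate binding, the third neither.
$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'IntuneExportPortabilitySample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null

@'
{ "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "displayName": "Win10 baseline (constructed)", "passwordRequired": true,
  "assignments": [ { "target": { "groupId": "PLACEHOLDER-GROUP-ID" } } ] }
'@ | Set-Content -Path (Join-Path $sampleDir 'CompliancePolicy.json') -Encoding UTF8

@'
{ "@odata.type": "#microsoft.graph.iosScepCertificateProfile",
  "displayName": "iOS SCEP (constructed)",
  "rootCertificate@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('PLACEHOLDER-ROOT-CERT-ID')" }
'@ | Set-Content -Path (Join-Path $sampleDir 'ScepProfile.json') -Encoding UTF8

@'
{ "@odata.type": "#microsoft.graph.iosWiFiConfiguration",
  "displayName": "Corp Wi-Fi PSK (constructed)", "ssid": "CorpWiFi",
  "wiFiSecurityType": "wpa2Personal" }
'@ | Set-Content -Path (Join-Path $sampleDir 'WiFiProfile.json') -Encoding UTF8

Test-ExportedPolicyPortability -ExportFolder $sampleDir | Format-Table -AutoSize -Wrap
```

Run it against the folder you entered in the export step before running the import script, and recreate or re-target anything reported as not portable in the new tenant by hand.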

Next steps
Get started with Intune
Enrollment deployment guides
Migrate from Microsoft 365 Basic Mobility and Security to Intune
Article • 03/07/2023

Microsoft 365 includes a basic set of policies that protect devices and protect Microsoft
365 apps, like Outlook. These policies are managed in the Microsoft 365 Defender portal
and are called Basic Mobility and Security. For more information on what Basic Mobility
and Security offers, go to Capabilities of Basic Mobility and Security.

Many organizations want more or next-level device management features. Specifically,
they want the features that are included with Microsoft Intune. For a comparison of the
features, go to Choose between Basic Mobility and Security or Intune.

You can migrate from Basic Mobility and Security to Microsoft Intune. Migrating to
Intune requires the following major steps:

1. Prepare:

Review your Intune licenses, Basic Mobility and Security policies, group
memberships, and devices to streamline the migration.

2. Evaluate and migrate your existing policies:

Use the Migration evaluation in the Microsoft Intune admin center. The output
shows Intune policy and group recommendations that replace the Basic Mobility
and Security policies.

3. Assign the policies and complete the migration:

Assign licenses to users or groups, which will automatically switch the users to
Intune device management at the next refresh cycle.

This article will help you migrate your mobile device management (MDM) from
Microsoft 365 Basic Mobility and Security to Microsoft Intune.

Before you begin

When you sign in to the Intune admin center, use an account that has Azure AD
Global or License administrator rights.

Test the steps in this article on a test user group that has devices enrolled in
Basic Mobility and Security. Confirm that the policies behave as you expect.
After you migrate to Intune, the existing device security policies deployed with
Basic Mobility and Security are permanently frozen.

Assigning Intune licenses impacts the migration process. The license assignment
controls the migration of devices from Basic Mobility and Security to Intune.

Users with Intune licenses already assigned can start receiving policies
immediately, possibly sooner than you expect. The policies can happen even if the
users or devices weren't previously managed by Basic Mobility and Security.

If you want to prevent this behavior, you can unassign the Intune licenses before
the migration. You can also create separate groups to help manage when the
policies are deployed:
Group 1: Users with Intune licenses already assigned
Group 2: Users without Intune licenses assigned

Then, you can assign the migrated Basic Mobility and Security device security
policies to users who aren't assigned Intune licenses.

Step 1 - Prepare
Before you migrate from Basic Mobility and Security device management to Intune
device management:

1. Be sure you have enough Intune licenses to cover all your users managed by Basic
Mobility and Security.

2. Review the device security policies in the Microsoft 365 Defender portal. Delete
any policies that are no longer needed. Deleting unneeded policies reduces the
number of recommendations created by the Intune migration evaluation. The idea
is to have fewer recommendations to review after the migration evaluation.

3. Review the membership of groups that are currently assigned device security
policies.

If these groups include users that are already licensed for Intune, then they can get
policies assigned sooner than expected. For more information on the impact of
existing Intune licenses, go to Before you begin (in this article).

4. Review the types of devices currently enrolled in Basic Mobility and Security.
Unsupported OS versions and variants may continue to work, but they won’t be
supported if migrated to Intune.
Settings applied to unsupported operating systems won’t be moved to Intune. And
if the user is already licensed for Intune, then their devices will lose any
configuration set by device security policies in the Microsoft 365 Defender portal.

5. Before migration:

Don’t assign Intune licenses to users whose devices are managed by Basic
Mobility and Security.
Don't assign Intune licenses to enable app protection policies, also known as
mobile application management (MAM).

Only assign Intune licenses to users after the policy migration is complete. For
more information on the impact of Intune licenses, go to Before you begin (in this
article).

6. You may have to create new Intune policies to replace Basic Mobility and Security
policies. For more information on a minimum base set of policies, go to Get started
with Intune.

After the migration evaluation process activates, you can't make changes to your device
security policies in the Microsoft 365 Defender portal. The existing Basic Mobility and
Security policies are still enforced, but changes to these existing policies aren't saved.

Important

If you have any of the following products or services, then contact the support team
before you proceed:

Enterprise Mobility + Security A3 for Faculty
Enterprise Mobility + Security A3 for Students
Enterprise Mobility + Security A3 for students use benefit
Enterprise Mobility + Security A5 for Faculty
Enterprise Mobility + Security A5 for Students
Enterprise Mobility + Security A5 for students use benefit
Intune for Education
Intune for Education Add-On
Microsoft Intune for Education for Faculty
Microsoft Intune for Education for Student
Microsoft Intune for Education Prepaid Device

Step 2 - Evaluate and migrate your existing policies

After you’ve prepared your licenses and reviewed the information in Step 1 - Prepare,
use the Microsoft Intune admin center Migration evaluation to get Intune policy
recommendations.

The tool can migrate your existing Basic Mobility and Security device security policies to
Intune as compliance policies and device configuration profiles. It also makes
recommendations for which groups the new policies should be assigned.

These Intune recommendations are designed to replicate the Basic Mobility and Security
policies. You need to review these recommendations to make sure they reflect the old
policies.

To evaluate and migrate policies from Basic Mobility and Security to Intune:

1. Complete the steps in the Step 1 - Prepare section (in this article).

2. Open the Migration evaluation > select Start. It will take a few minutes to
complete the evaluation.

Note

If you navigate away from the Migration evaluation, the only way to
return is to open the Migration evaluation link again.
After you start the migration evaluation, you can't create new or edit
existing device security policies in the Microsoft 365 Defender portal.

3. Select Recommendations.

This page displays the Intune policy recommendations based on your Basic
Mobility and Security policies. The recommendations are read only and can't be
changed.

The name of each recommendation has a prefix based on the Basic Mobility and
Security policy name. You need to review each item in the list, like the following
example:
Not all device settings correspond exactly to Intune settings and values. So,
they can’t be moved with precise one-to-one mapping. You need to review
and possibly adjust these settings.
The conditional access (CA) settings that control the Office 365 services are
the same CA policies in Azure Active Directory. So, you don’t need to review
or make changes to them unless you want to.

4. Select an item in the list. The Compliance policy recommendation overview page
opens. Review the instructions.

5. Select Details to review the recommended settings and group assignments:

The policy recommendations on this page are a read-only report documenting the
suggested settings and assignments to use. They aren't Intune policies yet.

While reviewing the recommendations, keep the following points in mind:

If the groups listed in the recommendation already have Intune policies
assigned to them, then these policies may conflict with the recommended
settings. To learn how conflicts are handled in Intune, go to Common
questions and answers with device policies and profiles in Microsoft Intune.

Note

If you make any changes to migrated email profiles or fail to assign
them to recommended groups, then users may be asked to re-enter
their username and password to access email on their devices when the
device migrates to Intune. For more information, go to policy mapping
for Configuration.

If there are already Intune-licensed users in the recommended groups, then
verify that the recommended policies are appropriate for these users. After
you assign the policies to these groups, all Intune licensed users in the
groups receive the policies, even users not previously managed by Basic
Mobility and Security.

Note

For the Windows operating system, only Windows 10/11 desktop
devices will have policy migrated for them. Other versions of Windows
won't have policy migrated. For more information, see the Policy
mapping for Access Requirements and Policy mapping for
Configuration.

6. If you want to implement the recommended policy, then select Open policy. The
policy page opens and the Intune policy is created. You can change or update the
migrated policies.

Note

If you delete the policy, the Open policy link from the recommendation page
won’t work.

At this point, the policy is created, but it’s not doing anything yet. The next step is to
assign the policy to the recommended groups or other groups you choose.

Step 3 - Assign the policies and complete the migration

After the policies are created, they're ready to be assigned. For this migration to
complete, all three have to be complete: assign groups, enable coexistence, and assign
Intune licenses.

1. Assign the recommended groups to the policy. Select Open policy > Properties >
Edit (next to Assignments) > use the assignments workflow to assign the groups.
When you assign groups, your newly migrated Intune policies replace the device
settings configured in Basic Mobility and Security. If you don’t assign the groups,
then devices managed by Basic Mobility and Security could lose settings and email
configuration when their users are licensed for Intune. Remember, the Intune
license assignment is a key step in the migration of devices from Basic Mobility
and Security to Intune device management.

For more information on the impact of existing Intune licenses, go to Before you
begin (in this article).

2. Sign in to the Microsoft Intune admin center with Azure AD Global or License
administrator rights.

3. Enable coexistence. When enabled:

Users with existing Intune licenses are immediately moved to Intune and the
newly migrated policies are applied at the next Intune refresh cycle.
For users without Intune licenses, coexistence is the second step in the
migration process. They'll be moved to Intune in the next step.

4. For users without Intune licenses, assign Intune licenses to the users you want to
migrate. Your options:

Assign licenses to Users. For more information, go to Assign licenses to users.
Assign licenses to Groups. For more information, go to Assign licenses to a
group.

For more information on assigning licenses in Intune, go to Assign licenses to users
so they can enroll devices in Intune.

At this point, the key steps are complete:

1. The policies are assigned to your groups.
2. Coexistence is enabled in Intune.
3. Intune licenses are assigned.

At the next Intune device refresh cycle, the devices will automatically switch to Intune
management and the new policies will start affecting user devices.

What did I just do?

This section describes what happens behind the scenes when you migrate from Basic
Mobility and Security to Intune.
The policies are mapped to Intune policies. For a mapping reference of the policies
migrated by the Migration evaluation, go to:
Access requirements policy mapping from Basic Mobility and Security to Intune
Configurations policy mapping from Basic Mobility and Security to Intune
Miscellaneous policy mapping from Basic Mobility and Security to Intune

When you complete the migration, your migrated policies are in Microsoft Intune
admin center. The new policies include compliance policies, device configuration
profiles, and conditional access policies. The new policies are in the following
locations:

Intune policy type | Intune location
Compliance policies | Microsoft Intune admin center > Devices > Compliance policies. Specify the device settings as access requirements.
Configuration profiles | Microsoft Intune admin center > Devices > Configuration profiles. Specify other settings that aren’t part of the access requirements, including email profiles.
Conditional access policies | Microsoft Intune admin center > Devices > Conditional access > Classic policies. Azure AD conditional access blocks access if the settings aren't compliant.

Known issues

Start button always appears

Each time you open the Microsoft Intune admin center Migration evaluation, the Start
button shows, even if the evaluation is already generated. If you dismiss the Start
prompt, then the previously generated recommendations won’t load.

Workaround: Start the evaluation again. It won’t create more or duplicate
recommendations or policies. Rerunning the migration detects that the evaluation has
already succeeded and loads the previous recommendations.

Number of sign-in failures before device is wiped setting isn't migrated

The Number of sign-in failures before device is wiped setting isn't migrated to Intune.

Workaround: If this setting was enabled in the Basic Mobility and Security policy, then
this setting must be manually added to Intune device configuration profiles. For more
information on the similar settings you can configure in Intune, go to:

Android Enterprise corporate-owned devices: Settings list to allow or restrict features
Android Enterprise personally owned devices: Settings list to allow or restrict features
iOS/iPadOS devices: Settings list to allow or restrict features
Windows 10/11 device: Settings list to allow or restrict features

Next steps

What is Intune?
Get started with Intune

Access requirements policy mapping from Basic Mobility and Security to Intune
Article • 02/22/2023

This article provides mapping details between Basic Mobility and Security and Intune. Specifically, this page maps Office 365 Security and Compliance portal Access Requirement policies to the equivalent policies in Microsoft Intune admin center. Because Intune offers more flexibility, each Office policy translates into multiple Intune and Azure Active Directory (Azure AD) policies to achieve the same result.

If you’re migrating from Basic Mobility and Security to Intune, you can use the Migration
evaluation tool to automate much of this mapping.

To see these settings in the Office 365 Security and Compliance portal, sign in to the
portal at https://protection.office.com/devicev2 and under the list of Device security
policies select policy name > Edit policy > Access Requirements.

Important

The If a device doesn't meet the requirements above, then... setting determines if
you should use Intune compliance policies or configuration profiles for all access
requirement settings. Make sure to review the details for this setting first.

If a device doesn't meet the requirements above, then...

This setting determines if you should use compliance policies or configuration profiles in Intune for all the access requirement settings.

Note

Basic Mobility and Security never supported enforcing conditional access on Windows.

Allow access and report violation (one-time enrollment will still be enforced)

All Access Requirements will be deployed in an Intune device configuration profile.

Block access and report violation

All Access Requirements will be deployed in an Intune compliance policy and the groups assigned will also be assigned to classic conditional access policies:

[GraphAggregatorService] Device policy
[Office 365 Exchange Online] Device policy
[Outlook Service for Exchange] Device policy
[Office 365 SharePoint Online] Device policy
[Outlook Service for OneDrive] Device policy

Require a password

Note

All password-related settings only impact local accounts on Windows. User accounts sourced from Azure Active Directory are not managed by these policies.

When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.

Three compliance policies:

Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Require a password to unlock
mobile devices
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Require a password to unlock
mobile devices
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Require a password to unlock
mobile devices

Prevent simple passwords

For Android devices, this setting and multiple other Office settings are covered by one
Android compliance setting. So this setting alone doesn't determine a specific Android
compliance value.

When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.

Three compliance policies:

Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Simple passwords
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Simple passwords
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Required password type.
If Prevent simple passwords is selected, choose Numeric complex, Alphabetic,
Alphanumeric, or Alphanumeric with symbols (based on other Office settings).
If Prevent simple passwords isn't selected, choose Numeric or a higher type in
the list (based on other Office settings).

Require an alphanumeric password

For Android devices, this setting and multiple other Office settings are covered by one
Android compliance setting. So this setting alone doesn't determine a specific Android
compliance value.

When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.

Three compliance policies:

Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Required password type
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Required password type
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Required password type.
If Prevent simple passwords is selected, choose Numeric complex, Alphabetic,
Alphanumeric, or Alphanumeric with symbols (based on other Office settings).
If Prevent simple passwords isn't selected, choose Numeric or a higher type in
the list (based on other Office settings).

Password must include at least [1-4] character sets

When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.

Four compliance policies:

Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Password complexity.

Office value Intune value

1 Require digits and lowercase letters. The Windows compliance policy doesn't allow only one character set, so an Office setting of 1 translates to Require digits and lowercase letters.

2 Require digits and lowercase letters

3 Require digits, lowercase and uppercase letters

4 Require digits, lowercase, uppercase, and special characters

Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Number of non-alphanumeric
characters in password. The iOS compliance policy doesn’t enforce the number of
character sets but only the number of non-alphanumeric characters that must be
used. So Office values are translated to the same number of non-alphanumeric
characters required.

Office value Intune value

Disabled (0) Not configured

1 1

2 2

3 3

4 4

Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Required password type. Android
doesn’t support distinguishing lowercase and uppercase as different character sets,
and so the Office value of 4 cannot be enforced. Instead it translates to at least
Alphanumeric with symbols.

Office value Intune value

1 At least Numeric or Numeric complex (based on other Office settings)

2 At least Alphanumeric

3 At least Alphanumeric with symbols

4 At least Alphanumeric with symbols

policy-name_OfficeMDM > Access controls > Grant > Require device to be marked as compliant

Minimum password length

When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.

Three compliance policies:

Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Minimum password length

Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Minimum password length

Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Required password type and
Minimum password length.

Office value for Require an alphanumeric password, and the resulting Intune value for Required password type:

Selected: At least Numeric (based on other Office settings)

Not selected: At least Numeric (based on other Office settings)

Number of sign-in failures before the device is wiped

Although this setting is listed under Access requirements in Basic Mobility and Security,
access is still allowed even if this setting hasn't yet been enabled on the device, and this
setting isn't a device compliance criterion.

When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.

Three configuration profiles:

Devices > Windows > Configuration profiles > policy name_O365_W >
Properties > Compliance settings Edit > Password > Number of sign-in failures
before wiping device
Devices > iOS/iPadOS > Configuration profiles > policy name_O365_i >
Properties > Compliance settings Edit > Password > Number of sign-in failures
before wiping device
Devices > Android > Configuration profiles > policy name_O365_A > Properties
> Compliance settings Edit > Password > Number of sign-in failures before
wiping device

Lock devices if they are inactive for this many minutes

The Windows, iOS/iPadOS, and Android compliance policies don’t offer the same
granularity of values, so the Office setting range is mapped to fewer Intune values.

Three compliance policies:

Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Maximum minutes of inactivity
before password is required

Office value Intune value

1 through 4 1 minute

5 through 14 5 minutes

15 or more 15 minutes

Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Maximum minutes of inactivity
before password is required

Office value Intune value

1 1 minute

2 2 minutes

3 3 minutes

4 4 minutes

5 through 9 5 minutes (maximum for iOS)

10 through 14 10 minutes (iPadOS only)

15 or more 15 minutes (iPadOS only)

Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Required password type.

Office value Intune value

1 through 4 1 minute

5 through 14 5 minutes

15 through 29 15 minutes

30 through 59 30 minutes

60 60 minutes
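
The character-set table and the three inactivity tables above describe a small translation algorithm with platform-specific caveats (Windows can't require a single character set, Android can't separate upper and lower case, iOS stops at 5 minutes unless the device runs iPadOS). The following Python helper is an added example, not code from the Microsoft article or from the Migration evaluation tool: its function names are my own, an Office value of 0 is treated as Not configured on every platform, and Office inactivity values above the last Android row (60) are clamped to 60; those three choices are assumptions, and the helper also accepts values beyond the exact rows listed by rounding down to the nearest supported step, which is the rule the tables follow.

```python
# Added example (not from the Microsoft article): translate Basic Mobility and
# Security access-requirement values into the per-platform Intune values the
# mapping tables describe. Function and key names are hypothetical.

WINDOWS_COMPLEXITY = {
    # Windows compliance can't require a single character set, so 1 maps like 2.
    1: "Require digits and lowercase letters",
    2: "Require digits and lowercase letters",
    3: "Require digits, lowercase and uppercase letters",
    4: "Require digits, lowercase, uppercase, and special characters",
}

ANDROID_PASSWORD_TYPE = {
    1: "At least Numeric or Numeric complex",  # exact type depends on other Office settings
    2: "At least Alphanumeric",
    # Android can't treat upper and lower case as separate sets, so 3 and 4 collapse.
    3: "At least Alphanumeric with symbols",
    4: "At least Alphanumeric with symbols",
}


def policy_kind(block_access: bool) -> str:
    """'If a device doesn't meet the requirements above, then...' decides where the
    settings land: Block access -> compliance policy, Allow access -> configuration profile."""
    return "compliance policy" if block_access else "configuration profile"


def character_sets(office_value: int) -> dict:
    """Map 'Password must include at least [1-4] character sets' per platform.
    0 means the Office setting is disabled (assumption: 'Not configured' everywhere)."""
    if office_value not in range(0, 5):
        raise ValueError(f"Office character-set value must be 0-4, got {office_value}")
    if office_value == 0:
        return {"windows": "Not configured", "ios": "Not configured", "android": "Not configured"}
    return {
        "windows": WINDOWS_COMPLEXITY[office_value],
        # iOS only counts non-alphanumeric characters, so the number carries over as-is.
        "ios": office_value,
        "android": ANDROID_PASSWORD_TYPE[office_value],
    }


def _bucket(minutes: int, steps: list) -> int:
    """Largest supported Intune value that does not exceed the Office value."""
    if minutes < 1:
        raise ValueError("Office inactivity value must be at least 1 minute")
    return max(step for step in steps if step <= minutes)


def inactivity_minutes(office_minutes: int, ipados: bool = False) -> dict:
    """Map 'Lock devices if they are inactive for this many minutes'. Intune offers
    fewer values than Office, so each platform rounds down to its nearest supported
    step; iOS tops out at 5 minutes unless the device runs iPadOS."""
    ios_steps = [1, 2, 3, 4, 5] + ([10, 15] if ipados else [])
    return {
        "windows": _bucket(office_minutes, [1, 5, 15]),
        "ios": _bucket(office_minutes, ios_steps),
        # The Android table ends at 60; values above 60 are clamped to it (assumption).
        "android": _bucket(office_minutes, [1, 5, 15, 30, 60]),
    }


def translate(block_access: bool, char_sets: int, minutes: int, ipados: bool = False) -> dict:
    """Bundle the decisions for one Basic Mobility and Security policy."""
    return {
        "deploy_as": policy_kind(block_access),
        "character_sets": character_sets(char_sets),
        "inactivity": inactivity_minutes(minutes, ipados),
    }


if __name__ == "__main__":
    # Constructed sample policy: Block access, 4 character sets, lock after 12 minutes.
    print(translate(block_access=True, char_sets=4, minutes=12))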

Password expiration

When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.

Three compliance policies:

Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Password expiration (days)
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Password expiration (days)
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Number of days until password
expires.

Remember password history and prevent reuse

When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.

Three compliance policies:

Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Number of previous passwords
to prevent reuse

Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Number of previous passwords
to prevent reuse

Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Number of previous passwords to
prevent reuse and Required password type

Office value for Require an alphanumeric password, and the resulting Intune value for Required password type:

Selected: At least Numeric (based on other Office settings)

Not selected: At least Numeric (based on other Office settings)

Require data encryption on devices

This setting was never configurable for Windows or iOS/iPadOS in Basic Mobility and
Security.

When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.

One compliance policy:

Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Encryption of data storage on
device

Prevent jail broken or rooted devices from connecting

This setting was never configurable for Windows in Basic Mobility and Security.

For Android devices, Intune only supports this setting for Android device administrator
devices.

When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.

Two compliance policies:

Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > Device Health > Jailbroken devices
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > Device Health > Rooted devices

Require managing email profile (required for selective wipe on iOS)

Requiring this setting was never supported for Windows or Android compliance in Basic Mobility and Security. Windows email was never supported for Windows 10 in Basic Mobility and Security.

For Android, this setting was only supported on Samsung Knox devices in Basic Mobility
and Security.

Intune requires additional settings be configured when deploying email that weren’t
available in device security policies. For more information, see Additional settings
required by Intune for email profiles.

When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.

Three configuration profiles and one compliance policy:

Devices > Windows > Configuration profiles > policy name_O365_W_Email >
Properties > Configuration settings Edit

Setting Value

Email server outlook.office365.com

Account name Office 365 email

Username attribute from AAD User Principal Name

Email address attribute from AAD User Principal Name

SSL Enable

Devices > iOS/iPadOS > Configuration profiles > policy name_O365_i_Email >
Properties > Configuration settings Edit

Setting Value

Email server outlook.office365.com

Account name Office 365 email

Username attribute from AAD User Principal Name

Email address attribute from AAD User Principal Name

Authentication name Username and password

SSL Enable

Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > Email > Unable to set up email on the device >
Require

Devices > Android > Configuration profiles > policy name_O365_A_Email >
Properties > Configuration settings Edit

Setting Value

Email server outlook.office365.com

Account name Office 365 email

Username attribute from AAD User Principal Name

Email address attribute from AAD User Principal Name


Authentication name Username and password

SSL Enable

Additional settings required by Intune for email profiles

The following settings aren't deployed by device security policies, but Intune requires
that they have a value when deploying email profiles.

Platform Setting Value in migration

Android Require S/mime false

Android Sync Contacts true

Android Sync Calendar true

Android Sync Tasks true

Android Sync Notes false

iOS Block moving messages to other email accounts false

iOS Block sending Email from third party addresses false

iOS Block syncing recently used email addresses false

iOS Require S/mime false

Windows 10 Sync Contacts true

Windows 10 Sync Calendar true

Windows 10 Sync Tasks true


Configurations policy mapping from Basic Mobility and Security to Intune
Article • 02/22/2023

This article provides mapping details between Basic Mobility and Security and Intune. Specifically, this page maps Office 365 Security and Compliance portal Configurations policies to the equivalent policies in Microsoft Intune admin center. Because Intune offers more flexibility, each Office policy translates into multiple Intune and Azure Active Directory (Azure AD) policies to achieve the same result.

If you’re migrating from Basic Mobility and Security to Intune, you can use the Migration
evaluation tool to automate much of this mapping.

To see these settings in the Office 365 Security and Compliance portal, sign in to the
portal and then select Device security policies > policy name > Edit policy >
Configurations.

Require encrypted backup

This setting was never supported for Windows or Android in Basic Mobility and Security.

One configuration profile:

Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Compliance settings Edit > Cloud and Storage > Force encrypted backup

Block cloud backup

This setting was never supported for Windows or Android in Basic Mobility and Security.

This setting is only supported on supervised iOS devices.

One configuration profile:

Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > Cloud and Storage > various Block iCloud settings

Block document synchronization

This setting was never supported for Windows or Android in Basic Mobility and Security. This setting is only supported on supervised iOS devices.

One configuration profile:

Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > Cloud and Storage > Block iCloud document and
data sync

Block photo synchronization

This setting was never supported for Windows or Android in Basic Mobility and Security.

One configuration profile:

Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > Cloud and Storage > Block My Photo Stream

Block screen capture

For Android devices, this setting is only supported on Samsung Knox devices in Basic
Mobility and Security.

Three configuration profiles:

Devices > Windows > Configuration profiles > profile name > Properties >
Configuration settings Edit > General > Screen capture (mobile only)
Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > General > Block screenshots and screen recording
Devices > Android > Configuration profiles > profile name > Properties >
Configuration settings Edit > General > Screen capture (Samsung KNOX only)

Block video conferences on device

This setting was never supported for Windows or Android in Basic Mobility and Security.

This setting is only supported on supervised iOS devices.

One configuration profile:

Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > Built-in Apps > Block FaceTime

Block sending diagnostic data from device

For Android devices, this setting is only supported on Samsung Knox devices in Basic Mobility and Security.

For Windows 10 devices, the most restrictive value prevents sending security-related
data.

Three configuration profiles:

Devices > Windows > Configuration profiles > profile name > Properties >
Configuration settings Edit > Reporting and Telemetry > Share usage data

Block sending diagnostic data from device value Share usage data value

Selected Security

Not selected Not configured

Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > General > Block sending diagnostic and usage data
to Apple

Devices > Android > Configuration profiles > profile name > Properties >
Configuration settings Edit > General > Diagnostic data (Samsung Knox only)

Block access to application store

For Android devices, this setting is only supported on Samsung Knox devices in Basic
Mobility and Security.

For iOS, this setting is only supported on supervised iOS devices.

Three configuration profiles:

Devices > Windows > Configuration profiles > profile name > Properties >
Configuration settings Edit > App store > App store (mobile only)
Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > App store, Doc Viewing, Gaming > Block App store
Devices > Android > Configuration profiles > choose a profile with type Device
administrator > Properties > Configuration settings Edit > Google Play Store >
Google Play store (Samsung Knox only)

Require password when accessing application store

This setting was never supported for Windows or Android in Basic Mobility and Security.

Apple doesn't block accessing the app store without a password, but blocks purchases
without a password.

One configuration profile:

Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > App store, Doc Viewing, Gaming > Require iTunes
Store password for all purchases

Block connection with removable storage

This setting was never supported for iOS/iPadOS in Basic Mobility and Security.

For Android devices, this setting is only supported on Samsung Knox devices in Basic
Mobility and Security.

Two configuration profiles:

Devices > Windows > Configuration profiles > profile name > Properties >
Configuration settings Edit > General > Removable storage
Devices > Android > Configuration profiles > choose a profile with type Device
administrator > Properties > Configuration settings Edit > Cloud and Storage >
Removable storage (Samsung Knox only)

Block Bluetooth connection

This setting was never supported for iOS/iPadOS in Basic Mobility and Security.

For Android devices, this setting is only supported on Samsung Knox devices in Basic
Mobility and Security.

Two configuration profiles:

Devices > Windows > Configuration profiles > profile name > Properties >
Configuration settings Edit > Cellular and connectivity > Bluetooth
Devices > Android > Configuration profiles > choose a profile with type Device
administrator > Properties > Configuration settings Edit > Cellular and
connectivity > Bluetooth (Samsung Knox only)

Next steps

To migrate these policies, you can use the Migration evaluation tool.

Miscellaneous policy mapping from Basic Mobility and Security to Intune
Article • 02/22/2023

This article provides mapping details between Basic Mobility and Security and Intune. Specifically, this page maps the following Office 365 Security and Compliance portal policies and device properties to the equivalent policies and properties in Microsoft Intune admin center:

Device properties and actions
Organization-wide device access settings
Device security policies Name and Description

Because Intune offers more flexibility, each Office policy will translate into multiple
Intune and Azure Active Directory (Azure AD) policies to achieve the same result.

If you’re migrating from Basic Mobility and Security to Intune, you can use the Migration
evaluation tool to automate much of this mapping.

Device properties and actions

To see these settings, sign in to the Microsoft 365 admin center and then select a
device.

User
Devices > All devices > device name > Overview > Enrolled by

Device type
Devices > All devices > device name > Overview > Operating system

State
This isn't a default column in the Intune portal device list. You can show it by using the
Columns picker.

Devices > All devices > Device state column

OS version
Devices > All devices > device name > Hardware > Operating system version

Factory reset
Devices > All devices > device name > Overview > Wipe

Remove company data

Devices > All devices > device name > Overview > Retire

Organization-wide device access settings

To see these settings in the Office 365 Security and Compliance portal, sign in to the portal and then select Device security policies > Manage organization-wide device access settings.

These settings are backed by the conditional access policy [GraphAggregatorService] Device policy. It includes:

Device platforms: iOS, Android
Target client apps: Mobile app desktop clients
Access controls: require compliant device

If a device isn't supported by MDM for Office 365, do you want to allow or block it from using an Exchange account to access your organization's email?

This setting modifies one classic conditional access policy:

Endpoint security > Conditional access > Classic policies > [GraphAggregatorService] Device policy > Conditions > Client apps (Preview) > Mobile apps and desktop clients > Exchange ActiveSync clients > Apply policy only to supported platform

Are there any security groups you want to exclude from access control?

This setting modifies five classic conditional access policies:

[GraphAggregatorService] Device policy

[Office 365 Exchange Online] Device policy

[Outlook Service for Exchange] Device policy

[Office 365 SharePoint Online] Device policy

[Outlook Service for OneDrive] Device policy

Endpoint security > Conditional access > policy name > Users and groups >
Exclude

Device security policy Name and Description

To see these settings in the Office 365 Security and Compliance portal, sign in to the portal and then select Device security policies > policy name > Edit policy > Name.

Name
Up to three compliance policies and up to six configuration profiles (three for
restrictions and three for email):

Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Basics Edit > Name
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Basics Edit > Name
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Basics Edit > Name
Devices > Windows > Configuration profiles > policy name_O365_W >
Properties > Basics Edit > Name
Devices > iOS/iPadOS > Configuration profiles> policy name_O365_i >
Properties > Basics Edit > Name
Devices > Android > Configuration profiles > policy name_O365_A > Properties
> Basics Edit > Name
Devices > Windows > Configuration profiles > policy name_O365_W_Email >
Properties > Basics Edit > Name
Devices > iOS/iPadOS > Configuration profiles> policy name_O365_i_Email >
Properties > Basics Edit > Name
Devices > Android > Configuration profiles > policy name_O365_A_Email >
Properties > Basics Edit > Name

Description
Up to three compliance policies and up to six configuration profiles (three for
restrictions and three for email):

Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Basics Edit > Description
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Basics Edit > Description
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Basics Edit > Description
Devices > Windows > Configuration profiles > policy name_O365_W >
Properties > Basics Edit > Description
Devices > iOS/iPadOS > Configuration profiles> policy name_O365_i >
Properties > Basics Edit > Description
Devices > Android > Configuration profiles > policy name_O365_A > Properties
> Basics Edit > Description
Devices > Windows > Configuration profiles > policy name_O365_W_Email >
Properties > Basics Edit > Description
Devices > iOS/iPadOS > Configuration profiles> policy name_O365_i_Email >
Properties > Basics Edit > Description
Devices > Android > Configuration profiles > policy name_O365_A_Email >
Properties > Basics Edit > Description

Next steps

To migrate these policies, you can use the Migration evaluation tool.

Get started with your Microsoft Intune deployment
Article • 04/20/2023

Microsoft Intune is a cloud-based service that helps you manage your devices and apps.
For more information about what Microsoft Intune can do for your organization, go to
What is Microsoft Intune.

This article provides an overview of the steps to start your Intune deployment.

Tip

As a companion to this article, the Microsoft 365 admin center also has some setup guidance. The guide customizes your experience based on your environment. At Microsoft Intune setup guide, sign in with the Global Reader (at a minimum) to access the deployment guides. For more information on these deployment guides and the roles needed, go to Advanced deployment guides for Microsoft 365 and Office 365 products.

To review best practices without signing in and activating the automated setup features, go to the M365 Setup portal.

Before you begin

To help plan your Intune deployment, use the Planning guide to move to Microsoft
Intune. It covers personal devices, licensing considerations, creating a rollout plan,
communicating changes to your users, and more.

The following articles are good resources:

Move to cloud-native endpoints
Planning guide to move to Microsoft Intune
Deployment guide: Set up or move to Microsoft Intune

For some online training, go to:

Microsoft Intune fundamentals
Plan your migration to Intune
Determine your endpoint management implementation

Determine your license needs and any other prerequisites for your Intune
deployment. The following list provides some of the most common prerequisites:

Intune subscription: Included with some Microsoft 365 subscriptions. You also get access to the Microsoft Intune admin center, which is a web-based console for managing your devices, apps, and users.

Microsoft 365 apps: Included with Microsoft 365 and used for productivity apps, including Outlook and Teams.

Azure Active Directory (Azure AD): Included with some Microsoft 365 subscriptions. Azure AD provides identity management for users, groups, and devices, and comes with your Intune and Microsoft 365 subscription.

Azure AD Premium, which might cost extra, gives you more features commonly used by organizations, including Conditional Access, multi-factor authentication (MFA), and dynamic groups.

Windows Autopilot: Included with some Microsoft 365 subscriptions. Windows Autopilot gives you modern OS deployment for Windows 10/11 client devices.

Platform specific prerequisites: Depending on the platforms of your devices, there will probably be other requirements.

For example, if you manage iOS/iPadOS and macOS devices, you need an Apple
MDM push certificate and possibly an Apple token. If you manage Android
devices, you may need a managed Google Play account. If you use certificate
authentication, you may need a SCEP or PKCS certificate.

For more information, go to:

Android enrollment deployment guide
iOS/iPadOS enrollment deployment guide
macOS enrollment deployment guide
Windows enrollment deployment guide

Step 1 - Set up Intune

In this step:

✔️Confirm your devices are supported, create your Intune tenant, add users &
groups, assign licenses, and more.

This step focuses on setting up Intune and getting it ready for you to manage your user
identities, apps, and devices. Intune uses many features in Azure AD, including your
domain, your users, and your groups.

For more information, go to Step 1 - Set up Microsoft Intune.

Step 2 - Add and protect apps

In this step:

✔️On devices that will enroll in Intune, create a baseline of apps that all devices must
have, and then assign these app policies during enrollment. On apps that need extra
security, also use app protection policies.

✔️On devices that won't enroll in Intune, use app protection policies and multi-factor
authentication (MFA):

App protection policies help protect organization data on personal devices.
MFA helps protect your organization's data from unauthorized access.

For more information, go to Step 2 - Add, configure, and protect apps with Intune.

Every organization has a base set of apps that should be installed on devices. Before
users enroll their devices, you can use Intune to assign these apps to their devices.
During enrollment, the app policies are automatically deployed. When enrollment
completes, the apps install and are ready to use.

If you prefer, you can enroll your devices, and then assign apps. It's your choice. The
next time users check for new apps, they'll see the new apps available.

If users with their own personal devices will access organization resources, then you
need to protect any apps that access your organization data using mobile application
management (MAM), at a minimum. You can create MAM policies for Outlook, Teams,
SharePoint, and other apps. The Microsoft Intune planning guide has some guidance on
managing personal devices.

Note

MFA is a feature of Azure AD that must be enabled in your Azure AD tenant. Then,
you configure MFA for your apps. For more information, go to:

How it works: Azure AD multi-factor authentication
Tutorial: Secure user sign-in events with Azure AD multi-factor
authentication

Step 3 - Check for compliance and turn on Conditional Access

In this step:

✔️Create a baseline of compliance policies that all devices must have, and then assign
these compliance policies during enrollment.

✔️Enable Conditional Access to enforce your compliance policies.

For more information, go to Step 3 – Plan for compliance policies.

MDM solutions like Intune can set rules that devices should meet, and can report the
compliance states of these rules. These rules are called compliance policies. When you
combine compliance policies with Conditional Access, you can require that devices meet
certain security requirements before they can access your organization's data.

When users enroll their devices in Intune, the enrollment process can automatically
deploy your compliance policies. When enrollment completes, admins can check the
compliance status and get a list of devices that don't meet your rules.

If you prefer, you can enroll your devices before checking compliance. It's your choice.
At the next Intune check-in, the compliance policies are assigned.

Note

Conditional Access is a feature of Azure AD that must be enabled in your Azure AD
tenant. Then, you can create Conditional Access policies for your user identities,
apps, and devices. For more information, go to:

Learn about Conditional Access and Intune
App-based Conditional Access with Intune
Conditional Access scenarios

Step 4 - Configure device features

In this step:

✔️Create a baseline of security features and device features that should be enabled or
blocked. Assign these profiles during enrollment.

For more information, go to Step 4 - Create device configuration profiles to secure
devices and access organization resources.

Your organization may have a base set of device and security features that should be
configured or should be blocked. These settings are added to device configuration and
endpoint security profiles. It's recommended to assign key security and device
configuration policies during enrollment. When enrollment starts, the device
configuration profiles are automatically assigned. When enrollment completes, these
device and security features are configured.

If you prefer, you can enroll your devices before creating the configuration profiles. It's
your choice. At the next Intune check-in, the profiles are assigned.

In the Microsoft Intune admin center, you can create different profiles based on your
device platform - Android, iOS/iPadOS, macOS, and Windows.

The following articles are good resources:

Apply features and settings on your devices using device profiles
Use the settings catalog to configure settings
Manage endpoint security in Microsoft Intune
Security configuration framework with recommendations for Android Enterprise
and iOS/iPadOS
Windows security baselines

Step 5 - Enroll your devices

In this step:

✔️Enroll your devices in Intune.

For more specific information, go to Step 5 - Deployment guidance: Enroll devices in
Microsoft Intune.

To fully manage devices, the devices must be enrolled in Intune to receive the
compliance & Conditional Access policies, app policies, device configuration policies,
and security policies you create. As an admin, you create enrollment policies for your
users and devices. Each device platform (Android, iOS/iPadOS, macOS, Windows, and
Linux) has different enrollment options. You choose what's best for your environment,
your scenarios, and how your devices are used.

Depending on the enrollment option you choose, users can enroll themselves. Or, you
can automate enrollment so users only need to sign in to the device with their
organization account.

When a device enrolls, it's issued a secure MDM certificate. The device uses this
certificate to communicate with the Intune service.

Different platforms have different enrollment requirements. The following articles can
help you learn more about device enrollment, including platform-specific guidance:

What is device enrollment in Intune?
Enrolled device management capabilities of Microsoft Intune
Deployment guidance: Enroll devices in Microsoft Intune
Deployment guide: Enroll Android devices
Deployment guide: Enroll iOS/iPadOS devices
Deployment guide: Enroll macOS devices
Deployment guide: Enroll Windows devices
Deployment guide: Enroll Linux desktop devices

Cloud attach with Configuration Manager

Microsoft Configuration Manager helps protect on-premises Windows Server, devices,
apps, and data. If you need to manage a combination of cloud and on-premises
endpoints, you can cloud attach your Configuration Manager environment to Intune.

If you use or will use Configuration Manager, there are two steps to cloud attach your
on-premises devices:

1. Tenant attach: Register your Intune tenant with your Configuration Manager
deployment. Your Configuration Manager devices are shown in the Microsoft
Intune admin center. On these devices, you can run different actions, including
installing apps and running Windows PowerShell scripts, using the web-based Intune
admin center.

2. Co-management: Manage Windows client devices with Configuration Manager
and Microsoft Intune. Some workloads are managed by Configuration Manager,
and some workloads are managed by Intune.

For example, you can use Configuration Manager to manage Windows updates,
and use Intune to manage Conditional Access policies.

If you currently use Configuration Manager, you get immediate value through tenant
attach, and you get more value through co-management.

For guidance on the Microsoft Intune setup that's right for your organization, go to
Deployment guide: Set up or move to Microsoft Intune.

Next steps

Step 1 - Set up Microsoft Intune
Step 2 - Add, configure, and protect apps with Intune
Step 3 – Plan for compliance policies
Step 4 - Configure device features and settings to secure devices and access
organization resources
Step 5 - Deployment guidance: Enroll devices in Microsoft Intune

Levels of protection and configuration in Microsoft Intune
Article • 03/02/2023

Microsoft Intune gives admins the ability to create policies that are applied to users,
devices, and apps. These policies can range from a minimum set to more secure or
controlled policies. Which policies you need depends on the organization's needs, the
devices that are used, and what the devices will do.

When you're ready to create policies, you can use the different levels of protection and
configuration:

Level 1 - Minimum protection and configuration
Level 2 - Enhanced protection and configuration
Level 3 - High protection and configuration

Your environment and business needs may have different levels defined. You can use
these levels as a starting point and then customize them to fit your needs. For example,
you can use the device configuration policies in level 1 and the app policies in level 3.

Choose the levels that are right for your organization. There isn't a wrong choice.

 Tip

On Android and iOS/iPadOS devices, the Enterprise security configuration


framework includes a granular list of settings and their recommended values. If you
use these platforms, then Microsoft recommends using the framework settings.

For more information, go to:

Android enterprise security configuration framework


iOS/iPadOS enterprise security configuration framework

Level 1 - Minimum protection and


configuration
This level includes policies that every organization should have, at a minimum. The
policies in this level create a minimum baseline of security features and give users access
to the resources they need to do their jobs.
Apps (level 1)
This level enforces a reasonable amount of data protection and access requirements
while minimizing the impact to users. This level ensures that apps are protected with a
PIN and encrypted, and it performs selective wipe operations. For Android devices, this
level validates Android device attestation. This level is an entry-level configuration that
provides data protection controls similar to those in Exchange Online mailbox policies. It
also introduces IT and the user population to app protection policies.

In this level, Microsoft recommends you configure the following protection and access
for apps:

Enable basic data protection requirements:
Allow app basic data transfer
Enforce basic app encryption
Allow basic access functionality

Enable basic access requirements:
Require PIN, face ID, and biometric access
Enforce supporting basic access settings

Enable basic conditional application launch:
Configure app basic access attempts
Block app access based on jailbroken/rooted devices
Restrict app access based on basic integrity of devices

For more information, see Level 1 basic app protection.

Compliance (level 1)
In this level, device compliance includes configuring the tenant-wide settings that apply
to all devices, and deploying minimal compliance policies to all devices to enforce a core
set of compliance requirements. Microsoft recommends that these configurations be in
place before you allow devices to access your organization’s resources. Level 1 device
compliance includes:

Compliance policy settings are a few tenant-wide settings that affect how the Intune
compliance service works with your devices.

Platform-specific compliance policies include settings for common themes across
platforms. The actual setting name and implementation can be different between
different platforms:
Require antivirus, antispyware, and antimalware (Windows only)
Operating system version:
Maximum OS
Minimum OS
Minor and major build versions
OS patch levels
Password configurations:
Enforce lock screen after period of inactivity, requiring a password or PIN to
unlock
Require complex passwords with combinations of letters, numbers, and symbols
Require a password or PIN to unlock devices
Require minimum password length

Actions for noncompliance are automatically included with each platform-specific policy.
These actions are one or more time-ordered actions you configure that apply to devices
that fail to meet the compliance requirements of the policy. By default, marking a device
as noncompliant is an immediate action that's included in each policy.

For more information, see Level 1 - Minimal device compliance.

Device configuration (level 1)

In this level, the profiles include settings that focus on security and resource access.
Specifically, in this level, Microsoft recommends you configure the following features:

Enable basic security, including:
Antivirus and scanning
Threat detection and response
Firewall
Software updates
Strong PIN and password policy

Give users access to the network:
Email
VPN for remote access
Wi-Fi for on-premises access

For more information on these policies in this level, go to Step 4 - Create device
configuration profiles to secure devices and create connections to organization
resources.

Level 2 - Enhanced protection and configuration

This level expands on the minimum set of policies to include more security and expand
your mobile device management. The policies in this level secure more features, provide
identity protection, and manage more device settings.

Use the settings in this level to add to what you've done in Level 1.

Apps (level 2)
This level recommends a standard level of application protection for devices where users
access more sensitive information. This level introduces app protection policy data
leakage prevention mechanisms and minimum OS requirements. This level is the
configuration that is applicable to most mobile users accessing work or school data.

In addition to Level 1 settings, Microsoft recommends you configure the following
protection and access for apps:

Enable enhanced data protection requirements:
Transfer organization related data
Exempt selected apps data transfer requirements (iOS/iPadOS)
Transfer telecommunication data
Restrict cut, copy, and paste between apps
Block screen capture (Android)

Enable enhanced conditional application launch:
Block disabling application accounts
Enforce minimum device OS requirements
Require minimum patch version (Android)
Require SafetyNet evaluation type (Android)
Require device lock (Android)
Allow app access based on increased integrity of device

For more information, see Level 2 enhanced app protection.

Compliance (level 2)
At this level, Microsoft recommends adding more complex options to your compliance
policies. Many of the settings at this level have platform-specific names that all deliver
similar results. The following are the categories or types of settings that Microsoft
recommends you use when they're available:

Applications:
Manage where devices get apps, like Google Play for Android
Allow apps from specific locations
Block apps from unknown sources

Firewall settings:
Firewall settings (macOS, Windows)

Encryption:
Require encryption of data storage
BitLocker (Windows)
FileVault (macOS)

Passwords:
Password expiration and reuse

System level file and boot protection:
Block USB debugging (Android)
Block rooted or jailbroken devices (Android, iOS)
Require system integrity protection (macOS)
Require code integrity (Windows)
Require secure boot to be enabled (Windows)
Trusted Platform Module (Windows)

For more information, see Level 2 - Enhanced device compliance settings.
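As an added example (not code from the Intune documentation), the following Python models how the Level 1 and Level 2 compliance settings listed above and the time-ordered actions for noncompliance fit together. Rule names follow the text; the device records, OS version ranges and action schedule are constructed for illustration and are not Intune's evaluation logic.

```python
"""Constructed model of Level 1 and Level 2 device compliance rules and
time-ordered actions for noncompliance (added example, not Intune's own code).
Rule names mirror the settings listed in the text; device records, version
ranges and the action schedule are made up for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """'10.0.19045' -> (10, 0, 19045); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Device:
    """Constructed inventory record as a device might report it at check-in."""
    name: str
    platform: str                 # "windows", "android" or "ios"
    os_version: str
    password_min_length: int      # length the device's lock screen enforces
    lock_after_minutes: int       # inactivity timeout; 0 means no auto-lock
    antivirus_enabled: bool
    storage_encrypted: bool
    secure_boot: bool
    tpm_present: bool
    rooted_or_jailbroken: bool
    usb_debugging: bool


@dataclass(frozen=True)
class Rule:
    name: str
    platforms: frozenset[str]     # empty set: the rule applies to every platform
    check: Callable[[Device], bool]

    def applies_to(self, device: Device) -> bool:
        return not self.platforms or device.platform in self.platforms


# Constructed minimum/maximum OS versions per platform (Level 1 "Operating system version").
OS_RANGE = {"windows": ("10.0.19044", "10.0.99999"), "android": ("11", "14"), "ios": ("15", "17")}


def os_in_range(device: Device) -> bool:
    low, high = OS_RANGE[device.platform]
    return parse_version(low) <= parse_version(device.os_version) <= parse_version(high)


ALL = frozenset()
LEVEL1_RULES = [
    Rule("Minimum/maximum OS version", ALL, os_in_range),
    Rule("Require minimum password length 6", ALL, lambda d: d.password_min_length >= 6),
    Rule("Lock screen after 15 minutes of inactivity", ALL, lambda d: 0 < d.lock_after_minutes <= 15),
    Rule("Require antivirus", frozenset({"windows"}), lambda d: d.antivirus_enabled),
]
# Level 2 keeps every Level 1 rule and adds encryption plus boot/file protection.
LEVEL2_RULES = LEVEL1_RULES + [
    Rule("Require encryption of data storage", ALL, lambda d: d.storage_encrypted),
    Rule("Block rooted or jailbroken devices", frozenset({"android", "ios"}), lambda d: not d.rooted_or_jailbroken),
    Rule("Block USB debugging", frozenset({"android"}), lambda d: not d.usb_debugging),
    Rule("Require secure boot", frozenset({"windows"}), lambda d: d.secure_boot),
    Rule("Require TPM", frozenset({"windows"}), lambda d: d.tpm_present),
]

# Constructed time-ordered actions for noncompliance: (action, grace period in days).
# Marking the device noncompliant at day 0 is the immediate action every policy carries.
NONCOMPLIANCE_ACTIONS = [("mark_noncompliant", 0), ("notify_user_by_email", 1), ("retire_device", 30)]


def evaluate(device: Device, rules: list[Rule]) -> list[str]:
    """Names of the applicable rules the device fails; an empty list means compliant."""
    return [r.name for r in rules if r.applies_to(device) and not r.check(device)]


def actions_due(days_noncompliant: int) -> list[str]:
    """Actions whose grace period has elapsed since the device first failed a rule."""
    return [action for action, grace in NONCOMPLIANCE_ACTIONS if days_noncompliant >= grace]


# Constructed sample devices: one healthy laptop, a phone with weak lock settings and
# USB debugging on, and a laptop on an old build without antivirus, encryption or secure boot.
SAMPLE_DEVICES = {
    "LAPTOP-01": Device("LAPTOP-01", "windows", "10.0.19045", 8, 10, True, True, True, True, False, False),
    "PIXEL-02": Device("PIXEL-02", "android", "13", 4, 30, False, True, False, False, False, True),
    "LAPTOP-03": Device("LAPTOP-03", "windows", "10.0.18363", 8, 5, False, False, False, True, False, False),
}

if __name__ == "__main__":
    for level, rules in (("Level 1", LEVEL1_RULES), ("Level 2", LEVEL2_RULES)):
        for device in SAMPLE_DEVICES.values():
            failures = evaluate(device, rules)
            print(f"{level} {device.name}: {'compliant' if not failures else failures}")
    print("actions due after 30 days of noncompliance:", actions_due(30))
```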

Device configuration (level 2)

In this level, you're expanding on the settings and features you configured in level 1.
Microsoft recommends you create policies that:

Add another layer of security by enabling disk encryption, secure boot, and TPM
on your devices.
Configure your PINs & passwords to expire and manage if/when passwords can be
reused.
Configure more granular device features, settings, and behaviors.
If you have on-premises GPOs, then you can determine if these GPOs are available
in Intune.

For more specific information on device configuration policies at this level, go to Level 2
- Enhanced protection and configuration.

Level 3 - High protection and configuration

This level includes enterprise-level policies and may involve different admins in your
organization. These policies continue moving to password-less authentication, have
more security, and configure specialized devices.

Use the settings in this level to add to what you've done in Levels 1 and 2.

Apps (level 3)
This level recommends a standard level of application protection for devices where users
access more sensitive information. This level introduces advanced data protection
mechanisms, enhanced PIN configuration, and app protection policy Mobile Threat
Defense. This configuration is desirable for users that are accessing high risk data.

In addition to level 1 and 2 settings, Microsoft recommends you configure the following
protection and access for apps:

Enable high data protection requirements:
High protection when transferring telecommunication data
Receive data from only policy managed apps
Block opening data into organization documents
Allow users to open data from selected services
Block third-party keyboards
Require/select approved keyboards (Android)
Block printing organization data

Enable high access requirements:
Block simple PIN and require specific minimum PIN length
Require PIN reset after number of days
Require class 3 Biometrics (Android 9.0+)
Require override of Biometrics with PIN after biometric updates (Android)

Enable high conditional application launch:
Require device lock (Android)
Require max allowed threat level
Require Max OS version

For more information, see Level 3 high app protection.

Compliance (level 3)
At this level, you can expand on Intune's built-in compliance capabilities through the
following:

Integrate data from Mobile Threat Defense (MTD) partner
With an MTD partner, your compliance policies can require devices be at or
under a device threat level or machine risk score, as determined by that partner

Use a third-party compliance partner with Intune

Use scripts to add custom compliance settings to your policies for settings that
aren't available from within the Intune UI. (Windows, Linux)

Use compliance policy data with Conditional Access policies to gate access to your
organization’s resources

For more information, see Level 3 - Advanced device compliance configurations.

Device configuration (level 3)

This level focuses on enterprise-level services and features, and can require an
infrastructure investment. In this level, you can create policies that:

Expand password-less authentication to other services in your organization,
including certificate-based authentication, single sign-on for apps, multi-factor
authentication (MFA), and the Microsoft Tunnel VPN gateway.
Configure device features that apply to the Windows firmware layer. Use Android
common criteria mode.
Configure specialized devices like kiosks and shared devices.
Deploy scripts, if needed.

For more specific information on device configuration policies at this level, go to Level 3
- High protection and configuration.

Next steps

For a complete list of all the device configuration profiles you can create, go to Apply
features and settings on your devices using device profiles in Microsoft Intune.

Step 1: Set up Microsoft Intune
Article • 03/29/2023

The first step when deploying Microsoft Intune is to set up your Intune environment.

In this article, you'll step through the process of setting up Microsoft Intune. Also, this
article will provide the choices and considerations you need to make when setting up an
endpoint-management solution such as Intune.

By the end of this article, you'll have a better understanding of Intune's supported
configurations. You'll have signed up for the Microsoft Intune's free trial. You'll add end
users, define user groups, assign licenses to users, and set up the other needed settings
to begin using Microsoft Intune. All of these steps will prepare you to add and manage
devices and apps using Intune.

Prerequisites
Before you begin setting up Microsoft Intune, review the Planning guide. Use this guide
to plan your move or migration to Intune.

The planning guide also includes the following:

Lists and describes some common objectives for device management
Lists potential licensing needs
Provides guidance on handling personally owned devices
Recommends reviewing current policies and infrastructure
Gives examples of creating a rollout plan
And more

1 - Review the Supported Configurations

✔️Get started with supported configurations

Before you begin setting up Microsoft Intune, you should:

Review the device platforms and operating systems that Intune supports.
Review which web browsers are supported when accessing Intune using Microsoft
Intune admin center.
Be familiar with the network bandwidth requirements to perform installations and
updates using Intune.

For guidance and need-to-know information before you start, go to Supported
configurations.

Tip

By default, all device platforms can enroll in Intune. If you want to prevent specific
platforms, then create a restriction. For more information, go to Create a device
platform restriction.

2 - Sign up for Microsoft Intune

✔️Get started with sign up, or sign in to Intune

Sign in to the Microsoft Intune admin center.

Before you sign up for Intune, determine whether you already have a Microsoft Online
Services account, Enterprise Agreement, or equivalent volume licensing agreement. A
Microsoft volume licensing agreement or other Microsoft cloud services subscription
like Microsoft 365 usually includes a work or school account.

If you already have a work or school account, sign in with that account and add Intune
to your subscription. Otherwise, you can sign up for a new account to use Intune for
your organization.

For guidance, go to Sign in to Intune.

3 - Configure a custom domain name for your Intune tenant

✔️Get started with configuring a custom domain name for your Intune tenant

When your organization signs up for Microsoft Intune, you're given an initial domain
name hosted in Azure Active Directory (Azure AD) that looks like
your-domain.onmicrosoft.com.

The onmicrosoft.com suffix is assigned to all accounts added to subscriptions.

You can optionally configure your organization's custom domain in Intune, such as
contoso.com. If you don't add your domain account, then, for example,
contoso.onmicrosoft.com may be used.

Set DNS registration to connect your company's domain name with Intune. This
gives users a familiar domain when connecting to Intune and using resources.

If you are simply evaluating Intune using the free trial, you can skip this step.

If you're moving to Microsoft 365 from an Office 365 subscription, your domain
may already be in Azure AD. Intune uses the same Azure AD, and can use your
existing domain.

For guidance, go to Configure domain name.

4 - Add users to Intune

✔️Get started with adding users to Intune

Users are stored in Azure AD, which is also included with Microsoft 365. Azure AD
controls access to resources, and authenticates users.

You can add users, or connect Active Directory to sync with Intune. This step is required
unless your devices are "userless" kiosk devices.

For guidance, go to Add users.

The people in your organization each need a user account before they can sign in and
access Microsoft Intune. To create user accounts, you can add users to Intune. Once
added, you can grant permissions and assign licenses to users. Then later, you can
assign different types of policies to users to help and protect them.

As an administrator, you can add users individually or in bulk to Intune.

You must be an admin (global, license, or a user admin) to add users to Intune. If you set
up Intune using the free trial, you are a global admin.

5 - Create groups in Intune

✔️Get started with adding groups to Intune

Add groups to assign apps, settings, and other resources. For some guidance, go to Add
groups.

Intune uses Azure Active Directory (Azure AD) groups to organize and manage devices
and users. As an Intune admin, you can set up groups to suit your organizational needs.
For instance, you can create groups to organize users or devices by geographic location,
department, or hardware characteristics. Also, you can use groups to manage tasks at
scale. For example, you can set policies for many users or deploy apps to a set of
devices based on groups.

6 - Manage licenses

Intune is available with different subscriptions, including as a stand-alone service.
Determine the licensed services your organization needs and then continue to assign
each user an Intune license before users can enroll their devices in Intune.

✔️Determine your license needs

Microsoft Intune is available for different organization sizes and needs, from a simple-
to-use management experience for schools and small businesses, to more advanced
functionality required by enterprise customers. An admin must have a license assigned
to them to administer Intune (unless you have selected to allow unlicensed admins).

For guidance, go to Microsoft Intune licensing.

✔️Get started with assigning licenses to users

Whether you added users one at a time or all at once, you must assign each user an
Intune license before users can enroll their devices in Intune. The Microsoft Intune free
trial provides 25 Intune licenses. For a list of licenses, see Licenses that include Intune.

Give users permission to use Intune. Each user or userless device requires an Intune
license to access the service.

For guidance, go to Assign licenses.

✔️Unlicensed admins

You can give administrators access to Microsoft Endpoint Manager without them
requiring an Intune license. This feature applies to any administrator, including Intune
administrators, global administrators, Azure AD administrators, and so on.

For guidance, go to Unlicensed admins.

7 - Manage Roles and grant admin permissions for Intune

After you've added users to your Intune tenant, we recommend that you create your
administrative team.

Microsoft Intune includes a set of admin roles that you can assign to users in your
organization using the Microsoft Intune admin center. Each admin role maps to
common business functions and gives people in your organization permissions to do
specific tasks in the admin centers.

✔️Get started with managing roles

1. Role-based access control (RBAC) helps you manage who has access to your
organization's resources and what they can do with those resources. For guidance,
go to Role-based access control (RBAC) with Microsoft Intune.

2. By assigning roles to your Intune users, you can limit what they can see and
change. For guidance, go to Assign a role to an Intune user.

3. You can use both the built-in and custom roles. Built-in roles cover some common
Intune scenarios. You can create your own custom roles with the exact set of
permissions you need. For guidance, go to Create a custom role in Intune.

4. You can use role-based access control and scope tags to make sure that the right
admins have the right access and visibility to the right Intune objects. Roles
determine what access admins have to which objects. Scope tags determine which
objects admins can see. For guidance, go to Use role-based access control (RBAC)
and scope tags for distributed IT.
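An added example, not Intune's implementation: a small Python model of the two dimensions described above, where role permissions decide which actions an admin can take and scope tags decide which objects the admin can see. The admins, roles, tags and objects are constructed, and the model deliberately requires the permission and the matching scope tag to come from the same role assignment.

```python
"""Constructed model of how Intune-style role permissions and scope tags
combine (added example, not Intune's implementation). Admins, roles, tags and
objects are made up. In this model an admin may act on an object only through
a role assignment that both grants the permission and shares a scope tag with
the object; visibility is the union of tags across the admin's assignments."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ManagedObject:
    object_id: str
    kind: str                     # "device", "app", "compliancePolicy", ...
    scope_tags: frozenset[str]    # tags attached to the object


@dataclass(frozen=True)
class RoleAssignment:
    admin: str
    role: str
    permissions: frozenset[str]   # "<kind>:<action>", e.g. "device:remoteLock"
    scope_tags: frozenset[str]    # objects carrying any of these tags are in scope


# Constructed tenant objects; "Default" stands in for the tag objects start with.
OBJECTS = [
    ManagedObject("dev-sea-001", "device", frozenset({"Seattle"})),
    ManagedObject("dev-lon-002", "device", frozenset({"London"})),
    ManagedObject("app-teams", "app", frozenset({"Seattle", "London"})),
    ManagedObject("pol-baseline", "compliancePolicy", frozenset({"Default"})),
]

# Constructed assignments: a regional help desk and a tenant-wide policy admin.
ASSIGNMENTS = [
    RoleAssignment("helpdesk-sea", "Regional Help Desk",
                   frozenset({"device:read", "device:remoteLock", "app:read"}),
                   frozenset({"Seattle"})),
    RoleAssignment("policy-admin", "Policy Manager",
                   frozenset({"compliancePolicy:read", "compliancePolicy:update", "device:read"}),
                   frozenset({"Default", "Seattle", "London"})),
]


def visible_objects(admin: str, assignments=ASSIGNMENTS, objects=OBJECTS) -> list[str]:
    """Scope tags decide visibility: list objects sharing a tag with any assignment of the admin."""
    tags: set[str] = set()
    for a in assignments:
        if a.admin == admin:
            tags |= a.scope_tags
    return [o.object_id for o in objects if o.scope_tags & tags]


def is_allowed(admin: str, action: str, obj: ManagedObject, assignments=ASSIGNMENTS) -> bool:
    """Roles decide actions: a single assignment must grant the permission and share a tag."""
    needed = f"{obj.kind}:{action}"
    return any(
        needed in a.permissions and bool(a.scope_tags & obj.scope_tags)
        for a in assignments if a.admin == admin
    )


def find(object_id: str, objects=OBJECTS) -> ManagedObject:
    return next(o for o in objects if o.object_id == object_id)


if __name__ == "__main__":
    for admin in ("helpdesk-sea", "policy-admin"):
        print(admin, "sees", visible_objects(admin))
    # Help desk can lock a Seattle device but not a London one (no shared scope tag).
    print(is_allowed("helpdesk-sea", "remoteLock", find("dev-sea-001")))
    print(is_allowed("helpdesk-sea", "remoteLock", find("dev-lon-002")))
    # Policy admin sees every device but holds no remoteLock permission.
    print(is_allowed("policy-admin", "remoteLock", find("dev-sea-001")))
```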

8 - Set the mobile device management authority

✔️Get started with MDM authority

The mobile device management (MDM) authority setting determines how you manage
your devices. By default, the Intune free trial sets your MDM authority to Intune. As an IT
admin, you must set an MDM authority before users can enroll devices for management.
With the MDM authority set, you can start enrolling devices.

If you are changing your tenant to support Intune, you will need to change your MDM
authority configuration.

For guidance, go to Set the mobile device management authority.

9 - Customize the Intune company portal

The Company Portal apps, Company Portal website, and Intune app on Android are
where users access company data and can do common tasks. Common tasks may include
enrolling devices, installing apps, and locating information (such as for assistance from
your IT department).

✔️Get started with configuring the company portal

Customize the Intune Company Portal that users use to enroll devices and install apps.
These settings appear in both the Company Portal app and the Intune Company Portal
website. You can also customize the Company Portal app so it includes your
organization details.

For guidance, go to Configure the company portal.

Follow the minimum recommended baseline policies

1. 🡺 Set up Microsoft Intune (You are here)
2. Add, configure, and protect apps
3. Plan for compliance policies
4. Configure device features
5. Enroll devices

Step 2 - Add, configure, and protect apps with Intune
Article • 04/25/2023

The next step when deploying Intune is to add and protect apps that access
organization data.

Managing applications on devices in your organization is a central part of a secure and
productive enterprise ecosystem. You can use Microsoft Intune to manage the apps that
your company's workforce uses. By managing apps, you help control which apps your
company uses, as well as the configuration and protection of the apps. This functionality
is called mobile application management (MAM). MAM in Intune is designed to protect
organization data at the application level, including custom apps and store apps. App
management can be used on organization-owned devices and personal devices. When it
is used with personal devices, only organization-related access and data is managed.
This type of app management is called MAM without enrollment (MAM-WE), or from an
end-user perspective, bring your own device (BYOD).

MAM configurations
When apps are used without restrictions, company and personal data can get
intermingled. Company data can end up in locations like personal storage or transferred
to apps beyond your purview and result in data loss. One of the primary reasons to use
either MAM without device enrollment or Intune MDM + MAM is to help protect your
organization's data.

Microsoft Endpoint Manager supports two MAM configurations:

MAM without device management
MAM with device management

MAM without device management

This configuration allows your organization's apps to be managed by Intune, but
doesn't enroll the devices to be managed by Intune. This configuration is commonly
referred to as MAM without device enrollment, or MAM-WE. IT administrators can
manage apps using MAM by using Intune configuration and protection policies on
devices not enrolled with Intune mobile-device management (MDM).

Note

This configuration includes managing apps with Intune on devices enrolled with
third-party enterprise mobility management (EMM) providers. You can use Intune
app protection policies independent of any MDM solution. This independence
helps you protect your company's data with or without enrolling devices in a device
management solution. By implementing app-level policies, you can restrict access
to company resources and keep data within the purview of your IT department.

Mobile Application Management (MAM) is ideal to help protect organization data on
mobile devices used by members of your organization for both personal and work tasks.
While making sure members of your organization can be productive, you want to
prevent data loss, intentional and unintentional. You also want to protect company data
that is accessed from devices that are not managed by you. MAM allows you to manage
and protect your organization's data within an application.

Tip

Many productivity apps, such as the Microsoft Office apps, can be managed by
Intune MAM. See the official list of Microsoft Intune protected apps available for
public use.

For BYOD devices not enrolled in any MDM solution, app protection policies can help
protect company data at the app level. However, there are some limitations to be aware
of, such as:

You can't deploy apps to the device. The end user has to get the apps from the
store.
You can't provision certificate profiles on these devices.
You can't provision company Wi-Fi and VPN settings on these devices.

For more information about app protection in Intune, see App protection policies
overview.

MAM with device management


This configuration allows your organization's apps and devices to be managed. This
configuration is commonly referred to as MAM + MDM. IT administrators can manage
apps using MAM on devices that are enrolled with Intune MDM.

MDM, in addition to MAM, makes sure that the device is protected. For example, you
can require a PIN to access the device, or you can deploy managed apps to the device.
You can also deploy apps to devices through your MDM solution, to give you more
control over app management.

There are additional benefits to using MDM with app protection policies, and companies
can use app protection policies with and without MDM at the same time. For example, a
member of your organization could have both a phone issued by the company and their
own personal tablet. The company phone could be enrolled in MDM and protected by
app protection policies while the personal device is protected by app protection policies
only.

On enrolled devices that use an MDM service, app protection policies can add an extra
layer of protection. For example, a user signs in to a device with their organization
credentials. As that organization data is used, app protection policies control how the
data is saved and shared. When users sign in with their personal identity, those same
protections (access and restrictions) aren't applied. In this way, IT has control of
organization data, while end users maintain control and privacy over their personal data.

The MDM solution adds value by providing the following:

- Enrolls the device
- Deploys the apps to the device
- Provides ongoing device compliance and management

App protection policies add value by providing the following:

- Help protect company data from leaking to consumer apps and services
- Apply restrictions like save-as, clipboard, or PIN, to client apps
- Wipe company data when needed from apps without removing those apps from
  the device

Benefits of MAM with Intune


When apps are managed in Intune, administrators can do the following:

- Protect company data at the app level. You can add and assign mobile apps to
  user groups and devices. This allows your company data to be protected at the
  app level. You can protect company data on both managed and unmanaged
  devices because mobile app management doesn't require device management.
  The management is centered on the user identity, which removes the requirement
  for device management.
- Configure apps to start or run with specific settings enabled. In addition, you can
  update existing apps already on the device.
- Assign policies to limit access and prevent data from being used outside your
  organization. You choose the setting for these policies based on your
  organization's requirements. For example, you can:
  - Require a PIN to open an app in a work context.
  - Block managed apps from running on jailbroken or rooted devices.
  - Control the sharing of data between apps.
  - Prevent the saving of company app data to a personal storage location by using
    data relocation policies, like Save copies of org data, and Restrict cut, copy,
    and paste.
- Support apps on a variety of platforms and operating systems. Each platform is
  different. Intune provides available settings specifically for each supported
  platform.
- See reports about which apps are used, and track their usage. In addition, Intune
  provides endpoint analytics to help you assess and resolve problems.
- Do a selective wipe by removing only organization data from apps.
- Ensure personal data is kept separate from managed data. End-user productivity
  isn't affected and policies don't apply when using the app in a personal context.
  The policies are applied only in a work context, which gives you the ability to
  protect company data without touching personal data.

Add apps to Intune


The first step when providing apps to your organization is to add the apps to Intune
before assigning them to devices or users from Intune. While you can work with many
different app types, the basic procedures are the same. With Intune, you can add
different app types, including apps written in-house (line-of-business), apps from the
store, apps that are built in, and apps on the web.

The users of apps and devices at your company (your company's workforce) might have
several app requirements. Before adding apps to Intune and making them available to
your workforce, you may find it helpful to assess and understand a few app
fundamentals. There are various types of apps that are available for Intune. You must
determine app requirements that are needed by the users at your company, such as the
platforms and capabilities that your workforce needs. You must determine whether to
use Intune to manage the devices (including apps) or have Intune manage the apps
without managing the devices. Also, you must determine the apps and capabilities that
your workforce needs, and who needs them. The information in this article helps you get
started.

Before adding apps to Intune, consider reviewing the support app types and assess your
app requirements. For more information, see Add apps to Microsoft Intune.

Tip

To better understand app types, app purchases, and app licenses for Intune, see the
solution Purchase and add apps for Microsoft Intune. This solution content also
provides recommended steps to assess app requirements, create app categories,
purchase apps, and add apps. Additionally, this solution content explains how to
manage apps and app licenses.

Add Microsoft apps


Intune includes a number of Microsoft apps based on the Microsoft license that you use
for Intune. To learn more about the different Microsoft enterprise licenses available that
include Intune, see Microsoft Intune licensing. To compare the different Microsoft apps
that are available with Microsoft 365, see the licensing options available with Microsoft
365. To see all the options for each plan (including the available Microsoft apps),
download the full Microsoft subscription comparison table and locate the plans that
include Microsoft Intune.

One of the available app types is Microsoft 365 apps for Windows 10 devices. By
selecting this app type in Intune, you can assign and install Microsoft 365 apps to
devices you manage that run Windows 10. You can also assign and install apps for the
Microsoft Project Online desktop client and Microsoft Visio Online Plan 2, if you own
licenses for them. The available Microsoft 365 apps are displayed as a single entry in the
list of apps in the Intune console within Azure.

Add the following core Microsoft apps to Intune:

- Microsoft Edge
- Microsoft Excel
- Microsoft Office
- Microsoft OneDrive
- Microsoft OneNote
- Microsoft Outlook
- Microsoft PowerPoint
- Microsoft SharePoint
- Microsoft Teams
- Microsoft To Do
- Microsoft Word

For more information about adding Microsoft apps to Intune, go to the following topics:

- Add apps to Microsoft Intune
- Add Microsoft 365 Apps to Windows 10/11 devices with Microsoft Intune

Add store apps (optional)


Many of the standard store apps displayed within the Intune console are freely available
for you to add and deploy to members of your organization. In addition, you can
purchase store apps for each device platform.

The following table provides the different categories available for store apps:

Store app category | Description

Free store apps: You can freely add these apps to Intune and deploy them to the
members of your organization. These apps do not require any additional cost to use.

Purchased apps: You must purchase licenses for these apps before adding to Intune.
Each device platform (Windows, iOS, Android) offers a standard method to purchase
licenses for these apps. Intune provides methods to manage the app license for each
end user.

Apps requiring an account, subscription, or license from the app developer: You can
freely add and deploy these apps from Intune, however the app may require an
account, subscription, or license from the app vendor. For a list of apps that support
Intune management functionality, see Partner productivity apps and Partner UEM apps.
NOTE: For apps that may require an account, subscription, or license, you must contact
the app vendor for specific app details.

Apps included with your Intune license: The license you use with Microsoft Intune may
include the app licenses you require.

Note

In addition to purchasing app licenses, you can create Intune policies that allow
end users to add personal accounts to their devices to purchase unmanaged apps.

For more information about adding store apps to Intune, go to the following topics:

- Add Microsoft Store apps to Microsoft Intune
- Add iOS store apps to Microsoft Intune
- Add Android store apps to Microsoft Intune

Configure apps using Intune


App configuration policies can help you eliminate app setup problems by letting you
select configuration settings for a policy. That policy is then assigned to end users
before they run a specific app. The settings are then supplied automatically when the
app is configured on the end user's device. End users don't need to take action. The
configuration settings are unique for each app.

You can create and use app configuration policies to provide configuration settings for
both iOS/iPadOS or Android apps. These configuration settings allow an app to be
customized by using app configuration and management. The configuration policy
settings are used when the app checks for these settings, typically the first time the app
is run.

An app configuration setting, for example, might require you to specify any of the
following details:

- A custom port number
- Language settings
- Security settings
- Branding settings such as a company logo

If end users were to enter these settings instead, they could do this incorrectly. App
configuration policies can help provide consistency across an enterprise and reduce
helpdesk calls from end users trying to configure settings on their own. By using app
configuration policies, the adoption of new apps can be easier and quicker.

The available configuration parameters are ultimately decided by the developers of the
app. Documentation from the application vendor should be reviewed to see if an app
supports configuration and what configurations are available. For some applications,
Intune will populate the available configuration settings.

For more information about app configuration, go to the following topics:

- App configuration policies for Microsoft Intune
- Add app configuration policies for managed iOS/iPadOS devices
- Add app configuration policies for managed Android Enterprise devices

Configure Microsoft Outlook


The Outlook for iOS and Android app is designed to enable users in your organization
to do more from their mobile devices, by bringing together email, calendar, contacts,
and other files.

The richest and broadest protection capabilities for Microsoft 365 data are available
when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft
Intune and Azure Active Directory Premium features, such as conditional access. At a
minimum, you will want to deploy a conditional access policy that allows connectivity to
Outlook for iOS and Android from mobile devices and an Intune app protection policy
that ensures the collaboration experience is protected.

For more information about configuring Microsoft Outlook, go to the following topic:

Manage messaging collaboration access by using Outlook for iOS and Android
with Microsoft Intune

Configure Microsoft Edge


Edge for iOS and Android is designed to enable users to browse the web and supports
multi-identity. Users can add a work account, as well as a personal account, for
browsing. There is complete separation between the two identities, which is like what is
offered in other Microsoft mobile apps.

For more information about configuring Microsoft Edge, go to the following topic:

Manage Microsoft Edge on iOS and Android with Intune


Configure VPN

Virtual private networks (VPN) allow users to access organization resources remotely,
including from home, hotels, cafes, and more. In Microsoft Intune, you can configure
VPN client apps on Android Enterprise devices using an app configuration policy. Then,
deploy this policy with its VPN configuration to devices in your organization.

You can also create VPN policies that are used by specific apps. This feature is called
per-app VPN. When the app is active, it can connect to the VPN, and access resources
through the VPN. When the app isn't active, the VPN isn't used.

For more information about configuring VPN, go to the following topic:

Use a VPN and per-app VPN policy on Android Enterprise devices in Microsoft
Intune

Protect apps using Intune


App protection policies (APP) are rules that ensure an organization's data remains safe
or contained in a managed app. A policy can be a rule that is enforced when the user
attempts to access or move "corporate" data, or a set of actions that are prohibited or
monitored when the user is inside the app. A managed app is an app that has app
protection policies applied to it, and can be managed by Intune.

Mobile Application Management (MAM) app protection policies allow you to manage
and protect your organization's data within an application. Many productivity apps, such
as the Microsoft Office apps, can be managed by Intune MAM. See the official list of
Microsoft Intune protected apps available for public use.

One of the primary ways that Intune provides mobile app security is through policies.
App protection policies allow you to do the following actions:

- Use Azure AD identity to isolate organization data from personal data, so personal
  information is isolated from organizational IT awareness. Data accessed using
  organization credentials is given additional security protection.
- Help secure access on personal devices by restricting actions users can take with
  organizational data, such as copy-and-paste, save, and view.
- Create and deploy on devices that are enrolled in Intune, enrolled in another
  mobile device management (MDM) service, or not enrolled in any MDM service.

Note

App protection policies are designed to apply uniformly across a group of apps,
such as applying a policy across all Office mobile apps.

Organizations can use app protection policies with and without MDM at the same time.
For example, consider an employee that uses both a tablet issued by the company, and
their own personal phone. The company tablet is enrolled in MDM and protected by
app protection policies while their personal phone is protected by app protection
policies only.

For more information about app protection in Intune, go to the following topics:

- App protection policies overview
- How to create and assign app protection policies

Levels of app protection


As more organizations implement mobile device strategies for accessing work or school
data, protecting against data leakage becomes paramount. Intune's mobile application
management solution for protecting against data leakage is App Protection Policies
(APP). APP are rules that ensure an organization's data remains safe or contained in a
managed app, regardless of whether the device is enrolled.

When configuring App Protection Policies, the different settings and options available
allow organizations to customize the protection to their specific needs. Due to this
flexibility, it may not be obvious which permutation of policy settings is required to
implement a complete scenario. To help organizations prioritize client endpoint
hardening endeavors, Microsoft has introduced a new taxonomy for security
configurations in Windows 10, and Intune is leveraging a similar taxonomy for its APP
data protection framework for mobile app management.

The APP data protection configuration framework is organized into three distinct
configuration scenarios:

- Level 1 enterprise basic data protection – Microsoft recommends this configuration
  as the minimum data protection configuration for an enterprise device.
- Level 2 enterprise enhanced data protection – Microsoft recommends this
  configuration for devices where users access sensitive or confidential information.
  This configuration is applicable to most mobile users accessing work or school
  data. Some of the controls may impact user experience.
- Level 3 enterprise high data protection – Microsoft recommends this configuration
  for devices run by an organization with a larger or more sophisticated security
  team, or for specific users or groups who are at uniquely high risk (users who
  handle highly sensitive data where unauthorized disclosure causes considerable
  material loss to the organization). An organization likely to be targeted by
  well-funded and sophisticated adversaries should aspire to this configuration.

Basic app protection (level 1)

Basic app protection in Intune (level 1) is the minimum data protection configuration for
an enterprise mobile device. This configuration replaces the need for basic Exchange
Online device access policies by requiring a PIN to access work or school data,
encrypting the work or school account data, and providing the capability to selectively
wipe the school or work data. However, unlike Exchange Online device access policies,
the below App Protection Policy settings apply to all the apps selected in the policy,
thereby ensuring data access is protected beyond mobile messaging scenarios.

The policies in level 1 enforce a reasonable data access level while minimizing the
impact to users and mirror the default data protection and access requirements settings
when creating an App Protection Policy within Microsoft Endpoint Manager.

For specific data protection, access requirements, and conditional launch settings for
basic app protection, go to the following topic:

Level 1 enterprise basic data protection.

Enhanced app protection (level 2)


Enhanced app protection in Intune (level 2) is the data protection configuration
recommended as a standard for devices where users access more sensitive information.
These devices are a natural target in enterprises today. These recommendations do not
assume a large staff of highly skilled security practitioners, and therefore should be
accessible to most enterprise organizations. This configuration expands upon the
configuration in Level 1 by restricting data transfer scenarios and by requiring a
minimum operating system version.

The policy settings enforced in level 2 include all the policy settings recommended for
level 1 but only lists those settings below that have been added or changed to
implement more controls and a more sophisticated configuration than level 1. While
these settings may have a slightly higher impact to users or to applications, they enforce
a level of data protection more commensurate with the risks facing users with access to
sensitive information on mobile devices.
For specific data protection and conditional launch settings for enhanced app
protection, go to the following topic:

Level 2 enterprise enhanced data protection.

High app protection (level 3)


High app protection for Intune (level 3) is the data protection configuration
recommended as a standard for organizations with large and sophisticated security
organizations, or for specific users and groups who will be uniquely targeted by
adversaries. Such organizations are typically targeted by well-funded and sophisticated
adversaries, and as such merit the additional constraints and controls described. This
configuration expands upon the configuration in Level 2 by restricting additional data
transfer scenarios, increasing the complexity of the PIN configuration, and adding
mobile threat detection.

The policy settings enforced in level 3 include all the policy settings recommended for
level 2 but only lists those settings below that have been added or changed to
implement more controls and a more sophisticated configuration than level 2. These
policy settings can have a potentially significant impact to users or to applications,
enforcing a level of security commensurate with the risks facing targeted organizations.

For specific data protection, access requirements, and conditional launch settings for
high app protection, go to the following topic:

Level 3 enterprise high data protection.

Protect Exchange Online email on managed devices


You can use device compliance policies with Conditional Access to make sure that your
organization's devices can access Exchange Online email only if they're managed by
Intune and using an approved email app. You can create an Intune device compliance
policy to set the conditions that a device must meet to be considered compliant. You
can also create an Azure Active Directory (Azure AD) Conditional Access policy that
requires devices to enroll in Intune, comply with Intune policies, and use the approved
Outlook mobile app to access Exchange Online email.

For more information about protecting Exchange Online, go to the following topic:

Tutorial: Protect Exchange Online email on managed devices

End-user requirements to use app protection policies


To use app protection policies on apps managed by Intune, end users must meet the
following requirements:

- The end user must have an Azure Active Directory (Azure AD) account. See Add
  users and give administrative permission to Intune to learn how to create Intune
  users in Azure Active Directory.
- The end user must have a license for Microsoft Intune assigned to their Azure
  Active Directory account. See Manage Intune licenses to learn how to assign Intune
  licenses to end users.
- The end user must belong to a security group that is targeted by an app
  protection policy. The same app protection policy must target the specific app
  being used. App protection policies can be created and deployed in the Microsoft
  Intune admin center. Security groups can currently be created in the Microsoft
  365 admin center.
- The end user must sign into the app using their Azure AD account.

Step 3 – Plan for compliance policies
Article • 03/08/2023

Previously, you’ve set up your Intune subscription and created app protection policies.
Next, plan for and configure device compliance settings and policies to help protect
organizational data by requiring devices to meet requirements that you set.

If you’re not yet familiar with compliance policies, see Compliance overview.

This article applies to:

- Android Enterprise (Fully Managed, and Personally owned work profiles)
- Android Open-Source Project (AOSP)
- iOS/iPadOS
- Linux
- macOS
- Windows

You deploy compliance policies to groups of devices or users. When deployed to users,
any device the user signs into must then meet the policy's requirements. Some common
examples of compliance requirements include:

- Requiring a minimum operating system version.
- Use of a password or PIN that meets certain complexity and length requirements.
- A device being at or below a threat level as determined by mobile threat defense
  software you use. Mobile threat defense software includes Microsoft Defender for
  Endpoint or one of Intune’s other supported partners.

When devices fail to meet the requirements of a compliance policy, that policy can apply
one or more actions for noncompliance. Some actions include:

- Remotely locking the noncompliant device.
- Sending email or notifications to the device or user about the compliance issue, so a
  device user can bring it back into compliance.
- Identifying a device that might be ready for retirement should it remain out of
  compliance for an extended time.

When you're planning for and deploying your compliance policies, it can help to
approach them through the recommendations in this article, which are organized into
different levels. We recommend starting with the minimal compliance settings, which
are common to most or all platforms, and then expanding by adding more advanced
configurations and integrations that provide more capabilities.

Because different device platforms support different compliance capabilities or use
different names for similar settings, listing each option is beyond this deployment plan.
Instead, we’ll provide categories and examples of settings in those categories for each of
the following levels:

- Level 1 – Minimal device compliance. These are configurations that we
  recommend all tenants have in place.
- Level 2 – Enhanced device compliance settings. These include common device
  configurations such as encryption, or system level file protections.
- Level 3 – Advanced device compliance configurations. High level
  recommendations include those that require deeper integration with other
  products, such as Conditional Access from Azure AD.

Generally, our recommendations place settings that are considered key configurations
that are common across platforms at the minimal compliance level, providing a strong
return for your investment. Settings listed at higher levels can involve more
complexity, such as settings that require integration of third-party products. Be sure to
review the full range of recommendations and be ready to adjust your own deployment
plan to fit your organization’s needs and expectations.

The following articles can help you understand the settings that Intune policies natively
support:

- Android device administrator
- Android Enterprise
- Android Open-Source Project (AOSP)
- iOS
- macOS
- Windows 10/11

Level 1 - Minimal device compliance


✔️Configure tenant-wide Compliance policy settings

✔️Set up responses for noncompliant devices (Actions for noncompliance)

✔️Understand how device compliance and device configuration policies interact

✔️Use a core set of minimal compliance settings across platforms you support

The minimal device compliance settings include the following subjects that all tenants
who plan to use compliance policies should understand and be prepared to use:

- Compliance policy settings – Tenant-wide settings that affect how the Intune
  compliance service works with your devices.
- Actions for noncompliance – These configurations are common to all device
  compliance policies.
- Minimal device compliance policy recommendations – These are the platform
  specific device compliance settings we believe every tenant should implement to
  help keep their organization's resources safe.

In addition, we recommend you be familiar with how device compliance policies and
device configuration policies are related and interact.

Compliance policy settings


All organizations should review and set the tenant-wide compliance policy settings.
These settings are foundational to supporting platform specific policies. They can also
mark devices that haven't evaluated a compliance policy as noncompliant, which can
help you protect your organization from new or unknown devices that might fail to
meet your security expectations.

- Compliance policy settings are a few configurations you make at the tenant-level
  that then apply to all devices. They establish how the Intune compliance service
  functions for your tenant.
- These settings are configured directly in the Microsoft Intune admin center and are
  distinct from device compliance policies that you create for specific platforms and
  deploy to discrete groups of devices or users.

To learn more about Compliance Policy Settings at the tenant level, and how to
configure them, see Compliance policy settings.

Actions for noncompliance

Each device compliance policy includes actions for noncompliance, which are one or
more time-ordered actions that are applied to devices that fail to meet the compliance
requirements of the policy. By default, marking a device as noncompliant is an
immediate action that’s included in each policy.

For each action you add, you define how long to wait after a device is marked as
noncompliant before that action runs.

Available actions you can configure include the following, but not all are available for
each device platform:

- Mark device non-compliant (default action for all policies)
- Send push notification to end user
- Send email to end user
- Remotely lock the noncompliant device
- Retire the noncompliant device

Policy administrators should understand the available options for each action and
complete supporting configurations before deploying a policy that requires them. For
example, before you can add the send email action, you must first create one or more
email templates with the messages you might want to send. Such an email might
include resources to help the user bring their device into compliance. Later, when
defining an email action for a policy you can select one of your templates to use with a
specific action.

Because each non-default action can be added to a policy multiple times, each with a
separate configuration, you can customize how the actions will apply.

For example, you could configure several related actions to occur in a sequence. First,
immediately upon being noncompliant you might have Intune send an email to the
device’s user, and perhaps an administrator as well. Then a few days later, a second
action could send a different email reminder, with details about a deadline for
remediating the device. You might also configure a final action to add a device to a list
of devices you might want to retire, with the action set to run only after a device
continues to remain noncompliant for an excessive period.

While compliance policy can mark a device as noncompliant, you’ll also need a plan for
how to remediate noncompliant devices. This could include admins using noncompliant
device status to request updates or configurations be made to a device. To provide
general guidance to device users, you can configure the send email to end user action
for noncompliance to include useful tips or contacts for resolving a device compliance
issue.

To learn more, see Actions for noncompliance.
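The time-ordered sequence described above (immediate mark plus email, a reminder a few days later, retirement only after an excessive period) is easy to get wrong when typed into a policy by hand. The following is an added example, not Intune's own code or documentation: it models a policy's actions for noncompliance, validates the sequence before it is deployed, and reports which actions have fired after a given number of hours. The request-body field names (scheduledActionsForRule, scheduledActionConfigurations, actionType, gracePeriodHours, notificationTemplateId, notificationMessageCCList) follow the Microsoft Graph deviceCompliancePolicy resource as the editor knows it; the page itself does not list them. The ruleName value, the template IDs and the e-mail address are constructed placeholders.

```python
"""Model of a device compliance policy's actions for noncompliance.

Added example, not Intune's own code. Graph field names are from the
deviceCompliancePolicy schema as the editor knows it; template IDs,
rule name and address below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_ACTION = "block"  # "Mark device non-compliant": immediate, present in every policy


@dataclass
class NoncomplianceAction:
    action_type: str          # block | notification | pushNotification | remoteLock | retire
    grace_period_hours: int   # hours to wait after the device is marked noncompliant
    notification_template_id: str | None = None   # required for "notification" (send email)
    cc_list: list[str] = field(default_factory=list)  # extra recipients, e.g. an admin

    def to_graph(self) -> dict:
        body = {"actionType": self.action_type, "gracePeriodHours": self.grace_period_hours}
        if self.action_type == "notification":
            body["notificationTemplateId"] = self.notification_template_id
            body["notificationMessageCCList"] = self.cc_list
        return body


def validate_schedule(actions: list[NoncomplianceAction]) -> list[str]:
    """Return the problems an admin should fix before deploying the policy."""
    problems: list[str] = []
    blocks = [a for a in actions if a.action_type == DEFAULT_ACTION]
    if len(blocks) != 1:
        problems.append("exactly one 'block' (mark device noncompliant) action is required")
    elif blocks[0].grace_period_hours != 0:
        problems.append("'block' must be immediate (gracePeriodHours = 0)")
    for a in actions:
        if a.grace_period_hours < 0:
            problems.append(f"{a.action_type}: grace period cannot be negative")
        if a.action_type == "notification" and not a.notification_template_id:
            problems.append("notification: create and select an email template first")
    # Sanity rule of this example (not an Intune requirement): retire should
    # run only after every other action has had its chance.
    longest = max((a.grace_period_hours for a in actions), default=0)
    if any(a.action_type == "retire" and a.grace_period_hours < longest for a in actions):
        problems.append("retire: should carry the longest grace period in the sequence")
    return problems


def actions_due(actions: list[NoncomplianceAction], hours_noncompliant: int) -> list[NoncomplianceAction]:
    """Actions that have fired by the given number of hours, in firing order."""
    due = [a for a in actions if a.grace_period_hours <= hours_noncompliant]
    return sorted(due, key=lambda a: a.grace_period_hours)  # stable: ties keep insertion order


def to_graph_body(display_name: str, actions: list[NoncomplianceAction]) -> dict:
    """Request-body fragment for creating the policy through Graph."""
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": display_name,
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",  # rule name as the editor has seen it; an assumption
            "scheduledActionConfigurations": [a.to_graph() for a in actions],
        }],
    }


# Constructed sequence matching the narrative above: immediate mark and email
# (user plus an admin), a reminder after 3 days, retire after 30 days.
EXAMPLE_SCHEDULE = [
    NoncomplianceAction("block", 0),
    NoncomplianceAction("notification", 0, "TEMPLATE-ID-PLACEHOLDER-1", ["it-admin@example.com"]),
    NoncomplianceAction("notification", 72, "TEMPLATE-ID-PLACEHOLDER-2"),
    NoncomplianceAction("retire", 720),
]

if __name__ == "__main__":
    import json
    print(validate_schedule(EXAMPLE_SCHEDULE) or "schedule OK")
    for hours in (0, 72, 720):
        print(hours, [a.action_type for a in actions_due(EXAMPLE_SCHEDULE, hours)])
    print(json.dumps(to_graph_body("Minimal Windows compliance", EXAMPLE_SCHEDULE), indent=2))
```

Run it as a script to see the sequence unfold at 0, 72 and 720 hours and the resulting body. The validator encodes the two rules the text states (the mark-noncompliant action is always present and immediate; an email action needs a template created beforehand) plus one sanity rule of the example's own, that retirement should not precede the other actions.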

Understand how device compliance and device configuration policies interact

Before diving into compliance policy recommendations by levels, it’s important to
understand the sometimes-close relationship between compliance policies and device
configuration policies. With awareness of these interactions, you can better plan for and
deploy successful policies for both feature areas.

- Device configuration policies configure devices to use specific configurations.
  These settings can range across all aspects of the device.
- Device compliance policies focus on a subset of device configurations that are
  related to security.

Devices that receive compliance policies are evaluated against the compliance policy
configurations with results returned to Intune for possible actions. Some compliance
configurations like password requirements result in enforcement on the device, even
when device configurations are more lenient.

When a device receives different configurations for a setting from either different or
similar policy types, conflicts can occur. To help prepare for this scenario, see
Compliance and device configuration policies that conflict.

Consider synchronizing any planned configurations between device configuration and
device compliance teams to help identify configuration overlaps. Ensure the two policy
types agree on the same configuration for targeted devices as this can help avoid policy
conflicts or leaving a device without the configuration or resource access you expect.

Minimal compliance settings


After you establish tenant-wide compliance policy settings and establish
communications or rules for actions for noncompliant devices, you're likely ready to
create and deploy device compliance policies to discrete groups of devices or users.

Review the platform specific policies in the Microsoft Intune admin center to identify
which compliance settings are available for each platform and more details about their
use. To configure policies, see Create a compliance policy.

We recommend using the following settings in your minimal device compliance policies:

Antivirus, Antispyware, and Antimalware

Windows: Evaluate devices for solutions that register with Windows Security Center to be on and monitoring for:
- Antivirus
- Antispyware
- Microsoft Defender Antimalware

Other platforms: Compliance policies for platforms other than Windows don't include evaluation for these solutions.

Active solutions for antivirus, antispyware, and antimalware are important. Windows compliance policy can assess the state of these solutions when they're active and registered with Windows Security Center on a device. Non-Windows platforms should still run solutions for antivirus, antispyware, and antimalware, even though Intune compliance policies lack options to evaluate their active presence.

Operating system versions

All devices: Evaluate settings and values for operating system versions, including:
- Maximum OS
- Minimum OS
- Minor and major build versions
- OS patch levels

Use available settings that define a minimum allowed OS version or build and important patch levels to ensure device operating systems are current and secure. Maximum OS settings can help identify new but untested releases, and beta or developer OS builds that could introduce unknown risks. Linux supports an option to define the Linux distribution type, like Ubuntu. Windows supports another setting to set supported build ranges.

Password configurations

All devices:
- Enforce settings that lock the screen after a period of inactivity, requiring a password or PIN to unlock.
- Require complex passwords that use combinations of letters, numbers, and symbols.
- Require a password or PIN to unlock devices.
- Set requirements for a minimum password length.

Use compliance to evaluate devices for password structure and length, and to identify devices that lack passwords or use simple passwords. These settings can help protect access to the device. Other options like password reuse or the length of time before a password must be changed are explicitly included at the enhanced compliance level.

Level 2 - Enhanced device compliance settings

✔️Use enhanced device configuration policies for supported platform types

Enhanced compliance settings


Support for enhanced level compliance settings varies greatly by platform as compared
to the settings found in the minimal recommendations. Some platforms might not
support settings that are supported by related platforms. For example, Android AOSP
lacks options that exist for Android Enterprise platforms to configure compliance for
system level file and boot protections.

Review the platform specific policies in the Microsoft Intune admin center to identify
which compliance settings are available for each platform and more details about their
use. To configure policies, see Create a compliance policy.

We recommend using the following settings in your enhanced device compliance policies:

Applications

Android Enterprise:
- Block apps from unknown sources
- Company Portal app runtime integrity
- Manage source locations for apps
- Google Play services
- SafetyNet options for attestation and evaluation

iOS/iPadOS:
- Restricted apps

macOS:
- Allow apps from specific locations
- Block apps from unknown sources
- Firewall settings

Windows:
- Block apps from unknown sources
- Firewall settings

Configure requirements for various applications. For Android, manage the use and operation of applications like Google Play and SafetyNet, and evaluation of the Company Portal app runtime integrity. For all platforms, when supported, manage where apps can be installed from, and which apps shouldn't be allowed on devices that access your organization's resources. For macOS and Windows, compliance settings support requiring an active and configured firewall.

Encryption

Android Enterprise, Android AOSP, macOS, Linux, and Windows:
- Require encryption of data storage

Windows:
- BitLocker

Add compliance settings that require the encryption of data storage. Windows also supports requiring use of BitLocker.

Password configurations

Android Enterprise, iOS/iPadOS, macOS, and Windows:
- Password expiration and reuse

Add password compliance settings to ensure passwords are rotated periodically, and that passwords aren't reused frequently.

System level file and boot protection

Android AOSP:
- Rooted devices

Android Enterprise:
- Block USB debugging on device
- Rooted devices

iOS/iPadOS:
- Jailbroken devices

macOS:
- Require system integrity protection

Windows:
- Require code integrity
- Require Secure Boot to be enabled on the device
- Trusted Platform Module (TPM)

Configure the platform specific options that evaluate devices for system level or kernel level risks.

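The Windows settings from the minimal (Level 1) table and the enhanced (Level 2) table above, expressed as one compliance policy created through Microsoft Graph. This is an added example, not code from the Intune documentation; it assumes the Microsoft.Graph.Authentication PowerShell module, an account granted DeviceManagementConfiguration.ReadWrite.All, and placeholder values for the OS build floor and the pilot group ID.

```powershell
# Added example (not from the Intune documentation): create a Windows compliance policy
# carrying the Level 1 and Level 2 settings, then assign it to a pilot group.
# Assumes: Microsoft.Graph.Authentication module; an account with
# DeviceManagementConfiguration.ReadWrite.All; placeholder OS build and group ID.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
    displayName   = "Windows - Level 2 enhanced compliance"
    description   = "Minimal (Level 1) plus enhanced (Level 2) compliance settings"

    # Level 1: security software registered with Windows Security Center
    antivirusRequired   = $true
    antiSpywareRequired = $true
    defenderEnabled     = $true
    rtpEnabled          = $true   # Defender real-time protection

    # Level 1: operating system floor (assumed value; use your own tested baseline build)
    osMinimumVersion = "10.0.19045.0"

    # Level 1: password structure, length and lock after inactivity
    passwordRequired                      = $true
    passwordBlockSimple                   = $true
    passwordMinimumLength                 = 8
    passwordRequiredType                  = "alphanumeric"
    passwordMinutesOfInactivityBeforeLock = 15

    # Level 2: password expiration and reuse
    passwordExpirationDays             = 90
    passwordPreviousPasswordBlockCount = 5

    # Level 2: encryption, firewall, and system-level boot/file protections
    storageRequireEncryption = $true
    bitLockerEnabled         = $true
    activeFirewallRequired   = $true
    secureBootEnabled        = $true
    codeIntegrityEnabled     = $true
    tpmRequired              = $true

    # Actions for noncompliance: mark the device noncompliant immediately
    # (gracePeriodHours 0). Graph rejects a policy without at least one scheduled action.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType "application/json"

# Assign to a pilot group first (placeholder ID); widen the scope after reviewing results.
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = "00000000-0000-0000-0000-000000000000"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"

"Created compliance policy $($created.id)"
```

Pilot before you broaden the assignment: a device that fails any single rule is marked noncompliant at its next check-in, and once compliance is tied to Conditional Access (Level 3) that means loss of access. If you configured the send email to end user action described earlier, add a second entry with actionType "notification" and a notificationTemplateId to the scheduledActionConfigurations array, and consider a nonzero gracePeriodHours on the block action for settings users must remediate themselves.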
Level 3 - Advanced device compliance configurations
✔️Add data from Mobile Threat Defense partners to your device compliance policies

✔️Integrate a third-party compliance partner with Intune

✔️Define custom compliance settings for Windows and Linux

✔️Use compliance data with Conditional Access to gate access to your organization’s
resources

✔️Use advanced device configuration policies for supported platform types


With robust device compliance policies in place, you can then implement more advanced compliance options that go beyond only configuring settings in device compliance policies, including:

- Using data from Mobile Threat Defense partners as part of your device compliance policies, and in your Conditional Access policies.
- Integrating device compliance status with Conditional Access to help gate which devices are allowed to access email, other cloud services, or on-premises resources.
- Including compliance data from third-party compliance partners. With such a configuration, compliance data from those devices can be used with your Conditional Access policies.
- Expanding on built-in device compliance policies by defining custom compliance settings that aren't available natively through the Intune compliance policy UI.

Integrate data from a Mobile Threat Defense partner


A Mobile Threat Defense (MTD) solution is software for mobile devices that helps to
secure them from various cyber threats. By protecting mobile devices, you help protect
your organization and resources. When integrated, MTD solutions provide an additional
information source to Intune for your device compliance policies. This information can
also be used by Conditional Access rules you can use with Intune.

When integrated, Intune supports use of MTD solutions with enrolled devices, and when
supported by the MTD solution, unenrolled devices by using Microsoft Intune protected
apps and app protection policies.

Be sure to use an MTD partner that is supported by Intune and that supports the
capabilities your organization needs on the full range of platforms you use.

For example, Microsoft Defender for Endpoint is a Mobile Threat Defense solution you might already use that can be used with the Android, iOS/iPadOS, and Windows platforms. Other solutions typically support Android and iOS/iPadOS. See Mobile Threat Defense partners to view the list of supported MTD partners.

To learn more about using Mobile Threat Defense software with Intune, start with
Mobile Threat Defense integration with Intune.

Use data from third-party compliance partners


Intune supports the use of third-party compliance partners where the partner serves as
the mobile device management (MDM) authority for a group of devices. When you use
a supported compliance partner, you use that partner to configure device compliance
for the devices that solution manages. You also configure that partner solution to pass
the compliance results to Intune, which then stores that data in Azure AD along with
compliance data from Intune. The third-party compliance data is then available for use
by Intune when evaluating device compliance policies, and for use by Conditional
Access policies.

In some environments, Intune might serve as the only MDM authority you need to use, as by default, Intune is a registered compliance partner for the Android, iOS/iPadOS, and Windows platforms. Other platforms require other compliance partners to serve as a device's MDM authority, like the use of Jamf Pro for macOS devices.

If you'll use a third-party device compliance partner in your environment, ensure it's supported with Intune. To add support, you'll need to configure a connection for the partner from within the Microsoft Intune admin center, and follow that partner's documentation to complete the integration.

For more information on this subject, see Support third-party device compliance
partners in Intune.

Use custom compliance settings


You can expand on Intune’s built-in device compliance options by configuring custom
compliance settings for managed Linux and Windows devices.

Custom settings give you the flexibility to base compliance on the settings that are
available on a device without having to wait for Intune to add these settings.

To use custom compliance, you must configure a .JSON file that defines values on the
device to use for compliance, and a discovery script that runs on the device to evaluate
the settings from the JSON.

To learn more about prerequisites, supported platforms, and the JSON and script configurations required for custom compliance, see Use custom compliance policies and settings for Linux and Windows devices with Microsoft Intune.

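A worked custom compliance pair for Windows, added here as an example (not the Intune documentation's own sample): a discovery script that reports Secure Boot, OS-drive BitLocker, firewall, and TPM state, and the rules JSON that Intune evaluates against that output. The setting names are this example's own choices, matched only against the rules file you upload with them; the JSON keys (Rules, SettingName, Operator, DataType, Operand, MoreInfoUrl, RemediationStrings) follow the custom compliance format, and the MoreInfoUrl is a placeholder.

```powershell
# Added example, not the Intune documentation's sample. Part 1 is the discovery script
# (uploaded under Devices > Compliance > Scripts). Intune runs it on the device and expects a
# single JSON object on stdout; every key becomes a SettingName the rules file can test.
# Setting names here are this example's choices. Runs as SYSTEM by default, which the
# Secure Boot, BitLocker, and TPM cmdlets require.
function Get-CustomComplianceState {
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled"
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # OS drive must be fully encrypted with protection on; "EncryptionInProgress" is not enough
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $osEncrypted = ($null -ne $osVol) -and
                   ($osVol.VolumeStatus -eq 'FullyEncrypted') -and
                   ($osVol.ProtectionStatus -eq 'On')

    # All three firewall profiles must be on, not only the profile currently active
    $fwAllOn = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0

    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmReady = ($null -ne $tpm) -and [bool]$tpm.TpmPresent -and [bool]$tpm.TpmReady

    return @{
        SecureBootEnabled     = $secureBoot
        OsDriveEncrypted      = $osEncrypted
        FirewallAllProfilesOn = $fwAllOn
        TpmReady              = $tpmReady
    }
}

# The only output of the script must be the compressed JSON object
Get-CustomComplianceState | ConvertTo-Json -Compress

<# Part 2: rules JSON, saved as a separate file and uploaded in the compliance policy's
   custom compliance settings. Each rule names a key from the discovery output; the
   {ActualValue} token is replaced with the discovered value in the Company Portal message.
{
  "Rules": [
    {
      "SettingName": "SecureBootEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://intranet.example.invalid/secure-boot",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Secure Boot must be enabled. Discovered value: {ActualValue}.",
          "Description": "Enable Secure Boot in the UEFI firmware settings." }
      ]
    },
    {
      "SettingName": "OsDriveEncrypted",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://intranet.example.invalid/bitlocker",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "The OS drive must be fully encrypted with BitLocker. Discovered value: {ActualValue}.",
          "Description": "Turn on BitLocker for the system drive and wait for encryption to finish." }
      ]
    },
    {
      "SettingName": "FirewallAllProfilesOn",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://intranet.example.invalid/firewall",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Windows Firewall must be on for all profiles. Discovered value: {ActualValue}.",
          "Description": "Enable the Domain, Private, and Public firewall profiles." }
      ]
    },
    {
      "SettingName": "TpmReady",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://intranet.example.invalid/tpm",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "A ready TPM is required. Discovered value: {ActualValue}.",
          "Description": "Enable and initialize the TPM in firmware settings." }
      ]
    }
  ]
}
#>
```

Run the script locally in an elevated session before uploading and confirm that it emits exactly one line of JSON whose keys match the SettingName values in the rules file; a stray Write-Host or an unhandled error breaks the contract and the device is reported noncompliant for the wrong reason. Keep the built-in settings (Secure Boot, BitLocker, firewall, TPM) in the regular compliance policy as well; the custom rules are for the extra conditions the built-in policy doesn't express, such as requiring all three firewall profiles rather than one.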
Integrate compliance with Conditional Access


Conditional Access is an Azure Active Directory (Azure AD) capability that works with
Intune to help protect devices. For devices that register with Azure AD, Conditional
Access policies can use device and compliance details from Intune to enforce access
decisions for users and devices.

Combine Conditional Access policy with:

- Device compliance policies, which can require a device be marked as compliant before that device can be used to access your organization's resources. The Conditional Access policies specify the apps or services you want to protect, the conditions under which the apps or services can be accessed, and the users the policy applies to.
- App protection policies, which can add a security layer that ensures only client apps that support Intune app protection policies can access your online resources, like Exchange or other Microsoft 365 services.

Conditional Access also works with the following to help you keep devices secure:

- Microsoft Defender for Endpoint and third-party MTD apps
- Device compliance partner apps
- Microsoft Tunnel

To learn more, see Learn about Conditional Access and Intune.
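A Conditional Access policy that gates access on Intune compliance, created through Microsoft Graph, as an added example (not code from the Intune documentation). It assumes the Microsoft.Graph.Authentication module, an account granted Policy.ReadWrite.ConditionalAccess and Policy.Read.All, and placeholder IDs for the pilot group and the break-glass exclusion group; it starts in report-only mode so the effect can be reviewed in the sign-in logs before it blocks anyone.

```powershell
# Added example (not from the Intune documentation): require a compliant device for all
# cloud apps, in report-only mode first. Assumes Microsoft.Graph.Authentication, an account
# with Policy.ReadWrite.ConditionalAccess and Policy.Read.All, and placeholder group IDs.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$caPolicy = @{
    displayName = "Require compliant device for all cloud apps"
    # Evaluated and logged, but not enforced. Change to "enabled" once the report-only
    # results show only the sign-ins you expect to be blocked.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @("11111111-1111-1111-1111-111111111111")  # pilot users (placeholder)
            excludeGroups = @("22222222-2222-2222-2222-222222222222")  # break-glass accounts (placeholder)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        # Limit to platforms Intune can mark compliant; a platform with no compliance
        # evaluation can never satisfy the grant control and would be blocked outright.
        platforms      = @{ includePlatforms = @("android", "iOS", "windows", "macOS") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 6) -ContentType "application/json"

"Created Conditional Access policy $($created.id) in state $($created.state)"
```

Always exclude at least one emergency-access account: if the compliance policy misfires (for example, a bad osMinimumVersion value marks every device noncompliant), an enforced policy with no exclusion locks administrators out along with everyone else. Review the report-only results in the Azure AD sign-in logs for a full cycle of device check-ins before switching the state to enabled.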

Advanced compliance settings


Review the platform specific policies in the Microsoft Intune admin center to identify which compliance settings are available for each platform and more details about their use. To configure policies, see Create a compliance policy.

We recommend using the following settings in your advanced device compliance policies:

Runtime defenses

Android Enterprise:
- Require the device to be at or under the Device Threat Level
- Require the device to be at or under the machine risk score

iOS/iPadOS:
- Require the device to be at or under the Device Threat Level
- Require the device to be at or under the machine risk score

Windows:
- Require the device to be at or under the machine risk score

When you integrate Intune with a Mobile Threat Defense partner, you can use that partner's device threat level evaluation as criteria in your compliance policies. When you've integrated Microsoft Defender for Endpoint with Intune, you can use the risk score from Defender as a compliance check.

Follow the minimum recommended baseline policies
1. Set up Microsoft Intune
2. Add, configure, and protect apps
3. 🡺 Plan for compliance policies (You are here)
4. Configure device features
5. Enroll devices
Step 4 - Configure device features and settings to secure devices and access resources
Article • 03/22/2023

So far, you've set up your Intune subscription, created app protection policies, and
created device compliance policies.

In this step, you're ready to configure a minimum or baseline set of security and device
features that all devices must have.

This article applies to:

Android
iOS/iPadOS
macOS
Windows

When you create device configuration profiles, there are different levels and types of
policies available. These levels are the minimum Microsoft recommended policies. Know
that your environment and business needs may be different.

Level 1 - Minimum device configuration: In this level, Microsoft recommends you create policies that:
- Focus on device security, including installing antivirus, creating a strong password policy, and regularly installing software updates.
- Give users access to their organization email and controlled secure access to your network, wherever they are.

Level 2 - Enhanced device configuration: In this level, Microsoft recommends you create policies that:
- Expand device security, including configuring disk encryption, enabling secure boot, and adding more password rules.
- Use the built-in features and templates to configure more settings that are important for your organization, including analyzing on-premises GPOs.

Level 3 - High device configuration: In this level, Microsoft recommends you create policies that:
- Move to password-less authentication, including using certificates, configuring single sign-on (SSO) to apps, enabling multi-factor authentication (MFA), and configuring Microsoft Tunnel.
- Add extra layers of security using Android common criteria mode or creating DFCI policies for Windows devices.
- Use the built-in features to configure kiosk devices, dedicated devices, shared devices, and other specialized devices.
- Deploy existing shell scripts.

This article lists the different levels of device configuration policies that organizations
should use. Most of these policies in this article focus on access to organization
resources and security.

These features are configured in device configuration profiles in the Microsoft Intune
admin center . When the profiles are ready, they can be deployed from Intune to your
devices.

 Tip

Take a tour of Intune and the Microsoft Intune admin center.

Level 1 - Create your security baseline


To help keep your organization data and devices secure, you create different policies
that focus on security. You should create a list of security features that all users and/or
all devices must have. This list is your security baseline.
In your baseline, at a minimum, Microsoft recommends the following security policies:

- Install antivirus (AV) and regularly scan for malware
- Use detection and response
- Turn on the firewall
- Install software updates regularly
- Create a strong PIN/password policy

This section lists the Intune and Microsoft services you can use to create these security
policies.

If you prefer a more granular list of settings and their recommended values, go to:

- Android Enterprise security configuration framework
- iOS/iPadOS personal device security configurations
- Windows security baselines

Antivirus and scanning


✔️Install antivirus software and regularly scan for malware

All devices should have antivirus software installed and be regularly scanned for
malware. Intune integrates with third party partner mobile threat defense (MTD) services
that provide AV and threat scanning. For macOS and Windows, antivirus and scanning
are built in to Intune with Microsoft Defender for Endpoint.

Your policy options:

Android Enterprise:
- Mobile threat defense partner
- Microsoft Defender for Endpoint for Android can scan for malware

iOS/iPadOS:
- Mobile threat defense partner

macOS:
- Intune Endpoint Security antivirus profile (Microsoft Defender for Endpoint)

Windows client:
- Intune security baselines (recommended)
- Intune Endpoint Security antivirus profile (Microsoft Defender for Endpoint)
- Mobile threat defense partner

For more information on these features, go to:

Android Enterprise:
Mobile threat defense integration
Microsoft Defender for Endpoint overview
iOS/iPadOS Mobile threat defense integration
macOS Antivirus policy
Windows:
Antivirus policy
Security baselines

Detection and response


✔️Detect attacks and act on these threats
When you detect threats quickly, you can help minimize the impact of the threat. When
you combine these policies with Conditional Access, you can block users and devices
from accessing organization resources if a threat is detected.

Your policy options:

Android Enterprise:
- Mobile threat defense partner
- Microsoft Defender for Endpoint on Android

iOS/iPadOS:
- Mobile threat defense partner
- Microsoft Defender for Endpoint on iOS/iPadOS

macOS:
- Not available

Windows client:
- Intune security baselines (recommended)
- Intune endpoint detection and response profile (Microsoft Defender for Endpoint)
- Mobile threat defense partner

For more information on these features, go to:

Android Enterprise:
Mobile threat defense integration with Intune
Microsoft Defender for Endpoint overview
iOS/iPadOS:
Mobile threat defense integration with Intune
Microsoft Defender for Endpoint overview
Windows:
Security baselines
Endpoint detection and response policy

Firewall
✔️Enable the firewall on all devices

Some platforms come with a built-in firewall and on others, you may have to install a
firewall separately. Intune integrates with third party partner mobile threat defense
(MTD) services that can manage a firewall for Android and iOS/iPadOS devices. For
macOS and Windows, firewall security is built in to Intune with Microsoft Defender for
Endpoint.

Your policy options:

Android Enterprise:
- Mobile threat defense partner

iOS/iPadOS:
- Mobile threat defense partner

macOS:
- Intune Endpoint Security firewall profile (Microsoft Defender for Endpoint)

Windows client:
- Intune security baselines (recommended)
- Intune Endpoint Security firewall profile (Microsoft Defender for Endpoint)
- Mobile threat defense partner

For more information on these features, go to:

Android Enterprise: Mobile threat defense integration
iOS/iPadOS: Mobile threat defense integration
macOS: Firewall policy
Windows:
Security baselines
Firewall policy

Password policy
✔️Create a strong password/PIN policy and block simple passcodes

PINs unlock devices. On devices that access organization data, including personally
owned devices, you should require strong PINs/passcodes and support biometrics to
unlock devices. Using biometrics is part of a password-less approach, which is
recommended.

Intune uses device restrictions profiles to create and configure password requirements.

Your policy options:

Android Enterprise:
- Intune device restrictions profile to manage the device password and the work profile password

AOSP:
- Intune device restrictions profile

iOS/iPadOS:
- Intune device restrictions profile

macOS:
- Intune device restrictions profile

Windows client:
- Intune security baselines (recommended)
- Intune device restrictions profile

For a list of the settings you can configure, go to:

Android Enterprise device restrictions profile:
Corporate owned devices > Device password and Work profile password
Personally owned devices with a work profile > Work profile password and Password
Android AOSP Device restrictions profile > Device password
iOS/iPadOS Device restrictions profile > Password
macOS Device restrictions profile > Password
Windows:
Security baselines
Client device restrictions profile > Password
Manage Windows Hello for Business when devices enroll
Manage Windows Hello for Business after devices enroll

Software updates
✔️Regularly install software updates

All devices should be updated regularly and policies should be created to make sure
these updates are successfully installed. For most platforms, Intune has dedicated
policies that focus on managing and installing updates.

Your policy options:

Android Enterprise organization owned devices:
- System update settings using Intune device restrictions profile

Android Enterprise personally owned devices:
- Not available. You can use compliance policies to set a minimum patch level, min/max OS version, and more.

iOS/iPadOS:
- Intune update policy

macOS:
- Intune update policy

Windows client:
- Intune feature updates policy
- Intune expedited updates policy

For more information on these features and/or the settings you can configure, go to:

Android Enterprise: Device restrictions profile > System update
iOS/iPadOS: Software update policies
macOS: Software update policies
Windows:
Feature updates policy
Expedited updates policy

Level 1 - Access organization email, connect to VPN or Wi-Fi

This section focuses on accessing resources in your organization. These resources include:

- Email for work or school accounts
- VPN connection for remote connectivity
- Wi-Fi connection for on-premises connectivity

Email
Many organizations deploy email profiles with preconfigured settings to user devices.

✔️Automatically connect to user email accounts

The profile includes the email configuration settings that connect to your email server.

Depending on the settings you configure, the email profile can also automatically
connect the users to their individual email account settings.

✔️Use enterprise level email apps
Email profiles in Intune use common and popular email apps, like Outlook. The email
app is deployed to user devices. After it's deployed, you deploy the email device
configuration profile with the settings that configure the email app.

The email device configuration profile includes settings that connect to your Exchange.

✔️Access work or school email
Creating an email profile is a common minimum baseline policy for organizations with
users that use email on their devices.

Intune has built in email settings for Android, iOS/iPadOS, and Windows client devices.
When users open their email app, they can automatically connect, authenticate, and
synchronize their organizational email accounts on their devices.

✔️Deploy anytime

On new devices, it's recommended to deploy the email app during the enrollment
process. When enrollment completes, then deploy the email device configuration policy.

If you have existing devices, then deploy the email app at any time, and deploy the
email device configuration policy.

Get started with email profiles

To get started:

1. Deploy an email app to your devices. For some guidance, go to Add email settings
to devices using Intune.

2. Create an email device configuration profile in Intune. Depending on the email app
your organization uses, the email device configuration profile might not be
needed.
For some guidance, go to Add email settings to devices using Intune.

3. In the email device configuration profile, configure the settings for your platform:

Android Enterprise personally owned devices with a work profile email settings
Android Enterprise organization-owned devices don't use email device configuration profiles.

iOS/iPadOS email settings

Windows email settings

4. Assign the email device configuration profile to your users or user groups.

VPN
Many organizations deploy VPN profiles with preconfigured settings to user devices.
The VPN connects your devices to your internal organization network.

If your organization uses cloud services with modern authentication and secure
identities, then you probably don't need a VPN profile. Cloud-native services don't
require a VPN connection.

If your apps or services aren't cloud-based or aren't cloud-native, then it's recommended to deploy a VPN profile to connect to your internal organization network.

✔️Work from anywhere

Creating a VPN profile is a common minimum baseline policy for organizations with
remote workers and hybrid workers.

As users work from anywhere, they can use the VPN profile to securely connect to your
organization's network to access resources.

Intune has built in VPN settings for Android, iOS/iPadOS, macOS, and Windows client
devices. On user devices, your VPN connection is shown as an available connection.
Users select it. And, depending on the settings in your VPN profile, users can
automatically authenticate and connect to the VPN on their devices.

✔️Use enterprise level VPN apps
VPN profiles in Intune use common enterprise VPN apps, like Check Point, Cisco,
Microsoft Tunnel, and more. The VPN app is deployed to user devices. After the app is
deployed, then you deploy the VPN connection profile with settings that configure the
VPN app.

The VPN device configuration profile includes settings that connect to your VPN server.

✔️Deploy anytime
On new devices, it's recommended to deploy the VPN app during the enrollment
process. When enrollment completes, then deploy the VPN device configuration policy.

If you have existing devices, deploy the VPN app at any time, and then deploy the VPN
device configuration policy.

Get started with VPN profiles
To get started:

1. Deploy a VPN app to your devices.

For a list of supported VPN apps, go to Supported VPN connection apps in Intune.
For the steps to add apps to Intune, go to Add apps to Microsoft Intune.

2. Create a VPN configuration profile in Intune.

3. In the VPN device configuration profile, configure the settings for your platform:

Android Enterprise VPN settings
iOS/iPadOS VPN settings
macOS VPN settings
Windows VPN settings

4. Assign the VPN device configuration profile to your users or user groups.

Wi-Fi
Many organizations deploy Wi-Fi profiles with preconfigured settings to user devices. If
your organization has a remote-only workforce, then you don't need to deploy Wi-Fi
connection profiles. Wi-Fi profiles are optional and are used for on-premises
connectivity.

✔️Connect wirelessly
As users work from different mobile devices, they can use the Wi-Fi profile to wirelessly
and securely connect to your organization's network.
The profile includes the Wi-Fi configuration settings that automatically connect to your
network and/or SSID (service set identifier). Users don't have to manually configure their
Wi-Fi settings.

✔️Support mobile devices on-premises
Creating a Wi-Fi profile is a common minimum baseline policy for organizations with
mobile devices that work on-premises.

Intune has built in Wi-Fi settings for Android, iOS/iPadOS, macOS, and Windows client
devices. On user devices, your Wi-Fi connection is shown as an available connection.
Users select it. And, depending on the settings in your Wi-Fi profile, users can
automatically authenticate and connect to the Wi-Fi on their devices.

✔️Deploy anytime

On new devices, it's recommended to deploy the Wi-Fi device configuration policy when
devices enroll in Intune.

If you have existing devices, you can deploy the Wi-Fi device configuration policy at any
time.

Get started with Wi-Fi profiles
To get started:

1. Create a Wi-Fi device configuration profile in Intune.

2. Configure the settings for your platform:

Android Enterprise Wi-Fi settings
iOS/iPadOS Wi-Fi settings
macOS Wi-Fi settings
Windows Wi-Fi settings

3. Assign the Wi-Fi device configuration profile to your users or user groups.

Level 2 - Enhanced protection and configuration
This level expands on what you've configured in level 1 and adds more security for your
devices. In this section, you create a level 2 set of policies that configure more security
settings for your devices.
Microsoft recommends the following level 2 security policies:

Enable disk encryption, secure boot, and TPM on your devices. These features
combined with a strong PIN policy or biometric unlocking are recommended at
this level.

Android

On Android devices, disk encryption and Samsung Knox might be built into
the operating system. Disk encryption might be automatically enabled when
you configure the lock screen settings. In Intune, you can create a device
restrictions policy that configures lock screen settings.

For a list of the password and lock screen settings you can configure, go to
the following articles:
Organization owned devices - Device password
Organization owned devices - Work profile password
Personally owned devices - Work profile password
Personally owned devices - Device password

Expire passwords and regulate reusing old passwords. In Level 1, you created a
strong PIN or password policy. If you haven't already, be sure you configure your
PINs & passwords to expire and set some password-reuse rules.

You can use Intune to create a device restrictions policy or a settings catalog policy
that configures these settings. For more information on the password settings you
can configure, go to the following articles:

Android

On Android devices, you can use device restrictions policies to set password
rules:
Organization owned devices - Device password settings
Organization owned devices - Work profile password settings
Personally owned devices - Work profile password settings
Personally owned devices - Device password settings

Intune includes hundreds of settings that can manage devices features and
settings, like disabling the built-in camera, controlling notifications, allowing
bluetooth, blocking games, and more.
You can use the built-in templates or the settings catalog to see and configure the
settings.

Device restrictions templates have many built-in settings that can control
different parts of the devices, including security, hardware, data sharing, and
more.

You can use these templates on the following platforms:
Android
iOS/iPadOS
macOS
Windows

Use the Settings catalog to see and configure all the available settings. You can
use the settings catalog on the following platforms:
iOS/iPadOS
macOS
Windows

Use the built-in administrative templates, similar to configuring ADMX templates on-premises. You can use the ADMX templates on the following platform:
Windows

If you use on-premises GPOs and want to know if these same settings are
available in Intune, then use Group Policy analytics. This feature analyzes your
GPOs and depending on the analysis, can import them into an Intune settings
catalog policy.

For more information, go to Analyze your on-premises GPOs and import them in
Intune.

Level 3 - High protection and configuration
This level expands on what you've configured in levels 1 and 2. It adds extra security
features used in enterprise level organizations.

Expand password-less authentication to other services used by your workforce. In level 1, you enabled biometrics so users can sign in to their devices with a fingerprint or facial recognition. In this level, expand password-less to other parts of the organization.
Use certificates to authenticate email, VPN, and Wi-Fi connections. Certificates
are deployed to users and devices, and are then used by users to get access to
resources in your organization through these email, VPN, and Wi-Fi
connections.

To learn more about using certificates in Intune, go to:

Use PKCS or SCEP certificates for authentication
Use derived credentials

Configure single sign-on (SSO) for a more seamless experience when users
open business apps, like Microsoft 365 apps. Users sign-in once and then are
automatically signed-in to all the apps that support your SSO configuration.

To learn about using SSO in Intune and Azure AD, go to:

Android: Enable cross-app SSO on Android using MSAL in Azure AD
iOS/iPadOS, macOS: Use the Enterprise SSO plug-in in Intune and other MDMs
Windows: Configure SSO with Azure AD

Use multi-factor authentication (MFA). When you move to password-less, MFA
adds an extra layer of security, and can help protect your organization from
phishing attacks. You can use MFA with authenticator apps, like Microsoft
Authenticator, or with a phone call or text message. Authenticator app and
FIDO2 security key methods resist phishing better than phone call or text
message, which an attacker can relay in real time. You can also use MFA when
users enroll their devices in Intune.

Multi-factor authentication is a feature of Azure AD and can be used with Azure
AD accounts. For more information, go to:
Azure AD identity protection overview
Azure AD multi-factor authentication
Require multi-factor authentication for Intune device enrollments

Set up Microsoft Tunnel for your Android and iOS/iPadOS devices. Microsoft
Tunnel is a VPN gateway that runs on a Linux server and gives these devices
access to on-premises resources using modern authentication and Conditional
Access.

Microsoft Tunnel uses Intune, Azure AD, and Active Directory Federation
Services (AD FS). For more information, go to Microsoft Tunnel for Microsoft
Intune.

Use Android Common Criteria mode on Android devices that are used by highly
sensitive organizations, like government establishments.

For more information on this feature, go to Android Common Criteria mode.

Create policies that apply to the Windows firmware layer. These policies can help
prevent malware from communicating with the Windows OS processes.

For more information on this feature, go to Use Device Firmware Configuration
Interface (DFCI) profiles on Windows devices.

Configure kiosks, shared devices, and other specialized devices:

Android

Android device administrator:
Use and manage Zebra devices with Zebra Mobility Extensions
Device settings to run as a kiosk

Android Enterprise:
Use and manage Android Enterprise devices with OEMConfig
Dedicated devices that run as a kiosk device settings

Deploy shell scripts:

macOS: Use shell scripts
Windows: Use Windows PowerShell scripts

Follow the minimum recommended baseline policies
1. Set up Microsoft Intune
2. Add, configure, and protect apps
3. Plan for compliance policies
4. 🡺 Configure device features (You are here)
5. Enroll devices
Step 5 – Enroll devices in Microsoft Intune
Article • 03/07/2023

In the final phase of deployment, devices are registered or joined in Azure Active
Directory (Azure AD), enrolled in Microsoft Intune, and checked for compliance.

During enrollment, Microsoft Intune installs a mobile device management (MDM)
certificate on the device, which enables Intune to enforce enrollment profiles,
enrollment restrictions, and the policies and profiles you created earlier in this guide.

This article describes:

How to prepare enrollment in Microsoft Intune for corporate-owned and user-owned
devices.
Enrollment options for each OS platform.
Post-enrollment monitoring, troubleshooting, and resources.

Getting started
If this is your first time deploying enrollment profiles with Intune, or you're trying a new
configuration, start small and use a staged approach. Assign the enrollment profile to a
pilot or test group. After initial testing, add more users to the pilot group. If everything
is going well, assign the enrollment profile to more pilot groups. For more information
and suggestions, see the Planning guide: Step 5 - Create a rollout plan.

Registration in Azure AD is a required step for Intune management. Before a device can
enroll in Intune, the user of the device must authenticate and establish a device identity
in your org's Azure AD. This step grants the user single sign-on access to cloud-based
work apps and other resources. It's important to know which identity option you're
utilizing because it determines the enrollment methods you can use, and also
determines the sign-in experience for the device user. Identity options include:

Azure AD registration is the device identity option available for personal and
corporate-owned mobile devices. Users on these devices authenticate by signing
in to work resources, like apps and web browsers, using their Azure AD work
account.
Azure AD joined is the device identity option available for corporate-owned
Windows 10/11 devices utilizing co-management options. Users on these devices
authenticate by signing in to the device using their Azure AD work account.

Pre-enrollment configurations
Prepare devices for enrollment by configuring enrollment features, such as enrollment
restrictions, device categorization, and device enrollment managers. These
configurations help improve and simplify the enrollment experience for you and device
users, and help you stay organized in the admin center. Configure them before you
create the enrollment profile.

Setting availability varies by OS platform.

Unenroll and reset existing devices

If devices are currently enrolled in another MDM provider, unenroll the devices from the
existing MDM provider before enrolling them in Intune. The following table shows the
devices that require a factory reset before enrolling in Intune.

Platform                                                                 Factory reset required?
Android Enterprise personally owned devices with a work profile (BYOD)   No
Android Enterprise corporate-owned work profile (COPE)                   Yes
Android Enterprise fully managed (COBO)                                  Yes
Android Enterprise dedicated devices (COSU)                              Yes
Android device administrator (DA)                                        No
iOS/iPadOS                                                               Yes
Linux                                                                    No
macOS                                                                    Yes
Windows                                                                  No

Devices that don't require a reset begin installing Intune profiles as soon as they enroll.
Previously configured settings may remain on devices if you don't change them in
Intune prior to enrollment.

Add device enrollment managers

We recommend utilizing device enrollment managers when you need to enroll and
prepare a large number of devices for distribution. A device enrollment manager
account can enroll and manage up to 1,000 devices, while a standard non-admin
account can only enroll 15 devices. A device enrollment manager is a non-administrator
Azure AD user who can:

Enroll up to 1,000 corporate-owned devices in Intune
Sign in to Intune Company Portal to get company apps
Configure access to corporate data by deploying role-specific apps to devices

Some enrollment methods, such as Apple automated device enrollment, aren't
compatible with the device enrollment manager account, so be sure that the method
you choose is supported before you begin setup.

For more information and limitations, see Add device enrollment managers.

Create device enrollment restrictions

Use this feature in the Microsoft Intune admin center to restrict certain devices from
enrolling in Intune. There are two types of device enrollment restrictions you can
configure in Microsoft Intune:

Device platform restrictions: Restrict devices based on device platform, version,
manufacturer, or ownership type.
Device limit restrictions: Restrict the number of devices a user can enroll in Intune.

Enrollment restrictions aren't available for Linux and some Windows enrollment
scenarios. When you're setting up restrictions for Android Enterprise personal devices,
we recommend leveraging our Android security configuration framework. It includes the
device restrictions needed for basic security (level 1), which is the minimum security
configuration we recommend having on personal devices, and high security (level 3),
which is for devices used by specific users or groups who are uniquely high risk.

For more information, see:

What are enrollment restrictions?
Recommended device restrictions
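The following script is an added example, not part of the Intune documentation, that audits the enrollment restrictions a tenant already has rather than creating new ones. It walks the configurations returned by the Graph endpoint GET /beta/deviceManagement/deviceEnrollmentConfigurations and reports every platform that still accepts personally owned devices or enforces no minimum OS version, plus any device limit above a threshold you choose. The property names are those of the beta Graph schema for deviceEnrollmentPlatformRestrictionsConfiguration and deviceEnrollmentLimitConfiguration, which you should verify against your own tenant; the JSON response at the bottom is constructed so the function can be exercised offline.

```powershell
# Added example (not from the Intune documentation): audit the enrollment
# restriction configurations in a tenant and flag permissive settings.
# Assumptions: Microsoft.Graph PowerShell SDK is installed for the live path;
# property names follow the beta Graph schema (verify in your tenant).

function Get-EnrollmentRestrictionFindings {
    param(
        # Parsed 'value' array from GET /beta/deviceManagement/deviceEnrollmentConfigurations
        [Parameter(Mandatory)] $Configurations,
        # Largest per-user device count you consider acceptable
        [int] $MaxDevicesPerUser = 5
    )
    $platformProps = 'androidForWorkRestriction', 'androidRestriction',
                     'iosRestriction', 'macOSRestriction', 'windowsRestriction'
    foreach ($cfg in $Configurations) {
        switch ($cfg.'@odata.type') {
            '#microsoft.graph.deviceEnrollmentLimitConfiguration' {
                if ($cfg.limit -gt $MaxDevicesPerUser) {
                    [pscustomobject]@{ Policy = $cfg.displayName; Priority = $cfg.priority
                        Platform = 'all'; Finding = "device limit $($cfg.limit) exceeds $MaxDevicesPerUser" }
                }
            }
            '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' {
                foreach ($p in $platformProps) {
                    $r = $cfg.$p
                    if (-not $r -or $r.platformBlocked) { continue }   # blocked platforms need no review
                    if (-not $r.personalDeviceEnrollmentBlocked) {
                        [pscustomobject]@{ Policy = $cfg.displayName; Priority = $cfg.priority
                            Platform = $p; Finding = 'personally owned devices may enroll' }
                    }
                    if ([string]::IsNullOrEmpty($r.osMinimumVersion)) {
                        [pscustomobject]@{ Policy = $cfg.displayName; Priority = $cfg.priority
                            Platform = $p; Finding = 'no minimum OS version enforced' }
                    }
                }
            }
        }
    }
}

# Live use (read-only scope):
#   Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'
#   $resp = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
#   Get-EnrollmentRestrictionFindings -Configurations $resp.value | Format-Table

# Constructed sample response so the function runs offline
$sample = @'
{ "value": [
  { "@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
    "displayName": "All users and all devices", "priority": 0, "limit": 15 },
  { "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
    "displayName": "All users and all devices", "priority": 0,
    "androidForWorkRestriction": { "platformBlocked": false, "personalDeviceEnrollmentBlocked": false, "osMinimumVersion": "10.0" },
    "androidRestriction":        { "platformBlocked": true,  "personalDeviceEnrollmentBlocked": false, "osMinimumVersion": "" },
    "iosRestriction":            { "platformBlocked": false, "personalDeviceEnrollmentBlocked": true,  "osMinimumVersion": "" },
    "macOSRestriction":          { "platformBlocked": false, "personalDeviceEnrollmentBlocked": false, "osMinimumVersion": "13.0" },
    "windowsRestriction":        { "platformBlocked": false, "personalDeviceEnrollmentBlocked": true,  "osMinimumVersion": "10.0.19045" } }
] }
'@ | ConvertFrom-Json

Get-EnrollmentRestrictionFindings -Configurations $sample.value | Format-Table -AutoSize
```

Run against the constructed sample, the audit reports the default 15-device limit, the Android Enterprise work profile and macOS platforms as still open to personal devices, and iOS as missing a minimum version; Android device administrator is skipped because the platform is blocked outright.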

Create terms and conditions policy

Use an Intune terms and conditions policy to disclose legal disclaimers and compliance
requirements to device users before enrollment. This policy requires the device user to
accept your org's terms and conditions before they enroll their device or access
protected resources. The terms and conditions are shown to targeted users in the Intune
Company Portal app.

If you're looking for more control, including where the terms appear, consider
configuring Azure Active Directory (Azure AD) terms of use. Azure AD terms are shown to
users when they sign in to targeted apps and resources and offer more granular settings
than Intune terms and conditions.

For more information, see Terms and conditions for user access.

Require multifactor authentication

Require users to authenticate via multi-factor authentication (MFA) during enrollment. If
you require MFA, people wanting to enroll devices must authenticate with a second
device and two forms of credentials before they can enroll their device. This is a one-
time conditional step, and ensures that the person on the device is who they say they
are. You can enable this behavior for all platforms except Linux by using a conditional
access policy with an MFA policy. Azure AD Premium is required.

For more information, see Require multifactor authentication for Intune device
enrollments.
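As an added example for this section and for the Level 3 guidance on MFA earlier in the guide, not code from the Intune documentation, the script below builds the Conditional Access policy that enforces MFA on the Microsoft Intune Enrollment cloud app and can create it through the Microsoft Graph PowerShell SDK. The group IDs are placeholders, the policy is created in report-only mode so you can review sign-in logs before enforcing it, and the emergency-access group is excluded so a misconfiguration cannot lock out every administrator. The application ID used is the one Microsoft publishes for the first-party "Microsoft Intune Enrollment" app; confirm it in your tenant before applying.

```powershell
# Added example (not from the Intune documentation): Conditional Access policy
# requiring MFA for Intune enrollment. Assumptions: $PilotGroupId and
# $BreakGlassGroupId are placeholder group object IDs; the app ID is the
# first-party "Microsoft Intune Enrollment" app as published by Microsoft
# (verify in your tenant); Azure AD Premium is required.

function New-IntuneEnrollmentMfaPolicy {
    param(
        [Parameter(Mandatory)] [string] $PilotGroupId,
        [Parameter(Mandatory)] [string] $BreakGlassGroupId,
        [string] $DisplayName = 'Require MFA for Intune enrollment',
        # Start in report-only; move to 'enabled' after reviewing sign-in logs
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string] $State = 'enabledForReportingButNotEnforced',
        [switch] $Apply
    )
    $policy = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users = @{
                includeGroups = @($PilotGroupId)
                # Emergency-access accounts must never be locked out by this policy
                excludeGroups = @($BreakGlassGroupId)
            }
            applications   = @{ includeApplications = @('d4ebce55-015a-49b5-a083-c84d1797ae8c') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }
    if ($Apply) {
        # Scopes needed to create Conditional Access policies
        Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'
        return New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    }
    return $policy
}

# Offline: render the request body that would be sent (placeholder group IDs)
New-IntuneEnrollmentMfaPolicy -PilotGroupId '00000000-0000-0000-0000-000000000001' `
                              -BreakGlassGroupId '00000000-0000-0000-0000-000000000002' |
    ConvertTo-Json -Depth 5
```

Add -Apply to create the policy; scope it to a pilot group first, as the Getting started section recommends for any new enrollment configuration, and remember that Linux enrollment is not covered by this control.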

Categorize devices into groups

Create a device category in Intune, such as nursing or marketing, and Intune will
automatically add all devices that fall within that category to the corresponding device
group in Intune.

This feature is available for all platforms except Linux. For more information, see
Categorize devices into groups.

Enrollment for Android devices

You can enroll personal or corporate-owned Android devices in Intune. We recommend
Android Enterprise enrollment solutions for personal and corporate-owned devices that
use Google Mobile Services. For corporate-owned devices that don't have Google
Mobile Services and are built from the Android Open Source Project (AOSP), use the
AOSP enrollment methods.

Prerequisites
Connect Intune to your managed Google Play account. The connection is required for all
Android Enterprise management options, including:

Android Enterprise personally owned work profile
Android Enterprise corporate-owned work profile
Android Enterprise fully managed
Android Enterprise dedicated

Android enrollment methods

The following tabs describe the Intune-supported Android and AOSP enrollment
options.

Corporate owned

Corporate-owned devices with a work profile: Enroll corporate-owned devices
that are also approved for personal use. This method creates a separate work
profile on the device so that the user can switch between their personal apps
and work apps easily and securely. The device user enrolls the device through
the Microsoft Intune app. As an admin, you can manage the apps and data in
the work profile. This method aligns with the Android Enterprise corporate-
owned work profile management solution.
Fully managed: Enroll corporate-owned devices exclusively for work and not
personal use. There's one user associated with the enrolled device. You can
manage the entire device and enforce policy controls not available with the
Android Enterprise work profile method. This method aligns with the Android
Enterprise fully managed management solution.

Dedicated device: Enroll corporate-owned, single use or kiosk devices used for
things like digital signage, ticket printing, or inventory management. With this
method, you can limit the apps and web links available on the device, and
prevent people from using the device outside of the intended scope. This
method aligns with the Android Enterprise dedicated devices management
solution.

Corporate-owned, userless devices: Enroll devices that are built from the
Android Open Source Project (AOSP) and absent of Google Mobile services as
corporate-owned, userless devices. These devices don't have a user associated
with them and are intended to be shared, like in a library or lab.

Corporate-owned, user associated devices: Enroll devices that are built from
AOSP and absent of Google Mobile services as corporate-owned, user-
associated devices. These devices are associated with a single user and
intended to be exclusively for work use.

Zero-touch enrollment: We recommend using zero-touch enrollment for bulk
enrollments and to simplify enrollment for remote workers. This method lets
you prepare corporate-owned devices ahead of time so that they
automatically provision and enroll as fully managed devices when users turn
them on.

Note

Android Enterprise device management capabilities supersede Android device
administrator capabilities so we recommend using Android Enterprise management
solutions when possible. We still recommend the Android device administrator
management solution for these scenarios:

For Microsoft Teams certified Android devices.
When the device is in an area where Android Enterprise is unavailable.
When devices are incapable of integrating with Google Mobile Services, and
the AOSP enrollment options won't work with them. For more information
about using Android device administrator when Google Mobile Services is
unavailable, see How to use Intune in environments without Google Mobile
Services.

Enrollment for Apple devices

This section describes the enrollment options available for iOS/iPadOS and Mac devices
in Intune.

Prerequisites
Complete the following prerequisites before you create the enrollment profile for Apple
devices:

Upload an Apple MDM push certificate to Intune. For more information, see Get
MDM push certificate.
Get an Apple enrollment program token if you plan to enroll devices via Apple
automated device enrollment. For more information, see:
Get Apple enrollment program token for iOS/iPadOS
Get Apple enrollment program token for macOS

Apple enrollment solutions

The following table describes the enrollment solutions for devices running iOS/iPadOS
and macOS.

Corporate owned

Automated device enrollment for iOS/iPadOS and for Mac devices: Enroll new
or wiped devices purchased from Apple Business Manager or Apple School
Manager with automated device enrollment. This automated enrollment
method for corporate-owned devices applies your organization's settings
from Apple Business Manager and Apple School Manager, supports
supervision mode, and enrolls devices without you needing to touch them.
When people turn on their devices, Apple Setup Assistant guides them
through setup and enrollment.

Apple Configurator for iOS/iPadOS and for Mac devices: Manually enroll new
or existing corporate-owned devices via Apple Configurator. This option is
ideal for bulk enrollments and when you don't have access to Apple School
Manager, Apple Business Manager, or when you require a wired network
connection. You must have physical access to the devices because you have to
connect to and configure devices on a Mac. There are two different paths you
can take:
Setup Assistant enrollment: This method wipes the device and prepares it
for enrollment in Apple Configurator. When users turn on their devices,
Setup Assistant begins, and then devices enroll in Intune. You must have
access to the device serial numbers, because you need to input them into
the admin center.
Direct enrollment: This method lets you enroll the device prior to
distribution, and doesn't wipe the device. Devices enrolled this way aren't
associated with a user so we recommend this option for shared or kiosk
devices. The instructions are different for macOS and iOS devices, so be
sure to use the correct how-to documentation for devices.

Enrollment for Linux

Employees and students in BYOD scenarios can enroll personal Linux devices in
Microsoft Intune. Enrollment enables them to access work resources in Microsoft Edge.

As an Intune admin, you don't need to do anything to enable Linux enrollment in the
admin center. It's automatically enabled. When users enroll their Linux devices, you'll see
them in the admin center. For more information, see Enroll Linux desktop devices in
Microsoft Intune.

Enrollment for Windows

This section describes the enrollment solutions available for personal and corporate-
owned devices running Windows 10 or Windows 11.

Note

Microsoft Intune enrollment is supported on devices in cloud environments. Co-
management with Configuration Manager is supported in on-premises
environments.

Windows enrollment methods

The following table describes the supported enrollment methods for devices running
Windows 10 and Windows 11.

Automatic enrollment

Make enrollment in Intune easier for employees and students by enabling
automatic enrollment for Windows. For more information, see Enable automatic
enrollment.

Azure Active Directory Join with automatic enrollment: This option is
supported on devices that are procured by you or the device user for work
use. Enrollment occurs during the out-of-box-experience, after the user signs
in with their work account and joins Azure AD. This solution is for when you
don't have access to the device, such as in remote work environments. When
these devices enroll, their device ownership changes to corporate-owned, and
you get access to management features that aren't available on devices
marked as personal-owned.

Windows Autopilot user-driven or self-deploying mode: Automatic enrollment
is supported with the user-driven or self-deploying Windows Autopilot
out-of-box-experience (OOBE), and is best for corporate-owned desktops, laptops,
and kiosks. Device users get desktop access after required software and
policies are installed. An Azure AD Premium license is required.

Windows Autopilot for Hybrid Azure AD join: Automatic enrollment is
supported with Windows Autopilot for hybrid Azure AD-joined devices.
During the Windows Autopilot out-of-box-experience, the Intune connector
for Active Directory enables devices in Active Directory domain services to join
to Azure AD, and then automatically enroll in Intune. You have to install the
Intune connector for Active Directory on an on-premises server and register
devices in Windows Autopilot. We recommend this enrollment solution for
on-premises environments that use Active Directory domain services and can't
currently move their identities to Azure AD.

Co-management with Configuration Manager: Co-management is best for
environments that already manage devices with Configuration Manager, and
want to integrate Microsoft Intune workloads. Co-management is the act of
moving workloads from Configuration Manager to Intune and telling the
Windows client who the management authority is for that particular workload.
For example, you can manage devices with compliance policies and device
configuration workloads in Intune, and utilize Configuration Manager for all
other features, like app deployment and security policies.
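Which of these paths a Windows device actually ended up on (Azure AD joined, hybrid Azure AD joined, or only domain joined) and whether it reached Intune can be read from dsregcmd /status. The function below is an added example, not part of the Intune documentation, that parses that output into a single object; the field names are those dsregcmd prints on current Windows builds, and the sample text at the bottom is constructed so the parser can be run without a joined device.

```powershell
# Added example (not from the Intune documentation): classify a Windows
# device's identity and MDM state from dsregcmd /status output.
# Assumptions: field names (AzureAdJoined, DomainJoined, TenantName, DeviceId,
# MdmUrl) are those printed by dsregcmd; the sample below is constructed.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Only "Key : Value" lines carry data; section borders and blank lines are skipped
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $aad = $state['AzureAdJoined'] -eq 'YES'
    $dom = $state['DomainJoined']  -eq 'YES'
    $joinType = if ($aad -and $dom) { 'Hybrid Azure AD joined' }
                elseif ($aad)       { 'Azure AD joined' }
                elseif ($dom)       { 'Domain joined only (not registered in Azure AD)' }
                else                { 'Not joined' }
    [pscustomobject]@{
        JoinType   = $joinType
        TenantName = $state['TenantName']
        DeviceId   = $state['DeviceId']
        # An MdmUrl under manage.microsoft.com means the device is enrolled in
        # Intune (or has an enrollment in progress); empty means no MDM enrollment
        IntuneMdm  = [bool]($state['MdmUrl'] -like 'https://*.manage.microsoft.com/*')
        MdmUrl     = $state['MdmUrl']
    }
}

# On a real device: ConvertFrom-DsregStatus -Lines (dsregcmd /status)
# Constructed sample of a hybrid-joined device that has not enrolled in MDM yet
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
                  DeviceId : 1b2c3d4e-0000-4000-8000-000000000001
                    MdmUrl :
'@ -split "`r?`n"

ConvertFrom-DsregStatus -Lines $sample
```

For the constructed sample the result is JoinType "Hybrid Azure AD joined" with IntuneMdm false, which is the state a device sits in after the hybrid join completes but before the Autopilot or Group Policy triggered enrollment has run.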
More Windows enrollment features
There are other Windows enrollment options in Intune to help improve or simplify the
device management experience for you and your employees:

Co-management settings: Enable co-management settings to integrate
Configuration Manager workloads with Intune. Co-management enables you to
use both Intune and Configuration Manager features to manage devices.
CNAME validation: Validate a Domain Name System (DNS) alias (CNAME record
type) you created to redirect enrollment requests to Intune servers. The alias
simplifies enrollment for users in the absence of Azure AD Premium and automatic
enrollment.
Enrollment Status Page: Enable the Enrollment Status Page so that people going
through device setup can view and track installation progress.

Report and troubleshoot

Track incomplete and abandoned user enrollments. This Microsoft Intune report tells
you where in the Company Portal users failed to complete the enrollment process.

For troubleshooting docs, see Troubleshoot device enrollment.

Resources
Additional enrollment guides are available throughout the Microsoft Intune
documentation. These guides include visual comparisons, how-to steps, tips, and
enrollment best practices for each supported platform.

Android enrollment guide
iOS/iPadOS enrollment guide
Linux enrollment guide
macOS enrollment guide
Windows enrollment guide

Next steps
1. Set up Microsoft Intune
2. Add, configure, and protect apps
3. Plan for compliance policies
4. Create device configuration profiles
5. 🡺 Enroll devices (You are here)
Sign up or sign in to Microsoft Intune
Article • 06/20/2023

This article tells system administrators how you can sign up for an Intune account.

Before you sign up for Intune, determine whether you already have a Microsoft Online
Services account, Enterprise Agreement, or equivalent volume licensing agreement. A
Microsoft volume licensing agreement or other Microsoft cloud services subscription
like Microsoft 365 usually includes a work or school account.

If you already have a work or school account, sign in with that account and add Intune
to your subscription. Otherwise, you can sign up for a new account to use Intune for
your organization.

Warning

You can't combine an existing work or school account with a new account after you
sign up for the new account.

How to sign up for Intune

1. Visit the Intune Sign up page.

2. On the Sign up page, sign in or sign up to manage a new subscription of Intune.

Post sign up considerations
After you sign up for a new subscription, you receive an email message that contains
your account information at the email address that you provided during the sign up
process. This email confirms your subscription is active.

After completing the sign up process, you're directed to the Microsoft 365 admin center
to add users and assign them licenses. If you only have cloud-based accounts using your
default onmicrosoft.com domain name, then you can go ahead and add users and
assign licenses at this point. However, if you plan to use your organization's custom
domain name or synchronize user account information from on-premises Active
Directory, then you can close that browser window.

Sign in to Microsoft Intune

Once you have signed up for Intune, you can use any device with a supported browser
to sign in to the Microsoft Intune admin center to administer the service.

By default, your account must have one of the following permissions in Azure AD:

Global Administrator
Intune Service Administrator (also known as Intune Administrator)

To grant access to administer the service for users with other permissions, see Role
Based Access Control

Intune admin portal URL

Microsoft Intune admin center: https://intune.microsoft.com

Intune for Education: https://intuneeducation.portal.azure.com

URLs for Intune services provided by Microsoft 365

Microsoft 365 Business: https://portal.microsoft.com/adminportal

Microsoft 365 Mobile Device Management:
https://admin.microsoft.com/adminportal/home#/MifoDevices

See also
You can't sign in to Microsoft 365, Azure, or Intune
Configure a custom domain name
Article • 03/02/2023

This topic tells administrators how you can create a DNS CNAME to simplify and
customize your logon experience using Microsoft Intune.

When your organization signs up for a Microsoft cloud-based service like Intune, you're
given an initial domain name hosted in Azure Active Directory (AD) that looks like your-
domain.onmicrosoft.com. In this example, your-domain is the domain name that you
chose when you signed up. onmicrosoft.com is the suffix assigned to the accounts you
add to your subscription. You can configure your organization's custom domain to
access Intune instead of the domain name provided with your subscription.

Before you create user accounts or synchronize your on-premises Active Directory, we
strongly recommend that you decide whether to use only the .onmicrosoft.com domain
or to add one or more of your custom domain names. Set up a custom domain before
adding users to simplify user management. Setting up a customer domain lets users
sign in with the credentials they use to access other domain resources.

When you subscribe to a cloud-based service from Microsoft, your instance of that
service becomes a Microsoft Azure AD tenant, which provides identity and directory
services for your cloud-based service. And, because the tasks to configure Intune to use
your organizations custom domain name are the same as for other Azure AD tenants,
you can use the information and procedures found in Add your domain.

Tip

To learn more about custom domains, see Conceptual overview of custom domain
names in Azure Active Directory.

You cannot rename or remove the initial onmicrosoft.com domain name. You can add,
verify, or remove custom domain names used with Intune to keep your business identity
clear.

To add and verify your custom domain

1. Go to Microsoft 365 admin center and sign into your administrator account.

2. In the navigation pane, choose Setup > Domains.

3. Choose Add domain, and type your custom domain name. Select Next.

4. The Verify domain dialog box opens giving you the values to create the TXT
record in your DNS hosting provider.

GoDaddy users: Microsoft 365 admin center redirects you to GoDaddy's
login page. After you enter your credentials and accept the domain change
permission agreement, the TXT record is created automatically. You can
alternatively create the TXT record yourself.
Register.com users: Follow the step-by-step instructions to create the TXT
record.

5. You may need to create additional DNS records for Intune enrollments. For more
information, see Enable auto-discovery of Intune enrollment server.

The steps to add and verify a custom domain can also be performed in Azure Active
Directory.
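The enrollment DNS records from step 5 are the same aliases the CNAME validation feature in the Windows enrollment section checks: enterpriseenrollment.<domain> for Intune auto-discovery and enterpriseregistration.<domain> for Azure AD device registration. The script below is an added example, not part of the Intune documentation, that resolves both for a domain and compares them with the targets Microsoft publishes (enterpriseenrollment-s.manage.microsoft.com and enterpriseregistration.windows.net). contoso.com is a placeholder, and the offline answers at the bottom are constructed; pass no resolver to query live DNS.

```powershell
# Added example (not from the Intune documentation): verify the two CNAME
# aliases used for Intune enrollment auto-discovery and Azure AD device
# registration. Assumptions: expected targets are the ones Microsoft
# publishes; 'contoso.com' is a placeholder; offline answers are constructed.

$ExpectedTargets = @{
    enterpriseenrollment   = 'enterpriseenrollment-s.manage.microsoft.com'
    enterpriseregistration = 'enterpriseregistration.windows.net'
}

function Test-IntuneEnrollmentCname {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # Resolver takes an FQDN and returns its CNAME target or $null. The default
        # queries live DNS; pass your own scriptblock to test offline.
        [scriptblock] $Resolver = {
            param($Name)
            (Resolve-DnsName -Name $Name -Type CNAME -ErrorAction Stop |
                Where-Object QueryType -eq 'CNAME' | Select-Object -First 1).NameHost
        }
    )
    foreach ($label in $ExpectedTargets.Keys) {
        $fqdn     = "$label.$Domain"
        $expected = $ExpectedTargets[$label]
        try   { $actual = & $Resolver $fqdn } catch { $actual = $null }
        # A missing alias only removes the convenience; an alias that points
        # elsewhere sends enrollment traffic to a host you do not control.
        $status = if (-not $actual) { 'missing' }
                  elseif ($actual.TrimEnd('.') -ieq $expected) { 'ok' }
                  else { 'WRONG TARGET' }
        [pscustomobject]@{
            Record   = $fqdn
            Expected = $expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# Live check: Test-IntuneEnrollmentCname -Domain 'contoso.com' | Format-Table
# Constructed offline answers: enrollment alias correct, registration alias never created
$fakeDns = @{
    'enterpriseenrollment.contoso.com' = 'enterpriseenrollment-s.manage.microsoft.com'
}
Test-IntuneEnrollmentCname -Domain 'contoso.com' -Resolver { param($n) $fakeDns[$n] } |
    Format-Table -AutoSize
```

Treat a WRONG TARGET result as an incident, not a typo: whoever controls the host the alias points at receives the enrollment discovery requests for your whole domain.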

You can learn more about your initial onmicrosoft.com domain in Microsoft 365 .
Add users and grant administrative permission to Intune
Article • 03/29/2023

As an administrator, you can add users directly or synchronize users from your on-
premises Active Directory. Once added, users can enroll devices and access company
resources. You can also give users additional permissions including global administrator
and service administrator permissions.

Add users to Intune

You can manually add users to your Intune subscription via the Microsoft 365 admin
center or the Microsoft Intune admin center. An administrator can edit user
accounts to assign Intune licenses. You can assign licenses in either the Microsoft 365
admin center or the Microsoft Intune admin center. For more information on using the
Microsoft 365 admin center, see Add users individually or in bulk to the Microsoft 365
admin center.

Add Intune users in the Microsoft 365 admin center

1. Sign in to Microsoft 365 admin center with a global administrator or user
management administrator account.
2. In the Microsoft 365 menu, select Users > Active users > Add a user.
3. Provide the following user details:

First name
Last name
Display name
User name - User principal name (UPN) stored in Azure Active Directory
used to access the service.
Password - Autogenerate or create.

4. Choose Next.
5. On the Assign product licenses page, select a Location and then choose a license
for this user. A license including Intune is required.
6. Choose Next.
7. On the Optional settings page, you can
Assign the new user additional roles (by default the new user is given the
User role).
Provide profile information.

8. Choose Next.
9. On the Review and finish page, select Finish adding to add the user. Choose Close
to close the Add a user page.

Note

If you're moving to Microsoft 365 from an Office 365 subscription, your users and
groups are already in Azure AD. Intune uses the same Azure AD, and can use the
existing users and groups.

Add Intune users in the Microsoft Intune admin center

1. In the Microsoft Intune admin center, choose Users > All users > New user >
Create user.
2. Specify the following user details:

User name - The new name that the user will use to sign in to Azure Active
Directory.
Name - The user's display name, as shown in the directory.
First name - The user's first name.
Last name - The user's last name.

3. Choose whether you want to create the password for the new user or have it
autogenerated.
4. To assign the new user to groups (optional), choose 0 groups selected to open the
Groups pane. Here you can select the groups you want to assign to the user. When
finished selecting groups, choose Select.
5. By default, the new user is assigned the role of User. If you want to add roles to
the user, select User under Groups and roles. In the Directory roles pane, select
the roles you want to assign to the user and then choose Select.
6. If you want to block the user from signing in, you can select Yes for Block sign in.
Make sure to switch this back to No when you're ready to let the user sign in.
7. Choose a Usage location for the new user. Usage location is required before you
can assign the new user an Intune license.
8. Optionally, you can provide information for the Job title, Department, Company
name, and Manager fields.
9. Select Create to add the new user to Intune.
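The same procedure scripted through the Microsoft Graph PowerShell SDK, as an added example that is not part of the Intune documentation: it creates the user with a random initial password that must be changed at first sign-in, sets the usage location that step 7 notes is required before licensing, and assigns a license that includes Intune, while connecting with only the scopes the task needs rather than a Global Administrator session. contoso.com is a placeholder verified domain, and the SKU part number INTUNE_A is an assumption; list the SKUs actually in your tenant with Get-MgSubscribedSku before relying on it.

```powershell
# Added example (not from the Intune documentation): create a user and assign
# an Intune licence with least-privilege Graph scopes.
# Assumptions: Microsoft.Graph PowerShell SDK installed; 'contoso.com' is a
# placeholder verified domain; SKU part number 'INTUNE_A' is an assumption.

function New-RandomPassword {
    param([int] $Length = 20)
    # 64 symbols, so a byte modulo 64 is uniform (no modulo bias); bytes come
    # from the platform CSPRNG, not Get-Random
    $alphabet = [char[]]('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_')
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function New-IntuneUser {
    param(
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Two-letter ISO country code; Graph refuses licence assignment without it
        [Parameter(Mandatory)] [ValidatePattern('^[A-Z]{2}$')] [string] $UsageLocation,
        [string] $SkuPartNumber = 'INTUNE_A',
        [switch] $Apply
    )
    $password = New-RandomPassword
    $body = @{
        accountEnabled    = $true
        givenName         = $FirstName
        surname           = $LastName
        displayName       = "$FirstName $LastName"
        mailNickname      = $UserPrincipalName.Split('@')[0]
        userPrincipalName = $UserPrincipalName
        usageLocation     = $UsageLocation
        passwordProfile   = @{
            password                      = $password
            forceChangePasswordNextSignIn = $true   # the initial secret is single-use
        }
    }
    if (-not $Apply) { return $body }

    # Least privilege: user creation plus licence assignment, nothing directory-wide
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'
    $user = New-MgUser -BodyParameter $body
    $sku  = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
    if (-not $sku) { throw "SKU $SkuPartNumber not found; check Get-MgSubscribedSku" }
    Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ skuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
    # Hand the one-time password to the user out of band; do not write it to logs
    [pscustomobject]@{ UserId = $user.Id; UserPrincipalName = $user.UserPrincipalName; InitialPassword = $password }
}

# Offline: show the request body that would be sent (no tenant calls without -Apply)
New-IntuneUser -FirstName 'Ada' -LastName 'Example' -UserPrincipalName 'ada.example@contoso.com' -UsageLocation 'GB' |
    ConvertTo-Json -Depth 3
```

Without -Apply the function only returns the request body, so you can review it (and the generated password policy) before anything touches the tenant.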
Grant admin permissions
After you've added users to your Intune subscription, we recommend that you grant a
few users administrative permission. To grant admin permissions, follow these steps:

Give admin permissions in Microsoft 365

1. Sign in to the Microsoft 365 admin center with a global administrator account >
select Users > Active users > choose the user to give admin permissions.
2. In the user pane, choose Manage roles under Roles.
3. In the Manage roles pane, choose the admin permission to grant from the list of
available roles.
4. Choose Save changes.

Give admin permissions in Microsoft Intune admin center

1. Sign in to the Microsoft Intune admin center with a global administrator account
> Users > then choose the user you want to give admin permissions.
2. Select Assigned roles > Add assignments.
3. In the Directory roles pane, select the roles you want to assign to the user > Add.

Types of administrators
Assign users one or more administrator permissions. These permissions define the
administrative scope for users and the tasks they can manage. Administrator
permissions are common between the different Microsoft cloud services, and some
services might not support some permissions. Both the Azure portal and Microsoft 365
admin center list limited administrator roles that aren't used by Intune. Intune
administrator permissions include the following options:

Global administrator - (Microsoft 365 and Intune) Accesses all administrative
features in Intune. By default the person who signs up for Intune becomes a Global
admin. Global admins are the only admins who can assign other admin roles. You
can have more than one global admin in your organization. As a best practice, we
recommend that only a few people in your company have this role to reduce the
risk to your business.
Password administrator - (Microsoft 365 and Intune) Resets passwords, manages
service requests, and monitors service health. Password admins are limited to
resetting passwords for users.
Service support administrator - (Microsoft 365 and Intune) Opens support
requests with Microsoft, and views the service dashboard and message center.
They have "view only" permissions except for opening support tickets and reading
them.
Billing administrator - (Microsoft 365 and Intune) Makes purchases, manages
subscriptions, manages support tickets, and monitors service health.
User administrator - (Microsoft 365 and Intune) Resets passwords, monitors
service health, adds and deletes user accounts, and manages service requests. The
user management admin can't delete a global admin, create other admin roles, or
reset passwords for other admins.
Intune administrator - All Intune Global administrator permissions except
permission to create administrators with Directory Role options.

The account you use to create your Microsoft Intune subscription is a global
administrator. As a best practice, don't use a global administrator for day-to-day
management tasks. While an administrator doesn't require an Intune license to access
the Intune on Azure portal, in order to perform certain management tasks, such as
setting up the Exchange service Connector, an Intune license is required.

To access the Microsoft 365 admin center, your account must have a Sign-in allowed
set. In the Azure portal under Profile, set Block sign in to No to allow access. This status
is different from having a license to the subscription. By default, all user accounts are
Allowed. Users without administrator permissions can use the Microsoft 365 admin
center to reset Intune passwords.
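Because Global admins are the only admins who can assign other admin roles, a periodic check of who actually holds the Global administrator and Intune administrator roles is a useful control. The following is an added example written for this page with the Microsoft Graph PowerShell SDK; it is not code from the Intune documentation. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed, that the signed-in account has the RoleManagement.Read.Directory permission, and that the roles are named "Global Administrator" and "Intune Administrator" in Azure AD; the warning threshold of five is an example value, not a Microsoft recommendation.

```powershell
# Added example (not from the Intune documentation): list who holds the Global administrator
# and Intune administrator directory roles, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Identity.DirectoryManagement is installed and the signed-in
# account has RoleManagement.Read.Directory. Role names are the Azure AD display names.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

function Get-DirectoryRoleHolders {
    param([Parameter(Mandatory)] [string[]] $RoleDisplayName)

    foreach ($name in $RoleDisplayName) {
        # Get-MgDirectoryRole only returns roles that have been activated in the tenant;
        # a role nobody has ever been assigned comes back empty rather than as an error.
        $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
        if (-not $role) {
            Write-Warning "Role '$name' is not activated in this tenant (no members)."
            continue
        }
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            # Members are generic directory objects (user, group or service principal);
            # their type-specific attributes are exposed through AdditionalProperties.
            [pscustomobject]@{
                Role        = $name
                ObjectType  = $member.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
                DisplayName = $member.AdditionalProperties['displayName']
                Principal   = $member.AdditionalProperties['userPrincipalName']
                Id          = $member.Id
            }
        }
    }
}

$holders = Get-DirectoryRoleHolders -RoleDisplayName 'Global Administrator', 'Intune Administrator'
$holders | Format-Table Role, ObjectType, DisplayName, Principal -AutoSize

# The article recommends keeping Global administrators to a few people; flag it when the
# count grows. The threshold is an example value, not a Microsoft recommendation.
$globalAdmins = @($holders | Where-Object Role -eq 'Global Administrator')
if ($globalAdmins.Count -gt 5) {
    Write-Warning ("{0} Global administrators found; review whether each one needs the role." -f $globalAdmins.Count)
}
```

Group members of a role appear as a single group object; expand them separately with Get-MgGroupMember if you need the effective list of people.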

Sync Active Directory and add users to Intune

You can configure directory synchronization to import user accounts from your
on-premises Active Directory to Microsoft Azure Active Directory (Azure AD) which includes
Intune users. Having your on-premises Active Directory service connected with all of
your Azure Active Directory-based services makes managing user identity much simpler.
You can also configure single sign-on features to make the authentication experience for
your users familiar and easy. When you link the same Azure AD tenant with multiple
services, the user accounts that you have previously synchronized are available to all
cloud-based services.

Be sure your AD admins have access to your Azure AD subscription, and are trained to
complete common AD and Azure AD tasks.

How to sync on-premises users with Azure AD

To move existing users from on-premises Active Directory to Azure AD, you can set
up hybrid identity. Hybrid identities exist in both services - on-premises AD and
Azure AD.

You can also export Active Directory users using the UI or through script. An
internet search can help you find the best option for your organization.

To synchronize your user accounts with Azure AD, use the Azure AD Connect
wizard. The Azure AD Connect wizard provides a simplified and guided
experience for connecting your on-premises identity infrastructure to the cloud.
Choose your topology and needs (single or multiple directories, password hash
sync, pass-through authentication, or federation). The wizard deploys and
configures all components required to get your connection up and running,
including sync services, Active Directory Federation Services (AD FS), and the
Azure AD PowerShell module.

Tip

Azure AD Connect encompasses functionality that was previously released as
Dirsync and Azure AD Sync. Learn more about directory integration. To learn about
syncing user accounts from a local directory to Azure AD, see Similarities between
Active Directory and Azure AD.
Add groups to organize users and devices
Article • 03/29/2023

Intune uses Azure Active Directory (Azure AD) groups to manage devices and users. As
an Intune admin, you can set up groups to suit your organizational needs. Create groups
to organize users or devices by geographic location, department, or hardware
characteristics. Use groups to manage tasks at scale. For example, you can set policies
for many users or deploy apps to a set of devices.

Note

Default groups created from Microsoft 365 admin center are not security
enabled. You must explicitly create security enabled Microsoft 365 groups in
Microsoft 365 admin center, the Azure AD admin center, or Microsoft Intune
admin center.

You can add the following types of groups:

Assigned groups - Manually add users or devices into a static group.

Dynamic groups (Requires Azure AD Premium) - Automatically add users or
devices to user groups or device groups based on an expression you create.

For example, when a user is added with the manager title, the user is automatically
added to an All managers users group. Or, when a device has the iOS/iPadOS
device OS type, the device is automatically added to an All iOS/iPadOS devices
devices group.

Add a new group

Use the following steps to create a new group.

1. Sign in to the Microsoft Intune admin center.

2. Select Groups > New group.

3. In Group type, choose one of the following options:

Security: Security groups define who can access resources, and are
recommended for your groups in Intune. For example, you can create groups
for users, such as All Charlotte employees or Remote workers. Or, create
groups for devices, such as All iOS/iPadOS devices or All Windows 10
student devices.

Tip

The users and groups created can also be seen in the Microsoft 365
admin center, Azure Active Directory admin center, and Microsoft
Intune in the Azure portal. In your organization tenant, you can create
and manage groups in all these areas.

If your primary role is device management, we recommend you use the
Microsoft Intune admin center.

Microsoft 365: Provides collaboration opportunities by giving members
access to a shared mailbox, calendar, files, SharePoint site, and more. This
option also lets you give people outside of your organization access to the
group. For more information, see Learn about Microsoft 365 Groups.

Note

Only security-enabled Microsoft 365 Groups are supported.

4. Enter a Group name and Group description for the new group. Be specific and
include information so others know what the group is for.

For example, enter All Windows 10 student devices for group name, and All
Windows 10 devices used by students in Contoso high school grades 9-12 for
group description.
5. Enter the Membership type. Your options:

Assigned: Administrators manually assign users or devices to this group, and
manually remove users or devices.

Dynamic User: Administrators create membership rules to automatically add
and remove members.

Dynamic Device: Administrators create dynamic group rules to automatically
add and remove devices.

For more information on these membership types, and creating dynamic
expressions, see:

Create a basic group and add members using Azure AD
Dynamic membership rules for groups in Azure AD

Note

In this admin center, when you create users or groups, you might not see the
Azure Active Directory branding. But, that's what you're using.

6. Choose Create to add the new group. Your group is shown in the list.

Consider some of the other dynamic user and device groups you can create, such as:

All Students in Contoso high school
All iOS 11 and older devices
Marketing
Human Resources
All Charlotte employees

Device groups
You can create device groups when you need to run administrative tasks based on the
device identity, not the user identity. They're useful for managing devices that don't
have dedicated users, such as kiosk devices, devices shared by shift workers, or devices
assigned to a specific location.

For example:

All Windows 10 Surface devices
CLT distribution center-Zebra devices

You can also use device categories to automatically join devices to groups when they
enroll.
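The dynamic group types described above (the All managers and All iOS/iPadOS devices examples), the Dynamic User and Dynamic Device membership types in step 5, and the device groups just listed can all be created from PowerShell as well as in the admin center. The following is an added example written for this page with the Microsoft Graph PowerShell SDK; it is not code from the Intune documentation. It assumes the Microsoft.Graph.Groups module is installed, that the signed-in account holds Group.ReadWrite.All, and that the tenant has Azure AD Premium, which dynamic membership requires. The user rule uses the jobTitle attribute; the deviceOSType values in the device rule are an assumption to validate with the rule editor's validation feature before the group is used for policy targeting.

```powershell
# Added example (not from the Intune documentation): create a dynamic user group and a
# dynamic device group with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Groups is installed, the signed-in account has
# Group.ReadWrite.All, and the tenant has Azure AD Premium (required for dynamic groups).
# The attribute values in the rules are examples; validate them in the rule editor first.

Connect-MgGraph -Scopes "Group.ReadWrite.All"

function New-DynamicSecurityGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,   # must be unique in the tenant
        [Parameter(Mandatory)] [string] $MembershipRule,
        [string] $Description
    )
    # A security group (not mail-enabled) whose membership Azure AD computes from
    # $MembershipRule. MembershipRuleProcessingState "On" starts rule evaluation.
    New-MgGroup -DisplayName $DisplayName -Description $Description `
        -MailEnabled:$false -MailNickname $MailNickname -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $MembershipRule -MembershipRuleProcessingState "On"
}

# Dynamic user group: every user whose job title is "Manager" (the All managers example).
$managers = New-DynamicSecurityGroup -DisplayName "All managers" -MailNickname "allmanagers" `
    -Description "Users whose jobTitle is Manager (dynamic membership)" `
    -MembershipRule '(user.jobTitle -eq "Manager")'

# Dynamic device group: every device whose OS type is iOS or iPadOS (assumed values).
$iosDevices = New-DynamicSecurityGroup -DisplayName "All iOS/iPadOS devices" -MailNickname "alliosdevices" `
    -Description "Devices with deviceOSType iOS or iPadOS (dynamic membership)" `
    -MembershipRule '(device.deviceOSType -eq "iOS") -or (device.deviceOSType -eq "iPadOS")'

# Rule evaluation is asynchronous; MembershipRuleProcessingState shows whether it is
# still running, so check it before assigning policies to a freshly created group.
foreach ($id in $managers.Id, $iosDevices.Id) {
    Get-MgGroup -GroupId $id -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState |
        Format-List Id, DisplayName, MembershipRule, MembershipRuleProcessingState
}
```

Membership rules are evaluated by Azure AD, not by Intune, so a change to a user's jobTitle or a device's OS type moves the object between groups (and therefore between assigned policies) without any admin action; keep that in mind when choosing which attributes a rule depends on.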

Intune All users and All devices groups

When assigning policies and apps in the Intune admin center, you can choose to assign
to All users or All devices groups, which are automatically created by Intune.

The All devices group targets all devices that are enrolled into management. The All
users group is a simple way to target all users that are assigned an Intune license. These
groups are considered "virtual" because you don't create them or view them in Azure
Active Directory. They're convenient to use because they're already in your tenant, and
they're a faster targeting unit than Azure AD groups.

When assigning policies and applications to large groups, such as All users and All
devices, you may choose to use Filters, so that you can dynamically control which
devices the policy or app deployment should apply to.

For more guidance on using Filters, go to:

Use filters when assigning your apps, policies, and profiles in Microsoft Intune
Performance recommendations for Grouping, Targeting and Filtering in large
Microsoft Intune environments

See also
Role-based access control (RBAC) with Microsoft Intune
Manage access to resources with Azure AD groups
Assign apps to groups with Microsoft Intune
Microsoft Intune licensing
Article • 05/25/2023

Microsoft Intune is available for different customer needs and organization sizes, from a
simple-to-use management experience for schools and small businesses, to more
advanced functionality required by enterprise customers. Most licenses that include
Microsoft Intune also grant the rights to use Microsoft Configuration Manager, as long
as the subscription remains active. An admin must have a license assigned to them to
administer Intune (unless you allow unlicensed admins).

Microsoft Intune
The following plans are available for Microsoft Intune. For more information about the
plans and pricing, see Discover Microsoft Intune Plans and Pricing .

Microsoft Intune Plan 1

A cloud-based unified endpoint management solution that is included in the following
licenses:

Microsoft 365 E5
Microsoft 365 E3
Enterprise Mobility + Security E5
Enterprise Mobility + Security E3
Microsoft 365 Business Premium
Microsoft 365 F1
Microsoft 365 F3
Microsoft 365 Government G5
Microsoft 365 Government G3
Microsoft Intune for Education

Note

For additional licensing information about Intune for Education, see Microsoft 365
Education.

Microsoft Intune Plan 2

An add-on to Microsoft Intune Plan 1 that offers advanced endpoint management
capabilities. Intune Plan 2 is included in Microsoft Intune Suite.

For information about trial and purchasing, see Use Intune Suite add-on capabilities.

Microsoft Intune Suite

An add-on to Microsoft Intune Plan 1 that unifies mission-critical advanced endpoint
management and security solutions.

For information about trial and purchasing, see Use Intune Suite add-on capabilities.

Microsoft Intune for Education

Intune Plan 1 for Education is included in the following licenses:

Microsoft 365 Education A5
Microsoft 365 Education A3

Licensing for Configuration Manager-managed devices in Intune

For existing Configuration Manager-managed devices to enroll into Intune for
co-management at scale without user interaction, co-management uses an Azure Active
Directory (Azure AD) feature called Windows 10 auto-enrollment. Auto-enrollment with
co-management requires licenses for both Azure AD Premium (AADP1) and Microsoft
Intune Plan 1. Starting on December 1, 2019, you no longer need to assign individual
Intune licenses for this scenario. Microsoft Intune now includes the Intune licenses for
co-management. The separate AADP1 licensing requirement remains the same for this
scenario to work. You still need to assign Intune licenses for other enrollment scenarios.

Additional information
A Microsoft Intune user and device subscription is available as a standalone, in
addition to the bundles listed above.
A Microsoft Intune device-only subscription is available to manage kiosks,
dedicated devices, phone-room devices, IoT, and other single-use devices that
don't require user-based security and management features. For more information,
see Device-only licenses.
The appropriate Microsoft Intune license is required if a user or device benefits
directly or indirectly from the Microsoft Intune service, including access to the
Microsoft Intune service through a Microsoft API.
Intune isn't included in licenses not in the previous tables.

Unlicensed admins
For more information about giving administrators access to the Microsoft Intune admin
center without them having an Intune license, see Unlicensed admins.

Device-only licenses
Microsoft Intune offers a device-only subscription service that helps organizations
manage devices that aren't affiliated with specific users.

You can purchase device licenses based on your estimated usage. Microsoft Intune
device licenses are applicable when a device is enrolled through any of the following
methods:

Windows Autopilot Self-Deploying mode
Apple Device Enrollment Program without user affinity
Apple School Manager without user affinity
Apple Configurator without user affinity
Android Enterprise dedicated
Using a device enrollment manager account

Note

Visit the Microsoft Licensing page, or contact your account representative if you
have any questions or you would like to receive the latest information about
product editions, product licensing updates, volume licensing plans, and other
information related to your specific use cases.

Device-only license limitations

When a device is enrolled by using a device license, the following Intune functions aren't
supported:

Intune app protection policies
Conditional access
User-based management features, such as email and calendaring

Confirm your licenses

A Microsoft Intune license is created for you when you sign up for the Intune free trial.
As part of this trial, you'll also have a trial Enterprise Mobility + Security (EMS)
subscription. An Enterprise Mobility + Security (EMS) subscription includes both Azure
Active Directory Premium and Microsoft Intune.

Note

If you are unable to access this portal using the steps below, or if you don't have an
Intune license, you can sign up now for the Intune free trial. When setting up
Intune, you can give administrators access to the Microsoft Intune admin center
without them requiring an Intune license.

To confirm your Microsoft Intune license or trial, use the following steps:

1. Sign in to Microsoft Intune admin center.

2. Select Tenant administration > Tenant status.

Under the Tenant details tab, you will see the MDM authority, the Total licenses
users, and the Total Intune licenses.
3. Select Tenant administration > Roles > My permissions.
4. Confirm you are an administrator with full permissions to all Intune resources.

Note

For more in-depth information about Microsoft Intune, see the learning module:
Set up Microsoft Intune.

To check on your Azure AD Premium license, use the following steps:

1. Sign in to the Azure portal.
2. Select Azure Active Directory.
3. Select Overview. On the Overview pane, select the Overview tab if it isn't already
selected.
4. Under Basic information, view your license.

If you don't have a license for Azure AD Premium, see Sign up for Azure Active Directory
Premium editions.
Next steps
For the latest information about product editions, product licensing updates, volume
licensing plans, and other information related to your specific use cases, see the
Microsoft Licensing page.

For information about how user and device licenses affect access to services, as well as
how to assign a license to a user, see the Assign Intune licenses to your user accounts
article.
Assign licenses to users so they can enroll devices in Intune
Article • 06/30/2023

Whether you manually add users or synchronize from your on-premises Active
Directory, you must first assign each user an Intune Plan 1 license before users can
enroll their devices in Intune. For a list of licenses, see Microsoft Intune licensing.

Note

Users assigned Intune app protection policy and not enrolling their devices into
Microsoft Intune will also require an Intune license to receive policy.

Assign an Intune license in the Microsoft Intune admin center
You can use the Microsoft Intune admin center to manually add cloud-based users
and assign licenses to both cloud-based user accounts and accounts synchronized from
your on-premises Active Directory to Azure AD.

1. In the Microsoft Intune admin center, select Users > All Users > choose a user >
Licenses > Assignments.

2. Choose the box for Intune > Save. If you want to use the Enterprise Mobility +
Security E5 or other license, choose that box instead.
3. The user account now has the permissions needed to use the service and enroll
devices into management.

Assign an Intune license by using Azure Active Directory
You can also assign Intune licenses to users by using Azure Active Directory. For more
information, see the License users in Azure Active Directory article.

Use School Data Sync to assign licenses to users in Intune for Education
If you are an educational organization, you can use School Data Sync (SDS) to assign
Intune for Education licenses to synced users. Just choose the Intune for Education
checkbox when you're setting up your SDS profile.

When you assign an Intune for Education license, make sure that Intune A Direct license
is also assigned.
See this overview of School Data Sync to learn more about SDS.

How user and device licenses affect access to services
Each user that you assign a user software license to may access and use the online
services and related software (including System Center software) to manage
applications and up to 15 MDM devices.
You can purchase licenses for any devices separately from user licenses. Device
licenses do not need to be assigned to the devices. Each device that accesses and
uses the online services and related software (including System Center software)
must have a device license available in the Microsoft 365 tenant.
If a device is used by more than one user, each device requires a device based
software license or all users require a user software license.
If you remove a license from a user that has managed devices, it may affect the
compliance or management of those devices.
How to restore users accidentally unlicensed
If you have accidentally removed the license for one or more users, you can restore
their device compliance and management by re-assigning the license for those
users. For more information, see Assign Microsoft Intune licenses.

Understanding the type of licenses you have purchased
How you purchased Intune determines your subscription information:

If you purchased Intune through an Enterprise Agreement, you can find your
subscription information in the Volume License portal under Subscriptions.
If you purchased Intune through a Cloud Solution Provider, check with your
reseller.
If you purchased Intune with a CC# or Invoice, then your licenses will be user-
based.

Look up current licenses using PowerShell

To view the number of free and used licenses on a Microsoft Intune subscription, you
can use the following steps to run PowerShell commands.

1. From a PowerShell prompt, run the following command to sign in to Microsoft
Graph. The Organization.Read.All scope is needed to read subscription information:

PowerShell

Connect-MgGraph -Scopes "Organization.Read.All"

2. A browser window will prompt for credentials. Enter your Microsoft Intune
credentials.

3. Run the following command:

PowerShell

Get-MgSubscribedSku

A list of the subscribed SKUs will appear, showing each SKU's part number, SKU ID, and
Consumed Units; the purchased (enabled) unit count is in each SKU's PrepaidUnits
property. Note that this will also display any Microsoft Office 365 licenses on the
subscription.

Note

To confirm your Azure Active Directory Premium and Microsoft Intune using
Microsoft Intune admin center, see Confirm your licenses.
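Get-MgSubscribedSku lists every SKU in the tenant, but the numbers a practitioner usually wants (how many seats are still free, and which SKUs actually carry Intune) have to be derived from its PrepaidUnits and ServicePlans properties. The following is an added example written for this page; it is not code from the Intune documentation. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed, that the signed-in account has Organization.Read.All, and that the Intune service plan is named INTUNE_A, as the EMS examples further down on this page also assume.

```powershell
# Added example (not from the Intune documentation): per subscribed SKU, report purchased,
# consumed and free units and whether the SKU includes the Intune service plan (INTUNE_A).
# Assumptions: Microsoft.Graph.Identity.DirectoryManagement is installed and the signed-in
# account has Organization.Read.All.

Connect-MgGraph -Scopes "Organization.Read.All"

function Get-LicenseAvailability {
    param([switch] $IntuneOnly)   # -IntuneOnly keeps only SKUs that carry the Intune plan

    foreach ($sku in Get-MgSubscribedSku) {
        $intunePlan = $sku.ServicePlans | Where-Object ServicePlanName -eq "INTUNE_A"
        if ($IntuneOnly -and -not $intunePlan) { continue }

        [pscustomobject]@{
            SkuPartNumber  = $sku.SkuPartNumber
            IncludesIntune = [bool]$intunePlan
            Purchased      = $sku.PrepaidUnits.Enabled
            Consumed       = $sku.ConsumedUnits
            Free           = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
            # Units in Suspended or Warning state are not usable capacity; surface them so
            # they are not mistaken for spare seats when planning enrollment.
            Suspended      = $sku.PrepaidUnits.Suspended
            Warning        = $sku.PrepaidUnits.Warning
        }
    }
}

# SKUs that entitle users to Intune, least spare capacity first.
Get-LicenseAvailability -IntuneOnly | Sort-Object Free | Format-Table -AutoSize
```

A negative Free value means more seats are consumed than purchased, which is what you see after a subscription shrinks or a trial ends; users beyond the purchased count lose the entitlement and, as the licensing article notes, their device compliance and management can be affected.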

Use PowerShell to selectively manage EMS user licenses

Organizations that use Microsoft Enterprise Mobility + Security (formerly Enterprise
Mobility Suite) might have users who only require Azure Active Directory Premium or
Intune services in the EMS package. You can assign one or a subset of services using
Microsoft Graph PowerShell cmdlets.

To selectively assign user licenses for EMS services, open PowerShell as an administrator
on a computer with the Microsoft Graph PowerShell SDK (the Microsoft.Graph modules)
installed. You can install the module on a local computer or on an AD FS server.

You must create a new license SKU definition that applies only to the desired service
plans. To do this, disable the plans you don't want to apply. For example, you might
create a license SKU definition that does not assign an Intune license. To see a list of
available services, type:

PowerShell

# Each service plan's ServicePlanName (for example INTUNE_A) and ServicePlanId are listed
(Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "EMS").ServicePlans

You can run the following command to exclude the Intune service plan. You can use the
same method to expand to an entire security group or you can use more granular filters.

Example 1

Create a new user on the command line and assign an EMS license without enabling the
Intune portion of the license:

PowerShell

Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All"

# New-MgUser requires MailNickname, AccountEnabled and a PasswordProfile; replace the
# placeholder values with your own.
$PasswordProfile = @{ Password = "<TemporaryPassword>"; ForceChangePasswordNextSignIn = $true }
New-MgUser -DisplayName "Test User" -GivenName FName -Surname LName `
    -UserPrincipalName "user@<TenantName>.onmicrosoft.com" -MailNickname user `
    -Department DName -UsageLocation US -AccountEnabled -PasswordProfile $PasswordProfile

# Build the license assignment: the EMS SKU with its Intune service plan (INTUNE_A) disabled.
$EMS = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "EMS"
$IntunePlanId = ($EMS.ServicePlans | Where-Object ServicePlanName -eq "INTUNE_A").ServicePlanId
$CustomEMS = @{ SkuId = $EMS.SkuId; DisabledPlans = @($IntunePlanId) }

# -RemoveLicenses is required by Set-MgUserLicense even when nothing is removed.
Set-MgUserLicense -UserId "user@<TenantName>.onmicrosoft.com" `
    -AddLicenses @($CustomEMS) -RemoveLicenses @()

Verify with:

PowerShell

# The Intune plan shows ProvisioningStatus "Disabled"; the other EMS plans show "Success".
(Get-MgUserLicenseDetail -UserId "user@<TenantName>.onmicrosoft.com").ServicePlans

Example 2

Disable the Intune portion of EMS license for a user that is already assigned with a
license:

PowerShell

Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All"

# Re-adding a SKU the user already holds updates its disabled plans rather than assigning
# a second copy, so the same SKU definition as in Example 1 is used here.
$EMS = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "EMS"
$IntunePlanId = ($EMS.ServicePlans | Where-Object ServicePlanName -eq "INTUNE_A").ServicePlanId
$CustomEMS = @{ SkuId = $EMS.SkuId; DisabledPlans = @($IntunePlanId) }

Set-MgUserLicense -UserId "user@<TenantName>.onmicrosoft.com" `
    -AddLicenses @($CustomEMS) -RemoveLicenses @()

Verify with:

PowerShell

(Get-MgUserLicenseDetail -UserId "user@<TenantName>.onmicrosoft.com").ServicePlans

Unlicensed admins
Article • 02/22/2023

You can give administrators access to Microsoft Intune without them requiring an Intune
license. This feature applies to any administrator, including Intune administrators, global
administrators, Azure AD administrators, and so on. Other features or services, such as
those in Azure Active Directory (AD) Premium, may require a license for the
administrator.

The Unlicensed admins option has been enabled by default on all accounts created after
the 2006 release.

Allow access
1. Sign in to Microsoft Intune admin center > Tenant administration > Roles >
Administrator Licensing.

2. Select Allow access to unlicensed admins > Yes.

Warning

You can’t undo this setting after clicking Yes.

3. From now on, users who sign in to the Microsoft Intune admin center don’t require
an Intune license. Their scope of access is defined by the roles assigned to them.

Intune supports up to 350 unlicensed admins per security group, and only applies to
direct members. Admins above this limit will experience unpredictable behavior.

It can take up to 48 hours for access changes to take effect.

Next steps
Role-based access control (RBAC) with Microsoft Intune

Microsoft Intune licensing

Set the mobile device management authority
Article • 08/25/2023

The mobile device management (MDM) authority setting determines how you manage
your devices. As an IT admin, you must set an MDM authority before users can enroll
devices for management. You should also be assigned an Intune license to set the MDM
Authority.

Possible configurations are:

Intune Standalone - Cloud-only management, which you configure by using the
Azure portal. Includes the full set of capabilities that Intune offers. Set the MDM
authority in the Microsoft Intune admin center.

Intune co-management - Integration of the Intune cloud solution with
Configuration Manager for Windows 10 devices. You configure Intune by using the
Configuration Manager console. Configure auto-enrollment of devices to Intune.

Basic Mobility and Security for Microsoft 365 - After this configuration is
activated, the MDM authority is set to "Office 365". If you want to start using
Intune, you're required to purchase Intune licenses.

Basic Mobility and Security for Microsoft 365 coexistence - You can add Intune to
your tenant if you're already using Basic Mobility and Security for Microsoft 365.
You can set the management authority to either Intune or Basic Mobility and
Security for Microsoft 365 for each user to dictate which service is used to manage
their MDM-enrolled devices. Each user's management authority is defined based
on the license assigned to the user:
Basic Mobility and Security for Microsoft 365 manages the devices of users who
only have a license for Microsoft 365 Basic or Standard.
Intune manages the devices of users who have a license entitling them to use it.
If you add a license entitling Intune to a user previously managed by Basic
Mobility and Security for Microsoft 365, their devices are switched to Intune
management. To avoid losing Basic Mobility and Security for Microsoft 365
configuration on users' devices, make sure to assign Intune configurations to
users before switching them to Intune.

Set MDM authority to Intune

For tenants using the 1911 service release and later, the MDM authority is automatically
set to Intune.

For tenants using the 1911 service release and later, if you activated Basic Mobility and
Security, follow the steps in this section.

For pre-1911 service release tenants, if you haven't yet set the MDM authority, follow
the steps in this section.

1. In the Microsoft Intune admin center , select the orange banner to open the
Mobile Device Management Authority setting. The orange banner is only
displayed if you haven't yet set the MDM authority.

2. Under Mobile Device Management Authority, choose your MDM authority from
the following options:

Intune MDM Authority
None

A message indicates that you have successfully set your MDM authority to Intune.

Workflow of Intune Administration UI

When Android or Apple device management is enabled, Intune sends device and user
information to integrate with these third-party services to manage their respective
devices.

Scenarios that add a consent to share data are included when:

You enable Android Enterprise personally-owned or corporate-owned work
profiles.
You enable and upload Apple MDM push certificates.
You enable any of the Apple services, such as Device Enrollment Program, School
Manager, or Volume Purchasing Program.

In each case, the consent is strictly related to running a mobile device management
service. For example, confirming that an IT Admin has authorized Google or Apple
devices to enroll. Documentation to address what information is shared when the new
workflows go live is available from the following locations:

Data Intune sends to Google
Data Intune sends to Apple

Key Considerations
After you switch to the new MDM authority, there's some transition time (up to eight
hours) before the device checks in and synchronizes with the service. You're required to
configure settings in the new MDM authority to make sure that enrolled devices
continue to be managed and protected after the change.

Devices must connect with the service after the change so that the settings from
the new MDM authority (Intune standalone) replace the existing settings on the
device.
After you change the MDM authority, some of the basic settings (such as profiles)
from the previous MDM authority will remain on the device for up to seven days or
until the device connects to the service for the first time. You should configure
apps and settings (such as policies, profiles, and apps) in the new MDM authority
as soon as possible and deploy the setting to the user groups that contain users
who have existing enrolled devices. As soon as a device connects to the service
after the change in MDM authority, it will receive the new settings from the new
MDM authority and prevent gaps in management and protection.
Devices that don't have associated users (typically when you have iOS/iPadOS
Device Enrollment Program or bulk enrollment scenarios) aren't migrated to the
new MDM authority. For those devices, you need to call support for assistance to
move them to the new MDM authority.

Coexistence
By enabling coexistence, you can use Intune for a new set of users while continuing to
use Basic Mobility and Security for the existing users. You can control which devices are
managed by Intune through the user. Intune manages all the devices enrolled by a user,
if the user has an Intune license or uses Intune co-management with Configuration
Manager. Otherwise, the user is managed by Basic Mobility and Security.

There are three major steps to enable coexistence:

1. Preparation
2. Add Intune MDM authority
3. User and Device migration (optional).

Preparation
Before enabling coexistence with Basic Mobility and Security, consider the following
points:

Make sure you have sufficient Intune licenses for the users you intend to manage
through Intune.
Review which users are assigned Intune licenses. After you enable coexistence, any
user already assigned an Intune license will have their devices switch to Intune. To
avoid unexpected device switches, we recommend not assigning any Intune
licenses until you've enabled coexistence.
Create and deploy Intune policies to replace device security policies that were
originally deployed through the Office 365 Security & Compliance portal. This
replacement should be done for any users you expect to move from Basic Mobility
and Security to Intune. If there are no Intune policies assigned to those users,
enabling coexistence may cause them to lose Basic Mobility and Security settings.
These settings are lost without replacement, like managed email profiles. Even
when replacing device security policies with Intune policies, users may be
prompted to re-authenticate their email profiles after the device is moved to
Intune management.
You can't unprovision Basic Mobility and Security after you've set it up. However,
there are steps you can take to turn off the policies. For more information, see Turn
off Basic Mobility and Security.

Add Intune MDM authority

To enable coexistence, you must add Intune as the MDM authority for your
environment:

1. Sign in to the Microsoft Intune admin center with Azure AD Global or Intune
service administrator rights.
2. Navigate to Devices.
3. The Add MDM Authority blade displays.
4. To switch the MDM authority from Office 365 to Intune and enable coexistence,
select Intune MDM Authority > Add.

Migrate users and devices (optional)

After you enable Intune MDM authority, coexistence is activated and you can begin
managing users through Intune. You can optionally move devices that were previously
managed by Basic Mobility and Security to be managed by Intune by assigning those
users an Intune license. The users' devices will switch to Intune on their next MDM
check-in. Settings that were applied to these devices through Basic Mobility and
Security are no longer applied and are removed from the devices.

Mobile device cleanup after MDM certificate expiration
The MDM certificate is renewed automatically when mobile devices are communicating
with the Intune service. If mobile devices are wiped, or they fail to communicate with the
Intune service for some period of time, the MDM certificate isn't renewed. The device is
removed from the Azure portal 180 days after the MDM certificate expires.

Remove MDM authority

The MDM authority can't be changed back to Unknown. The MDM authority is used by
the service to determine which portal enrolled devices report to (Microsoft Intune or
Basic Mobility and Security for Microsoft 365).
What to expect after changing the MDM authority
When the Intune service detects a change in a tenant's MDM authority, it sends a
notification message to all enrolled devices. The notification message prompts the
devices to check in and synchronize with the service, outside of their regular
schedule. As a result, all powered on and online devices connect with the service
and receive the new MDM authority. The new authority manages and protects the
devices without any interruption. Therefore, after the MDM authority for the tenant
is changed from Intune standalone, the devices will continue to function normally
under the new MDM authority.

Devices that are powered on and online during or shortly after the change in MDM
authority experience a delay. The delay can last up to eight hours, depending on
the timing of the next scheduled regular check-in. During the delay, the devices
aren't registered with the service under the new MDM authority. After the delay,
the devices are fully registered and operational under the new MDM authority.

Important

Between the time when you change the MDM authority and when the
renewed APNs certificate is uploaded to the new authority, new device
enrollments and device check-in for iOS/iPadOS devices fail. Therefore, it's
important that you review and upload the APNs certificate to the new
authority as soon as possible after the change in MDM authority.

Users can quickly change to the new MDM authority by manually starting a check-
in from the device to the service. Users can easily make this change by using the
Company Portal app and starting a device compliance check.

To validate that things are working correctly after devices have checked-in and
synchronized with the service after the change in MDM authority, look for the
devices in the new MDM authority.

There's an interim period when a device is offline during the change in MDM
authority and when that device checks in to the service. During the interim period,
it's important to protect and maintain the functionality of the device. To protect
and maintain the functionality of the device, the following profiles remain on the
device. These profiles stay on the device up to seven days or until the device
connects with the new MDM authority. Once the device connects and receives new
settings, the existing profiles are overwritten:
E-mail profile
VPN profile
Cert profile
Wi-Fi profile
Configuration profiles

After you change to the new MDM authority, the compliance data in the Microsoft
Intune admin center can take up to a week to accurately report. However, the
compliance states in Azure Active Directory and on the device are accurate so the
device is still protected.

Make sure the new settings intended to overwrite existing settings have the same
name as the previous ones to ensure that the old settings are overwritten.
Otherwise, the devices might end up with redundant profiles and policies.

Tip

As a best practice, you should create all management settings and
configurations, as well as deployments, shortly after the change to the MDM
authority has completed. This helps ensure that devices are protected and
actively managed during the interim period.

After you change the MDM authority, perform the following steps to validate that
new devices are enrolled successfully to the new authority:
Enroll a new device
Make sure the newly enrolled device shows up in the new MDM authority.
Perform an action, such as Remote Lock, from the Microsoft Intune admin
center to the device. If it's successful, then the new MDM authority is managing
the device.

If you have issues with specific devices, you can unenroll and re-enroll the devices
to get them connected to the new authority and managed as quickly as possible.

Next steps
With the MDM authority set, you can start enrolling devices.
Use Access policies to require multiple administrative approvals
Article • 08/28/2023

To help protect against a compromised administrative account, use Intune access policies
to require that a second administrative account is used to approve a change before the
change is applied. This capability is known as multiple administrative approval (MAA).

With MAA, you configure access policies that protect specific configurations, like Apps
or Scripts for devices. Access policies specify what is protected and which group of
accounts are permitted to approve changes to those resources.

When any account in the tenant is used to make a change to a resource that's protected
by an access policy, Intune won't apply the change until a different account explicitly
approves it. Only administrators who are members of the approval group that's assigned
to the protected resource type in an access policy can approve changes. Approvers can
also reject change requests.

Access policies are supported for the following resources:

Apps – Applies to app deployments, but doesn't apply to app protection policies.
Scripts – Applies to deploying scripts to devices that run Windows.

Prerequisites for access policies and approvers

To use multiple administrative approval, your tenant must have at least two administrator
accounts.

To create an access policy, your account must be assigned the Intune Service
Administrator or Azure Global Administrator role.

To be an approver, an account must be in the group that’s assigned to the access policy
for a specific type of resource.

How multi admin approval and Access policies work
When an admin edits or creates a new object for an area that’s protected by an access
policy, they see an option on the Save + Review surface where they can enter a
description of the change as a business justification.
The business justification becomes part of the approval request for the change.
An admin who has submitted a change can view the status of their requests in the
Microsoft Intune admin center by going to Tenant administration > Multi
Admin Approval and viewing the My request page.

After a change is submitted, an approver navigates to the Received request page of the
Multi Admin Approval node. Here they’ll see a list of requests that are active, or
recently managed. This view provides some details about the request including when
and who submitted it, the type of operation involved like Create or Assign, and its status.
To manage the request:

The approver selects the Business justification link for the request. This action
opens the Access policy request pane where you can view more information about
the change, including the full details provided in the Business justification field of
the request.
On the Access policy request pane, the approver can enter notes in the Approver
notes field, and then select an option to Approve request or Reject request. These
notes are added to the request and are visible to the individual who requested the
change when they review their requests on the My request page. For example, if
the request is rejected, the reason for the rejection can be passed back to the
requestor through the Approver notes.
Individuals who submit a request and are also members of the approval group for
that resource type can see their own requests on the Received request page.
However, they can't approve their own requests.

If a change is approved, Intune processes the requested change and updates the
object. While Intune processes the request, its status can display as Approved. After it’s
successfully processed, the status updates to Completed.

Each change of status remains visible for up to 30 days after the last change of status. If
a request isn’t processed further within 30 days, it becomes Expired, and must be
resubmitted.
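The request lifecycle described above (justification required, one pending request per object, approval only by a different account that's in the policy's approver group, Approved then Completed, and expiry after 30 days of inaction) can be read as a small state machine. The following is an added example that models those rules in Python; it is not Intune's own code, and the policy names, account names and the in-memory MAAStore class are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

EXPIRY = timedelta(days=30)   # per the article: a request not processed within 30 days expires

@dataclass
class AccessPolicy:
    name: str
    profile_type: str            # one profile type per policy: "Apps" or "Scripts"
    approvers: FrozenSet[str]    # accounts in the single approver group

@dataclass
class Request:
    object_id: str
    profile_type: str
    operation: str               # Create, Edit, Modify, Delete, Assign
    requester: str
    justification: str
    submitted: datetime
    status: str = "Needs approval"
    approver: Optional[str] = None
    approver_notes: str = ""

class MAAStore:
    """Hypothetical in-memory stand-in for the service's request queue (constructed)."""

    def __init__(self, policies: List[AccessPolicy]):
        self.policies: Dict[str, AccessPolicy] = {p.profile_type: p for p in policies}
        self.requests: List[Request] = []

    def _pending_for(self, object_id: str) -> List[Request]:
        return [r for r in self.requests
                if r.object_id == object_id and r.status == "Needs approval"]

    def submit(self, requester, object_id, profile_type, operation, justification, now):
        if profile_type not in self.policies:
            return "applied"                  # unprotected type: the change applies at once
        if not justification.strip():
            raise ValueError("business justification is required")
        if self._pending_for(object_id):      # only one pending request per object
            raise ValueError(f"a request for {object_id} is already pending approval")
        self.requests.append(Request(object_id, profile_type, operation,
                                     requester, justification, now))
        return "Needs approval"

    def decide(self, approver, req, approve, notes, now):
        self.expire(now)
        if req.status != "Needs approval":
            raise ValueError(f"request is {req.status}, not pending")
        policy = self.policies[req.profile_type]
        if approver not in policy.approvers:
            raise PermissionError(f"{approver} is not in the approver group of {policy.name}")
        if approver == req.requester:         # second-person rule: never self-approve
            raise PermissionError("an admin can't approve their own request")
        req.approver, req.approver_notes = approver, notes
        req.status = "Approved" if approve else "Rejected"
        return req.status

    def complete(self, req):
        if req.status != "Approved":
            raise ValueError("only approved requests are processed")
        req.status = "Completed"
        return req.status

    def cancel(self, requester, req):
        if req.requester != requester or req.status != "Needs approval":
            raise ValueError("only the submitter can cancel a pending request")
        req.status = "Canceled"
        return req.status

    def expire(self, now):
        for r in self.requests:
            if r.status == "Needs approval" and now - r.submitted > EXPIRY:
                r.status = "Expired"

def demo():
    """Walk the article's scenarios and return the outcomes. Accounts are constructed."""
    now = datetime(2023, 9, 1, tzinfo=timezone.utc)
    store = MAAStore([
        AccessPolicy("Protect app deployments", "Apps", frozenset({"alice", "bob"})),
        AccessPolicy("Protect device scripts", "Scripts", frozenset({"bob"})),
    ])
    results = {}
    store.submit("alice", "app-001", "Apps", "Assign", "Roll out VPN client to pilot", now)
    req = store.requests[0]
    try:                                      # alice is an approver, but not for her own change
        store.decide("alice", req, True, "", now)
    except PermissionError as e:
        results["self_approval"] = str(e)
    try:                                      # a second request for the same object is refused
        store.submit("carol", "app-001", "Apps", "Edit", "Fix detection rule", now)
    except ValueError as e:
        results["duplicate"] = str(e)
    results["decided"] = store.decide("bob", req, True, "Matches change ticket", now)
    results["completed"] = store.complete(req)
    store.submit("carol", "script-007", "Scripts", "Create", "Onboarding script", now)
    store.expire(now + timedelta(days=31))    # nobody acted on it for over 30 days
    results["expired"] = store.requests[1].status
    results["unprotected"] = store.submit("carol", "cfg-1", "Device configurations", "Edit", "", now)
    return results
```

Running demo() shows the two checks that carry the security value: the self-approval attempt and the duplicate submission both fail, while bob's approval moves the request through Approved to Completed and the untouched script request ends up Expired.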

Create an access policy

1. To create an access policy, in the Microsoft Intune admin center, go to Tenant
administration > Multi Admin Approval > Access policies and select Create.

2. On the Basics page, provide a Name and an optional Description, and for Profile type
select from the available options. Each policy supports a single profile type.
3. On the Approvers page, select Add groups and then select a group as the group of
approvers for this policy. More complex configurations that exclude groups aren't
supported.

4. On the Review + Create page, review, and then save your changes. After Intune
applies this policy, configurations for the protected profile type will require
multiple admin approvals.

Submit a request
To submit a request when MAA is enabled, use your normal process to create or edit a
resource.

On the final page before you can save your changes, add details to the Business
justification field and then submit the request. For urgent requests, consider reaching
out to a known list of approvers to ensure your request is seen in a timely manner.

When there's a request for the same object that is already pending approval, you won't
be able to submit your request. Intune displays a message to alert you to this situation.

To monitor the status of your requests, in the Microsoft Intune admin center go to
Tenant administration > Multi Admin Approval > My requests.

You can cancel a request before it’s approved by selecting it from the My requests page,
and then selecting Cancel request.

Approve requests
1. To find requests to approve, in the Microsoft Intune admin center go to Tenant
administration > Multi Admin Approval > Received requests.

2. Select the Business justification link for a request to open the review page where
you can learn more about the request, and manage approval or rejection.

3. After reviewing the details, enter relevant details in the Approver notes field, and
then select Approve request or Reject request.

4. After you approve a request, the requestor needs to select Complete. Intune then
processes the change and changes the status to Completed.

To verify whether the approval succeeded or failed, look at the notifications in the
Intune admin center. A message shows if the approval succeeded or failed.
More considerations
Intune doesn't send notifications when new requests are created, or the status of
an existing request changes. We recommend that when submitting an urgent
change request, you reach out to individuals who have permission to approve
those requests.

Plan to monitor the status of your requests through the My requests page of the
Multi Admin Approval node in the Microsoft Intune admin center.

When an approval is already pending for an object, a new request can't be
submitted for it.

All actions for a protected resource are protected, including but not limited to:
Edit
Create
Modify
Delete
Assign

Actions for requests and the approval process are logged in the Intune audit logs.
For more information, see Audit logs for Intune activities.

The following status conditions are available for a request:

Needs approval – This request is pending action by an approver.
Approved – This request is being processed by Intune.
Completed – This request has been successfully applied.
Rejected – This request was rejected by an approver.
Canceled – This request was canceled by the admin who submitted it.
Expired – This request wasn't processed within 30 days and must be resubmitted.

Next steps
Manage role-based access control
Role-based access control (RBAC) with Microsoft Intune
Article • 06/08/2023

Role-based access control (RBAC) helps you manage who has access to your
organization's resources and what they can do with those resources. By assigning roles
to your Intune users, you can limit what they can see and change. Each role has a set of
permissions that determine what users with that role can access and change within your
organization.

To create, edit, or assign roles, your account must have one of the following permissions
in Azure AD:

Global Administrator
Intune Service Administrator (also known as Intune Administrator)

Roles
A role defines the set of permissions granted to users assigned to that role. You can use
both the built-in and custom roles. Built-in roles cover some common Intune scenarios.
You can create your own custom roles with the exact set of permissions you need.
Several Azure Active Directory roles have permissions to Intune. To see a role in the
Intune admin center, go to Tenant administration > Roles > All roles > choose a role.
You can manage the role on the following pages:

Properties: The name, description, permissions, and scope tags for the role.
Assignments: A list of role assignments defining which users have access to which
users/devices. A role can have multiple assignments, and a user can be in multiple
assignments.

Note

To be able to administer Intune you must have an Intune license assigned.
Alternatively, you can allow non-licensed users to administer Intune by setting
Allow access to unlicensed admins to Yes.

Built-in roles
You can assign built-in roles to groups without further configuration. You can't delete or
edit the name, description, type, or permissions of a built-in role.

Application Manager: Manages mobile and managed applications, can read
device information and can view device configuration profiles.
Endpoint Privilege Manager: Manages Endpoint Privilege Management policies in
the Intune console.
Endpoint Privilege Reader: Endpoint Privilege Readers can view Endpoint Privilege
Management policies in the Intune console.
Endpoint Security Manager: Manages security and compliance features, such as
security baselines, device compliance, conditional access, and Microsoft Defender
for Endpoint.
Help Desk Operator: Performs remote tasks on users and devices, and can assign
applications or policies to users or devices.
Intune Role Administrator: Manages custom Intune roles and adds assignments
for built-in Intune roles. It's the only Intune role that can assign permissions to
Administrators.
Policy and Profile Manager: Manages compliance policy, configuration profiles,
Apple enrollment, corporate device identifiers, and security baselines.
Organizational Messages Manager: Manages organizational messages in Intune
console.
Read Only Operator: Views user, device, enrollment, configuration, and application
information. Can't make changes to Intune.
School Administrator: Manages Windows 10 devices in Intune for Education.
Cloud PC Administrator: A Cloud PC Administrator has read and write access to all
Cloud PC features located within the Cloud PC blade.
Cloud PC Reader: A Cloud PC Reader has read access to all Cloud PC features
located within the Cloud PC blade.

Custom roles
You can create your own roles with custom permissions. For more information about
custom roles, see Create a custom role.

Azure Active Directory roles with Intune access

Azure Active Directory role | All Intune data | Intune audit data
Global Administrator | Read/write | Read/write
Intune Service Administrator | Read/write | Read/write
Conditional Access Administrator | None | None
Security Administrator | Read only (full administrative permissions for Endpoint Security node) | Read only
Security Operator | Read only | Read only
Security Reader | Read only | Read only
Compliance Administrator | None | Read only
Compliance Data Administrator | None | Read only
Global Reader (This role is equivalent to the Intune Help Desk Operator role) | Read only | Read only
Helpdesk administrator (This role is equivalent to the Intune Help Desk Operator role) | Read only | Read only
Reports Reader | Read only | None

Tip

Intune also shows three Azure AD extensions: Users, Groups, and Conditional
Access, which are controlled using Azure AD RBAC. Additionally, the User Account
Administrator only performs AAD user/group activities and does not have full
permissions to perform all activities in Intune. For more information, see RBAC with
Azure AD.

Role assignments
A role assignment defines:

which users are assigned to the role
what resources they can see
what resources they can change.

You can assign both custom and built-in roles to your users. To be assigned an Intune
role, the user must have an Intune license. To see a role assignment, choose Intune >
Tenant administration > Roles > All roles > choose a role > Assignments > choose an
assignment. On the Properties page you can edit:

Basics: The assignment's name and description.
Members: All users in the listed Azure security groups have permission to manage
the users/devices that are listed in Scope (Groups).
Scope (Groups): Scope groups are Azure AD security groups of users, devices, or
both on which administrators in that role assignment are limited to performing
operations, such as deploying a policy or application to a user or remotely
locking a device. All users and devices in these Azure AD security groups can be
managed by the users in Members.
Scope (Tags): Users in Members can see the resources that have the same scope
tags.

Note

Scope Tags are freeform text values that an administrator defines and then adds to
a Role Assignment. The scope tag added on a role controls visibility of the role
itself, while the scope tag added in role assignment limits the visibility of Intune
objects (such as policies and apps) or devices to only administrators in that role
assignment because the role assignment contains one or more matching scope
tags.

Multiple role assignments

If a user has multiple role assignments, permissions, and scope tags, those role
assignments extend to different objects as follows:

Assign permissions and scope tags only apply to the objects (like policies or apps)
in that role's assignment Scope (Groups). Assign permissions and scope tags don't
apply to objects in other role assignments unless the other assignment specifically
grants them.
Other permissions (such as Create, Read, Update, Delete) and scope tags apply to
all objects of the same type (like all policies or all apps) in any of the user's
assignments.
Permissions and scope tags for objects of different types (like policies or apps),
don't apply to each other. A Read permission for a policy, for example, doesn't
provide a Read permission to apps in the user's assignments.
If one of the user's assignments has no scope tags and another assignment has some,
the user can only see devices that carry those scope tags; the user can't see all
devices.
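The four rules above are easy to get wrong when a user sits in several assignments, so here is an added example that models them in Python. It is not Intune's code: the RoleAssignment class, the group and tag names, and the demo() scenario are constructed for illustration. Assign is checked against the same assignment's Scope (Groups) with an exact group match (the All users and All devices virtual groups are not parents of Azure AD groups, so they don't cover a specific group), every other permission is the union across assignments for that object type, types never cross, and visibility is the union of scope tags. One assumption of the model: when no assignment carries any scope tag, nothing is visible; the article doesn't state that case.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable

@dataclass(frozen=True)
class RoleAssignment:
    name: str
    permissions: FrozenSet[str]    # Intune permission names, e.g. "Device configurations/Read"
    scope_groups: FrozenSet[str]   # Scope (Groups): groups this assignment may target
    scope_tags: FrozenSet[str]     # Scope (Tags): tags that make objects and devices visible

def has_permission(assignments: Iterable[RoleAssignment], permission: str) -> bool:
    """Create/Read/Update/Delete-style permissions apply to every object of that type
    across all of the user's assignments, so one assignment granting it is enough.
    Permissions for one type (policies) never imply anything for another (apps)."""
    if permission.endswith("/Assign"):
        raise ValueError("Assign is scoped to Scope (Groups); use can_assign()")
    return any(permission in a.permissions for a in assignments)

def can_assign(assignments: Iterable[RoleAssignment], object_type: str, target_group: str) -> bool:
    """Assign only counts for targets inside the same assignment's Scope (Groups).
    The match is exact: "All users" is a virtual group, not a parent of "EMEA-Users"."""
    perm = f"{object_type}/Assign"
    return any(perm in a.permissions and target_group in a.scope_groups for a in assignments)

def visible_tags(assignments: Iterable[RoleAssignment]) -> FrozenSet[str]:
    return frozenset().union(*(a.scope_tags for a in assignments))

def can_see(assignments: Iterable[RoleAssignment], object_tags: FrozenSet[str]) -> bool:
    """An object or device is visible only if it carries one of the user's scope tags
    (assumption: no tags anywhere means nothing visible; not stated by the article)."""
    return bool(visible_tags(assignments) & object_tags)

def demo():
    """Constructed user with two assignments; returns the effective rights."""
    helpdesk = RoleAssignment("Helpdesk-EMEA",
                              frozenset({"Managed devices/Read"}),
                              frozenset({"EMEA-Users"}), frozenset({"EMEA"}))
    policy_mgr = RoleAssignment("PolicyMgr-Pilot",
                                frozenset({"Device configurations/Read",
                                           "Device configurations/Update",
                                           "Device configurations/Assign"}),
                                frozenset({"All users"}), frozenset())   # no scope tags here
    user = [helpdesk, policy_mgr]
    return {
        # Update comes from PolicyMgr-Pilot but applies to every device configuration
        "update_any_config": has_permission(user, "Device configurations/Update"),
        # Assign is honoured only for the group listed in the same assignment
        "assign_to_all_users": can_assign(user, "Device configurations", "All users"),
        "assign_to_emea_group": can_assign(user, "Device configurations", "EMEA-Users"),
        # a policy permission says nothing about apps
        "read_apps": has_permission(user, "Mobile apps/Read"),
        # tags from the tagged assignment limit what is visible; untagged one adds nothing
        "see_emea_device": can_see(user, frozenset({"EMEA"})),
        "see_apac_device": can_see(user, frozenset({"APAC"})),
    }
```

The assign_to_emea_group result is the case worth noticing: the helpdesk assignment lists EMEA-Users in its scope but lacks the Assign permission, and the policy manager assignment has Assign but only for the All users virtual group, so neither grants the action.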

Next steps
Assign a role to a user
Create a custom role
Assign a role to an Intune user
Article • 02/22/2023

You can assign a built-in or custom role to an Intune user.

To create, edit, or assign roles, your account must have one of the following permissions
in Azure AD:

Global Administrator
Intune Service Administrator

1. In the Microsoft Intune admin center , choose Tenant administration > Roles >
All roles.

2. On the Endpoint Manager roles - All roles blade, choose the built-in role you want
to assign > Assignments > + Assign.

3. On the Basics page, enter an Assignment name and optional Assignment
description, and then choose Next.

4. On the Admin Groups page, select the group that contains the user you want to
give the permissions to. Choose Next.

5. On the Scope (Groups) page, choose a group containing the users/devices that
the member above will be allowed to manage. You also have the option to choose
all users and/or all devices. Choose Next.

Note

All users and All devices are Intune virtual groups, not Azure Active
Directory (Azure AD) security groups. As a result, for Scope (Groups)
assignment purposes you cannot use them as parents of Azure AD security
groups. If you need both All users and All devices and specific Azure AD
security groups for Scope (Groups) assignments, you must add them
separately with separate assignments. Otherwise, even if the Scope (Groups)
assignment for a role is set to All users, the admin in this role won't have
access to specific Azure AD user groups.

For Azure AD security groups, nesting is supported.

6. On the Scope (Tags) page, choose tags where this role assignment will be applied.
Choose Next.
7. On the Review + Create page, when you're done, choose Create. The new
assignment is displayed in the list of assignments.

Note

When you create scope groups and assign a scope tag, you can only target
groups that are listed in the Scope (Groups) of your role assignment.

Next steps
Learn more about role-based access control in Intune
Create a custom role
Create a custom role in Intune
Article • 06/20/2023

You can create a custom Intune role that includes any permissions required for a specific
job function. For example, if an IT department group manages applications, policies, and
configuration profiles, you can add all those permissions together in one custom role.
After creating a custom role, you can assign it to any users that need those permissions.

To create, edit, or assign roles, your account must have one of the following permissions
in Azure AD:

Global Administrator
Intune Service Administrator

To create a custom role

1. In the Microsoft Intune admin center , choose Tenant administration > Roles >
All roles > Create.

2. On the Basics page, enter a name and description for the new role, then choose
Next.

3. On the Permissions page, choose the permissions you want to use with this role.

4. On the Scope (Tags) page, choose the tags for this role. When this role is assigned
to a user, that user can access resources that also have these tags. Choose Next.

5. On the Review + create page, when you're done, choose Create. The new role is
displayed in the list on the Intune roles - All roles blade.

Copy a role
You can also copy an existing role.

1. In the Microsoft Intune admin center , choose Tenant administration > Roles >
All roles > select the checkbox for a role in the list > Duplicate.

2. On the Basics page, enter a name. Make sure to use a unique name.

3. All the permissions and scope tags from the original role will already be selected.
You can subsequently change the duplicate role's Name, Description, Permissions,
and Scope (Tags).
4. After you've made all the changes that you want, choose Next to get to the
Review + create page. Select Create.

Custom role permissions

Note

You can view and manage VPP apps with only the Mobile apps permission
assigned. Previously, the Managed apps permission was required to view and
manage VPP apps. This change does not apply to Intune for Education tenants who
still need to assign the Managed apps permission.

The following permissions are available when creating custom roles.

Permission | Description

Android FOTA/Assign | Assign Android firmware over-the-air (FOTA) deployments to Azure AD security groups.
Android FOTA/Delete | Delete and cancel pending Android firmware over-the-air (FOTA) deployments and delete deployment history.
Android FOTA/Create | Create and manage all aspects of Android firmware over-the-air (FOTA) deployments.
Android FOTA/Read | View Android firmware over-the-air (FOTA) deployments, including history and reporting.
Android FOTA/Update | Change existing Android firmware over-the-air (FOTA) deployments and cancel firmware deployments.
Android for work/Read | View the Android for Work configuration used to sync applications with the Play for Work store or view the Android for Work enrollment prerequisites and enrollment profiles.
Android for work/Update app sync | Manage or change the Android for Work configuration used to sync applications with the Play for Work store, or sync the apps you've approved from the store with Intune.
Android for work/Update onboarding | Manage or change the Android for Work configuration used to enroll Android for Work devices or manage the Android for Work enrollment profiles.
Audit data/Read | View all Intune audit data for this tenant.
Certificate Connector/Modify | Add, remove, or modify certificate connectors required to support certificate issuance.
Certificate Connector/Read | View certificate connectors required to support certificate issuance.
Cloud attached devices\View collections | Displays the Collections page for Configuration Manager cloud attached devices.
Cloud attached devices\View resource explorer | Displays the Resource explorer page for Configuration Manager cloud attached devices.
Cloud attached devices\View timeline | Displays the Timeline page for Configuration Manager cloud attached devices.
Cloud attached devices\View software updates | Displays the Software updates page for Configuration Manager cloud attached devices.
Cloud attached devices\View scripts | Displays the Scripts page for Configuration Manager cloud attached devices.
Cloud attached devices\Run script | Displays the Run script action and allows the user to run scripts on Configuration Manager cloud attached devices.
Cloud attached devices\Run CMPivot query | Displays the CMPivot page for Configuration Manager cloud attached devices.
Cloud attached devices\View client details | Displays the Client details page for Configuration Manager cloud attached devices.
Cloud attached devices\View applications | Displays the Applications page for Configuration Manager cloud attached devices.
Cloud attached devices\Take application actions | Displays application actions in the Applications page and allows the user to take application actions on Configuration Manager cloud attached devices.
Corporate device identifiers/Create | Create new corporate device identifiers or import a CSV file containing a list of corporate device identifiers.
Corporate device identifiers/Delete | Delete IMEI or serial numbers used as corporate device identifiers.
Corporate device identifiers/Read | View the IMEI or serial numbers used as corporate device identifiers.
Corporate device identifiers/Update | Change IMEI or serial numbers used as corporate device identifiers.
Customization/Assign | Assign customization options for the Company Portal.
Customization/Create | Create customization options for the Company Portal.
Customization/Delete | Delete customization options for the Company Portal.
Customization/Read | Read customization options for the Company Portal.
Customization/Update | Update customization options for the Company Portal.
Derived Credentials/Modify | Configure the Derived Credentials for your Microsoft Intune tenant.
Derived Credentials/Read | View the Derived Credentials for your Microsoft Intune tenant.
Device compliance policies/Assign | Assign device compliance policies to Azure AD security groups, and assign Exchange on-premises access to Azure AD security groups.
Device compliance policies/Create | Create new device compliance policies.
Device compliance policies/Delete | Delete device compliance policies or delete Exchange ActiveSync connectors.
Device compliance policies/Read | View device compliance policies and the list of Exchange ActiveSync connectors, or view the settings for Exchange on-premises access.
Device compliance policies/Update | Change device compliance policies, Exchange ActiveSync connectors and Exchange on-premises access settings.
Device compliance policies/View reports | View, generate, and export device compliance reports.
Device configurations/Assign | Assign device configuration profiles or assign device enrollment restrictions to Azure AD security groups.
Device configurations/Create | Create new device configuration profiles, or create new device enrollment restrictions.
Device configurations/Delete | Delete device configuration profiles, or delete device enrollment restrictions.
Device configurations/Read | View device configuration profiles, or view device enrollment restrictions.
Device configurations/Update | Change device configuration profiles, or change device enrollment restrictions.
Device configurations/View Reports | View, generate, and export device configuration reports.
Device enrollment managers/Read | View the list of device enrollment manager accounts.
Device enrollment managers/Update | Create new device enrollment manager accounts, or delete device enrollment manager accounts.
Endpoint Analytics/Create | Create new baselines and edit endpoint analytics settings.
Endpoint Analytics/Delete | Edit endpoint analytics settings and delete baselines.
Endpoint Analytics/Read | View endpoint analytics scores and performance reports.
Endpoint Analytics/Update | Edit endpoint analytics settings and baselines.
Endpoint protection reports/Read | View endpoint protection reports.
Enrollment programs/Assign profile | Manage Windows Autopilot deployment profile assignment settings.
Enrollment programs/Create device | Import Apple devices for the Device Enrollment Program, Apple School or Business Manager, Apple Configurator or Windows Autopilot devices.
Enrollment programs/Create profile | Create new profiles for the Device Enrollment Program, Apple School Manager, Apple Configurator, or Windows Autopilot.
Enrollment programs/Create token | Download the Apple Device Enrollment Program or Apple School Manager token .pem file.
Enrollment programs/Delete device | Delete Apple devices for the Device Enrollment Program, Apple School or Business Manager, Apple Configurator or Windows Autopilot devices.
Enrollment programs/Delete profile | Delete profiles for the Device Enrollment Program, Apple School Manager, Apple Configurator, or Windows Autopilot.
Enrollment programs/Delete token | Delete Apple Device Enrollment Program or Apple School Manager token .pem file(s).
Enrollment programs/Read device | View Apple devices for the Device Enrollment Program, Apple School Manager, Apple Configurator, or Windows Autopilot devices.
Enrollment programs/Read profile | View profiles for the Device Enrollment Program, Apple School Manager, Apple Configurator, or Windows Autopilot.
Enrollment programs/Read token | View the Apple Device Enrollment Program or Apple School Manager token status.
Enrollment programs/Sync device | Initiate the Sync command for Windows Autopilot devices.
Enrollment programs/Update profile | Manage profiles for the Device Enrollment Program, Apple School Manager, Apple Configurator, or Windows Autopilot.
Enrollment programs/Update token | Upload the Apple Device Enrollment or Apple School Manager token and sync Apple Device Enrollment Program or Apple School Manager devices.
Filters/Create | Create new filters.
Filters/Delete | Delete filters.
Filters/Read | View filters.
Filters/Update | Edit filters.
Intune data warehouse/Read | View all data and reports from the data warehouse. Data can be used by Power BI or other reporting services.
Managed apps/Assign | Assign application protection policies to Azure AD security groups.
Managed apps/Create | Create new application protection policies.
Managed apps/Delete | Delete application protection policies.
Managed apps/Read | View application protection policies and status.
Managed apps/Update | Change application protection policies, or delete pending wipe requests for protected apps.
Managed apps/Wipe | Create a wipe request to selectively remove company data from a protected app.
Managed devices/Delete | Delete Intune managed devices. Deleted devices can no longer be managed by Intune, and the device can no longer access company resources. Company data may be wiped from the device if a user tries to check in after it is deleted.
Managed devices/Read | View Intune managed devices.
Managed devices/Set primary user | Choose, change, or remove the primary user of a managed device. This permission must be used in combination with the managed devices read and update permissions.
Managed devices/Update | Change settings or ownership properties of a managed device. This permission does not enable remote actions for devices. To perform remote actions on the device, grant one or more of the Remote Task permissions.
Managed devices/View reports | Generate, view, or export reports for managed devices.
Managed Google Play/Modify | Modify the settings for synchronizing Managed Google Play apps with Microsoft Intune.
Managed Google Play/Read | Display the settings for synchronizing Managed Google Play apps with Microsoft Intune.
Microsoft Defender ATP/Read | View the connection between Microsoft Intune and Microsoft Defender ATP.
Microsoft Store For Business/Modify | Modify the settings for synchronizing Microsoft Store for Business apps with Microsoft Intune.
Microsoft Store For Business/Read | View the settings for synchronizing Microsoft Store for Business apps with Microsoft Intune.
Microsoft Tunnel Gateway/Create | Create Microsoft Tunnel Gateway server configurations and sites. Server configurations include settings for IP address ranges, DNS servers, ports and split tunneling rules. Sites are logical groupings of multiple servers that support Microsoft Tunnel.
Microsoft Tunnel Gateway/Delete | Delete Microsoft Tunnel Gateway server configurations and sites. Server configurations include settings for IP address ranges, DNS servers, ports and split tunneling rules. Sites are logical groupings of multiple servers that support Microsoft Tunnel.
Microsoft Tunnel Gateway/Read | View Microsoft Tunnel Gateway server configurations and sites. Server configurations include settings for IP address ranges, DNS servers, ports and split tunneling rules. Sites are logical groupings of multiple servers that support Microsoft Tunnel.
Microsoft Tunnel Gateway/Update | Update Microsoft Tunnel Gateway server configurations and sites. Server configurations include settings for IP address ranges, DNS servers, ports and split tunneling rules. Sites are logical groupings of multiple servers that support Microsoft Tunnel.
Mobile apps/Assign | Assign mobile applications or eBooks to Azure AD security groups.
Mobile apps/Create | Add new mobile applications to Intune such as store apps, line-of-business apps, web-links or built-in apps. You can also add books purchased through the Apple Volume Purchase Program or add eBook categories. You can set up iOS VPP Tokens, Windows Symantec certificates, Windows side loading keys, app categories, or the Android for Work connection.
Mobile apps/Delete | Delete mobile applications such as store apps, line-of-business apps, web-links or built-in apps. You can also delete books purchased through the Apple Volume Purchase Program or delete eBook categories. You can delete iOS VPP Tokens, Windows Symantec certificates, Windows side loading keys, app categories, or the Android for Work connection.
Mobile apps/Read | View mobile applications such as store apps, line-of-business apps, web-links or built-in apps. You can also view books purchased through the Apple Volume Purchase Program or view eBook categories. You can view iOS VPP Tokens, Windows Symantec certificates, Windows side loading keys, app categories, or the Android for Work connection.
Mobile apps/Relate | Create relationships with other managed apps using Dependencies and Supersedence features. Without this permission, IT admins are not able
to add App dependency or supersedence relationships when creating or
editing Win32 apps.

Mobile apps/Update Manage mobile applications such as store apps, line-of-business apps,
web-links or built-in apps. You can also manage books purchased
through the Apple Volume Purchase Program or add eBook categories.
You can manage iOS VPP Tokens, Windows Symantec certificates,
Windows side loading keys, app categories, or the Android for Work
connection.

Mobile apps/View View reports on mobile applications such as store apps, line-of-business
reports apps, web links, and built-in apps.

Mobile Threat Add, remove, or modify the Mobile Threat Defense connectors between
Defense/Modify Intune and your chosen MTD vendors
Permission Description

Mobile Threat View the Mobile Threat Defense connectors between Intune and your
Defense/Read chosen MTD vendors

Organization/Create Create tenant settings such as device categories and Exchange


connectors.

Organization/Delete Delete tenant settings such as device categories and Exchange


Connectors.

Organization/Read View tenant settings such as device categories and Exchange


Connectors. This permission is required to activate all enrollment
workflows.

Organization/Update Manage tenant settings, device categories and Exchange Connectors.

Organizational Create organizational messages.


messages/Create

Organizational Read organizational messages.


messages/Read

Organizational Cancel organizational messages.


messages/Update

Organizational Delete organizational messages.


messages/Delete

Organization Assign organizational messages.


messages/Assign

Organizational Enable or block organizational messages directly from Microsoft, while


messages/Update allowing admin messages to display.
organizational
message control

Partner Device Configure the Compliance Connector for Jamf.


Management/Modify

Partner Device View the Compliance Connector for Jamf.


Management/Read

Policy Sets/Assign Assign Policy Sets to Azure AD security groups.

Policy Sets/Create Create a new Policy Set.

Policy Sets/Delete Delete Policy Sets.

Policy Sets/Read View Policy Sets.

Policy Sets/Update Change a Policy Set, or add items to a Policy Set.


Permission Description

Remote assistance View the status of the TeamViewer connector and Remote Help. This
connectors/Read permission is not required to initiate remote assistance requests for
devices.

Remote assistance Manage the state of the TeamViewer connector and Remote Help. This
connectors/Update permission also requires the Remote assistance connectors Read
permission to view the status of the TeamViewer connector and Remote
Help.

Remote assistance View, generate and export Remote Help sessions and monitor reports.
connectors/View
reports

Remote Help Elevation allows the helper to enter UAC credentials when prompted on
app/Elevation the sharer's device when Remote Help is enabled. Enabling elevation
also allows the helper to view and control the sharer's device when the
sharer grants the helper access.

Remote Help Take full control allows the helper to view and control the sharer's device
app/Take full control when Remote Help is enabled.

Remote Help View screen allows the helper to view the sharer's device when Remote
app/View screen Help is enabled.

Remote tasks/Bypass Remove the Activation Lock from supervised devices without requiring
activation lock the user's Apple ID and password. This may be required if a user leaves
the company and returns the device; without the user's Apple ID and
password, there is no way to reactivate the device. Or, you need to
reassign some devices to a different department during a device refresh
in your organization. You can only reassign devices that do not have
Activation Lock enabled. You must also have the Managed Device Read
permission to view devices in the Azure portal before initiating this
remote task.

Remote tasks/Clean Initiate a Fresh start device action. This action removes any apps that are
PC installed on a Windows 10 PC that is running the Creators Update. Then,
it automatically updates the PC to the latest version of Windows.

Remote tasks/Collect Collect device diagnostics


diagnostics

Remote tasks/Disable Turn off the lost mode for an iOS device.
lost mode

Remote tasks/Enable Initiate lost mode on lost or stolen iOS devices. This mode lets you enter
lost mode a message and a phone number that appears on the lock screen of the
device. To use lost mode, the device must be a corporate-owned iOS
device that is in supervised mode.
Permission Description

Remote tasks/Enable Enable Windows Intune agent.


Windows IntuneAgent

Remote tasks/Get Get Mac FileVault key.


filevault key.

Remote tasks/Initiate Initiate a remote action on a device managed by Configuration Manager.


Configuration
Manager action

Remote tasks/Locate View the location of a lost or stolen corporate-owned device on a map.
device Can locate supervised iOS/iPadOS devices, Android dedicated devices
(COSU), and Windows devices.

Remote tasks/Manage Log out the user with the current session on a shared device. This action
shared device users does not delete users from a shared device, it will only force the user
with a current session to be logged out.

Remote tasks/Offer Initiate a remote assistance session with a user's device by using a
remote assistance remote assistance provider. The remote assistance option for your
provider must be enabled for your tenant.

Remote tasks/Play lost Initiate the lost mode ring sound on a device that has been placed in
mode sound MDM Lost mode.

Remote tasks/Reboot Initiates a device restart. This causes the device you choose to be
now restarted. The device owner isn't automatically notified of the restart,
and they might lose work.

Remote tasks/Remote The Remote lock device action locks the device. To unlock the device, the
lock device owner enters their passcode. You can remotely lock devices that
have a PIN or password set. Devices that don't have a PIN or password
can't be remotely locked.

Remote tasks/Reset Initiates a forced removal of the passcode, and requires the device user
passcode to set a new passcode. Supported on iOS devices, and certain later
versions of Android and Android for work. Not supported on older
Android versions, macOS, or Windows.

Remote tasks/Retire Initiates a retire action for a device. Also called remove company data.
The Remove company data action removes managed app data (where
applicable), settings, and email profiles that were assigned by using
Intune. The device is removed from Intune management. This happens
the next time the device checks in and receives the remote Remove
company data action. Remove company data leaves the user's personal
data on the device.

Remote tasks/Revoke Revokes any iOS VPP application licenses that have been associated with
App Licenses the device.
Permission Description

Remote tasks/Rotate Initiates a key rotation for BitLocker Recovery Passwords on the device.
BitLockerKeys
(preview)

Remote tasks/Rotate Rotate Mac FileVault key.


filevault key.

Remote tasks/Send Allows admin to send customized notifications to devices. Devices


custom notifications receive notifications in Company Portal.

Remote tasks/Set Set or change the name of a device.


device name

Remote tasks/Shut Initiates a shutdown of the device, and will automatically close all
down applications and running services and leave the device in a powered-off
state.

Remote tasks/Sync Initiates a sync operation on the device and forces the selected device to
devices. immediately check in with Intune. When a device checks in, it
immediately receives any pending actions or policies that have been
assigned to it.

Remote tasks/Update Activate the data plan for cellular iOS/iPadOS devices that support eSIM.
cellular data plan

Remote tasks/Update Allows changing the device account associated with Surface Hub
device account devices, and set authentication options such as password rotation.

Remote Initiates a Windows Defender signature update.


tasks/Windows
defender

Remote tasks/Wipe Initiates a wipe of the device. Also called a factory reset. The Factory
reset action restores a device to its factory default settings. The user data
is kept or wiped depending on whether or not you choose the Retain
enrollment state and user account checkbox.

Roles/Assign Assign Intune built-in or custom roles to Azure AD security groups

Roles/Create Create new Intune custom roles. Built-in roles are created by Intune
automatically.

Roles/Delete Delete a custom Intune role. You cannot delete built-in roles.

Roles/Read View permissions, role assignments, member groups and scope groups
for any built-in or custom Intune role.
Permission Description

Roles/Update Update custom role permissions and role assignments for built-in or
custom roles. Role assignments define the administrators and end user
scope for the role.

Security Assign Security Baseline profiles to Azure AD security groups.


baselines/Assign

Security Create new Security Baseline profiles.


baselines/Create

Security Delete Security Baseline profiles.


baselines/Delete

Security View Security Baseline profiles or profiles reporting or Template


baselines/Read reporting for all Security Baseline workspace.

Security Update Security Baseline profiles.


baselines/Update

Security tasks/Read View security tasks.

Security tasks/Update Update security tasks.

Terms and Assign terms and conditions to Azure AD security groups.


conditions/Assign

Terms and Create new terms and conditions.


conditions/Create

Terms and Delete an existing terms and conditions.


conditions/Delete

Terms and View terms and conditions.


conditions/Read

Terms and Manage existing terms and conditions but not assignments.
conditions/Update

Windows Enterprise Add, remove, or modify the code-signing certificate used to distribute
Certificate/Modify line-of-business apps to your managed Windows devices.

Windows Enterprise View the code-signing certificate used to distribute line-of-business


Certificate/Read apps to your managed Windows devices.

Next steps
Assign a role to a user
Learn more about role-based access control in Intune
Use role-based access control (RBAC) and scope tags for distributed IT
Article • 02/22/2023

You can use role-based access control and scope tags to make sure that the right admins have the right access and visibility to the right Intune objects. Roles determine what access admins have to which objects. Scope tags determine which objects admins can see.

For example, let's say a Seattle regional office admin has the Policy and Profile Manager role. You want this admin to see and manage only the profiles and policies that apply to Seattle devices. To set up this access, you would:

1. Create a scope tag called Seattle.

2. Create a role assignment for the Policy and Profile Manager role with:

Members (Groups) = A security group named Seattle IT admins. All admins in this group will have permission to manage policies and profiles for users/devices in the Scope (Groups).
Scope (Groups) = A security group named Seattle users. All users/devices in this group can have their profiles and policies managed by the admins in the Members (Groups).
Scope (Tags) = Seattle. Admins in the Members (Groups) can see Intune objects that also have the Seattle scope tag.

3. Add the Seattle scope tag to policies and profiles that you want admins in Members (Groups) to have access to.

4. Add the Seattle scope tag to devices that you want visible to admins in the Members (Groups).
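The four Seattle steps above, scripted against Microsoft Graph, as an added example that is not code from the Intune documentation or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed, that the caller can consent to the scopes listed, that the group names are the article's (plus an assumed "Seattle devices" group for step 4), and that the profile ID is a placeholder you fill in; the helper function name is the example's own. It uses the beta endpoint because the role assignment's scopeMembers and roleScopeTagIds properties live there.

```powershell
# Added example: automate the Seattle scope tag and role assignment with Invoke-MgGraphRequest.
# Assumptions: Microsoft.Graph installed; consent to the scopes below; group names as in the article;
# '<configuration-profile-id>' is a placeholder; 'Seattle devices' is an assumed device group.
$scopes = @('DeviceManagementRBAC.ReadWrite.All',
            'DeviceManagementConfiguration.ReadWrite.All',
            'Group.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome
$base = 'https://graph.microsoft.com/beta'

function Get-SingleGroupId([string]$DisplayName) {
    # Fail closed: a duplicate or missing group name must not silently scope the wrong users.
    $r = Invoke-MgGraphRequest -Method GET -Uri "$base/groups?`$filter=displayName eq '$DisplayName'&`$select=id"
    if (@($r.value).Count -ne 1) { throw "Expected exactly one group named '$DisplayName', found $(@($r.value).Count)" }
    return $r.value[0].id
}

# Step 1: create the scope tag (tag names are unique per tenant, so reuse an existing one).
$found = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceManagement/roleScopeTags?`$filter=displayName eq 'Seattle'"
$tag = if (@($found.value).Count -gt 0) { $found.value[0] } else {
    Invoke-MgGraphRequest -Method POST -Uri "$base/deviceManagement/roleScopeTags" -Body @{
        displayName = 'Seattle'; description = 'Objects the Seattle regional admins may see'
    }
}

# Step 2: role assignment = built-in role + Members (Groups) + Scope (Groups) + Scope (Tags).
$role = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceManagement/roleDefinitions?`$filter=displayName eq 'Policy and Profile Manager'"
if (@($role.value).Count -ne 1) { throw "Built-in role 'Policy and Profile Manager' not found" }

$assignment = @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'Seattle - Policy and Profile Manager'
    description                 = 'Seattle IT admins manage policies and profiles for Seattle users'
    'roleDefinition@odata.bind' = "$base/deviceManagement/roleDefinitions('$($role.value[0].id)')"
    members                     = @((Get-SingleGroupId 'Seattle IT admins'))   # who receives the permissions
    scopeMembers                = @((Get-SingleGroupId 'Seattle users'))       # whose users/devices they may target
    scopeType                   = 'resourceScope'                              # explicit groups, not All users / All devices
    roleScopeTagIds             = @($tag.id)                                   # which objects they can see
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$base/deviceManagement/roleAssignments" -Body $assignment
Write-Host "Role assignment $($created.id) created with scope tag $($tag.id)"

# Step 3: add the tag to an existing configuration profile. The tags already on the object are kept:
# an admin whose own role carries scope tags cannot leave an object with zero tags.
$profileId = '<configuration-profile-id>'   # placeholder: Devices > Configuration profiles > Properties
$profile = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceManagement/deviceConfigurations/$profileId"
Invoke-MgGraphRequest -Method PATCH -Uri "$base/deviceManagement/deviceConfigurations/$profileId" -Body @{
    '@odata.type'   = $profile.'@odata.type'     # PATCH on a derived type needs the concrete type
    roleScopeTagIds = @(@($profile.roleScopeTagIds) + $tag.id | Select-Object -Unique)
}

# Step 4: auto-assign the tag to devices through a group, which is what the tag's Assignments page does.
Invoke-MgGraphRequest -Method POST -Uri "$base/deviceManagement/roleScopeTags/$($tag.id)/assign" -Body @{
    assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                                   groupId       = (Get-SingleGroupId 'Seattle devices') } })
}
```

Get-SingleGroupId deliberately throws when a display name matches more than one group: two groups called "Seattle users" is how an assignment ends up scoped to the wrong people, and a script that picks the first match hides that. Run it once against a test tenant and compare the result with Tenant administration > Roles > All roles > Policy and Profile Manager > Assignments before using it in production.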

Default scope tag


The default scope tag is automatically added to all untagged objects that support scope
tags.

The default scope tag feature is similar to the security scopes feature in Microsoft
Configuration Manager.

To create a scope tag


1. In the Microsoft Intune admin center , choose Tenant administration > Roles >
Scope (Tags) > Create.

2. On the Basics page, provide a Name and optional Description. Choose Next.

3. On the Assignments page, choose the groups containing the devices that you
want to assign this scope tag. Choose Next.

4. On the Review + create page, choose Create.

Important

Automatic scope tag assignments overwrite manually assigned scope tags. If a device is assigned multiple scope tags through group assignment, all of those scope tags apply.

To assign a scope tag to a role


1. In the Microsoft Intune admin center , choose Tenant administration > Roles >
All roles > choose a role > Assignments > Assign.

2. On the Basics page, provide an Assignment name and Description. Choose Next.

3. On the Admin Groups page, choose Add groups, and select the groups that you
want as part of this assignment. Users in these groups will have permissions to
manage users/devices in the Scope (Groups). Choose Next.
4. On the Scope Groups page, select one of the following options for Included
groups:

Add groups: Select the groups containing the users/devices that you want to
manage. All users/devices in the selected groups will be managed by the
users in the Admin Groups.
Add All users: All users can be managed by the users in the Admin Groups.
Add All devices: All devices can be managed by the users in the Admin
Groups.

5. Choose Next.

6. On the Scope tags page, select the tags that you want to add to this role. Users in
the Admin Groups will have access to Intune objects that also have the same scope
tag. You can assign a maximum of 100 scope tags to a role.

7. Choose Next to go to the Review + create page and then choose Create.

Assign scope tags to other objects


For objects that support scope tags, scope tags usually appear under Properties. For
example, to assign a scope tag to a configuration profile, follow these steps:

1. In the Microsoft Intune admin center , choose Devices > Configuration profiles
> choose a profile.

2. Choose Properties > Scope (Tags) > Edit > Select scope tags > choose the tags
that you want to add to the profile. You can assign a maximum of 100 scope tags
to an object.

3. Choose Select > Review + save.

Scope tag details


When working with scope tags, remember these details:

You can assign scope tags to an Intune object type if the tenant can have multiple versions of that object (such as role assignments or apps). The following Intune objects are exceptions to this rule and don't currently support scope tags:
Corp Device Identifiers
Autopilot Devices
Device compliance locations
Jamf devices
Volume Purchase Program (VPP) apps and ebooks associated with the VPP token inherit the scope tags assigned to the associated VPP token.
When an admin creates an object in Intune, all scope tags assigned to that admin are automatically assigned to the new object.
Intune RBAC doesn't apply to Azure Active Directory roles. So, the Intune Service Administrator and Global Administrator roles have full admin access to Intune no matter what scope tags they have.
If a role assignment has no scope tag, that IT admin can see all objects based on the IT admin's permissions. Admins that have no scope tags essentially have all scope tags.
You can only assign a scope tag that you have in your role assignments.
You can only target groups that are listed in the Scope (Groups) of your role assignment.
If you have a scope tag assigned to your role, you can't delete all scope tags on an Intune object. At least one scope tag is required.
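Two of the details above are the ones that bite in practice: a role assignment with no scope tag sees everything, and Azure AD directory roles bypass Intune RBAC regardless of tags. The following read-only audit script is an added example, not code from the Intune documentation or from Microsoft. It assumes the Microsoft.Graph module is installed and that the caller holds DeviceManagementRBAC.Read.All and RoleManagement.Read.Directory; the function names are the example's own, and the two role template IDs are the well-known Azure AD values for Global Administrator and Intune Administrator.

```powershell
# Added example: flag Intune role assignments that are broader than the scope-tag rules suggest,
# then list who holds the Azure AD roles that bypass Intune RBAC altogether.
# Assumptions: Microsoft.Graph installed; consent to the two scopes below.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All', 'RoleManagement.Read.Directory' -NoWelcome
$base = 'https://graph.microsoft.com/beta'

function Get-AllPages([string]$Uri) {
    # Follow @odata.nextLink so a tenant with many assignments is fully enumerated.
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += @($page.value)
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

function Test-IntuneRoleAssignment([hashtable]$Assignment, [hashtable]$RoleDefinition) {
    # Returns one finding string per rule the assignment breaks; nothing returned means it looks fine.
    $findings = @()
    $actions = @($RoleDefinition.rolePermissions |
        ForEach-Object { $_.resourceActions } |
        ForEach-Object { $_.allowedResourceActions })
    $canWrite = @($actions | Where-Object { $_ -match '_(Create|Update|Delete|Wipe|Retire)$' }).Count -gt 0

    if (@($Assignment.roleScopeTagIds).Count -eq 0) {
        # No scope tag on the assignment: the members effectively hold every scope tag.
        $findings += 'no scope tag: members see every taggable object in the tenant'
    }
    if ($Assignment.scopeType -and $Assignment.scopeType -ne 'resourceScope') {
        # allDevices / allLicensedUsers / allDevicesAndLicensedUsers instead of explicit Scope (Groups).
        $findings += "scope type '$($Assignment.scopeType)': members can target all users and/or devices"
    }
    if ($canWrite -and $findings.Count -gt 0) {
        $findings += "role '$($RoleDefinition.displayName)' grants write actions, so the reach above is tenant-wide write"
    }
    if (@($Assignment.members).Count -eq 0) {
        $findings += 'no member groups: stale assignment, consider removing it'
    }
    return $findings
}

# Part 1: every Intune role assignment, joined to its role definition.
foreach ($a in Get-AllPages "$base/deviceManagement/roleAssignments") {
    $def = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceManagement/roleAssignments/$($a.id)/roleDefinition"
    $findings = Test-IntuneRoleAssignment $a $def
    if ($findings.Count -gt 0) {
        [pscustomobject]@{ Assignment = $a.displayName; Role = $def.displayName; Findings = ($findings -join '; ') }
    }
}

# Part 2: Azure AD roles that have full Intune access whatever scope tags exist.
$bypass = @{
    '62e90394-69f5-4237-9190-012177145e90' = 'Global Administrator'
    '3a2c62db-5318-420d-8d74-23affee5d9d5' = 'Intune Administrator'
}
foreach ($templateId in $bypass.Keys) {
    $role = Invoke-MgGraphRequest -Method GET -Uri "$base/directoryRoles?`$filter=roleTemplateId eq '$templateId'"
    foreach ($r in @($role.value)) {   # empty when the role was never activated in this tenant
        foreach ($m in Get-AllPages "$base/directoryRoles/$($r.id)/members") {
            [pscustomobject]@{ EntraRole = $bypass[$templateId]; Member = $m.userPrincipalName; Id = $m.id }
        }
    }
}
```

The write-action check is intentionally conservative: a tagless read-only reporting role is a visibility concern, while a tagless role that can create, update or delete is effectively a tenant-wide administrator and should be the first thing a distributed-IT rollout removes. Part 2 lists only direct members; groups eligible through PIM are not expanded here.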

Next steps
Learn how scope tags behave when there are multiple role assignments.
Manage your roles and profiles.
Distributed IT environment with many admins in the same Microsoft Intune tenant
Article • 05/25/2023

Many organizations use a distributed IT environment where they have a single Microsoft Intune tenant with multiple local admins. This article describes one way to scale Microsoft Intune to support multiple local admins who manage their own users and devices, and create their own policies, all within a single Microsoft Intune tenant. There's no right or wrong answer on how many admins you can have in your tenant. The article focuses on tenants that have many local administrators.

Distributed IT is needed in systems where a large number of local admins connect to a single Intune tenant. For example, some school systems are organized so that you have a local admin for every school in the system or region. Sometimes, this distributed environment could be 15 or more different local admins who roll up to the same central system or Microsoft Intune tenant.

Each local admin can set up groups to suit their organizational needs. The local admin
typically creates groups and organizes multiple users or devices by geographic location,
department, or hardware characteristics. The local admins also use these groups to
manage tasks at scale. For example, the local admins can set policies for many users or
deploy apps to a set of devices.

Roles you need to know


Central team: The Central team or group includes the global admins or primary
admins in your tenant. These admins can oversee all the local admins and can
provide guidance to the local admins.

Local admins: The local admins are local and focus on policies and profiles for their
specific locations; schools, hospitals and so on.

Role based access control


This section briefly describes the different models and proposes guidelines under each
model for managing policies, profiles, and apps between the Central team and the local
admins. The models are:
Partial delegation model
Full delegation model
Central model
Devolved model
Hybrid model

Partial delegation model


The partial delegation model proposes the following guidelines for policy management
between the Central team and the local admins.

✔️Permissions

Create, update and delete permissions for policies, enrollment profiles, and apps
should be held by the Central team.
Grant only read and assign permissions to the local admins.

✔️Reuse

Commonly configured policies, enrollment profiles, and apps should be made available to the local admins to reuse, as much as possible.
Microsoft Intune uses many common configurations that fall into a few categories.
Review the recommendations listed for App Protection Policies.
As local admins onboard, they should review the existing policies and reuse them
as needed.

✔️Exceptions
The Central team can create certain new policies, enrollment profiles, and apps as
exceptions, when needed, on behalf of the local admins. Usually, these exceptions
include any type of profile that requires unique parameters.

A partial delegation model is proposed in these two areas:

Group and assignment guidelines for local admins: What are some of the best
practices for local admins to adopt while organizing groups for device management
through Microsoft Intune? To find out, read the article Intune grouping, targeting, and
filtering: Recommendations for best performance - Microsoft Tech Community

Feature specific guidelines: How are policies/profiles/apps managed between a central authority and the local admins with specific permissions for the different features? For more information, go to the section Feature specific guidelines.
Full delegation model
The full delegation model proposes the following guidelines for policy management
between the Central team and the local admins.

Each local admin should have their own scope tag to separate each object that
they fully manage.
When the local admin doesn't need to create, update, or delete, grant the local admin a role with read and assign permissions and avoid assigning any other role with full permissions to them. With this approach, you avoid combining permissions across scope tags.
Sometimes the local admins may need to create their own policies, profiles, and apps while sharing some common policies, profiles, and apps. In such cases, create a special group and assign the common policies, profiles, and apps to this group. This group shouldn't be included in the Scope (Groups) of any local admin. This approach prevents the create, update, and delete permissions assigned to the local admins from applying to these common policies, profiles, and apps.
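Both the partial delegation model (read and assign only for local admins) and the full delegation model (read and assign whenever the local admin doesn't need to create, update or delete) depend on a custom role that carries nothing but Read and Assign actions. Rather than typing those actions by hand, the following added example (not code from the Intune documentation or from Microsoft) derives such a role from a built-in one, so the list stays aligned with whatever the built-in role covers. It assumes the Microsoft.Graph module is installed and that the caller holds DeviceManagementRBAC.ReadWrite.All; the role names and the function name are the example's own.

```powershell
# Added example: build a "read and assign" custom role by filtering a built-in role's actions.
# Assumptions: Microsoft.Graph installed; consent to DeviceManagementRBAC.ReadWrite.All;
# the built-in role is 'Policy and Profile Manager', the new role's name is illustrative.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All' -NoWelcome
$base = 'https://graph.microsoft.com/beta'

function New-ReadAssignRolePlan([hashtable]$BuiltInRole, [string]$NewName) {
    # Returns the request body for a custom role holding only the *_Read and *_Assign
    # resource actions of $BuiltInRole, plus the list of actions that were left out.
    # Create/Update/Delete stay with the Central team, as the delegation models require.
    $all = @($BuiltInRole.rolePermissions |
        ForEach-Object { $_.resourceActions } |
        ForEach-Object { $_.allowedResourceActions })
    $keep = @($all | Where-Object { $_ -match '_(Read|Assign)$' } | Sort-Object -Unique)
    $drop = @($all | Where-Object { $_ -notmatch '_(Read|Assign)$' } | Sort-Object -Unique)
    if ($keep.Count -eq 0) { throw "No Read/Assign actions found in '$($BuiltInRole.displayName)'" }
    return @{
        Body = @{
            '@odata.type'   = '#microsoft.graph.deviceAndAppManagementRoleDefinition'
            displayName     = $NewName
            description     = "Read and Assign subset of the built-in '$($BuiltInRole.displayName)' role"
            isBuiltIn       = $false
            rolePermissions = @(@{
                resourceActions = @(@{ allowedResourceActions = $keep; notAllowedResourceActions = @() })
            })
        }
        Dropped = $drop
    }
}

$builtIn = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceManagement/roleDefinitions?`$filter=displayName eq 'Policy and Profile Manager'"
if (@($builtIn.value).Count -ne 1) { throw "Built-in role 'Policy and Profile Manager' not found" }

$plan = New-ReadAssignRolePlan -BuiltInRole $builtIn.value[0] -NewName 'Local admin - Policy and Profile (read/assign)'
Write-Host "Write actions left out of the new role:"
$plan.Dropped | ForEach-Object { Write-Host "  $_" }

$custom = Invoke-MgGraphRequest -Method POST -Uri "$base/deviceManagement/roleDefinitions" -Body $plan.Body
$kept = $plan.Body.rolePermissions[0].resourceActions[0].allowedResourceActions.Count
Write-Host "Created custom role $($custom.id) with $kept Read/Assign actions"
```

Review the printed "left out" list before creating the role: it is the explicit record of what the local admins can't do, which is what an auditor will ask for. When you then assign this role, give each local admin their own scope tag in the assignment and, as the model says, don't also hand the same admin a full-permission role, because permissions from multiple assignments combine.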

Central model
In the central model, a single local admin team (parent) manages multiple child orgs. Child orgs can be related by factors such as geography, business unit, or size.

There's only one scope tag used to cover all the managed local admins.

If possible, the local admin team should standardize assignments across local
admins and place all their devices into a single Azure AD group for assignment.
When it isn't possible to create a single Azure AD group, the local admin team can
create different Azure AD groups to make different assignments.

If a different local admin team manages or moves an org, the following steps must
be taken:

All the org's devices and users must be extracted from common Azure AD
groups in scope of the original local admin team.

All policies/apps/profiles assigned uniquely for that org must have their scope
tag updated for the new local admin team.

Devolved model
In the devolved model, multiple local admins (children) are managed both by their
dedicated local admin and also overseen by an intermediary local admin team. Both the
parent and children admins have their own scope tags to represent management
boundaries.

If there are fewer than 50 children admins, the intermediate local admin team may be granted access by assigning all the children's scope tags to the intermediate local admin team's RBAC role assignment.
If there are more than 50 children admins, the intermediate local admin team
should be granted their own scope tag to represent the entire collection of
children admins they oversee.
Newly created policies under the children admin's scope tags must have the
intermediate tag added by a global admin role to prevent the intermediate local
admin team from losing visibility.

Hybrid model
In the hybrid model, the same parent admin is used in both Central and Devolved model
at the same time.
There are no special recommendations for this model.

Feature specific guidelines


Depending on the business requirements for each feature, guidelines provided in this
section may recommend that you create policies per local admin and/or delegate the
permissions needed for creating objects to the local administrators.

Note

The guidance provided in this section doesn't address every feature, but only covers those areas for which we have special instructions.

App protection policy


App protection policies are rules that ensure an organization's data remains safe or
contained in a managed app. For more information, go to App protection policies.

The guidelines for App protection policies are split across the Central team and the local
admins as follows:

Central team - Tasks


Review the security and business needs across the organization and generate a set
of common App protection policies for local admins.
Review the recommendations listed to identify what security controls are
appropriate before creating any App protection policies.
Have an established method for local admins to request customized App
protection policies, if necessary, for specific business needs where the business
requirements can't be achieved with the existing common policies.
For specific recommendations about each configuration level and the minimum apps that must be protected, review Data protection framework using App protection policies.

Local admins - Permissions and Tasks


Provide read and assign permissions, but not create, update, delete permissions on
Managed Apps, so they aren't able to create their own App protection policies.
Provide read and assign permissions for application configuration policy
assignment to their apps.
Provide read and assign permissions only when there are different protection
policies for managed devices and unmanaged devices. If the Central team chooses
to offer only one policy for both, then application configuration policy isn't
needed.
If application configuration policy is used, it's recommended that you assign the
application configuration policy to all App instances without exception.
Choose from common App protection policies. Local admins can request the
Central team to create custom app protection policies as an exception, and only if
necessary.
For more information, go to App protection policies

Compliance policy
Compliance policies in Intune define the rules and settings that users and devices must
meet to be compliant. For more information on compliance policies, go to Compliance
policies.

Central team

The Central team should create common compliance policies for local admins to choose from and, only if necessary, create exception policies. Creating policies includes the creation of custom compliance policy scripts, because they're subject to the same scale considerations as normal compliance policies. For more information on how to create a compliance policy, go to Compliance policies.

Local admins
Provide local admins with read and assign permissions, but not create, update or delete
permissions on Compliance policy. The read and assign permissions allow them to
choose from the common compliance policies created by the central team and assign
them to their users and devices.

Device configuration
In this section:

Device restrictions and general configuration


Resource access
Windows update rings
Feature updates
Quality updates

Device restrictions and general configuration


Grant local admins permission to create, update, delete within their own scope.

Use the Settings Catalog and Security Baselines to the maximum possible extent, instead of profiles created in the Configuration profiles list, to limit the number of objects in the Microsoft Intune admin center.

In general, the central team should try to centrally monitor the content of
configurations and replace lots of duplicate profiles where possible with a shared
profile.

Resource access

The Full delegation model is recommended.

Windows update rings


We recommend that Windows update rings are managed centrally. The Central
team should create as many common Windows update ring policies as they need
to support the variance of the local admins.
The local admins shouldn't create their own Windows update rings. When you delegate to a large number of administrators, the total number of objects may become large and difficult to manage. Best practices vary for each feature. For more information, go to Windows update rings.

Feature updates

The Full delegation model is recommended.

Quality updates

The Full delegation model is recommended.

Certificates
We recommend you use permissions through the Central team to
onboard/offboard connectors as needed. Onboard connectors for each local
admin to support certificate issuance.

Don't grant the local admins permission to UPDATE or DELETE connectors.

Applications
Grant local admins full permissions to manage apps to the extent of their scope.

In this section:

Apple Volume Purchase Program

Windows

Android

For more information, go to Manage apps.

Apple Volume Purchase Program

Currently, there are no scale concerns for the supported number of Volume Purchase Program tokens. For more information, go to How many tokens can I upload.

Windows
Local admins can create Win32 apps as needed within the cross-platform, line-of-
business app and web-link limit. For more information, go to Win32 app
management.

Local admins can purchase Microsoft Store for Business (MSFB) apps as needed.

Note

Microsoft Store for Business is being retired. Starting with Windows 11, you have a new option for your private volume-licensed apps. For more information, go to Private app repository in Windows 11 and Update to Microsoft Intune integration with the Microsoft Store on Windows.

Android

Local admins should choose from existing store apps or ask the central team to
add new Android store apps. Local admins shouldn't create new Android store
apps. The total number of objects may become large and difficult to manage.

Local admins can create Android line-of-business apps, as needed, within the
cross-platform, line-of-business app and web-link limit.

Central team must add Managed Google Play apps.

The central team can only see Managed Google Play apps available in their
tenant's country/region. If the central team needs a Managed Google Play app
only available in some countries/regions, they may need to work with the app
developer to get it listed correctly.
The central team should manage all content related to managed Google Play
apps, including private apps, web apps, and collections. For example, if a
customer plans on using the Managed Google Play iframe to publish private
apps , they have to do that with a single developer account owned by the
central team.
The central team can select a single scope tag as the Managed Google Play
scope tag. It has a special dropdown in the Managed Google Play connector
page. The scope tag will apply to all Managed Google Play apps after the
central team adds them to the console, but won't apply retroactively to apps
that have already been added. It's highly recommended that the central team
set the scope tag before they add apps and then assign each regional team that
scope tag. Otherwise, regional admins may not be able to see their Managed
Google Play apps.
Only one OEMConfig policy is supported per device, except for Zebra devices. With
Zebra devices, it's highly recommended that you have the smallest number of
policies possible because the time to enforce the policy is additive. For example, if
you assign six policies with the assumption that they'll layer on top of each other, it
takes around 6X longer to start working on the device than a single policy.

Note

Exercise extreme consideration and caution when setting high-priority update mode on many different apps and groups. This is for multiple reasons:

Although many apps can be set to high-priority mode, only one app update
can be installed at a time. One large app update could potentially block many
smaller updates until the large app is done installing.
Depending on when apps release new updates, there could be a sudden spike
in your network usage if app releases coincide. If Wi-Fi is not available on
some devices, there could also be a spike in cellular usage.
Although disruptive user experiences have already been mentioned, the
problem grows as more apps are set to high-priority update mode.

For more information on scale concerns regarding Managed Google Play app updates
using high-priority update mode, go this Techcommunity article.

Enrollment profiles
In this section:

Autopilot
Enrollment status page (ESP)
Apple business manager (ABM)
Android Enterprise profiles
Enrollment restrictions
Device categories

Autopilot

Grant local admins the permissions to read Autopilot devices and upload new
Autopilot devices.
Local admins shouldn't create Autopilot profiles. When you delegate to a large
number of administrators, the total number of objects may become large and
difficult to manage. The best practice varies per feature area.
For more information on Autopilot, go to Use Autopilot to enroll Windows devices
in Intune.

Enrollment status page

Local admins should select from existing Enrollment status page profiles to assign,
or they should request that the central team create an exception profile, only if
necessary.
Local admins shouldn't create Enrollment status page profiles. When you delegate
to a large number of administrators, the total number of objects may become
large and difficult to manage. The best practice varies per feature area. For
information on the Enrollment status page, go to Set up the Enrollment Status Page.

Apple Business Manager

If possible, local admins shouldn't be granted create, update or delete permissions on
enrollment profiles. Apple Business Manager profiles and Autopilot profiles are governed
by the same Enrollment programs permission family, so if local admins are given
permissions to create Apple Business Manager profiles, they also receive create, update
and delete permissions for Autopilot profiles. However, local admins shouldn't create
Autopilot profiles.

When you delegate to a large number of administrators, the total number of objects
may become large and difficult to manage. The best practice varies per feature area. For
more information, go to Use Apple Business Manager to enroll Apple devices in Intune.

Android Enterprise profiles

The central team should create Android Enterprise corporate-owned dedicated
devices enrollment profiles for each local admin for device grouping.
If possible, local admins shouldn't be granted create, update or delete permissions
on Android Enterprise devices. These restrictions prevent local admins from
modifying the tenant-wide Android Enterprise settings and the global fully
managed enrollment profile.

Enrollment restrictions

The same set of permissions governs both Device configuration and Enrollment
restrictions. When you grant create permissions for device configuration, you're
also granting create permissions for enrollment restrictions. Local admins
shouldn't be given permission to create enrollment restriction profiles, so if they
hold device configuration create permissions, they should be instructed not to
create new Enrollment restrictions profiles.
Enrollment device limit restrictions define how many devices each user can enroll.
The enrollment device limit restrictions should cover all possible device limits so
that local admins can share them. For more information, go to What are enrollment
restrictions.

The Central team should standardize Device Type restrictions as much as possible
and add new restrictions but only as special exceptions after a local admin has
reviewed existing restrictions.

Device categories

The Device categories (Devices > Device categories) feature doesn't have its own
permissions family. Instead, its permissions are governed by the permissions set under
Organization. Go to Tenant administration > Roles. Select a custom or built-in role and
select Properties. Here you can assign permissions, one of them being Organization. So,
if you need read permissions for Device categories, then set read permissions in
Organization.

Central teams can create Device Categories. However, local admins shouldn't be allowed
to create, update, or delete device categories, as it would require granting them
permissions on Organization, giving them access to other tenant-level features
governed by Organization permissions.

For more information, go to Device categories.
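The three permission couplings described above (Organization write access unlocks device categories and other tenant-level features, Enrollment programs profile write covers both Apple Business Manager and Autopilot profiles, and Device configurations Create also allows creating enrollment restrictions), plus the rule that only the Intune Role Administrator should manage roles, can be checked mechanically before a custom role is handed to a regional team. The following linter is an added example, not code from the page or from Microsoft. It assumes role definitions in the JSON shape Microsoft Graph returns for deviceManagement/roleDefinitions, with resource actions named in the form "Microsoft.Intune_<Resource>_<Action>"; the two sample roles are constructed for the example.

```python
"""Least-privilege linter for Intune custom roles delegated to local admins.

Assumptions (not from the page): Graph roleDefinition JSON shape and the
"Microsoft.Intune_<Resource>_<Action>" action-name format; sample roles are
constructed for this example.
"""
import json

PREFIX = "Microsoft.Intune_"
WRITE = {"Create", "Update", "Delete"}


def split_action(action):
    """'Microsoft.Intune_Organization_Update' -> ('Organization', 'Update')."""
    if not action.startswith(PREFIX) or "_" not in action[len(PREFIX):]:
        return None, None
    resource, verb = action[len(PREFIX):].split("_", 1)
    return resource, verb


def allowed_actions(role):
    """Flatten rolePermissions[].resourceActions[].allowedResourceActions[]."""
    actions = set()
    for perm in role.get("rolePermissions", []):
        for ra in perm.get("resourceActions", []):
            actions.update(ra.get("allowedResourceActions", []))
    return actions


# (severity, predicate on (resource, verb), why): one rule per guidance point.
RULES = [
    ("high", lambda r, v: r == "Organization" and v in WRITE,
     "Organization write access also unlocks device categories and other "
     "tenant-level features"),
    ("high", lambda r, v: r == "Roles" and v != "Read",
     "Only the Intune Role Administrator should manage roles and assignments"),
    ("high", lambda r, v: r.startswith("EnrollmentProgram") and "Profile" in v
     and any(v.startswith(w) for w in WRITE),
     "Enrollment program profile write applies to both Apple Business Manager "
     "and Autopilot profiles"),
    ("warn", lambda r, v: r == "DeviceConfigurations" and v == "Create",
     "Device configuration Create also allows creating enrollment restrictions; "
     "instruct local admins not to create them"),
]


def lint_role(role):
    """Return a list of findings ({severity, action, why}) for one role."""
    findings = []
    for action in sorted(allowed_actions(role)):
        resource, verb = split_action(action)
        if resource is None:
            findings.append({"severity": "warn", "action": action,
                             "why": "unrecognised action name format"})
            continue
        for severity, pred, why in RULES:
            if pred(resource, verb):
                findings.append({"severity": severity, "action": action, "why": why})
    return findings


def lint_report(role_definitions_json):
    """Map each role displayName in a Graph 'value' collection to its findings."""
    roles = json.loads(role_definitions_json).get("value", [])
    return {role["displayName"]: lint_role(role) for role in roles}


# Constructed sample: one role that follows the guidance, one that does not.
SAMPLE = json.dumps({"value": [
    {"displayName": "Regional App Admin", "isBuiltIn": False,
     "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
         "Microsoft.Intune_ManagedApps_Read", "Microsoft.Intune_ManagedApps_Create",
         "Microsoft.Intune_MobileApps_Assign",
         "Microsoft.Intune_DeviceConfigurations_Read",
         "Microsoft.Intune_Organization_Read"]}]}]},
    {"displayName": "Regional Device Admin", "isBuiltIn": False,
     "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
         "Microsoft.Intune_DeviceConfigurations_Create",
         "Microsoft.Intune_DeviceConfigurations_Assign",
         "Microsoft.Intune_Organization_Update",
         "Microsoft.Intune_EnrollmentProgram_CreateProfile",
         "Microsoft.Intune_Roles_Assign"]}]}]},
]})

if __name__ == "__main__":
    for name, findings in lint_report(SAMPLE).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f['severity']}] {f['action']}: {f['why']}")
```

Against a live tenant, the same function can be fed the response of a GET on the roleDefinitions collection; built-in roles will trip the rules as well (the Policy and Profile manager holds Enrollment programs profile write, for instance), which is exactly the point when deciding which built-in role is safe to delegate.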

Endpoint analytics
The central team should create as many common Endpoint Analytics baselines as
they need to support the variance of the local admins.
If possible, local admins shouldn't create their own Endpoint Analytics baselines.
When you delegate to a large number of administrators, the total number of
objects may become large and difficult to manage. The best practice varies per
feature area.
For more information, go to Configuring settings in Endpoint analytics.

Built-in role permissions for Microsoft Intune
Article • 06/08/2023

The following tables list the built-in roles for Microsoft Intune and the permissions
that are associated with each role.

Note

This article was partially created with the help of artificial intelligence. Before
publishing, an author reviewed and revised the content as needed. See Our
principles for using AI-generated content in Microsoft Learn.

Application Manager
Application Managers manage mobile and managed applications, can read device
information and can view device configuration profiles.

Permission: Actions

Android for work: Read, Update app sync
Filters: Create, Delete, Read, Update
Certificate Connector: Read
Cloud attached devices: Take application actions, View applications, View client details, View collections, View resource explorer, View software updates, View timeline
Customization: Read
Derived Credentials: Read
Device configurations: Read
Managed apps: Assign, Create, Delete, Read, Update, Wipe
Managed devices: Read
Microsoft Defender ATP: Read
Microsoft Store For Business: Read
Mobile apps: Assign, Create, Delete, Read, Relate, Update
Mobile Threat Defense: Read
Organization: Read
Partner Device Management: Read
Policy Sets: Assign, Create, Delete, Read, Update
Windows Enterprise Certificate: Read

Endpoint Security Manager

Endpoint Security Managers manage security and compliance features such as security
baselines, device compliance, conditional access, and Microsoft Defender ATP.

Permission: Actions

Android FOTA: Read
Android for work: Read
Enrollment programs: Read device, Read profile, Read token
Filters: Read
Audit data: Read
Certificate Connector: Read
Cloud attached devices: View client details, Run CMPivot query, View collections, View resource explorer, View scripts, View software updates, View timeline
Corporate device identifiers: Read
Customization: Read
Derived Credentials: Read
Device compliance policies: Assign, Create, Delete, Read, Update, View reports
Device configurations: Read, View reports
Device enrollment managers: Read
Endpoint Analytics: Read
Endpoint protection reports: Read
Endpoint Privilege Management Policy Authoring: Assign, Create, Delete, Read, Update, View reports
Managed apps: Read
Managed devices: Delete, Read, Set primary user, Update, View reports
Microsoft Defender ATP: Read
Microsoft Store For Business: Read
Mobile apps: Read
Mobile Threat Defense: Modify, Read
Organization: Read
Partner Device Management: Read
Policy Sets: Read
Remote assistance connectors: Read, View reports
Remote tasks: Initiate Configuration Manager action, Get filevault key, Reboot now, Remote lock, Rotate BitLockerKeys (preview), Rotate filevault key, Shut down, Sync devices, Windows defender
Intune data warehouse: Read
Roles: Read
Security baselines: Assign, Create, Delete, Read, Update
Security tasks: Read, Update
Telecom expenses: Read
Terms and conditions: Read
Windows Enterprise Certificate: Read

Endpoint Privilege Manager

Endpoint Privilege Managers can manage Endpoint Privilege Management (EPM)
policies in the Intune console.

Permission: Actions

Endpoint Privilege Management Policy Authoring: Assign, Create, Delete, Read, Update, View reports
Organization: Read

Read Only Operator

Read Only Operators view user, device, enrollment, configuration and application
information and cannot make changes to Intune.

Permission: Actions

Android FOTA: Read
Android for work: Read
Enrollment programs: Read device, Read profile, Read token
Filters: Read
Audit data: Read
Certificate Connector: Read
Cloud attached devices: View applications, View client details, View collections, View resource explorer, View scripts, View software updates, View timeline
Corporate device identifiers: Read
Customization: Read
Derived Credentials: Read
Device compliance policies: Read, View reports
Device configurations: Read, View reports
Device enrollment managers: Read
Endpoint Analytics: Read
Endpoint protection reports: Read
Endpoint Privilege Management Policy Authoring: Read, View reports
Managed apps: Read
Managed devices: Read, View reports
Microsoft Defender ATP: Read
Microsoft Store For Business: Read
Mobile apps: Read
Mobile Threat Defense: Read
Organization: Read
Organizational Messages: Read
Partner Device Management: Read
Policy Sets: Read
Quiet Time policies: Read, View reports
Remote assistance connectors: Read, View reports
Remote tasks: Get filevault key
Intune data warehouse: Read
Roles: Read
Security baselines: Read
ServiceNow: View Incidents
Telecom expenses: Read
Terms and conditions: Read
Windows Enterprise Certificate: Read

Organizational Messages Manager

Organizational Messages Managers can manage organizational messages in the Intune
console.

Permission: Actions

Organization: Read
Organizational Messages: Assign, Create, Delete, Read, Update, Update organizational message control

School Administrator
School Administrators can manage apps and settings for their groups. They can take
remote actions on devices, including remotely locking them, restarting them, and
retiring them from management.

Permission: Actions

Enrollment programs: Delete device, Read device, Sync device, Assign profile, Create profile, Delete profile, Read profile, Update profile, Create token, Delete token, Read token, Update token
Filters: Create, Delete, Read, Update
Audit data: Read
Certificate Connector: Modify, Read
Cloud attached devices: Take application actions, View applications, View client details, Run CMPivot query, View collections, Enroll Now, View resource explorer, Run script, View scripts, View software updates, View timeline
Customization: Assign, Create, Delete, Read, Update
Derived Credentials: Read
Device configurations: Assign, Create, Delete, Read, Update
Device enrollment managers: Read, Update
Endpoint Analytics: Create, Delete, Read, Update
Managed apps: Create, Delete, Read, Update
Managed devices: Delete, Read, Set primary user, Update
Microsoft Defender ATP: Read
Microsoft Store For Business: Modify, Read
Mobile apps: Assign, Create, Delete, Read, Relate, Update
Mobile Threat Defense: Read
Organization: Read
Partner Device Management: Read
Policy Sets: Assign, Create, Delete, Read, Update
Remote assistance connectors: Read, Update, View reports
Remote Help app: Elevation, Take full control, View screen
Remote tasks: Update cellular data plan, Clean PC, Initiate Configuration Manager action, Collect diagnostics, Disable lost mode, Enable lost mode, Recover MDM Key, Locate device, Run Remediation, Play sound to locate lost devices, Reboot now, Remote lock, Offer remote assistance, Reset passcode, Retire, Set device name, Sync devices, Wipe
Intune data warehouse: Read
ServiceNow: View Incidents
Terms and conditions: Assign, Create, Delete, Read, Update
Windows Enterprise Certificate: Modify, Read

Policy and Profile Manager

Policy and Profile Managers manage compliance policy, configuration profiles, Apple
enrollment and corporate device identifiers.

Permission: Actions

Android FOTA: Read
Android for work: Read, Update app sync, Update onboarding
Enrollment programs: Create device, Delete device, Read device, Sync device, Assign profile, Create profile, Delete profile, Read profile, Update profile, Create token, Delete token, Read token, Update token
Filters: Create, Delete, Read, Update
Audit data: Read
Certificate Connector: Read
Cloud attached devices: View applications, View client details, View collections, View resource explorer, View scripts, View software updates, View timeline
Corporate device identifiers: Create, Delete, Read, Update
Derived Credentials: Read
Device compliance policies: Assign, Create, Delete, Read, Update, View reports
Device configurations: Assign, Create, Delete, Read, Update, View reports
Managed apps: Assign, Create, Delete, Read, Update
Microsoft Defender ATP: Read
Mobile Threat Defense: Read
Organization: Read
Partner Device Management: Read
Policy Sets: Assign, Create, Delete, Read, Update
Quiet Time policies: Assign, Create, Delete, Read, Update, View reports

Help Desk Operator

Help Desk Operators perform remote tasks on users and devices and can assign
applications or policies to users or devices.

Permission: Actions

Android FOTA: Read
Android for work: Read
Enrollment programs: Read device, Read profile, Read token
Filters: Read
Audit data: Read
Certificate Connector: Read
Cloud attached devices: Take application actions, View applications, View client details, Run CMPivot query, View collections, Enroll Now, View resource explorer, Run script, View scripts, View software updates, View timeline
Corporate device identifiers: Read
Customization: Read
Derived Credentials: Read
Device compliance policies: Read, View reports
Device configurations: Read, View reports
Device enrollment managers: Read
Endpoint Analytics: Read
Endpoint protection reports: Read
Managed apps: Assign, Read, Wipe
Managed devices: Read, Set primary user, Update, View reports
Microsoft Defender ATP: Read
Microsoft Store For Business: Read
Mobile apps: Assign, Read
Mobile Threat Defense: Read
Organization: Read
Partner Device Management: Read
Policy Sets: Read
Remote assistance connectors: Read
Remote Help app: Elevation, Take full control, View screen
Remote tasks: Update cellular data plan, Clean PC, Initiate Configuration Manager action, Send custom notifications, Collect diagnostics, Disable lost mode, Enable lost mode, Enable Windows IntuneAgent, Get filevault key, Recover MDM Key, Locate device, Manage shared device users, Run Remediation, Play sound to locate lost devices, Reboot now, Remote lock, Offer remote assistance, Reset passcode, Retire, Revoke App Licenses, Rotate BitLockerKeys (preview), Rotate filevault key, Set device name, Shut down, Sync devices, Update device account, Windows defender, Wipe
Roles: Read
Security baselines: Read
ServiceNow: View Incidents
Telecom expenses: Read
Terms and conditions: Read
Windows Enterprise Certificate: Read

Endpoint Privilege Reader

Endpoint Privilege Readers can view Endpoint Privilege Management (EPM)
policies in the Intune console.

Permission: Actions

Endpoint Privilege Management Policy Authoring: Read, View reports
Organization: Read

Intune Role Administrator

Intune Role Administrators manage custom Intune roles and add assignments for built-
in Intune roles. It is the only Intune role that can assign permissions to administrators.

Permission: Actions

Organization: Read
Roles: Assign, Create, Delete, Read, Update

What is Microsoft Intune app management?
Article • 03/31/2023

As an IT admin, you can use Microsoft Intune to manage the client apps that your
company's workforce uses. This functionality is in addition to managing devices and
protecting data. One of an admin's priorities is to ensure that end users have access to
the apps they need to do their work. This goal can be a challenge because:

There are a wide range of device platforms and app types.


You might need to manage apps on both company devices and users' personal
devices.
You must ensure that your network and your data remain secure.

Additionally, you might want to assign and manage apps on devices that are not
enrolled with Intune.


Mobile Application Management (MAM) basics


Intune mobile application management refers to the suite of Intune management
features that lets you publish, push, configure, secure, monitor, and update mobile apps
for your users.

MAM allows you to manage and protect your organization's data within an application.
Many productivity apps, such as the Microsoft Office apps, can be managed by Intune
MAM. See the official list of Microsoft Intune protected apps available for public use.

Intune MAM supports two configurations:

Intune MDM + MAM: IT administrators can manage apps using MAM on devices
that are enrolled with Intune mobile device management (MDM). To manage apps
using MDM + MAM, customers should use Intune in the Microsoft Intune admin
center.
Unenrolled devices with MAM managed applications: IT administrators can
manage org data and accounts in apps using MAM on unenrolled devices or
devices enrolled with third-party EMM providers. To manage apps using MAM,
customers should use Intune in the Microsoft Intune admin center. For more
information about BYOD and Microsoft's EMS, see Technology decisions for
enabling BYOD with Microsoft Enterprise Mobility + Security (EMS).

App management capabilities by platform
Intune offers a range of capabilities to help you get the apps you need on the devices
you want to run them on. The following table provides a summary of app management
capabilities.

App management capability | Android/Android Enterprise | iOS/iPadOS | macOS | Windows 10/11
Add and assign apps to devices and users | Yes | Yes | Yes | Yes
Assign apps to devices not enrolled with Intune | Yes | Yes | No | No
Use app configuration policies to control the startup behavior of apps | Yes | Yes | No | No
Use mobile app provisioning policies to renew expired apps | No | Yes | No | No
Protect company data in apps with app protection policies | Yes | Yes | No | No (1)
Remove only corporate data from an installed app (app selective wipe) | Yes | Yes | No | Yes
Monitor app assignments | Yes | Yes | Yes | Yes
Assign and track volume-purchased apps from an app store | No | Yes | No | Yes
Mandatory install of apps on devices (required) (2) | Yes | Yes | Yes | Yes
Optional installation on devices from the Company Portal (available installation) | Yes (3) | Yes | Yes | Yes
Install shortcut to an app on the web (web link) | Yes (4) | Yes | Yes | Yes
In-house (line-of-business) apps | Yes (5) | Yes | Yes | Yes
Apps from a store | Yes | Yes | No | Yes
Update apps | Yes | Yes | No | Yes

(1) Consider using Microsoft Purview Information Protection and Microsoft Purview Data
Loss Prevention. Microsoft Purview simplifies the configuration set-up and provides an
advanced set of capabilities.

(2) Applies to devices managed by Intune only.

(3) Intune supports available apps from the Managed Google Play store on Android
Enterprise devices.

(4) Intune does not provide installing a shortcut to an app as a web link on standard
Android Enterprise devices. However, web link support is provided for multi-app
dedicated Android Enterprise devices.

(5) Line-of-business (LOB) apps for Android Enterprise are supported, but the apps need
to be published privately to Managed Google Play.

Get started
You can find most app-related information in the Apps workload, which you can access
by doing the following:

1. Sign in to the Microsoft Intune admin center.

2. Select Apps.

The apps workload provides links to access common app information and functionality.

The top of the App workload navigation menu provides commonly used app details:
Overview: Select this option to view the tenant name, the MDM authority, the
tenant location, the account status, app installation status, and app protection
policy status.
All apps: Select this option to display a list of all available apps. You can add
additional apps from this page. Additionally, you can see the status of each app, as
well as whether each app is assigned. For more information, see Add apps and
Assign apps.
Monitor apps
App licenses: View, assign, and monitor volume-purchased apps from the app
stores. For more information, see iOS volume-purchased program (VPP) apps
and Microsoft Store for Business volume-purchased apps.
Discovered apps: View apps that were assigned by Intune or installed on a
device. For more information, see Intune discovered apps.
App install status: View the status of an app assignment that you created. For
more information, see Monitor app information and assignments with Microsoft
Intune.
App protection status: View the status of an app protection policy for a user
that you select.
By Platform: Select these platforms to view the available apps by platform.
Windows
iOS
macOS
Android
Policy:
App protection policies: Select this option to associate settings with an app and
help protect the company data it uses. For example, you might restrict the
capabilities of an app to communicate with other apps, or you might require the
user to enter a PIN to access a company app. For more information, see App
protection policies.
App configuration policies: Select this option to supply settings that might be
required when a user runs an app. For more information, see App configuration
policies, iOS app configuration policies, and Android app configuration policies.
iOS app provisioning profiles: iOS apps include a provisioning profile and code
that is signed by a certificate. When the certificate expires, the app can no
longer be run. Intune gives you the tools to proactively assign a new
provisioning profile policy to devices that have apps that are nearing expiration.
For more information, see iOS app provisioning profiles.
S mode supplemental policies: Select this option to authorize additional
applications to run on your managed S mode devices. For more information,
see S mode supplemental policies.
Policies for Office apps: Select this option to create mobile app management
policies for Office mobile apps that connect to Microsoft 365 services. You can
also protect access to Exchange on-premises mailboxes by creating Intune app
protection policies for Outlook for iOS/iPadOS and Android enabled with hybrid
Modern Authentication. You must meet the requirements to use policies for
Office apps. For more information about requirements, see Requirements for
using the Office cloud policy service. App protection policies are not supported
for other apps that connect to on-premises Exchange or SharePoint services. For
related information, see Overview of the Office cloud policy service for
Microsoft 365 Apps for enterprise.
Policy sets: Select this option to create an assignable collection of apps, policies,
and other management objects you've created. For more information, see Policy
sets.
Other:
App selective wipe: Select this option to remove only corporate data from a
selected user's device. For more information, see App selective wipe.
App categories: Add, pin, and delete app category names.
E-books: Some app stores give you the ability to purchase multiple licenses for
an app or books that you want to use in your company. For more information,
see Manage volume-purchased apps and books with Microsoft Intune.
Help and support: Troubleshoot, request support, or view Intune status. For more
information, see Troubleshoot problems.
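The "App protection policies" item above (restrict how an app communicates with other apps, require a PIN) and the "Protect company data in apps" capability are easiest to reason about as a baseline that every policy is compared against. The following is an added example, not code from the page or from Microsoft: it compares a policy against a hardened baseline using a strictness ordering for the enum-valued settings, raises weak settings to the baseline, and emits the request bodies for creating an iOS policy and targeting apps. It assumes the property and enum names of the Microsoft Graph managedAppProtection/iosManagedAppProtection resources (allowedOutboundDataTransferDestinations, allowedOutboundClipboardSharingLevel, pinRequired, and so on) and the targetApps action shape; the weak policy and bundle IDs are constructed sample input.

```python
"""Compare an Intune app protection policy against a hardened baseline.

Assumptions (not from the page): property/enum names follow the Graph
managedAppProtection and iosManagedAppProtection schema; WEAK_POLICY and the
bundle IDs are constructed for this example.
"""
import json

# Enum values ordered from most to least restrictive (assumed Graph values).
STRICTNESS = {
    "allowedInboundDataTransferSources": ["none", "managedApps", "allApps"],
    "allowedOutboundDataTransferDestinations": ["none", "managedApps", "allApps"],
    "allowedOutboundClipboardSharingLevel":
        ["blocked", "managedApps", "managedAppsWithPasteIn", "allApps"],
}

# Hardened baseline: org data only moves between managed apps, behind a PIN,
# on a compliant device, with no backup or Save As to unmanaged locations.
BASELINE = {
    "allowedInboundDataTransferSources": "managedApps",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "pinRequired": True,
    "minimumPinLength": 6,
    "saveAsBlocked": True,
    "dataBackupBlocked": True,
    "deviceComplianceRequired": True,
    "managedBrowserToOpenLinksRequired": True,
}


def is_at_least_as_strict(key, actual, expected):
    """True when `actual` is as restrictive as the baseline value `expected`."""
    if key in STRICTNESS:
        order = STRICTNESS[key]
        return actual in order and order.index(actual) <= order.index(expected)
    if isinstance(expected, bool):          # bool before int: bool is an int subclass
        return actual is expected
    if isinstance(expected, int):
        return isinstance(actual, int) and actual >= expected
    return actual == expected


def deviations(policy):
    """List (setting, actual, expected) for every setting weaker than BASELINE."""
    return [(k, policy.get(k), v) for k, v in BASELINE.items()
            if not is_at_least_as_strict(k, policy.get(k), v)]


def harden(policy):
    """Copy of `policy` with each weak setting raised to its baseline value."""
    fixed = dict(policy)
    for key, _actual, expected in deviations(policy):
        fixed[key] = expected
    return fixed


def ios_policy_body(display_name, settings=BASELINE):
    """Body for POST deviceManagement/iosManagedAppProtections (assumed shape)."""
    return {"@odata.type": "#microsoft.graph.iosManagedAppProtection",
            "displayName": display_name, **settings}


def target_apps_body(bundle_ids):
    """Body for the policy's targetApps action: one managedMobileApp per bundle ID."""
    return {"apps": [{"@odata.type": "#microsoft.graph.managedMobileApp",
                      "mobileAppIdentifier": {
                          "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                          "bundleId": bundle_id}} for bundle_id in bundle_ids]}


# Constructed weak policy: data and clipboard flow to any app, no PIN, no compliance gate.
WEAK_POLICY = {
    "displayName": "BYOD Outlook (draft)",
    "allowedInboundDataTransferSources": "allApps",
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "pinRequired": False,
    "minimumPinLength": 4,
    "saveAsBlocked": False,
    "dataBackupBlocked": False,
    "deviceComplianceRequired": False,
    "managedBrowserToOpenLinksRequired": True,
}

if __name__ == "__main__":
    for key, actual, expected in deviations(WEAK_POLICY):
        print(f"{key}: {actual!r} -> {expected!r}")
    print(json.dumps(ios_policy_body("BYOD Outlook", harden(WEAK_POLICY)), indent=2))
    print(json.dumps(target_apps_body(["com.microsoft.Office.Outlook"]), indent=2))
```

The strictness ordering matters because a policy that is tighter than the baseline (for example, clipboard sharing set to blocked) must pass the check rather than be flagged as a deviation; a plain equality comparison would report it as drift.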

Try the interactive guide

The Manage and protect mobile and desktop applications with Microsoft Endpoint
Manager interactive guide steps you through the Microsoft Intune admin center to
show you how to manage devices enrolled in Intune, enforce compliance with policies,
and protect your organization's data.

Additional information
The following items within the console provide app related functionality:

Microsoft Store for Business: Set up integration to the Microsoft Store for
Business. Afterward, you can synchronize purchased applications to Intune, assign
them, and track your license usage. For more information, see Microsoft Store for
Business volume-purchased apps.
Windows enterprise certificate: Apply or view the status of a code-signing
certificate that's used to distribute line-of-business apps to your managed
Windows devices.
Windows Symantec certificate: Apply or view the status of a Symantec code-
signing certificate.
Windows side loading keys: Add a Windows side-loading key that can be used to
install an app directly to devices rather than publishing and downloading the app
from the Windows store. For more information, see Side-load a Windows app.
Microsoft Configuration Manager: Displays information about the Configuration
Manager connector including last successful synchronization time and the
connection status. Select a Configuration Manager hierarchy running version 2006,
or later to display additional information about it.
Apple Business Manager location tokens: Apply and view your iOS/iPadOS
volume purchased licenses. For more information, see How to manage iOS and
macOS apps purchased through Apple Business Manager with Microsoft Intune.
Managed Google Play: Managed Google Play is Google's enterprise app store and
sole source of applications for Android Enterprise. For more information, see Add
Managed Google Play apps to Android Enterprise devices with Intune.
Customization: Customize the Company Portal to give it your company branding.
For more information, see Company Portal configuration.

For more information about apps, see Add apps to Microsoft Intune.

Next steps
Add an app to Microsoft Intune

Deployment guide: Mobile Application Management (MAM) for unenrolled devices in Microsoft Intune
Article • 06/14/2023

MAM for unenrolled devices uses app configuration profiles to deploy or configure apps
on devices without enrolling the device. When combined with app protection policies,
you can protect data within an app.

MAM for unenrolled devices is commonly used for personal or bring your own devices
(BYOD). Or, used for enrolled devices that need extra security. MAM is an option for
users who don't enroll their personal devices, but still need access to organization email,
Teams meetings, and more.

MAM is available on the following platforms:

Android
iOS/iPadOS

7 Note

To deploy or assign apps to Windows devices, the Windows devices must be


enrolled in Microsoft Intune. For any additional requirements, including supported
app types, go to Windows 10/11 app deployment using Microsoft Intune.

This article provides recommendations on when to use MAM. It also includes an
overview of the administrator and user tasks. For more specific information on MAM,
see Microsoft Intune app management.

Tip

This guide is a living thing. So, be sure to add or update existing tips and guidance
you've found helpful.

Before you begin

For an overview, including any Intune-specific prerequisites, see Deployment guidance:
Enroll devices in Microsoft Intune.

MAM

Use for personal or bring your own devices (BYOD), or on organization-owned
devices that need specific app configuration or extra app security.

Feature | Use this enrollment option when
You want to configure specific apps, and control access to these apps, such as Outlook or Microsoft Teams. | ✔️
Devices are personal or BYOD. | ✔️
You have new or existing devices. | ✔️
Need to manage a few devices, or a large number of devices (bulk enrollment). | ✔️
Devices are associated with a single user. | ✔️
Devices are managed by another MDM provider. | ✔️
You use the device enrollment manager (DEM) account. | ✔️
Devices are owned by the organization or school. | ❌ Not recommended as the only enrollment method for organization-owned devices. Organization-owned devices should be enrolled and managed by Intune. If you want extra security for specific apps, then use enrollment and MAM together.
Devices are user-less, such as kiosk, or dedicated device. | ❌ Typically, user-less or shared devices are organization-owned. These devices should be enrolled and managed by Intune.

MAM administrator tasks

This task list provides an overview. For more specific information, see Microsoft Intune
app management.

Be sure your devices are supported.

In the Intune admin center, add your apps or configure your apps. When the
apps are on the device, the apps are considered "managed" by Intune. After you
add or configure the app, create an app protection policy. For example, create a
policy that allows or blocks features within the app, such as copy and paste.

Tell users how to get different apps. For example, you can:
Direct users to the Company Portal web site at portal.manage.microsoft.com.
When they sign in with their organization credentials, they see a list of apps,
including required apps. They can get apps from this site.
Have users download and install the Company Portal app from the app store.
Once authenticated, users can install apps, including required apps.

MAM end user tasks

The specific tasks depend on how you tell users to install the apps.

To install the apps, users can:

Go to the app store, and download the app.
Go to the app store, and download the Company Portal app. The Company
Portal app authenticates the user. Open the Company Portal app, and sign in
with their organization credentials (user@contoso.com). They see a list of
available apps, including required apps.
Go to the Company Portal web site at portal.manage.microsoft.com, and sign in
with their organization credentials (user@contoso.com). After users sign in, they
see a list of available apps, including required apps.

After the app is installed, they open the app, and are prompted to sign in with
their organization credentials (user@contoso.com). When users sign in, they may
have to restart the app. After the restart, the app data is "managed" by Intune.

Some platforms may require specific apps to install other apps, such as Outlook or
Teams. For example, on iOS devices, users must install a broker app, such as the
Microsoft Authenticator app. On Android devices, users must install the Company
Portal app.

Next steps
Android enrollment guide
iOS/iPadOS enrollment guide
Linux enrollment guide
macOS enrollment guide
Windows enrollment guide
Purchase and add apps for Microsoft Intune
Article • 03/28/2023

To help protect and secure your organization’s data, you can provide the members of
your organization with managed apps so they can safely collaborate and be productive.
Managed apps are a subset of client apps that you install and manage on the devices of
members of your organization. These apps have been enhanced to support special
configuration and protection capabilities. These capabilities are managed and
maintained by an endpoint management solution, such as Microsoft Intune. Intune
provides a web-based console to manage, protect, and monitor all of your
organization's endpoints, whether those endpoints are devices or apps. The capabilities
provided by Intune help to keep your organization's cloud and on-premises devices,
apps, and data secure. The Microsoft Intune product family integrates Microsoft Intune,
Microsoft Endpoint Configuration Manager, Desktop Analytics, and Windows Autopilot.

Note

Endpoints include the mobile devices, desktop computers, virtual machines,
embedded devices, servers, apps, and shared devices that your organization uses.
Examples of shared and specialized devices include retail point of sale devices,
ruggedized devices, digital interactive whiteboards, conference room devices, and
holographic wearable computers. Additionally, endpoints also include the apps
used by your organization.

Depending on the apps your organization needs, you may want to purchase licenses for
specific apps. This content helps you understand the different types of apps available to
Intune. Additionally, you can add apps to be managed using configuration and
protection policies, or apps that you can just deploy to members of your organization.
You'll learn about purchasing apps and app licenses. These concepts are all an important
part of the process to add apps to Intune.

What's in this solution

This solution steps you through the process of adding managed apps to Microsoft
Intune. Adding managed apps to Intune is the first step you take before you configure,
protect, and deploy the apps so that members of your organization can safely use them.
By managing apps at your organization, you help to protect and secure your
organization’s data.

Deploying Intune
You should understand how to set up and deploy the capabilities of Intune before you
start adding and assigning apps. Deploying Intune commonly involves the following
steps:

Step | Action | Description

1 | Set up Intune | You can try Intune for free by following the steps to get started fast. When you're finished with this step, you'll have completed the following:
Created a free Intune tenant. A tenant is a dedicated instance of Azure Active Directory (Azure AD) where your subscription to Intune is hosted.
Created a user in Intune and assigned the user a license.
Created a group to manage users.
Set up automatic enrollment for Windows 10/11 devices.
Understand how to enroll a device.
Understand how to create a password compliance policy for Android Enterprise devices.
Understand how to send notifications to noncompliant devices.
Added and assigned an app.
Created and assigned an app protection policy.
Created and assigned a custom role.
Created an email device profile for iOS/iPadOS.

2 | Set up apps | Add, configure, and protect the apps your organization uses. When you're finished with this step, you'll have completed the following:
Understand how to add managed and unmanaged apps
Understand which apps to add to your tenant first
Understand how to configure apps in Intune
Understand how to protect apps using Intune
Understand the different levels of app protection

3 | Create device compliance and conditional access policies | You'll understand how to create device compliance policies and conditional access policies. When you complete this step, you'll understand device compliance and conditional access, as well as understand how to handle noncompliance. Additionally, you'll understand the different levels of device compliance.

4 | Create device configuration policies | You'll understand how to configure device features and settings to secure devices and access resources. When you complete this step, you'll understand the different levels of device configuration and protection.

5 | Enroll your devices to be managed | When you complete this step, you'll understand how to configure devices for enrollment and understand enrollment policies and restrictions. You'll also understand how to use enrollment profiles and Windows Autopilot.
Mobile Application Management configurations
When apps are used without restrictions, company and personal data can get
intermingled. Company data can end up in locations like personal storage or transferred
to apps beyond your purview and result in data exposure and data loss. Managing the
apps that the members of your organization use on their devices is called Mobile
Application Management (MAM). MAM allows you to provide data protection on
unenrolled devices. Unenrolled devices are personal devices that are used by members
of your organization to access corporate data. It's important to understand that these
personal devices aren't managed, but still need protection. One of the primary reasons
to use either MAM without device enrollment or MAM with device enrollment is to
help protect your organization's data.

The Microsoft Intune service supports two Mobile Application Management (MAM)
configurations:

MAM without device management
MAM with device management

MAM without device management

MAM in Intune is designed to protect organization data at the application level,
including custom apps and store apps. App management can be used on organization-
owned devices and personal devices. When it's used with personal devices, only
organization-related access and data are managed. This configuration allows your
organization's apps to be managed by Intune, but doesn't enroll the devices to be
managed by Intune. This configuration is commonly referred to as MAM without device
enrollment, or MAM-WE. IT administrators can manage apps using MAM by using
Intune configuration and protection policies on devices not enrolled with Intune Mobile
Device Management (MDM). In the MAM scenario, the apps are managed based on the
signed-in user of the app on the device. MAM is ideal to help protect organization data
on devices used by members of your organization for both personal and work tasks.
MAM without MDM is popular for organizations that enable members of their
organization to work remotely on their own devices (BYOD).

Tip

Many productivity apps, such as the Microsoft Office apps, can be managed by
Intune MAM. See the official list of Microsoft Intune protected apps available for
public use.

If you choose to use MAM without device enrollment, there are some limitations to be
aware of, such as:

You can't specifically deploy apps directly to the device. The end user (member of
your organization) retrieves the apps from the store.
You can't provision certificate profiles on these unmanaged devices.
You can't provision company Wi-Fi and VPN settings on these unmanaged devices.

Note

The MAM configuration includes managing apps with Intune on devices enrolled
with third-party enterprise mobility management (EMM) providers. You can use
Intune app configuration and protection policies independent of any MDM
solution. This independence helps you protect your company's data with or without
enrolling devices in a device management solution. By implementing app-level
policies, you can restrict access to company resources and keep data within the
purview of your IT department.

MAM with device management

This configuration allows both your organization's apps and devices to be managed.
This configuration is commonly referred to as MAM + MDM. IT administrators can
manage apps using MAM on devices that are enrolled with Intune MDM.

MDM, in addition to MAM, makes sure that the device is protected. For example, you
can require a PIN to access the device, or you can deploy managed apps to the device.

There are additional benefits to using MDM with app protection policies. For example, a
member of your organization could have both a phone issued by the company, as well
as their own personal tablet. The company phone could be enrolled in MDM and
protected by app protection policies while the personal device is protected by app
protection policies only.

On enrolled devices that use an MDM service, app protection policies can add an extra
layer of protection. For example, a user signs in to a device with their organization
credentials. As that organization data is used, app protection policies control how the
data is saved and shared. When users sign in with their personal identity, those same
protections (access and restrictions) aren't applied. In this way, IT has control of
organization data, while end users maintain control and privacy over their personal data.

The MDM solution adds value by providing the following capabilities:

Enrolls the device
Deploys the apps to the device
Provides ongoing device compliance and management

The App protection policies add value by providing the following capabilities:

Help protect company data from leaking to consumer apps and services
Apply restrictions like save-as, clipboard, or PIN, to client apps
Wipe company data when needed from apps without removing those apps from
the device

Benefits of MAM with Intune

When apps are managed in Intune, administrators can do the following actions:

Protect company data at the app level. You can add and assign mobile apps to
user groups and devices. This management allows your company data to be
protected at the app level. You can protect company data on both managed and
unmanaged devices because mobile app management doesn't require device
management. The management is centered on the user identity, which removes
the requirement for device management.
Configure apps to start or run with specific settings enabled. In addition, you can
update existing apps already on the device.
Assign policies to limit access and prevent data from being used outside your
organization. You choose the setting for these policies based on your
organization's requirements. For example, you can:
Require a PIN to open an app in a work context.
Block managed apps from running on jailbroken or rooted devices.
Control the sharing of data between apps.
Prevent the saving of company app data to a personal storage location by using
data relocation policies like Save copies of org data, and Restrict cut, copy, and
paste.
Support apps on a variety of platforms and operating systems. Each platform is
different. Intune provides available settings specifically for each supported
platform.
See reports about which apps are used, and track their usage. In addition, Intune
provides endpoint analytics to help you assess and resolve problems.
Do a selective wipe by removing only organization data from apps.
Ensure personal data is kept separate from managed data. End-user productivity
isn't affected and policies don't apply when using the app in a personal context.
The policies are applied only in a work context, which gives you the ability to
protect company data without touching personal data.
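
The controls in the list above (a PIN in a work context, blocking jailbroken or rooted devices, data sharing between apps, save-as and clipboard restrictions) are exposed as properties of the managedAppProtection resource in Microsoft Graph. The script below is an added example, not Microsoft's code: it audits a constructed export of such policies and reports settings that leave those leak paths open. Assumptions: the policies were exported as Graph managedAppProtection JSON objects, and the `audit_policy`/`audit_export` functions and the sample data are this example's own.

```python
"""Audit Intune app protection policies for settings that permit data leakage.

Added example (not Microsoft's code). Assumption: the policies were exported
from Microsoft Graph as managedAppProtection objects, whose property names are
used below. The sample export is constructed, not taken from a real tenant.
"""
import json

# Constructed sample export: one permissive policy and one hardened policy.
SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "Permissive Android policy (constructed)",
        "pinRequired": False,
        "deviceComplianceRequired": False,
        "allowedOutboundDataTransferDestinations": "allApps",
        "allowedInboundDataTransferSources": "allApps",
        "allowedOutboundClipboardSharingLevel": "allApps",
        "saveAsBlocked": False,
        "dataBackupBlocked": False,
    },
    {
        "displayName": "Hardened iOS policy (constructed)",
        "pinRequired": True,
        "deviceComplianceRequired": True,
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "saveAsBlocked": True,
        "dataBackupBlocked": True,
    },
])

# Each check: (Graph property, predicate that is True when the value is weak,
# the leak path that the control is meant to close). A missing property is
# passed in as None, which every predicate treats as weak.
CHECKS = [
    ("pinRequired", lambda v: v is not True,
     "no PIN is required to open the app in a work context"),
    ("deviceComplianceRequired", lambda v: v is not True,
     "managed apps may run on jailbroken or rooted devices"),
    ("allowedOutboundDataTransferDestinations",
     lambda v: v not in ("managedApps", "none"),
     "org data can be sent to any app, not only other managed apps"),
    ("allowedInboundDataTransferSources",
     lambda v: v not in ("managedApps", "none"),
     "unmanaged apps can push data into the managed app"),
    ("allowedOutboundClipboardSharingLevel",
     lambda v: v not in ("managedApps", "managedAppsWithPasteIn", "blocked"),
     "cut/copy/paste of org data into any app is allowed"),
    ("saveAsBlocked", lambda v: v is not True,
     "org data can be saved to personal storage locations"),
    ("dataBackupBlocked", lambda v: v is not True,
     "org data can be included in personal backups"),
]


def audit_policy(policy: dict) -> list:
    """Return (property, reason) pairs for every weak or missing setting.

    Missing properties are reported rather than assumed safe, so the audit
    fails closed on an incomplete export.
    """
    findings = []
    for prop, is_weak, reason in CHECKS:
        value = policy.get(prop)
        if is_weak(value):
            findings.append((prop, f"{reason} (value: {value!r})"))
    return findings


def audit_export(export_json: str) -> dict:
    """Audit every policy in a JSON-array export, keyed by displayName."""
    policies = json.loads(export_json)
    return {p.get("displayName", "<unnamed>"): audit_policy(p) for p in policies}


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        status = "OK" if not findings else f"{len(findings)} weak setting(s)"
        print(f"{name}: {status}")
        for prop, reason in findings:
            print(f"  - {prop}: {reason}")
```

Point `audit_export` at the JSON array returned by a Graph query for iOS or Android managed app protections to run the same checks against a real tenant.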

Understand app types
The users of apps and devices at your organization might have several app
requirements. Before adding apps to Intune and making them available to the members
of your organization, you may find it helpful to assess and understand a few app
fundamentals. There are various types of apps that are available for Intune. You must
determine the app requirements of the users at your organization, such as the
platforms and capabilities that the members of your organization need. You must
determine whether to use Intune to manage the devices (including apps) or have Intune
manage the apps without managing the devices. Also, you must determine the apps and
capabilities that the members of your organization need, and who needs them. For
more information, see App types for managed environments for an overview.

Purchase apps
Often, before you can distribute an app to the members of your organization, you must
either purchase the app, purchase a license to use the app, or acquire a license to use
the app. Many apps are free; however, you may still need to follow the purchase process
in order to distribute those apps to the members of your organization. Of those free
apps, most are not designed to be protected and configured with Intune. For more
information, see Purchase apps for Intune for an overview.

Add apps to Intune

Before you distribute a managed app to the members of your organization, you first
need to add the app to Intune. Once added, you can create both configuration and
protection policies to support the app. When you're ready, you can assign the apps to
the members of your organization. For more information, see Add apps to Microsoft
Intune Overview.
App types for managed environments
Article • 03/28/2023

There are many types of apps you may want to use at your organization that can either
be acquired or created. By understanding and grouping apps based on the types presented
in this article, you'll have a better understanding of apps that can be managed by
Microsoft Intune. An app that can be managed supports Intune's app protection
policies. App protection policies are rules that ensure that your organization's data
remains safe and contained in your managed apps. This overview provides a view of app
types based on how apps are acquired, created, used, installed, and run.

Note

Managed apps are enhanced by being integrated to support the Intune App SDK
or wrapped using the Intune App Wrapping Tool. This integration allows managed
apps to support Microsoft Intune's app protection policies and app configuration
policies.

There are several app types that you'll want to consider when determining which apps
you want to provide and manage at your organization. Understanding the complete
breadth of app types is an important step toward understanding apps that can be
assigned, delivered, and managed using the Intune product family.

The users of apps and devices at your organization (your company's workforce) might
have several app requirements. Before adding apps to Intune and making them
available to the members of your organization, you may find it helpful to assess and
understand a few app fundamentals. You must determine the app requirements that the
users at your company have, such as the platforms and capabilities that the members of
your organization need. You must determine whether to use Intune to manage both
the devices and apps, or have Intune manage just the apps without managing the
devices. Also, you must determine the apps and capabilities that the members of your
organization need, and who needs them. The information in this article helps you get
started by understanding app types. Later in this content set, you'll step through the
process of assessing your organization's app requirements.

Managed app types

You can add apps to Intune that support management capabilities using the Microsoft
Intune admin center. Once you add an app to Intune, you can assign the app to
devices and users. Intune helps install the app on your users' devices.

App type | Description

Apps from the store (store apps) | Apps that are purchased or downloaded from a third-party, such as Google, Microsoft, or Apple. These apps have been uploaded by the app developer to either the Google Play store, the Microsoft app store, or Apple's app store. The provider of a store app maintains and provides updates to the app. You select the app in the store list and add it by using Intune as an available app for your users.

Apps created in-house or as a custom app (line-of-business) | Apps that your organization creates or has designed for your organization. These apps are often called Line-of-Business (LOB) apps. Intune installs the app on the device (you supply the installation file). These apps are created in-house or as a custom app. The functionality of this type of app has been created for one of the Intune supported platforms, such as Windows, iOS/iPadOS, macOS, or Android. You must have a separate file to install this app type from Intune. Also, you provide updates of the app to users by adding and deploying the updates using Intune.

Apps that are built in (built-in apps) | Curated managed apps that provide specific functionality. Intune installs the app on the device.

Apps on the web (web link or web app) | Intune creates a shortcut to the web app on the device home screen. Web apps are client-server applications. The server provides the web app, which includes the UI, content, and functionality. Additionally, modern web hosting platforms commonly offer security, load balancing, and other benefits. This type of app is separately maintained on the web. You use Intune to point to this app type. You also assign which groups of users can access the app.

Specific Microsoft apps | Intune provides specific Microsoft apps with specialized settings that you can select when adding the apps to Intune.

Each of these app types is described in detail:

Store apps
Line-of-business apps
Built-in apps
Web apps
Microsoft apps
Understand store apps for Intune
Article • 03/28/2023

Microsoft, Apple, and Google each provide an app store. You can use Intune to deploy
store apps to your organization's workforce. Deploying apps from the stores offers
increased protection over allowing end-users to install apps on their own. Also, many
store apps have been designed to support a managed environment such as Microsoft
Intune.

In addition to protecting app data, Intune supports configuring app settings, such as
email settings. Store apps are the most common type of apps that you would provide to
the members of your organization. Common types of store apps that support Intune
include Microsoft apps, partner productivity apps, and Partner unified endpoint
management (UEM) apps.

Apps from the store

You can add the following store app types to Intune.

App type | Description

Android store apps | Android store apps are available to add to Intune from the Google Play store. Intune can deploy these apps to Android devices.

Managed Google Play apps | Managed Google Play apps are available to add to Intune from the Managed Google Play store. Intune can deploy these apps specifically to Android Enterprise devices. Intune provides an app type specifically for Managed Google Play apps, which makes it easy to add this type of app. There are three types of Managed Google Play apps: Managed Google Play store app, Managed Google Play private app, and Managed Google Play web apps.

iOS/iPadOS store apps | iOS store apps are available to add to Intune from Apple's app store. Intune can deploy these apps to iOS/iPadOS devices.

Microsoft Store apps | Microsoft Store apps are available to add to Intune from the Microsoft app store. Intune can deploy these apps to Windows devices.

Store apps can be added to Intune by first selecting the app type.

Note

Microsoft Store for Business will be retired in the first quarter of 2023. However,
admins can still leverage the connection to Store for Business and Education from
their UEM solution to deploy apps to managed Windows 11 devices until they are
retired in 2023.

Intune integrates directly with the app stores when adding apps for many app scenarios.
In addition, Intune provides capabilities to assign, configure, protect, manage, and retire
the apps that you need to manage. Also, Intune provides several reports to keep track of
app protection, installation, and licensing.
Understand line-of-business apps for Intune
Article • 03/28/2023

A line-of-business (LOB) app is an app that you add to Microsoft Intune from an app
installation file. Line-of-business (LOB) apps are commonly referred to as custom apps
and in-house apps because they're typically created by your organization. These apps
support a specific purpose for your organization. To include LOB apps in your managed
environment, you upload the app installation file to Intune and assign the app to
devices or groups from Intune. Intune supports LOB apps for Android devices,
iOS/iPadOS devices, Windows devices, and macOS devices.

When your organization initially creates an app for the members of your organization to
use, they can include support for Intune app configuration policies and app protection
policies. This support allows Intune to manage your LOB app. To add this support to
your app, your organization must use either the Intune App SDK or the Intune App
Wrapping Tool.

Line-of-business app types

You can create LOB apps that are supported by Intune for Android, iOS/iPadOS,
Windows, and macOS devices.

App type | Description

Android line-of-business (LOB) apps | Android LOB apps are typically developed in-house. This app type requires you to upload an Android .apk file to Intune. Intune installs the LOB app on the user's device.

iOS/iPadOS LOB apps | iOS/iPadOS LOB apps are typically developed in-house. This app type requires you to upload an iOS .ipa file to Intune. Intune installs the LOB app on the user's device. You need to join the Apple Developer Enterprise Program to use this specific app type.

Windows LOB apps | Windows LOB apps are typically developed in-house. This app type requires you to upload a Windows app package file. The file extensions for Windows apps include .msi, .appx, .appxbundle, .msix, and .msixbundle. Intune installs the LOB app on the user's device using a process called sideloading, which allows an app that isn't certified by the Microsoft Store to be installed using the Intune Management Extension.

macOS LOB apps | macOS LOB apps are typically developed in-house. This app type requires you to upload a .pkg file to Intune. Intune installs the LOB app on the user's device.

macOS apps (DMG) | macOS apps (DMG) are typically developed in-house. This app type requires you to upload a .dmg file to Intune. Intune installs the LOB app on the user's device. The Microsoft Intune management agent must be installed on managed macOS devices to enable advanced device management capabilities that aren't supported by the native macOS operating system. The Apple disk image (DMG) file can include one or more apps to deploy.

Windows app (Win32) | Win32 apps are typically developed in-house. This app type requires you to upload a Windows app package file. Win32 apps must be contained in a .intunewin file to upload to Intune. Intune installs the Win32 app on the user's device using sideloading, which allows an app that isn't certified by the Microsoft Store to be installed. Intune supports both 32-bit and 64-bit operating system architecture for this file type. Win32 apps offer more control within Intune than a Windows LOB app.

LOB apps can be added to Intune by first selecting either Line-of-business app or
specifically macOS app (DMG).

When you select Line-of-business app, you'll have the option to add your specific
installation package file. Also, you can choose to use Test Base to help you manage
the performance of your LOB app.
Understand built-in apps for Intune
Article • 03/28/2023

The built-in app type makes it easy for you to assign curated managed apps, such as
Microsoft 365 apps and third-party apps, to iOS/iPadOS and Android devices. You can
assign specific apps for this app type, such as Excel, OneDrive, Outlook, Skype, and
others. After you add an app to Intune, the app type is displayed as either Built-in iOS
app or Built-in Android app. By using the built-in app type, you can choose which of
these apps to publish to device users.

When possible, instead of using store app types, we recommend that you use the
built-in app type. By using the built-in app type, you have the additional flexibility to
edit and delete Microsoft 365 apps.

Apps that are built in

App type | Description

Built-in iOS/iPadOS app | Built-in iOS/iPadOS apps are specific apps that have been designed to work with Microsoft Intune.

Built-in Android app | Built-in Android apps are specific apps that have been designed to work with Microsoft Intune.

Built-in apps can be added to Intune by selecting Built-In app.

Understand web apps in Intune
Article • 03/28/2023

Intune supports various app types, including web apps and web links. A web app is
commonly an app that is displayed in a web browser and processes both locally on the
client device and in the cloud. A web link is simply a URL to a web page.

A web app can be complex when it's designed as a client-service application. The service
provides the web app, which includes the UI, content, and functionality. Additionally,
modern web-hosting platforms commonly offer security, load balancing, and other
benefits. A web app is separately maintained on the web. You use Microsoft Intune to
point to this app type. You also assign the groups of users that can access this app.

A web link (or web clip) is a URL that displays a web page within a protected browser on
the user's device. Intune creates a shortcut to the web app on the user's device. For
iOS/iPadOS devices, a shortcut to the web app is added to the home screen. For
Android Device Admin devices, a shortcut to the web app is added to the Intune
company portal widget, and the widget needs to be pinned manually by the user. For
Windows devices, a shortcut to the web app is placed on the Start Menu.

Note

A browser must be installed on the user's device to launch web apps.

App type | Description

iOS/iPadOS web clip | An iOS/iPadOS web clip is a shortcut that you assign to iOS users or devices. The shortcut contains a URL that opens a browser.

Windows web link | A Windows web link is a shortcut that you assign to Windows users or devices. The shortcut contains a URL that opens a browser. For Windows 10 and later devices, the shortcut is added to the Start menu.

Web link | A Web link is a shortcut that you assign to users or devices running iOS, Android, or Windows. This link allows you to reach the same web location from multiple platforms (cross platform web app). Web links (Web apps) aren’t supported on Android Enterprise devices with work profiles.

Managed Google Play web link | A Managed Google Play web app is a shortcut that you assign to users or devices running Android. You create this web app from the Managed Google Play app store by selecting Managed Google Play app as the app type within Intune. This link is installable and manageable just like other Android apps.

Web apps can be added to Intune by selecting a web app type.

Understand Microsoft apps in Intune
Article • 03/28/2023

There are specific Microsoft app types that allow you to install and manage Microsoft
365 apps, Microsoft Edge, and Microsoft Defender for Endpoint. The app types are
specific to Windows 10 and later, and also macOS. Users must have an account and
license to use these apps, such as one of the licenses you can select for Microsoft Intune.

Note

For licensing and plan information related to device and app management, see
Microsoft 365 enterprise plans.

Microsoft apps that support Intune

You and the members of your organization may use Microsoft Office, OneDrive, Excel,
and Outlook regularly, which are all supported by Microsoft Intune. However, there are
dozens of other Microsoft apps for Android and iOS/iPadOS that support various app
capabilities supported by Intune. These include the following capabilities:

Core app protection policy settings
App configuration
Org allowed accounts (iOS, Android)
Sync policy managed app data with native apps (iOS, Android)
Org data notifications (iOS, Android)
Open data into Org documents (iOS, Android)
Save copies of org data (iOS, Android)

Note

Many of the Microsoft apps connect the user to services, such as OneDrive.

For a complete list of supported Microsoft apps, see Microsoft Intune protected apps.

Specific Microsoft apps

App type | Description

Microsoft 365 apps for Windows 10 and later | This app type allows you to choose one or more Microsoft 365 Apps for managed devices running Windows 10 or later. Users must have an account and license to use these apps. When you add Microsoft 365 Apps to Intune, you can install your choice of Microsoft 365 Apps on managed devices running Windows 10 or later.

Microsoft 365 apps for macOS | This app type allows you to choose one or more Microsoft 365 Apps for managed devices running macOS. Users must have an account and license to use these apps.

Microsoft Edge for Windows 10 and later | You can assign and install Microsoft Edge version 77 and later to devices you manage that run Windows 10 and macOS.

Microsoft Edge for macOS | You can assign and install Microsoft Edge version 77 and later to devices you manage that run Windows 10 and macOS. These app types make it easy for you to assign Microsoft Edge to macOS devices without requiring you to use the macOS app wrapping tool. To help keep the apps more secure and up to date, the app comes with Microsoft AutoUpdate (MAU).

Microsoft Defender for Endpoint for macOS | You can also assign and install Microsoft Defender for Endpoint to devices you manage that run macOS. This app type makes it easy for you to assign Microsoft Defender for Endpoint to macOS devices without requiring you to use the macOS app wrapping tool. To help keep the apps more secure and up to date, the app comes with Microsoft AutoUpdate (MAU).

Microsoft apps can be added to Intune by selecting one of the Microsoft app types.

Purchase apps for Intune
Article • 03/28/2023

There are a variety of apps that you can use with Microsoft Intune. Some apps are free
for the members of your organization to use, while other apps require either a license
and/or an account for each user to use the app. For instance, Microsoft Outlook requires
both a license and an account to use the app. Within Microsoft Intune admin center,
you can select store apps and freely add them to Intune. Based on the supported
integration with Intune, you can then configure these apps so that the members of your
organization can easily set them up and use them based on your unique company
requirements. Also, you can add app protection policies for each app to protect your
company's data on various levels.

Note

Many of the apps available from Intune are free to add to Intune and assign to
members of your organization. Apps that you must purchase to add to Intune are
available through a volume purchase program. For app licensing information, see
Understand app licenses used in Intune.

Apps available for purchase


Whether an app is freely available or you must purchase the app, you must follow
similar processes to obtain the app.

Common types of apps to purchase and/or add:

- Individual store apps
- Volume purchased apps
- Partner productivity apps
- Partner UEM apps
- In-app purchases

Individual store apps


Intune integrates directly with the different supported platform stores. Within Intune,
you can find and select free store apps for Windows, iOS, and Android. Intune displays
the available store apps directly in Intune. When adding an app to Intune, you can select
each app by platform and choose the users and devices that will receive the app.

Important

Intune only shows free store apps. Store apps that require a payment method will
not be displayed as an available store app from within Intune unless you have a
license for the app.

Note

Intune does support specific macOS application types, such as Microsoft 365 Apps,
Microsoft Edge, version 77 and later, Microsoft Defender for Endpoint, Web link,
Line-of-business app, and macOS app (DMG).

For more information about store apps, see Purchase store apps for Intune.

Volume purchased apps


The Apple stores give you the ability to purchase multiple licenses for an app (or book)
that you want to distribute to the members of your organization. Buying licenses in bulk
can help you reduce the administrative overhead of tracking multiple purchased copies
of apps. Microsoft Intune helps you manage apps and books that you purchased
through such a program. You import license information from the store vendor, and
track how many licenses you've used. This process helps to ensure that you don't install
more copies of the app than you own.

Note

You can use Intune policies to block end-users from accessing the app store on
their devices. You can also remove purchase restriction by allowing end-users to
add new accounts to their device. Doing so will enable end-users to be able to
purchase store apps for their personal use.

The iOS/iPadOS device platform has a method to purchase apps for your organization
in bulk:

- Apple provides the Apple Business Manager.

Note

Managed Google Play only supports free apps.


Microsoft Store for Business will be retired in the first quarter of 2023. However,
you can still leverage the connection to Store for Business and Education from your
UEM solution to deploy apps to managed Windows 11 devices until they are retired
in 2023.

For more information about volume purchased apps, see Purchase apps in volume for
Intune.

Partner productivity apps


There are several Intune partner productivity apps that support Intune configuration and
protection. These apps are available from various sources and often provide support for
both iOS/iPadOS and Android devices. For apps that require you to purchase a license,
subscription, or account for each user to use the app, you'll need to work directly with
the app vendor.

Areas of support include the following settings:

- Core Intune app protection policy settings
- Advanced Intune app protection policy and app configuration policy settings

Partner UEM apps


In addition to standard store apps that can be managed, you can add specific partner
UEM apps to Intune. These apps are also available in either the Google Play Store or the
Apple App Store. However, these apps are capable of supporting advanced app
protection policy and app configuration policy settings. You may need to work directly
with the app vendor to purchase a license, subscription, or account for each user to use
the related app.

In-app purchases

Many apps offer core functionality for free, however there are those apps that provide
more capabilities that you can purchase from within the app. Purchasing additional app
functionality within an app is called "in-app purchases".

iOS in-app purchase settings

You can choose to block in-app purchases specifically for iOS devices using device
restriction settings. To force users to enter the Apple ID password for each in-app or
iTunes purchase, you can set Require iTunes Store password for all purchases to Yes.
However, the default is Not configured. Intune doesn't change or update this setting. By
default, the OS might allow purchases without prompting for a password every time. To
block in-app purchases from the Apple store, set Block in-app purchases to Yes. When
set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow store purchases within a running app.

Android in-app purchase settings


On Android devices, you can allow access to all apps in Google Play store by allowing
users to add new accounts to the device. However, doing so enables end users not only
to have the ability to conduct in-app purchases from the Google Play store using
personal accounts, but purchase apps as well.

Verify purchased apps in Intune


You can verify the apps that you've purchased to use with Intune by checking details
within Intune. You can manage app store tokens, view app store connectors, and
monitor app licenses from Intune. For more information, see Manage app licenses used
in Intune.
Purchase store apps in Intune
Article • 03/28/2023

Many of the standard store apps displayed from within Microsoft Intune are freely
available for you to add and deploy to members of your organization. In addition, you
can purchase store apps for each device platform.

The following table provides the different categories available for store apps:

Store app category and description:

Free store apps: You can freely add these apps to Intune and deploy them to the members of your organization. These apps don't require any additional cost to use. To add a free store app to Intune, see Add apps to Microsoft Intune Overview.

Purchased apps: You must purchase licenses for these apps before adding to Intune. The iOS device platform offers a standard method to purchase licenses for apps that you use with Intune. Intune provides methods to manage the app license for each end user. For more information about purchasing apps for each device platform, see Purchase apps in-volume for Intune.

Apps requiring an account, subscription, or license from the app developer: You can freely add and deploy these apps from Intune, however the app may require an account, subscription, or license from the app vendor. For a list of apps that support Intune management functionality, see Partner productivity apps and Partner UEM apps. NOTE: For apps that may require an account, subscription, or license, you must contact the app vendor for specific app details.

Apps included with your Intune license: The license you use with Microsoft Intune may include the app licenses your organization requires. For more information, see Microsoft app licenses included with Intune.

Note

In addition to purchasing app licenses, you can create Intune policies that allow
end users to add personal accounts to their devices to purchase unmanaged apps.

Add store apps based on platform


You can use Intune to display apps that are either freely available, or available because
you have a license for the app.

The following table lists the specific store app types and how you can add them to
Intune from the Select app type pane:

App type (general type; device platform): App-specific procedures

Android store apps (Store app; Android): Select Android store app as the App type, click Select, then enter the Google Play store URL for the app.

iOS/iPadOS store apps (Store app; iOS/iPadOS): Select iOS store app as the app type, search for the app, and select the app in Intune.

Microsoft Store apps (Store app; Windows): Select Microsoft Store app as the app type, and search the Microsoft Store for the app. NOTE: For legacy store apps, you must enter a Microsoft Store URL.

Managed Google Play apps (Store app; Android Enterprise): Select Managed Google Play as the app type, search for the app, and select the app in Intune. Managed Google Play apps must be approved using your Google account. Then, Intune must sync with the Managed Google Play store before you can select these apps in Intune.

Android Enterprise apps (Store app; Android): Select Managed Google Play as the app type, search for the app, and select the app in Intune.

Microsoft 365 apps for Windows 10 and later (Store app (Microsoft 365); Windows): Select Windows 10 and later under Microsoft 365 Apps as the app type, and then select the Microsoft 365 app that you want to install.

Microsoft 365 apps for macOS (Store app (Microsoft 365); Windows): Select macOS under Microsoft 365 Apps as the app type, and then select the Microsoft 365 app suite.

Microsoft Edge, version 77 and later for Windows 10 and later (Store app; Windows): Select Windows 10 and later under Microsoft Edge, version 77 and later as the app type.

Microsoft Edge, version 77 and later for macOS (Store app; Windows): Select macOS under Microsoft Edge, version 77 and later as the app type.

Microsoft Defender for Endpoint (macOS) (Store app (Microsoft Defender ATP); macOS): Select macOS under Microsoft Defender for Endpoint as the app type and then continue by setting up the app in Intune.

You can add an app from Microsoft Intune admin center in the Apps workload. You
can find free apps in the app store by selecting Search the App Store.

Note

The Managed Google Play store only supports free apps. Standard Google apps are
added to Intune as an Android store app. To add a Managed Google Play app, you
must find and approve the app from the Managed Google Play store, then sync the
app with Intune. For more information, see Managed Google Play.

Removing store limitations


An Android Enterprise fully managed device won't allow employees to install any apps
that aren't approved by the organization. Also, employees won't be able to remove any
installed apps against policy. If you wish to allow users to access the full Google Play
store to install apps rather than only having access to the approved apps in Managed
Google Play store, you can set the Allow access to all apps in Google Play store to
Allow. With this setting, the user can access all the apps in the Google Play store using
their corporate account, however purchases may be limited. You can remove the limited
purchases restriction by allowing users to add new accounts to the device. Doing so
enables end users to have the ability to purchase apps from the Google Play store using
personal accounts, and conduct in-app purchases. For more information, see Android
Enterprise device settings to allow or restrict features using Intune.

Purchase apps in-volume for Intune
Article • 03/28/2023

App licenses that you purchase in-volume are purchased through a volume purchase
program (VPP). Apple lets you purchase multiple app licenses using Apple Business
Manager (https://support.apple.com/guide/apple-business-manager/sign-up-axm402206497).
Depending on your Microsoft Intune license, you may already have
Microsoft app licenses available to add and deploy.

Note

The Managed Google Play store and Microsoft Store only support free apps. For
more information, see Managed Google Play and Microsoft Store.

Apple Business Manager


Apple Business Manager is a web-based portal that allows you to purchase apps that
can be managed by Intune. Apple lets you purchase multiple licenses for an app that
you can use for your organization on iOS/iPadOS and macOS devices. Once you set up
Apple Business Manager, you can purchase the apps that you need. After purchasing
apps, you can synchronize and manage your purchased licenses using Intune. In
addition to managing apps, you can use Intune to enroll and manage the Apple devices
used by your organization.

Note

If your organization is a school, you can use Apple School Manager to purchase
apps. Once the apps are purchased, you can sync Apple School Manager with
Microsoft Intune, where you can manage those apps. For Apple School Manager
set up details, see Set up Apple School Manager.

Set up Apple Business Manager


You can purchase app licenses from Apple Business Manager in-volume. Before
purchasing licenses, first determine the number of licenses you need. Once you've
purchased the app licenses, you can then synchronize your volume purchase
information with Intune and track your volume-purchased app use. Purchasing app
licenses helps you efficiently manage apps within your company and retain ownership
and control of purchased apps. Before you use Microsoft Intune to manage the
iOS/iPadOS and macOS apps that your organization would like to use, you must follow
Apple's guidelines to check requirements, sign-up, and purchase apps.

Follow Apple's guidelines to set up Apple Business Manager:

1. Confirm you meet the requirements to use Apple Business Manager.
2. Sign up for Apple Business Manager.

After you've signed up to use Apple Business Manager and purchased your app licenses,
you can sync from Microsoft Intune to manage your Apple apps on the Apple devices
used at your organization. Managing apps with Intune includes setting the app
configuration policies, setting the app protection policies, assigning the apps, and
monitoring the apps.

Purchase apps using Apple Business Manager


Using Apple Business Manager, you can find and purchase standard apps, custom
apps, and unlisted apps. Custom and unlisted apps are apps that have been tailored
specifically for your organization by app developers that you, or your organization,
have worked with directly.

Before you can purchase apps using Apple Business Manager, you must add a payment
method to Apple Business Manager. A payment method is required to purchase any
app, including free apps.

Follow Apple's guidelines to add payment information and purchase apps using Apple
Business Manager:

1. Add a payment method to Apple Business Manager
2. Find, select, and purchase apps from Apple Business Manager

Tip

To see all available apps in Apple Business Manager, your Apple Business Manager
role must be Administrator or Content Manager.

For related information about purchasing apps, see Intro to purchasing content in Apple
Business Manager.

Sync purchased Apple app licenses with Microsoft Intune


Microsoft Intune helps you manage apps you purchased from Apple Business Manager
by synchronizing app license information (location tokens) you download from Apple
Business Manager. Location tokens are volume purchase licenses that were commonly
known as Volume Purchase Program (VPP) tokens. With VPP tokens, you can assign and
manage licenses purchased using Apple Business Manager. These tokens are then
downloaded from Apple Business Manager and uploaded (synched) into Microsoft
Intune. Each token is commonly valid for one year.

Note

VPP apps can only be added via a connector to the service. The connector syncs
the location tokens.

Follow the Intune guidelines to upload and sync an Apple VPP token:

- Upload multiple location tokens per tenant (/mem/intune/apps/vpp-apps-ios#upload-an-apple-vpp-or-apple-business-manager-location-token) using Intune.

In addition to synchronizing location tokens, Intune helps you track how many licenses
are available and have been used for purchased apps, and helps you install apps up to
the number of licenses you own.

Note

You can also synchronize, manage, and assign books you purchased from Apple
Business Manager with Intune to iOS/iPadOS devices.

For more information, see How to manage iOS and macOS apps purchased through
Apple Business Manager with Microsoft Intune.

Assign a volume-purchase iOS/iPadOS app using Intune

Once Apple apps have been integrated and synced with Intune, you can deploy the app
to members of your organization by assigning the app to groups of users listed in
Intune. To assign an app, you must already have users added to Intune and groups of
users created. For more information, see Add users and grant administrative permission
using Intune and Add groups to organize users and devices using Intune.

Follow the Intune guidelines to assign iOS/iPadOS apps:

- Assign apps to groups with Microsoft Intune

Microsoft Store

Microsoft Store is a web-based portal that allows you to find apps that can be
managed by Intune. Admins can browse, deploy, and monitor Microsoft Store
applications inside Intune. Upon deployment, Intune automatically keeps the apps up to
date when a new version becomes available. The Microsoft Store supports UWP apps,
desktop apps packaged in .msix, and now Win32 apps packaged in .exe or .msi installers.

Access Microsoft Store


You can add free apps to Microsoft Intune from the Microsoft Store. Oftentimes, even
apps that require a license can be added to Intune and distributed to your
organization. However, you may need a license, subscription, or user account to use the
app. Before you use Microsoft Intune to manage the apps you purchase, you should
check requirements.

Microsoft Store requirements:

Confirm that your mobile device management (MDM) authority is set to Microsoft
Intune.

Note

The Microsoft Store for Business no longer supports purchasing apps.

Acquiring apps using Microsoft Store


You can add apps from the Microsoft Store to Intune. You'll need to check with the app
vendor or developer to determine the licensing for your organization.

Select apps that you want to include in Intune:

1. Find and select the apps from Microsoft Store.
2. Add the apps to Intune.
3. Assign the apps to devices and groups.

Managed Google Play


Managed Google Play apps are available to add to Intune from the Managed Google
Play store. Intune can deploy these apps specifically to Android Enterprise devices.
You can use Intune to deploy apps through the Managed Google Play store for any
Android Enterprise device scenarios, including personally owned work profile, dedicated,
fully managed, and corporate-owned work profile enrollments.

There are three types of Managed Google Play apps:

- Managed Google Play store app
- Managed Google Play private app
- Managed Google Play web apps

Note

The Managed Google Play store no longer supports purchasing apps. You can still
purchase apps from developers and add them to your private store.

Add a Managed Google Play store app to Intune


Managed Google Play apps are available to add to Intune from the managed Google
Play Store. Intune can deploy these apps specifically to Android Enterprise devices.
Intune provides the Managed Google Play app type as an option within Intune, which
makes it easy to add these apps to Intune. You can browse and approve Managed
Google Play apps in a view hosted within Intune. You don't have to reauthenticate with a
different account when adding these apps.

Follow the Intune guidelines to add Managed Google Play apps:

Confirm that your mobile device management (MDM) authority is set to Microsoft
Intune.
Ensure that Android Enterprise is available in your country or region. For more
information, see Is Android Enterprise available in my country?
Add a Managed Google Play store app directly in the Microsoft Intune.

Note

As an alternative, you can specifically connect your Intune tenant to Managed
Google Play, approve Managed Google Play apps, and sync those apps with
Microsoft Intune. This process follows similar steps used to approve and sync apps
for other platforms. For more information, see Add a Managed Google Play store
app in the Managed Google Play console (Alternative).

To make it easier for you to configure and use Android Enterprise management, upon
connecting your Intune tenant to Managed Google Play, Intune will automatically add
four common Android Enterprise related apps to the Intune admin center. The four are
the following apps:

- Microsoft Intune: Used for Android Enterprise fully managed scenarios. This app is automatically installed to fully managed devices during the device enrollment process.
- Microsoft Authenticator: Helps you sign in to your accounts if you use two-factor verification. This app is automatically installed to fully managed devices during the device enrollment process.
- Intune Company Portal: Used for App Protection Policies and Android Enterprise personally owned work profile scenarios. This app is automatically installed to fully managed devices during the device enrollment process.
- Managed Home Screen: Used for Android Enterprise dedicated multi-app kiosk scenarios. IT admins should create an assignment to install this app on dedicated devices that are going to be used in multi-app kiosk scenarios.

Understand app licenses used in Intune
Article • 03/28/2023

Before you can distribute managed apps to members of your organization, you must
add the apps to Intune. Many of the apps that you use with Intune can be added to
Intune and deployed to users' devices for free. However, some apps that you can deploy
to the members of your organization may require either a license, subscription, or
account for each user to use the app. Intune helps you manage app licenses as tokens.
Additionally, Intune uses Azure Active Directory (Azure AD) to help manage user
credentials that managed apps can utilize.

The following table provides the primary ways to obtain app licenses that you can use
with Intune:

App license type and description:

Standard license included with app: You can freely add these apps to Intune and deploy them to the members of your organization. These apps don't require any additional cost to use.

Purchased app license: You must purchase licenses for these apps before adding them to Intune and deploying them to members of your organization. Each device platform (Windows, iOS, Android) offers a standard method to purchase licenses for these apps. In addition, Intune provides methods to manage the app license for each member (end user) of your organization.

License for apps requiring an account, subscription, or license from the app developer: You can freely add and deploy the app from Intune, but the app requires an account, subscription, or license from the app vendor to use.

Microsoft app license of apps included with your Intune license: Based on your Microsoft Intune license, you may already have Microsoft app licenses available, allowing you to add and deploy apps to members of your organization.

Standard license included with app


As previously mentioned, many of the apps available to select within Microsoft Intune
admin center are free to use. You can add these apps to Intune and assign them to
the members of your organization without additional cost. The members of your
organization can use the app without any additional license, subscription, or account.
Each app may have its own standard use-license.

Note

Each app type for their related platform is added within Microsoft Intune admin
center by selecting Apps > All apps > Add.

For more information, see Add apps to Microsoft Intune Overview.

Acquire app licenses


For iOS apps, you can purchase or acquire app licenses in-volume through Apple's
volume purchase program (VPP). Apple lets you purchase multiple app licenses using
Apple Business Manager. Depending on your Microsoft Intune license, you may
already have Microsoft app licenses for specific apps available to add and deploy. Once
you've connected your VPP app license with Intune, you can find and add those apps
using the regular Add app process. For more information, see Understanding licensed
apps and Purchase apps in-volume for Intune.

Apps requiring account, subscription, or license from the app vendor

You can freely add and deploy most apps provided within Microsoft Intune admin
center, but there are apps that require an account, subscription, or license from the
app vendor to use. After assessing your organization's app requirements, you must
contact the app vendor for apps that you can't purchase through a VPP program.

Microsoft app licenses included with Intune


Intune includes several Microsoft apps based on the Microsoft license that you use for
Intune. To learn more about the different Microsoft enterprise licenses available that
include Intune, see Microsoft Intune licensing. To compare the different Microsoft apps
that are available with Microsoft 365, see the licensing options available with Microsoft
365. To see all the options for each plan (including the available Microsoft apps),
download the full Microsoft subscription comparison table and locate the plans that
include Microsoft Intune.

App functionality included with Microsoft 365 E5 license


When you purchase a plan that includes Microsoft Intune, there are Microsoft apps
included with the license. For instance, common areas of functionality included with an
E5 Enterprise Mobility + Security license are displayed in the following table.

Capability / Feature and details:

Microsoft 365 apps: Includes online apps, such as Microsoft Word, Excel, PowerPoint, OneNote, Outlook, and more

Email, calendar, and scheduling: Includes Microsoft Exchange and Outlook desktop client

Meetings, calling, and chat: Includes Microsoft Teams

Social, intranet, and storage: Includes SharePoint, Viva Engage, and Viva Connections

Content services: Includes Microsoft Graph API, Microsoft Search, Microsoft Stream, and more

Project and task management: Includes Microsoft Planner and Microsoft To-Do

Analytics: Includes Productivity Score, Secure Score, Compliance Management, and Power BI Pro

Viva Insights and Viva Learning: Includes Personal insights in Teams, Viva Learning in Teams, and more

Automation, app building, and chatbots: Power Apps for Microsoft 365, Power Automate for Microsoft 365, and more

Information protection: Azure Information Protection, Automatic sensitivity labeling in Office 365 apps, Endpoint Data Loss Prevention, and more

Threat protection: Microsoft Defender Antimalware, Microsoft Defender Firewall, Application Guard for Office 365, and more

Access and security: Microsoft Defender for Cloud Apps Discovery, Microsoft Defender for Cloud Apps, Office 365 Cloud App Security

Identity and access management: Azure Active Directory Premium, Multi Factor Authentication, Microsoft Advanced Threat Analytics, and more

Data lifecycle management: Rules-based Retention Policies, Machine Learning-based Retention, and more

eDiscovery and auditing: Content Search, eDiscovery, and more

Risk management: Communication Compliance, Privileged Access Management, and more

Windows: Windows 11 Edition, Azure Virtual Desktop, and Universal Print


Manage app licenses used in Intune
Article • 03/28/2023

Before you can manage app licenses in Intune, you must first add the apps to Intune.
Part of adding the app to Intune may require you to purchase app licenses for your
organization. For iOS/iPadOS apps, this process involves first creating a business
account for the platform according to Apple's guidelines. This process is commonly
called a "volume purchase program" where you purchase app tokens. Each token
represents an individual user license for the related app. Once you've purchased the app
tokens that you need, you can sync those tokens with Intune. When the tokens have
been synched, you can add the app to Intune, and then assign the app to end users.

For more information about purchasing apps in-volume for each platform type, see
Purchase apps in-volume for Intune.

Manage app store licenses


Once you have purchased the licenses as tokens for the apps you want to assign to the
members of your organization, you can manage those tokens in Intune. As previously
mentioned, Intune provides volume purchased store apps as tokens for apps available in
the Apple Apps Store.

Manage tokens from Apple Apps Store


Apple Business Manager and Apple School Manager are the locations to find and
purchase apps for the iOS/iPadOS and macOS devices that are used by members of
your organization. Apple lets you purchase multiple licenses for an app that you want to
use in your organization from these locations. You can then synchronize your volume
purchase information with Intune and track your volume-purchased app use. Purchasing
app licenses helps you efficiently manage apps within your company and retain
ownership and control of purchased apps.

You must create an Apple ID and purchase the app license from Apple. Once you
complete the purchase process, you'll be able to download and synchronize the related
app tokens with Intune. This synchronization process allows you to track how many
licenses are available and have been used for iOS/iPadOS and macOS purchased apps.
Then, you can add the apps to Intune and assign the apps to members of your
organization in the same way you assign any other app. For more information, see How
to manage iOS and macOS apps purchased through Apple Business Manager with
Microsoft Intune.

Note

You can also synchronize, manage, and assign books you purchased from Apple
Business Manager with Intune to iOS/iPadOS devices. For more information, see
How to manage iOS/iPadOS eBooks you purchased through a volume-purchase
program.

View app store connector status


Your Intune tenant maintains a connection with each of the apps stores to ensure that
your app tokens for each store are up-to-date and correctly synched. The store
connections are called connectors. You can confirm the status of each connector by
viewing the Connector status tab listed in the Tenant status page (select Tenant
administration > Tenant status > Connector status). If you find that the connector isn't
in-sync, you can navigate within Intune to the Connectors and tokens workload to
manually sync the connector and tokens for each store.

Monitor app licenses used in Intune

Intune provides a list of all the app licenses your tenant currently has in use. You can see
the license name, the total number of licenses, the available licenses left to use, and the
current licenses in use. When you view this list, you can also sync your volume purchase
program (VPP) licenses to be certain the list is up-to-date. For related information, see
[Monitor app information and assignments with Microsoft Intune](/mem/intune/apps/apps-monitor).
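
The following PowerShell script is an added example for this section and for the token-sync discussion under "Manage tokens from the Apple App Store"; it is not part of the Intune documentation or Microsoft's own tooling. It reads, through Microsoft Graph, the same data the admin center shows under Connector status and App licenses: each Apple VPP token's state, last sync result, and expiry, and the used versus total license counts of each volume-purchased iOS app. It then requests a license sync for any token whose last sync failed, which is the same action as the manual sync in the Connectors and tokens workload. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds DeviceManagementApps.ReadWrite.All (Read.All suffices if you drop the final sync step), and that the 30-day expiry warning and the $HeadroomWarning threshold are values chosen for this example.

```powershell
# Added example, not from the Intune documentation: report Apple VPP token health and
# per-app license headroom via Microsoft Graph, then re-sync tokens whose last sync failed.
# Assumes: Microsoft.Graph PowerShell SDK installed; signed-in account holds
# DeviceManagementApps.ReadWrite.All. Thresholds below are arbitrary choices for this example.

$HeadroomWarning = 10    # warn when fewer than this many licenses remain for an app
$ExpiryWarningDays = 30  # warn when a token expires within this many days

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome

# Follow @odata.nextLink so large tenants return every object, not just the first page.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# 1. Token health: state, last sync result, and time to expiry (what Connector status shows).
$tokens = Get-GraphCollection -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/vppTokens"
foreach ($t in $tokens) {
    $expiry = ([datetime]$t.expirationDateTime).ToUniversalTime()
    $daysToExpiry = [int](($expiry - [datetime]::UtcNow).TotalDays)
    $problems = @()
    if ($t.state -ne 'valid')               { $problems += "state=$($t.state)" }
    if ($t.lastSyncStatus -eq 'failed')     { $problems += "last sync failed" }
    if ($daysToExpiry -lt $ExpiryWarningDays) { $problems += "expires in $daysToExpiry days" }

    $status = if ($problems) { "WARN: " + ($problems -join '; ') } else { "OK" }
    "{0,-40} {1,-10} {2}" -f $t.organizationName, $t.vppTokenAccountType, $status
}

# 2. License headroom per volume-purchased iOS app (the used/total counts shown under
#    Apps > Monitor > App licenses). Filtering on @odata.type client-side avoids relying
#    on server-side isof() filter support.
$apps = Get-GraphCollection -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps"
$vppApps = $apps | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.iosVppApp' }
foreach ($a in $vppApps) {
    $free = $a.totalLicenseCount - $a.usedLicenseCount
    $flag = if ($free -lt $HeadroomWarning) { "LOW" } else { "" }
    "{0,-40} used {1,5} / {2,5}  free {3,5} {4}" -f $a.displayName, $a.usedLicenseCount, $a.totalLicenseCount, $free, $flag
}

# 3. Request a license sync for any token whose last sync failed. This is the same action as
#    the manual sync under Tenant administration > Connectors and tokens > Apple VPP tokens.
foreach ($t in ($tokens | Where-Object { $_.lastSyncStatus -eq 'failed' })) {
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/vppTokens/$($t.id)/syncLicenses"
    "Requested license sync for token $($t.organizationName)"
}
```

Run it from a PowerShell session where you can sign in interactively; the sync in step 3 is asynchronous, so re-run step 1 a few minutes later to see lastSyncStatus move from inProgress to completed or failed.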
Add apps to Microsoft Intune Overview
Article • 03/28/2023

Before you can add apps to Microsoft Intune, you must first set up Intune. If you're new
to Intune, start with the Microsoft Intune free trial. Trying out Intune is free for 30 days.
When you complete the sign-up process, you'll have a new tenant that you can use to
evaluate Intune. A tenant is a dedicated instance of Azure Active Directory (Azure AD)
where your subscription to Intune is hosted. You can then configure the tenant, which
involves many capabilities that you can use to protect your organization. One of those
involves adding apps to Intune.

As an IT admin, you can use Intune to manage the apps that members of your
organization use. This management functionality is in addition to managing devices and
protecting data. One of your priorities as an admin is to ensure that the members of
your organization have access to the apps they need to do their work. This goal can be a
challenge because:

There is a wide range of device platforms and app types.
You might need to manage apps on both organization (company) devices and
users' personal devices.
You must ensure that your network and your data remain secure.
Additionally, you might want to assign and manage apps on devices that aren't
enrolled with Intune.

The end users of apps and devices at your organization might have several app
requirements. Before adding apps to Intune and making them available to members of
your organization, you may find it helpful to assess the app capabilities your
organization needs. Are there specific apps that your organization needs? Do you
support multiple types of devices? Do you need to manage corporate devices only? Will
you manage the apps on personal devices used to access corporate resources? Are
there specific groups of users at your organization that need different protection and
configuration of devices and apps?

This article helps you do the following tasks:

Determine app requirements and questions that you should consider
Provide categories of apps that the members of your organization use
Acquire and add apps to Intune individually and in-volume
Add apps based on recommended options
Understand how to manage apps and confirm app license use

Follow these steps to add apps to Intune:


1. Assess app requirements
2. Create categories for apps
3. Purchase apps
4. Add apps to Intune
5. Manage apps and licenses

Once you've completed the above steps, you are ready to configure, protect, assign, and
monitor the managed apps your organization uses.
Step 1. Assess app requirements
Article • 03/28/2023

As an IT admin, before adding apps to Intune and making them available to the
members of your organization, you may find it helpful to determine a few app
requirements for your organization up front. You must determine app requirements,
such as the platforms and capabilities that the members of your organization require.
You must determine whether to use Intune to manage the devices as well as the apps, or
have Intune manage just the apps without managing the devices. Intune supports both
of these Mobile Application Management (MAM) configurations. In addition, you should
determine the apps and capabilities that the members of your organization should use
and who needs those apps. This step helps you assess and consider how you'll provide
apps to your organization.

To start, first determine your organization's requirements by answering the following key
questions:

Question: Does my organization need to use Mobile Application Management (MAM) or
Mobile Device Management (MDM)?
Details: Intune supports both MAM and MDM. MAM without device management allows
just your organization's apps to be managed by Intune, without enrolling the devices to
be managed by Intune. MAM with device management (also known as MDM) allows your
organization's apps and devices to be managed. There are advantages to each
management method. For more information, see Understanding MAM and MDM.

Question: What platforms do members of my organization use?
Details: Intune supports a number of device platforms. You should consider supporting
all possible device platforms that members of your organization use to access corporate
data. For more information, see Determine the platforms needed for each app.

Question: Which apps are needed to access organization information and data?
Details: Determine which apps are currently used by members of your organization and
which apps need to be available or added. For more information, see Determine apps
needed for your organization.

Question: Which security apps are needed by your organization?
Details: Determine which apps are currently used to protect your organization. Check
whether the security apps, such as Microsoft Defender for Endpoint, are available based
on your licensing for Microsoft Intune.

Question: Do any of the apps used by members of your organization need specific
configuration policies?
Details: Intune allows you to create and assign app configuration policies. These types
of policies are used to make sure the apps at your organization are set up correctly from
the start. For instance, members of your organization won't have to determine or input
the email settings that are needed for your organization. For more information, see App
configuration policies for Microsoft Intune.

Question: Which groups of users need specific apps?
Details: Intune allows you to add users to be managed. You can create groups of users to
organize your devices and apps. For more information, see Determine who will use the
app.

Understanding MAM and MDM


Managing the apps that the members of your organization use on their devices is called
mobile application management (MAM). MAM in Intune is designed to protect
organization data at the application level, including custom apps and store apps. App
management can be used on organization-owned devices and personal devices. When
it's used with personal devices, only organization-related access and data are managed.
This configuration allows your organization's apps to be managed by Intune, but
doesn't enroll the devices to be managed by Intune.

Managing devices at an organization is known as mobile device management (MDM).


When you manage both the apps and devices at your organization, it's often referred to
as MAM + MDM. There are additional benefits to using MDM with app protection
policies. For example, a member of your organization could have both a phone issued
by your organization, as well as their own personal tablet. The company phone could be
enrolled in MDM where it's protected at the device level and also protected by app
protection policies, while the personal device is protected by app protection policies
only.

For more information, see MAM configurations.

Determine the platforms needed for each app


Intune supports configuring and protecting the apps that the members of your
organization use. The device type (such as Windows or Android) is referred to as the
device platform, and each platform spans multiple operating system (OS) versions.
When it comes to apps, Intune supports the following platforms:

Windows
iOS/iPadOS
macOS
Android

For details about platforms for the apps your organization uses, see Deploy apps your
organization uses.

Determine apps needed for your organization


There are several types of apps that you can consider assigning to the members of your
organization. There are store apps, apps created specifically for your organization, apps
on the web, and apps that have been designed to work with Intune. You must determine
all the apps that your organization currently uses and will need to use.

Applications that you may want to consider adding to Intune commonly fall into the
following areas:

Communications
  Email, meetings, calendar, tasks, messaging
  Collaboration, communities, events, chats, channels
  Sharing, booking, calling, sales
Productivity
  Spreadsheets, presentations, writing, reading
Security
  Authentication, verification, encryption, signatures, tokens
Tools and utilities
  Editors, compression, file viewers
  Printing, annotations, workspace management
  DevOps, location services
Storage
  Cloud storage, secure file store, inventory

Consider those apps that integrate with Intune by having built-in configuration and
protection capabilities. For a list of apps, see Microsoft Intune protected apps.

For more information, see Determine the type of app for your solution.

Determine who will use the app


Intune uses Azure Active Directory (Azure AD) groups to manage devices and users. As
an Intune admin, you can set up groups to suit your organizational needs. Create groups
to organize users or devices by geographic location, department, or hardware
characteristics. Use groups to manage tasks at scale. For example, you can set policies
for many users or deploy apps to a set of devices.

As you're determining which apps the members of your organization need, consider
the various groups of users and the various apps they use. Knowing these groups is also
helpful after you've added an app. As you add an app to Intune, you assign a group of
users that can use the app.

To help determine the app users, see Determine who will use the app. For details about
adding groups of users, see Add groups to organize users and devices.

Next step

Continue with Step 2 to create and edit categories for apps in Microsoft Intune.
Step 2. Create and edit categories for apps
Article • 03/28/2023

App categories can be used to help you sort apps to make them easier for members of
your organization (end users) to find in the Company Portal. The Company Portal app,
Company Portal website, and Intune app on Android are Microsoft apps that were
created to work with Microsoft Intune. These apps are where members of your
organization can do common tasks related to app management on their individual
devices. Common tasks may include enrolling devices, installing apps, and locating
information (such as for assistance from your IT department). Additionally, these apps
allow end-users to securely access company resources. The end user experience
provides several different pages, such as Home, Apps, App details, Devices, and Device
details. To quickly find available apps within the Company Portal, end-users can filter the
apps on the Apps page. As the admin of Intune, you can assign one or more categories
to an app.

Consider adding apps that fall into the following categories:

Featured
Education
Productivity
Developer
Communication
Security
Tools
Utilities
Storage

When you add an app to Intune, you're given the option to select the category you
want. Use the platform-specific articles to add an app and assign categories. For more
information, see Create and edit categories for apps.

Next step
Continue with Step 3 to purchase or acquire apps in Microsoft Intune.
Step 3. Purchase or acquire apps
Article • 03/28/2023

When your organization purchases a license to use Microsoft Intune, there are Microsoft
communication and productivity apps available that are included with your license.
Additionally, many of the store apps are free to add to Intune and assign to members of
your organization.

Determine if you need to purchase apps


If the app you need to add to Intune isn't freely available as a store app or as part of
your Intune license, you can consider purchasing the app.

There are three primary ways you would purchase an app:

Purchase Apple store apps in-volume using Apple Business Manager. Apple
Business Manager provides an app Volume Purchase Program (VPP) that enables
you to purchase apps in-volume for Intune.
Work with an app vendor to purchase a subscription or license to use a specific
app based on platform. For a list of apps that have been designed to work with
Intune, see Microsoft Intune protected apps.
Purchase a line-of-business (LOB) app from an app developer or vendor. You must
work directly with the app developer or vendor to purchase the app. LOB apps
commonly have the following characteristics:
A customized app that has been specifically designed or modified for your
organization.
An app that has been created specifically for your organization by an app
developer.

Purchase apps in-volume from Apple


App licenses that can be purchased in-volume are purchased through a volume
purchase program (VPP). Currently, Apple is the only store vendor that lets you purchase
multiple app licenses in-volume for use with Intune, through Apple Business Manager.

Important

Confirm that your mobile device management (MDM) authority is set to
Microsoft Intune before purchasing or adding apps to Intune in-volume.
Most apps offered through a volume purchase program are free to add to Intune;
however, an app license must still be acquired through the volume purchase
program (VPP) and the VPP token synchronized with Intune.

Apple Business Manager


Apple Business Manager is a web-based portal that allows you to purchase apps that
can be managed by Intune.

Use the following steps to set up in-volume app purchases for iOS/iPadOS devices:

1. Set up Apple Business Manager.
2. Purchase apps using Apple Business Manager.
3. Sync purchased Apple app licenses with Microsoft Intune.

Purchase an app subscription or license


Before purchasing an app that can be managed by Intune, check whether the app is
already available to you:

1. Check whether the app is included with your Microsoft Intune subscription.
2. Check if the app is freely available to download and use by checking if the app is
available directly in the Microsoft Intune admin center .
3. Check if you can purchase the app through a volume-purchase program (VPP),
such as iOS/iPadOS apps.

You may need to work directly with an app developer or vendor to use an app that has
been designed to be managed by Intune.

Purchase a LOB app from an app developer or vendor

A line-of-business (LOB) app is a custom app that you add to Microsoft Intune from an
app installation file. These apps are either developed in-house by your organization, or
designed and developed by a third-party for your organization. These apps are unique
to your organization. You need to work directly with the app developer to create the
app for your organization. For more information, see Understand line-of-business apps
for Intune.

Next step
Continue with Step 4 to add apps to Microsoft Intune.
Step 4. Add apps to Intune
Article • 03/28/2023

Once you've assessed your app requirements, created categories for your apps in
Intune, and purchased any needed apps that aren't freely available, you can add the
apps to Intune.

You use Microsoft Intune admin center to find, select, and add apps to Intune. When
you add an app to Intune, you start by selecting the app type, such as iOS store app.
Then, you can find and select the app that you need to add. Once you've selected the app,
you can add information about the app the members of your organization will see, such
as app name, description, and minimum operating system needed. Additionally, if you
already have groups of users available, you can assign those. Lastly, you create the app,
which adds it to Intune.
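
As an added example (not code from the Intune documentation), the following PowerShell script performs the assignment step of the procedure above through Microsoft Graph: it assigns an app that is already in Intune as Required to one Azure AD group and then reads the assignments back to confirm. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds DeviceManagementApps.ReadWrite.All, and that $AppId and $GroupId are placeholders for the app's Intune id and the group's object id. The assign action replaces the app's whole assignment set, so the script re-submits the existing assignments alongside the new one instead of silently dropping them.

```powershell
# Added example, not from the Intune documentation: assign an existing Intune app as
# Required to one group via Microsoft Graph, preserving the app's other assignments.
# Assumes: Microsoft.Graph PowerShell SDK installed; signed-in account holds
# DeviceManagementApps.ReadWrite.All. $AppId and $GroupId are placeholders to replace.

$AppId   = "00000000-0000-0000-0000-000000000000"   # placeholder: the app's Intune (mobileApp) id
$GroupId = "11111111-1111-1111-1111-111111111111"   # placeholder: Azure AD group object id

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome

$base = "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/$AppId"

# The assign action replaces the full assignment set, so fetch what is already there.
$existing = (Invoke-MgGraphRequest -Method GET -Uri "$base/assignments").value

# Re-submit existing assignments without their read-only fields (id, source).
$keep = foreach ($a in $existing) {
    @{
        "@odata.type" = "#microsoft.graph.mobileAppAssignment"
        intent        = $a.intent
        target        = $a.target
        settings      = $a.settings
    }
}

# The new Required assignment. Intent values: required, available, uninstall,
# availableWithoutEnrollment. A required app is reinstalled if the user removes it.
$new = @{
    "@odata.type" = "#microsoft.graph.mobileAppAssignment"
    intent        = "required"
    target        = @{
        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
        groupId       = $GroupId
    }
}

$body = @{ mobileAppAssignments = @($keep) + @($new) }
Invoke-MgGraphRequest -Method POST -Uri "$base/assign" -Body $body

# Read back and confirm a Required assignment targeting the group now exists.
$after = (Invoke-MgGraphRequest -Method GET -Uri "$base/assignments").value
foreach ($a in $after) {
    "{0,-28} {1,-48} {2}" -f $a.intent, $a.target.'@odata.type', $a.target.groupId
}
```

The read-back is the check worth keeping: an assignment that is missing from the list after the POST means it was overwritten by a later full-set replace, which is the most common way required apps stop being enforced.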

Note

You can specify that an app is required on the end user's device. If the user
modifies a required app (for example, by deleting it), Intune automatically
reinstalls, updates, or removes the required app within 24 hours.

Add apps included with your Intune license


The first apps that you should consider adding to Intune are those apps included as part
of your Intune license.

For instance, if you have a Microsoft 365 E5 license, consider adding the following apps
to Intune first:

Microsoft Word
Microsoft Excel
Microsoft PowerPoint
Microsoft OneNote
Microsoft Outlook
Microsoft Teams

These apps support the core Intune app protection policy settings and are also capable
of supporting advanced app protection policy and app configuration policy settings.
Each app has different protection and configuration capabilities. These include the
following capabilities:
Core app protection policy settings
App configuration
Org allowed accounts
Sync policy managed app data with native apps
Org data notifications
Open data into Org documents
Save copies of org data

Use the following steps to add Microsoft licensed apps to Intune:

Add Microsoft 365 Apps for Windows devices to Intune
Add Microsoft 365 Apps for macOS devices to Intune
Add Microsoft apps for iOS/iPadOS devices to Intune
Add Microsoft apps for Android devices to Intune

Note

In addition, consider adding the following Microsoft apps based on your existing
license:

Microsoft Exchange
Microsoft SharePoint
Microsoft Viva Engage
Microsoft Viva
Project Online Desktop Client
Visio Online Plan 2
Microsoft Defender for Endpoint

For more information, see the following resources:

Microsoft Intune protected apps


App functionality included with Microsoft 365 E5 license

Add volume purchased apps to Intune


Once you've added the apps included with your Intune license to the Intune console,
consider adding the apps that the members of your organization use most often. Those
apps may be store apps, line-of-business apps, or web apps. Store apps can be
purchased or acquired in-volume for iOS/iPadOS devices.

Use the following steps to add in-volume apps to Intune:


1. Determine which apps are used by members of your organization.

2. Narrow your app list to focus on the apps that are most used and most needed.

3. Determine which apps require your organization to have a license for the apps and
that aren't already included as part of your Intune license.

4. Determine which apps are available in the Apple app stores as part of their volume
purchase program.

Note

Many apps that are part of a volume purchase program allow your
organization to obtain the app license for free.

5. Based on your organization's app platform needs, add your needed apps in-
volume:
a. Use Apple Business Manager to purchase or acquire apps in-volume:
i. Set up Apple Business Manager
ii. Purchase apps using Apple Business Manager
iii. Sync purchased Apple app licenses with Microsoft Intune

For more information, see Manage volume-purchased apps and books with Microsoft
Intune.

Add Windows, iOS, and Android store apps to Intune

Many of the standard store apps displayed from within Microsoft Intune are freely
available for you to add and deploy to members of your organization. In addition, you
can purchase store apps for each device platform.

Use the following steps to add store apps to Intune:

1. Determine which apps are needed by members of your organization that haven't
already been added to Intune using the steps above.
2. Determine which of those apps require your organization to have a license for the
apps.
3. Determine each store app type that your organization requires.
4. Determine which apps are available in the Microsoft, Apple, or Google app stores.
5. Add store apps to Intune based on your organization's app platform needs.
For more information, see Android store apps, iOS/iPadOS store apps, Microsoft Store
apps, and Managed Google Play apps.

Add line-of-business apps to Intune


Line-of-business (LOB) apps are apps that you add to Microsoft Intune from an app
installation file. These apps are often created in-house for your organization and
support a specific purpose for your organization. To include LOB apps in your managed
environment, you upload the app installation file to Intune and assign the app to
devices or groups from Intune. LOB apps are supported by Intune for Android devices,
iOS/iPadOS devices, Windows, and macOS devices. For more information about line-of-
business apps, see Understand line-of-business apps for Intune.

Use the following steps to add line-of-business apps to Intune:

1. Determine the platform(s) your LOB app requires.
2. Determine your specific LOB app type.
3. Add your LOB apps to Intune based on app type:
a. Android LOB apps
b. iOS/iPadOS LOB apps
c. Windows LOB apps
d. Win32 apps
e. Mac LOB apps

Next step

Continue with Step 5 to manage apps and licenses in Microsoft Intune.


Step 5. Manage apps and licenses
Article • 03/28/2023

Microsoft Intune makes it easy to manage both apps and app licenses used by each
member of your organization.

Manage app licenses


There are two areas of Intune used to manage app licenses:

Connector status is used to keep your app licenses in sync with the app license
provider.
Monitor app licenses shows, for each app, the total, in-use, and available license
counts that Intune has synced from the provider.

Connector status
Connectors are connections you configure from Intune to external services, such as the
Apple Volume Purchase Program service. Connector status is provided as part of the
tenant status in Intune. When you view the Connector status in Intune, you are provided
with connectors that are unhealthy, connectors with warnings, and connectors that are
healthy. In addition, Intune lists connectors that are Not Enabled.

Tip

A tenant is an instance of Azure Active Directory (Azure AD). When you set up
Microsoft Intune a tenant is created for you. Your subscription to Intune is hosted
by an Azure AD tenant.

Monitor app licenses


Using Intune, you can view the licenses in-use, the available licenses, and the total
number of licenses for each app.

Manage apps
You can view a list of all apps that have been added to Intune. This list provides details
about each app, such as the type, status, and version. Also, the list shows whether the
app has been assigned to members of your organization.

App reports
Microsoft Intune reports allow you to more effectively and proactively monitor the
health and activity of endpoints across your organization, and also provides other
reporting data across Intune. For example, you'll be able to see reports about device
compliance, device health, and device trends. In addition, you can create custom reports
to obtain more specific data.

The following list provides Intune reports that are specific to apps:

Managed Apps report (Organizational)
Reporting tiles
App Install Status report (Operational)
Device Install Status report for apps (Operational)
User Install Status for apps report (Operational)

For additional app information, see Manage apps.

After adding apps to Intune


Once you have completed the above steps, you'll be ready to configure, protect, assign,
and monitor the managed apps your organization uses.

For more information about how to proceed, see the following topics:

App configuration policies for Microsoft Intune
App protection policies overview
Assign apps to groups with Microsoft Intune
Monitor app information and assignments with Microsoft Intune
Overview of the app lifecycle in Microsoft Intune
Article • 03/07/2023

The Microsoft Intune app lifecycle begins when an app is added and progresses through
additional phases until you remove the app. By understanding these phases, you'll have
the details you need to get started with app management in Intune.

Add
The first step in app deployment is to add the apps that you want to manage and
assign to Intune. While you can work with many different app types, the basic
procedures are the same. With Intune you can add different app types, including apps
written in-house (line-of-business), apps from the store, apps that are built in, and apps
on the web. For more information about each of these app types, see How to add an
app to Microsoft Intune.

Deploy
After you've added the app to Intune, you can then assign it to users and devices that
you manage. Intune makes this process easy, and after the app is deployed, you can
monitor the success of the deployment from within the Intune admin center. Additionally,
for apps from the Apple App Store, you can purchase app licenses in bulk for your
company through Apple Business Manager. Intune can synchronize data with the store so
that you can deploy and track license usage for these types of apps right from the Intune
admin center.

Configure
As part of the app lifecycle, new versions of apps are regularly released. Intune provides
tools to easily update apps that you have deployed to a newer version. Additionally, you
can configure extra functionality for some apps, for example:

iOS/iPadOS app configuration policies supply settings for compatible iOS/iPadOS
apps that are used when the app is run. For example, an app might require specific
branding settings or the name of a server to which it must connect.
Managed browser policies help you configure settings for Microsoft Edge, which
replaces the default device browser and lets you restrict the websites that your
users can visit.

Protect
Intune gives you many ways to help protect the data in your apps. The main methods
are:

Conditional Access, which controls access to email and other services based on
conditions that you specify. Conditions include device types or compliance with a
device compliance policy that you deployed.
App protection policies work with individual apps to help protect the company
data that they use. For example, you can restrict copying data between
unmanaged apps and apps that you manage, or you can prevent apps from
running on devices that have been jailbroken or rooted.

Retire
Eventually, it's likely that apps that you deployed become outdated and need to be
removed. Intune makes it easy to uninstall apps. For more information, see Uninstall an
app.

Next steps
Learn about app management in Microsoft Intune
Mobile Application Management and personally-owned work profiles on Android
Enterprise devices in Intune
Article • 03/06/2023

In many organizations, administrators are challenged to protect resources and data on
different devices. One challenge is protecting resources for users with personal Android
Enterprise devices, also known as bring-your-own-device (BYOD). Microsoft Intune
supports two Android deployment scenarios for BYOD:

Mobile Application Management (MAM)
Android Enterprise personally-owned work profiles

The MAM and the Android Enterprise personally-owned work profile deployment
scenarios include the following key features important for BYOD environments:

Protection and segregation of organization-managed data: Both solutions
protect organization data by enforcing data loss prevention (DLP) controls on
organization-managed data. These protections prevent accidental leaks of
protected data, such as an end user accidentally sharing it to a personal app or
account. They also serve to ensure that a device accessing the data is healthy and
not compromised.

End-user privacy: MAM separates end user and organization content within managed
applications; Android Enterprise personally-owned work profiles separate end-user
content on the device from data managed by the mobile device management (MDM)
administrator. In both scenarios, IT admins enforce policies, such as PIN-only
authentication, on organization-managed apps or identities. IT admins are
unable to read, access, or erase data that's owned or controlled by end users.

Whether you choose MAM or Android Enterprise personally-owned work profiles for
your BYOD deployment depends on your requirements and business needs. The goal of
this article is to provide guidance to help you decide. For more information related to
managed Android devices, see Manage Android personally-owned/corporate-owned
work profile devices with Intune.

About Intune app protection policies


Intune app protection policies (APP) are data protection policies targeted to users. The
policies apply data loss protection at the application level. Intune APP requires that app
developers enable APP features in the apps they create.

Individual Android apps are enabled for APP in a few ways:

1. Natively integrated into Microsoft first-party apps: Microsoft Office apps for
Android, and a selection of other Microsoft apps, come with Intune APP built-in.
These Office apps, such as Word, OneDrive, Outlook, and so on, don't need any
more customization to apply policies. These apps can be installed by end users
directly from Google Play Store.

2. Integrated into app builds by developers using the Intune SDK: App developers
can integrate the Intune SDK into their source code and recompile their apps to
support Intune APP policy features.

3. Wrapped using the Intune App Wrapping Tool: Some customers compile Android
apps (.APK file) without access to source code. Without the source code, the
developer can't integrate the Intune SDK, and without the SDK the app can't be
enabled for APP policies unless it is modified or recoded to support them.

To help, Intune includes the App Wrapping Tool for existing Android apps
(APKs), which produces an app that recognizes APP policies.

For more information on this tool, see prepare line-of-business apps for app
protection policies.

To see a list of apps enabled with APP, see managed apps with a rich set of mobile
application protection policies .

Deployment scenarios
This section describes the important characteristics of the MAM and Android Enterprise
personally-owned work profile deployment scenarios.

MAM
A MAM deployment defines policies on apps, not devices. For BYOD, MAM is often used
on unenrolled devices. To protect apps and access to organizational data, administrators
use APP-manageable apps, and apply data protection policies to these apps.

This feature applies to:

Android 4.4 and later

Tip

For more information, see What are app protection policies?.

Android Enterprise personally-owned work profiles


Android Enterprise personally-owned work profiles are the core Android Enterprise
deployment scenario. The Android Enterprise personally-owned work profile is a
separate partition created at the Android OS level that can be managed by Intune.

An Android Enterprise personally-owned work profile includes the following features:

Traditional MDM functionality: Key MDM capabilities, such as app lifecycle
management using managed Google Play, are available in any Android Enterprise
scenario. Managed Google Play provides a robust experience to install and update
apps without any user intervention. IT can also push app configuration settings to
organizational apps. It also doesn't require end users to allow installations from
unknown sources. Other common MDM activities, such as deploying certificates,
configuring Wi-Fi/VPNs, and setting device passcodes, are available with Android
Enterprise personally-owned work profiles.

DLP on the Android Enterprise personally-owned work profile boundary: With an
Android Enterprise personally-owned work profile, DLP policies can be enforced at the
work profile level rather than the app level. For example, copy/paste protection can be
enforced either by the APP settings applied to an app or by the work profile. When the
app is deployed into a work profile, administrators can leave copy/paste protection to
the work profile by turning off this setting at the APP level.

Tips to optimize the work profile experience


You should consider how to use APP and multi-identity when working with Android
Enterprise personally-owned work profiles.

When to use APP within Android Enterprise personally-owned work profiles
Intune APP and Android Enterprise personally-owned work profiles are complementary
technologies that can be used together or separately. Architecturally, both solutions
enforce policies at different layers – APP at the individual app layer, and work profile at
the profile layer. Deploying apps managed with an APP policy into a work profile is a
valid and supported scenario. Whether to use APP, work profiles, or a combination
depends on your DLP requirements.

Android Enterprise personally-owned work profiles and APP complement each other's
settings by providing additional coverage if one profile doesn't meet your organization's
data protection requirements. For example, work profiles don't natively provide controls
to restrict an app from saving to an untrusted cloud storage location. APP includes this
feature. You may decide that DLP provided solely by the work profile is sufficient, and
choose not to use APP. Or you may require the protections from a combination of the
two.

Suppress APP policy for Android Enterprise personally-owned work profiles
You may need to support individual users who have multiple devices - unenrolled
devices with MAM managed applications and managed devices with Android Enterprise
personally-owned work profiles.

For example, you require end users to enter a PIN when opening a work app. Depending
on the device, the PIN features are handled by APP or by the work profile. For MAM
managed applications, access controls including the PIN-to-launch behavior are enforced
by APP. For enrolled devices, the APP PIN may be disabled to avoid requiring both a
device PIN and an APP PIN (see the APP PIN setting for Android). For work profile
devices, you can use a device or work profile PIN enforced by the OS. To accomplish this
scenario, configure APP settings so that they don't apply when an app is deployed into a
work profile. If you don't configure it this way, the end user gets prompted for a PIN by
the device, and again at the APP layer.

Control multi-identity behavior in Android Enterprise personally-owned work profiles
Office applications, such as Outlook and OneDrive, have "multi-identity" behavior.
Within one instance of the application, the end user can add connections to multiple
distinct accounts or cloud storage locations. Within the application, the data retrieved
from these locations can be separate or merged. And, the user can context switch
between personal identities (user@outlook.com) and organization identities
(user@contoso.com).

When using Android Enterprise personally-owned work profiles, you may want to
disable this multi-identity behavior. When you disable it, badged instances of the app in
the work profile can only be configured with an organization identity. Use the Allowed
Accounts app configuration setting for supporting Office Android apps.

For more information, see deploy Outlook for iOS/iPadOS and Android app
configuration settings.

When to use Intune APP

There are several enterprise mobility scenarios where using Intune APP is the best
recommendation.

No MDM, no enrollment, Google services are unavailable

Some customers don't want any form of device management, including Android
Enterprise personally-owned work profile management, for different reasons:

Legal and liability reasons
For consistency of user experience
The Android device environment is highly heterogeneous
There isn't any connectivity to Google services, which is required for work profile
management.

For example, customers in China, or with users in China, can't use Android device
management since Google services are blocked. In this case, use Intune APP for DLP.

Summary
Using Intune, both MAM and Android Enterprise personally-owned work profiles are
available for your Android BYOD program. You can choose to use MAM and/or work
profiles depending upon your business and usage requirements. In summary, use
Android Enterprise personally-owned work profiles if you need MDM activities on
managed devices, such as certificate deployment, app push, and so on. Use MAM if you
want to protect org data within applications.

Next steps
Start using app protection policies, or enroll your devices.
How to use Intune in environments without Google Mobile Services
Article • 05/01/2023

Microsoft Intune uses Google Mobile Services (GMS) to communicate with the Microsoft
Intune company portal when managing Android devices. In some cases, devices may
temporarily or permanently not have access to GMS. For example, a device might ship
without GMS, or the device may be connecting to a closed network where GMS is not
available. This document summarizes the differences and limitations you may observe
when installing and using Intune to manage Android devices without GMS.

Note

These GMS related limitations also apply to Device Administrator management and
Android (AOSP) Management.

Install the Intune Company Portal app without access to the Google Play Store

For users outside of People's Republic of China

If Google Play isn't available, Android devices can download the Microsoft Intune
Company Portal for Android and sideload the app. When installed this way, the app
doesn't receive updates or fixes automatically. You must be sure to regularly update and
patch the app manually.

For users in People's Republic of China

Because the Google Play Store is currently not available in People's Republic of China,
Android devices must obtain apps from Chinese app marketplaces. For more
information, see Install the Company Portal app in People's Republic of China.

Limitations of Intune management when GMS is unavailable
Unavailable Intune features
Some Intune features rely on components of GMS such as the Google Play store or
Google Play services. Because these components are not available in environments
without GMS, the following features in the Microsoft Intune admin center may be
unavailable.

Scenario and affected features:

Device compliance policies: When creating or editing compliance policies for Android
device administrator, all options listed under Google Play Protect are unavailable.

App protection policies (conditional launch): SafetyNet device attestation, Require
threat scan on apps, and Max Company Portal version age (days) are device conditions
that cannot be used for conditional launch.

Client apps: Apps of type Android are not available. Use Line-of-business app instead
to deploy and manage apps.

Mobile Threat Defense: Work with your MTD vendor to understand if their solution is
integrated with Intune, if it is available in the region of interest, and if it relies on
GMS.

Some tasks may be delayed

In environments where GMS is available, Intune relies on push notifications so that
tasks finish quickly. For example, if you try to remotely wipe the device, notifications
generally get to the device in seconds. In conditions where GMS isn't available, push
notifications may also not be available.

All Android devices enrolled with device administrator or Android (AOSP) management
report to Intune every 8 hours. For example, if a device reports to Intune at 1 PM and the
remote tasks are issued at 1:05 PM, Intune will contact the device at 9 PM to complete
the tasks.

In conditions where GMS isn't available, if the device is enrolled with device
administrator and running Company Portal 5.0.5655.0 and above, Intune also attempts
to check for new tasks and notifications approximately every 15 minutes. Note that this
frequency may be affected by the device manufacturer, device usage patterns, and
whether battery optimization is enabled for the Company Portal app.

The following tasks can require up to 8 hours to finish:

Microsoft Intune admin center:

Full wipe
Selective wipe
New or updated app deployments
Remote lock
Passcode reset

Intune Company Portal app for Android:

Remote device removal
Device reset
Installation of available line-of-business apps

Intune app for Android (AOSP):

Remote device removal
Device reset

Intune Company Portal website:

Device removal (local and remote)
Device reset
Device passcode reset

If the device recently enrolled, the compliance, non-compliance, and configuration
check-in runs more frequently. For more information on device check-ins, see Common
questions, issues, and resolutions with device policies and profiles in Microsoft Intune.

Next steps
Assign apps to groups with Microsoft Intune
Frequently asked questions about MAM and app protection
FAQ

This article provides answers to some frequently asked questions on Intune mobile
application management (MAM) and Intune app protection.

MAM Basics
What is MAM?
MAM Overview

App protection policies

What are app protection policies?
App protection policies are rules that ensure an organization's data remains safe or
contained in a managed app. A policy can be a rule that is enforced when the user
attempts to access or move "corporate" data, or a set of actions that are prohibited or
monitored when the user is inside the app.

What are examples of app protection policies?

See the Android app protection policy settings and iOS/iPadOS app protection policy
settings for detailed information on each app protection policy setting.

Is it possible to have both MDM and MAM policies applied to the same user at the same
time, for different devices? For example, a user could access their work resources from
their own MAM-enabled machine, but also come to work and use an Intune MDM-managed
device. Are there any caveats to this idea?
If you apply a MAM policy to the user without setting the device management state, the
user will get the MAM policy on both the BYOD device and the Intune-managed device.
You can also apply a MAM policy based on the device management state. So when you
create an app protection policy, next to Target to apps on all device types, you'd select
No. Then do any of the following:

Apply a less strict MAM policy to Intune managed devices, and apply a more
restrictive MAM policy to non MDM-enrolled devices.
Apply an equally strict MAM policy to Intune managed devices as to 3rd party
managed devices.
Apply a MAM policy to unenrolled devices only.

For more information, see How to monitor app protection policies.

Apps you can manage with app protection policies
Which apps can be managed by app protection
policies?
Any app that has been integrated with the Intune App SDK or wrapped by the Intune
App Wrapping Tool can be managed using Intune app protection policies. See the
official list of Intune-managed apps available for public use.

What are the baseline requirements to use app protection policies on an Intune-managed app?
The end user must have an Azure Active Directory (Azure AD) account. See Add
users and give administrative permission to Intune to learn how to create Intune
users in Azure Active Directory.

The end user must have a license for Microsoft Intune assigned to their Azure
Active Directory account. See Manage Intune licenses to learn how to assign Intune
licenses to end users.

The end user must belong to a security group that is targeted by an app
protection policy. The same app protection policy must target the specific app
being used. App protection policies can be created and deployed in the Microsoft
Intune admin center. Security groups can currently be created in the Microsoft
365 admin center.

The end user must sign into the app using their Azure AD account.

What if I want to enable an app with Intune App Protection but it is not using a supported app development platform?
The Intune SDK development team actively tests and maintains support for apps built
with the native Android, iOS/iPadOS (Obj-C, Swift), Xamarin, and Xamarin.Forms
platforms. While some customers have had success with Intune SDK integration with
other platforms such as React Native and NativeScript, we do not provide explicit
guidance or plugins for app developers using anything other than our supported
platforms.

Does the Intune APP SDK support Microsoft Authentication Library (MSAL)?
The Intune App SDK can use the Microsoft Authentication Library for its authentication
and conditional launch scenarios. It also relies on MSAL to register the user identity with
the MAM service for management without device enrollment scenarios.

What are the additional requirements to use the Outlook mobile app?
The end user must have the Outlook mobile app installed to their device.

The end user must have a Microsoft 365 Exchange Online mailbox and license
linked to their Azure Active Directory account.

Note

The Outlook mobile app currently only supports Intune App Protection for
Microsoft Exchange Online and Exchange Server with hybrid modern
authentication and does not support Exchange in Office 365 Dedicated.

What are the additional requirements to use the Word, Excel, and PowerPoint apps?
The end user must have a license for Microsoft 365 Apps for business or
enterprise linked to their Azure Active Directory account. The subscription must
include the Office apps on mobile devices and can include a cloud storage account
with OneDrive for Business. Microsoft 365 licenses can be assigned in the
Microsoft 365 admin center following these instructions.

The end user must have a managed location configured using the granular save as
functionality under the "Save copies of org data" application protection policy
setting. For example, if the managed location is OneDrive, the OneDrive app
should be configured in the end user's Word, Excel, or PowerPoint app.

If the managed location is OneDrive, the app must be targeted by the app
protection policy deployed to the end user.

Note

The Office mobile apps currently only support SharePoint Online and not
SharePoint on-premises.

Why is a managed location (i.e. OneDrive) needed for Office?
Intune marks all data in the app as either "corporate" or "personal." Data is considered
"corporate" when it originates from a business location. For the Office apps, Intune
considers the following as business locations: email (Exchange) or cloud storage
(OneDrive app with a OneDrive for Business account).

What are the additional requirements to use Skype for Business?
See Skype for Business license requirements. For Skype for Business (SfB) hybrid and
on-prem configurations, see Hybrid Modern Auth for SfB and Exchange goes GA and
Modern Auth for SfB OnPrem with Azure AD, respectively.

App protection features

What is multi-identity support?
Multi-identity support is the ability for the Intune App SDK to only apply app protection
policies to the work or school account signed into the app. If a personal account is
signed into the app, the data is untouched.

What is the purpose of multi-identity support?

Multi-identity support allows apps with both "corporate" and consumer audiences (i.e.
the Office apps) to be released publicly with Intune app protection capabilities for the
"corporate" accounts.

What about Outlook and multi-identity?

Because Outlook has a combined email view of both personal and "corporate" emails,
the Outlook app prompts for the Intune PIN on launch.

What is the Intune app PIN?

The Personal Identification Number (PIN) is a passcode used to verify that the correct
user is accessing the organization's data in an application.

When is the user prompted to enter their PIN?

Intune prompts for the user's app PIN when the user is about to access "corporate" data.
In multi-identity apps such as Word/Excel/PowerPoint, the user is prompted for their PIN
when they try to open a "corporate" document or file. In single-identity apps, such as
line-of-business apps managed using the Intune App Wrapping Tool, the PIN is
prompted at launch, because the Intune App SDK knows the user's experience in the
app is always "corporate."

How often will the user be prompted for the Intune PIN?
The IT admin can define the Intune app protection policy setting 'Recheck the access
requirements after (minutes)' in the Microsoft Intune admin center. This setting specifies
the amount of time before the access requirements are checked on the device, and the
application PIN screen is shown again. However, important details about PIN that affect
how often the user will be prompted are:

The PIN is shared among apps of the same publisher to improve usability: On
iOS/iPadOS, one app PIN is shared amongst all apps of the same app publisher.
On Android, one app PIN is shared amongst all apps.
The 'Recheck the access requirements after (minutes)' behavior after a device
reboot: A "PIN timer" tracks the number of minutes of inactivity that determine
when to show the Intune app PIN next. On iOS/iPadOS, the PIN timer is unaffected
by device reboot. Thus, device restart has no effect on the number of minutes the
user has been inactive from an iOS/iPadOS app with Intune PIN policy. On Android,
the PIN timer is reset on device reboot. As such, Android apps with Intune PIN
policy will likely prompt for an app PIN regardless of the 'Recheck the access
requirements after (minutes)' setting value after a device reboot.
The rolling nature of the timer associated with the PIN: Once a PIN is entered to
access an app (app A), and the app leaves the foreground (main input focus) on
the device, the PIN timer gets reset for that PIN. Any app (app B) that shares this
PIN will not prompt the user for PIN entry because the timer has reset. The prompt
will show up again once the 'Recheck the access requirements after (minutes)'
value is met again.

For iOS/iPadOS devices, even if the PIN is shared between apps from different
publishers, the prompt will show up again when the Recheck the access requirements
after (minutes) value is met again for the app that is not the main input focus. So, for
example, a user has app A from publisher X and app B from publisher Y, and those two
apps share the same PIN. The user is focused on app A (foreground), and app B is
minimized. After the Recheck the access requirements after (minutes) value is met and
the user switches to app B, the PIN would be required.

Note

In order to verify the user's access requirements more often (i.e. PIN prompt),
especially for a frequently used app, it is recommended to reduce the value of the
'Recheck the access requirements after (minutes)' setting.

How does the Intune PIN work with built-in app PINs for Outlook and OneDrive?
The Intune PIN works based on an inactivity-based timer (the value of 'Recheck the
access requirements after (minutes)'). As such, Intune PIN prompts show up
independently from the built-in app PIN prompts for Outlook and OneDrive which often
are tied to app launch by default. If the user receives both PIN prompts at the same
time, the expected behavior should be that the Intune PIN takes precedence.

Is the PIN secure?

The PIN serves to allow only the correct user to access their organization's data in the
app. Therefore, an end user must sign in with their work or school account before they
can set or reset their Intune app PIN. This authentication is handled by Azure Active
Directory via secure token exchange and is not transparent to the Intune App SDK. From
a security perspective, the best way to protect work or school data is to encrypt it.
Encryption is not related to the app PIN but is its own app protection policy.

How does Intune protect the PIN against brute force attacks?
As part of the app PIN policy, the IT administrator can set the maximum number of
times a user can try to authenticate their PIN before locking the app. After the number
of attempts has been met, the Intune App SDK can wipe the "corporate" data in the app.

Why do I have to set a PIN twice on apps from the same publisher?
MAM (on iOS/iPadOS) currently allows application-level PIN with alphanumeric and
special characters (called 'passcode') which requires the participation of applications (i.e.
WXP, Outlook, Managed Browser, Yammer) to integrate the Intune APP SDK for
iOS/iPadOS. Without this, the passcode settings are not properly enforced for the
targeted applications. This was a feature released in the Intune SDK for iOS/iPadOS v.
7.1.12.

In order to support this feature and ensure backward compatibility with previous
versions of the Intune SDK for iOS/iPadOS, all PINs (either numeric or passcode) in
7.1.12+ are handled separately from the numeric PIN in previous versions of the SDK.
Therefore, if a device has applications with Intune SDK for iOS/iPadOS versions before
7.1.12 AND after 7.1.12 from the same publisher, they will have to set up two PINs.

That being said, the two PINs (one per app) are not related in any way; each must
adhere to the app protection policy that's applied to its app. As such, the user may
set up the same PIN twice only if apps A and B have the same PIN-related policies
applied.

This behavior is specific to the PIN on iOS/iPadOS applications that are enabled with
Intune Mobile App Management. Over time, as applications adopt later versions of the
Intune SDK for iOS/iPadOS, having to set a PIN twice on apps from the same publisher
becomes less of an issue. Please see the note below for an example.

Note

For example, if app A is built with a version prior to 7.1.12 and app B is built with a
version greater than or equal to 7.1.12 from the same publisher, the end user will
need to set up PINs separately for A and B if both are installed on an iOS/iPadOS
device.

If an app C that has SDK version 7.1.9 is installed on the device, it will share the
same PIN as app A.

An app D built with 7.1.14 will share the same PIN as app B.

If only apps A and C are installed on a device, then one PIN will need to be set. The
same applies to if only apps B and D are installed on a device.

What about encryption?

IT administrators can deploy an app protection policy that requires app data to be
encrypted. As part of the policy, the IT administrator can also specify when the content
is encrypted.

How does Intune encrypt data?

See the Android app protection policy settings and iOS/iPadOS app protection policy
settings for detailed information on the encryption app protection policy setting.

What gets encrypted?

Only data marked as "corporate" is encrypted according to the IT administrator's app
protection policy. Data is considered "corporate" when it originates from a business
location. For the Office apps, Intune considers the following as business locations: email
(Exchange) or cloud storage (OneDrive app with a OneDrive for Business account). For
line-of-business apps managed by the Intune App Wrapping Tool, all app data is
considered "corporate."

How does Intune remotely wipe data?

Intune can wipe app data in three different ways: full device wipe, selective wipe for
MDM, and MAM selective wipe. For more information about remote wipe for MDM, see
Remove devices by using wipe or retire. For more information about selective wipe
using MAM, see the Retire action and How to wipe only corporate data from apps.

What is wipe?
Wipe removes all user data and settings from the device by restoring the device to its
factory default settings. The device is removed from Intune.

Note

Wipe can only be achieved on devices enrolled with Intune mobile device
management (MDM).

What is selective wipe for MDM?

See Remove devices - retire to read about removing company data.

What is selective wipe for MAM?

Selective wipe for MAM simply removes company app data from an app. The request is
initiated using the Microsoft Intune admin center. To learn how to initiate a wipe
request, see How to wipe only corporate data from apps.

How quickly does selective wipe for MAM happen?
If the user is using the app when selective wipe is initiated, the Intune App SDK checks
every 30 minutes for a selective wipe request from the Intune MAM service. It also
checks for selective wipe when the user launches the app for the first time and signs in
with their work or school account.

Why don't On-Premises (on-prem) services work with Intune protected apps?
Intune app protection depends on the identity of the user to be consistent between the
application and the Intune App SDK. The only way to guarantee that is through modern
authentication. There are scenarios in which apps may work with an on-prem
configuration, but they are neither consistent nor guaranteed.

Is there a secure way to open web links from managed apps?
Yes! The IT administrator can deploy and set app protection policy for the Microsoft
Edge app. The IT administrator can require all web links in Intune-managed apps to be
opened using the Microsoft Edge app.

App experience on Android

Why is the Company Portal app needed for Intune app protection to work on Android devices?
Company Portal app and Intune app protection

How do multiple Intune app protection access settings that are configured to the same set of apps and users work on Android?
Intune app protection policies for access will be applied in a specific order on end user
devices as they try to access a targeted app from their corporate account. In general, a
block would take precedence, and then a dismissible warning. For example, if applicable
to the specific user/app, a minimum Android patch version setting that warns a user to
take a patch upgrade will be applied after the minimum Android patch version setting
that blocks the user from access. So, in the scenario where the IT admin configures the
min Android patch version to 2018-03-01 and the min Android patch version (Warning
only) to 2018-02-01, while the device trying to access the app was on a patch version
2018-01-01, the end user would be blocked based on the more restrictive setting for
min Android patch version that results in blocked access.

When dealing with different types of settings, an app version requirement would take
precedence, followed by Android operating system version requirement and Android
patch version requirement. Then, any warnings for all types of settings in the same order
are checked.

Intune App Protection Policies provide the capability for admins to require end user devices to pass Google's SafetyNet Attestation for Android devices. How often is a new SafetyNet Attestation result sent to the service?
The Intune service will contact Google Play at a non-configurable interval determined by
service load. Any IT admin configured action for the Google SafetyNet Attestation
setting will be taken based on the last reported result to the Intune service at the time
of conditional launch. If the Google SafetyNet Attestation result is compliant, no action
is taken. If the Google SafetyNet Attestation result is non-compliant, the IT admin
configured action will be taken immediately. If the request to the Google SafetyNet
Attestation fails for any reason, the cached result from the previous request will be used
for up to 24 hours or until the next device restart, whichever comes first. At that time
Intune App Protection Policies will block access until a current result can be obtained.

Intune App Protection Policies provide the capability for admins to require end user devices to send signals via Google's Verify Apps API for Android devices. How can an end user turn on the app scan so that they are not blocked from access due to this?
The instructions on how to do this vary slightly by device. The general process involves
going to the Google Play Store, then clicking on My apps & games, clicking on the
result of the last app scan which will take you into the Play Protect menu. Ensure the
toggle for Scan device for security threats is switched to on.

What does Google's SafetyNet Attestation API actually check on Android devices? What is the difference between the configurable values of 'Check basic integrity' and 'Check basic integrity & certified devices'?
Intune leverages Google Play Protect SafetyNet APIs to add to our existing root
detection checks for unenrolled devices. Google has developed and maintained this API
set for Android apps to adopt if they do not want their apps to run on rooted devices.
The Android Pay app has incorporated this, for example. While Google does not share
publicly the entirety of the root detection checks that occur, we expect these APIs to
detect users who have rooted their devices. These users can then be blocked from
accessing, or their corporate accounts wiped from their policy enabled apps. 'Check
basic integrity' tells you about the general integrity of the device. Rooted devices,
emulators, virtual devices, and devices with signs of tampering fail basic integrity. 'Check
basic integrity & certified devices' tells you about the compatibility of the device with
Google's services. Only unmodified devices that have been certified by Google can pass
this check. Devices that will fail include the following:

Devices that fail basic integrity
Devices with an unlocked bootloader
Devices with a custom system image/ROM
Devices for which the manufacturer didn't apply for, or pass, Google certification
Devices with a system image built directly from the Android Open Source Program
source files
Devices with a beta/developer preview system image

See Google's documentation on the SafetyNet Attestation for technical details.

There are two similar checks in the Conditional Launch section when creating an Intune App Protection Policy for Android devices. Should I be requiring the 'SafetyNet device attestation' setting or the 'jailbroken/rooted devices' setting?
Google Play Protect's SafetyNet API checks require the end user to be online, at least for
the duration of the "roundtrip" that determines attestation results. If the end user is
offline, the IT admin can still expect a result to be enforced from the 'jailbroken/rooted
devices' setting. That being said, if the end user has been offline too long, the 'Offline
grace period' value comes into play, and all access to work or school data is blocked
once that timer value is reached, until network access is available. Turning on both
settings allows for a layered approach to keeping end user devices healthy, which is
important when end users access work or school data on mobile.

The app protection policy settings that leverage Google Play Protect APIs require Google Play Services to function. What if Google Play Services are not allowed in the location where the end user may be?
Both the 'SafetyNet device attestation' and 'Threat scan on apps' settings require a
Google-determined version of Google Play Services to function correctly. Since these
settings fall in the area of security, the end user will be blocked if they have been
targeted with these settings and either do not meet the required version of Google Play
Services or have no access to Google Play Services.

App experience on iOS

What happens if I add or remove a fingerprint or
face to my device?
Intune app protection policies allow control over app access to only the Intune licensed
user. One of the ways to control access to the app is to require either Apple's Touch ID
or Face ID on supported devices. Intune implements a behavior where if there is any
change to the device's biometric database, Intune prompts the user for a PIN when the
next inactivity timeout value is met. Changes to biometric data include the addition or
removal of a fingerprint, or face. If the Intune user does not have a PIN set, they are led
to set up an Intune PIN.

The intent of this is to continue keeping your organization's data within the app secure
and protected at the app level. This feature is only available for iOS/iPadOS, and
requires the participation of applications that integrate the Intune APP SDK for
iOS/iPadOS, version 9.0.1 or later. Integration of the SDK is necessary so that the
behavior can be enforced on the targeted applications. This integration happens on a
rolling basis and is dependent on the specific application teams. Some apps that
participate include WXP, Outlook, Managed Browser, and Yammer.

I am able to use the iOS share extension to open work or school data in unmanaged apps, even with the data transfer policy set to "managed apps only" or "no apps." Doesn't this leak data?
Intune app protection policies can't control the iOS share extension without managing
the device. Instead, Intune encrypts work or school ("corporate") data before it is
shared outside the managed app, so the data that reaches an unmanaged app is unreadable
there. You can validate this by sharing a work file to an unmanaged app and attempting
to open it: the file should be encrypted and fail to open outside the managed app.

How do multiple Intune app protection access settings that are configured to the same
set of apps and users work on iOS?
Intune app protection access settings are applied in a specific order on end-user devices
when the user tries to access a targeted app with their work or school account. In
general, a wipe takes precedence, followed by a block, and then a dismissible warning.
For example, if both apply to the user and app, a minimum iOS/iPadOS operating system
setting that only warns the user to update is evaluated after the minimum iOS/iPadOS
operating system setting that blocks access. So if the IT admin sets the minimum
iOS/iPadOS operating system to 11.0.0.0 and the minimum iOS/iPadOS operating system
(Warning only) to 11.1.0.0, a device on iOS/iPadOS 10 that tries to access the app is
blocked, because the more restrictive blocking setting is evaluated first and matches.

When dealing with different types of settings, an Intune App SDK version requirement
would take precedence, and then an app version requirement, followed by the
iOS/iPadOS operating system version requirement. Then, any warnings for all types of
settings in the same order are checked. We recommend the Intune App SDK version
requirement be configured only upon guidance from the Intune product team for
essential blocking scenarios.
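The precedence rules above, as an added example that is not Microsoft's code: a small evaluator that applies them to constructed requirement and device values, including the FAQ's 11.0.0.0 block / 11.1.0.0 warning case. The `Requirement` record, the `KIND_ORDER` tuple and the zero-padding of version strings are assumptions for illustration; the page does not state how Intune compares version strings.

```python
"""Precedence of Intune iOS conditional-launch access settings (added example).

Models the ordering the FAQ describes: wipe beats block beats dismissible warning,
and within one class the Intune App SDK version check runs before the app version
check, which runs before the iOS/iPadOS version check. Requirement and device
values are constructed for illustration, not taken from a tenant."""
from dataclasses import dataclass
from enum import IntEnum


class Action(IntEnum):
    WARN = 1   # dismissible warning
    BLOCK = 2  # access blocked until the device or app is updated
    WIPE = 3   # work data removed from the app


# Order in which different setting types are checked within one action class
# (assumption: the page lists SDK, then app, then OS).
KIND_ORDER = ("sdk", "app", "os")


@dataclass(frozen=True)
class Requirement:
    kind: str          # "sdk", "app", or "os"
    min_version: str   # admin-entered value such as "11.0.0.0"
    action: Action


def parse_version(text: str, width: int = 4) -> tuple:
    """Normalise dotted versions so "11.0" and "11.0.0.0" compare equal.

    Without padding Python evaluates (11, 0) < (11, 0, 0, 0) as True, which would
    wrongly block a device that exactly meets the minimum."""
    parts = [int(p) for p in text.split(".")]
    if len(parts) > width:
        raise ValueError(f"too many components in version {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def evaluate(requirements, device):
    """Return (action, requirement) for the first setting that fires, else (None, None).

    `device` maps each kind to the version the app reports, for example
    {"sdk": "14.3.0", "app": "4.2.1", "os": "10.3.3"}. More severe action classes
    are exhausted before a less severe one is considered."""
    for action in (Action.WIPE, Action.BLOCK, Action.WARN):
        for kind in KIND_ORDER:
            for req in requirements:
                if req.action != action or req.kind != kind:
                    continue
                if parse_version(device[kind]) < parse_version(req.min_version):
                    return action, req
    return None, None


# Constructed policy matching the FAQ's worked example: block below iOS 11.0.0.0,
# warn below 11.1.0.0, plus an SDK floor to show type precedence.
POLICY = [
    Requirement("os", "11.0.0.0", Action.BLOCK),
    Requirement("os", "11.1.0.0", Action.WARN),
    Requirement("sdk", "9.0.1", Action.BLOCK),
]


def outcome(os_version, sdk_version="14.3.0", app_version="4.2.1"):
    """Name of the action a device would see under POLICY, or "ALLOW"."""
    action, _ = evaluate(
        POLICY, {"sdk": sdk_version, "app": app_version, "os": os_version}
    )
    return action.name if action else "ALLOW"


if __name__ == "__main__":
    for v in ("10.3.3", "11.0", "11.0.5", "11.1", "12.4"):
        print(f"iOS {v:>7}: {outcome(v)}")
```

A device on iOS 10 is blocked even though a warning setting also applies, and a device on 11.0 exactly is only warned; the padding in `parse_version` is what keeps "11.0" from being treated as lower than "11.0.0.0".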

See also
Deploy Intune
Create a rollout plan
Android mobile app management policy settings in Microsoft Intune
iOS/iPadOS mobile app management policy settings
App protection policies policy refresh
Validate your app protection policies
Add app configuration policies for managed apps without device enrollment
How to get support in Microsoft Intune
Add apps to Microsoft Intune
Article • 08/18/2023

Before you can configure, assign, protect, or monitor apps, you must add them to
Microsoft Intune.

The users of apps and devices at your company (your company's workforce) might have
several app requirements. Before adding apps to Intune and making them available to
your workforce, you may find it helpful to assess and understand a few app
fundamentals. There are various types of apps that are available for Intune. You must
determine app requirements that are needed by the users at your company, such as the
platforms and capabilities that your workforce needs. You must determine whether to
use Intune to manage the devices (including apps) or have Intune manage the apps
without managing the devices. Also, you must determine the apps and capabilities that
your workforce needs, and who needs them. The information in this article helps you get
started.

App types in Microsoft Intune

Intune supports a wide range of app types. The available options differ for each app
type. Intune lets you add and assign the following app types:

App types | Installation | Updates
Apps from the store (store apps) | Intune installs the app on the device. | App updates are automatic.
Apps written in-house or as a custom app (line-of-business) | Intune installs the app on the device (you supply the installation file). | You must update the app.
Apps that are built-in (built-in apps) | Intune installs the app on the device. | App updates are automatic.
Apps on the web (web link) | Intune creates a shortcut to the web app on the device home screen. | App updates are automatic.
Apps from other Microsoft services | Intune creates a shortcut to the app in the Company Portal. For more information, see App source setting options. | App updates are automatic.

Specific app type details

The following table lists the specific app types and how you can add them in the Intune
Select app type pane:

App-specific type | General type | App-specific procedures
Android store apps | Store app | Select Android store app as the App type, click Select, then enter the Google Play store URL for the app.
iOS/iPadOS store apps | Store app | Select iOS store app as the app type, search for the app, and select the app in Intune.
Microsoft store apps | Store app | Select Microsoft store app as the app type, and enter the Microsoft store URL for the app.
Managed Google Play apps | Store app | Select Managed Google Play as the app type, search for the app, and select the app in Intune.
Android Enterprise apps | Store app | Select Managed Google Play as the app type, search for the app, and select the app in Intune. (1)
Microsoft 365 apps for Windows 10 and later | Store app (Microsoft 365) | Select Windows 10 and later under Microsoft 365 Apps as the app type, and then select the Microsoft 365 app that you want to install.
Microsoft 365 apps for macOS | Store app (Microsoft 365) | Select macOS under Microsoft 365 Apps as the app type, and then select the Microsoft 365 app suite.
Microsoft Edge, version 77 and later for Windows 10 and later | Store app | Select Windows 10 and later under Microsoft Edge, version 77 and later as the app type.
Microsoft Edge, version 77 and later for macOS | Store app | Select macOS under Microsoft Edge, version 77 and later as the app type.
Android line-of-business (LOB) apps | LOB app | Select Line-of-business app as the app type, select the App package file, and then enter an Android installation file with the extension .apk.
iOS/iPadOS LOB apps | LOB app | Select Line-of-business app as the app type, select the App package file, and then enter an iOS/iPadOS installation file with the extension .ipa.
Windows LOB apps | LOB app | Select Line-of-business app as the app type, select the App package file, and then enter a Windows installation file with the extension .msi, .appx, .appxbundle, .msix, or .msixbundle.
Built-in iOS/iPadOS app | Built-in app | Select Built-In app as the app type, and then select the built-in app in the list of provided apps.
Built-in Android app | Built-in app | Select Built-In app as the app type, and then select the built-in app in the list of provided apps.
Web apps | Web app | Select Web link as the app type, and then enter a valid URL pointing to the web app.
iOS/iPadOS web clip | Web app | Select iOS/iPadOS web clip as the app type, and then enter a valid URL pointing to the web app. This app type applies only to the iOS/iPadOS platform.
macOS web clip | Web app | Select macOS web clip as the app type, and then enter a valid URL pointing to the web app. This app type applies only to the macOS platform.
Windows web link | Web app | Select Windows web link as the app type, and then enter a valid URL pointing to the web app. This app type applies only to the Windows platform.
Cross platform web apps | Web app | Select Web link as the app type, and then enter a valid URL pointing to the web app.
Android Enterprise system apps | Store app | Select Android Enterprise system app as the app type, and then enter the app name, publisher, and package file.
Windows app (Win32) | LOB app | Select Windows app (Win32) as the app type, select the App package file, and then select an installation file with the extension .intunewin.
macOS LOB apps | LOB app | Select Line-of-business app as the app type, select the App package file, and then select an installation file with the extension .pkg.
macOS apps (DMG) | LOB app (non-store app) | Select macOS app (DMG) as the app type, select the App package file, and then select an installation file with the extension .dmg.
macOS apps (PKG) | LOB app | Select macOS app (PKG) as the app type, select the App package file, and then select an installation file with the extension .pkg. This app type is used to add an unmanaged macOS PKG app to Intune.
Microsoft Defender for Endpoint (macOS) | Store app (Microsoft Defender ATP) | Select macOS under Microsoft Defender for Endpoint as the app type and then continue by setting up the app in Intune.

(1) For more information about Android Enterprise and Android work profiles, see
Understanding licensed apps.

You can add an app in Microsoft Intune by selecting Apps > All apps > Add. The Select
app type pane is displayed and allows you to select the App type.

Tip

An LOB app is one that you add from an app installation file. For example, to install
an iOS/iPadOS LOB app, you add the application by selecting Line-of-business app
as the App type in the Select app type pane. You then select the app package file
(extension .ipa). These types of apps are typically written in-house or as a custom
app.

Assess app requirements


As an IT Admin, you determine not only which apps your group must use, but you also
determine the capabilities needed for each group and subgroup. For each app, you
determine the platforms needed, the groups of users that need the app, the
configuration policies to apply for those groups, and the protection policies to apply.
For example, for enrollment types including Android personally-owned work profile, you
may want to deploy a web browsing app to make sure users will have a way to open
links.

Additionally, you must determine whether to focus on Mobile Device Management
(MDM) or only on Mobile Application Management (MAM).

Using Intune to manage the device with MDM is useful when:

- Users need a Wi-Fi or a VPN corporate connectivity profile to be productive.
- Users need a set of apps to be pushed to their device.
- Your organization needs to comply with regulatory or other policies that call out
  specific MDM controls, such as security or encryption.

Using Intune to manage apps with MAM without managing the device is useful when:

- You want to allow users to use their own device (BYOD).
- You want to provide a one-time pop-up message to let users know that MAM
  protections are in place, rather than continual device-level notification.
- You want to comply with policies that require less management capability on
  personal devices. For instance, you want to manage the corporate data for the
  apps, rather than manage the corporate data for the entire device.

For more information, see Compare MDM and MAM.

Determine who will use the app


As you're determining which apps your workforce needs, consider the various groups of
users and the various apps they use. Knowing these groups is also helpful after you've
added an app. After you add an app, you assign a group of users that can use the app.

First, you must determine which group should have access to the app, based on the
sensitivity of the data the app contains. You might need to include or exclude certain
types of roles within your organization. For example, only certain LOB apps might be
required for your sales group, whereas people focused on engineering, finance, HR, or
legal might not need to use the LOB apps. In addition, your sales group might need
additional data protection and access to internal corporate services on their mobile
devices. You must determine how this group will connect to resources using the app.
Will the data that the app accesses live in the cloud or on-premises? Also, how will the
users connect to resources by using the app?

Intune also supports enabling access to client apps that require secure access to on-
premises data, such as line-of-business app servers. You ordinarily provide this type of
access by using Intune-managed certificates for access control, combined with a
standard VPN gateway or proxy in the perimeter, such as Azure Active Directory
Application Proxy. The Intune App Wrapping Tool and App SDK can help contain the
accessed data within your line-of-business app, so that it can't pass corporate data to
consumer apps or services.

Use the Intune deployment planning, design and implementation guide to help
determine how you identify the organizational groups. For information about assigning
apps to groups, see Assign apps to groups with Microsoft Intune.

Determine the type of app for your solution

You can choose from the following app types:

- Apps from the store: Apps that have been uploaded to either the Microsoft store,
  the iOS/iPadOS store, or the Android store are store apps. The provider of a store
  app maintains and provides updates to the app. You select the app in the store list
  and add it by using Intune as an available app for your users.
- Apps written in-house or as a custom app (line-of-business): Apps that are
  created in-house or as a custom app are line-of-business (LOB) apps. The
  functionality of this type of app has been created for one of the Intune supported
  platforms, such as Windows, iOS/iPadOS, macOS, or Android. Your organization
  creates and provides you with updates as a separate file. You provide updates of
  the app to users by adding and deploying the updates using Intune.
- Apps on the web: Web apps are client-server applications. The server provides the
  web app, which includes the UI, content, and functionality. Additionally, modern
  web hosting platforms commonly offer security, load balancing, and other benefits.
  This type of app is separately maintained on the web. You use Intune to point to
  this app type. You also assign which groups of users can access the app.
- Apps from other Microsoft services: Apps that have been sourced from either
  Azure AD or Office Online. Azure AD Enterprise applications are registered and
  assigned via the Microsoft Intune admin center. Office Online applications are
  assigned using the licensing controls available in the M365 Admin Center. You
  can hide or show Azure AD Enterprise and Office Online applications to end-users
  in the Company Portal. From the Microsoft Intune admin center, select Tenant
  administration > Customization to find this configuration setting. Select to Hide
  or Show either Azure AD Enterprise applications or Office Online applications in
  the Company Portal for each end-user. Each end-user will see their entire
  application catalog from the chosen Microsoft service. By default, each additional
  app source is set to Hide. For more information, see App source setting
  options.

As you're determining which apps your organization needs, consider how the apps
integrate with cloud services, what data the apps access, whether the apps are available
to BYOD users, and whether the apps require internet access.

For more information about the types of apps that your organization needs, see Create a
design.

Understanding app management and protection policies

Intune lets you modify the functionality of apps that you deploy to help align them with
your company's compliance and security policies. This control allows you to determine
how your company data is protected. Intune-managed apps are enabled with a rich set
of mobile application protection policies, such as:

- Restricting copy-and-paste and save-as functions.
- Configuring web links to open inside the Microsoft Edge app.
- Enabling multi-identity use and app-level Conditional Access.

Intune-managed apps can also enable app protection without requiring enrollment,
which gives you the choice of applying data loss-prevention policies without managing
the user's device. Additionally, you can incorporate mobile-app management in your
mobile and line-of-business apps by using the Intune App SDK and App Wrapping Tool.
For more information about these tools, see Intune App SDK overview.

Understanding licensed apps

In addition to understanding web apps, store apps, and LOB apps, you should also be
aware of the destination of volume-purchase-program apps and licensed apps, such as:

- Apple Volume Purchasing Program for Business (iOS): The iOS/iPadOS App Store
  lets you purchase multiple licenses for an app that you want to run in your
  company. Purchasing multiple copies helps you to efficiently manage apps in your
  company. For more information, see Manage iOS/iPadOS volume-purchased apps.
- Android Enterprise fully managed work profile: How you assign apps to Android
  Enterprise fully managed work profile devices differs from how you assign them to
  standard Android devices. All apps you install for Android Enterprise fully managed
  work profiles come from the Managed Google Play store. You use Intune to
  browse for the apps you want and approve them. The app then appears in the
  Licensed apps node of the portal, and you can manage assignment of the app as
  you would any other app.
- Microsoft Store for Business (Windows 10): Microsoft Store for Business gives you
  a place to find and purchase apps for your organization, individually or in volume.
  By connecting the store to Microsoft Intune, you can manage volume-purchased
  apps in the portal. For more information, see Manage apps from Microsoft Store
  for Business.

Note

The file extensions for Windows apps include .msi, .appx, .appxbundle, .msix
and .msixbundle.

Before you add apps

Before you begin to add and assign apps, consider the following points:

- When you add and assign an app from a store, your users must have an account
  with that store to be able to install the app.
- Some apps or items that you assign might depend on built-in iOS/iPadOS apps.
  For example, if you assign a book in the iOS/iPadOS store, the iBooks app must be
  present on the device. If you have removed the iBooks built-in app, you cannot use
  Intune to reinstate it.

Important

If you change the name of the app through Intune after you have deployed and
installed the app, the app will no longer be able to be targeted using commands.

Cloud storage space


All apps that you create by using the software installer installation type (for example, a
line-of-business app) are packaged and uploaded to Intune cloud storage. A trial
subscription of Intune includes 2 gigabytes (GB) of cloud-based storage that is used to
store managed apps and updates. A full subscription does not limit the total amount of
storage space.

Requirements for cloud storage space are as follows:

- All app installation files must be in the same folder.
- The maximum file size for any file that you upload is 8 GB.

Note

Windows line-of-business (LOB) apps, including Win32, Windows Universal AppX,
Windows Universal AppX bundle, Windows Universal MSIX, and Windows Universal
MSIX bundle, have a maximum size limit of 8 GB per app. All other LOB apps,
including iOS/iPadOS LOB apps, have a maximum size limit of 2 GB per app.

Create and edit categories for apps

App categories can be used to help you sort apps to make them easier for users to find
in the company portal. You can assign one or more categories to an app, for example,
Developer apps or Communication apps.

When you add an app to Intune, you're given the option to select the category you
want. Use the platform-specific articles to add an app and assign categories. To create
and edit your own categories, use the following procedure:

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > App categories. The App categories pane displays a list of current
   categories.
3. Do either of the following:
   - To add a category, in the Create category pane, select Add, and then enter a
     name for the category. Names can be entered in one language only, and they
     aren't translated by Intune.
   - To edit a category, select the ellipsis (...) next to the category, and then select
     Pin to dashboard or Delete.
4. Select Create.

Apps that are added automatically by Intune

Previously, Intune contained a number of built-in apps that you could quickly assign.
Based on Intune customer feedback, we removed this list, and the built-in apps are no
longer displayed. However, if you have already assigned any built-in apps, the apps
remain visible in the list of apps. You can continue to assign the apps as required.

Note

For the installation of a required non-line-of-business app, Intune attempts to
install the app by sending an install command whenever the device checks in, provided
that the app is not detected and the app's install state is not Install Pending.

Installing, updating, or removing required apps

Intune automatically reinstalls, updates, or removes a required app within 24 hours,
rather than waiting for the 7-day re-evaluation cycle.

Intune automatically reinstalls, updates, or removes a required app based on the
following conditions:

- If an end user uninstalls an app that you have required to be installed on the end
  user's device, Intune automatically reinstalls the app when this schedule elapses.
- If a required app install fails or somehow the app isn't present on the device,
  Intune evaluates compliance and reinstalls the app when this schedule elapses.
- An admin targets an app as available to a user group and an end user installs the
  app from the company portal on the device. Later, the admin updates the app
  from v1 to v2. Intune updates the app when this schedule elapses, provided that
  a previous version of the app is still present on the device.
- If the admin deploys uninstall intent and the app is present on the device and
  failed to uninstall, Intune evaluates compliance and uninstalls the app when this
  schedule elapses.
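The remediation rules above, together with the earlier note about required store apps in the Install Pending state, as an added example that is not Microsoft's code: a reconciliation function that returns what Intune's next evaluation does for one app on one device. The intent names, the `DeviceAppState` record and the `installPending` state string are assumptions for illustration, as is the rule that a missing LOB app without a pending command is simply reinstalled (the note only describes non-LOB apps).

```python
"""What Intune's next evaluation does with one app on one device (added example).

Encodes the rules in "Installing, updating, or removing required apps" and the
note on required non-LOB apps: a missing required app is reinstalled, an
available app the user installed is updated once the admin assigns a newer
version and the old one is still present, an app with uninstall intent that is
still present is removed, and a required store app already in Install Pending is
not sent another install command. Device states are constructed, not real."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceAppState:
    detected: bool                        # app currently present on the device
    installed_version: Optional[str]      # None when not detected
    install_state: Optional[str] = None   # e.g. "installPending" from the last command


def _ver(text: str) -> tuple:
    """Zero-pad dotted versions so "2.0" and "2.0.0.0" compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def next_action(intent: str, app_type: str, state: DeviceAppState,
                assigned_version: str) -> str:
    """Return one of "install", "wait", "update", "uninstall", or "none".

    intent:   "required", "available", or "uninstall" (the assignment intent)
    app_type: "lob" for line-of-business packages, "store" for everything else
    """
    newer_assigned = (
        state.detected
        and state.installed_version is not None
        and _ver(state.installed_version) < _ver(assigned_version)
    )

    if intent == "uninstall":
        # Still present (including after a failed uninstall): remove it again.
        return "uninstall" if state.detected else "none"

    if intent == "required":
        if not state.detected:
            # Non-LOB apps get an install command at every check-in unless one is
            # already pending; LOB apps are modelled as simply reinstalled (assumption).
            if app_type != "lob" and state.install_state == "installPending":
                return "wait"
            return "install"
        return "update" if newer_assigned else "none"

    if intent == "available":
        # Nothing is pushed; the user installs on demand from the Company Portal.
        # A newer assigned version is applied only while a previous one is present.
        return "update" if newer_assigned else "none"

    raise ValueError(f"unknown intent {intent!r}")


if __name__ == "__main__":
    cases = [
        ("required", "lob", DeviceAppState(False, None), "2.0"),
        ("required", "store", DeviceAppState(False, None, "installPending"), "2.0"),
        ("required", "lob", DeviceAppState(True, "1.0"), "2.0"),
        ("available", "lob", DeviceAppState(True, "1.0"), "2.0"),
        ("available", "lob", DeviceAppState(False, None), "2.0"),
        ("uninstall", "lob", DeviceAppState(True, "1.0"), "1.0"),
    ]
    for intent, kind, state, target in cases:
        print(f"{intent:<10} {kind:<6} detected={state.detected!s:<5} -> "
              f"{next_action(intent, kind, state, target)}")
```

The "wait" branch is the one that matters when troubleshooting a stalled required store app: Intune does not queue a second install command while the first is still pending, so a device that never reports a terminal state keeps showing Install Pending.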

Note

Using the Windows Company Portal, end users can restart an app installation if the
progress seems to have stalled or is frozen. This functionality is allowed if the app
installation progress has not changed in two hours.

From the Installed apps page of the Windows Company Portal or the Company
Portal website, end users can view the installation status and details for device-
assigned required apps. This functionality is provided in addition to the installation
status and details of user-assigned required apps.

Uninstall an app

When you need to uninstall an app from users' devices, use the following steps.

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > the app > Assignments > Add group.
3. In the Add group pane, select Uninstall.
4. Select Included Groups to select the groups of users that are affected by this app
   assignment.
5. Select the groups to which you want to apply the uninstall assignment.
6. Click Select on the Select groups pane.
7. Click OK on the Assign pane to set the assignment.
8. If you want to exclude any groups of users from being affected by this app
   assignment, select Exclude Groups.
9. If you have chosen to exclude any groups, in Select groups, select Select.
10. Select OK in the Add group pane.
11. Select Save in the app Assignments pane.

Important

To uninstall the app successfully, make sure to remove the members or group
assignment for install before assigning them to be uninstalled. If a group is
assigned to both install an app and uninstall an app, the app will remain and not be
removed.
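A pre-flight check for the Important note above, as an added example that is not Microsoft's code: it flags groups that are included in both an install assignment and an uninstall assignment for the same app, and resolves the intent a given user ends up with. The `Assignment` record, the group names and the tie-break that required beats available are assumptions for illustration; the page itself states only that an install assignment beats an uninstall one.

```python
"""Flag install/uninstall assignment conflicts for one Intune app (added example).

Encodes the rule from the Important note: a group that is assigned both to
install an app and to uninstall it keeps the app. Group names and memberships
below are constructed for illustration."""
from dataclasses import dataclass

INSTALL_INTENTS = ("required", "available")
INTENT_PRECEDENCE = ("required", "available", "uninstall")  # assumption: required > available


@dataclass(frozen=True)
class Assignment:
    intent: str            # "required", "available", or "uninstall"
    group: str
    include: bool = True   # False models an "Exclude Groups" entry for that intent


def find_conflicts(assignments):
    """Groups included in both an install assignment and an uninstall assignment.

    Run this before saving an uninstall assignment: every group returned keeps the
    app installed until its install assignment is removed."""
    installs = {a.group for a in assignments if a.include and a.intent in INSTALL_INTENTS}
    uninstalls = {a.group for a in assignments if a.include and a.intent == "uninstall"}
    return sorted(installs & uninstalls)


def effective_intent(assignments, user_groups):
    """Intent a single user ends up with for this app, or None if nothing applies.

    An exclusion removes that intent for the user entirely; among the intents
    that remain, an install intent beats an uninstall intent (the app remains)."""
    groups = set(user_groups)
    applicable = set()
    for intent in INTENT_PRECEDENCE:
        included = any(a.include and a.intent == intent and a.group in groups
                       for a in assignments)
        excluded = any(not a.include and a.intent == intent and a.group in groups
                       for a in assignments)
        if included and not excluded:
            applicable.add(intent)
    for intent in INTENT_PRECEDENCE:
        if intent in applicable:
            return intent
    return None


# Constructed assignment set for one app: Sales-Team is both required and
# uninstalled (the mistake the note warns about); Offboarding is uninstall only;
# Contractors are excluded from the required assignment.
ASSIGNMENTS = [
    Assignment("required", "Sales-Team"),
    Assignment("uninstall", "Sales-Team"),
    Assignment("uninstall", "Offboarding"),
    Assignment("required", "Contractors", include=False),
]

if __name__ == "__main__":
    print("conflicting groups:", find_conflicts(ASSIGNMENTS))
    for member_of in (["Sales-Team"], ["Offboarding"], ["Sales-Team", "Contractors"], ["Marketing"]):
        print(f"{member_of!r:<32} -> {effective_intent(ASSIGNMENTS, member_of)}")
```

A user in Sales-Team keeps the app despite the uninstall assignment, which is exactly the outcome the note describes; excluding that user's group from the required assignment (as Contractors is here) is what lets the uninstall take effect.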

Note

End-users can uninstall Win32 apps and Microsoft store apps using the Windows
Company Portal if the apps were assigned as available and were installed on-
demand by the end-users. For Win32 apps, you have the option to enable or
disable this feature (off by default). For Microsoft store apps, it is always on and
available for your end-users. If an app can be uninstalled by the end-user, the end-
user will be able to select Uninstall for the app in the Windows Company Portal.

Delete an app from Intune

Once you have removed assignments for an app and revoked any app licenses for an
app associated with a token, you can delete the app from Intune. Delete the app in the
Microsoft Intune admin center by selecting Apps > All apps, right-clicking the app to
delete, and then selecting Delete.

App installation errors

For details about Intune app installation errors, see App installation errors.

Next steps

To learn how to add apps for each platform to Intune, see:

- Android store apps
- Android LOB apps
- iOS store apps
- iOS LOB apps
- macOS LOB apps
- Web apps (for all platforms)
- Microsoft store apps
- Windows LOB app
- Microsoft 365 apps for Windows 10
- Microsoft 365 apps for macOS
- Managed Google Play apps
- Microsoft Edge for Windows 10
- Microsoft Edge for macOS
- Built-in apps
- Android Enterprise system app
- Win32 apps
Microsoft Intune protected apps
Article • 08/09/2023

The apps listed in this topic are supported partner and Microsoft apps that are commonly used with
Microsoft Intune. Intune protected apps are enabled with a rich set of mobile application protection
policies.

Note

For your client line-of-business apps, you can incorporate mobile app management using the
Intune App Software Development Kit (SDK), or the App Wrapping Tool for iOS and the App
Wrapping Tool for Android.

Core app settings

The following tables provide details of supported partner and Microsoft apps that are commonly used
with Microsoft Intune. These apps support the core App Protection Policy settings, which are defined
as:

- Protecting work or school account data while leaving personal data untouched in apps that
  support multi-identity
- Restricting data transfer and copy-and-paste functions
- Encrypting work or school account data
- Configuring work or school account web links to open inside a managed browser, like Microsoft
  Edge
- Enforcing access requirements to access work or school account data
- Enforcing conditional launch behaviors to protect the work or school account data
- Applying data loss prevention policies without managing the user's device
- Enabling app protection without requiring enrollment
- Enabling app protection on devices managed with third-party unified endpoint management
  solutions

Advanced app settings

In addition to supporting the core App Protection Policy settings, apps are also capable of supporting
advanced App Protection Policy and App Configuration Policy settings. These settings require app
investment:

- App Configuration Policies can be used by apps to customize app behavior and/or App
  Protection Policy settings.
- On enrolled devices, managed apps can leverage org allowed accounts mode to require sign-in
  with a specific identity and disable multi-identity functionality.
- The Sync policy managed app data with native apps App Protection Policy setting can be utilized
  by apps to restrict the synchronization of contact or calendar data to the native apps.
- The Org data notifications App Protection Policy setting can be utilized by apps to limit the
  exposure of sensitive data in notifications.
- The Open data into Org documents App Protection Policy setting can be utilized by apps to
  restrict importing data from unmanaged locations.
- The Save copies of org data App Protection Policy setting can be utilized by apps to restrict which
  locations can be used when saving work or school account data.

Microsoft apps

Note

For more information on Conditional Access support, see App protection policy requirement.

The below apps support the Core Intune App Protection Policy settings and are also capable of
supporting advanced App Protection Policy and App Configuration Policy settings:

App | Platform | Core App Protection Policy settings | App configuration | Org allowed accounts (iOS, Android) | Sync policy managed app data with native apps (iOS, Android) | Org data notifications (iOS, Android) | Open data into Org documents (iOS, Android) | Save copies of org data (iOS, Android)
Microsoft Edge | Android | ✔ | ✔ see Edge app config | ✔ | N/A | N/A | N/A | ✔
Microsoft Edge | iOS | ✔ | ✔ see Edge app config | ✔ | N/A | N/A | N/A | ✔
Microsoft Excel | Android | ✔ | No settings | ✔ | N/A | ✖ | ✖ | ✔
Microsoft Excel | iOS | ✔ | No settings | ✔ | N/A | ✖ | ✖ | ✔
Microsoft Launcher | Android | ✔ | ✔ see Launcher app config | ✖ | N/A | ✖ | ✖ | N/A
Microsoft Lens - PDF Scanner | Android | ✖ | No settings | ✖ | N/A | ✖ | ✖ | N/A
Microsoft Lens - PDF Scanner | iOS | ✖ | No settings | ✖ | N/A | ✖ | ✖ | N/A
Microsoft Lists | iOS | ✔ | No settings | ✔ | N/A | N/A | ✔ | ✔
Microsoft Lists | Android | ✖ | No settings | ✖ | N/A | N/A | ✖ | ✖
Office (Microsoft 365) | Android | ✔ | ✔ see Office app config | ✔ | N/A | ✖ | ✖ | ✔
Office (Microsoft 365) | iOS | ✔ | ✔ see Office app config | ✔ | N/A | ✖ | ✖ | ✔
Microsoft OneDrive | Android | ✔ | No settings | ✔ | N/A | ✖ | ✔ | N/A
Microsoft OneDrive | iOS | ✔ | No settings | ✔ | N/A | ✖ | ✔ | N/A
Microsoft OneNote | Android | ✔ | No settings | ✔ | N/A | ✖ | ✖ | N/A
Microsoft OneNote | iOS | ✔ | No settings | ✔ | N/A | ✖ | ✖ | N/A
Microsoft Outlook | Android | ✔ | ✔ see Outlook app config | ✔ | ✔ | ✔ | ✔ | ✖
Microsoft Outlook | iOS | ✔ | ✔ see Outlook app config | ✔ | ✔ | ✔ | ✔ | ✔
Microsoft Planner | Android | ✔ | No settings | ✖ | N/A | ✖ | ✖ | N/A
Microsoft Planner | iOS | ✔ | No settings | ✖ | N/A | ✖ | ✖ | N/A
Microsoft PowerPoint | Android | ✔ | No settings | ✔ | N/A | ✖ | ✖ | ✔
Microsoft PowerPoint | iOS | ✔ | No settings | ✔ | N/A | ✖ | ✖ | ✔
Microsoft SharePoint | Android | ✔ | No settings | ✖ | N/A | ✖ | ✖ | N/A
Microsoft SharePoint | iOS | ✔ | No settings | ✖ | N/A | ✖ | ✖ | N/A
Microsoft Teams | Android | ✔ | No settings | ✔ | N/A | ✔ | ✔ | ✔
Microsoft Teams | iOS | ✔ | No settings | ✔ | N/A | ✔ | ✔ | ✔
Microsoft To-Do | Android | ✔ | No settings | ✖ | N/A | ✖ | ✖ | N/A
Microsoft To-Do | iOS | ✔ | No settings | ✖ | N/A | ✖ | ✖ | N/A
Microsoft Word | Android | ✔ | No settings | ✔ | N/A | ✖ | ✖ | ✔
Microsoft Word | iOS | ✔ | No settings | ✔ | N/A | ✖ | ✖ | ✔
Microsoft Viva Engage | Android | ✔ | No settings | ✖ | N/A | ✖ | ✖ | N/A
Microsoft Viva Engage | iOS | ✔ | No settings | ✖ | N/A | ✖ | ✖ | N/A

The below apps support the core Intune App Protection Policy settings.

App | Platform | Core App Protection Policy settings | App configuration
Dynamics 365 Remote Assist | Android | ✔ | No settings
Dynamics 365 Remote Assist | iOS | ✔ | No settings
Dynamics 365 Sales | Android | ✔ | No settings
Dynamics 365 Sales | iOS | ✔ | No settings
Dynamics 365 for phone | iOS | ✔ | No settings
Dynamics 365 for phone | Android | ✔ | No settings
Field Service (Dynamics 365) | Android | ✔ | No settings
Field Service (Dynamics 365) | iOS | ✔ | No settings
Field Service Mobile | Android | ✔ | No settings
Field Service Mobile | iOS | ✔ | No settings
Microsoft 365 Admin | Android | ✔ | No settings
Microsoft 365 Admin | iOS | ✔ | No settings
Microsoft Azure Information Protection Viewer | Android | ✔ | No settings
Microsoft Azure Information Protection Viewer | iOS | ✔ | No settings
Microsoft Dynamics CRM | Android | ✔ | No settings
Microsoft Dynamics CRM | iOS | ✔ | No settings
Microsoft Kaizala | Android | ✔ | No settings
Microsoft Kaizala | iOS | ✔ | No settings
Microsoft PowerApps | Android | ✔ | No settings
Microsoft PowerApps | iOS | ✔ | No settings
Microsoft Power Automate | Android | ✔ | No settings
Microsoft Power Automate | iOS | ✔ | No settings
Microsoft Power BI | Android | ✔ | No settings
Microsoft Power BI | iOS | ✔ | No settings
Microsoft Skype for Business | Android | ✔ | No settings
Microsoft Skype for Business | iOS | ✔ | No settings
Microsoft Stream | Android | ✔ | No settings
Microsoft Stream | iOS | ✔ | No settings
Microsoft Visio Viewer | iOS | ✔ | No settings
Microsoft Whiteboard | iOS | ✔ | No settings
Microsoft Whiteboard | Android | ✔ | No settings

Note

For Office (Microsoft 365) for Android, add the Office Hub, Office Hub (HL), and Office Hub (ROW)
apps to Android App Protection Policies.

Partner productivity apps


The following apps support the core Intune App Protection Policy settings. Apps are also capable of
supporting advanced App Protection Policy and App Configuration Policy settings. For more
information, contact the app vendor.

) Important

Contact the app vendor for specific details on Intune related support.

App title: Achievers
App description: The Achievers app puts the power of recognition in your hands. Achieving great things is a challenge. Recognizing someone for great achievements is easy. Engage, align, and recognize colleagues with the touch of a screen at any time and anywhere.
App store links: Google Play link (Android), App Store link (iOS)

App title: Acronis Access
App description: Safely access your business files from anywhere and any device with Acronis Access. Easily share documents with colleagues, customers, and vendors while keeping files and data secure and private, where only you and your organization can touch them. The app is designed for extreme ease of use with unparalleled security, privacy, and management capabilities.
App store links: App Store link (iOS)

App title: Adobe Acrobat Reader
App description: Open, view, and work with PDFs in a Microsoft Intune managed environment with Adobe Acrobat Reader. Available for iOS/iPadOS and Android.
App store links: Google Play link (Android), App Store link (iOS)

App title: Appian for Intune
App description: Appian empowers business users to monitor, collaborate, and take action on the go, enabling your mobile workforce to stay connected to key business processes and enterprise data. Appian's Business Process Management and Case Management Suite delivers mobile access to event notifications, forms, tasks, information, reports, content, and ad-hoc collaboration.
Appian provides the following:
- Mobile access to the Appian platform
- Mobile task management
- Collaborative activity feed
- Enterprise data discovery
- Offline forms processing
- Access to enterprise reports and analytics
This application requires authorized access to an instance of Appian.
App store links: Google Play link (Android), App Store link (iOS)

App title: ArcGIS Indoors for Intune
App description: ArcGIS Indoors for Intune provides an indoor mapping experience for understanding the location of things and activities happening within your organization's indoor environment. Use the wayfinding, location sharing, and workspace reservation capabilities to feel more connected to your workplace or campus, see increased levels of productivity and collaboration, and less time feeling the stress of being lost.
App store links: Google Play link (Android), App Store link (iOS)

App title: ArchXtract (MDM)
App description: ArchXtract is used to decompress zip files between Microsoft Intune managed applications. The ArchXtract app is the upgraded version of the Intune managed decompression app known as ZipExtractor. ArchXtract supports a wide variety of compression methods.
Characteristics:
- Microsoft Intune policies can be applied to protect company information
- Supports zip files created with major compression tools such as 7-zip, Lhaplus, WinZip, and WinRAR
- Archive files, other than zip, can now be decompressed
- Compression methods such as Deflate, Deflate64, BZip2, LZMA (no password), and PPMd can be decompressed
- Devices which use ArchXtract can be managed from the web
- Archive files with a password can be decompressed on mobile devices
- Open the file by changing the encoding to prevent garbled characters
- Text and image files can be viewed
Supported file types: bmp, jpeg, png, gif, PDF, txt, csv, html, xml
Supported compression methods include Deflate64, BZip2, LZMA (no password), PPMd.
Important: To use the full functionality of this application, you need to connect to a company work account and have a valid subscription for Microsoft Intune. Some functions may not be available in some countries or regions.
App store links: Google Play link (Android), App Store link (iOS)

App title: AssetScan For Intune
App description: AssetScan is a proprietary application linked to the Asset Point tool suite. AssetScan supports technology inventory gathering and verification for both data centers and desktop locations.
App store links: App Store link (iOS)

App title: AventX Mobile Work Orders
App description: AventX Mobile Work Orders allows maintenance users of Oracle eAM to view work order packets on the go with an iPhone or iPad, even offline. As with paper, users can mark up electronic work orders with the added benefit of attaching rich media, like pictures and audio files, as context to the completed work. Adding to the efficiency of mobile, AventX allows technicians to route, close and upload completed work orders from anywhere, increasing time in the field and decreasing time spent manually entering the same information after the work is done.
App store links: App Store link (iOS)

App title: Bluejeans Video Conferencing
App description: BlueJeans delivers a premium video conferencing experience that is optimized for the mobile workforce. With amazing features, like Dolby Voice® audio, BlueJeans helps make every meeting more productive regardless of where the participants are located.
Features:
- Participate in BlueJeans video meetings with up to 150 attendees.
- Experience HD video and Dolby Voice® audio for the highest fidelity meetings.
- Share and receive content for maximum productivity on-the-go.
- Facilitate professional meetings with intuitive controls that make meeting moderation a breeze.
- Integrate your calendar to enable one touch to join and easily jump from meeting-to-meeting.
- Eliminate low-bandwidth spots with intelligent bandwidth management that optimizes network settings.
- Select safe driving mode while on the road for distraction-free meetings.
App store links: Google Play link (Android), App Store link (iOS)

App title: Board Papers
App description: Board Papers is a board portal solution that combines an iPad application with Microsoft SharePoint® integration.
App store links: App Store link (iOS)

App title: Box - Cloud Content Management
App description: Box helps you get work done on the go. It's fast, secure and simple to use, so you can be productive from anywhere, which is the reason 97,000 businesses, including Eli Lilly and Company, General Electric, KKR & Co., P&G and The GAP securely access and manage their critical information with Box. The Box app integrates with the Intune SDK and supports a number of Intune Mobile Application Management policies without using Mobile Device Management.
App store links: App Store link (iOS)

App title: Board.Vision
App description: Board.Vision is the next generation board portal designed with industry-leading features to accelerate the board's decision-making process. Built in the Cloud and offered as a SaaS product, Board.Vision efficiently connects related parties to the corporate governance ecosystem to accelerate collaboration and decision-making. Board.Vision is developed in collaboration with the Board.Vision team's in-house corporate secretarial subject matter experts (SMEs), contributing centuries of experience in corporate governance, corporate administration and secretarial services. The Board.Vision team's SMEs not only possess in-depth knowledge and understanding of the latest conventions and regulations governing businesses and entities, they have influenced the development of corporate governance standards in Singapore. Board.Vision is unique, enabling the best practices in corporate governance in the Singaporean context.
The Board.Vision team understands their customers' pain points and what boards need today to uphold their profound governance responsibilities. Board.Vision enables boards to work more efficiently and effectively by offering features and functionality that streamline board processes.
App store links: Google Play link (Android), App Store link (iPadOS), App Store link (iOS)
App title: Box for EMM
App description: Keep your employees connected and collaborative while you centrally manage security, policy, and provisioning across any mobile device using Box for EMM.
App store links: App Store link (iOS)

App title: Breezy for Intune
App description: Breezy For Intune provides secure print capabilities for your iOS device. Our integration with Intune ensures that your data stays secure while on-device, and our own end-to-end encryption and enterprise grade security ensure that it stays that way on its way to the printer.
App store links: App Store link (iOS)

App title: CAPTOR™ for Intune
App description: CAPTOR is used by organizations to securely capture content on iOS/iPadOS and Android devices, especially in regulated industries such as healthcare, legal, government, law enforcement, insurance, real estate, manufacturing, and financial services. CAPTOR combines the productivity functions of document scanning, audio/video recording, photo/document annotating, and QR-Code reading. CAPTOR requires a license key from Inkscreen.
Key Features:
- Scan multi-page documents using smart edge detection, as well as edit, annotate, and save as PDF capabilities.
- Combine/merge PDF files and rearrange or delete pages.
- Use e-Signature annotation for signing PDF documents.
- Capture high resolution photos and videos.
- Record ambient audio.
- Read QR codes and launch a secure browser.
- Annotate photos and documents with arrows, drawings, highlighters, and text labels.
- Apply informative captions to media.
- Enhanced search for photos and documents containing text, audio, and video using speech recognition.
- Configure IT policies to enforce authentication, PDF version, Open In, default browser, file naming, and much more.
- Support for BYOD/COPE (completely separate work content from personal) and enable personal privacy.
App store links: Google Play link (Android), App Store link (iOS)

App title: CellTrust SL2™ for Microsoft Intune
App description: CellTrust SL2™ for Microsoft Intune is an enterprise-level application that works by assigning a secure Mobile Business Number (MBN) on bring-your-own devices to keep personal and business communications separate on a single device. The seamless solution secures SMS messages and business calls on the device without using the personal number. This capability is vital for enterprises that require greater security for business communications, as well as archiving for eDiscovery and compliance needs.
Microsoft Intune is a cloud-based service in the enterprise mobility management (EMM) space that helps enable your workforce to be productive while keeping your corporate data protected.
CellTrust SL2™ for Microsoft Intune delivers a powerful enterprise mobility platform, allowing employees to work on the go, with easy access to secure business applications, and voice and text messaging. The app was developed with Microsoft Intune SDKs and customized features to allow organizations to tailor it based on their industry and IT needs.
App store links: Google Play link (Android), App Store link (iOS)

App title: CiiMS GO
App description: CiiMS Go allows for mobile access to your CiiMS Lite, an integrated Occurrence Book application used to record and manage occurrence related information in environments where manual occurrence books and registers are used. CiiMS Go allows you to do the following:
- Report incidents and collect specific information relating to the type of incident
- Conduct inspections, assessments or audits using structured checklists
- Attach photos, files or voice notes
- Offline ability allows for recording of information while uploading of data occurs once connectivity is available
- Receive rule-based and proximity alerts as push notifications (requires background location access)
- Make and share comments on alerts
- Initiate proximity based proactive or reactive roll-call (requires background location access)
App store links: Google Play link (Android), App Store link (iOS)

App title: Cisco Jabber for Intune
App description: Cisco Jabber for Intune is for admins to organize and protect BYOD environments with mobile application management (MAM). This app allows admins to protect corporate data while keeping employees connected.
App store links: Google Play link (Android), App Store link (iOS)

App title: Webex for Intune
App description: Webex for Intune brings together your teams, your customers, and your work in real-time and anytime. You can call, message, and meet.
Capabilities:
- Calling built into the app for deeper conversations
- Messaging and file sharing integrated with your content and workflow
- Upgraded meeting experiences with personalized layouts & virtual backgrounds
- Smart presence lets you know when people are available
- Control Webex Devices directly from the app
Built-in Intelligence:
- Notes, highlights and live translation in 10 languages
- Unlock revolutionary people insights with Webex Graph
- Reduce disruptions with noise removal & speech enhancements
- Auto adjust meeting quality for the best experience
Equal experiences for everyone:
- Reactions to allow everyone to participate in their own way
- Work on any device from anywhere: desktop, mobile, web or Cisco Devices
App store links: Google Play link (Android), App Store link (iOS)

App title: Citrix Secure Mail
App description: Citrix Secure Mail is a containerized email, calendar, and contacts app with a rich user experience.
App store links: App Store link (iOS)

App title: Comfy
App description: Comfy is the workplace experience app that empowers you to get the most out of your office.
App store links: Google Play link (Android), App Store link (iOS)

App title: Condeco
App description: The Condeco app allows you to book work spaces. With a few taps you can book a workstation or a meeting room, along with other areas like parking, lockers, quiet spaces, breakout zones, and more.
App store links: Google Play link (Android)

App title: Confidential File Viewer
App description: The Confidential File Viewer (HIBUN) app is used to decrypt and reference password-protected encrypted files. Use the confidential file viewer to decrypt confidential files that have been created and encrypted using HIBUN Data Encryption. Confidential files encrypted with HIBUN AE Information Cypher can also be decrypted using the confidential file viewer.
App store links: Google Play link (Android), App Store link (iOS)

App title: Diligent Boards
App description: With Diligent Boards, organizations can conduct board, committee, and leadership meetings. Diligent Boards provides executives and senior leaders a secure way to access critical meeting and governance information. Diligent provides immediate access to sensitive meeting materials, along with the tools to review, discuss and collaborate on business topics.
App store links: App Store link (iOS)

App title: Dooray! for Intune
App description: Dooray! is the all-in-one collaboration solution including Task management, Messenger, Mail, Meeting, Calendar, Drive, Wiki, Workflow, Board, and more. Admins can manage policies to protect corporate data while keeping employees connected through the Microsoft Intune admin center for Dooray! for Intune.
Dooray! for Intune includes the following:
- Project: Task, file, and wiki management in one place
- Messenger: Efficient communication for collaboration
- Mail: Smart mail system integrated with tasks and schedules
- Meeting: Anytime, anywhere, anyone!
- Calendar: Effective task and schedule management
- Drive: Easy and secure file storage solution
- Wiki: Collaboration on ideas and knowledge with your team
- Workflow: Streamlined decision-making system
- Board: Information sharing and communication
- Stream: Notifications for important updates
App store links: Google Play link (Android), App Store link (iOS)

App title: Egnyte for Intune
App description: The Egnyte mobile app allows you to extend the office by working from anywhere with ease. You can securely access data, preview files, upload new content, collaborate on folders and file links, and edit and co-edit files in popular formats. You can also set up permissions for authorized access, create link expirations, and receive notifications when files are accessed. Egnyte for Intune works with workspaces and devices managed by Microsoft Intune. Intune enables companies to control how the organization's devices are used and also to configure specific policies.
App store links: App Store link (iOS)

App title: Egress Secure Mail for Intune
App description: Send and receive encrypted emails and files from your mobile device. Egress Secure Email provides user-friendly tools to secure sensitive data, with end-to-end encryption, access revocation and message restrictions to empower users to stay in control of the information they share. The Egress Secure Email app requires you to be a licensed user of the Egress platform, with a valid subscription and appropriate infrastructure.
App store links: Google Play link (Android)

App title: Enterprise Files for Intune
App description: Integrated with Intune Mobile Application Management, the Enterprise Files for Intune app provides safe document access to multiple back-end file stores. You can provide secure access to cloud and on-premises storage with enforceable MAM Protection Policies for your data. Users can have as much control over file actions as your business needs dictate, from viewing only to edit, copy, move and delete. Whether it's PDF annotation, video, audio or image presentations, folder management, or document review and edit, Enterprise Files for Intune is an ideal tool for the task.
App store links: App Store link (iOS)

App title: EVALARM
App description: EVALARM is a mobile crisis communication system that automatically informs the right group of people about a crisis and provides them with individual instructions and contact lists. This application supports crisis communication processes as part of hazard prevention management in companies, authorities, universities, schools, kindergartens, hospitals and public institutions.
To configure the EVALARM platform, you define your individual crisis scenarios, determine which people or groups of people are alerted, and determine which instructions and contact lists are to be transmitted.
App store links: App Store link (iOS)

App title: F2 Manager Intune
App description: F2 Manager offers a combined calendar and list view to view meetings and their related items. F2 Manager supports inline annotation and submittal handling (approval process).
Note: To use the F2 Manager app with your business data, you must be a user of the F2 eGovernment platform, with mobile services enabled by your IT department.
App store links: App Store link (iOS)

App title: F2 Touch Intune
App description: With the F2 Touch app, you can access and edit corporate case and document information. The app accesses the cBrain F2 eGovernment platform and enables employees and corporate management to securely perform their daily tasks while away from the office.
Key features of the F2 Touch app:
- Manage your inbox
- Read and approve submittals
- Read and create matters and documents
- Chat
- Search the corporate document archive
Note: To use the F2 Touch Intune app with your business data, you must be a user of the F2 eGovernment platform, with mobile services and Intune enabled by your IT department.
App store links: Google Play link (Android), App Store link (iOS)

App title: FactSet 3.0
App description: FactSet delivers superior analytics, service, content, and technology to help investment professionals see and seize opportunity sooner. Our FactSet 3.0 app is a phone optimized experience that allows our subscribing users to leverage the power and intelligence of the FactSet workstation anytime, anywhere.
App store links: Google Play link (Android), App Store link (iOS)

App title: Firstup - Intune
App description: Firstup for Intune is a workforce communications app that helps companies reach employees with relevant, personalized information that they need to do their best work. Firstup for Intune allows Intune admins to create policies that secure the application in a bring-your-own-device (BYOD) environment. Firstup solves the problem of poor employee engagement by keeping all workers informed and connected. Employees have one place to find out what's happening at work. Companies have an easier, faster way to publish content and news and can measure how many employees engaged with their content.
Firstup for Intune includes the following features:
- An official source for all workforce communications, allowing you to reach every worker with the information they need to know to do their best work.
- Push notifications and reminders for breaking news or time-sensitive tasks
- Ability to upload and share videos, photos, documents, or articles
- Personalized user experience with profiles and the ability to choose channels to follow
- A simple way to save and find important information with bookmarking and powerful search
- The ability for users to comment and share
- A powerful way to connect everyone at your company and create a better digital employee experience
IMPORTANT: This software requires your company's work account and a Microsoft managed environment. Some functionality may not be available in all countries/regions. Please contact your company's IT administrator if you have issues or questions about the use of the software.
App store links: App Store link (iOS)

App title: FleetSafer
App description: FleetSafer is a risk measurement and mitigation tool that enforces communications policies and monitors safe driving practices. FleetSafer requires a Cogosense enterprise account. FleetSafer uses GPS or a connected cogoB smart device to automatically engage when driving movement is detected, disabling access to the device and silencing all calls and notifications. Calling, text, social, and email functionality is disabled. Driving behavior is monitored.
App store links: Google Play link (Android), App Store link (iOS)

App title: Fuze Mobile for Intune
App description: Fuze Mobile for Intune allows end users to communicate using voice calling, video meetings, contact center, chat messaging, and content sharing. Admins can deploy Fuze Mobile securely and at scale in a BYOD context. Fuze Mobile for Intune requires both a Fuze account and a Microsoft managed environment.
App store links: Google Play link (Android), App Store link (iOS)

App title: Global Relay
App description: Put compliance at the heart of your communication with one powerful app. Global Relay is an enterprise unified communication platform purpose-built for financial and other regulated industries to meet collaboration, compliance, privacy, and security requirements. Global Relay supports BYOD and corporate programs, ensuring compliant communication with customers, colleagues, and industry peers via text, voice, WhatsApp, and other preferred channels.
The Global Relay App is available for mobile, desktop, and web. Global Relay is fully integrated with the Microsoft Intune SDK to provide MDM/MAM policy control for IT Administrators.
NOTE: You must be a Global Relay customer or partner to use this app.
App store links: Google Play link (Android), App Store link (iOS)

App title: Groupdolists
App description: Groupdolists helps to coordinate incident response teams, whether corporate or public sector, in a single organization or across multiple organizations. Groupdolists creates a common operating picture between all responders, wherever they are, and synchronizes their efforts in real time.
Benefits include the following:
- Groupdolists brings emergency (and everyday) operating procedures to interactive life.
- Groupdolists pushes task lists to response teams, regardless of their location or device, instantly synchronizing what needs to be done and by whom, as well as confirming completed tasks in chronological order.
- Groupdolists increases transparency, provides greater accountability, and offers a "leadership view" for those who need to see but not touch.
- Groupdolists instantly synchronizes not just tasks, but photos, videos, links, comments, and documents to all team members. Everything you use is available for reference and action.
- Groupdolists provides complete after-action documentation in both PDF and Excel formats.
App store links: Google Play link (Android), App Store link (iOS)

App title: Hearsay Relate for Intune
App description: Hearsay Relate for Intune enables advisors to manage and nurture their book of business in a protected BYOD environment with mobile application management (MAM). This version of Hearsay Relate allows IT administrators to protect corporate data while keeping advisors in touch with their book of business.
Hearsay Relate is a mobile application that enables financial services professionals to move business forward. Leverage compliant texting and seamless voice calling to connect with your entire book of business. Stay productive with calendar integration to set appointments, and schedule reminder messages for upcoming meetings, birthday greetings, and more. Hearsay Relate for Intune gives enterprise users all the features they expect from Hearsay Relate, while providing IT administrators the MAM functionality they need to keep corporate data safe. In the event of a lost or stolen device, IT can remove Hearsay Relate for Intune from the device along with any sensitive data associated with it.
App store links: Google Play link (Android), App Store link (iOS)

App title: HowNow
App description: Use HowNow to get all the knowledge you need, everywhere you work. You can bring together the knowledge, business intelligence, and insights you need from a variety of internal and external sources. HowNow is tailored to you by personalizing learning for you based on your role, business goals, skill requirements, performance, and work you're doing. You can teach, learn, and share knowledge with your team in any format you like at any time, from anywhere.
App store links: Google Play link (Android), App Store link (iOS)

App title: iAnnotate for Intune/O365
App description: Designed for Microsoft Intune enterprise users, iAnnotate for Intune/O365 allows you to read, annotate, and share PDFs, Office (Microsoft 365) files, images and web pages. Seamlessly integrate with OneDrive and Outlook, while easily converting all MS documents to PDFs for quick markup. IT administrators must visit https://enterprise.iannotate.com/ to activate a 30-day free trial and to view the iAnnotate for Intune deployment guide.
App store links: App Store link (iOS)

App title: iBabs for Intune
App description: ISEC7 Mobile Exchange Delegate allows authorized representatives via iPhone and iPad to agree to appointments for their colleagues, to manage their contacts, and to answer emails on behalf of other users.
App store links: App Store link (iOS)

App title: Idenprotect Go
App description: Idenprotect Go is an Identity Driven internet browser designed specifically for enterprise mobile users to access both Intranet and Internet web pages. Idenprotect Go's unique use of PKI technology allows biometric-based password-less authentication to Mutual TLS and Kerberos secured websites and services. Integration with Microsoft's Intune SDK provides full app protection policy control via the Microsoft Intune platform, providing MAM control of the application and giving the ultimate balance of usability and security.
App store links: Google Play link (Android), App Store link (iOS)

App title: Island Enterprise Browser
App description: Island is the browser designed for the enterprise that makes work fluid, while keeping it fundamentally secure. With core security controls naturally embedded in the browser itself, Island enables organizations to control, see, and govern how users, apps, and underlying data interact. This is done all while delivering the same smooth Chromium-based experience users expect.
App store links: App Store link (iOS)

App title: iManage Work 10 For Intune
App description: Confidently and securely access content from iManage Work with Work Mobility for Intune. Empower users to find, edit, collaborate, and share documents and emails from their iOS device. iManage Mobility enables users to be productive from anywhere, with a consistent user experience and the same security protections as iManage Work 10.
App store links: App Store link (iOS)

App title: Incorta (BestBuy)
App description: With on-the-go business intelligence using your iOS device and the Incorta Mobile App, dive deep into your operational analytics and favorite dashboards anytime, anywhere. Fuel your curiosity, explore insights, and stay current with near real-time trends that impact business success.
The Incorta Mobile App includes the following features:
- Interactive dashboards and insights
- Dynamic filtering and drill down navigation
- Bookmarks and favorites
- Export and share dashboards
App store links: App Store link (iOS)

App title: ISEC7 MED for Intune
App description: ISEC7 Mobile Exchange Delegate provides mobile access to authorized Microsoft® Exchange Mailboxes and Public Folders.
App store links: Google Play link (Android)

App title: ixArma
App description: The ixArma 6 app is the mobile part of alarm server management for ixArma 6, enabling comprehensive business continuity management for any alarm scenario. Users of the ixArma 6 app can rapidly respond to incidents and emergencies in real time and on the go. The ixArma 6 app is browser independent and simple to operate.
ixArma provides the following functionality:
- Alarms of different priorities according to predefined alarm scenarios and plans
- Alarms of various priorities with visual and acoustic signaling
- Interactive alarms with updates in real time
- Acknowledge or reject alarm, also with PIN
- Alarm progress and control monitoring in real time
- Fully server-based app management
- Mass SMS notification
- Multilingual (DE, FR, IT, EN)
- MDM version available on request
NOTE: The ixArma 6 app does not work with the older ixArma 5. Do not upgrade your app unless your ixArma is version 6.
App store links: Google Play link (Android), App Store link (iOS)

App title: Klaxoon for Intune
App description: Klaxoon for Intune is for Klaxoon customers that have enabled Microsoft Intune Mobile Application Management (MAM). Every day, workshops replace traditional meetings and are becoming a more efficient way to drive performance. Klaxoon is a hybrid and complete workspace that enables every type of workshop to be more engaging, mindful, and efficient: ideation workshops, design thinking, project management, customer meetings, team rituals, training sessions, business reviews, and more.
App store links: App Store link (iOS)

App title: Leap Work for Intune
App description: Leap Work is a B2C communication app. Employees can call or send text, voice, and file messages to clients' messengers of their choice: WhatsApp™, WeChat™, Telegram™, Line™, SMS and others. Leap Work is a part of LeapXpert's Federated Messaging Orchestration Platform (FMOP). The FMOP concept allows the promotion of messaging to a formal business communication channel, similar to calling or emailing.
Use Leap Work to:
- Reach clients on their messengers
- Own and control all company communication data
- Gather employee and client communication on one platform
- Allow group chats between employees and clients
- Keep company communication history always available for monitoring and compliance purposes
App store links: Google Play link (Android), App Store link (iOS)

App title: LiquidText
App description: LiquidText offers a fast, natural way to review, gather, and organize information across all your documents and webpages, then apply the results to writing reports, meeting prep, or simply studying. Pull out key facts and connect them together, squeeze a document to compare sections, draw a line to connect ideas in different documents, comment on multiple pages at once, build upon your thoughts, and much more.
NOTE: To use LiquidText with Intune, you need a LiquidText Enterprise account. Visit LiquidText to learn more.
App store links: App Store link (iOS)

App title: LumApps for Intune
App description: LumApps for Intune allows Intune admins to organize and protect Bring Your Own Device (BYOD) environments. From the Microsoft Intune admin center, admins can create policies to protect corporate data while keeping employees connected. The LumApps platform provides corporate news, business tools, essential documents, and social communities.
LumApps for Intune includes several features:
- Browse listed content, including company news and targeted information streams
- View detailed content and comments with attached files
- React to content in real-time
- Like and respond to posts and comments
- View all communities at a glance and follow your favorites
- Check your preferred communities' activity
- Create your own community post with attached files, links, and tags
- Quick access to the LumApps Help page
To use LumApps for Intune, your company's active subscription plan to LumApps must include the mobile option, with valid login credentials. Additionally, LumApps for Intune requires a Microsoft managed environment. Please contact your company's IT administrator if you have issues or questions about using LumApps for Intune.
App store links: Google Play link (Android), App Store link (iOS)

App title: M-Files for Intune
App description: M-Files® is an enterprise content management (ECM) and document management solution that helps to manage, find, track, and secure information for companies of all sizes. The M-Files mobile application lets you access your M-Files documents anytime and anywhere – even when you're on the go or not connected to your office network. The application enables you to find documents from your M-Files Vaults via search functions and various customizable views, as well as view and approve documents and workflows.

To be able to utilize the mobile application, you need to have an M-Files system set up and to possess the required access rights. To get started, you need an M-Files server address and login credentials.
App store links: Google Play link (Android), App Store link (iOS)

App title: MangoApps - Work from Anywhere
App description: MangoApps - Work from Anywhere makes teamwork, file sharing, and collaboration easy. It is a comprehensive business collaboration tool for mobile and offers advanced team and company communication, project management, and information sharing features that help companies and their employees stay organized while working together and sharing information. Collaboration features such as chat, company intranet, and wikis, among other convenient task management tools, can all be used from your phone while you're on the go or from your desktop computer while you're in the office. It's a cross-platform social collaboration app, so no matter where you are and which device you are using, you can use MangoApps - Work from Anywhere to access work-related information and stay in touch with colleagues and clients.
App store links: Google Play link (Android), App Store link (iOS)

App title: Meetings by Decisions
App description: Meetings by Decisions is a solution for Microsoft Teams and Microsoft Office 365. With Decisions, users improve collaboration, engagement, and productivity by using agenda builder, Teams in-meeting extensions, secure voting, minutes templates, task management, and more.
App store links: Google Play link (Android), App Store link (iOS)

App title: Meetio Enterprise
App description: Meetio's mobile app for organizations using Meetio room management solutions. Meetio Enterprise simplifies your workday by allowing you to schedule meetings and meeting rooms - all at once, while you're on the go.
App store links: Google Play link (Android), App Store link (iOS)

App title: MultiLine for Intune
App description: MultiLine for Intune is a secure, carrier-agnostic business application that enables employees to compliantly communicate with external clients through a separate business number on their own personal devices (BYOD) within the Microsoft Intune environment. This version of MultiLine allows IT and mobility managers to secure their client communication data while ensuring employees are not using their personal number or other consumer messengers for business communications. MultiLine for Intune works over any iOS/Android device and can be deployed over any global carrier. MultiLine's technology allows employees to make and receive calls on their business number over WiFi, mobile data and/or GSM (not VoIP-only), ensuring employees are always accessible and connected with their clients no matter where they work. The solution unifies voice, SMS, and other consumer messaging channels through a single inbox within the MultiLine mobile and desktop application, allowing employees to reach their clients on their preferred channels. All voice and messaging conversations can be automatically captured and ingested into any CRM or archival/surveillance platform, ensuring firms are meeting their regulatory requirements.
App store links: Google Play link (Android), App Store link (iOS)

App title: MURAL - Visual Collaboration
App description: MURAL is a collaborative intelligence company powering ideation, innovation, alignment, and team building. Use the MURAL - Visual Collaboration app to work together in either real-time or asynchronously using digital whiteboard and collaboration features that are designed to inspire better collaboration and lead to business-driving outcomes.
App store links: Google Play link (Android), App Store link (iOS)

App title: myBLDNG
App description: myBLDNG makes it easy to navigate your virtual office space, book a workplace, and share your workday with your colleagues. It makes co-working easier.
App store links: Google Play link (Android), App Store link (iOS)

App title: My Portal By MangoApps
App description: My Portal is an all-in-one app for a mobile-first workplace. It brings communication, collaboration, engagement, and training tools into one comprehensive portal for your company. This unified portal makes it easy to create a central location for fast access to all the tools that members need to connect, communicate, collaborate, and manage.
App store links: Google Play link (Android), App Store link (iOS)

App title: MyITOps for Intune
App description: With the MyITOps for Intune app you can do the following:

Visualize business service health, at a glance via Sunburst, Cards and ServiceTree widgets
Create your own, branded custom mobile friendly dashboards
Subscribe to push notifications for instant visibility of IT alerts and incidents
See the status, severity, and business impact of alerts, clustered into correlation scenarios and drill down to root cause
Take actions to assign, accept and close alerts and incidents
Work collaboratively in Service Outage Rooms to resolve issues by leveraging ChatOps with seamless integration for Microsoft Teams and Slack
Keep communications in sync with your ITSM tooling throughout the incident/alert lifecycle
Securely deploy and configure the MyITOps for Intune app through Microsoft's Intune Mobile Device Management platform

NOTE:
The MyITOps for Intune app requires active credentials for the Interlink Software AIOps Platform.
App store links: Google Play link (Android), App Store link (iOS)

App title: MyQ Roger: OCR scanner PDF
App description: Scan all your documents with a few clicks using a smartphone, save them in your device or to your favorite cloud services (OneDrive, iCloud, Google Drive, Dropbox, or Box), and carry them wherever you go. MyQ Roger is your digital workplace assistant, allowing you to have the office in your pocket. This free app simplifies your life: at work, during studies, and on daily personal activities. Download MyQ Roger now and scan your own way.
App store links: Google Play link (Android), App Store link (iOS)

App title: Nexis Newsdesk™ Mobile
App description: Newsdesk delivers relevant news from all media types – online, print, social, and broadcast – in a single destination. With the Newsdesk mobile app you will:

Be in the know while on the go
Enjoy a seamless experience between mobile and web
Access headlines and extracts of articles right in the app
Easily share articles
Tag favorite feeds or save articles to read later
See which favorite searches have new coverage
App store links: Google Play link (Android), App Store link (iOS)

App title: Nine Work for Intune
App description: Nine is a full-fledged email application for Android based on Direct Push technology to synchronize with Microsoft Exchange Server using Microsoft Exchange ActiveSync, and also designed for entrepreneurs or ordinary people who want to have efficient communication with their colleagues, friends, and family members at any time, anywhere.
App store links: Google Play link (Android), App Store link (iOS)

App title: Notate for Intune
App description: Notate is the ultimate Exchange Information Manager. Go paperless and improve collaboration. Let Notate advance your digital transformation.
App store links: App Store link (iOS)

App title: Now Mobile - Intune
App description: Now employees can find answers and get work done across IT, HR, Facilities, Finance, Legal and other departments, all from a modern mobile app powered by the Now Platform®.

The Now Platform® delivers employee experiences and productivity through digital workflows across departments, systems and people.

Examples of things you can do in the app:

IT: Request a laptop or a password reset
Facilities: Find and book a conference room
Finance: Request a corporate credit card
Legal: Have a new vendor sign a non-disclosure agreement (NDA)
HR: Find the next company holiday and check the vacation policy

Now® Mobile powered by the Now Platform® - finally work life can be as great as real life
App store links: Google Play link (Android), App Store link (iOS)

App title: Omnipresence Go
App description: Omnipresence is a Customer Experience Management platform for Life Sciences companies. You can use Omnipresence CXM to engage with customers and patients of Life Sciences companies. Omnipresence is built by life sciences experts who understand pharma, biotech, and med-device business needs and compliance requirements. As a unified platform, functional teams can work together using a shared view of their customers and plans across devices, online and offline, in harmony with their Microsoft applications. By using Omnipresence, you can focus on enabling great customer experiences based on advanced analytics and AI that deliver insights to enrich every stage of the customer journey.
App store links: Google Play link (Android), App Store link (iOS)

App title: PenPoint
App description: PenPoint works with PenLink's on-premises software, PLX, to conduct lawful communications surveillance operations in the support of law enforcement investigations. PenPoint for Intune provides secure mobile access to communications surveillance data collected and stored by a PLX system.
App store links: Google Play link (Android), App Store link (iOS)

App title: PrinterOn for Microsoft
App description: PrinterOn's wireless mobile printing solutions enable users to remotely print from anywhere at any time over a secure network.
App store links: Google Play link (Android)

App title: Qlik Sense Mobile
App description: Qlik Sense is a market leading, next generation application for self-service oriented analytics. Qlik's patented associative technology allows people to easily combine data from many different sources and explore it freely, without the limitations of query-based tools.
App store links: Google Play link (Android), App Store link (iOS)

App title: Re:Work Enterprise
App description: Re:Work Enterprise, an email client app using ActiveSync, is a secure, safe, and convenient email client. Features include a shared mailbox and calendars for collaboration with colleagues. Re:Work Enterprise supports Microsoft Exchange Server and Office (Microsoft 365), as well as Microsoft Exchange email, calendar, contacts, tasks, and notes.
App store links: Google Play link (Android), App Store link (iOS)

App title: RICOH Spaces
App description: RICOH Spaces is a cloud hosted workplace enhancement platform designed to optimize your business with areas such as desk bookings, space bookings, wayfinding, workplace insights, and more.
App store links: Google Play link (Android), App Store link (iOS)

App title: RingCentral for Intune
App description: RingCentral for Intune gives users messaging, video, and phone services in one simple app, while allowing IT admins to enforce granular security controls to protect corporate data.
App store links: Google Play link (Android), App Store link (iOS)

App title: SAP Fiori
App description: Increase your daily productivity by tackling your most common business tasks anywhere and anytime with the SAP Fiori Client mobile app for iPhone and iPad. Deliver a next-level mobile experience with enhanced attachment handling and full-screen operations using this enhanced mobile runtime for the Web version of over 750 SAP Fiori apps. Plus, access custom SAP Fiori mobile apps—built by customers using SAP Fiori mobile service—that are ready to support Intune mobile app management.

App title: Secure Contacts
App description: The Secure Contacts app allows you to synchronize your business contacts on iOS devices from various corporate data sources in a compliant way.

Features:

Access to all business contacts
Personal Microsoft Exchange Online address book
Company address book
Further data sources (Microsoft Dynamics CRM, Salesforce, etc.)
Favorites list, including the most important contacts
Caller identification without synchronization with the device address book
Starting phone calls, chats, SMS (via Microsoft Teams and the iPhone's native apps)
Encrypted and compliant storage of all data
Mobile Application Management via Microsoft Intune (App Protection Policies)
Access control via Azure AD Conditional Access (Compliant Device and App Protection Policy)

Requirements:

For the full range of functions, an activation by Provectus Technologies GmbH is required.
To use the Secure Contacts app a Microsoft Azure AD user account must be present and activated with the following functions:
  Azure Active Directory Premium P1 (or higher)
  Exchange Online P1 (or higher)
  Microsoft Intune
In order to use the Microsoft Teams integration, the Microsoft Teams function must be activated
App store links: App Store link (iOS)

App title: Seismic | Intune
App description: Seismic | Intune is for administrators to add security and protection policies to protect corporate data while enabling employees to sell. Seismic provides the following capabilities:

Find content fast with fast search results
Get buyer-specific recommendations when you need them, where you need them
Access sales content, training, and communications online and offline
Stay informed with a real-time newsfeed you dial in to your specific interests
Collaborate with your team and stay in the loop, wherever you are
Delight buyers with a modern, eloquent engagement experience
Gain insights by tracking buyer engagement, down to which pages and how long

Seismic solves the individual challenges of Sales, Marketing, and Sales Enablement teams by making all three teams more effective together. Your Marketing team builds useful content with brand protection and scalability, and mines data intelligence to continuously improve ROI over time. The Sales Enablement team distributes targeted sales content, news, and training in apps for mobile, CRM, email, and browsers. Sellers find, learn, connect, and close from any device, anywhere, and are more knowledgeable and productive than ever.
App store links: Google Play link (Android), App Store link (iOS)

App title: Senses
App description: Senses is a cloud sales support tool. Senses helps manage sales and customer success, and proposes best practices based on accumulated customer information.
App store links: App Store link (iOS)

App title: ServiceNow Agent - Intune
App description: ServiceNow Mobile Agent app delivers out-of-the-box, mobile-first experiences for the most common service desk agent workflows, making it easy for agents to triage, act on and resolve requests on the go. The app enables service desk agents to promptly manage and resolve end user issues from their mobile devices. Agents use the app's intuitive interface to accept and update work even without Internet connectivity. The app greatly simplifies work by leveraging native device capabilities for tasks like navigation, barcode scanning, or collecting a signature.

The app comes with out-of-the-box workflows for service desk agents in IT, Customer Service, HR, Field Services, Security Ops and IT Asset Management. Organizations can easily configure and extend the workflows to meet their own unique needs.

With Mobile Agent you can:

Manage the work assigned to your teams.
Triage incidents and cases.
Act on approvals with swipe gestures and quick actions.
Complete work while offline.
Access the full issue details, activity stream, and related lists of records.
Optimize workflows with location, camera, and touchscreen hardware
App store links: Google Play link (Android), App Store link (iOS)

App title: Slack for Intune
App description: Slack for Intune is for Slack customers that have enabled Microsoft Intune Mobile Application Management (MAM).
App store links: Google Play link (Android), App Store link (iOS)

App title: PK Protect for Intune
App description: PK Protect for Intune is specifically designed for existing PKWARE customers operating in an Intune environment. PK Protect lets you get your work done on the go. It's fast, secure and simple to use so you can be productive from anywhere. If you are unsure if you have PK Protect, contact your company's IT administrator. With PK Protect, you can:

Encrypt and decrypt files using Smartkeys
Decrypt archives with X.509 Digital Certificates
Create and manage Smartkeys
Perform digital signing and authentication of data with X.509 Digital Certificates
Encrypt and decrypt files with Strong Passphrase encryption, including AE2
Log in with existing Active Directory credentials
Create and view unencrypted zip archives

PK Protect armors data at its core, eliminating vulnerabilities everywhere data is used, shared or stored. For nearly three decades, PKWARE has provided encryption and compression software to more than 30,000 enterprise customers and over 200 government agencies. Available for iOS/iPadOS and Android.
App store links: Google Play link (Android), App Store link (iOS)

App title: Speaking Email
App description: Get more time in your day by having your email read to you on the move. Voice commands and simple gestures designed to be safe to use while driving give you the ability to archive, flag or even reply on the move. Smart content detection skips over disclaimers, reply headers, and email signatures to speak only the content without the clutter.

Employees can sign in via Intune to access Microsoft 365 Exchange email.
App store links: App Store link (iOS)

App title: Synergi Life
App description: Synergi Life Mobile App, an extension of Synergi Life, lets users easily create observations and incident reports anytime and from anywhere, using their phones to take a snapshot and make a voice recording. Synergi Life (previously named Synergi) is a complete business solution for risk and QHSE management, managing all non-conformances, incidents, risk, risk analyses, audits, assessments and improvement suggestions.

The Synergi Life Mobile App requires you to be a licensed user of the Synergi Life risk and QHSE management system, and have the necessary back-end licensed software and services.
App store links: Google Play link (Android), App Store link (iOS)

App title: Tableau Mobile for Intune
App description: Tableau Mobile gives you the freedom to stay on top of your data, no matter where you are or when you need it. With a fast, intuitive, and interactive experience, explore your dashboards and find just what you're looking for, all from the convenience of your mobile device. The Tableau Mobile app requires a Tableau Server or Tableau Online account. Please note, it does not work with Tableau Public.

Features:

Interactive previews let you access your data even when you're offline.
Mark your favorite dashboards or views to always have them at your fingertips.
Scroll, search, and browse your organization's dashboards with a navigation experience that's both intuitive and familiar.
Interact with your data to ask and answer questions on the go.
App store links: Google Play link (Android), App Store link (iOS)

App title: Varicent
App description: Varicent helps sellers understand which activities provide the best results. Reports, dashboards, and workflows help sales to understand:

Achievement
Bonus
Commission
Credits
Disputes
Key Performance Indicators (KPIs)
Opportunity potential
Plan approval
Plan assignment
Quota
Ranking
Rewards
Territory
Transactional payout

If you're an individual seller, manager, or leader, Varicent can help you understand the right information at the right time. Full views of charts, graphs, dashboards and workflow execution (including information input) are right at your fingertips. Realize a better time-to-value for your go-to-market strategy with Varicent Sales Performance Management.

NOTE:
This application requires that you are a client of Varicent to utilize all features and functionalities and maximize seller performance.
App store links: Google Play link (Android), App Store link (iOS)

App title: Vbrick Mobile
App description: Customers using Vbrick Enterprise Video Platform (EVP) can upload and view on-demand videos using the Vbrick mobile app. Customers can use Microsoft Intune to manage access to the Vbrick mobile app. The Vbrick mobile app includes the following features:

View a carousel of featured videos
Browse feeds of recommended and most recent content
Search for videos
Scan categories and channels to find videos of interest
Approved Media Contributors can upload videos captured on your mobile device

NOTE: The Vbrick app requires users to have an active account and email address in their company's cloud-hosted Vbrick tenant.
App store links: Google Play link (Android), App Store link (iOS)

App title: Vera for Intune
App description: Encrypt, track, and revoke access to files and email attachments directly from your mobile device with Vera for Intune. Protect your most valuable information, no matter what apps you use: Microsoft, Box, Google, Dropbox, and more.
App store links: Google Play link (Android), App Store link (iOS)

App title: VerityRMS
App description: VerityRMS for iOS offers Asset Managers and Investment Professionals a full-featured and modern mobile experience. Equipped with a full suite of consumption and authoring tools, users can harness their firm's investment process from anywhere.
App store links: App Store link (iOS)

App title: Voltage SecureMail
App description: Send and receive Voltage encrypted secure email and attachments in the Microsoft Intune managed environment with Voltage SecureMail Mobile. Any user can receive and read Voltage encrypted messages. However, replying to messages and composing new secure emails requires these features to be enabled by the sending organization. Users can also compose, send, reply to, forward, and print encrypted messages, according to the SecureMail Mobile policy for their organization or for the organization sending the secure message.
App store links: Google Play link (Android), App Store link (iOS)

App title: Zero for Intune
App description: The ZERØ for Intune application is specifically designed for MDM deployment via Microsoft Intune. This app allows both ZERØ and Microsoft Intune customers to take advantage of a secure Intune MDM deployment, as well as organize and protect BYOD environments with mobile application management (MAM).
App store links: App Store link (iOS)

App title: Zoom for Intune
App description: Zoom is your communications hub for meetings, webinars, chat and cloud phone. Start or join meetings with flawless video, crystal clear audio and instant screen sharing from desktop, mobile or conference rooms.
App store links: Google Play link (Android), App Store link (iOS)

Partner UEM apps
The following apps enable coexistence between apps that support Intune App Protection Policies and
partner unified endpoint management (UEM) solutions. These apps support the core Intune App
Protection Policy settings. Apps are also capable of supporting advanced App Protection Policy and
App Configuration Policy settings. For more information, contact the app vendor.

App title: Blackberry Enterprise BRIDGE
App description: BlackBerry Enterprise BRIDGE allows you to securely view, edit, and save documents using Intune-managed Microsoft apps, such as Microsoft Word, Microsoft PowerPoint, and Microsoft Excel from BlackBerry Dynamics. You can share your documents as email attachments and maintain data encryption during the document-sharing process between BlackBerry Dynamics and Intune-managed mobile apps.
App store links: Google Play link (Android), App Store link (iOS)

App title: Workspace ONE Send
App description: Workspace ONE Send provides seamless editing and sending capabilities for customers using Microsoft Intune to manage Microsoft 365 apps using VMware productivity apps.
App store links: Google Play link (Android), App Store link (iOS)

Next steps
To learn how to add apps for each platform to Intune, see:

Android store apps
Android LOB apps
iOS store apps
iOS LOB apps
Web apps (for all platforms)
Microsoft store apps
Windows LOB app
Microsoft 365 apps for Windows 10
Microsoft 365 apps for macOS
Built-in apps
Win32 apps
Add Android store apps to Microsoft Intune
Article • 03/06/2023

Before you assign an app to a device or a group of users, you must first add the app to
Microsoft Intune.

Add an app
You can add an Android store app to Intune from the portal by doing the following:

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the available Store app types, select Android store app.
4. Click Select.

The Add app steps are displayed.

5. To configure the App information for the Android app, navigate to the Google Play store and search for the app you want to deploy. Display the app page and make a note of the app details.
6. In the App information page, add the app details:

Name: Enter the name of the app as it is to be displayed in the company portal. Make sure that any app name that you use is unique. If an app name is duplicated, only one name is displayed to users in the company portal.
Description: Enter a description for the app. This description is displayed to users in the company portal.
Publisher: Enter the name of the publisher of the app.
Appstore URL: Enter the app store URL of the app that you want to create. Use the URL of the app page when the details of the app are displayed in the store.
Minimum operating system: In the list, select the earliest operating system version on which the app can be installed. If you assign the app to a device with an earlier operating system, it will not be installed.
Category: Optionally, select one or more of the built-in app categories, or a category that you created. Doing so makes it easier for users to find the app when they browse the company portal.
Show this as a featured app in the Company Portal: Select this option to display the app suite prominently on the main page of the company portal when users browse for apps. Applies to apps deployed with Available intent.
Information URL: Optionally, enter the URL of a website that contains information about this app. The URL is displayed to users in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy information for this app. The URL is displayed to users in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app, for example, HR department.
Notes: Optionally, enter any notes that you want to associate with this app.
Logo: Optionally, upload an icon that will be associated with the app. This icon is displayed with the app when users browse the company portal.

7. Click Next to display the Scope tags page.
8. Click Select scope tags to optionally add scope tags for the app. For more information, see Use role-based access control (RBAC) and scope tags for distributed IT.
9. Click Next to display the Assignments page.
10. Select the group assignments for the app. For more information, see Add groups to organize users and devices.
11. Click Next to display the Review + create page. Review the values and settings you entered for the app.
12. When you are done, click Create to add the app to Intune.

The Overview blade of the app you've created is displayed.

Next steps
Assign apps to groups

Related topics
Add Managed Google Play apps to Android Enterprise devices with Intune
Add iOS store apps to Microsoft Intune
Article • 03/06/2023

Use the information in this article to help you add iOS store apps to Microsoft Intune.
iOS store apps are apps that Intune installs on your users' devices. A user is part of your
company's workforce. iOS store apps are automatically updated.

Note

Although users of iOS/iPadOS devices can remove some built-in iOS/iPadOS apps,
such as Stocks and Maps, you cannot use Intune to redeploy those apps. If your
users delete these apps, they must go to the App Store and manually reinstall
them.

Before you start

You can assign apps by using this method only if they are free of charge in the App
Store. If you want to assign paid apps by using Intune, consider using the iOS/iPadOS
volume-purchase program.

Note

When you work with Microsoft Intune, we recommend that you use either the
Microsoft Edge or Google Chrome browser.

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps > Add.

3. In the Select app type pane, under the available Store app types, select iOS store
app.

4. Click Select.

The Add app steps are displayed.

5. Select Search the App Store.

6. In the Search the App Store pane, select the App Store country/region locale.

7. In the Search box, type the name (or part of the name) of the app.

Intune searches the store and returns a list of relevant results.
8. In the results list, select the app you want, and then select Select.

The App information page will be displayed in the Add app pane. When possible,
app information will be added based on the app you selected from the store.

9. In the App information page, add the app details. Depending on the app you have
chosen, some of the values in this pane might have been automatically filled in:

Name: Enter the name of the app as it is to be displayed in the company portal. Make sure that any app name that you use is unique. If an app name is duplicated, only one name is displayed to users in the company portal.
Description: Enter a description for the app. This description is displayed to users in the company portal.
Publisher: Enter the name of the publisher of the app.
Appstore URL: Type the App Store URL of the app that you want to create.
Minimum operating system: In the list, select the earliest operating system version on which the app can be installed. If you assign the app to a device with an earlier operating system, it will not be installed.
Applicable device type: In the list, select the devices that are used by the app.
Category: Optionally, select one or more of the built-in app categories, or a category that you created. Doing so makes it easier for users to find the app when they browse the company portal.
Show this as a featured app in the Company Portal: Select this option to display the app suite prominently on the main page of the company portal when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains information about this app. The URL is displayed to users in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy information for this app. The URL is displayed to users in the company portal.
Developer: Optionally, enter the name of the app developer. This field is visible only to administrators and is not visible to your users.
Owner: Optionally, enter a name for the owner of this app, for example, HR department. This field is visible only to administrators and is not visible to your users.
Notes: Optionally, enter any notes that you want to associate with this app. This field is visible only to administrators and is not visible to end users.
Logo: Optionally, upload an icon that will be associated with the app. This icon is displayed with the app when users browse the company portal.

10. Click Next to display the Scope tags page.
11. Click Select scope tags to optionally add scope tags for the app. For more
information, see Use role-based access control (RBAC) and scope tags for
distributed IT.

12. Click Next to display the Assignments page.

13. Select the group assignments for the app. For more information, see Add groups
to organize users and devices.

14. Click Next to display the Review + create page. Review the values and settings you
entered for the app.

15. When you are done, click Create to add the app to Intune.

The Overview blade of the app you've created is displayed.
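The Android and iOS procedures above take the same App information fields, and two of them are easy to get wrong at scale: the Appstore URL (a mistyped or lookalike store host would send users to the wrong listing) and a duplicate Name (the articles note that only one of two identical names is shown in the Company Portal). The following added example, not Microsoft's code and not part of either article, checks those fields before an app is created and builds a request body from them; the Microsoft Graph property names it emits (displayName, publisher, appStoreUrl, minimumSupportedOperatingSystem, applicableDeviceType) and the body shape are an assumption of this example, since the articles only describe the admin center UI.

```python
"""Check the App information fields for an Android or iOS store app and build
a create-app request body. Added example; the Graph property names are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Hosts of the two stores named in the articles. The host is compared exactly
# (not with endswith) so that lookalikes such as play.google.com.example fail.
GOOGLE_PLAY_HOST = "play.google.com"
APP_STORE_HOSTS = ("apps.apple.com", "itunes.apple.com")


class StoreAppError(ValueError):
    """A field value that the procedure would not accept as intended."""


def google_play_package_id(url: str) -> str:
    """Return the package id from a Google Play app page URL, or raise.

    The Android article says to use the URL of the app's page in the store,
    which has the form https://play.google.com/store/apps/details?id=<package>.
    """
    u = urlparse(url)
    if u.scheme != "https" or u.hostname != GOOGLE_PLAY_HOST:
        raise StoreAppError(f"not a Google Play app page: {url}")
    if u.path != "/store/apps/details":
        raise StoreAppError(f"not an app details page: {url}")
    ids = parse_qs(u.query).get("id", [])
    if len(ids) != 1 or not ids[0]:
        raise StoreAppError(f"no package id in URL: {url}")
    return ids[0]


def app_store_id(url: str) -> str:
    """Return the numeric app id from an Apple App Store app page URL, or raise.

    App Store app pages end in /id<digits>, e.g. .../app/<name>/id123456789.
    """
    u = urlparse(url)
    if u.scheme != "https" or u.hostname not in APP_STORE_HOSTS:
        raise StoreAppError(f"not an App Store app page: {url}")
    tail = u.path.rstrip("/").rsplit("/", 1)[-1]
    if not (tail.startswith("id") and tail[2:].isdigit()):
        raise StoreAppError(f"no app id in URL: {url}")
    return tail[2:]


@dataclass
class StoreAppInfo:
    """The App information fields from the procedures (required ones first)."""
    platform: str          # "android" or "ios"
    name: str
    description: str
    publisher: str
    appstore_url: str
    minimum_os: str        # e.g. "8.0"; the portal offers a fixed list
    featured: bool = False
    information_url: str = ""
    privacy_url: str = ""
    developer: str = ""
    owner: str = ""
    notes: str = ""


def build_create_body(app: StoreAppInfo, existing_names: set[str]) -> dict:
    """Check the fields and return the request body for creating the app."""
    if app.name in existing_names:
        raise StoreAppError(f"app name already in use: {app.name!r}")
    for label, value in (("Name", app.name), ("Description", app.description),
                         ("Publisher", app.publisher)):
        if not value.strip():
            raise StoreAppError(f"{label} is required")
    # "8.0" -> {"v8_0": True}; assumed shape of minimumSupportedOperatingSystem
    os_flag = "v" + app.minimum_os.replace(".", "_")
    body = {
        "displayName": app.name,
        "description": app.description,
        "publisher": app.publisher,
        "appStoreUrl": app.appstore_url,
        "minimumSupportedOperatingSystem": {os_flag: True},
        "isFeatured": app.featured,
    }
    # Optional fields are sent only when the admin filled them in.
    for key, value in (("informationUrl", app.information_url),
                       ("privacyInformationUrl", app.privacy_url),
                       ("developer", app.developer), ("owner", app.owner),
                       ("notes", app.notes)):
        if value:
            body[key] = value
    if app.platform == "android":
        body["@odata.type"] = "#microsoft.graph.androidStoreApp"
        body["packageId"] = google_play_package_id(app.appstore_url)
    elif app.platform == "ios":
        body["@odata.type"] = "#microsoft.graph.iosStoreApp"
        app_store_id(app.appstore_url)  # validate only; the id is not a body field
        # Applicable device type from the iOS procedure (assumed shape).
        body["applicableDeviceType"] = {"iPad": True, "iPhoneAndIPod": True}
    else:
        raise StoreAppError(f"unknown platform: {app.platform!r}")
    return body
```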

Next steps
Assign apps to groups
Add Microsoft Store apps to Microsoft Intune
Article • 08/28/2023

Admins can browse, deploy, and monitor Microsoft Store applications inside Intune.
Upon deployment, Intune automatically keeps the apps up to date when a new version
becomes available. The Microsoft Store supports Universal Windows Platform (UWP) apps, desktop apps packaged in .msix, and now Win32 apps packaged in .exe or .msi installers.

Important

There are key improvements to the most recent Microsoft Store apps functionality
over legacy functionality. Specifically, the following differences:

You can browse and search for store apps within Intune
You can install and uninstall with required app deployments
You can monitor the installation progress and results for store apps
Win32 store apps are supported (in preview)
System context and user context are supported for UWP apps
When a device is enrolled by being Azure AD registered, system context
must be used.

Prerequisites
To use Microsoft Store apps, be sure the following criteria are met:

Client devices must support at least two core processors to successfully install and run Microsoft Store apps.
Client devices need to be able to support the Intune Management Extension (IME) to install Microsoft Store apps.
Client devices need access to both the Microsoft Store and the destination content to install Microsoft Store apps. For more information, see Microsoft Store proxy configuration.

Add and deploy a Microsoft Store app


Use the following steps to add and deploy a Microsoft Store app.

Step 1: Add an app from the Microsoft Store


1. In the Microsoft Intune admin center, select Apps > All apps > Add.
2. In the Select app type pane, select Microsoft Store app (new) under the Store app section.
3. Choose Select at the bottom of the page to begin creating an app from the
Microsoft Store. The app creation experience has three steps:

App information
Assignments
Review + create

Step 2: Search the Microsoft Store


The Microsoft Store provides a large variety of apps designed to work on your Microsoft
devices. Within Intune, you can search and add the apps you want to assign to your
workforce at your organization.

1. Select Search the Microsoft Store app to display the search panel, which features a search bar and includes the following columns:

Name – The name of the app.
Publisher – The publisher of the app.
Type – The app package type: Win32 or Universal Windows Platform (UWP).

2. In the search bar, type the name of the app that you want to find. You can also search by other app details, such as publisher, type, or store app ID. Once you search, a list of matching apps is displayed.

Note

Specific Microsoft Store apps may not be displayed and available in Intune. Common reasons an app doesn't appear when searching within Intune include the following:

The app is not available in your region
The app is not available if there is an age restriction
The app is a paid app, which is not supported
The app is an Android app
The app is a Microsoft Store for Business app that is not available publicly in the consumer store

3. Choose the app that you want to deploy and choose Select.

The app information is presented with the selected app's metadata. Specific fields
are prepopulated.

The following table shows the fields that are supported (field name, description, and whether the field is required):

Name (Required): The name of the app is prepopulated from the store's metadata and you have the choice to edit the field. Enter the name of the app as it appears in the Company Portal. Make sure all app names that you use are unique. If the same app name exists twice, only one of the apps appears in the Company Portal.

Description (Required): The description of the app is prepopulated from the store's metadata and you have the choice to edit the field. The description appears in the Company Portal.

Publisher (Required): The publisher of the app is prepopulated from the store's metadata and you have the choice to edit the field.

Installer Type (N/A, prefilled): The installer type of the application package, either UWP or Win32. For related information, see Universal Windows Platform (UWP) apps.

Package Identifier (N/A, prefilled): The app's unique ID in the Microsoft Store. This value is read-only and is displayed before Installer Type in the UI.

Install behavior (Admin must select System or User): The install behavior of the app. If the app to be installed has the option of either System or User install behaviors, you must ensure that the installation works on devices as expected. NOTE: If the option is greyed out, the specific store application only supports the selected install behavior.

Category (Optional): Optionally, select one or more of the built-in app categories, or select a category that you created. Categories make it easier for users to find the app when they browse through the Company Portal.

Show this as a featured app in the Company Portal (Admin must select Yes or No): Display the app prominently on the main page of the Company Portal when users browse for apps.

Information URL (Optional): Optionally, enter the URL of a website that contains information about this app. The URL appears in the Company Portal.

Privacy URL (N/A, prefilled): Optionally, enter the URL of a website that contains privacy information for this app. The URL appears in the Company Portal.

Developer (Optional): Optionally, enter the name of the app developer.

Owner (Optional): Optionally, enter a name for the owner of this app. An example is HR department.

Notes (Optional): Enter any notes that you want to associate with this app.

Logo (Optional): Upload an icon that is associated with the app. This icon is displayed with the app when users browse through the Company Portal.

4. Select Next after you have finished populating the fields.

Step 3: Creating assignments


You can choose how you want to assign Microsoft Store apps to users and devices.

The following table provides assignment type details (assignment type, assignment options, and description):

Required (Add group, Add all users, Add all devices): The app is installed on devices in the selected groups.

Available for enrolled devices (Add group, Add all users): Users install the app from the Company Portal app or the Company Portal website.

Uninstall (Add group, Add all users, Add all devices): The app is uninstalled from devices in the selected groups.

1. Select Add group and assign the groups that use this app.
2. On the Select groups pane, select groups to assign based on users or devices.
3. After you select your groups, choose whether to set End user notifications, Restart
grace period, and Installation deadline.
4. If you don't want the app assignment to affect groups of users, select Included
under the Filter mode column. In the Edit assignment pane, change the Filter
mode value from Included to Excluded. Select OK to close the Edit assignment
pane.
5. Select Next to display the Review + create page after you finish setting the
assignments for the apps.

Step 4: Review and create


1. Review the values and settings that you entered for the app. Verify that you
configured the app information correctly.
2. Select Create to add the app to Intune.

App update
Apps that are deployed from the Microsoft Store are automatically kept up to date to
the latest version of the app. For this feature to work properly for UWP apps, the Turn
off Automatic Download and Install of updates shouldn't be enabled.

Microsoft Store Win32 apps

Important

Win32 apps that are in the Microsoft Store are currently in preview. Not all Win32 apps will be available or searchable. The Win32 apps that are in preview will be identifiable with Win32 and a banner.

Third party vendors or publishers that add Win32 apps to the Microsoft Store are responsible for hosting their own content in their respective infrastructure. If your devices are behind a firewall, reach out to the application owner to understand and confirm network requirements.

Intune management of Microsoft Store Win32 apps


When a Microsoft Store Win32 app is published to a device as Required, but it's already installed (either manually or via the Microsoft Store for Business), Intune takes over the management of the application.

For available Microsoft Store Win32 apps, the end user must select install in the Company Portal before Intune takes over management and automatic updates for the app. Intune doesn't try to reinstall the app.

The Microsoft Store supports Win32 app types including .exe and .msi installers. These apps have external content sourcing hosted by the app publisher. Based on their installer definition in the store, each Win32 app supports either User or System context installation. For related information, see Traditional desktop apps in the Microsoft Store on Windows.

Note

Microsoft Store Win32 apps are kept up to date by Intune, therefore in order for the app to be updated it must be assigned in Intune. App updates are not affected by the Store's update policies.

Microsoft Store UWP apps


In addition to user context, you can deploy Universal Windows Platform (UWP) apps
from the Microsoft Store app (new) in system context. If a provisioned .appx app is
deployed in system context, the app autoinstalls for each user that logs in. If an
individual end user uninstalls the user context app, the app still shows as installed
because it's still provisioned. In addition, the app must not already be installed for any
users on the device. Our general recommendation is to not mix install contexts when
deploying apps.

Note

Assigning a UWP app using the "Microsoft Store app (new)" type with the installation behavior set as "System" to a device which already has that app installed will result in this error: "The application was not detected after installation completed successfully (0x87D1041C)". However, the app will still install correctly on the device.

When a device is enrolled as Azure AD Registered, the installation behavior should be set to "System". If an app with the installation behavior set to "User" is assigned as Available, the end user will receive the following error when selecting install in the Company Portal: "Requirements Not Met". Make sure the device is joined to Azure, or use System context to rectify this situation.

UWP apps are kept up to date by the Store. The UWP app will stay up to date with or without Intune assignment once it is installed, unless the Store policy is set to block auto-update.
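The two conditions called out in this section (the app must not already be installed or provisioned for any user when System context is used, and Azure AD registered devices must use System context) are both checkable on the device before the assignment is made. The script below is an added example and is not part of the Intune documentation or of Microsoft's tooling. It assumes the app is identified by its package name as reported by Get-AppxPackage (Microsoft.CompanyPortal is used only as a sample value) and that the join state can be read from the AzureAdJoined and WorkplaceJoined fields of dsregcmd /status; run it elevated so that per-user and provisioned packages for all users are visible.

```powershell
# Added example (not from the Intune docs): checks a device before a UWP app is assigned
# with the "Microsoft Store app (new)" type in System context. Assumptions not on the page:
# the package name format is the one Get-AppxPackage reports, and join state is taken from
# the "AzureAdJoined" / "WorkplaceJoined" lines of "dsregcmd /status". Run elevated.

function Test-UwpSystemContextReadiness {
    [CmdletBinding()]
    param(
        # Package name (wildcards allowed) as shown by Get-AppxPackage.
        [Parameter(Mandatory)] [string]$PackageName
    )

    # Any per-user install of the package on this device (all user profiles).
    $userInstalls = @(Get-AppxPackage -AllUsers -Name $PackageName -ErrorAction SilentlyContinue)

    # Provisioned (system-context) copies, which auto-install for every user that logs in.
    $provisioned = @(Get-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue |
                     Where-Object { $_.DisplayName -like $PackageName })

    # Join state from dsregcmd: "AzureAdJoined : YES" means Azure AD joined;
    # "WorkplaceJoined : YES" without AzureAdJoined means Azure AD registered.
    $dsreg           = (& dsregcmd.exe /status) -join "`n"
    $aadJoined       = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
    $workplaceJoined = [bool]($dsreg -match 'WorkplaceJoined\s*:\s*YES')
    $aadRegistered   = (-not $aadJoined) -and $workplaceJoined

    $alreadyPresent = ($userInstalls.Count -gt 0) -or ($provisioned.Count -gt 0)

    [pscustomobject]@{
        PackageName          = $PackageName
        UserInstallCount     = $userInstalls.Count
        ProvisionedCount     = $provisioned.Count
        AzureAdJoined        = $aadJoined
        AzureAdRegistered    = $aadRegistered
        # System context is only clean when no copy exists yet; otherwise the
        # "not detected after installation" error (0x87D1041C) is expected.
        SafeForSystemContext = -not $alreadyPresent
        # On Azure AD registered devices a User-context Available assignment fails with
        # "Requirements Not Met", so System context must be used there.
        MustUseSystemContext = $aadRegistered
    }
}

# Sample invocation; the package name is an example value, not a recommendation.
Test-UwpSystemContextReadiness -PackageName 'Microsoft.CompanyPortal'
```

A result of SafeForSystemContext = False is the signal to deploy in User context instead, or to accept the detection error for that device; MustUseSystemContext = True means a User-context assignment to that device group will not install.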

Common Store policy settings and their impact on Microsoft Store apps

Some Store policies may affect app deployments from the Microsoft Store. The
following policy list provides details on how some Store policies can affect app
deployments.

For more information on the Microsoft Store integration with Intune due to the
Microsoft Store for Business and Education retirement, go to the Adding your Microsoft
Store for Business and Education apps to the Microsoft Store in Intune blog post.

Disable all apps from the Microsoft Store policy

Recommended values: Not configured or Enabled. To prevent end users from blocking or turning off this feature, set the value to Enabled.

CSP: ApplicationManagement/DisableStoreOriginatedApps
Intune: Settings Catalog | Microsoft App Store > Disable Store Originated Apps
On-premises GPO: Administrative Templates > Windows Components > Store

Turn off Automatic Download and Install of updates policy

Recommended values: Not configured or Disabled. To prevent end users from blocking or turning off this feature, set the value to Disabled.

CSP: ApplicationManagement/AllowAppStoreAutoUpdate
Intune: Settings Catalog | Microsoft App Store > Allow apps from the Microsoft app store to auto update
On-premises GPO: Administrative Templates > Windows Components > Store

Enable App Installer Microsoft Store Source policy

Recommended values: Not configured or Enabled. To prevent end users from blocking or turning off this feature, set the value to Enabled.

CSP: DesktopAppInstaller/EnableMicrosoftStoreSource
Intune: Not built in; use a custom configuration profile.
On-premises GPO: Administrative Templates > Windows Components > Desktop App Installer

Enable App Installer policy

Recommended values: Not configured or Enabled. To prevent end users from blocking or turning off this feature, set the value to Enabled.

CSP: DesktopAppInstaller/EnableAppInstaller
Intune: Not built in; use a custom configuration profile.
On-premises GPO: Administrative Templates > Windows Components > Desktop App Installer

Turn off the Store application policy

Your options:

Not configured: This policy isn't changed or updated. By default, the OS might allow end users to install arbitrary store apps outside of Intune.

Enabled: When enabled, this setting:
Blocks end users from installing arbitrary apps from the Microsoft Store app.
Blocks end users from installing arbitrary apps using winget.exe.
Blocks end users from using the Microsoft Store to manually install app updates.

Disabled: When disabled, this setting:
Allows end users to install arbitrary apps from the Microsoft Store app.
Allows end users to install arbitrary apps using winget.exe.
Allows end users to use the Microsoft Store to manually install app updates.

CSP: ADMX_WindowsStore/RemoveWindowsStore_1 and ADMX_WindowsStore/RemoveWindowsStore_2
Intune: Settings Catalog | Administrative templates
On-premises GPO: Administrative Templates > Windows Components > Store

What you need to know

The Turn off the Store application setting:
Doesn't affect Intune's ability to install Microsoft Store apps. In all cases, the new Intune integration with the Microsoft Store is allowed.
Doesn't affect the Microsoft Store's ability to automatically update UWP apps. As long as the Turn off Automatic Download and Install of updates (AllowAppStoreAutoUpdate CSP) policy isn't enabled, the Microsoft Store automatically updates UWP apps.

If you want to allow automatic UWP app updates from the Microsoft Store, including built-in Windows apps, and block users from installing apps from the Microsoft Store or winget.exe, then:
Set Turn off Automatic Download and Install of updates to Disabled or Not configured, AND
Set Turn off the Store application to Enabled or Not configured.

For Win32 Store apps, if Turn off Automatic Download and Install of updates is set, then the Win32 apps with an active Intune assignment are still automatically updated.

Tip

Using the Only display the private store within the Microsoft Store app policy (RequirePrivateStoreOnly CSP) is still valid. This policy:

Blocks end user access to the Microsoft Store.
Allows the Windows Package Manager winget command line interface (CLI) access to the Microsoft Store.

So, it's not the preferred choice to prevent end user access to the Microsoft Store. Instead, it's recommended to use the Turn off the Store application policy.

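Because several of these policies interact (a device with Turn off Automatic Download and Install of updates enabled silently stops receiving UWP updates, while Only display the private store blocks users but not winget), it helps to audit the resulting state on a device rather than reason about it from the admin center alone. The script below is an added example and is not part of the Intune documentation or of Microsoft's tooling. It reads the GPO-backed registry locations for the six policies discussed in this section and compares each with the recommended value stated above; the registry paths and the numeric Enabled/Disabled encodings are assumptions taken from the corresponding ADMX definitions, not from this page, so verify them against the WinStoreUI.admx and DesktopAppInstaller.admx files in your environment before relying on the output.

```powershell
# Added example (not from the Intune docs): audits the Store-related policies discussed above
# as applied on a Windows device and compares them with the page's recommended values.
# Assumption: the registry values below are the GPO/ADMX-backed policy locations (and the
# numeric Enabled/Disabled encodings) for each setting. They are not listed on the page;
# confirm them against WinStoreUI.admx and DesktopAppInstaller.admx in your environment.

function Get-StorePolicyAudit {
    $storeKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    $installerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'

    # Each entry: policy name, registry location, raw values that mean Enabled/Disabled,
    # and the states the page calls acceptable ("Recommended values").
    $policies = @(
        @{ Name='Disable all apps from the Microsoft Store'; Key=$storeKey; Value='DisableStoreApps';
           Enabled=1; Disabled=0; Acceptable=@('NotConfigured','Enabled') }
        @{ Name='Turn off Automatic Download and Install of updates'; Key=$storeKey; Value='AutoDownload';
           Enabled=2; Disabled=4; Acceptable=@('NotConfigured','Disabled') }
        @{ Name='Turn off the Store application'; Key=$storeKey; Value='RemoveWindowsStore';
           Enabled=1; Disabled=0; Acceptable=@('NotConfigured','Enabled') }
        # The page says this one is valid but not preferred (winget still reaches the Store),
        # so Enabled is reported as not matching the recommendation.
        @{ Name='Only display the private store within the Microsoft Store app'; Key=$storeKey; Value='RequirePrivateStoreOnly';
           Enabled=1; Disabled=0; Acceptable=@('NotConfigured','Disabled') }
        @{ Name='Enable App Installer'; Key=$installerKey; Value='EnableAppInstaller';
           Enabled=1; Disabled=0; Acceptable=@('NotConfigured','Enabled') }
        @{ Name='Enable App Installer Microsoft Store Source'; Key=$installerKey; Value='EnableMicrosoftStoreSource';
           Enabled=1; Disabled=0; Acceptable=@('NotConfigured','Enabled') }
    )

    foreach ($p in $policies) {
        # A missing key or value means the policy is Not configured.
        $raw = (Get-ItemProperty -Path $p.Key -Name $p.Value -ErrorAction SilentlyContinue).($p.Value)

        $state = if ($null -eq $raw)           { 'NotConfigured' }
                 elseif ($raw -eq $p.Enabled)  { 'Enabled' }
                 elseif ($raw -eq $p.Disabled) { 'Disabled' }
                 else                          { "Unknown($raw)" }

        [pscustomobject]@{
            Policy                = $p.Name
            RawValue              = $raw
            State                 = $state
            Recommended           = ($p.Acceptable -join ' or ')
            MatchesRecommendation = ($state -in $p.Acceptable)
        }
    }
}

Get-StorePolicyAudit | Format-Table -AutoSize
```

The combination the page recommends for "auto-update UWP apps but block ad-hoc installs" shows up in the output as AutoDownload in NotConfigured or Disabled together with RemoveWindowsStore in NotConfigured or Enabled; any row with MatchesRecommendation = False identifies a policy worth revisiting in the Settings Catalog or in the on-premises GPO.
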
Unsupported functionality for Microsoft Store apps

Microsoft Store apps don't support the following features:

Any app that has an ARM64 installer isn't supported.

Next step
Assign apps to groups
Add Microsoft Store apps to Intune (legacy)
Article • 08/31/2023

Before you can assign, monitor, configure, or protect apps, you must add them to
Intune.

Important

The steps provided in this topic refer to adding Microsoft Store apps using the legacy method. For the latest method, see Add Microsoft Store apps to Microsoft Intune.

Add an app to Intune


You can add a Microsoft Store app to Intune by doing the following:

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the available Store app types, select Microsoft store app (new).
4. Click Select. The Add app steps are displayed.
5. To configure the App information for Microsoft store apps, click Select app, and
search for the app you want to assign to members of your organization. Display
the app page and make a note of the app details.
6. In the App information page, add the app details:

Name: Enter the name of the app as it is to be displayed in the company portal. Make sure that any app name that you use is unique. If an app name is duplicated, only one name is displayed to users in the company portal.
Description: Enter a description for the app. This description is displayed to
users in the company portal.
Publisher: Enter the name of the publisher of the app.
Package Identifier: The app Package Identifier is the unique value that
identifies the app.
Installer Type: The installer type of the application package.
Install behavior: Select System to install this app for all users, if supported.
Select User to install this app for the logged-in user on the device.
Category: Optionally, select one or more of the built-in app categories, or a
category that you created. Doing so makes it easier for users to find the app
when they browse the company portal.
Show this as a featured app in the Company Portal: Select this option to
display the app suite prominently on the main page of the company portal
when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app, for example, HR
department.
Notes: Optionally, enter any notes that you want to associate with this app.
Logo: Optionally, upload an icon that will be associated with the app. This
icon is displayed with the app when users browse the company portal.
7. Click Next to display the Scope tags page.
8. Click Select scope tags to optionally add scope tags for the app. For more
information, see Use role-based access control (RBAC) and scope tags for
distributed IT.
9. Click Next to display the Assignments page.
10. Select the group assignments for the app. For more information, see Add groups
to organize users and devices.
11. Click Next to display the Review + create page. Review the values and settings you
entered for the app.
12. When you are done, click Create to add the app to Intune.

The Overview blade of the app you've created is displayed.

The app that you've created is displayed in the apps list, where you can assign it to the
groups that you select.

Important

Microsoft Store apps can only be assigned to groups with the assignment type Available for enrolled devices (users install the app from the Company Portal app or website).

Next steps
Assign apps to groups
How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune
Article • 05/22/2023

Important

The Microsoft Store for Business connector is no longer accessible in the Microsoft Intune admin center. Apps added from the Microsoft Store for Business or Microsoft Store for Education will no longer sync with Intune. Apps that have previously synced will continue to be available and deploy to devices and users. For related information, see Deprecation of Microsoft Store for Business and Education.

The Microsoft Store for Business gives you a place to find and purchase apps for your
organization, individually, or in volume. By connecting the store to Microsoft Intune, you
can manage volume-purchased apps from the portal. For example:

You can synchronize the list of apps you have purchased (or that are free) from the
store with Intune.
Apps that are synchronized appear in the Microsoft Intune admin center; you can
assign these apps like any other apps.
Both Online and Offline licensed versions of Apps are synchronized to Intune. App
names will be appended with "Online" or "Offline" in the portal.
You can track how many licenses are available, and how many are being used in
the admin center.
Intune blocks assignment and installation of apps if there are an insufficient
number of licenses available.
Intune will revoke app licenses for apps managed by Microsoft Store for Business
when the user is deleted from Azure AD.

Before you start

Important

The retirement of the Microsoft Store for Business and the Microsoft Store for Education, originally scheduled for March 31, 2023, has been postponed. Until they are retired, admins can still leverage the connection to Store for Business and Education from their UEM solution to deploy apps to managed Windows 11 devices.

Review the following information before you start syncing and assigning apps from the
Microsoft Store for Business:

Configure Intune as the mobile device management authority for your organization.
You must have signed up for an account on the Microsoft Store for Business.
Once you have associated a Microsoft Business Store account with Intune, you
cannot change to a different account in the future.
Apps purchased from the store cannot be manually added to or deleted from
Intune. They can only be synchronized with the Microsoft Store for Business.
Both online and offline licensed apps that you have purchased from the Microsoft
Store for Business are synced into Intune. You can then deploy these apps to
device groups or user groups.
Online app installations are managed by the store.
Offline apps that are free of charge can also be synced to Intune. These apps are
installed by Intune, not by the store.
To use this capability, devices must be joined to Active Directory Domain Services,
Azure AD joined, or workplace-joined.
Enrolled devices must be using the 1511 release of Windows 10 or later.

Note

Online Microsoft Store for Business apps can be used only for user context install; that is, when deployed through Intune, you need to target user groups. Device licensed offline Microsoft Store for Business apps can be installed in device context; that is, when deployed through Intune, you can target device groups as well as user groups.

Note

If you disable access to the Store on managed devices (either manually, via policy or Group Policy), Online licensed apps will fail to install.

Associate your Microsoft Store for Business account with Intune
Before you enable synchronization in the Microsoft Intune admin center, you must
configure your store account to use Intune as a management tool:

1. Ensure that you sign into the Microsoft Store for Business using the same tenant
account you use to sign into Intune.
2. In the Business Store, choose the Manage tab, select Settings, and choose the
Distribute tab.
3. If you don't specifically have Microsoft Intune available as a mobile device
management tool, choose Add management tool to add Microsoft Intune. If you
don't have Microsoft Intune activated as your mobile device management tool,
click Activate next to Microsoft Intune. Note that you should activate Microsoft
Intune rather than Microsoft Intune Enrollment.

Note

Previously you could associate only one management tool to assign apps with the Microsoft Store for Business. Now you can associate multiple management tools with the store, for example, Intune and Configuration Manager.

Continue to set up synchronization in the Microsoft Intune admin center.

Configure synchronization
1. Sign in to the Microsoft Intune admin center.
2. Select Tenant administration > Connectors and tokens > Microsoft Store for
Business.
3. Click Enable.
4. If you haven't already done so, click the link to sign up for the Microsoft Store for
Business and associate your account as detailed previously.
5. From the Language drop-down list, choose the language in which apps from the
Microsoft Store for Business are displayed in the portal. Regardless of the language
in which they are displayed, they are installed in the end user's language when
available.
6. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.

Synchronize apps
If you've already associated your Microsoft Store for Business account with your Intune
admin credentials, you can manually sync your Microsoft Store for Business apps with
Intune using the following steps.

1. Select Tenant administration > Connectors and tokens > Microsoft Store for
Business.
2. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.

Note

Apps with encrypted app packages are currently not supported and will not be synchronized to Intune.

Assign apps
You assign apps from the store in the same way you assign any other Intune app. For
more information, see How to assign apps to groups with Microsoft Intune.

Offline apps can be targeted to user groups, device groups, or groups with users and
devices.
Offline apps can be installed for a specific user on a device or for all users on a
device.

When you assign a Microsoft Store for Business app, a license is used by each user who
installs the app. If you use all of the available licenses for an assigned app, you cannot
assign any more copies. Take one of the following actions:

Uninstall the app from some devices.
Reduce the scope of the current assignment, targeting only the users you have sufficient licenses for.
Buy more copies of the app from the Microsoft Store for Business.

Remove apps
To remove an app that is synced from the Microsoft Store for Business, you need to log
into the Microsoft Store for Business and complete the following steps. The process is
the same whether the app is free or not.

1. Ensure that you sign into the Microsoft Store for Business using the same tenant
account you use to sign into Intune.
2. Look for the app that you want to remove by selecting Products & services >
Apps & software and select it.
3. In the Users pane select all users, click on the ... symbol under the Actions column
and choose to Reclaim license.

4. Open the Private store availability tab of the app and change its availability to No
one.

5. Select the Product details link on the top and then select the ... button next to
Install. If the previous steps have been completed successfully, a Remove product
option will be available. Select Remove product to remove the app from the
Microsoft Store for Business.

6. Sync the apps using the Microsoft Store for Business connector in Intune in order to remove the app from the list of Windows apps in Intune.

Next steps
Manage volume-purchased apps and books with Microsoft Intune
Add Managed Google Play apps to Android Enterprise devices with Intune
Article • 07/20/2023

Managed Google Play is Google's enterprise app store and sole source of applications
for Android Enterprise in Intune. You can use Intune to orchestrate app deployment
through Managed Google Play for any Android Enterprise scenario (including personally
owned work profile, dedicated, fully managed, and corporate-owned work profile
enrollments). How you add Managed Google Play apps to Intune differs from how
Android apps are added for non-Android Enterprise scenarios. Store apps, line-of-
business (LOB) apps, and web apps are approved in or added to Managed Google Play,
and then synchronized into Intune so that they appear in the Client Apps list. Once they
appear in the Client Apps list, you can manage assignment of any Managed Google Play
app as you would any other app.

To make it easier for you to configure and use Android Enterprise management, upon connecting your Intune tenant to Managed Google Play, Intune automatically adds four common Android Enterprise related apps to the Intune admin center. The four apps are as follows:

Microsoft Intune - Used for Android Enterprise fully managed scenarios. This
app is automatically installed to fully managed devices during the device
enrollment process.
Microsoft Authenticator - Helps you sign-in to your accounts if you use two-
factor verification. This app is automatically installed to fully managed devices
during the device enrollment process.
Intune Company Portal - Used for App Protection Policies (APP) and Android
Enterprise personally owned work profile scenarios. This app is automatically
installed to fully managed devices during the device enrollment process.
Managed Home Screen - Used for Android Enterprise dedicated multi-app kiosk
scenarios. IT admins should create an assignment to install this app on dedicated
devices that are going to be used in multi-app kiosk scenarios.

Note

When an end user enrolls their Android Enterprise fully managed device, the Intune
Company Portal app is automatically installed and the application icon may be
visible to the end user. If the end user attempts to launch the Intune Company
Portal app, the end user will be redirected to the Microsoft Intune app and the
Company Portal app icon will be subsequently hidden. Additionally, the Microsoft
Intune and Authenticator apps will not be able to have an uninstall issued to them
as they are crucial applications for multiple Android Enterprise enrollment
scenarios.

Before you start

Make sure you have connected your Intune tenant to Managed Google Play. For more information, see Connect your Intune account to your Managed Google Play account.
If you intend to enroll personally owned work profile devices, make sure you have configured Intune and Android personally owned work profiles to work together in the Device enrollment workload of the portal. For more information, see Enroll Android devices.

Note

When you work with Microsoft Intune, we recommend that you use either the Microsoft Edge or Google Chrome browser.

Managed Google Play app types

There are three types of apps that are available with Managed Google Play:

Managed Google Play store app - Public apps that are generally available in the
Play Store. Manage these apps in Intune by browsing for the apps you want to
manage, approving them, and then synchronizing them into Intune.
Managed Google Play private app - These are LOB apps published to Managed
Google Play by Intune admins. These apps are private and are available only to
your Intune tenant. This is how LOB apps are managed and deployed with
Managed Google Play and Android Enterprise.
Managed Google Play web link - Web links with IT admin-defined icons that are
deployable to Android Enterprise devices. These links appear on devices in the
device's app list just like regular apps.

Managed Google Play store apps

Note

Most newly-created items in Intune take on the scope tags of the creator. This is
not the case for Managed Google Play Store apps. Admins can assign a scope tag
to apply to all newly-synced Managed Google Play apps on the Managed Google
Play connector pane. For more information, see Connect your Intune Account to
your Managed Google Play account.

There are two ways to browse and approve Managed Google Play store apps with
Intune:

1. Directly in the Intune admin center - Browse and approve store apps in a view
hosted within Intune. This view opens directly in the Microsoft Intune admin
center and doesn't require you to reauthenticate with a different account.
2. In Managed Google Play console - You can optionally open the Managed Google
Play console directly and approve apps there. See Sync a Managed Google Play
app with Intune for more information. This option requires a separate login using
the account you used to connect your Intune tenant to Managed Google Play.

Add a Managed Google Play store app directly in the Microsoft Intune admin center

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps > Add.

3. In the Select app type pane, under the available Store app types, select Managed
Google Play app.

4. Click Select. The Managed Google Play app store is displayed.

Note

You can create an app collection to organize apps and control the order that collections are displayed for your organization. For more information, see Use Collections in Managed Google Play.

Your Intune tenant account must be connected to your Android Enterprise account to browse Managed Google Play store apps. For more information, see Connect your Intune account to your Managed Google Play account.

5. Select an app to view the app details.

6. Click Select to select the app.

7. Click Sync at the top of the blade to sync the app with the Managed Google Play service.

8. Click Refresh to update the app list and display the newly added app.

Add a Managed Google Play store app in the Managed Google Play console (Alternative)

If you prefer to synchronize a Managed Google Play app with Intune rather than adding
it directly using Intune, use the following steps.

Important

The information in this section is an alternative method to adding a Managed Google Play app using Intune.

1. Go to the Managed Google Play store. Sign in with the same account you used to configure the connection between Intune and Android Enterprise.

2. Search the store and select the app you want to assign by using Intune.

3. On the page that displays the app, click Approve. In the following example, the
Microsoft Excel app has been chosen.

A window for the app opens asking you to give permissions for the app to perform
various operations.

4. Select Approve to accept the app permissions and continue.

5. Select an option for handling new app permission requests, and then select Save.

The app is approved, and it is displayed in your IT admin console. Next, you can Sync a Managed Google Play app with Intune.

Managed Google Play private (LOB) apps
There are two ways to add LOB apps to Managed Google Play:

1. Directly in the Microsoft Intune admin center - This allows you to add LOB apps by
submitting just the app APK and a title, directly within Intune. This method does
not require you to have a Google developer account and does not require you to
pay the fee to register with Google as a developer. This method is simpler and has
a significantly reduced number of steps, and makes LOB apps available for
management in as little as ten minutes.
2. In the Google Play Developer Console - If you have a Google developer account or
want to configure advanced distribution features that are only available in the
Google Play Developer Console (like adding additional app screenshots), you can
use the Google Play Developer Console.

Managed Google Play private (LOB) app publishing directly in the Microsoft Intune admin center

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps > Add.

3. In the Select app type pane, under the available Store app types, select Managed
Google Play app.

4. Click Select. The Managed Google Play app store is displayed within Intune.

5. Select Private apps (next to the lock icon) in the Google Play window.

6. Click the "+" button at the lower right to add a new app.

7. Add an app Title, and then click Upload APK to add the APK app package.

Note

Your app's package name must be globally unique in Google Play (not just
unique within your enterprise or Google Play Developer account). Otherwise,
you will receive the Upload a new APK file with a different package name
error.

8. Click Create.

9. Close the Managed Google Play pane if you are done adding apps.

10. Click Sync on the Apps pane to sync with the Managed Google Play service.

Note

Private apps may take several minutes to become available to sync. If the app
does not appear the first time you perform a sync, wait a couple minutes and
initiate a new sync. You can also sync apps from the Managed Google Play
store. For related information, see Sync a Managed Google Play app with
Intune.

For more information about Managed Google Play private apps including a FAQ, see
Google's support article: https://support.google.com/googleplay/work/answer/9146439

Important

Private apps added using this method can never be made public. Only use this
publishing option if you are sure that this app will always be private to your
organization.

Managed Google Play private (LOB) app publishing using the Google Developer Console

1. Sign in to the Google Play Developer Console with the same account you used
to configure the connection between Intune and Android Enterprise.

Note

If you are signing in for the first time, you must register and pay a fee to
become a member of the Google Developer program.

2. In the console, add a new application. For details, see Google's support doc: Publish
Private apps.

3. You upload and provide information about your app in the same way as you
publish any app to the Google Play store. However, you must specifically add your
organization using the Google Play Console. For details, see Google's support doc
Publish to your own organization.

Note

Follow Google's support documentation to make the app available only to
your organization. The app won't be available on the public Google Play store.

For more information about uploading and publishing Android apps, see Google
Developer Console Help.

4. After you've published your app, sign in to the Managed Google Play store with
the same account that you used to configure the connection between Intune and
Android Enterprise.

5. In the Apps node of the store, verify that the app you've published is displayed.
The app is automatically approved to be synchronized with Intune.

Managed Google Play web links

Managed Google Play web links are installable and manageable just like other Android
apps. When installed on a device, they will appear in the user's app list alongside the
other apps they have installed. When selected, they will launch in the device's browser.

Note

Web links pushed down from Managed Google Play will not open in the corporate
context of Microsoft Edge if you have configured your Intune application
protection policy setting Receive data from other apps to be Policy managed
apps. When a web link is pushed down through Managed Google Play, it’s not
recognized as a MAM-managed app, which is why Microsoft Edge will open in the
personal context or InPrivate mode if the user is not signed in with a personal
account. For related information, see Android app protection policy settings in
Microsoft Intune.

Web links will open with Microsoft Edge or any other browser app you choose to
deploy. Be sure to deploy at least one browser app to devices in order for web links to
be able to open properly. However, all of the Display options available for web links (full
screen, standalone, and minimal UI) will only work with the Chrome browser.

To create a Managed Google Play web link:

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps > Add.


3. In the Select app type pane, under the available Store app types, select Managed
Google Play app.

4. Click Select. The Managed Google Play app store is displayed within Intune.

5. Select Web apps (next to the Globe icon) in the Google Play window.

6. Click the "+" button at the lower right to add a new app.

7. Add an app Title, the web app URL, select how the app should be displayed, and
select an app icon.

8. Click Create.

9. Close the Managed Google Play pane if you are done adding apps.

10. Click Sync on the Apps pane to sync with the Managed Google Play service.

Note

Web apps may take several minutes to become available to sync. If the app
does not appear the first time you perform a sync, wait a couple minutes and
initiate a new sync.

Use collections in Managed Google Play

Collections are a way to group your Managed Google Play apps and determine the
order they appear in the end users' Play Store.

To create a Managed Google Play collection:

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the available Store app types, select Managed
Google Play app.
4. Click Select. The Managed Google Play app store is displayed within Intune.
5. Select Organize Apps in the Google Play window.
6. Select Create a collection. A text box will appear to name the collection.
7. Enter a collection name and click Next. Check the approved MGP apps to add to
the collection. If you need to approve additional apps for the collection, clicking
the Add apps button will take you back to the Managed Google Play app store.
Also, you can edit the order apps appear in the collection by clicking the arrows
next to each app. You can also edit the order of the collections you've created by
using the side arrow buttons. The order you set apps and collections in is the order
the end user will see them in their Play Store app.
8. When you're done editing, click save. A popup box will appear asking you to
confirm.
9. Click save on the popup box.

It may take some time after editing for the end user to see the changes made to their
collections. If the changes haven't finished syncing yet, the end user may see an empty
screen with no results text if they open the Play Store app. End users can still use the
search bar to search for and download apps, even if the screen appears. Once at least
one collection is created, all existing approved Managed Google Play apps that are not
in any other collection will appear in a default My work app collection. Apps approved
after initial collection creation will have no collection assignment and will not be
automatically added to the My work app collection.

Apps that are not part of any collection will not appear on the end users' Play Store
front page. However, the end user can still search for them and install in the Play Store.
You can add the same Managed Google Play app to multiple collections. Each collection
can contain up to 100 apps. For more information on collections, see Google's
documentation.

Sync a Managed Google Play app with Intune

If you have approved an app from the store and don't see it in the Apps workload, force
an immediate sync as follows:

1. Sign in to the Microsoft Intune admin center.


2. Select Tenant administration > Connectors and tokens > Managed Google Play.
3. In the Managed Google Play pane, choose Sync. The page updates the time and
status of the last sync.
4. In the Microsoft Intune admin center select Apps > All apps. The newly available
Managed Google Play app is displayed.

Assign a Managed Google Play app to Android Enterprise personally owned and corporate-owned work profile devices

When the app is displayed in the App licenses node of the Apps workload pane, you
can assign it just as you would assign any other app by assigning the app to groups of
users.
After you assign the app, it is installed (or available for install) on the devices of the
users that you've targeted. The user of the device is not asked to approve the
installation. For more information about Android Enterprise personally owned work
profile devices, see Set up enrollment of Android Enterprise personally owned work
profile devices.

Note

Only apps that have been assigned will show up in the Managed Google Play store
for an end user. As such, this is a key step for the admin to take when setting up
apps with Managed Google Play.

Assign a Managed Google Play app to Android Enterprise fully managed devices

Android Enterprise fully managed devices are corporate-owned devices associated with
a single user and used exclusively for work and not personal use. Users on fully
managed devices can get their available company apps from the Managed Google Play
app on their device.

By default, an Android Enterprise fully managed device will not allow employees to
install any apps that are not approved by the organization. Also, employees will not be
able to remove any installed apps against policy. If you wish to allow users to access the
full Google Play store to install apps rather than only having access to the approved
apps in Managed Google Play store, you can set the Allow access to all apps in Google
Play store to Allow. With this setting, the user can access all the apps in the Google Play
store using their corporate account, however purchases may be limited. You can remove
the limited purchases restriction by allowing users to add new accounts to the device.
Doing so will enable end users to have the ability to purchase apps from the Google
Play store using personal accounts, as well as conduct in-app purchases. For more
information, see Android Enterprise device settings to allow or restrict features using
Intune.

Note

The Microsoft Intune app, the Microsoft Authenticator app, and the Company
Portal app will be installed as required apps onto all fully managed devices during
onboarding. Having these apps automatically installed provides Conditional Access
support, and Microsoft Intune app users can see and resolve compliance issues.

Update a Managed Google Play app

By default, Managed Google Play apps will not update unless the following conditions
are met:

The device is connected to wi-fi
The device is charging
The device is not actively being used
The app to be updated is not running on the foreground

For more information, see the Manage App Updates documentation from Google.

You can choose to configure the wi-fi requirement for dedicated, fully managed, and
corporate-owned work profile devices by configuring app auto-updates in device
configurations policies.

For dedicated, fully managed, and corporate-owned work profile devices, you can
choose an app update mode when an app is assigned to groups. The update modes
available are:

Default: The app's updates are subject to default conditions (described above).
High Priority: The app will update as soon as possible from when a new update is
released, disregarding all of the default conditions. This may be disruptive for
some users since the update can occur while the device is being used.
Postpone: When the app receives a new update, a 90-day waiting period is
triggered. After 90 days, the app is updated to the newest version available, even if
that version was not the update that triggered the waiting period. Note that the
90-day window is not configurable. To terminate the waiting period early, change
the update mode to either Default or High Priority.

To edit the app update mode:

1. Sign in to the Microsoft Intune admin center.


2. Select Apps > All apps.
3. Select the app from the apps list.
4. Select Properties.
5. Select Edit by the Assignments section.
6. Find the group whose app update mode you want to edit, and click the group
mode shown for that group.
7. Under app settings, select the desired update mode.

Manage Android Enterprise app permissions

Android Enterprise requires you to approve apps in the Managed Google Play web
console before you sync them with Intune and assign them to your users. Because
Android Enterprise allows you to silently and automatically push the apps to users'
devices, you must accept the app permissions on behalf of all your users. Users don't
see any app permissions when they install the apps, so it's important that you
understand the permissions.

When an app developer updates permissions with a new version of the app, the
permissions are not automatically accepted even if you approved the previous
permissions. Devices that run the previous version of the app can still use it. However,
the app is not upgraded until the new permissions are approved. Devices without the
app installed do not install the app until you approve the app's new permissions.

Update app permissions

Periodically visit the Managed Google Play console to check for new permissions. You
can configure Google Play to send you or others an email when new permissions are
required for an approved app. If you assign an app and observe that it isn't installed on
devices, check for new permissions following these steps:

1. Go to Google Play.
2. Sign in with the Google account that you used to publish and approve the apps.
3. Select the Updates tab, and check to see whether any apps require an update. Any
listed apps require new permissions and are not assigned until they are applied.

Alternatively, you can configure Google Play to automatically reapprove app
permissions on a per-app basis.

Additional Managed Google Play app reporting for Android Enterprise personally owned work profile devices

For Managed Google Play apps deployed to Android Enterprise personally owned work
profile devices, you can view the status and version number of the app installed on a
device using Intune.

Working with Managed Google Play closed testing tracks

You can distribute a non-production version of a Managed Google Play app to devices
enrolled in an Android Enterprise scenario (Android Enterprise personally owned work
profile (BYOD), Android Enterprise fully managed (COBO), Android Enterprise
dedicated devices enrolled with Azure AD shared mode (aka COSU), and Android
Enterprise corporate-owned work profile (COPE)) in order to perform testing. In Intune,
you can see whether an app has a pre-production build test track published to it, as well
as be able to assign that track to Azure Active Directory user groups or device groups.
The workflow for assigning a production version to a group that currently exists is the
same as assigning a non-production channel. After deployment, the install status of
each track will correspond with the track's version number in Managed Google Play. For
more information, see Google Play's closed test tracks for app pre-release testing.

Note

Required app deployments for non-production app tracks are currently unavailable
for devices enrolled in Android Enterprise personally owned work profile (BYOD).

Delete Managed Google Play apps

When necessary, you can delete Managed Google Play apps from Microsoft Intune. To
delete a Managed Google Play app, open Microsoft Intune in the portal and select Apps
> All apps. From the app list, select the ellipses (...) to the right of the Managed Google
Play app, then select Delete from the displayed list. When you delete a Managed
Google Play app from the app list, the managed Google Play app is automatically
unapproved.

Note

If an app is unapproved or deleted from the managed Google Play store, it will not
be removed from the Intune client apps list. This allows you to still target an
uninstall policy to users even if the app is unapproved.

To turn off Android Enterprise enrollment and management, see Disconnect your
Android Enterprise administrative account.

Android Enterprise system apps

You can enable an Android Enterprise system app for Android Enterprise dedicated
devices or fully managed devices. For more information about adding an Android
Enterprise system app, see Add Android Enterprise system apps to Microsoft Intune.

MAM policies with AE dedicated devices enrolled with Azure AD shared mode

Intune-managed Android Enterprise dedicated devices enrolled with Azure AD shared
mode can receive MAM policies and can be targeted separately from other Android
Enterprise devices. Intune-managed Android Enterprise dedicated devices that are not in
Shared Device Mode will continue to be blocked from getting MAM. For more
information about Intune-managed Android Enterprise dedicated devices enrolled with
Azure AD shared mode, see Android Enterprise dedicated devices.

Next steps

Assign apps to groups

Add Microsoft 365 Apps to Windows 10/11 devices with Microsoft Intune
Article • 08/31/2023

Before you can assign, monitor, configure, or protect apps, you must add them to
Intune. One of the available app types is Microsoft 365 Apps for Windows 10/11 devices.
By selecting this app type in Intune, you can assign and install Microsoft 365 apps to
devices you manage that run Windows 10/11. You can also assign and install apps for
the Microsoft Project Online desktop client and Microsoft Visio Online Plan 2, if you own
licenses for them. The available Microsoft 365 apps are displayed as a single entry in the
list of apps in the Microsoft Intune admin center.

Note

Microsoft Office 365 ProPlus has been renamed to Microsoft 365 Apps for
enterprise. In our documentation, we'll commonly refer to it as Microsoft 365
Apps.

You must use Microsoft 365 Apps licenses to activate Microsoft 365 Apps
deployed through Microsoft Intune. Microsoft 365 Apps for business edition is
supported by Intune, however you must configure the app suite of the Microsoft
365 Apps for business edition using XML data. For more information, see Configure
app suite using XML data.

Using the Office Deployment Tool (ODT) to install OneDrive through Intune is not
supported. However, OneDrive will install as a component of some Microsoft 365
App installations. For related information, see Configuration options for the Office
Deployment Tool.

Before you start

Important

If there are .msi Office apps on the end-user device, you must use the Remove MSI
feature to safely uninstall these apps. Otherwise, the Intune delivered Microsoft 365
apps will fail to install.

Multiple required or available app assignments are not additive. A later app
assignment will overwrite pre-existing installed app assignments.

Devices to which you deploy these apps must be running the Windows 10/11
Creators Update or later.

Intune supports adding Office apps from the Microsoft 365 Apps suite only.

If any Office apps are open when Intune installs the app suite, the installation
might fail, and users might lose data from unsaved files.

This installation method is not supported on Windows Home, Windows Team,
Windows Holographic, or Windows Holographic for Business devices.

Intune does not support installing Microsoft 365 desktop apps from the Microsoft
Store (known as Office Centennial apps) on a device to which you have already
deployed Microsoft 365 apps with Intune. If you install this configuration, it might
cause data loss or corruption.

Multiple required or available app assignments are not additive. A later app
assignment will overwrite pre-existing installed app assignments. For example, if
the first set of Office apps contains Word, and the later one does not, Word will be
uninstalled. This condition does not apply to any Visio or Project applications.

Multiple Microsoft 365 deployments are not currently supported. Only one
deployment will be delivered to the device.

Office version - Choose whether you want to assign the 32-bit or 64-bit version of
Office. You can install the 32-bit version on both 32-bit and 64-bit devices, but you
can install the 64-bit version on 64-bit devices only.

Remove MSI from end-user devices - Choose whether you want to remove pre-
existing Office .MSI apps from end-user devices. The installation won't succeed if
there are pre-existing .MSI apps on end-user devices. The apps to be uninstalled
are not limited to the apps selected for installation in Configure App Suite, as it
will remove all Office (MSI) apps from the end user device. For more information,
see Remove existing MSI versions of Office when upgrading to Microsoft 365
Apps. When Intune reinstalls Office on your end user's machines, end users will
automatically get the same language packs that they had with previous .MSI Office
installations.

Select Microsoft 365 Apps

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. Select Windows 10 and later in the Microsoft 365 Apps section of the Select app
type pane.
4. Click Select. The Add Microsoft 365 Apps steps are displayed.

Step 1 - App suite information

In this step, you provide information about the app suite. This information helps you to
identify the app suite in Intune, and it helps users to find the app suite in the company
portal.

1. In the App suite information page, you can confirm or modify the default values:

Suite Name: Enter the name of the app suite as it is displayed in the company
portal. Make sure that all suite names that you use are unique. If the same
app suite name exists twice, only one of the apps is displayed to users in the
company portal.
Suite Description: Enter a description for the app suite. For example, you
could list the apps you've selected to include.
Publisher: Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a
category that you created. This setting makes it easier for users to find the
app suite when they browse the company portal.
Show this as a featured app in the Company Portal: Select this option to
display the app suite prominently on the main page of the company portal
when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Microsoft appears as the developer.
Owner: Microsoft appears as the owner.
Notes: Enter any notes that you want to associate with this app.

2. Click Next to display the Configure app suite page.

Step 2 - (Option 1) Configure app suite using the configuration designer

You can choose a method for configuring app settings by selecting a Configuration
settings format. Setting format options include:

Configuration designer
Enter XML data
When you choose Configuration designer, the Add app pane will change to offer three
additional settings areas:

Configure app suite
App suite information
Properties

1. On the Configure app suite page, choose Configuration designer.

Select Office apps: Select the standard Office apps that you want to assign to
devices by choosing the apps in the dropdown list.

Select other Office apps (license required): Select additional Office apps that
you want to assign to devices and that you have licenses for by choosing the
apps in the dropdown list. These apps include licensed apps, such as
Microsoft Project Online desktop client and Microsoft Visio Online Plan 2.

Architecture: Choose whether you want to assign the 32-bit or 64-bit version
of Microsoft 365 Apps. You can install the 32-bit version on both 32-bit and
64-bit devices, but you can install the 64-bit version on 64-bit devices only.

Default file format: Choose whether you want to use Office Open Document
Format or Office Open XML Format.

Update Channel: Choose how Office is updated on devices. For information
about the various update channels, see Overview of update channels for
Microsoft 365 Apps for enterprise. Choose from:
Monthly
Monthly (Targeted)
Semi-Annual
Semi-Annual (Targeted)

After you choose a channel, you can choose the following:

Remove other versions: Choose Yes to remove other versions of Office
(MSI) from user devices. Choose this option when you want to remove
pre-existing Office .MSI apps from end-user devices. The installation won't
succeed if there are pre-existing .MSI apps on end-user devices. The apps
to be uninstalled are not limited to the apps selected for installation in
Configure App Suite, as it will remove all Office (MSI) apps from the end
user device. For more information, see Remove existing MSI versions of
Office when upgrading to Microsoft 365 Apps. When Intune reinstalls
Office on your end user's machines, end users will automatically get the
same language packs that they had with previous .MSI Office installations.

Version to install: Choose the version of Office that should be installed.

Specific version: If you have chosen Specific as the Version to install in
the above setting, you can select to install a specific version of Office for
the selected channel on end user devices.

The available versions will change over time. Therefore, when creating a
new deployment, the versions available may be newer and not have
certain older versions available. Current deployments will continue to
deploy the older version, but the version list will be continually updated
per channel.
For devices that update their pinned version (or update any other
properties) and are deployed as available, the reporting status will show as
Installed if they installed the previous version until the device check-in
occurs. When the device check-in happens, the status will temporarily
change to Unknown, however it will not be shown to the user. When the
user initiates the install for the newer available version, the user will see
the status changed to Installed.

For more information, see Overview of update channels for Microsoft 365
Apps.

Use shared computer activation: Select this option when multiple users share
a computer. For more information, see Overview of shared computer
activation for Microsoft 365 Apps.

Automatically accept the app end user license agreement: Select this option
if you don't require end users to accept the license agreement. Intune then
automatically accepts the agreement.

Languages: Office is automatically installed in any of the supported
languages that are installed with Windows on the end-user's device. Select
this option if you want to install additional languages with the app suite.

You can deploy additional languages for Microsoft 365 Apps managed
through Intune. The list of available languages includes the Type of language
pack (core, partial, and proofing). In the portal, select Microsoft Intune >
Apps > All apps > Add. In the App type list of the Add app pane, select
Windows 10 and later under Microsoft 365 Apps. Select Languages in the
App Suite Settings pane. For additional information, see Overview of
deploying languages in Microsoft 365 Apps.
2. Click Next to display the Scope tags page.

Step 2 - (Option 2) Configure app suite using XML data

If you selected the Enter XML data option under the Setting format dropdown box on
the Configure app suite page, you can configure the Office app suite using a custom
configuration file.

1. Add your configuration XML.

Note

The Product ID can either be Business ( O365BusinessRetail ) or Proplus
( O365ProPlusRetail ). However, you can only configure the app suite of the
Microsoft 365 Apps for business edition using XML data. Note that Microsoft
Office 365 ProPlus has been renamed to Microsoft 365 Apps for enterprise.

2. Click Next to display the Scope tags page.

For more information about entering XML data, see Configuration options for the Office
Deployment Tool.
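As an added illustration (example code, not from this article or from the Office Deployment Tool documentation), the following PowerShell function builds the XML for the Enter XML data option by mapping the configuration designer settings from Option 1 onto ODT elements; the mapping of the article's channel names to ODT channel identifiers is an assumption stated in the code.

```powershell
# Added example, not from the Intune article or the Office Deployment Tool docs.
# Builds the XML for the "Enter XML data" option by mapping the configuration
# designer settings from Option 1 onto ODT elements. Assumption: the article's
# channel names map to the ODT channel identifiers in $channelMap below.
function New-M365AppsConfigurationXml {
    [CmdletBinding()]
    param(
        # Product IDs named in the article's note; business edition is the default.
        [ValidateSet('O365BusinessRetail', 'O365ProPlusRetail')]
        [string]$ProductId = 'O365BusinessRetail',

        # Architecture: 32-bit installs on any device, 64-bit only on 64-bit devices.
        [ValidateSet('32', '64')]
        [string]$Architecture = '64',

        # Update Channel choices listed in the article.
        [ValidateSet('Monthly', 'Monthly (Targeted)', 'Semi-Annual', 'Semi-Annual (Targeted)')]
        [string]$UpdateChannel = 'Semi-Annual',

        # Languages: MatchOS installs the languages already present in Windows.
        [string[]]$Language = @('MatchOS'),

        # Apps to leave out of the suite (ODT ExcludeApp IDs such as Groove or Lync).
        [string[]]$ExcludeApp = @(),

        # Remove other versions: uninstall pre-existing MSI Office first.
        [switch]$RemoveMsi,

        # Use shared computer activation.
        [switch]$SharedComputerActivation,

        # Automatically accept the end user license agreement.
        [switch]$AcceptEula,

        # Specific version: pin a build for the selected channel (optional).
        [string]$Version
    )

    $channelMap = @{
        'Monthly'                = 'Current'
        'Monthly (Targeted)'     = 'CurrentPreview'
        'Semi-Annual'            = 'SemiAnnual'
        'Semi-Annual (Targeted)' = 'SemiAnnualPreview'
    }

    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('Configuration'))

    $add = $root.AppendChild($doc.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', $Architecture)
    $add.SetAttribute('Channel', $channelMap[$UpdateChannel])
    if ($Version) { $add.SetAttribute('Version', $Version) }

    $product = $add.AppendChild($doc.CreateElement('Product'))
    $product.SetAttribute('ID', $ProductId)
    foreach ($id in $Language) {
        $product.AppendChild($doc.CreateElement('Language')).SetAttribute('ID', $id)
    }
    foreach ($id in $ExcludeApp) {
        $product.AppendChild($doc.CreateElement('ExcludeApp')).SetAttribute('ID', $id)
    }

    # RemoveMSI is the XML equivalent of "Remove MSI from end-user devices".
    if ($RemoveMsi) { [void]$root.AppendChild($doc.CreateElement('RemoveMSI')) }

    $root.AppendChild($doc.CreateElement('Updates')).SetAttribute('Enabled', 'TRUE')

    # Level None keeps the install silent, as the article describes for Required assignments.
    $display = $root.AppendChild($doc.CreateElement('Display'))
    $display.SetAttribute('Level', 'None')
    $display.SetAttribute('AcceptEULA', $(if ($AcceptEula) { 'TRUE' } else { 'FALSE' }))

    $prop = $root.AppendChild($doc.CreateElement('Property'))
    $prop.SetAttribute('Name', 'SharedComputerLicensing')
    $prop.SetAttribute('Value', $(if ($SharedComputerActivation) { '1' } else { '0' }))

    # Return indented XML ready to paste into the Intune "Enter XML data" box.
    $sw = New-Object System.IO.StringWriter
    $xw = New-Object System.Xml.XmlTextWriter($sw)
    $xw.Formatting = [System.Xml.Formatting]::Indented
    $doc.WriteTo($xw)
    $xw.Flush()
    $sw.ToString()
}

# Usage: 64-bit business edition on Semi-Annual, English and German, OneDrive
# sync client (Groove) excluded, MSI Office removed, EULA accepted silently.
New-M365AppsConfigurationXml -Architecture '64' -UpdateChannel 'Semi-Annual' `
    -Language 'en-us', 'de-de' -ExcludeApp 'Groove' -RemoveMsi -AcceptEula
```

The Default file format setting from the designer has no ODT element and is left out; pin a version only when you also plan to review the install status caveat described under Specific version.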

Step 3 - Select scope tags (optional)

You can use scope tags to determine who can see client app information in Intune. For
full details about scope tags, see Use role-based access control and scope tags for
distributed IT.

1. Click Select scope tags to optionally add scope tags for the app suite.
2. Click Next to display the Assignments page.

Step 4 - Assignments
1. Select the Required, Available for enrolled devices, or Uninstall group
assignments for the app suite. For more information, see Add groups to organize
users and devices and Assign apps to groups with Microsoft Intune.
2. Click Next to display the Review + create page.

Step 5 - Review + create

1. Review the values and settings you entered for the app suite.

2. When you are done, click Create to add the app to Intune.

The Overview blade is displayed.

Deployment details
Once the deployment policy from Intune is assigned to the target machines through
Office configuration service provider (CSP), the end device will automatically download
the installation package from the officecdn.microsoft.com location. You will see two
directories appearing in the Program Files directory:
Under the Microsoft Office directory, a new folder is created where the installation files
are stored:

Under the Microsoft Office 15 directory, the Office Click-to-Run installation launcher files
are stored. The installation will start automatically if the assignment type is required:

The installation will be in silent mode if the assignment of Microsoft 365 is configured as
required. The downloaded installation files will be deleted once the installation
succeeded. If the assignment is configured as Available, the Office applications will
appear in the Company Portal application so that end-users can trigger the installation
manually.

Troubleshooting
Intune uses the Office Deployment Tool to download and deploy Microsoft 365 Apps to
your client computers using the Office 365 CDN. Reference the best practices outlined in
Managing Office 365 endpoints to ensure that your network configuration permits
clients to access the CDN directly rather than routing CDN traffic through central proxies
to avoid introducing unnecessary latency.

Important

For custom Office Deployment Tool XML installs, the install status only reflects the
result of the installation attempt. The install status does not reflect whether the app
is currently installed on the machine.

Run the Microsoft Support and Recovery Assistant for Microsoft 365 on a targeted
device if you encounter installation or run-time issues.

Additional troubleshooting details

When you are unable to install the Microsoft 365 apps to a device, you must identify
whether the issue is Intune-related or OS/Office-related. If you can see the two folders
Microsoft Office and Microsoft Office 15 appearing in the Program Files directory of the
device, you can confirm that Intune has initiated the deployment successfully. If you
cannot see the two folders appearing under Program Files, you should confirm the
below cases:

The device is properly enrolled into Microsoft Intune.

There is an active network connection on the device. If the device is in airplane
mode, is turned off, or is in a location with no service, the policy will not apply until
network connectivity is established.

Both Intune and Microsoft 365 network requirements are met and the related IP
ranges are accessible based on the following articles:
Intune network configuration requirements and bandwidth
Office 365 URLs and IP address ranges

The correct groups have been assigned the Microsoft 365 app suite.

In addition, monitor the size of the directory C:\Program Files\Microsoft
Office\Updates\Download. The installation package downloaded from the Intune cloud
will be stored in this location. If the size does not increase or only increases very slowly,
it is recommended to double-check the network connectivity and bandwidth.
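An added PowerShell example (not part of the Intune documentation) for the two checks above: it confirms that the Microsoft Office and Microsoft Office 15 folders exist under Program Files, then samples the size of the download directory to tell a stalled or slow download from a deployment that never started. The number of samples and the interval between them are assumptions.

```powershell
# Added example (not part of the Intune documentation). Run in an elevated
# PowerShell session on the Windows device that should receive Microsoft 365 Apps.

$programFiles  = [Environment]::GetFolderPath('ProgramFiles')
$officeFolders = @('Microsoft Office', 'Microsoft Office 15')   # folders named in the article
$downloadDir   = Join-Path $programFiles 'Microsoft Office\Updates\Download'
$samples       = 6      # assumption: six samples
$intervalSec   = 30     # assumption: 30 seconds apart (3 minutes in total)

function Get-DirectorySizeBytes {
    # Total size of all files below $Path; 0 if the folder does not exist yet.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return [long]0 }
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { [long]0 } else { [long]$sum }
}

# Check 1: both folders present means Intune has initiated the deployment.
$missing = $officeFolders | Where-Object {
    -not (Test-Path -LiteralPath (Join-Path $programFiles $_))
}
if ($missing) {
    Write-Warning ("Not found under Program Files: $($missing -join ', '). Verify enrollment, " +
                   "network access to the Intune and Microsoft 365 endpoints, and the group " +
                   "assignment before looking at the OS.")
    return
}
Write-Host 'Both Office folders exist: Intune has initiated the deployment.'

# Check 2: sample the download directory; flat or very slow growth points at
# network connectivity or bandwidth rather than at Intune.
$initial  = Get-DirectorySizeBytes $downloadDir
$previous = $initial
for ($i = 1; $i -le $samples; $i++) {
    Start-Sleep -Seconds $intervalSec
    $current  = Get-DirectorySizeBytes $downloadDir
    $rateKBps = ($current - $previous) / 1KB / $intervalSec
    '{0:HH:mm:ss}  {1,9:N1} MB  ({2,7:N1} KB/s)' -f (Get-Date), ($current / 1MB), $rateKBps
    $previous = $current
}
if ($previous -le $initial) {
    Write-Warning "$downloadDir did not grow during sampling; double-check network connectivity and bandwidth."
}
```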

Once you can conclude that both Intune and the network infrastructure work as
expected, you should further analyze the issue from an OS perspective. Consider the
following conditions:

The target device must run on Windows 10/11 Creators Update or later.
No existing Office apps are opened while Intune deploys the applications.
Existing MSI versions of Office have been properly removed from the device.
Intune utilizes Office Click-to-Run, which is not compatible with Office MSI. This
behavior is further described in this document: Office installed with Click-to-Run
and Windows Installer on same computer isn't supported.
The signed-in user should have permission to install applications on the device.
Confirm there are no issues based on the Windows Event Viewer log Windows
Logs > Application.
Capture Office installation verbose logs during the installation. To do this, follow
these steps:

1. Activate verbose logging for Office installation on the target machines. To do
this, run the following command to modify the registry:
reg add HKLM\SOFTWARE\Microsoft\ClickToRun\OverRide /v LogLevel /t REG_DWORD /d 3
2. Deploy the Microsoft 365 Apps to the target devices again.
3. Wait approximately 15 to 20 minutes and go to the %temp% folder and the
%windir%\temp folder, sort by Date Modified, pick the {Machine Name}-
{TimeStamp}.log files that are modified according to your repro time.
4. Run the following command to disable verbose log:
reg delete HKLM\SOFTWARE\Microsoft\ClickToRun\OverRide /v LogLevel /f

The verbose logs can provide further detailed information on the installation
process.
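The four steps above as one PowerShell script, added here as an example and not part of the Intune documentation: it sets the same LogLevel override the reg commands set, waits while you re-deploy the apps from the admin center, copies the {MachineName}-{TimeStamp}.log files modified since the repro started, and removes the override even if copying fails. The output folder on the Desktop and the 20-minute wait are assumptions.

```powershell
# Added example (not part of the Intune documentation). Run elevated on the
# target device; re-deploy the Microsoft 365 Apps from Intune while it waits.

$overrideKey = 'HKLM:\SOFTWARE\Microsoft\ClickToRun\OverRide'
$logDirs     = @($env:TEMP, (Join-Path $env:windir 'Temp'))          # %temp% and %windir%\temp
$collectDir  = Join-Path $env:USERPROFILE 'Desktop\OfficeC2RLogs'    # assumption: output folder
$waitMinutes = 20                                                    # assumption: upper end of 15-20 min

# Step 1: enable verbose logging (same effect as "reg add ... /v LogLevel /t REG_DWORD /d 3").
if (-not (Test-Path $overrideKey)) { New-Item -Path $overrideKey -Force | Out-Null }
Set-ItemProperty -Path $overrideKey -Name 'LogLevel' -Value 3 -Type DWord
$reproStart = Get-Date
Write-Host "Verbose Click-to-Run logging enabled at $reproStart."

try {
    # Step 2 happens in the admin center: re-deploy the Microsoft 365 Apps to this device.
    Write-Host "Re-deploy the Microsoft 365 Apps now; waiting $waitMinutes minutes for logs..."
    Start-Sleep -Seconds ($waitMinutes * 60)

    # Step 3: pick the {MachineName}-{TimeStamp}.log files modified since the repro started.
    New-Item -ItemType Directory -Path $collectDir -Force | Out-Null
    $pattern = "$env:COMPUTERNAME-*.log"
    $logs = foreach ($dir in $logDirs) {
        Get-ChildItem -Path $dir -Filter $pattern -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $reproStart }
    }
    foreach ($log in $logs) {
        Copy-Item -Path $log.FullName -Destination $collectDir -Force
    }
    Write-Host ("Collected {0} log file(s) into {1}." -f @($logs).Count, $collectDir)
}
finally {
    # Step 4: always remove the override so verbose logging does not stay on.
    Remove-ItemProperty -Path $overrideKey -Name 'LogLevel' -ErrorAction SilentlyContinue
    Write-Host 'Verbose Click-to-Run logging disabled.'
}
```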

Errors during installation of the app suite

See How to enable Microsoft 365 Apps ULS logging for information on how to view
verbose installation logs.

The following tables list common error codes you might encounter and their meaning.

Status for Office CSP

| Status | Phase | Description |
|---|---|---|
| 1460 (ERROR_TIMEOUT) | Download | Failed to download the Office Deployment Tool |
| 13 (ERROR_INVALID_DATA) | - | Cannot verify the signature of the downloaded Office Deployment Tool |
| Error code from CertVerifyCertificateChainPolicy | - | Failed certification check for the downloaded Office Deployment Tool |
| 997 | WIP | Installing |
| 0 | After installation | Installation succeeded |
| 1603 (ERROR_INSTALL_FAILURE) | - | Failed any prerequisite check, such as: SxS (Tried to install when 2016 MSI is installed); Version mismatch; Others |
| 0x8000ffff (E_UNEXPECTED) | - | Tried to uninstall when there is no Click-to-Run Office on the machine |
| 17002 | - | Failed to complete the scenario (install). Possible reasons: Installation canceled by user; Installation canceled by another installation; Out of disk space during installation; Unknown language ID |
| 17004 | - | Unknown SKUs |

Office Deployment Tool error codes

| Scenario | Return code | UI | Note |
|---|---|---|---|
| Uninstall effort when there is no active Click-to-Run installation | -2147418113, 0x8000ffff or 2147549183 | Error Code: 30088-1008; Error Code: 30125-1011 (404) | Office Deployment Tool |
| Install when there is MSI version installed | 1603 | - | Office Deployment Tool |
| Installation canceled by user, or by another installation | 17002 | - | Click-to-Run |
| Try to install 64-bit on a device that has 32-bit installed. | 1603 | - | Office Deployment Tool return code |
| Try to install an unknown SKU (not a legitimate use case for Office CSP since we should only pass in valid SKUs) | 17004 | - | Click-to-Run |
| Lack of space | 17002 | - | Click-to-Run |
| The Click-to-Run client failed to start (unexpected) | 17000 | - | Click-to-Run |
| The Click-to-Run client failed to queue scenario (unexpected) | 17001 | - | Click-to-Run |
Next steps
To assign the app suite to additional groups, see Assign apps to groups.
Assign Microsoft 365 to macOS devices with Microsoft Intune
Article • 05/01/2023

This app type makes it easy for you to assign Microsoft 365 apps to macOS devices. By
using this app type, you can install Word, Excel, PowerPoint, Outlook, OneNote, Teams,
and OneDrive. To help keep the apps more secure and up to date, the apps come with
Microsoft AutoUpdate (MAU). The apps that you want are displayed as one app in the
list of apps in the Intune admin center.

Important

With Office for Mac update (16.67), macOS Big Sur 11 or later will be required to
receive updates to Office for Mac. If you continue with an older version of macOS,
your Office apps will still work, but you'll no longer receive any updates, including
security updates. Upgrading your operating system to macOS Big Sur 11 or later
will allow Office updates to be delivered for your apps. The October 2022 Office for
Mac update (16.66) will be the last build to support macOS Catalina 10.15. For
related information, see Upgrade macOS to continue receiving Microsoft 365 and
Office for Mac updates.

Note

Other versions of Office for Mac can be added to the Microsoft Intune admin
center. For more information, see Most current packages for Office for Mac.

Microsoft Office 365 ProPlus has been renamed to Microsoft 365 Apps for
enterprise. In our documentation, we'll commonly refer to it as Microsoft 365
Apps.

Before you start

Before you begin adding Microsoft 365 apps to macOS devices, understand the
following details:

Devices to which you deploy these apps must be running macOS 10.14 or later.
If any Office apps are open when Intune installs the app suite, users might lose
data from unsaved files.
Select Microsoft 365 Apps
1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. Select macOS in the Microsoft 365 Apps section of the Select app type pane.
4. Click Select. The Add Microsoft 365 Apps steps are displayed.

Step 1 - App suite information


In this step, you provide information about the app suite. This information helps you to
identify the app suite in Intune, and it helps users to find the app suite in the company
portal.

1. In the App suite information page, you can confirm or modify the default values:

Suite Name: Enter the name of the app suite as it is displayed in the company
portal. Make sure that all suite names that you use are unique. If the same
app suite name exists twice, only one of the apps is displayed to users in the
company portal.
Suite Description: Enter a description for the app suite. For example, you
could list the apps you've selected to include.
Publisher: Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a
category that you created. This setting makes it easier for users to find the
app suite when they browse the company portal.
Show this as a featured app in the Company Portal: Select this option to
display the app suite prominently on the main page of the company portal
when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Microsoft appears as the developer.
Owner: Microsoft appears as the owner.
Notes: Enter any notes that you want to associate with this app.
Logo: The Microsoft 365 Apps logo is displayed with the app when users
browse the company portal.

2. Click Next to display the Scope tags page.


Step 2 - Select scope tags (optional)
You can use scope tags to determine who can see client app information in Intune. For
full details about scope tags, see Use role-based access control and scope tags for
distributed IT.

1. Click Select scope tags to optionally add scope tags for the app suite.
2. Click Next to display the Assignments page.

Step 3 - Assignments
1. Select the Required or Available for enrolled devices group assignments for the
app suite. For more information, see Add groups to organize users and devices
and Assign apps to groups with Microsoft Intune.

Note

You cannot uninstall the 'Microsoft 365 apps for macOS' app suite through
Intune.

2. Click Next to display the Review + create page.

Step 4 - Review + create


1. Review the values and settings you entered for the app suite.

2. When you are done, click Create to add the app to Intune.

The Overview blade is displayed. The suite appears in the list of apps as a single
entry.

Next steps
To learn about adding Microsoft 365 apps to Windows 10 devices, see Assign
Microsoft 365 Apps to Windows 10 devices with Microsoft Intune.
To learn about including and excluding app assignments from groups of users, see
Include and exclude app assignments.
Manage Android Enterprise system apps in Microsoft Intune
Article • 05/01/2023

Before you assign an Android Enterprise system app to a device, you must first enable
the app in Microsoft Intune. System apps are supported on Android Enterprise devices.
You can enable a system app for Android Enterprise dedicated devices, fully managed
devices, Android Enterprise corporate-owned with work profile, or Android Enterprise
personally-owned work profiles. When you no longer need the system app, you can
disable it. Android Enterprise system apps will enable or disable apps that are already
part of the platform. To enable an app, assign the system app as Required. To disable an
app, assign the system app as Uninstall. System apps cannot be assigned as available
for a user.

Enable a system app in Intune

You can enable an Android Enterprise system app in Intune using the following steps:

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the available Other types, select Android
Enterprise system app.
4. Click Select. The Add app steps are displayed. In the App information page, add
the app details:

App Name: Enter the name of the app.
Publisher: Enter the name of the publisher of the app.
Package Name: Enter a package name. Intune will validate that the package
name is valid.

5. Click Next to display the Scope tags page.
6. Click Select scope tags to optionally add scope tags for the app. For more
information, see Use role-based access control (RBAC) and scope tags for
distributed IT.
7. Click Next to display the Assignments page.
8. Select the group assignments for the app. To enable the app, assign the app as
Required. For more information, see Add groups to organize users and devices.
9. Click Next to display the Review + create page. Review the values and settings you
entered for the app.
10. When you are done, click Create to enable the app in Intune.
The Overview blade of the app you've created is displayed.

Note

You will need to work with the OEM of your device to find the package name of the
app you would like to enable/disable.

You cannot create an Android Enterprise system app when there is the same app in
Managed Google Play in Intune.

The Notes section will not appear for an Android Enterprise system app and is not
editable.

The app you've created is displayed in the apps list, where you can assign it to the
groups that you select.

Disable a system app in Intune

You can disable an Android Enterprise system app in Intune using the following steps:

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps.
3. Select the system app from the app list.
4. Change the assignment for this app to Uninstalled and save.

Next steps
Assign apps to groups
Add web apps to Microsoft Intune
Article • 07/24/2023

Intune supports a variety of app types, including web apps. A web app is a client-server
application. The server provides the web app, which includes the UI, content, and
functionality. Additionally, modern web-hosting platforms commonly offer security, load
balancing, and other benefits. A web app is separately maintained on the web. You use
Microsoft Intune to point to this app type. You also assign the groups of users that can
access this app.

Before you can manage and assign an app for your users, add the app to Intune.

Intune creates a shortcut to the web app on the user's device. For iOS/iPadOS devices, a
shortcut to the web app is added to the home screen. For Android Device Admin
devices, a shortcut to the web app is added to the Intune company portal widget and
the widget needs to be pinned manually by the user. For Windows devices, a shortcut to
the web app is placed on the Start Menu.

Note

A browser must be installed on the user's device to launch web apps.

For Android Enterprise devices, see Managed Google Play web links.

For iOS devices, new web clips (pinned web apps) will open in Microsoft Edge
instead of the Intune Managed Browser when required to open in a protected
browser. For older iOS web clips, you must retarget these web clips to ensure they
open in Microsoft Edge rather than the Managed Browser.

For legacy device admin Android devices, web links pinned through the Company
Portal widget can only open with the Intune Managed Browser if users' Company
Portal version is older than 5.0.4737.0.

Add a web app to Intune

To add an app to Intune as a shortcut to an app on the web, do the following:

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps > Add.

3. In the Select app type pane, under the Other types, select Web link. Other options
include iOS/iPadOS web clip, macOS web clip, and Windows web link.

4. Click Select. The Add app steps are displayed.

5. On the App information page, add the following information:

Name: Enter the name of the app as it is to be displayed in the company
portal.

Note

If you change the name of the app through Intune after you have
deployed and installed the app, the app will no longer be able to be
targeted using commands.

Description: Enter a description for the app. This description is displayed to
users in the company portal.

Publisher: Enter the name of the publisher of this app.

App URL: Enter the URL of the website that hosts the app that you want to
assign.

Require a managed browser to open this link: Select this option to assign to
your users a link to a website or web app that they can open in the Intune
managed browser. This browser must be installed on their device.

Full screen: [iOS/iPadOS only] If configured to Yes, launches the web clip as a
full-screen web app without a browser. Additionally, there's no URL or search
bar, and no bookmarks.

Ignore manifest scope: [iOS/iPadOS only] If configured to Yes, a full screen
web clip can navigate to an external web site without showing Safari UI.
Otherwise, Safari UI appears when navigating away from the web clip's URL.
This setting has no effect when Full screen is set to No. Available in iOS 14
and later.

Precomposed: [iOS/iPadOS only] If configured to Yes, prevents Apple's
application launcher (SpringBoard) from adding "shine" to the icon.

Target application bundle identifier: [iOS/iPadOS only] Enter the application
bundle identifier that specifies the application that opens the URL. Available
in iOS 14 and later.

Category: Optionally, select one or more of the built-in app categories, or a
category that you created. Doing so makes it easier for users to find the app
when they browse the company portal.

Show this as a featured app in the Company Portal: Select this option to
display the app prominently on the main page of the company portal
when users browse for apps.

Information URL: Link people to a website or documentation that has more
information about the app. The information URL will be visible to users in
Company Portal.

Privacy URL: Provide a link for people who want to learn more about the
app's privacy settings and terms. The privacy URL will be visible to users in
Company Portal.

Developer: The name of the company or individual that developed the app.
This information will be visible to people signed into the admin center.

Owner: The name of the person in your organization who manages licensing
or is the point-of-contact for this app. This name will be visible to people
signed in to the admin center.

Notes: Add additional notes about the app. Notes will be visible to people
signed in to the admin center.

Logo: Upload an icon that will be associated with the app. This icon is
displayed with the app when users browse the company portal.

6. Click Next to display the Scope tags page.

7. Click Select scope tags to optionally add scope tags for the app. For more
information, see Use role-based access control (RBAC) and scope tags for
distributed IT.

8. Click Next to display the Assignments page.

9. Select the group assignments for the app. For more information, see Add groups
to organize users and devices.

10. Click Next to display the Review + create page. Review the values and settings you
entered for the app.

11. When you are done, click Create to add the app to Intune.

The Overview blade of the app you've created is displayed.


End-users can launch web apps directly from the Windows Company Portal app by
selecting the web app and then choosing the option Open in browser. The published
web URL is opened directly in the web browser.

Next steps
The app that you've created is displayed in the apps list, where you can assign it to the
groups that you select. For help, see Assign apps to groups.
Add built-in apps to Microsoft Intune
Article • 03/07/2023

The built-in app type makes it easy for you to assign curated managed apps, such as
Microsoft 365 apps and third-party apps, to iOS/iPadOS and Android devices. You can
assign specific apps for this app type, such as Excel, OneDrive, Outlook, Skype, and
others. After you add an app, the app type is displayed as either Built-in iOS app or
Built-in Android app. By using the built-in app type, you can choose which of these apps
to publish to device users.

In earlier versions of the Microsoft Intune admin center, Intune provided several
default managed Microsoft 365 apps, such as Outlook and OneDrive. The app types for
these managed apps were tagged as Managed iOS Store App or Managed Android App.
Instead of using these app types, we recommend that you use the built-in app type. By
using the built-in app type, you have the additional flexibility to edit and delete
Microsoft 365 apps.

Note

Default Microsoft 365 apps that are tagged as Managed iOS Store and Managed
Android App are removed from the app list when all assignments are deleted.

Add a built-in app

To add a built-in app to your available apps in Microsoft Intune, do the following:

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps > Add.

3. In the Select app type pane, under the available Other types, select Built-In app.

4. Click Select. The Add app steps are displayed.

5. In the Select Built-in apps page, click Select app to select the apps that you want
to include.

6. Select the built-in apps that you want to include.

7. Once you have selected the apps, click Select on the Select Built-in apps pane.

8. Click Next to display the Scope tags page.


9. Click Select scope tags to optionally add scope tags for the app. For more
information, see Use role-based access control (RBAC) and scope tags for
distributed IT.

10. Click Next to display the Assignments page.

11. Select the group assignments for the app. For more information, see Add groups
to organize users and devices.

12. Click Next to display the Review + create page. Review the values and settings you
entered for the app.

13. When you are done, click Create to add the app to Intune.

The Overview blade of the app you've created is displayed.

Configure app information


You can modify information about the built-in app. This information helps you to
identify the app in Intune and helps users find the app in the company portal.

1. Select Apps > All apps and select the built-in app that you want to modify.

A pane for the built-in app is displayed.

2. Select Properties.

3. Select Edit next to App information.

4. In the App information pane, you can modify the following information:

Name: Enter the name of the built-in app as it is displayed in the company
portal. Make sure all names that you use are unique. If the same app name
exists twice, only one of the apps is displayed to users in the company portal.
Description: Enter a description for the app.
Publisher: Enter the name of the publisher of the app.
Category: Optionally, select one or more of the built-in app categories.
Setting this option makes it easier for users to find the app when they browse
the company portal.
Show this as a featured app in the company portal: Display the app
prominently on the main page of the company portal when users browse for
apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app (for example, HR
department).
Notes: Enter any notes that you want to associate with this app.
Upload Icon: Upload an icon that is displayed with the app when users
browse the company portal.

5. Click Review + save to display the Review + create page. Review the values and
settings you entered for the app.

6. When you are done, click Save to update the app in Intune.

The Overview blade of the app you've created is displayed.

Next steps
You can now assign the apps to the groups that you choose. For more information,
see Assign apps to groups.
Add an Android line-of-business app to Microsoft Intune
Article • 03/06/2023

A line-of-business (LOB) app is an app that you add to Intune from an app installation
file. This kind of app is typically written in-house. Intune installs the LOB app on the
user's device.

Note

For more information about LOB apps and the Google Play Developer Console, see
Managed Google Play private (LOB) app publishing using the Google Developer
Console.

Note

For Android Enterprise devices, see Add Managed Google Play apps to Android
Enterprise devices with Intune.

Select the app type

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the Other app types, select Line-of-business
app.
4. Click Select. The Add app steps are displayed.

Step 1 - App information

Select the app package file


1. In the Add app pane, click Select app package file.
2. In the App package file pane, select the browse button. Then, select an Android
installation file with the extension .apk.
The app details will be displayed.
3. When you're finished, select OK on the App package file pane to add the app.
Set app information
1. In the App information page, add the details for your app. Depending on the app
that you chose, some of the values in this pane might be automatically filled in.

Name: Enter the name of the app as it appears in the company portal. Make
sure all app names that you use are unique. If the same app name exists
twice, only one of the apps appears in the company portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
Minimum Operating System: From the list, choose the minimum operating
system version on which the app can be installed. If you assign the app to a
device with an earlier operating system, it will not be installed.
Category: Select one or more of the built-in app categories, or select a
category that you created. Categories make it easier for users to find the app
when they browse through the company portal.
Show this as a featured app in the Company Portal: Display the app
prominently on the main page of the company portal when users browse for
apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that is associated with the app. This icon is displayed
with the app when users browse through the company portal.

2. Click Next to display the Scope tags page.

Step 2 - Select scope tags (optional)


You can use scope tags to determine who can see client app information in Intune. For
full details about scope tags, see Use role-based access control and scope tags for
distributed IT.

1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.
Step 3 - Assignments
1. Select the Required, Available for enrolled devices, or Uninstall group
assignments for the app. For more information, see Add groups to organize users
and devices and Assign apps to groups with Microsoft Intune.
2. Click Next to display the Review + create page.

Step 4 - Review + create


1. Review the values and settings you entered for the app.

2. When you are done, click Create to add the app to Intune.

The Overview blade for the line-of-business app is displayed.

Step 5: Update a line-of-business app

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps.
3. Find and select your app from the list of apps.
4. Select Properties under Manage from the app pane.
5. Select Edit next to App information.
6. Click on the listed file next to Select file to update. The App package file pane is
displayed.
7. Select the folder icon and browse to the location of your updated app file. Select
Open. The app information is updated with the package information.
8. Verify that App version reflects the updated app package.

If Check apps from external sources is enabled on the Android device, the user will be
prompted before installing the update. Otherwise the update will be installed
automatically.

Note

For the Intune service to successfully deploy a new APK file to the device, you must
increment the android:versionCode string in the AndroidManifest.xml file in your
APK package.

Next steps
The app that you created appears in the list of apps. You can now assign it to
groups that you choose. For help, see How to assign apps to groups.

Learn more about the ways in which you can monitor the properties and
assignment of your app. See How to monitor app information and assignments.

Learn more about the context of your app in Intune. See Overview of device and
app lifecycles.
Add an iOS/iPadOS line-of-business app to Microsoft Intune
Article • 05/25/2023

Use the information in this article to help you add an iOS/iPadOS line-of-business (LOB)
app to Microsoft Intune. A line-of-business (LOB) app is an app that you add to Intune
from an IPA app installation file. This kind of app is typically written in-house. You will
first need to join the iOS Developer Enterprise Program. For more information about
how to do this, see Apple's website.

Note

Users of iOS/iPadOS devices can remove some of the built-in iOS/iPadOS apps, like
Stocks and Maps. You cannot use Intune to redeploy these apps. If users delete
these apps, they must go to the app store and manually reinstall them.

iOS/iPadOS LOB apps have a maximum size limit of 2 GB per app.

Bundle identifiers (for example, com.contoso.app) are meant to be unique identifiers
of an app. For example, to install a beta version of an LOB app next to the
production version for testing purposes, the beta version must have a different
unique identifier (for example, com.contoso.app-beta). Otherwise, the beta version
will overlap with the production and be treated as an upgrade. Renaming the .ipa
file has no effect on this behavior.

You can deploy LOB apps to Shared iPad devices. For Shared iPad devices, line-of-
business apps must be assigned as required to a device group containing Shared iPad
devices from the Microsoft Intune admin center.

Select the app type

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the Other app types, select Line-of-business
app.
4. Click Select. The Add app steps are displayed.

Step 1 - App information


Select the app package file
1. In the Add app pane, click Select app package file.
2. In the App package file pane, select the browse button. Then, select an
iOS/iPadOS installation file with the extension .ipa.
The app details will be displayed.
3. When you're finished, select OK on the App package file pane to add the app.

Set app information


1. In the App information page, add the details for your app. Depending on the app
that you chose, some of the values in this pane might be automatically filled in.

Name: Enter the name of the app as it appears in the company portal. Make
sure all app names that you use are unique. If the same app name exists
twice, only one of the apps appears in the company portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
Minimum Operating System: From the list, choose the minimum operating
system version on which the app can be installed. If you assign the app to a
device with an earlier operating system, it will not be installed.
Category: Select one or more of the built-in app categories, or select a
category that you created. Categories make it easier for users to find the app
when they browse through the company portal.
Show this as a featured app in the Company Portal: Display the app
prominently on the main page of the company portal when users browse for
apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that is associated with the app. This icon is displayed
with the app when users browse through the company portal.

2. Click Next to display the Scope tags page.


Step 2 - Select scope tags (optional)
You can use scope tags to determine who can see client app information in Intune. For
full details about scope tags, see Use role-based access control and scope tags for
distributed IT.

1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.

Step 3 - Assignments
1. Select the Required, Available for enrolled devices, Available with or without
enrollment, or Uninstall group assignments for the app. For more information, see
Add groups to organize users and devices and Assign apps to groups with
Microsoft Intune.
2. Click Next to display the Review + create page.

Step 4 - Review + create


1. Review the values and settings you entered for the app.

2. When you are done, click Create to add the app to Intune.

The Overview blade for the line-of-business app is displayed.

The app that you created now appears in the list of apps. From the list, you can assign
the apps to groups that you choose. For help, see How to assign apps to groups.

Note

Provisioning profiles for iOS/iPadOS LOB apps have a 30-day notice before they
expire.

Step 5: Update a line-of-business app

1. Sign in to the Microsoft Intune admin center .
2. Select Apps > All apps.
3. Find and select your app from the list of apps.
4. Select Properties under Manage from the app pane.
5. Select Edit next to App information.
6. Click on the listed file next to Select file to update. The App package file pane is
displayed.
7. Select the folder icon and browse to the location of your updated app file. Select
Open. The app information is updated with the package information.
8. Verify that App version reflects the updated app package.

The update to the line-of-business app will be installed automatically.

Note

For the Intune service to successfully deploy a new IPA file to the device, you must
update the CFBundleVersion string in the Info.plist file in your IPA package. You can
upgrade an app by increasing the value or downgrade it by decreasing the value;
however, you cannot upload a new version of the app if its CFBundleVersion is
identical to the existing one.

For an iOS LOB app targeted with available intent, auto-update of the application will
happen as long as the following conditions are met:

The end user must request the specific Intune app from the Company Portal and
the app must be successfully installed, or the app is already installed on the device.
The targeting for the user has not changed (the app assignment with available
intent is not removed, and the user is not removed from the group membership
during the life cycle of the app assignment).
If the previous version of the app was installed through required intent, the
available app update will not happen. The app will be updated automatically as
long as the user/device is part of the required intent group.
If the app has both available and required deployments targeted, the resolved
intent becomes 'RequiredAndAvailable'. Note: You cannot create Available and
Required deployments to the same AAD group, but you can use a different AAD
group with the same members in it. If the app was installed automatically on
devices after the Required deployment was created (not manually installed from
Company Portal) and the required deployment is later removed, the Available app
update won't happen automatically on those devices, and the users have to request
the app from Company Portal.

Next steps
The app that you created appears in the list of apps. You can now assign it to
groups that you choose. For help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and
assignment of your app. See How to monitor app information and assignments.

Learn more about the context of your app in Intune. See Overview of device and
app lifecycles.
Add a Windows line-of-business app to
Microsoft Intune
Article • 03/06/2023

A line-of-business (LOB) app is one that you add from an app installation file. This kind
of app is typically written in-house. The following steps provide guidance to help you
add a Windows LOB app to Microsoft Intune.

Important

When deploying Win32 apps using an installation file with the .msi extension
(packaged in an .intunewin file using the Content Prep Tool), consider using Intune
Management Extension. If you mix the installation of Win32 apps and line-of-
business apps during Autopilot enrollment, the app installation may fail as they
both use the Trusted Installer service at the same time.

Select the app type

1. Sign in to the Microsoft Intune admin center .
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the Other app types, select Line-of-business
app.
4. Click Select. The Add app steps are displayed.

Step 1 - App information

Select the app package file

1. In the Add app pane, click Select app package file.

2. In the App package file pane, select the browse button. Then, select a Windows
installation file with the extension .msi, .appx, or .appxbundle. The app details will
be displayed.

Note

The file extensions for Windows apps include .msi, .appx, .appxbundle, .msix,
and .msixbundle. For more information about .msix, see MSIX
documentation and MSIX App Distribution.

3. When you're finished, select OK on the App package file pane to add the app.

Set app information

1. In the App information page, add the details for your app. Depending on the app
that you chose, some of the values in this pane might be automatically filled in.

Name: Enter the name of the app as it appears in the company portal. Make
sure all app names that you use are unique. If the same app name exists
twice, only one of the apps appears in the company portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
App Install Context: Select the install context to be associated with this app.
For dual mode apps, select the desired context for this app. For all other
apps, this is pre-selected based on the package and cannot be modified.
Ignore app version: Set to Yes if the app developer automatically updates the
app. This option applies to mobile .msi apps and Windows apps with self-
updating installers (such as Google Chrome).
Command-line arguments: Optionally, enter any command-line arguments
that you want to apply to the .msi file when it runs. An example is /q. Do not
include the msiexec command or arguments such as /i or /x, as they are
used automatically. For more information, see Command-Line Options. If the
.MSI file needs additional command-line options, consider using Win32 app
management.
Category: Select one or more of the built-in app categories, or select a
category that you created. Categories make it easier for users to find the app
when they browse through the company portal.
Show this as a featured app in the Company Portal: Display the app
prominently on the main page of the company portal when users browse for
apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that is associated with the app. This icon is displayed
with the app when users browse through the company portal.

2. Click Next to display the Scope tags page.

Step 2 - Select scope tags (optional)

You can use scope tags to determine who can see client app information in Intune. For
full details about scope tags, see Use role-based access control and scope tags for
distributed IT.

1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.

Step 3 - Assignments
1. Select the Required, Available for enrolled devices, or Uninstall group
assignments for the app. For more information, see Add groups to organize users
and devices and Assign apps to groups with Microsoft Intune.
2. Click Next to display the Review + create page.

Step 4 - Review + create

1. Review the values and settings you entered for the app.

2. When you are done, click Create to add the app to Intune.

The Overview blade for the line-of-business app is displayed.

The app that you created now appears in the list of apps. From the list, you can assign
the apps to groups that you choose. For help, see How to assign apps to groups.

Update a line-of-business app

1. Sign in to the Microsoft Intune admin center .
2. Select Apps > All apps.
3. Find and select your app from the list of apps.
4. Select Properties under Manage from the app pane.
5. Select Edit next to App information.
6. Click on the listed file next to Select file to update. The App package file pane is
displayed.
7. Select the folder icon and browse to the location of your updated app file. Select
Open. The app information is updated with the package information.
8. Verify that App version reflects the updated app package.

Note

For the Intune service to successfully deploy a new APPX file to the device, you
must increment the Version string in the AppxManifest.xml file in your APPX
package.
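The two update rules on this page, that a new IPA must carry a changed CFBundleVersion (higher or lower, but never identical) and that a new APPX must carry an incremented Identity Version, can be checked before a package is uploaded. The following is an added example, not Intune's or Microsoft's code: it reads the relevant version from each package format (both are zip archives), compares it against an assumed deployed version, and builds minimal constructed packages in memory so it runs offline.

```python
import io
import plistlib
import zipfile
import xml.etree.ElementTree as ET


def ipa_bundle_version(ipa_bytes):
    """Return CFBundleVersion from Payload/<Name>.app/Info.plist inside an IPA (a zip).

    Only the app's own top-level Info.plist is read; plists of embedded frameworks,
    extensions or watch apps sit deeper in the tree and are skipped.
    """
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            parts = name.split("/")
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app") and parts[2] == "Info.plist"):
                return plistlib.loads(z.read(name))["CFBundleVersion"]
    raise ValueError("no Payload/*.app/Info.plist found in IPA")


def appx_version(appx_bytes):
    """Return the Version attribute of <Identity> in AppxManifest.xml inside an APPX (a zip)."""
    with zipfile.ZipFile(io.BytesIO(appx_bytes)) as z:
        root = ET.fromstring(z.read("AppxManifest.xml"))
    # The manifest namespace differs between package schema versions, so match on
    # the local element name rather than on a fixed namespace.
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "Identity":
            return elem.attrib["Version"]
    raise ValueError("AppxManifest.xml has no Identity element")


def version_tuple(version):
    """Dotted version string -> tuple of ints so that "1.0.10" orders after "1.0.9"."""
    return tuple(int(p) for p in version.split("."))


def ipa_update_accepted(deployed_version, new_ipa):
    """iOS rule: CFBundleVersion must differ from the deployed build (up or down is fine)."""
    new = ipa_bundle_version(new_ipa)
    if new == deployed_version:
        return False, f"CFBundleVersion {new} is identical to the deployed build; change it"
    direction = "upgrade" if version_tuple(new) > version_tuple(deployed_version) else "downgrade"
    return True, f"{direction} from {deployed_version} to {new}"


def appx_update_accepted(deployed_version, new_appx):
    """Windows rule: Identity Version must be incremented, not merely different."""
    new = appx_version(new_appx)
    if version_tuple(new) <= version_tuple(deployed_version):
        return False, f"Version {new} is not higher than deployed {deployed_version}; increment it"
    return True, f"upgrade from {deployed_version} to {new}"


# --- Constructed sample packages (package shape only; not real app binaries) ---

def build_ipa(bundle_version):
    """Minimal IPA-shaped zip containing just Payload/Example.app/Info.plist."""
    info = {"CFBundleIdentifier": "com.example.lob", "CFBundleVersion": bundle_version}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Example.app/Info.plist", plistlib.dumps(info))
    return buf.getvalue()


def build_appx(version):
    """Minimal APPX-shaped zip containing just an AppxManifest.xml with an Identity element."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        f'<Identity Name="Example.Lob" Publisher="CN=Example" Version="{version}"/>'
        '</Package>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    # The deployed versions below are assumed values for the demo.
    for deployed, candidate in [("1.0.3", "1.0.3"), ("1.0.3", "1.0.2"), ("1.0.3", "1.1.0")]:
        print("IPA ", deployed, "->", candidate, ipa_update_accepted(deployed, build_ipa(candidate)))
    for deployed, candidate in [("1.0.3.0", "1.0.3.0"), ("1.0.3.0", "1.0.2.0"), ("1.0.3.0", "1.0.4.0")]:
        print("APPX", deployed, "->", candidate, appx_update_accepted(deployed, build_appx(candidate)))
```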

Configure a self-updating mobile MSI app to ignore the version check process

You can configure a known self-updating mobile MSI app to ignore the version check
process.

Some MSI installer-based apps are automatically updated by the app developer or
another update method. For these automatically updated MSI apps, you can configure
the Ignore app version setting in the App information pane. When you switch this
setting to Yes, Microsoft Intune will not enforce the app version that's installed on the
Windows client.

This capability is useful to avoid getting into a race condition. For instance, a race
condition can occur when the app is automatically updated by the app developer and is
updated by Intune. Both might try to enforce a version of the app on a Windows client,
which creates a conflict.

Next steps
The app that you created appears in the list of apps. You can now assign it to
groups that you choose. For help, see How to assign apps to groups.

Learn more about the ways in which you can monitor the properties and
assignment of your app. See How to monitor app information and assignments.

Learn more about the context of your app in Intune. See Overview of the app
lifecycle in Microsoft Intune.

Learn more about Win32 apps. See Win32 app management.


Sign line-of-business apps so they can
be deployed to Windows devices with
Intune
Article • 03/31/2023

As an Intune administrator, you can deploy line-of-business (LOB) Universal apps to
Windows 8.1 Desktop or Windows 10/11 Desktop & Mobile devices, including the
Company Portal app. To deploy .appx apps to Windows 8.1 Desktop or Windows 10/11
Desktop & Mobile devices, you can use a code-signing certificate from a public
certification authority that your Windows devices already trust, or you can use your
own certificate authority. This process is called sideloading. Sideloading is installing, and
then running or testing, an app that isn't certified by the Microsoft Store, for example
an app that is internal to your company only.

Note

Microsoft Intune will be ending support on October 21, 2022 for devices running
Windows 8.1. Intune will no longer support Windows 8.1 sideloading.

Windows 8.1 Desktop requires either an enterprise policy to enable sideloading or
the use of Sideloading Keys (automatically enabled for domain-joined devices). For
more information, see Windows 8 sideloading.

Windows 10/11 sideloading

In Windows 10/11, sideloading is different than in earlier versions of Windows:

You can unlock a device for sideloading using an enterprise policy. Intune provides
a device config policy called "Trusted app installation". Setting this to allow is all
that is needed for devices that already trust the certificate used to sign the appx
app.

Symantec Phone certificates and Sideloading License keys aren't required. However
if an on-premises certificate authority isn't available then you may need to obtain a
code signing certificate from a public certification authority. For more information,
see Introduction to Code Signing.

Code sign your app

The first step is to code sign your appx package. For details, see Sign app package using
SignTool.

Upload your app

Next, you must upload the signed appx file. For details, see Add a Windows line-of-
business app to Microsoft Intune.

If you deploy the app as required to users or devices then you don't need the Intune
Company Portal app. However if you deploy the app as available to users, then they can
either use the Company Portal app from the Public Microsoft Store, use the Company
Portal app from the Private Microsoft Store for Business, or you'll need to sign and
manually deploy the Intune Company Portal app.

Upload the code-signing certificate

If your Windows 10/11 device doesn't already trust the certificate authority, then after
you've signed your appx package and uploaded it to the Intune service, you need to
upload the code signing certificate to Intune using the following steps:

1. Sign in to the Microsoft Intune admin center .
2. Click Tenant administration > Connectors and tokens > Windows enterprise
certificates.
3. Select a file under Code-signing certificate file.
4. Select your .cer file and click Open.
5. Click Upload to add your certificate file to Intune.

Now any Windows 10/11 Desktop & Mobile device with an appx deployment by the
Intune service will automatically download the corresponding enterprise certificate and
the application will be allowed to launch after installation.

Intune only deploys the latest .cer file that was uploaded. If you have multiple appx files
created by different developers that aren't associated with your organization, then you'll
need to either have them provide unsigned appx files for signing with your certificate, or
provide them with the code signing certificate used by your organization.

How to renew the Symantec enterprise code-signing certificate

The certificate used to deploy Windows Phone 8.1 mobile apps was discontinued on
February 28 2019 and is no longer available for renewal from Symantec. Also, Intune has
ended support for Windows 10 mobile as of August 10, 2020.

How to install the updated certificate for line-of-business (LOB) apps

Windows Phone 8.1

The Intune service can no longer deploy LOB apps for this platform once the existing
Symantec Mobile Enterprise code-signing certificate expires.

Windows 8.1 Desktop/Windows 10 Desktop & Mobile

If the cert period has expired, then the appx files may stop launching. You should obtain
a new .cer file and follow the instructions to code-sign each deployed appx file and
reupload all appx files and the updated .cer file to the Windows Enterprise Certificates
section of the Intune in the Microsoft Intune admin center .

Manually deploy Windows 10 Company Portal app

If you don't want to provide access to the Microsoft Store, you can manually deploy the
Windows 10 Company Portal app directly from Intune even if you haven't integrated
Intune with the Microsoft Store for Business (MSFB). Alternatively, if you've integrated,
then you could deploy the Company Portal app using deploy apps using MSFB.

Note

This option will require deploying manual updates each time an app update is
released.

1. Sign in to your account in the Microsoft Store for Business and acquire the
offline license version of the Company Portal app.

2. Once the app has been acquired, select the app in the Inventory page.

3. Select Windows 10 all devices as the Platform, then the appropriate Architecture
and download. An app license file isn't needed for this app.

4. Download all the packages under "Required Frameworks". This must be done for
x86, x64, ARM, and ARM64 architectures – resulting in a total of 9 packages as
shown below.

5. Before uploading the Company Portal app to Intune, create a folder (for example,
C:\Company Portal) with the packages structured in the following way:
a. Place the Company Portal package into C:\Company Portal. Create a
Dependencies subfolder in this location as well.

b. Place the nine dependencies packages in the Dependencies folder.

If the dependencies aren't placed in this format, Intune won't be able to
recognize and upload them during the package upload, causing the upload to
fail with the following error.

6. Return to Intune, then upload the Company Portal app as a new app. Deploy it as a
required app to the desired set of target users.

See Deploying an appxbundle with dependencies via Microsoft Intune MDM for more
information about how Intune handles dependencies for Universal apps.

How do I update the Company Portal on my users' devices if they've already
installed the older apps from the store?

If your users have already installed the Windows 8.1 Company Portal apps from the
Store, then they should be automatically updated to the new version with no action
required from you or your user. If the update doesn't happen, ask your users to check
that they have enabled autoupdates for Store apps on their devices.

How do I upgrade my sideloaded Windows 8.1 Company Portal app to the
Windows 10 Company Portal app?

Our recommended migration path is to delete the deployment for the Windows 8.1
Company Portal app by setting the deployment action to "Uninstall". Once this is done,
the Windows 10 Company Portal app can be deployed using any of the above options.

If you need to sideload the app and deployed the Windows 8.1 Company Portal without
signing it with the Symantec Certificate, follow the steps in the Deploy directly via Intune
section above to complete the upgrade.

If you need to sideload the app and you signed and deployed the Windows 8.1
Company Portal with the Symantec code-signing certificate, follow the steps in the
section below.

How do I upgrade my signed and sideloaded Windows 8.1 Company Portal app to
the Windows 10 Company Portal app?

Our recommended migration path is to delete the existing deployment for the Windows
8.1 Company Portal app by setting the deployment action to "Uninstall". Once this is
done, the Windows 10 Company Portal app can be deployed normally.

Otherwise, the Windows 10 Company Portal app needs to be appropriately updated and
signed to ensure that the upgrade path is respected.

If the Windows 10 Company Portal app is signed and deployed in this way, you'll need
to repeat this process for each new app update when it's available in the store. The app
won't automatically update when the store is updated.

Here's how you sign and deploy the app in this way:

1. Download the Microsoft Intune Signing Script for Windows 10 Company Portal .
This script requires the Windows SDK for Windows 10 to be installed on the host
computer. To download the Windows SDK, see Windows SDK for Windows 11.
2. Download the Windows 10 Company Portal app from the Microsoft Store for
Business, as detailed above.
3. Run the script with the input parameters detailed in the script header to sign the
Windows 10 Company Portal app (extracted below). Dependencies don't need to
be passed into the script. These are only required when the app is being uploaded
to the Microsoft Intune admin center .

Parameter               Description

InputWin10AppxBundle    The path to where the source appxbundle file is located.

OutputWin10AppxBundle   The output path for the signed appxbundle file.

Win81Appx               The path to where the Windows 8.1 Company Portal (.APPX) file is
                        located.

PfxFilePath             The path to the Symantec Enterprise Mobile Code Signing Certificate
                        (.PFX) file.

PfxPassword             The password of the Symantec Enterprise Mobile Code Signing
                        Certificate.

PublisherId             The Publisher ID of the enterprise. If absent, the 'Subject' field of the
                        Symantec Enterprise Mobile Code Signing Certificate is used.

SdkPath                 The path to the root folder of the Windows SDK for Windows 10. This
                        argument is optional and defaults to
                        ${env:ProgramFiles(x86)}\Windows Kits\10

The script will output the signed version of the Windows 10 Company Portal app when it
has finished running. You can then deploy the signed version of the app as an LOB app
via Intune, which will upgrade the currently deployed versions to this new app.
How to add macOS line-of-business
(LOB) apps to Microsoft Intune
Article • 05/01/2023

Use the information in this article to help you add macOS line-of-business apps to
Microsoft Intune.

Note

macOS LOB apps have a maximum size limit of 2 GB per app.

macOS LOB apps need to have a logo. If they don't have a logo, they will not be
displayed in the apps section.

While users of macOS devices can remove some of the built-in macOS apps like
Stocks and Maps, you cannot use Intune to redeploy those apps. If end users
delete these apps, they must go to the App Store and manually reinstall them.

App requirements
The .pkg file must satisfy the following requirements to successfully be deployed using
Microsoft Intune.

1. The .pkg file is a component package or a package containing multiple packages.
2. The .pkg file does not contain a bundle or disk image or .app file.
3. The .pkg file is signed using a "Developer ID Installer" certificate, obtained from an
Apple Developer account.
4. The .pkg file contains a payload. Packages without a payload will attempt to re-
install as long as the app remains assigned to the group.

Select the app type

Note

In August 2022, we removed the ability to upload wrapped .intunemac files in the
Microsoft Intune admin center. You can now upload .pkg files to the Microsoft
Intune admin center .

Important

The .pkg file must be signed using "Developer ID Installer" certificate, obtained
from an Apple Developer account. Only .pkg files may be used to upload macOS
LOB apps to Microsoft Intune. However, conversion of other formats, such as .dmg
to .pkg is supported. For more information about converting non-pkg application
types, see How to deploy DMG or APP-format apps to Intune-managed Macs .

1. Sign in to the Microsoft Intune admin center .
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the Other app types, select Line-of-business
app.
4. Click Select. The Add app steps are displayed.

Step 1 - App information

Select the app package file

1. In the Add app pane, click Select app package file.
2. In the App package file pane, select the browse button. Then, select a macOS
installation file with the extension .pkg. The app details will be displayed.
3. When you're finished, select OK on the App package file pane to add the app.

Set app information

1. In the App information page, add the details for your app. Depending on the app
that you chose, some of the values in this pane might be automatically filled in.

Name: Enter the name of the app as it appears in the company portal. Make
sure all app names that you use are unique. If the same app name exists
twice, only one of the apps appears in the company portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
Minimum Operating System: From the list, choose the minimum operating
system version on which the app can be installed. If you assign the app to a
device with an earlier operating system, it will not be installed.
Ignore app version: Select Yes to install the app if the app is not already
installed on the device. Select No to only install the app when it is not already
installed on the device, or if the deploying app's version number does not
match the version that's already installed on the device.
Install as managed: Select Yes to install the Mac LOB app as a managed app
on supported devices (macOS 11 and higher). A macOS LOB app can only be
installed as managed when the app distributable contains a single app
without any nested packages and installs to the /Applications directory.
Managed line-of-business apps will be able to be removed using the
uninstall assignment type on supported devices (macOS 11 and higher). In
addition, removing the MDM profile removes all managed apps from the
device. The default value is No.
Included apps: Review and edit the apps that are contained in the uploaded
file. Included app bundle IDs and build numbers are used for detecting and
monitoring app installation status of the uploaded file. The app listed first is
used as the primary app in app reporting.

Included apps list should only contain the application(s) installed by the
uploaded file in Applications folder on Macs. Any other type of file that is not
an application or an application that is not installed to Applications folder
should be removed from the Included apps list. If Included apps list contains
files that are not applications or if all the listed apps are not installed, app
installation status does not report success.

Mac Terminal can be used to look up and confirm the included app details of
an installed app.

For example, to look up the bundle ID and build number of a Company
Portal, run the following:

defaults read /Applications/Company\ Portal.app/Contents/Info CFBundleIdentifier

Then, run the following:

defaults read /Applications/Company\ Portal.app/Contents/Info CFBundleShortVersionString

Category: Select one or more of the built-in app categories, or select a
category that you created. Categories make it easier for users to find the app
when they browse through the company portal.
Show this as a featured app in the Company Portal: Display the app
prominently on the main page of the company portal when users browse for
apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that is associated with the app. This icon is displayed
with the app when users browse through the company portal.

2. Click Next to display the Scope tags page.
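The Included apps rule above (status reports success only when every listed entry is an application that is actually present in /Applications, with matching bundle ID and version) can be modelled directly from the Info.plist values the two `defaults read` commands return. This is an added example, not Intune's or Microsoft's code: it derives the Included apps list from the .app bundles an installer drops into a stand-in for /Applications (a constructed temporary directory with sample bundle IDs) and evaluates detection against it, including an entry that is not an installed application.

```python
import os
import plistlib
import tempfile


def read_app_info(app_path):
    """Return (CFBundleIdentifier, CFBundleShortVersionString) from an .app bundle's
    Contents/Info.plist, the same two keys the `defaults read` commands above print."""
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    return info["CFBundleIdentifier"], info["CFBundleShortVersionString"]


def installed_apps(applications_dir):
    """Map bundle id -> short version for every .app bundle directly in applications_dir
    (a stand-in for /Applications). Entries that are not .app bundles are ignored."""
    found = {}
    for entry in sorted(os.listdir(applications_dir)):
        path = os.path.join(applications_dir, entry)
        if entry.endswith(".app") and os.path.isdir(path):
            bundle_id, version = read_app_info(path)
            found[bundle_id] = version
    return found


def included_apps_for(app_paths):
    """Build the Included apps list from the .app bundles the installer places in
    /Applications. Order matters: the first entry is the primary app in reporting."""
    return [read_app_info(p) for p in app_paths]


def detection_succeeds(included_apps, applications_dir):
    """Success only if every Included apps entry is present in applications_dir with the
    same bundle id and version. Returns (ok, entries_not_detected)."""
    installed = installed_apps(applications_dir)
    not_detected = [(b, v) for b, v in included_apps if installed.get(b) != v]
    return not not_detected, not_detected


def make_app(applications_dir, name, bundle_id, version):
    """Constructed sample .app bundle holding only Contents/Info.plist; not a real app."""
    contents = os.path.join(applications_dir, name + ".app", "Contents")
    os.makedirs(contents, exist_ok=True)
    with open(os.path.join(contents, "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleIdentifier": bundle_id,
                       "CFBundleShortVersionString": version}, f)
    return os.path.join(applications_dir, name + ".app")


def demo():
    """Simulate a .pkg that installs a main app plus a helper app, then check detection."""
    apps = tempfile.mkdtemp(prefix="Applications-")   # stand-in for /Applications
    main_app = make_app(apps, "Example LOB", "com.example.lobapp", "3.2.1")
    helper = make_app(apps, "Example Helper", "com.example.lobhelper", "1.4")
    included = included_apps_for([main_app, helper])
    ok_all, _ = detection_succeeds(included, apps)
    # An entry for something that is not an installed application (for instance a plug-in
    # file the installer also ships) keeps the status from reporting success.
    with_extra = included + [("com.example.plugin", "0.9")]
    ok_extra, not_detected = detection_succeeds(with_extra, apps)
    return included, ok_all, ok_extra, not_detected


if __name__ == "__main__":
    print(demo())
```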

Step 2 - Select scope tags (optional)

You can use scope tags to determine who can see client app information in Intune. For
full details about scope tags, see Use role-based access control and scope tags for
distributed IT.

1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.

Step 3 - Assignments
1. Select the Required, Available for enrolled devices, or Uninstall group
assignments for the app. For more information, see Add groups to organize users
and devices and Assign apps to groups with Microsoft Intune.

Note

Uninstall intent will only be displayed for LOB apps created with Install as
managed set to Yes. For more information, review the App information section
earlier in this article.

2. Click Next to display the Review + create page.

Step 4 - Review + create

1. Review the values and settings you entered for the app.

2. When you are done, click Create to add the app to Intune.

The Overview blade for the line-of-business app is displayed.

The app you have created appears in the apps list where you can assign it to the groups
you choose. For help, see How to assign apps to groups.

Note

If the .pkg file contains multiple apps or app installers, then Microsoft Intune will
only report that the app is successfully installed when all installed apps are detected
on the device.

Update a line-of-business app


1. Sign in to the Microsoft Intune admin center .
2. Select Apps > All apps.
3. Find and select your app from the list of apps.
4. Select Properties under Manage from the app pane.
5. Select Edit next to App information.
6. Click on the listed file next to Select file to update. The App package file pane is
displayed.
7. Select the folder icon and browse to the location of your updated app file. Select
Open. The app information is updated with the package information.
8. Verify that App version reflects the updated app package.

To update a line-of-business app deployed as a .pkg file, you must increment the
CFBundleShortVersionString of the .pkg file.

Intune will update the app when this schedule elapses, provided that any previous
version of the app is still present on the device.

Next steps
The app you have created is displayed in the apps list. You can now assign it to the
groups you choose. For help, see How to assign apps to groups.

Learn more about the ways in which you can monitor the properties and
assignment of your app. For more information, see How to monitor app
information and assignments.

Learn more about the context of your app in Intune. For more information, see
Overview of device and app lifecycles.
Microsoft Intune management agent for
macOS
Article • 08/16/2023

Why is the agent required?

The Microsoft Intune management agent must be installed on managed macOS
devices to enable advanced device management capabilities that aren't supported
by the native macOS operating system.

How is the agent installed?

The agent is automatically and silently installed on Intune-managed macOS devices that
you assign at least one shell script to in Microsoft Intune admin center . The agent is
installed at /Library/Intune/Microsoft Intune Agent.app when applicable and doesn't
appear in Finder > Applications on macOS devices. The agent appears as
IntuneMdmAgent in Activity Monitor when running on macOS devices.

What does the agent do?

The agent silently authenticates with Intune services before checking in to receive
assigned shell scripts for the macOS device.
The agent receives assigned shell scripts and runs the scripts based on the
configured schedule, retry attempts, notification settings, and other settings set by
the admin.
The agent checks for new or updated scripts with Intune services usually every 8
hours. This check-in process is independent of the MDM check-in.

How can I manually initiate an agent check-in from a Mac?

On a managed Mac that has the agent installed, open Company Portal, select the local
device, select Check status. This initiates an MDM check-in as well as an agent check-in.

Alternatively, open Terminal, run the sudo killall IntuneMdmAgent command to
terminate the IntuneMdmAgent process. The IntuneMdmAgent process restarts
immediately, which will initiate a check-in with Intune.

Note

The Sync action for devices in Microsoft Intune admin center initiates an MDM
check-in and does not force an agent check-in.

When is the agent removed?

There are several conditions that can cause the agent to be removed from the device
such as:

Shell scripts are no longer assigned to the device.
The macOS device is no longer managed.
The agent is in an irrecoverable state for more than 24 hours (device-awake time).

Why are scripts running even though the Mac is no longer managed?

When a Mac with assigned scripts is no longer managed, the agent isn't removed
immediately. The agent detects that the Mac isn't managed at the next agent check-in
(usually every 8 hours) and cancels scheduled script-runs. So, any locally stored scripts
scheduled to run more frequently than the next scheduled agent check-in will run.
When the agent is unable to check in, it retries checking in for up to 24 hours (device-
awake time) and then removes itself from the Mac.

How to turn off usage data sent to Microsoft for shell scripts?

To turn off usage data sent to Microsoft from the Intune management agent, open
Company Portal, point to Menu, select Preferences, and then clear the allow Microsoft
to collect usage data checkbox. This turns off usage data sent for both the agent and
Company Portal.

Next steps
The app you've created is displayed in the apps list. You can now assign it to the
groups you choose. For help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and
assignment of your app. For more information, see How to monitor app
information and assignments.
Learn more about the context of your app in Intune. For more information, see
Overview of device and app lifecycles.
Add a macOS DMG app to Microsoft
Intune
Article • 08/10/2023

Use the information in this article to help you add a macOS DMG app to Microsoft
Intune. A DMG app is a disk image file that contains one or more applications within it.
Many common applications for macOS are available in DMG format. For more
information about how to create a disk image file, see Apple’s website.

Note

The DMG file must contain one or more files with .app extensions. DMG files
containing other types of installer files will not be installed.

Prerequisites
The following prerequisites must be met before a macOS DMG app is installed on
macOS devices.

Devices are managed by Intune.
The DMG app is smaller than 2 GB in size.
The Microsoft Intune management agent for macOS is installed.

Note

The full disk access permission is required to update or delete DMG apps. Intune
automatically requests the permission when a DMG app policy is assigned on
macOS 13 and higher.

Important considerations for deploying DMG apps

A single DMG should contain only a single application file, or multiple application files
that depend on one another. The contained application files can be listed under the
Included apps section in the Detection rules tab, in order, starting with the parent app,
which is used in reports.
It is not recommended that multiple apps that are not dependent on each other are
installed using the same DMG file. If multiple independent apps are deployed using the
same DMG app, failure to install one app will cause other apps to be re-installed. In this
case, monitoring reports consider the DMG installation a failure as well.

Note

You can update apps of type macOS apps (DMG) deployed using Intune. Edit a
DMG app that is already created in Intune by uploading the update for the app
with the same bundle identifier as the original DMG app. In addition, you must use
the Microsoft Intune agent for macOS version 2304.039 or greater.

Select the app type

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the Other app types, select macOS app (DMG).
4. Click Select. The Add app steps are displayed.

Step 1 – App information

Select the app package file:

1. In the Add app pane, click Select app package file.
2. In the App package file pane, select the browse button. Then, select a macOS
DMG file with the extension .dmg. The app details will be displayed.
3. When you're finished, select OK on the App package file pane to add the app.

Set app information

1. In the App information page, add the details for your app. Depending on the app
that you chose, some of the values in this pane might be automatically filled in.

Name: Enter the name of the app as it appears in the policy name and
company portal. Make sure all app names that you use are unique. If the
same app name exists twice, only one of the apps appears in the company
portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
Category: Select one or more of the built-in app categories, or select a
category that you created. Categories make it easier for users to find the app
when they browse through the company portal.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that is associated with the app. This icon is displayed
with the app when users browse through the company portal.

2. Click Next to set the requirements.

Step 2 – Requirements
You can choose the minimum operating system required to install this app.

Minimum Operating System: From the list, choose the minimum operating system
version on which the app can be installed. If you assign the app to a device with an
earlier operating system, it will not be installed.

Step 3 – Detection rules

You can use detection rules to choose how an app installation is detected on a managed
macOS device.

Ignore app version: Select Yes to install the app if the app is not already installed on the
device. This will only look for the presence of the app bundle ID. For apps that have an
auto-update mechanism, select Yes. Select No to install the app when it is not already
installed on the device, or if the deploying app's version number does not match the
version that's already installed on the device.

Note

To Uninstall group assignments, consider the Ignore app version setting. When
Ignore app version is set to No, the app bundle ID and version number must
match to remove the app. When Ignore app version is set to Yes, only the app
bundle ID must match to remove the app.

Included apps: Provide the apps that are contained in the uploaded file. Included app
bundle IDs and build numbers are used for detecting and monitoring app installation
status of the uploaded file. Included apps list should only contain the application(s)
installed by the uploaded file in Applications folder on Macs. Any other type of file that
is not an application or an application that is not installed to Applications folder should
be excluded from the Included apps list. If Included apps list contains files that are not
applications or if all the listed apps are not installed, app installation status does not
report success.

Note

The first app on the Included apps list is used for identifying the app when
multiple apps are present in the DMG file.

Mac Terminal can be used to look up and confirm the included app details of
an installed app. For example, to look up the bundle ID and build number of
Company Portal, run the following:

    defaults read /Applications/Company\ Portal.app/Contents/Info CFBundleIdentifier

Then, run the following:

    defaults read /Applications/Company\ Portal.app/Contents/Info CFBundleShortVersionString

Alternatively, the CFBundleIdentifier and CFBundleShortVersionString can be
found in the <app_name>.app/Contents/Info.plist file of a mounted DMG file on a Mac.

Step 4 – Select scope tags (optional)

You can use scope tags to determine who can see client app information in Intune. For
full details about scope tags, see Use role-based access control and scope tags for
distributed IT.

1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.

Step 5 – Assignments

You can select the Required or Uninstall group assignments for the app. For more
information, see Add groups to organize users and devices and Assign apps to groups
with Microsoft Intune.

Note

A macOS app deployed using Intune agent will not automatically be removed from
the device when the device is retired. The app and data it contains will remain on
the device. It is recommended that the app is removed prior to retiring the device.

1. For the specific app, select an assignment type:

Required: The app is installed to the /Applications/ directory on devices in the
selected groups.
Uninstall: The app is uninstalled from the /Applications/ directory on devices in
the selected groups.

2. Click Next to display the Review + create page.

Step 6 – Review + create

1. Review the values and settings you entered for the app.
2. When you are done, click Create to add the app to Intune. The Overview pane for
the macOS DMG app is displayed.

The app you have created appears in the apps list where you can assign it to the groups
you choose. For help, see How to assign apps to groups.

Note

If the .dmg file contains multiple apps, then Microsoft Intune will only report that
the app is successfully installed when all installed apps are detected on the device.

Next steps
The app you have created is displayed in the apps list. You can now assign it to the
groups you choose. For help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and
assignment of your app. For more information, see How to monitor app
information and assignments.
Learn more about the context of your app in Intune. For more information, see
Overview of device and app lifecycles.

Known issues
"Available for enrolled devices" assignment type is not available: Only Required
and Uninstall assignment types are currently supported.

"Collect logs" action is unavailable during preview: The log collection feature for
macOS apps (DMG) is unavailable during preview.

DMG apps report once after deployment: Assigned DMG apps report back on
initial deployment only. These apps will not report back again during preview.

Some DMG apps may display a warning to end users on launch: Apps
downloaded from the internet and deployed using Intune may show a warning to
end users when launched. End users can click "Open" on the dialog to continue
opening the app.

Some app icons may not display immediately after installation: Some app icons
may take some time after installation to start displaying on the installed device.

Monitoring reports only show error code: Failed app installations only show an
error code in "device status" monitoring reports. To show error details, refresh the
browser window or refer to the table in the Troubleshooting section.

Troubleshooting
macOS app installation may not be successful due to any of the following reasons
provided in the table below. To resolve these errors, follow the remediation steps. If the
app remains assigned, failed installations are retried at the next agent check-in.

| Error code | Error message | Remediation steps |
|---|---|---|
| 0x87D30137 | The device doesn't meet the minimum OS requirement set by the admin. | Update macOS to the minimum OS version required by the admin. |
| 0x87D3013E | The DMG file doesn't contain any supported app. It must contain at least one .app file. | Ensure that the uploaded file contains one or more .app files. |
| 0x87D30139 | The DMG file couldn't be mounted for installation. Check the DMG file if the error persists. | Try manually mounting the DMG file to verify that the volume loads successfully. |
| 0x87D3013B | The app couldn't be installed to the Applications directory. Sync the device to retry installing the app. | Ensure that the device can install apps locally to the Applications directory. |
| 0x87D3012F, 0x87D30130, 0x87D30133, 0x87D30134, 0x87D30136 | The app couldn't be installed due to an internal error. Contact Intune support if the error persists. | Something went wrong while installing the app using Intune. Try installing the app manually or try creating a new macOS app profile containing the app. Contact Intune support if the error persists. |
| 0x87D30131, 0x87D30132 | The app couldn't be downloaded. Sync the device to retry installing the app. | Something went wrong while downloading the app. This may happen if the network is poor or the app size is large. |
| 0x87D30135 | The app couldn't be installed due to a device error. Sync the device to retry installing the app. | This could be due to insufficient disk space or the app could not be written to the folder. Ensure that the device can install apps to the Applications folder. |
| 0x87D3013A | The physical resources of this disk have been exhausted. | This could be due to the hard disk running out of space or binaries of the installation files being corrupt. Fix the hard disk space, restart the Microsoft Intune Management Extension service, and try again. |

Add an unmanaged macOS PKG app to Microsoft Intune (public preview)
Article • 07/24/2023

Note

This feature is in public preview. For more information, go to Public preview in
Microsoft Intune.

Use the information in this article to help you add an unmanaged macOS PKG app to
Microsoft Intune. To deploy a managed PKG app, see How to add macOS line-of-business
(LOB) apps to Microsoft Intune.

Prerequisites
The following prerequisites must be met before an unmanaged macOS PKG app is
installed on macOS devices.

Devices are managed by Intune.
The PKG file is smaller than 2 GB in size.
The Microsoft Intune management agent for macOS version 2308.006 or greater is
installed.
The PKG file successfully runs using the installer command in Terminal.

Important considerations for deploying PKG apps

The unmanaged macOS PKG app type can install the following types of PKG apps:

Non-flat packages with a hierarchical structure
Component packages
Unsigned packages
Packages without a payload
Packages that install apps outside /Applications/
Custom packages with scripts

Note

These types of PKG apps may not successfully deploy using the managed LOB app type.

The contained app files can be listed under the Included apps section in the Detection
rules tab, in order, starting with the parent app, which is used in reports.

Select the app type

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the Other app types, select macOS app (PKG).
4. Click Select. The Add app steps are displayed.

Step 1 – App information

Select the app package file:

1. In the Add app pane, click Select app package file.
2. In the App package file pane, select the browse button. Then, select a macOS PKG
file with the extension .pkg. The app details will be displayed.
3. When you're finished, select OK on the App package file pane to add the app.

Set app information

1. In the App information page, add the details for your app. Depending on the app
that you chose, some of the values in this pane might be automatically filled in.

Name: Enter the name of the app as it appears in the policy name and
company portal. Make sure all app names that you use are unique. If the
same app name exists twice, only one of the apps appears in the company
portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
Category: Select one or more of the built-in app categories, or select a
category that you created. Categories make it easier for users to find the app
when they browse through the company portal.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that is associated with the app. This icon is displayed
with the app when users browse through the company portal.

2. Click Next to set the requirements.

Step 2 – Requirements
You can choose the minimum operating system required to install this app.

Minimum Operating System: From the list, choose the minimum operating system
version on which the app can be installed. If you assign the app to a device with an
earlier operating system, it will not be installed.

Step 3 – Detection rules

You can use detection rules to choose how an app installation is detected on a managed
macOS device.

Ignore app version: Select Yes to install the app if the app is not already installed on the
device. This will only look for the presence of the app bundle ID. For apps that have an
auto-update mechanism, select Yes. Select No to install the app when it is not already
installed on the device, or if the deploying app's version number does not match the
version that's already installed on the device.

Included apps: Provide the apps that are contained in the uploaded file. Included app
bundle IDs and build numbers are used for detecting and monitoring app installation
status of the uploaded file. Included apps list should only contain the application(s)
installed by the uploaded file. Any other type of file that is not an application should be
excluded from the Included apps list. If Included apps list contains files that are not
applications or if all the listed apps are not installed, app installation status does not
report success.

Note

The first app on the Included apps list is used for identifying the app when
multiple apps are present in the PKG file.

The CFBundleIdentifier and CFBundleShortVersionString can be found in
the <app_name>.app/Contents/Info.plist file of an installed app on a Mac.
Alternatively, Mac Terminal can be used to look up and confirm the included
app details of an installed app at a known location. For example, to look up
the bundle ID and build number of Company Portal, run the following:

    defaults read /Applications/Company\ Portal.app/Contents/Info CFBundleIdentifier

Then, run the following:

    defaults read /Applications/Company\ Portal.app/Contents/Info CFBundleShortVersionString

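The detection logic described in the Detection rules step of both the DMG and the PKG articles, as an added example that is not Intune's or the management agent's own code: it reads CFBundleIdentifier and CFBundleShortVersionString from each <app>.app/Contents/Info.plist (the same two values the defaults read commands above return), then evaluates an Included apps list under both Ignore app version settings, reporting success only when every listed app is detected. The bundle names, bundle IDs and versions are constructed sample data written to a temporary folder.

```python
"""Evaluate Intune-style macOS detection rules against installed app bundles.

Added example, not Intune's own code. An Included app is identified by its
CFBundleIdentifier (bundle ID) and CFBundleShortVersionString (version) read
from <app>.app/Contents/Info.plist. Installation reports success only when
every listed app is detected; the first listed app identifies the upload.
"""
import plistlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass(frozen=True)
class IncludedApp:
    """One row of the Included apps list: bundle ID and the version the upload carries."""
    bundle_id: str
    version: str


@dataclass
class DetectionResult:
    detected: bool = False                                # True only when every Included app matched
    matched: list = field(default_factory=list)
    missing: list = field(default_factory=list)           # bundle ID not installed at all
    version_mismatch: list = field(default_factory=list)  # installed, but a different version


def read_app_identity(info_plist: Path) -> IncludedApp:
    """Return bundle ID and version from an Info.plist; mirrors the two
    `defaults read ... CFBundleIdentifier / CFBundleShortVersionString` commands."""
    with info_plist.open("rb") as fh:
        plist = plistlib.load(fh)
    try:
        return IncludedApp(plist["CFBundleIdentifier"], str(plist["CFBundleShortVersionString"]))
    except KeyError as exc:
        # An entry without these keys cannot be detected, so it must not be on the Included apps list.
        raise ValueError(f"{info_plist}: missing key {exc.args[0]}") from None


def scan_applications(applications_dir: Path) -> dict[str, str]:
    """Map bundle ID -> version for each *.app directly under applications_dir.
    Only the top level is scanned, matching the 'installed in Applications folder' rule."""
    return {app.bundle_id: app.version
            for app in map(read_app_identity,
                           applications_dir.glob("*.app/Contents/Info.plist"))}


def evaluate_detection(included: list[IncludedApp], installed: dict[str, str],
                       ignore_app_version: bool) -> DetectionResult:
    """Apply the Ignore app version setting: Yes -> bundle ID presence is enough;
    No -> the installed version must also equal the uploaded version."""
    result = DetectionResult()
    for app in included:
        installed_version = installed.get(app.bundle_id)
        if installed_version is None:
            result.missing.append(app.bundle_id)
        elif not ignore_app_version and installed_version != app.version:
            result.version_mismatch.append(app.bundle_id)
        else:
            result.matched.append(app.bundle_id)
    result.detected = not result.missing and not result.version_mismatch
    return result


# Constructed sample bundles (not real products): the parent app is current,
# the dependent helper is one release behind the version in the upload.
SAMPLE_INSTALLED = {
    "Parent.app": ("com.example.parent", "2.1.0"),
    "Helper.app": ("com.example.helper", "2.0.5"),
}
SAMPLE_INCLUDED = [IncludedApp("com.example.parent", "2.1.0"),   # first = identifying app
                   IncludedApp("com.example.helper", "2.1.0")]


def write_sample_applications(root: Path) -> None:
    """Create minimal <name>.app/Contents/Info.plist bundles under root."""
    for name, (bundle_id, version) in SAMPLE_INSTALLED.items():
        contents = root / name / "Contents"
        contents.mkdir(parents=True)
        with (contents / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleIdentifier": bundle_id,
                           "CFBundleShortVersionString": version,
                           "CFBundleExecutable": name[:-len(".app")]}, fh)


def run_sample_scenario() -> dict:
    """Scan a temporary Applications folder and evaluate under both settings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_applications(root)
        installed = scan_applications(root)
    ignore_yes = evaluate_detection(SAMPLE_INCLUDED, installed, ignore_app_version=True)
    ignore_no = evaluate_detection(SAMPLE_INCLUDED, installed, ignore_app_version=False)
    return {
        "installed": installed,
        "detected_ignore_version_yes": ignore_yes.detected,  # True: both bundle IDs present
        "detected_ignore_version_no": ignore_no.detected,    # False: Helper version differs
        "version_mismatch": ignore_no.version_mismatch,      # ['com.example.helper']
    }


if __name__ == "__main__":
    for key, value in run_sample_scenario().items():
        print(f"{key}: {value}")
```

With Ignore app version set to No, the version mismatch on the helper makes the whole upload undetected and the DMG would be reinstalled; with Yes the same device reports success.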
Step 4 – Select scope tags (optional)

You can use scope tags to determine who can see client app information in Intune. For
full details about scope tags, see Use role-based access control and scope tags for
distributed IT.

1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.

Step 5 – Assignments

You can select the Required group assignment for the app. For more information, see
Add groups to organize users and devices and Assign apps to groups with Microsoft
Intune.

Note

A macOS app deployed using Intune agent will not automatically be removed from
the device when the device is retired. The app and data it contains will remain on
the device. It is recommended that the app is removed prior to retiring the device.

1. For the specific app, select the Required assignment type.
2. Click Next to display the Review + create page.

Step 6 – Review + create

1. Review the values and settings you entered for the app.
2. When you are done, click Create to add the app to Intune. The Overview pane for
the macOS PKG app is displayed.

The app you have created appears in the apps list where you can assign it to the groups
you choose. For help, see How to assign apps to groups.

Known issues
"Available for enrolled devices" and "uninstall" assignment type are not
available: Only Required assignment type is currently supported.

Troubleshooting
macOS app installation may not be successful due to any of the following reasons
provided in the table below. To resolve these errors, follow the remediation steps. If the
app remains assigned, failed installations are retried at the next agent check-in.

| Error code | Error message | Remediation steps |
|---|---|---|
| 0x87D30137 | The device doesn't meet the minimum OS requirement set by the admin. | Update macOS to the minimum OS version required by the admin. |
| 0x87D3012F, 0x87D30130, 0x87D30133, 0x87D30134, 0x87D30136 | The app couldn't be installed due to an internal error. Contact Intune support if the error persists. | Something went wrong while installing the app using Intune. Try installing the app manually or try creating a new macOS app profile containing the app. Contact Intune support if the error persists. |

Next steps
The app you have created is displayed in the apps list. You can now assign it to the
groups you choose. For help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and
assignment of your app. For more information, see How to monitor app
information and assignments.
Learn more about the context of your app in Intune. For more information, see
Overview of device and app lifecycles.
Win32 app management in Microsoft Intune
Article • 08/24/2023

Microsoft Intune enables Windows Win32 app management. Although it's possible for
cloud-connected customers to use Microsoft Configuration Manager for Windows app
management, Intune-only customers will have greater management capabilities for their
Win32 apps. This topic provides an overview of the Intune Win32 app management
features and related information.

Note

This app management capability supports both 32-bit and 64-bit operating system
architecture for Windows applications.

Important

When you're deploying Windows Win32 apps, consider using the Win32 app type
in Intune exclusively, particularly when you have a multiple-file Win32 app installer.
If you mix the installation of Win32 apps and line-of-business apps during
Autopilot enrollment, the app installation might fail as they both may attempt to
use the Trusted Installer service at the same time which causes a failure due to this
conflict.

Prerequisites
To use Win32 app management, be sure the following criteria are met:

Use Windows 10 version 1607 or later (Enterprise, Pro, or Education editions).

Devices must be enrolled in Intune and either:

Azure AD registered
Azure AD joined
Hybrid Azure AD joined

Windows application size must not be greater than 8 GB per app.

Note
The Microsoft Intune management extension (IME) provides Intune's Win32
app type capabilities on managed clients. It is installed automatically when a
PowerShell script or Win32 app is assigned to the user or device. Additionally,
the Intune management extension agent checks every hour (or on service or
device restart) for any new Win32 app assignments.

Prepare the Win32 app content for upload

Before you can add a Win32 app to Microsoft Intune, you must prepare the app by
using the Microsoft Win32 Content Prep Tool. You use the Microsoft Win32 Content
Prep Tool to pre-process Windows classic (Win32) apps. The tool converts application
installation files into the .intunewin format. For more information and steps, see Prepare
Win32 app content for upload.

Add, assign, and monitor a Win32 app

After you have prepared a Win32 app to be uploaded to Intune by using the Microsoft
Win32 Content Prep Tool, you can add the app to Intune. For more information and
steps, see Add, assign, and monitor a Win32 app in Microsoft Intune.

Note

Windows application size is limited to 8 GB per app.

Delivery optimization
Windows 10 1709 and later clients will download Intune Win32 app content by using the
delivery optimization component of Windows. Delivery optimization provides peer-to-
peer functionality that's turned on by default.

You can configure Delivery Optimization to download Win32 app content in either
background or foreground mode based on assignment. Delivery optimization can be
configured using Intune device configuration (or by group policy). For more information,
see Delivery Optimization for Windows 10.

Note

You can also install a Microsoft Connected Cache server on your Configuration
Manager distribution points to cache delivery optimization aware content like
Intune Win32 app content. For more information, see Microsoft Connected Cache
in Configuration Manager.

Install required and available apps on devices

The user will see Windows notifications for the required and available app installations.
The following image shows an example notification where the app installation is not
complete until the device is restarted.

The following image notifies the user that app changes are being made to the device.

Additionally, the Company Portal app shows more app installation status messages to
users. The following conditions apply to Win32 dependency features:

App failed to be installed. Dependencies defined by the admin were not met.
App was installed successfully but requires a restart.
App is in the process of being installed but requires a restart to continue.

Set Win32 app availability and notifications

You can configure the start time and deadline time for a Win32 app. At the start time,
the Intune management extension will start the app content download and cache it for
the required intent. The app will be installed at the deadline time.

For available apps, the start time will dictate when the app is visible in the company
portal, and content will be downloaded when the user requests the app from the
company portal. You can also enable a restart grace period.

Note

Win32 apps installed by Intune on a managed device won't be automatically
uninstalled from that device if it is unenrolled from Intune management. Admins
should restrict app assignment and installation to corporate managed devices to
reduce the risk of applications and data becoming unmanaged.

Set the app availability and other app assignment properties using the following steps:

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps or Apps > Windows.

3. Select an app from the list with Windows app (Win32) as its Type.

4. From the app pane, select Properties and then Edit next to the Assignments
section. Then select Add group, Add all users, or Add all devices below one of the
assignment types.

Assignment type options include the following:

Required
Available for enrolled devices
Uninstall

Note
Win32 apps installed using the Available for enrolled devices assignment will
not be automatically reinstalled by Intune if they are uninstalled from a device
in any way.

5. If Add group was used, select a group on the Select groups pane to specify which
groups will be assigned the app.

6. To modify additional properties of the assignment, select the corresponding text
under one of the assignment headings, including Group mode, End user
notifications, Availability, Installation deadline, Restart grace period, or Delivery
optimization priority.

7. In the Edit assignment pane, you can set the following properties:

Mode to Include or Exclude

End user notifications to one of the following options:

Show all toast notifications
Show toast notifications for computer restarts
Hide all toast notifications

Time zone to UTC or Device time zone

App availability to As soon as possible or A specific date and time, and
specify your date and time. This date and time specifies when the app is
downloaded to the user's device.

App installation deadline to As soon as possible or A specific date and time,
and select your date and time. This date and time specifies when the app is
installed on the targeted device. When more than one assignment is made
for the same user or device, the app installation deadline time is picked based
on the earliest time possible.

Restart grace period to Enabled or Disabled. The restart grace period starts
as soon as the app installation has finished on the device. When the setting is
disabled, the device can restart without warning.

You can customize the following options:

Device restart grace period (minutes): The default value is 1,440 minutes
(24 hours). This value can be a maximum of 2 weeks.
Select when to display the restart countdown dialog box before the
restart occurs (minutes): The default value is 15 minutes.
Allow user to snooze the restart notification: You can choose Yes or No.
Select the snooze duration (minutes): The default value is 240 minutes
(4 hours). The snooze value can't be more than the reboot grace period.

Important

The Restart grace period assignment setting is available only when
Device restart behavior in the Program section of the app is set to
either of the following options:
Determine behavior based on return codes
Intune will force a mandatory device restart

8. Select Review + save.

Notifications for Win32 apps

If needed, you can suppress showing user notifications per app assignment. Follow the
steps above and choose either Show toast notifications for computer restarts or Hide
all toast notifications for the End user notifications option in the Edit assignment pane,
based on the level of notification suppression that you require.

Next steps
For more information about adding apps to Intune, see Add apps to Microsoft
Intune.
Prepare Win32 app content for upload
Article • 06/12/2023

Before you can add a Win32 app to Microsoft Intune, you must prepare the app by
using the Microsoft Win32 Content Prep Tool.

Prerequisites
To use Win32 app management, be sure you meet the following criteria:

Use Windows 10 version 1607 or later (Enterprise, Pro, and Education versions).
Devices must be registered or joined to Azure Active Directory (Azure AD) and
auto-enrolled. The Intune management extension supports devices that are Azure
AD registered, Azure AD joined, hybrid domain joined, and group policy enrolled.

Note

For the scenario of group policy enrollment, the user uses the local user
account to Azure AD join their Windows 10 device. The user must log on to
the device by using their Azure AD user account and enroll in Intune. Intune
management extension is installed automatically when a PowerShell script or
Win32 app, Microsoft Store apps, Custom compliance policy settings, or
Proactive remediations is assigned to the user or device.

Windows application size is capped at 8 GB per app.

Convert the Win32 app content

Use the Microsoft Win32 Content Prep Tool to pre-process Windows classic (Win32)
apps. The tool converts application installation files into the .intunewin format. The tool
also detects some of the attributes that Intune requires to determine the application
installation state. After you use this tool on the app installer folder, you'll be able to
create a Win32 app in the Microsoft Intune admin center.

Important

The Microsoft Win32 Content Prep Tool zips all files and subfolders when it
creates the .intunewin file. Be sure to keep the Microsoft Win32 Content Prep Tool
separate from the installer files and folders, so that you don't include the tool or
other unnecessary files and folders in your .intunewin file.
You can download the Microsoft Win32 Content Prep Tool from GitHub as a .zip file.
The zipped file contains a folder named Microsoft-Win32-Content-Prep-Tool-master. The
folder contains the prep tool, the license, a readme, and the release notes.

Process flow to create a .intunewin file

Running the Microsoft Win32 Content Prep Tool

If you run IntuneWinAppUtil.exe from the command window without parameters, the
tool will guide you to enter the required parameters step by step. Or, you can add the
parameters to the command based on the following available command-line
parameters.

Available command-line parameters

| Command-line parameter | Description |
|---|---|
| -h | Help |
| -c <setup_folder> | Folder for all setup files. All files in this folder will be compressed into an .intunewin file. |
| -s <setup_file> | Setup file (such as setup.exe or setup.msi). |
| -o <output_folder> | Output folder for the generated .intunewin file. |
| -q | Quiet mode. |

Example commands

| Example command | Description |
|---|---|
| IntuneWinAppUtil -h | This command shows usage information for the tool. |
| IntuneWinAppUtil -c c:\testapp\v1.0 -s c:\testapp\v1.0\setup.exe -o c:\testappoutput\v1.0 -q | This command generates the .intunewin file from the specified source folder and setup file. For an MSI setup file, this tool retrieves required information for Intune. If -q is specified, the command runs in quiet mode. If the output file already exists, it is overwritten. Also, if the output folder doesn't exist, it's created automatically. |

When you're generating an .intunewin file, put any files you need to reference into a
subfolder of the setup folder. Then, use a relative path to reference the specific file you
need. For example:

Setup source folder: c:\testapp\v1.0

License file: c:\testapp\v1.0\licenses\license.txt

Refer to the license.txt file by using the relative path licenses\license.txt.

Next steps
Add a Win32 app to Microsoft Intune
Add, assign, and monitor a Win32 app in Microsoft Intune
Article • 08/22/2023

After you've prepared a Win32 app to be uploaded to Intune by using the Microsoft
Win32 Content Prep Tool, you can add the app to Intune. To learn more about
preparing a Win32 app to be uploaded, see Prepare Win32 app content for upload.

Prerequisites
To use Win32 app management, be sure you meet the following criteria:

Use Windows 10 version 1607 or later (Enterprise, Pro, and Education versions).
Devices must be joined or registered to Azure Active Directory (Azure AD) and be
auto-enrolled. The Intune management extension supports devices that are Azure
AD joined, Azure AD registered, hybrid domain joined, or group policy enrolled.

Note

For the scenario of group policy enrollment, the user uses the local user
account to Azure AD join their Windows 10 device. The user must log on to
the device by using their Azure AD user account and enroll in Intune. Intune
will install the Intune Management extension on the device if a PowerShell
script or a Win32 app is targeted to the user or device.

Windows application size is capped at 8 GB per app.

Much like a standard line-of-business (LOB) app, you can add a Win32 app to Microsoft
Intune. This type of app is typically written in-house or by a third party.

Process flow to add a Win32 app to Intune


Add a Win32 app to Intune
The following steps help you add a Windows app to Intune:

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps > Add.


3. On the Select app type pane, under the Other app types, select Windows app
(Win32).

Important

Be sure to use the latest version of the Microsoft Win32 Content Prep Tool. If
you don't use the latest version, you'll see a warning that says the app was
packaged using an older version of the tool.

4. Click Select. The Add app steps appear.

Step 1: App information

Select the app package file


1. On the Add app pane, click Select app package file.
2. On the App package file pane, select the browse button. Then, select a Windows
installation file with the extension .intunewin. The app details appear.
3. When you're finished, select OK on the App package file pane.

Set app information


On the App information page, add the details for your app. Depending on the app that
you chose, some of the values on this page might be automatically filled in.

Name: Enter the name of the app as it appears in the company portal. Make sure
all app names that you use are unique. If the same app name exists twice, only one
of the apps appears in the company portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
Category: Select one or more of the built-in app categories, or select a category
that you created. Categories make it easier for users to find the app when they
browse through the company portal.
Show this as a featured app in the Company Portal: Display the app prominently
on the main page of the company portal when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains information
about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that's associated with the app. This icon is displayed with the
app when users browse through the company portal.

Select Next to display the Program page.

Step 2: Program
On the Program page, configure the app installation and removal commands for the
app:

Install command: Add the complete installation command line to install the app.

For example, if your app's file name is MyApp123, add the following:

msiexec /p "MyApp123.msp"

If the application is ApplicationName.exe, the command would be the application
name followed by the command arguments (switches) that the package supports.
For example:

ApplicationName.exe /quiet

In the preceding command, the ApplicationName.exe package supports the /quiet
command argument.

For the specific arguments that the application package supports, contact your
application vendor.

Important

Admins must be careful when they use the command tools. Unexpected or
harmful commands might be passed via the Install command and Uninstall
command fields.

Calling powershell.exe in either of these fields will result in a 32-bit
PowerShell instance being launched. To force 64-bit PowerShell execution, use
the following command:

%SystemRoot%\Sysnative\WindowsPowerShell\v1.0\powershell.exe

Uninstall command: Add the complete command line to uninstall the app based
on the app's GUID.

For example:

msiexec /x "{12345A67-89B0-1234-5678-000001000000}"

Installation time required: The number of minutes the system will wait for install
program to finish. Default value is 60 minutes. If the app takes longer to install
than the set installation time, the system will fail the app install. Max timeout value
is 1440 minutes (1 day).

Allow available uninstall: Select Yes to provide the uninstall option for this app for
users from the Company Portal. Select No to prevent users from uninstalling the
app from the Company Portal.

Install behavior: Set the install behavior to either System or User.

Note

You can configure a Win32 app to be installed in User or System context. User
context refers to only a particular user. System context refers to all users of a
Windows 10 device.

When a device is enrolled by being Azure AD registered, select System.

Users are not required to be logged in on the device to install Win32 apps.

The Win32 app installation and uninstallation will happen under admin
privilege (by default) when the app is set to install in user context and the user
on the device has admin privileges.

Device restart behavior: Select one of the following options:


Determine behavior based on return codes: Choose this option to restart the
device based on the return codes. This option means that the device will restart
based on the configured return code. With this configuration, a hard reboot
return code will immediately trigger a restart of the device and a soft reboot
return code will notify the user that a restart is required to finish the installation.
No specific action: Choose this option to suppress device restarts during the
app installation of MSI-based apps.
App install may force a device restart: Choose this option to allow the app
installation to finish without suppressing restarts. This option means that the
Win32 app installation is allowed to complete without suppressing restarts. With
this configuration, a hard reboot return code will notify the user that a restart of
the device will be triggered in 120 minutes and a soft reboot return code will
only notify the user that a restart is required to finish the installation.
Intune will force a mandatory device restart: Choose this option to always
restart the device after a successful app installation.

Specify return codes to indicate post-installation behavior: Add the return codes
that are used to specify either app installation retry behavior or post-installation
behavior. Return code entries are added by default during app creation. However,
you can add more return codes or change existing return codes.

1. In the Code type column, set the Code type to one of the following:
   Failed: The return value that indicates an app installation failure.
   Hard reboot: The hard reboot return code doesn't allow the next Win32
   app to be installed on the client without reboot.
   Soft reboot: The soft reboot return code allows the next Win32 app to be
   installed without requiring a client reboot. Reboot is necessary to
   complete installation of the current application.
   Retry: When the installer returns the retry return code, the agent will
   attempt to install the app three times. It will wait for five minutes
   between each attempt.
   Success: The return value that indicates the app was successfully installed.
2. If needed, select Add to add more return codes, or modify existing return
   codes.
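The Install command, the 64-bit PowerShell note, and the return-code table above fit together in one script. The following install wrapper is an added example, not code from the Intune documentation or from any Microsoft tool: it relaunches itself through the Sysnative path when it finds itself in a 32-bit process, runs the installer with logging, and passes the installer's own exit code back to the Intune agent so the configured return codes can act on it. The script name Install-MyApp.ps1, the package name MyApp123.msi and the log folder are assumptions; the default return-code values it mentions in comments (0 and 1707 Success, 3010 Soft reboot, 1641 Hard reboot, 1618 Retry) are Intune's standard defaults and are not listed on this page.

```powershell
# Added example, not taken from the Intune documentation or from any Microsoft
# tool. An install wrapper that the "Install command" field could launch, e.g.:
#   %SystemRoot%\Sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File Install-MyApp.ps1
# The package name, log folder and script name are assumptions.
param(
    [string]$Installer = 'MyApp123.msi',                          # assumed package inside the .intunewin content
    [string]$LogDir    = "$env:ProgramData\MyCompany\IntuneLogs"  # assumed log location
)

# If the field called plain powershell.exe, this script is running 32-bit.
# On a 64-bit OS, relaunch through the Sysnative alias so the installer sees
# the 64-bit registry and file system views, and pass its exit code back.
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    $ps64 = Join-Path $env:SystemRoot 'Sysnative\WindowsPowerShell\v1.0\powershell.exe'
    $child = Start-Process -FilePath $ps64 -Wait -PassThru -NoNewWindow -ArgumentList @(
        '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`"",
        '-Installer', "`"$Installer`"", '-LogDir', "`"$LogDir`""
    )
    exit $child.ExitCode
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$wrapperLog = Join-Path $LogDir 'MyApp123-wrapper.log'
$msiLog     = Join-Path $LogDir 'MyApp123-msi.log'
function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $wrapperLog
}

# The installer is resolved relative to this script, i.e. inside the extracted
# .intunewin content, the same way a relative path in the install command works.
$package = Join-Path $PSScriptRoot $Installer
if (-not (Test-Path -Path $package)) {
    Write-Log "Installer not found: $package"
    exit 1   # not in the success/reboot/retry table, so Intune reports a failure
}

$bitness = if ([Environment]::Is64BitProcess) { '64-bit' } else { '32-bit' }
Write-Log "Running msiexec for $package in a $bitness process"
$msiArgs = @('/i', "`"$package`"", '/qn', '/norestart', '/l*v', "`"$msiLog`"")
$msi = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
Write-Log "msiexec exit code: $($msi.ExitCode)"

# Return the installer's own code unchanged so the return-code table decides:
# by default 0 and 1707 are Success, 3010 Soft reboot, 1641 Hard reboot,
# 1618 Retry (another installation is in progress); anything else is Failed.
exit $msi.ExitCode
```

Because the wrapper never translates the installer's code, a 3010 from msiexec reaches Intune as a soft reboot and a 1618 triggers the agent's retry cycle; if you do remap codes in a wrapper, keep the Intune return-code table consistent with what the wrapper actually emits.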

Select Next to display the Requirements page.

Step 3: Requirements
On the Requirements page, specify the requirements that devices must meet before the
app is installed:

Operating system architecture: Choose the architectures needed to install the app.
Minimum operating system: Select the minimum operating system needed to
install the app.
Disk space required (MB): Optionally, add the free disk space needed on the
system drive to install the app.
Physical memory required (MB): Optionally, add the physical memory (RAM)
required to install the app.
Minimum number of logical processors required: Optionally, add the minimum
number of logical processors required to install the app.
Minimum CPU speed required (MHz): Optionally, add the minimum CPU speed
required to install the app.
Configure additional requirement rules:

1. Select Add to display the Add a Requirement rule pane and configure more
   requirement rules. Select the Requirement type value to choose the type of
   rule that you'll use to determine how a requirement is validated. Requirement
   rules can be based on file system information, registry values, or PowerShell
   scripts.

   File: When you choose File as the Requirement type value, the
   requirement rule must detect a file or folder, date, version, or size.
      Path: The full path of the folder that contains the file or folder to detect.
      File or folder: The file or folder to detect.
      Property: Select the type of rule used to validate the presence of the
      app.
      Associated with a 32-bit app on 64-bit clients: Select Yes to expand
      any path environment variables in the 32-bit context on 64-bit clients.
      Select No (default) to expand any path variables in the 64-bit context
      on 64-bit clients. 32-bit clients will always use the 32-bit context.

   Registry: When you choose Registry as the Requirement type value, the
   requirement rule must detect a registry setting based on value, string,
   integer, or version.
      Key path: The full path of the registry entry that contains the value to
      detect.
      Value name: The name of the registry value to detect. If this value is
      empty, the detection will happen on the key. The (default) value of a
      key will be used as detection value if the detection method is other
      than file or folder existence.
      Registry key requirement: Select the type of registry key comparison
      that's used to determine how the requirement rule is validated.
      Associated with a 32-bit app on 64-bit clients: Select Yes to search the
      32-bit registry on 64-bit clients. Select No (default) to search the 64-bit
      registry on 64-bit clients. 32-bit clients will always search the 32-bit
      registry.

   Script: Choose Script as the Requirement type value when you can't
   create a requirement rule based on file, registry, or any other method
   available to you in the Microsoft Intune admin center.
      Script file: For a rule based on a PowerShell script requirement, if the
      exit code is 0, the standard output (STDOUT) is evaluated in more
      detail. For example, STDOUT can be read as an integer and compared
      against a value of 1.
      Run script as 32-bit process on 64-bit clients: Select Yes to run the
      script in a 32-bit process on 64-bit clients. Select No (default) to run the
      script in a 64-bit process on 64-bit clients. 32-bit clients run the script in
      a 32-bit process.
      Run this script using the logged on credentials: Select Yes to run the
      script by using the signed-in device credentials.
      Enforce script signature check: Select Yes to verify that a trusted
      publisher has signed the script, which will allow the script to run with no
      warnings or prompts displayed. The script will run unblocked. Select No
      (default) to run the script with user confirmation without signature
      verification.
      Select output data type: Select the data type used for determining a
      requirement rule match.

2. When you're finished setting the requirement rules, select OK.
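A requirement script is evaluated in two parts: the exit code must be 0, and what the script writes to STDOUT is then compared using the data type and operator chosen under Select output data type. The following script is an added example, not code from the Intune documentation; it assumes the rule is configured with output data type Integer, operator equals and value 1, and the requirement it checks (.NET Framework 4.8 or later, detected from the Release value under the NDP\v4\Full key) is chosen here only for illustration. It opens the 64-bit registry view explicitly so that the answer does not depend on the Run script as 32-bit process option.

```powershell
# Added example, not from the Intune documentation: a requirement-rule script.
# Intune treats the rule as met only when the script exits 0 and the text on
# STDOUT satisfies the comparison configured under "Select output data type".
# Assumed configuration: output data type Integer, operator equals, value 1.
# Assumed requirement: .NET Framework 4.8 or later (registry Release >= 528040).
$ErrorActionPreference = 'Stop'
try {
    # Open HKLM in the 64-bit view explicitly. Without this, the answer would
    # change with "Run script as 32-bit process on 64-bit clients", because a
    # 32-bit process is redirected to the WOW6432Node branch.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    $ndp = $hklm.OpenSubKey('SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full')
    $release = if ($ndp) { [int]$ndp.GetValue('Release', 0) } else { 0 }

    # Write exactly one integer and nothing else; the rule compares this value.
    if ($release -ge 528040) { Write-Output 1 } else { Write-Output 0 }
    exit 0
}
catch {
    # A script error is reported as a failed requirement; keep STDOUT empty.
    Write-Error $_
    exit 1
}
```

Keep STDOUT to the single value the rule expects: a stray Write-Output line (progress text, a second number) changes what Intune compares and silently turns a met requirement into an unmet one.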

Select Next to display the Detection rules page.

Step 4: Detection rules


On the Detection rules pane, configure the rules to detect the presence of the app. You
can choose to add multiple rules:

Rules format: Select how the presence of the app will be detected. You can choose
to either manually configure the detection rules or use a custom script to detect
the presence of the app. You must choose at least one detection rule.

Note

The conditions for all rules must be met to detect the app.

If Intune detects that the app isn't present on the device, Intune will offer the
app again within approximately 24 hours. This will occur only for apps
targeted with the required intent.

Manually configure detection rules: You can select one of the following rule types:

MSI: Verify based on an MSI version check. This option can be added only once.
When you choose this rule type, you have two settings:
MSI product code: Add a valid MSI product code for the app.
MSI product version check: Select Yes to verify the MSI product version in
addition to the MSI product code.

File: Verify based on file or folder detection, date, version, or size.


Path: Enter the full path of the folder that contains the file or folder to detect.
This shouldn't include special characters such as , or ".
File or folder: Enter the file or folder to detect.
Detection method: Select the type of detection method used to validate the
presence of the app.
Associated with a 32-bit app on 64-bit clients: Select Yes to expand any
path environment variables in the 32-bit context on 64-bit clients. Select No
(default) to expand any path variables in the 64-bit context on 64-bit clients.
32-bit clients will always use the 32-bit context.

Examples of file-based detection

Check for file existence.

Check for folder existence.


Registry: Verify based on value, string, integer, or version.
Key path: The full path of the registry entry that contains the value to detect.
A valid syntax is HKEY_LOCAL_MACHINE\Software\WinRAR or
HKLM\Software\WinRAR.
Value name: The name of the registry value to detect. If this value is empty,
the detection will happen on the key. The (default) value of a key will be used
as detection value if the detection method is other than file or folder
existence.
Detection method: Select the type of detection method that's used to
validate the presence of the app.
Associated with a 32-bit app on 64-bit clients: Select Yes to search the 32-
bit registry on 64-bit clients. Select No (default) to search the 64-bit registry
on 64-bit clients. 32-bit clients will always search the 32-bit registry.

Examples for registry-based detection

Check if the registry key exists.


Check if the registry value exists.
Check for registry value string equals.

Use a custom detection script: Specify the PowerShell script that will be used to
detect this app.

Script file: Select a PowerShell script that will detect the presence of the app on
the client. The app will be detected when the script both returns a 0 value exit
code and writes a string value to STDOUT.

Run script as 32-bit process on 64-bit clients: Select Yes to run the script in a
32-bit process on 64-bit clients. Select No (default) to run the script in a 64-bit
process on 64-bit clients. 32-bit clients run the script in a 32-bit process.

Enforce script signature check: Select Yes to verify that a trusted publisher has
signed the script, which will allow the script to run with no warnings or prompts
displayed. The script will run unblocked. Select No (default) to run the script
without signature verification.

The Intune agent checks the results from the script. It reads the values written by
the script to the STDOUT stream, the standard error (STDERR) stream, and the exit
code. If the script exits with a nonzero value, the script fails and the application
detection status isn't installed. If the exit code is zero and STDOUT has data, the
application detection status is installed.

Note

We recommend encoding your script as UTF-8. When the script exits with the
value of 0, the script execution was successful. STDOUT is the second signal
and indicates whether the app was detected: any STDOUT data means the app was
found on the client. We don't look for a particular string from STDOUT.
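The detection contract described above (exit 0 plus any STDOUT data means installed; exit 0 with empty STDOUT or a nonzero exit means not installed) is easy to get wrong in a script that also prints progress messages. The following custom detection script is an added example, not code from the Intune documentation: it looks for an assumed product name and minimum version in the Uninstall keys of both the 64-bit and the 32-bit registry views, so that the result is the same whichever value is chosen for Run script as 32-bit process on 64-bit clients, and it writes to STDOUT only when the app is found. The product name "Contoso Widget" and version 1.2.0 are constructed for the example.

```powershell
# Added example, not from the Intune documentation: a custom detection script.
# The agent reports "installed" only when the script exits 0 and writes
# something to STDOUT; the text itself is not parsed. Product name and minimum
# version are assumptions.
$ProductName = 'Contoso Widget'   # assumed DisplayName under the Uninstall key
$MinVersion  = [version]'1.2.0'   # assumed lowest version that counts as installed

function Find-InstalledVersion {
    # Check the 64-bit and the 32-bit registry views explicitly, so the result
    # does not depend on "Run script as 32-bit process on 64-bit clients".
    $views = @([Microsoft.Win32.RegistryView]::Registry64,
               [Microsoft.Win32.RegistryView]::Registry32)
    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $uninstall = $base.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
        if (-not $uninstall) { continue }
        foreach ($name in $uninstall.GetSubKeyNames()) {
            $entry = $uninstall.OpenSubKey($name)
            if (-not $entry) { continue }
            if ([string]$entry.GetValue('DisplayName') -ne $ProductName) { continue }
            $ver = [string]$entry.GetValue('DisplayVersion')
            if ($ver -and ([version]$ver -ge $MinVersion)) { return $ver }
        }
    }
    return $null
}

try {
    $found = Find-InstalledVersion
}
catch {
    # Malformed version string or registry error: fail the script. A nonzero
    # exit code is reported as a script failure and the app as not installed.
    Write-Error $_
    exit 1
}

if ($found) {
    Write-Output "$ProductName $found detected"   # any STDOUT content means detected
    exit 0
}

# Not installed: exit 0 with nothing on STDOUT is the documented "not
# installed" outcome. Do not write anything here, not even a "not found" line.
exit 0
```

If you enable Enforce script signature check, sign this file with a code-signing certificate the device trusts; otherwise the script is blocked before any of the logic above runs and the app is reported as not detected.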

The version of your Win32 app is displayed in the Microsoft Intune admin center. The
app version is provided in the All apps list, where you can filter by Win32 apps and
select the optional version column. In the Microsoft Intune admin center, select Apps
> All apps > Columns > Version to display the app version in the app list.

After you've added your rules, select Next to display the Dependencies page.

Step 5: Dependencies
App dependencies are applications that must be installed before your Win32 app can be
installed. You can require that other apps are installed as dependencies.

Specifically, the device must install the dependent apps before it installs the Win32 app.
There's a maximum of 100 dependencies, which includes the dependencies of any
included dependencies, as well as the app itself.

You can add Win32 app dependencies only after your Win32 app has been added and
uploaded to Intune. After your Win32 app has been added, you'll see the Dependencies
option on the pane for your Win32 app.

Any Win32 app dependency needs to also be a Win32 app. It doesn't support
depending on other app types, such as single MSI LOB apps or Microsoft Store apps.

When you're adding an app dependency, you can search based on the app name and
publisher. Additionally, you can sort your added dependencies based on app name and
publisher. Previously added app dependencies can't be selected in the list of added app
dependencies.

You can choose whether or not to install each dependent app automatically. By default,
the Automatically install option is set to Yes for each dependency. By automatically
installing a dependent app, even if the dependent app isn't targeted to the user or
device, Intune will install the app on the device to satisfy the dependency before
installing your Win32 app.

Note

The install status of a dependent app will be displayed within Intune if the app is
targeted to the user or device.

It's important to note that a dependency can have recursive sub-dependencies, and
each sub-dependency will be installed before the main dependency is installed.
Additionally, installation of dependencies doesn't follow a specific order at a
dependency level.

Win32 apps added to Intune can't be removed while they are in a dependency
relationship. These apps can only be deleted after the dependency relationship is
removed. This requirement is applied to both parent and child apps in a dependency
relationship. Also, this requirement ensures that dependencies are enforced properly
and that dependency behavior is more predictable.

Select the dependencies


On the Dependencies page, select applications that must be installed before your
Win32 app can be installed:

1. Select Add to display the Add dependency pane.


2. Add the dependent apps, and then click Select.
3. Choose whether to automatically install the dependent apps by selecting Yes or
No under the Automatically Install column.

After you've selected dependencies, select Next to display the Scope tags page.

Understand additional dependency details


The user will see Windows notifications indicating that dependent apps are being
downloaded and installed as part of the Win32 app installation process.

Dependency limitations

The following bulleted list provides additional clarity about dependency limitations:

If an app has 100 dependencies, then the app graph has a total size of 101 (100
dependency apps + 1 parent app).
If an app has 3 dependencies, and one of the dependency apps has 2
dependencies, then the app graph has a total size of 6 (1 parent app + 3
dependency apps + 2 dependency apps that are from another dependency app).
If an app is a dependency for multiple app "graphs", meaning that the dependency
is somewhere in the dependency chain for some app graph, then all apps from all
the separate graphs are summed to calculate the dependency size. For example, if
graph A has 23 apps, graph B has 62 apps, and graph C has 20 apps, and app X
exists as a dependency app somewhere in the dependency chain in all 3 graphs,
then the total size of the graph is 103 (app X is only counted once), which
surpasses the 100 limit restriction.
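The counting rule in the bullets above (every app reachable through the dependency chain counts, a shared app counts once, and the parent itself is included) can be checked before you add a dependency rather than discovered when the admin center rejects it. The following function is an added example, not part of the Intune documentation or of any Intune tool; the app names and relationships are constructed, and the dependency map is assumed to be maintained by hand from the Dependencies pane of each app.

```powershell
# Added example, not from the Intune documentation: counts a dependency graph
# the way the limit above is described (every app reachable through the
# dependency chain counts once, plus the parent). App names are constructed.
function Get-DependencyGraphSize {
    param(
        [Parameter(Mandatory)][hashtable]$Dependencies,  # app name -> names of apps it depends on
        [Parameter(Mandatory)][string[]]$Roots            # parent app(s) whose graphs are combined
    )
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $stack = New-Object 'System.Collections.Generic.Stack[string]'
    foreach ($root in $Roots) { $stack.Push($root) }
    while ($stack.Count -gt 0) {
        $app = $stack.Pop()
        # HashSet.Add returns $false for an app already counted, which is how a
        # shared dependency (app X below) is counted only once.
        if (-not $seen.Add($app)) { continue }
        foreach ($dep in @($Dependencies[$app])) {
            if ($dep) { $stack.Push($dep) }
        }
    }
    return $seen.Count
}

# The second bullet above: 1 parent + 3 dependencies, one of which has
# 2 dependencies of its own, for a graph of 6 apps.
$deps = @{
    'Parent' = @('Dep1', 'Dep2', 'Dep3')
    'Dep2'   = @('Dep2a', 'Dep2b')
}
Get-DependencyGraphSize -Dependencies $deps -Roots 'Parent'

# The third bullet above, scaled down: X is a dependency in graphs A, B and C,
# so the three graphs are combined and X is counted once.
$shared = @{
    'A' = @('X', 'A1')
    'B' = @('X', 'B1')
    'C' = @('X', 'C1')
}
Get-DependencyGraphSize -Dependencies $shared -Roots 'A', 'B', 'C'
```

Run the function for every parent that shares a dependency with the app you are about to add: it is the combined graph across all of them, not the single parent's graph, that is compared against the limit of 100.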

Dependency failures
When a dependent app isn't installed, the user will commonly see one of the following
notifications:

One or more dependent apps failed to be installed.


One or more dependent app requirements aren't met.
One or more dependent apps are pending a device reboot.

If you choose not to put a dependency in the Automatically install column, the Win32
app installation won't be attempted. Additionally, app reporting will show that the
dependency was flagged as failed and provide a failure reason. You can view the
dependency installation failure by selecting a failure (or warning) provided in the Win32
app installation details.

Each dependency will adhere to Intune Win32 app retry logic (try to install three times
after waiting for five minutes) and the global reevaluation schedule. Also, dependencies
are applicable only at the time of installing the Win32 app on the device. Dependencies
aren't applicable for uninstalling a Win32 app. To delete a dependency, you must select
the ellipsis (three dots) to the left of the dependent app located at the end of the row of
the dependency list.

Step 6: Supersedence
When you supersede an application, you can specify which app will be updated or
replaced. To update an app, disable the uninstall previous version option. To replace an
app, enable the uninstall previous version option. There's a maximum of 10 updated or
replaced apps, including references to other apps. For example, your app references
another app. This other app references other apps, and so on. This scenario creates a
graph of apps. All apps in the graph count toward the maximum value of 10.
To add apps that the current app will supersede:

1. In the Supersedence step, click Add to choose apps that should be superseded.

Note

There can be a maximum of 10 nodes in a supersedence relationship in
Intune.

2. Find and click the apps to apply the supersedence relationship in the Add Apps
pane. Click Select to add the apps to your supersedence list.

3. In the list of superseded apps, modify the Uninstall previous version option for
each selected app to specify whether an uninstall command will be sent by Intune
to each selected app. If the installer of the current app updates the selected app
automatically, then it isn't necessary to send an uninstall command. When
replacing a selected app with a different app, it may be necessary to turn on the
Uninstall previous version option to remove and replace the older app.

4. Once this step is finalized, click Next.

For more information, see Add Win32 app supersedence.

Step 7: Assignments
You can select the Required, Available for enrolled devices, or Uninstall group
assignments for the app. For more information, see Add groups to organize users and
devices and Assign apps to groups with Microsoft Intune.

Important

For the scenario when a Win32 app is deployed and assigned based on user
targeting, if the Win32 app requires device admin privileges or any other
permissions that the standard user of the device doesn't have, the app will fail to
install.

1. For the specific app, select an assignment type:

Required: The app is installed on devices in the selected groups.


Available for enrolled devices: Users install the app from the company portal
app or the company portal website.
Uninstall: The app is uninstalled from devices in the selected groups.
2. Select Add group and assign the groups that will use this app.
3. On the Select groups pane, select groups to assign based on users or devices.
4. After you select your groups, you can also set End user notifications, Availability,
and Installation deadline. For more information, see Set Win32 app availability and
notifications.
5. If you don't want this app assignment to affect groups of users, select Included
under the MODE column. In the Edit assignment pane, change the mode value
from Included to Excluded. Select OK to close the Edit assignment pane.
6. In the App settings section, select the Delivery optimization priority value for the
app. This setting will determine how the app content will be downloaded. You can
choose to download the app content in background mode or foreground mode
based on assignment.

After you finish setting the assignments for the apps, select Next to display the Review
+ create page.

Step 8: Review and create


1. Review the values and settings that you entered for the app. Verify that you
configured the app information correctly.

2. Select Create to add the app to Intune.

The Overview pane for the LOB app appears.

At this point, you've completed steps to add a Win32 app to Intune. For information
about app assignment and monitoring, see Assign apps to groups with Microsoft Intune
and Monitor app information and assignments with Microsoft Intune.

Next steps
Monitor app information and assignments with Microsoft Intune
Troubleshoot Win32 app issues
Add Win32 app supersedence
Article • 05/25/2023

After you've added a Win32 app to Intune, you can use Intune to create one or more
supersedence relationships between apps. In general, supersedence is where you
update or replace something. In Intune, supersedence enables you to update and
replace existing Win32 apps with newer versions of the same app or an entirely different
Win32 app. This topic provides an overview of the supersedence feature.

Important

Supersedence, which enables you to update and replace a version of a Win32 app,
doesn't currently allow you to interchange the Win32 app with an app dependency.
For more information about app dependencies, see Dependencies.

Supersedence relationships can be created when adding or modifying a Win32 app
within Intune. The Supersedence steps allow you to specify any supersedence
relationships related to the Win32 app.

Prerequisites
App supersedence can only be applied to Win32 apps. For more information, see Add a
Win32 app to Intune.
A Microsoft Intune permission is required to create and edit Win32 app supersedence
and dependency relationships with other apps. The permission is available under the
Mobile apps category by selecting Relate. Starting in the 2202 service release, Intune
admins need this permission to add supersedence and dependency apps when creating
or editing a Win32 app in Microsoft Intune admin center. To find this permission in
Microsoft Intune admin center, choose Tenant administration > Roles > All roles >
Create.

This Win32 app supersedence permission has been added to the following built-in roles:

Application Manager
School administrator

Create a Supersedence relationship in Intune


The following steps help you create a supersedence relationship between apps:

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps, and then select a Win32 app from the list. If you haven't
added a Win32 app, you can follow the steps to add a Win32 app to Intune.

3. After you have selected the existing Win32 app, click Properties.

4. In the Supersedence section, click Edit > Add to choose apps that should be
superseded.

Note

There can be a maximum of 10 nodes in a supersedence relationship in
Intune.

5. Find and click the apps to apply the supersedence relationship in the Add Apps
pane. Click Select to add the apps to your supersedence list.

6. In the list of superseded apps, modify the Uninstall previous version option for
each selected app to specify whether an uninstall command will be sent by Intune
to each selected app. If the installer of the current app updates the selected app
automatically, then it isn't necessary to send an uninstall command. When
replacing a selected app with a different app, it may be necessary to turn on the
Uninstall previous version option to remove and replace the older app.

7. Once this step is finalized, click Review + save > Save.


Important

Superseding apps do not get automatic targeting. Each app must have explicit
targeting to take effect. Superseding apps that aren't targeted will be ignored
by the agent. If the superseding app is targeted to a device with a superseded
app, then the supersedence will take place regardless of whether the
superseded app has targeting or not. For more information on supersedence
behavior, please refer to the matrix below. This behavior is in direct contrast
to dependencies, which don't require targeting. Additionally, only apps that
are targeted will show install statuses in Microsoft Intune admin center.

Supersedence behavior
A superseding app is an app that updates or replaces other apps. A superseded app is an
app that is being updated or replaced. Supersedence behavior can be illustrated based
on the following scenarios.

Each scenario lists the behavior for targeting with required intent and for
targeting with available intent.

Scenario 1: The superseded app exists on the device and Uninstall previous
version is set to Yes.
    Required intent: The superseded app will be uninstalled, and the superseding
    app will be installed on the device. NOTE: Even if the superseded app isn't
    targeted, it will be uninstalled.
    Available intent: Only superseding apps will be shown in the company portal
    and can be installed.

Scenario 2: The superseded app exists on the device and Uninstall previous
version is set to No.
    Required intent: The superseding app will be installed on the device.
    Whether the superseded app will be uninstalled or not is dependent on the
    superseding app's installer.
    Available intent: Only superseding apps will be shown in the company portal
    and can be installed.

Scenario 3: The superseded app doesn't exist on the device.
    Required intent: The superseding app will be installed.
    Available intent: The new app will appear in the Company Portal.

Understand app update versus app replacement within supersedence

Given that an app could have multiple superseded apps, it is possible for an app to
update a set of apps while replacing another set of apps at the same time.

Note

End-users won't be able to check whether a specific Win32 app supersedence
operation is an update or replacement in the Company Portal. In addition, when
multiple apps supersede an app with available targeting in the Company Portal, the
superseded app's details page will navigate to the app page of the first
superseding app that was set up. For example, if app A is superseded by app B and
C, and app B is superseded by app A first, then app A's detail page in the Company
Portal will navigate to App B.

Understanding how supersedence is applied when updating an app versus replacing an
app can be illustrated based on the following scenario.

Customer scenario: App update
    Description: IT admin wants to update an app with a newer version of the
    same app.
    Expected behavior: The installer of the newer version of the app (the
    superseding app) will automatically update the older version of the app to
    the newer version.
    Additional information: Since the installer will complete the updating, it
    isn't necessary to send down an uninstall command to the older version.
    Hence, the Uninstall previous version is toggled off.

Customer scenario: App replacement
    Description: IT admin wants to replace an app with an entirely different
    app.
    Expected behavior: The superseded app will be uninstalled and the
    superseding app will be installed. Both install and uninstall will be based
    on IT Pro's defined install/uninstall command line.
    Additional information: Since the two apps are different, the admin can
    turn the Uninstall previous version toggle on to uninstall the older app
    from the device.

Understand in-place app update versus supersedence app update

In the following scenarios, you should review app detection rules after performing either
type of the following updates.

Update type: In-place app update
    With an in-place app update, admin can only swap the app content, update the
    metadata, and change the detection and install commands. Admin cannot change
    any of the fields that aren't stored on the app with an in-place app update.
    For example, the admin cannot modify targeting at the same time as an update.
    Admin can only perform the in-place app update one app at a time.

Update type: Supersedence app update
    Admin can update an app in its entirety with a new set of configurations.
    Admin can elect to send down an uninstall command to uninstall previous app
    versions. Admin can update devices containing multiple app versions to the
    newest app version with one Supersedence configuration. The admin also
    maintains access to older version of the app.

Understand interactions between dependencies and supersedence

Note

Supersedence GA is currently being rolled out. For more information, see
Upcoming improvements to Win32 app supersedence - Microsoft Community Hub.

Interactions between dependencies and supersedence include the following:

- Supersedence and dependency relationships can be created in the same app subgraph.
- Enforcement prefers supersedence over dependency, but if there is a conflict state, Intune will report it.
  Specific example: A depends on B, C supersedes B. A will report a conflict state.
  Specific example #2: A depends on B, C replaces A; C installs and A gets replaced. B is left in place.
- Supersedence won't go through in specific scenarios.
  Example: A depends on B and C, and B supersedes C.

Basic Supersedence Examples


For the purposes of this document, we assume that all apps are targeted (either device
or user targeting) and are applicable.
Legend for supersedence example scenarios

- A is superseded by B via app update.
- A is superseded by B via app replacement.
- A is present on the device, fully installed, and passes the defined detection rules.
- A isn't present on the device.

Case and resolution supersedence examples

Case: Neither app is detected on the device. A is superseded by B via app update.
Result: Install B.
Notes: App update means that admin chose not to uninstall the superseded app during the configuration stage. See above in the Supersedence Step in App Deployment.

Case: Only A is detected on the device. A is superseded by B via app update.
Result: Install B.
Notes: Since admin chose not to uninstall the previous version during configuration, A isn't explicitly uninstalled by Intune. A may be uninstalled based on the behavior of B's installer.

Case: Only B is detected on the device. A is superseded by B via app update.
Result: Nothing.
Notes: Since B is already detected on the device, no action is taken.

Case: Both apps are detected on the device. A is superseded by B via app update.
Result: Nothing.
Notes: Since B is already detected on the device, no action is taken. Admin chose not to uninstall the previous version when configuring, hence A isn't uninstalled.

Case: Neither app is detected on the device. A is superseded by B via app replacement.
Result: Install B.
Notes: App replacement means that admin chose to uninstall the superseded app during the configuration stage. See above in the Supersedence Step in App Deployment.

Case: Only A is detected on the device. A is superseded by B via app replacement.
Result: Uninstall A, then install B.
Notes: A will be uninstalled and once the agent detects that A is no longer present on the device, it will install B. If the detection continues to detect A as present, then the agent won't install B. Whether B is installed on the device is predicated on whether A is detected on the device.

Case: Only B is detected on the device. A is superseded by B via app replacement.
Result: None.
Notes: No actions are taken because B is already installed and A doesn't exist on the device.

Case: Both apps are detected on the device. A is superseded by B via app replacement.
Result: Uninstall A.
Notes: A is uninstalled as part of the app replacement process. Detection of a replaced app after the replacing app is already installed will incur a remediation enforcement.

Behavior for Chained Supersedence Scenarios

Supersedence chains occur when multiple apps are part of a supersedence relationship.
For example, an IT admin could configure App A to be superseded by App B, and then
later configure App B to be superseded by App C. In this scenario, a supersedence chain
is created between App A, B, and C (as shown in the first case below). Supersedence
chains can have a maximum of 10 related nodes in the chain. For more information
about this maximum, see Supersedence Limitations.

The behavior for supersedence chains can be summarized as the following:

- All apps in a supersedence chain will be superseded by the superseding app of
  the chain. In the example given above, the superseding app of the chain is App C.

To better understand the behavior of a supersedence chain, the following table provides
a list of cases and resolutions. When reviewing these supersedence chains, assume all
apps are targeted and are applicable to the device.

Case: None of the apps exist on the device. The relationship between apps is one of app update.
Result: Install C.
Notes: Since none of the apps exist on the device, we install the superseding app: App C. The superseding app refers to the app that supersedes all other apps in the chain.

Case: Only Apps A and C exist on the device. The relationship between apps is one of app update.
Result: None.
Notes: Since App C already exists on the device and this is an app update scenario, App A isn't uninstalled.

Case: Only App A exists on the device. The relationship between apps is one of app update.
Result: Install C.
Notes: Simply install App C. App A isn't uninstalled because it is an app update scenario. C's installer may or may not have behavior to remove A, where "remove" means A is no longer detected via its detection rules (usually due to version detection).

Case: Only App C exists on the device. The relationship between apps is one of app update.
Result: None.
Notes: Since App C, the superseding app, already exists on the device, and this is an app update scenario, no action is taken.

Case: None of the apps exist on the device. The relationship between apps is one of app replacement.
Result: Install C.
Notes: Since none of the apps exist on the device, simply install the superseding app, App C.

Case: Apps A and C exist on the device. The relationship between apps is one of app replacement.
Result: Uninstall A.
Notes: Since App C exists on the device and this is an app replacement scenario, simply uninstall App A.

Case: Only App A exists on the device. The relationship between apps is one of app replacement.
Result: Uninstall A, then install C.
Notes: Since this is an app replacement scenario, App A is uninstalled and App C, the superseding app, is installed.

Case: Only App C exists on the device. The relationship between apps is one of app replacement.
Result: None.
Notes: Since the superseding app, App C, exists on the device and none of the other superseded apps exist, no action is taken.
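
The case tables above reduce to one rule: under an app update only the superseding app is ever installed, and under an app replacement every detected superseded app is uninstalled before it. The following PowerShell function is an added example, not code from the Intune documentation or from the Intune service itself; it models the outcomes the tables document for one chain (listed oldest app first) and assumes, like the tables, that every app is targeted and applicable.

```powershell
function Resolve-SupersedenceChain {
    <#
      Added example: predicts what the documented supersedence rules do for one chain.
      $Chain is ordered oldest first; the last element is the superseding app of the chain.
      Assumes all apps are targeted and applicable (the same assumption as the tables).
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateCount(2, 11)] [string[]] $Chain,
        # Apps whose detection rules currently pass on the device.
        [string[]] $Detected = @(),
        # 'Update'      = "Uninstall previous version" toggled off (installer handles the old version).
        # 'Replacement' = toggle on (Intune uninstalls the old version before installing).
        [ValidateSet('Update', 'Replacement')] [string] $Relationship = 'Update'
    )

    $superseding    = $Chain[-1]
    $supersededApps = $Chain[0..($Chain.Count - 2)]
    $olderDetected  = @($supersededApps | Where-Object { $Detected -contains $_ })
    $actions        = @()

    if ($Relationship -eq 'Replacement') {
        # Replacement: Intune sends the uninstall command for every detected older app.
        foreach ($app in $olderDetected) { $actions += "Uninstall $app" }
    }
    if ($Detected -notcontains $superseding) {
        # The superseding app is installed only if it isn't already detected. Under
        # replacement it follows the uninstalls: the agent waits until the older apps
        # are no longer detected before installing.
        $actions += "Install $superseding"
    }
    if ($actions.Count -eq 0) { $actions = @('None') }
    return $actions
}

# Demonstration of the cases from the chain table (A superseded by B, B superseded by C).
$chain = 'App A', 'App B', 'App C'
$cases = @(
    @{ Relationship = 'Update';      Detected = @() },
    @{ Relationship = 'Update';      Detected = @('App A', 'App C') },
    @{ Relationship = 'Update';      Detected = @('App A') },
    @{ Relationship = 'Replacement'; Detected = @('App A', 'App C') },
    @{ Relationship = 'Replacement'; Detected = @('App A') },
    @{ Relationship = 'Replacement'; Detected = @('App C') }
)
foreach ($case in $cases) {
    $result = Resolve-SupersedenceChain -Chain $chain -Detected $case.Detected -Relationship $case.Relationship
    '{0,-11} detected: [{1,-12}] -> {2}' -f $case.Relationship, ($case.Detected -join ', '), ($result -join ', then ')
}
```

The dependency interactions described earlier (conflict reporting when a dependency is superseded) are outside this model, which covers supersedence alone.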

Supersedence Limitations

There can only be a maximum of 11 nodes in a single supersedence graph. The nodes
include the superseding app, the superseded apps, and all subsequent related apps. In
the following Supersedence diagram, there are five nodes in total. Hence, five more
nodes could be created until the max node count is reached.

Additional supersedence limitations:

- Azure Virtual Desktop multi-session only supports supersedence relationships with
  system-context (device-based) apps.
- Only apps that are targeted will show install statuses in Microsoft Intune admin
  center.

Next steps
Troubleshoot Win32 app issues
Monitor app information and assignments with Microsoft Intune
Win32 app management in Microsoft Intune
Troubleshoot Win32 app issues
Article • 05/25/2023

When you're troubleshooting Win32 apps used in Microsoft Intune, you can use a
number of methods. This article provides troubleshooting details and information to
help you solve Win32 app problems. For more information, see Win32 app installation
troubleshooting resources.

Note

This app management capability supports both 32-bit and 64-bit operating system
architectures for Windows applications.

Important

When you're deploying Win32 apps, consider using the Intune Management
Extension approach exclusively, particularly when you have a multiple-file Win32
app installer. If you mix the installation of Win32 apps and line-of-business (LOB)
apps during Autopilot enrollment, the app installation might fail. The Intune
management extension is installed automatically when a PowerShell script or
Win32 app is assigned to the user or device.

For the scenario when a Win32 app is deployed and assigned based on user
targeting, if the Win32 app requires device admin privileges or any other
permissions that the standard user of the device does not have, the app will fail to
install.

App troubleshooting details


You can view installation issues, such as when the app was created, modified, targeted,
and delivered to a device. The Microsoft Intune admin center provides these and
other details on the Troubleshoot + support pane. For more information, see App
troubleshooting details.

Troubleshooting app issues by using logs


Viewing the details of logs can help you determine the cause of the issues that you're
seeing and help resolve them. You can choose to view the logs displayed in Intune, or
view the logs displayed through CMTrace.

Logs displayed in Intune


When an installation issue occurs with a Win32 app, you can choose the Collect logs
option in the Installation details pane for the app in Intune. For more details, see Win32
app installation troubleshooting.

Logs displayed through CMTrace


Agent logs on the client machine are commonly in
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. You can use CMTrace.exe
to view these log files. For more information, see CMTrace.

Important

To allow proper installation and execution of LOB Win32 apps, antimalware settings
should exclude the following directories from being scanned:

On x64 client machines:

C:\Program Files (x86)\Microsoft Intune Management Extension\Content

C:\windows\IMECache

On x86 client machines:

C:\Program Files\Microsoft Intune Management Extension\Content

C:\windows\IMECache

For more information, see Virus scanning recommendations for enterprise
computers that are running currently supported versions of Windows.

Detecting the Win32 app file version by using PowerShell

If you have difficulty detecting the Win32 app file version, consider using or modifying
the following PowerShell command:

PowerShell

$FileVersion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo("<path to binary file>").FileVersion

# The line below trims the spaces before and after the version string
$FileVersion = $FileVersion.Trim()

if ("<file version of successfully detected file>" -eq $FileVersion)
{
    # Write the version to STDOUT; output plus exit code 0 tells Intune the app is detected
    $FileVersion
    exit 0
}
else
{
    # Exit with a non-zero failure code: the app is not detected
    exit 1
}

In the preceding PowerShell command, replace the <path to binary file> string with
the path to your Win32 app file. An example path would be similar to the following:

C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\ssms.exe

Also, replace the <file version of successfully detected file> string with the file
version that you need to detect. An example file version string would be similar to the
following:

2019.0150.18118.00 ((SSMS_Rel).190420-0019)

If you need to get the version information of your Win32 app, you can use the following
PowerShell command:

PowerShell

[System.Diagnostics.FileVersionInfo]::GetVersionInfo("<path to binary file>").FileVersion

In the preceding PowerShell command, replace <path to binary file> with your file
path.
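
As an added example (not from the Intune documentation), the following detection script makes the file-version check above more robust: it handles a missing file, strips the non-numeric suffix that FileVersion strings such as the SSMS example carry, and treats any version at or above a minimum as detected instead of requiring an exact string match. The path and minimum version are placeholders to replace with your own app's values.

```powershell
# Added example: Intune custom detection script for a Win32 app, keyed on file version.
# Intune treats exit code 0 together with text on STDOUT as "detected"; a non-zero exit
# code (or exit 0 with no output) means "not detected" and the install command runs.
# Placeholder values: replace with your own app's binary and minimum version.
$Path       = 'C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\ssms.exe'
$MinVersion = [version]'2019.150.18118.0'

function Get-NumericFileVersion {
    param([Parameter(Mandatory)] [string] $FilePath)

    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) { return $null }

    $raw = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($FilePath).FileVersion
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }

    # FileVersion is free text and may carry a suffix, for example
    # "2019.0150.18118.00 ((SSMS_Rel).190420-0019)". Keep only the leading dotted
    # numbers so the value can be compared numerically as a [version].
    if ($raw.Trim() -match '^(\d+(\.\d+){1,3})') { return [version] $Matches[1] }
    return $null
}

$found = Get-NumericFileVersion -FilePath $Path

if (($null -ne $found) -and ($found -ge $MinVersion)) {
    Write-Output "Detected version $found at $Path"   # STDOUT + exit 0 = detected
    exit 0
}

# File missing, version unreadable, or older than $MinVersion = not detected
exit 1
```

Using "at or above" rather than "equals" keeps the app reported as detected after the vendor's own updater moves it to a newer build, so Intune doesn't try to reinstall the older package.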

Additional troubleshooting areas to consider

- Check targeting to make sure the agent is installed on the device. A Win32 app
  targeted to a group or a PowerShell Script targeted to a group will create an agent
  installation policy for a security group.
- Check the OS version: Windows 10 1607 and later.
- Check the Windows 10 SKU. Windows 10 S, or Windows versions running with S
  mode enabled, doesn't support MSI installation.

For more information about troubleshooting Win32 apps, see Win32 app installation
troubleshooting. For information about app types on ARM64 devices, see App types
supported on ARM64 devices.

Next steps
Troubleshoot app installation issues
Enable Win32 apps on S mode devices
Article • 03/07/2023

Windows 10 S mode is a locked-down operating system that only runs Store apps. By
default, Windows S mode devices don't allow installation and execution of Win32 apps.
These devices include a single Win 10S base policy, which locks the S mode device from
running any Win32 apps on it. However, by creating and using an S mode supplemental
policy in Intune, you can install and run Win32 apps on Windows 10 S mode managed
devices. By using the Microsoft Defender Application Control (WDAC) PowerShell tools,
you can create one or more supplemental policies for Windows S mode. You must sign
the supplemental policies with the Device Guard Signing Service (DGSS) or with
SignTool.exe and then upload and distribute the policies via Intune. As an alternative,
you can sign the supplemental policies with a codesigning certificate from your
organization; however, the preferred method is to use DGSS. If you use the
codesigning certificate from your organization, the root certificate that the
codesigning certificate chains up to must be present on the device.

By assigning the S mode supplemental policy in Intune, you enable the device to make
an exception to the device's existing S mode policy, which allows the uploaded
corresponding signed app catalog. The policy sets an allowlist of apps (the app catalog)
that can be used on the S mode device.

Note

Win32 apps on S mode devices are only supported on Windows 10 November
2019 Update (build 18363) or later versions.

The steps to allow Win32 apps to run on a Windows 10 device in S mode are the
following:

1. Enable S mode devices through Intune as part of the Windows 10 S enrollment
   process.

2. Create a supplemental policy to allow Win32 apps:

   - You can use Microsoft Defender Application Control (WDAC) tools to create a
     supplemental policy. The base policy ID within the policy must match the S
     mode base policy ID (which is hard coded on the client). Also, make sure that
     the policy version is higher than the previous version.
   - You use DGSS to sign your supplemental policy. For more information, see
     Sign code integrity policy with Device Guard signing.
   - You upload the signed supplemental policy to Intune by creating a Windows
     10 S mode supplemental policy (see below).

3. You allow Win32 app catalogs through Intune:

   - You create catalog files (one for every app) and sign them using DGSS or
     other certificate infrastructure.
   - You package the signed catalog into the .intunewin file using the Microsoft
     Win32 Content Prep Tool. There are no naming restrictions when creating a
     catalog file using the Microsoft Win32 Content Prep Tool. When generating
     the .intunewin file from the specified source folder and setup file, you can
     provide a separate folder containing only catalog files by using the -a
     cmdline option. For more information, see Win32 app management - Prepare
     the Win32 app content for upload.
   - Intune applies the signed app catalog to install the Win32 app on the S mode
     device using the Intune Management Extension.

Note

Line-of-business (LOB) .appx and .appx bundles on Windows 10 S mode will be
supported via Microsoft Store for Business (MSFB) signing.

S mode supplemental policy for apps must be delivered via Intune Management
Extension.

S mode policies are enforced at the device level. Multiple targeted policies will be
merged on the device. The merged policy will be enforced on the device.

To create a Windows 10 S mode supplemental policy, use the following steps:

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > S mode supplemental policies > Create policy.

3. Before adding the Policy file, you must create and sign it. For more information,
   see:

   - Create a WDAC policy using PowerShell tools and convert it to a binary format
   - Sign using Device Guard Signing Service (recommended)

4. On the Basics page, add the following values:


Value Description

Policy file The file that contains the WDAC policy.

Name The name of this policy.

Description [Optional] The description of this policy.

5. Select Next: Scope tags.

On the Scope tags page you can optionally configure scope tags to determine
who can see the app policy in Intune. For more information about scope tags, see
Use role-based access control and scope tags for distributed IT.

6. Select Next: Assignments.

The Assignments page allows you to assign the policy to users and devices. It's
important to note that you can assign a policy to a device whether or not the
device is managed by Intune.

7. Select Next: Review + create to review the values you entered for the profile.

8. When you're done, select Create to create the S mode supplemental policy in
Intune.

Once the policy is created, you'll see it added to the list of S mode supplemental policies
in Intune. Once the policy is assigned, the policy gets deployed to the devices. Note that
you must deploy the app to the same security group as the supplemental policy. You can
start targeting and assigning apps to those devices. This will allow your end users to
install and execute the apps on the S mode devices.

Removal of S mode policy


Currently, to remove the S mode supplemental policy from the device, you must assign
and deploy an empty policy to overwrite the existing S mode supplemental policy.

Policy Reporting

The S mode supplemental policy, which is enforced at device level, only has device level
reporting. Device level reporting is available for success and error conditions.

Reporting values that are shown in the Microsoft Intune admin center for S mode
reporting policies:

- Success: The S mode supplemental policy is in effect.
- Unknown: The status of the S mode supplemental policy isn't known.
- TokenError: The S mode supplemental policy is structurally okay but there's an
  error with authorizing the token.
- NotAuthorizedByToken: The token doesn't authorize this S mode supplemental
  policy.
- PolicyNotFound: The S mode supplemental policy isn't found.

Next steps
For more information, see Win32 apps on s mode.
For more information about adding apps to Intune, see Add apps to Microsoft
Intune.
For more information about Win32 apps, see Intune Win32 app management.
Deploy Windows update packages in
Intune
Article • 03/07/2023

If you want to deploy a specific Windows update package (.msu file) to Windows 10/11
devices managed by Intune, you can use the Intune Win32 app management capabilities
to deploy an .msu file as a Win32 app.

The following steps help you deploy a Windows update package to Intune.

Step 1: Prepare the update package as Win32 app content

1. Download the Windows update package by searching on Microsoft Update
   Catalog.
2. Use the Microsoft Win32 Content Prep Tool to convert the .msu file into the
   .intunewin format. This tool will guide you to input the required parameters in a
   step-by-step process if you don't specify the parameters in the command-line. For
   more information about the Microsoft Win32 Content Prep Tool, see Convert the
   Win32 app content.

Step 2: Create the Win32 app


1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps > Add.

3. In the Select app type pane, under Other app types, select Windows app (Win32).

4. Click Select, locate the Add app pane, and then select Select app package file.

5. In the App package file pane, select the .intunewin file, and then select OK.

6. On the App information page, add the details for your app.

7. On the Program page, specify the following installation and removal commands
for the app:

Install command:

wusa.exe <full path of the .msu file> /quiet /norestart -Wait

For example, if the windows10.0-kb4532693-x64_e22f60a077a0ec5896266a18cc3daf26bfc29e16.msu
file is in the current folder, type the following command in Install command:

wusa.exe .\windows10.0-kb4532693-x64_e22f60a077a0ec5896266a18cc3daf26bfc29e16.msu /quiet /norestart -Wait

Uninstall command:

wusa.exe /uninstall /kb:<KB number> /quiet

The following image provides an example of the Program page:

Use the /quiet switch to run Wusa.exe in quiet mode without user interaction. Use
the /norestart switch to prevent Wusa.exe from restarting the computer. For more
information about Wusa.exe, see Description of the Windows Update Standalone
Installer in Windows.

The -Wait option is used to make sure that the app installation returns after
Wusa.exe exits.

8. On the Requirements page, specify the requirements that devices must meet
before the app is installed.

- Minimum operating system: Select the minimum operating system that is
  required to apply the update.
- To specify additional requirements, such as build number and Update Build
  Revision (UBR), select Add to display the Add a Requirement rule pane.

For example, to install the app on only devices that are running Windows 10,
version 1903, build 18362, UBR less than 329, select Registry as the Requirement
type, and then specify the following rules:

Rule 1:
- Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- Value name: CurrentBuildNumber
- Registry key requirement: String comparison
- Operator: Equals
- Value: 18362
- Associated with a 32-bit app on 64-bit clients: No

Rule 2:
- Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- Value name: UBR
- Registry key requirement: Integer comparison
- Operator: Less than
- Value: 329
- Associated with a 32-bit app on 64-bit clients: No

9. On the Detection rules page, select Use a custom detection script as the Rules
format.

Example:

Sample script file (DetectKB.ps1):

PowerShell

$result = systeminfo.exe | findstr KB<KB number>

if ($result)
{
    # Output on STDOUT plus exit code 0 tells Intune the update is installed
    Write-Output "Found KB<KB number>"
    exit 0
}
else
{
    # Non-zero exit code: not installed, so Intune runs the install command
    exit 1
}

10. Specify assignments for the app.

11. Review your settings, and then select Create to add the app to Intune.
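
Steps 8 and 9 read the same facts from two places: the requirement rules compare CurrentBuildNumber and UBR in the registry, and DetectKB.ps1 searches systeminfo output for the KB. The following script is an added example, not from the Intune documentation: it detects the update through Get-HotFix (no locale-dependent text parsing of systeminfo.exe), and also reports detected when the registry shows the build is already at or past the update's UBR, so a device that has already received a newer cumulative update is not retried. The KB and build numbers are this article's example values; the target UBR is an assumed placeholder.

```powershell
# Added example: custom detection script for a Windows update deployed as a Win32 app.
# Values below come from this article's example (KB4532693 on build 18362); the target
# UBR is an assumed placeholder. Replace all three for your own update package.
$KbId        = 'KB4532693'
$TargetBuild = '18362'   # CurrentBuildNumber the update applies to
$TargetUbr   = 329       # assumed: UBR the device has once this update (or a later one) is applied

function Test-HotFixInstalled {
    param([Parameter(Mandatory)] [string] $Id)
    # Get-HotFix queries Win32_QuickFixEngineering directly; no locale-dependent
    # parsing of systeminfo.exe output, and no findstr dependency.
    $hit = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $Id }
    return ($null -ne $hit)
}

function Test-BuildAtLeast {
    param([Parameter(Mandatory)] [string] $Build, [Parameter(Mandatory)] [int] $Ubr)
    # Same registry values the Requirements page compares: CurrentBuildNumber is a
    # string (compare with -eq), UBR is a DWORD (compare as an integer).
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return (($cv.CurrentBuildNumber -eq $Build) -and ([int]$cv.UBR -ge $Ubr))
}

if (Test-HotFixInstalled -Id $KbId) {
    Write-Output "Found $KbId"        # STDOUT + exit 0 = detected
    exit 0
}
if (Test-BuildAtLeast -Build $TargetBuild -Ubr $TargetUbr) {
    # The device is already at or past this update's UBR (for example a later
    # cumulative update was applied); treat as installed so Intune doesn't keep
    # trying to install an update that is no longer applicable.
    Write-Output "Build $TargetBuild is already at UBR $($TargetUbr) or later"
    exit 0
}
exit 1                                # not installed: Intune will run the install command
```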

Step 3: Deploy the app


Assign the app to groups.

Next steps
For more information about adding apps to Intune, see Add apps to Microsoft
Intune.
For more information about Win32 apps, see Intune Win32 app management.
Add and assign the Windows Company
Portal app for Intune managed devices
Article • 04/06/2023

To manage devices and install apps, your users can optionally use the Company Portal
app. You can assign the Windows Company Portal app directly from Intune using
Microsoft Store app (new) apps.

Prerequisites
You can choose to install the Company Portal app using the steps below. The Company
Portal app will be installed in device context (also known as system-context) when
assigned to the Autopilot group and will be installed on the device before the user logs
in.

Create and Assign the Company Portal app


1. Sign in to the Microsoft Intune admin center with your admin account.
2. Select Apps > All apps > Add.
3. In Select app type pane, select Microsoft Store app (new) under the Store app
section.
4. Choose Select at the bottom of the page to begin creating an app from the
Microsoft Store.
5. Select Search the Microsoft Store app (new).
6. Enter the text Company Portal, select Company Portal, then choose Select at the
bottom of the page.
7. Change Install behavior to System, then select Next.
8. Select scope tags as necessary, then select Next.
9. To Assign the Company Portal app as a required app to your selected device
groups, select > Add Group (below Required) and then select a device group to
assign the app. After you've created all the necessary assignments, select Next.
10. Review your settings and select Create.

Next steps
To learn more about assigning apps, see Assign apps to groups.
To learn more about Microsoft Store app (new) apps, see Add Microsoft Store
apps to Microsoft Intune.
Add the Windows 10 Company Portal
app by using Microsoft Intune
Article • 03/06/2023

To manage devices and install apps, your users can install the Company Portal app
themselves from the Microsoft Store. If your business needs require that you assign the
Company Portal app to them, however, you can assign the Windows 10 Company Portal
app directly from Intune. You can do so even if you haven't integrated Intune with the
Microsoft Store for Business.

Important

If you download the Company Portal app, the option described in this article
requires that you assign manual updates each time an app update is released. To
deploy the Company Portal app for Windows 10 Autopilot provisioned devices, see
Add Windows 10 Company Portal app Autopilot devices.

Note

The Company Portal supports Configuration Manager applications. This feature
allows end users to see both Configuration Manager and Intune deployed
applications in the Company Portal for co-managed customers. This new version of
the Company Portal will display Configuration Manager deployed apps for all co-
managed customers. This support will help administrators consolidate their
different end user portal experiences. For more information, see Use the Company
Portal app on co-managed devices.

Configure settings to show offline apps


1. Sign in to the Microsoft Store for Business with your admin account. Ensure that
you sign into the Microsoft Store for Business using the same tenant account you
use to sign into Intune. Your Microsoft Store for Business account must be
associated with Intune. For more information, see Associate your Microsoft Store
for Business account with Intune.
2. Select the Manage tab near the top of the window.
3. In the left pane, select Settings.
4. Select the Shop tab. Then, under Shopping experience, set Show offline apps to
   On.

Download the offline Company Portal app


1. Search for and then select the Company Portal app.

2. Set the License type to Offline. Offline apps are managed by Intune, whereas
online apps are managed by the store. Use offline apps when you need to install
and maintain a specific app version.

3. Select Get the app to acquire and add the offline Company Portal app to your
inventory. If you already have the offline app, you can select the Manage option.

4. For Platform, select Windows 10 all devices, and then select the appropriate
Minimum version, Architecture, and Download app metadata values.

5. Select Download to save the file to your local machine.

6. Download all the packages under "Required Frameworks" by selecting Download.

This action must be completed for x86, x64, and ARM architectures:

There are 9 Required Framework Packages when selecting 1507 as the minimum OS
Version, 12 packages when selecting 1511, and 15 packages when selecting 1607.

7. In Microsoft Intune in the portal, upload the Company Portal app as a new app.
You add the application by selecting Line-of-business app as the App type in the
Select app type pane. You then select the app package file (extension
.AppxBundle).
8. Under Select dependency app files select all the dependencies you downloaded in
step 7 by using shift-click, and verify that the Added column displays Yes for the
architectures you need.

Note

If the dependencies are not added, the app might not install on the specified
device types.

9. Click Ok, enter any desired App Information, and click Add.

10. Assign the Company Portal app as a required app to your selected set of user or
device groups.

For more information about how Intune handles dependencies for Universal apps, see
Deploying an appxbundle with dependencies via Microsoft Intune MDM.

Frequently asked questions

Note

Microsoft Intune will be ending support on October 21, 2022 for devices running
Windows 8.1. Intune will no longer support Windows 8.1 sideloading.

How do I update the Company Portal app on my users' devices if they have already installed the older apps from the store?

If your users have already installed the Windows 8.1 Company Portal apps from the
Microsoft Store, their apps should be automatically updated to the latest version with no
action required from you or your users. If the update does not happen, ask your users to
confirm that they have enabled auto-updates for Store apps on their devices.

How do I upgrade my sideloaded Windows 8.1 Company Portal app to the Windows 10 Company Portal app?

Our recommended migration path is to delete the assignment for the Windows 8.1
Company Portal app by setting the assignment action to Uninstall. After you select this
setting, you can assign the Windows 10 Company Portal app by using any of the
previously discussed options.

If you need to sideload the app and you assigned the Windows 8.1 Company Portal
without signing it with the Symantec Certificate, complete the upgrade by completing
the steps in the preceding sections of this article.

If you need to sideload the app and you signed and assigned the Windows 8.1
Company Portal app with the Symantec code-signing certificate, follow the steps in the
next section.

How do I upgrade my signed and sideloaded Windows 8.1 Company Portal app to the Windows 10 Company Portal app?

Our recommended migration path is to delete the existing assignment for the Windows
8.1 Company Portal app by setting the assignment action to Uninstall. After you select
this setting, you can assign the Windows 10 Company Portal app normally.

Otherwise, the Windows 10 Company Portal app must be appropriately updated and
signed to ensure that the upgrade path is respected.

If you sign and assign the Windows 10 Company Portal app in this way, you will need to
repeat this process for each new app update when it is available in the store. The app is
not automatically updated when the store is updated.

Here's how you sign and assign the app in this way:

1. Download the Microsoft Intune Windows 10 Company Portal App Signing Script.

   This script requires the Windows SDK for Windows 10 to be installed on the host
   computer. Download the Windows SDK for Windows 10.
2. Download the Windows 10 Company Portal app from the Microsoft Store for
Business, as discussed previously.
3. To sign the Windows 10 Company Portal app, run the script with the input
parameters detailed in the script header, as shown in the following table.

Dependencies do not need to be passed into the script. They are required only
when the app is being uploaded to the Microsoft Intune admin center.

Parameter: InputWin10AppxBundle
Description: The path to the source appxbundle file.

Parameter: OutputWin10AppxBundle
Description: The output path for the signed appxbundle file.

Parameter: Win81Appx
Description: The path to the Windows 8.1 Company Portal (.APPX) file.

Parameter: PfxFilePath
Description: The path to the Symantec Enterprise Mobile Code Signing Certificate (.PFX) file.

Parameter: PfxPassword
Description: The password of the Symantec Enterprise Mobile Code Signing Certificate.

Parameter: PublisherId
Description: The Publisher ID of the enterprise. If it is absent, the Subject field of the Symantec Enterprise Mobile Code Signing Certificate is used.

Parameter: SdkPath
Description: The path to the root folder of the Windows SDK for Windows 10. This argument is optional and defaults to ${env:ProgramFiles(x86)}\Windows Kits\10.

When the script has finished running, it outputs the signed version of the Windows 10
Company Portal app. You can then assign the signed version of the app as a line-of-
business (LOB) app via Intune, which upgrades the currently assigned versions to this
new app.

Next steps
Assign apps to groups
Add the macOS Company Portal app
Article • 03/07/2023

To manage devices, install optional apps, and gain access to resources protected by
Conditional Access on macOS devices with user affinity, users must install and sign in to
the Company Portal app. You can provide instructions to your users to install Company
Portal for macOS or install it on devices already enrolled directly from Intune.

You can use any of the following options to install the Company Portal for macOS app:

Instruct users to download and install Company Portal
Install Company Portal for macOS as a macOS LOB app
Install Company Portal for macOS by using a macOS Shell Script

To help keep the apps more secure and up to date once installed, the Company Portal
app comes with Microsoft AutoUpdate (MAU).

Note

The Company Portal app can only be installed automatically on devices using
Intune that are already enrolled using direct enrollment or Automated Device
Enrollment. For personal device or manual enrollment, the Company Portal app
must be downloaded and installed to initiate enrollment. See Instruct users to
download and install Company Portal.

Instruct users to download and install Company Portal
You can instruct users to download, install, and sign in to Company Portal for macOS.
For instructions on downloading, installing, and signing into the Company Portal, see
Enroll your macOS device using the Company Portal app.

Note

When you download the Intune Company Portal for macOS devices version
2.18.2107 and later, it installs the new universal version of the app that runs natively
on Apple Silicon Macs. The same app will install the x64 version of the app on Intel
Mac machines.

Install Company Portal for macOS as a macOS LOB app
Company Portal for macOS can be downloaded and installed using the macOS LOB apps
feature. The version you download is the version that will always be installed, so it may
need to be updated periodically to ensure users get the best experience during initial
enrollment.

1. Download Company Portal for macOS from https://go.microsoft.com/fwlink/?linkid=853070.

2. Follow the instructions to create a macOS LOB app in macOS LOB apps.

Note

Once installed, the Company Portal for macOS app will automatically update using
Microsoft AutoUpdate (MAU).

Install Company Portal for macOS by using a macOS Shell Script
Company Portal for macOS can be downloaded and installed using the macOS Shell
Scripts feature. This option will always install the current version of Company Portal for
macOS, but will not provide the application install reporting you may be used to when
deploying applications using macOS LOB apps.

1. Download a sample script to install Company Portal for macOS from Intune Shell
Script Samples - Company Portal.

2. Follow instructions to deploy the macOS Shell Script using macOS Shell Scripts.

Set Run script as signed-in user to No (to run in the system context).
Set Maximum number of retries if script fails to 3.

Note

The script will require Internet access when it runs to download the current version
of the Company Portal for macOS.

Signing into the Company Portal for macOS when using Setup Assistant with Modern Authentication
For macOS devices running 10.15 and later, when creating an Automated Device
Enrollment profile, you can now choose a new authentication method: Setup Assistant
with modern authentication. The user has to authenticate using Azure AD credentials
during the setup assistant screens. This will require an additional Azure AD login
post-enrollment in the Company Portal app to gain access to corporate resources protected
by Conditional Access and for Intune to assess device compliance. The Company Portal
can be installed in any of the three ways documented here for Setup Assistant with
modern authentication.

Use one of the ways documented above to deploy the macOS Company Portal to the
devices enrolling with Setup Assistant with modern authentication so that the end user
can authenticate and complete Azure AD registration.

Users must sign into the Company Portal to complete Azure AD authentication and gain
access to resources protected by Conditional Access. User affinity is established when
users complete the enrollment and reach the home screen of the macOS device. If the
tenant has multi-factor authentication turned on for these devices or users, the users
will be asked to complete multi-factor authentication during enrollment in Setup
Assistant. Multi-factor authentication is not required, but it is available for this
authentication method within Conditional Access if needed.

For more information about configuring Setup Assistant with modern authentication for
macOS, see Create an Apple enrollment profile.

Next steps
To learn more about assigning apps, see Assign apps to groups.
To learn more about configuring Automated Device Enrollment, see Device
Enrollment Program - Enroll macOS.
To learn more about configuring Microsoft AutoUpdate settings on macOS, see
Mac Updates.
Add Microsoft Edge for Windows 10/11
to Microsoft Intune
Article • 04/19/2023

Before you can deploy, configure, monitor, or protect apps, you must add them to
Intune. One of the available app types is Microsoft Edge version 77 and later. By
selecting this app type in Intune, you can assign and install Microsoft Edge version 77
and later to devices you manage that run Windows 10.

Important

This app type offers stable, beta, and dev channels for Windows 10. The
deployment is in English (EN) only; however, end users can change the display
language in the browser under Settings > Languages. Microsoft Edge is a Win32
app installed in system context and on like architectures (x86 app on x86 OS, and
x64 app on x64 OS). Intune will detect any preexisting Microsoft Edge installations.
If it is installed in user context, a system installation will overwrite it. If it is installed
in system context, installation success is reported. In addition, automatic updates of
Microsoft Edge are On by default.

Note

Microsoft Edge version 77 and later is available for macOS as well.

You cannot use the built-in application deployment of Microsoft Edge for
workplace-joined computers. Built-in application deployment requires the Intune
management extension, which only exists for Azure AD joined devices. You can still
deploy Microsoft Edge version 77 and later using an .msi uploaded to Apps; see
Add a Windows line-of-business app to Microsoft Intune.

Prerequisites
Windows 10 version 1709 or later.
Any pre-installed versions of Microsoft Edge version 77 and later for all channels in
user context will be overwritten with Edge installed in system context.

Configure the app in Intune

You can add Microsoft Edge version 77 and later to Intune using the following steps:

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. In the App type list under the Microsoft Edge, version 77 and later, select
Windows 10.

Configure app information

In this step, you provide information about this app deployment. This information helps
you identify the app in Intune, and it helps users find the app in the company portal.

1. Click App information to display the App information pane.
2. In the App information pane, enter the following information about this app
deployment.

Name: Enter the name of the app as it will be displayed in the company
portal. Make sure that all names are unique. If the same app name exists
twice, only one of the apps is displayed to users in the company portal.
Description: Enter a description for the app. For example, you could list the
targeted users in the description.
Publisher: Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a
category that you created. This setting makes it easier for users to find the
app when they browse the company portal.
Display this as a featured app in the Company Portal: Select this option to
display the app prominently on the main page of the company portal when
users browse for apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Microsoft appears as the developer.
Owner: Microsoft appears as the owner.
Notes: Optionally, enter any notes that you want to associate with this app.

3. Select OK.

Configure app settings


In this step, configure installation options for the app.

1. In the Add App pane, select App settings.

2. In the App settings pane, select either Stable, Beta or Dev from the Channel list to
determine which Edge Channel you will deploy the app from. For more
information, see Microsoft Edge release schedule.

Stable channel is the recommended channel for deploying broadly in
Enterprise environments. It updates every four weeks, each release
incorporating improvements from the Beta channel.
Beta channel is the most stable Microsoft Edge preview experience and the
best choice for a full pilot within your organization. With major updates every
four weeks, each release incorporates the learnings and improvements from
the Dev channel.
Dev channel is ready for enterprise feedback on Windows, Windows Server
and macOS. It updates every week and contains the latest improvements and
fixes.

Note

The Microsoft Edge browser logo is displayed with the app when users
browse the company portal.

3. Select OK.

Select scope tags (optional)

You can use scope tags to determine who can see client app information in Intune. For
full details about scope tags, see Use role-based access control and scope tags for
distributed IT.

1. Select Scope (Tags) > Add.
2. Use the Select box to search for scope tags.
3. Select the check box next to the scope tags you want to assign to this app.
4. Click Select > OK.

Add the app

When you've completed configuring the app, select Add from the Add app pane.
The app you've created is displayed in the apps list, where you can assign it to the
groups that you select.

Note

Currently, if you unassign the deployment of Microsoft Edge, it will remain on the
device.

Uninstall the app


When you need to uninstall Microsoft Edge from users' devices, use the following steps.

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps > Microsoft Edge app > Assignments > Add group.

3. In the Add group pane, select Uninstall.

Note

The app is uninstalled from devices in the selected groups if Intune has
previously installed the application onto the device via an Available for
enrolled devices or Required assignment using the same deployment.

4. Select Included Groups to select the groups of users that are affected by this app
assignment.

5. Select the groups to which you want to apply the uninstall assignment.

6. Click Select on the Select groups pane.

7. Click OK on the Assign pane to set the assignment.

8. If you want to exclude any groups of users from being affected by this app
assignment, select Exclude Groups.

9. If you have chosen to exclude any groups, in Select groups, select Select.

10. Select OK in the Add group pane.

11. Select Save in the app Assignments pane.

Important
To uninstall the app successfully, make sure to remove the members or group
assignment for install before assigning them to be uninstalled. If a group is
assigned to both install an app and uninstall an app, the app will remain and not be
removed.

Troubleshooting
Microsoft Edge version 77 and later for Windows 10:

Intune uses the Intune management extension to download and deploy the Microsoft
Edge installer to assigned Windows 10 devices, then communicates the deployment
settings to the Microsoft Edge installer, which downloads and installs the Microsoft Edge
browser directly from the CDN. Reference the prerequisites for the Intune management
extension, and the best practices outlined in accessing Azure Update Service and the
CDN to ensure that your network configuration permits Windows 10 devices to access
these locations. In addition, to allow access to installation files from a CDN to install the
browser, you need to allow access to Windows Update endpoints. For more information,
see Manage connection endpoints for Windows 10, version 1809 – Windows Update
and Network endpoints for Microsoft Intune.

Next steps
Assign apps to groups
Add Microsoft Edge to macOS devices
using Microsoft Intune
Article • 05/01/2023

Before you can deploy, configure, monitor, or protect apps, you must add them to
Intune. One of the available app types is Microsoft Edge version 77 and later. By
selecting this app type in Intune, you can assign and install Microsoft Edge version 77
and later to devices you manage that run macOS. This app type makes it easy for you to
assign Microsoft Edge to macOS devices without requiring you to use the macOS app
wrapping tool. To help keep the apps more secure and up to date, the app comes with
Microsoft AutoUpdate (MAU).

Important

This app type offers developer and beta channels for macOS. The deployment is in
English (EN) only; however, end users can change the display language in the
browser under Settings > Languages.

Note

Microsoft Edge version 77 and later is available for Windows 10 as well.

Prerequisites
The macOS device must be running macOS 10.14 or later before installing
Microsoft Edge.

Add Microsoft Edge to Intune

You can add Microsoft Edge version 77 and later to Intune using the following steps:

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. In the App type list under the Microsoft Edge, version 77 and later, select macOS.

Configure app information

In this step, you provide information about this app deployment. This information helps
you identify the app in Intune, and it helps users find the app in the company portal.

1. Click App information to display the App information pane.
2. In the App information pane, enter the following information about this app
deployment.

Name: Enter the name of the app as it will be displayed in the company
portal. Make sure that all names are unique. If the same app name exists
twice, only one of the apps is displayed to users in the company portal.
Description: Enter a description for the app. For example, you could list the
targeted users in the description.
Publisher: Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a
category that you created. This setting makes it easier for users to find the
app when they browse the company portal.
Display this as a featured app in the Company Portal: Select this option to
display the app prominently on the main page of the company portal when
users browse for apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Microsoft appears as the developer.
Owner: Microsoft appears as the owner.
Notes: Optionally, enter any notes that you want to associate with this app.

3. Select OK.

Configure Microsoft Edge settings


In this step, configure installation options for the app.

1. In the Add App pane, select App settings.

2. In the App settings pane, select either Stable, Beta or Dev from the Channel list to
determine which Edge Channel you will deploy the app from. For more
information, see Microsoft Edge release schedule.
Stable channel is the recommended channel for deploying broadly in
Enterprise environments. It updates every four weeks, each release
incorporating improvements from the Beta channel.
Beta channel is the most stable Microsoft Edge preview experience and the
best choice for a full pilot within your organization. With major updates every
four weeks, each release incorporates the learnings and improvements from
the Dev channel.
Dev channel is ready for enterprise feedback on Windows, Windows Server
and macOS. It updates every week and contains the latest improvements and
fixes.

Note

The Microsoft Edge browser logo is displayed with the app when users
browse the company portal.

3. Select OK.

Select scope tags (optional)

You can use scope tags to determine who can see client app information in Intune. For
full details about scope tags, see Use role-based access control and scope tags for
distributed IT.

1. Select Scope (Tags) > Add.
2. Use the Select box to search for scope tags.
3. Select the check box next to the scope tags you want to assign to this app.
4. Click Select > OK.

Add the app

When you've completed configuring, select Add from the Add app pane.

The app you've created is displayed in the apps list, where you can assign it to the
groups that you select.

Next steps
To learn how to configure Microsoft Edge on macOS devices, see Configure
Microsoft Edge on macOS devices.
To learn about including and excluding app assignments from groups of users, see
Include and exclude app assignments.
Assign apps to groups
Add Microsoft Defender for Endpoint to
macOS devices using Microsoft Intune
Article • 05/01/2023

Before you can deploy, configure, monitor, or protect apps, you must add them to
Intune. One of the available app types is Microsoft Defender for Endpoint. By selecting
this app type in Intune, you can assign and install Microsoft Defender for Endpoint to
devices you manage that run macOS. This app type makes it easy for you to assign
Microsoft Defender for Endpoint to macOS devices without requiring you to use the
macOS app wrapping tool. To help keep the apps more secure and up to date, the app
comes with Microsoft AutoUpdate (MAU).

Prerequisites
The macOS device must be running macOS 10.13 or later.
The macOS device must have at least 650 MB of disk space.
Deploy the kernel extension in Intune. For more information, see Add macOS kernel
extensions in Intune.

Important

The kernel extension can be automatically approved only if it is present on the
device before the Microsoft Defender for Endpoint app is installed. Otherwise, users will
see a "System extension blocked" message on Macs and must approve the extension
by going to Security Preferences or System Preferences > Security & Privacy and
then selecting Allow. For more information, see Troubleshoot kernel extension
issues in Microsoft Defender for Endpoint for Mac.

Add Microsoft Defender for Endpoint to Intune

You can add Microsoft Defender for Endpoint to Intune using the following steps:

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. In the App type list under the Microsoft Defender for Endpoint, select macOS.

Configure app information

In this step, you provide information about this app deployment. This information helps
you identify the app in Intune, and it helps users find the app in the company portal.

1. Click App information to display the App information pane.
2. In the App information pane, enter the following information about this app
deployment.

Name: Enter the name of the app as it will be displayed in the company
portal. Make sure that all names are unique. If the same app name exists
twice, only one of the apps is displayed to users in the company portal.
Description: Enter a description for the app. For example, you could list the
targeted users in the description.
Publisher: Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a
category that you created. This setting makes it easier for users to find the
app when they browse the company portal.
Display this as a featured app in the Company Portal: Select this option to
display the app prominently on the main page of the company portal when
users browse for apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Microsoft appears as the developer.
Owner: Microsoft appears as the owner.
Notes: Optionally, enter any notes that you want to associate with this app.

3. Select OK.

Select scope tags (optional)

You can use scope tags to determine who can see client app information in Intune. For
full details about scope tags, see Use role-based access control and scope tags for
distributed IT.

1. Select Scope (Tags) > Add.
2. Use the Select box to search for scope tags.
3. Select the check box next to the scope tags you want to assign to this app.
4. Click Select > OK.

Add the app

When you've completed configuring, select Add from the Add app pane.

The app you've created is displayed in the apps list, where you can assign it to the
groups that you select.

Note

Currently, Apple does not provide a way for Intune to uninstall Microsoft Defender
for Endpoint on macOS devices.

Next steps
To learn about Intune-based deployment for Microsoft Defender for Endpoint on
macOS, see Intune-based deployment for Microsoft Defender for Endpoint on
macOS
To learn about applying an antivirus policy for endpoint security in Intune, see
Antivirus policy for endpoint security in Intune
To learn about including and excluding app assignments from groups of users, see
Include and exclude app assignments.
To learn how to assign apps to groups in Intune, see Assign apps to groups.
Use PowerShell scripts on Windows
10/11 devices in Intune
Article • 07/17/2023

Use the Microsoft Intune management extension to upload PowerShell scripts in Intune.
Then, run these scripts on Windows 10 devices. The management extension enhances
Windows mobile device management (MDM), and makes it easier to move to modern
management.

This feature applies to:

Windows 10 and later (excluding Windows 10 Home)

Note

Once the Intune management extension prerequisites are met, the Intune
management extension is installed automatically when a PowerShell script, Win32
app, Microsoft Store app, custom compliance policy setting, or Proactive
remediation is assigned to the user or device. For more information, see Intune
Management Extensions prerequisites.

PowerShell scripts, which are not officially supported on Workplace join (WPJ)
devices, can be deployed to WPJ devices. Specifically, device context PowerShell
scripts work on WPJ devices, but user context PowerShell scripts are ignored by
design. User context scripts will be ignored on WPJ devices and will not be reported
to the Microsoft Intune admin center.

Move to modern management

User computing is going through a digital transformation. Traditional IT focuses on a
single device platform, business-owned devices, users that work from the office, and
different manual, reactive IT processes. The modern workplace uses many platforms that
are user and business owned. It allows users to work from anywhere, and provides
automated and proactive IT processes.

MDM services, such as Microsoft Intune, can manage mobile and desktop devices
running Windows 10. The built-in Windows 10 management client communicates with
Intune to run enterprise management tasks. There are some tasks that you might need,
such as advanced device configuration and troubleshooting. For Win32 app
management, you can use the Win32 app management feature on your Windows 10
devices.

The Intune management extension supplements the in-box Windows 10 MDM features.
You can create PowerShell scripts to run on Windows 10 devices. For example, create a
PowerShell script that does advanced device configurations. Then, upload the script to
Intune, assign the script to an Azure Active Directory (AD) group, and run the script. You
can then monitor the run status of the script from start to finish.

Before you begin

When scripts are set to user context and the end user has administrator rights, by
default, the PowerShell script runs with administrator privileges.

End users aren't required to sign in to the device to execute PowerShell scripts.

The Intune management extension agent checks after every reboot for any new
scripts or changes. After you assign the policy to the Azure AD groups, the
PowerShell script runs, and the run results are reported. Once the script executes, it
doesn't execute again unless there's a change in the script or policy. If the script
fails, the Intune management extension agent retries the script three times for the
next three consecutive Intune management extension agent check-ins.

For shared devices, the PowerShell script will run for every new user that signs in.

PowerShell scripts are executed before Win32 apps run. In other words, PowerShell
scripts execute first. Then, Win32 apps execute.

PowerShell scripts time out after 30 minutes.

Important

Best practices for privacy awareness when using PowerShell scripts and
Remediation scripts include the following:

Do not include any type of sensitive information in scripts (such as passwords)
Do not include Personally Identifiable Information (PII) in scripts
Do not use scripts to collect PII from devices
Always follow privacy best practices

For related information, see Remediations.


Prerequisites
The Intune management extension has the following prerequisites. Once they're met,
the Intune management extension installs automatically when a PowerShell script or
Win32 app is assigned to the user or device.

Devices running Windows 10 version 1607 or later. If the device is enrolled using
bulk auto-enrollment, devices must run Windows 10 version 1709 or later. The
Intune management extension isn't supported on Windows 10 in S mode, as S
mode doesn't allow running non-store apps.

Devices joined to Azure Active Directory (AD), including:

Hybrid Azure AD-joined: Devices joined to Azure Active Directory (AAD), and
also joined to on-premises Active Directory (AD). See Plan your hybrid Azure
Active Directory join implementation for guidance.

Azure AD registered/Workplace joined (WPJ): Devices registered in Azure Active
Directory (AAD), see Workplace Join as a seamless second factor authentication for
more information. Typically these are Bring Your Own Device (BYOD) devices which
have had a work or school account added via Settings>Accounts>Access work or
school.

Devices enrolled in Intune, including:

Devices enrolled in a group policy (GPO). See Enroll a Windows 10 device
automatically using Group Policy for guidance.

Devices manually enrolled in Intune, which is when:

Auto-enrollment to Intune is enabled in Azure AD. Users sign in to devices
using a local user account, and manually join the device to Azure AD. Then,
they sign in to the device using their Azure AD account.

OR

User signs in to the device using their Azure AD account, and then enrolls in
Intune.

Co-managed devices that use Configuration Manager and Intune. When
installing Win32 apps, make sure the Apps workload is set to Pilot Intune or
Intune. PowerShell scripts will be run even if the Apps workload is set to
Configuration Manager. The Intune management extension will be deployed to
a device when you target a PowerShell script to the device. Remember, the
device must be an Azure AD or Hybrid Azure AD joined device. And, it must be
running Windows 10 version 1607 or later. See the following articles for
guidance:
What is co-management
Client apps workload
How to switch Configuration Manager workloads to Intune

Scripts deployed to clients running the Intune management extension will fail to
run if the device's system clock is out of date by months or years. Once the system
clock is brought up to date, the script will run as expected.

Note

For information about using Windows 10 VMs, see Using Windows 10 virtual
machines with Intune.

Create a script policy and assign it

1. Sign in to the Microsoft Intune admin center.
2. Select Devices > Scripts > Add > Windows 10 and later.
3. In Basics, enter the following properties, and select Next:

Name: Enter a name for the PowerShell script.
Description: Enter a description for the PowerShell script. This setting is
optional, but recommended.

4. In Script settings, enter the following properties, and select Next:

Script location: Browse to the PowerShell script. The script must be less than
200 KB (ASCII).

Run this script using the logged on credentials: Select Yes (default) to run
the script with the user's credentials on the device. Choose No to run the
script in the system context. Many administrators choose Yes. If the script is
required to run in the system context, choose No.

Enforce script signature check: Select Yes (default) if the script must be
signed by a trusted publisher. Select No if there isn't a requirement for the
script to be signed.
Run script in 64-bit PowerShell host: Select Yes to run the script in a 64-bit
PowerShell host on a 64-bit client architecture. Select No (default) to run the
script in a 32-bit PowerShell host.

When setting this to Yes or No, use the following table for new and existing
policy behavior:

Run script in 64-bit host: No
Client architecture: 32-bit
New script: 32-bit PowerShell host supported.
Existing policy script: Runs only in a 32-bit PowerShell host, which works on 32-bit and
64-bit architectures.

Run script in 64-bit host: Yes
Client architecture: 64-bit
New script: Runs the script in a 64-bit PowerShell host for 64-bit architectures. When
run on 32-bit, the script runs in a 32-bit PowerShell host.
Existing policy script: Runs the script in a 32-bit PowerShell host. If this setting changes
to 64-bit, the script opens (it doesn't run) in a 64-bit PowerShell host, and reports the
results. When run on 32-bit, the script runs in a 32-bit PowerShell host.

5. Select Scope tags. Scope tags are optional. Use role-based access control (RBAC)
and scope tags for distributed IT has more information.

To add a scope tag:

a. Choose Select scope tags > select an existing scope tag from the list > Select.

b. When finished, select Next.

6. Select Assignments > Select groups to include. An existing list of Azure AD
groups is shown.

a. Select one or more groups that include the users whose devices receive the
script. Choose Select. The groups you chose are shown in the list, and will
receive your policy.

Note

PowerShell scripts in Intune can be targeted to Azure AD device security
groups or Azure AD user security groups. However, when targeting
workplace joined (WPJ) devices, only Azure AD device security groups can
be used (user targeting will be ignored). For more information, see Win32
app support for Workplace join (WPJ) devices.

b. Select Next.

7. In Review + add, a summary is shown of the settings you configured. Select Add
to save the script. When you select Add, the policy is deployed to the groups you
chose.

Failure to run script example

8 AM: Check in. Run script ConfigScript01. Script fails.

9 AM: Check in. Run script ConfigScript01. Script fails (retry count = 1).

10 AM: Check in. Run script ConfigScript01. Script fails (retry count = 2).

11 AM: Check in. Run script ConfigScript01. Script fails (retry count = 3).

12 PM: Check in. No additional attempts are made to run the ConfigScript01 script.
If no additional changes are made to the script, then no additional attempts are
made to run the script.
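An added example, not a script from the Intune documentation: a template for a script deployed through Devices > Scripts that copes with the behaviours described above (the 32-bit host used when Run script in 64-bit PowerShell host is No, the three retries after a failed run, and the system or user context it runs in). The log file name, the registry key and the task it performs are placeholders.

```powershell
# Added example, not from the Intune documentation. Template for a script deployed
# under Devices > Scripts. It handles three behaviours described in this article:
#  - with "Run script in 64-bit PowerShell host" set to No, Intune starts a 32-bit
#    host on 64-bit Windows, so the script relaunches itself through the sysnative alias;
#  - Intune retries a failed script on the next three check-ins, so the script returns a
#    non-zero exit code only on a genuine failure (exit code 0 means "done, do not retry");
#  - it records whether it runs as SYSTEM or as the signed-in user, and whether elevated.
# The log file name, the registry key and the placeholder task are assumptions.

$ErrorActionPreference = 'Stop'   # turn non-terminating errors into catchable ones

# Log next to the agent's own logs so CMTrace shows both (see "Intune management extension logs").
$LogDir  = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
$LogFile = Join-Path $LogDir 'ConfigScript01.log'   # assumed name, matching the timeline above

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    # In user context the Logs folder may not be writable; never let logging fail the script.
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
    Write-Output $line
}

# Relaunch in the native 64-bit host when running as a 32-bit process on 64-bit Windows.
# The sysnative alias bypasses file-system redirection so the 64-bit powershell.exe is found.
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    $native = Join-Path $env:SystemRoot 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    Write-Log "32-bit host on 64-bit OS; relaunching via $native"
    & $native -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE   # hand the 64-bit run's result back so Intune reports it
}

# Record the execution context so the report in the admin center can be matched to the log.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Log ('Running as {0}; elevated={1}; 64-bit process={2}' -f $identity.Name, $elevated, [Environment]::Is64BitProcess)

$exitCode = 0
try {
    # Placeholder task: make sure a registry value exists. Replace with the real configuration.
    $key = 'HKLM:\SOFTWARE\Contoso\ConfigScript01'   # placeholder path
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Applied' -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Log 'Configuration applied successfully'
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    $exitCode = 1   # non-zero: Intune marks the run as failed and retries on the next three check-ins
}
exit $exitCode
```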

Monitor run status


You can monitor the run status of PowerShell scripts for users and devices in the portal.

In PowerShell scripts, select the script to monitor, choose Monitor, and then choose
one of the following reports:

Device status
User status

Intune management extension logs

Agent logs on the client machine are typically in
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. You can use CMTrace.exe to
view these log files.

Delete a script
In PowerShell scripts, right-click the script, and select Delete.

Common issues and resolutions

Issue: Intune management extension doesn't download

Possible resolutions:

The device isn't joined to Azure AD. Be sure the devices meet the prerequisites (in
this article).
There are no PowerShell scripts or Win32 apps assigned to the groups that the
user or device belongs to.
The device can't check in with the Intune service. For example, there's no internet
access, no access to Windows Push Notification Services (WNS), and so on.
The device is in S mode. The Intune management extension isn't supported on
devices running in S mode.

To see if the device is auto-enrolled, you can:

1. Go to Settings > Accounts > Access work or school.
2. Select the joined account > Info.
3. Under Advanced Diagnostic Report, select Create Report.
4. Open the MDMDiagReport in a web browser.
5. Search for the MDMDeviceWithAAD property. If the property exists, the device is
auto-enrolled. If this property doesn't exist, then the device isn't auto-enrolled.

Enable Windows 10 automatic enrollment includes the steps to configure automatic enrollment in Intune.

Issue: PowerShell scripts do not run

Possible resolutions:

The PowerShell scripts don't run at every sign in. They run:

When the script is assigned to a device

If you change the script, upload it, and assign the script to a user or device

Tip

The Microsoft Intune Management Extension is a service that runs on the device, just like any other service listed in the Services app (services.msc). After a device reboots, this service may also restart, and check for any assigned PowerShell scripts with the Intune service. If the Microsoft Intune Management Extension service is set to Manual, then the service may not restart after the device reboots.

Be sure devices are joined to Azure AD. Devices that are only joined to your
workplace or organization (registered in Azure AD) won't receive the scripts.

Confirm the Intune management extension is downloaded to %ProgramFiles(x86)%\Microsoft Intune Management Extension.

Scripts don't run on Surface Hubs or Windows 10 in S mode.

Review the logs for any errors. See Intune management extension logs (in this
article).

For possible permission issues, be sure the properties of the PowerShell script are
set to Run this script using the logged on credentials . Also check that the
signed in user has the appropriate permissions to run the script.

To isolate scripting problems, you can:

Review the PowerShell execution configuration on your devices. See the PowerShell execution policy for guidance.

Run a sample script using the Intune management extension. For example,
create the C:\Scripts directory, and give everyone full control. Run the
following script:

PowerShell

write-output "Script worked" | out-file c:\Scripts\output.txt

If it succeeds, output.txt should be created, and should include the "Script worked" text.

To test script execution without Intune, run the scripts in the System account
using the psexec tool locally:

psexec -i -s

If the script reports that it succeeded, but it didn't actually succeed, then it's possible your antivirus service may be sandboxing AgentExecutor. The following script always reports a failure in Intune. As a test, you can use this script:

PowerShell

Write-Error -Message "Forced Fail" -Category OperationStopped
mkdir "c:\temp"
echo "Forced Fail" | out-file c:\temp\Fail.txt

If the script reports a success, look at the AgentExecutor.log to confirm the error output. If the script executes, the length should be >2.

To capture the .error and .output files, the following snippet executes the
script through AgentExecutor to PowerShell x86
( C:\Windows\SysWOW64\WindowsPowerShell\v1.0 ). It keeps the logs for your
review. Remember, the Intune Management Extension cleans up the logs after
the script executes:

PowerShell

# Prompt for the script to run and for a folder that will keep the .output, .error and .timeout files
$scriptPath = read-host "Enter the path to the script file to execute"
$logFolder = read-host "Enter the path to a folder to output the logs to"
$outputPath = $logFolder+"\output.output"
$errorPath = $logFolder+"\error.error"
$timeoutPath = $logFolder+"\timeout.timeout"
$timeoutVal = 60000
# 32-bit (x86) PowerShell folder and the AgentExecutor binary installed by the Intune Management Extension
$PSFolder = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0"
$AgentExec = "C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe"
# Run the script through AgentExecutor so the output and error files are written to $logFolder
&$AgentExec -powershell $scriptPath $outputPath $errorPath $timeoutPath $timeoutVal $PSFolder 0 0

Next steps
Monitor and troubleshoot your profiles.

Use shell scripts on macOS devices in Intune
Article • 05/25/2023

Use shell scripts to extend device management capabilities in Intune, beyond what is
supported by the macOS operating system.

Note

Rosetta 2 is required to run the x64 (Intel) version of apps on Apple Silicon Macs. To install Rosetta 2 on Apple Silicon Macs automatically, you can deploy a shell script in Endpoint Manager. To view a sample script, see Rosetta 2 Installation Script.

Prerequisites
Ensure that the following prerequisites are met when composing shell scripts and
assigning them to macOS devices.

Devices are running macOS 11.0 or later.
Devices are managed by Intune.
Devices are connected directly to the Internet. Connection through a proxy is not supported.
Shell scripts begin with #! and must be in a valid location such as #!/bin/sh or #!/usr/bin/env zsh.

Command-line interpreters for the applicable shells are installed.

Important considerations before using shell scripts
Shell scripts require that the Microsoft Intune management agent is successfully
installed on the macOS device. For more information, see Microsoft Intune
management agent for macOS.
Shell scripts run in parallel on devices as separate processes.
Shell scripts that are run as the signed-in user will run for all currently signed-in
user accounts on the device at the time of the run.
An end user is required to sign in to the device to execute scripts running as a
signed-in user.
Root user privileges are required if the script requires making changes that a
standard user account cannot.
Shell scripts will attempt to run more frequently than the chosen script frequency
for certain conditions, such as if the disk is full, if the storage location is tampered
with, if the local cache is deleted, or if the Mac device restarts.
Shell scripts that are running for longer than 60 minutes are stopped and reported
as "failed".

Create and assign a shell script policy

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > macOS > Shell scripts > Add.

3. In Basics, enter the following properties, and select Next:

Name: Enter a name for the shell script.
Description: Enter a description for the shell script. This setting is optional, but recommended.

4. In Script settings, enter the following properties, and select Next:

Upload script: Browse to the shell script. The script file must be less than 200
KB in size.
Run script as signed-in user: Select Yes to run the script with the user's
credentials on the device. Choose No (default) to run the script as the root
user.
Hide script notifications on devices: By default, script notifications are shown
for each script that is run. End users see an IT is configuring your computer
notification from Intune on macOS devices.
Script frequency: Select how often the script is to be run. Choose Not
configured (default) to run a script only once.
Max number of times to retry if script fails: Select how many times the script
should be run if it returns a non-zero exit code (zero meaning success).
Choose Not configured (default) to not retry when a script fails.

5. In Scope tags, optionally add scope tags for the script, and select Next. You can
use scope tags to determine who can see scripts in Intune. For full details about
scope tags, see Use role-based access control and scope tags for distributed IT.

6. Select Assignments > Select groups to include. An existing list of Azure AD groups is shown. Select one or more user or device groups that are to receive the script. Choose Select. The groups you choose are shown in the list, and will receive your script policy.

Note

Shell scripts assigned to user groups apply to any user logging in to the Mac.
Updating assignments for shell scripts also updates assignments for Microsoft Intune MDM Agent for macOS.

7. In Review + add, a summary is shown of the settings you configured. Select Add
to save the script. When you select Add, the script policy is deployed to the groups
you chose.

The script you created now appears in the list of scripts. If needed, you can view the
contents of macOS shell scripts after you upload them to Intune.
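Before a script is uploaded, it is worth checking it against the limits listed in this article. The following is an added example, not code from the Intune documentation: it verifies the #! line, that the interpreter it names is installed, the 200 KB upload limit, and, as an added caveat, CRLF line endings, which leave a stray carriage return after the interpreter path so the script never starts. The function name check_intune_shell_script and the MAX_SCRIPT_BYTES constant are my own; the limits come from the text above.

```shell
#!/bin/sh
# Added example, not code from the Intune documentation: checks a shell script
# against the upload rules above before it is added as a policy. The function
# name and MAX_SCRIPT_BYTES are hypothetical; the 200 KB limit and the "#!"
# requirement come from the article.

MAX_SCRIPT_BYTES=204800   # 200 KB size limit from Script settings

# Returns 0 when $1 passes every check; otherwise prints each failure and
# returns 1, so a packaging job can refuse the upload.
check_intune_shell_script() {
    script="$1"
    rc=0

    if [ ! -f "$script" ]; then
        echo "missing file: $script"
        return 1
    fi

    # 1. First line must be a shebang naming an installed interpreter.
    #    "#!/usr/bin/env zsh" resolves through PATH; "#!/bin/sh" is a fixed path.
    first=$(head -n 1 "$script" | tr -d '\r')
    case "$first" in
        '#!'*)
            set -- $(printf '%s\n' "$first" | sed 's/^#!//')
            interp=$1
            if [ "$interp" = "/usr/bin/env" ]; then
                interp=$2
                command -v "$interp" >/dev/null 2>&1 \
                    || { echo "interpreter not on PATH: $interp"; rc=1; }
            elif [ ! -x "$interp" ]; then
                echo "interpreter not installed: $interp"; rc=1
            fi
            ;;
        *)
            echo "first line is not a shebang: $first"; rc=1
            ;;
    esac

    # 2. Size limit enforced by the admin center upload.
    size=$(wc -c < "$script" | tr -d ' ')
    if [ "$size" -ge "$MAX_SCRIPT_BYTES" ]; then
        echo "too large: $size bytes (limit $MAX_SCRIPT_BYTES)"; rc=1
    fi

    # 3. Added caveat: CRLF line endings leave a stray \r after the interpreter
    #    path, so the kernel cannot find it and the script never starts.
    if grep -q "$(printf '\r')" "$script"; then
        echo "CRLF line endings found; convert with tr -d '\\r'"; rc=1
    fi

    return "$rc"
}

# Usage: sh check_script.sh path/to/script.sh
if [ "$#" -eq 1 ]; then
    check_intune_shell_script "$1"
fi
```

Run it on a build host or on a Mac; on a Mac the interpreter check also confirms that, for example, zsh is present where the shebang expects it.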

Monitor a shell script policy

You can monitor the run status of all assigned scripts for users and devices by choosing one of the following reports:

Scripts > select the script to monitor > Device status
Scripts > select the script to monitor > User status

Important

Irrespective of the selected Script frequency, the script run status is reported only
the first time a script is run. Script run status is not updated on subsequent runs.
However, updated scripts are treated as new scripts and will report the run status
again.

Once a script runs, it returns one of the following statuses:

A script run status of Failed indicates that the script returned a non-zero exit code
or the script is malformed.
A script run status of Success indicates that the script returned zero as the exit code.

Troubleshoot macOS shell script policies using log collection
You can collect device logs to help troubleshoot script issues on macOS devices.

Requirements for log collection

The following items are required to collect logs on a macOS device:

You must specify the full absolute log file path.
File paths must be separated using only a semicolon (;).
The maximum log collection size to upload is 60 MB (compressed) or 25 files, whichever occurs first.
File types that are allowed for log collection include the following extensions: .log, .zip, .gz, .tar, .txt, .xml, .crash, .rtf

Collect device logs

1. Sign in to the Microsoft Intune admin center.

2. Navigate to Devices > Scripts and select a macOS shell script.

3. In the Device status or User status report, select a device.

4. Select Collect logs, and provide the folder paths of the log files separated only by a semicolon (;) without spaces or newlines between paths.

For example, multiple paths should be written as /Path/to/logfile1.zip;/Path/to/logfile2.log.

Important

Multiple log file paths separated using comma, period, newline or quotation
marks with or without spaces will result in log collection error. Spaces are also
not allowed as separators between paths.

5. Select OK. Logs are collected the next time the Intune management agent on the
device checks in with Intune. This check-in usually occurs every 8 hours.

Note

Collected logs are encrypted on the device, transmitted and stored in Microsoft Azure storage for 30 days. Stored logs are decrypted on demand and downloaded using Microsoft Intune admin center.
In addition to the admin-specified logs, the Intune management agent logs are also collected from these folders: /Library/Logs/Microsoft/Intune and ~/Library/Logs/Microsoft/Intune.
The agent log file names are IntuneMDMDaemon date--time.log and IntuneMDMAgent date--time.log.
If any admin-specified file is missing or has the wrong file extension, you will find these file names listed in LogCollectionInfo.txt.
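The separator and path rules above are easy to get wrong, and a mistake only surfaces after the next agent check-in. The following is an added example, not code from the Intune documentation: it validates the Collect logs path string locally, rejecting any separator other than a semicolon, relative paths, extensions outside the allowed list, and more than 25 entries. The function name validate_collect_logs_paths and the constants MAX_LOG_FILES and ALLOWED_EXT are my own; the rules come from the requirements listed above.

```shell
#!/bin/sh
# Added example, not code from the Intune documentation: validates the path
# string typed into Collect logs before the request is sent, using the rules
# under "Requirements for log collection". Function name and constants are
# hypothetical; the limits and allowed extensions come from the article.

MAX_LOG_FILES=25
ALLOWED_EXT="log zip gz tar txt xml crash rtf"

# Returns 0 when $1 is an acceptable Collect logs value, 1 otherwise, printing
# every violation so the admin can fix them all before retrying.
validate_collect_logs_paths() {
    paths="$1"
    rc=0

    # Only ';' may separate entries. Any byte outside the allowed set (commas,
    # spaces, quotes, newlines) is rejected up front; tr/wc is used instead of
    # grep because grep would not see a newline used as a separator.
    stray=$(printf '%s' "$paths" | tr -d 'A-Za-z0-9/._;-' | wc -c | tr -d ' ')
    if [ "$stray" -ne 0 ]; then
        echo "invalid separator or character: use only ';' between absolute paths"; rc=1
    fi

    count=0
    old_ifs=$IFS
    IFS=';'
    for p in $paths; do
        IFS=$old_ifs
        count=$((count + 1))

        # Each entry must be a full absolute path.
        case "$p" in
            /*) ;;
            *) echo "not an absolute path: '$p'"; rc=1 ;;
        esac

        # Only the listed extensions are collected.
        ext=${p##*.}
        allowed=0
        for a in $ALLOWED_EXT; do
            [ "$ext" = "$a" ] && allowed=1
        done
        [ "$allowed" -eq 1 ] || { echo "extension not allowed: '$p'"; rc=1; }
    done
    IFS=$old_ifs

    if [ "$count" -gt "$MAX_LOG_FILES" ]; then
        echo "$count files listed; at most $MAX_LOG_FILES are collected"; rc=1
    fi
    return "$rc"
}

# Usage: sh check_paths.sh '/Library/Logs/Microsoft/Intune/agent.log;/tmp/report.zip'
if [ "$#" -eq 1 ]; then
    validate_collect_logs_paths "$1"
fi
```

The 60 MB compressed limit is not checked here because it depends on the files as they exist on the device at collection time, not on the path string.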

Log collection errors

Log collection may not be successful due to any of the reasons in the following table. To resolve these errors, follow the remediation steps.

Error code (hex) | Error code (dec) | Error message | Remediation steps
0X87D300D1 | 2016214834 | Log file size cannot exceed 60 MB. | Ensure that compressed logs are less than 60 MB in size.
0X87D300D1 | 2016214831 | The provided log file path must exist. The system user folder is an invalid location for log files. | Ensure that the provided file path is valid and accessible.
0X87D300D2 | 2016214830 | Log collection file upload failed due to expiration of upload URL. | Retry the Collect logs action.
0X87D300D3, 0X87D300D5, 0X87D300D7 | 2016214829, 2016214827, 2016214825 | Log collection file upload failed due to encryption failure. Retry log upload. | Retry the Collect logs action.
(not listed) | 2016214828 | The number of log files exceeded the allowed limit of 25 files. | Only up to 25 log files can be collected at a time.
0X87D300D6 | 2016214826 | Log collection file upload failed due to zip error. Retry log upload. | Retry the Collect logs action.
(not listed) | 2016214740 | The logs couldn't be encrypted as compressed logs were not found. | Retry the Collect logs action.
(not listed) | 2016214739 | The logs were collected but couldn't be stored. | Retry the Collect logs action.

Custom attributes for macOS

You can create custom attribute profiles which enable you to collect custom properties from managed macOS devices using shell scripts.

Create and assign a custom attribute for macOS devices

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > macOS > Custom attributes > Add.

3. In Basics, enter the following properties, and select Next:

Name: Enter a name for the script.
Description: Enter a description for the script. This setting is optional, but recommended.

4. In Attribute settings, enter the following properties, and select Next:

Data type of attribute: Select the data type of the result that the script
returns. Available values are String, Integer, and Date.
Script: Select a script file.

Additional details:

The shell script must echo the attribute to be reported and the data type of
the output must match the data type of attribute in the custom attribute
profile.
The result returned by the shell script must be 20KB or less.

Note

When using Date type attributes, ensure that the shell script returns dates in ISO-8601 format. See the examples below.

To print an ISO-8601-compliant date with time-zone:

Shell

#!/bin/sh

var=$(date +"%Y-%m-%dT%H:%M:%S%z")

echo $var # Prints an ISO-8601 compliant date with time-zone

To print an ISO-8601-compliant date in UTC time:

Shell

#!/bin/sh

var=$(date -u +"%Y-%m-%dT%H:%M:%SZ")

echo $var # Prints an ISO-8601 compliant date in UTC time

5. In Assignments, click Select groups to include. When you choose Select groups to
include an existing list of Azure AD groups is shown. Select one or more user or
device groups that are to receive the script. Choose Select. The groups you choose
are shown in the list, and will receive your script policy. Alternatively, you can
choose to select All users, All devices, or All users and all devices by selecting one
of these options in the dropdown box next to Assign to.

Note

Scripts assigned to user groups apply to any user logging in to the Mac.

6. In Review + add, a summary is shown of the settings you configured. Select Add
to save the script. When you select Add, the script policy is deployed to the groups
you chose.

The script you created now appears in the list of custom attributes. If needed, you can
view the contents of custom attributes after you upload them to Intune.
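A complete custom attribute script, as an added example that is not part of the Intune documentation: it reports the Mac's last boot time as a Date attribute in the ISO-8601 UTC form shown above, and wraps the value in the checks that decide between a Success and a Failed status (a value over 20 KB, a non-ISO-8601 date, or a non-integer for an Integer attribute makes the script exit non-zero). The functions is_iso8601_utc, epoch_to_iso8601_utc, boot_epoch and report_attribute and the constant MAX_RESULT_BYTES are my own; the data-type rules and the 20 KB limit come from the text above. The GNU date fallback and the /proc/stat branch are there only so the helpers can be exercised on a Linux build host.

```shell
#!/bin/sh
# Added example, not code from the Intune documentation: a custom attribute
# script of data type Date that reports the Mac's last boot time in ISO-8601
# UTC, plus the checks that keep the profile from being reported as Failed
# (20 KB result limit, zero exit code, ISO-8601 for Date). Function names and
# MAX_RESULT_BYTES are hypothetical; the rules come from the article.

MAX_RESULT_BYTES=20480   # 20 KB limit on the value echoed by the script

# Returns 0 if $1 is an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ
# (the UTC example given in the article).
is_iso8601_utc() {
    printf '%s\n' "$1" \
      | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$'
}

# Formats epoch seconds ($1) as ISO-8601 UTC. BSD date on macOS takes -r; the
# GNU -d fallback lets the helper be tested on a Linux host.
epoch_to_iso8601_utc() {
    date -u -r "$1" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null \
      || date -u -d "@$1" +"%Y-%m-%dT%H:%M:%SZ"
}

# Last boot time in epoch seconds: kern.boottime on macOS, btime on Linux.
boot_epoch() {
    if sysctl -n kern.boottime >/dev/null 2>&1; then
        sysctl -n kern.boottime | sed -n 's/.*sec = \([0-9]*\).*/\1/p'
    else
        awk '/^btime/ { print $2 }' /proc/stat
    fi
}

# Echoes $1 as the attribute value when it satisfies the rules for data type $2
# (string, integer or date); otherwise prints the reason to stderr and returns
# 1, which becomes a non-zero exit code and a Failed status in the report.
report_attribute() {
    value="$1"
    type="$2"
    size=$(printf '%s' "$value" | wc -c | tr -d ' ')
    if [ "$size" -gt "$MAX_RESULT_BYTES" ]; then
        echo "result is $size bytes; limit is $MAX_RESULT_BYTES" >&2
        return 1
    fi
    case "$type" in
        string) ;;
        integer)
            printf '%s\n' "$value" | grep -Eq '^-?[0-9]+$' \
              || { echo "not an integer: $value" >&2; return 1; }
            ;;
        date)
            is_iso8601_utc "$value" \
              || { echo "not ISO-8601 UTC: $value" >&2; return 1; }
            ;;
        *)
            echo "unknown data type: $type" >&2
            return 1
            ;;
    esac
    printf '%s\n' "$value"
}

# Entry point used by the custom attribute profile (data type Date).
report_attribute "$(epoch_to_iso8601_utc "$(boot_epoch)")" date
```

Because the profile runs every 8 hours and only the echoed value reaches the Result column, keeping all diagnostics on stderr and the single attribute value on stdout is what makes the report usable.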

Monitor a custom attribute policy


You can monitor the run status of all assigned custom attribute profiles for users and
devices by choosing one of the following reports:

Custom attributes > select the custom attribute profile to monitor > Device status
Custom attributes > select the custom attribute profile to monitor > User status

Important
Shell scripts provided in custom attribute profiles are run every 8 hours on
managed Macs and reported.

Once a custom attribute profile runs, it returns one of the following statuses:

A status of Failed indicates that the script returned a non-zero exit code or the
script is malformed. The error is reported in the Result column.
A status of Success indicates that the script returned zero as the exit code. The
output echoed by the script is reported in the Result column.

Frequently asked questions

Why are assigned shell scripts not running on the device?

There could be several reasons:

The agent might need to check in to receive new or updated scripts. This check-in process occurs every 8 hours and is different from the MDM check-in. Make sure that the device is awake and connected to a network for a successful agent check-in and wait for the agent to check in. You can also request the end user to open Company Portal on the Mac, select the device and click Check settings.
The agent may not be installed. Check that the agent is installed at /Library/Intune/Microsoft Intune Agent.app on the macOS device.
The agent may not be in a healthy state. The agent will attempt to recover for 24 hours, remove itself and reinstall if shell scripts are still assigned.

How frequently is script run status reported?

Script run status is reported to Microsoft Intune admin center as soon as script run is
complete. If a script is scheduled to run periodically at a set frequency, it only reports
status the first time it runs.

When are shell scripts run again?

A script is run again only when the Max number of times to retry if script fails setting is configured and the script fails on run. If the Max number of times to retry if script fails is not configured and a script fails on run, it will not be run again and run status will be reported as failed.

What Intune role permissions are required for shell scripts?

Your assigned Intune role requires Device configurations permissions to delete, assign, create, update, or read shell scripts.

Known issues
No script run status: In the unlikely event that a script is received on the device
and the device goes offline before the run status is reported, the device will not
report run status for the script in the admin center.

Additional information
When you deploy shell scripts or custom attributes for macOS devices from Microsoft
Endpoint Manager, it deploys the new universal version of the Intune management
agent app that runs natively on Apple Silicon Mac machines. The same deployment will
install the x64 version of the app on Intel Mac machines. Rosetta 2 is required to run x64
(Intel) version of apps on Apple Silicon Macs. To install Rosetta 2 on Apple Silicon Macs
automatically, you can deploy a shell script in Endpoint Manager. To view a sample
script, see Rosetta 2 Installation Script .

Next steps
Create a compliance policy in Microsoft Intune

Assign apps to groups with Microsoft Intune
Article • 04/19/2023

After you've added an app to Microsoft Intune, you can assign the app to users and
devices. It is important to note that you can deploy an app to a device whether or not
the device is managed by Intune.

Note

The Available for enrolled devices deployment intent is supported for user groups
and device groups when targeting Android Enterprise fully managed devices
(COBO) and Android Enterprise corporate-owned personally-enabled (COPE)
devices.

The following table lists the various options for assigning apps to users and devices:

Option | Devices enrolled with Intune | Devices not enrolled with Intune
Assign to users | Yes | Yes
Assign to devices | Yes | No
Assign wrapped apps or apps that incorporate the Intune SDK (for app protection policies) | Yes | Yes
Assign apps as Available | Yes | Yes
Assign apps as Required | Yes | No
Uninstall apps | Yes | No
Receive app updates from Intune | Yes | No
End users install available apps from the Company Portal app | Yes | No
End users install available apps from the web-based Company Portal | Yes | Yes

Note

Currently, you can assign iOS/iPadOS and Android apps (line-of-business and store-purchased apps) to devices that aren't enrolled with Intune.

To receive app updates on devices that aren't enrolled with Intune, device users must go to their organization's Company Portal and manually install app updates.

For almost all app types and platforms, Available assignments are only valid when assigning to user groups, not device groups. Win32 apps can be assigned to either user or device groups.

If managed Google Play pre-production track apps are assigned as required on Android Enterprise personally-owned work profile devices, they will not install on the device. To work around this, create two identical user groups and assign the pre-production track as "available" to one and "required" to the other. The result will be that the pre-production track successfully deploys to the device.

Assign an app
1. Sign in to the Microsoft Intune admin center .

2. Select Apps > All apps.

3. In the Apps pane, select the app you want to assign.

4. In the Manage section of the menu, select Properties.

5. Scroll down to Properties and select Assignments.

6. Select Add Group to open the Add group pane that is related to the app.

7. For the specific app, select an assignment type:

Available for enrolled devices: Assign the app to groups of users who can
install the app from the Company Portal app or website.

Available with or without enrollment: Assign this app to groups of users whose devices are not enrolled with Intune. Users must be assigned an Intune license, see Intune Licenses.

Required: The app is installed on devices in the selected groups. Some platforms may have additional prompts for the end user to acknowledge before app installation begins.

Uninstall: The app is uninstalled from devices in the selected groups if Intune has previously installed the application onto the device via an "Available for enrolled devices" or "Required" assignment using the same deployment.

Note

For iOS/iPadOS apps only:

To configure what happens to managed apps when devices are no longer managed, you can select the intended setting under Uninstall on device removal. For more information, see App uninstall setting for iOS/iPadOS managed apps.
If you have created an iOS/iPadOS VPN profile that contains per-app VPN settings, you can select the VPN profile under VPN. When the app is run, the VPN connection is opened. For more information, see VPN settings for iOS/iPadOS devices.
To configure whether a required iOS/iPadOS app is installed as a removable app by end users, you can select the setting under Install as removable.
To configure a way to prevent the iCloud backup of the managed iOS/iPadOS app, you can click on one of the following settings after adding a group assignment: VPN, Uninstall on device removal, or Install as removable. Then, configure the setting called Prevent iCloud app backup. For more information, see Prevent iCloud app backup setting for iOS/iPadOS and macOS apps.

For macOS apps only:

To configure a way to prevent the iCloud backup of the managed macOS app, you can click on one of the following settings after adding a group assignment: VPN, Uninstall on device removal, or Install as removable. Then, configure the setting called Prevent iCloud app backup. For more information, see Prevent iCloud app backup setting for iOS/iPadOS and macOS apps.

For Android apps only:

If you deploy an Android app as Available with or without enrollment, reporting status will only be available on enrolled devices.
For Available for enrolled devices: The app is only displayed as available if the user logged into the Company Portal is the primary user who enrolled the device and the app is applicable to the device.

8. To select the groups of users that are affected by this app assignment, select
Included Groups.

9. After you have selected one or more groups to include, select Select.

10. In the Assign pane, select OK to complete the included groups selection.

11. If you want to exclude any groups of users from being affected by this app
assignment, select Exclude Groups.

12. If you have chosen to exclude any groups, in Select groups, select Select.

13. In the Add group pane, select OK.

14. In the app Assignments pane, select Save.

The app is now assigned to the groups that you selected. For more information about including and excluding app assignments, see Include and exclude app assignments.

Tip

Intune supports assigning apps to nested groups too. For example, if you assigned an app to the "Engineering Global" group and have "Engineering APAC", "Engineering EMEA" and "Engineering US" nested as child groups, the members of those child groups will also be targeted with the assignment.

Prevent iCloud app backup setting for iOS/iPadOS and macOS apps
Admins will have the option to no longer backup managed App Store apps and line-of-
business (LOB) apps on iOS/iPadOS and managed App Store apps on macOS devices,
for both user and device licensed VPP/non-VPP apps. macOS LOB apps won’t support
this setting. This functionality will include both new and existing App Store/LOB apps
sent with and without VPP that are being added to Intune and targeted to users and
devices. Preventing the backup of the specified managed apps will ensure that these
apps can be properly deployed via Intune when the device is enrolled and restored from
backup. If you configure the new setting for new/existing apps in your tenant, managed
apps can and will be re-installed for devices, but Intune will no longer allow them to be
backed up.

Note

While we don't expect managed apps on devices to backup data to iCloud, note
that data saved locally for managed apps may not be available after a backup and
restore.

For existing devices, when Prevent iCloud app backup is set to Yes for an app/apps, the
new behavior will be automatically updated for all required App Store/LOB apps (with or
without VPP). Required apps previously installed on devices will be automatically re-
configured for all devices once the setting value is saved to Yes. Available apps will
require the user to re-download the available app from the Company Portal app or the
Company Portal website . Additionally, depending on the app’s configurations and
licensing, a sync between Intune and the device may be needed.

How conflicts between app intents are resolved

A single group cannot be targeted with multiple app assignment intents. However, if a user or a device is a member of multiple groups that are each assigned different intents, a conflict results. Creating assignment conflicts for applications is not recommended. The information in the following table can help you understand the resulting intent when a conflict occurs:

Group 1 intent | Group 2 intent | Resulting intent
User Required | User Available | Required and Available
User Required | User Uninstall | Required
User Available | User Uninstall | Uninstall
User Required | Device Required | Both exist, Intune treats Required
User Required | Device Uninstall | Both exist, Intune resolves Required
User Available | Device Required | Both exist, Intune resolves Required (Required and Available)
User Available | Device Uninstall | Both exist, Intune resolves Available. App shows up in the Company Portal. If the app is already installed (as a required app with previous intent), the app is uninstalled. If the user selects Install from the Company Portal, the app is installed, and the uninstall intent is not honored.
User Uninstall | Device Required | Both exist, Intune resolves Required
User Uninstall | Device Uninstall | Both exist, Intune resolves Uninstall
Device Required | Device Uninstall | Required
User Required and Available | User Available | Required and Available
User Required and Available | User Uninstall | Required and Available
User Required and Available | Device Required | Both exist, Required and Available
User Required and Available | Device Uninstall | Both exist, Intune resolves Required (Required and Available)
User Available without enrollment | User Required and Available | Required and Available
User Available without enrollment | User Required | Required
User Available without enrollment | User Available | Available
User Available without enrollment | Device Required | Required and Available without enrollment
User Available without enrollment | Device Uninstall | Uninstall and Available without enrollment. If the user didn't install the app from the Company Portal, the uninstall is honored. If the user installs the app from the Company Portal, the install is prioritized over the uninstall.

Note

For managed iOS store apps only, when you add these apps to Microsoft Intune and assign them as Required, the apps are automatically created with both Required and Available intents.

iOS Store apps (not iOS/iPadOS VPP apps) that are targeted with required intent will be enforced on the device at the time of the device check-in and will also show in the Company Portal app.

When conflicts occur in the Uninstall on device removal setting, the app is not removed from the device when the device is no longer managed.

Note

Apps deployed as Required to corporate-owned work profile devices cannot be uninstalled manually by the user.

Managed Google Play app deployment to unmanaged devices

For unenrolled Android devices, you can use managed Google Play to deploy store apps and line-of-business (LOB) apps to users. Once deployed, you can use Mobile Application Management (MAM) to manage the applications. Managed Google Play apps targeted as Available with or without enrollment will appear in the Play Store app on the end user's device, and not in the Company Portal app. End users browse and install apps deployed in this manner from the Play app. Because the apps are being installed from managed Google Play, the end user does not need to alter their device settings to allow app installation from unknown sources, which means the devices will be more secure. If the app developer publishes a new version of an app to Play that was installed on a user's device, the app will be automatically updated by Play.

Steps to assign a Managed Google Play app to unmanaged devices:

1. Connect your Intune tenant to managed Google Play. If you have already done this
in order to manage Android Enterprise personally owned, dedicated, fully
managed, or corporate-owned work profile devices, you do not need to do it
again.

2. Add apps from managed Google Play to your Intune admin center.

3. Target managed Google Play apps as Available with or without enrollment to the
desired user group. Required and Uninstall app targeting are not supported for
non-enrolled devices.

4. Assign an App Protection Policy to the user group.

5. User logs in any protected app.

6. The next time the end user opens the Company Portal app and completes the log
in process, they will see a message indicating in the Apps section that there are
apps available for them. The user can select this notification to navigate to the Play
Store.

Note

You can configure the device enrollment setting options to be Available, no prompts or Unavailable. This setting prevents users from unintentionally enrolling their device or receiving notifications to enroll their device after they have logged in to the Company Portal.

7. The end user can expand the context menu within the Play Store app and switch
between their personal Google account (where they see their personal apps), and
their work account (where they will see store and LOB apps targeted to them). End
users install the apps by tapping Install in the Play Store app.

When an APP selective wipe is issued in the Intune admin center, the work account will
be automatically removed from the Play Store app and the end user will from that point
no longer see work apps in the Play Store app catalog. When the work account is
removed from a device, apps installed from the Play Store will remain installed on the
device and will not uninstall.

App uninstall setting for iOS managed apps
For iOS/iPadOS devices, you can choose what happens to managed apps on unenrolling
the device from Intune or removing the management profile using Uninstall on device
removal setting. This setting only applies to apps after the device is enrolled and apps
are installed as managed. The setting cannot be configured for web apps or web links.
Only data protected by Mobile Application Management (MAM) is removed after
retirement by an App Selective Wipe.

Default values for the setting are prepopulated for new assignments as follows:

| iOS app type | Default setting for "Uninstall on device removal" |
|---|---|
| Line-of-business app | Yes |
| Store app | No |
| VPP app | No |
| Built-in app | No |

Note

"Available" assignment types: If you're updating this setting for "available for
enrolled devices" or "available with or without enrollment" groups, users who
already have the managed app won't get the updated setting until they sync the
device with Intune and re-install the app.

Pre-existing assignments: The App uninstall setting was introduced in May 2019.
Assignments that existed prior to this date are unmodified, and all managed apps
will be removed on device removal from management. If your assignment was
created before May 2019, you may need to explicitly set the App uninstall setting,
as the default settings above may not apply.

Next steps

To learn more about monitoring app assignments, see How to monitor apps.

Include and exclude app assignments in Microsoft Intune

Article • 05/01/2023

In Intune, you can determine who has access to an app by assigning groups of users to
include and exclude. Before you assign groups to the app, you must set the assignment
type for an app. The assignment type makes the app available, required, or uninstalls the
app.

To set the availability of an app, you include and exclude app assignments to a group of
users or devices by using a combination of include and exclude group assignments. This
capability can be useful when you make the app available by including a large group,
and then narrow the selected users by also excluding a smaller group. The smaller group
might be a test group or an executive group.

As a best practice, create and assign apps specifically for your user groups, and
separately for your device groups. For more information on groups, see Add groups to
organize users and devices.

Important scenarios exist when including or excluding app assignments:

- Exclusion takes precedence over inclusion in the following same-group-type
  scenarios:

  - Including user groups and excluding user groups when assigning apps
  - Including device groups and excluding device groups when assigning apps

  For example, if you assign an app to the All corporate users user group, but
  exclude members of the Senior Management Staff user group, all corporate users
  except the Senior Management staff get the assignment, because both groups are
  user groups.

- Intune doesn't evaluate user-to-device group relationships. If you assign apps to
  mixed groups, the results may not be what you want or expect.

  For example, if you assign an app to the All Users user group, but exclude the All
  personal devices device group, all users get the app. The exclusion does not apply.

As a result, it's not recommended to assign apps to mixed groups.

Note

When you set a group assignment for an app, the Not Applicable type is
deprecated and replaced with the exclude group functionality.

Intune provides pre-created All Users and All Devices groups in the Microsoft
Intune admin center. The groups have built-in optimizations for your convenience.
It's highly recommended that you use these groups to target all users and all
devices instead of any "all users" or "all devices" groups that you might create
yourself.

Android Enterprise supports including and excluding groups. You can use the
built-in All Users and All Devices groups for Android Enterprise app assignment.
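The evaluation rules described above (exclusion wins only within the same group type; user-to-device relationships are not evaluated), modelled as a small checker. This is an added example, not Intune's own code; the group names are constructed, and treating each group type independently is a modelling assumption consistent with the article's two examples.

```python
"""Model of the documented include/exclude evaluation for app assignments.

Added illustration, not Intune's code. Rules taken from the article:
  * Exclusion takes precedence over inclusion when both groups are the
    same type (user/user or device/device).
  * Intune doesn't evaluate user-to-device group relationships, so an
    exclusion of one type never narrows an inclusion of the other type.
  * Assumption: each group type is therefore evaluated on its own, and the
    app applies if either type's evaluation says so.
"""
from dataclasses import dataclass

USER, DEVICE = "user", "device"


@dataclass(frozen=True)
class Group:
    name: str
    kind: str  # USER or DEVICE


@dataclass(frozen=True)
class Assignment:
    intent: str  # "Available", "Required" or "Uninstall"
    included: frozenset = frozenset()
    excluded: frozenset = frozenset()

    def is_mixed(self) -> bool:
        """True when user and device groups are combined in one assignment,
        the configuration the article advises against."""
        kinds = {g.kind for g in self.included | self.excluded}
        return kinds == {USER, DEVICE}


def applies(assignment: Assignment, user_groups, device_groups) -> bool:
    """Return True if the assignment reaches this user on this device.

    user_groups: groups the signed-in user belongs to (kind USER)
    device_groups: groups the device belongs to (kind DEVICE)
    """
    memberships = {USER: set(user_groups), DEVICE: set(device_groups)}
    for kind, member_of in memberships.items():
        included = any(g in member_of for g in assignment.included if g.kind == kind)
        excluded = any(g in member_of for g in assignment.excluded if g.kind == kind)
        # Within one group type, an exclusion overrides an inclusion.
        if included and not excluded:
            return True
    return False


# Constructed sample groups mirroring the article's examples.
CORP_USERS = Group("All corporate users", USER)
SENIOR_STAFF = Group("Senior Management Staff", USER)
ALL_USERS = Group("All Users", USER)
ALL_DEVICES = Group("All Devices", DEVICE)
PERSONAL_DEVICES = Group("All personal devices", DEVICE)

# Same group type: the exclusion narrows the inclusion.
SAME_TYPE = Assignment("Available", frozenset({CORP_USERS}), frozenset({SENIOR_STAFF}))
# Mixed types: the device-group exclusion does not narrow a user-group inclusion.
MIXED = Assignment("Available", frozenset({ALL_USERS}), frozenset({PERSONAL_DEVICES}))
# Device/device: the exclusion applies again.
DEVICE_ONLY = Assignment("Required", frozenset({ALL_DEVICES}), frozenset({PERSONAL_DEVICES}))


if __name__ == "__main__":
    print("senior staff member, same-type exclusion:",
          applies(SAME_TYPE, {CORP_USERS, SENIOR_STAFF}, set()))      # False
    print("ordinary user, same-type exclusion:",
          applies(SAME_TYPE, {CORP_USERS}, set()))                    # True
    print("any user on a personal device, mixed assignment:",
          applies(MIXED, {ALL_USERS}, {PERSONAL_DEVICES}))            # True
    print("mixed assignment flagged:", MIXED.is_mixed())              # True
    print("personal device, device-only assignment:",
          applies(DEVICE_ONLY, set(), {ALL_DEVICES, PERSONAL_DEVICES}))  # False
```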

Include and exclude groups when assigning apps

To assign an app to groups by using the include and exclude assignment:

1. Sign in to the Microsoft Intune admin center .

2. Select Apps > All apps. The list of added apps is shown.

3. Select the app that you want to assign. A dashboard displays information about
the app.

4. In the Manage section of the menu, select Assignments.

5. Select Add group to add the groups of users who are assigned the app.

6. In the Add group pane, select an Assignment type from the available assignment
types.

7. For the assignment type, select Available with or without enrollment.

8. Select Included Groups to select the group of users that you want to make this
app available to.

Note

When you add a group, if any other group has already been included for a
specific assignment type, the app is preselected and can't be modified for
other include assignment types. The group that has been used can't be used
as an included group.

9. Select Yes to make this app available to all users.

10. Select OK to set the group to include.

11. Select Excluded Groups to select the groups of users that you want to make this
app unavailable to.

12. Select the groups to exclude. This makes this app unavailable to those groups.

13. Select Select to complete your group selection.

14. In the Add group pane, select OK. The app Assignments list appears.

15. Click Save to make your group assignments active for the app.

When you make group assignments, groups that have already been assigned aren't
available to be modified. If you want to select a group that currently isn't available, first
remove the app from the app's assigned list.

To edit assignments, in the app Assignments list, select the row that contains the
specific assignment that you want to change. You can also remove an assignment by
selecting the ellipsis (…) at the end of a row, and then selecting Remove.

Note

Removing a group assignment does not remove the related app, except on Android
Enterprise dedicated, fully managed, and corporate-owned work profile devices.
On other platforms the installed app remains on the device.

To change the view of the Assignments list, group by Assignment type or by
Included/Excluded.

Next steps

For more information about including and excluding group assignments for apps,
see the Microsoft Intune blog.
Learn how to monitor app information and assignments.

Windows 10/11 app deployment by using Microsoft Intune

Article • 04/19/2023

Microsoft Intune supports a variety of app types and deployment scenarios on Windows 10 devices.
After you've added an app to Intune, you can assign the app to users and devices. This article
provides more details on the supported Windows 10 scenarios, and also covers key details to note
when you're deploying apps to Windows. For information about deploying an app, also known as
assigning an app, see Assign an app to a group.

Line-of-business (LOB) apps and Microsoft Store for Business apps are the app types supported on
Windows 10 devices. The file extensions for Windows apps include .msi, .appx, and .appxbundle.

Note

To deploy modern apps, you need at least:

- For Windows 10 1803, May 23, 2018—KB4100403 (OS Build 17134.81).
- For Windows 10 1709, June 21, 2018—KB4284822 (OS Build 16299.522).

Only Windows 10 1803 and later support installing apps when there is no primary user
associated.

LOB app deployment isn't supported on devices running Windows 10 Home editions.

Supported Windows 10 app types

Specific app types are supported based on the version of Windows 10 that your users are running.
The following table provides the app type and Windows 10 supportability.

| App type | Home | Pro | Business | Enterprise | Education | S-Mode | HoloLens (1) | Surface Hub | WCOS | Mobile |
|---|---|---|---|---|---|---|---|---|---|---|
| .MSI | No | Yes | Yes | Yes | Yes | No | No | No | No | No |
| .IntuneWin | No | Yes | Yes | Yes | Yes | 19H2+ | No | No | No | No |
| Office C2R | No | Yes | Yes | Yes | Yes | RS4+ | No | No | No | No |
| LOB: APPX/MSIX | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MSFB Offline | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MSFB Online | Yes | Yes | Yes | Yes | Yes | Yes | RS4+ | No | Yes | Yes |
| Microsoft Store app (new) | No | Yes | Yes | Yes | Yes | Yes | No | No | No | No |
| Web Apps | Yes | Yes | Yes | Yes | Yes | Yes | Yes (2) | Yes (2) | Yes | Yes (2) |
| Store Link | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft Edge | No | Yes | Yes | Yes | Yes | 19H2+ (3) | No | No | No | No |

(1) To unlock app management, upgrade your HoloLens device to Holographic for Business.

(2) Launch from the Company Portal only.

(3) For the Edge app to install successfully, devices must also be assigned an S-Mode policy.

Note

All Windows app types require enrollment.

Windows 10 LOB apps

You can sign and upload Windows 10 LOB apps to the Microsoft Intune admin center. These can
include modern apps, such as Universal Windows Platform (UWP) apps and Windows App Packages
(AppX), as well as Win 32 apps, such as simple Microsoft Installer package files (MSI). The admin
must manually upload and deploy updates of LOB apps. These updates are automatically installed
on user devices that have installed the app. No user intervention is required, and the user has no
control over the updates.

Microsoft Store for Business apps

Microsoft Store for Business apps are modern apps, purchased from the Microsoft Store for Business
admin portal. They are then synced over to Microsoft Intune for management. The apps can either
be online licensed or offline licensed. The Microsoft Store directly manages updates, with no
additional action required by the admin. You can also prevent updates to specific apps by using a
custom Uniform Resource Identifier (URI). For more information, see Enterprise app management -
Prevent app from automatic updates. The user can also disable updates for all Microsoft Store for
Business apps on the device.

Categorize Microsoft Store for Business apps

To categorize Microsoft Store for Business apps:

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps.

3. Select a Microsoft Store for Business app. Then select Properties > App Information >
Category.

4. Select a category.

Install apps on Windows 10 devices

Depending on the app type, you can install the app on a Windows 10 device in one of two ways:

- User Context: When an app is deployed in user context, the managed app is installed for that
  user on the device when the user signs in to the device. Note that the app installation doesn't
  succeed until the user signs in to the device.
  - Modern LOB apps and Microsoft Store for Business apps (both online and offline) can be
    deployed in user context. The apps support both the Required and Available intents.
  - Win32 apps built as User Mode or Dual Mode can be deployed in user context, and support
    both the Required and Available intents.
- Device Context: When an app is deployed in device context, the managed app is installed
  directly to the device by Intune.
  - Only modern LOB apps and offline licensed Microsoft Store for Business apps can be
    deployed in device context. These apps only support the Required intent.
  - Win32 apps built as Machine Mode or Dual Mode can be deployed in device context, and
    support only the Required intent.

Note

For Win32 apps built as Dual Mode apps, the admin must choose whether the app will function as a
User Mode or Machine Mode app for all assignments associated with that instance. The
deployment context can't be changed per assignment.

Apps can only be installed in the device context when supported by the device and the Intune app
type. Device context installs are supported on Windows 10 desktops and Teams devices, such as the
Surface Hub. They aren't supported on devices running Windows Holographic for Business, such as
the Microsoft HoloLens.

You can install the following app types in the device context and assign these apps to a device
group:

- Win32 apps
- Offline licensed Microsoft Store for Business apps
- LOB apps (MSI, APPX and MSIX)
- Microsoft 365 Apps for enterprise

Windows LOB apps (specifically APPX and MSIX) and Microsoft Store for Business apps (Offline
apps) that you've selected to install in device context must be assigned to a device group. The
installation fails if one of these apps is deployed in the user context. The following status and error
appears in the admin center:

Status: Failed.
Error: A user can't be targeted with a device context install.

Important

When used in combination with an Autopilot pre-provisioning scenario, there is no
requirement for LOB apps and Microsoft Store for Business apps deployed in device context to
target a device group. For more information, see Windows Autopilot pre-provisioning
deployment.

Note

After you save an app assignment with a specific deployment, you can't change the context for
that assignment, except for modern apps. For modern apps, you can change the context from
user context to device context.

If there's a conflict in policies on a single user or device, the following priorities apply:

- A device context policy is a higher priority than a user context policy.
- An install policy is a higher priority than an uninstall policy.

For more information, see Include and exclude app assignments in Microsoft Intune. For more
information about app types in Intune, see Add apps to Microsoft Intune.
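A pre-flight check that applies the context, intent, targeting and conflict rules stated in this article before an assignment is saved. This is an added example, not Intune's code; the app type labels, the Assignment fields and the check_assignment()/resolve_conflict() helpers are this example's own, and comparing deployment context before install/uninstall in resolve_conflict() is an assumption taken from the order the article lists the two priorities.

```python
"""Pre-flight validation of Windows app assignments against the documented rules.

Added example, not Intune's code. Rules encoded from the article:
  * User context: modern LOB, MSFB online/offline, Win32 user-mode or dual-mode.
  * Device context: modern LOB, MSFB offline, Win32 machine-mode or dual-mode;
    Required intent only.
  * APPX/MSIX LOB and MSFB offline apps in device context must target a device
    group, unless Autopilot pre-provisioning is used; otherwise the documented
    "Status: Failed" error results.
  * Device context installs aren't supported on Windows Holographic for Business.
  * Conflicts: device context beats user context; install beats uninstall
    (assumption: context is compared first, as the article lists it first).
"""
from dataclasses import dataclass

USER_CONTEXT, DEVICE_CONTEXT = "user", "device"
DEVICE_CONTEXT_ERROR = "A user can't be targeted with a device context install."

# App type label (this example's own) -> contexts the article allows.
SUPPORTED_CONTEXTS = {
    "modern_lob": {USER_CONTEXT, DEVICE_CONTEXT},      # APPX/MSIX LOB apps
    "msfb_offline": {USER_CONTEXT, DEVICE_CONTEXT},
    "msfb_online": {USER_CONTEXT},
    "win32_user_mode": {USER_CONTEXT},
    "win32_machine_mode": {DEVICE_CONTEXT},
    "win32_dual_mode": {USER_CONTEXT, DEVICE_CONTEXT},
}
# App types whose device-context install fails when a user group is targeted.
NEEDS_DEVICE_GROUP = {"modern_lob", "msfb_offline"}


@dataclass(frozen=True)
class Assignment:
    app_type: str
    context: str                      # USER_CONTEXT or DEVICE_CONTEXT
    intent: str                       # "Required", "Available" or "Uninstall"
    target: str                       # "user_group" or "device_group"
    platform: str = "desktop"         # "desktop", "surface_hub" or "holographic"
    autopilot_preprovisioning: bool = False


def check_assignment(a: Assignment) -> list:
    """Return the problems an admin would hit with this assignment (empty = OK)."""
    allowed = SUPPORTED_CONTEXTS.get(a.app_type)
    if allowed is None:
        return [f"Unknown app type: {a.app_type}"]
    problems = []
    if a.context not in allowed:
        problems.append(f"{a.app_type} can't be deployed in {a.context} context.")
    if a.context == DEVICE_CONTEXT:
        if a.intent != "Required":
            problems.append("Device context installs support only the Required intent.")
        if a.platform == "holographic":
            problems.append("Device context installs aren't supported on "
                            "Windows Holographic for Business.")
        if (a.app_type in NEEDS_DEVICE_GROUP and a.target == "user_group"
                and not a.autopilot_preprovisioning):
            problems.append(f"Status: Failed. Error: {DEVICE_CONTEXT_ERROR}")
    return problems


def resolve_conflict(policies):
    """Pick the winning (context, action) pair from conflicting policies.

    action is "install" or "uninstall". Device context outranks user context,
    and install outranks uninstall.
    """
    rank = {DEVICE_CONTEXT: 1, USER_CONTEXT: 0}
    return max(policies, key=lambda p: (rank[p[0]], p[1] == "install"))


if __name__ == "__main__":
    bad = Assignment("modern_lob", DEVICE_CONTEXT, "Required", "user_group")
    print(check_assignment(bad))      # the documented Status: Failed error
    good = Assignment("modern_lob", DEVICE_CONTEXT, "Required", "device_group")
    print(check_assignment(good))     # []
    print(resolve_conflict([(USER_CONTEXT, "install"), (DEVICE_CONTEXT, "uninstall")]))
```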

Next steps

Assign apps to groups with Microsoft Intune
How to monitor apps

Deploying apps using Intune on the GCC High and DoD Environments

Article • 03/07/2023

Microsoft Intune can be used by tenant administrators to distribute apps to their
workforce. The workforce is the company's employees, the users of the apps. There are
many types of apps that can be deployed from Intune on GCC High or DoD
environments. If an administrator needs to upload and distribute a Windows app
intended for a GCC High or DoD audience that is custom-made, created by third-party
vendors, or as an offline app downloaded from the Microsoft Store for Business , the
admin can choose to distribute it as a line-of-business app.

Note

For commercial environments, a tenant admin can sync their Microsoft Store for
Business (MSFB) with Intune; however, for GCC High and DoD environments, this
service is not available. Admins in this situation must deploy an app by uploading
directly to Intune. To get the offline version of the desired app, an actual
commercial account has to be used to log in to MSFB to download the
package, and this is currently the only workaround for GCC High and DoD
environments.

Add line-of-business apps using Intune

To add a line-of-business app intended for a GCC High or DoD environment using
Intune, you can follow the Windows LOB app instructions. You may choose to deploy the
Company Portal first from the Microsoft Store for Business. If you choose to use the
Company Portal, you can manually install and deploy the Company Portal. For more
information, see How to configure the Microsoft Intune Company Portal app.

Distribute Offline Apps from the Store for Business using Intune

If you need to download an offline-licensed app from the Microsoft Store for Business,
follow these steps to download the application:

1. Sign in to the Store for Business.

2. Select Manage > Settings.

3. Under Shopping Experience, set Show offline apps to On.

When shopping for apps, if an offline version is available, you can choose to change the
license type to offline. After getting the app, you can then manage it by selecting
Manage > Products & Services in the Store for Business . Additionally, you can
download the app and its dependencies. Then, you can deploy this downloaded app
(and its dependencies) to users using Intune.

Syncing Intune to the Store for Business

In a commercial (non-government) environment, an admin can sync Intune to the
Microsoft Store for Business. This is not an available feature on the government
environments. For details about differences between Intune in commercial environments
and Intune for government environments, see Enterprise Mobility + Security for US
Government Service Description.

To sync Intune to your Store for Business account, see How to manage apps you
purchased from the Microsoft Store for Business with Microsoft Intune.

Compliance

Review the privacy and compliance statements of apps and compare them to the
compliance, security and privacy requirements of your organization when assessing the
appropriate use of these services.

Next steps

To learn more about deploying and assigning apps, see Assign apps to groups with
Microsoft Intune.

Monitor app information and assignments with Microsoft Intune

Article • 03/07/2023

Intune provides several ways to monitor the properties of apps that you manage and to
manage app assignment status.

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps.

3. In the list of apps, select an app to monitor. You'll then see the app pane, which
includes an overview of the device status and the user status.

Note

Microsoft Store and Android Store apps that are deployed as Available do not
report their installation status.

For Managed Google Play apps deployed to Android Enterprise personally-owned
work profile devices, you can view the status and version number of the app
installed on a device using Intune.

From the Installed apps page of the Windows Company Portal or the Company
Portal website, end users can view the installation status and details for device-
assigned required apps. This functionality is provided in addition to the installation
status and details of user-assigned required apps.

App overview pane

In the app pane, you can review details about the status of an app in your environment.

Essentials

The Essentials section contains the following information about the app:

| App details | Description |
|---|---|
| Publisher | The publisher of the app |
| Operating system | The app operating system (Windows, iOS/iPadOS, Android, and so on) |
| Created | The date and time when this revision was created. Note: This date value is updated when an IT admin changes app metadata, such as changing the app category or app description. |
| Assigned | Whether the app has been assigned (Yes or No) |

Device and user status graphs

The graphs show the number of apps for the following status:

| Device status | Description |
|---|---|
| Installed | The number of apps installed |
| Not Installed | The number of apps not installed |
| Failed | The number of failed installations |
| Install Pending | The number of apps that are in the process of being installed |
| Not Applicable | The number of apps for which status is not applicable |

Note

Be aware that Android LOB apps (.APK) deployed as Available with or without
enrollment only report app installation status for enrolled devices. App installation
status is not available for devices that are not enrolled in Intune.

Device install status

A device status list is shown when you select Device install status in the Monitor section
of the menu. The details table includes the following columns:

| Device column | Description |
|---|---|
| Device name | The name of the device on platforms that allow naming a device. Note: On other platforms, Intune creates a name from other properties. This attribute isn't available to any other device. |
| User name | The name of the user |
| Platform | The operating system of the device (Windows, iOS/iPadOS, Android, and so on) |
| Version | The version number of the app. Note: For line-of-business (LOB) apps and Microsoft Store for Business apps, the full version number of the app is shown. The full version number identifies a specific release of the app. The number appears as Version(Build). For example, 2.2(2.2.17560800). For standard Store apps, no versions are shown. |
| Status | The status of the app |
| Status details | The details of the status |
| Last check-in | The date of the device's last sync with Intune |

Note

Even if the app is targeted to device context and to a device group, the user
name will always be reported. You may refer to the corresponding API call.
Additionally, the system context may appear as "No user".

User install status

A user status list is shown when you select User install status in the Monitor section of
the menu. The details table includes the following columns:

| User column | Description |
|---|---|
| Name | The name of the user in Azure Active Directory |
| User name | The unique name of the user |
| Installations | The number of apps installed by the user |
| Failures | The number of failed app installations for the user |
| Not installed | The number of apps not installed by the user |

Next steps

To learn more about working with your Intune data, see Use the Intune Data
Warehouse.
To learn about app configuration policies, see App configuration policies for
Intune.

Intune discovered apps

Article • 03/07/2023

Intune discovered apps is a list of detected apps on the Intune enrolled devices in your
tenant. It acts as a software inventory for your tenant. Discovered apps is a separate
report from the app installation reports. For personal devices, Intune never collects
information on applications that are unmanaged. On corporate devices, any app
whether it's a managed app or not is collected for this report. Below is the table
mapping the expected behavior. In general, the report refreshes every seven days from
the time of enrollment (not a weekly refresh for the entire tenant). The only exception to
this refresh cycle for the Discovered apps report is application information collected
through the Intune Management Extension for Win32 Apps, which is collected every 24
hours.

Monitor discovered apps with Intune

Intune provides an aggregated list of detected apps on the Intune enrolled devices in
your tenant.

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > Monitor > Discovered apps.

Note

You can export the list of discovered apps to a .csv file by selecting Export from the
Discovered apps pane.

For discovered Win32 apps, there currently is no aggregate count. This type of data
can only be viewed on a per-device basis.

Intune also provides the list of discovered apps for the individual device in your tenant.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > All Devices.

3. Select a device.

4. To view detected apps for this device, select Discovered Apps in the Monitor
section.

Details of discovered apps

The following table provides the app platform type, the apps that are monitored for
personal devices, the apps that are monitored for company-owned devices, and the
refresh cycle. For more information about app types supported by Intune, see App types
in Microsoft Intune.

| Platform | For personally owned devices | For company-owned devices | Refresh cycle |
|---|---|---|---|
| Windows 10/11 (Win32 Apps) NOTE: Requires Intune Management Extension on device | Not Applicable | MSI installed apps on the device | Every 24 hours from device enrollment |
| Windows 10/11 (Modern Apps) | Only managed modern apps | All modern apps installed on the device | Every seven days from device enrollment |
| Windows 8.1 | Only managed apps | Only managed apps | Every seven days from device enrollment |
| Windows RT | Only managed apps | Only managed apps | Every seven days from device enrollment |
| iOS/iPadOS | Only managed apps | All apps installed on the device | Every seven days from device enrollment |
| macOS | Only managed apps | All apps installed on the device | Every seven days from device enrollment |
| Android device administrator | Only managed apps | All apps installed on the device | Every seven days from device enrollment |
| Android Enterprise personally owned enrollment | Only managed apps in the work profile | Not applicable | Every seven days from device enrollment |
| Android Enterprise corporate-owned enrollments | Not applicable | Not yet supported | Not Applicable |
| AOSP enrollments | Not applicable | Not yet supported | Not applicable |

Note

- Windows 10/11 co-managed devices, as shown in the client apps workload in
  Configuration Manager, do not currently collect app inventory through the
  Intune Management Extension (IME) as per the above schedule. To mitigate
  this issue, the client apps workload in Configuration Manager should be
  switched to Intune for the IME to be installed on the device (IME is required
  for Win32 inventory and PowerShell deployment). Note that any changes or
  updates to this behavior are announced in In development and/or What's
  new.
- Personally-owned macOS devices enrolled before November 2019 may
  continue to show all apps installed on the device until the devices are enrolled
  again.
- Android Enterprise corporate-owned enrollments (fully managed, dedicated,
  and corporate-owned work profile) do not display discovered apps.
- Android Open Source Project (AOSP) enrollments do not display discovered
  apps.
- For customers using a Mobile Threat Defense partner with Intune, App Sync
  data is sent to Mobile Threat Defense partners at an interval based on device
  check-in, and should not be confused with the refresh interval for the
  Discovered Apps report.

The number of discovered apps may not match the app install status count. Possible
reasons for inconsistencies include:

- A targeting change of an installed managed app can cause the install count in the
  status pane to decrement, while the app remains reported in the detected apps.
- Targeting multiple instances of the same app in a tenant will result in different
  counts due to potential overlap of users or devices. Each instance of the app will
  count overlapping users, but discovered apps will have duplicated counts.
- Discovered apps and app status are collected at different time intervals, which
  could cause a discrepancy in the app counts.

Next steps

App types in Microsoft Intune
Monitor app information and assignments with Microsoft Intune

App configuration policies for Microsoft Intune

Article • 03/31/2023

App configuration policies can help you eliminate app setup problems by letting you
assign configuration settings to a policy that is assigned to end-users before they run
the app. The settings are then supplied automatically when the app is configured on the
end-users device, and end-users don't need to take action. The configuration settings
are unique for each app.

You can create and use app configuration policies to provide configuration settings for
both iOS/iPadOS or Android apps. These configuration settings allow an app to be
customized by using app configuration and management. The configuration policy
settings are used when the app checks for these settings, typically the first time the app
is run.

An app configuration setting, for example, might require you to specify any of the
following details:

- A custom port number
- Language settings
- Security settings
- Branding settings such as a company logo

If end-users were to enter these settings instead, they could do this incorrectly. App
configuration policies can help provide consistency across an enterprise and reduce
helpdesk calls from end-users trying to configure settings on their own. By using app
configuration policies, the adoption of new apps can be easier and quicker.

The available configuration parameters and the implementation of the configuration
parameters are decided by the developers of the application. Documentation from the
application vendor should be reviewed to see what configurations are available and how
the configurations influence the behavior of the application. For some applications,
Intune will populate the available configuration settings.

Note

In the Managed Google Play Store, apps that support configuration are marked
as such.

You will only see apps from the Managed Google Play store, not the Google Play
store, when using Managed Devices as the Enrollment Type for Android devices.

You can assign an app configuration policy to a group of end-users and devices by
using a combination of include and exclude assignments. As part of the process to add
or update an app configuration policy, you can set the assignments for the app
configuration policy. When you set the assignments for the policy, you can choose to
include and exclude the groups of end-users for which the policy applies. When you
choose to include one or more groups, you can choose to select specific groups to
include or select built-in groups. Built-in groups include All Users, All Devices, and All
Users + All Devices.

You can also use filters to refine the assignment scope when deploying app
configuration policies for managed iOS and Android devices. You must first create a
filter using any of the available properties for iOS and Android. Then, in Microsoft Intune
admin center you can assign your managed app configuration policy by selecting
Apps > App configuration policies > Add > Managed devices and go to the
assignment page. After selecting a group, you can refine the applicability of the policy
by choosing a filter and deciding to use it in Include or Exclude mode.

The app configuration policy workload provides a list of app configuration policies that
have been created for your tenant. This list provides details, such as Name, Platform,
Updated, Enrollment type, and Scope Tags. For additional details about a specific app
configuration policy, select the policy. On the policy Overview pane, you can see specific
details, such as the policy status based on device and based on user, as well as whether
the policy has been assigned.

Apps that support app configuration

App configuration can be delivered either through the mobile device management
(MDM) OS channel on enrolled devices (the Managed App Configuration channel for iOS
or the Android in the Enterprise channel for Android) or through the Mobile
Application Management (MAM) channel.

Intune represents these different app configuration policy channels as:

- Managed devices - The device is managed by Intune as the unified endpoint
  management provider. The app must be pinned to the management profile on
  iOS/iPadOS or deployed through Managed Google Play on Android devices. In
  addition, the app supports the desired app configuration.
- Managed apps - An app that has either integrated the Intune App SDK or has
  been wrapped using the Intune Wrapping Tool and supports App Protection
  Policies (APP). In this configuration, neither the device's enrollment state nor how
  the app is delivered to the device matters. The app supports the desired app
  configuration.

Apps may handle app configuration policy settings differently with respect to user
preference. For example, with Outlook for iOS and Android, the Focused Inbox app
configuration setting will respect the user setting, allowing the user to override admin
intent. Other settings may let you control whether a user can or cannot change the
setting based on the admin intent.

Note

Intune requires Android 8.x or higher for device enrollment scenarios and app
configuration delivered through Managed devices app configuration policies. This
requirement does not apply to Microsoft Teams Android devices as these
devices will continue to be supported.

For Intune app protection policies and app configuration delivered through
Managed apps app configuration policies, Intune requires Android 9.0 or higher.

Managed devices

Selecting Managed devices as the Device Enrollment Type specifically refers to apps
deployed by Intune on the enrolled device, which are thus managed by Intune as the
enrollment provider.

To support app configuration for apps deployed through Intune on enrolled devices,
apps must be written to support the use of app configurations as defined by the OS.
Consult your app vendor for details on which app config keys they support for delivery
through the MDM OS channel. There are generally four scenarios for app configuration
delivery using the MDM OS channel:

- Only allow work or school accounts
- Account setup configuration settings
- General app configuration settings
- S/MIME configuration settings

Managed apps

Selecting Managed apps as the Device Enrollment Type specifically refers to apps
configured with an Intune App Protection Policy on devices regardless of the enrollment
state.

To support app configuration through the MAM channel, the app must be integrated
with Intune App SDK. Line-of-business apps can either integrate the Intune App SDK or
use the Intune App Wrapping Tool. For a comparison between the Intune App SDK and
the Intune App Wrapping Tool, see Prepare line-of-business apps for app protection
policies.

Delivery of app configuration through the MAM channel does not require the device to
be enrolled or for the app to be managed or delivered through the unified endpoint
management solution. There are three scenarios for app configuration delivery using the
MAM channel:

General app configuration settings
S/MIME configuration settings
Advanced APP data protection settings which extend the capabilities offered by
App Protection Policies

Note

Intune managed apps check in at an interval of 30 minutes for Intune App
Configuration Policy status when deployed in conjunction with an Intune App
Protection Policy. If an Intune App Protection Policy isn't assigned to the user, then
the Intune App Configuration Policy check-in interval is set to 720 minutes.

For information on which apps support app configuration through the MAM channel,
see Microsoft Intune protected apps.

Android Enterprise app configuration policies
For Android Enterprise app configuration policies, you can select the device enrollment
type before creating an app configuration profile. You can account for certificate profiles
that are based on enrollment type.

Enrollment type can be one of the following:

All Profile Types: If a new profile is created and All Profile Types is selected for
device enrollment type, you will not be able to associate a certificate profile with
the app config policy. This option supports username and password
authentication. If you use certificate-based authentication, don't use this option.
Fully Managed, Dedicated, and Corporate-Owned Work Profile Only: If a new
profile is created and Fully Managed, Dedicated, and Corporate-Owned Work
Profile Only is selected, Fully Managed, Dedicated, and Corporate-Owned Work
Profile certificate policies created under Device > Configuration profiles can be
utilized. This option supports certificate-based authentication, and username and
password authentication. Fully Managed relates to Android Enterprise fully
managed devices (COBO). Dedicated relates to Android Enterprise dedicated
devices (COSU). Corporate-Owned Work Profile relates to Android Enterprise
corporate-owned work profile (COPE).
Personally-Owned Work Profile Only: If a new profile is created and Personally-
Owned Work Profile Only is selected, Work Profile certificate policies created
under Device > Configuration profiles can be utilized. This option supports
certificate-based authentication, and username and password authentication.

Note

If you deploy a Gmail or Nine configuration profile to an Android Enterprise
dedicated device work profile which doesn't involve a user, it will fail because
Intune can't resolve the user.

Important
Existing policies created prior to the release of this feature (April 2020 release -
2004) that do not have any certificate profiles associated with the policy will default
to All Profile Types for device enrollment type. Also, existing policies created prior
to the release of this feature that have certificate profiles associated with them will
default to Work Profile only.

Existing policies will not remediate or issue new certificates.

Validate the applied app configuration policy
You can validate the app configuration policy using the following three methods:

1. Verify the app configuration policy visibly on the device. Confirm that the targeted
app is exhibiting the behavior applied in the app configuration policy.

2. Verify via Diagnostic Logs (see the Diagnostic Logs section below).

3. Verify in the Microsoft Intune admin center. In the Microsoft Intune admin
center, select Apps > All apps > select the related app. Then, under the Monitor
section, select either Device install status or User install status:

Device Install Status Report monitors the latest check-ins for all the devices the
configuration policy has been targeted to.

User Install Status Report monitors the latest changes to the user details, such as
name, e-mail, and UPN. User Report is also independent of Device Report.

Additionally, in the Microsoft Intune admin center, select Devices > All Devices >
select a device > App configuration. The App configuration pane displays all
the assigned policies and their state.

Diagnostic Logs

iOS/iPadOS configuration on unmanaged devices
You can validate iOS/iPadOS configuration with the Intune Diagnostic Log for settings
deployed through the managed app configuration policies. In addition to the below
steps, you can access managed app logs using Microsoft Edge. For more information,
see Use Edge for iOS and Android to access managed app logs.

1. If not already installed on the device, download and install Microsoft Edge
from the App Store. For more information, see Microsoft Intune protected apps.

2. Launch Microsoft Edge and enter about:intunehelp in the address box.

3. Click Get Started.

4. Click Share Logs.

5. Use the mail app of your choice to send the log to yourself so they can be viewed
on your PC.

6. Review IntuneMAMDiagnostics.txt in your text file viewer.

7. Search for ApplicationConfiguration. The results will look like the following:

JSON

{
    ApplicationConfiguration = (
        {
            Name = "com.microsoft.intune.mam.managedbrowser.BlockListURLs";
            Value = "https://www.aol.com";
        },
        {
            Name = "com.microsoft.intune.mam.managedbrowser.bookmarks";
            Value = "Outlook Web|https://outlook.office.com||Bing|https://www.bing.com";
        }
    );
},
{
    ApplicationConfiguration = (
        {
            Name = IntuneMAMUPN;
            Value = "CMARScrubbedM:13c45c42712a47a1739577e5c92b5bc86c3b44fd9a27aeec3f32857f69ddef79cbb988a92f8241af6df8b3ced7d5ce06e2d23c33639ddc2ca8ad8d9947385f8a";
        },
        {
            Name = "com.microsoft.outlook.Mail.BlockExternalImagesEnabled";
            Value = true;
        }
    );
}

Your application configuration details should match the application configuration
policies configured for your tenant.

iOS/iPadOS configuration on managed devices
You can validate iOS/iPadOS configuration with the Intune Diagnostic Log on managed
devices for managed app configuration.

1. If not already installed on the device, download and install Microsoft Edge
from the App Store. For more information, see Microsoft Intune protected apps.
2. Launch Microsoft Edge and enter about:intunehelp in the address box.
3. Click Get Started.
4. Click Share Logs.
5. Use the mail app of your choice to send the log to yourself so they can be viewed
on your PC.
6. Review IntuneMAMDiagnostics.txt in your text file viewer.
7. Search for AppConfig . Your results should match the application configuration
policies configured for your tenant.

Android configuration on managed devices
You can validate Android configuration with the Intune Diagnostic Log on managed
devices for managed app configuration.

To collect logs from an Android device, you or the end user must download the logs
from the device via a USB connection (or the File Explorer equivalent on the device).
Here are the steps:

1. Connect the Android device to your computer with the USB cable.

2. On the computer, look for a directory that has the name of your device. In that
directory, find Android Device\Phone\Android\data\com.microsoft.windowsintune.companyportal.

3. In the com.microsoft.windowsintune.companyportal folder, open the Files folder
and open OMADMLog_0.

4. Search for AppConfigHelper to find app configuration related messages. The results
will look similar to the following block of data:

2019-06-17T20:09:29.1970000 INFO AppConfigHelper 10888 02256 Returning app config JSON
[{"ApplicationConfiguration":[{"Name":"com.microsoft.intune.mam.managedbrowser.BlockListURLs","Value":"https:\/\/www.aol.com"},
{"Name":"com.microsoft.intune.mam.managedbrowser.bookmarks","Value":"Outlook Web|https:\/\/outlook.office.com||Bing|https:\/\/www.bing.com"},
{"Name":"com.microsoft.intune.mam.managedbrowser.homepage","Value":"https:\/\/www.arstechnica.com"}]},
{"ApplicationConfiguration":[{"Name":"IntuneMAMUPN","Value":"AdeleV@M365x935807.OnMicrosoft.com"},
{"Name":"com.microsoft.outlook.Mail.NotificationsEnabled","Value":"false"},
{"Name":"com.microsoft.outlook.Mail.NotificationsEnabled.UserChangeAllowed","Value":"false"}]}] for user User-875363642
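To automate step 4 over a whole OMADMLog_0 file, the following added example (not Microsoft code, and covering the Android log only) extracts the JSON from each AppConfigHelper line and diffs one block against the policy you expect. SAMPLE_LOG is constructed from the excerpt above; EXPECTED_EDGE_POLICY is an assumed tenant policy whose homepage deliberately differs from the log.

```python
"""Parse AppConfigHelper lines from the Company Portal OMADMLog_0 and compare
the applied app configuration with the policy you expect.

Added example for this article, not Microsoft code. SAMPLE_LOG is constructed
from the log excerpt in the article; EXPECTED_EDGE_POLICY is an assumed tenant
policy used only to demonstrate the comparison.
"""
import json
import re
from typing import Dict, List, Tuple

# Matches the "Returning app config JSON [...] for user <id>" message shown above.
LINE_RE = re.compile(
    r"AppConfigHelper .*?Returning app config JSON (?P<json>\[.*\]) for user (?P<user>\S+)"
)

# Constructed log excerpt: one AppConfigHelper line plus an unrelated line.
# The Value strings keep the escaped "\/" that the Company Portal writes.
SAMPLE_LOG = (
    "2019-06-17T20:09:29.1970000 INFO AppConfigHelper 10888 02256 Returning app config JSON "
    '[{"ApplicationConfiguration":'
    '[{"Name":"com.microsoft.intune.mam.managedbrowser.BlockListURLs","Value":"https:\\/\\/www.aol.com"},'
    '{"Name":"com.microsoft.intune.mam.managedbrowser.bookmarks",'
    '"Value":"Outlook Web|https:\\/\\/outlook.office.com||Bing|https:\\/\\/www.bing.com"},'
    '{"Name":"com.microsoft.intune.mam.managedbrowser.homepage","Value":"https:\\/\\/www.arstechnica.com"}]},'
    '{"ApplicationConfiguration":'
    '[{"Name":"IntuneMAMUPN","Value":"AdeleV@M365x935807.OnMicrosoft.com"},'
    '{"Name":"com.microsoft.outlook.Mail.NotificationsEnabled","Value":"false"}]}]'
    " for user User-875363642\n"
    "2019-06-17T20:09:30.0000000 INFO OtherComponent 10888 02256 unrelated message\n"
)

# Assumed policy for the Edge block (the homepage differs on purpose).
EXPECTED_EDGE_POLICY = {
    "com.microsoft.intune.mam.managedbrowser.BlockListURLs": "https://www.aol.com",
    "com.microsoft.intune.mam.managedbrowser.bookmarks":
        "Outlook Web|https://outlook.office.com||Bing|https://www.bing.com",
    "com.microsoft.intune.mam.managedbrowser.homepage": "https://www.contoso.com",
}


def extract_app_configs(log_text: str) -> List[Tuple[str, List[Dict[str, str]]]]:
    """Return (user, blocks) for every AppConfigHelper line.

    Each block is one {"ApplicationConfiguration": [...]} entry flattened to a
    {Name: Value} dict, so a key that appears for several apps stays separate.
    """
    results = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        try:
            payload = json.loads(match.group("json"))  # json.loads unescapes "\/"
        except json.JSONDecodeError:
            continue  # truncated or corrupted line: skip rather than guess
        blocks = []
        for entry in payload:
            pairs = entry.get("ApplicationConfiguration", [])
            blocks.append({p["Name"]: p["Value"] for p in pairs if "Name" in p})
        results.append((match.group("user"), blocks))
    return results


def compare_with_policy(applied: Dict[str, str], expected: Dict[str, str]) -> Dict[str, object]:
    """Diff one applied block against the expected key/value pairs."""
    missing = sorted(k for k in expected if k not in applied)
    mismatched = {k: (applied[k], v) for k, v in expected.items()
                  if k in applied and applied[k] != v}
    unexpected = sorted(k for k in applied if k not in expected)
    return {"missing": missing, "mismatched": mismatched, "unexpected": unexpected}


if __name__ == "__main__":
    for user, blocks in extract_app_configs(SAMPLE_LOG):
        print(f"user {user}: {len(blocks)} app configuration block(s)")
        print(compare_with_policy(blocks[0], EXPECTED_EDGE_POLICY))
```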

Graph API support for app configuration
You can use Graph API to accomplish app configuration tasks. For details, see Graph API
Reference MAM Targeted Config. For more information about Intune and Graph, see
Working with Intune in Microsoft Graph.

Troubleshooting

Using logs to show a configuration parameter
When the logs show a configuration parameter that is confirmed to be applying but
doesn't seem to work, there may be an issue with the configuration implementation by
the app developer. Reaching out to that app developer first, or checking their
knowledge base, may save you a support call with Microsoft. If it is an issue with how
the configuration is being handled within an app, it would have to be addressed in a
future updated version of that app.

Next steps

Managed devices
Learn how to use app configuration with your iOS/iPadOS devices. See Add app
configuration policies for managed iOS/iPadOS devices.
Learn how to use app configuration with your Android devices. See Add app
configuration policies for managed Android devices.

Managed apps
Learn how to use app configuration with managed apps. See Add app
configuration policies for managed apps without device enrollment.
Add app configuration policies for
managed iOS/iPadOS devices
Article • 03/31/2023

Use app configuration policies in Microsoft Intune to provide custom configuration
settings for an iOS/iPadOS app. These configuration settings allow an app to be
customized based on the app supplier's direction. You must get these configuration
settings (keys and values) from the supplier of the app. To configure the app, you specify
the settings as keys and values, or as XML containing the keys and values.

As the Microsoft Intune admin, you can control which user accounts are added to
Microsoft Office applications on managed devices. You can limit access to only allowed
organization user accounts and block personal accounts on enrolled devices. The
supporting applications process the app configuration and remove and block
unapproved accounts. The configuration policy settings are used when the app checks
for them, typically the first time it is run.

Once you add an app configuration policy, you can set the assignments for the app
configuration policy. When you set the assignments for the policy, you can choose to
use a filter and to include and exclude the groups of users for which the policy applies.
When you choose to include one or more groups, you can choose to select specific
groups to include or select built-in groups. Built-in groups include All Users, All Devices,
and All Users + All Devices.

Note

Intune provides pre-created All Users and All Devices groups in the console with
built-in optimizations for your convenience. It is highly recommended that you use
these groups to target all users and all devices instead of any 'All users' or 'All
devices' groups you may have created yourself.

Once you have selected the included groups for your application configuration policy,
you can also choose the specific groups to exclude. For more information, see Include
and exclude app assignments in Microsoft Intune.

Tip

This policy type is currently available only for devices running iOS/iPadOS 8.0 and
later. It supports the following app installation types:
Managed iOS/iPadOS app from the app store
App package for iOS

For more information about app installation types, see How to add an app to
Microsoft Intune. For more information about incorporating app config into your
.ipa app package for managed devices, see Managed App Configuration in the iOS
developer documentation .

Create an app configuration policy

1. Sign in to the Microsoft Intune admin center.

2. Choose the Apps > App configuration policies > Add > Managed devices. Note
that you can choose between Managed devices and Managed apps. For more
information see Apps that support app configuration.

3. On the Basics page, set the following details:

Name - The name of the profile that appears in the Microsoft Intune admin
center.
Description - The description of the profile that appears in the Microsoft
Intune admin center.
Device enrollment type - This setting is set to Managed devices.

4. Select iOS/iPadOS as the Platform.

5. Click Select app next to Targeted app. The Associated app pane is displayed.

6. On the Targeted app pane, choose the managed app to associate with the
configuration policy and click OK.

7. Click Next to display the Settings page.

8. In the dropdown box, select the Configuration settings format. Select one of the
following methods to add configuration information:

Use configuration designer
Enter XML data

For details about using the configuration designer, see Use configuration
designer. For details about entering XML data, see Enter XML data.

9. Click Next to display the Scope tags page.

10. [Optional] You can configure scope tags for your app configuration policy. For
more information about scope tags, see Use role-based access control (RBAC) and
scope tags for distributed IT.

11. Click Next to display the Assignments page.

12. On the Assignments page, select either Add groups, Add all users, or Add all
devices to assign the app configuration policy. Once you've selected an
assignment group, you can select a filter to refine the assignment scope when
deploying app configuration policies for managed devices.

13. Select All users in the dropdown box.

14. [Optional] Click Edit filter to add a filter and refine the assignment scope.
15. Click Select groups to exclude to display the related pane.
16. Choose the groups you want to exclude and then click Select.

Note

When adding a group, if any other group has already been included for a
given assignment type, it is pre-selected and unchangeable for other include
assignment types. Therefore, a group that has already been included cannot be
used as an excluded group.

17. Click Next to display the Review + create page.

18. Click Create to add the app configuration policy to Intune.


Use configuration designer
Microsoft Intune provides configuration settings that are unique to an app. You can use
the configuration designer for apps on devices that are enrolled or not enrolled in
Microsoft Intune. The designer lets you configure specific configuration keys and values
that help you create the underlying XML. You must also specify the data type for each
value. These settings are supplied to apps automatically when the apps are installed.

Add a setting
1. For each key and value in the configuration, set:

Configuration key - The case sensitive key that uniquely identifies the
specific setting configuration.
Value type - The data type of the configuration value. Types include Integer,
Real, String, or Boolean.
Configuration value - The value for the configuration.

2. Choose OK to set your configuration settings.

Delete a setting
1. Choose the ellipsis (...) next to the setting.
2. Select Delete.

The {{ and }} characters are used by token types only and must not be used for other
purposes.

Allow only configured organization accounts in apps
As the Microsoft Intune administrator, you can control which work or school accounts
are added to Microsoft apps on managed devices. You can limit access to only allowed
organization user accounts and block personal accounts within the apps (if supported)
on enrolled devices. For iOS/iPadOS devices, use the following key/value pairs in a
Managed Devices app configuration policy:

Key IntuneMAMAllowedAccountsOnly

Values Enabled: The only account allowed is the managed user account defined by the
IntuneMAMUPN key.
Disabled (or any value that is not a case-insensitive match to Enabled): Any account
is allowed.

Key IntuneMAMUPN

Values UPN of the account allowed to sign into the app.
For Intune enrolled devices, the {{userprincipalname}} token may be used to represent
the enrolled user account.

Note

The following apps process the above app configuration and only allow
organization accounts:

Edge for iOS (44.8.7 and later)
Office, Word, Excel, PowerPoint for iOS (2.41 and later)
OneDrive for iOS (10.34 and later)
OneNote for iOS (2.41 and later)
Outlook for iOS (2.99.0 and later)
Teams for iOS (2.0.15 and later)

Require configured organization accounts in apps
On enrolled devices, organizations can require that the work or school account is signed
into managed Microsoft apps in order to receive Org data from other managed apps.
For example, consider the scenario where the user has attachments included in email
messages contained within the managed email profile located in the native iOS mail
client. If the user attempts to transfer the attachments to a Microsoft app, like Office,
that is managed on the device and has these keys applied, then this configuration will
treat the transferred attachment as Org data, requiring the work or school account to be
signed in and enforcing the app protection policy settings.

For iOS/iPadOS devices, use the following key/value pairs in a Managed Devices app
configuration policy for each Microsoft app:

Key IntuneMAMRequireAccounts

Values Enabled: The app requires the user to sign in to the managed user account
defined by the IntuneMAMUPN key to receive Org data.
Disabled (or any value that is not a case-insensitive match to Enabled): No account
sign-in is required.

Key IntuneMAMUPN

Values UPN of the account allowed to sign into the app.
For Intune enrolled devices, the {{userprincipalname}} token may be used to represent
the enrolled user account.

Note

Apps must have Intune APP SDK for iOS version 12.3.3 or later and be targeted with
an Intune app protection policy when requiring sign-in to a work or school account.
Within the app protection policy, the "Receive data from other apps" setting must be
set to "All apps with incoming Org data".

At this time, app sign-in is only required when there is incoming Org data to a targeted
app.

Enter XML data
You can type or paste an XML property list that contains the app configuration settings
for devices enrolled in Intune. The format of the XML property list varies depending on
the app that you are configuring. For details about the exact format to use, contact the
supplier of the app.

Intune validates the XML format. However, Intune does not check that the XML property
list (PList) works with the target app.

To learn more about XML property lists:

Refer to Understand XML Property Lists in the iOS Developer Library.

Example format for an app configuration XML file
When you create an app configuration file, you can specify one or more of the following
values by using this format:

XML

<dict>
    <key>userprincipalname</key>
    <string>{{userprincipalname}}</string>
    <key>mail</key>
    <string>{{mail}}</string>
    <key>partialupn</key>
    <string>{{partialupn}}</string>
    <key>accountid</key>
    <string>{{accountid}}</string>
    <key>deviceid</key>
    <string>{{deviceid}}</string>
    <key>userid</key>
    <string>{{userid}}</string>
    <key>username</key>
    <string>{{username}}</string>
    <key>serialnumber</key>
    <string>{{serialnumber}}</string>
    <key>serialnumberlast4digits</key>
    <string>{{serialnumberlast4digits}}</string>
    <key>udidlast4digits</key>
    <string>{{udidlast4digits}}</string>
    <key>aaddeviceid</key>
    <string>{{aaddeviceid}}</string>
    <key>IsSupervised</key>
    <string>{{IsSupervised}}</string>
</dict>

Supported XML PList data types
Intune supports the following data types in a property list:

<integer>
<real>
<string>
<array>
<dict>
<true /> or <false />

Tokens used in the property list
Additionally, Intune supports the following token types in the property list:

{{userprincipalname}}—for example, John@contoso.com
{{mail}}—for example, John@contoso.com
{{partialupn}}—for example, John
{{accountid}}—for example, fc0dc142-71d8-4b12-bbea-bae2a8514c81
{{deviceid}}—for example, b9841cd9-9843-405f-be28-b2265c59ef97
{{userid}}—for example, 3ec2c00f-b125-4519-acf0-302ac3761822
{{username}}—for example, John Doe
{{serialnumber}}—for example, F4KN99ZUG5V2 (for iOS/iPadOS devices)
{{serialnumberlast4digits}}—for example, G5V2 (for iOS/iPadOS devices)
{{aaddeviceid}}—for example, ab0dc123-45d6-7e89-aabb-cde0a1234b56
{{issupervised}}—for example, True (for iOS/iPadOS devices)
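Because Intune validates only the XML format, a local pre-check against the data types and tokens listed above catches the rest before the plist reaches the editor. The following is an added example, not Microsoft code: it also checks the IntuneMAMAllowedAccountsOnly and IntuneMAMUPN pairing from the "Allow only configured organization accounts in apps" section, and the sample plists (including the AllowedHosts, MaxRetries, LastSync, Greeting and Dangling keys) are constructed for the demonstration.

```python
"""Pre-check an Intune app configuration plist before pasting it into the XML editor.
Added example for this article, not Microsoft code: it checks the supported plist
types, the supported {{token}} names (compared case-insensitively, since both
{{IsSupervised}} and {{issupervised}} appear in the article), that {{ and }} are
used only for tokens, and that IntuneMAMAllowedAccountsOnly=Enabled is paired
with IntuneMAMUPN.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

SUPPORTED_TYPES = {"integer", "real", "string", "array", "dict", "true", "false"}
SUPPORTED_TOKENS = {
    "userprincipalname", "mail", "partialupn", "accountid", "deviceid", "userid",
    "username", "serialnumber", "serialnumberlast4digits", "udidlast4digits",
    "aaddeviceid", "issupervised",
}
TOKEN_RE = re.compile(r"\{\{(.*?)\}\}")


def _check_string(text: str, path: str, errors: List[str]) -> None:
    for token in TOKEN_RE.findall(text):
        if token.lower() not in SUPPORTED_TOKENS:
            errors.append(path + ": unsupported token {{" + token + "}}")
    rest = TOKEN_RE.sub("", text)  # braces left over are not part of any token
    if "{{" in rest or "}}" in rest:
        errors.append(path + ": '{{' or '}}' used outside a token")


def _check_value(elem: ET.Element, path: str, errors: List[str]) -> None:
    if elem.tag not in SUPPORTED_TYPES:
        errors.append(path + ": unsupported plist type <" + elem.tag + ">")
    elif elem.tag == "string":
        _check_string(elem.text or "", path, errors)
    elif elem.tag == "array":
        for index, child in enumerate(elem):
            _check_value(child, f"{path}[{index}]", errors)
    elif elem.tag == "dict":
        _check_dict(elem, path, errors)


def _check_dict(node: ET.Element, path: str, errors: List[str]) -> None:
    """A plist dict is a flat sequence of <key> elements, each followed by one value."""
    children = list(node)
    index = 0
    while index < len(children):
        key = children[index]
        if key.tag != "key":
            errors.append(path + ": expected <key>, found <" + key.tag + ">")
            index += 1
            continue
        name = key.text or ""
        if index + 1 >= len(children):
            errors.append(path + "/" + name + ": key has no value")
            break
        _check_value(children[index + 1], path + "/" + name, errors)
        index += 2


def validate_app_config_plist(xml_text: str) -> List[str]:
    """Return the list of problems found; an empty list means every check passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "dict":
        return ["root element must be <dict>, found <" + root.tag + ">"]
    errors: List[str] = []
    _check_dict(root, "dict", errors)
    # Pairing from the "Allow only configured organization accounts" section:
    # Enabled (any case) restricts sign-in to the account named by IntuneMAMUPN.
    children = list(root)
    top = {k.text: v for k, v in zip(children[0::2], children[1::2]) if k.tag == "key"}
    allowed = top.get("IntuneMAMAllowedAccountsOnly")
    if allowed is not None and (allowed.text or "").lower() == "enabled" \
            and "IntuneMAMUPN" not in top:
        errors.append("IntuneMAMAllowedAccountsOnly is Enabled but IntuneMAMUPN is not set")
    return errors


# Constructed sample that passes; AllowedHosts and MaxRetries are made-up keys.
GOOD_PLIST = """<dict>
  <key>IntuneMAMAllowedAccountsOnly</key><string>Enabled</string>
  <key>IntuneMAMUPN</key><string>{{userprincipalname}}</string>
  <key>IsSupervised</key><string>{{IsSupervised}}</string>
  <key>AllowedHosts</key><array><string>outlook.office.com</string></array>
  <key>MaxRetries</key><integer>3</integer>
</dict>"""

# Constructed sample with five problems: unsupported <date>, unknown token,
# stray "{{", a key without a value, and Enabled without IntuneMAMUPN.
BAD_PLIST = """<dict>
  <key>IntuneMAMAllowedAccountsOnly</key><string>enabled</string>
  <key>LastSync</key><date>2023-03-31T00:00:00Z</date>
  <key>Greeting</key><string>Hello {{nosuchtoken}} {{</string>
  <key>Dangling</key>
</dict>"""
```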

Configure the Company Portal app to support iOS and iPadOS devices enrolled with
Automated Device Enrollment
Apple's Automated Device Enrollments are not compatible with the app store version of
the Company Portal app by default. However, you can configure the Company Portal
app to support iOS/iPadOS ADE devices even when users have downloaded the
Company Portal from the App Store by using the following steps.

1. In the Microsoft Intune admin center, add the Intune Company Portal app if it has
not been added yet, by going to Apps > All apps > Add > iOS Store App.

2. Go to Apps > App configuration policies, to create an app configuration policy for
the Company Portal app.

3. Create an app configuration policy with the XML below. More information on how
to create an app configuration policy and enter XML data can be found at Add app
configuration policies for managed iOS/iPadOS devices.

Use the Company Portal on an Automated Device Enrollment (ADE) device
enrolled with user affinity:

Note

When the enrollment profile has "Install Company Portal" set to yes,
Intune pushes the application configuration policy below automatically
as part of the initial enrollment process. This configuration should not be
deployed manually to users or devices, as this will cause a conflict with
the payload already sent during enrollment, resulting in end users
being asked to download a new management profile after signing in to
Company Portal (when they shouldn't, because there is a management
profile already installed on these devices).

XML

<dict>
    <key>IntuneCompanyPortalEnrollmentAfterUDA</key>
    <dict>
        <key>IntuneDeviceId</key>
        <string>{{deviceid}}</string>
        <key>UserId</key>
        <string>{{userid}}</string>
    </dict>
</dict>

Use the Company Portal on an ADE device enrolled without user affinity
(also known as Device Staging):

Note

The user signing in to Company Portal is set as the primary user of the
device.

XML

<dict>
    <key>IntuneUDAUserlessDevice</key>
    <string>{{SIGNEDDEVICEID}}</string>
</dict>

4. Deploy the Company Portal to devices with the app configuration policy targeted
to desired groups. Be sure to only deploy the policy to groups of devices that are
already ADE enrolled.

5. Tell end users to sign into the Company Portal app when it is automatically
installed.

Note

When you add an app configuration to allow the Company Portal app on ADE
devices without user affinity, you may experience a STATE Policy Error. Unlike
other app configurations, this situation does not apply every time the device checks
in. Instead, this app configuration is meant to be a one-time operation to enable
existing devices enrolled without user affinity to attain user affinity when a user
signs into the Company Portal. This app configuration is removed from the policy in
the background once it has been successfully applied. The policy assignment will
exist, but it will not report "success" once the app configuration is removed in the
background. Once the app configuration policy has applied to the device, you can
unassign the policy.
Monitor iOS/iPadOS app configuration status
per device
Once a configuration policy has been assigned, you can monitor iOS/iPadOS app
configuration status for each managed device. In the Microsoft Intune admin center,
select Devices > All devices. From the list of managed devices, select a specific
device to display a pane for the device. On the device pane, select App
configuration.

Additional information
Deploying Outlook for iOS/iPadOS and Android app configuration settings

Next steps
Continue to assign and monitor the app.
Add app configuration policies for
managed Android Enterprise devices
Article • 03/31/2023

App configuration policies in Microsoft Intune supply settings to Managed Google Play
apps on managed Android Enterprise devices. The app developer exposes Android-
managed app configuration settings. Intune uses these exposed settings to let the admin
configure features for the app. The app configuration policy is assigned to your user
groups. The policy settings are used when the app checks for them, typically the first
time the app runs.

Not every app supports app configuration. Check with the app developer to see if their
app supports app configuration policies.

Note

Intune requires Android 8.x or higher for device enrollment scenarios and app
configuration delivered through Managed devices app configuration policies. This
requirement does not apply to Microsoft Teams Android devices as these
devices will continue to be supported.

For Intune app protection policies and app configuration delivered through
Managed apps app configuration policies, Intune requires Android 9.0 or higher.

Email apps
Android Enterprise has several enrollment methods. The enrollment type depends on
how email is configured on the device:

On Android Enterprise Fully Managed, Dedicated, and Corporate-owned Work
Profiles, use an app configuration policy and the steps in this article. App
configuration policies support Gmail and Nine Work email apps.
On Android Enterprise personally owned devices with a work profile, create an
Android Enterprise email device configuration profile. When you create the profile,
you can configure settings for email clients that support app configuration policies.
When using the configuration designer, Intune includes email settings specific to
Gmail and Nine Work apps.
On Android device administrator, create an Android device administrator email
device configuration profile for Samsung Knox devices. When you create the
profile, you can configure Exchange email settings, such as outlook.office365.com.

Create an app configuration policy

1. Sign in to the Microsoft Intune admin center.

2. Choose the Apps > App configuration policies > Add > Managed devices. Note
that you can choose between Managed devices and Managed apps. For more
information see Apps that support app configuration.

3. On the Basics page, set the following details:

Name - The name of the profile that appears in the portal.
Description - The description of the profile that appears in the portal.
Device enrollment type - This setting is set to Managed devices.

4. Select Android Enterprise as the Platform.

5. Click Select app next to Targeted app. The Associated app pane is displayed.

6. On the Associated app pane, choose the managed app to associate with the
configuration policy and click OK.

7. Click Next to display the Settings page.

8. Click Add to display the Add permissions pane.

9. Click the permissions that you want to override. Permissions granted will override
the "Default app permissions" policy for the selected apps.

10. Set the Permission state for each permission. You can choose from Prompt, Auto
grant, or Auto deny.

11. If the managed app supports configuration settings, the Configuration settings
format dropdown box is visible. Select one of the following methods to add
configuration information:

Use configuration designer
Enter JSON data

For details about using the configuration designer, see Use configuration designer.
For details about entering JSON data, see Enter JSON data.

12. If you need to enable users to connect the targeted app across both the work and
personal profiles, select Enabled next to Connected apps.

Note

This setting only works for personally-owned work profile and corporate-
owned work profile devices.

Changing the Connected apps setting to Not Configured will not remove the
configuration policy from the device. To remove the Connected apps
functionality from a device, you must unassign the related configuration
policy.

13. Click Next to display the Scope tags page.

14. [Optional] You can configure scope tags for your app configuration policy. For
more information about scope tags, see Use role-based access control (RBAC) and
scope tags for distributed IT.

15. Click Next to display the Assignments page.

16. In the dropdown box next to Assign to, select either Add groups, Add all users, or
Add all devices to assign the app configuration policy. Once you've selected an
assignment group, you can select a filter to refine the assignment scope when
deploying app configuration policies for managed devices.
17. Select All users in the dropdown box.

18. [Optional] Click Edit filter to add a filter and refine the assignment scope.
19. Click Select groups to exclude to display the related pane.
20. Choose the groups you want to exclude and then click Select.

Note

When adding a group, if any other group has already been included for a
given assignment type, it is pre-selected and unchangeable for other include
assignment types. Therefore, a group that has already been included cannot be
used as an excluded group.

21. Click Next to display the Review + create page.

22. Click Create to add the app configuration policy to Intune.


Use the configuration designer
You can use the configuration designer for Managed Google Play apps when the app is
designed to support configuration settings. Configuration applies to devices enrolled in
Intune. The designer lets you configure specific configuration values for the settings
exposed by the app.

1. Select Add. Choose the list of configuration settings that you want to enter for the
app.

If you're using Gmail or Nine Work email apps, Android Enterprise device settings
to configure email has more information on these specific settings.

2. For each key and value in the configuration, set:

Value type: The data type of the configuration value. For String value types,
you can optionally choose a variable or certificate profile as the value type.
Configuration value: The value for the configuration. If you select variable or
certificate for the Value type, choose from a list of variables or certificate
profiles. If you choose a certificate, then the certificate alias of the certificate
deployed to the device is populated at runtime.

Supported variables for configuration values
You can choose the following options if you choose variable as the value type:

Option                Example
Azure AD Device ID    dc0dc142-11d8-4b12-bfea-cae2a8514c82
Account ID            fc0dc142-71d8-4b12-bbea-bae2a8514c81
Intune Device ID      b9841cd9-9843-405f-be28-b2265c59ef97
Domain                contoso.com
Mail                  john@contoso.com
Partial UPN           john
User ID               3ec2c00f-b125-4519-acf0-302ac3761822
User name             John Doe
User Principal Name   john@contoso.com

Allow only configured organization accounts in apps
As the Microsoft Intune administrator, you can control which work or school accounts
are added to Microsoft apps on managed devices. You can limit access to only allowed
organization user accounts and block personal accounts on enrolled devices. For
Android devices, use the following key/value pairs in a Managed Devices app
configuration policy:

Key com.microsoft.intune.mam.AllowedAccountUPNs

Values One or more ; delimited UPNs.
Only account(s) allowed are the managed user account(s) defined by this key.
For Intune enrolled devices, the {{userprincipalname}} token may be used to
represent the enrolled user account.

Note

The following apps process the above app configuration and only allow
organization accounts:

Edge for Android (42.0.4.4048 and later)
Office, Word, Excel, PowerPoint for Android (16.0.9327.1000 and later)
OneDrive for Android (5.28 and later)
OneNote for Android (16.0.13231.20222 or later)
Outlook for Android (2.2.222 and later)
Teams for Android (1416/1.0.0.2020073101 and later)

Enter JSON data
Some configuration settings on apps (such as apps with Bundle types) can't be
configured with the configuration designer. Use the JSON editor for those values.
Settings are supplied to apps automatically when the app is installed.

1. For Configuration settings format, select Enter JSON editor.

2. In the editor, you can define JSON values for configuration settings. You can
choose Download JSON template to download a sample file that you can then
configure.
3. Choose OK, and then choose Add.

The policy is created and shown in the list.


When the assigned app is run on a device, it runs with the settings that you configured
in the app configuration policy.

Enable connected apps

Applies to:

Android 11+

Personally-owned work profile users must have Company Portal version 5.0.5291.0 or
newer. Corporate-owned work profile users do not need a specific version of the
Microsoft Intune app for support.

You can allow users using Android personally-owned and corporate-owned work
profiles to turn on connected apps experiences for supported apps. This app
configuration setting enables apps to connect and integrate app data across the work
and personal app instances.

For an app to provide this experience, the app needs to integrate with Google's
connected apps SDK, so only limited apps support it. You can turn on the connected
apps setting proactively, and when apps add support, users will be able to enable the
connected apps experience.

Changing the Connected apps setting to Not Configured will not remove the
configuration policy from the device. To remove the Connected apps functionality from
a device, you must unassign the related configuration policy.

Warning

If you enable the connected apps functionality for an app, work data in personal
apps will not be protected by an app protection policy.

Additionally, regardless of your connected apps configuration, some OEMs may
automatically connect certain apps or may be able to request user approval to
connect apps that you did not configure. An example of an app in this case could
be the OEM's keyboard app.

There are two ways users may be able to connect work and personal apps after you've
enabled the connected apps setting:

1. A supported app may choose to prompt a user to approve connecting it across
   profiles.
2. Users can open the Settings app and go to the Connected work & personal apps
   section, where they will see all supported apps listed.

Important

If multiple app configuration policies are assigned for the same app targeting the
same device, and one policy sets Connected Apps to Enabled while the other
policy does not, the app configuration will report a conflict and the resulting
behavior applied on the device will be to disallow the connected apps.

Preconfigure the permissions grant state for apps

You can also preconfigure app permissions to access Android device features. By default,
Android apps that require device permissions, such as access to location or the device
camera, prompt users to accept or deny permissions.

For example, an app uses the device's microphone. The user is prompted to grant the
app permission to use the microphone.

1. In the Microsoft Intune admin center, select Apps > App configuration policies
   > Add > Managed devices.
2. Add the following properties:

   Name: Enter a descriptive name for the policy. Name your policies so you can
   easily identify them later. For example, a good policy name is Android
   Enterprise prompt permissions app policy for entire company.
   Description: Enter a description for the profile. This setting is optional, but
   recommended.
   Device enrollment type: This setting is set to Managed devices.
   Platform: Select Android Enterprise.

3. Select Profile Type:
4. Select Targeted App. Choose the app that you want to associate a configuration
   policy with. Select from the list of Android Enterprise fully managed work profile
   apps that you've approved and synchronized with Intune.
5. Select Permissions > Add. From the list, select the available app permissions > OK.
6. Select an option for each permission to grant with this policy:

   Prompt: Prompt the user to accept or deny.
   Auto grant: Automatically approve without notifying the user.
   Auto deny: Automatically deny without notifying the user.

7. To assign the app configuration policy, select the app configuration policy >
   Assignment > Select groups. Choose the user groups to assign > Select.
8. Choose Save to assign the policy.

Additional information

Assign a Managed Google Play app to Android Enterprise personally-owned and
corporate-owned work profile devices
Deploying Outlook for iOS/iPadOS and Android app configuration settings

Next steps

Continue to assign and monitor the app.

App configuration policies for Intune App SDK managed apps
Article • 04/05/2023

The Intune App Software Development Kit (SDK) supports app configuration delivery
through the mobile app management (MAM) channel. Within the Intune admin center,
the MAM channel is referred to as a Managed Apps app configuration policy. The MAM
channel is different than the mobile device management (MDM) OS platform channels
that are offered when a device is enrolled.

To support app configuration through the MAM channel, the app must be integrated
with Intune App SDK. Line-of-business apps can either integrate the Intune App SDK or
use the Intune App Wrapping Tool. For a comparison between the Intune App SDK and
the Intune App Wrapping Tool, see Prepare line-of-business apps for app protection
policies.

By using the MAM channel, apps can receive app configuration policies regardless of
the device enrollment state. For information on which apps support app configuration
through the MAM channel, see Microsoft Intune protected apps. Documentation from
the app vendor should be reviewed to see what configurations are available and how
the configurations influence the behavior of the app.

For more information, see App configuration policies for Microsoft Intune.

Note

Intune requires Android 8.x or higher for device enrollment scenarios and app
configuration delivered through Managed devices app configuration policies. This
requirement does not apply to Microsoft Teams Android devices as these
devices will continue to be supported.

For Intune app protection policies and app configuration delivered through
Managed apps app configuration policies, Intune requires Android 9.0 or higher.

Add a Managed apps app configuration policy

Use the following steps to create a Managed apps app configuration policy. After the
configuration is created, you can assign its settings to groups of users.

1. Sign in to the Microsoft Intune admin center.
2. Choose Apps > App configuration policies > Add > Managed apps.
3. On the Basics page, set the following details:

   Name: The name of the profile that will appear in the portal.
   Description: The description of the profile that will appear in the portal.
   Device enrollment type: Managed apps is selected.

4. Choose either Select public apps or Select custom apps to choose the app that
   you are going to configure. Select the app from the list of apps that you've
   approved and synchronized with Intune.
5. Click Next to display the Settings page.
6. The Settings page provides options that are displayed based on the app that
   you're configuring:

   General configuration settings - For each general configuration setting that
   the app supports, type the Name and Value.

   Intune App SDK-enabled apps support configurations in key/value pairs. To
   learn more about which key-value configurations are supported, consult the
   documentation for each app. Note that you can use tokens that will be
   dynamically populated with data generated by the application. To delete a
   general configuration setting, choose the ellipsis (…) and select Delete. For
   more information, see Configuration values for using tokens.

   Note

   Use the LocalDocsMLExempt configuration key to suppress managed apps from
   opening documents contained in local storage and personal cloud storage.
   Personal cloud storage includes personal OneDrive and iCloud. For related
   app configuration information, see App configuration policies for Microsoft
   Intune.

   For information about app configuration settings for specific Microsoft apps, see:

   Manage Microsoft Edge on iOS and Android with Intune
   Manage collaboration experiences in Office for iOS and Android with
   Microsoft Intune
   Deploying Outlook for iOS and Android app configuration settings
   Manage collaboration experiences in Teams for iOS and Android with
   Microsoft Intune

7. Click Next to display the Assignments page.
8. Click Select groups to include.
9. Select a group in the Select groups to include pane and click Select.
10. Click Select groups to exclude to display the related pane.
11. Choose the groups you want to exclude and then click Select.

   Note

   When adding a group, if any other group has already been included for a
   given assignment type, it is pre-selected and unchangeable for other include
   assignment types. Therefore, a group that has already been included cannot
   be used as an excluded group.

12. Click Next to display the Review + create page.
13. Click Create to add the app configuration policy to Intune.

Configuration values for using tokens

Intune can generate certain tokens and send them to the managed application. For
example, if your app configuration can use an email setting, you can add a dynamic
email by using a token. Type the name expected by the app in the Name field, and then
type {{mail}} in the Value field.

Intune supports the following token types in the configuration settings. Other custom
key/value pairs aren't supported.

{{userprincipalname}}—for example, John@contoso.com
{{mail}}—for example, John@contoso.com
{{partialupn}}—for example, John
{{accountid}}—for example, fc0dc142-71d8-4b12-bbea-bae2a8514c81
{{userid}}—for example, 3ec2c00f-b125-4519-acf0-302ac3761822
{{username}}—for example, John Doe
{{PrimarySMTPAddress}}—for example, testuser@ad.domain.com

Note

The {{ and }} characters are used by token types only and must not be used for
other purposes.
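Worked example, added here and not code from this article or from Intune: it models how a token such as {{userprincipalname}} becomes a concrete value in an app configuration, and it expresses the com.microsoft.intune.mam.AllowedAccountUPNs key described earlier under "Allow only configured organization accounts in apps" in the JSON form that the "Enter JSON data" method for Managed devices accepts. Assumptions: the envelope (kind, productId, managedProperty with valueString) is the Managed Google Play managed configuration format that Intune's JSON template produces; token names are matched case-insensitively; SAMPLE_IDENTITY is a constructed identity standing in for the enrolled user's data that Intune substitutes at delivery time, so the substitution step here is a model of that behaviour, not Intune's own implementation.

```python
"""Added example: resolving Intune app configuration tokens and expressing the
AllowedAccountUPNs restriction in Managed devices JSON. Illustrative code,
not Intune's implementation."""
from __future__ import annotations

import json
import re

# Token names this article documents. Matched case-insensitively (an assumption;
# the article writes {{PrimarySMTPAddress}} in mixed case).
SUPPORTED_TOKENS = {
    "userprincipalname", "mail", "partialupn", "accountid",
    "userid", "username", "primarysmtpaddress",
}
TOKEN_RE = re.compile(r"\{\{([A-Za-z]+)\}\}")

# Constructed sample identity (not a real account): stands in for the enrolled
# user's data that Intune substitutes into the policy at delivery time.
SAMPLE_IDENTITY = {
    "userprincipalname": "john@contoso.com",
    "mail": "john@contoso.com",
    "partialupn": "john",
    "accountid": "fc0dc142-71d8-4b12-bbea-bae2a8514c81",
    "userid": "3ec2c00f-b125-4519-acf0-302ac3761822",
    "username": "John Doe",
    "primarysmtpaddress": "john@contoso.com",
}

ALLOWED_UPNS_KEY = "com.microsoft.intune.mam.AllowedAccountUPNs"


def resolve_tokens(value: str, identity: dict) -> str:
    """Replace each {{token}} in a configuration value with the user's data.

    The article reserves {{ and }} for tokens, so an unknown token or a stray
    brace pair is rejected instead of being passed through to the app.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1).lower()
        if name not in SUPPORTED_TOKENS:
            raise ValueError("unsupported token " + match.group(0))
        return identity[name]

    resolved = TOKEN_RE.sub(substitute, value)
    if "{{" in resolved or "}}" in resolved:
        raise ValueError("stray {{ or }} in configuration value: " + value)
    return resolved


def build_allowed_accounts_config(package: str, upns: list[str]) -> dict:
    """Managed devices app configuration that limits the app to the given
    accounts. The UPN list is ';'-delimited, as the article specifies; the
    envelope is the managed configuration format Intune's JSON template uses."""
    return {
        "kind": "androidenterprise#managedConfiguration",
        "productId": f"app:{package}",
        "managedProperty": [
            {"key": ALLOWED_UPNS_KEY, "valueString": ";".join(upns)},
        ],
    }


def render_for_user(config: dict, identity: dict) -> dict:
    """Copy of the configuration with every string value's tokens resolved."""
    rendered = json.loads(json.dumps(config))  # cheap deep copy
    for item in rendered["managedProperty"]:
        if "valueString" in item:
            item["valueString"] = resolve_tokens(item["valueString"], identity)
    return rendered


def allowed_upns(rendered: dict) -> list[str]:
    """The accounts the app will accept, read back from a rendered config."""
    for item in rendered["managedProperty"]:
        if item["key"] == ALLOWED_UPNS_KEY:
            return [u for u in item["valueString"].split(";") if u]
    return []


if __name__ == "__main__":
    policy = build_allowed_accounts_config(
        "com.microsoft.emmx", ["{{userprincipalname}}", "helpdesk@contoso.com"])
    print(json.dumps(render_for_user(policy, SAMPLE_IDENTITY), indent=2))
```

The policy object stays generic (tokens unresolved) so one policy serves every assigned user, and the rejection of unknown braces catches a typo like {{upn}} before it reaches the app, where it would otherwise be treated as a literal account name and silently lock out the intended user.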

Next steps

Continue to assign and monitor the app as usual.

Use iOS app provisioning profiles to prevent your apps from expiring
Article • 03/31/2023

Introduction
Apple iOS/iPadOS line-of-business apps that are assigned to iPhones and iPads are built
with an included provisioning profile and code that is signed with a certificate. When the
app is run, iOS/iPadOS confirms the integrity of the iOS/iPadOS app and enforces
policies that are defined by the provisioning profile. The following validations happen:

Installation file integrity - iOS/iPadOS compares the app's details with the
enterprise signing certificate's public key. If they differ, the app's content might
have changed, and the app is not allowed to run.
Capabilities enforcement - iOS/iPadOS attempts to enforce the app's capabilities
from the enterprise provisioning profile (not individual developer provisioning
profiles) that are in the app installation (.ipa) file.

The enterprise signing certificate that you use to sign apps typically lasts for three years.
However, the provisioning profile expires after a year. While the certificate is still valid,
Intune gives you the tools to proactively assign a new provisioning profile to devices
that have apps that are nearing expiry. After the certificate expires, you must sign the
app again with a new certificate and embed a new provisioning profile with the key of
the new certificate.

As the admin, you can include and exclude security groups to assign iOS/iPadOS app
provisioning configuration. For example, you can assign an iOS/iPadOS app provisioning
configuration to All Users, but exclude an executive group.
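The expiry check the paragraphs above motivate, as an added example that is not part of this article or of Intune: it reads the ExpirationDate (and a few identifying fields) out of a .mobileprovision file so an admin can spot profiles that need a replacement uploaded before the one-year limit. Assumptions: a .mobileprovision file is a CMS-signed message whose XML plist payload appears in clear text, which is how Apple's profiles are built; the sample file produced by make_sample_profile is constructed and carries no real signature; the TeamIdentifier and application-identifier values are placeholders; and the code does not verify the CMS signature, so it reports metadata rather than proving who signed the profile.

```python
"""Added example: read the expiry of an iOS provisioning profile so that a new
profile can be assigned before apps stop launching. Not Intune's code."""
from __future__ import annotations

import plistlib
from datetime import datetime, timezone

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def extract_profile_plist(data: bytes) -> dict:
    """Pull the XML property list out of a .mobileprovision file.

    The file is a CMS (PKCS#7) signed message whose payload is an XML plist,
    and the plist bytes appear in clear text inside the signature envelope, so
    they can be located without a CMS parser. Nothing here checks the
    signature, so treat the result as untrusted metadata, not as proof of who
    signed the profile.
    """
    start = data.find(PLIST_START)
    end = data.find(PLIST_END, start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(data[start:end + len(PLIST_END)])


def _as_utc(value: datetime | str) -> datetime:
    """Normalise a naive datetime (plistlib returns these) or ISO text to UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def days_until_expiry(profile: dict, now: str) -> int:
    """Whole days until ExpirationDate; negative once the profile has expired."""
    return (_as_utc(profile["ExpirationDate"]) - _as_utc(now)).days


def profile_summary(data: bytes, now: str, warn_days: int = 30) -> dict:
    """Report what an admin needs to decide whether to upload a new profile."""
    profile = extract_profile_plist(data)
    remaining = days_until_expiry(profile, now)
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamIdentifier", [None])[0],
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "days_remaining": remaining,
        "action": ("expired" if remaining < 0
                   else "renew" if remaining <= warn_days
                   else "ok"),
    }


def make_sample_profile(expires: str) -> bytes:
    """Constructed stand-in for a .mobileprovision file: a minimal plist inside
    fake CMS bytes. Real profiles carry a DER signature and many more keys;
    the team and app identifiers here are placeholders."""
    plist = plistlib.dumps({
        "Name": "Contoso LOB Distribution",
        "TeamIdentifier": ["PLACEHOLDERTEAM"],
        "ExpirationDate": _as_utc(expires).replace(tzinfo=None),
        "Entitlements": {
            "application-identifier": "PLACEHOLDERTEAM.com.contoso.lob"},
    })
    return b"FAKE-CMS-HEADER" + plist + b"FAKE-CMS-SIGNATURE"


if __name__ == "__main__":
    sample = make_sample_profile("2023-01-21")
    print(profile_summary(sample, "2023-01-01"))
```

Run it over the profiles you have uploaded to Intune on a schedule and act on any "renew" result: the profile expires a full two years before the signing certificate does, so a calendar built only around the certificate misses the deadline that actually stops the app.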

How to create an iOS mobile app provisioning profile

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > iOS app provisioning profiles > Create profile.
3. On the Basics page, add the following values:

   Name - Provide a name for this mobile provisioning profile.
   Description - Optionally, provide a description for the policy.
   Upload profile file - Choose the Open icon, and then choose an Apple Mobile
   Configuration Profile file (with the extension .mobileprovision) that you
   downloaded from the Apple Developer website.

   The Expiration date will be populated from a value in the Apple Mobile
   Configuration Profile file that you added above.

4. Click Next: Scope tags.

   On the Scope tags page you can optionally configure scope tags to determine
   who can see the iOS/iPadOS app provisioning profile in Intune. For more information
   about scope tags, see Use role-based access control and scope tags for distributed
   IT.

5. Click Next: Assignments.

   The Assignments page allows you to assign the profile to users and devices. It is
   important to note that you can assign a profile to a device whether or not the
   device is managed by Intune.

6. Click Next: Review + create to review the values you entered for the profile.
7. When you are done, click Create to create the iOS/iPadOS app provisioning profile
   in Intune.

Next steps

Assign the profile to the required iOS/iPadOS devices. For more information, use the
steps in How to assign device profiles.

Configure the Microsoft Managed Home Screen app for Android Enterprise
Article • 08/14/2023

The Managed Home Screen is the application used for corporate-owned Android
Enterprise dedicated devices enrolled via Intune and running in multi-app kiosk mode.
For these devices, the Managed Home Screen acts as the launcher for other approved
apps to run on top of it. The Managed Home Screen provides IT admins the ability to
customize their devices and to restrict the capabilities that the end user can access. For
even more details, see How to setup Microsoft Managed Home Screen on Dedicated
devices in multi-app kiosk mode .

When to configure the Microsoft Managed Home Screen app

First, ensure that your devices are supported. Intune supports the enrollment of Android
Enterprise dedicated devices for Android devices running OS version 8.0 and above that
reliably connect to Google Mobile Services. Similarly, Managed Home Screen supports
Android devices running OS version 8.0 and above.

Typically, if settings are available to you through Device configuration, configure the
settings there. Doing so will save you time, minimize errors, and will give you a better
Intune-support experience. However, some of the Managed Home Screen settings are
currently only available via the App configuration policies pane in the Intune admin
center. Use this document to learn how to configure the different settings either using
the configuration designer or a JSON script. Additionally, use this document to learn
what Managed Home Screen settings are available using Device configuration. You may
also see Dedicated device settings for a full list of settings available in Device
configuration that impact the Managed Home Screen.

If using App configuration, navigate to the Microsoft Intune admin center and select
Apps > App configuration policies. Add a configuration policy for Managed devices
running Android and choose Managed Home Screen as the associated app. Select
Configuration settings to configure the different available Managed Home Screen
settings.
Choosing a Configuration Settings Format

There are two methods that you can use to define configuration settings for Managed
Home Screen:

Configuration designer allows you to configure settings with an easy-to-use UI
that lets you toggle features on or off and set values. In this method, there are a
few disabled configuration keys with value type BundleArray. These configuration
keys can only be configured by entering JSON data.
JSON data allows you to define all possible configuration keys using a JSON script.

If you add properties with Configuration Designer, you can automatically convert these
properties to JSON by selecting Enter JSON data from the Configuration settings
format dropdown.

Using Configuration Designer

Configuration designer allows you to select pre-populated settings and their associated
values.

The following table lists the Managed Home Screen available configuration keys, value
types, default values, and descriptions. The description provides the expected device
behavior based on selected values. Configuration keys of type BundleArray are disabled
in the Configuration Designer and are further described in the Enter JSON Data section
of this document.

Configuration to customize applications, folders, and general appearance of Managed
Home Screen:

(Each entry lists the configuration key, its value type, its default value, whether
the same setting is available in device configuration, and a description.)

Set allow-listed applications
  Value type: bundleArray
  Default value: See the Enter JSON Data section of this document.
  Available in device configuration: ✔️
  Description: Allows you to define the set of apps visible on the home screen from
  amongst the apps installed on the device. You can define the apps by entering the
  app package name of the apps that you want visible. For example,
  com.microsoft.emmx would make settings accessible on the home screen. The apps
  that you allow-list in this section should already be installed on the device to
  be visible on the home screen.

Set pinned web links
  Value type: bundleArray
  Default value: See the Enter JSON Data section of this document.
  Available in device configuration: ✔️
  Description: Allows you to pin websites as quick launch icons on the home screen.
  With this configuration, you can define the URL and add it to the home screen for
  the end user to launch in the browser with a single tap. Note: We recommend that
  you create, assign, and approve Managed Google Play web links to your devices.
  When you do, they're treated like allow-listed applications.

Create Managed Folder for grouping apps
  Value type: bundleArray
  Default value: See the Enter JSON Data section of this document.
  Available in device configuration: ✔️
  Description: Allows you to create and name folders and group apps within these
  folders. End users can't move folders, rename the folders, or move the apps within
  the folders. Folders will appear in the order created, and apps within the folders
  will appear alphabetically. Note: all apps that you want to group into folders must
  be assigned as required to the device and must have been added to the Managed Home
  Screen.

Set Grid Size
  Value type: string
  Default value: Auto
  Available in device configuration: ✔️
  Description: Allows you to set the grid size for apps to be positioned on the
  managed home screen. You can set the number of app rows and columns to define grid
  size in the following format: columns;rows. If you define the grid size, then the
  maximum number of apps shown in a row on the home screen is the number of rows you
  set. The maximum number of apps shown in a column on the home screen is the number
  of columns you set.

Lock Home Screen
  Value type: bool
  Default value: TRUE
  Available in device configuration: ✔️
  Description: Removes the ability of the end user to move around app icons on the
  home screen. If you enable this configuration key, the app icons on the home screen
  are locked. End users can't drag and drop to different grid positions on the home
  screen. If turned to false, end users can move around application and weblink
  icons on the Managed Home Screen.

Application order enabled
  Value type: bool
  Default value: FALSE
  Available in device configuration: ✔️
  Description: Turning this setting to True enables the ability to set the order of
  applications, weblinks, and folders on the Managed Home Screen. Once enabled, set
  the ordering with app_order.

Application order
  Value type: bundleArray
  Default value: See the Enter JSON Data section of this document.
  Available in device configuration: ✔️
  Description: Allows you to specify the order of applications, weblinks, and folders
  on the Managed Home Screen. To use this setting, Lock Home Screen must be enabled,
  Set grid size must be defined, and Application order enabled must be set to True.

Applications in folder are ordered by name
  Value type: bool
  Default value: TRUE
  Available in device configuration: ❌
  Description: False allows items in a folder to appear in the order they're
  specified. Otherwise, they'll appear in the folder alphabetically.

Set app icon size
  Value type: integer
  Default value: 2
  Available in device configuration: ✔️
  Description: Allows you to set the icon size for apps displayed on the home screen.
  You can choose the following values in this configuration for different sizes: 0
  (Smallest), 1 (Small), 2 (Regular), 3 (Large) and 4 (Largest).

Set app folder icon
  Value type: integer
  Default value: 0
  Available in device configuration: ✔️
  Description: Allows you to define the appearance of app folders on the home screen.
  You can choose the appearance from the following values: Dark Square (0); Dark
  Circle (1); Light Square (2); Light Circle (3).

Set screen orientation
  Value type: integer
  Default value: 1
  Available in device configuration: ✔️
  Description: Allows you to set the orientation of the home screen to portrait mode,
  landscape mode or allow auto rotate. You can set the orientation by entering values
  1 (for portrait mode), 2 (for landscape mode), 3 (for autorotate).

Set device wallpaper
  Value type: string
  Default value: Default
  Available in device configuration: ✔️
  Description: Allows you to set a wallpaper of your choice. Enter the URL of the
  image that you want to set as a wallpaper.

Define theme color
  Value type: string
  Default value: light
  Available in device configuration: ❌
  Description: Specify if you want Managed Home Screen to run in "light" or "dark"
  mode.

Block pinning browser web pages to MHS
  Value type: bool
  Default value: FALSE
  Available in device configuration: ✔️
  Description: Set this restriction to true to block users from pinning web pages
  from any browser onto Managed Home Screen.
Configurations for device peripherals and Managed Home Screen settings (each entry
lists the configuration key, value type, default value, availability in device
configuration, and description):

Show Managed Setting
  Value type: bool
  Default value: TRUE
  Available in device configuration: ✔️
  Description: "Managed Setting" is a Managed Home Screen app that appears only if
  you've configured any settings for quick access. These settings can include the
  Show Wi-Fi setting, Show Bluetooth setting, Show volume setting, and Show
  flashlight setting. These settings can also be accessed by swiping down on the
  screen. Set this key to False to hide the "Managed Setting" app and have end users
  access settings only via swiping down.

Show Wi-Fi setting
  Value type: bool
  Default value: FALSE
  Available in device configuration: ✔️
  Description: Turning this setting to True allows the end user to connect to
  different Wi-Fi networks.

Enable Wi-Fi allow-list
  Value type: bool
  Default value: FALSE
  Available in device configuration: ✔️
  Description: True applies the Wi-Fi allow-list key to restrict what Wi-Fi networks
  are shown within Managed Home Screen. Set to False to show all available Wi-Fi
  networks the device has discovered. This setting is only relevant if Show Wi-Fi
  setting has been set to True and the Wi-Fi allow-list has been filled out.

Wi-Fi allow-list
  Value type: bundleArray
  Default value: See the Enter JSON Data section of this document.
  Available in device configuration: ✔️
  Description: Allows you to list all the SSIDs of the Wi-Fi networks you want the
  device to show within Managed Home Screen. This list is only relevant if Show Wi-Fi
  setting and Enable Wi-Fi allow-list have been set to True. If either setting has
  been set to False, then you don't need to modify this configuration.

Show Bluetooth setting
  Value type: bool
  Default value: FALSE
  Available in device configuration: ✔️
  Description: Turning this setting to True allows the end user to turn Bluetooth on
  or off and to connect to different Bluetooth-capable devices.

Show volume setting
  Value type: bool
  Default value: FALSE
  Available in device configuration: ✔️
  Description: Turning this setting to True allows the end user to access a volume
  slider to adjust media volume.

Show flashlight setting
  Value type: bool
  Default value: FALSE
  Available in device configuration: ✔️
  Description: Turning this setting to True allows the end user to turn the device's
  flashlight on or off. If the device doesn't support a flashlight, then this setting
  won't appear, even if configured to True.

Show device info setting
  Value type: bool
  Default value: FALSE
  Available in device configuration: ✔️
  Description: True allows end users to access quick info about the device from the
  Managed Setting app or swipe-down. Accessible information includes the device's
  make, model, and serial number for OS 8.

Show device's name on MHS
  Value type: bool
  Default value: FALSE
  Available in device configuration: ❌
  Description: Turn this setting to True to easily view the device's Intune admin
  center "device name" property from the Managed Settings app or from swipe-down when
  Show device info setting is set to True. Make sure to also include the string
  property "Device's name," which is auto-populated by Intune with the correct value.

Show serial number for all supported OS version on MHS
  Value type: choice
  Default value: {{serialnumber}}
  Available in device configuration: ❌
  Description: Ensure that the in-app configuration device_serial_number is
  configured to display {{SerialNumber}} and that Show device info setting is set to
  True. This value is auto-populated by Intune with the correct value.

Enable virtual home button
  Value type: bool
  Default value: FALSE
  Available in device configuration: ✔️
  Description: True allows end users to have access to a Managed Home Screen home
  button that will return the user to the Managed Home Screen from the current task
  they are in.

Type of virtual home button
  Value type: string
  Default value: swipe_up
  Available in device configuration: ✔️
  Description: Use swipe_up to access the home button with a swipe up gesture. Use
  float to access a sticky, persistent home button that can be moved around the
  screen by the end user.

Enable notifications badge
  Value type: bool
  Default value: FALSE
  Available in device configuration: ✔️
  Description: Enables the notification badge for app icons that shows the number of
  new notifications on the app. If you enable this setting, end users will see
  notification badges on apps that have unread notifications. If you keep this
  configuration key disabled, the end user won't see any notification badges on apps
  that might have unread notifications.

Battery and Signal Strength indicator bar
  Value type: bool
  Default value: TRUE
  Available in device configuration: ❌
  Description: Turning this setting to True shows the battery and signal strength
  indicator bar.

Important

The Managed Home Screen app has been updated at the API level to better adhere
to the Google Play Store's requirements. In doing so, there were some changes
to how Wi-Fi configuration works from Managed Home Screen. The changes
include the following:

Being unable to change (enable or disable) the Wi-Fi connection for the
device. Users will be able to switch between networks, but will not be able to
turn on/off Wi-Fi.
Being unable to automatically connect to a configured Wi-Fi network that
requires a password for the first time. The configured network will
automatically connect after you enter the password the first time.

On Android devices running OS 11, when an end user tries to connect to a network
via the Managed Home Screen app, they will get prompted with a consent pop-up.
This pop-up comes from the Android platform, and is not specific to the Managed
Home Screen app. Additionally, when an end user tries to connect to a password
protected network via the Managed Home Screen app, they will be asked to input
the password. Even if the password is correct, the network will only change if the
device is not connected to a network. Devices that are already connected to a
stable network will not be able to connect to a password protected network via the
Managed Home Screen app.

On Android devices running OS 10, when an end user tries to connect to a network
via the Managed Home Screen app, they will get prompted with a consent via
notifications. Because of this prompt, users on OS 10 will need to have access to
the status bar and notifications in order to complete the consent step. Use the
General settings for dedicated devices to make the status bar and notifications
available to your end users, if appropriate. Additionally, when an end user tries to
connect to a password protected network via the Managed Home Screen app, they
will be asked to input the password. Even if the password is correct, the network
will only change if the device is not already connected to a stable network.

Important

For devices running on Android 10+ and using Managed Home Screen, for
Bluetooth pairing to successfully work on devices that require a pairing key, admins
must enable the following Android system apps:

Android System Bluetooth
Android System Settings
Android System UI

For more information on how to enable Android system apps, go to: Manage
Android Enterprise system apps

Configurations for a custom screensaver (each entry lists the configuration key,
value type, default value, availability in device configuration, and description):

Enable screen saver
  Value type: bool
  Default value: FALSE
  Available in device configuration: ✔️
  Description: Whether to enable screen saver mode. If set to true, you can configure
  screen_saver_image, screen_saver_show_time, inactive_time_to_show_screen_saver, and
  media_detect_screen_saver.

Screen saver image
  Value type: string
  Default value: (none)
  Available in device configuration: ✔️
  Description: Set the URL of the screen saver image. If no URL is set, devices will
  show the default screen saver image when the screen saver is activated. The default
  image shows the Managed Home Screen app icon.

Screen saver show time
  Value type: integer
  Default value: 0
  Available in device configuration: ✔️
  Description: Gives the option to set the amount of time in seconds the device will
  display the screen saver during screen saver mode. If set to 0, the screen saver
  will show in screen saver mode indefinitely until the device becomes active.

Inactive time to enable screen saver
  Value type: integer
  Default value: 30
  Available in device configuration: ✔️
  Description: The number of seconds the device is inactive before triggering the
  screen saver. If set to 0, the device will never go into screen saver mode.

Media detect before showing screen saver
  Value type: bool
  Default value: TRUE
  Available in device configuration: ✔️
  Description: Choose whether the device screen should show the screen saver if
  audio/video is playing on the device. If set to true, the device won't play
  audio/video, regardless of the value in inactive_time_to_show_screen_saver. If set
  to false, the device screen will show the screen saver according to the value set
  in inactive_time_to_show_screen_saver.

Note

Managed Home Screen will start the screensaver whenever the lock screen appears. If
the system's lock screen timeout is longer than Screen saver show time, then the
screen saver will show until the lock screen appears. If the system's lock screen
timeout is shorter than Inactive time to enable screen saver, the screensaver will
appear as soon as the device's lock screen appears.

Configurations to help with troubleshooting issues on the device (each entry lists
the configuration key, value type, default value, availability in device
configuration, and description):

Exit lock task mode password
  Value type: string
  Default value: (none)
  Available in device configuration: ✔️
  Description: Enter a 4-6-digit code to use to temporarily drop out of lock-task
  mode for troubleshooting.

Enable easy access debug menu
  Value type: bool
  Default value: FALSE
  Available in device configuration: ✔️
  Description: Turn this setting to True to access the debug menu from the Managed
  Settings app or from swipe-down while in Managed Home Screen. The debug menu is
  currently where the capability to exit kiosk mode lives, and is accessed by
  clicking the back button about 15 times. Keep this setting set to False to keep
  the entry point to the debug menu only accessible via the back button.

Enable MAX inactive time outside of MHS
  Value type: bool
  Default value: FALSE
  Available in device configuration: ❌
  Description: Turn this setting to True to automatically re-launch Managed Home
  Screen after a set period of inactivity. The timer will only count inactive time
  and, when configured, will reset each time the user interacts with the device while
  outside of Managed Home Screen. Use MAX inactive time outside MHS to set the
  inactivity timer. By default, this setting is off. This setting can only be used if
  Exit lock task mode password has been configured.

MAX inactive time outside MHS
  Value type: integer
  Default value: 180
  Available in device configuration: ❌
  Description: Set the maximum amount of inactive time, in seconds, that a user can
  spend outside of Managed Home Screen before it is automatically re-launched. By
  default, this configuration is set to 180 seconds. Enable MAX inactive time outside
  of MHS must be set to true to use this setting.

Enable MAX time outside MHS
  Value type: bool
  Default value: FALSE
  Available in device configuration: ❌
  Description: Turn this setting to True to automatically re-launch Managed Home
  Screen after a set period of time has passed. The timer will factor in both
  inactive and active time spent outside of Managed Home Screen. Use MAX time outside
  MHS to set the timer. By default, this setting is off. This setting can only be
  used if Exit lock task mode password has been configured.

MAX time outside MHS
  Value type: integer
  Default value: 600
  Available in device configuration: ❌
  Description: Set the maximum amount of absolute time, in seconds, that a user can
  spend outside of Managed Home Screen before it is automatically re-launched. By
  default, this configuration is set to 600 seconds. Enable MAX time outside of MHS
  must be set to true to use this setting.
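Added example, not from this article or from the Managed Home Screen project: it builds a Managed Home Screen configuration in the JSON format the Enter JSON data method accepts (the allow-list and managed-folder bundleArrays from the first table, the screensaver keys from the screensaver table, and the exit code from the troubleshooting table) and lints it before assignment against constraints the tables state: apps grouped into a managed folder must also be allow-listed, a screen saver whose inactive time is 0 never starts, and the Exit lock task mode password must be a 4-6 digit code. The lint also flags a repeated-digit or straight-run exit code, which goes beyond the document. Assumptions: the envelope and the valueBool/valueInteger/valueString/valueBundleArray typing follow the Managed Google Play managed configuration format that Intune's JSON template produces; the key names screen_saver_image, screen_saver_show_time, inactive_time_to_show_screen_saver and media_detect_screen_saver are taken from the tables, while applications, package, managed_folders, folder_name, screen_saver_enabled, exit_lock_task_mode_code and the package name com.microsoft.launcher.enterprise are assumed and should be confirmed against the Enter JSON Data section of this document; the package names and exit code in the sample are constructed input.

```python
"""Added example: build and lint a Managed Home Screen app configuration in the
JSON format used by the Enter JSON data method. Not part of Managed Home Screen
or Intune."""
from __future__ import annotations

import json

# Key names printed in the tables of this document.
KEY_SS_IMAGE = "screen_saver_image"
KEY_SS_SHOW_TIME = "screen_saver_show_time"
KEY_SS_INACTIVE = "inactive_time_to_show_screen_saver"
KEY_SS_MEDIA = "media_detect_screen_saver"
# ASSUMED key and package names (not printed on this page): confirm them against
# the Enter JSON Data section of this document before relying on them.
KEY_APPS = "applications"
KEY_PACKAGE = "package"
KEY_FOLDERS = "managed_folders"
KEY_FOLDER_NAME = "folder_name"
KEY_SS_ENABLED = "screen_saver_enabled"
KEY_EXIT_CODE = "exit_lock_task_mode_code"
MHS_PACKAGE = "com.microsoft.launcher.enterprise"

VALUE_FIELDS = ("valueBool", "valueInteger", "valueString", "valueBundleArray")


def prop(key: str, value) -> dict:
    """One managedProperty entry, typed the way the JSON template expects
    (bool is tested before int because bool is an int subclass in Python)."""
    if isinstance(value, bool):
        return {"key": key, "valueBool": value}
    if isinstance(value, int):
        return {"key": key, "valueInteger": value}
    if isinstance(value, str):
        return {"key": key, "valueString": value}
    if isinstance(value, list):
        return {"key": key, "valueBundleArray": value}
    raise TypeError(f"unsupported value for {key}: {value!r}")


def bundle(*props: dict) -> dict:
    """One element of a bundleArray: a nested managedProperty list."""
    return {"managedProperty": list(props)}


def build_mhs_config(allowed: list[str], folders: dict[str, list[str]],
                     screensaver: dict, exit_code: str | None) -> dict:
    """Compose the configuration: allow-listed apps, managed folders, screen
    saver settings and, optionally, the exit lock task mode code."""
    props = [
        prop(KEY_APPS, [bundle(prop(KEY_PACKAGE, p)) for p in allowed]),
        prop(KEY_FOLDERS, [
            bundle(prop(KEY_FOLDER_NAME, name),
                   prop(KEY_APPS, [bundle(prop(KEY_PACKAGE, p)) for p in pkgs]))
            for name, pkgs in folders.items()]),
        prop(KEY_SS_ENABLED, screensaver.get("enabled", False)),
        prop(KEY_SS_IMAGE, screensaver.get("image", "")),
        prop(KEY_SS_SHOW_TIME, screensaver.get("show_time", 0)),      # 0 = indefinitely
        prop(KEY_SS_INACTIVE, screensaver.get("inactive_time", 30)),  # 0 = never
        prop(KEY_SS_MEDIA, screensaver.get("media_detect", True)),
    ]
    if exit_code is not None:
        props.append(prop(KEY_EXIT_CODE, exit_code))
    return {"kind": "androidenterprise#managedConfiguration",
            "productId": f"app:{MHS_PACKAGE}",
            "managedProperty": props}


def _values(node: dict) -> dict:
    """Flatten one managedProperty list to {key: value}."""
    out = {}
    for item in node["managedProperty"]:
        for field in VALUE_FIELDS:
            if field in item:
                out[item["key"]] = item[field]
    return out


def _packages(bundles: list[dict]) -> set[str]:
    return {item["valueString"] for b in bundles
            for item in b["managedProperty"] if item["key"] == KEY_PACKAGE}


def lint_mhs_config(config: dict) -> list[str]:
    """Findings against the rules the document states; empty means clean."""
    v = _values(config)
    findings: list[str] = []
    allowed = _packages(v.get(KEY_APPS, []))
    for folder in v.get(KEY_FOLDERS, []):
        fv = _values(folder)
        missing = _packages(fv.get(KEY_APPS, [])) - allowed
        if missing:  # folder apps must also have been added to Managed Home Screen
            findings.append(f"folder {fv.get(KEY_FOLDER_NAME)!r} groups apps that "
                            f"are not allow-listed: {sorted(missing)}")
    if v.get(KEY_SS_ENABLED):
        if v.get(KEY_SS_INACTIVE, 30) == 0:
            findings.append("screen saver is enabled but inactive time is 0, "
                            "so it never starts")
        if v.get(KEY_SS_SHOW_TIME, 0) < 0 or v.get(KEY_SS_INACTIVE, 30) < 0:
            findings.append("screen saver timers must not be negative")
    code = v.get(KEY_EXIT_CODE)
    if code is not None:
        code = str(code)
        if not (code.isdigit() and 4 <= len(code) <= 6):
            findings.append("exit lock task mode code must be a 4-6 digit code")
        elif len(set(code)) == 1 or code in "0123456789" or code in "9876543210":
            # Beyond the document: a repeated digit or a straight run is easy to
            # guess, and this code is the way out of kiosk mode.
            findings.append("exit lock task mode code is a trivial sequence")
    return findings


if __name__ == "__main__":
    # Constructed sample input: a kiosk with Edge and Teams, one folder, and a
    # screen saver after 60 s of inactivity.
    cfg = build_mhs_config(
        allowed=["com.microsoft.emmx", "com.microsoft.teams"],
        folders={"Work": ["com.microsoft.teams"]},
        screensaver={"enabled": True, "inactive_time": 60, "show_time": 0},
        exit_code="482913")
    print(json.dumps(cfg, indent=2))
    print("findings:", lint_mhs_config(cfg))
```

Run the lint on the JSON before pasting it into the Enter JSON data editor; the same checks apply to a file produced by Download JSON template once you have filled it in, because the editor validates the JSON shape but not the cross-setting dependencies the tables describe.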

Configurations to customize Managed Home Screen experience when device is set up with Azure AD Shared device mode:

Configuration Key | Value Type | Default Value | Description | Available in device configuration
--- | --- | --- | --- | ---
Enable sign in | bool | FALSE | Turn this setting to True to enable end-users to sign into Managed Home Screen. When used with Azure AD Shared device mode, users who sign in to Managed Home Screen will get automatically signed in to all other apps on the device that have participated with Azure AD's Shared device mode. By default this setting is off. | ✔️
Sign in type | string | AAD | Set this configuration to "AAD" to sign in with an AAD account. Otherwise, set this configuration to "Other". Users who sign in with a non-AAD account won't get single sign-on to all apps that have integrated with Azure AD's Shared device mode, but will still get signed in to Managed Home Screen. By default, this setting uses "AAD" user accounts. This setting can only be used if Enable sign in has been set to True. | ✔️
Set to the url of wallpaper | string | | Allows you to set a wallpaper of your choice for the sign in screen. To use this setting, enter the URL of the image that you want set for the sign-in screen wallpaper. This image can be different than the Managed Home Screen wallpaper that is configured with Set device wallpaper. This setting can only be used if Enable sign in has been set to True. | ✔️
Enable show organization logo on sign in page | bool | TRUE | Turn this setting to True to use a company logo that will appear on the sign-in screen and the Session PIN screen. This setting is used with Organization logo on sign in page and can only be used if Enable sign in has been set to True. | ✔️
Organization logo on sign in page | string | | Allows you to brand your device with a logo of your choice on the Managed Home Screen sign-in screen and Session PIN screen. To use this setting, enter the URL of the image that you want set for the logo. This setting can only be used if Enable show organization logo on sign in page and Enable sign in have been set to True. | ✔️
Enable session PIN | bool | FALSE | Turn this setting to True if you want end-users to get prompted to create a local Session PIN after they've successfully signed in to Managed Home Screen. The Session PIN prompt will appear before end-user gets access to the home screen, and can be used in conjunction with other features. The Session PIN lasts for the duration of a user's sign-in, and is cleared upon sign-out. By default, this setting is off. This setting can only be used if Enable sign in has been set to True. | ✔️
Complexity of session PIN | string | | Choose whether the local session PIN should be simple, complex, or alphanumeric complex. If you choose simple, users will only be required to enter a numeric PIN. If you choose complex, users will get prompted to create a PIN with alphanumeric characters and no repeating (444) or ordered sequences (123, 432, 246) are allowed. Evaluation of repeating and sequential patterns begins at three (3) digits/characters. If you choose alphanumeric complex, then users will get prompted to create a PIN with alphanumeric characters, and at least one symbol or letter is required. No repeating (444) or ordered sequences (123, 432, 246) are allowed. Evaluation of repeating and sequential patterns begins at three (3) characters. The default value for this setting is one (1), where one (1) means that the user must have at least one character in their Session PIN. This setting can only be used if Enable session PIN and Enable sign in have been set to True. | ✔️ NOTE: The alphanumeric complex option is only available in app config today.
Minimum length for session PIN | string | | Define the minimum length a user's session PIN must adhere to. This can be used with any of the complexity values for session PIN. This setting can only be used if Enable session PIN and Enable sign in have been set to True. | ❌
Maximum number of attempts for session PIN | string | | Define the maximum number of times a user can attempt to enter their session PIN before getting automatically logged out from Managed Home Screen. The default value is zero (0), where zero (0) means the user gets infinite tries. This can be used with any of the complexity values for session PIN. This setting can only be used if Enable session PIN and Enable sign in have been set to True. | ❌
Customer facing folder | Bool | FALSE | Use this specification with Create Managed Folder for grouping apps to create a folder that can't be exited without a user entering their Session PIN. This setting can only be used if Enable session PIN and Enable sign in have been set to True. | ❌
Require PIN code after returning from screensaver | bool | FALSE | Turn this setting True if you want to require end-users to enter their Session PIN to resume activity on Managed Home Screen after the screensaver has appeared. This setting can only be used if Enable sign in has been set to True. | ✔️
Enable auto sign-out | bool | FALSE | Turn this setting to True to automatically sign current user out of Managed Home Screen after a specified period of inactivity. When used with Azure AD Shared device mode, users will also get signed out of all apps on the device that participate with Azure AD Shared device mode. By default, this setting is turned off. This setting can only be used if Enable sign in has been set to True. | ✔️
Auto sign-out time | integer | 300 | Set a period of inactivity, in seconds, that can pass before user gets automatically signed out of Managed Home Screen. This setting can only be used if Enable auto sign-out and Enable sign in have been set to True. | ✔️
Count down time on auto sign-out dialog | integer | 60 | The amount of time, in seconds, to give notice to user before signing them out of Managed Home Screen. This setting can only be used if Enable auto sign-out and Enable sign in have been set to True. | ✔️
Privacy statement title | string | | Optionally display your organization's custom privacy statement on Managed Home Screen, next to Microsoft's privacy statement. Use this setting to name the link containing your organization's privacy statement, which is specified in Privacy statement link. | ❌
Privacy statement link | string | | Optionally display your organization's custom privacy statement on Managed Home Screen, next to Microsoft's privacy statement. If you set a link but don't set Privacy statement title, the title will read "Custom privacy statement". | ❌

Note

Managed Home Screen uses the exact alarm permission to do the following actions:

Automatically sign users out after a set time of inactivity on the device
Launch a screen saver after a set period of inactivity
Automatically relaunch MHS after a certain period of time when a user exits kiosk mode

For devices running Android 14 and higher, by default, the exact alarm permission
will be denied. To make sure critical user functionality is not impacted, end-users
will be prompted to grant exact alarm permission upon first launch of Managed
Home Screen.

Enter JSON Data

Enter JSON data to configure all available settings for Managed Home Screen, and the settings disabled in Configuration Designer. In addition to the list of configurable settings listed in the Configuration Designer table (above), the following table provides the configuration keys you can only configure via JSON data.

Configuration Key | Value Type | Default Value | Description
--- | --- | --- | ---
Set allow-listed applications | bundleArray | | Allows you to define the set of apps visible on the home screen from all the apps installed on the device. You can define the apps by entering the app package name of the apps that you want to make visible. For example, com.android.settings would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen.
Set pinned web links | bundleArray | | Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve Managed Google Play web links to your devices. When you do, they're treated like allow-listed applications.
Create Managed Folder for grouping apps | bundleArray | | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically. Note: all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen.

The following syntax is an example JSON script with all the available configuration keys included:

```json
{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.microsoft.launcher.enterprise",
  "managedProperty": [
    {
      "key": "lock_home_screen",
      "valueBool": true
    },
    {
      "key": "wallpaper",
      "valueString": "default"
    },
    {
      "key": "icon_size",
      "valueInteger": 2
    },
    {
      "key": "app_folder_icon",
      "valueInteger": 0
    },
    {
      "key": "screen_orientation",
      "valueInteger": 1
    },
    {
      "key": "applications",
      "valueBundleArray": [
        {
          "managedProperty": [
            {
              "key": "package",
              "valueString": "app package name here"
            }
          ]
        }
      ]
    },
    {
      "key": "weblinks",
      "valueBundleArray": [
        {
          "managedProperty": [
            {
              "key": "link",
              "valueString": "link here"
            },
            {
              "key": "label",
              "valueString": "weblink label here"
            }
          ]
        }
      ]
    },
    {
      "key": "widgets",
      "valueBundleArray": [
        {
          "managedProperty": [
            {
              "key": "package",
              "valueString": "package name of application that exposes the widget here. An example: com.microsoft.launcher.enterprise"
            },
            {
              "key": "widget_class",
              "valueString": "class name of widget here. an example: Time"
            },
            {
              "key": "span_x",
              "valueInteger": 5
            },
            {
              "key": "span_y",
              "valueInteger": 2
            }
          ]
        }
      ]
    },
    {
      "key": "show_virtual_home",
      "valueBool": false
    },
    {
      "key": "virtual_home_type",
      "valueString": "swipe_up"
    },
    {
      "key": "show_virtual_status_bar",
      "valueBool": true
    },
    {
      "key": "exit_lock_task_mode_code",
      "valueString": "123456"
    },
    {
      "key": "show_wifi_setting",
      "valueBool": false
    },
    {
      "key": "show_bluetooth_setting",
      "valueBool": false
    },
    {
      "key": "show_flashlight_setting",
      "valueBool": false
    },
    {
      "key": "show_volume_setting",
      "valueBool": false
    },
    {
      "key": "show_device_info_setting",
      "valueBool": false
    },
    {
      "key": "show_device_name",
      "valueBool": false
    },
    {
      "key": "device_name",
      "valueString": "{{DeviceName}}"
    },
    {
      "key": "device_serial_number",
      "valueString": "{{SerialNumber}}"
    },
    {
      "key": "show_managed_setting",
      "valueBool": false
    },
    {
      "key": "enable_easy_access_debugmenu",
      "valueBool": false
    },
    {
      "key": "enable_wifi_allowlist",
      "valueBool": false
    },
    {
      "key": "wifi_allowlist",
      "valueBundleArray": [
        {
          "managedProperty": [
            {
              "key": "SSID",
              "valueString": "name of Wi-Fi network 1 here"
            }
          ]
        },
        {
          "managedProperty": [
            {
              "key": "SSID",
              "valueString": "name of Wi-Fi network 2 here"
            }
          ]
        }
      ]
    },
    {
      "key": "grid_size",
      "valueString": "4;5"
    },
    {
      "key": "app_order_enabled",
      "valueBool": true
    },
    {
      "key": "apps_in_folder_ordered_by_name",
      "valueBool": true
    },
    {
      "key": "app_orders",
      "valueBundleArray": [
        {
          "managedProperty": [
            {
              "key": "package",
              "valueString": "com.microsoft.emmx"
            },
            {
              "key": "type",
              "valueString": "application"
            },
            {
              "key": "container",
              "valueInteger": 1
            },
            {
              "key": "position",
              "valueInteger": 1
            }
          ]
        },
        {
          "managedProperty": [
            {
              "key": "folder_name",
              "valueString": "Work"
            },
            {
              "key": "type",
              "valueString": "managed_folder"
            },
            {
              "key": "container",
              "valueInteger": 1
            },
            {
              "key": "position",
              "valueInteger": 2
            }
          ]
        },
        {
          "managedProperty": [
            {
              "key": "package",
              "valueString": "com.microsoft.launcher.enterprise"
            },
            {
              "key": "type",
              "valueString": "application"
            },
            {
              "key": "class",
              "valueString": "com.microsoft.launcher.launcher"
            },
            {
              "key": "container",
              "valueInteger": 1
            },
            {
              "key": "position",
              "valueInteger": 3
            }
          ]
        },
        {
          "managedProperty": [
            {
              "key": "package",
              "valueString": "class name for widget here"
            },
            {
              "key": "type",
              "valueString": "widget"
            },
            {
              "key": "container",
              "valueInteger": 1
            },
            {
              "key": "position",
              "valueInteger": 1
            }
          ]
        }
      ]
    },
    {
      "key": "managed_folders",
      "valueBundleArray": [
        {
          "managedProperty": [
            {
              "key": "folder_name",
              "valueString": "Folder name here"
            },
            {
              "key": "applications",
              "valueBundleArray": [
                {
                  "managedProperty": [
                    {
                      "key": "package",
                      "valueString": "com.microsoft.emmx"
                    }
                  ]
                },
                {
                  "managedProperty": [
                    {
                      "key": "package",
                      "valueString": "com.microsoft.bing"
                    }
                  ]
                },
                {
                  "managedProperty": [
                    {
                      "key": "link",
                      "valueString": "https://microsoft.com/"
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "managedProperty": [
            {
              "key": "folder_name",
              "valueString": "Example folder name 2"
            },
            {
              "key": "is_customer_facing",
              "valueBool": true
            },
            {
              "key": "applications",
              "valueBundleArray": [
                {
                  "managedProperty": [
                    {
                      "key": "package",
                      "valueString": "com.microsoft.office.word"
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    },
    {
      "key": "show_notification_badge",
      "valueBool": true
    },
    {
      "key": "show_screen_saver",
      "valueBool": true
    },
    {
      "key": "screen_saver_image",
      "valueString": "URL to desired screen saver image here"
    },
    {
      "key": "screen_saver_show_time",
      "valueInteger": 0
    },
    {
      "key": "inactive_time_to_show_screen_saver",
      "valueInteger": 30
    },
    {
      "key": "media_detect_before_screen_saver",
      "valueBool": true
    },
    {
      "key": "enable_max_inactive_time_outside_MHS",
      "valueBool": false
    },
    {
      "key": "enable_max_absolute_time_outside_MHS",
      "valueBool": false
    },
    {
      "key": "max_inactive_time_outside_MHS",
      "valueInteger": 180
    },
    {
      "key": "max_absolute_time_outside_MHS",
      "valueInteger": 600
    },
    {
      "key": "theme_color",
      "valueString": "light"
    },
    {
      "key": "enable_mhs_signin",
      "valueBool": true
    },
    {
      "key": "block_pinning_browser_web_pages_to_MHS",
      "valueBool": true
    },
    {
      "key": "signin_type",
      "valueString": "AAD"
    },
    {
      "key": "signin_screen_wallpaper",
      "valueString": "URL to desired image for signin screen wallpaper here"
    },
    {
      "key": "enable_corporate_logo",
      "valueBool": true
    },
    {
      "key": "signin_screen_branding_logo",
      "valueString": "URL to desired image for branding logo here"
    },
    {
      "key": "enable_session_PIN",
      "valueBool": true
    },
    {
      "key": "session_PIN_complexity",
      "valueString": "simple"
    },
    {
      "key": "max_number_of_attempts_for_session_PIN",
      "valueInteger": 0
    },
    {
      "key": "minimum_length_for_session_PIN",
      "valueInteger": 1
    },
    {
      "key": "max_number_of_attempts_for_exit_PIN",
      "valueInteger": 0
    },
    {
      "key": "amount_of_time_before_try_exit_PIN_again",
      "valueInteger": 0
    },
    {
      "key": "enable_auto_signout",
      "valueBool": true
    },
    {
      "key": "inactive_time_to_signout",
      "valueInteger": 300
    },
    {
      "key": "auto_signout_time_to_give_user_notice",
      "valueInteger": 30
    },
    {
      "key": "enable_PIN_to_resume",
      "valueBool": true
    },
    {
      "key": "custom_privacy_statement_title",
      "valueString": "name of custom privacy statement here"
    },
    {
      "key": "custom_privacy_statement_url",
      "valueString": "link to custom privacy statement here"
    }
  ]
}
```
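As an added example (not Microsoft's code and not part of the Intune documentation), the following Python script loads a managedConfiguration JSON in the shape shown above, flags settings that cannot take effect because of the "can only be used if" dependencies listed in the tables, and checks a session PIN against the stated complexity rules. The mapping from table rows to JSON keys, the spellings of the two non-simple complexity values, and the reading of "ordered sequence" as a constant step between neighbouring characters are assumptions.

```python
"""Lint a Managed Home Screen managedConfiguration against the "can only be used if"
rules in the tables above, and check a session PIN against the complexity rules.
Added example for this page, not Microsoft's code: the JSON keys come from the sample
above; which table row each key implements is inferred from its name."""
import json

SIGNIN = "enable_mhs_signin"  # assumed to be the "Enable sign in" setting
SESSION_PIN = "enable_session_PIN"
AUTO_SIGNOUT = "enable_auto_signout"

# key -> keys that must be true for it to take effect
DEPENDS_ON = {
    "max_inactive_time_outside_MHS": ("enable_max_inactive_time_outside_MHS",),
    "max_absolute_time_outside_MHS": ("enable_max_absolute_time_outside_MHS",),
    "signin_screen_branding_logo": ("enable_corporate_logo", SIGNIN),
    **dict.fromkeys(("signin_type", "signin_screen_wallpaper", "enable_corporate_logo",
                     SESSION_PIN, "enable_PIN_to_resume", AUTO_SIGNOUT), (SIGNIN,)),
    **dict.fromkeys(("session_PIN_complexity", "minimum_length_for_session_PIN",
                     "max_number_of_attempts_for_session_PIN"), (SESSION_PIN, SIGNIN)),
    **dict.fromkeys(("inactive_time_to_signout", "auto_signout_time_to_give_user_notice"),
                    (AUTO_SIGNOUT, SIGNIN)),
}
# the two re-launch timers can only be used once an exit lock task mode code is configured
NEEDS_EXIT_CODE = ("enable_max_inactive_time_outside_MHS", "enable_max_absolute_time_outside_MHS")


def flatten(config):
    """Reduce the managedProperty list to {key: value}; each entry carries one value* field."""
    props = {}
    for entry in config.get("managedProperty", []):
        for field in ("valueBool", "valueString", "valueInteger", "valueBundleArray"):
            if field in entry:
                props[entry["key"]] = entry[field]
                break
    return props


def lint(config):
    """One finding per setting that is present but cannot take effect, or that weakens the PIN."""
    props = flatten(config)
    findings = []
    for key, required in DEPENDS_ON.items():
        if key in props:
            off = [r for r in required if props.get(r) is not True]
            if off:
                findings.append(f"{key} has no effect: needs {', '.join(off)} = true")
    for key in NEEDS_EXIT_CODE:
        if props.get(key) is True and not props.get("exit_lock_task_mode_code"):
            findings.append(f"{key} needs exit_lock_task_mode_code to be configured")
    # per the table, 0 attempts (also the default) means the user gets unlimited tries
    if props.get(SESSION_PIN) is True and props.get("max_number_of_attempts_for_session_PIN", 0) == 0:
        findings.append("max_number_of_attempts_for_session_PIN is 0: unlimited session PIN tries")
    return findings


def has_pattern(pin):
    """Repeating (444) or ordered (123, 432, 246) runs, evaluated from three characters on.
    Assumption: an ordered run is any three neighbours with a constant code-point step."""
    c = [ord(ch) for ch in pin]
    return any(c[i + 1] - c[i] == c[i + 2] - c[i + 1] for i in range(len(c) - 2))


def session_pin_ok(pin, complexity, min_length=1):
    """simple: digits only; complex: no runs; alphanumeric complex: no runs plus at least one
    letter or symbol. Only "simple" appears on the page, the other two spellings are assumed."""
    if len(pin) < min_length:
        return False
    if complexity == "simple":
        return pin.isdigit()
    if complexity == "complex":
        return not has_pattern(pin)
    if complexity == "alphanumeric_complex":
        return not has_pattern(pin) and any(not ch.isdigit() for ch in pin)
    raise ValueError(f"unknown session PIN complexity {complexity!r}")


# constructed sample: session PIN settings added without sign-in, one timer set without its enable key
SAMPLE = json.loads("""{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.microsoft.launcher.enterprise",
  "managedProperty": [
    {"key": "enable_mhs_signin", "valueBool": false},
    {"key": "enable_session_PIN", "valueBool": true},
    {"key": "session_PIN_complexity", "valueString": "simple"},
    {"key": "max_inactive_time_outside_MHS", "valueInteger": 180},
    {"key": "enable_max_absolute_time_outside_MHS", "valueBool": true},
    {"key": "max_absolute_time_outside_MHS", "valueInteger": 600}
  ]
}""")

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```

Run against the full sample above, the lint also reports the two re-launch timers, because the sample sets both max_*_time_outside_MHS values while leaving their enable keys false.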

Managed Home Screen debug screen

You can access the Managed Home Screen's debug screen by selecting the back button until the debug screen is displayed (select the back button 15 times or more). From this debug screen, you can launch the Android Device Policy application, view and upload logs, or temporarily pause kiosk mode to update the device. For more information about pausing kiosk mode, see the Leave kiosk mode item in the Android Enterprise dedicated device settings. If you would like an easier way to access Managed Home Screen's debug screen, you can enable the Quick access to debug menu setting using device configuration policies or you can set the Enable easy access debug menu to True using application configuration policies.

Next steps

For more information about Android Enterprise dedicated devices, see Set up Intune enrollment of Android Enterprise dedicated devices.

How to configure the Intune Company Portal apps, Company Portal website, and Intune app

Article • 03/23/2023

The Company Portal apps, Company Portal website, and Intune app on Android are where users access company data and can do common tasks. Common tasks may include enrolling devices, installing apps, and locating information (such as for assistance from your IT department). Additionally, they allow users to securely access company resources. The end-user experience provides several different pages, such as Home, Apps, App details, Devices, and Device details. To quickly find apps within the Company Portal, you can filter the apps on the Apps page.

Note

The Company Portal supports Configuration Manager applications. This feature allows end users to see both Configuration Manager and Intune deployed applications in the Company Portal for co-managed customers. This new version of the Company Portal will display Configuration Manager deployed apps for all co-managed customers. This support will help administrators consolidate their different end user portal experiences. For more information, see Use the Company Portal app on co-managed devices.

The minimum supported version of the iOS Company Portal app is v4.16.0. If users are running v4.14.1 or below, they will be prompted for an update at login.

Customizing the user experience

By customizing the end-user experience, you will help to provide a familiar and helpful
experience for your end users. To do this, sign in as a Global administrator or an Intune
service administrator. Navigate to the Microsoft Intune admin center and select
Tenant Administration > Customization where you can either edit the default policy or
create up to 10 group targeted policies. These settings will apply to the Company Portal
apps, Company Portal website, and Intune app on Android.

Branding
The following table provides the branding customization details for the end-user
experience:

Field name | More information
--- | ---
Organization name | This name is displayed throughout the messaging in the end-user experience. It can be set to display in headers as well using the Show in header setting. Max length is 40 characters.
Color | Choose Standard to choose from five standard colors. Choose Custom to select a specific color based on a hex code value.
Theme color | Set theme color to show across end-user experience. We'll automatically set the text color to black or white so that it's most visible on top of your selected theme color.
Show in header | Select whether the header in the end-user experiences should display the Organization logo and name, the Organization logo only, or the Organization name only. The preview boxes below will only show the logos, not the name.
Upload logo for theme color background | Upload the logo you want to show on top of your selected theme color. For the best appearance, upload a logo with a transparent background. You can see how this will look in the preview box below the setting. Recommended image height: Greater than 72 px. Maximum file size: 750KB. File type: PNG, JPG, or JPEG.
Upload logo for white or light background | Upload the logo you want to show on top of white or light-colored backgrounds. For the best appearance, upload a logo with a transparent background. You can see how this will look on a white background in the preview box below the setting. Recommended image height: Greater than 72 px. Maximum file size: 750KB. File type: PNG, JPG, or JPEG.
Upload brand image | Upload an image that reflects your organization's brand. Recommended image width: Greater than 1125 px. Maximum image size: 1.3 MB. File type: PNG, JPG, or JPEG. It is displayed in these locations: iOS/iPadOS Company Portal: Background image on the user's profile page. Windows Company Portal: Background image on the user's profile page. Company Portal website: Background image on the user's profile page. Android Intune app: In the drawer and as a background image on the user's profile page.

Note

When a user is installing an iOS/iPadOS application from the Company Portal they
will receive a prompt. This occurs when the iOS/iPadOS app is linked to the app
store, linked to a volume-purchase program (VPP), or linked to a line-of-business
(LOB) app. The prompt allows the users to accept the action or allow management
of the app. The prompt will display your company name, or when your company
name is unavailable, Company Portal will be displayed.

Brand image best practices

The right brand image can enhance the user's trust by presenting a strong sense of your organization's brand. Here are some tips you may want to consider for acquiring, choosing, and optimizing the image for the display locations.

Reach out to your marketing or art department. They may already have an approved set of brand images. They may also be able to help you optimize images as needed.
Consider both landscape and portrait composition. The image should have sufficient background surrounding the focal point. The image may be cropped differently based on device size, orientation, and platform.
Avoid using a generic, stock image. The image should reflect your organization's brand and feel familiar to users. If you don't have one, it's better to not use one than use a generic one that has no meaning to your user.
Remove unnecessary metadata. Image files can come with metadata such as camera profile, geo location, title, caption, and so on. Use an image optimization tool to strip out this information to maintain quality while meeting the file size limit.

Brand image examples

The following image shows an example of the brand image on an iPhone:

The following shows an example of the brand image in the Intune app for Android:

Support information
Enter your organization's support information, so employees can reach out with
questions. This support information will be displayed on Support, Help & Support, and
Helpdesk pages across the end-user experience.

Field name | Maximum length | More information
--- | --- | ---
Contact name | 40 | This name is who users will reach when they contact support.
Phone number | 20 | This number enables users to call for support.
Email address | 40 | This email address is where users can send emails for support. You must enter a valid email address in the format alias@domainname.com.
Website name | 40 | This is the friendly name that is displayed in some locations for the URL to the support website. If you specify a support website URL and no friendly name, then the URL itself is displayed in the end-user experiences.
Website URL | 150 | The support website that users should use. The URL must be in the format https://www.contoso.com.
Additional information | 120 | Include any additional support-related messaging to users here.

Configuration
You can configure the Company Portal experience specifically for enrollment, privacy,
notifications, device categories, app sources, and self-service actions.

Enrollment
The following table provides enrollment-specific configuration details:

Field name | Maximum length | More information
--- | --- | ---
Device enrollment | N/A | Specify if and how users should be prompted to enroll into mobile device management. For more information, see Device enrollment setting options.

Device enrollment setting options

Support for the device enrollment setting requires end users have these Company Portal versions:

Company Portal on iOS/iPadOS: version 4.4 or later
Company Portal on Android: version 5.0.4715.0 or later

Important

The following settings do not apply to iOS/iPadOS devices configured to enroll with
Automated Device Enrollment. Regardless of how these setting are configured,
iOS/iPadOS devices configured to enroll with Automated Device Enrollment will
enroll during the out of box flow and users will be prompted to sign in when they
launch the Company Portal.

The following settings do apply to Android devices configured with Samsung Knox
Mobile Enrollment (KME). If a device has been configured for KME and device
enrollment is set to Unavailable, the device will not be able to enroll during the out
of box flow.

For the Android Company Portal app, if Intune detects that the user's device is set
up for app protection policies without enrollment, the user will not get prompted
to enroll in the Company Portal, even if the device enrollment setting is configured
to prompt enrollment. This applies to all Android device types except Surface Duo
devices.

Device enrollment options | Description | Checklist prompts | Notification | Device details status | App visibility (for an app that requires enrollment)
--- | --- | --- | --- | --- | ---
Available, with prompts | The default experience with prompts to enroll in all possible locations. | Yes | Yes | Yes | Yes
Available, no prompts | User can enroll via the status in device details for their current device or from apps that require enrollment. | No | No | Yes | Yes
Unavailable | There is no way for users to enroll. Apps requiring enrollment will be hidden. | No | No | No | No

Privacy
The following table provides privacy-specific configuration details:

Field name | Maximum length | More information
--- | --- | ---
Privacy statement URL | 79 | Set your organization's privacy statement to appear when users click on privacy links. You must enter a valid URL in the format https://www.contoso.com. This is a mandatory field.
Privacy message about what support can't see or do (iOS/iPadOS) | 520 | Keep the default message or customize the message to list the items that your organization can't see on managed iOS/iPadOS devices. You can use markdown to add bullets, bolding, italics, and links.
Privacy message about what support can see or do (iOS/iPadOS) | 520 | Keep the default message or customize the message to list the items that your organization can see on managed iOS/iPadOS devices. You can use markdown to add bullets, bolding, italics, and links.

For related information, see Configure feedback settings for Company Portal and
Microsoft Intune apps.

Device categories
You can allow or block the device category prompt in Intune Company Portal.

Field name | Maximum length | More information
--- | --- | ---
Let users select device categories in the Company Portal | N/A | If your tenant has device categories set up, users on targeted devices are prompted to choose a category when they sign in to Company Portal. Select Block to hide the prompt across all platforms. Select Allow to show the prompt. The category selection prompt goes away once someone chooses a category, and doesn't reappear. This setting is intended to be used with device categories. If there are no device categories in your tenant, no selection prompt will appear. For more information about creating device categories, see Categorize devices into groups.

App sources
You can choose which additional app sources will be shown in Company Portal.

Note

The Company Portal supports Configuration Manager applications. This feature allows end users to see both Configuration Manager and Intune deployed applications in the Company Portal for co-managed customers. For more information, see Use the Company Portal app on co-managed devices.

The following table provides app source specific configuration details:

Field name | Maximum length | More information
--- | --- | ---
Azure AD Enterprise Applications | N/A | Select Hide or Show to display Azure AD Enterprise applications in the Company Portal for each end user. For more information, see App source setting options.
Office Online Applications | N/A | Select Hide or Show to display Office Online applications in the Company Portal for each end user. For more information, see App source setting options.
Configuration Manager Applications | N/A | Select Hide or Show to display Configuration Manager applications in the Company Portal for each end user. For more information, see App source setting options.

App source setting options

Note

Apps from the Configuration Manager Applications app source are displayed only in the Windows Company Portal. Apps from either the Azure AD Enterprise Applications app source or the Office Online Applications app source are displayed in both the Windows Company Portal and the Company Portal website.

You can hide or show Azure AD Enterprise applications, Office Online applications, and Configuration Manager applications in the Company Portal for each end user. Show will cause the Company Portal to display the entire applications catalog from the chosen Microsoft service(s) assigned to the user. Azure AD Enterprise applications are registered and assigned via the Microsoft Intune admin center. Office Online applications are assigned using the licensing controls available in the M365 Admin Center. In the Microsoft Intune admin center, select Tenant administration > Customization to find this configuration setting. By default, each additional app source will be set to Hide.

Customizing Remove and Reset device actions

You can customize visibility of the Remove and Reset self-service device actions for
Windows and iOS devices that are shown to end users across platforms in the Company
Portal app, Company Portal website, and Intune app on Android. To prevent users from
removing or resetting corporate Windows and iOS devices, you can hide these actions in
Tenant Administration > Customization.

The following actions are available:

Hide Remove button on corporate Windows devices. (This setting will always show
as disabled because the Remove button for corporate Windows devices is always
hidden.)
Hide Reset button on corporate Windows devices.
Hide Remove button on corporate iOS/iPadOS devices.
Hide Reset button on corporate iOS/iPadOS devices.

Note

These actions can be used to restrict device actions in the Company Portal app and
website and do not implement any device restriction policies. To restrict users from
performing factory reset or MDM removal from settings, you must configure device
restriction policies.
Also, these customizations are only available in the default Customization policy,
not in the group targeted Customization policies.

Device compliance status in Company Portal website

End users can see the compliance status of their devices from the Company Portal
website. End users can navigate to the Company Portal website and select the Devices
page to see device status. Devices will be listed with a status of Can access company
resources, Checking access, or Can't access company resources. For related
information, see Manage apps from the Company Portal website.

Opening Web Company Portal applications

For Web Company Portal applications, if the end user has the Company Portal
application installed, the end users will see a dialog box asking how they want to open
the application when opening outside of the browser. If the app is not in the path of the
Company Portal, then the Company Portal will open the homepage. If the app is in the
path, then the Company Portal will open the specific app.

Upon selecting the Company Portal, the user will be directed to the corresponding page
in the application when the URI path is one of the following:

/apps - The Web Company Portal will open the Apps page that lists all of the apps.
/apps/[appID] - The Web Company Portal will open the Details page of the corresponding app.
The URI path is different or unexpected - The Web Company Portal home page will be displayed.

If the user does not have the Company Portal app installed, the user will be taken to the
Web Company Portal.

Note

To improve page load performance on the Company Portal website, app icons will
now load in batches. End users may temporarily see a placeholder icon for some of
their applications while loading the Company Portal website.

For feedback related information, see Configure feedback settings for Company Portal
and Microsoft Intune apps.

Company Portal and Apple Setup Assistant for iOS/iPadOS

For iOS/iPadOS devices running 13.0 and later, when creating an Automated Device
Enrollment profile, you can now choose a new authentication method: Setup Assistant
with modern authentication. This method provides all the security from authenticating
with the Company Portal but avoids the issue of leaving end users stuck on a device that
they can't use while the Company Portal installs on the device. The user has to
authenticate using Azure AD credentials during the setup assistant screens. This will
require an additional Azure AD login post-enrollment in the Company Portal app to gain
access to corporate resources protected by Conditional Access and for Intune to assess
device compliance. The correct Company Portal version will automatically be sent down
as a required app to the device for iOS/iPadOS, which we recommend choosing a VPP
token for from the enrollment profile.

Enrollment is completed once the user lands on the home screen, and users can freely
use the device for resources not protected by Conditional Access. User affinity is
established when users complete the additional Azure AD login into the Company Portal
app on the device. If the tenant has multi-factor authentication turned on for these
devices or users, the users will be asked to complete multi-factor authentication during
enrollment during Setup Assistant. Multi-factor authentication is not required, but it is
available for this authentication method within Conditional Access if needed.

Company Portal derived credentials for iOS/iPadOS devices
Intune supports Personal Identity Verification (PIV) and Common Access Card (CAC)
Derived Credentials in partnership with credential providers DISA Purebred, Entrust, and
Intercede. End users will go through additional steps post-enrollment of their
iOS/iPadOS device to verify their identity in the Company Portal application. Derived
Credentials will be enabled for users by first setting up a credential provider for your
tenant, then targeting a profile that uses Derived Credentials to users or devices.

Note

The user will see instructions about derived credentials based on the link that you
have specified via Intune.
For more information about derived credentials for iOS/iPadOS devices, see Use derived
credentials in Microsoft Intune.

Dark Mode for the Company Portal


Dark Mode is available for the iOS/iPadOS, macOS, and Windows Company Portal. Users
can download apps, manage their devices, and get IT support in the color scheme of
their choice based on device settings. The iOS/iPadOS, macOS, and Windows Company
Portal will automatically match the end user's device settings for dark or light mode.

Windows Company Portal keyboard shortcuts


End users can trigger navigation, app, and device actions in the Windows Company
Portal using keyboard shortcuts (accelerators).

The following keyboard shortcuts are available in the Windows Company Portal app.

Area              Description           Keyboard shortcut
Navigation menu   Navigation            Alt+M
                  Home                  Alt+H
                  All apps              Alt+A
                  All devices           Alt+D
                  Downloads & updates   Alt+U
                  Send feedback         Alt+F
                  My profile            Alt+P
                  Settings              Alt+T
Device tile       Rename                F2
                  Remove                Ctrl+D or Delete
                  Check access          Ctrl+M or F9
Device details    Rename                F2
                  Remove                Ctrl+D or Delete
                  Check access          Ctrl+M or F9
App details       Install               Ctrl+I
Apps list tile    Install               Ctrl+I
Apps list item    Install               Ctrl+I

End users will also be able to see the available shortcuts in the Windows Company
Portal app.

User self-service device actions from the Company Portal
Users can perform actions on their local or remote devices via the Company Portal app,
Company Portal website, or the Intune app on Android. The actions that a user can
perform vary based on device platform and configuration. In all cases, the remote device
actions can only be performed by the device's Primary User.

Available self-service device actions include the following:


Retire – Removes the device from Intune Management. In the company portal app
and website, this shows as Remove.
Wipe – This action initiates a device reset. In the company portal website this is
shown as Reset, or Factory Reset in the iOS/iPadOS Company Portal App.
Rename – This action changes the device name that the user can see in the
Company Portal. It does not change the local device name, only the listing in the
Company Portal.
Sync – This action initiates a device check-in with the Intune service. This shows as
Check Status in the Company Portal.
Remote Lock – This locks the device, requiring a PIN to unlock it.
Reset Passcode – This action is used to reset device passcode. On iOS/iPadOS
devices the passcode will be removed and the end user will be required to enter a
new code in settings. On supported Android devices, a new passcode is generated
by Intune and temporarily displayed in the Company Portal.
Key Recovery – This action is used to recover a personal recovery key for
encrypted macOS devices from the Company Portal website.

To customize the available user self-service actions, see Customizing user self-service
actions for the Company Portal.

Self-Service Actions
Some platforms and configurations do not allow self-service device actions. The table
below provides further details about self-service actions:

Action         Windows 10 (3)    iOS/iPadOS (3)      macOS (3)       Android (3)
Retire         Available (1)     Available (9)       Available       Available (7)
Wipe           Available         Available (5)(9)    NA              Available (7)
Rename (4)     Available         Available           Available       Available
Sync           Available         Available           Available       Available
Key Recovery   NA                NA                  Available (2)   NA

(1) Retire is always blocked on Azure AD Joined Windows devices.

(2) Key Recovery for macOS is only available via the Web Portal.

(3) All remote actions are disabled if using a Device Enrollment Manager enrollment.

(4) Rename only changes the device name in the Company Portal app or Web Portal, not
on the device.

(5) Wipe is not available on User Enrolled iOS/iPadOS devices.

(6) Reset Passcode is not supported on some Android and Android Enterprise
configurations. For more information, see Reset or remove a device passcode in Intune.

(7) Retire and Wipe are not available on Android Enterprise Device Owner scenarios
(COPE, COBO, COSU).

(8) Reset Passcode is not supported on User Enrolled iOS/iPadOS devices.

(9) All iOS/iPadOS Automated Device Enrollment devices (formerly known as DEP) have
Retire and Wipe options disabled.
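As an added example (not from this page or from Microsoft), the table and footnotes (1), (2), (3), (5), (7) and (9) above, plus the Primary User rule, encoded as a check of which self-service actions a given device should expose, so a help-desk report of a missing or unexpected action can be compared against the documented behaviour. The channel, enrollment and Primary User inputs are this example's own way of describing a device.

```python
"""Which self-service actions the Company Portal should offer for one device.

Added example, not Microsoft's code: it encodes the platform table and its
footnotes so an admin can check a user's report against expected behaviour.
"""

# Baseline availability per platform, before the footnote rules apply.
BASE_ACTIONS = {
    "Windows 10": {"Retire", "Wipe", "Rename", "Sync"},
    "iOS/iPadOS": {"Retire", "Wipe", "Rename", "Sync"},
    "macOS": {"Retire", "Rename", "Sync", "Key Recovery"},
    "Android": {"Retire", "Wipe", "Rename", "Sync"},
}


def available_actions(platform, *, channel="app", remote=False, primary_user=True,
                      dem_enrollment=False, azure_ad_joined=False,
                      user_enrollment=False, automated_device_enrollment=False,
                      android_device_owner=False):
    """Return the set of self-service actions for one device.

    channel is "app" (Company Portal app) or "web" (Company Portal website).
    The enrollment flags describe the device; only those relevant to the
    platform are consulted.
    """
    if platform not in BASE_ACTIONS:
        raise ValueError(f"unknown platform: {platform}")
    actions = set(BASE_ACTIONS[platform])

    # (3) Device Enrollment Manager enrollments get no remote actions at all.
    if dem_enrollment:
        return set()
    # Remote device actions are reserved for the device's Primary User.
    if remote and not primary_user:
        return set()

    if platform == "Windows 10" and azure_ad_joined:
        actions.discard("Retire")                 # (1)
    if platform == "iOS/iPadOS":
        if user_enrollment:
            actions.discard("Wipe")               # (5)
        if automated_device_enrollment:
            actions -= {"Retire", "Wipe"}         # (9)
    if platform == "macOS" and channel != "web":
        actions.discard("Key Recovery")           # (2) web portal only
    if platform == "Android" and android_device_owner:
        actions -= {"Retire", "Wipe"}             # (7) COPE, COBO, COSU
    return actions
```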

App logs
App users can share their logs with you when requesting help through the Intune
Company Portal app or Microsoft Intune app. If you're using Azure Government, users
get to select their sharing preference when they initiate the sharing process. If you're
not using Azure Government, user-submitted logs are sent directly to Microsoft support
or the admin center.

Important

Support for accessing mobile app diagnostics in the admin center is in public
preview. For more information, see Public preview in Microsoft Intune.

You can download user-submitted mobile app diagnostics in the admin center for the
Android, AOSP, and Windows versions of the Company Portal app. To download user-
submitted logs, go to Troubleshooting + support > Diagnostics. For more information,
see Use the troubleshooting dashboard to help users at your company.

Note

Consistent with Microsoft and Apple policy, we do not sell any data collected by
our service to any third parties for any reason.

Company Portal app notifications


The Company Portal app can store, as well as display, push notifications sent to your
users' devices from the Microsoft Intune admin center. Users who have opted in to
receive Company Portal push notifications can view and manage the customized stored
messages that you send to their devices in the Notifications tab of the Company Portal.

Note
Users must update to recent versions of the Android Company Portal (version
5.0.5291.0, released in October 2021) or Android Intune app (version 2021.09.04,
released in September 2021) to receive custom notifications on Android devices. If
users do not update prior to Intune's November (2111) service release and they are
sent a custom notification, they will instead receive a notification telling them to
update their app to view the notification. Once they update their app, they will see
the message sent by your organization in the Notifications section in the app.

Notifications from the iOS/iPadOS Company Portal app are now delivered to devices
using the default Apple sound, rather than being delivered silently. To turn the
notification sound off from the iOS/iPadOS Company Portal app, select Settings >
Notifications > Comp Portal and select the Sound toggle.

For more information about notifications, see Receive a custom notification.

Configure feedback settings for Company Portal and Microsoft Intune apps
There are a number of M365 enterprise policies that affect whether feedback is
enabled or disabled for currently logged-in users. These policies are available via the
Microsoft 365 Apps admin center. In relation to Microsoft Intune, these policies affect
feedback and surveys for the Intune Company Portal app, the Web Company Portal, and the
Microsoft Intune app.

M365 feedback policies include the following policies:

Allow the use of connected experiences in Office
  Default state: Enabled
  Policy summary: Controls whether clients can use the suite of connected experiences,
  including feedback.

Allow users to submit feedback to Microsoft
  Default state: Enabled
  Policy summary: Controls the feedback entry points across applications.

Allow users to receive and respond to in-product surveys from Microsoft
  Default state: Enabled
  Policy summary: Controls the survey prompts within the product.

Allow users to include screenshots and attachments when they submit feedback to Microsoft
  Default state: Disabled
  Policy summary: Controls the metadata the user can decide to submit with the feedback
  and survey.

Allow Microsoft to follow up on feedback submitted by users
  Default state: Disabled
  Policy summary: Controls whether the user can share contact info with the feedback and
  survey.

Allow users to include log files and content samples when feedback is submitted to Microsoft
  Default state: Disabled
  Policy summary: Controls the metadata the user can decide to submit with the feedback
  and survey.

To configure feedback policy settings:

1. Go to the Microsoft 365 Apps admin center and sign in.
2. Select Customization > Policy Management > Create.
3. Enter a name and description.
4. Choose the type of user that this policy will apply to.
5. Choose the group in your tenant that this policy will apply to.
6. Search for Feedback and Survey to find and select the policies.
7. For each policy listed, set the value to either Enabled or Disabled.

Next steps
Configure your organization's logo and brand color for new tab pages in Microsoft
Edge for iOS and Android
Add apps
Configure Microsoft Launcher
Article • 03/06/2023

Microsoft Launcher is an Android application that lets users personalize their phone, stay
organized on the go, and transfer from working from their phone to their PC.

On Android Enterprise fully managed devices, Launcher allows enterprise IT admins to
customize managed device home screens by selecting the wallpaper, apps, and icon
positions. This standardizes the look and feel of all managed Android devices across different
OEM devices and system versions.

How to configure the Microsoft Launcher app


Once the Microsoft Launcher application has been added to Intune, navigate to the Microsoft
Intune admin center and select Apps > App configuration policies. Add a configuration
policy for Managed devices running Android and choose Microsoft Launcher as the
associated app. Click on Configuration settings to configure the different available Microsoft
Launcher settings.

Choosing a Configuration Settings Format


There are two methods that you can use to define configuration settings for Microsoft
Launcher:

Configuration designer allows you to configure settings with an easy-to-use UI that lets
you toggle features on or off and set values. In this method, there are a few disabled
configuration keys with value type BundleArray. These configuration keys can only be
configured by entering JSON data.

JSON data allows you to define all possible configuration keys using a JSON script.

If you add properties with Configuration Designer, you can automatically convert these
properties to JSON by selecting Enter JSON data from the Configuration settings format
dropdown list as shown below.

Note
Once properties are configured via the Configuration Designer, the JSON data will also
be updated to only reflect these properties. To add additional configuration keys into
the JSON Data, use the JSON script example to copy the necessary lines for each
configuration key.

When editing previously created app configuration policies, if complex properties have been
configured, the edit process will display the JSON Data editor. All previously configured
settings will be preserved and you can switch to use the configuration designer to modify
supported settings.

Using Configuration Designer


Configuration designer allows you to select pre-populated settings and their associated
values.

The following table lists the Microsoft Launcher available configuration keys, value types,
default values, and descriptions. The description provides the expected device behavior
based on the selected values. Configuration keys that are disabled in Configuration Designer
are not listed in the table.

Enrollment Type
  Value type: String
  Default value: Default
  Description: Allows you to set the enrollment type this policy should apply to. Currently,
  the value Default refers to CorporateOwnedBusinessOnly. There are no other supported
  enrollment types at present.
  JSON key name: management_mode_key

Home Screen App Order User Change Allowed
  Value type: Boolean
  Default value: True
  Description: Allows you to specify if the Home Screen App Order setting can be changed by
  the end user. If set to True, the app order defined in the policy will only be enforced for
  the initial deployment; subsequently, the policy will not be enforced, to respect any
  changes the user may have made. If set to False, the app order will be enforced on every
  sync.
  Note: The Home Screen App Order can only be configured via the JSON editor.
  JSON key name: com.microsoft.launcher.HomeScreen.AppOrder.UserChangeAllowed

Set Grid Size
  Value type: String
  Default value: Auto
  Description: Allows you to set the grid size for apps to be positioned on the home screen.
  You can set the number of app rows and columns to define the grid size in the following
  format: columns;rows. If you define the grid size, the maximum number of apps that will be
  shown in a row on the home screen would be the number of rows you set, and the maximum
  number of apps that will be shown in a column on the home screen would be the number of
  columns you set.
  JSON key name: com.microsoft.launcher.HomeScreen.GridSize

Set Device Wallpaper
  Value type: String
  Default value: Null
  Description: Allows you to set a wallpaper of your choice by entering the URL of the image
  that you want to set as a wallpaper.
  JSON key name: com.microsoft.launcher.Wallpaper.URL

Set Device Wallpaper User Change Allowed
  Value type: Boolean
  Default value: True
  Description: Allows you to specify if the Set Device Wallpaper setting can be changed by
  the end user. If set to True, the wallpaper in the policy will only be enforced for the
  initial deployment; subsequently, the policy will not be enforced, to respect any changes
  the user may have made. If set to False, the wallpaper will be enforced on every sync.
  JSON key name: com.microsoft.launcher.Wallpaper.URL.UserChangeAllowed

Feed Enable
  Value type: Boolean
  Default value: True
  Description: Allows you to enable the launcher feed on the device when the user swipes to
  the right on the home screen. If set to True, the feed will be enabled. If set to False,
  the feed will be disabled.
  JSON key name: com.microsoft.launcher.Feed.Enabled

Feed Enable User Change Allowed
  Value type: Boolean
  Default value: True
  Description: Allows you to specify if the Feed Enable setting can be changed by the end
  user. If set to True, the feed setting will only be enforced for the initial deployment;
  subsequently, the policy will not be enforced, to respect any changes the user may have
  made. If set to False, the feed setting will be enforced on every sync.
  JSON key name: com.microsoft.launcher.Feed.Enabled.UserChangeAllowed

Search Bar Placement
  Value type: String
  Default value: Bottom
  Description: Allows you to specify the placement of the search bar on the home screen. If
  set to Bottom, the search bar will be located at the bottom of the home screen. If set to
  Top, the search bar will be located at the top of the home screen. If set to Hidden, the
  search bar will be removed from the home screen.
  JSON key name: com.microsoft.launcher.Search.SearchBar.Placement

Search Bar Placement User Change Allowed
  Value type: Boolean
  Default value: True
  Description: Allows you to specify if the Search Bar Placement setting can be changed by
  the end user. If set to True, the search bar placement will only be enforced for the
  initial deployment; subsequently, the policy will not be enforced, to respect any changes
  the user may have made. If set to False, the placement of the search bar will be enforced
  on every sync.
  JSON key name: com.microsoft.launcher.Search.SearchBar.Placement.UserChangeAllowed
  NOTE: For Microsoft Launcher v6.2 and later, this setting will no longer be enforced.
  Therefore, setting this value to True will have no effect. Your end users will not be able
  to customize the location of the search bar placement on their device.

Dock Mode
  Value type: String
  Default value: Show
  Description: Allows you to enable the dock on the device when the user swipes up from the
  bottom of the home screen. If set to Show, the dock will be enabled. If set to Hidden, the
  dock will be hidden from the home screen, but the user can display it when it is needed.
  If set to Disabled, the dock will be disabled.
  JSON key name: com.microsoft.launcher.Dock.Mode

Dock Mode User Change Allowed
  Value type: String
  Default value: True
  Description: Allows you to specify if the Dock Mode setting can be changed by the end
  user. If set to True, the dock mode setting will only be enforced for the initial
  deployment; subsequently, the policy will not be enforced, to respect any changes the user
  may have made. If set to False, the dock mode setting will be enforced on every sync.
  JSON key name: com.microsoft.launcher.Dock.Mode.UserChangeAllowed

Enter JSON Data


Enter JSON data to configure all available settings for Microsoft Launcher, as well as the
settings disabled in Configuration Designer, as shown below.
In addition to the list of configurable settings listed in the Configuration Designer table
(above), the following table provides the configuration keys you can only configure via JSON
data.

Set Allow-Listed Applications
  JSON key: com.microsoft.launcher.HomeScreen.Applications
  Value type: BundleArray
  Default value: See: Set allow-listed applications
  Description: Allows you to define the set of apps visible on the home screen from amongst
  the apps installed on the device. You can define the apps by entering the app package name
  of the apps that you would like to make visible; for example, com.android.settings would
  make Settings accessible on the home screen. The apps that you allow-list in this section
  should already be installed on the device in order to be visible on the home screen.
  Properties:
    Package: The application package name.
    Class: The application activity, which is specific to a certain app page. The default
    app page is used if this value is empty.

Home Screen App Order
  JSON key: com.microsoft.launcher.HomeScreen.AppOrder
  Value type: BundleArray
  Default value: See: Home screen app order
  Description: Allows you to specify the app order on the home screen.
  Properties:
    Type: If you want to specify positions of apps, the only type supported is application.
    If you want to specify positions of web links, the type is weblink.
    Position: This specifies the application icon slot on the home screen. This starts from
    position 1 on the top left, and goes left to right, top to bottom.
    Package: This is the application package name used for specifying app order.
    Class: This is an application activity, which is specific to a certain app page. The
    default app page will be used if this value is empty. This property is used for app.
    Label: The web link title displayed on the home screen. This property is used for web
    link.
    Link: The URL to be launched after the end user clicks the web link icon. This property
    is used for web link.

Set Pinned Web Links
  JSON key: com.microsoft.launcher.HomeScreen.WebLinks
  Value type: BundleArray
  Default value: N/A
  Description: This key allows you to pin websites to the home screen as quick launch icons.
  That way you can make sure that end users have quick and easy access to essential
  websites. You can modify the location of each web link icon in the 'Home Screen App Order'
  configuration.
  Properties:
    Label: The web link title displayed on the Microsoft Launcher home screen.
    Link: The URL to be launched after the end user clicks the web link icon.

Set Folder Icon Shape, Open Format, and Scroll Direction
  JSON key: com.microsoft.launcher.Folder.Style
  Value type: BundleArray
  Default value: N/A
  Description: Allows you to define the appearance of folder icons and the way of opening a
  folder on the Microsoft Launcher home screen and dock.
  Properties:
    folderShape: This key can be set to one of five values: Rounded_square, Square,
    Squircle, Round, and Teardrop.
    openFullScreen: This key can be set to one of the values True or False. If set to True,
    the folder will be opened in full screen. If set to False, the folder will not be opened
    in full screen.
    folderScroll: This key can be set to one of the values vertical or horizontal. The
    default value is vertical.

Set Folder Icon Shape, Open Format, and Scroll Direction User Change Allowed
  JSON key: com.microsoft.launcher.Folder.Style.UserChangeAllowed
  Value type: Boolean
  Default value: True
  Description: Allows you to specify if the Folder Style setting can be changed by the end
  user. If set to True, the shape of the folder, the way the folder opens, and the way the
  folder scrolls as defined in the policy will only be enforced for the initial deployment;
  subsequently, the policy will not be enforced, to respect any changes the user may have
  made later. If set to False, the shape of the folder, the way the folder opens, and the
  way the folder scrolls will be enforced on every sync.

Set allow-listed applications

JSON

{
  "key": "com.microsoft.launcher.HomeScreen.Applications",
  "valueBundleArray": [
    {
      "managedProperty": [
        { "key": "package", "valueString": "com.android.settings" },
        { "key": "class", "valueString": "" }
      ]
    }
  ]
}

Home screen app order

JSON

{
  "key": "com.microsoft.launcher.HomeScreen.AppOrder",
  "valueBundleArray": [
    {
      "managedProperty": [
        { "key": "type", "valueString": "application" },
        { "key": "position", "valueInteger": 1 },
        { "key": "package", "valueString": "com.android.settings" },
        { "key": "class", "valueString": "" }
      ]
    }
  ]
}

Set Pinned Web link

The following two entries of the managedProperty array pin a web link and then place it
in the home screen app order:

JSON

{
  "key": "com.microsoft.launcher.HomeScreen.WebLinks",
  "valueBundleArray": [
    {
      "managedProperty": [
        { "key": "label", "valueString": "weblink" },
        { "key": "link", "valueString": "https://www.microsoft.com" }
      ]
    }
  ]
},
{
  "key": "com.microsoft.launcher.HomeScreen.AppOrder",
  "valueBundleArray": [
    {
      "managedProperty": [
        { "key": "type", "valueString": "weblink" },
        { "key": "position", "valueInteger": 2 },
        { "key": "label", "valueString": "Microsoft" },
        { "key": "link", "valueString": "https://www.microsoft.com" }
      ]
    }
  ]
}

Microsoft Launcher configuration example

The following is an example JSON script with all the available configuration keys included.
Note that this example spells the feed and wallpaper keys (Feed.Enable, Wallpaper.Url)
differently from the Configuration Designer table above (Feed.Enabled, Wallpaper.URL);
confirm the exact spelling against the JSON that Configuration Designer generates for your
tenant before assigning the policy.

JSON

{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.microsoft.launcher",
  "managedProperty": [
    { "key": "management_mode_key", "valueString": "Default" },
    { "key": "com.microsoft.launcher.Feed.Enable.UserChangeAllowed", "valueBool": false },
    { "key": "com.microsoft.launcher.Feed.Enable", "valueBool": true },
    { "key": "com.microsoft.launcher.Wallpaper.Url.UserChangeAllowed", "valueBool": false },
    { "key": "com.microsoft.launcher.Wallpaper.Url", "valueString": "http://www.contoso.com/wallpaper.png" },
    { "key": "com.microsoft.launcher.HomeScreen.GridSize", "valueString": "5;5" },
    {
      "key": "com.microsoft.launcher.HomeScreen.Applications",
      "valueBundleArray": [
        {
          "managedProperty": [
            { "key": "package", "valueString": "com.ups.mobile.android" },
            { "key": "class", "valueString": "" }
          ]
        },
        {
          "managedProperty": [
            { "key": "package", "valueString": "com.microsoft.teams" },
            { "key": "class", "valueString": "" }
          ]
        },
        {
          "managedProperty": [
            { "key": "package", "valueString": "com.microsoft.bing" },
            { "key": "class", "valueString": "" }
          ]
        }
      ]
    },
    {
      "key": "com.microsoft.launcher.HomeScreen.WebLinks",
      "valueBundleArray": [
        {
          "managedProperty": [
            { "key": "label", "valueString": "News" },
            { "key": "link", "valueString": "https://www.contoso.com" }
          ]
        }
      ]
    },
    { "key": "com.microsoft.launcher.HomeScreen.AppOrder.UserChangeAllowed", "valueBool": false },
    {
      "key": "com.microsoft.launcher.HomeScreen.AppOrder",
      "valueBundleArray": [
        {
          "managedProperty": [
            { "key": "type", "valueString": "application" },
            { "key": "position", "valueInteger": 17 },
            { "key": "package", "valueString": "com.ups.mobile.android" },
            { "key": "class", "valueString": "" }
          ]
        },
        {
          "managedProperty": [
            { "key": "type", "valueString": "application" },
            { "key": "position", "valueInteger": 18 },
            { "key": "package", "valueString": "com.microsoft.teams" },
            { "key": "class", "valueString": "" }
          ]
        },
        {
          "managedProperty": [
            { "key": "type", "valueString": "application" },
            { "key": "position", "valueInteger": 19 },
            { "key": "package", "valueString": "com.microsoft.bing" },
            { "key": "class", "valueString": "" }
          ]
        },
        {
          "managedProperty": [
            { "key": "type", "valueString": "weblink" },
            { "key": "position", "valueInteger": 20 },
            { "key": "label", "valueString": "News" },
            { "key": "link", "valueString": "https://www.contoso.com" }
          ]
        }
      ]
    }
  ]
}

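A linter for a Launcher managed configuration, as an added example (not Microsoft's code and not from the page): it checks the key names against the Configuration Designer and JSON-only tables above (exact case), the columns;rows grid format, that every AppOrder entry refers to an allow-listed package or a pinned web link, and that positions are unique and fit the grid. Assumptions: a positioned app must also be allow-listed, the wallpaper URL is expected to use https (a check added here, not a rule on the page), and key spellings follow the tables, so a policy using the example's Feed.Enable or Wallpaper.Url spelling is reported as an unknown key for you to confirm against Configuration Designer output in your tenant.

```python
"""Lint a Microsoft Launcher managed configuration (added example, not Microsoft's code).
Key spellings follow the page's tables; requiring https for the wallpaper URL and requiring a
positioned app to be allow-listed are this linter's own assumptions."""
import re

KNOWN_KEYS = {  # exact case: app configuration keys are matched literally
    "management_mode_key",
    "com.microsoft.launcher.HomeScreen.AppOrder.UserChangeAllowed",
    "com.microsoft.launcher.HomeScreen.GridSize",
    "com.microsoft.launcher.Wallpaper.URL",
    "com.microsoft.launcher.Wallpaper.URL.UserChangeAllowed",
    "com.microsoft.launcher.Feed.Enabled",
    "com.microsoft.launcher.Feed.Enabled.UserChangeAllowed",
    "com.microsoft.launcher.Search.SearchBar.Placement",
    "com.microsoft.launcher.Search.SearchBar.Placement.UserChangeAllowed",
    "com.microsoft.launcher.Dock.Mode",
    "com.microsoft.launcher.Dock.Mode.UserChangeAllowed",
    "com.microsoft.launcher.HomeScreen.Applications",
    "com.microsoft.launcher.HomeScreen.AppOrder",
    "com.microsoft.launcher.HomeScreen.WebLinks",
    "com.microsoft.launcher.Folder.Style",
    "com.microsoft.launcher.Folder.Style.UserChangeAllowed",
}
GRID_RE = re.compile(r"^(\d+);(\d+)$")  # GridSize is written "columns;rows"


def _bundles(props, key):
    """Flatten each managedProperty bundle under key into a {name: value} dict."""
    return [{p["key"]: next((v for k, v in p.items() if k.startswith("value")), None)
             for p in e.get("managedProperty", [])}
            for e in props.get(key, {}).get("valueBundleArray", [])]


def lint_launcher_config(config):
    """Return a list of problem strings; an empty list means the policy passed."""
    props = {p["key"]: p for p in config.get("managedProperty", [])}
    problems = [f"unknown or mis-cased key: {k}" for k in props if k not in KNOWN_KEYS]
    # Grid size decides how many home-screen slots exist ("Auto" leaves it open).
    slots = None
    grid = props.get("com.microsoft.launcher.HomeScreen.GridSize", {}).get("valueString", "Auto")
    if grid != "Auto":
        m = GRID_RE.match(grid)
        if m:
            slots = int(m.group(1)) * int(m.group(2))
        else:
            problems.append(f"GridSize must be 'columns;rows' or 'Auto', got {grid!r}")
    # The wallpaper is downloaded from this URL; insist on TLS (linter assumption).
    url = props.get("com.microsoft.launcher.Wallpaper.URL", {}).get("valueString")
    if url and not url.lower().startswith("https://"):
        problems.append(f"wallpaper URL is not https: {url}")
    packages = set()
    for b in _bundles(props, "com.microsoft.launcher.HomeScreen.Applications"):
        if not b.get("package"):
            problems.append("allow-listed application without a package name")
        packages.add(b.get("package"))
    labels = set()
    for b in _bundles(props, "com.microsoft.launcher.HomeScreen.WebLinks"):
        if not b.get("label") or not b.get("link"):
            problems.append("pinned web link needs both label and link")
        labels.add(b.get("label"))
    seen = set()
    for b in _bundles(props, "com.microsoft.launcher.HomeScreen.AppOrder"):
        pos = b.get("position")  # 1-based slot, left to right, top to bottom
        if not isinstance(pos, int) or pos < 1 or (slots and pos > slots):
            problems.append(f"AppOrder position out of range: {pos}")
        elif pos in seen:
            problems.append(f"AppOrder position used twice: {pos}")
        seen.add(pos)
        if b.get("type") == "application" and b.get("package") not in packages:
            problems.append(f"AppOrder app is not allow-listed: {b.get('package')}")
        elif b.get("type") == "weblink" and b.get("label") not in labels:
            problems.append(f"AppOrder web link is not pinned: {b.get('label')}")
        elif b.get("type") not in ("application", "weblink"):
            problems.append(f"AppOrder type must be application or weblink: {b.get('type')!r}")
    return problems


def example_config():
    """Constructed sample policy in the page's managedConfiguration shape."""
    def bundle(**kv):  # one managedProperty bundle from name=value pairs
        return {"managedProperty": [
            {"key": k, ("valueInteger" if isinstance(v, int) else "valueString"): v}
            for k, v in kv.items()]}
    return {"kind": "androidenterprise#managedConfiguration",
            "productId": "app:com.microsoft.launcher",
            "managedProperty": [
                {"key": "management_mode_key", "valueString": "Default"},
                {"key": "com.microsoft.launcher.HomeScreen.GridSize", "valueString": "5;5"},
                {"key": "com.microsoft.launcher.Wallpaper.URL",
                 "valueString": "https://www.contoso.com/wallpaper.png"},
                {"key": "com.microsoft.launcher.HomeScreen.Applications",
                 "valueBundleArray": [bundle(package="com.microsoft.teams", **{"class": ""})]},
                {"key": "com.microsoft.launcher.HomeScreen.WebLinks",
                 "valueBundleArray": [bundle(label="News", link="https://www.contoso.com")]},
                {"key": "com.microsoft.launcher.HomeScreen.AppOrder", "valueBundleArray": [
                    bundle(type="application", position=1, package="com.microsoft.teams", **{"class": ""}),
                    bundle(type="weblink", position=2, label="News", link="https://www.contoso.com")]},
            ]}
```

Run `lint_launcher_config(json.load(open("policy.json")))` on the JSON exported from the Intune JSON editor to get the list of findings for that policy.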
Next steps
For more information about Android Enterprise fully managed devices, see Set up
Intune enrollment of Android Enterprise fully managed devices.
Manage Microsoft Edge on iOS and Android with Intune
Article • 08/24/2023

Edge for iOS and Android is designed to enable users to browse the web and supports multi-identity. Users can add a work account, as
well as a personal account, for browsing. There is complete separation between the two identities, which is like what is offered in other
Microsoft mobile apps.

This feature applies to:

iOS/iPadOS 14.0 or later
Android 8.0 or later for enrolled devices and Android 9.0 or later for unenrolled devices

Note

Edge for iOS and Android doesn't consume settings that users set for the native browser on their devices, because Edge for iOS and
Android can't access these settings.

The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility +
Security suite, which includes Microsoft Intune and Azure Active Directory Premium features, such as conditional access. At a minimum,
you will want to deploy a conditional access policy that only allows connectivity to Edge for iOS and Android from mobile devices and an
Intune app protection policy that ensures the browsing experience is protected.

Note

New web clips (pinned web apps) on iOS devices will open in Edge for iOS and Android instead of the Intune Managed Browser
when required to open in a protected browser. For older iOS web clips, you must re-target these web clips to ensure they open in
Edge for iOS and Android rather than the Managed Browser.

Apply Conditional Access


Organizations can use Azure AD Conditional Access policies to ensure that users can only access work or school content using Edge for
iOS and Android. To do this, you will need a conditional access policy that targets all potential users. These policies are described in
Conditional Access: Require approved client apps or app protection policy.

Follow the steps in Require approved client apps or app protection policy with mobile devices, which allows Edge for iOS and Android,
but blocks other mobile device web browsers from connecting to Microsoft 365 endpoints.

Note

This policy ensures mobile users can access all Microsoft 365 endpoints from within Edge for iOS and Android. This policy also
prevents users from using InPrivate to access Microsoft 365 endpoints.

With Conditional Access, you can also target on-premises sites that you have exposed to external users via the Azure AD Application
Proxy.

Note

To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android
devices, the Intune Company Portal app is required. For more information, see App-based Conditional Access with Intune.

Create Intune app protection policies


App Protection Policies (APP) define which apps are allowed and the actions they can take with your organization's data. The choices
available in APP enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy
settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has
introduced taxonomy for its APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels, with each level building off the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and performs selective wipe
operations. For Android devices, this level validates Android device attestation. This is an entry level configuration that provides
similar data protection control in Exchange Online mailbox policies and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS
requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN configuration, and APP
Mobile Threat Defense. This configuration is desirable for users that are accessing high risk data.

To see the specific recommendations for each configuration level and the minimum apps that must be protected, review Data protection
framework using app protection policies.

Regardless of whether the device is enrolled in a unified endpoint management (UEM) solution, an Intune app protection policy needs to
be created for both iOS and Android apps, using the steps in How to create and assign app protection policies. These policies, at a
minimum, must meet the following conditions:

They include all Microsoft 365 mobile applications, such as Edge, Outlook, OneDrive, Office, or Teams, as this ensures that users can
access and manipulate work or school data within any Microsoft app in a secure fashion.

They are assigned to all users. This ensures that all users are protected, regardless of whether they use Edge for iOS or Android.

Determine which framework level meets your requirements. Most organizations should implement the settings defined in
Enterprise enhanced data protection (Level 2) as that enables data protection and access requirements controls.

For more information on the available settings, see Android app protection policy settings and iOS app protection policy settings.

Important

To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also install
the Intune Company Portal.

Single sign-on to Azure AD-connected web apps in policy-protected browsers
Edge for iOS and Android can take advantage of single sign-on (SSO) to all web apps (SaaS and on-premises) that are Azure AD-
connected. SSO allows users to access Azure AD-connected web apps through Edge for iOS and Android, without having to re-enter
their credentials.

SSO requires your device to be registered by either the Microsoft Authenticator app for iOS devices, or the Intune Company Portal on
Android. When users have either of these, they are prompted to register their device when they go to an Azure AD-connected web app
in a policy-protected browser (this is only true if their device hasn't already been registered). After the device is registered with the user's
account managed by Intune, that account has SSO enabled for Azure AD-connected web apps.

Note

Device registration is a simple check-in with the Azure AD service. It doesn't require full device enrollment, and doesn't give IT any
additional privileges on the device.

Use app configuration to manage the browsing experience

Edge for iOS and Android supports app settings that allow unified endpoint management (UEM) administrators, for example those using Microsoft Intune, to customize the behavior of the app.

App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled devices (the Managed App Configuration channel on iOS or the Android Enterprise channel on Android) or through the MAM (Mobile Application Management) channel. Edge for iOS and Android supports the following configuration scenarios:

Only allow work or school accounts
General app configuration settings
Data protection settings
Additional app configuration for managed devices

Important

For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise and Edge
for Android must be deployed via the Managed Google Play store. For more information, see Set up enrollment of Android
Enterprise personally-owned work profile devices and Add app configuration policies for managed Android Enterprise devices.

Each configuration scenario highlights its specific requirements. For example, whether the configuration scenario requires device
enrollment, and thus works with any UEM provider, or requires Intune App Protection Policies.

Important

App configuration keys are case sensitive. Use the proper casing to ensure the configuration takes effect.

Note

With Microsoft Intune, app configuration delivered through the MDM OS channel is referred to as a Managed Devices App
Configuration Policy (ACP); app configuration delivered through the MAM (Mobile Application Management) channel is referred to
as a Managed Apps App Configuration Policy.

Only allow work or school accounts

Respecting the data security and compliance policies of our largest and most highly regulated customers is a key pillar of the Microsoft 365 value proposition. Some companies are required to capture all communications within their corporate environment and to ensure that devices are used only for corporate communications. To support these requirements, Edge for iOS and Android on enrolled devices can be configured to allow only a single corporate account to be provisioned within the app.

You can learn more about configuring the org allowed accounts mode setting here:

Android setting
iOS setting

This configuration scenario only works with enrolled devices. However, any UEM provider is supported. If you are not using Microsoft
Intune, you need to consult with your UEM documentation on how to deploy these configuration keys.

General app configuration scenarios

Edge for iOS and Android offers administrators the ability to customize the default configuration for several in-app settings. This
capability is offered when Edge for iOS and Android has a managed apps App Configuration Policy applied to the work or school
account that is signed into the app.

Edge supports the following settings for configuration:

New Tab Page experiences
Bookmark experiences
App behavior experiences
Kiosk mode experiences
These settings can be deployed to the app regardless of device enrollment status.

New Tab Page experiences

When you sign in to Edge for iOS and Android, opening a new tab delivers the familiar productivity content and new pivots that organize news feeds relevant to your organization's industry and interests in one view. The New Tab Page experience provides links for your organization's home page, top sites, and industry news.

Edge for iOS and Android offers organizations several options for adjusting the New Tab Page experience.

Organization logo and brand color

These settings allow you to customize the New Tab Page for Edge for iOS and Android to display your organization's logo and brand color as the page background.

To upload your organization's logo and color, first complete the following steps:

1. Within the Microsoft Intune admin center, navigate to Tenant Administration > Customization. Next to Settings, click Edit.
2. To set your brand's logo, next to Show in header, choose "Organization logo only". Transparent background logos are
recommended.
3. To set your brand's background color, select a Theme color. Edge for iOS and Android applies a lighter shade of the color on the
New Tab Page, which ensures the page has high readability.

Note

Azure Active Directory (Azure AD) Graph is deprecated and has entered its retirement phase. See Migrate Azure AD Graph Overview for details. As a result, the organization logo and brand color maintained within the Intune admin center will no longer be accessible once Azure AD Graph is completely retired.

Therefore, starting with version 116 of Edge for iOS and Android, the organization logo and brand color are retrieved from Microsoft Graph. You need to maintain your organization logo and brand color through the documented steps: the favicon is used as your organization logo and the background image is used as the brand color.

Next, use the following key/value pairs to pull your organization's branding into Edge for iOS and Android:

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.BrandLogo
Value:
  true: shows the organization's brand logo
  false (default): does not expose a logo

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.BrandColor
Value:
  true: shows the organization's brand color
  false (default): does not expose a color

Homepage shortcut

This setting allows you to configure a homepage shortcut for Edge for iOS and Android in the New Tab Page. The homepage shortcut you configure appears as the first icon beneath the search bar when the user opens a new tab in Edge for iOS and Android. The user can't edit or delete this shortcut in their managed context. The homepage shortcut displays your organization's name to distinguish it.

Key: com.microsoft.intune.mam.managedbrowser.homepage
Value: Specify a valid URL. Incorrect URLs are blocked as a security measure.
  For example: https://www.bing.com

Multiple top site shortcuts

Similarly to configuring a homepage shortcut, you can configure multiple top site shortcuts on New Tab Pages in Edge for iOS and Android. The user can't edit or delete these shortcuts in a managed context. Note: you can configure a total of 8 shortcuts, including the homepage shortcut. If you have configured a homepage shortcut, that shortcut overrides the first top site configured.

Key: com.microsoft.intune.mam.managedbrowser.managedTopSites
Value: Specify a set of top site shortcuts. Each top site shortcut consists of a title and a URL. Separate the title and URL with the | character, and separate shortcuts from each other with ||.
  For example: GitHub|https://github.com/||LinkedIn|https://www.linkedin.com

Industry news

You can configure the New Tab Page experience within Edge for iOS and Android to display industry news that is relevant to your organization. When you enable this feature, Edge for iOS and Android uses your organization's domain name to aggregate news from the web about your organization, your organization's industry, and competitors, so your users can find relevant external news from the centralized new tab pages within Edge for iOS and Android. Industry News is off by default.

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.IndustryNews
Value:
  true: shows Industry News on the New Tab Page
  false (default): hides Industry News from the New Tab Page

Homepage instead of New Tab Page experience

Edge for iOS and Android allows organizations to disable the New Tab Page experience and instead have a web site launch when the user opens a new tab. While this is a supported scenario, Microsoft recommends that organizations take advantage of the New Tab Page experience to provide dynamic content that is relevant to the user.

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.CustomURL
Value: Specify a valid URL. If no URL is specified, the app uses the New Tab Page experience. Incorrect URLs are blocked as a security measure.
  For example: https://www.bing.com

Bookmark experiences

Edge for iOS and Android offers organizations several options for managing bookmarks.

Managed bookmarks

For ease of access, you can configure bookmarks that you'd like your users to have available when they are using Edge for iOS and Android.

Bookmarks only appear in the work or school account and are not exposed to personal accounts.
Bookmarks can't be deleted or modified by users.
Bookmarks appear at the top of the list. Any bookmarks that users create appear below these bookmarks.
If you have enabled Application Proxy redirection, you can add Application Proxy web apps by using either their internal or external
URL.
Ensure that you prefix all URLs with http:// or https:// when entering them into the list.
Bookmarks are created in a folder named after the organization's name which is defined in Azure Active Directory.

Key: com.microsoft.intune.mam.managedbrowser.bookmarks
Value: The value for this configuration is a list of bookmarks. Each bookmark consists of the bookmark title and the bookmark URL. Separate the title and URL with the | character.
  For example: Microsoft Bing|https://www.bing.com
  To configure multiple bookmarks, separate each pair with the double character ||.
  For example: Microsoft Bing|https://www.bing.com||Contoso|https://www.contoso.com

My Apps bookmark

By default, users have the My Apps bookmark configured within the organization folder inside Edge for iOS and Android.

Key: com.microsoft.intune.mam.managedbrowser.MyApps
Value:
  true (default): shows My Apps within the Edge for iOS and Android bookmarks
  false: hides My Apps within Edge for iOS and Android

App behavior experiences

Edge for iOS and Android offers organizations several options for managing the app's behavior.

Azure AD password single sign-on

The Azure AD Password single sign-on (SSO) functionality offered by Azure Active Directory brings user access management to web applications that don't support identity federation. By default, Edge for iOS and Android does not perform SSO with the Azure AD credentials. For more information, see Add password-based single sign-on to an application.

Key: com.microsoft.intune.mam.managedbrowser.PasswordSSO
Value:
  true: Azure AD Password SSO is enabled
  false (default): Azure AD Password SSO is disabled

Default protocol handler

By default, Edge for iOS and Android uses the HTTPS protocol handler when the user doesn't specify the protocol in the URL. This is generally considered a best practice, but it can be disabled.

Key: com.microsoft.intune.mam.managedbrowser.defaultHTTPS
Value:
  true (default): the default protocol handler is HTTPS
  false: the default protocol handler is HTTP

Disable data sharing for personalization

By default, Edge for iOS and Android prompts users to share usage data and browsing history to personalize their browsing experience. Organizations can disable this data sharing by preventing the prompt from being shown to end users.

Key: com.microsoft.intune.mam.managedbrowser.disableShareUsageData
Value:
  true: prevents the usage data prompt from being displayed to end users
  false (default): users are prompted to share usage data

Key: com.microsoft.intune.mam.managedbrowser.disableShareBrowsingHistory
Value:
  true: prevents the browsing history prompt from being displayed to end users
  false (default): users are prompted to share browsing history

Disable specific features

Edge for iOS and Android allows organizations to disable certain features that are enabled by default. To disable these features, configure the following setting:

Key: com.microsoft.intune.mam.managedbrowser.disabledFeatures
Value:
  password: disables prompts that offer to save passwords for the end user
  inprivate: disables InPrivate browsing
  autofill: disables "Save and Fill Addresses" and "Save and Fill Payment info". Autofill is disabled even for previously saved information
  translator: disables translator
  readaloud: disables read aloud
  drop: disables Drop
  developertools: grays out the build version numbers to prevent users from accessing Developer options (Edge for Android only)

To disable multiple features, separate values with |. For example, inprivate|password disables both InPrivate and password storage.

Control Cookie Mode

You can control whether sites can store cookies for your users within Edge for Android. To do this, configure the following setting:

Key: com.microsoft.intune.mam.managedbrowser.cookieControlsMode
Value:
  0 (default): allow cookies
  1: block non-Microsoft cookies
  2: block non-Microsoft cookies in InPrivate mode
  3: block all cookies

Note

Edge for iOS does not support controlling cookies.

Kiosk mode experiences on Android devices

Edge for Android can be enabled as a kiosk app with the following settings:

Key: com.microsoft.intune.mam.managedbrowser.enableKioskMode
Value:
  true: enables kiosk mode for Edge for Android
  false (default): disables kiosk mode

Key: com.microsoft.intune.mam.managedbrowser.showAddressBarInKioskMode
Value:
  true: shows the address bar in kiosk mode
  false (default): hides the address bar when kiosk mode is enabled

Key: com.microsoft.intune.mam.managedbrowser.showBottomBarInKioskMode
Value:
  true: shows the bottom action bar in kiosk mode
  false (default): hides the bottom bar when kiosk mode is enabled

Switch network stack between Chromium and iOS

By default, Microsoft Edge for both iOS and Android uses the Chromium network stack for Microsoft Edge service communication, including sync services, auto search suggestions, and sending feedback. Microsoft Edge for iOS also provides the iOS network stack as a configurable option for Microsoft Edge service communication.

Organizations can modify their network stack preference by configuring the following setting.

Key: com.microsoft.intune.mam.managedbrowser.NetworkStackPref
Value:
  0 (default): use the Chromium network stack
  1: use the iOS network stack

Note

Using the Chromium network stack is recommended. If you experience sync issues or failures when sending feedback with the Chromium network stack, for example with certain per-app VPN solutions, using the iOS network stack may solve the issues.

Set a proxy .pac file URL

Organizations can specify a URL to a proxy auto-config (PAC) file for Microsoft Edge for Android.

Key: com.microsoft.intune.mam.managedbrowser.proxyPacUrl
Value: Specify a valid URL to a proxy .pac file.
  For example: https://internal.site/example.pac

PAC failed-open support

By default, Microsoft Edge for Android blocks network access when the PAC script is invalid or unavailable (it fails closed). Organizations can change this default so that Edge fails open instead. Note that failing open means traffic the PAC script would have routed through a proxy goes direct whenever the script cannot be fetched or parsed.

Key: com.microsoft.intune.mam.managedbrowser.proxyPacUrl.FailOpenEnabled
Value:
  false (default): block network access when the PAC script is invalid or unavailable
  true: allow network access when the PAC script is invalid or unavailable

iOS Website data store

Edge for iOS has only one persistent website data store. By default, that data store is always used only by the personal account; the work or school account cannot use it, so its browsing data (except cookies) is lost when each session ends. Organizations can instead let the work or school account use the website data store so that its browsing data persists, for a better user experience.

Key: com.microsoft.intune.mam.managedbrowser.PersistentWebsiteDataStore
Value:
  0 (default): the website data store is always used only by the personal account
  1: the website data store is used by the first signed-in account
  2: the website data store is used by the work or school account first, regardless of the sign-in order

Bing Chat Enterprise

Bing Chat Enterprise is available on Microsoft Edge for iOS and Android. Users can start Bing Chat Enterprise by tapping the Bing button in the bottom bar.

There are three settings under Settings > General > New Bing copilot mode for Bing Chat Enterprise:

New Bing copilot mode: controls whether the Bing button is shown in the bottom bar
Page context: controls whether Bing Chat Enterprise is allowed to access page content
Show Quick chat panel: controls whether the quick chat panel is shown when text on a webpage is selected

You can manage these settings for Bing Chat Enterprise.

Key: com.microsoft.intune.mam.managedbrowser.Chat
Value:
  true (default): users see the Bing button in the bottom bar. The "New Bing copilot mode" setting is on by default and can be turned off by users.
  false: users cannot see the Bing button in the bottom bar. The "New Bing copilot mode" setting is disabled and cannot be turned on by users.

Key: com.microsoft.intune.mam.managedbrowser.ChatPageContext
Value:
  true (default): Bing Chat Enterprise can access page content. The "Page context" and "Show quick chat panel" options under "New Bing copilot mode" are on by default and can be turned off by users.
  false: Bing Chat Enterprise cannot access page content. The "Page context" and "Show quick chat panel" options under "New Bing copilot mode" are disabled and cannot be turned on by users.

Note

Bing Chat Enterprise is only available on Edge for iOS, and com.microsoft.intune.mam.managedbrowser.Chat has false as its default value before Aug 28, 2023. You can enable Bing Chat Enterprise by setting the policy value to true. The default value becomes true after Aug 28, 2023 with the new release available on Edge for iOS and Android.

Data protection app configuration scenarios

Edge for iOS and Android supports app configuration policies for the following data protection settings when the app is managed by Microsoft Intune with a managed apps App Configuration Policy applied to the work or school account that is signed into the app:

Manage account synchronization
Manage restricted web sites
Manage proxy configuration
Manage NTLM single sign-on sites

These settings can be deployed to the app regardless of device enrollment status.

Manage account synchronization

By default, Microsoft Edge sync enables users to access their browsing data across all their signed-in devices. The data supported by sync includes:

Favorites
Passwords
Addresses and more (autofill form entry)

Sync functionality is enabled via user consent, and users can turn sync on or off for each of the data types listed above. For more information, see Microsoft Edge Sync.

Organizations have the capability to disable Edge sync on iOS and Android.

Key: com.microsoft.intune.mam.managedbrowser.account.syncDisabled
Value:
  true: disables Edge sync
  false (default): allows Edge sync

Manage restricted web sites

Organizations can define which sites users can access within the work or school account context in Edge for iOS and Android. If you use an allow list, your users are only able to access the sites explicitly listed. If you use a block list, users can access all sites except those explicitly blocked. You should impose either an allow list or a block list, not both. If you impose both, only the allow list is honored.

Organizations also define what happens when a user attempts to navigate to a restricted web site. By default, transitions are allowed. If the organization allows it, restricted web sites can be opened in the personal account context or in the Azure AD account's InPrivate context; otherwise the site is blocked entirely. For more information on the various scenarios that are supported, see Restricted website transitions in Microsoft Edge mobile. By allowing transition experiences, the organization's users stay protected while corporate resources are kept safe.

Note

Edge for iOS and Android can block access to sites only when they are accessed directly. It doesn't block access when users use intermediate services (such as a translation service) to reach the site. URLs that launch Edge internal pages, such as Edge://*, Edge://flags, and Edge://net-export, are not supported in the managed apps app configuration policy keys AllowListURLs or BlockListURLs. Instead, use the managed devices app configuration policies URLAllowList or URLBlocklist. For related information, see Microsoft Edge mobile policies.

Use the following key/value pairs to configure either an allowed or blocked site list for Edge for iOS and Android.

Key: com.microsoft.intune.mam.managedbrowser.AllowListURLs
Value: The corresponding value for the key is a list of URLs. Enter all the URLs you want to allow as a single value, separated by a pipe | character.
  Examples:
  URL1|URL2|URL3
  http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com

Key: com.microsoft.intune.mam.managedbrowser.BlockListURLs
Value: The corresponding value for the key is a list of URLs. Enter all the URLs you want to block as a single value, separated by a pipe | character.
  Examples:
  URL1|URL2|URL3
  http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com

Key: com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock
Value:
  true (default): allows Edge for iOS and Android to transition restricted sites. When personal accounts are not disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users can open the restricted site in the InPrivate context.
  false: prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked.

Key: com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked
Value:
  true: allows restricted sites to be opened in the Azure AD account's InPrivate context. If the Azure AD account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switching to the personal account.
  false (default): requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, the site is blocked.
  For this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true.

Key: com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar
Value: The number of seconds that users see the snack bar notification "Access to this site is blocked by your organization. We've opened it in InPrivate mode for you to access the site." By default, the snack bar notification is shown for 7 seconds.

The following sites are always allowed regardless of the defined allow list or block list settings:

https://*.microsoft.com/*
http://*.microsoft.com/*
https://microsoft.com/*
http://microsoft.com/*
https://*.windowsazure.com/*
https://*.microsoftonline.com/*
https://*.microsoftonline-p.com/*

URL formats for allowed and blocked site list

You can use various URL formats to build your allowed/blocked site lists. The permitted patterns are detailed in the following table.

Ensure that you prefix all URLs with http:// or https:// when entering them into the list.

You can use the wildcard symbol (*) according to the rules in the following permitted patterns list.

A wildcard can only match a portion (e.g., news-contoso.com ) or entire component of the hostname (e.g., host.contoso.com ) or
entire parts of the path when separated by forward slashes ( www.contoso.com/images ).

You can specify port numbers in the address. If you do not specify a port number, the values used are:
Port 80 for http
Port 443 for https

Using wildcards for the port number is not supported. For example, http://www.contoso.com:* and http://www.contoso.com:*/ are
not supported.

URL: http://www.contoso.com
  Details: Matches a single page
  Matches: www.contoso.com
  Does not match: host.contoso.com; www.contoso.com/images; contoso.com/

URL: http://contoso.com
  Details: Matches a single page
  Matches: contoso.com/
  Does not match: host.contoso.com; www.contoso.com/images; www.contoso.com

URL: http://www.contoso.com/*
  Details: Matches all URLs that begin with www.contoso.com
  Matches: www.contoso.com; www.contoso.com/images; www.contoso.com/videos/tvshows
  Does not match: host.contoso.com; host.contoso.com/images

URL: http://*.contoso.com/*
  Details: Matches all subdomains under contoso.com
  Matches: developer.contoso.com/resources; news.contoso.com/images; news.contoso.com/videos
  Does not match: contoso.host.com; news-contoso.com

URL: http://*contoso.com/*
  Details: Matches all subdomains ending with contoso.com/
  Matches: news-contoso.com; news-contoso.com.com/daily
  Does not match: news-contoso.host.com; news.contoso.com

URL: http://www.contoso.com/images
  Details: Matches a single folder
  Matches: www.contoso.com/images
  Does not match: www.contoso.com/images/dogs

URL: http://www.contoso.com:80
  Details: Matches a single page, by using a port number
  Matches: www.contoso.com:80

URL: https://www.contoso.com
  Details: Matches a single, secure page
  Matches: https://www.contoso.com
  Does not match: http://www.contoso.com

URL: http://www.contoso.com/images/*
  Details: Matches a single folder and all subfolders
  Matches: www.contoso.com/images/dogs; www.contoso.com/images/cats
  Does not match: www.contoso.com/videos

The following are examples of some of the inputs that you can't specify:

*.com
*.contoso/*
www.contoso.com/*images
www.contoso.com/*images*pigs
www.contoso.com/page*
IP addresses
https://*
http://*
http://www.contoso.com:*
http://www.contoso.com: /*

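The matching rules in the table above, together with the AllowTransitionOnBlock and openInPrivateIfBlocked behavior described under Manage restricted web sites, worked through as an added Python example. This is not code from the Intune documentation or from Edge itself; it is a reference implementation of the documented rules so that a candidate allow or block list can be checked offline before it goes into a policy. Two points are assumptions rather than statements on this page: a hostname wildcard is treated as matching within a single dot-separated label (so *contoso.com matches news-contoso.com but not news.contoso.com, as the table shows, while the table's news-contoso.com.com/daily example is not reproduced), and a path wildcard is treated as matching only as a whole trailing segment. The Microsoft sites the page lists as always allowed are checked before either list.

```python
"""Matcher for Edge for iOS and Android allow/block list URL patterns.

Added example, not from the Intune documentation. Implements the documented
rules: http:// or https:// required, default ports 80/443, a wildcard as a
whole or partial hostname label or as a whole trailing path segment, the
always-allowed Microsoft sites, allow list precedence over block list, and
the restricted-site transition settings.
Assumption: a hostname wildcard never spans a dot; a path wildcard is only
valid as the trailing segment.
"""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Listed on the page as always allowed regardless of the configured lists.
ALWAYS_ALLOWED = [
    "https://*.microsoft.com/*", "http://*.microsoft.com/*",
    "https://microsoft.com/*", "http://microsoft.com/*",
    "https://*.windowsazure.com/*",
    "https://*.microsoftonline.com/*", "https://*.microsoftonline-p.com/*",
]


def _split(url):
    """Return (scheme, hostname labels, port, path segments); ValueError if unsupported."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("must start with http:// or https://: %r" % url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]   # .port raises on 'host:*'
    segments = [s for s in parts.path.split("/") if s]
    return parts.scheme, parts.hostname.split("."), port, segments


def validate_pattern(pattern):
    """Reject the inputs the page says cannot be specified; return the pattern."""
    _scheme, labels, _port, segments = _split(pattern)
    try:
        ipaddress.ip_address(".".join(labels))
    except ValueError:
        pass                                   # not an IP address: fine
    else:
        raise ValueError("IP addresses are not supported: %r" % pattern)
    if len(labels) < 2 or "*" in labels[-1] or not labels[-2].replace("*", ""):
        raise ValueError("wildcard must leave a literal domain: %r" % pattern)
    if any(label.count("*") > 1 for label in labels):
        raise ValueError("one wildcard per hostname label: %r" % pattern)
    if any("*" in s and s != "*" for s in segments) or "*" in segments[:-1]:
        raise ValueError("path wildcard must be a whole trailing segment: %r" % pattern)
    return pattern


def _label_matches(pattern_label, label):
    """Exact label, or '*' standing for a portion of the label."""
    if "*" not in pattern_label:
        return pattern_label == label
    head, _, tail = pattern_label.partition("*")
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head) and label.endswith(tail))


def matches(pattern, url):
    """True if url matches one allow/block list pattern."""
    p_scheme, p_host, p_port, p_path = _split(validate_pattern(pattern))
    u_scheme, u_host, u_port, u_path = _split(url)
    if (p_scheme, p_port) != (u_scheme, u_port) or len(p_host) != len(u_host):
        return False
    if not all(map(_label_matches, p_host, u_host)):
        return False
    if p_path and p_path[-1] == "*":           # folder and all subfolders
        return u_path[:len(p_path) - 1] == p_path[:-1]
    return u_path == p_path                    # single page or single folder


def is_allowed(url, allow_list=(), block_list=()):
    """Page precedence: always-allowed sites, then the allow list (if one is
    set the block list is ignored), otherwise the block list."""
    if any(matches(p, url) for p in ALWAYS_ALLOWED):
        return True
    if allow_list:
        return any(matches(p, url) for p in allow_list)
    return not any(matches(p, url) for p in block_list)


def transition_outcome(url, allow_list=(), block_list=(), *,
                       allow_transition_on_block=True,
                       open_in_private_if_blocked=False,
                       personal_accounts_enabled=True):
    """What the work account sees, per AllowTransitionOnBlock and openInPrivateIfBlocked."""
    if is_allowed(url, allow_list, block_list):
        return "open"
    if not allow_transition_on_block:
        return "blocked"
    if open_in_private_if_blocked:
        return "prompt-inprivate-or-personal" if personal_accounts_enabled else "open-inprivate"
    return "prompt-personal" if personal_accounts_enabled else "blocked"


if __name__ == "__main__":
    allow = ["https://*.contoso.com/*", "https://www.bing.com/*"]   # constructed sample list
    for candidate in ("https://expenses.contoso.com/claims", "https://news-contoso.com/",
                      "https://login.microsoftonline.com/common/oauth2"):
        print(candidate, "->", transition_outcome(candidate, allow_list=allow))
```

Patterns the page lists as unsupported (wildcard ports, IP addresses, partial path wildcards, a bare scheme with no literal domain) raise ValueError here rather than silently matching nothing, which is the failure you want to catch before the policy is assigned.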
Manage proxy configuration
You can use Edge for iOS and Android and Azure AD Application Proxy together to give users access to intranet sites on their mobile
devices. For example:

A user is using the Outlook mobile app, which is protected by Intune. They then click a link to an intranet site in an email, and Edge
for iOS and Android recognizes that this intranet site has been exposed to the user through Application Proxy. The user is
automatically routed through Application Proxy, to authenticate with any applicable multi-factor authentication and Conditional
Access, before reaching the intranet site. The user is now able to access internal sites, even on their mobile devices, and the link in
Outlook works as expected.
A user opens Edge for iOS and Android on their iOS or Android device. If Edge for iOS and Android is protected with Intune, and
Application Proxy is enabled, the user can go to an intranet site by using the internal URL they are used to. Edge for iOS and
Android recognizes that this intranet site has been exposed to the user through Application Proxy. The user is automatically routed
through Application Proxy, to authenticate before reaching the intranet site.

Before you start:

Set up your internal applications through Azure AD Application Proxy. To configure Application Proxy and publish applications, see the setup documentation.
Ensure that the user is assigned to the Azure AD Application Proxy app, even if the app is configured with Passthrough pre-
authentication type.
The Edge for iOS and Android app must have an Intune app protection policy assigned.
Microsoft apps must have an app protection policy that has Restrict web content transfer with other apps data transfer setting set
to Microsoft Edge.

Note

Edge for iOS and Android updates the Application Proxy redirection data based on the last successful refresh event. An update is attempted whenever more than one hour has passed since the last successful refresh.

Target Edge for iOS with the following key/value pair to enable Application Proxy:

Key: com.microsoft.intune.mam.managedbrowser.AppProxyRedirection
Value:
  true: enables Azure AD Application Proxy redirection scenarios
  false (default): prevents Azure AD Application Proxy redirection scenarios

Note

Edge for Android does not consume this key. Instead, Edge for Android consumes the Azure AD Application Proxy configuration automatically as long as the signed-in Azure AD account has an app protection policy applied.

For more information about how to use Edge for iOS and Android and Azure AD Application Proxy in tandem for seamless (and
protected) access to on-premises web apps, see Better together: Intune and Azure Active Directory team up to improve user access .
This blog post references the Intune Managed Browser, but the content applies to Edge for iOS and Android as well.

Manage NTLM single sign-on sites

Organizations may require users to authenticate with NTLM to access intranet web sites. By default, users are prompted to enter credentials each time they access a web site that requires NTLM authentication, because NTLM credential caching is disabled.

Organizations can enable NTLM credential caching for particular web sites. For these sites, after the user enters credentials and successfully authenticates, the credentials are cached by default for 30 days.

Key: com.microsoft.intune.mam.managedbrowser.NTLMSSOURLs
Value: The corresponding value for the key is a list of URLs. Enter all the URLs you want to allow as a single value, separated by a pipe | character.
  Examples:
  URL1|URL2
  http://app.contoso.com/|https://expenses.contoso.com
  For more information on the types of URL formats that are supported, see URL formats for allowed and blocked site list.

Key: com.microsoft.intune.mam.managedbrowser.durationOfNTLMSSO
Value: Number of hours to cache credentials; the default is 720 hours (30 days).

Additional app configuration for managed devices

The following policies, originally configurable only through a managed apps app configuration policy, are now also available through a managed devices app configuration policy. When using policies for managed apps, users must sign in to Microsoft Edge. When using policies for managed devices, users are not required to sign in to Edge for the policies to apply.

Because app configuration policies for managed devices require device enrollment, any unified endpoint management (UEM) provider is supported. To find more policies under the MDM channel, see Microsoft Edge Mobile Policies.

MAM policy -> MDM policy

com.microsoft.intune.mam.managedbrowser.NewTabPage.CustomURL -> EdgeNewTabPageCustomURL
com.microsoft.intune.mam.managedbrowser.MyApps -> EdgeMyApps
com.microsoft.intune.mam.managedbrowser.defaultHTTPS -> EdgeDefaultHTTPS
com.microsoft.intune.mam.managedbrowser.disableShareUsageData -> EdgeDisableShareUsageData
com.microsoft.intune.mam.managedbrowser.disableShareBrowsingHistory -> EdgeDisableShareBrowsingHistory
com.microsoft.intune.mam.managedbrowser.disabledFeatures -> EdgeDisabledFeatures
com.microsoft.intune.mam.managedbrowser.enableKioskMode -> EdgeEnableKioskMode
com.microsoft.intune.mam.managedbrowser.showAddressBarInKioskMode -> EdgeShowAddressBarInKioskMode
com.microsoft.intune.mam.managedbrowser.showBottomBarInKioskMode -> EdgeShowBottomBarInKioskMode
com.microsoft.intune.mam.managedbrowser.account.syncDisabled -> EdgeSyncDisabled
com.microsoft.intune.mam.managedbrowser.NetworkStackPref -> EdgeNetworkStackPref

Deploy app configuration scenarios with Microsoft Intune

If you are using Microsoft Intune as your mobile app management provider, the following steps allow you to create a managed apps
app configuration policy. After the configuration is created, you can assign its settings to groups of users.

1. Sign into the Microsoft Intune admin center .

2. Select Apps and then select App configuration policies.

3. On the App Configuration policies blade, choose Add and select Managed apps.

4. On the Basics section, enter a Name, and optional Description for the app configuration settings.

5. For Public apps, choose Select public apps, and then, on the Targeted apps blade, choose Edge for iOS and Android by selecting
both the iOS and Android platform apps. Click Select to save the selected public apps.

6. Click Next to complete the basic settings of the app configuration policy.

7. On the Settings section, expand the Edge configuration settings.

8. If you want to manage the data protection settings, configure the desired settings accordingly:

For Application proxy redirection, choose from the available options: Enable, Disable (default).

For Homepage shortcut URL, specify a valid URL that includes the prefix of either http:// or https://. Incorrect URLs are
blocked as a security measure.

For Managed bookmarks, specify the title and a valid URL that includes the prefix of either http:// or https://.

For Allowed URLs, specify a valid URL (only these URLs are allowed; no other sites can be accessed). For more information on
the types of URL formats that are supported, see URL formats for allowed and blocked site list.
For Blocked URLs, specify a valid URL (only these URLs are blocked). For more information on the types of URL formats that
are supported, see URL formats for allowed and blocked site list.

For Redirect restricted sites to personal context, choose from the available options: Enable (default), Disable.

Note

When both Allowed URLs and Blocked URLs are defined in the policy, only the allowed list is honored.

9. If you want to add app configuration settings not exposed in the above policy, expand the General configuration settings
node and enter the key-value pairs accordingly.

10. When you are finished configuring the settings, choose Next.

11. On the Assignments section, choose Select groups to include. Select the Azure AD group to which you want to assign the app
configuration policy, and then choose Select.

12. When you are finished with the assignments, choose Next.

13. On the Create app configuration policy Review + Create blade, review the settings configured and choose Create.

The newly created configuration policy is displayed on the App configuration blade.

Use Edge for iOS and Android to access managed app logs
Users with Edge for iOS and Android installed on their iOS or Android device can view the management status of all Microsoft published
apps. They can send logs for troubleshooting their managed iOS or Android apps by using the following steps:

1. Open Edge for iOS and Android on your device.

2. Type edge://intunehelp/ in the address box.

3. Edge for iOS and Android launches troubleshooting mode.

You can retrieve logs from Microsoft Support by giving them the user's incident ID.

For a list of the settings stored in the app logs, see Review client app protection logs.

Next steps
What are app protection policies?
App configuration policies for Microsoft Intune
Manage collaboration experiences in Office for iOS and Android with Microsoft Intune
Article • 07/05/2023

Office for iOS and Android delivers several key benefits including:

Combining Word, Excel, and PowerPoint in a way that simplifies the experience
with fewer apps to download or switch between. It requires far less phone storage
than installing individual apps while maintaining virtually all the capabilities of the
existing mobile apps people already know and use.
Integrating Office Lens technology to unlock the power of the camera with
capabilities like converting images into editable Word and Excel documents,
scanning PDFs, and capturing whiteboards with automatic digital enhancements to
make the content easier to read.
Adding new functionality for common tasks people often encounter when working
on a phone—things like making quick notes, signing PDFs, scanning QR codes,
and transferring files between devices.

The richest and broadest protection capabilities for Microsoft 365 data are available
when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft
Intune and Azure Active Directory Premium features, such as conditional access. At a
minimum, you will want to deploy a conditional access policy that allows connectivity to
Office for iOS and Android from mobile devices and an Intune app protection policy
that ensures the collaboration experience is protected.

Apply Conditional Access


Organizations can use Azure AD Conditional Access policies to ensure that users can
only access work or school content using Office for iOS and Android. To do this, you will
need a conditional access policy that targets all potential users. These policies are
described in Conditional Access: Require approved client apps or app protection policy.

1. Follow the steps in Require approved client apps or app protection policy with
mobile devices, which allows Office for iOS and Android, but blocks third-party
OAuth capable mobile device clients from connecting to Microsoft 365 endpoints.

Note

This policy ensures mobile users can access all Microsoft 365 endpoints using
the applicable apps.

Note

To leverage app-based conditional access policies, the Microsoft Authenticator app
must be installed on iOS devices. For Android devices, the Intune Company Portal
app is required. For more information, see App-based Conditional Access with
Intune.

Create Intune app protection policies


App Protection Policies (APP) define which apps are allowed and the actions they can
take with your organization's data. The choices available in APP enable organizations to
tailor the protection to their specific needs. For some, it may not be obvious which
policy settings are required to implement a complete scenario. To help organizations
prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its
APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels,
with each level building off the previous level:

Enterprise basic data protection (Level 1) ensures that apps are protected with a
PIN and encrypted, and performs selective wipe operations. For Android devices,
this level validates Android device attestation. This is an entry-level configuration
that provides data protection controls similar to those in Exchange Online mailbox
policies and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage
prevention mechanisms and minimum OS requirements. This is the configuration
that applies to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection
mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This
configuration is desirable for users who access high-risk data.

To see the specific recommendations for each configuration level and the minimum
apps that must be protected, review Data protection framework using app protection
policies.

Regardless of whether the device is enrolled in a unified endpoint management (UEM)
solution, an Intune app protection policy needs to be created for both iOS and Android
apps, using the steps in How to create and assign app protection policies. These
policies, at a minimum, must meet the following conditions:

1. They include all Microsoft 365 mobile applications, such as Edge, Outlook,
OneDrive, Office, or Teams, as this ensures that users can access and manipulate
work or school data within any Microsoft app in a secure fashion.

2. They are assigned to all users. This ensures that all users are protected, regardless
of whether they use Office for iOS or Android.

3. Determine which framework level meets your requirements. Most organizations
should implement the settings defined in Enterprise enhanced data protection
(Level 2) as that enables data protection and access requirements controls.

For more information on the available settings, see Android app protection policy
settings and iOS app protection policy settings.

Important

To apply Intune app protection policies against apps on Android devices that are
not enrolled in Intune, the user must also install the Intune Company Portal.

Utilize app configuration


Office for iOS and Android supports app settings that allow unified endpoint
management, like Microsoft Intune, administrators to customize the behavior of the
app.

App configuration can be delivered either through the mobile device management
(MDM) OS channel on enrolled devices (the Managed App Configuration channel for iOS
or the Android Enterprise channel for Android) or through the Intune App
Protection Policy (APP) channel. Office for iOS and Android supports the following
configuration scenarios:

Only allow work or school accounts
General app configuration
Data protection settings

Important

For configuration scenarios that require device enrollment on Android, the devices
must be enrolled in Android Enterprise and Office for Android must be deployed
via the Managed Google Play store. For more information, see Set up enrollment
of Android Enterprise personally-owned work profile devices and Add app
configuration policies for managed Android Enterprise devices.

Each configuration scenario highlights its specific requirements. For example, whether
the configuration scenario requires device enrollment, and thus works with any UEM
provider, or requires Intune App Protection Policies.

Important

App configuration keys are case sensitive. Use the proper casing to ensure the
configuration takes effect.

Note

With Microsoft Intune, app configuration delivered through the MDM OS channel is
referred to as a Managed Devices App Configuration Policy (ACP); app
configuration delivered through the App Protection Policy channel is referred to as
a Managed Apps App Configuration Policy.

Only allow work or school accounts


Respecting the data security and compliance policies of our largest and most highly
regulated customers is a key pillar of the Microsoft 365 value. Some companies have a
requirement to capture all communications information within their corporate
environment, as well as ensure the devices are only used for corporate communications.
To support these requirements, Office for Android on enrolled devices can be
configured to only allow a single corporate account to be provisioned within the app.

You can learn more about configuring the org allowed accounts mode setting here:

Android setting
iOS setting

This configuration scenario only works with enrolled devices. However, any UEM
provider is supported. If you are not using Microsoft Intune, you need to consult with
your UEM documentation on how to deploy these configuration keys.

General app configuration scenarios


Office for iOS/iPadOS and Android offers administrators the ability to customize the
default configuration for several in-app settings using either iOS/iPadOS or Android app
configuration policies. This capability is offered for both enrolled devices via any UEM
provider and for devices that are not enrolled when Office for iOS and Android has an
Intune App Protection Policy applied.

Note

If an App Protection Policy is targeted to the users, the recommendation is to
deploy the general app configuration settings in a Managed Apps enrollment
model. This ensures the App Configuration Policy is deployed to both enrolled
devices and unenrolled devices.

Office supports the following settings for configuration:

Manage the creation of Sticky Notes
Set add-ins preference
Manage Teams apps running on Office for iOS and Android

Manage the creation of Sticky Notes


By default, Office for iOS and Android enables users to create Sticky Notes. For users
with Exchange Online mailboxes, the notes are synchronized into the user's mailbox. For
users with on-premises mailboxes, these notes are only stored on the local device.

Key Value

com.microsoft.office.NotesCreationEnabled true (default) enables Sticky Notes creation for the work or school account
false disables Sticky Notes creation for the work or school account

Set add-ins preference


For iOS/iPadOS devices running Office, you (as the admin) can set whether Office
add-ins are enabled. These app settings can be deployed using an app configuration
policy in Intune.

Key Value

com.microsoft.office.OfficeWebAddinDisableAllCatalogs true (default) disables the entire add-in platform
false enables the add-in platform

If you need to enable or disable the Office Store portion of the platform for iOS devices,
you can use the following key.

Key Value

com.microsoft.office.OfficeWebAddinDisableOMEXCatalog true (default) disables only the Office Store portion of the platform
false enables the Office Store portion of the platform
NOTE: Sideloaded add-ins will continue to work.

For more information about adding configuration keys, see Add app configuration
policies for managed iOS/iPadOS devices.

Manage Teams apps running on Office for iOS and Android
IT admins can manage access to Teams apps by creating custom permission policies and
assigning these policies to users using Teams admin center. You can now also run Teams
personal tab apps in Office for iOS and Android. Teams personal tab apps built using
Microsoft Teams JavaScript client SDK v2 (version 2.0.0) and Teams App manifest
(version 1.13) appear in Office for iOS and Android under the “Apps” menu.

There may be additional management requirements specific to Office for iOS and
Android. You may want to:

Only allow specific users in your organization to try enhanced Teams apps on
Office for iOS and Android, or
Block all users in your organization from using enhanced Teams apps on Office for
iOS and Android.

To manage these, you can use the following key:

Key Value

com.microsoft.office.officemobile.TeamsApps.IsAllowed true (default) enables Teams apps on Office for iOS and Android
false disables Teams apps on Office for iOS and Android

This key can be used both by managed devices and managed apps.

Enable or disable Microsoft 365 Feed for iOS and Android


Admins can now enable or disable the Microsoft 365 Feed by configuring the following
setting in the Intune admin center. To deploy this app setting, use an app configuration
policy in Intune.

To manage the Microsoft 365 Feed, you can use the following key:

Key Value

com.microsoft.office.officemobile.Feed.IsAllowed true (default) Feed is enabled for the tenant

false disables Feed for the tenant

This key can be used by managed devices and managed apps.

Next steps
What are app protection policies?
App configuration policies for Microsoft Intune
Manage messaging collaboration access by using Outlook for iOS and Android with Microsoft Intune
Article • 03/07/2023

The Outlook for iOS and Android app is designed to enable users in your organization
to do more from their mobile devices, by bringing together email, calendar, contacts,
and other files.

The richest and broadest protection capabilities for Microsoft 365 data are available
when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft
Intune and Azure Active Directory Premium features, such as conditional access. At a
minimum, you will want to deploy a conditional access policy that allows connectivity to
Outlook for iOS and Android from mobile devices and an Intune app protection policy
that ensures the collaboration experience is protected.

Apply Conditional Access


Organizations can use Azure AD Conditional Access policies to ensure that users can
only access work or school content using Outlook for iOS and Android. To do this, you
will need a conditional access policy that targets all potential users. These policies are
described in Conditional Access: Require approved client apps or app protection policy.

1. Follow the steps in Require approved client apps or app protection policy with
mobile devices. This policy allows Outlook for iOS and Android, but blocks OAuth
and basic authentication capable Exchange ActiveSync mobile clients from
connecting to Exchange Online.

Note

This policy ensures mobile users can access all Microsoft 365 endpoints using
the applicable apps.

2. Follow the steps in Block Exchange ActiveSync on all devices, which prevents
Exchange ActiveSync clients using basic authentication on non-mobile devices
from connecting to Exchange Online.

The above policies leverage the grant access control Require app protection policy,
which ensures that an Intune App Protection Policy is applied to the associated
account within Outlook for iOS and Android prior to granting access. If the user
isn't assigned to an Intune App Protection Policy, isn't licensed for Intune, or the
app isn't included in the Intune App Protection Policy, then the policy prevents the
user from obtaining an access token and gaining access to messaging data.

3. Follow the steps in How to: Block legacy authentication to Azure AD with
Conditional Access to block legacy authentication for other Exchange protocols on
iOS and Android devices; this policy should target only the Microsoft Exchange Online
cloud app and the iOS and Android device platforms. This ensures mobile apps using
Exchange Web Services, IMAP4, or POP3 protocols with basic authentication
cannot connect to Exchange Online.

Note

To leverage app-based conditional access policies, the Microsoft Authenticator app
must be installed on iOS devices. For Android devices, the Intune Company Portal
app is required. For more information, see App-based Conditional Access with
Intune.

Create Intune app protection policies


App Protection Policies (APP) define which apps are allowed and the actions they can
take with your organization's data. The choices available in APP enable organizations to
tailor the protection to their specific needs. For some, it may not be obvious which
policy settings are required to implement a complete scenario. To help organizations
prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its
APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels,
with each level building off the previous level:

Enterprise basic data protection (Level 1) ensures that apps are protected with a
PIN and encrypted, and performs selective wipe operations. For Android devices,
this level validates Android device attestation. This is an entry-level configuration
that provides data protection controls similar to those in Exchange Online mailbox
policies and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage
prevention mechanisms and minimum OS requirements. This is the configuration
that applies to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection
mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This
configuration is desirable for users who access high-risk data.

To see the specific recommendations for each configuration level and the minimum
apps that must be protected, review Data protection framework using app protection
policies.

Regardless of whether the device is enrolled in a unified endpoint management (UEM)
solution, an Intune app protection policy needs to be created for both iOS and Android
apps, using the steps in How to create and assign app protection policies. These
policies, at a minimum, must meet the following conditions:

They include all Microsoft 365 mobile applications, such as Edge, Outlook,
OneDrive, Office, or Teams, as this ensures that users can access and manipulate
work or school data within any Microsoft app in a secure fashion.

They are assigned to all users. This ensures that all users are protected, regardless
of whether they use Outlook for iOS or Android.

Determine which framework level meets your requirements. Most organizations
should implement the settings defined in Enterprise enhanced data protection
(Level 2) as that enables data protection and access requirements controls.

For more information on the available settings, see Android app protection policy
settings and iOS app protection policy settings.

Important

To apply Intune app protection policies against apps on Android devices that are
not enrolled in Intune, the user must also install the Intune Company Portal.

Use app configuration


Outlook for iOS and Android supports app settings that allow unified endpoint
management, like Microsoft Endpoint Manager, administrators to customize the
behavior of the app.

App configuration can be delivered either through the mobile device management
(MDM) OS channel on enrolled devices (the Managed App Configuration channel for iOS
or the Android Enterprise channel for Android) or through the Intune App
Protection Policy (APP) channel. Outlook for iOS and Android supports the following
configuration scenarios:

Only allow work or school accounts
General app configuration settings
S/MIME settings
Data protection settings

For specific procedural steps and detailed documentation on the app configuration
settings Outlook for iOS and Android supports, see Deploying Outlook for iOS and
Android app configuration settings.

Next steps
What are app protection policies?
App configuration policies for Microsoft Intune
Manage collaboration experiences in Teams for iOS and Android with Microsoft Intune
Article • 03/09/2023

Microsoft Teams is the hub for team collaboration in Microsoft 365 that integrates the
people, content, and tools your team needs to be more engaged and effective.

The richest and broadest protection capabilities for Microsoft 365 data are available
when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft
Intune and Azure Active Directory Premium features, such as conditional access. At a
minimum, you'll want to deploy a conditional access policy that allows connectivity to
Teams for iOS and Android from mobile devices and an Intune app protection policy
that ensures the collaboration experience is protected.

Apply Conditional Access


Organizations can use Azure AD Conditional Access policies to ensure that users can
only access work or school content using Teams for iOS and Android. To do this, you will
need a conditional access policy that targets all potential users. These policies are
described in Conditional Access: Require approved client apps or app protection policy.

Note

To leverage app-based conditional access policies, the Microsoft Authenticator app
must be installed on iOS devices. For Android devices, the Intune Company Portal
app is required. For more information, see App-based Conditional Access with
Intune.

Follow the steps in Require approved client apps or app protection policy with mobile
devices, which allows Teams for iOS and Android, but blocks third-party OAuth capable
mobile device clients from connecting to Microsoft 365 endpoints.

Note

This policy ensures mobile users can access all Microsoft 365 endpoints using the
applicable apps.

Create Intune app protection policies

App Protection Policies (APP) define which apps are allowed and the actions they can
take with your organization's data. The choices available in APP enable organizations to
tailor the protection to their specific needs. For some, it may not be obvious which
policy settings are required to implement a complete scenario. To help organizations
prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its
APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels,
with each level building off the previous level:

Enterprise basic data protection (Level 1) ensures that apps are protected with a
PIN and encrypted, and performs selective wipe operations. For Android devices,
this level validates Android device attestation. This is an entry-level configuration
that provides data protection controls similar to those in Exchange Online mailbox
policies and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage
prevention mechanisms and minimum OS requirements. This is the configuration
that applies to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection
mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This
configuration is desirable for users who access high-risk data.

To see the specific recommendations for each configuration level and the minimum
apps that must be protected, review Data protection framework using app protection
policies.

Regardless of whether the device is enrolled in a unified endpoint management (UEM)
solution, an Intune app protection policy needs to be created for both iOS and Android
apps, using the steps in How to create and assign app protection policies. These
policies, at a minimum, must meet the following conditions:

1. They include all Microsoft 365 mobile applications, such as Edge, Outlook,
OneDrive, Office, or Teams, as this ensures that users can access and manipulate
work or school data within any Microsoft app in a secure fashion.

2. They're assigned to all users. This ensures that all users are protected, regardless of
whether they use Teams for iOS or Android.

3. Determine which framework level meets your requirements. Most organizations
should implement the settings defined in Enterprise enhanced data protection
(Level 2) as that enables data protection and access requirements controls.

For more information on the available settings, see Android app protection policy
settings and iOS app protection policy settings.

Important

To apply Intune app protection policies against apps on Android devices that aren't
enrolled in Intune, the user must also install the Intune Company Portal.

Utilize app configuration


Teams for iOS and Android supports app settings that allow unified endpoint
management, like Microsoft Endpoint Manager, administrators to customize the
behavior of the app.

App configuration can be delivered either through the mobile device management
(MDM) OS channel on enrolled devices (the Managed App Configuration channel for iOS
or the Android Enterprise channel for Android) or through the Intune App
Protection Policy (APP) channel. Teams for iOS and Android supports the following
configuration scenarios:

Only allow work or school accounts

Important

For configuration scenarios that require device enrollment on Android, the devices
must be enrolled in Android Enterprise and Teams for Android must be deployed
via the Managed Google Play store. For more information, see Set up enrollment
of Android Enterprise personally-owned work profile devices and Add app
configuration policies for managed Android Enterprise devices.

Each configuration scenario highlights its specific requirements. For example, whether
the configuration scenario requires device enrollment, and thus works with any UEM
provider, or requires Intune App Protection Policies.

Important

App configuration keys are case sensitive. Use the proper casing to ensure the
configuration takes effect.

Note

With Microsoft Endpoint Manager, app configuration delivered through the MDM
OS channel is referred to as a Managed Devices App Configuration Policy (ACP);
app configuration delivered through the App Protection Policy channel is referred
to as a Managed Apps App Configuration Policy.

Only allow work or school accounts


Respecting the data security and compliance policies of our largest and most highly
regulated customers is a key pillar of the Microsoft 365 value. Some companies have a
requirement to capture all communications information within their corporate
environment, as well as ensure the devices are only used for corporate communications.
To support these requirements, Teams for iOS and Android on enrolled devices can be
configured to only allow a single corporate account to be provisioned within the app.

You can learn more about configuring the org allowed accounts mode setting here:

Android setting
iOS setting

This configuration scenario only works with enrolled devices. However, any UEM
provider is supported. If you aren't using Microsoft Endpoint Manager, you need to
consult with your UEM documentation on how to deploy these configuration keys.

Notification settings in Microsoft Teams


Notifications keep you up to date about what's happening or going to happen around
you. They appear on the home screen or lock screen based on the settings. Use the
following options to configure your notifications on the portal through an app
protection policy.

Options Description

Allow Display the actual notification with all the details (title and content).

Block org data Remove the title and replace the content with “You have a new message” for chat
notifications, and “There is new activity” for others. A user won't be able to Reply to a
notification from a lock screen.

Blocked Suppresses the notification and doesn't notify the user.


To set the policies in Intune

1. Sign in to the Microsoft Intune admin center.

2. In the left navigation pane, navigate to Apps > App protection policies.

3. Click Create Policy and select your desired platform, such as iOS/iPadOS.

4. On the Basics page, add details such as Name and Description. Click Next.

5. On the Apps page, click Select public apps, then find and select the Microsoft
Teams apps. Click Next.

6. On the Data Protection page, find the Org data notifications setting and select
the Block org Data option. Set the Assignments for the groups of users to include
and then create your policy.

7. Once the app protection policy has been created, go to Apps > App configuration
policies > Add > Managed apps.

8. On the Basics page, add a Name and click Select public apps, then find and select
the Microsoft Teams apps. Click Next.

9. Under General configuration settings, set any of the following keys to 1 to turn
this feature on for chat, channels, all other notifications, or any combination of
these, and set a key to 0 to turn the feature off.

Name Value

com.microsoft.teams.chat.notifications.IntuneMAMOnly 1 for on, 0 for off

com.microsoft.teams.channel.notifications.IntuneMAMOnly 1 for on, 0 for off

com.microsoft.teams.others.notifications.IntuneMAMOnly 1 for on, 0 for off


10. Set the Assignments for the groups of users to include and then create your
policy.

11. Once the policy has been created, go to Apps > App protection policies. Find your
newly created App protection policy and check whether the policy has been
deployed by reviewing the Deployed column. The Deployed column should
display Yes for the created policy. If it displays No, refresh the page, and check
after 10 minutes.

For the notifications to show up on iOS and Android devices

1. On the device, sign in to both Teams and Company Portal. Set it to Show Previews
> Always to make sure your device notification settings allow notifications from
Teams.
2. Lock the device and send notifications to the user logged in on that device. Tap on
a notification to expand it on the lock screen, without unlocking the device.
3. Notifications on the lock screen should look as follows (screenshots are from iOS,
but the same strings should be shown on Android):

No option for Reply or other quick notification reactions from lock screen
should be visible.

The sender’s avatar isn't visible; however, initials are fine.

The notification should display title but replace content with "You have a new
message" for chat notifications, and "There is new activity" for others.

For more information about app configuration policies and app protection policies, see
the following topics:

App configuration policies for Microsoft Intune
App protection policies overview

Next steps
What are app protection policies?
App configuration policies for Microsoft Intune
Configure Google Chrome for Android devices using Intune
Article • 03/14/2023

You can use an Intune app configuration policy to configure Google Chrome for Android
devices. The settings for the app can be automatically applied. For example, you can
specifically set the bookmarks and the URLs that you would like to block or allow.

Prerequisites

The user's Android Enterprise device must be enrolled in Intune. For more
information, see Set up enrollment of Android Enterprise personally-owned work
profile devices.
Google Chrome is added as a Managed Google Play app. For more information
about Managed Google Play, see Connect your Intune account to your Managed
Google Play account.

Add the Google Chrome app to Intune

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > All apps > Add then add the Managed Google Play app.

3. Go to Managed Google Play, search with Google Chrome and approve.

4. Assign Google Chrome to a group as a required app type. Google Chrome will be
deployed automatically when the device is enrolled into Intune.
For additional details about adding a Managed Google Play app to Intune, see Managed
Google Play store apps.

Add app configuration for managed AE devices

1. From the Microsoft Intune admin center, select Apps > App configuration
policies > Add > Managed devices.

2. Set the following details:

Name - The name of the profile that appears in the portal.
Description - The description of the profile that appears in the portal.
Device enrollment type - This setting is set to Managed devices.
Platform - Select Android.

3. Click Associated app to display the Associated app pane. Find and select Google
Chrome. This list contains Managed Google Play apps that you've approved and
synchronized with Intune.
4. Click Configuration settings, select Use configuration designer, and then click
Add to select the configuration keys.

Below is an example of common settings:

Block access to a list of URLs: ["*"]

Allow access to a list of URLs: ["baidu.com", "youtube.com", "chromium.org", "chrome://*"]

Managed Bookmarks: [{"toplevel_name": "My managed bookmarks folder"}, {"url": "baidu.com", "name": "Baidu"}, {"url": "youtube.com", "name": "Youtube"}, {"name": "Chrome links", "children": [{"url": "chromium.org", "name": "Chromium"}, {"url": "dev.chromium.org", "name": "Chromium Developers"}]}]

Incognito mode availability: Incognito mode disabled

Once the configuration settings are added using the configuration designer, they
will be listed in a table.

The above settings create bookmarks and block access to all URLs except
baidu.com, youtube.com, chromium.org, and chrome://.

5. Click OK and Add to add your configuration policy to Intune.

6. Assign this configuration policy to a user group. For more information, see Assign
apps to groups with Microsoft Intune.
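As an added example (not code from the article or from Google), the URL policy configured above modelled in Python, with a check that every managed bookmark stays reachable under the block-everything-then-allow rule and a builder that emits the same settings as an Android managed configuration. The Chrome policy key names, the com.android.chrome package ID, the JSON-text encoding of list values and the simplified URL matching are assumptions stated in the code.

```python
"""Added example (not from the article or Google): a model of the Chrome for Android
URL policy configured above, with a check that the managed bookmarks stay reachable.

Assumptions: the configuration-designer labels map to the Chrome Enterprise policies
URLBlocklist, URLAllowlist, ManagedBookmarks and IncognitoModeAvailability, Chrome's
package ID is com.android.chrome, and list-valued policies travel as JSON text in a
string. The matcher is a simplified model (bare "*", "scheme://*", host plus subdomains)
that is sufficient for the article's block-everything-then-allow pattern; it is not
Chrome's complete URL filter grammar.
"""
import json
from urllib.parse import urlsplit

# Values copied from the article's configuration designer example.
URL_BLOCKLIST = ["*"]
URL_ALLOWLIST = ["baidu.com", "youtube.com", "chromium.org", "chrome://*"]
MANAGED_BOOKMARKS = [
    {"toplevel_name": "My managed bookmarks folder"},
    {"url": "baidu.com", "name": "Baidu"},
    {"url": "youtube.com", "name": "Youtube"},
    {"name": "Chrome links", "children": [
        {"url": "chromium.org", "name": "Chromium"},
        {"url": "dev.chromium.org", "name": "Chromium Developers"},
    ]},
]


def _split(url):
    # The article's bookmark entries omit the scheme; treat those as https.
    return urlsplit(url if "://" in url else "https://" + url)


def pattern_matches(pattern, url):
    """Simplified URL filter entry match (see the module docstring)."""
    if pattern == "*":
        return True
    parts = _split(url)
    if pattern.endswith("://*"):          # e.g. "chrome://*" matches chrome://policy
        return parts.scheme == pattern[:-4]
    host = (parts.hostname or "").lower()
    pat = pattern.lower()
    # A bare host entry covers the host itself and every subdomain, but not
    # look-alike hosts such as notbaidu.com.
    return host == pat or host.endswith("." + pat)


def is_allowed(url, blocklist=URL_BLOCKLIST, allowlist=URL_ALLOWLIST):
    """An allowlist match wins; otherwise any blocklist match blocks the URL."""
    if any(pattern_matches(p, url) for p in allowlist):
        return True
    return not any(pattern_matches(p, url) for p in blocklist)


def bookmark_urls(bookmarks):
    """Flatten the ManagedBookmarks tree; folders carry "children" instead of "url"."""
    for entry in bookmarks:
        if "url" in entry:
            yield entry["url"]
        yield from bookmark_urls(entry.get("children", []))


def unreachable_bookmarks(bookmarks=MANAGED_BOOKMARKS, blocklist=URL_BLOCKLIST,
                          allowlist=URL_ALLOWLIST):
    """Bookmarks the same policy would block: a mismatch worth catching before assignment."""
    return [u for u in bookmark_urls(bookmarks) if not is_allowed(u, blocklist, allowlist)]


def build_managed_configuration(blocklist=URL_BLOCKLIST, allowlist=URL_ALLOWLIST,
                                bookmarks=MANAGED_BOOKMARKS, incognito_disabled=True):
    """The same settings as an Android managed configuration, the shape Intune's
    "Enter JSON data" option accepts (key names assumed from the Chrome policy list)."""
    return {
        "kind": "androidenterprise#managedConfiguration",
        "productId": "app:com.android.chrome",
        "managedProperty": [
            {"key": "URLBlocklist", "valueString": json.dumps(blocklist)},
            {"key": "URLAllowlist", "valueString": json.dumps(allowlist)},
            {"key": "ManagedBookmarks", "valueString": json.dumps(bookmarks)},
            # IncognitoModeAvailability: 0 = available, 1 = disabled, 2 = forced.
            {"key": "IncognitoModeAvailability",
             "valueInteger": 1 if incognito_disabled else 0},
        ],
    }


if __name__ == "__main__":
    for url in ("https://dev.chromium.org/", "chrome://policy", "https://example.com/"):
        print(url, "allowed" if is_allowed(url) else "blocked")
    print("unreachable bookmarks:", unreachable_bookmarks())
    print(json.dumps(build_managed_configuration(), indent=2))
```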

Verify the device settings

Once the Android device is enrolled with Android Enterprise, the managed Google
Chrome app with the portfolio icon will be deployed automatically.
Launch Google Chrome and you will find the settings applied (screenshots: Bookmarks,
Blocked URL, Allow URL, Incognito tab).

Troubleshooting
1. Check Intune to monitor the policy deployment status.
2. Launch Google Chrome and visit chrome://policy to confirm whether the settings
were applied successfully.

Additional information
Add app configuration policies for managed Android Enterprise devices
Chrome Enterprise policy list
Next steps
For more information about Android Enterprise fully managed devices, see Set up
Intune enrollment of Android Enterprise fully managed devices.

Use a VPN and per-app VPN policy on Android Enterprise devices in Microsoft Intune
Article • 03/07/2023

Virtual private networks (VPN) allow users to access organization resources remotely,
including from home, hotels, cafes, and more. In Microsoft Intune, you can configure
VPN client apps on Android Enterprise devices using an app configuration policy. Then,
deploy this policy with its VPN configuration to devices in your organization.

You can also create VPN policies that are used by specific apps. This feature is called
per-app VPN. When the app is active, it can connect to the VPN, and access resources
through the VPN. When the app isn't active, the VPN isn't used.

This feature applies to:

Android Enterprise

There are two ways to build the app configuration policy for your VPN client app:

Configuration designer
JSON data

This article shows you how to create a per-app VPN and VPN app configuration policy
using both options.

Note

Many of the VPN client configuration parameters are similar. But, each app has its
unique keys and options. Consult with your VPN vendor if you have questions.

Before you begin

Android doesn't automatically trigger a VPN client connection when an app opens.
The VPN connection must be started manually. Or, you can use always-on VPN to
start the connection.

The following VPN clients support Intune app configuration policies:

Cisco AnyConnect
Citrix SSO
F5 Access
Palo Alto Networks GlobalProtect
Pulse Secure
SonicWall Mobile Connect

When you create the VPN policy in Intune, you'll select different keys to configure.
These key names vary with the different VPN client apps. So, the key names in your
environment may be different than the examples in this article.

The Configuration designer and JSON data can successfully use certificate-based
authentication. If VPN authentication requires client certificates, then create the
certificate profiles before you create the VPN policy. The VPN app configuration
policies use the values from the certificate profiles.

Android Enterprise personally owned work profile devices support SCEP and PKCS
certificates. Android Enterprise fully managed, dedicated, and corporate-owned
work profile devices only support SCEP certificates. For more information, see Use
certificates for authentication in Microsoft Intune.

Per-app VPN overview

When creating and testing per-app VPN, the basic flow includes the following steps:

1. Select the VPN client application. Before you begin (in this article) lists the
supported apps.
2. Get the application package IDs of the apps that will use the VPN connection. Get
the app package ID (in this article) shows you how.
3. If you use certificates to authenticate the VPN connection, then create and deploy
the certificate profiles before you deploy the VPN policy. Make sure the certificate
profiles deploy successfully. For more information, see Use certificates for
authentication in Microsoft Intune.
4. Add the VPN client application to Intune, and deploy the app to your users and
devices.
5. Create the VPN app configuration policy. Use the app package IDs and certificate
information in the policy.
6. Deploy the new VPN policy.
7. Confirm the VPN client app successfully connects to your VPN server.
8. When the app is active, confirm that traffic from your app successfully goes
through the VPN.

Get the app package ID

Get the package ID for each application that will use the VPN. For publicly available
applications, you can get the app package ID in the Google Play store. The displayed
URL for each application includes the package ID.

In the following example, the package ID of the Microsoft Edge browser app is
com.microsoft.emmx. The package ID is part of the URL:

For Line of Business (LOB) apps, get the package ID from the vendor or application
developer.

Certificates
This article assumes your VPN connection uses certificate-based authentication. It also
assumes you successfully deployed all the certificates in the chain needed for clients to
successfully authenticate. Typically, this certificate chain includes the client certificate,
any intermediate certificates, and the root certificate.

For more information on certificates, see Use certificates for authentication in Microsoft
Intune.

When your client authentication certificate profile is deployed, it creates a certificate
token in the certificate profile. This token is used to create the VPN app configuration
policy.

If you're not familiar with creating app configuration policies, see Add app configuration
policies for managed Android Enterprise devices.

Use the Configuration Designer

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > App configuration policies > Add > Managed devices.

3. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is App config
policy: Cisco AnyConnect VPN policy for Android Enterprise work profile
devices.

Description: Enter a description for the policy. This setting is optional, but
recommended.

Platform: Select Android Enterprise.

Profile type: Your options:

All Profile Types: This option supports username and password
authentication. If you use certificate-based authentication, don't use this
option.
Fully Managed, Dedicated, and Corporate-Owned Work Profile Only:
This option supports certificate-based authentication, and username and
password authentication.
Personally-Owned Work Profile Only: This option supports certificate-
based authentication, and username and password authentication.

Targeted app: Select the VPN client app you previously added. In the
following example, the Cisco AnyConnect VPN client app is used:

4. Select Next.

5. In Settings, enter the following properties:

Configuration settings format: Select Use Configuration designer:

Add: Shows the list of configuration keys. Select all the configuration keys
needed for your configuration > OK.

In the following example, we selected a minimal list for AnyConnect VPN,
including certificate-based authentication and per-app VPN:

Configuration value: Enter the values for the configuration keys you selected.
Remember, the key names vary depending on the VPN Client app you're
using. In the keys selected in our example:

Per App VPN Allowed Apps: Enter the application package ID(s) you
collected earlier. For example:

KeyChain Certificate Alias (optional): Change the Value type from string
to certificate. Select the client certificate profile to use with VPN
authentication. For example:

Protocol: Select the SSL or IPsec tunnel protocol of the VPN.

Connection Name: Enter a user-friendly name for the VPN connection.
Users see this connection name on their devices. For example, enter
ContosoVPN.

Host: Enter the host name URL to the headend router. For example, enter
vpn.contoso.com.

6. Select Next.

7. In Assignments, select the groups to assign the VPN app configuration policy.

Select Next.

8. In Review + create, review your settings. When you select Create, your changes are
saved, and the policy is deployed to your groups. The policy is also shown in the
app configuration policies list.

Use JSON
Use this option if you don't have, or don't know, all the required VPN settings used in
the Configuration designer. If you need help, consult your VPN vendor.

Get the certificate token

In these steps, create a temporary policy. The policy won't be saved. The intent is to
copy the certificate token. You'll use this token when creating the VPN policy using
JSON (next section).

1. In the Microsoft Intune admin center, select Apps > App configuration policies
> Add > Managed devices.

2. In Basics, enter the following properties:

Name: Enter any name. This policy is temporary, and won't be saved.
Platform: Select Android Enterprise.
Profile type: Select Personally-Owned Work Profile Only.
Targeted app: Select the VPN client app you previously added.

3. Select Next.

4. In Settings, enter the following properties:

Configuration settings format: Select Use configuration designer.

Add: Shows the list of configuration keys. Select any key with a Value type of
string. Select OK.

5. Change the Value type from string to certificate. This step lets you select the
correct client certificate profile that authenticates the VPN:

6. Immediately change the Value type back to string. The Configuration value
changes to a token {{cert:GUID}}:

7. Copy and paste this certificate token to another file, such as a text editor.
8. Discard this policy. Don't save it. The only purpose is to copy and paste the
certificate token.

Create the VPN policy using JSON

1. In the Microsoft Intune admin center, select Apps > App configuration policies
> Add > Managed devices.

2. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is App config
policy: JSON Cisco AnyConnect VPN policy for Android Enterprise work
profile devices in entire company.
Description: Enter a description for the policy. This setting is optional, but
recommended.
Platform: Select Android Enterprise.
Profile type: Your options:
All profile types: This option supports username and password
authentication. If you use certificate-based authentication, don't use this
option.
Fully Managed, Dedicated, and Corporate-Owned work profile only: This
option supports certificate-based authentication, and username and
password authentication.
Personally-Owned Work Profile Only: This option supports certificate-
based authentication, and username and password authentication.
Targeted app: Select the VPN client app you previously added.

3. Select Next.

4. In Settings, enter the following properties:

Configuration settings format: Select Enter JSON data. You can edit the
JSON directly.
Download JSON template: Use this option to download, and update the
template in any external editor. Be careful with text editors that use Smart
quotes, as they may create invalid JSON.

After you enter the values needed for your configuration, remove all settings that
have "STRING_VALUE" or STRING_VALUE.

5. Select Next.

6. In Assignments, select the groups to assign the VPN app configuration policy.

Select Next.

7. In Review + create, review your settings. When you select Create, your changes are
saved, and the policy is deployed to your groups. The policy is also shown in the
app configuration policies list.

JSON example for F5 Access VPN

JSON

{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.f5.edge.client_ics",
  "managedProperty": [
    {
      "key": "disallowUserConfig",
      "valueBool": false
    },
    {
      "key": "vpnConfigurations",
      "valueBundleArray": [
        {
          "managedProperty": [
            {
              "key": "name",
              "valueString": "MyCorpVPN"
            },
            {
              "key": "server",
              "valueString": "vpn.contoso.com"
            },
            {
              "key": "weblogonMode",
              "valueBool": false
            },
            {
              "key": "fipsMode",
              "valueBool": false
            },
            {
              "key": "clientCertKeychainAlias",
              "valueString": "{{cert:77333880-14e9-0aa0-9b2c-a1bc6b913829}}"
            },
            {
              "key": "allowedApps",
              "valueString": "com.microsoft.emmx"
            },
            {
              "key": "mdmAssignedId",
              "valueString": ""
            },
            {
              "key": "mdmInstanceId",
              "valueString": ""
            },
            {
              "key": "mdmDeviceUniqueId",
              "valueString": ""
            },
            {
              "key": "mdmDeviceWifiMacAddress",
              "valueString": ""
            },
            {
              "key": "mdmDeviceSerialNumber",
              "valueString": ""
            },
            {
              "key": "allowBypass",
              "valueBool": false
            }
          ]
        }
      ]
    }
  ]
}
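As an added example (not the article's or F5's code), a small validator for a VPN app configuration written with the Enter JSON data option: it flags leftover STRING_VALUE placeholders, smart quotes, a clientCertKeychainAlias that is not a {{cert:GUID}} token, and allowedApps entries that are not Android package IDs, and it reads a package ID from a Play Store URL as the Get the app package ID section describes. The sample JSON is constructed here in the F5 Access shape, and a comma separator between several allowed apps is an assumption.

```python
"""Added example (not from the article or any VPN vendor): pre-assignment checks on an
Intune VPN app configuration written with the "Enter JSON data" option.

It catches the mistakes the article tells you to avoid by hand (template
"STRING_VALUE" placeholders left in place, smart quotes pasted from a word processor,
a plain alias where a {{cert:GUID}} token is required), checks that allowedApps entries
are Android package IDs, and shows how a package ID is read from a Play Store URL.
Key names follow the F5 Access example above; the sample JSON is constructed here.
A comma separator between several allowedApps entries is an assumption.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

SMART_QUOTES = "\u201c\u201d\u2018\u2019"
# {{cert:GUID}} as produced by the configuration designer (see "Get the certificate token").
CERT_TOKEN = re.compile(r"^\{\{cert:[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}\}$")
# Android package ID: dot-separated identifiers, at least two segments.
PACKAGE_ID = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def package_id_from_play_url(url):
    """The Play Store URL carries the package ID in its id= query parameter."""
    return parse_qs(urlsplit(url).query).get("id", [None])[0]


def walk_properties(props):
    """Yield every (key, value) pair, descending into valueBundleArray entries."""
    for prop in props:
        for bundle in prop.get("valueBundleArray", []):
            yield from walk_properties(bundle.get("managedProperty", []))
        for field in ("valueString", "valueBool", "valueInteger"):
            if field in prop:
                yield prop["key"], prop[field]


def validate_vpn_config(text):
    """Return a list of problems; an empty list means every check passed."""
    if any(ch in text for ch in SMART_QUOTES):
        return ["smart quotes present; the JSON will not parse"]
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    problems = []
    if cfg.get("kind") != "androidenterprise#managedConfiguration":
        problems.append("kind is not androidenterprise#managedConfiguration")
    for key, value in walk_properties(cfg.get("managedProperty", [])):
        if value == "STRING_VALUE":
            problems.append(f"{key}: template placeholder not replaced or removed")
        elif key == "clientCertKeychainAlias" and not CERT_TOKEN.match(str(value)):
            problems.append(f"{key}: expected a {{{{cert:GUID}}}} token, got {value!r}")
        elif key == "allowedApps":
            for pkg in str(value).split(","):
                if not PACKAGE_ID.match(pkg.strip()):
                    problems.append(f"allowedApps: {pkg.strip()!r} is not a package ID")
    return problems


# Constructed sample in the F5 Access shape used above (GUID copied from the article).
SAMPLE_OK = json.dumps({
    "kind": "androidenterprise#managedConfiguration",
    "productId": "app:com.f5.edge.client_ics",
    "managedProperty": [
        {"key": "disallowUserConfig", "valueBool": False},
        {"key": "vpnConfigurations", "valueBundleArray": [{"managedProperty": [
            {"key": "name", "valueString": "MyCorpVPN"},
            {"key": "server", "valueString": "vpn.contoso.com"},
            {"key": "clientCertKeychainAlias",
             "valueString": "{{cert:77333880-14e9-0aa0-9b2c-a1bc6b913829}}"},
            {"key": "allowedApps", "valueString": "com.microsoft.emmx"},
            {"key": "allowBypass", "valueBool": False},
        ]}]},
    ],
})
# The same policy with a placeholder left behind and a bare alias instead of a token.
SAMPLE_BAD = SAMPLE_OK.replace('"vpn.contoso.com"', '"STRING_VALUE"').replace(
    "{{cert:77333880-14e9-0aa0-9b2c-a1bc6b913829}}", "myalias")

if __name__ == "__main__":
    print(package_id_from_play_url(
        "https://play.google.com/store/apps/details?id=com.microsoft.emmx"))
    print("ok:", validate_vpn_config(SAMPLE_OK))
    print("bad:", validate_vpn_config(SAMPLE_BAD))
```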

Additional information
Add app configuration policies for managed Android Enterprise devices
Android Enterprise device settings to configure VPN in Intune

Next steps
Create VPN profiles to connect to VPN servers in Intune
Manage volume-purchased apps and
books with Microsoft Intune
Article • 05/04/2023

Introduction
Some app stores give you the ability to purchase multiple licenses for an app or books
that you want to use in your company. Buying licenses in bulk can help you reduce the
administrative overhead of tracking multiple purchased copies of apps and books.

Microsoft Intune helps you manage apps and books that you purchased through such a
program. You import license information from the store, and track how many licenses
you have used. This process helps to ensure that you don't install more copies of the
app or book than you own.

Which types of apps and books can you manage?
With Intune, you can manage apps and books that you purchased in volume from the
iOS store. To discover how to manage licensed store apps, choose one of the following
topics:

Manage iOS/iPadOS volume-purchased apps
How to manage iOS/iPadOS eBooks

How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune
Article • 04/07/2023

Apple lets you purchase multiple licenses for an app that you want to use in your
organization on iOS/iPadOS and macOS devices using Apple Business Manager or
Apple School Manager. You can then synchronize your volume purchase information
with Intune and track your volume-purchased app use. Purchasing app licenses helps
you efficiently manage apps within your company and retain ownership and control of
purchased apps.

Microsoft Intune helps you manage apps purchased through this program by:

Synchronizing location tokens you download from Apple Business Manager.
Tracking how many licenses are available and have been used for purchased apps.
Helping you install apps up to the number of licenses you own.

Additionally, you can synchronize, manage, and assign books you purchased from Apple
Business Manager with Intune to iOS/iPadOS devices. For more information, see How to
manage iOS/iPadOS eBooks you purchased through a volume-purchase program.

What are location tokens?

Location tokens are volume purchase licenses that were commonly known as Volume
Purchase Program (VPP) tokens. These location tokens are used to assign and manage
licenses purchased using Apple Business Manager. Content Managers can purchase and
associate licenses with location tokens they have permissions to in Apple Business
Manager. These location tokens are then downloaded from Apple Business Manager
and uploaded in Microsoft Intune. Microsoft Intune supports uploading multiple
location tokens per tenant. Each token is valid for one year.

Note

The Apple Volume Purchase Program (VPP) has been integrated into Apple
Business Manager. Apple Business Manager is a portal for admins to deploy Apple
devices and acquire content in volume. Content may include apps, books, and
custom apps. Location tokens are used to assign and manage licenses purchased
using Apple Business Manager. VPP tokens are now called legacy VPP tokens.

How are purchased apps licensed?
Purchased apps can be assigned to groups using two types of licenses that Apple offers
for iOS/iPadOS and macOS devices.

Note

Device-licensed VPP apps must be installed and updated through the MDM
channel only. Users cannot go to the store directly to manually install or update a VPP
app.

Action: App Store sign-in
Device Licensing: Not required.
User Licensing: Each end user must use a unique Apple ID when prompted to sign in to
App Store.

Action: Device configuration blocking access to App Store
Device Licensing: Apps can be installed and updated using Company Portal.
User Licensing: The invitation to join Apple Business Manager requires access to App
Store. If you have set a policy to disable App Store, user licensing for VPP apps will
not work.

Action: Automatic app update
Device Licensing: As configured by the Intune admin in Apple Business Manager token
settings. If the assignment type is available for enrolled devices, available app updates
can also be installed from the Company Portal by selecting the Update action on the
app details page.
User Licensing: As configured by the Intune admin in Apple Business Manager token
settings. If the assignment type is available for enrolled devices, available app updates
can also be installed from the Company Portal by selecting the Update action on the
app details page.

Action: User Enrollment
Device Licensing: Not supported.
User Licensing: Supported using Managed Apple IDs.

Action: Books
Device Licensing: Not supported.
User Licensing: Supported.

Action: Licenses used
Device Licensing: 1 license per device. The license is associated with the device.
User Licensing: 1 license for up to 5 devices using the same personal Apple ID. The
license is associated with the user. An end user associated with a personal Apple ID
and a Managed Apple ID in Intune consumes 2 app licenses.

Action: License migration
Device Licensing: Apps can migrate silently from user to device licenses only when
using Required assignment type.
User Licensing: Apps cannot migrate from device to user licenses for any assignment
type.

Note

Company Portal does not show device-licensed apps on User Enrollment devices
because only user-licensed apps can be installed on User Enrollment devices.

When you create a new assignment for an Apple Volume Purchase Program (VPP)
app, the default license type is now "device". Existing assignments remain
unchanged.

What app types are supported?

You can purchase and distribute public as well as private apps using Apple Business
Manager.

Store apps: Using Apple Business Manager, Content Managers can acquire both
free and paid apps that are available in the App Store.
Custom Apps: Using Apple Business Manager, Content Managers can also acquire
Custom Apps made available privately to your organization. These apps are
tailored to your organization's specific needs by developers with whom you work
directly. Learn more about how to distribute Custom Apps.

Prerequisites
An Apple Business Manager or Apple School Manager account for your
organization.
Purchased app licenses assigned to one or more location tokens.
Downloaded location tokens.

Important

A location token can only be used with one device management solution at a
time. Before you start to use purchased apps with Intune, revoke and remove
any existing location tokens used with other mobile device management
(MDM) vendor.
A location token is only supported for use on one Intune tenant at a time. Do
not reuse the same token for multiple Intune tenants.
By default, Intune synchronizes the location tokens with Apple once a day.
You can initiate a manual sync at any time from Intune.
After you have imported the location token to Intune, do not import the same
token to any other device management solution. Doing so might result in the
loss of license assignment and user records.

Migrate from Volume Purchase Program (VPP) to Apps and Books

If your organization has not migrated to Apple Business Manager or Apple School
Manager yet, review Apple's guidance on migrating to Apps and Books before
proceeding to manage purchased apps in Intune.

Important

For the best migration experience, migrate only one VPP purchaser per
location. If each purchaser migrates to a unique location, all licenses —
assigned and unassigned — will move to Apps and Books.
Do not delete the existing legacy VPP token in Intune or apps and
assignments associated with existing legacy VPP token in Intune. These
actions will require all app assignments to be recreated in Intune.

Migrate existing purchased VPP content and tokens to Apps and Books in Apple
Business Manager or Apple School Manager as follows:

1. Invite VPP purchasers to join your organization and direct each user to select a
unique location.
2. Ensure that all VPP purchasers within your organization have completed step 1
before proceeding.
3. Verify that all purchased apps and licenses have migrated to Apps and Books in
Apple Business Manager or Apple School Manager.
4. Download the new location token by going to Apple Business (or School)
Manager > Settings > Apps and Books > My Server Tokens.
5. Update the location token in Microsoft Intune admin center by going to Tenant
administration > Connectors and tokens > Apple VPP tokens and manually
upload the token.

Upload an Apple VPP or Apple Business Manager location token

1. Sign in to the Microsoft Intune admin center.
2. Select Tenant administration > Connectors and tokens > Apple VPP tokens.
3. On the list of VPP tokens pane, select Create. The Create VPP token process is
displayed. There are four pages used when creating a VPP token. The first is Basics.
4. On the Basics page, specify the following information:

Token Name - An administrative field for setting the token name.
Apple ID - Enter the Managed Apple ID of the account associated with the
uploaded token.
VPP token file - If you haven't already, sign up for Apple Business Manager
or Apple School Manager. After you sign up, download the Apple Business
Manager location token (Apple VPP token) for your account and select it
here.

5. Click Next to display the Settings page.

6. On the Settings page, specify the following information:

Take control of token from another MDM - Setting this option to yes allows
the token to be reassigned to Intune from another MDM solution.

Country/Region - Select the VPP country/region store. Intune synchronizes
VPP apps for all locales from the specified VPP country/region store.

Warning

Changing the country/region will update the apps metadata and App
Store URL on next sync with the Apple service for apps created with this
token. The app will not be updated if it does not exist in the new
country/region store.

Type of VPP account - Choose from Business or Education.

Automatic app updates - Choose from Yes or No to enable automatic
updates. When enabled, Intune detects the VPP app updates inside the app
store and automatically pushes them to the device when the device checks in.

Note
Automatic app updates for Apple VPP apps will automatically update for
both Required and Available install intents. For apps deployed with
Available install intent, the automatic update generates a status
message for the IT admin informing that a new version of the app is
available. This status message is viewable by selecting the app, selecting
Device Install Status, and checking the Status Details.

When updating a VPP app, it can take up to 24 hours for the device to
receive the updated VPP app. The device must be unlocked and
available to install the update successfully.

I grant Microsoft permission to send both user and device information to
Apple. - You must select I agree to proceed. To review what data Microsoft
sends to Apple, see Data Intune sends to Apple.

7. Click Next to display the Scope tags page.

8. Click Select scope tags to optionally add scope tags for the app. For more
information, see Use role-based access control (RBAC) and scope tags for
distributed IT.
9. Click Next to display the Review + create page. Review the values and settings you
entered for the VPP token.
10. When you are done, click Create. The token is displayed in the list of tokens pane.

Synchronize a VPP token

You can synchronize the app names, metadata and license information for your
purchased apps in Intune by choosing Sync for a selected token.

Assign a volume-purchased app

1. Select Apps > All apps.

2. On the list of apps pane, choose the app you want to assign, and then choose
Properties. Select Edit next to Assignments.

3. On the Assignments tab, choose whether the app will be Required or Available for
enrolled devices.

4. Choose Add group under the assignment type you've selected, then on the Select
groups pane choose the Azure AD user or device groups to which you want to
assign the app.
Note

When you create a new assignment for an Apple Volume Purchase Program
(VPP) app, the default license type is "device". Existing assignments remain
unchanged.

5. Once you are done, choose Save.

Note

The Available deployment intent is not supported for device groups, only user
groups are supported. The list of apps displayed is associated with a token. If you
have an app that is associated with multiple VPP tokens, you see the same app
being displayed multiple times; once for each token.

Note

Apps assigned as Available do not become managed on the device until the user
initiates an install of the application. Once an app assigned as Available has been
installed, or the user has attempted to install the application, Intune will ensure that
the app is licensed.

Note

Intune (or any other MDM for that matter) does not actually install VPP apps.
Instead, Intune connects to your VPP account and tells Apple which app licenses to
assign to which devices. From there, all the actual installation is handled between
Apple and the device.

End-User Prompts for VPP

The end-user will receive prompts for VPP app installation in a number of scenarios. The
following table explains each condition:

#  Scenario                                            Invite to Apple VPP program  App install prompt  Prompt for Apple ID
1  BYOD – user licensed (not User Enrollment device)   Y                            Y                   Y
2  Corp – user licensed (not supervised device)        Y                            Y                   Y
3  Corp – user licensed (supervised device)            Y                            N                   Y
4  BYOD – device licensed                              N                            Y                   N
5  CORP – device licensed (not supervised device)      N                            Y                   N
6  CORP – device licensed (supervised device)          N                            N                   N
7  Kiosk mode (supervised device) – device licensed    N                            N                   N
8  Kiosk mode (supervised device) – user licensed      ---                          ---                 ---

Note

User and device licensed apps running on supervised devices (scenarios 3 and 6 in
the table above) will still prompt for updates if the app is in use or is running in the
background. Accepting the prompt to install the app may not result in the app
installing. In order to update the app, you must: close the app, initiate a sync, and
leave the device unlocked while the app updates.

Note

It is not recommended to assign VPP apps to Kiosk-mode devices using user
licensing.

Note

You cannot update any app while the device is locked in Single App Mode. You
need to exit Single App Mode long enough to update apps as needed. During that
time, you should restrict the visible apps as much as possible, except for Settings
and other apps that cannot be blocked.

Revoking app licenses
You can revoke all associated iOS/iPadOS or macOS volume-purchase program (VPP)
app licenses based on a given device, user, or app. But there are some differences
between iOS/iPadOS and macOS platforms.

Action: Remove app assignment
iOS/iPadOS: Removing an app assignment is a prerequisite to revoking an app license.
When you remove an app assignment for a user, Intune does not reclaim the user or
device license until you change the assignment to Uninstall. If the app assignment is
removed while the app is installed and never assigned as Uninstall, it will remain
installed, but it will no longer be offered for installation to the user or device.
macOS: Removing an app assignment is a prerequisite to revoking an app license.
When you remove an app assignment for a user, Intune does not reclaim the user or
device license until you change the assignment to Uninstall. If the app assignment is
removed while the app is installed and never assigned as Uninstall, it will remain
installed, but it will no longer be offered for installation to the user or device.

Action: Revoke app license
iOS/iPadOS: After changing the app assignment to Uninstall, you can reclaim an app
license from the user or device using the Revoke license action. You must change the
assignment to Uninstall to remove the app from the device and revoke the app license.
macOS: After changing the app assignment to Uninstall, you can reclaim an app license
from the user or device using the Revoke license action. The macOS app with revoked
license remains usable on the device, but cannot be updated until a license is
reassigned to the user or device. According to Apple, such apps are removed after a
30-day grace period. You must change the assignment to Uninstall to remove the app
from the device and revoke the app license.

Note

Intune reclaims app licenses when an employee leaves the company and is no
longer part of the AAD groups.
When assigning a purchased app with Uninstall intent, Intune both reclaims
the license and uninstalls the app.
App licenses are not reclaimed when a device is removed from Intune
management.
Intune will revoke app licenses when the user is deleted from Azure AD.

Deleting VPP tokens
You can delete an Apple Volume Purchasing Program (VPP) token using the console.
This may be necessary when you have duplicate instances of a VPP token. Deleting a
token will also delete any associated apps and assignment. Deleting a token revokes
associated app licenses but doesn't uninstall the apps.

Note

Intune cannot revoke app licenses after a token has been deleted.

To revoke the license of all VPP apps for a given VPP token, you must first revoke all app
licenses associated with the token, then delete the token.

Renewing VPP tokens or Apple Business Manager location token
You can renew an Apple Business Manager location token (Apple VPP token) by
downloading the token from Apple Business Manager or Apple School Manager
again and updating the existing token in Intune.

To renew an Apple Business Manager location token (Apple VPP token), use the
following steps:

1. Navigate to Apple Business Manager or Apple School Manager.
2. Download the existing token in Apple Business (or School) Manager, by selecting
Preferences > Payments and Billing > Apps and Books > Server Tokens.
3. Update the token in Microsoft Intune admin center by selecting Tenant
administration > Connectors and tokens > Apple VPP tokens.
4. Select the VPP token you are renewing, click Edit on the Basics category, upload
the new token on this page, and then save your changes.

Note

You must renew the existing Apple VPP token or location token when the user who
set up the token in Apple Business Manager changes their password or the user
leaves your Apple Business Manager organization. Tokens that are not renewed will
show "invalid" status in Intune.

Configure updates for VPP apps
You can control the automatic update behavior for Apple VPP at the per-app
assignment level using the Prevent automatic updates setting. The Prevent automatic
updates setting is dependent on the token-level Allow automatic updates setting. To
use the Prevent automatic updates, the Allow automatic updates setting must be set
to Yes. This setting is available in Microsoft Intune admin center by selecting Apps >
iOS/iPadOS or macOS > Select a volume purchase program app > Properties >
Assignments.

Deleting a VPP app

You can delete purchased apps that don't have any available or used licenses associated
with them. This may be necessary to clean up apps that are no longer assigned.

To delete a VPP app, use the following steps:

1. Create a new location in Apple Business Manager or Apple School Manager.
2. Revoke all licenses for the app that use the associated location token. In Microsoft
Intune admin center, select Apps > All apps > select the app to delete > App
licenses > Revoke licenses.
3. In Apple Business Manager or Apple School Manager, transfer all licenses for the
app from the original location to the new location.
4. Sync the location token in Microsoft Intune admin center.
5. Delete the app in Microsoft Intune admin center by selecting Apps > All apps >
right-click on the app to delete > Delete.

Deleting a VPP app will cause the following results:

The associated app assignments will be removed.


If the VPP app has assigned licenses when attempting to delete, an error will be
displayed to you.

Note

Purchased books associated with a VPP token won't be deleted.

Assigning custom role permissions for VPP

Access to Apple Business Manager location token and apps (Apple VPP tokens and VPP
apps) can be controlled independently using permissions assigned to custom
administrator roles in Intune.

To allow an Intune custom role to manage Apple Business Manager location tokens
(Microsoft Intune admin center > Tenant administration > Connectors and tokens >
Apple VPP tokens), assign permissions for Managed apps.
To allow an Intune custom role to manage apps purchased using iOS/iPadOS VPP
tokens under Apps > All apps, assign permissions for Mobile apps.

Note

You can view and manage VPP apps with only the Mobile apps permission
assigned. Previously, the Managed apps permission was required to view and
manage VPP apps. This change does not apply to Intune for Education tenants who
still need to assign the Managed apps permission.

Additional information
Apple provides direct assistance to create and renew VPP tokens. For more information,
see Distribute content to your users with the Volume Purchase Program (VPP) as part
of Apple's documentation.

If Assigned to external MDM is indicated in Intune, then you (the admin) must remove
the VPP token from the 3rd party MDM before using the VPP token in Intune.

If status is Duplicate for a token, then multiple tokens with the same Token Location
have been uploaded. Remove the duplicate token to begin syncing the token again. You
can still assign and revoke licenses for tokens that are marked as duplicate. However,
licenses for new apps and books purchased may not be reflected once a token is
marked as duplicate.
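The token states described above (invalid after an Apple Business Manager password change or departure, Assigned to external MDM, Duplicate) and the one-year validity of a token are the conditions an administrator has to watch for. The following script is an added example, not Microsoft's code: it triages a list of token records and maps each state to the remedial action this article gives. The record shape (fields organizationName, state, expirationDateTime and the state values valid, invalid, expired, assignedToExternalMDM, duplicateLocationId) follows the Microsoft Graph vppToken resource as I understand it and should be treated as an assumption to check against the Graph reference; the token records themselves are constructed sample data.

```python
"""Triage Apple VPP / location tokens the way an Intune admin would review them.

Added example (not Microsoft's code). Field names and state values follow the
Microsoft Graph vppToken resource as assumed here; verify them against the
Graph reference before running this against a real tenant. All records below
are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Remedial action for each non-working state, taken from the article's guidance.
ACTIONS = {
    "invalid": "Renew: download the location token again from Apple Business/School "
               "Manager and upload it under Tenant administration > Connectors and "
               "tokens > Apple VPP tokens.",
    "expired": "Renew: the token is past its one-year validity.",
    "assignedToExternalMDM": "Remove the token from the third-party MDM before "
                             "using it in Intune.",
    "duplicateLocationId": "Remove the duplicate token; new purchases are not "
                           "reflected while a token is marked duplicate.",
}

RENEWAL_WINDOW = timedelta(days=30)  # warn this long before expiry (assumption)


def _parse(ts):
    # Graph returns ISO 8601 UTC timestamps such as 2024-03-01T00:00:00Z.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage_token(token, now):
    """Return (severity, message) for one token record.

    'error'   : the token is not syncing and needs the listed action
    'warning' : the token works but expires within RENEWAL_WINDOW
    'ok'      : nothing to do
    """
    name = token["organizationName"]
    state = token.get("state", "unknown")
    if state in ACTIONS:
        return "error", f"{name}: state={state}. {ACTIONS[state]}"
    expires = _parse(token["expirationDateTime"])
    if expires <= now:
        return "error", f"{name}: expired on {expires.date()}. {ACTIONS['expired']}"
    if expires - now <= RENEWAL_WINDOW:
        return "warning", f"{name}: expires {expires.date()}; renew it soon."
    if state != "valid":
        return "warning", f"{name}: unexpected state {state}; check the token."
    return "ok", f"{name}: valid until {expires.date()}."


def triage_all(tokens, now):
    """Map token id -> (severity, message) for a list of token records."""
    return {t["id"]: triage_token(t, now) for t in tokens}


# Constructed sample: one token in each situation the article describes.
SAMPLE_TOKENS = [
    {"id": "t1", "organizationName": "Contoso HQ", "state": "valid",
     "expirationDateTime": "2025-01-15T00:00:00Z"},
    {"id": "t2", "organizationName": "Contoso HQ", "state": "duplicateLocationId",
     "expirationDateTime": "2025-01-15T00:00:00Z"},
    {"id": "t3", "organizationName": "Contoso Retail", "state": "invalid",
     "expirationDateTime": "2024-11-01T00:00:00Z"},
    {"id": "t4", "organizationName": "Contoso School", "state": "valid",
     "expirationDateTime": "2024-06-20T00:00:00Z"},
]
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def demo():
    """Run the triage over the constructed sample."""
    return triage_all(SAMPLE_TOKENS, SAMPLE_NOW)


if __name__ == "__main__":
    for token_id, (severity, message) in demo().items():
        print(f"[{severity:7}] {token_id} {message}")
```

The script only reads the token list; renewal, duplicate removal and the external-MDM release are still done in Apple Business Manager and the admin center as described above.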

Frequently asked questions

How many tokens can I upload?
You can upload up to 3,000 tokens in Intune.

How long does the portal take to update the license count once an app is installed or removed from the device?
The license should be updated within a few hours after installing or uninstalling an app.
Note that if the end user removes the app from the device, the license is still assigned to
that user or device.

Is it possible to oversubscribe an app and, if so, in what circumstance?
Yes. The Intune admin can oversubscribe an app. For example, if the admin purchases
100 licenses for app XYZ and then targets the app to a group with 500 members, the
first 100 members (users or devices) get a license assigned to them and the remaining
members fail license assignment.

Note

When the amount of used licenses is greater than or equal to 50% of total available
licenses for a specific app, an alert will appear under the Enrollment alerts tab. The
alert will disappear when the amount of used licenses is less than 50% of total
available licenses for the app.
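The oversubscription answer and the 50% alert rule above describe a simple allocation model. The following code is an added example, not Intune's implementation: it models a license pool that hands out one license per targeted user or device until the pool is exhausted, records the rest as failed assignments, keeps a license assigned when the end user merely removes the app (as the earlier FAQ states), releases it only through an explicit revoke, and reports whether the Enrollment alerts condition (used licenses at or above 50% of the total) is met. The app name, pool size and member identifiers are constructed.

```python
"""Model of Apple VPP license assignment as described in this article.

Added example, not Intune's code. The pool size, app name and member ids are
constructed; the rules (first-come assignment, failures once the pool is
empty, licenses kept until revoked, alert at >= 50% used) come from the text.
"""
from dataclasses import dataclass, field

ALERT_THRESHOLD = 0.5  # Enrollment alert when used >= 50% of total licenses


@dataclass
class VppLicensePool:
    app_name: str
    total: int
    assigned: dict = field(default_factory=dict)   # member -> True
    failed: list = field(default_factory=list)     # members that got no license

    @property
    def used(self):
        return len(self.assigned)

    def assign(self, members):
        """Assign a license to each member in order while licenses remain.

        A member that already holds a license keeps it and consumes nothing
        extra; members beyond the pool size are recorded as failures.
        """
        for member in members:
            if member in self.assigned:
                continue
            if self.used < self.total:
                self.assigned[member] = True
            else:
                self.failed.append(member)
        return self

    def user_removed_app(self, member):
        """End user deleted the app: per the FAQ the license stays assigned."""
        return member in self.assigned

    def revoke(self, member):
        """Reclaim a license (the article: change the assignment to Uninstall first)."""
        self.assigned.pop(member, None)

    def alert_active(self):
        """True while the Enrollment alerts tab would show the license alert."""
        return self.used >= ALERT_THRESHOLD * self.total


def oversubscribe_example():
    """The article's scenario: 100 licenses targeted at a 500-member group."""
    members = [f"user{i:03d}" for i in range(500)]  # constructed identifiers
    pool = VppLicensePool("XYZ", 100).assign(members)
    return pool.used, len(pool.failed), pool.alert_active()


if __name__ == "__main__":
    used, failed, alert = oversubscribe_example()
    print(f"assigned={used} failed={failed} alert={alert}")
```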

Next steps
See How to monitor apps for information to help you monitor app assignments.

See How to troubleshoot apps for information on troubleshooting app-related issues.


How to manage volume purchased apps
from the Microsoft Store for Business
with Microsoft Intune
Article • 05/22/2023

Important

The Microsoft Store for Business connector is no longer accessible in the Microsoft
Intune admin center. Apps added from the Microsoft Store for Business or
Microsoft Store for Education will no longer sync with Intune. Apps that have
previously synced will continue to be available and deploy to devices and users. For
related information, see Deprecation of Microsoft Store for Business and
Education.

The Microsoft Store for Business gives you a place to find and purchase apps for your
organization, individually, or in volume. By connecting the store to Microsoft Intune, you
can manage volume-purchased apps from the portal. For example:

You can synchronize the list of apps you have purchased (or that are free) from the
store with Intune.
Apps that are synchronized appear in the Microsoft Intune admin center; you can
assign these apps like any other apps.
Both Online and Offline licensed versions of Apps are synchronized to Intune. App
names will be appended with "Online" or "Offline" in the portal.
You can track how many licenses are available, and how many are being used in
the admin center.
Intune blocks assignment and installation of apps if there are an insufficient
number of licenses available.
Intune will revoke app licenses for apps managed by Microsoft Store for Business
when the user is deleted from Azure AD.

Before you start

Important

The retirement of the Microsoft Store for Business and the Microsoft Store for
Education, originally scheduled for March 31, 2023, has been postponed. Until they
are retired, admins can still leverage the connection to Store for Business and
Education from their UEM solution to deploy apps to managed Windows 11
devices.

Review the following information before you start syncing and assigning apps from the
Microsoft Store for Business:

Configure Intune as the mobile device management authority for your organization.
You must have signed up for an account on the Microsoft Store for Business.
Once you have associated a Microsoft Business Store account with Intune, you
cannot change to a different account in the future.
Apps purchased from the store cannot be manually added to or deleted from
Intune. They can only be synchronized with the Microsoft Store for Business.
Both online and offline licensed apps that you have purchased from the Microsoft
Store for Business are synced into Intune. You can then deploy these apps to
device groups or user groups.
Online app installations are managed by the store.
Offline apps that are free of charge can also be synced to Intune. These apps are
installed by Intune, not by the store.
To use this capability, devices must be joined to Active Directory Domain Services,
Azure AD joined, or workplace-joined.
Enrolled devices must be using the 1511 release of Windows 10 or later.

Note

Online Microsoft Store for Business apps can be used only for user context install;
that is, when deployed through Intune, you need to target user groups. Device
licensed offline Microsoft Store for Business apps can be installed in device context;
that is, when deployed through Intune, you can target device groups as well as user
groups.

Note

If you disable access to the Store on managed devices (either manually, via policy
or Group Policy), Online licensed apps will fail to install.

Associate your Microsoft Store for Business account with Intune
Before you enable synchronization in the Microsoft Intune admin center, you must
configure your store account to use Intune as a management tool:

1. Ensure that you sign into the Microsoft Store for Business using the same tenant
account you use to sign into Intune.
2. In the Business Store, choose the Manage tab, select Settings, and choose the
Distribute tab.
3. If you don't specifically have Microsoft Intune available as a mobile device
management tool, choose Add management tool to add Microsoft Intune. If you
don't have Microsoft Intune activated as your mobile device management tool,
click Activate next to Microsoft Intune. Note that you should activate Microsoft
Intune rather than Microsoft Intune Enrollment.

Note

Previously you could associate only one management tool to assign apps with the
Microsoft Store for Business. Now you can associate multiple management tools
with the store, for example, Intune and Configuration Manager.

Continue to set up synchronization in the Microsoft Intune admin center.

Configure synchronization
1. Sign in to the Microsoft Intune admin center.
2. Select Tenant administration > Connectors and tokens > Microsoft Store for
Business.
3. Click Enable.
4. If you haven't already done so, click the link to sign up for the Microsoft Store for
Business and associate your account as detailed previously.
5. From the Language drop-down list, choose the language in which apps from the
Microsoft Store for Business are displayed in the portal. Regardless of the language
in which they are displayed, they are installed in the end user's language when
available.
6. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.

Synchronize apps
If you've already associated your Microsoft Store for Business account with your Intune
admin credentials, you can manually sync your Microsoft Store for Business apps with
Intune using the following steps.

1. Select Tenant administration > Connectors and tokens > Microsoft Store for
Business.
2. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.

Note

Apps with encrypted app packages are currently not supported and will not be
synchronized to Intune.

Assign apps
You assign apps from the store in the same way you assign any other Intune app. For
more information, see How to assign apps to groups with Microsoft Intune.

Offline apps can be targeted to user groups, device groups, or groups with users and
devices.
Offline apps can be installed for a specific user on a device or for all users on a
device.

When you assign a Microsoft Store for Business app, a license is used by each user who
installs the app. If you use all of the available licenses for an assigned app, you cannot
assign any more copies. Take one of the following actions:

Uninstall the app from some devices.
Reduce the scope of the current assignment, targeting only the users you have
sufficient licenses for.
Buy more copies of the app from the Microsoft Store for Business.

Remove apps
To remove an app that is synced from the Microsoft Store for Business, you need to log
into the Microsoft Store for Business and complete the following steps. The process is
the same whether the app is free or not.

1. Ensure that you sign into the Microsoft Store for Business using the same tenant
account you use to sign into Intune.
2. Look for the app that you want to remove by selecting Products & services >
Apps & software and select it.
3. In the Users pane select all users, click on the ... symbol under the Actions column
and choose to Reclaim license.

4. Open the Private store availability tab of the app and change its availability to No
one.

5. Select the Product details link on the top and then select the ... button next to
Install. If the previous steps have been completed successfully, a Remove product
option will be available. Select Remove product to remove the app from the
Microsoft Store for Business.

6. Sync the apps using the Microsoft Store for Business connector in Intune in order
to remove the app from the list of Windows apps in Intune.

Next steps
Manage volume-purchased apps and books with Microsoft Intune

How to manage iOS/iPadOS eBooks you
purchased through a volume-purchase
program with Microsoft Intune
Article • 03/06/2023

The Apple Volume Purchase Program (VPP) lets you purchase multiple licenses for a
book that you want to distribute to users in your company. You can distribute books
from the Business, or Education stores.

Microsoft Intune helps you synchronize, manage, and assign books that you purchased
through this program. You can import license information from the store and track how
many of the licenses you have used.

The procedures to manage books are similar to managing VPP apps.

Manage volume-purchased books for iOS devices
You acquire multiple licenses for iOS/iPadOS books through the Apple Business
Manager or the Apple School Manager. This process involves setting up an Apple
Business Manager account from the Apple website and uploading the location token to
Intune. You can then synchronize your volume purchase information with Intune and
track your volume-purchased book use.

Before you start

Before you start, get a VPP token from Apple and upload it to your Intune account.
Additionally:

If you previously used a VPP token with a different product, you must generate a
new one to use with Intune.
Each token is valid for one year.
By default, Intune syncs with the Apple Business Manager service twice a day. You
can start a manual sync at any time.
After you have imported the VPP token to Intune, do not import the same token to
any other device management solution. Doing so might result in the loss of license
assignment and user records.
Before you start to use iOS/iPadOS books with Intune, remove any existing VPP
user accounts created with other mobile device management (MDM) vendors.
Intune does not synchronize those user accounts into Intune as a security measure.
Intune synchronizes only data from the Apple Business Manager service that
Intune created.
When you assign a book to a device, that device must have the built-in iBooks app
installed. If it is not, the end user must reinstall the app before they can read the
book. You cannot currently use Intune to restore removed built-in apps.
You can only assign books from the Apple Volume Purchase Program site. You
cannot upload, then assign books you created in-house.
You cannot currently assign books to end-user categories in the same way as you
do apps.
You cannot reclaim a license once the book is assigned.
When a user with an eligible device first tries to install a VPP book, they must join
the Apple Volume Purchase program before they can install a book. You can also
assign licenses to security groups with managed Apple IDs. If you do this, then
users are not prompted for their Apple ID when a book is installed.
Devices must be enrolled with user affinity as e-books can only be assigned to user
groups.

To get and upload an Apple Business Manager location token
1. Sign in to the Microsoft Intune admin center.
2. Select Tenant administration > Connectors and tokens > Apple VPP tokens.
3. On the list of VPP tokens pane, click Create.
4. On the New VPP Token pane, specify the following information:

VPP token file - Ensure you have signed in to Apple Business Manager or
Apple School Manager. Note that these services were previously known as
Apple's volume purchase program for business or the Apple volume purchase
program for education. Then, download the Apple location/VPP token for
your account and select it in Endpoint Manager.
Apple ID - Enter the Apple ID of the account associated with the volume-
purchase program.
Type of VPP account - Choose from Business or Education.

5. When you are done, click Create.

The token is displayed in the list of tokens pane.


You can synchronize the data held by Apple with Intune at any time by choosing Sync
now.

To assign a volume-purchased book

1. Select Apps > eBooks > All eBooks.
2. On the list of books pane, choose the book you want to assign, and then choose
'...' > Assign Groups.
3. On the <book name> - Groups Assigned pane, choose Manage > Groups
Assigned.
4. Choose Assign Groups then, on the Select groups pane, choose the Azure AD user
groups to which you want to assign the book. Device groups are currently not
supported.
Choose an assignment action of Available, or Required.
5. Once you are done, choose Save.

Next steps
See How to monitor apps for information to help you monitor book assignments.

How to wipe only corporate data from
Intune-managed apps
Article • 03/07/2023

When a device is lost or stolen, or if the employee leaves your company, you want to
make sure company app data is removed from the device. But you might not want to
remove personal data on the device, especially if the device is an employee-owned
device.

Note

The iOS/iPadOS, Android, and Windows 10 platforms are the only platforms
currently supported for wiping corporate data from Intune managed apps. Intune
managed apps are applications that include the Intune APP SDK, and have at least
one enabled and licensed user account in your organization. Deployment of
Application Protection Policies is required to enable app selective wipe on Android
and iOS.

Note

For iOS 16 and later devices, the "Device Name" value for all selective wipe actions
and status will be a generic device name. For more information, see Apple
Developer documentation.

To selectively remove company app data, create a wipe request by using the steps in this
topic. After the request is finished, the next time the app runs on the device, company
data is removed from the app. In addition, you can also configure a selective wipe of
your company data as a new action when the conditions of Application Protection
Policies (APP) Access settings are not met. This feature helps you automatically protect
and remove sensitive company data from applications based on pre-configured criteria.

Important

Contacts synced directly from the app to the native address book are removed. Any
contacts synced from the native address book to another external source can't be
wiped. Currently, this only applies to the Microsoft Outlook app.

Deployed WIP policies without user enrollment
Windows Information Protection (WIP) policies can be deployed without requiring MDM
users to enroll their Windows 10 device. This configuration allows companies to protect
their corporate documents based on the WIP configuration, while allowing the user to
maintain management of their own Windows devices. Once documents are protected
with a WIP policy, the protected data can be selectively wiped by an Intune
administrator (Global administrator or an Intune Service administrator). By selecting the
user and device, and sending a wipe request, all data that was protected via the WIP
policy will become unusable. In the Intune portal, select Client apps > App
selective wipe. For more information, see Create and deploy Windows Information
Protection (WIP) app protection policy with Intune.

Create a device based wipe request

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > App selective wipe > Create wipe request.

The Create wipe request pane is displayed.

3. Click Select user, choose the user whose app data you want to wipe, and click
Select at the bottom of the Select user pane.

4. Click Select the device, choose the device, and click Select at the bottom of the
Select Device pane.
5. Click Create to make a wipe request.

The service creates and tracks a separate wipe request for each protected app on the
device, and the user associated with the wipe request.

Create a user based wipe request

By adding a user to the User-level wipe we will automatically issue wipe commands to
all apps on all the user's devices. The user will continue to get wipe commands at every
check-in from all devices. To re-enable a user, you must remove them from the list.

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > App selective wipe > User-Level Wipe.
3. Select Add. The Select user pane displays.
4. Choose the user whose app data you would like to wipe > Select.

Monitor your wipe requests

You can have a summarized report that shows the overall status of the wipe request, and
includes the number of pending requests and failures. Completed wipe request entries
remain in the report for 4 days after completion. If a wipe request is not marked as
completed but remains in a pending state, it stays in the report for a number of days
equal to the Offline grace period wipe data value plus 4 days before the record is
deleted, which is 94 days by default.

To get more details, follow these steps:

1. On the Apps > App selective wipe pane, you can see the list of your requests
grouped by users. Because the system creates a wipe request for each protected
app running on the device, you might see multiple requests for a user. The status
indicates whether a wipe request is pending, failed, or successful.

Additionally, you are able to see the device name, and its device type, which can be
helpful when reading the reports.

Important

The user must open the app for the wipe to occur, and the wipe may take up to 30
minutes after the request was made.

Delete a device wipe request

Wipes with pending status are displayed until you manually delete them. To manually
delete a wipe request:

1. On the Client Apps - App selective wipe pane.

2. From the list, right-click on the wipe request you want to delete, then choose
Delete wipe request.
3. You're prompted to confirm the deletion, choose Yes or No, then click OK.

Delete a user wipe request

User wipes will remain in the list until removed by an administrator. To remove a user
from the list:

1. On the Client Apps - App selective wipe pane select User-Level Wipe
2. From the list, right-click on the user you want to delete, then choose Delete.

See also
What's app protection policy

What's app management


App protection policies overview
Article • 03/07/2023

App protection policies (APP) are rules that ensure an organization's data remains safe
or contained in a managed app. A policy can be a rule that is enforced when the user
attempts to access or move "corporate" data, or a set of actions that are prohibited or
monitored when the user is inside the app. A managed app is an app that has app
protection policies applied to it, and can be managed by Intune.

Mobile Application Management (MAM) app protection policies allow you to manage
and protect your organization's data within an application. Many productivity apps, such
as the Microsoft Office apps, can be managed by Intune MAM. See the official list of
Microsoft Intune protected apps available for public use.

How you can protect app data

Your employees use mobile devices for both personal and work tasks. While making
sure your employees can be productive, you want to prevent data loss, intentional and
unintentional. You'll also want to protect company data that is accessed from devices
that are not managed by you.

You can use Intune app protection policies independent of any mobile-device
management (MDM) solution. This independence helps you protect your company's
data with or without enrolling devices in a device management solution. By
implementing app-level policies, you can restrict access to company resources and keep
data within the purview of your IT department.

App protection policies on devices

App protection policies can be configured for apps that run on devices that are:

Enrolled in Microsoft Intune: These devices are typically corporate owned.

Enrolled in a third-party Mobile device management (MDM) solution: These
devices are typically corporate owned.

Note

Mobile app management policies should not be used with third-party mobile
app management or secure container solutions.
Not enrolled in any mobile device management solution: These devices are
typically employee owned devices that aren't managed or enrolled in Intune or
other MDM solutions.

Important

You can create mobile app management policies for Office mobile apps that
connect to Microsoft 365 services. You can also protect access to Exchange on-
premises mailboxes by creating Intune app protection policies for Outlook for
iOS/iPadOS and Android enabled with hybrid Modern Authentication. Before using
this feature, make sure you meet the Outlook for iOS/iPadOS and Android
requirements. App protection policies are not supported for other apps that
connect to on-premises Exchange or SharePoint services.

Benefits of using App protection policies

The important benefits of using App protection policies are the following:

Protecting your company data at the app level. Because mobile app management
doesn't require device management, you can protect company data on both
managed and unmanaged devices. The management is centered on the user
identity, which removes the requirement for device management.

End-user productivity isn't affected and policies don't apply when using the app
in a personal context. The policies are applied only in a work context, which gives
you the ability to protect company data without touching personal data.

App protection policies make sure that the app-layer protections are in place.
For example, you can:
Require a PIN to open an app in a work context
Control the sharing of data between apps
Prevent the saving of company app data to a personal storage location

MDM, in addition to MAM, makes sure that the device is protected. For example,
you can require a PIN to access the device, or you can deploy managed apps to
the device. You can also deploy apps to devices through your MDM solution, to
give you more control over app management.

There are additional benefits to using MDM with App protection policies, and
companies can use App protection policies with and without MDM at the same time. For
example, consider an employee that uses both a phone issued by the company, and
their own personal tablet. The company phone is enrolled in MDM and protected by
App protection policies while the personal device is protected by App protection
policies only.

If you apply a MAM policy to the user without setting the device state, the user will get
the MAM policy on both the BYOD device and the Intune-managed device. You can also
apply a MAM policy based on the managed state. So when you create an app protection
policy, next to Target to all app types, you'd select No. Then do any of the following:

Apply a less strict MAM policy to Intune managed devices, and apply a more
restrictive MAM policy to non MDM-enrolled devices.
Apply a MAM policy to unenrolled devices only.

Supported platforms for app protection policies
Intune offers a range of capabilities to help you get the apps you need on the devices
you want to run them on. For more information, see App management capabilities by
platform.

Intune app protection policies platform support aligns with Office mobile application
platform support for Android and iOS/iPadOS devices. For details, see the Mobile apps
section of Office System Requirements .

Important

The Intune Company Portal is required on the device to receive App Protection
Policies on Android.

App protection policy data protection framework
The choices available in app protection policies (APP) enable organizations to tailor the
protection to their specific needs. For some, it may not be obvious which policy settings
are required to implement a complete scenario. To help organizations prioritize mobile
client endpoint hardening, Microsoft has introduced a taxonomy for its APP data
protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels,
with each level building off the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a
PIN and encrypted and performs selective wipe operations. For Android devices,
this level validates Android device attestation. This is an entry level configuration
that provides similar data protection control in Exchange Online mailbox policies
and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage
prevention mechanisms and minimum OS requirements. This is the configuration
that is applicable to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection
mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This
configuration is desirable for users that are accessing high risk data.

To see the specific recommendations for each configuration level and the minimum
apps that must be protected, review Data protection framework using app protection
policies.

How app protection policies protect app data

Apps without app protection policies

When apps are used without restrictions, company and personal data can get
intermingled. Company data can end up in locations like personal storage or transferred
to apps beyond your purview and result in data loss. The arrows in the following
diagram show unrestricted data movement between both corporate and personal apps,
and to storage locations.
Data protection with app protection policies (APP)
You can use App protection policies to prevent company data from saving to the local
storage of the device (see the image below). You can also restrict data movement to
other apps that aren't protected by App protection policies. App protection policy
settings include:

Data relocation policies like Save copies of org data, and Restrict cut, copy, and
paste.
Access policy settings like Require simple PIN for access, and Block managed
apps from running on jailbroken or rooted devices.
Data protection with APP on devices managed by an
MDM solution
The below illustration shows the layers of protection that MDM and App protection
policies offer together.
The MDM solution adds value by providing the following:

Enrolls the device
Deploys the apps to the device
Provides ongoing device compliance and management

The App protection policies add value by providing the following:

Help protect company data from leaking to consumer apps and services
Apply restrictions like save-as, clipboard, or PIN, to client apps
Wipe company data when needed from apps without removing those apps from
the device

Data protection with APP for devices without enrollment

The following diagram illustrates how the data protection policies work at the app level
without MDM.
For BYOD devices not enrolled in any MDM solution, App protection policies can help
protect company data at the app level.
However, there are some limitations to be aware of, such as:

You can't deploy apps to the device. The end user has to get the apps from the
store.
You can't provision certificate profiles on these devices.
You can't provision company Wi-Fi and VPN settings on these devices.

Apps you can manage with app protection policies
Any app that has been integrated with the Intune SDK or wrapped by the Intune App
Wrapping Tool can be managed using Intune app protection policies. See the official list
of Microsoft Intune protected apps that have been built using these tools and are
available for public use.
The Intune SDK development team actively tests and maintains support for apps built
with the native Android, iOS/iPadOS (Obj-C, Swift), Xamarin, and Xamarin.Forms
platforms. While some customers have had success with Intune SDK integration with
other platforms such as React Native and NativeScript, we do not provide explicit
guidance or plugins for app developers using anything other than our supported
platforms.

End-user requirements to use app protection policies
The following list provides the end-user requirements to use app protection policies on
an Intune-managed app:

The end user must have an Azure Active Directory (Azure AD) account. See Add
users and give administrative permission to Intune to learn how to create Intune
users in Azure Active Directory.

The end user must have a license for Microsoft Intune assigned to their Azure
Active Directory account. See Manage Intune licenses to learn how to assign Intune
licenses to end users.

The end user must belong to a security group that is targeted by an app
protection policy. The same app protection policy must target the specific app
being used. App protection policies can be created and deployed in the Microsoft
Intune admin center. Security groups can currently be created in the Microsoft
365 admin center.

The end user must sign into the app using their Azure AD account.

App protection policies for Microsoft Office apps
There are a few additional requirements that you want to be aware of when using App
protection policies with Microsoft Office apps.

Outlook mobile app

The additional requirements to use the Outlook mobile app include the following:

The end user must have the Outlook mobile app installed to their device.
The end user must have a Microsoft 365 Exchange Online mailbox and license
linked to their Azure Active Directory account.

Note

The Outlook mobile app currently only supports Intune App Protection for
Microsoft Exchange Online and Exchange Server with hybrid modern
authentication and does not support Exchange in Office 365 Dedicated.

Word, Excel, and PowerPoint

The additional requirements to use the Word, Excel, and PowerPoint apps include the
following:

The end user must have a license for Microsoft 365 Apps for business or
enterprise linked to their Azure Active Directory account. The subscription must
include the Office apps on mobile devices and can include a cloud storage account
with OneDrive for Business. Microsoft 365 licenses can be assigned in the
Microsoft 365 admin center following these instructions.

The end user must have a managed location configured using the granular save as
functionality under the "Save copies of org data" application protection policy
setting. For example, if the managed location is OneDrive, the OneDrive app
should be configured in the end user's Word, Excel, or PowerPoint app.

If the managed location is OneDrive, the app must be targeted by the app
protection policy deployed to the end user.

Note

The Office mobile apps currently only support SharePoint Online and not
SharePoint on-premises.

Managed location needed for Office

A managed location (i.e. OneDrive) is needed for Office. Intune marks all data in the app
as either "corporate" or "personal". Data is considered "corporate" when it originates
from a business location. For the Office apps, Intune considers the following as business
locations: email (Exchange) or cloud storage (OneDrive app with a OneDrive for Business
account).
Skype for Business
There are additional requirements to use Skype for Business. See Skype for Business
license requirements. For Skype for Business (SfB) hybrid and on-prem configurations,
see Hybrid Modern Auth for SfB and Exchange goes GA and Modern Auth for SfB
OnPrem with Azure AD, respectively.

App protection Global policy

If a OneDrive administrator browses to admin.onedrive.com and selects Device access,
they can set Mobile application management controls to the OneDrive and SharePoint
client apps.

The settings made available in the OneDrive Admin console configure a special Intune
app protection policy called the Global policy. This global policy applies to all users in
your tenant, and there is no way to control its targeting.

Once enabled, the OneDrive and SharePoint apps for iOS/iPadOS and Android are
protected with the selected settings by default. An IT Pro can edit this policy in the
Microsoft Intune admin center to add more targeted apps and to modify any policy
setting.

By default, there can only be one Global policy per tenant. You can use Intune Graph
APIs to create extra global policies per tenant, but doing so isn't recommended because
troubleshooting the implementation of such a policy can become complicated.

While the Global policy applies to all users in your tenant, any standard Intune app
protection policy will override these settings.

Note

The policy settings in the OneDrive Admin Center are no longer being updated.
Microsoft Endpoint Manager may be used instead. For more information, see
Control access to features in the OneDrive and SharePoint mobile apps.

App protection features

Multi-identity
Multi-identity support allows an app to support multiple audiences. These audiences are
both "corporate" users and "personal" users. Work and school accounts are used by
"corporate" audiences, whereas personal accounts would be used for consumer
audiences, such as Microsoft Office users. An app that supports multi-identity can be
released publicly, where app protection policies apply only when the app is used in the
work and school ("corporate") context. Multi-identity support uses the Intune SDK to
only apply app protection policies to the work or school account signed into the app. If
a personal account is signed into the app, the data is untouched. App protection
policies can be used to prevent the transfer of work or school account data to personal
accounts within the multi-identity app, personal accounts within other apps, or personal
apps.

Important

Regardless of whether an app supports multi-identity, only a single "corporate"
identity can have an Intune App Protection Policy applied.

For an example of "personal" context, consider a user who starts a new document in
Word. This is considered personal context, so Intune App Protection policies are not
applied. Once the document is saved to the "corporate" OneDrive account, it is
considered "corporate" context and Intune App Protection policies are applied.

Consider the following examples for the work or "corporate" context:

A user starts the OneDrive app by using their work account. In the work context,
they can't move files to a personal storage location. Later, when they use OneDrive
with their personal account, they can copy and move data from their personal
OneDrive without restrictions.
A user starts drafting an email in the Outlook app. Once the subject or message
body is populated, the user is unable to switch the FROM address from the work
context to the personal context as the subject and message body are protected by
the App Protection policy.

Note

Outlook has a combined email view of both "personal" and "corporate" emails. In
this situation, the Outlook app prompts for the Intune PIN on launch.

Important

Although Edge is in "corporate" context, users can intentionally move OneDrive
"corporate" context files to an unknown personal cloud storage location. To avoid
this, see Manage restricted web sites and configure the allowed/blocked site list
for Edge.

Intune app PIN

The Personal Identification Number (PIN) is a passcode used to verify that the correct
user is accessing the organization's data in an application.

PIN prompt

Intune prompts for the user's app PIN when the user is about to access "corporate" data.
In multi-identity apps such as Word, Excel, or PowerPoint, the user is prompted for their
PIN when they try to open a "corporate" document or file. In single-identity apps, such
as line-of-business apps managed using the Intune App Wrapping Tool, the PIN is
prompted at launch, because the Intune SDK knows the user's experience in the app is
always "corporate".

PIN prompt, or corporate credential prompt, frequency

The IT admin can define the Intune app protection policy setting Recheck the access
requirements after (minutes) in the Microsoft Intune admin center. This setting
specifies the amount of time before the access requirements are checked on the device,
and the application PIN screen, or corporate credential prompt, is shown again.
However, important details about the PIN that affect how often the user will be prompted
are:

The PIN is shared among apps of the same publisher to improve usability:

On iOS/iPadOS, one app PIN is shared amongst all apps of the same app
publisher. For example, all Microsoft apps share the same PIN. On Android, one
app PIN is shared amongst all apps.
The Recheck the access requirements after (minutes) behavior after a device
reboot:

A timer tracks the number of minutes of inactivity that determine when to show
the Intune app PIN, or corporate credential prompt next. On iOS/iPadOS, the timer
is unaffected by device reboot. Thus, device reboot has no effect on the number of
minutes the user has been inactive from an iOS/iPadOS app with Intune PIN (or
corporate credential) policy targeted. On Android, the timer is reset on device
reboot. As such, Android apps with Intune PIN (or corporate credential) policy will
likely prompt for an app PIN, or corporate credential prompt, regardless of the
'Recheck the access requirements after (minutes)' setting value after a device
reboot.
The rolling nature of the timer associated with the PIN:

Once a PIN is entered to access an app (app A), and the app leaves the foreground
(main input focus) on the device, the timer gets reset for that PIN. Any app (app B)
that shares this PIN will not prompt the user for PIN entry because the timer has
reset. The prompt will show up again once the 'Recheck the access requirements
after (minutes)' value is met again.

For iOS/iPadOS devices, even if the PIN is shared between apps from different
publishers, the prompt will show up again when the Recheck the access requirements
after (minutes) value is met again for the app that is not the main input focus. So, for
example, a user has app A from publisher X and app B from publisher Y, and those two
apps share the same PIN. The user is focused on app A (foreground), and app B is
minimized. After the Recheck the access requirements after (minutes) value is met and
the user switches to app B, the PIN would be required.

Note

In order to verify the user's access requirements more often (i.e. PIN prompt),
especially for a frequently used app, it is recommended to reduce the value of the
'Recheck the access requirements after (minutes)' setting.

Built-in app PINs for Outlook and OneDrive

The Intune PIN works based on an inactivity-based timer (the value of Recheck the
access requirements after (minutes)). As such, Intune PIN prompts show up
independently from the built-in app PIN prompts for Outlook and OneDrive which often
are tied to app launch by default. If the user receives both PIN prompts at the same
time, the expected behavior should be that the Intune PIN takes precedence.

Intune PIN security

The PIN serves to allow only the correct user to access their organization's data in the
app. Therefore, an end user must sign in with their work or school account before they
can set or reset their Intune app PIN. This authentication is handled by Azure Active
Directory via secure token exchange and is not transparent to the Intune SDK. From a
security perspective, the best way to protect work or school data is to encrypt it.
Encryption is not related to the app PIN but is its own app protection policy.

Protecting against brute force attacks and the Intune PIN

As part of the app PIN policy, the IT administrator can set the maximum number of
times a user can try to authenticate their PIN before locking the app. After the number
of attempts has been met, the Intune SDK can wipe the "corporate" data in the app.

Intune PIN and a selective wipe

On iOS/iPadOS, the app level PIN information is stored in the keychain that is shared
between apps with the same publisher, such as all first party Microsoft apps. This PIN
information is also tied to an end user account. A selective wipe of one app shouldn't
affect a different app.

For example, a PIN set for Outlook for the signed in user is stored in a shared keychain.
When the user signs into OneDrive (also published by Microsoft), they will see the same
PIN as Outlook since it uses the same shared keychain. When signing out of Outlook or
wiping the user data in Outlook, the Intune SDK does not clear that keychain because
OneDrive might still be using that PIN. Because of this, selective wipes do not clear that
shared keychain, including the PIN. This behavior remains the same even if only one app
by a publisher exists on the device.

Since the PIN is shared amongst apps with the same publisher, if the wipe goes to a
single app, the Intune SDK does not know if there are any other apps on the device with
the same publisher. Thus, the Intune SDK does not clear the PIN since it might still be
used for other apps. The expectation is that the app PIN is removed when the last app
from that publisher is eventually uninstalled, as part of OS cleanup.

If you observe the PIN being wiped on some devices, the following is likely happening:
Since the PIN is tied to an identity, if the user signed in with a different account after a
wipe, they will be prompted to enter a new PIN. However, if they sign in with a
previously existing account, a PIN stored in the keychain already can be used to sign in.

Setting a PIN twice on apps from the same publisher?

MAM (on iOS/iPadOS) currently allows application-level PIN with alphanumeric and
special characters (called 'passcode') which requires the participation of applications (i.e.
WXP, Outlook, Managed Browser, Yammer) to integrate the Intune SDK for iOS. Without
this, the passcode settings are not properly enforced for the targeted applications. This
was a feature released in the Intune SDK for iOS v. 7.1.12.

In order to support this feature and ensure backward compatibility with previous
versions of the Intune SDK for iOS/iPadOS, all PINs (either numeric or passcode) in
7.1.12+ are handled separately from the numeric PIN in previous versions of the SDK.
Another change was introduced in the Intune SDK for iOS v 14.6.0 that causes all PINs in
14.6.0+ to be handled separately from any PINs in previous versions of the SDK.

Therefore, if a device has applications with Intune SDK for iOS versions before 7.1.12
AND after 7.1.12 from the same publisher (or versions before 14.6.0 AND after 14.6.0),
the user will have to set up two PINs. The two PINs (one for each app) are not related in
any way, and each must adhere to the app protection policy that's applied to its app. As
such, the user may set up the same PIN twice only if apps A and B have the same policies
applied (with respect to PIN).

This behavior is specific to the PIN on iOS/iPadOS applications that are enabled with
Intune Mobile App Management. Over time, as applications adopt later versions of the
Intune SDK for iOS/iPadOS, having to set a PIN twice on apps from the same publisher
becomes less of an issue. Please see the note below for an example.

Note

For example, if app A is built with a version prior to 7.1.12 (or 14.6.0) and app B is
built with a version greater than or equal to 7.1.12 (or 14.6.0) from the same
publisher, the end user will need to set up PINs separately for A and B if both are
installed on an iOS/iPadOS device. If an app C that has SDK version 7.1.9 (or 14.5.0)
is installed on the device, it will share the same PIN as app A. An app D built with
7.1.14 (or 14.6.2) will share the same PIN as app B.

If only apps A and C are installed on a device, then one PIN will need to be set. The
same applies if only apps B and D are installed on a device.

App data encryption

IT administrators can deploy an app protection policy that requires app data to be
encrypted. As part of the policy, the IT administrator can also specify when the content
is encrypted.

How the Intune data encryption process works

See the Android app protection policy settings and iOS/iPadOS app protection policy
settings for detailed information on the encryption app protection policy setting.

Data that is encrypted

Only data marked as "corporate" is encrypted according to the IT administrator's app
protection policy. Data is considered "corporate" when it originates from a business
location. For the Office apps, Intune considers the following as business locations:

Email (Exchange)
Cloud storage (OneDrive app with a OneDrive for Business account)

For line-of-business apps managed by the Intune App Wrapping Tool, all app data is
considered "corporate".

Selective wipe

Remotely wipe data

Intune can wipe app data in three different ways:

Full device wipe
Selective wipe for MDM
MAM selective wipe

For more information about remote wipe for MDM, see Remove devices by using wipe
or retire. For more information about selective wipe using MAM, see the Retire action
and How to wipe only corporate data from apps.

Full device wipe removes all user data and settings from the device by restoring the
device to its factory default settings. The device is removed from Intune.

Note

Full device wipe and selective wipe for MDM can only be achieved on devices
enrolled with Intune mobile device management (MDM).

Selective wipe for MDM

See Remove devices - retire to read about removing company data.

Selective wipe for MAM

Selective wipe for MAM simply removes company app data from an app. The request is
initiated using Intune. To learn how to initiate a wipe request, see How to wipe only
corporate data from apps.

If the user is using the app when selective wipe is initiated, the Intune SDK checks every
30 minutes for a selective wipe request from the Intune MAM service. It also checks for
selective wipe when the user launches the app for the first time and signs in with their
work or school account.

When On-Premises (on-prem) services don't work with Intune protected apps

Intune app protection depends on the identity of the user to be consistent between the
application and the Intune SDK. The only way to guarantee that is through modern
authentication. There are scenarios in which apps may work with an on-prem
configuration, but they are neither consistent nor guaranteed.

Secure way to open web links from managed apps

The IT administrator can deploy and set app protection policy for Microsoft Edge, a web
browser that can be managed easily with Intune. The IT administrator can require all
web links in Intune-managed apps to be opened using a managed browser.

App protection experience for iOS devices

Device fingerprint or face IDs

Intune app protection policies allow control over app access to only the Intune licensed
user. One of the ways to control access to the app is to require either Apple's Touch ID
or Face ID on supported devices. Intune implements a behavior where if there is any
change to the device's biometric database, Intune prompts the user for a PIN when the
next inactivity timeout value is met. Changes to biometric data include the addition or
removal of a fingerprint, or face. If the Intune user does not have a PIN set, they are led
to set up an Intune PIN.

The intent of this process is to continue keeping your organization's data within the app
secure and protected at the app level. This feature is only available for iOS/iPadOS, and
requires the participation of applications that integrate the Intune SDK for iOS/iPadOS,
version 9.0.1 or later. Integration of the SDK is necessary so that the behavior can be
enforced on the targeted applications. This integration happens on a rolling basis and is
dependent on the specific application teams. Some apps that participate include WXP,
Outlook, Managed Browser, and Yammer.

iOS share extension

You can use the iOS/iPadOS share extension to open work or school data in unmanaged
apps, even with the data transfer policy set to managed apps only or no apps. Intune
app protection policy cannot control the iOS/iPadOS share extension without managing
the device. Therefore, Intune encrypts "corporate" data before it is shared outside the
app. You can validate this encryption behavior by attempting to open a "corporate" file
outside of the managed app. The file should be encrypted and unable to be opened
outside the managed app.

Universal Links support

By default, Intune app protection policies will prevent access to unauthorized
application content. In iOS/iPadOS, there is functionality to open specific content or
applications using Universal Links.

Users can disable an app's Universal Links by visiting them in Safari and selecting Open
in New Tab or Open. In order to use Universal Links with Intune app protection policies,
it's important to re-enable the universal links. The end user would need to do an Open
in <app name> in Safari after long pressing a corresponding link. This should prompt
any additional protected app to route all Universal Links to the protected application on
the device.

Multiple Intune app protection access settings for the same set of apps and users
Intune app protection policies for access will be applied in a specific order on end-user
devices as they try to access a targeted app from their corporate account. In general, a
wipe would take precedence, followed by a block, then a dismissible warning. For
example, if applicable to the specific user/app, a minimum iOS/iPadOS operating system
setting that warns a user to update their iOS/iPadOS version will be applied after the
minimum iOS/iPadOS operating system setting that blocks the user from access. So, in
the scenario where the IT admin configures the min iOS operating system to 11.0.0.0
and the min iOS operating system (Warning only) to 11.1.0.0, while the device trying to
access the app was on iOS 10, the end user would be blocked based on the more
restrictive setting for min iOS operating system version that results in blocked access.

When dealing with different types of settings, an Intune SDK version requirement would
take precedence, then an app version requirement, followed by the iOS/iPadOS
operating system version requirement. Then, any warnings for all types of settings in the
same order are checked. We recommend the Intune SDK version requirement be
configured only upon guidance from the Intune product team for essential blocking
scenarios.

App protection experience for Android devices

Note

App protection policies (APP) are not supported on Intune managed Android
Enterprise dedicated devices without Shared device mode. On these devices,
Company Portal installation is needed for an APP block policy to take effect with no
impact to the user. App protection policies are supported on Intune managed
Android Enterprise dedicated devices with Shared device mode, as well as on AOSP
userless devices that leverage Shared device mode.

Microsoft Teams Android devices

The Teams app on Microsoft Teams Android devices does not support APP (does not
receive policy through the Company Portal app). This means that app protection policy
settings will not be applied to Teams on Microsoft Teams Android devices. If you have
app protection policies configured for these devices, consider creating a group of Teams
device users and exclude that group from the related app protection policies.
Additionally, consider modifying your Intune Enrollment Policy, Conditional Access
Policies and Intune Compliance policies so they have supported settings. If you cannot
change your existing policies, you must configure (exclusion) Device Filters. Verify each
setting against the existing Conditional Access configuration and Intune Compliance
policy to know if you have unsupported settings. For related information see Supported
Conditional Access and Intune device compliance policies for Microsoft Teams Rooms
and Teams Android Devices. For information related to Microsoft Teams Rooms, see
Conditional Access and Intune compliance for Microsoft Teams Rooms.

Device biometric authentication

For Android devices that support biometric authentication, you can allow end users to
use fingerprint or Face Unlock, depending on what their Android device supports. You
can configure whether all biometric types beyond fingerprint can be used to
authenticate. Note that fingerprint and Face Unlock are only available for devices
manufactured to support these biometric types and are running the correct version of
Android. Android 6 and higher is required for fingerprint, and Android 10 and higher is
required for Face Unlock.

Company Portal app and Intune app protection

Much of app protection functionality is built into the Company Portal app. Device
enrollment is not required even though the Company Portal app is always required. For
Mobile Application Management (MAM), the end user just needs to have the Company
Portal app installed on the device.

Multiple Intune app protection access settings for the same set of apps and users
Intune app protection policies for access will be applied in a specific order on end-user
devices as they try to access a targeted app from their corporate account. In general, a
block would take precedence, then a dismissible warning. For example, if applicable to
the specific user/app, a minimum Android patch version setting that warns a user to
take a patch upgrade will be applied after the minimum Android patch version setting
that blocks the user from access. So, in the scenario where the IT admin configures the
min Android patch version to 2018-03-01 and the min Android patch version (Warning
only) to 2018-02-01, while the device trying to access the app was on a patch version
2018-01-01, the end user would be blocked based on the more restrictive setting for
min Android patch version that results in blocked access.

When dealing with different types of settings, an app version requirement would take
precedence, followed by Android operating system version requirement and Android
patch version requirement. Then, any warnings for all types of settings in the same order
are checked.

Intune app protection policies and Google's SafetyNet Attestation for Android devices
Intune app protection policies provide the capability for admins to require end-user
devices to pass Google's SafetyNet Attestation for Android devices. A new Google Play
service determination will be reported to the IT admin at an interval determined by the
Intune service. How often the service call is made is throttled due to load, thus this value
is maintained internally and is not configurable. Any IT admin configured action for the
Google SafetyNet Attestation setting will be taken based on the last reported result to
the Intune service at the time of conditional launch. If there is no data, access will be
allowed depending on no other conditional launch checks failing, and Google Play
Service "roundtrip" for determining attestation results will begin in the backend and
prompt the user asynchronously if the device has failed. If there is stale data, access will
be blocked or allowed depending on the last reported result, and similarly, a Google
Play Service "roundtrip" for determining attestation results will begin and prompt the
user asynchronously if the device has failed.

Intune app protection policies and Google's Verify Apps API for Android devices
Intune App Protection Policies provide the capability for admins to require end-user
devices to send signals via Google's Verify Apps API for Android devices. The
instructions on how to do this vary slightly by device. The general process involves
going to the Google Play Store, then clicking on My apps & games, clicking on the
result of the last app scan which will take you into the Play Protect menu. Ensure the
toggle for Scan device for security threats is switched to on.

Google's SafetyNet Attestation API

Intune leverages Google Play Protect SafetyNet APIs to add to our existing root
detection checks for unenrolled devices. Google has developed and maintained this API
set for Android apps to adopt if they do not want their apps to run on rooted devices.
The Android Pay app has incorporated this, for example. While Google does not share
publicly the entirety of the root detection checks that occur, we expect these APIs to
detect users who have rooted their devices. These users can then be blocked from
accessing, or their corporate accounts wiped from their policy enabled apps. Check
basic integrity tells you about the general integrity of the device. Rooted devices,
emulators, virtual devices, and devices with signs of tampering fail basic integrity. Check
basic integrity & certified devices tells you about the compatibility of the device with
Google's services. Only unmodified devices that have been certified by Google can pass
this check. Devices that will fail include the following:

Devices that fail basic integrity
Devices with an unlocked bootloader
Devices with a custom system image/ROM
Devices for which the manufacturer didn't apply for, or pass, Google certification
Devices with a system image built directly from the Android Open Source Program
source files
Devices with a beta/developer preview system image

See Google's documentation on the SafetyNet Attestation for technical details.

SafetyNet device attestation setting and the 'jailbroken/rooted devices' setting

Google Play Protect's SafetyNet API checks require the end user to be online, at least for
the duration of the "roundtrip" that determines the attestation result. If the end user is
offline, the IT admin can still expect a result to be enforced from the jailbroken/rooted
devices setting. That being said, if the end user has been offline too long, the Offline
grace period value comes into play, and all access to work or school data is blocked once
that timer value is reached, until network access is available. Turning on both settings
allows for a layered approach to keeping end-user devices healthy, which is important
when end users access work or school data on mobile.

Google Play Protect APIs and Google Play Services

The app protection policy settings that leverage Google Play Protect APIs require
Google Play Services to function. Both the SafetyNet device attestation and Threat
scan on apps settings require a Google-determined version of Google Play Services to
function correctly. Since these settings fall in the area of security, the end user will be
blocked if they have been targeted with these settings and are not meeting the
appropriate version of Google Play Services or have no access to Google Play Services.

Next steps
How to create and deploy app protection policies with Microsoft Intune

Available Android app protection policy settings with Microsoft Intune

Available iOS/iPadOS app protection policy settings with Microsoft Intune


Data protection framework using app protection policies
Article • 08/15/2023

As more organizations implement mobile device strategies for accessing work or school
data, protecting against data leakage becomes paramount. Intune's mobile application
management solution for protecting against data leakage is App Protection Policies
(APP). APP are rules that ensure an organization's data remains safe or contained in a
managed app, regardless of whether the device is enrolled. For more information, see
App protection policies overview.

When configuring App Protection Policies, the number of various settings and options
enable organizations to tailor the protection to their specific needs. Due to this
flexibility, it may not be obvious which permutation of policy settings are required to
implement a complete scenario. To help organizations prioritize client endpoint
hardening endeavors, Microsoft has introduced a new taxonomy for security
configurations in Windows 10, and Intune is leveraging a similar taxonomy for its APP
data protection framework for mobile app management.

The APP data protection configuration framework is organized into three distinct
configuration scenarios:

Level 1 enterprise basic data protection – Microsoft recommends this configuration
as the minimum data protection configuration for an enterprise device.

Level 2 enterprise enhanced data protection – Microsoft recommends this
configuration for devices where users access sensitive or confidential information.
This configuration is applicable to most mobile users accessing work or school
data. Some of the controls may impact user experience.

Level 3 enterprise high data protection – Microsoft recommends this configuration
for devices run by an organization with a larger or more sophisticated security
team, or for specific users or groups who are at uniquely high risk (users who
handle highly sensitive data where unauthorized disclosure causes considerable
material loss to the organization). An organization likely to be targeted by
well-funded and sophisticated adversaries should aspire to this configuration.

APP Data Protection Framework deployment methodology

As with any deployment of new software, features or settings, Microsoft recommends
investing in a ring methodology for testing validation prior to deploying the APP data
protection framework. Defining deployment rings is generally a one-time event (or at
least infrequent), but IT should revisit these groups to ensure that the sequencing is still
correct.

Microsoft recommends the following deployment ring approach for the APP data
protection framework:

Deployment ring | Tenant | Assessment teams | Output | Timeline
Quality Assurance | Pre-production tenant | Mobile capability owners, Security, Risk Assessment, Privacy, UX | Functional scenario validation, draft documentation | 0-30 days
Preview | Production tenant | Mobile capability owners, UX | End-user scenario validation, user facing documentation | 7-14 days, post Quality Assurance
Production | Production tenant | Mobile capability owners, IT help desk | N/A | 7 days to several weeks, post Preview

As the above table indicates, all changes to the App Protection Policies should be first
performed in a pre-production environment to understand the policy setting
implications. Once testing is complete, the changes can be moved into production and
applied to a subset of production users, generally, the IT department and other
applicable groups. And finally, the rollout can be completed to the rest of the mobile
user community. Rollout to production may take a longer amount of time depending on
the scale of impact regarding the change. If there is no user impact, the change should
roll out quickly, whereas, if the change results in user impact, rollout may need to go
slower due to the need to communicate changes to the user population.

When testing changes to an APP, be aware of the delivery timing. The status of APP
delivery for a given user can be monitored. For more information, see How to monitor
app protection policies.

Individual APP settings for each app can be validated on devices using Edge and the
URL about:Intunehelp. For more information, see Review client app protection logs and
Use Edge for iOS and Android to access managed app logs.

APP Data Protection Framework settings

The following App Protection Policy settings should be enabled for the applicable apps
and assigned to all mobile users. For more information on each policy setting, see iOS
app protection policy settings and Android app protection policy settings.

Microsoft recommends reviewing and categorizing usage scenarios, and then
configuring users using the prescriptive guidance for that level. As with any framework,
settings within a corresponding level may need to be adjusted based on the needs of
the organization as data protection must evaluate the threat environment, risk appetite,
and impact to usability.

Administrators can incorporate the below configuration levels within their ring
deployment methodology for testing and production use by importing the sample
Intune App Protection Policy Configuration Framework JSON templates with Intune's
PowerShell scripts.

Note

Preview: When using MAM for Windows, see App protection policy settings for
Windows.

Conditional Access Policies

To ensure that only apps supporting App Protection Policies access work or school
account data, Azure Active Directory Conditional Access policies are required. These
policies are described in Conditional Access: Require approved client apps or app
protection policy.

See Require approved client apps or app protection policy with mobile devices in
Conditional Access: Require approved client apps or app protection policy for steps to
implement the specific policies. Finally, implement the steps in Block legacy
authentication to block legacy authentication capable iOS and Android apps.

Note

These policies leverage the grant controls Require approved client app and
Require app protection policy.

Apps to include in the App Protection Policies

For each App Protection Policy, the Core Microsoft Apps group is targeted, which
includes the following apps:

Edge
Excel
Office
OneDrive
OneNote
Outlook
PowerPoint
SharePoint
Teams
To Do
Word

The policies should include other Microsoft apps based on business need, additional
third-party public apps that have integrated the Intune SDK used within the
organization, as well as line-of-business apps that have integrated the Intune SDK (or
have been wrapped).

Level 1 enterprise basic data protection

Level 1 is the minimum data protection configuration for an enterprise mobile device.
This configuration replaces the need for basic Exchange Online device access policies by
requiring a PIN to access work or school data, encrypting the work or school account
data, and providing the capability to selectively wipe the school or work data. However,
unlike Exchange Online device access policies, the below App Protection Policy settings
apply to all the apps selected in the policy, thereby ensuring data access is protected
beyond mobile messaging scenarios.

The policies in level 1 enforce a reasonable data access level while minimizing the
impact to users and mirror the default data protection and access requirements settings
when creating an App Protection Policy within Microsoft Intune.

Data protection

Setting | Setting description | Value | Platform
Data Transfer | Back up org data to… | Allow | iOS/iPadOS, Android
Data Transfer | Send org data to other apps | All apps | iOS/iPadOS, Android
Data Transfer | Receive data from other apps | All apps | iOS/iPadOS, Android
Data Transfer | Restrict cut, copy, and paste between apps | Any app | iOS/iPadOS, Android
Data Transfer | Third-party keyboards | Allow | iOS/iPadOS
Data Transfer | Approved keyboards | Not required | Android
Data Transfer | Screen capture and Google Assistant | Allow | Android
Encryption | Encrypt org data | Require | iOS/iPadOS, Android
Encryption | Encrypt org data on enrolled devices | Require | Android
Functionality | Sync app with native contacts app | Allow | iOS/iPadOS, Android
Functionality | Printing org data | Allow | iOS/iPadOS, Android
Functionality | Restrict web content transfer with other apps | Any app | iOS/iPadOS, Android
Functionality | Org data notifications | Allow | iOS/iPadOS, Android

Access requirements

Setting | Value | Platform | Notes
PIN for access | Require | iOS/iPadOS, Android |
PIN type | Numeric | iOS/iPadOS, Android |
Simple PIN | Allow | iOS/iPadOS, Android |
Select Minimum PIN length | 4 | iOS/iPadOS, Android |
Touch ID instead of PIN for access (iOS 8+/iPadOS) | Allow | iOS/iPadOS |
Override biometrics with PIN after timeout | Require | iOS/iPadOS, Android |
Timeout (minutes of activity) | 720 | iOS/iPadOS, Android |
Face ID instead of PIN for access (iOS 11+/iPadOS) | Allow | iOS/iPadOS |
Biometric instead of PIN for access | Allow | iOS/iPadOS, Android |
PIN reset after number of days | No | iOS/iPadOS, Android |
Select number of previous PIN values to maintain | 0 | Android |
App PIN when device PIN is set | Require | iOS/iPadOS, Android | If the device is enrolled in Intune, administrators can consider setting this to "Not required" if they are enforcing a strong device PIN via a device compliance policy.
Work or school account credentials for access | Not required | iOS/iPadOS, Android |
Recheck the access requirements after (minutes of inactivity) | 30 | iOS/iPadOS, Android |

Conditional launch

Setting | Setting description | Value / Action | Platform | Notes
App conditions | Max PIN attempts | 5 / Reset PIN | iOS/iPadOS, Android |
App conditions | Offline grace period | 720 (minutes) / Block access | iOS/iPadOS, Android |
App conditions | Offline grace period | 90 (days) / Wipe data | iOS/iPadOS, Android |
Device conditions | Jailbroken/rooted devices | N/A / Block access | iOS/iPadOS, Android |
Device conditions | SafetyNet device attestation | Basic integrity and certified devices / Block access | Android | This setting configures Google's SafetyNet Attestation on end-user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check.
Device conditions | Require threat scan on apps | N/A / Block access | Android | This setting ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end-user will be blocked from access until they turn on Google's app scanning on their Android device.
Device conditions | Require device lock | Low / Warn | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements.
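How the Level 1 conditional launch settings above combine at app launch, including the point made earlier that the SafetyNet verdict needs an online round trip while the offline grace period and jailbroken/rooted check are enforced offline, modelled as an added example (my own code, not Intune's; the state fields, key names and the treatment of a device that has never obtained a verdict are constructed for illustration):

```python
from dataclasses import dataclass
from typing import List, Optional

# Level 1 conditional launch values from the table above. The key names are
# this example's own labels, not Intune setting identifiers.
LEVEL1_CONDITIONAL_LAUNCH = {
    "max_pin_attempts": 5,                # action: Reset PIN
    "offline_grace_block_minutes": 720,   # action: Block access
    "offline_grace_wipe_days": 90,        # action: Wipe data
    "block_jailbroken_rooted": True,      # action: Block access
    "safetynet_required": "certified",    # basic integrity and certified / Block access
    "require_threat_scan": True,          # Verify Apps must be on / Block access
    "device_lock_action": "Warn",         # Require device lock: Low / Warn
}

# Report the most consequential action first.
SEVERITY = {"Wipe data": 0, "Block access": 1, "Reset PIN": 2, "Warn": 3}

# What the last SafetyNet round trip established, ranked.
ATTESTATION_RANK = {"fail": 0, "basic": 1, "certified": 2}


@dataclass
class DeviceState:
    """Constructed snapshot of a device at app launch (not an Intune object)."""
    online: bool
    minutes_since_checkin: int         # how long the app has had no network access
    failed_pin_attempts: int
    rooted_or_jailbroken: bool         # local check, enforced even while offline
    cached_attestation: Optional[str]  # verdict of the last online round trip, or None
    verify_apps_enabled: bool          # Google Play Protect app scanning turned on
    device_lock_meets_minimum: bool


def evaluate(state: DeviceState, policy=LEVEL1_CONDITIONAL_LAUNCH) -> List[str]:
    """Return the distinct actions triggered, most severe first; [] means launch is allowed."""
    actions = set()

    # Offline grace period: block after 720 minutes, wipe after 90 days.
    # Once the wipe timer has elapsed the block is moot, so it is checked first.
    if not state.online:
        if state.minutes_since_checkin >= policy["offline_grace_wipe_days"] * 24 * 60:
            return ["Wipe data"]
        if state.minutes_since_checkin >= policy["offline_grace_block_minutes"]:
            actions.add("Block access")

    if state.failed_pin_attempts >= policy["max_pin_attempts"]:
        actions.add("Reset PIN")

    # Jailbroken/rooted detection does not need a network round trip.
    if policy["block_jailbroken_rooted"] and state.rooted_or_jailbroken:
        actions.add("Block access")

    # SafetyNet needs an online round trip; offline, the cached verdict is enforced.
    # Assumption of this example: no verdict at all is treated like a failed one.
    required = ATTESTATION_RANK[policy["safetynet_required"]]
    have = ATTESTATION_RANK.get(state.cached_attestation, -1)
    if have < required:
        actions.add("Block access")

    if policy["require_threat_scan"] and not state.verify_apps_enabled:
        actions.add("Block access")

    if not state.device_lock_meets_minimum:
        actions.add(policy["device_lock_action"])

    return sorted(actions, key=SEVERITY.__getitem__)


if __name__ == "__main__":
    # Constructed states: a device that went offline 13 hours ago, and a rooted one.
    offline = DeviceState(False, 13 * 60, 0, False, "certified", True, True)
    rooted = DeviceState(True, 0, 5, True, "fail", True, False)
    print("offline 13h:", evaluate(offline))   # ['Block access']
    print("rooted:", evaluate(rooted))         # ['Block access', 'Reset PIN', 'Warn']
```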

Level 2 enterprise enhanced data protection

Level 2 is the data protection configuration recommended as a standard for devices
where users access more sensitive information. These devices are a natural target in
enterprises today. These recommendations do not assume a large staff of highly skilled
security practitioners, and therefore should be accessible to most enterprise
organizations. This configuration expands upon the configuration in Level 1 by
restricting data transfer scenarios and by requiring a minimum operating system
version.

The policy settings enforced in level 2 include all the policy settings recommended for
level 1 but only lists those settings below that have been added or changed to
implement more controls and a more sophisticated configuration than level 1. While
these settings may have a slightly higher impact to users or to applications, they enforce
a level of data protection more commensurate with the risks facing users with access to
sensitive information on mobile devices.

Data protection

Setting | Setting description | Value | Platform | Notes
Data Transfer | Back up org data to… | Block | iOS/iPadOS, Android |
Data Transfer | Send org data to other apps | Policy managed apps | iOS/iPadOS, Android | With iOS/iPadOS, administrators can configure this value to be "Policy managed apps", "Policy managed apps with OS sharing", or "Policy managed apps with Open-In/Share filtering". Policy managed apps with OS sharing is available when the device is also enrolled with Intune. This setting allows data transfer to other policy managed apps, as well as file transfers to other apps that are managed by Intune. Policy managed apps with Open-In/Share filtering filters the OS Open-in/Share dialogs to only display policy managed apps. For more information, see iOS app protection policy settings.
Data Transfer | Select apps to exempt | Default / skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services; | iOS/iPadOS |
Data Transfer | Save copies of org data | Block | iOS/iPadOS, Android |
Data Transfer | Allow users to save copies to selected services | OneDrive for Business, SharePoint Online, Photo Library | iOS/iPadOS, Android |
Data Transfer | Transfer telecommunication data to | Any dialer app | iOS/iPadOS, Android |
Data Transfer | Restrict cut, copy, and paste between apps | Policy managed apps with paste in | iOS/iPadOS, Android |
Data Transfer | Screen capture and Google Assistant | Block | Android |
Functionality | Restrict web content transfer with other apps | Microsoft Edge | iOS/iPadOS, Android |
Functionality | Org data notifications | Block Org Data | iOS/iPadOS, Android | For a list of apps that support this setting, see iOS app protection policy settings and Android app protection policy settings.

Conditional launch

Setting | Setting description | Value / Action | Platform | Notes
App conditions | Disabled account | N/A / Block access | iOS/iPadOS, Android |
Device conditions | Min OS version | Format: Major.Minor.Build, Example: 14.8 / Block access | iOS/iPadOS | Microsoft recommends configuring the minimum iOS major version to match the supported iOS versions for Microsoft apps. Microsoft apps support an N-1 approach where N is the current iOS major release version. For minor and build version values, Microsoft recommends ensuring devices are up to date with the respective security updates. See Apple security updates for Apple's latest recommendations.
Device conditions | Min OS version | Format: Major.Minor, Example: 9.0 / Block access | Android | Microsoft recommends configuring the minimum Android major version to match the supported Android versions for Microsoft apps. OEMs and devices adhering to Android Enterprise recommended requirements must support the current shipping release + one letter upgrade. Currently, Android recommends Android 9.0 and later for knowledge workers. See Android Enterprise Recommended requirements for Android's latest recommendations.
Device conditions | Min patch version | Format: YYYY-MM-DD, Example: 2020-01-01 / Block access | Android | Android devices can receive monthly security patches, but the release is dependent on OEMs and/or carriers. Organizations should ensure that deployed Android devices do receive security updates before implementing this setting. See Android Security Bulletins for the latest patch releases.
Device conditions | Required SafetyNet evaluation type | Hardware-backed key | Android | Hardware backed attestation enhances the existing SafetyNet attestation service check by leveraging a new evaluation type called Hardware Backed, providing a more robust root detection in response to newer types of rooting tools and methods that cannot always be reliably detected by a software only solution. As its name implies, hardware backed attestation leverages a hardware-based component which shipped with devices installed with Android 8.1 and later. Devices that were upgraded from an older version of Android to Android 8.1 are unlikely to have the hardware-based components necessary for hardware backed attestation. While this setting should be widely supported starting with devices that shipped with Android 8.1, Microsoft strongly recommends testing devices individually before enabling this policy setting broadly.
Device conditions | Require device lock | Medium / Block Access | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements.
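A baseline check that compares an exported Android policy against the Level 2 values above (Level 1 inherited plus the Level 2 changes), written as an added example rather than Intune's own PowerShell scripts; the Graph property and enum names are what I believe the androidManagedAppProtection resource exports, so treat them as assumptions and verify them against your own exported JSON template:

```python
import json
import re
from typing import Any, Callable, Dict, List, Tuple

# ISO 8601 durations in the form Graph exports them (assumed): P90D, PT12H, PT30M.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def duration_minutes(value: str) -> int:
    """Convert a day/hour/minute ISO 8601 duration string to minutes."""
    match = DURATION_RE.match(value)
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes = (int(g) if g else 0 for g in match.groups())
    return days * 24 * 60 + hours * 60 + minutes


def version_tuple(value: str) -> Tuple[int, ...]:
    """'9.0' -> (9, 0); an empty string (setting not configured) -> ()."""
    return tuple(int(part) for part in value.split(".") if part)


# Level 2 Android baseline: (Graph property, requirement as worded in the tables
# above, predicate that passes when the exported value meets it). The property
# and enum names are assumptions, not taken from this article.
LEVEL2_ANDROID_BASELINE: List[Tuple[str, str, Callable[[Any], bool]]] = [
    ("pinRequired", "PIN for access: Require", lambda v: v is True),
    ("minimumPinLength", "Minimum PIN length >= 4", lambda v: int(v) >= 4),
    ("maximumPinRetries", "Max PIN attempts <= 5", lambda v: int(v) <= 5),
    ("periodOfflineBeforeAccessCheck", "Offline grace period (block) <= 720 minutes",
     lambda v: duration_minutes(v) <= 720),
    ("periodOfflineBeforeWipeIsEnforced", "Offline grace period (wipe) <= 90 days",
     lambda v: duration_minutes(v) <= 90 * 24 * 60),
    ("dataBackupBlocked", "Back up org data: Block", lambda v: v is True),
    ("allowedOutboundDataTransferDestinations", "Send org data to other apps: Policy managed apps",
     lambda v: v == "managedApps"),
    ("allowedOutboundClipboardSharingLevel", "Cut, copy, paste: Policy managed apps with paste in",
     lambda v: v == "managedAppsWithPasteIn"),
    ("saveAsBlocked", "Save copies of org data: Block", lambda v: v is True),
    ("screenCaptureBlocked", "Screen capture and Google Assistant: Block", lambda v: v is True),
    ("minimumRequiredOsVersion", "Min OS version >= 9.0", lambda v: version_tuple(v) >= (9, 0)),
    ("requiredAndroidSafetyNetDeviceAttestationType", "SafetyNet: basic integrity and certified devices",
     lambda v: v == "basicIntegrityAndDeviceCertification"),
    ("requiredAndroidSafetyNetEvaluationType", "Required SafetyNet evaluation type: hardware-backed",
     lambda v: v == "hardwareBacked"),
    ("requiredAndroidSafetyNetAppsVerificationType", "Require threat scan on apps",
     lambda v: v == "enabled"),
]


def check_policy(policy: Dict[str, Any], baseline=LEVEL2_ANDROID_BASELINE) -> List[str]:
    """Return one finding per baseline item the policy misses; [] means it meets Level 2."""
    findings = []
    for prop, requirement, meets in baseline:
        if prop not in policy:
            findings.append(f"{prop}: not present (expected {requirement})")
        elif not meets(policy[prop]):
            findings.append(f"{prop}={policy[prop]!r}: expected {requirement}")
    return findings


# Constructed export of a policy still at Level 1 values (not a real tenant export).
SAMPLE_EXPORT = json.loads("""
{
  "@odata.type": "#microsoft.graph.androidManagedAppProtection",
  "displayName": "Constructed sample - Android",
  "pinRequired": true,
  "minimumPinLength": 4,
  "maximumPinRetries": 5,
  "periodOfflineBeforeAccessCheck": "PT12H",
  "periodOfflineBeforeWipeIsEnforced": "P90D",
  "dataBackupBlocked": false,
  "allowedOutboundDataTransferDestinations": "allApps",
  "allowedOutboundClipboardSharingLevel": "allApps",
  "saveAsBlocked": false,
  "screenCaptureBlocked": false,
  "minimumRequiredOsVersion": "",
  "requiredAndroidSafetyNetDeviceAttestationType": "basicIntegrityAndDeviceCertification",
  "requiredAndroidSafetyNetAppsVerificationType": "enabled"
}
""")

if __name__ == "__main__":
    # Lists the seven Level 2 settings the constructed Level 1 export does not meet.
    for finding in check_policy(SAMPLE_EXPORT):
        print(finding)
```

Run it against each exported template before importing it into the Preview ring, so a template edited by hand cannot silently fall below the level it is labelled with.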

Level 3 enterprise high data protection

Level 3 is the data protection configuration recommended as a standard for
organizations with large and sophisticated security organizations, or for specific users
and groups who will be uniquely targeted by adversaries. Such organizations are
typically targeted by well-funded and sophisticated adversaries, and as such merit the
additional constraints and controls described. This configuration expands upon the
configuration in Level 2 by restricting additional data transfer scenarios, increasing the
complexity of the PIN configuration, and adding mobile threat detection.

The policy settings enforced in level 3 include all the policy settings recommended for
level 2 but only lists those settings below that have been added or changed to
implement more controls and a more sophisticated configuration than level 2. These
policy settings can have a potentially significant impact to users or to applications,
enforcing a level of security commensurate with the risks facing targeted organizations.

Data protection

Setting | Setting description | Value | Platform | Notes
Data Transfer | Transfer telecommunication data to | Any policy-managed dialer app | Android | Administrators can also configure this setting to use a dialer app that does not support App Protection Policies by selecting A specific dialer app and providing the Dialer App Package ID and Dialer App Name values.
Data Transfer | Transfer telecommunication data to | A specific dialer app | iOS/iPadOS |
Data Transfer | Dialer App URL Scheme | replace_with_dialer_app_url_scheme | iOS/iPadOS | On iOS/iPadOS, this value must be replaced with the URL scheme for the custom dialer app being used. If the URL scheme is not known, contact the app developer for more information. For more information on URL schemes, see Defining a Custom URL Scheme for Your App.
Data Transfer | Receive data from other apps | Policy managed apps | iOS/iPadOS, Android |
Data Transfer | Open data into Org documents | Block | iOS/iPadOS, Android |
Data Transfer | Allow users to open data from selected services | OneDrive for Business, SharePoint, Camera, Photo Library | iOS/iPadOS, Android | For related information, see Android app protection policy settings and iOS app protection policy settings.
Data Transfer | Third-party keyboards | Block | iOS/iPadOS | On iOS/iPadOS, this blocks all third-party keyboards from functioning within the app.
Data Transfer | Approved keyboards | Require | Android |
Data Transfer | Select keyboards to approve | add/remove keyboards | Android | With Android, keyboards must be selected in order to be used based on your deployed Android devices.
Functionality | Printing org data | Block | iOS/iPadOS, Android |

Access requirements

Setting | Value | Platform
Simple PIN | Block | iOS/iPadOS, Android
Select Minimum PIN length | 6 | iOS/iPadOS, Android
PIN reset after number of days | Yes | iOS/iPadOS, Android
Number of days | 365 | iOS/iPadOS, Android
Class 3 Biometrics (Android 9.0+) | Require | Android
Override Biometrics with PIN after biometric updates | Require | Android

Conditional launch

Setting | Setting description | Value / Action | Platform | Notes
Device conditions | Require device lock | High / Block Access | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements.
Device conditions | Jailbroken/rooted devices | N/A / Wipe data | iOS/iPadOS, Android |
Device conditions | Max allowed threat level | Secured / Block access | iOS/iPadOS, Android | Unenrolled devices can be inspected for threats using Mobile Threat Defense. For more information, see Mobile Threat Defense for unenrolled devices. If the device is enrolled, this setting can be skipped in favor of deploying Mobile Threat Defense for enrolled devices. For more information, see Mobile Threat Defense for enrolled devices.
Device conditions | Max OS version | Format: Major.Minor, Example: 11.0 / Block access | Android | Microsoft recommends configuring the maximum Android major version to ensure beta or unsupported versions of the operating system are not used. See Android Enterprise Recommended requirements for Android's latest recommendations.
Device conditions | Max OS version | Format: Major.Minor.Build, Example: 15.0 / Block access | iOS/iPadOS | Microsoft recommends configuring the maximum iOS/iPadOS major version to ensure beta or unsupported versions of the operating system are not used. See Apple security updates for Apple's latest recommendations.
Device conditions | Samsung Knox device attestation | Warn, Block access, Wipe data | Android | Microsoft recommends configuring the Samsung Knox device attestation setting to Block access to ensure the user account is blocked from access if the device does not meet Samsung's Knox device attestation check. For more information, see Device settings for Android app protection policies.

Next steps
Administrators can incorporate the above configuration levels within their ring
deployment methodology for testing and production use by importing the sample
Intune App Protection Policy Configuration Framework JSON templates with Intune's
PowerShell scripts.

See also
How to create and deploy app protection policies with Microsoft Intune
Available Android app protection policy settings with Microsoft Intune
Available iOS/iPadOS app protection policy settings with Microsoft Intune
How to create and assign app protection policies
Article • 06/07/2023

Learn how to create and assign Microsoft Intune app protection policies (APP) for users
of your organization. This topic also describes how to make changes to existing policies.

Before you begin

App protection policies can apply to apps running on devices that may or may not be
managed by Intune. For a more detailed description of how app protection policies
work and the scenarios that are supported by Intune app protection policies, see App
protection policies overview.

The choices available in app protection policies (APP) enable organizations to tailor the
protection to their specific needs. For some, it may not be obvious which policy settings
are required to implement a complete scenario. To help organizations prioritize mobile
client endpoint hardening, Microsoft has introduced taxonomy for its APP data
protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels,
with each level building off the previous level:

Enterprise basic data protection (Level 1) ensures that apps are protected with a
PIN and encrypted and performs selective wipe operations. For Android devices,
this level validates Android device attestation. This is an entry level configuration
that provides data protection control similar to Exchange Online mailbox policies
and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage
prevention mechanisms and minimum OS requirements. This is the configuration
that is applicable to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection
mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This
configuration is desirable for users that are accessing high risk data.

To see the specific recommendations for each configuration level and the minimum
apps that must be protected, review Data protection framework using app protection
policies.
If you're looking for a list of apps that have integrated the Intune SDK, see Microsoft
Intune protected apps.

For information about adding your organization's line-of-business (LOB) apps to
Microsoft Intune to prepare for app protection policies, see Add apps to Microsoft
Intune.

App protection policies for iOS/iPadOS and Android apps

When you create an app protection policy for iOS/iPadOS and Android apps, you follow
a modern Intune process flow that results in a new app protection policy. For
information about creating app protection policies for Windows apps, see Create and
deploy Windows Information Protection (WIP) policy with Intune.

Create an iOS/iPadOS or Android app protection policy

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > App protection policies. This selection opens the App protection
policies details, where you create new policies and edit existing policies.

3. Select Create policy and select either iOS/iPadOS or Android. The Create policy
pane is displayed.

4. On the Basics page, add the following values:

Value | Description
Name | The name of this app protection policy.
Description | [Optional] The description of this app protection policy.

The Platform value is set based on your above choice.

5. Click Next to display the Apps page.
The Apps page allows you to choose which apps should be targeted by this policy.
You must add at least one app.

Value/Option | Description
Target policy to | In the Target policy to dropdown box, choose to target your app protection policy to All Apps, Microsoft Apps, or Core Microsoft Apps. All Apps includes all Microsoft and partner apps that have integrated the Intune SDK. Microsoft Apps includes all Microsoft apps that have integrated the Intune SDK. Core Microsoft Apps includes the following apps: Edge, Excel, Office, OneDrive, OneNote, Outlook, PowerPoint, SharePoint, Teams, To Do, and Word. Next, you can select View a list of the apps that will be targeted to view a list of the apps that will be affected by this policy.
Public apps | If you do not want to select one of the pre-defined app groups, you can choose to target individual apps by selecting Selected apps in the Target policy to dropdown box. Click Select public apps to select public apps to target.
Custom apps | If you do not want to select one of the pre-defined app groups, you can choose to target individual apps by selecting Selected apps in the Target policy to dropdown box. Click Select custom apps to select custom apps to target based on a Bundle ID. You cannot choose a custom app when targeting all public apps in the same policy.

The app(s) you have selected will appear in the public and custom apps list.
Note

Public apps are apps from Microsoft and partners that are commonly used with
Microsoft Intune. These Intune protected apps are enabled with a rich set of
support for mobile application protection policies. For more information, see
Microsoft Intune protected apps. Custom apps are LOB apps that have been
integrated with the Intune SDK or wrapped by the Intune App Wrapping Tool. For
more information, see Microsoft Intune App SDK Overview and Prepare
line-of-business apps for app protection policies.

6. Click Next to display the Data protection page.

This page provides settings for data loss prevention (DLP) controls, including cut,
copy, paste, and save-as restrictions. These settings determine how users interact
with data in the apps that this app protection policy applies to.

Data protection settings:

iOS/iPadOS data protection - For information, see iOS/iPadOS app
protection policy settings - Data protection.
Android data protection - For information, see Android app protection policy
settings - Data protection.

7. Click Next to display the Access requirements page.

This page provides settings to allow you to configure the PIN and credential
requirements that users must meet to access apps in a work context.

Access requirements settings:

iOS/iPadOS access requirements - For information, see iOS/iPadOS app
protection policy settings - Access requirements.
Android access requirements - For information, see Android app protection
policy settings - Access requirements.

8. Click Next to display the Conditional launch page.

This page provides settings to set the sign-in security requirements for your app
protection policy. Select a Setting and enter the Value that users must meet to
sign in to your company app. Then select the Action you want to take if users do
not meet your requirements. In some cases, multiple actions can be configured for
a single setting.

Conditional launch settings:

iOS/iPadOS conditional launch - For information, see iOS/iPadOS app
protection policy settings - Conditional launch.
Android conditional launch - For information, see Android app protection
policy settings - Conditional launch.

9. Click Next to display the Assignments page.

The Assignments page allows you to assign the app protection policy to groups of
users. You must apply the policy to a group of users to have the policy take effect.

10. Click Next: Review + create to review the values and settings you entered for this
app protection policy.

11. When you are done, click Create to create the app protection policy in Intune.

Tip

These policy settings are enforced only when using apps in the work context.
When end users use the app to do a personal task, they aren't affected by
these policies. Note that when you create a new file it is considered a personal
file.

Important

It can take time for app protection policies to apply to existing devices. End
users will see a notification on the device when the app protection policy is
applied. Apply your app protection policies to devices before applying
conditional access rules.

End users can download the apps from the App store or Google Play. For more
information, see:

Where to find work or school apps for iOS/iPadOS
Where to find work or school apps for Android

Change existing policies

You can edit an existing policy and apply it to the targeted users. However, when you
change existing policies, users who are already signed in to the apps won't see the
changes for an eight-hour period.
To see the effect of the changes immediately, the end user must sign out of the app, and
then sign back in.

To change the list of apps associated with the policy

1. In the App protection policies pane, select the policy you want to change.

2. In the Intune App Protection pane, select Properties.

3. Next to the section titled Apps, select Edit.

4. The Apps page allows you to choose which apps should be targeted by this policy.
You must add at least one app.

Value/Option | Description
Public apps | In the Target policy to dropdown box, choose to target your app protection policy to All public apps, Microsoft Apps, or Core Microsoft Apps. Next, you can select View a list of the apps that will be targeted to view a list of the apps that will be affected by this policy. If needed, you can choose to target individual apps by clicking Select public apps.
Custom apps | Click Select custom apps to select custom apps to target based on a Bundle ID.

The app(s) you have selected will appear in the public and custom apps list.

5. Click Review + create to review the apps selected for this policy.

6. When you are done, click Save to update the app protection policy.

To change the list of user groups

1. In the App protection policies pane, select the policy you want to change.

2. In the Intune App Protection pane, select Properties.

3. Next to the section titled Assignments, select Edit.

4. To add a new user group to the policy, on the Include tab choose Select groups to
include, and select the user group. Choose Select to add the group.

5. To exclude a user group, on the Exclude tab choose Select groups to exclude, and
select the user group. Choose Select to remove the user group.
6. To delete groups that were added previously, on either the Include or Exclude tabs,
select the ellipsis (...) and select Delete.

7. Click Review + create to review the user groups selected for this policy.

8. After your changes to the assignments are ready, select Save to save the
configuration and deploy the policy to the new set of users. If you select Cancel
before you save your configuration, you will discard all changes you've made to
the Include and Exclude tabs.

To change policy settings

1. In the App protection policies pane, select the policy you want to change.

2. In the Intune App Protection pane, select Properties.

3. Next to the section corresponding to the settings you want to change, select Edit. Then change the settings to new values.

4. Click Review + create to review the updated settings for this policy.

5. Select Save to save your changes. Repeat the process to select a settings area, modify it, and save your changes, until all your changes are complete. You can then close the Intune App Protection - Properties pane.

Target app protection policies based on device management state

In many organizations, it's common to allow end users to use both Intune Mobile Device Management (MDM) managed devices, such as corporate owned devices, and unmanaged devices protected only with Intune app protection policies. Unmanaged devices are often known as Bring Your Own Devices (BYOD).

Because Intune app protection policies target a user's identity, the protection settings for a user can apply to both enrolled (MDM managed) and non-enrolled devices (no MDM). Therefore, you can target an Intune app protection policy to either Intune enrolled or unenrolled iOS/iPadOS and Android devices using filters. For more information on creating filters, see Use filters when assigning policies. You can have one protection policy for unmanaged devices in which strict data loss prevention (DLP) controls are in place, and a separate protection policy for MDM managed devices, where the DLP controls may be a little more relaxed. For more information about how this works on personal Android Enterprise devices, see App protection policies and work profiles.

To use these filters when assigning policies, browse to Apps > App protection policies in the Intune admin center, and then select Create policy. You can also edit an existing app protection policy. Navigate to the Assignments page and select Edit filter to include or exclude filters for the assigned group.

Device Management types

Unmanaged: For iOS/iPadOS devices, unmanaged devices are any devices where either Intune MDM management or a 3rd party MDM/EMM solution does not pass the IntuneMAMUPN key. For Android devices, unmanaged devices are devices where Intune MDM management has not been detected. This includes devices managed by third-party MDM vendors.

Intune managed devices: Managed devices are managed by Intune MDM.

Android device administrator: Intune-managed devices using the Android Device Administration API.

Android Enterprise: Intune-managed devices using Android Enterprise Work Profiles or Android Enterprise Full Device Management.

Android Enterprise corporate-owned dedicated devices with Azure AD Shared device mode: Intune-managed devices using Android Enterprise dedicated devices with Shared device mode.

Android (AOSP) user-associated devices: Intune-managed devices using AOSP user-associated management.

Android (AOSP) userless devices: Intune-managed devices using AOSP userless devices. These devices also leverage Azure AD Shared device mode.

Android devices will prompt to install the Intune Company Portal app regardless of which Device Management type is chosen. For example, if you select 'Android Enterprise' then users with unmanaged Android devices will still be prompted.

For iOS/iPadOS, additional app configuration settings are required for the Device Management type to be enforced on Intune managed devices. These configurations tell the APP service that a particular app is MDM managed; without them, APP treats the app as unmanaged:

IntuneMAMUPN and IntuneMAMOID must be configured for all MDM managed applications. For more information, see How to manage data transfer between iOS/iPadOS apps in Microsoft Intune.

IntuneMAMDeviceID must be configured for all third-party and line-of-business MDM managed applications. The IntuneMAMDeviceID should be configured to the device ID token. For example, key=IntuneMAMDeviceID, value={{deviceID}}. For more information, see Add app configuration policies for managed iOS/iPadOS devices.

If only the IntuneMAMDeviceID is configured, the Intune APP will consider the device as unmanaged.
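The following is an added example, not Intune's own code, that applies the iOS/iPadOS rules above: it reports which of the three keys an MDM-managed app is still missing, classifies the app as managed or unmanaged the way the APP service will (a configuration carrying only IntuneMAMDeviceID counts as unmanaged), and builds the settings list for the app configuration policy that marks an app as managed. Assumptions: the Graph payload shape (an iosMobileAppConfiguration whose settings are appConfigurationSettingItem entries) and the {{userprincipalname}} / {{userid}} tokens for the UPN and OID keys are my recollection of the Graph beta schema and the linked data-transfer article, so verify them against the current reference; the app names, UPN and IDs are constructed sample data.

```python
"""Classify an iOS/iPadOS app the way the Intune APP service does and build
the app configuration that marks it as MDM managed. Added example, not
Intune code; see the lead-in for the assumptions."""

DEVICE_ID_TOKEN = "{{deviceID}}"  # token named in the text above

# Assumed tokens (from the linked data-transfer article, not this page).
VALUE_TOKENS = {
    "IntuneMAMUPN": "{{userprincipalname}}",
    "IntuneMAMOID": "{{userid}}",
    "IntuneMAMDeviceID": DEVICE_ID_TOKEN,
}


def required_keys(third_party_or_lob: bool) -> list[str]:
    """UPN and OID for every MDM-managed app; the device ID as well for
    third-party and line-of-business apps."""
    keys = ["IntuneMAMUPN", "IntuneMAMOID"]
    if third_party_or_lob:
        keys.append("IntuneMAMDeviceID")
    return keys


def missing_keys(app_config: dict[str, str], third_party_or_lob: bool) -> list[str]:
    """Required keys that are absent or empty in what the app received."""
    return [k for k in required_keys(third_party_or_lob) if not app_config.get(k)]


def management_state(app_config: dict[str, str], third_party_or_lob: bool) -> str:
    """'managed' only when every required key is present. A config that
    carries only IntuneMAMDeviceID therefore comes out 'unmanaged'."""
    return "managed" if not missing_keys(app_config, third_party_or_lob) else "unmanaged"


def managed_app_config_settings(third_party_or_lob: bool) -> list[dict]:
    """Settings array for an iosMobileAppConfiguration (assumed Graph shape).
    Intune resolves the tokens per user and device when it delivers the
    configuration to the managed app."""
    return [
        {
            "@odata.type": "#microsoft.graph.appConfigurationSettingItem",
            "appConfigKey": key,
            "appConfigKeyType": "stringType",
            "appConfigKeyValue": VALUE_TOKENS[key],
        }
        for key in required_keys(third_party_or_lob)
    ]


def policy_for(app_config: dict[str, str], third_party_or_lob: bool,
               policies: dict[str, str]) -> str:
    """Which of two policies (one per management state) the app will fall under."""
    return policies[management_state(app_config, third_party_or_lob)]


if __name__ == "__main__":
    # Constructed sample: what two apps on one enrolled device actually received.
    outlook = {"IntuneMAMUPN": "alice@contoso.example",
               "IntuneMAMOID": "00000000-0000-0000-0000-000000000001"}
    lob_app = {"IntuneMAMDeviceID": "device-abc"}   # device ID only
    policies = {"managed": "APP - MDM enrolled (relaxed DLP)",
                "unmanaged": "APP - BYOD (strict DLP)"}
    print("Outlook:", management_state(outlook, False), "->", policy_for(outlook, False, policies))
    print("LOB app:", management_state(lob_app, True), "missing", missing_keys(lob_app, True))
    print("Fix for LOB app:", managed_app_config_settings(True))
```

Run it on the configuration an app actually reports (for example from the app's diagnostics) to see whether the strict BYOD policy or the relaxed MDM policy is the one that will apply; the usual surprise is a line-of-business app that received the device ID but not the UPN and OID, which lands on the strict policy.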

Policy settings
To see a full list of the policy settings for iOS/iPadOS and Android, select one of the
following links:

iOS/iPadOS policies
Android policies

Next steps
Monitor compliance and user status

See also
Where to find work or school apps for Android (user help)

Where to find work or school apps for iOS/iPadOS (user help)


Android app protection policy settings
in Microsoft Intune
Article • 08/14/2023

This article describes the app protection policy settings for Android devices. The policy
settings that are described can be configured for an app protection policy on the
Settings pane in the portal. There are three categories of policy settings: data protection
settings, access requirements, and conditional launch. In this article, the term policy-
managed apps refers to apps that are configured with app protection policies.

Important

The Intune Company Portal is required on the device to receive App Protection Policies for Android devices.

The Intune Managed Browser has been retired. Use Microsoft Edge for your protected Intune browser experience.

Data protection

Data Transfer

Setting: Backup org data to Android backup services
Default value: Allow
How to use: Select Block to prevent this app from backing up work or school data to the Android Backup Service. Select Allow to allow this app to back up work or school data.

Setting: Send org data to other apps
Default value: All apps
How to use: Specify what apps can receive data from this app:
  Policy managed apps: Allow transfer only to other policy-managed apps.
  All apps: Allow transfer to any app.
  None: Do not allow data transfer to any app, including other policy-managed apps.
There are some exempt apps and services to which Intune may allow data transfer by default. In addition, you can create your own exemptions if you need to allow data to transfer to an app that doesn't support Intune APP. For more information, see Data transfer exemptions.
This policy may also apply to Android App Links. General web links are managed by the Open app links in Intune Managed Browser policy setting.
Note: Intune doesn't currently support the Android Instant Apps feature. Intune will block any data connection to or from the app. For more information, see Android Instant Apps in the Android Developer documentation.
Note: If Send org data to other apps is configured to All apps, text data may still be transferred via OS sharing to the clipboard.

Setting: Select apps to exempt
How to use: This option is available when you select Policy managed apps for the previous option.

Setting: Save copies of org data
Default value: Allow
How to use: Choose Block to disable the use of the Save As option in this app. Choose Allow if you want to allow the use of Save As. When set to Block, you can configure the setting Allow user to save copies to selected services.
Note:
  This setting is supported for Microsoft Excel, OneNote, PowerPoint, Word, and Edge. It may also be supported by third-party and LOB apps.
  This setting is only configurable when the setting Send org data to other apps is set to Policy managed apps.
  This setting will be "Allow" when the setting Send org data to other apps is set to All apps.
  This setting will be "Block" with no allowed service locations when the setting Send org data to other apps is set to None.

Setting: Allow user to save copies to selected services
Default value: 0 selected
How to use: Users can save to the selected services (OneDrive for Business, SharePoint, Photo Library, Box, and Local Storage). All other services will be blocked.

Setting: Transfer telecommunications data to
Default value: Any dialer app
How to use: Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it is initiated from a policy-managed app:
  None, do not transfer this data between apps: Do not transfer communication data when a phone number is detected.
  A specific dialer app: Allow a specific dialer app to initiate contact when a phone number is detected.
  Any policy-managed dialer app: Allow any policy-managed dialer app to initiate contact when a phone number is detected.
  Any dialer app: Allow any dialer app to be used to initiate contact when a phone number is detected.

Setting: Dialer App Package ID
Default value: Blank
How to use: When a specific dialer app has been selected, you must provide the app package ID.

Setting: Dialer App Name
Default value: Blank
How to use: When a specific dialer app has been selected, you must provide the name of the dialer app.

Setting: Receive data from other apps
Default value: All apps
How to use: Specify what apps can transfer data to this app:
  Policy managed apps: Allow transfer only from other policy-managed apps.
  All apps: Allow data transfer from any app.
  None: Do not allow data transfer from any app, including other policy-managed apps.
There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.

Setting: Open data into Org documents
Default value: Allow
How to use: Select Block to disable the use of the Open option or other options to share data between accounts in this app. Select Allow if you want to allow the use of Open. When set to Block, you can configure the Allow user to open data from selected services setting to specify which services are allowed for Org data locations.
Note:
  This setting is only configurable when the setting Receive data from other apps is set to Policy managed apps.
  This setting will be "Allow" when the setting Receive data from other apps is set to All apps.
  This setting will be "Block" with no allowed service locations when the setting Receive data from other apps is set to None.
  The following apps support this setting: OneDrive 6.14.1 or later; Outlook for Android 4.2039.2 or later; Teams for Android 1416/1.0.0.2021173701 or later.

Setting: Allow users to open data from selected services
Default value: All selected
How to use: Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data.
Supported services: OneDrive for Business, SharePoint Online, Camera, Photo Library.
Note: Camera does not include Photos or Photo Gallery access. Selecting Photo Library (which includes Android's Photo picker tool) in this setting allows managed accounts to bring images and video from the device's local storage into their managed apps.

Setting: Restrict cut, copy and paste between other apps
Default value: Any app
How to use: Specify when cut, copy, and paste actions can be used with this app. Choose from:
  Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
  Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  Any app: No restrictions for cut, copy, and paste to and from this app.

Setting: Cut and copy character limit for any app
Default value: 0
How to use: Specify the number of characters that may be cut or copied from org data and accounts. This allows sharing of the specified number of characters when it would otherwise be blocked by the "Restrict cut, copy, and paste with other apps" setting.
Note: Requires Intune Company Portal version 5.0.4364.0 or later.

Setting: Screen capture and Google Assistant
Default value: Block
How to use: Select Block to block screen capture and block Google Assistant from accessing org data on the device when using this app. Choosing Block will also blur the App-switcher preview image when using this app with a work or school account.
Note: Google Assistant may be accessible to users for scenarios that do not access org data.

Setting: Approved keyboards
Default value: Not required
How to use: Select Require and then specify a list of approved keyboards for this policy. Users who aren't using an approved keyboard receive a prompt to download and install an approved keyboard before they can use the protected app. This setting requires the app to have the Intune SDK for Android version 6.2.0 or later.

Setting: Select keyboards to approve
How to use: This option is available when you select Require for the previous option. Choose Select to manage the list of keyboards and input methods that can be used with apps protected by this policy. You can add additional keyboards to the list, and remove any of the default options. You must have at least one approved keyboard to save the setting. Over time, Microsoft may add additional keyboards to the list for new App Protection Policies, which will require administrators to review and update existing policies as needed.
To add a keyboard, specify:
  Name: A friendly name that identifies the keyboard, and is visible to the user.
  Package ID: The Package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is https://play.google.com/store/details?id=com.contosokeyboard.android.prod, then the Package ID is com.contosokeyboard.android.prod. This package ID is presented to the user as a simple link to download the keyboard from Google Play.
Note: A user assigned multiple App Protection Policies will be allowed to use only the approved keyboards common to all policies.

Encryption

Setting: Encrypt org data
Default value: Require
How to use: Choose Require to enable encryption of work or school data in this app. Intune uses wolfSSL with a 256-bit AES encryption scheme, along with the Android Keystore system, to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted. New files will be encrypted with 256-bit keys. Existing 128-bit encrypted files will undergo a migration attempt to 256-bit keys, but the process is not guaranteed. Files encrypted with 128-bit keys will remain readable.
The encryption method is FIPS 140-2 validated; for more information, see wolfCrypt FIPS 140-2 and FIPS 140-3.

Setting: Encrypt org data on enrolled devices
Default value: Require
How to use: Select Require to enforce encrypting org data with Intune app layer encryption on all devices. Select Not required to not enforce encrypting org data with Intune app layer encryption on enrolled devices.

Functionality

Setting: Sync policy managed app data with native apps or add-ins
Default value: Allow
How to use: Choose Block to prevent policy managed apps from saving data to the device's native apps (Contacts, Calendar and widgets) and to prevent the use of add-ins within the policy managed apps. If not supported by the application, saving data to native apps and using add-ins will be allowed.
If you choose Allow, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app.
Applications may provide additional controls to customize the data sync behavior to specific native apps or not honor this control.
Note: When you perform a selective wipe to remove work or school data from the app, data synced directly from the policy managed app to the native app is removed. Any data synced from the native app to another external source will not be wiped.
Note: The following apps support this feature: Outlook for Android; see Deploying Outlook for iOS and Android app configuration settings.

Setting: Printing Org data
Default value: Allow
How to use: Choose Block to prevent the app from printing work or school data. If you leave this setting at Allow, the default value, users will be able to export and print all Org data.

Setting: Restrict web content transfer with other apps
Default value: Not configured
How to use: Specify how web content (http/https links) is opened from policy-managed applications. Choose from:
  Any app: Allow web links in any app.
  Intune Managed Browser: Allow web content to open only in the Intune Managed Browser. This browser is a policy-managed browser.
  Microsoft Edge: Allow web content to open only in Microsoft Edge. This browser is a policy-managed browser.
  Unmanaged browser: Allow web content to open only in the unmanaged browser defined by the Unmanaged Browser ID setting. The web content will be unmanaged in the target browser. Note: Requires Intune Company Portal version 5.0.4415.0 or later.

Policy-managed browsers
On Android, your end users can choose from other policy-managed apps that support http/https links if neither Intune Managed Browser nor Microsoft Edge is installed.
If a policy-managed browser is required but not installed, your end users will be prompted to install Microsoft Edge.
If a policy-managed browser is required, Android App Links are managed by the Allow app to transfer data to other apps policy setting.

Intune device enrollment
If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.

Policy-managed Microsoft Edge
The Microsoft Edge browser for mobile devices (iOS/iPadOS and Android) supports Intune app protection policies. Users who sign in with their corporate Azure AD accounts in the Microsoft Edge browser application will be protected by Intune. The Microsoft Edge browser integrates the APP SDK and supports all of its data protection policies, with the exception of preventing:
  Save-as: The Microsoft Edge browser does not allow a user to add direct, in-app connections to cloud storage providers (such as OneDrive).
  Contact sync: The Microsoft Edge browser does not save to native contact lists.
Note: The APP SDK cannot determine if a target app is a browser. On Android devices, other managed browser apps that support the http/https intent are allowed.

Setting: Unmanaged Browser ID
Default value: Blank
How to use: Enter the application ID for a single browser. Web content (http/https links) from policy managed applications will open in the specified browser. The web content will be unmanaged in the target browser.

Setting: Unmanaged Browser Name
Default value: Blank
How to use: Enter the application name for the browser associated with the Unmanaged Browser ID. This name will be displayed to users if the specified browser is not installed.

Setting: Org data notifications
Default value: Allow
How to use: Specify how much org data is shared via OS notifications for org accounts. This policy setting will impact the local device and any connected devices such as wearables and smart speakers. Apps may provide additional controls to customize notification behavior or may choose to not honor all values. Select from:
  Block: Do not share notifications. If not supported by the application, notifications will be allowed.
  Block org data: Do not share org data in notifications. For example, "You have new mail"; "You have a meeting". If not supported by the application, notifications will be blocked.
  Allow: Shares org data in the notifications.
Note: This setting requires app support: Outlook for Android 4.0.95 or later; Teams for Android 1416/1.0.0.2020092202 or later.
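Several of the data protection settings above depend on each other: Save copies of org data and Open data into Org documents are forced to Allow when Send/Receive is All apps and forced to Block with no locations when it is None, the cut-and-copy character limit is an exemption that only matters while the clipboard is restricted, and All apps outbound still leaks text through the OS share sheet. The following added example (not Intune's code) resolves what a policy will actually enforce and lints it for those traps. The dictionary keys and option spellings are my own shorthand for the admin center settings, not Graph property names, and the two sample policies are constructed.

```python
"""Effective Android data-transfer settings and review warnings for an app
protection policy, from the dependency rules in the table above.
Added example, not Intune code; keys are shorthand for the admin center names."""

SEND_RECEIVE = {"policy_managed", "all", "none"}
SAVE_SERVICES = {"OneDrive for Business", "SharePoint", "Photo Library", "Box", "Local Storage"}


def _dependent(parent, configured, locations):
    """Save copies / Open data: forced to Allow when the parent is All apps,
    forced to Block with no locations when the parent is None, otherwise as set."""
    if parent == "all":
        return "allow", []
    if parent == "none":
        return "block", []
    return configured, (list(locations) if configured == "block" else [])


def effective_settings(p):
    """Return the data-transfer settings as the app will actually enforce them."""
    send, receive = p["send_org_data_to_other_apps"], p["receive_data_from_other_apps"]
    if send not in SEND_RECEIVE or receive not in SEND_RECEIVE:
        raise ValueError("unknown Send/Receive option")
    save, save_to = _dependent(send, p.get("save_copies_of_org_data", "allow"),
                               p.get("save_copies_to_selected_services", []))
    opn, open_from = _dependent(receive, p.get("open_data_into_org_documents", "allow"),
                                p.get("open_data_from_selected_services", []))
    return {
        "save_copies_of_org_data": save,
        "save_copies_to_selected_services": save_to,
        "open_data_into_org_documents": opn,
        "open_data_from_selected_services": open_from,
        "restrict_cut_copy_paste": p.get("restrict_cut_copy_paste", "any"),
        "cut_copy_character_limit": int(p.get("cut_copy_character_limit", 0)),
    }


def lint(p):
    """Warnings a reviewer would raise before assigning the policy."""
    eff = effective_settings(p)
    clip, limit = eff["restrict_cut_copy_paste"], eff["cut_copy_character_limit"]
    w = []
    if p["send_org_data_to_other_apps"] == "all":
        if p.get("save_copies_of_org_data") == "block":
            w.append("Save copies = Block is ignored: Send org data = All apps forces it to Allow")
        if clip != "any":
            w.append("Send org data = All apps: text can still reach the clipboard via OS "
                     "sharing, so the cut/copy/paste restriction is not a complete control")
    if p["receive_data_from_other_apps"] == "all" and p.get("open_data_into_org_documents") == "block":
        w.append("Open data = Block is ignored: Receive data = All apps forces it to Allow")
    unknown = set(eff["save_copies_to_selected_services"]) - SAVE_SERVICES
    if unknown:
        w.append(f"unknown save location(s): {sorted(unknown)}")
    if limit > 0 and clip == "any":
        w.append("cut/copy character limit has no effect while clipboard sharing is Any app")
    elif limit > 0:
        w.append(f"clipboard exemption: up to {limit} characters of org data may leave the app per cut/copy")
    if p.get("restrict_web_content_transfer") == "unmanaged_browser" and not (
            p.get("unmanaged_browser_id") and p.get("unmanaged_browser_name")):
        w.append("Unmanaged browser selected but Unmanaged Browser ID/Name are blank")
    if p.get("transfer_telecommunications_data_to") == "specific_dialer" and not (
            p.get("dialer_app_package_id") and p.get("dialer_app_name")):
        w.append("A specific dialer app selected but Dialer App Package ID/Name are blank")
    if p.get("approved_keyboards") == "require" and not p.get("keyboards"):
        w.append("Approved keyboards = Require needs at least one keyboard")
    if p.get("screen_capture_and_google_assistant", "block") != "block":
        w.append("screen capture and Google Assistant access to org data are allowed")
    return w


# Constructed samples: a BYOD policy that looks strict but is not, and a hardened one.
BYOD_LOOSE = {
    "send_org_data_to_other_apps": "all",
    "receive_data_from_other_apps": "all",
    "save_copies_of_org_data": "block",          # silently becomes Allow
    "restrict_cut_copy_paste": "policy_managed",  # bypassable via OS sharing
}
BYOD_STRICT = {
    "send_org_data_to_other_apps": "policy_managed",
    "receive_data_from_other_apps": "policy_managed",
    "save_copies_of_org_data": "block",
    "save_copies_to_selected_services": ["OneDrive for Business", "SharePoint"],
    "open_data_into_org_documents": "block",
    "open_data_from_selected_services": ["OneDrive for Business", "SharePoint Online"],
    "restrict_cut_copy_paste": "policy_managed_paste_in",
    "cut_copy_character_limit": 0,
    "restrict_web_content_transfer": "microsoft_edge",
    "transfer_telecommunications_data_to": "any_policy_managed_dialer",
    "approved_keyboards": "require",
    "keyboards": [{"name": "Contoso Keyboard", "package_id": "com.contosokeyboard.android.prod"}],
    "screen_capture_and_google_assistant": "block",
}

if __name__ == "__main__":
    for name, pol in (("loose", BYOD_LOOSE), ("strict", BYOD_STRICT)):
        print(name, effective_settings(pol), lint(pol), sep="\n  ")
```

The point of the lint pass is the first sample: an admin who sets Save copies to Block but leaves Send org data at All apps has configured nothing, because the admin center resolves the dependent setting to Allow, and the clipboard restriction they added is not a real boundary either.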

Data transfer exemptions

There are some exempt apps and platform services that Intune app protection policies allow data transfer to and from. For example, all Intune-managed apps on Android must be able to transfer data to and from Google Text-to-speech, so that text from your mobile device screen can be read aloud. This list is subject to change and reflects the services and apps considered useful for secure productivity.

Full exemptions
These apps and services are fully allowed for data transfer to and from Intune-managed apps.

App/service name: Description
com.android.phone: Native phone app
com.android.vending: Google Play Store
com.google.android.webview: WebView, which is necessary for many apps including Outlook.
com.android.webview: WebView, which is necessary for many apps including Outlook.
com.google.android.tts: Google Text-to-speech
com.android.providers.settings: Android system settings
com.android.settings: Android system settings
com.azure.authenticator: Azure Authenticator app, which is required for successful authentication in many scenarios.
com.microsoft.windowsintune.companyportal: Intune Company Portal

Conditional exemptions
These apps and services are only allowed for data transfer to and from Intune-managed apps under certain conditions.

App/service name (Description): Exemption condition
com.android.chrome (Google Chrome Browser): Chrome is used for some WebView components on Android 7.0+ and is never hidden from view. Data flow to and from the app, however, is always restricted.
com.skype.raider (Skype): The Skype app is allowed only for certain actions that result in a phone call.
com.android.providers.media (Android media content provider): The media content provider is allowed only for the ringtone selection action.
com.google.android.gms; com.google.android.gsf (Google Play Services packages): These packages are allowed for Google Cloud Messaging actions, such as push notifications.
com.google.android.apps.maps (Google Maps): Addresses are allowed for navigation.
com.android.documentsui (Android Document Picker): Allowed when opening or creating a file.
com.google.android.documentsui (Android Document Picker, Android 10+): Allowed when opening or creating a file.

For more information, see Data transfer policy exceptions for apps.

Access requirements

Setting: PIN for access
Default value: Require
How to use: Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. You can configure the PIN strength using the settings available under the PIN for access section.

Setting: PIN type
Default value: Numeric
How to use: Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character.
Note: Special characters allowed include the special characters and symbols on the Android English language keyboard.

Setting: Simple PIN
Default value: Allow
How to use: Select Allow to allow users to use simple PIN sequences like 1234, 1111, abcd or aaaa. Select Block to prevent them from using simple sequences. Simple sequences are checked in 3 character sliding windows. If Block is configured, 1235 or 1112 would not be accepted as a PIN set by the end user, but 1122 would be allowed.
Note: If Passcode type PIN is configured, and Simple PIN is set to Allow, the user needs at least one letter or at least one special character in their PIN. If Passcode type PIN is configured, and Simple PIN is set to Block, the user needs at least one number and one letter and at least one special character in their PIN.

Setting: Select minimum PIN length
Default value: 4
How to use: Specify the minimum number of digits in a PIN sequence.

Setting: Biometrics instead of PIN for access
How to use: Select Allow to let users authenticate with biometrics instead of the PIN on Android devices. If allowed, biometrics is used to access the app on Android 10 or higher devices.

Setting: Override biometric with PIN after timeout
Default value: Require
How to use: To use this setting, select Require and then configure an inactivity timeout.

Setting: Timeout (minutes of inactivity)
Default value: 30
How to use: Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a biometric. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.

Setting: Class 3 biometrics (Android 9.0+)
How to use: Select Require to require the user to sign in with class 3 biometrics. For more information on class 3 biometrics, see Biometrics in Google's documentation.

Setting: Override biometrics with PIN after biometric updates
How to use: Select Require to override the use of biometrics with PIN when a change in biometrics is detected.
Note: This setting only takes effect once a biometric has been used to access the app. Depending on the Android device manufacturer, not all forms of biometrics may be supported for cryptographic operations. Currently, cryptographic operations are supported for any biometric (e.g., fingerprint, iris, or face) on the device that meets or exceeds the requirements for Class 3 biometrics, as defined in the Android documentation. See the BIOMETRIC_STRONG constant of the BiometricManager.Authenticators interface and the authenticate method of the BiometricPrompt class. You may need to contact your device manufacturer to understand the device-specific limitations.

Setting: PIN reset after number of days
Default value: No
How to use: Select Yes to require users to change their app PIN after a set period of time, in days. When set to Yes, you then configure the number of days before the PIN reset is required.

Setting: Number of days
Default value: 90
How to use: Configure the number of days before the PIN reset is required.

Setting: Select number of previous PIN values to maintain
Default value: 0
How to use: This setting specifies the number of previous PINs that Intune will maintain. Any new PINs must be different from those that Intune is maintaining.

Setting: App PIN when device PIN is set
Default value: Require
How to use: Select Not required to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.

Setting: Work or school account credentials for access
Default value: Not required
How to use: Choose Require to require the user to sign in with their work or school account instead of entering a PIN for app access. When set to Require, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.

Setting: Recheck the access requirements after (minutes of inactivity)
Default value: 30 minutes
How to use: Configure the following setting:
  Timeout: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an admin turns on PIN and blocks rooted devices in the policy; a user opens an Intune-managed app, must enter a PIN, and must be using the app on a non-rooted device. When using this setting, the user won't have to enter a PIN or undergo another root-detection check on any Intune-managed app for a period of time equal to the configured value.
This policy setting format supports a positive whole number.
Note: On Android, the PIN is shared with all Intune-managed apps. The PIN timer is reset once the app leaves the foreground on the device. The user won't have to enter a PIN on any Intune-managed app that shares its PIN for the duration of the timeout defined in this setting.

Note

To learn more about how multiple Intune app protection settings configured in the Access section to the same set of apps and users work on Android, see Intune MAM frequently asked questions and Selectively wipe data using app protection policy access actions in Intune.
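The following added example (not Intune's code) applies the PIN rules from the Access requirements table to candidate PINs: PIN type, minimum length, the Simple PIN check in 3-character sliding windows (1235 and 1112 rejected, 1122 accepted), the extra character-class rules for passcode-type PINs, PIN history, and the rule that the biometric override timeout should exceed the recheck interval. Assumptions: descending runs such as 4321 are treated as simple like ascending ones, "special character" is approximated by string.punctuation rather than the exact Android English keyboard symbol set, and the policy dictionary keys are my shorthand for the setting names.

```python
"""Android app PIN acceptance rules from the Access requirements table above.
Added example, not Intune code; see the lead-in for the assumptions."""

import string

SPECIALS = set(string.punctuation)  # assumption: stand-in for the Android English keyboard symbols


def is_simple_sequence(pin: str) -> bool:
    """True if any 3-character window is all one character (111, aaa) or a
    run of consecutive characters (123, abc). Descending runs (321) are
    treated the same, which is an assumption beyond the examples in the text."""
    for i in range(len(pin) - 2):
        a, b, c = (ord(ch) for ch in pin[i:i + 3])
        if a == b == c:
            return True
        if b - a == c - b and abs(b - a) == 1:
            return True
    return False


def pin_violations(pin: str, policy: dict, previous_pins=()) -> list[str]:
    """Return every rule the candidate PIN breaks; an empty list means accepted."""
    v = []
    min_len = int(policy.get("minimum_pin_length", 4))
    if len(pin) < min_len:
        v.append(f"shorter than minimum length {min_len}")
    has_digit = any(ch.isdigit() for ch in pin)
    has_letter = any(ch.isalpha() for ch in pin)
    has_special = any(ch in SPECIALS for ch in pin)
    simple_allowed = policy.get("simple_pin", "allow") == "allow"
    if policy.get("pin_type", "numeric") == "numeric":
        if not pin.isdigit():
            v.append("numeric PIN type allows digits only")
    else:  # passcode type: rules differ with the Simple PIN setting
        if simple_allowed and not (has_letter or has_special):
            v.append("passcode needs at least one letter or one special character")
        if not simple_allowed and not (has_digit and has_letter and has_special):
            v.append("passcode with Simple PIN blocked needs a number, a letter and a special character")
    if not simple_allowed and is_simple_sequence(pin):
        v.append("simple sequence (checked in 3-character sliding windows)")
    history = int(policy.get("previous_pin_values_to_maintain", 0))
    if history and pin in list(previous_pins)[-history:]:
        v.append(f"matches one of the last {history} PINs")
    return v


def timeout_issues(policy: dict) -> list[str]:
    """The biometric override timeout should be greater than the interval
    after which access requirements are rechecked."""
    if policy.get("override_biometric_with_pin_after_timeout", "require") != "require":
        return []
    bio = int(policy.get("override_biometric_timeout_minutes", 30))
    recheck = int(policy.get("recheck_access_after_minutes", 30))
    if bio <= recheck:
        return [f"biometric override timeout ({bio} min) should exceed the recheck interval ({recheck} min)"]
    return []


if __name__ == "__main__":
    # Constructed policy: numeric PIN, simple sequences blocked, keep the last 2 PINs.
    policy = {"pin_type": "numeric", "simple_pin": "block", "minimum_pin_length": 4,
              "previous_pin_values_to_maintain": 2, "override_biometric_timeout_minutes": 15}
    for candidate in ("1235", "1112", "1122", "2580"):
        print(candidate, pin_violations(candidate, policy, previous_pins=["4820", "2580"]) or "accepted")
    print(timeout_issues(policy))
```

Note that the history check only sees the PINs Intune is maintaining, so with the default of 0 previous values a user can set the same PIN again at every forced reset; combine PIN reset after number of days with a non-zero history if that matters to you.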

Conditional launch

Configure conditional launch settings to set sign-in security requirements for your app protection policy. By default, several settings are provided with pre-configured values and actions. You can delete some settings, like the Min OS version. You can also select additional settings from the Select one dropdown.

App conditions

Setting: Max PIN attempts
Default value: 5
How to use: Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. If the user fails to successfully enter their PIN after the maximum PIN attempts, the user must reset their PIN after successfully logging into their account and completing a Multi-Factor Authentication (MFA) challenge if required. This policy setting format supports a positive whole number. Actions include:
  Reset PIN - The user must reset their PIN.
  Wipe data - The user account that is associated with the application is wiped from the device.

Setting: Offline grace period
How to use: The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. Actions include:
  Block access (minutes) - The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After this period expires, the app requires user authentication to Azure Active Directory (Azure AD) so that the app can continue to run. This policy setting format supports a positive whole number. Default value = 720 minutes (12 hours).
  Note: Configuring the Offline grace period timer for blocking access to be less than the default value may result in more frequent user interruptions as policy is refreshed. Choosing a value of less than 30 mins is not recommended as it may result in user interruptions at each application launch or resume.
  Wipe data (days) - After this many days (defined by the admin) of running offline, the app will require the user to connect to the network and reauthenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. For more information, see How to wipe only corporate data from Intune-managed apps. This policy setting format supports a positive whole number. Default value = 90 days.
This entry can appear multiple times, with each instance supporting a different action.

Setting: Min app version
How to use: Specify a value for the minimum application version. Actions include:
  Warn - The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
  Block access - The user is blocked from access if the app version on the device does not meet the requirement.
  Wipe data - The user account that is associated with the application is wiped from the device.
As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, an Outlook version policy).
This entry can appear multiple times, with each instance supporting a different action.
This policy setting format supports either major.minor, major.minor.build, or major.minor.build.revision.
Additionally, you can configure where your end users can get an updated version of a line-of-business (LOB) app. End users will see this in the min app version conditional launch dialog, which will prompt end users to update to a minimum version of the LOB app. On Android, this feature uses the Company Portal. To configure where an end user should update a LOB app, the app needs a managed app configuration policy sent to it with the key com.microsoft.intune.myappstore. The value sent will define which store the end user will download the app from. If the app is deployed via the Company Portal, the value must be CompanyPortal. For any other store, you must enter a complete URL.

Setting: Disabled account
How to use: There is no value to set for this setting. Actions include:
  Block access - The user is blocked from access because their account has been disabled.
  Warn - The user sees a notification about their disabled account.

Device conditions

Setting How to use

Jailbroken/rooted Specify whether to block access to the device or wipe the device data for
devices jailbroken/rooted devices. Actions include:

Block access - Prevent this app from running on jailbroken or rooted


devices. The user continues to be able to use this app for personal
Setting How to use

tasks, but will have to use a different device to access work or school
data in this app.

Wipe data - The user account that is associated with the application is
wiped from the device.

Min OS version: Specify a minimum Android operating system that is required to use
this app. OS versions below the specified Min OS version will trigger the actions.
Actions include:

Warn - The user will see a notification if the Android version on the
device doesn't meet the requirement. This notification can be
dismissed.

Block access - The user will be blocked from access if the Android
version on the device doesn't meet this requirement.

Wipe data - The user account that is associated with the application is
wiped from the device.

This policy setting format supports major.minor, major.minor.build, or
major.minor.build.revision.

Max OS version: Specify the maximum Android operating system version on which this
app may be used. OS versions above the specified Max OS version will trigger the
actions. Actions include:

Warn - The user will see a notification if the Android version on the
device is newer than the configured maximum. This notification can be
dismissed.

Block access - The user will be blocked from access if the Android
version on the device is newer than the configured maximum.

Wipe data - The user account that is associated with the application is
wiped from the device.

This policy setting format supports major.minor, major.minor.build, or
major.minor.build.revision.

Min patch version: Require devices to have a minimum Android security patch level
released by Google. Devices whose security patch level is older than the specified
date will trigger the actions. Actions include:

Warn - The user will see a notification if the security patch level on the
device doesn't meet the requirement. This notification can be
dismissed.

Block access - The user will be blocked from access if the security patch
level on the device doesn't meet this requirement.

Wipe data - The user account that is associated with the application is
wiped from the device.

This policy setting supports the date format of YYYY-MM-DD.

Device manufacturer(s): Specify a semicolon-separated list of manufacturer(s). These
values are not case sensitive. Actions include:

Allow specified (Block non-specified) - Only devices that match a
specified manufacturer can use the app. All other devices are blocked.

Allow specified (Wipe non-specified) - Only devices that match a specified
manufacturer can use the app. On all other devices, the user account that is
associated with the application is wiped from the device.

For more information on using this setting, see Conditional Launch actions.

SafetyNet device attestation: App protection policies support some of Google Play
Protect's APIs. This setting in particular configures Google's SafetyNet Attestation
on end user devices to validate the integrity of those devices. Specify either Basic
integrity or Basic integrity and certified devices.

Basic integrity tells you about the general integrity of the device. Rooted
devices, emulators, virtual devices, and devices with signs of tampering fail
basic integrity. Basic integrity & certified devices tells you about the
compatibility of the device with Google's services. Only unmodified devices
that have been certified by Google can pass this check.

If you select SafetyNet device attestation as required for conditional launch,
you can specify that a hardware-backed key is used as the evaluation type.
The presence of a hardware-backed key as the evaluation type will indicate
greater integrity of a device. Devices that do not support hardware-backed
keys will be blocked by the MAM policy if they are targeted with this setting.
The hardware-backed key provides a more robust root detection in
response to newer types of rooting tools and methods that cannot always
be reliably detected by a software only solution. Within APP, hardware
attestation will be enabled by setting Required SafetyNet evaluation type
to Hardware-backed key once SafetyNet device attestation is configured.
Hardware backed attestation leverages a hardware-based component which
shipped with devices installed with Android 8.1 and later. Devices that were
upgraded from an older version of Android to Android 8.1 are unlikely to
have the hardware-based components necessary for hardware backed
attestation. While this setting should be widely supported starting with
devices that shipped with Android 8.1, Microsoft strongly recommends
testing devices individually before enabling this policy setting broadly.

Important: Devices that do not support this evaluation type will be blocked
or wiped based on the SafetyNet device attestation action. Organizations
that would like to use this functionality will need to ensure users have
supported devices. For more information on Google’s recommended
devices, see Android Enterprise Recommended requirements.

Actions include:

Warn - The user sees a notification if the device does not meet
Google's SafetyNet Attestation scan based on the value configured.
This notification can be dismissed.

Block access - The user is blocked from access if the device does not
meet Google's SafetyNet Attestation scan based on the value
configured.

Wipe data - The user account that is associated with the application is
wiped from the device.

For commonly asked questions related to this setting, see Frequently asked
questions about MAM and app protection.

Require threat scan on apps: App protection policies support some of Google Play
Protect's APIs. This setting in particular ensures that Google's Verify Apps scan is
turned on for end user devices. If configured, the end user will be blocked from
access until they turn on Google's app scanning on their Android device. Actions
include:

Warn - The user sees a notification if Google's Verify Apps scan on the
device is not turned on. This notification can be dismissed.

Block access - The user is blocked from access if Google's Verify Apps
scan on the device is not turned on.

Results from Google's Verify Apps scan are surfaced in the Potentially
Harmful Apps report in the console.

Required SafetyNet evaluation type: Hardware-backed attestation enhances the existing
SafetyNet attestation service check. You can set the value to Hardware-backed key
after setting SafetyNet device attestation.

Require device lock: This setting determines whether the Android device has a device
PIN that meets the minimum password requirement. The App protection policy can take
action if the device lock doesn't meet the minimum password requirement.

Values include:

Low Complexity
Medium Complexity
High Complexity

This complexity value is targeted to Android 12+. For devices operating on
Android 11 and earlier, setting a complexity value of low, medium, or high
will default to the expected behavior for Low Complexity. For more
information, see Google's developer documentation for
getPasswordComplexity, PASSWORD_COMPLEXITY_LOW,
PASSWORD_COMPLEXITY_MEDIUM, and PASSWORD_COMPLEXITY_HIGH.

Actions include:

Warn - The user sees a notification if the device lock doesn’t meet the
minimum password requirement. The notification can be dismissed.
Block access - The user will be blocked from access if the device lock
doesn’t meet the minimum password requirement.

Wipe data - The user account that is associated with the application is
wiped from the device if the device lock doesn’t meet the minimum
password requirement.

Min Company Portal version: By using the Min Company Portal version, you can specify a
minimum version of the Company Portal that is enforced on an end
user device. This conditional launch setting allows you to set values to Block
access, Wipe data, and Warn as possible actions when each value is not
met. The possible formats for this value follow the pattern [Major].[Minor],
[Major].[Minor].[Build], or [Major].[Minor].[Build].[Revision]. Given that some
end users may not prefer a forced update of apps on the spot, the 'warn'
option may be ideal when configuring this setting. The Google Play Store
does a good job of only sending the delta bytes for app updates, but this
can still be a large amount of data that the user may not want to utilize if
they are on data at the time of the update. Forcing an update and thereby
downloading an updated app could result in unexpected data charges at the
time of the update. For more information, see Android policy settings.

Max Company Portal version age (days): You can set a maximum number of days as the
age of the Company Portal (CP) version for Android devices. This setting ensures
that end users are within a certain range of CP releases (in days). The value must
be between 0
and 365 days. When the setting for the devices is not met, the action for this
setting is triggered. Actions include Block access, Wipe data, or Warn. For
related information, see Android policy settings. Note: The age of the
Company Portal build is determined by Google Play on the end user
device.

Samsung Knox device attestation: Specify if the Samsung Knox device attestation check
is required. Only unmodified devices that have been verified by Samsung can pass
this check. For the list of supported devices, see devices with Knox version 3.6+
on samsungknox.com.

By using this setting, Microsoft Intune will also verify communication from
the Company Portal to the Intune Service was sent from a healthy device.

Actions include:
Warn - The user sees a notification if the device does not meet
Samsung Knox device attestation check. This notification can be
dismissed.
Block access - The user account is blocked from access if the device
does not meet Samsung's Knox device attestation check.
Wipe data - The user account that is associated with the application is
wiped from the device.

Note: The user must accept the Samsung Knox terms before the device
attestation check can be performed. If the user does not accept the
Samsung Knox terms, the specified action will occur.

Max allowed device threat level: App protection policies can take advantage of the
Intune-MTD connector. Specify a maximum threat level acceptable to use this app.
Threats are
determined by your chosen Mobile Threat Defense (MTD) vendor app on
the end user device. Specify either Secured, Low, Medium, or High. Secured
requires no threats on the device and is the most restrictive configurable
value, while High essentially requires an active Intune-to-MTD connection.
Actions include:

Block access - The user will be blocked from access if the threat level
determined by your chosen Mobile Threat Defense (MTD) vendor app
on the end user device doesn't meet this requirement.

Wipe data - The user account that is associated with the application is
wiped from the device.

For more information on using this setting, see Enable the Mobile Threat
Defense connector in Intune for unenrolled devices.

Primary MTD service: If you have configured multiple Intune-MTD connectors, specify
the primary MTD vendor app that should be used on the end user device.

Values include:

Microsoft Defender for Endpoint - if the MTD connector is configured, specify
that Microsoft Defender for Endpoint will provide the device threat level
information.
Mobile Threat Defense (Non-Microsoft) - if the MTD connector is
configured, specify the non-Microsoft MTD will provide the device
threat level information.

You must configure the setting “Max allowed device threat level” to use this
setting.

There are no Actions for this setting.
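The device conditions above (and the Min app version setting that precedes them) all follow the same pattern: compare a device fact against a configured value and, on failure, apply the configured Warn, Block access or Wipe data action. The following evaluator is an added example for this page, not Intune's code. It implements the comparisons exactly as the table describes them: versions in the major.minor[.build[.revision]] format with missing parts treated as zero, Min patch version as a YYYY-MM-DD date, Max OS version failing for versions above the limit, the semicolon-separated manufacturer list matched case-insensitively, and the Secured < Low < Medium < High ordering of the MTD threat level. The policy dictionary shape, the DeviceFacts fields, and treating a missing MTD verdict as a failure are assumptions made for illustration.

```python
"""Evaluate Android conditional launch device conditions.

Added example for this page; not Intune's code. The policy dictionary shape,
the DeviceFacts fields, and the treatment of a missing MTD verdict as a
failure are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Actions ordered from least to most severe: when several conditions fail,
# the most severe configured action wins.
SEVERITY = {"warn": 1, "block": 2, "wipe": 3}

# Max allowed device threat level ordering: Secured (no threats) is the most
# restrictive value an administrator can choose.
THREAT_ORDER = {"secured": 0, "low": 1, "medium": 2, "high": 3}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse major.minor[.build[.revision]] into a comparable 4-tuple.

    Missing trailing parts are treated as 0, so 12.1 == 12.1.0.0 and
    12.1 < 12.1.0.5. One-part or five-part strings are rejected because the
    setting only accepts two to four numeric components.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def parse_patch_date(text: str) -> date:
    """Min patch version is expressed as YYYY-MM-DD."""
    return date.fromisoformat(text.strip())


@dataclass
class DeviceFacts:
    os_version: str                      # e.g. "13.0"
    patch_level: str                     # Android security patch level, YYYY-MM-DD
    manufacturer: str                    # as reported by the device
    app_version: str                     # version of the protected app
    threat_level: Optional[str] = None   # MTD verdict; None if no connector reports


def evaluate(policy: Dict[str, dict], device: DeviceFacts) -> List[Tuple[str, str]]:
    """Return (setting, action) for every condition the device fails.

    policy maps a setting name to {"value": ..., "action": "warn"|"block"|"wipe"}.
    Note the asymmetry: Min OS version fails for versions below the value,
    Max OS version fails for versions above it.
    """
    failures: List[Tuple[str, str]] = []

    def fail(name: str) -> None:
        failures.append((name, policy[name]["action"]))

    v = policy.get("min_os_version")
    if v and parse_version(device.os_version) < parse_version(v["value"]):
        fail("min_os_version")
    v = policy.get("max_os_version")
    if v and parse_version(device.os_version) > parse_version(v["value"]):
        fail("max_os_version")
    v = policy.get("min_patch_version")
    if v and parse_patch_date(device.patch_level) < parse_patch_date(v["value"]):
        fail("min_patch_version")
    v = policy.get("min_app_version")
    if v and parse_version(device.app_version) < parse_version(v["value"]):
        fail("min_app_version")
    v = policy.get("device_manufacturers")
    if v:
        # Semicolon-separated list, matched case-insensitively.
        allowed = {m.strip().lower() for m in v["value"].split(";") if m.strip()}
        if device.manufacturer.strip().lower() not in allowed:
            fail("device_manufacturers")
    v = policy.get("max_device_threat_level")
    if v:
        limit = THREAT_ORDER[v["value"].lower()]
        # Assumption: with no MTD verdict the device cannot show it is at or
        # below the allowed level, so it is treated as failing.
        reported = device.threat_level
        if reported is None or THREAT_ORDER[reported.lower()] > limit:
            fail("max_device_threat_level")
    return failures


def resulting_action(failures: List[Tuple[str, str]]) -> Optional[str]:
    """Most severe action among the failures, or None when the device complies."""
    if not failures:
        return None
    return max((action for _, action in failures), key=SEVERITY.__getitem__)


if __name__ == "__main__":
    # Constructed sample policy and device; not real tenant data.
    policy = {
        "min_os_version": {"value": "11.0", "action": "block"},
        "max_os_version": {"value": "14.0", "action": "warn"},
        "min_patch_version": {"value": "2023-01-01", "action": "block"},
        "device_manufacturers": {"value": "Samsung; Google", "action": "block"},
        "max_device_threat_level": {"value": "Low", "action": "wipe"},
    }
    device = DeviceFacts("14.0.0.1", "2022-11-05", "OnePlus", "4.2.1", "medium")
    failed = evaluate(policy, device)
    print(failed, "->", resulting_action(failed))
```

Because the actions escalate, a device that trips a Warn on Max OS version and a Wipe data on the threat level ends up wiped, which is why the table recommends testing each condition's action on representative devices before broad rollout.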


iOS app protection policy settings
Article • 03/10/2023

This article describes the app protection policy settings for iOS/iPadOS devices. The policy
settings that are described can be configured for an app protection policy on the Settings
pane in the portal when you make a new policy.

There are three categories of policy settings: Data relocation, Access requirements, and
Conditional launch. In this article, the term policy-managed apps refers to apps that are
configured with app protection policies.

Important

The Intune Managed Browser has been retired. Use Microsoft Edge for your protected
Intune browser experience.

Data protection

Data Transfer

Setting How to use Default value

Backup Org data to iTunes and iCloud backups (default: Allow): Select Block to prevent
this app from backing up work or school data to iTunes and iCloud. Select Allow to
allow this app to back up work or school data to iTunes and iCloud.

Send Org data to other apps (default: All apps): Specify what apps can receive data
from this app:
All apps: Allow transfer to any app. The receiving app will have the
ability to read and edit the data.
None: Do not allow data transfer to any app, including other
policy-managed apps. If the user performs a managed open-in
function and transfers a document, the data will be encrypted and
unreadable.
Policy managed apps: Allow transfer only to other policy-
managed apps.

Note: Users may be able to transfer content via Open-in or Share
extensions to unmanaged apps on unenrolled devices or enrolled
devices that allow sharing to unmanaged apps. Transferred data is
encrypted by Intune and unreadable by unmanaged apps.
Policy managed apps with OS sharing: Only allow data transfer to
other policy managed apps, as well as file transfers to other MDM
managed apps on enrolled devices.

Note: The Policy managed apps with OS sharing value is
applicable to MDM enrolled devices only. If this setting is targeted to
a user on an unenrolled device, the behavior of the Policy managed
apps value applies. Users will be able to transfer unencrypted
content via Open-in or Share extensions to any application allowed
by the iOS MDM allowOpenFromManagedtoUnmanaged setting,
assuming the sending app has the IntuneMAMUPN and
IntuneMAMOID configured; for more information, see How to
manage data transfer between iOS apps in Microsoft Intune. See
https://developer.apple.com/business/documentation/Configuration-
Profile-Reference.pdf for more information on this iOS/iPadOS
MDM setting.

Policy managed apps with Open-In/Share filtering: Allow transfer
only to other policy managed apps, and filter OS Open-in/Share
dialogs to only display policy managed apps. To configure the
filtering of the Open-In/Share dialog, it requires both the app(s)
acting as the file/document source and the app(s) that can open
this file/document to have the Intune SDK for iOS version 8.1.1 or
above.

Note: Users may be able to transfer content via Open-in or Share
extensions to unmanaged apps if Intune private data type is
supported by the app. Transferred data is encrypted by Intune and
unreadable by unmanaged apps.

In addition, when set to Policy managed apps or None, the Spotlight
search (enables searching data within apps) and Siri shortcuts iOS
features are blocked.

This policy can also apply to iOS/iPadOS Universal Links. General web
links are managed by the Open app links in Intune Managed Browser
policy setting.

There are some exempt apps and services to which Intune may allow
data transfer by default. In addition, you can create your own exemptions
if you need to allow data to transfer to an app that doesn't support
Intune APP. See data transfer exemptions for more information.

Select apps to exempt: This option is available when you select Policy managed apps
for the previous option.

Select universal links to exempt: Specify which iOS/iPadOS Universal Links should
open in the specified unmanaged application instead of the protected browser
specified by the Restrict web content transfer with other apps setting. You must
contact the application developer to determine the correct universal link format
for each application.

Select managed universal links: Specify which iOS/iPadOS Universal Links should open
in the specified managed application instead of the protected browser specified by
the Restrict web content transfer with other apps setting. You must contact the
application developer to determine the correct universal link format for each
application.

Save copies of org data (default: Allow): Choose Block to disable the use of the Save
As option in this app. Choose Allow if you want to allow the use of Save As. When
set to Block,
you can configure the setting Allow user to save copies to selected
services.

Note:

This setting is supported for Microsoft Excel, OneNote, Outlook,
PowerPoint, Word, and Edge. It can also be supported by third-party
and LOB apps.
This setting is only configurable when the setting Send org data to
other apps is set to Policy managed apps, Policy managed apps
with OS sharing or Policy managed apps with Open-In/Share
filtering.
This setting will be "Allow" when the setting Send org data to other
apps is set to All apps.
This setting will be "Block" with no allowed service locations when
the setting Send org data to other apps is set to None.

Allow user to save copies to selected services (default: 0 selected): Users can save
to the selected services (OneDrive for Business, SharePoint, Photo Library, and
Local Storage). All other services are blocked. OneDrive for Business: you can save
files to OneDrive for Business and SharePoint Online. SharePoint: you can save files
to on-premises SharePoint. Photo Library: You can save files to the photo library
locally. Local Storage: managed apps can save copies of org data locally. This does
NOT include saving files to local unmanaged locations such as the Files app on the
device.

Transfer telecommunication data to (default: Any dialer app): Typically, when a user
selects a hyperlinked phone number in an app, a dialer app will open with the phone
number prepopulated and ready to call. For this setting, choose how to handle this
type of content transfer when it is initiated from a policy-managed app:
None, do not transfer this data between apps: Do not transfer
communication data when a phone number is detected.
A specific dialer app: Allow a specific dialer app to initiate contact
when a phone number is detected.
Any dialer app: Allow any dialer app to be used to initiate contact
when a phone number is detected.

Note: This setting requires Intune SDK 12.7.0 and later. If your apps rely on
dialer functionality and are not using the correct Intune SDK version, as a
workaround, consider adding "tel;telprompt" as a data transfer exemption.
Once the apps support the correct Intune SDK version, the exemption can
be removed.

Dialer App URL Scheme (default: Blank): When a specific dialer app has been selected,
you must provide the dialer app URL scheme that is used to launch the dialer app on
iOS devices. For more information, see Apple's documentation about Phone Links.

Receive data from other apps (default: All apps): Specify what apps can transfer
data to this app:
All apps: Allow data transfer from any app.
None: Do not allow data transfer from any app, including other
policy-managed apps.
Policy managed apps: Allow transfer only from other policy-
managed apps.
All apps with incoming Org data: Allow data transfer from any
app. Treat all incoming data without a user identity as data from
your organization. The data will be marked with the MDM enrolled
user's identity as defined by the IntuneMAMUPN setting.

Note: The All apps with incoming Org data value is applicable to
MDM enrolled devices only. If this setting is targeted to a user on an
unenrolled device, the behavior of the All apps value applies.

Multi-identity MAM enabled applications will attempt to switch to an
unmanaged account when receiving unmanaged data if this setting is
configured to None or Policy managed apps. If there is no unmanaged
account signed into the app or the app is unable to switch, the incoming
data will be blocked.


Open data into Org documents (default: Allow): Select Block to disable the use of the
Open option or other options to share data between accounts in this app. Select
Allow if you want to allow the use of Open.

When set to Block, you can configure the Allow user to open data from
selected services setting to specify which services are allowed as Org data
locations.

Note:

This setting is only configurable when the setting Receive data from
other apps is set to Policy managed apps.
This setting will be "Allow" when the setting Receive data from
other apps is set to All apps or All apps with incoming Org data.
This setting will be "Block" with no allowed service locations when
the setting Receive data from other apps is set to None.
The following apps support this setting:
OneDrive 11.45.3 or later.
Outlook for iOS 4.60.0 or later.
Teams for iOS 3.17.0 or later.

Allow users to open data from selected services (default: All selected): Select the
application storage services that users can open data from. All other services are
blocked. Selecting no services will prevent users from opening data from external
locations.

Supported services:

OneDrive for Business
SharePoint Online
Camera
Photo Library

Note: Camera does not include Photos or Photo Gallery access. Selecting Photo
Library in the Allow users to open data from selected services setting lets
managed accounts bring data from the device's photo library into their managed
apps.

Restrict cut, copy and paste between other apps (default: Any app): Specify when cut,
copy, and paste actions can be used with this app. Select from:
Blocked: Don't allow cut, copy, and paste actions between this app
and any other app.
Policy managed apps: Allow cut, copy, and paste actions between
this app and other policy-managed apps.
Policy managed with paste in: Allow cut or copy between this app
and other policy-managed apps. Allow data from any app to be
pasted into this app.
Any app: No restrictions for cut, copy, and paste to and from this
app.

Cut and copy character limit for any app (default: 0): Specify the number of
characters that may be cut or copied from Org data and accounts. This will allow
sharing of the specified number of characters to any application, regardless of
the Restrict cut, copy, and paste with other apps setting.

Note: Requires app to have Intune SDK version 9.0.14 or later.

Third party keyboards (default: Allow): Choose Block to prevent the use of third-party
keyboards in managed applications.

When this setting is enabled, the user receives a one-time message
stating that the use of third-party keyboards is blocked. This message
appears the first time a user interacts with organizational data that
requires the use of a keyboard. Only the standard iOS/iPadOS keyboard
is available while using managed applications, and all other keyboard
options are disabled. This setting will affect both the organization and
personal accounts of multi-identity applications. This setting does not
affect the use of third-party keyboards in unmanaged applications.

Note: This feature requires the app to use Intune SDK version 12.0.16 or
later. Apps with SDK versions from 8.0.14 to, and including, 12.0.15, will
not have this feature correctly apply for multi-identity apps. For more
details, see Known issue: Third party keyboards are not blocked in
iOS/iPadOS for personal accounts.

Note

An app protection policy is required with IntuneMAMUPN for managed devices. This
applies for any setting that requires enrolled devices as well.

Encryption

Setting How to use Default value


Encrypt Org data (default: Require): Choose Require to enable encryption of work or
school data in this app. Intune enforces iOS/iPadOS device-level encryption to
protect app data while the device is locked. In addition, applications may
optionally encrypt app data using Intune APP SDK encryption. Intune APP SDK uses
iOS/iPadOS cryptography methods to apply 256-bit AES encryption to app data.

When you enable this setting, the user may be required to set up and use a device
PIN to access their device. If there's no device PIN and encryption is required, the
user is prompted to set a PIN with the message "Your organization has required you
to first enable a device PIN to access this app."

Go to the official Apple documentation to read more about their Data Protection
Classes, as part of their Apple Platform Security.

Functionality

Setting How to use Default value

Sync policy managed app data with native apps or add-ins (default: Allow): Choose
Block to prevent policy managed apps from saving data to the device's native apps
(Contacts, Calendar and widgets) and to prevent the use of add-ins within the
policy managed apps. If not supported by the application, saving data to native
apps and using add-ins will be allowed.

If you choose Allow, the policy managed app can save data to the
native apps or use add-ins, if those features are supported and
enabled within the policy managed app.

Applications may provide additional controls to customize the data
sync behavior to specific native apps or not honor this control.

Note: When you perform a selective wipe to remove work or school
data from the app, data synced directly from the policy managed app
to the native app is removed. Any data synced from the native app to
another external source will not be wiped.

Note: The following apps support this feature:

Outlook for iOS see Deploying Outlook for iOS and Android app
configuration settings

Printing Org data (default: Allow): Select Block to prevent the app from printing
work or school data. If you leave this setting at Allow, the default value, users
will be able to export and print all Org data.

Restrict web content transfer with other apps (default: Not configured): Specify how
web content (http/https links) is opened from policy-managed applications. Choose
from:
Any app: Allow web links in any app.

Intune Managed Browser: Allow web content to open only in
the Intune Managed Browser. This browser is a policy-managed
browser.
Microsoft Edge: Allow web content to open only in
Microsoft Edge. This browser is a policy-managed browser.
Unmanaged browser: Allow web content to open only in the
unmanaged browser defined by Unmanaged browser protocol
setting. The web content will be unmanaged in the target
browser.

Note: Requires app to have Intune SDK version 11.0.9 or later.

If you're using Intune to manage your devices, see Manage Internet
access using managed browser policies with Microsoft Intune.

If a policy-managed browser is required but not installed, your end
users will be prompted to install Microsoft Edge.

If a policy-managed browser is required, iOS/iPadOS Universal Links
are managed by the Allow app to transfer data to other apps policy
setting.

Intune device enrollment

If you are using Intune to manage your devices, see Manage Internet
access using managed browser policies with Microsoft Intune.

Policy-managed Microsoft Edge

The Microsoft Edge browser for mobile devices (iOS/iPadOS and
Android) supports Intune app protection policies. Users who sign in
with their corporate Azure AD accounts in the Microsoft Edge
browser application will be protected by Intune. The Microsoft Edge
browser integrates the Intune SDK and supports all of its data
protection policies, with the exception of preventing:

Save-as: The Microsoft Edge browser does not allow a user to
add direct, in-app connections to cloud storage providers (such
as OneDrive).
Contact sync: The Microsoft Edge browser does not save to
native contact lists.

Note: The Intune SDK cannot determine if a target app is a browser. On
iOS/iPadOS devices, no other managed browser apps are allowed.

Unmanaged Browser Protocol (default: Blank): Enter the protocol for a single
unmanaged browser. Web content (http/https links) from policy managed applications
will open in any app that supports this protocol. The web content will be
unmanaged in the target browser.

This feature should only be used if you want to share protected
content with a specific browser that is not enabled using Intune app
protection policies. You must contact your browser vendor to
determine the protocol supported by your desired browser.

Note: Include only the protocol prefix. If your browser requires links of
the form mybrowser://www.microsoft.com, enter mybrowser. An https link is
sent to the protocol with an s appended.

Links will be translated as:

http://www.microsoft.com > mybrowser://www.microsoft.com
https://www.microsoft.com > mybrowsers://www.microsoft.com

Org data notifications (default: Allow): Specify how Org data is shared via OS
notifications for Org accounts. This policy setting will impact the local device
and any connected devices such as wearables and smart speakers. Apps may provide
additional controls to customize notification behavior or may choose to not honor
all values. Select from:
Blocked: Do not share notifications. If not supported by the application,
notifications will be allowed.
Block org Data: Do not share Org data in notifications, for example
"You have new mail" or "You have a meeting". If not supported by the
application, notifications will be allowed.
Allow: Shares Org data in the notifications.

Note: This setting requires app support:

Outlook for iOS 4.34.0 or later
Teams for iOS 2.0.22 or later.

Note

None of the data protection settings control the Apple managed open-in feature on
iOS/iPadOS devices. To manage Apple open-in, see Manage data transfer between
iOS/iPadOS apps with Microsoft Intune.

Data transfer exemptions


There are some exempt apps and platform services that Intune app protection policy may
allow data transfer to and from in certain scenarios. This list is subject to change and reflects
the services and apps considered useful for secure productivity.

Third party unmanaged apps can be added to the exemptions list which can allow data
transfer exceptions. For additional details and examples, see How to create exceptions to the
Intune App Protection Policy (APP) data transfer policy. The exempt unmanaged app must be
invoked based on iOS URL protocol. For example, when data transfer exemption is added for
an unmanaged app, it would still prevent users from cut, copy, and paste operations, if
restricted by policy. This type of exemption would also still prevent users from using Open-in
action within a managed app to share or save data to exempt app since it is not based on iOS
URL protocol. For more information about Open-in, see Use app protection with iOS apps.

App/service name(s) Description

skype Skype

app-settings Device settings

itms; itmss; itms-apps; itms-appss; itms-services App Store

calshow Native Calendar

Important

App Protection policies created before June 15, 2020 include tel and telprompt URL
scheme as part of the default data transfer exemptions. These URL schemes allow
managed apps to initiate the dialer. The App Protection policy setting Transfer
telecommunication data to has replaced this functionality. Administrators should remove
tel;telprompt; from the data transfer exemptions and rely on the App Protection policy
setting, provided the managed apps that initiate dialer functionality include the Intune
SDK 12.7.0 or later.

Important

In Intune SDK 14.5.0 or later, including sms and mailto URL schemes in the data transfer
exemptions will also allow sharing of Org data to the MFMessageCompose (for sms) and
MFMailCompose (for mailto) view controllers within policy managed applications.

Universal Links
Universal links allow the user to directly launch an application associated with the link instead
of a protected browser specified by the Restrict web content transfer with other apps setting.
You must contact the application developer to determine correct universal link format for each
application.

Exempt Universal Links


By adding Universal Links to unmanaged apps, you can launch the specified application. To
add the app, you must add the link to the exemption list.

Caution

The target applications for these Universal Links are unmanaged and adding an
exemption may result in data security leaks.

The default app Universal Link exemptions are the following:

App Universal Link Description

http://maps.apple.com; https://maps.apple.com Maps App

http://facetime.apple.com; https://facetime.apple.com FaceTime App

If you don't want to allow the default Universal Link exemptions, you can delete them. You can
also add Universal Links for third party or LOB apps. The exempted universal links allow for
wildcards such as http://*.sharepoint-df.com/*.

Managed Universal Links


By adding Universal Links to managed apps, you can launch the specified application securely.
To add the app, you must add the link to the managed list. If the target application has an App
Protection policy applied, selecting the link will launch the app. If the target application does
not have an App Protection policy applied, selecting the link will launch the protected browser.

The default managed Universal Links are the following:

Description: Managed App Universal Link

OneDrive: http://*.onedrive.com/*; https://*.onedrive.com/*;

PowerApps: http://*.appsplatform.us/*; http://*.powerapps.cn/*; http://*.powerapps.com/*; http://*.powerapps.us/*; https://*.appsplatform.us/*; https://*.powerapps.cn/*; https://*.powerapps.com/*; https://*.powerapps.us/*;

Power BI: http://*.powerbi.com/*; http://app.powerbi.cn/*; http://app.powerbigov.us/*; http://app.powerbi.de/*; https://*.powerbi.com/*; https://app.powerbi.cn/*; https://app.powerbigov.us/*; https://app.powerbi.de/*;

ServiceNow: http://*.service-now.com/*; https://*.service-now.com/*;

SharePoint: http://*.sharepoint.com/*; http://*.sharepoint-df.com/*; https://*.sharepoint.com/*; https://*.sharepoint-df.com/*;

Stream: http://web.microsoftstream.com/video/*; http://msit.microsoftstream.com/video/*; https://web.microsoftstream.com/video/*; https://msit.microsoftstream.com/video/*;

Teams: http://*teams.microsoft.com/l/*; http://*devspaces.skype.com/l/*; http://*teams.live.com/l/*; http://*collab.apps.mil/l/*; http://*teams.microsoft.us/l/*; http://*teams-fl.microsoft.com/l/*; https://*teams.microsoft.com/l/*; https://*devspaces.skype.com/l/*; https://*teams.live.com/l/*; https://*collab.apps.mil/l/*; https://*teams.microsoft.us/l/*; https://*teams-fl.microsoft.com/l/*;

ToDo: http://tasks.office.com/*; https://tasks.office.com/*; http://to-do.microsoft.com/sharing*; https://to-do.microsoft.com/sharing*;

Yammer: http://*.yammer.com/*; https://*.yammer.com/*;

Zoom: http://*.zoom.us/*; https://*.zoom.us/*;

If you don't want to allow the default managed Universal Links, you can delete them. You can
also add Universal Links for third party or LOB apps.
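As an added example (not Microsoft or Intune SDK code), the following Python classifies a tapped link using the default exempt and managed Universal Link lists from this section; it assumes that * matches any run of characters, that an entry with no wildcard (such as the Maps defaults) matches as a URL prefix, that matching is case-insensitive, and that managed entries are checked before exempt ones.

```python
import re

# Default exempt (unmanaged) Universal Links listed in this section,
# in the semicolon-separated form the admin center uses.
EXEMPT_UNIVERSAL_LINKS = (
    "http://maps.apple.com; https://maps.apple.com; "
    "http://facetime.apple.com; https://facetime.apple.com"
)

# A subset of the default managed Universal Links listed in this section,
# keyed by the managed app each entry launches.
MANAGED_UNIVERSAL_LINKS = {
    "OneDrive": "http://*.onedrive.com/*; https://*.onedrive.com/*;",
    "SharePoint": ("http://*.sharepoint.com/*; http://*.sharepoint-df.com/*; "
                   "https://*.sharepoint.com/*; https://*.sharepoint-df.com/*;"),
    "Teams": "http://*teams.microsoft.com/l/*; https://*teams.microsoft.com/l/*;",
    "ToDo": "http://to-do.microsoft.com/sharing*; https://to-do.microsoft.com/sharing*;",
}


def parse_link_list(raw: str) -> list[str]:
    """Split the semicolon-separated list format into individual entries."""
    return [item.strip() for item in raw.split(";") if item.strip()]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn one Universal Link entry into a regular expression.

    Assumption: '*' matches any run of characters (glob style), and an entry
    with no wildcard matches any URL that starts with it. Case-insensitive
    matching is also an assumption, not a documented rule.
    """
    if "*" in pattern:
        body = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.compile("^" + body + "$", re.IGNORECASE)
    return re.compile("^" + re.escape(pattern), re.IGNORECASE)


def matches_any(url: str, raw_list: str) -> bool:
    """True when the URL matches at least one entry of a link list."""
    return any(pattern_to_regex(p).search(url) for p in parse_link_list(raw_list))


def route_link(url: str, apps_with_policy: set[str],
               managed=MANAGED_UNIVERSAL_LINKS, exempt=EXEMPT_UNIVERSAL_LINKS):
    """Decide where a link opened from a policy-managed app goes.

    Returns (destination, app). destination is 'managed app' when the matching
    target app has an App Protection policy applied, 'protected browser' when
    a managed link's target has no policy (or nothing matched at all), and
    'unmanaged app' when an exempt link matched. Managed entries are checked
    before exempt ones (assumed precedence).
    """
    for app, raw_list in managed.items():
        if matches_any(url, raw_list):
            if app in apps_with_policy:
                return ("managed app", app)
            return ("protected browser", None)
    if matches_any(url, exempt):
        return ("unmanaged app", None)
    return ("protected browser", None)
```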

Access requirements

Setting: PIN for access; default value: Require
How to use: Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. The PIN is applied when working either online or offline.

You can configure the PIN strength using the settings available under the PIN for access section.

Setting: PIN type; default value: Numeric
How to use: Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character.

Note: To configure the passcode type, the app must have Intune SDK version 7.1.12 or above. The numeric type has no Intune SDK version restriction. Special characters allowed include the special characters and symbols on the iOS/iPadOS English language keyboard.

Setting: Simple PIN; default value: Allow
How to use: Select Allow to allow users to use simple PIN sequences like 1234, 1111, abcd or aaaa. Select Block to prevent them from using simple sequences. Simple sequences are checked in 3-character sliding windows. If Block is configured, 1235 or 1112 would not be accepted as a PIN set by the end user, but 1122 would be allowed.

Note: If the Passcode type PIN is configured and Allow simple PIN is set to Yes, the user needs at least 1 letter or at least 1 special character in their PIN. If the Passcode type PIN is configured and Allow simple PIN is set to No, the user needs at least 1 number, at least 1 letter and at least 1 special character in their PIN.

Setting: Select minimum PIN length; default value: 4
How to use: Specify the minimum number of digits in a PIN sequence.

Setting: Touch ID instead of PIN for access (iOS 8+); default value: Allow
How to use: Select Allow to allow the user to use Touch ID instead of a PIN for app access.

Setting: Override Touch ID with PIN after timeout; default value: Require
How to use: To use this setting, select Require and then configure an inactivity timeout.

Setting: Timeout (minutes of inactivity); default value: 30
How to use: Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a fingerprint or face as the method of access. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.

Setting: Face ID instead of PIN for access (iOS 11+); default value: Allow
How to use: Select Allow to allow the user to use facial recognition technology to authenticate users on iOS/iPadOS devices. If allowed, Face ID must be used to access the app on a Face ID capable device.

Setting: PIN reset after number of days; default value: No
How to use: Select Yes to require users to change their app PIN after a set period of time, in days.

When set to Yes, you then configure the number of days before the PIN reset is required.

Setting: Number of days; default value: 90
How to use: Configure the number of days before the PIN reset is required.

Setting: App PIN when device PIN is set; default value: Enable
How to use: Select Disable to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.

Note: Requires the app to have Intune SDK version 7.0.1 or above. The IntuneMAMUPN setting must be configured for applications to detect the enrollment state.

On iOS/iPadOS devices, you can let the user prove their identity by using Touch ID or Face ID instead of a PIN. Intune uses the LocalAuthentication API to authenticate users using Touch ID and Face ID. To learn more about Touch ID and Face ID, see the iOS Security Guide.

When the user tries to use this app with their work or school account, they're prompted to provide their fingerprint identity or face identity instead of entering a PIN. When this setting is enabled, the App-switcher preview image will be blurred while using a work or school account. If there is any change to the device's biometric database, Intune prompts the user for a PIN when the next inactivity timeout value is met. Changes to biometric data include the addition or removal of a fingerprint or face for authentication. If the Intune user does not have a PIN set, they are led to set up an Intune PIN.

Setting: Work or school account credentials for access; default value: Not required
How to use: Select Require to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Require, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.

Setting: Recheck the access requirements after (minutes of inactivity); default value: 30
How to use: Configure the number of minutes of inactivity that must pass before the app requires the user to again specify the access requirements.

For example, an admin turns on PIN and blocks rooted devices in the policy; a user opens an Intune-managed app, must enter a PIN, and must be using the app on a non-rooted device. When using this setting, the user would not have to enter a PIN or undergo another root-detection check on any Intune-managed app for a period of time equal to the configured value.

Note: On iOS/iPadOS, the PIN is shared amongst all Intune-managed apps of the same publisher. The PIN timer for a specific PIN is reset once the app leaves the foreground on the device. The user wouldn't have to enter a PIN on any Intune-managed app that shares its PIN for the duration of the timeout defined in this setting. This policy setting format supports a positive whole number.

Note
To learn more about how multiple Intune app protection settings configured in the
Access section to the same set of apps and users work on iOS/iPadOS, see Intune MAM
frequently asked questions and Selectively wipe data using app protection policy
access actions in Intune.
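The PIN rules in the Access requirements table above (PIN type, Simple PIN, minimum length), as an added Python example that is not Intune SDK code; it assumes a "simple sequence" means a 3-character window that is all one character or that steps by one per character in either direction, since the page gives only ascending examples.

```python
# Added example, not Intune SDK code: check a candidate app PIN against the
# iOS Access requirements rules (PIN type, Simple PIN, minimum PIN length).
# Assumption: a simple sequence is a 3-character window that is all the same
# character (1112) or steps by +1 or -1 per character (1235, cba).


def _is_run(window: str) -> bool:
    """True when the window steps by exactly +1 or -1 per character."""
    steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
    return steps == {1} or steps == {-1}


def has_simple_sequence(pin: str) -> bool:
    """Slide a 3-character window over the PIN and flag repeats and runs."""
    for i in range(len(pin) - 2):
        window = pin[i:i + 3]
        if len(set(window)) == 1 or _is_run(window):
            return True
    return False


def validate_pin(pin: str, pin_type: str = "Numeric", simple_pin: str = "Allow",
                 min_length: int = 4) -> list[str]:
    """Return the list of rule violations; an empty list means the PIN is accepted.

    pin_type is "Numeric" or "Passcode" (the PIN type setting), simple_pin is
    "Allow" or "Block" (the Simple PIN setting) and min_length is the
    Select minimum PIN length setting (default 4, as in the table).
    """
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than the minimum PIN length of {min_length}")

    has_digit = any(c.isdigit() for c in pin)
    has_letter = any(c.isalpha() for c in pin)
    has_special = any(not c.isalnum() for c in pin)

    if pin_type == "Numeric":
        if not pin.isdigit():
            problems.append("numeric PIN type allows digits only")
    elif pin_type == "Passcode":
        # Allow simple PIN = Yes: at least 1 letter or 1 special character.
        if simple_pin == "Allow" and not (has_letter or has_special):
            problems.append("passcode needs at least 1 letter or 1 special character")
        # Allow simple PIN = No: at least 1 number, 1 letter and 1 special character.
        if simple_pin == "Block" and not (has_digit and has_letter and has_special):
            problems.append("passcode needs at least 1 number, 1 letter and 1 special character")
    else:
        raise ValueError(f"unknown PIN type: {pin_type!r}")

    if simple_pin == "Block" and has_simple_sequence(pin):
        problems.append("simple sequence found in a 3-character sliding window")
    return problems
```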

Conditional launch
Configure conditional launch settings to set sign-in security requirements for your access
protection policy.

By default, several settings are provided with pre-configured values and actions. You can
delete some of these, like the Min OS version. You can also select additional settings from the
Select one dropdown.

Setting: Max OS version
How to use: Specify a maximum iOS/iPadOS operating system to use this app. Actions include:

Warn - The user will see a notification if the iOS/iPadOS version on the device doesn't meet the requirement. This notification can be dismissed.
Block access - The user will be blocked from access if the iOS/iPadOS version on the device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped from the device.

This entry can appear multiple times, with each instance supporting a different action.

This policy setting format supports either major.minor, major.minor.build, or major.minor.build.revision.

Note: Requires the app to have Intune SDK version 14.4.0 or above.

Setting: Min OS version
How to use: Specify a minimum iOS/iPadOS operating system to use this app. Actions include:

Warn - The user will see a notification if the iOS/iPadOS version on the device doesn't meet the requirement. This notification can be dismissed.
Block access - The user will be blocked from access if the iOS/iPadOS version on the device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped from the device.

This entry can appear multiple times, with each instance supporting a different action.

This policy setting format supports either major.minor, major.minor.build, or major.minor.build.revision.

Note: Requires the app to have Intune SDK version 7.0.1 or above.

Setting: Max PIN attempts
How to use: Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. If the user fails to successfully enter their PIN after the maximum PIN attempts, the user must reset their PIN after successfully logging into their account and completing a multi-factor authentication (MFA) challenge if required. This policy setting format supports a positive whole number. Actions include:

Reset PIN - The user must reset their PIN.
Wipe data - The user account that is associated with the application is wiped from the device.

Default value = 5

Setting: Offline grace period
How to use: The number of minutes that policy-managed apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. Actions include:

Block access (minutes) - The number of minutes that policy-managed apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After the configured period expires, the app blocks access to work or school data until network access is available. The Offline grace period timer for blocking data access is calculated individually for each app based on the last check-in with the Intune service. This policy-setting format supports a positive whole number.

Default value = 720 minutes (12 hours)

Note: Configuring the Offline grace period timer for blocking access to be less than the default value may result in more frequent user interruptions as policy is refreshed. Choosing a value of less than 30 minutes is not recommended, as it may result in user interruptions at each application launch or resume.

Wipe data (days) - After this many days (defined by the admin) of running offline, the app will require the user to connect to the network and reauthenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. See How to wipe only corporate data from Intune-managed apps for more information on what data is removed with a selective wipe. The Offline grace period timer for wiping data is calculated individually for each app based on the last check-in with the Intune service. This policy setting format supports a positive whole number.

Default value = 90 days

This entry can appear multiple times, with each instance supporting a different action.

Setting: Jailbroken/rooted devices
How to use: There is no value to set for this setting. Actions include:

Block access - Prevent this app from running on jailbroken or rooted devices. The user continues to be able to use this app for personal tasks, but must use a different device to access work or school data in this app.
Wipe data - The user account that is associated with the application is wiped from the device.

Setting: Disabled account
How to use: There is no value to set for this setting. Actions include:

Block access - When we have confirmed the user has been disabled in Azure Active Directory, the app blocks access to work or school data.
Wipe data - When we have confirmed the user has been disabled in Azure Active Directory, the app will perform a selective wipe of the user's account and data.

Setting: Min app version
How to use: Specify a value for the minimum application version. Actions include:

Warn - The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
Block access - The user is blocked from access if the app version on the device doesn't meet the requirement.
Wipe data - The user account that is associated with the application is wiped from the device.

As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, Outlook version policy).

This entry can appear multiple times, with each instance supporting a different action.

This policy setting supports matching iOS app bundle version formats (major.minor or major.minor.patch).

Note: Requires the app to have Intune SDK version 7.0.1 or above.

Additionally, you can configure where your end users can get an updated version of a line-of-business (LOB) app. End users will see this in the min app version conditional launch dialog, which will prompt end users to update to a minimum version of the LOB app. On iOS/iPadOS, this feature requires the app to be integrated (or wrapped using the wrapping tool) with the Intune SDK for iOS v. 10.0.7 or above. To configure where an end user should update a LOB app, the app needs a managed app configuration policy sent to it with the key com.microsoft.intune.myappstore. The value sent will define which store the end user will download the app from. If the app is deployed via the Company Portal, the value must be CompanyPortal. For any other store, you must enter a complete URL.

Setting: Min SDK version
How to use: Specify a minimum value for the Intune SDK version. Actions include:

Block access - The user is blocked from access if the app's Intune app protection policy SDK version doesn't meet the requirement.
Wipe data - The user account that is associated with the application is wiped from the device.

To learn more about the Intune app protection policy SDK, see Intune App SDK overview. As apps often have distinct Intune SDK versions between them, create a policy with one min Intune SDK version targeting one app (for example, Intune SDK version policy for Outlook).

This entry can appear multiple times, with each instance supporting a different action.

Setting: Device model(s)
How to use: Specify a semicolon-separated list of model identifier(s). These values are not case sensitive. Actions include:

Allow specified (Block non-specified) - Only devices that match the specified device model can use the app. All other device models are blocked.
Allow specified (Wipe non-specified) - The user account that is associated with the application is wiped from the device.

For more information on using this setting, see Conditional Launch actions.

Setting: Max allowed device threat level
How to use: App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either Secured, Low, Medium, or High. Secured requires no threats on the device and is the most restrictive configurable value, while High essentially requires an active Intune-to-MTD connection. Actions include:

Block access - The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped from the device.

Note: Requires the app to have Intune SDK version 12.0.15 or above.

For more information on using this setting, see Enable MTD for unenrolled devices.

Setting: Primary MTD service
How to use: If you have configured multiple Intune-MTD connectors, specify the primary MTD vendor app that should be used on the end user device.

Values include:

Microsoft Defender for Endpoint - if the MTD connector is configured, select this value to specify that Microsoft Defender for Endpoint will provide the device threat level information.
Mobile Threat Defense (Non-Microsoft) - if the MTD connector is configured, select this value to specify that the non-Microsoft MTD will provide the device threat level information.

You must configure the setting "Max allowed device threat level" to use this setting.

There are no Actions for this setting.
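To show how repeated Min/Max version entries with different actions combine, here is an added Python example (not Intune SDK code) covering the major.minor through major.minor.build.revision formats described in the table; it assumes missing trailing components count as 0 (so 16.4 equals 16.4.0.0) and that, when several entries fail, the most severe action (Wipe data over Block access over Warn) is the one reported.

```python
# Added example, not Intune SDK code: evaluate conditional launch version
# entries (Min OS version, Max OS version, Min app version) that appear more
# than once with different actions. Assumptions: missing trailing version
# components count as 0, and the most severe failing action is reported.
from typing import Optional

SEVERITY = {"Warn": 1, "Block access": 2, "Wipe data": 3}


def parse_version(text: str) -> tuple[int, ...]:
    """Accept major.minor, major.minor.build or major.minor.build.revision.

    The result is always padded to four integers so tuples compare directly.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {text!r}")
    numbers = [int(p) for p in parts]
    return tuple(numbers + [0] * (4 - len(numbers)))


def entry_fails(setting: str, device_version: str, required: str) -> bool:
    """True when the device value does not meet one Min/Max entry."""
    device, limit = parse_version(device_version), parse_version(required)
    if setting.startswith("Min "):
        return device < limit
    if setting.startswith("Max "):
        return device > limit
    raise ValueError(f"not a version setting: {setting!r}")


def evaluate_entries(device_version: str,
                     entries: list[tuple[str, str, str]]) -> Optional[str]:
    """Return the most severe action among failing entries, or None if all pass.

    entries holds (setting, value, action) rows as they appear in the
    conditional launch table, e.g. ("Min OS version", "15.0", "Block access").
    """
    worst = None
    for setting, value, action in entries:
        if action not in SEVERITY:
            raise ValueError(f"unknown action: {action!r}")
        if entry_fails(setting, device_version, value):
            if worst is None or SEVERITY[action] > SEVERITY[worst]:
                worst = action
    return worst


# Constructed policy (not from the page): three Min OS version instances with
# escalating actions plus one Max OS version instance, since the table says
# an entry may appear multiple times with a different action each time.
SAMPLE_ENTRIES = [
    ("Min OS version", "16.0", "Warn"),
    ("Min OS version", "15.0", "Block access"),
    ("Min OS version", "14.0", "Wipe data"),
    ("Max OS version", "17.4.1", "Warn"),
]
```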

Learn more
Learn about LinkedIn information and features in your Microsoft apps.
Learn about LinkedIn account connections release on the Microsoft 365 Roadmap page.
Learn about Configuring LinkedIn account connections.
For more information about data that is shared between users' LinkedIn and Microsoft work or school accounts, see LinkedIn in Microsoft applications at your work or school.
Preview: App protection policy settings for Windows
Article • 06/19/2023

This article describes app protection policy (APP) settings for Windows. The policy
settings that are described can be configured for an app protection policy on the
Settings pane in the Intune admin center (portal) when you make a new policy.

There are two categories of policy settings: Data protection and Health Checks. In this
article, the term policy-managed app refers to apps that are configured with app
protection policies.

Data protection
The Data protection settings impact the org data and context. As the admin, you can
control the movement of data into and out of the context of org protection. The org
context is defined by documents, services, and sites accessed by the specified org
account. The following policy settings help control external data received into the org
context and org data sent out of the org context.

Data Transfer

Setting: Receive data from; default value: All sources
How to use: Select one of the following options to specify the sources org users can receive data from:

All sources: Org users can open data from any account, document, location, or application into the org context.
No sources: Org users cannot open data from external accounts, documents, locations, or applications into the org context. NOTE: For Microsoft Edge, No sources controls file upload behavior either via drag and drop or the file open dialog. Local file viewing and sharing files between sites/tabs will be blocked.

Setting: Send org data to; default value: All destinations
How to use: Select one of the following options to specify the destinations org users can send data to:

All destinations: Org users can send org data to any account, document, location, or application.
No destinations: Org users cannot send org data to external accounts, documents, locations, or applications from the org context. NOTE: For Microsoft Edge, No destinations controls file download, Share, and Add to Collections only. This means sharing files between sites/tabs will be blocked.

Setting: Allow cut, copy, and paste for; default value: Any destination and any source
How to use: Select one of the following options to specify the sources and destinations org users can cut or copy or paste org data:

Any destination and any source: Org users can paste data from and cut/copy data to any account, document, location, or application.
No destination or source: Org users cannot cut, copy or paste data to or from external accounts, documents, locations or applications from or into the org context. NOTE: For Microsoft Edge, No destination or source blocks cut, copy, and paste behavior within the web content only. Cut, copy, and paste are disabled from all web content, but not application controls, including the address bar.

Functionality

Setting: Printing Org data; default value: Allow
How to use: Select Block to prevent printing of org data. Select Allow to permit printing of org data. Personal or unmanaged data is not affected.

Health Checks
Set the health check conditions for your app protection policy. Select a Setting and
enter the Value that users must meet to access your org data. Then select the Action
you want to take if users do not meet your conditionals. In some cases, multiple actions
can be configured for a single setting. For more information, see Health Check Actions.

App conditions
Configure the following health check settings to verify the application configuration
before allowing access to org accounts and data.

Setting: Offline grace period; default values: Block access (minutes): 720 minutes (12 hours); Wipe data (days): 90 days
How to use: The number of minutes that a policy-managed app can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. Actions include:

Block access (minutes): The number of minutes that policy-managed apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After the configured period expires, the app blocks access to work or school data until network access is available. The Offline grace period timer for blocking data access is calculated based on the last check-in with the Intune service. This policy-setting format supports a positive whole number.
Wipe data (days): After this many days (defined by the admin) of running offline, the app will require the user to connect to the network and reauthenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. See How to wipe only corporate data from Intune-managed apps for more information on what data is removed with a selective wipe. The Offline grace period timer for wiping data is calculated by the app based on the last check-in with the Intune service. This policy setting format supports a positive whole number.

This entry can appear multiple times, with each instance supporting a different action.

Setting: Min app version; default value: No default value
How to use: Specify a value for the minimum application version. Actions include:

Warn - The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
Block access - The user is blocked from access if the app version on the device doesn't meet the requirement.
Wipe data - The user account that is associated with the application is wiped from the device.

As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app.

This entry can appear multiple times, with each instance supporting a different action.

This policy setting supports matching Windows app bundle version formats (major.minor or major.minor.patch).

Setting: Min SDK version; default value: No default value
How to use: Specify a minimum value for the Intune SDK version. Actions include:

Block access - The user is blocked from access if the app's Intune app protection policy SDK version doesn't meet the requirement.
Wipe data - The user account that is associated with the application is wiped from the device.

This entry can appear multiple times, with each instance supporting a different action.

Setting: Disabled account; default value: No default value
How to use: Specify an automated action if the AAD account for the user is disabled. The admin may specify only one Action. There is no value to set for this setting. Actions include:

Block access - When we have confirmed the user has been disabled in Azure Active Directory, the app blocks access to work or school data.
Wipe data - When we have confirmed the user has been disabled in Azure Active Directory, the app will perform a selective wipe of the user's account and data.

Device conditions
Configure the following health check settings to verify the device configuration before
allowing access to org accounts and data. Similar device-based settings can be
configured for enrolled devices. Learn more about configuring device compliance
settings for enrolled devices.

Setting: Min OS version
How to use: Specify a minimum Windows operating system to use this app. Actions include:

Warn - The user will see a notification if the Windows version on the device doesn't meet the requirement. This notification can be dismissed.
Block access - The user will be blocked from access if the Windows version on the device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped from the device.

This entry can appear multiple times, with each instance supporting a different action.

This policy setting format supports either major.minor, major.minor.build, or major.minor.build.revision.

Setting: Max OS version
How to use: Specify a maximum Windows operating system to use this app. Actions include:

Warn - The user will see a notification if the Windows version on the device doesn't meet the requirement. This notification can be dismissed.
Block access - The user will be blocked from access if the Windows version on the device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped from the device.

This entry can appear multiple times, with each instance supporting a different action.

This policy setting format supports either major.minor, major.minor.build, or major.minor.build.revision.

Setting: Max allowed device threat level
How to use: App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either Secured, Low, Medium, or High. Secured requires no threats on the device and is the most restrictive configurable value, while High essentially requires an active Intune-to-MTD connection. Actions include:

Block access - The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped from the device.

For more information on using this setting, see Enable MTD for unenrolled devices.
Selectively wipe data using app protection policy conditional launch actions in Intune
Article • 03/31/2023

Conditional launch actions within Intune app protection policies provide organizations
the ability to block access or wipe org data when certain device or app conditions aren't
met.

You can explicitly choose to wipe your company's corporate data from the end user's
device as an action to take for non-compliance by using these settings. For some
settings, you'll be able to configure multiple actions, such as block access and wipe data
based on different specified values.

Create an app protection policy using conditional launch actions
1. Sign in to the Microsoft Intune admin center.

2. Select Apps > App protection Policies.

3. Click Create policy and select the platform of the device for your policy.

4. Click Configure required settings to see the list of settings available to be configured for the policy.

5. By scrolling down in the Settings pane, you'll see a section titled Conditional launch with an editable table.

6. Select a Setting and enter the Value that users must meet to sign in to your company app.

7. Select the Action you want to take if users don't meet your requirements. In some cases, multiple actions can be configured for a single setting. For more information, see How to create and assign app protection policies.

Policy settings
The app protection policy settings table has columns for Setting, Value, and Action.

iOS policy settings

For iOS/iPadOS, you'll be able to configure actions for the following settings using the
Setting dropdown:

Max PIN attempts
Offline grace period
Jailbroken/rooted devices
Max OS version
Min OS version
Min app version
Min SDK version
Device model(s)
Max allowed device threat level
Disabled account

To use the Device model(s) setting, input a semicolon-separated list of iOS/iPadOS
model identifiers. These values aren't case-sensitive. Besides Intune Reporting, you can find
the iOS/iPadOS model identifier for the 'Device model(s)' input in this third-party
GitHub repository.

Example input: iPhone5,2;iPhone5,3

On end-user devices, the Intune client would take action based on a simple matching of
device model strings specified in Intune for Application Protection Policies. Matching
depends entirely on what the device reports. You (the IT administrator) are encouraged
to ensure that the intended behavior occurs by testing this setting based on a variety of
device manufacturers and models, and targeted to a small user group. The default value
is Not configured.

Set one of the following actions:

Allow specified (Block nonspecified)
Allow specified (Wipe nonspecified)

What happens if the IT admin inputs a different list of iOS/iPadOS model identifier(s)
between policies targeted to the same apps for the same Intune user?

When conflicts arise between two app protection policies for configured values, Intune
typically takes the most restrictive approach. Thus, the resultant policy sent down to the
targeted app being opened by the targeted Intune user would be the intersection of the
iOS/iPadOS model identifier(s) listed in Policy A and Policy B targeted to the same
app/user combination. For example, if Policy A specifies "iPhone5,2;iPhone5,3" and
Policy B specifies "iPhone5,3", the resultant policy for the Intune user targeted by both
Policy A and Policy B will be "iPhone5,3".
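The list parsing, case-insensitive matching and most-restrictive merge described here for Device model(s), and the same rule the article gives for Android Device manufacturer(s) lists, as an added Python example that is not Intune client code; it assumes a policy that leaves the setting Not configured (an empty list) adds no restriction of its own.

```python
# Added example, not Intune client code: model the conditional launch
# Device model(s) / Device manufacturer(s) check. Rules taken from the
# article: semicolon-separated lists, case-insensitive values, a simple
# string match against what the device reports, and the intersection of two
# policies' lists when they conflict. Assumption: a Not configured (empty)
# list adds no restriction.
from typing import Iterable

ALLOW_BLOCK = "Allow specified (Block nonspecified)"
ALLOW_WIPE = "Allow specified (Wipe nonspecified)"


def parse_identifier_list(raw: str) -> frozenset[str]:
    """'iPhone5,2;iPhone5,3' -> {'iphone5,2', 'iphone5,3'} (trimmed, lower-cased)."""
    return frozenset(item.strip().lower() for item in raw.split(";") if item.strip())


def merge_policies(raw_lists: Iterable[str]) -> frozenset[str]:
    """Most-restrictive merge: the intersection of every configured policy's list."""
    configured = [parse_identifier_list(raw) for raw in raw_lists]
    configured = [lst for lst in configured if lst]  # skip Not configured
    if not configured:
        return frozenset()
    return frozenset.intersection(*configured)


def evaluate_device(reported: str, allowed: frozenset[str], action: str) -> str:
    """Return 'allow', 'block' or 'wipe' for the value the device reports.

    Matching is a plain case-insensitive string comparison, so the outcome
    depends entirely on what the device reports. An empty allowed set means
    the setting is Not configured and nothing is enforced.
    """
    if not allowed or reported.strip().lower() in allowed:
        return "allow"
    if action == ALLOW_WIPE:
        return "wipe"
    if action == ALLOW_BLOCK:
        return "block"
    raise ValueError(f"unknown action: {action!r}")
```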

Android policy settings

For Android, you'll be able to configure actions for the following settings using the
Setting dropdown:

Max PIN attempts
Offline grace period
Jailbroken/rooted devices
Min OS version
Max OS version
Min app version
Min patch version
Device manufacturer(s)
SafetyNet device attestation
Require threat scan on apps
Min Company Portal version
Max allowed device threat level
Disabled account
Require device lock

By using the Min Company Portal version setting, you can specify a minimum version of
the Company Portal that is enforced on an end user's device. This conditional launch
setting lets you set Block access, Wipe data, and Warn as the possible actions when the
minimum isn't met. The possible formats for the value follow the pattern
[Major].[Minor], [Major].[Minor].[Build], or [Major].[Minor].[Build].[Revision]. Because
some end users may not want a forced app update on the spot, the Warn action may be
the best choice when configuring this setting. The Google Play Store does a good job of
sending only the delta bytes for app updates, but the update can still be a large
amount of data that the user may not want to use if they are on a cellular data
connection at the time. Forcing an update, and thereby downloading an updated app,
could result in unexpected data charges at the time of the update. The Min Company
Portal version setting, if configured, affects any end user who has version 5.0.4560.0
of the Company Portal or any later version. This setting has no effect on users running
a version of the Company Portal older than the version this feature was released with.
End users who have app auto-updates enabled on their device will likely not see any
dialogs from this feature, because they'll likely be on the latest Company Portal
version. This setting is Android only, with app protection for enrolled and unenrolled
devices.

To use the Device manufacturer(s) setting, enter a semicolon-separated list of Android
manufacturers. These values aren't case-sensitive. Besides Intune Reporting, you can find
the Android manufacturer of a device under the device settings.

Example input: Manufacturer A;Manufacturer B

Note

These are some common manufacturers reported from devices using Intune, and
can be used as input: Asus;Blackberry;Bq;Gionee;Google;Hmd global;Htc;Huawei;Infinix;Kyocera;Lemobile;Lenovo;Lge;Motorola;Oneplus;Oppo;Samsung;Sharp;Sony;Tecno;Vivo;Vodafone;Xiaomi;Zte;Zuk

On end-user devices, the Intune client takes action based on a simple string match
between the value the device reports and the manufacturer list specified in the app
protection policy. Matching depends entirely on what the device reports. You (the IT
administrator) are encouraged to verify that the intended behavior occurs by testing this
setting against a variety of device manufacturers and models, targeted to a small user
group. The default value is Not configured.

Set one of the following actions:

Allow specified (Block on nonspecified)
Allow specified (Wipe on nonspecified)

What happens if the IT admin inputs a different list of Android manufacturer(s)
between policies targeted to the same apps for the same Intune user?

When two app protection policies configure the same value differently, Intune
typically takes the most restrictive approach. The resulting policy sent to the
targeted app, when opened by the targeted Intune user, is therefore the intersection of
the Android manufacturers listed in Policy A and Policy B for the same app/user
combination. For example, if Policy A specifies "Google;Samsung" and Policy B specifies
"Google", the resulting policy for a user targeted by both Policy A and Policy B is
"Google".
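The intersection rule described above, for both the iOS/iPadOS model identifier list and the Android manufacturer list, as an added Python example; this is not code from Intune or Microsoft. It assumes that model identifiers compare exactly, that manufacturer names compare case-insensitively as stated above, and that whitespace around list items is ignored. The function names and the sample policy values are constructed for the example.

```python
# Added example (not Microsoft's code): resolving two app protection policies that
# both configure a semicolon-separated allow list for the same app/user combination.
# Intune keeps the most restrictive result, i.e. the intersection of the lists.
# Assumptions: iOS model identifiers compare exactly; Android manufacturer names
# compare case-insensitively (as the page states); whitespace around items is ignored.


def parse_allow_list(value):
    """Split 'A;B;C' into a list of trimmed, non-empty items, preserving order."""
    return [item.strip() for item in value.split(";") if item.strip()]


def merge_allow_lists(policy_values, case_sensitive):
    """Intersect the allow lists of every policy targeting the same app/user.

    Items are returned with the spelling used by the first policy, in its order,
    without duplicates. An empty result means no device value satisfies all policies.
    """
    def key(item):
        return item if case_sensitive else item.casefold()

    lists = [parse_allow_list(v) for v in policy_values]
    if not lists:
        return []
    common = {key(item) for item in lists[0]}
    for other in lists[1:]:
        common &= {key(item) for item in other}
    seen, result = set(), []
    for item in lists[0]:
        k = key(item)
        if k in common and k not in seen:
            seen.add(k)
            result.append(item)
    return result


def resolve_ios_models(*policy_values):
    return merge_allow_lists(policy_values, case_sensitive=True)


def resolve_android_manufacturers(*policy_values):
    return merge_allow_lists(policy_values, case_sensitive=False)


def conditional_launch_action(reported_value, allow_list, action_on_nonspecified, case_sensitive):
    """Apply 'Allow specified (<action> on nonspecified)' to the value the device reports.

    Returns "Allow" when the reported value is in the resolved list, otherwise the
    configured action ("Block access" or "Wipe data").
    """
    def key(item):
        return item if case_sensitive else item.casefold()

    if key(reported_value.strip()) in {key(item) for item in allow_list}:
        return "Allow"
    return action_on_nonspecified


if __name__ == "__main__":
    ios = resolve_ios_models("iPhone5,2;iPhone5,3", "iPhone5,3")
    android = resolve_android_manufacturers("Google;Samsung", "google")
    print("iOS result:", ios)          # ['iPhone5,3']
    print("Android result:", android)  # ['Google']
    print(conditional_launch_action("samsung", android, "Block access", case_sensitive=False))
```

Note the consequence of the intersection: if two policies list disjoint values, the merged list is empty, and with "Allow specified (Block on nonspecified)" every device would be blocked. Piloting with a small user group, as recommended above, catches that before a broad assignment does.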

Additional settings and actions

By default, if the Require PIN for access setting is set to Yes, the table is
pre-populated with rows for the Offline grace period and Max PIN attempts settings.

To configure a setting, select a setting from the dropdown under the Setting column.
Once a setting is selected, the editable text box will become enabled under the Value
column in the same row, if a value is required to be set. Also, the dropdown will become
enabled under the Action column with the set of conditional launch actions applicable
to the setting.

The following list provides the common list of actions:

Block access – Block the end user from accessing the corporate app.
Wipe data – Wipe the corporate data from the end user's device.
Warn – Provide dialog to end user as a warning message.

In some cases, such as the Min OS version setting, you can configure the setting to
perform all applicable actions based on different version numbers.

Once a setting is fully configured, the row appears in a read-only view and can be
edited at any time. In addition, a dropdown remains available for selection in the
Setting column. Settings that have already been configured and don't allow multiple
actions aren't available for selection in the dropdown.
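The version format accepted by Min Company Portal version and the multiple-action behavior just described, carried through as an added Python example; this is not Intune's code. It assumes that a shorter version such as 5.0 is compared as 5.0.0.0 and that, when several thresholds are unmet at once, the most severe action (Wipe data over Block access over Warn) wins, which is consistent with Intune taking the most restrictive approach. The threshold values are constructed.

```python
# Added example (not Microsoft's code): parsing the [Major].[Minor],
# [Major].[Minor].[Build] or [Major].[Minor].[Build].[Revision] version format that
# Min Company Portal version accepts, and choosing the conditional launch action when
# several thresholds are configured on one setting. The threshold values below are
# constructed; the rule that the most severe unmet threshold wins is an assumption
# consistent with Intune taking the most restrictive approach.
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+)(?:\.(\d+))?)?$")

# Severity order of the common conditional launch actions.
SEVERITY = {"Warn": 1, "Block access": 2, "Wipe data": 3}


def parse_version(text):
    """Return a 4-tuple so that '5.0' == '5.0.0.0' and versions compare numerically."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a [Major].[Minor][.Build[.Revision]] version: {text!r}")
    parts = [int(p) for p in match.groups() if p is not None]
    return tuple(parts + [0] * (4 - len(parts)))


def evaluate_min_version(reported_version, thresholds):
    """Decide the action for a reported app or Company Portal version.

    thresholds maps an action name to the minimum version that must be met to
    avoid that action, e.g. {"Warn": "5.0.5000", "Block access": "5.0.4700"}.
    Returns the most severe action whose minimum is not met, or None when the
    reported version satisfies every threshold.
    """
    current = parse_version(reported_version)
    unmet = [action for action, minimum in thresholds.items()
             if current < parse_version(minimum)]
    if not unmet:
        return None
    return max(unmet, key=lambda action: SEVERITY[action])


# Constructed thresholds: warn on slightly old builds, block on older ones, wipe on very old ones.
SAMPLE_THRESHOLDS = {"Warn": "5.0.5000.0", "Block access": "5.0.4700", "Wipe data": "4.9"}

if __name__ == "__main__":
    for reported in ("5.1", "5.0.4800", "5.0.4560.0", "4.8.1"):
        print(reported, "->", evaluate_min_version(reported, SAMPLE_THRESHOLDS))
```

Rejecting malformed values at parse time matters here: a threshold typed as "5" or "5.0.4700a" would otherwise silently compare as something else and either block everyone or nobody.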

Next steps

For more information on Intune app protection policies, see:

How to create and assign app protection policies
iOS/iPadOS app protection policy settings
Android app protection policy settings in Microsoft Intune

How to create exceptions to the Intune App Protection Policy (APP) data transfer policy
Article • 03/31/2023

As an administrator, you can create exceptions to the Intune App Protection Policy (APP)
data transfer policy. An exception allows you to specifically choose which unmanaged
apps can transfer data to and from managed apps. Your IT department must trust the
unmanaged apps that you include in the exception list.

Warning

You are responsible for making changes to the data transfer exception policy.
Additions to this policy allow unmanaged apps (apps that are not managed by
Intune) to access data protected by managed apps. This access to protected data
may result in data security leaks. Only add data transfer exceptions for apps that
your organization must use, but that do not support Intune APP (Application
Protection Policies). Additionally, only add exceptions for apps that you do not
consider to be data leak risks.

Within an Intune Application Protection Policy, setting Allow app to transfer data to
other apps to Policy managed apps means that the app can transfer data only to apps
managed by Intune. If you need to allow data to be transferred to specific apps that
don't support Intune APP, you can create exceptions to this policy by using Select apps
to exempt. Exemptions allow applications managed by Intune to invoke unmanaged
applications based on URL protocol (iOS/iPadOS) or package name (Android). By
default, Intune adds vital native applications to this list of exceptions.

Note

Modifying or adding to the data transfer policy exceptions doesn't impact other
App Protection Policies, such as cut, copy, and paste restrictions.

iOS data transfer exceptions

For a policy targeting iOS/iPadOS, you can configure data transfer exceptions by URL
protocol. To add an exception, check the documentation provided by the developer of
the app to find information about supported URL protocols. For more information about
iOS/iPadOS data transfer exceptions, see iOS/iPadOS app protection policy settings -
Data transfer exemptions.

Note

Microsoft does not have a method to manually find the URL protocol for creating
app exceptions for third-party applications.

Android data transfer exceptions

For a policy targeting Android, you can configure data transfer exceptions by app
package name. You can check the Google Play store page for the app you would like to
add an exception for to find the app package name. For more information about
Android data transfer exceptions, see Android app protection policy settings - Data
transfer exemptions.

Tip

You can find the package ID of an app by browsing to the app on the Google Play
store. The package ID is contained in the URL of the app's page. For example, the
package ID of the Microsoft Word app is com.microsoft.office.word.

Example

By adding the Webex package as an exception to the MAM data transfer policy, Webex
links inside a managed Outlook email message are allowed to open directly in the
Webex application. Data transfer is still restricted in other unmanaged apps.

iOS/iPadOS Webex example: To exempt the Webex app so that it's allowed to be invoked by
Intune managed apps, you must add a data transfer exception for the following string: wbx

iOS/iPadOS Maps example: To exempt the native Maps app so that it's allowed to be invoked
by Intune managed apps, you must add a data transfer exception for the following string: maps

Android Webex example: To exempt the Webex app so that it's allowed to be invoked by
Intune managed apps, you must add a data transfer exception for the following string:
com.cisco.webex.meetings

Android SMS example: To exempt the native SMS app so that it's allowed to be invoked by
Intune managed apps across different messaging apps and Android devices, you must add
data transfer exceptions for the following strings:
com.google.android.apps.messaging
com.android.mms
com.samsung.android.messaging
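How an exception list is applied to an outbound link, as an added Python example that is not Intune's code. It checks a link's URL protocol against the iOS/iPadOS exceptions and a target app's package name against the Android exceptions, and extracts a package ID from a Google Play store URL as the tip above describes. The exception sets are built from the strings on this page; the sample links, the package-name validation pattern, and the function names are constructed for the example.

```python
# Added example (not Microsoft's code): applying a data transfer exception list to an
# outbound link from a managed app. On iOS/iPadOS exceptions are URL protocols
# (schemes); on Android they are package names. Also shows extracting a package ID
# from a Google Play store URL, as the tip above describes. The exception sets are
# built from the strings on this page; the link and URL samples are constructed.
import re
from urllib.parse import parse_qs, urlsplit

IOS_EXEMPT_SCHEMES = {"wbx", "maps"}
ANDROID_EXEMPT_PACKAGES = {
    "com.cisco.webex.meetings",
    "com.google.android.apps.messaging",
    "com.android.mms",
    "com.samsung.android.messaging",
}
# Android package names: dot-separated Java-style identifiers (assumed validation rule).
_PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def ios_transfer_allowed(url, exempt_schemes=IOS_EXEMPT_SCHEMES):
    """True when the link's URL scheme is on the exception list (schemes are case-insensitive)."""
    scheme = urlsplit(url.strip()).scheme.casefold()
    return bool(scheme) and scheme in {s.casefold() for s in exempt_schemes}


def android_transfer_allowed(package_name, exempt_packages=ANDROID_EXEMPT_PACKAGES):
    """True when the target app's package name is on the exception list (exact match)."""
    name = package_name.strip()
    return bool(_PACKAGE_RE.match(name)) and name in exempt_packages


def package_id_from_play_url(url):
    """Extract the 'id' query parameter from a play.google.com app page URL, or None."""
    parts = urlsplit(url.strip())
    if parts.netloc.casefold() != "play.google.com":
        return None
    candidates = parse_qs(parts.query).get("id", [])
    if not candidates or not _PACKAGE_RE.match(candidates[0]):
        return None
    return candidates[0]


if __name__ == "__main__":
    print(ios_transfer_allowed("wbx://join?meeting=12345"))        # True
    print(ios_transfer_allowed("https://example.invalid/doc"))     # False
    print(android_transfer_allowed("com.cisco.webex.meetings"))    # True
    print(package_id_from_play_url(
        "https://play.google.com/store/apps/details?id=com.microsoft.office.word&hl=en"))
```

Only the URL protocol is consulted on iOS/iPadOS, so an exception for wbx applies to every link using that scheme regardless of host or path; that is why the warning at the top of this article asks you to exempt only apps your organization must use and trusts.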

Next steps

Create and deploy app protection policies
iOS/iPadOS app protection policy settings - Data transfer exemptions
Android app protection policy settings - Data transfer exemptions

How to validate your app protection policy setup in Microsoft Intune
Article • 03/31/2023

Validate that your app protection policy is correctly set up and working. This guidance
applies to app protection policies in the portal.

Checking for symptoms

Users are unlikely to report issues since app protection is a data protection tool. If
there's a problem with the app protection configuration, the user will have unrestricted
access, as they would have without app protection, and they wouldn't know there's an
issue. For this reason, we recommend you validate your app protection configuration by
piloting your app protection policies with a small group of users who can deliberately
test the app protection restrictions.

What to check

If testing shows that your app protection policy isn't behaving as expected, check
these items:

Are the users licensed for app protection?
Are the users licensed for Microsoft 365?
Is the status of each of the users' app protection apps as expected? The possible
statuses for the apps are Checked in and Not checked in.

User app protection status

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > Monitor > App protection status, and then select the Assigned
users tile.
3. On the App reporting page, select Select user to bring up a list of users and
groups.
4. Search for and select a user from the list, then choose Select user. At the top of the
App reporting pane, you can see whether the user is licensed for app protection.
You can also see whether the user has a license for Microsoft 365 and the app
status for all of the user's devices.

What to do

Here are the actions to take based on the user status:

If the user isn't licensed for app protection, assign an Intune license to the user.
If the user isn't licensed for Microsoft 365, get a license for the user.
If a user's app is listed as Not checked in, check if you've correctly configured an
app protection policy for that app.
Ensure that these conditions apply across all users to which you want app
protection policies to apply.

See also

What is Intune app protection policy?
Licenses that include Intune
Assign licenses to users so they can enroll devices in Intune
How to validate your app protection policy setup
How to monitor app protection policies

Understand App Protection Policy delivery timing
Article • 03/31/2023

Learn the different deployment windows for app protection policies to understand when
changes should appear on your end-user devices.

Delivery timing summary

App protection policy (APP) delivery depends on the license state and Intune service
registration for your users.

User state: Tenant not onboarded
  App Protection: Wait for the next retry interval. App Protection isn't active for the user.
  Retry interval (see note): 24 hours
  Why does this behavior happen? You haven't set up your tenant for Intune.

User state: User not licensed
  App Protection: Wait for the next retry interval. App Protection isn't active for the user.
  Retry interval (see note): 12 hours. On Android devices, this interval requires Intune APP SDK version 5.6.0 or later; otherwise the interval for Android devices is 24 hours.
  Why does this behavior happen? You haven't licensed the user for Intune.

User state: User not assigned App Protection Policies
  App Protection: Wait for the next retry interval. App Protection isn't active for the user.
  Retry interval (see note): 12 hours
  Why does this behavior happen? You haven't assigned APP settings to the user.

User state: User assigned App Protection Policies, but the app isn't defined in the App Protection Policies
  App Protection: Wait for the next retry interval. App Protection isn't active for the user.
  Retry interval (see note): 12 hours
  Why does this behavior happen? You haven't added the app to APP.

User state: User successfully registered for Intune MAM
  App Protection: App Protection is applied per user policy settings. Updates occur based on the retry interval.
  Retry interval (see note): Defined by the Intune service based on load. Typically 30 minutes.
  Why does this behavior happen? The user has successfully registered with the Intune service for APP configuration.

Note

Retry intervals may require active app use to occur, meaning the app is launched
and in use. If the retry interval is 24 hours and the user waits 48 hours to launch the
app, the Intune APP SDK will retry at 48 hours.

Handling network connectivity issues

When user registration fails because of network connectivity issues, an accelerated retry
interval is used. The Intune APP SDK retries at increasingly longer intervals until the
interval reaches 60 minutes or a successful connection is made. The Intune APP SDK then
continues to retry at 60-minute intervals until a successful connection is made, after
which it returns to the standard retry interval based on the user state.
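The retry intervals from the table above, the "next launch" rule from the note, and the accelerated retry schedule, as an added Python example that is not the Intune APP SDK's code. The page does not state the starting delay or growth factor of the accelerated schedule; the values used here (start at 1 minute, double each attempt, cap at 60 minutes) and the state names are assumptions made for the example.

```python
# Added example (not Microsoft's code): the APP retry interval for each user state in
# the table above, the "next launch" rule from the note, and a simulation of the
# accelerated retry schedule used after a network failure. The page does not state
# the growth factor or starting delay of the accelerated schedule; the values used
# here (start at 1 minute, double each time, cap at 60 minutes) are assumptions.
from datetime import timedelta


def _sdk_version(text):
    return tuple(int(p) for p in text.split("."))


def retry_interval(user_state, platform="ios", android_sdk_version="5.6.0"):
    """Standard retry interval for a user state (values from the delivery timing table)."""
    if user_state == "tenant_not_onboarded":
        return timedelta(hours=24)
    if user_state == "user_not_licensed":
        # 12 hours, but Android needs Intune APP SDK 5.6.0 or later; older SDKs wait 24 hours.
        if platform == "android" and _sdk_version(android_sdk_version) < (5, 6, 0):
            return timedelta(hours=24)
        return timedelta(hours=12)
    if user_state in ("no_policy_assigned", "app_not_in_policy"):
        return timedelta(hours=12)
    if user_state == "registered":
        return timedelta(minutes=30)  # service-defined; "typically 30 mins"
    raise ValueError(f"unknown user state: {user_state}")


def next_retry_at(last_attempt, interval, next_launch):
    """Retries need active app use: the retry happens at the later of the two times."""
    return max(last_attempt + interval, next_launch)


def accelerated_retry_delays(attempts, start=timedelta(minutes=1), factor=2,
                             cap=timedelta(minutes=60)):
    """Delays between successive registration attempts while the network is unreachable."""
    delays, delay = [], start
    for _ in range(attempts):
        delays.append(delay)
        delay = min(delay * factor, cap)
    return delays


if __name__ == "__main__":
    print(retry_interval("user_not_licensed", "android", "5.5.2"))   # 1 day, 0:00:00
    print([int(d.total_seconds() // 60) for d in accelerated_retry_delays(8)])
```

The practical reading for an administrator: after fixing a licensing or assignment problem, a user on an app that is already open may not pick up the change for up to the state's full interval, and a user who does not launch the app at all picks it up only at the next launch.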

Next steps

Assign licenses to users so they can enroll devices in Intune

Protecting application extensions
Article • 03/31/2023

This article describes app protection policies for extensions in Microsoft Intune.

Add-ins for Outlook app

Outlook add-ins let you integrate popular apps with the email client. Add-ins for
Outlook are available on the web, Windows, Mac, and Outlook for Android and
iOS/iPadOS. The Intune APP SDK and Intune app protection policies don't include
support for managing add-ins for Outlook, but there are other ways to limit their use.
Because add-ins are managed through Microsoft Exchange, users can share data and
messages between Outlook and unmanaged add-in applications unless add-ins are turned
off for the user in Exchange.

If you want to stop your end users from accessing and installing Outlook add-ins (this
affects all Outlook clients), make the following changes to roles in the Exchange admin
center:

To prevent users from installing Office Store add-ins, remove the My Marketplace
role from them.
To prevent users from side loading add-ins, remove the My Custom Apps role from
them.
To prevent users from installing any add-ins, remove both the My Custom Apps and My
Marketplace roles from them.

These instructions apply to Microsoft 365, Exchange 2016, Exchange 2013 across
Outlook on the web, Windows, Mac, and mobile.

Learn more about add-ins for Outlook.

Learn more about how to specify the administrators and users who can install and
manage add-ins for Outlook app.

LinkedIn account connections for Microsoft apps

LinkedIn account connections allow users to see public LinkedIn profile information
within certain Microsoft apps. By default, your users can choose to connect their
LinkedIn and Microsoft work or school accounts to see additional LinkedIn profile
information.

Note

LinkedIn integration is currently unavailable for United States Government
customers and for organizations with Exchange Online mailboxes hosted in
Australia, Canada, China, France, Germany, India, South Korea, United Kingdom,
Japan, and South Africa.

The Intune SDK and Intune app protection policies don't include support for managing
LinkedIn account connections, but there are other ways to manage them. You can
disable LinkedIn account connections for your entire organization, or you can enable
LinkedIn account connections for selected user groups in your organization. These
settings affect LinkedIn connections across Microsoft 365 apps on all platforms (web,
mobile, and desktop). You can:

Enable or disable LinkedIn account connections for your tenant in the portal.
Enable or disable LinkedIn account connections for your organization's Office 2016
apps using Group Policy.

If LinkedIn integration is enabled for your tenant, when users in your organization
connect their LinkedIn and Microsoft work or school accounts, they have two options:

They can give permission to share data between both accounts. This means that
they give permission for their LinkedIn account to share data with their Microsoft
work or school account, and for their Microsoft work or school account to share
data with their LinkedIn account. Data that is shared with LinkedIn leaves the
online services.
They can give permission to share data only from their LinkedIn account to their
Microsoft work or school account.

If a user consents to sharing data between accounts, as with Office add-ins, LinkedIn
integration uses existing Microsoft Graph APIs. LinkedIn integration uses only a subset
of the APIs available to Office add-ins and supports various exclusions.

Microsoft Graph permissions and their descriptions:

Read permissions for People – Allows the app to read a scored list of people relevant to the signed-in user. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype).
Read permissions for Calendars – Allows the app to read events in user calendars. Includes the meetings in signed-in user calendars, their times, locations, and attendees.
Read permissions for User Profile – Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information for signed-in users.
Subscriptions – This scope isn't available and not yet in use. It includes subscriptions provided by the user's organization to Microsoft apps and services, such as Microsoft 365.
Insights – This scope isn't available and not yet in use. It includes the interests associated with the signed-in user's account based on their use of Microsoft services.

Learn more

Learn about LinkedIn information and features in your Microsoft apps.
Learn about LinkedIn account connections release on the Microsoft 365 Roadmap page.
Learn about Configuring LinkedIn account connections.
For more information about data that is shared between users' LinkedIn and
Microsoft work or school accounts, see LinkedIn in Microsoft applications at your
work or school.

How to monitor app protection policies
Article • 07/26/2023

You can monitor the status of the app protection policies that you've applied to users
from the Intune app protection pane in Intune. Additionally, you can find information
about the users affected by app protection policies, policy compliance status, and any
issues that your users might be experiencing.

App protection data is retained for a minimum of 90 days. Any app instances that have
checked in to the Intune service within the past 90 days is included in the app protection
status report.

Note

For iOS 16 and later devices, the Device Name value in all app protection reports
will be a generic device name. For related information, see Apple Developer
documentation.

View the App protection status report

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > Monitor > App protection status.

The following list provides details about app protection status:

User: The name of the user.
Email: The email of the user.
App: The name of the app that is being protected.
App version: The version of the app.
Device Name: Names of any devices that are associated with the user's account.
App Instance ID: The string that identifies a unique user + app + device that has
checked in with the Intune service.
Device type: The type of device or operating system of the device.
AAD Device ID: The AAD device ID is displayed if the device is AAD-joined.
Management type: The type of management on the device. For example,
unmanaged, MDM, or Android Enterprise.
Platform: The operating system of the device.
Policy name: The name of the app protection policy targeted to the app for the
user.
Last sync: The timestamp of the last sync of the app with Microsoft Intune.
Device manufacturer: The manufacturer of the Android device.
Device model: The Android device model.
Android patch version: The date of the last Android Security Patch received by the
device.
MDM device ID: The MDM device ID is displayed if the device is enrolled with
Microsoft Intune MDM.
Platform version: The operating system version.
App Protection Status: The app is considered protected if it is targeted with a
MAM policy.
iOS SDK version: The current iOS MAM SDK version of the iOS app.
Compliance State: The app meets compliance if it is targeted with MAM policy.

Note

The Last Sync column represents the same value in both the in-console User status
report and the App Protection Policy exportable .csv report. The difference is a
small delay in synchronization between the value in the two reports.

The time referenced in Last Sync is when Intune last saw the app instance. When a
user launches an app, it might notify the Intune App Protection service at that
launch time, depending on when it last checked in. See the retry interval times for
App Protection Policy check-in. If a user hasn't used that particular app in the last
check-in interval (which is usually 30 minutes for active usage), and they launch the
app, then:

The App Protection Policy exportable .csv report has the newest time, within 1
minute (minimum) to 30 minutes (maximum).
The User status report has the newest time instantly.

For example, consider a targeted and licensed user who launches a protected app
at 12:00 PM:

If this is a first-time sign-in, the user was signed out before and doesn't have an
app instance registration with Intune. After the user signs in, the user gets a new
app instance registration and can be checked in immediately (with the same time
delays listed previously for future check-ins). Thus, the Last Sync time is 12:00 PM
in the User status report, and 12:01 PM (or 12:30 PM at latest) in the App
Protection Policy report.
If the user is just launching the app, the Last Sync time reported depends on
when the user last checked in.
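A triage pass over an exported App protection status report, as an added Python example that is not Microsoft's code; it uses a subset of the report columns listed above and applies the checks from the validation article (is a policy targeted, is the instance protected and compliant, has it checked in). The CSV rows, the email domain, the column values, and the seven-day "not checked in recently" threshold are constructed for the example.

```python
# Added example (not Microsoft's code): a triage pass over an exported App protection
# status report, using a subset of the columns listed above. The CSV rows are
# constructed; the seven-day "not checked in recently" threshold is an assumption.
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
User,Email,App,App version,Platform,Policy name,Last sync,App Protection Status,Compliance State
Alice Example,alice@contoso.example,Microsoft Outlook,4.2310.0,iOS,Contoso iOS APP,2023-07-26T11:58:00Z,Protected,Compliant
Bob Example,bob@contoso.example,Microsoft Teams,1.0.0.2023,Android,,2023-07-20T09:12:00Z,Not protected,Not compliant
Carol Example,carol@contoso.example,Microsoft Word,2.75,iOS,Contoso iOS APP,2023-06-01T08:00:00Z,Protected,Compliant
"""


def parse_sync_time(text):
    """Parse the UTC timestamp format used in the constructed export."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_report(csv_text, now, stale_after=timedelta(days=7)):
    """Return (email, app, reason) findings that need an administrator's attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email, app = row["Email"], row["App"]
        if not row["Policy name"].strip():
            findings.append((email, app, "no app protection policy targets this app"))
        if row["App Protection Status"].strip().casefold() != "protected":
            findings.append((email, app, "app instance is not protected"))
        if row["Compliance State"].strip().casefold() != "compliant":
            findings.append((email, app, "app instance is not compliant"))
        if now - parse_sync_time(row["Last sync"]) > stale_after:
            findings.append((email, app, "not checked in recently"))
    return findings


def sample_findings():
    """Run the triage over the constructed report at a fixed 'now'."""
    now = datetime(2023, 7, 26, 12, 0, tzinfo=timezone.utc)
    return triage_report(SAMPLE_REPORT, now)


if __name__ == "__main__":
    for email, app, reason in sample_findings():
        print(f"{email:24} {app:18} {reason}")
```

A user who appears with no policy name is the case the validation article flags first: the app is running unprotected and the user will not notice, so the report, not a help desk ticket, is where the gap shows up.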

See also

How to create and assign app protection policies
Intune reports

Get ready for Windows Information Protection in Windows 10/11
Article • 03/31/2023

Enable mobile application management (MAM) for Windows 10/11 by setting the MAM
provider in Azure AD. Setting a MAM provider in Azure AD allows you to define the
enrollment state when creating a new Windows Information Protection (WIP) policy with
Intune. The enrollment state can be either MAM or mobile device management (MDM).

Important

Windows Information Protection (WIP) policies without enrollment have been
deprecated. You can no longer create WIP policies for unenrolled devices.

To configure the MAM provider

1. Sign in to the Microsoft Intune admin center.

2. Select All services and choose M365 Azure Active Directory to switch dashboards.

3. Select Azure Active Directory.

4. Choose Mobility (MDM and MAM) in the Manage group.

5. Click Microsoft Intune.

6. Configure the settings in the Restore default MAM URLs group on the Configure
pane.

   MAM user scope

   Use MAM auto-enrollment to manage enterprise data on your employees' Windows
   devices. MAM auto-enrollment will be configured for bring your own device scenarios.

   None – Select if no users can be enrolled in MAM.
   Some – Select Azure AD groups that contain users who will be enrolled in MAM.
   All – Select if all users can be enrolled in MAM.

   MAM terms of use URL

   The MAM terms of use URL is not supported for Microsoft Intune. This input box
   must be left blank for protection policies to apply.

   MAM discovery URL

   The URL of the enrollment endpoint of the MAM service. The enrollment endpoint
   is used to enroll devices for management with the MAM service.

   MAM compliance URL

   The MAM compliance URL is not supported for Microsoft Intune. This input box
   must be left blank for protection policies to apply.

7. Click Save.

Next steps

Create a WIP policy

Create and deploy Windows Information Protection (WIP) policy with Intune
Article • 05/01/2023

Note

Microsoft Endpoint Manager has discontinued future investments in managing and
deploying Windows Information Protection.

Support for the Windows Information Protection without enrollment scenario in
Microsoft Intune has been removed.

For more information, see End of support guidance for Windows Information
Protection.

You can use Windows Information Protection (WIP) policies with Windows 10 apps to
protect apps without device enrollment.

Before you begin

You must understand a few concepts when adding a WIP policy:

List of allowed and exempt apps

Protected apps: These apps are the apps that need to adhere to this policy.
Exempt apps: These apps are exempt from this policy and can access corporate
data without restrictions.

Types of apps

Recommended apps: A pre-populated list of (mostly Microsoft Office) apps that
you can easily import into the policy.
Store apps: You can add any app from the Windows store to the policy.
Windows desktop apps: You can add any traditional Windows desktop apps to the
policy (for example, .exe, .dll).

Prerequisites

You must configure the MAM provider before you can create a WIP policy. Learn more
about how to configure your MAM provider with Intune.

Important

WIP does not support multi-identity, only one managed identity can exist at a time.
For more information about the capabilities and limitations of WIP, see Protect
your enterprise data using Windows Information Protection (WIP).

Additionally, you need to have the following license and update:

Azure AD Premium license
Windows Creators Update

To add a WIP policy

After you set up Intune in your organization, you can create a WIP-specific policy.

Important

Windows Information Protection (WIP) policies without enrollment have been
deprecated. You can no longer create WIP policies for unenrolled devices.

Tip

For related information about creating WIP policies for Intune, including available
settings and how to configure them, see Create a Windows Information Protection
(WIP) policy with MAM using the portal for Microsoft Intune in the Windows
Security documentation library.

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > App protection policies > Create policy.
3. Add the following values:

   Name: Type a name (required) for your new policy.
   Description: (Optional) Type a description.
   Platform: Choose Windows 10 as the supported platform for your WIP policy.
   Enrollment state: Choose Without enrollment as the enrollment state for
   your policy.

4. Choose Create. The policy is created and appears in the table on the App
protection policies pane.

To add recommended apps to your protected apps list

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > App protection policies.
3. On the App protection policies pane, choose the policy you want to modify. The
Intune App Protection pane is displayed.
4. Choose Protected apps from the Intune App Protection pane. The Protected apps
pane opens showing you all apps that are already included in the list for this app
protection policy.
5. Select Add apps. The Add apps information shows you a filtered list of apps. The
list at the top of the pane allows you to change the list filter.
6. Select each app that you want to allow to access your corporate data.
7. Click OK. The Protected apps pane is updated showing all selected apps.
8. Click Save.

Add a Store app to your protected apps list

To add a Store app

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > App protection policies.
3. On the App protection policies pane, choose the policy you want to modify. The
Intune App Protection pane is displayed.
4. Choose Protected apps from the Intune App Protection pane. The Protected apps
pane opens showing you all apps that are already included in the list for this app
protection policy.
5. Select Add apps. The Add apps information shows you a filtered list of apps. The
list at the top of the pane allows you to change the list filter.
6. From the list, select Store apps.
7. Enter values for Name, Publisher, Product Name, and Action. Be sure to set the
Action value to Allow, so that the app will have access to your corporate data.
8. Click OK. The Protected apps pane is updated showing all selected apps.
9. Click Save.
Add a desktop app to your protected apps list

To add a desktop app

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > App protection policies.
3. On the App protection policies pane, choose the policy you want to modify. The
Intune App Protection pane is displayed.
4. Choose Protected apps from the Intune App Protection pane. The Protected apps
pane opens showing you all apps that are already included in the list for this app
protection policy.
5. Select Add apps. The Add apps information shows you a filtered list of apps. The
list at the top of the pane allows you to change the list filter.
6. From the list, select Desktop apps.
7. Enter values for Name, Publisher, Product Name, File, Min Version, Max Version,
and Action. Be sure to set the Action value to Allow, so that the app will have
access to your corporate data.
8. Click OK. The Protected apps pane is updated showing all selected apps.
9. Click Save.
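How the desktop app entries of a protected apps list resolve for a running app, as an added Python example that is not WIP's or Intune's code. The field names mirror the form in step 7 above (Name, Publisher, Product Name, File, Min Version, Max Version, Action); the sample rule, the publisher string, and the matching semantics (case-insensitive exact compare, "*" as a wildcard, inclusive version range, first matching rule wins) are assumptions made for the example.

```python
# Added example (not Microsoft's code): matching a running desktop app against the
# desktop app entries of a WIP protected apps list. The field names mirror the form
# (Name, Publisher, Product Name, File, Min Version, Max Version, Action); the sample
# rule and the matching semantics (case-insensitive exact compare, '*' as wildcard,
# inclusive version range, first match wins) are assumptions made for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class DesktopAppRule:
    name: str
    publisher: str
    product_name: str
    file: str
    min_version: str = "*"
    max_version: str = "*"
    action: str = "Allow"


def _version_key(text):
    """Pad to four components so '2.5' and '2.5.0.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def _field_ok(rule_value, actual):
    return rule_value == "*" or rule_value.casefold() == actual.strip().casefold()


def rule_matches(rule, publisher, product_name, file, version):
    """True when every field of the rule accepts the running app's identity."""
    if not (_field_ok(rule.publisher, publisher)
            and _field_ok(rule.product_name, product_name)
            and _field_ok(rule.file, file)):
        return False
    current = _version_key(version)
    if rule.min_version != "*" and current < _version_key(rule.min_version):
        return False
    if rule.max_version != "*" and current > _version_key(rule.max_version):
        return False
    return True


def wip_action_for(rules, publisher, product_name, file, version):
    """Action of the first matching rule, or None when no rule covers the app
    (the case WIP Learning surfaces as a WIP-unknown app)."""
    for rule in rules:
        if rule_matches(rule, publisher, product_name, file, version):
            return rule.action
    return None


# Constructed sample rule: one signed line-of-business editor, versions 1.0 through 2.5.
SAMPLE_RULES = [
    DesktopAppRule("Contoso Editor", "O=Contoso Ltd, L=Redmond, S=Washington, C=US",
                   "Contoso Editor", "editor.exe", "1.0", "2.5"),
]

if __name__ == "__main__":
    publisher = SAMPLE_RULES[0].publisher
    print(wip_action_for(SAMPLE_RULES, publisher, "Contoso Editor", "EDITOR.EXE", "2.3.1"))  # Allow
    print(wip_action_for(SAMPLE_RULES, publisher, "Contoso Editor", "editor.exe", "3.0"))    # None
```

A version outside the Min Version/Max Version range falls through to None here, which is the behavior to expect in the WIP Learning report after an app update: the updated build shows up as unknown until the rule's range is widened.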

WIP Learning

After you add the apps you want to protect with WIP, you need to apply a protection
mode by using WIP Learning.

Before you begin

WIP Learning is a report that allows you to monitor your WIP-enabled apps and
WIP-unknown apps. The unknown apps are the ones not deployed by your organization's IT
department. You can export these apps from the report and add them to your WIP
policies to avoid productivity disruption before you enforce WIP in "Block" mode.

In addition to viewing information about WIP-enabled apps, you can view a summary of
the devices that have shared work data with websites. With this information, you can
determine which websites should be added to group and user WIP policies. The
summary shows which website URLs are accessed by WIP-enabled apps.

When working with WIP-enabled apps and WIP-unknown apps, we recommend that
you start with Silent or Allow Overrides while verifying with a small group that you have
the right apps on your protected apps list. After you're done, you can change to your
final enforcement policy, Block.
What are the protection modes?

Block

WIP looks for inappropriate data sharing practices and stops the user from completing
the action. Blocked actions can include sharing info across non-corporate-protected
apps, and sharing corporate data between other people and devices outside of your
organization.

Allow Overrides

WIP looks for inappropriate data sharing, warning users when they do something
deemed potentially unsafe. However, this mode lets the user override the policy and
share the data, logging the action to your audit log.

Silent

WIP runs silently, logging inappropriate data sharing, without blocking anything that
would have prompted for employee interaction while in Allow Overrides mode.
Unallowed actions, like apps inappropriately trying to access a network resource or
WIP-protected data, are still stopped.

Off (not recommended)

WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the
locally attached drives. Note that previous decryption and policy info isn't automatically
reapplied if you turn WIP protection back on.

Add a protection mode

1. From the App policy pane, choose the name of your policy, then choose Required
settings.
2. Select a setting and then choose Save.

Allow Windows Search Indexer to search encrypted items

Allows or disallows the indexing of items. This switch is for the Windows Search Indexer,
which controls whether it indexes items that are encrypted, such as the Windows
Information Protection (WIP) protected files.

This app protection policy option is in the Advanced settings of the Windows
Information Protection policy. The app protection policy must be set to the Windows 10
platform and the app policy Enrollment state must be set to With enrollment.

When the policy is enabled, WIP protected items are indexed and the metadata about
them are stored in an unencrypted location. The metadata includes things like file path
and date modified.

When the policy is disabled, the WIP protected items are not indexed and do not show
up in the results in Cortana or file explorer. There may also be a performance impact on
photos and Groove apps if there are many WIP protected media files on the device.

Add encrypted file extensions

In addition to setting the Allow Windows Search Indexer to search encrypted items
option, you can specify a list of file extensions. Files with these extensions are encrypted
when copying from a Server Message Block (SMB) share within the corporate boundary
as defined in the network location list. When this policy is not specified, the existing
auto-encryption behavior is applied. When this policy is configured, only files with the
extensions in the list will be encrypted.

Deploy your WIP app protection policy

Important

This information applies to WIP without device enrollment.

After you create your WIP app protection policy, you need to deploy it to your
organization using MAM.

1. On the App policy pane, choose your newly created app protection policy, choose
User groups > Add user group.

A list of user groups, made up of all the security groups in your Azure Active
Directory, opens in the Add user group pane.

2. Choose the group you want your policy to apply to, then choose Select to deploy
the policy.

Next steps
To learn more about Windows Information Protection, see Protect your enterprise data
using Windows Information Protection (WIP).
How to manage data transfer between iOS apps in Microsoft Intune
Article • 03/06/2023

To help protect company data, restrict file transfers to only the apps that you manage.
You can manage iOS apps in the following ways:

Protect Org data for work or school accounts by configuring an app protection
policy for the apps, which we call policy managed apps. See Microsoft Intune
protected apps.

Deploy and manage the apps through iOS device management, which requires
devices to enroll in a Mobile Device Management (MDM) solution. The apps you
deploy can be policy managed apps or other iOS managed apps.

The Open-in management feature for enrolled iOS devices can limit file transfers
between iOS managed apps. Set Open-in management restrictions using an app
protection policy that sets Send org data to other apps to the Policy managed apps
with Open-In/Share filtering value and then deploy the policy using Intune. When a
user installs the deployed app, the restrictions you set are applied based on the
assigned policy.

Use Open-in management to protect iOS apps and data
Use App protection policies with the iOS Open-in management feature to protect
company data in the following ways:

Devices not managed by any MDM solution: You can set the app protection
policy settings to control sharing of data with other applications via Open-in or
Share extensions. To do so, configure the Send org data to other apps setting to
Policy managed apps with Open-In/Share filtering value. The Open-in/Share
behavior in the policy managed app presents only other policy managed apps as
options for sharing. For related information, see App protection policies for
iOS/iPadOS and Android apps, Data Transfer, and iOS share extension.

Devices managed by MDM solutions: For devices enrolled in Intune or third-party
MDM solutions, data sharing between apps with app protection policies and other
managed iOS apps deployed through MDM is controlled by Intune APP policies
and the iOS Open-in management feature. To make sure that apps you deploy
using an MDM solution are also associated with your Intune app protection policies,
configure the user UPN setting as described in the following section, Configure
user UPN setting. To specify how you want to allow data transfer to other policy
managed apps and iOS managed apps, configure the Send org data to other apps
setting to Policy managed apps with OS sharing. To specify how you want to allow
an app to receive data from other apps, enable Receive data from other apps and
then choose your preferred level of receiving data. For more information about
receiving and sharing app data, see Data relocation settings.

Configure user UPN setting for Microsoft Intune or third-party EMM
Configuring the user UPN setting is required for devices that are managed by Intune or
a third-party EMM solution to identify the enrolled user account for the sending policy
managed app when transferring data to an iOS managed app. The UPN configuration
works with the app protection policies you deploy from Intune. The following procedure
is a general flow on how to configure the UPN setting and the resulting user experience:

1. In the Microsoft Intune admin center, create and assign an app protection policy
for iOS/iPadOS. Configure policy settings per your company requirements and
select the iOS apps that should have this policy.

2. Deploy the apps and the email profile that you want managed through Intune or
your third-party MDM solution using the following generalized steps. This
experience is also covered by Example 1.

3. Deploy the app with the following app configuration settings to the managed
device:

key = IntuneMAMUPN, value = username@company.com

Example: ['IntuneMAMUPN', 'janellecraig@contoso.com']

Note

In Intune, the App Configuration policy enrollment type must be set to
Managed Devices. Additionally, the app needs to be either installed from the
Intune Company Portal (if set as available) or pushed as required to the
device.

Note

Deploy IntuneMAMUPN app configuration settings to the target managed
app which sends data. Adding the app configuration key to the receiving app
is optional.

Note

Currently, there is no support for enrolling with a different user on an app if
there is an MDM enrolled account on the same device.

4. Deploy the Open-in management policy using Intune or your third-party MDM
provider to enrolled devices.

Example 1: Admin experience in Intune or third-party MDM console
1. Go to the Microsoft Intune admin center or your third-party MDM provider. Go
to the section of the admin center in which you deploy application configuration
settings to enrolled iOS devices.

2. In the Application Configuration section, enter the following setting for each policy
managed app that will transfer data to iOS managed apps:

key = IntuneMAMUPN, value = username@company.com

The exact syntax of the key/value pair may differ based on your third-party MDM
provider. The following table shows examples of third-party MDM providers and
the exact values you should enter for the key/value pair.

| Third-party MDM provider | Configuration Key | Value Type | Configuration Value |
| --- | --- | --- | --- |
| Microsoft Intune | IntuneMAMUPN | String | {{userprincipalname}} |
| Microsoft Intune | IntuneMAMOID | String | {{userid}} |
| VMware AirWatch | IntuneMAMUPN | String | {UserPrincipalName} |
| MobileIron | IntuneMAMUPN | String | ${userUPN} or ${userEmailAddress} |
| Citrix Endpoint Management | IntuneMAMUPN | String | ${user.userprincipalname} |
| ManageEngine Mobile Device Manager | IntuneMAMUPN | String | %upn% |

Note

For Outlook for iOS/iPadOS, if you deploy a managed devices App Configuration
Policy with the option "Using configuration designer" and enable Allow only work
or school accounts, the configuration key IntuneMAMUPN is configured
automatically behind the scenes for the policy. More details can be found in the
FAQ section in New Outlook for iOS and Android App Configuration Policy
Experience – General App Configuration.
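As an added example (not code from the Intune documentation or the Intune service), the following Python builds the request body an admin would send to Microsoft Graph to create the managed-device app configuration from Example 1 for the Intune row of the table, and checks it before it is deployed. It assumes the microsoft.graph.iosMobileAppConfiguration resource shape (settings entries with appConfigurationKey, appConfigurationKeyType and appConfigurationKeyValue) and uses a constructed placeholder app id. The check flags a literal UPN such as the one in step 3 above: that form is only right when the policy is assigned to that single user, because every device the assignment reaches would be bound to the same identity, whereas the {{userprincipalname}} token is expanded per enrolled user.

```python
"""Build and sanity-check an Intune iOS app configuration policy that
delivers the IntuneMAMUPN key to the policy managed app that sends data.

Added example, not from the Intune docs. Assumed: the Graph
microsoft.graph.iosMobileAppConfiguration payload shape; placeholder ids.
"""
import json
import re

# Tokens Intune expands per enrolled user (values from the provider table).
INTUNE_UPN_TOKEN = "{{userprincipalname}}"
INTUNE_OID_TOKEN = "{{userid}}"

# Loose UPN shape used only to recognise a hard-coded account name.
UPN_PATTERN = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_mam_upn_config(display_name, targeted_app_ids, include_oid=False):
    """Return a Graph request body (assumed shape) for a managed-device app
    configuration that sets IntuneMAMUPN, and optionally IntuneMAMOID."""
    settings = [{
        "appConfigurationKey": "IntuneMAMUPN",
        "appConfigurationKeyType": "stringType",
        "appConfigurationKeyValue": INTUNE_UPN_TOKEN,
    }]
    if include_oid:
        settings.append({
            "appConfigurationKey": "IntuneMAMOID",
            "appConfigurationKeyType": "stringType",
            "appConfigurationKeyValue": INTUNE_OID_TOKEN,
        })
    return {
        "@odata.type": "#microsoft.graph.iosMobileAppConfiguration",
        "displayName": display_name,
        "targetedMobileApps": list(targeted_app_ids),
        "settings": settings,
    }


def check_mam_upn_config(body):
    """Return the problems that would stop APP from matching the enrolled
    user when the app shares data; an empty list means the body looks right."""
    problems = []
    upn = [s for s in body.get("settings", [])
           if s.get("appConfigurationKey") == "IntuneMAMUPN"]
    if not upn:
        problems.append("IntuneMAMUPN key missing: APP cannot match the enrolled user")
        return problems
    if len(upn) > 1:
        problems.append("IntuneMAMUPN is defined more than once")
    setting = upn[0]
    if setting.get("appConfigurationKeyType") != "stringType":
        problems.append("IntuneMAMUPN must be delivered as a string value")
    value = setting.get("appConfigurationKeyValue", "")
    if value == INTUNE_UPN_TOKEN:
        pass  # expanded per user by Intune; correct for group assignments
    elif UPN_PATTERN.match(value):
        # A literal UPN binds every targeted device to one identity.
        problems.append(f"literal UPN {value!r}: only correct for a single-user "
                        f"assignment; use {INTUNE_UPN_TOKEN} for groups")
    else:
        problems.append(f"unrecognised IntuneMAMUPN value {value!r}")
    if not body.get("targetedMobileApps"):
        problems.append("no targeted apps: the key must reach the app that sends data")
    return problems


# Constructed placeholder for an Intune mobile app object id (not a real id).
EXAMPLE_APP_IDS = ["00000000-0000-0000-0000-000000000001"]

if __name__ == "__main__":
    body = build_mam_upn_config("iOS - IntuneMAMUPN for policy managed apps",
                                EXAMPLE_APP_IDS, include_oid=True)
    print(json.dumps(body, indent=2))
    print("problems:", check_mam_upn_config(body))
```

The body is what you would POST to the deviceAppManagement/mobileAppConfigurations endpoint with an Intune-scoped token; the script deliberately stops at building and checking it so it runs offline.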

Example 2: End-user experience

Sharing from a policy managed app to other applications with OS sharing

1. A user opens the Microsoft OneDrive app on an enrolled iOS device and signs in
to their work account. The account the user enters must match the account UPN
you specified in the app configuration settings for the Microsoft OneDrive app.

2. After sign-in, the APP settings your administrator configured apply to the user
account in Microsoft OneDrive. This includes configuring the Send Org data to
other apps setting to the Policy managed apps with OS sharing value.

3. The user previews a work file and attempts to share via Open-in to iOS managed
app.

4. The data transfer succeeds and data is now protected by Open-in management in
the iOS managed app. Intune APP does not apply to applications that are not
policy managed apps.

Sharing from an iOS managed app to a policy managed app with incoming Org data

1. A user opens native Mail on an enrolled iOS device with a Managed email profile.

2. The user opens a work document attachment from native Mail to Microsoft Word.

3. When the Word app launches, one of two experiences occurs:

a. The data is protected by Intune APP when:

The user is signed in to their work account that matches the account UPN
you specified in the app configuration settings for the Microsoft Word
app.
The APP settings your administrator configured apply to the user account in
Microsoft Word. This includes configuring the Receive data from other
apps setting to the All apps with incoming Org data value.
The data transfer succeeds and the document is tagged with the work
identity in the app. Intune APP protects the user actions for the document.

b. The data is not protected by Intune APP when:

The user is not signed in to their work account.
The settings your administrator configured are not applied to Microsoft Word
because the user is not signed in.
The data transfer succeeds and the document is not tagged with the work
identity in the app. Intune APP does not protect the user actions for the
document because it is not active.

Note

The user can add and use their personal accounts with Word. App protection
policies don't apply when the user uses Word outside of a work context.

Validate user UPN setting for third-party EMM
After configuring the user UPN setting, validate the iOS app's ability to receive and
comply with Intune app protection policy.

For example, the Require app PIN policy setting is easy to test. When the policy setting
equals Require, the user should see a prompt to set or enter a PIN before they can
access company data.

First, create and assign an app protection policy to the iOS app. For more information
on how to test app protection policy, see Validate app protection policies.

See also
What is Intune app protection policy
Review client app protection logs
Article • 08/17/2023

Learn about the settings you can review in the app protection logs. Access logs by enabling Intune
Diagnostics on a mobile client.

The process to enable and collect logs varies by platform:

iOS/iPadOS devices - Use Microsoft Edge for iOS/iPadOS to collect logs. For details, see Use
Edge for iOS and Android to access managed app logs.

Windows 10/11 devices - Use MDMDiag and event logs. See Diagnose MDM failures in
Windows 10 in the Windows client management content, and the blog Troubleshooting
Windows 10 Intune Policy Failures.

Android devices - Use Microsoft Edge for Android to collect logs. For details, see Use Edge for
iOS and Android to access managed app logs.

Note

On Android Fully Managed devices, in certain instances the Intune Company Portal app
may be visible under all apps. This may happen when an app associated with an app
protection policy is either not installed or not launched.

The following tables list the App protection policy setting name and supported values that are
recorded in the log. In addition, each setting identifies the policy setting found within Microsoft
Intune admin center. For detailed information on each setting, see iOS/iPadOS app protection policy
settings and Android app protection policy settings in Microsoft Intune.

iOS/iPadOS App protection policy settings

| Name | Value details | Setting in Microsoft Intune App Protection Policy |
| --- | --- | --- |
| AccessRecheckOfflineTimeout | x minutes | Section: Conditional launch; Setting: Offline grace period with action Block access (minutes) |
| AccessRecheckOnlineTimeout | x minutes | Section: Access requirements; Setting: Recheck the Access requirements after (minutes of inactivity) |
| AllowedIOSModelsElseBlock | x characters | Section: Conditional launch; Setting: Device model(s) with action Allow specified (Block non-specific) |
| AllowedIOSModelsElseWipe | x characters | Section: Conditional launch; Setting: Device model(s) with action Allow specified (Wipe non-specific) |
| AppActionIfUnableToAuthenticateUser | 0 = Block access; 1 = Wipe data required | Section: Conditional launch; Setting: Disabled account |
| AppPinDisabled | 0 = Require; 1 = Not required | Section: Access requirements; Setting: App PIN when device PIN is set |
| AppSharingFromLevel | 0 = None; 1 = Policy Managed apps; 2 = All apps | Section: Data protection; Setting: Receive data from other apps |
| AppSharingToLevel | 0 = None; 1 = Policy managed apps; 2 = All apps | Section: Data protection; Setting: Send org data to other apps |
| AuthenticationEnabled | 0 = Not required; 1 = Require | Section: Access requirements; Setting: Work or school account credentials for access |
| ClipboardCharacterExceptionLength | x characters | Section: Data protection; Setting: Cut and copy character limit for any app |
| ClipboardEncryptionEnabled | 0 = Disabled; 1 = Enabled | No administrative control for this setting. |
| ClipboardSharingLevel | 0 = Blocked; 1 = Policy managed apps; 2 = Policy managed apps with paste in; 3 = Any app | Section: Data protection; Setting: Restrict cut, copy, and paste between other apps |
| ContactSyncDisabled | 0 = Allow; 1 = Block | Section: Data protection; Setting: Sync app with native contacts app |
| DataBackupDisabled | 0 = Allow; 1 = Block | Section: Data protection; Setting: Prevent backups |
| DeviceComplianceEnabled | 0 = False; 1 = True | Section: Conditional launch; Setting: Jailbroken/rooted devices |
| DeviceComplianceFailureAction | 0 = Block access; 1 = Wipe data | Section: Conditional launch; Setting: Jailbroken/rooted devices |
| DialerRestrictionLevel | 0 = None, do not transfer this data between apps; 1 = A specific dialer app; 3 = Any dialer app | Section: Data protection; Setting: Transfer telecommunication data to |
| DictationBlocked | 0 = Allow; 1 = Block | No administrative control for this setting. |
| DisableShareSense | N/A | N/A: Not actively used by the Intune service. |
| EnableOpenInFilter | 0 = Disabled; 1 = Enabled | Section: Data protection; Setting: Send Org data to other apps > Policy managed apps with Open-In/Share filtering |
| FaceIDEnabled | 0 = Block; 1 = Allow | Section: Access requirements; Setting: Face ID instead of PIN for access (iOS 11+/iPadOS) |
| FileEncryptionLevel | 0 = When device is locked; 1 = When device is locked and there are open files; 2 = After device restart; 3 = Use device settings | Section: Data protection; Setting: Encrypt org data |
| FileSharingSaveAsDisabled | 0 = Allow; 1 = Block | Section: Data protection; Setting: Save copies of org data |
| IntuneIdentityUPN | UPN of the Intune MAM user | N/A |
| ManagedBrowserRequired | 0 = False; 1 = True | Section: Data protection; Setting: Restrict web content transfer with other apps |
| ManagedLocations | A value that represents the number of managed storage locations to which the app can save data. 1 = OneDrive; 2 = SharePoint; 3 = OneDrive & SharePoint; 4 = Box; 5 = OneDrive & Box; 6 = SharePoint & Box; 7 = OneDrive, SharePoint & Box; 32 = Local Storage; 33 = Local Storage & OneDrive; 34 = Local Storage & SharePoint; 35 = Local Storage, OneDrive & SharePoint; 36 = Local Storage & Box; 37 = Local Storage, OneDrive & Box; 38 = Local Storage, SharePoint & Box; 39 = Local Storage, OneDrive, SharePoint & Box; 128 = Photo Library; 129 = Photo Library & OneDrive; 130 = Photo Library & SharePoint; 131 = Photo Library, OneDrive & SharePoint; 132 = Photo Library & Box; 133 = Photo Library, OneDrive & Box; 134 = Photo Library, SharePoint & Box; 135 = Photo Library, OneDrive, SharePoint & Box; 160 = Photo Library, Local Storage; 161 = Photo Library, Local Storage & OneDrive; 162 = Photo Library, Local Storage & SharePoint; 163 = Photo Library, Local Storage, OneDrive & SharePoint; 164 = Photo Library, Local Storage & Box; 165 = Photo Library, Local Storage, OneDrive & Box; 166 = Photo Library, Local Storage, SharePoint & Box; 167 = Photo Library, Local Storage, OneDrive, SharePoint & Box | Section: Data protection; Setting: Allow user to save copies to selected services |
| ManagedUniversalLinks | A list of universal links that allow data to be open in the corresponding managed apps | Section: Data protection; Setting: Select managed universal links |
| MaxPinRetryExceededAction | 0 = Reset PIN; 1 = Wipe data | Section: Conditional launch; Setting: Max PIN attempts |
| MaxOsVersion | "0.0" = no maximum OS version; anything else = maximum OS version | Section: Conditional launch; Setting: Max OS version with action Block access |
| MaxOsVersionWarning | "0.0" = no maximum OS version; anything else = maximum OS version | Section: Conditional launch; Setting: Max OS version with action Warn |
| MaxOsVersionWipe | "0.0" = no maximum OS version; anything else = maximum OS version | Section: Conditional launch; Setting: Max OS version with action Wipe data |
| MinAppVersion | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch; Setting: Min app version with action Block access |
| MinAppVersionWarning | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch; Setting: Min app version with action Warn |
| MinAppVersionWipe | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min app version with action Wipe data |
| MinOsVersion | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min OS version with action Block access |
| MinOsVersionWarning | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min OS version with action Warn |
| MinOsVersionWipe | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min OS version with action Wipe data |
| MinSDKVersion | "0.0" = no minimum SDK version; anything else = minimum OS version | Section: Conditional launch; Setting: Min SDK version with action Block access |
| MinSDKVersionWipe | "0.0" = no minimum SDK version; anything else = minimum OS version | Section: Conditional launch; Setting: Min SDK version with action Block access |
| MinimumRequiredDeviceThreatProtectionLevel | 0 = Not configured; 1 = Secured; 2 = Low; 3 = Medium; 4 = High | Section: Conditional launch; Setting: Max allowed device threat level |
| MobileThreatDefenseRemediationAction | 0 = Block access; 1 = Wipe data | Section: Access requirements; Setting: Max allowed device threat level (action) |
| NonBioPassTimeOutRequired | 0 = Not required; 1 = Require | Section: Access requirements; Setting: Override Touch ID with PIN after timeout |
| NonBioPassTimeOut | x minutes | Section: Access requirements; Setting: Override Touch ID with PIN after timeout > Timeout (minutes of inactivity) |
| NotificationRestriction | 0 = Allow; 1 = Block Org Data; 2 = Block | Section: Data protection; Setting: Org data notifications |
| OpenDataFromManagedLocations | A value that represents the number of managed storage locations to which the app can save data. 1 = OneDrive; 2 = SharePoint; 3 = OneDrive & SharePoint; 4 = Camera; 5 = OneDrive & Camera; 6 = SharePoint & Camera; 7 = OneDrive, SharePoint & Camera; 8 = Local Storage; 9 = Local Storage & OneDrive; 10 = Local Storage & SharePoint; 11 = Local Storage, OneDrive & SharePoint; 12 = Local Storage & Camera; 13 = Local Storage, OneDrive & Camera; 14 = Local Storage, SharePoint & Camera; 15 = Local Storage, OneDrive, SharePoint & Camera; 16 = Photo Library; 17 = Photo Library & OneDrive; 18 = Photo Library & SharePoint; 19 = Photo Library, OneDrive & SharePoint; 20 = Photo Library & Camera; 21 = Photo Library, OneDrive & Camera; 22 = Photo Library, SharePoint & Camera; 23 = Photo Library, OneDrive, SharePoint & Camera; 24 = Photo Library & Local Storage; 25 = Photo Library, Local Storage & OneDrive; 26 = Photo Library, Local Storage & SharePoint; 27 = Photo Library, Local Storage, OneDrive & SharePoint; 28 = Photo Library, Local Storage & Camera; 29 = Photo Library, Local Storage, OneDrive & Camera; 30 = Photo Library, Local Storage, SharePoint & Camera; 31 = Photo Library, Local Storage, OneDrive, SharePoint & Camera | Section: Data protection; Setting: Allow users to open data from selected services |
| OpenDataIntoOrgDocumentsBlocked | 0 = Allow; 1 = Block | Section: Data protection; Setting: Open data into Org documents |
| OfflineWipeInterval | x days | Note: No administrative control for this setting. |
| PINCharacterType | 0 = Passcode; 1 = Numeric | Section: Access requirements; Setting: Pin type |
| PINEnabled | 0 = Not required; 1 = Require | Section: Access requirements; Setting: PIN for access |
| PINExpiryDays | x characters | Section: Access requirements; Setting: PIN reset after number of days > Number of days |
| PINMinLength | x characters | Section: Access requirements; Setting: Select minimum PIN length |
| PINNumRetry | x attempts | Section: Conditional launch; Setting: Max PIN attempts |
| PrintingBlocked | 0 = Allow; 1 = Block | Section: Data protection; Setting: Printing org data |
| ProtectAllIncomingUnknownSourceData | N/A | Note: Not actively used by the Intune service. |
| ProtectManagedOpenInData | 0 = False; 1 = True | Section: Data protection; Setting: Send org data to other apps is set to Policy Managed apps with Open-In/Share filtering when true. Note that this can also be set to 1 when Policy Managed Apps with OS sharing is enabled. |
| ProtocolExclusions | A list of app URL protocol schemes that allow data to be open in the corresponding unmanaged apps | Section: Data protection; Setting: Select apps to exempt |
| RequireFileEncryption | N/A | Note: Not actively used by the Intune service. |
| SimplePINAllowed | 0 = Block; 1 = Allow | Section: Access requirements; Setting: Simple PIN |
| SpecificDialerProtocol | URL protocol scheme for the specific dialer that is used for phone calls from managed apps | Section: Data protection; Setting: Dialer App URL Scheme |
| ThirdPartyKeyboardsBlocked | 0 = Allow; 1 = Block | Section: Data protection; Setting: Third party keyboards |
| TouchIDEnabled | 0 = Block; 1 = Allow | Section: Access requirements; Setting: Touch ID instead of PIN for access (iOS 8+/iPadOS) |
| UniversalLinkExclusions | A list of universal links that allow data to be open in the corresponding unmanaged apps | Section: Data protection; Setting: Select universal links to exempt |
| UnmanagedBrowserProtocol | URL protocol scheme for the unmanaged browser that is used to view managed web links | Section: Data protection; Setting: Restrict web content transfer with other apps |

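As an added example (not code from the Intune documentation), the following Python turns the raw values recorded in a client app protection log back into the labels shown in the admin center, for both the iOS/iPadOS table above and the Android table that follows, and flags the settings whose logged value weakens data protection. It goes beyond the tables in one respect: the long ManagedLocations and OpenDataFromManagedLocations lists are decoded as bit flags, since every listed number is the sum of its component locations (for example 167 = 128 + 32 + 4 + 2 + 1). The "Name: Value" line format and both sample logs are constructed for the example; the article does not show the raw log layout, so adapt parse_log to what Edge for iOS and Android actually exports.

```python
"""Decode app protection (APP) values as recorded in Intune client logs and
flag values weaker than a baseline.  Added example, not Intune's own code.
Value meanings come from the article's iOS and Android tables; the
'Name: Value' log format and the sample logs are constructed assumptions."""

# iOS logs record enumerations as integers (subset of the iOS table).
IOS_ENUMS = {
    "AppSharingToLevel": {0: "None", 1: "Policy managed apps", 2: "All apps"},
    "AppSharingFromLevel": {0: "None", 1: "Policy managed apps", 2: "All apps"},
    "ClipboardSharingLevel": {0: "Blocked", 1: "Policy managed apps",
                              2: "Policy managed apps with paste in", 3: "Any app"},
    "PINEnabled": {0: "Not required", 1: "Require"},
    "SimplePINAllowed": {0: "Block", 1: "Allow"},
    "PrintingBlocked": {0: "Allow", 1: "Block"},
}
# Android logs record the same settings as symbolic names or booleans.
ANDROID_ENUMS = {
    "AppSharingToLevel": {"BLOCKED": "None", "MANAGED": "Policy managed apps",
                          "UNRESTRICTED": "All apps"},
    "ClipboardSharingLevel": {"BLOCKED": "Blocked", "MANAGED": "Policy managed apps",
                              "MANAGED_PASTE_IN": "Policy managed apps with paste in",
                              "UNMANAGED": "Any app"},
    "PINEnabled": {"false": "Not required", "true": "Require"},
    "PrintingBlocked": {"false": "Allow", "true": "Block"},
}
# iOS location settings are bit flags; each table entry is a sum of these.
MANAGED_LOCATION_BITS = {1: "OneDrive", 2: "SharePoint", 4: "Box",
                         32: "Local Storage", 128: "Photo Library"}
OPEN_DATA_BITS = {1: "OneDrive", 2: "SharePoint", 4: "Camera",
                  8: "Local Storage", 16: "Photo Library"}
IOS_BITMASKS = {"ManagedLocations": MANAGED_LOCATION_BITS,
                "OpenDataFromManagedLocations": OPEN_DATA_BITS}
# Decoded labels that weaken protection; keyed by label so one rule serves
# both platforms.
WEAK_VALUES = {
    "AppSharingToLevel": {"All apps"},
    "ClipboardSharingLevel": {"Any app"},
    "PINEnabled": {"Not required"},
    "SimplePINAllowed": {"Allow"},
    "PrintingBlocked": {"Allow"},
}


def decode_bitmask(value, bits):
    """Return the location names whose bit is set in value, lowest bit first."""
    return [name for bit, name in sorted(bits.items()) if value & bit]


def parse_log(text):
    """Parse constructed 'Name: Value' lines into a dict; other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        name, sep, raw = line.partition(":")
        if sep and name.strip() and " " not in name.strip():
            settings[name.strip()] = raw.strip()
    return settings


def decode(name, raw, platform):
    """Translate one logged value into the label shown in the admin center."""
    if platform == "ios":
        if name in IOS_BITMASKS:
            return ", ".join(decode_bitmask(int(raw), IOS_BITMASKS[name])) or "None"
        if name in IOS_ENUMS:
            return IOS_ENUMS[name].get(int(raw), f"unknown({raw})")
    elif platform == "android" and name in ANDROID_ENUMS:
        return ANDROID_ENUMS[name].get(raw, f"unknown({raw})")
    return raw  # free-form values (minutes, versions, UPN) pass through


def find_weak_settings(log_text, platform):
    """Return [(name, decoded label)] for every setting at a weak value."""
    findings = []
    for name, raw in parse_log(log_text).items():
        label = decode(name, raw, platform)
        if label in WEAK_VALUES.get(name, ()):
            findings.append((name, label))
    return findings


# Constructed sample logs, not captured from a device.
SAMPLE_IOS_LOG = """\
AppSharingToLevel: 2
ClipboardSharingLevel: 1
PINEnabled: 1
SimplePINAllowed: 1
ManagedLocations: 35
"""
SAMPLE_ANDROID_LOG = """\
AppSharingToLevel: MANAGED
ClipboardSharingLevel: UNMANAGED
PINEnabled: false
PrintingBlocked: true
"""

if __name__ == "__main__":
    for platform, log in (("ios", SAMPLE_IOS_LOG), ("android", SAMPLE_ANDROID_LOG)):
        for name, raw in parse_log(log).items():
            print(platform, name, "=", decode(name, raw, platform))
        print(platform, "weak:", find_weak_settings(log, platform))
```

Extend IOS_ENUMS and ANDROID_ENUMS from the tables as needed; WEAK_VALUES is a starting baseline, not a statement of what the service enforces.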
Android App protection policy settings

| Name | Value details | Setting in Microsoft Intune App Protection Policy |
| --- | --- | --- |
| AccessRecheckOfflineTimeout | x minutes | Section: Conditional launch; Setting: Offline grace period with action Block access (minutes) |
| AccessRecheckOnlineTimeout | x minutes | Section: Access requirements; Setting: Recheck the Access requirements after (minutes of inactivity) |
| AllowedAndroidManufacturersElseBlock | Empty if not set, otherwise list of allowed manufacturers | Section: Conditional launch; Setting: Device manufacturers with action Allow specified (Block non-specified) |
| AllowedAndroidManufacturersElseWipe | Empty if not set, otherwise list of allowed manufacturers | Section: Conditional launch; Setting: Device manufacturers with action Allow specified (Wipe non-specified) |
| AllowedAndroidModelsElseBlock | Empty if not set, otherwise list of allowed models | No administrative control for this setting. |
| AllowedAndroidModelsElseWipe | Empty if not set, otherwise list of allowed models | No administrative control for this setting. |
| AndroidSafetyNetDeviceAttestationEnforcement | NOT_REQUIRED = not set; BASIC_INTEGRITY = Basic Integrity; BASIC_INTEGRITY_AND_DEVICE_CERTIFICATION = Basic Integrity and certified devices | Section: Conditional launch; Setting: SafetyNet device attestation |
| AndroidSafetyNetDeviceAttestationFailedAction | BLOCK = Block access; WARN = Warn; WIPE_DATA = Wipe Data | Section: Conditional launch; Setting: SafetyNet device attestation |
| AndroidSafetyNetVerifyAppsEnforcementType | NOT_REQUIRED = not set; REQUIRE_ENABLED = configured | Section: Conditional launch; Setting: Require threat scan on apps |
| AndroidSafetyNetVerifyAppsFailedAction | BLOCK = Block access; WARN = Warn | Section: Conditional launch; Setting: Require threat scan on apps |
| AppActionIfUnableToAuthenticateUser | NONE = not set; BLOCK = Block access; WIPE_DATA = Wipe apps | Section: Conditional launch; Setting: Disabled account |
| AppPinDisabled | true = Require; false = Not required | Section: Access requirements; Setting: App PIN when device PIN is set |
| ApprovedKeyboards | List of approved keyboard bundle IDs required | Section: Data protection; Setting: Select keyboards to approve |
| AppSharingFromLevel | BLOCKED = None; MANAGED = Policy Managed apps; UNRESTRICTED = All apps | Section: Data protection; Setting: Receive data from other apps |
| AppSharingToLevel | BLOCKED = None; MANAGED = Policy Managed apps; UNRESTRICTED = All apps | Section: Data protection; Setting: Send org data to other apps |
| AuthenticationEnabled | false = Not required; true = Require | Section: Access requirements; Setting: Work or school account credentials for access |
| BiometricIdEnabled | 0 = Block; 1 = Allow | Section: Access requirements; Setting: Biometrics instead of PIN for access |
| BlockAfterCompanyPortalUpdateDeferralInDays | x days | Section: Conditional launch; Setting: Max Company Portal version age (days) |
| BlockClockSttausWithGracePeriod | N/A | Note: Not actively used by the Intune service. |
| BlockScreenCapture | false = Allow; true = Block | Section: Data protection; Setting: Screen capture and Google Assistant |
| ClipboardCharacterExceptionLength | x characters | Section: Data protection; Setting: Cut and copy character limit for any app |
| ClipboardSharingLevel | BLOCKED = Blocked; MANAGED = Policy managed apps; MANAGED_PASTE_IN = Policy managed apps with paste in; UNMANAGED = Any app | Section: Data protection; Setting: Restrict cut, copy, and paste between other apps |
| ConditionalEncryptionEnabled | false = Require; true = Not required | Section: Data protection; Setting: Encrypt org data on enrolled devices |
| ConnectToVPNOnLaunch | N/A | Note: Not actively used by the Intune service. |
| ContactSyncDisabled | false = Allow; true = Block | Section: Data protection; Setting: Sync app with native contacts app |
| DataBackupDisabled | false = Allow; true = Block | Section: Data protection; Setting: Prevent backups |
| DeviceComplianceEnabled | false = False; true = True | Section: Conditional launch; Setting: Jailbroken/rooted devices |
| DeviceComplianceFailureAction | BLOCK = Block access; WIPE_DATA = Wipe data | Section: Conditional launch; Setting: Jailbroken/rooted devices |
| DialerRestrictionLevel | 0 = None, do not transfer this data between apps; 1 = A specific dialer app; 2 = Any policy-managed dialer app; 3 = Any dialer app | Section: Data protection; Setting: Transfer telecommunication data to |
| DictationBlocked | false = Allow; true = Block | No administrative control for this setting. |
| FileEncryptionKeyLength | 128; 256 | No administrative control for this setting. |
| FileSharingSaveAsDisabled | false = Allow; true = Block | Section: Data protection; Setting: Save copies of org data |
| IntuneMAMPolicyVersion | version number | N/A |
| isManaged | true; false | N/A |
| KeyboardsRestricted | true = Required; false = Not required | Section: Data protection; Setting: Approved keyboards |
| ManagedBrowserRequired | true = Microsoft Edge or Unmanaged browser; false = Any app | Section: Data protection; Setting: Restrict web content transfer with other apps. |
| ManagedLocations | A value that represents the number of managed storage locations to which the app can save data, separated by a semi-colon. ONEDRIVE_FOR_BUSINESS; SHAREPOINT; LOCAL | Section: Data protection; Setting: Allow user to save copies to selected services |
| MaxPinRetryExceededAction | RESET_PIN = Reset PIN; WIPE_DATA = Wipe data | Section: Conditional launch; Setting: Max PIN attempts |
| MaxOsVersion | "0.0" = no maximum OS version; anything else = maximum OS version | Section: Conditional launch; Setting: Max OS version with action Block access |
| MaxOsVersionWarning | "0.0" = no maximum OS version; anything else = maximum OS version | Section: Conditional launch; Setting: Max OS version with action Warn |
| MaxOsVersionWipe | "0.0" = no maximum OS version; anything else = maximum OS version | Section: Conditional launch; Setting: Max OS version with action Wipe data |
| MinAppVersion | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch; Setting: Min app version with action Block access |
| MinAppVersionWarning | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch; Setting: Min app version with action Warn |
| MinAppVersionWipe | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min app version with action Wipe data |
| MinOsVersion | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min OS version with action Block access |
| MinOsVersionWarning | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min OS version with action Warn |
| MinOsVersionWipe | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch; Setting: Min OS version with action Wipe data |
| MinPatchVersion | "0000-00-00" = no minimum Patch version; anything else = minimum Patch version | Section: Conditional launch; Setting: Min Patch version with action Block access |
| MinPatchVersionWarning | "0000-00-00" = no minimum Patch version; anything else = minimum Patch version | Section: Conditional launch; Setting: Min Patch version with action Warn |
| MinPatchVersionWipe | "0000-00-00" = no minimum Patch version; anything else = minimum Patch version | Section: Conditional launch; Setting: Min Patch version with action Wipe data |
| MinimumRequiredCompanyPortalVersion | "0.0" = no minimum Company Portal version; anything else = minimum Company Portal version | Section: Conditional launch; Setting: Min Company Portal version with action Block access |
| MinimumRequiredDeviceThreatProtectionLevel | NOT_SET = not defined in the policy; SECURED = Secured; LOW = Low; MEDIUM = Medium; HIGH = High | Section: Conditional launch; Setting: Max allowed device threat level |
| MinimumWarningCompanyPortalVersion | "0.0" = no minimum Company Portal version; anything else = minimum Company Portal version | Section: Conditional launch; Setting: Min Company Portal version with action Warn |
| MinimumWipeCompanyPortalVersion | "0.0" = no minimum Company Portal version; anything else = minimum Company Portal version | Section: Conditional launch; Setting: Min Company Portal version with action Wipe data |
| MobileThreatDefenseRemediationAction | BLOCK = Block Access; WIPE_DATA = Wipe data | Section: Conditional launch; Setting: Max allowed device threat level |
| NonBioPassRequiredOnLaunch | N/A | Note: Not actively used by the Intune service. |
| NonBioPassTimeOut | x minutes | Section: Access requirements; Setting: Override fingerprint with PIN after timeout > Timeout (minutes of inactivity) |
| NonBioPassTimeOutRequired | false = Not required; true = Require | Section: Access requirements; Setting: Override fingerprint with PIN after timeout |
| NotificationRestriction | UNRESTRICTED = Allow; BLOCK_ORG_DATA = Block Org Data; BLOCK = Block | Section: Data protection; Setting: Org data notifications |
| OpenDataFromManagedLocations | A value that represents the number of managed storage locations to which the app can save data, separated by a semi-colon. ONEDRIVE_FOR_BUSINESS; SHAREPOINT; CAMERA | Section: Data protection; Setting: Allow users to open data from selected services |
| OpenDataIntoOrgDocumentsBlocked | false = Allow; true = Block | Section: Data protection; Setting: Open data into Org documents |
| PINCharacterType | PASSCODE = Passcode; NUMERIC = Numeric | Section: Access requirements; Setting: Pin type |
| PINEnabled | false = Not required; true = Require | Section: Access requirements; Setting: PIN for access |
| PINExpiryDays | x characters | Section: Access requirements; Setting: PIN reset after number of days > Number of days |
| PINMinLength | x characters | Section: Access requirements; Setting: Select minimum PIN length |
| PINNumRetry | x attempts | Section: Conditional launch; Setting: Max PIN attempts |
| PackageExclusions | Empty if no bundle IDs are configured, otherwise bundle IDs separated by a semi-colon | Section: Data protection; Setting: Select apps to exempt |
| PinHistoryLength | x PIN values to maintain | Section: Access requirements; Setting: Select number of previous PIN values to maintain |
| PolicyCount | number | N/A |
| PrintingBlocked | false = Allow; true = Block | Section: Data protection; Setting: Printing org data |
| RequireDeviceLock | true = Required; false = Not required | Section: Conditional launch; Setting: Require device lock |
| RequireDeviceLockEnforcementType | BLOCK = Block access; WIPE_DATA = Wipe required | Section: Conditional launch; Setting: Require device lock |
| RequireFileEncryption | false = Not required | Section: Data |


true = Require protection
Setting: Encrypt
org data

SimplePINAllowed false = Block Section: Access


true = Allow requirements
Setting: Simple
PIN

SpecificDialerDisplayName Dialer app name Section: Data


protection
Setting: Dialer app
name

SpecificDialerPackageID Dialer app bundle ID Section: Data


protection
Setting: Dialer App
Package ID

TouchIDEnabled false = Block Section: Access


true = Allow requirements
Setting:
Fingerprint instead
of PIN for access
(Android 9.0+)

UnmanagedBrowserDisplayName Unmanaged web browser display name Section: Data


protection
Setting:
Name Value details Setting in
Microsoft Intune
App Protection
Policy

Unmanaged
Browser name

UnmanagedBrowserPackageID Unmanaged web browser package ID Section: Data


protection
Setting:
Unmanaged
Browser ID

UserStatusPollInterval N/A Note: Not actively


used by the Intune
service.

UserStatusTimeoutInSeconds N/A Note: Not actively


used by the Intune
service.

Next steps
To learn more about app protection policies, see What are app protection policies?
Intune offers a number of tools to help you troubleshoot issues in your environment. For more
information, see Use the troubleshooting portal to help users.
Policies for Office apps
Article • 05/24/2023

Intune provides policies specifically for Microsoft Office apps. You can select specific
options to create mobile app management policies for Office mobile apps that connect
to Microsoft 365 services. There are many policies for Office apps that you can add to
Microsoft Intune and apply to groups of end users.

Examples of just a few of the Office app policies include the following:

Microsoft Word: Turn off Protected View for attachments opened from Outlook
Microsoft Visio: Block macros from running in Office files from the Internet
Microsoft Project: Allow Trusted Locations on the network
Microsoft Publisher: Publisher Automation Security Level
Microsoft PowerPoint: Turn off Protected View for attachments opened from Outlook

Note

When you select to configure each specific app policy, additional policy details are
provided. You can filter the Office policy list to quickly select the recommended
Security Baseline policies.

You can also protect access to Exchange on-premises mailboxes by creating Intune app
protection policies for Outlook for iOS/iPadOS and Android enabled with hybrid Modern
Authentication. Before using this feature, you must meet the requirements for using the
Office cloud policy service. App protection policies are not supported for other apps
that connect to on-premises Exchange or SharePoint services. For related information,
see Overview of the Office cloud policy service for Microsoft 365 Apps for enterprise.

Prerequisites
You must meet the requirements to use policies for Office apps. For more information,
see Requirements for using the Office cloud policy service.

To add an Office app policy


After you set up Intune for your organization, you can create an Office app policy.

1. Sign in to the Microsoft Intune admin center .


2. Select Apps > Policies for Office apps > Create.

3. Add the following values:

Name: Type a name (required) for your new policy.


Description: (Optional) Type a description.
Select type: Select how this policy configuration will be applied.
Select group: Select the group for this policy configuration.
Configure policies: Select the Office policy that you want to apply. You can
sort the provided list based on policy, platform, application,
recommendation, and status.

4. Select Create. The policy is created and appears in the table on the Policy
configurations pane.

Tip

The Policy configurations pane provides the Health status for each policy.

Quiet time notification policies


The global quiet time settings allow you to create policies to schedule quiet time for
your end users. These settings automatically mute Microsoft Outlook email and Teams
notifications on iOS/iPadOS and Android platforms. These policies can be used to limit
end user work-related notifications received after work hours. You can find these
settings in Microsoft Endpoint Manager admin center by selecting Apps > Quiet Time
> Policies.

Additional information
Overview of the Office cloud policy service for Microsoft 365 Apps for enterprise
Use policy settings to manage privacy controls for Microsoft 365 Apps for
enterprise
Use preferences to manage privacy controls for Office for Mac
Use preferences to manage privacy controls for Office on iOS devices
Use policy settings to manage privacy controls for Office on Android devices

Next steps
Monitor app information and assignments with Microsoft Intune
Quiet time policies for iOS/iPadOS and
Android apps
Article • 05/24/2023

The global quiet time settings allow you to create policies to schedule quiet time for
your end users. These settings automatically mute Microsoft Outlook email and Teams
notifications on iOS/iPadOS and Android platforms. These policies can be used to limit
end user notifications received after work hours.

Quiet time policy types


There are two quiet time policy types available. The following table describes each
policy type.

Policy type: Description

Date Range: Select this option to automatically mute Microsoft Outlook email and Teams notifications on iOS/iPadOS and Android platforms during the specified range.

Days of the week: Select this option to automatically mute Microsoft Outlook email and Teams notifications on iOS/iPadOS and Android platforms during certain hours or all day on selected days of the week.

Create an iOS/iPadOS and Android quiet time policy
To create a quiet time policy, use the following steps:

1. Sign in to Microsoft Endpoint Manager admin center .


2. Select Apps > Quiet Time > Policies.
3. Select Create policy.
4. Select Policy Type. You can choose the Date Range or the Days of the week policy
types. For more information, see, Quiet time policy types.
5. Select Create to display the Basics page.
6. On the Basics page, add a Name and optional Description for the quiet time
policy. The Platform value is prepopulated with “Android; iOS/iPadOS.”

Select Next to display the Configuration settings page.


7. On the Configuration settings page, select how you want to apply quiet time
settings. Each type of Quiet Time policy has different configuration values. For
more information, see Quiet time policy configuration settings.

Select Next to display the Scope tags page.


8. The Scope tags page allows you to optionally add scope tags for the app. For
more information, see Use role-based access control (RBAC) and scope tags for
distributed IT.

Select Next to display the Assignments page.


9. The Assignments page allows you to assign the quiet time policy to groups of
users. You must assign the policy to a group of users for it to take effect.

Select Next to display the Review + create page.


10. The Review + create page allows you to review the values and settings you
entered for this quiet time policy.
11. When you're ready, click Create to create the quiet time policy in Intune.

Change existing quiet time policies


You can edit an existing quiet time policy and apply it to the targeted users. However,
when you change existing policies, users won't see the changes for a 24-hour period.

To change the list of user groups, use the following steps:

1. In the Quiet Time > Policies pane, select the policy you want to change.
2. Next to the section titled Assignments, select Edit.
3. To add a new user group to the policy, under the Included groups section, choose
Add groups. Then, find and select the user group. Choose Select to add the group.
4. To exclude a user group, under the Excluded groups section, choose Add groups.
Then, find and select the user group. Choose Select to exclude the user group.
5. To delete groups that were previously added, in either the Included groups or
Excluded groups section, select Remove.
6. Select Review + save to review the user groups selected for this policy.
7. After your changes to the assignments are ready, select Save to save the
configuration and deploy the policy to the new set of users. If you select Cancel
before you save your configuration, you'll discard all changes you have made to
the Included groups and Excluded groups sections.

To change policy configuration settings, use the following steps:

1. In the Quiet Time > Policies pane, select the policy you want to change.
2. Next to the section titled Configuration settings, select Edit. Then change the
settings to new values.
3. Select Review + save to review the updated settings for this policy.
4. Select Save to save your changes. If you select Cancel before you save your
configuration, you'll discard all changes you have made to the Configuration
settings pane.

Quiet time policy configuration settings

Date Range policy


The Date Range policy has a Range Settings configuration section.

Range Settings section:

Policy setting Description

Start Specify Start date and time to mute notifications.

End Specify End date and time to mute notifications.

Days of week policy


The Days of week policy has the Allday, Certain Hours, and End User Overrides
configuration settings sections.

Allday section:

Mute notifications all day: Set to Require to enable muting notifications for a full 24 hours on specific days of the week.

Days of the week: Set to Configured and then select one or more days of the week on which notifications must be muted for a full 24 hours.

Certain Hours section:

Mute notifications daily: Set to Require to enable muting notifications for certain hours on specific days of the week.

Start time: Set the start time for muting notifications for certain hours on specific days of the week.

End time: Set the end time for muting notifications for certain hours on specific days of the week.

Days of the week: Set to Configured and then select one or more days of the week on which notifications must be muted for certain hours.

End User Overrides section:

Allow user to change settings: Select Yes to allow end users to make changes to this setting by editing their global quiet time settings. Select No to prevent end users from changing this setting by editing their global quiet time settings.

Use the troubleshooting dashboard to
help users at your company
Article • 07/21/2023

The troubleshooting pane lets help desk operators and Intune administrators view user
information to address user help requests. Organizations that include a help desk can
assign the Help desk operator role to a group of Intune users. Users with the Help desk
operator role can use the Troubleshooting + support pane to help end users.

The Troubleshooting + support pane provides three options:

Guided scenarios to provide a customized series of steps centered around one
end-to-end use-case.
Troubleshooting to help determine any issues with Assignments, App protection
status, and Enrollment failures.
Help and support to provide global technical, pre-sales, billing, and subscription
support for device management cloud-based services related to Intune.

Details about the issue and suggested remediation steps can help administrators and
help desk operators troubleshoot problems. Certain enrollment issues aren't captured
and some errors might not have remediation suggestions.

Note

For steps on adding a help desk operator role, see Role-based administration
control (RBAC) with Intune

When a user contacts support with a technical issue with Intune, the help desk operator
enters and finds the user's name. Additionally, the help desk operator can filter by
device if the user has multiple managed devices.

The Troubleshooting pane provides the following tabs to quickly narrow the
troubleshooting focus:

Summary - Provides specific counts of issues related to policy, compliance, app
protection, applications, devices, roles, and scopes.
Devices - Provides details for devices, such as OS, OS Version, Intune compliance,
and last check-in.
Groups - Provides details for groups, such as membership type.
Policy - Provides policy details, such as assignment, type, platform, and last
modified.
Applications - Provides app install status, assigned, platform, type, and last
modified.
App protection policy - Provides the name, platform, and enrollment details for
app protection policies.
Updates - Provides the name, platform, and update type.
Enrollment restrictions - Provides the policy type, name, platform, and device limit.
Diagnostics - Provides the device name or application, platform, created date, and
diagnostic log.
ServiceNow incidents - Provides a list of associated incidents for the selected user.
For more information, go to ServiceNow integration with Intune.

View user troubleshooting details


The Troubleshooting pane provides specific details for each Intune end user. This
information can help you understand the current state of users and their devices.

1. Sign in to Microsoft Intune admin center .


2. Select Troubleshooting + support > Troubleshoot.
3. Find and select a User by entering a display name or email.
4. If the user has multiple devices, filter by Device.
5. Review the provided information to help troubleshoot end-user issues.

Areas of the troubleshooting dashboard


You can use the Troubleshooting + support pane to review a variety of managed user
and device information.
Summary
The Summary tab provides overall details for the user who is managed by Intune.

Column Description

Policy The status of the policies available for the user or device.

Compliance The compliance status for the user or device.

App protection App protection details.

Applications The state of the applications for the user or device.

Devices The status of the device(s) related to the user.

Role and scope The role and scope for the user.

Devices
The Devices tab provides details for devices, such as OS, OS Version, Intune compliance,
and last check-in.

Name: The name of the device.

Managed by: Identifies how the device is managed. For more information, see Available details by management type.

Ownership: The type of device ownership (Company, Personal, or Unknown).

Intune compliant: Identifies whether the device is compliant with Intune. Should be Yes. If No is shown, there may be an issue with compliance policies, or the device isn't connecting to the Intune service (for example, the device may be turned off, or may not have a network connection). Eventually the device becomes non-compliant, possibly after 30 days. For more information, see Use compliance policies to set rules for devices you manage with Intune.

AAD compliant: Identifies whether the device is compliant with Azure Active Directory (AAD). Should be Yes. If No is shown, there may be an issue with compliance policies, or the device isn't connecting to the Intune service (for example, the device may be turned off, or may not have a network connection). Eventually the device becomes non-compliant, possibly after 30 days. For more information, see Use compliance policies to set rules for devices you manage with Intune.

App lifecycle status: Denotes whether an app install failure or success has occurred on the individual device.

OS: The operating system installed on the device.

OS version: The operating system version number of the device.

Last check-in: The timestamp of the last time the device checked in.

Groups
The Groups tab provides the group membership of all Azure AD groups for a specific
managed device. For related information, see Device group membership report.

Name: The name of the group.

Object ID: The Object ID used by Azure Active Directory. Intune commonly refers to it as the Group ID.

Membership type: How users are assigned and added. Assigned denotes that you manually assign users or devices to the group, and manually remove them. Dynamic User denotes that you create membership rules to automatically add and remove members. Dynamic Device denotes that you create dynamic group rules to automatically add and remove devices.

Direct or Transitive: Identifies whether the device is a direct member or a transitive member.

Policy
The Policy tab provides the policies applied to devices, which include policy details, such
as assignment, type, platform, and last modified.

Column Description

Name The name of the device policy.

Assignment Identifies the assignment status of the device.

Type The type of policy.

Platform The type of device platform.

Last Modified The timestamp of the last time the device synchronized with Intune.

Applications
The Applications tab provides managed app install status, assigned, platform, type, and
last modified.

Name: The name of the application.

App install status: The installation status of the app.

Assigned: Whether the app has been assigned.

Platform: The type of device platform.

Type: The assignment type chosen for the app. Available denotes that users install the app from the Company Portal app or website. Not Applicable denotes that the app is not installed or shown in the Company Portal. Uninstall denotes that the app is uninstalled from devices in the selected groups. Available with or without enrollment denotes that the app is assigned to groups of users whose devices are not enrolled with Intune.

Last modified: The timestamp of the last time the device synchronized with Intune.

App protection policy


The App protection policy tab provides the name, platform, and enrollment details for
app protection policies. An app protection policy is available to mobile apps that
integrate with EMS technologies. These policies give a baseline of protection for your
corporate data when it is downloaded to mobile apps, including the Office mobile apps.

Column Description

Name The name of the app protection policy.

Platform The platform of the device.

Enrollment The enrollment status of the device.

Updates
The Updates tab provides an overall view of updates that are deployed to users. This
information also provides filtering, searching, paging, and sorting.

Column Description

Name The update name.

Platform The platform of the device intended for the update.

Update type The type of update.

Enrollment restrictions
The Enrollment restrictions tab provides the policy type, name, platform, and device
limit. Enrollment restrictions are used to prevent (block) personally owned devices from
enrolling; to let specific devices enroll despite such a restriction, add them using
corporate device identifiers before enrollment.

Properties

Policy type: The type of policy.

Name: The name of the policy.

Platform: The platform of the device.

Device limit: The enrollment restriction that limits the number of devices a user can enroll in Microsoft Intune.

Diagnostics
The Diagnostics tab provides the device name or application, platform, created date,
and diagnostic log.

Note

To collect and access diagnostics you must have the Collect diagnostics permission
added to your role. For more information, see Role-based administration control
(RBAC) with Intune.

Column Description

Device name or application The name of the device or application.

Platform The platform of the device.

Created date The timestamp of when the event occurred.

Diagnostic log The diagnostic log file.

Collect available data from mobile device


Use the following resources to help collect device data when troubleshooting user's
device issues:

Report a problem in Company Portal for iOS


Report a problem in Company Portal or Intune app for Android

You can access and download user-submitted logs under Diagnostics.

Next steps
You can learn more about Role-based administration control (RBAC) to define roles in
your organizational device, mobile application management, data protection tasks. For
more information, see Role-based administration control (RBAC) with Intune.
Learn about any known issues in Microsoft Intune. For more information, see Known
issues in Microsoft Intune .

Learn how to create a support ticket and get help when you need it. See Get support.
Troubleshooting Intune app installation
issues
Article • 05/27/2023

This article gives troubleshooting guidance for when app installations fail for Microsoft
Intune-managed apps. The Intune Troubleshoot pane provides failure details, including
details about managed apps, to help you address user help requests. For detailed
information, see Use the troubleshooting portal to help users at your company. In the
Managed Apps pane, you can find information about the end-to-end lifecycle of an app
for each individual device. You can view installation issues, such as when the app was
created, modified, targeted, and delivered to a device.

Note

For specific app installation error code information, see Intune app installation
error reference.

Get app troubleshooting details


Intune provides app troubleshooting details based on the apps installed on a specific
user's device.

1. Sign in to the Microsoft Intune admin center .

2. Select Troubleshoot + support.

3. Click Select user to go to the Select users pane.

4. Type the name or email address of the user you want to troubleshoot, and then
click Select at the bottom of the pane. The troubleshooting information for the
user is displayed in the Troubleshoot pane.

5. Select the device that you want to troubleshoot from the Devices list.

6. Select Managed Apps from selected device pane. A list of managed apps is
displayed.

7. Select an app from the list where Installation Status indicates a failure.


Note

The same app could be assigned to multiple groups but with different
intended actions (intents) for the app. For instance, a resolved intent for an
app will show excluded if the app is excluded for a user during app
assignment. For more information, see How conflicts between app intents
are resolved.

If an installation failure occurs for a required app, either you or your help desk
will be able to sync the device and retry the app install.

The app installation error details will indicate the problem. You can use these details to
determine the best action to take to resolve the problem. For more information about
troubleshooting app installation issues, see Android app installation errors and iOS app
installation errors.

Note

You can also access the Troubleshoot directly in your browser with this URL:
https://aka.ms/intunetroubleshooting .

User Group targeted app installation does not reach device
If you have app installation problems, consider the following actions:

If the app does not display in the Company Portal, ensure the app is deployed with
Available intent and that the user is accessing the Company Portal with the device
type supported by the app.
For Windows BYOD devices, the user needs to add a Work account to the device.
Check if the user is over the Azure Active Directory (Azure AD) device limit:

1. Navigate to Azure Active Directory Device Settings .


2. Make note of the value set for Maximum devices per user.
3. Navigate to Azure Active Directory Users .
4. Select the affected user and click Devices.
5. If user is over the set limit then delete any stale records that are no longer
needed.

For iOS/iPadOS ADE devices, ensure that the user is listed as Enrolled by User in
the Intune devices Overview pane. If it shows NA, then deploy a config policy for
the Intune Company Portal. For more information, see Configure the Company
Portal app.
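The device-limit check above ends with "delete any stale records that are no longer needed", and the Devices tab description earlier on this page notes that a device that stops checking in eventually shows as non-compliant, possibly after 30 days. Both come down to the same triage: separate records that are stale from records that are failing policy, and remove only as many stale ones as the limit requires. The following Python is an added example (not Intune or Microsoft Graph code) of that triage over constructed records shaped like the Devices tab columns; the 30-day threshold follows the page's remark, while the "oldest stale record first, stop once under the limit" rule is this example's own choice.

```python
"""Stale-device triage for the Azure AD device-limit check (added example).

The records are constructed to mirror the Devices tab columns (name, last
check-in, Intune compliant). The 30-day staleness threshold mirrors the page's
"possibly after 30 days"; the selection rule (remove the oldest stale records
first, and only as many as needed to get back under the limit) is this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DeviceRecord:
    name: str
    last_check_in: datetime
    intune_compliant: bool


def stale_records(devices, now, stale_after_days=30):
    """Devices not seen for longer than the threshold, oldest first."""
    cutoff = now - timedelta(days=stale_after_days)
    return sorted((d for d in devices if d.last_check_in < cutoff),
                  key=lambda d: d.last_check_in)


def plan_cleanup(devices, max_devices_per_user, now, stale_after_days=30):
    """Return (names_to_delete, still_over_limit).

    Only stale records are candidates: an active device must never be removed
    just to make room. If there are not enough stale records, the caller still
    has a user over the limit and needs a manual decision."""
    over_by = len(devices) - max_devices_per_user
    if over_by <= 0:
        return [], False
    candidates = stale_records(devices, now, stale_after_days)
    to_delete = [d.name for d in candidates[:over_by]]
    return to_delete, len(to_delete) < over_by


def classify_noncompliant(devices, now, stale_after_days=30):
    """For each non-compliant device decide whether the likely cause is that it
    stopped checking in ("stale") or that it is checking in but failing a
    compliance policy ("policy"), which is the distinction the Devices tab text draws."""
    cutoff = now - timedelta(days=stale_after_days)
    return {d.name: ("stale" if d.last_check_in < cutoff else "policy")
            for d in devices if not d.intune_compliant}


NOW = datetime(2023, 7, 21, tzinfo=timezone.utc)  # constructed reference time


def _days_ago(n):
    return NOW - timedelta(days=n)


# Constructed records for one user; not exported from any tenant.
SAMPLE_DEVICES = [
    DeviceRecord("Pixel-7", _days_ago(1), True),
    DeviceRecord("Galaxy-S21", _days_ago(3), True),
    DeviceRecord("iPad-Air", _days_ago(12), True),
    DeviceRecord("kiosk-tablet", _days_ago(2), False),   # recent, so a policy problem
    DeviceRecord("old-laptop", _days_ago(95), False),
    DeviceRecord("retired-phone", _days_ago(210), False),
    DeviceRecord("lab-vm", _days_ago(41), False),
]

if __name__ == "__main__":
    print(classify_noncompliant(SAMPLE_DEVICES, NOW))
    print(plan_cleanup(SAMPLE_DEVICES, max_devices_per_user=5, now=NOW))
```

With a limit of 5 the user is over by two, and the plan removes the two oldest stale records (retired-phone, old-laptop) while leaving kiosk-tablet alone: it is non-compliant but checked in two days ago, so deleting its registration would hide a compliance-policy problem rather than fix one.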

App types supported on ARM64 devices


App types that are supported on ARM64 devices include the following:

Web apps that do not require a managed browser to open.


Microsoft Store for Business apps or Windows Universal LOB apps ( .appx ) with any
of the following combination of TargetDeviceFamily and ProcessorArchitectures
elements:
TargetDeviceFamily includes Desktop apps, Universal apps and Windows8x
apps. Windows8x apps apply only as Online Microsoft Store for Business apps.
ProcessorArchitecture includes x86 apps, ARM apps, ARM64 apps, and neutral
apps.
Windows Store apps
Mobile MSI LOB apps
Win32 apps with the requirement rule of 32-bit.
Windows Office click-to-run apps if 32-bit or x86 architecture is selected.

Note

To better recognize ARM64 apps in the Company Portal, consider adding ARM64
to the name of your ARM64 apps.

Intune app installation error reference
Article • 10/28/2022

This article lists common app installation errors for Android, iOS, and other scenarios.
Use the following reference to troubleshoot application errors and to get more
information about specific app errors based on returned error codes.

Android app installation errors


This section addresses common errors for both Device Administrator (DA) and Samsung
Knox enrollment. For more information, see Android device administrator enrollment
and Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment.

Error code (Hex) | Error code (Dec) | Error message/code | Description

0xC7D14FB5 (-942583883): The app failed to install.
    Intune returns this error when it cannot determine the root cause of the Android app installation failure: Android provided no information about it. The APK download succeeded, but the installation failed, most commonly because the APK itself cannot be installed on the device. Possible causes are Google Play Protect blocking the install on security grounds, or a device that does not support the app (for example, the app requires API level 21+ and the device runs API level 19). Intune returns this error for both DA and Knox devices. A notification lets users retry, but if the APK is the problem the retry will keep failing. If the app is an available app, the notification can be dismissed; if the app is required, it cannot be dismissed.

0xC7D14FBA (-942583878): The app installation was canceled because the installation (APK) file was deleted after download, but before installation.
    The APK download succeeded, but the file was removed from the device before the user installed the app. This can happen when there is a large gap between download and install: for example, the user canceled the original install, waited, and then tapped the notification to try again. This error is returned only in DA scenarios; Knox installs can be done silently. Intune presents a retry notification so the user can accept instead of cancel. If the app is an available app, the notification can be dismissed; if the app is required, it cannot be dismissed.

0xC7D14FBB (-942583877): The app installation was canceled because the process was restarted during installation.
    The device was rebooted during the APK installation, which canceled the installation. This error is returned for both DA and Knox devices. Intune presents a notification that users can tap to retry. If the app is an available app, the notification can be dismissed; if the app is required, it cannot be dismissed.

0x87D1041C (-2016345060): The application was not detected after installation completed successfully.
    The user explicitly uninstalled the app. This error is not returned by the client; it is produced when the app was installed at one point and the user later uninstalled it. It should only occur for required apps, because users are allowed to uninstall non-required apps. It can only happen under DA: Knox blocks the uninstall of managed apps. The next sync reposts the install notification on the device; the user can ignore it, and the error continues to be reported until the user installs the app.

0xC7D14FB2 (-942583886): The download failed because of an unknown error.
    The download failed, commonly because of Wi-Fi issues or a slow connection. This error is returned only in DA scenarios; for Knox the user is not prompted to install, and the install can be done silently. Intune presents a notification that users can tap to retry. If the app is an available app, the notification can be dismissed; if the app is required, it cannot be dismissed.

0xC7D15078 (-942583688): The download failed because of an unknown error. The policy will be retried the next time the device syncs.
    The download failed, commonly because of Wi-Fi issues or a slow connection. This error is returned only in DA scenarios; for Knox the user is not prompted to install, and the install can be done silently.

0xC7D14FB1 (-942583887): The end user canceled the app installation.
    The user canceled the installation. This error is returned when the Android OS install activity was canceled by the user: the user pressed Cancel on the OS install prompt or tapped away from it. This error is returned only in DA scenarios; for Knox the user is not prompted to install, and the install can be done silently. Intune presents a notification that users can tap to retry. If the app is an available app, the notification can be dismissed; if the app is required, it cannot be dismissed. Ask the user not to cancel the install.

0xC7D15015 (-942583787): The file download process was unexpectedly stopped.
    The OS stopped the download before it completed. This can occur when the device has low battery or the download takes too long. This error is returned only in DA scenarios; for Knox the user is not prompted to install, and the install can be done silently. Intune presents a notification that users can tap to retry. If the app is an available app, the notification can be dismissed; if the app is required, it cannot be dismissed. Ensure the device has a reliable network connection.

0xC7D1507C (-942583684): The file download service was unexpectedly stopped. The policy will be retried the next time the device syncs.
    The OS ended the download before it completed. This can occur when the device has low battery or the download takes too long. This error is returned only in DA scenarios; for Knox the user is not prompted to install, and the install can be done silently. Manually sync the device, or wait 24 hours and check the status.

0xC7D14FB8 (-942583880): The app failed to uninstall.
    A generic uninstall failure: the OS did not specify why the app failed to uninstall. Some admin apps cannot simply be uninstalled. Check that the app can be uninstalled manually, and collect the Company Portal logs if the uninstall fails.

0xC7D14FB7 (-942583881): The app installation APK file used for the upgrade does not match the signature for the current app on the device.
    Android requires the signing certificate of an upgrade to be exactly the same as the certificate used to sign the installed version. If the developer cannot sign the new version with the same certificate, uninstall the existing app and deploy the new app rather than upgrading the existing one.

0xC7D14FB9 (-942583879): The end user canceled the app installation.
    Educate the user to accept the Intune-deployed app and install it when prompted.

0xC7D14FBC (-942583876): Uninstall of the app was canceled because the process was restarted.
    The process was terminated by the OS, or the device was restarted. Retry the install and collect Company Portal logs if this error occurs again.
during
installation.

0xc7d14fb6 -942583882 The app By default, Android OS requires apps to be


installation signed. Ensure the app is signed before
APK file cannot deployment.
be installed
because it was
not signed.
Error code Error code Error Description
(Hex) (Dec) message/code

0xC7D14FB1 -942583887 The end user The user explicitly uninstalled the app. This error
canceled the is returned when the Android OS install activity
app was canceled by the user. The user pressed the
installation. cancel button when the OS install prompt was
presented or clicked away from the prompt. This
error is returned for only DA scenarios. For
KNOX scenarios, the user is not prompted to
install, this can be done silently. Intune presents
a notification that users can click to retry. If the
app is an available app, the notification can be
dismissed. However, if the app is required, it
cannot be dismissed. Ask the user not to cancel
the install.

0xC7D14FB9 -942583879 The end user Educate the user to accept the Intune deployed
canceled the app and install the app when prompted.
app
installation. (At
the accept
prompt)

iOS and iPadOS app installation errors


The following error messages and descriptions provide details about iOS and iPadOS
installation errors.

Error code (Hex) | Error code (Dec) | Error message/code | Description/Troubleshooting tips
0x87D12906 | -2016335610 | Apple MDM Agent error: App installation command failed with no error reason specified. Retry app installation. | Apple MDM Agent returned that the installation command failed.
0x87D1313C | -2016333508 | Network connection on the client was lost or interrupted. Later attempts should succeed in a better network environment. | The network connection was lost while the updated download service URL was sent to the device. Specifically, a server with the specified hostname could not be found.
0x87D1313D | -2016333507 | Could not retrieve license for the app with iTunes Store ID | Sync the associated VPP token, then sync the device with Intune. If the issue persists, remove group assignment and reassign the VPP app as device-licensed. If the issue still persists, revoke the app license from the device by navigating to Apps > iOS > select VPP app > App licenses > select device. Then, revoke license and try re-assigning the app to the user group or device group. If the issue still persists, revoke all VPP licenses for the device by going to Devices > iOS > select device > Overview > Revoke licenses, then retire the device and re-enroll to Intune.
0x87D11388 | -2016341112 | iOS/iPadOS device is currently busy. | The iOS/iPadOS device was busy, which resulted in an error. The device was locked. The user needs to unlock the device to install the app.
0x87D13B64 | -2016330908 | The app installation has failed. | An app installation failure occurred. iOS/iPadOS Console logs are needed to troubleshoot this error.
0x87D13B66 | -2016330906 | The app is managed, but has expired or been removed by the user. | Either the user explicitly uninstalled the app, or the app is expired but failed to download, or the app detection does not match the response from the device. Additionally, this error could occur based on an iOS/iPadOS 9.2.2 platform bug.
0x87D13B60 | -2016330912 | The app is scheduled for installation, but needs a redemption code to complete the transaction. | This error typically occurs with iOS Store apps which are paid apps.
0x87D13B7D | -2016330883 | Unknown error. | An unknown app installation error occurred. This error code can be returned for multiple reasons, one of which is an expired VPP token in Intune. As a general recommendation, whenever an unknown error is encountered, ensure that the Volume Purchase Program (VPP) token is checked to verify that it's current and functional.
0x87D1041C | -2016345060 | The application was not detected after installation completed successfully. | The app detection process did not match with the response from the device.
0x87D13B62 | -2016330910 | The user rejected the offer to install the app. | During initial app install, the user clicked cancel. Ask the user to accept the install request the next time.
0x87D13B63 | -2016330909 | The user rejected the offer to update the app. | The end user clicked cancel during the update process. Deploy as required or educate the user to accept the upgrade prompt.
0x87D103E8 | -2016345112 | Unknown error | An unknown app installation error occurred. This is the resulting error when other errors have not occurred.
0x87D13B93 | -2016330861 | Can only install VPP apps on Shared iPad. | The apps must be obtained using Apple Volume Purchase Program to install on a Shared iPad.
0x87D13B94 | -2016330860 | Can't install apps when App Store is disabled. | The App Store must be enabled for the user to install the app.
0x87D13B95 | -2016330859 | Can't find VPP license for app. | Try revoking and reassigning the app license.
0x87D13B96 | -2016330858 | Can't install system apps with your MDM provider. | Installing apps that are pre-installed by the iOS/iPadOS operating system is not a supported scenario.
0x87D13B97 | -2016330857 | Can't install apps when device is in Lost Mode. | All use of the device is blocked in Lost Mode. Disable Lost Mode to install apps.
0x87D13B98 | -2016330856 | Can't install apps when device is in kiosk mode. | Try adding this device to an exclude group for kiosk mode configuration policy to install apps.
0x87D13B9C | -2016330852 | Can't install 32-bit apps on this device. | The device doesn't support installing 32-bit apps. Try deploying the 64-bit version of the app.
0x87D13B99 | -2016330855 | User must sign in to the App Store. | The user needs to sign in to the App Store before the app can be installed.
0x87D13B9A | -2016330854 | Unknown problem. Please try again. | The app installation failed due to an unknown reason. Try again later.
0x87D13B9B | -2016330853 | The app installation failed. Intune will try again the next time the device syncs. | The app installation encountered a device error. Sync the device to try installing the app again.
0x87d13b7e | -2016330882 | License Assignment failed with Apple error 'No VPP licenses remaining' | This behavior is by design. To resolve this, purchase additional VPP licenses or reclaim licenses from users no longer targeted.
0x87d13b6e | -2016330898 | App Install Failure 12024: Unknown cause. | Apple hasn't given us sufficient information to determine why the install failed. Nothing to report.
0x87d13b7f | -2016330881 | Needed app configuration policy not present, ensure policy is targeted to same groups. | App requires app config but no app config is targeted. Admin should make sure the groups the app is targeted to also have the required app config targeted to the groups.
0x87d13b69 | -2016330903 | Device VPP licensing is only applicable for iOS/iPadOS 9.0+ devices. | Upgrade affected iOS/iPadOS devices to iOS/iPadOS 9.0+.
0x87d13b8f | -2016330865 | The application is installed on the device but is unmanaged. | This error only happens to LOB apps. The app was installed outside of Intune. To address this error, uninstall the app from the device. The next time the device sync happens, the device should install the app from Intune.
0x87d13b68 | -2016330904 | User declined app management | Ask the user to accept app management.
0x87d1279d | -2016335971 | Unknown error. | This error happens to iOS store apps, but the error scenario is unknown.
0x87D13B9D | -2016330851 | The latest version of the app failed to update from an earlier version. | This error message is displayed if the app is installed and managed but with the incorrect version on the device. This situation includes when a device has received a command to update an app but the new version has not yet been installed and reported back. This error will be reported for the first check-in of a device after the upgrade has been deployed, and will occur until the device reports that the new version is installed, or fails due to a different error.
0x87D13B6F | -2016330897 | Your connection to Intune timed out. | App Manifest validation failure due to network connectivity (timeout)
0x87D13B70 | -2016330896 | You lost connection to the Internet. | App Manifest validation failure due to network connectivity (Cannot Find Host)
0x87D13B72 | -2016330894 | You lost connection to the Internet. | App Manifest validation failure due to network connectivity (Connection Lost)
0x87D13B73 | -2016330893 | You lost connection to the Internet. | App Manifest validation failure due to network connectivity (Not Connected to internet)
0x87D13B77 | -2016330889 | The secure connection failed. | App Manifest validation failure due to network connectivity (Secure Connection Failed)
0x87D13B80 | -2016330880 | CannotConnectToITunesStoreError | App install failed due to failure to Connect To ITunes Store
0x87D13B9F | -2016330849 | The VPP App has an update available | This code is returned when a VPP app is installed but there is a newer version available.
0x87D13B9E | 2016330850 | Can't enforce app uninstall setting. Retry installing the app. | The app is already installed on the device but the "uninstall on retire" setting does not match the configured value. Advise the user to request the app-install from Company Portal to attempt applying the "uninstall on retire" setting again.

Other installation errors


Error code (Hex) | Error code (Dec) | Error message/code | Description
0x80073CFF | -2147009281 | (client error) | To install this app, you must have a sideloading-enabled system. Make sure that the app package is signed with a trusted signature and installed on a domain-joined device that has the AllowAllTrustedApps policy enabled, or a device that has a Windows Sideloading license with the AllowAllTrustedApps policy enabled. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps.
0x80CF201C | -2133909476 | (client error) | To install this app, you must have a sideloading-enabled system. Make sure that the app package is signed with a trusted signature and installed on a domain-joined device that has the AllowAllTrustedApps policy enabled, or a device that has a Windows Sideloading license with the AllowAllTrustedApps policy enabled. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps.
0x80073CF0 | -2147009296 | The package is unsigned. The publisher name does not match the signing certificate subject. Check the AppxPackagingOM event log for information. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps. | The package could not be opened.
0x80073CF3 | -2147009296 | The incoming package conflicts with an installed package. A specified package dependency is not found. The package does not support the correct processor architecture. Check the AppXDeployment-Server event log for information. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps. | The package failed update, dependency, or conflict validation.
0x80073CFB | -2147009285 | | The provided package is already installed, and reinstallation of the package is blocked. You could receive this error if you are installing a package that is not identical to the package that is already installed. Confirm the digital signature is also part of the package. When a package is rebuilt or re-signed, that package is no longer bitwise identical to the previously installed package. Two possible options to fix this error are as follows: (1) Increment the version number of the app, then rebuild and re-sign the package. (2) Remove the old package for every user on the system before you install the new package. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps.
0x87D1041C | -2016345060 | | Application installation succeeded but application is not detected. The app was deployed successfully by Intune, then subsequently uninstalled. Reasons for the app being uninstalled include: the end user uninstalled the app; the identity information in the package does not match what the device reports for bad apps; for self-updating MSIs, the product version does not match the information of the app after it is updated outside of Intune. Instruct the user to reinstall the app from the Company Portal. Note that required apps will be reinstalled automatically when the device next checks in.
0x8000FFFF | -2147418113 | An unexpected error occurred during installation. Check the installation logs for additional information. |
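Intune reports and exports normally show these codes as signed decimals, while the tables list the hex form. The Python below is an added example, not part of this article or of any Intune tool: it converts between the two forms, looks a code up in a small catalogue copied from the tables above (descriptions shortened), and checks that a printed hex/decimal pair is self-consistent. The comma-separated report lines it parses are a constructed sample, not a real export format.

```python
"""Triage helper for Intune app-installation error codes (added example)."""
from __future__ import annotations

# Subset of the rows from the tables above, keyed by the hex code.
# Descriptions are shortened; this is constructed from the page, not an API.
ERROR_CATALOGUE: dict[str, str] = {
    "0xC7D14FB2": "Android: download failed because of an unknown error "
                  "(DA scenarios only); the user can retry from the notification.",
    "0xC7D14FB1": "Android: end user canceled the app installation (DA only).",
    "0x87D13B7D": "iOS/iPadOS: unknown error; verify the VPP token is current.",
    "0x87D13B9E": "iOS/iPadOS: can't enforce 'uninstall on retire'; retry install.",
    "0x80073CFF": "Windows: sideloading-enabled system required (AllowAllTrustedApps).",
    "0x8000FFFF": "Unexpected error during installation; check the installation logs.",
}


def hex_to_signed(code: str) -> int:
    """Convert a 32-bit HRESULT such as '0x87D13B9E' to the signed decimal
    that Intune reports show (-2016330850)."""
    value = int(code, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit code: {code}")
    return value - (1 << 32) if value & 0x80000000 else value


def signed_to_hex(value: int) -> str:
    """Inverse of hex_to_signed: -2016330850 -> '0x87D13B9E'."""
    if not -(1 << 31) <= value < (1 << 31):
        raise ValueError(f"not a signed 32-bit value: {value}")
    return f"0x{value & 0xFFFFFFFF:08X}"


def normalize(code: str | int) -> str:
    """Accept the hex string (any case) or the signed decimal (int or str)
    and return the canonical upper-case hex key used by the catalogue."""
    if isinstance(code, int):
        return signed_to_hex(code)
    text = code.strip()
    if text.lower().startswith("0x"):
        return signed_to_hex(hex_to_signed(text))
    return signed_to_hex(int(text))


def lookup(code: str | int) -> dict:
    """Return hex, decimal and (if known) the catalogue description."""
    key = normalize(code)
    return {"hex": key, "dec": hex_to_signed(key),
            "message": ERROR_CATALOGUE.get(key, "not in catalogue")}


def check_pair(hex_code: str, dec_code: int) -> bool:
    """True when a (hex, dec) pair printed in a table is self-consistent.
    The table above lists 0x87D13B9E next to '2016330850' (no sign);
    this check flags that kind of transcription slip before it is pasted
    into a detection rule or runbook."""
    return hex_to_signed(hex_code) == dec_code


def triage(report_lines: list[str]) -> list[dict]:
    """Parse constructed lines '<device>,<app>,<signed error code>' and
    annotate each with the catalogue entry."""
    results = []
    for line in report_lines:
        device, app, raw = (part.strip() for part in line.split(","))
        results.append({"device": device, "app": app, **lookup(raw)})
    return results


if __name__ == "__main__":
    # Constructed sample export; not real device data.
    sample = [
        "iPad-01, Microsoft Teams, -2016330883",
        "Pixel-07, Company Portal, -942583886",
        "Desk-12, Contoso LOB, -2147418113",
    ]
    for row in triage(sample):
        print(f"{row['device']:>8} {row['hex']} ({row['dec']}): {row['message']}")
```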

Troubleshooting app protection policy user issues
Article • 05/27/2023

This article provides solutions to common user issues and error messages related to
Intune app protection policies. It provides an explanation and solution, when available,
for user issues in the following categories:

Common usage scenarios: A user might experience these scenarios on apps that
have an Intune app protection policy. They are not actual issues, but may be
perceived as bugs or errors.

Common usage dialogs: Usage dialogs a user might see in apps that have an
Intune app protection policy. These messages and dialogs do not indicate an error
or bug.

Error messages and dialogs on iOS, Error messages and dialogs on Android: Error
messages and dialogs a user might see on apps that have an Intune app
protection policy. They often indicate an error was made by the IT administrator or
a bug with the app protection policy.

Common usage scenarios


Platform | Scenario | Explanation
iOS | The user can use the iOS/iPadOS share extension to open work or school data in unmanaged apps, even with the data transfer policy set to Managed apps only or No apps. Will this leak data? | Intune app protection policy can't control the iOS/iPadOS share extension without managing the device. Therefore, Intune encrypts "corporate" data before sharing it outside the app. You can validate it by attempting to open the "corporate" file outside of the managed app. The file should be encrypted and unable to be opened outside the managed app.
iOS | The user is prompted to install the Microsoft Authenticator app. | It is needed when App Based Conditional Access is applied, see Require approved client app.
Android | The user is required to install the Company Portal app, even if we use app protection without device enrollment. | On Android, much of app protection functionality is built into the Company Portal app. Device enrollment is not required even though the Company Portal app is always required. For app protection without enrollment, the end user just needs to have the Company Portal app installed on the device.
iOS/Android | App protection policy not applied on draft email in the Outlook app | Since Outlook supports both corporate and personal context, it does not enforce MAM on draft email.
iOS/Android | App protection policy not applied on new documents in WXP (Word, Excel, PowerPoint) | Since WXP supports both corporate and personal context, it does not enforce MAM on new documents until they are saved in an identified corporate location like OneDrive.
iOS/Android | Apps not allowing Save As to Local Storage when policy is enabled | The App behavior for this setting is controlled by the App Developer.
Android | Android has more restrictions than iOS/iPadOS on what "native" apps can access MAM protected content | Android is an open platform and the native app association can be changed by the end user to potentially unsafe apps. Apply Data transfer policy exceptions to exempt specific apps.
Android | Azure Information Protection (AIP) can Save as PDF when Save As is prevented | AIP honors the MAM policy for 'Disable printing' when Save as PDF is used.
iOS | Opening PDF attachments in Outlook app fails with Action Not Allowed | This issue can occur if the user has not authenticated to Acrobat Reader for Intune, or has used thumbprint to authenticate to their organization. Open Acrobat Reader beforehand and authenticate using UPN credentials.

Common usage dialogs


Platform | Message or dialog | Explanation
iOS, Android | Sign-in: To protect its data, your organization needs to manage this app. To complete this action, sign in with your work or school account. | The end user must sign in with their work or school account in order to use this app, which requires an app protection policy. In order for the policy to apply, the user must authenticate against Azure Active Directory.
iOS, Android | Restart Required: Your organization is now protecting its data in this app. You need to restart the app to continue. | The app has just received an Intune app protection policy and must restart in order for the policy to apply.
iOS, Android | Action Not Allowed: Your organization only allows you to open work or school data in this app. | The IT administrator has set the Allow app to receive data from other apps to Managed apps only. Therefore, the end user can only transfer data into this app from other apps that have an app protection policy.
iOS, Android | Action Not Allowed: Your organization only allows you to transfer its data to other managed apps. | The IT administrator has set the Allow app to transfer data to other apps to Managed apps only. Therefore, the end user can only transfer data out of this app to other apps that have an app protection policy.
iOS, Android | Wipe Alert: Your organization has removed its data associated with this app. To continue, restart the app. | The IT administrator has initiated an app wipe using Intune app protection.
Android | Company Portal required: To use your work or school account with this app, you must install the Intune Company Portal app. Click "Go to store" to continue. | On Android, much of app protection functionality is built into the Company Portal app. Device enrollment is not required even though the Company Portal app is always required. For app protection without enrollment, the end user just needs to have the Company Portal app installed on the device.

Error messages and dialogs on iOS


Error message or dialog | Cause | Remediation
App Not Set Up: This app has not been set up for you to use. Contact your IT administrator for help. | Failure to detect a required app protection policy for the app. | Make sure an iOS app protection policy is deployed to the user's security group and targets this app.
Welcome to the Intune Managed Browser: This app works best when managed by Microsoft Intune. You can always use this app to browse the web, and when it is managed by Microsoft Intune you gain access to additional data protection features. | Failure to detect a required app protection policy for the Intune Managed Browser app. The user can still use the app to browse the web, but the app is not managed by Intune. | Make sure an iOS app protection policy is deployed to the user's security group and targets the Intune Managed Browser app.
Sign-in Failed: We can't sign you in right now. Please try again later. | Failure to enroll the user with the MAM service after the user attempts to sign in with their work or school account. | Make sure an iOS app protection policy is deployed to the user's security group and targets this app.
Account Not Set Up: Your organization has not set up your account to access work or school data. Contact your IT administrator for help. | The user account does not have an Intune A Direct license. | Make sure the user's account has an Intune license assigned in the Microsoft 365 admin center.
Device Non-Compliant: This app cannot be used because you are using a jailbroken device. Contact your IT administrator for help. | Intune detected the user is on a jailbroken device. | Reset the device to default factory settings. Follow these instructions from the Apple support site.
Internet Connection Required: You must be connected to the Internet to verify that you can use this app. | The device is not connected to the Internet. | Connect the device to a WiFi or Data network.
Unknown Failure: Try restarting this app. If the problem persists, contact your IT administrator for help. | An unknown failure occurred. | Wait a while and try again. If the error persists, create a support ticket with Intune.
Accessing Your Organization's Data: The work or school account you specified does not have access to this app. You may have to sign in with a different account. Contact your IT administrator for help. | Intune detects the user attempted to sign in with a second work or school account that is different from the MAM enrolled account for the device. Only one work or school account can be managed by MAM at a time per device. | Have the user sign in with the account whose username is pre-populated by the sign-in screen. You may need to configure the user UPN setting for Intune. Or, have the user sign in with the new work or school account and remove the existing MAM enrolled account.
Connection Issue: An unexpected connection issue occurred. Check your connection and try again. | Unexpected failure. | Wait a while and try again. If the error persists, create a support ticket with Intune.
Alert: This app can no longer be used. Contact your IT administrator for more information. | Failure to validate the app's certificate. | Make sure the app version is up to date. Reinstall the app.
Error: This app has encountered a problem and must close. If this error persists, please contact your IT administrator. | Failure to read the MAM app PIN from the Apple iOS Keychain. | Restart the device. Make sure the app version is up to date. Reinstall the app.

Error messages and dialogs on Android


Dialog/Error message | Cause | Remediation
App not set up: This app has not been set up for you to use. Contact your IT administrator for help. | Failure to detect a required app protection policy for the app. | Make sure an Android app protection policy is deployed to the user's security group and targets this app.
Failed app launch: There was an issue launching your app. Try updating the app or the Intune Company Portal app. If you need help, contact your IT administrator. | Intune detected valid app protection policy for the app, but the app is crashing during MAM initialization. | Make sure the app version is up to date. Make sure the Intune Company Portal app is installed and up-to-date on the device. If the error persists, use the Company Portal app to send logs to Intune or create a support ticket.
No apps found: There are no apps on this device that your organization allows to open this content. Contact your IT administrator for help. | The user tried to open work or school data with another app, but Intune cannot find any other managed apps that are allowed to open the data. | Make sure an Android app protection policy is deployed to the user's security group and targets at least one other MAM-enabled app that can open the data in question.
Sign-in failed: Try to sign in again. If this problem persists, contact your IT administrator for help. | Failure to authenticate the account with which the user attempted to sign in. | Make sure the user signs in with the work or school account that is already enrolled with the Intune MAM service (the first work or school account that was successfully signed into in this app). Clear the app's data. Make sure the app version is up to date. Make sure the Company Portal version is up to date.
Internet connection required: You must be connected to the Internet to verify that you can use this app. | The device is not connected to the Internet. | Connect the device to a WiFi or Data network.
Device noncompliant: This app can't be used because you are using a rooted device. Contact your IT administrator for help. | Intune detected the user is on a rooted device. | Reset the device to default factory settings.
Account not set up: This app must be managed by Microsoft Intune, but your account has not been set up. Contact your IT administrator for help. | The user account does not have an Intune A Direct license. | Make sure the user's account has an Intune license assigned in the Microsoft 365 admin center.
Unable to register the app: This app must be managed by Microsoft Intune, but we were unable to register this app at this time. Contact your IT administrator for help. | Failure to automatically enroll the app with the MAM service when app protection policy is required. | Clear the app's data. Send logs to Intune through the Company Portal app or file a support ticket. For more information, see How to get support in Microsoft Intune.

Review client app protection logs
Article • 08/17/2023

Learn about the settings you can review in the app protection logs. Access logs by enabling Intune
Diagnostics on a mobile client.

The process to enable and collect logs varies by platform:

iOS/iPadOS devices - Use Microsoft Edge for iOS/iPadOS to collect logs. For details, see Use Edge for iOS and Android to access managed app logs.

Windows 10/11 devices - Use MDMDiag and event logs. See Diagnose MDM failures in Windows 10 in the Windows client management content, and the blog Troubleshooting Windows 10 Intune Policy Failures.

Android devices - Use Microsoft Edge for Android to collect logs. For details, see Use Edge for iOS and Android to access managed app logs.

Note

On Android Fully Managed devices, in certain instances the Intune Company Portal app may be visible under all apps. This may happen when an app associated with an app protection policy is either not installed or not launched.

The following tables list the App protection policy setting name and supported values that are
recorded in the log. In addition, each setting identifies the policy setting found within Microsoft
Intune admin center. For detailed information on each setting, see iOS/iPadOS app protection policy
settings and Android app protection policy settings in Microsoft Intune.
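The ManagedLocations value in the iOS/iPadOS table below is a bitmask: each storage location is one bit (1 = OneDrive, 2 = SharePoint, 4 = Box, 32 = Local Storage, 128 = Photo Library) and the listed values are sums of those bits. The Python below is an added example, not Intune code: it decodes a logged value into the named locations and combines it with FileSharingSaveAsDisabled to answer whether Save As to local storage is effectively allowed. The `Name = Value` line layout it parses is an assumption made for the constructed sample, not the real log format.

```python
"""Decode the ManagedLocations value from an iOS/iPadOS app protection log
(added example; the bit assignments are read off the settings table)."""
from __future__ import annotations
import re

# Each managed storage location is one bit; the table's numbered values are
# sums of these bits (e.g. 35 = 32 + 2 + 1 = Local Storage, OneDrive &
# SharePoint). Bits 8 and 16 are not listed on this page.
MANAGED_LOCATION_BITS: dict[int, str] = {
    1: "OneDrive",
    2: "SharePoint",
    4: "Box",
    32: "Local Storage",
    128: "Photo Library",
}
KNOWN_MASK = sum(MANAGED_LOCATION_BITS)  # 167, the largest value in the table


def decode_managed_locations(value: int) -> list[str]:
    """Return the locations the app may save copies of org data to.
    0 means no selected service. An unknown bit raises, so a value a newer
    client writes is noticed rather than silently dropped."""
    if value < 0 or value & ~KNOWN_MASK:
        raise ValueError(f"ManagedLocations {value} uses bits not on this page")
    return [name for bit, name in MANAGED_LOCATION_BITS.items() if value & bit]


def encode_managed_locations(names: list[str]) -> int:
    """Inverse: the value the log would show for a set of locations."""
    by_name = {name: bit for bit, name in MANAGED_LOCATION_BITS.items()}
    return sum(by_name[name] for name in names)


def allows_save_to(value: int, location: str) -> bool:
    return location in decode_managed_locations(value)


# Assumed 'Name = Value' layout for the constructed sample lines below.
LOG_LINE = re.compile(r"^\s*(?P<name>[A-Za-z]+)\s*[:=]\s*(?P<value>\S+)")


def summarize_log(lines: list[str]) -> dict[str, object]:
    """Pull ManagedLocations and FileSharingSaveAsDisabled out of the lines
    and report whether Save As to local storage is effectively possible."""
    settings: dict[str, str] = {}
    for line in lines:
        match = LOG_LINE.match(line)
        if match:
            settings[match["name"]] = match["value"]
    value = int(settings.get("ManagedLocations", "0"))
    # FileSharingSaveAsDisabled: 0 = Allow, 1 = Block (per the table).
    save_as_blocked = settings.get("FileSharingSaveAsDisabled") == "1"
    return {
        "locations": decode_managed_locations(value),
        "local_storage_allowed": (not save_as_blocked)
        and allows_save_to(value, "Local Storage"),
    }


if __name__ == "__main__":
    sample = [  # constructed sample, not a real log
        "IntuneIdentityUPN = user@contoso.example",
        "FileSharingSaveAsDisabled = 0",
        "ManagedLocations = 163",
    ]
    print(summarize_log(sample))
```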

iOS/iPadOS App protection policy settings


Name | Value details | Setting in Microsoft Intune App Protection Policy
AccessRecheckOfflineTimeout | x minutes | Section: Conditional launch. Setting: Offline grace period with action Block access (minutes)
AccessRecheckOnlineTimeout | x minutes | Section: Access requirements. Setting: Recheck the Access requirements after (minutes of inactivity)
AllowedIOSModelsElseBlock | x characters | Section: Conditional launch. Setting: Device model(s) with action Allow specified (Block non-specific)
AllowedIOSModelsElseWipe | x characters | Section: Conditional launch. Setting: Device model(s) with action Allow specified (Wipe non-specific)
AppActionIfUnableToAuthenticateUser | 0 = Block access; 1 = Wipe data required | Section: Conditional launch. Setting: Disabled account
AppPinDisabled | 0 = Require; 1 = Not required | Section: Access requirements. Setting: App PIN when device PIN is set
AppSharingFromLevel | 0 = None; 1 = Policy Managed apps; 2 = All apps | Section: Data protection. Setting: Receive data from other apps
AppSharingToLevel | 0 = None; 1 = Policy managed apps; 2 = All app | Section: Data protection. Setting: Send org data to other apps
AuthenticationEnabled | 0 = Not required; 1 = Require | Section: Access requirements. Setting: Work or school account credentials for access
ClipboardCharacterExceptionLength | x characters | Section: Data protection. Setting: Cut and copy character limit for any app
ClipboardEncryptionEnabled | 0 = Disabled; 1 = Enabled | No administrative control for this setting.
ClipboardSharingLevel | 0 = Blocked; 1 = Policy managed apps; 2 = Policy managed apps with paste in; 3 = Any app | Section: Data protection. Setting: Restrict cut, copy, and paste between other apps
ContactSyncDisabled | 0 = Allow; 1 = Block | Section: Data protection. Setting: Sync app with native contacts app
DataBackupDisabled | 0 = Allow; 1 = Block | Section: Data protection. Setting: Prevent backups
DeviceComplianceEnabled | 0 = False; 1 = True | Section: Conditional launch. Setting: Jailbroken/rooted devices
DeviceComplianceFailureAction | 0 = Block access; 1 = Wipe data | Section: Conditional launch. Setting: Jailbroken/rooted devices
DialerRestrictionLevel | 0 = None, do not transfer this data between apps; 1 = A specific dialer app; 3 = Any dialer app | Section: Data protection. Setting: Transfer telecommunication data to
DictationBlocked | 0 = Allow; 1 = Block | No administrative control for this setting.
DisableShareSense | N/A | N/A: Not actively used by the Intune service.
EnableOpenInFilter | 0 = Disabled; 1 = Enabled | Section: Data protection. Setting: Send Org data to other apps > Policy managed apps with Open-In/Share filtering
FaceIDEnabled | 0 = Block; 1 = Allow | Section: Access requirements. Setting: Face ID instead of PIN for access (iOS 11+/iPadOS)
FileEncryptionLevel | 0 = When device is locked; 1 = When device is locked and there are open files; 2 = After device restart; 3 = Use device settings | Section: Data protection. Setting: Encrypt org data
FileSharingSaveAsDisabled | 0 = Allow; 1 = Block | Section: Data protection. Setting: Save copies of org data
IntuneIdentityUPN | UPN of the Intune MAM user | N/A
ManagedBrowserRequired | 0 = False; 1 = True | Section: Data protection. Setting: Restrict web content transfer with other apps
ManagedLocations | A value that represents the number of managed storage locations to which the app can save data. 1 = OneDrive; 2 = SharePoint; 3 = OneDrive & SharePoint; 4 = Box; 5 = OneDrive & Box; 6 = SharePoint & Box; 7 = OneDrive, SharePoint & Box; 32 = Local Storage; 33 = Local Storage & OneDrive; 34 = Local Storage & SharePoint; 35 = Local Storage, OneDrive & SharePoint; 36 = Local Storage & Box; 37 = Local Storage, OneDrive & Box; 38 = Local Storage, SharePoint & Box; 39 = Local Storage, OneDrive, SharePoint & Box; 128 = Photo Library; 129 = Photo Library & OneDrive; 130 = Photo Library & SharePoint; 131 = Photo Library, OneDrive & SharePoint; 132 = Photo Library & Box; 133 = Photo Library, OneDrive & Box; 134 = Photo Library, SharePoint & Box; 135 = Photo Library, OneDrive, SharePoint & Box; 160 = Photo Library, Local Storage; 161 = Photo Library, Local Storage & OneDrive; 162 = Photo Library, Local Storage & SharePoint; 163 = Photo Library, Local Storage, OneDrive & SharePoint; 164 = Photo Library, Local Storage & Box; 165 = Photo Library, Local Storage, OneDrive & Box; 166 = Photo Library, Local Storage, SharePoint & Box; 167 = Photo Library, Local Storage, OneDrive, SharePoint & Box | Section: Data protection. Setting: Allow user to save copies to selected services
ManagedUniversalLinks | A list of universal links that allow data to be opened in the corresponding managed apps | Section: Data protection. Setting: Select managed universal links
MaxPinRetryExceededAction | 0 = Reset PIN; 1 = Wipe data | Section: Conditional launch. Setting: Max PIN attempts
MaxOsVersion | "0.0" = no maximum OS version; anything else = maximum OS version | Section: Conditional launch. Setting: Max OS version with action Block access
MaxOsVersionWarning "0.0" = no maximum Section: Conditional launch


OS version Setting: Max OS version with action
anything else = Warn
maximum OS version

MaxOsVersionWipe "0.0" = no maximum Section: Conditional launch


OS version Setting: Max OS version with action
anything else = Wipe data
maximum OS version

MinAppVersion "0.0" = no minimum Section: Conditional launch


app version Setting: Min app version with action
anything else = Block access
minimum app version

MinAppVersionWarning "0.0" = no minimum Section: Conditional launch


app version. Setting: Min app version with action
anything else = Warn
minimum app version

MinAppVersionWipe "0.0" = no minimum Section: Conditional launch


OS version Setting: Min app version with action
anything else = Wipe data
minimum OS version

MinOsVersion "0.0" = no minimum Section: Conditional launch


OS version Setting: Min OS version with action
anything else = Block access
minimum OS version

MinOsVersionWarning "0.0" = no minimum Section: Conditional launch


OS version Setting: Min OS version with action
anything else = Warn
minimum OS version

MinOsVersionWipe "0.0" = no minimum Section: Conditional launch


OS version Setting: Min OS version with action
anything else = Wipe data
minimum OS version
Name Value details Setting in Microsoft Intune App
Protection Policy

MinSDKVersion "0.0" = no minimum Section: Conditional launch


SDK version Setting: Min SDK version with action
anything else = Block access
minimum OS version

MinSDKVersionWipe "0.0" = no minimum Section: Conditional launch


SDK version Setting: Min SDK version with action
anything else = Block access
minimum OS version

MinimumRequiredDeviceThreatProtectionLevel 0 = Not configured Section: Conditional launch


1 = Secured Setting: Max allowed device threat
2 = Low level
3 = Medium
4 = High

MobileThreatDefenseRemediationAction 0 = Block access Section: Access requirements


1 = Wipe data Setting: Max allowed device threat
level action)

NonBioPassTimeOutRequired 0 = Not required Section: Access requirements


1 = Require Setting: Override Touch ID with PIN
after timeout

NonBioPassTimeOut x minutes Section: Access requirements


Setting: Override Touch ID with PIN
after timeout > Timeout (minutes of
inactivity)

NotificationRestriction 0 = Allow Section: Data protection


1 = Block Org Data Setting: Org data notifications
2 = Block

OpenDataFromManagedLocations A value that represents Section: Data protection


the number of Setting: Allow users to open data
managed storage from selected services
locations to which the
app can save data.
1 = OneDrive
2 = SharePoint
3 = OneDrive &
SharePoint
4 = Camera
5 = OneDrive &
Camera
6 = SharePoint &
Camera
7 = OneDrive,
SharePoint & Camera
8 = Local Storage
9 = Local Storage &
OneDrive
10 = Local Storage &
SharePoint
Name Value details Setting in Microsoft Intune App
Protection Policy

11 = Local Storage,
OneDrive & SharePoint
12 = Local Storage &
Camera
13 = Local Storage,
OneDrive & Camera
14 = Local Storage,
SharePoint & Camera
15 = Local Storage,
OneDrive, SharePoint
& Camera
16 = Photo Library
17 = Photo Library &
OneDrive
18 = Photo Library &
SharePoint
19 = Photo Library,
OneDrive & SharePoint
20 = Photo Library &
Camera
21 = Photo Library,
OneDrive & Camera
22 = Photo Library,
SharePoint & Camera
23 = Photo Library,
OneDrive, SharePoint
& Camera
24 = Photo Library &
Local Storage
25 = Photo Library,
Local Storage &
OneDrive
26 = Photo Library,
Local Storage &
SharePoint
27 = Photo Library,
Local Storage,
OneDrive & SharePoint
28 = Photo Library,
Local Storage &
Camera
29 = Photo Library,
Local Storage,
OneDrive & Camera
30 = Photo Library,
Local Storage,
SharePoint & Camera
31 = Photo Library,
Local Storage,
OneDrive, SharePoint
& Camera
Name Value details Setting in Microsoft Intune App
Protection Policy

OpenDataIntoOrgDocumentsBlocked 0 = Allow Section: Data protection


1 = Block Setting: Open data into Org
documents

OfflineWipeInterval x days Note: No administrative control for


this setting.

PINCharacterType 0 = Passcode Section: Access requirements


1 = Numeric Setting: Pin type

PINEnabled 0 = Not required Section: Access requirements


1 = Require Setting: PIN for access

PINExpiryDays x characters Section: Access requirements


Setting: PIN reset after number of
days > Number of days

PINMinLength x characters Section: Access requirements


Setting: Select minimum PIN length

PINNumRetry x attempts Section: Conditional launch


Setting: Max PIN attempts

PrintingBlocked 0 = Allow Section: Data protection


1 = Block Setting: Printing org data

ProtectAllIncomingUnknownSourceData N/A Note: Not actively used by the


Intune service.

ProtectManagedOpenInData 0 = False Section: Data protection


1 = True Setting: Send org data to other
apps is set to Policy Managed apps
with Open-In/Share filtering when
true. Note that this can also be set
to 1 when Policy Managed Apps
with OS sharing is enabled.

ProtocolExclusions A list of app URL Section: Data protection


protocol schemes that Setting: Select apps to exempt
allow data to be open
in the corresponding
unmanaged apps data

RequireFileEncryption N/A Note: Not actively used by the


Intune service.

SimplePINAllowed 0 = Block Section: Access requirements


1 = Allow Setting: Simple PIN

SpecificDialerProtocol URL protocol scheme Section: Data protection


for the specific dialer Setting: Dialer App URL Scheme
that is used for phone
calls from managed
apps
Name Value details Setting in Microsoft Intune App
Protection Policy

ThirdPartyKeyboardsBlocked 0 = Allow Section: Data protection


1 = Block Setting: Third party keyboards

TouchIDEnabled 0 = Block Section: Access requirements


1 = Allow Setting: Touch ID instead of PIN for
access (iOS 8+/iPadOS)

UniversalLinkExclusions A list of universal links Section: Data protection


that allow data to be Setting: Select universal links to
open in the exempt
corresponding
unmanaged apps

UnmanagedBrowserProtocol URL protocol scheme Section: Data protection


for the unmanaged Setting: Restrict web content
browser that is used to transfer with other apps
view managed web
links
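The iOS ManagedLocations and OpenDataFromManagedLocations rows above enumerate every combination by hand, which is tedious to look up when reading a diagnostics log. The following is an added example, not Microsoft's or the Intune App SDK's code; it assumes the logged integer is a bitmask whose bits are the single-location rows of the table (1 = OneDrive, 2 = SharePoint, 4 = Box, 32 = Local Storage, 128 = Photo Library for ManagedLocations; 1, 2, 4 = Camera, 8 = Local Storage, 16 = Photo Library for OpenDataFromManagedLocations). Every multi-location row in the table is the sum of those bits (35 = 32 + 2 + 1, 167 = 128 + 32 + 4 + 2 + 1, 27 = 16 + 8 + 2 + 1), so the decoder generalizes the table; a value with bits the table does not define is rejected rather than silently dropped.

```python
"""Decode the iOS ManagedLocations / OpenDataFromManagedLocations values
found in Intune diagnostics (APP) logs.

Added example (not Microsoft's code). Assumes the logged integer is a
bitmask built from the single-location rows of the table above.
"""
from typing import Dict, List

# Bit values taken from the single-location rows of the iOS table.
MANAGED_LOCATIONS_BITS: Dict[int, str] = {
    1: "OneDrive",
    2: "SharePoint",
    4: "Box",
    32: "Local Storage",
    128: "Photo Library",
}

OPEN_DATA_FROM_BITS: Dict[int, str] = {
    1: "OneDrive",
    2: "SharePoint",
    4: "Camera",
    8: "Local Storage",
    16: "Photo Library",
}


def is_valid_location_value(value: int, bits: Dict[int, str]) -> bool:
    """True when value is non-negative and every set bit is one the table defines."""
    return value >= 0 and not (value & ~sum(bits))


def decode_locations(value: int, bits: Dict[int, str]) -> List[str]:
    """Return the location names encoded in value, in ascending bit order.

    Raises ValueError for an undefined bit so an unexpected log value is
    reported instead of being decoded into a misleading partial list.
    """
    if not is_valid_location_value(value, bits):
        raise ValueError(f"unexpected location value: {value}")
    return [name for bit, name in sorted(bits.items()) if value & bit]


def decode_managed_locations(value: int) -> List[str]:
    """ManagedLocations (Allow user to save copies to selected services)."""
    return decode_locations(value, MANAGED_LOCATIONS_BITS)


def decode_open_data_locations(value: int) -> List[str]:
    """OpenDataFromManagedLocations (Allow users to open data from selected services)."""
    return decode_locations(value, OPEN_DATA_FROM_BITS)


def format_locations(names: List[str]) -> str:
    """Render a decoded list in the table's own style: 'A, B & C'."""
    if not names:
        return "none"
    if len(names) == 1:
        return names[0]
    return ", ".join(names[:-1]) + " & " + names[-1]


if __name__ == "__main__":
    # Constructed sample values, chosen from rows of the table above.
    for v in (3, 35, 167):
        print(f"ManagedLocations={v}: {format_locations(decode_managed_locations(v))}")
    for v in (7, 27, 31):
        print(f"OpenDataFromManagedLocations={v}: {format_locations(decode_open_data_locations(v))}")
```

The two tables use different bit assignments for Local Storage and Photo Library (32/128 versus 8/16), so a value must always be decoded with the map for the setting it came from; passing a ManagedLocations value such as 35 to the OpenDataFromManagedLocations decoder is rejected because bit 32 is undefined there.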

Android App protection policy settings

| Name | Value details | Setting in Microsoft Intune App Protection Policy |
|---|---|---|
| AccessRecheckOfflineTimeout | x minutes | Section: Conditional launch. Setting: Offline grace period with action Block access (minutes) |
| AccessRecheckOnlineTimeout | x minutes | Section: Access requirements. Setting: Recheck the Access requirements after (minutes of inactivity) |
| AllowedAndroidManufacturersElseBlock | Empty if not set, otherwise list of allowed manufacturers | Section: Conditional launch. Setting: Device manufacturers with action Allow specified (Block non-specified) |
| AllowedAndroidManufacturersElseWipe | Empty if not set, otherwise list of allowed manufacturers | Section: Conditional launch. Setting: Device manufacturers with action Allow specified (Wipe non-specified) |
| AllowedAndroidModelsElseBlock | Empty if not set, otherwise list of allowed models | No administrative control for this setting. |
| AllowedAndroidModelsElseWipe | Empty if not set, otherwise list of allowed models | No administrative control for this setting. |
| AndroidSafetyNetDeviceAttestationEnforcement | NOT_REQUIRED = not set; BASIC_INTEGRITY = Basic Integrity; BASIC_INTEGRITY_AND_DEVICE_CERTIFICATION = Basic Integrity and certified devices | Section: Conditional launch. Setting: SafetyNet device attestation |
| AndroidSafetyNetDeviceAttestationFailedAction | BLOCK = Block access; WARN = Warn; WIPE_DATA = Wipe Data | Section: Conditional launch. Setting: SafetyNet device attestation |
| AndroidSafetyNetVerifyAppsEnforcementType | NOT_REQUIRED = not set; REQUIRE_ENABLED = configured | Section: Conditional launch. Setting: Require threat scan on apps |
| AndroidSafetyNetVerifyAppsFailedAction | BLOCK = Block access; WARN = Warn | Section: Conditional launch. Setting: Require threat scan on apps |
| AppActionIfUnableToAuthenticateUser | NONE = not set; BLOCK = Block access; WIPE_DATA = Wipe apps | Section: Conditional launch. Setting: Disabled account |
| AppPinDisabled | true = Require; false = Not required | Section: Access requirements. Setting: App PIN when device PIN is set |
| ApprovedKeyboards | List of approved keyboard bundle IDs required | Section: Data protection. Setting: Select keyboards to approve |
| AppSharingFromLevel | BLOCKED = None; MANAGED = Policy Managed apps; UNRESTRICTED = All apps | Section: Data protection. Setting: Receive data from other apps |
| AppSharingToLevel | BLOCKED = None; MANAGED = Policy Managed apps; UNRESTRICTED = All apps | Section: Data protection. Setting: Send org data to other apps |
| AuthenticationEnabled | false = Not required; true = Require | Section: Access requirements. Setting: Work or school account credentials for access |
| BiometricIdEnabled | 0 = Block; 1 = Allow | Section: Access requirements. Setting: Biometrics instead of PIN for access |
| BlockAfterCompanyPortalUpdateDeferralInDays | x days | Section: Conditional launch. Setting: Max Company Portal version age (days) |
| BlockClockSttausWithGracePeriod | N/A | Note: Not actively used by the Intune service. |
| BlockScreenCapture | false = Allow; true = Block | Section: Data protection. Setting: Screen capture and Google Assistant |
| ClipboardCharacterExceptionLength | x characters | Section: Data protection. Setting: Cut and copy character limit for any app |
| ClipboardSharingLevel | BLOCKED = Blocked; MANAGED = Policy managed apps; MANAGED_PASTE_IN = Policy managed apps with paste in; UNMANAGED = Any app | Section: Data protection. Setting: Restrict cut, copy, and paste between other apps |
| ConditionalEncryptionEnabled | false = Require; true = Not required | Section: Data protection. Setting: Encrypt org data on enrolled devices |
| ConnectToVPNOnLaunch | N/A | Note: Not actively used by the Intune service. |
| ContactSyncDisabled | false = Allow; true = Block | Section: Data protection. Setting: Sync app with native contacts app |
| DataBackupDisabled | false = Allow; true = Block | Section: Data protection. Setting: Prevent backups |
| DeviceComplianceEnabled | false = False; true = True | Section: Conditional launch. Setting: Jailbroken/rooted devices |
| DeviceComplianceFailureAction | BLOCK = Block access; WIPE_DATA = Wipe data | Section: Conditional launch. Setting: Jailbroken/rooted devices |
| DialerRestrictionLevel | 0 = None, do not transfer this data between apps; 1 = A specific dialer app; 2 = Any policy-managed dialer app; 3 = Any dialer app | Section: Data protection. Setting: Transfer telecommunication data to |
| DictationBlocked | false = Allow; true = Block | No administrative control for this setting. |
| FileEncryptionKeyLength | 128; 256 | No administrative control for this setting. |
| FileSharingSaveAsDisabled | false = Allow; true = Block | Section: Data protection. Setting: Save copies of org data |
| IntuneMAMPolicyVersion | version number | N/A |
| isManaged | true; false | N/A |
| KeyboardsRestricted | true = Required; false = Not required | Section: Data protection. Setting: Approved keyboards |
| ManagedBrowserRequired | true = Microsoft Edge or Unmanaged browser; false = Any app | Section: Data protection. Setting: Restrict web content transfer with other apps. |
| ManagedLocations | A value that represents the number of managed storage locations to which the app can save data, separated by a semi-colon. ONEDRIVE_FOR_BUSINESS; SHAREPOINT; LOCAL | Section: Data protection. Setting: Allow user to save copies to selected services |
| MaxPinRetryExceededAction | RESET_PIN = Reset PIN; WIPE_DATA = Wipe data | Section: Conditional launch. Setting: Max PIN attempts |
| MaxOsVersion | "0.0" = no maximum OS version; anything else = maximum OS version | Section: Conditional launch. Setting: Max OS version with action Block access |
| MaxOsVersionWarning | "0.0" = no maximum OS version; anything else = maximum OS version | Section: Conditional launch. Setting: Max OS version with action Warn |
| MaxOsVersionWipe | "0.0" = no maximum OS version; anything else = maximum OS version | Section: Conditional launch. Setting: Max OS version with action Wipe data |
| MinAppVersion | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch. Setting: Min app version with action Block access |
| MinAppVersionWarning | "0.0" = no minimum app version; anything else = minimum app version | Section: Conditional launch. Setting: Min app version with action Warn |
| MinAppVersionWipe | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch. Setting: Min app version with action Wipe data |
| MinOsVersion | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch. Setting: Min OS version with action Block access |
| MinOsVersionWarning | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch. Setting: Min OS version with action Warn |
| MinOsVersionWipe | "0.0" = no minimum OS version; anything else = minimum OS version | Section: Conditional launch. Setting: Min OS version with action Wipe data |
| MinPatchVersion | "0000-00-00" = no minimum Patch version; anything else = minimum Patch version | Section: Conditional launch. Setting: Min Patch version with action Block access |
| MinPatchVersionWarning | "0000-00-00" = no minimum Patch version; anything else = minimum Patch version | Section: Conditional launch. Setting: Min Patch version with action Warn |
| MinPatchVersionWipe | "0000-00-00" = no minimum Patch version; anything else = minimum Patch version | Section: Conditional launch. Setting: Min Patch version with action Wipe data |
| MinimumRequiredCompanyPortalVersion | "0.0" = no minimum Company Portal version; anything else = minimum Company Portal version | Section: Conditional launch. Setting: Min Company Portal version with action Block access |
| MinimumRequiredDeviceThreatProtectionLevel | NOT_SET = not defined in the policy; SECURED = Secured; LOW = Low; MEDIUM = Medium; HIGH = High | Section: Conditional launch. Setting: Max allowed device threat level |
| MinimumWarningCompanyPortalVersion | "0.0" = no minimum Company Portal version; anything else = minimum Company Portal version | Section: Conditional launch. Setting: Min Company Portal version with action Warn |
| MinimumWipeCompanyPortalVersion | "0.0" = no minimum Company Portal version; anything else = minimum Company Portal version | Section: Conditional launch. Setting: Min Company Portal version with action Wipe data |
| MobileThreatDefenseRemediationAction | BLOCK = Block Access; WIPE_DATA = Wipe data | Section: Conditional launch. Setting: Max allowed device threat level |
| NonBioPassRequiredOnLaunch | N/A | Note: Not actively used by the Intune service. |
| NonBioPassTimeOut | x minutes | Section: Access requirements. Setting: Override fingerprint with PIN after timeout > Timeout (minutes of inactivity) |
| NonBioPassTimeOutRequired | false = Not required; true = Require | Section: Access requirements. Setting: Override fingerprint with PIN after timeout |
| NotificationRestriction | UNRESTRICTED = Allow; BLOCK_ORG_DATA = Block Org Data; BLOCK = Block | Section: Data protection. Setting: Org data notifications |
| OpenDataFromManagedLocations | A value that represents the number of managed storage locations to which the app can save data, separated by a semi-colon. ONEDRIVE_FOR_BUSINESS; SHAREPOINT; CAMERA | Section: Data protection. Setting: Allow users to open data from selected services |
| OpenDataIntoOrgDocumentsBlocked | false = Allow; true = Block | Section: Data protection. Setting: Open data into Org documents |
| PINCharacterType | PASSCODE = Passcode; NUMERIC = Numeric | Section: Access requirements. Setting: Pin type |
| PINEnabled | false = Not required; true = Require | Section: Access requirements. Setting: PIN for access |
| PINExpiryDays | x characters | Section: Access requirements. Setting: PIN reset after number of days > Number of days |
| PINMinLength | x characters | Section: Access requirements. Setting: Select minimum PIN length |
| PINNumRetry | x attempts | Section: Conditional launch. Setting: Max PIN attempts |
| PackageExclusions | Empty if no bundle IDs are configured, otherwise bundle IDs separated by a semi-colon | Section: Data protection. Setting: Select apps to exempt |
| PinHistoryLength | x PIN values to maintain | Section: Access requirements. Setting: Select number of previous PIN values to maintain |
| PolicyCount | number | N/A |
| PrintingBlocked | false = Allow; true = Block | Section: Data protection. Setting: Printing org data |
| RequireDeviceLock | true = Required; false = Not required | Section: Conditional launch. Setting: Require device lock |
| RequireDeviceLockEnforcementType | BLOCK = Block access; WIPE_DATA = Wipe required | Section: Conditional launch. Setting: Require device lock |
| RequireFileEncryption | false = Not required; true = Require | Section: Data protection. Setting: Encrypt org data |
| SimplePINAllowed | false = Block; true = Allow | Section: Access requirements. Setting: Simple PIN |
| SpecificDialerDisplayName | Dialer app name | Section: Data protection. Setting: Dialer app name |
| SpecificDialerPackageID | Dialer app bundle ID | Section: Data protection. Setting: Dialer App Package ID |
| TouchIDEnabled | false = Block; true = Allow | Section: Access requirements. Setting: Fingerprint instead of PIN for access (Android 9.0+) |
| UnmanagedBrowserDisplayName | Unmanaged web browser display name | Section: Data protection. Setting: Unmanaged Browser name |
| UnmanagedBrowserPackageID | Unmanaged web browser package ID | Section: Data protection. Setting: Unmanaged Browser ID |
| UserStatusPollInterval | N/A | Note: Not actively used by the Intune service. |
| UserStatusTimeoutInSeconds | N/A | Note: Not actively used by the Intune service. |
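The conditional launch rows in both the iOS and Android tables above come in threes (a value with action Block access, one with action Warn, one with action Wipe data) and use a sentinel to mean "not set": "0.0" for OS, app, SDK and Company Portal versions, "0000-00-00" for the Android patch level. The following is an added example, not Microsoft's or the Intune App SDK's code, showing how to read a set of logged policy values against constructed device values: it honours the sentinels (so a device is never compared against "0.0"), compares dotted versions numerically rather than as strings (so "10.10" is newer than "10.9"), and compares patch dates lexically, which is correct for ISO dates. The precedence it applies when a device fails more than one threshold of the same check (Wipe data before Block access before Warn) is an assumption of this example; the page does not state how the SDK orders them.

```python
"""Evaluate conditional launch version thresholds from Intune APP logs.

Added example, not Microsoft's or the Intune App SDK's code. Sentinels
follow the tables above: "0.0" = not set, "0000-00-00" = no minimum patch
version. Precedence WIPE_DATA > BLOCK > WARN is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNSET_VERSION = "0.0"
UNSET_PATCH = "0000-00-00"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.3.1' into (10, 3, 1) so '10.10' compares greater than '10.9'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Threshold:
    """One conditional launch check: the logged policy value for each action."""
    name: str            # e.g. "MinOsVersion" (the Block access row's key)
    block: str           # value of the row with action Block access
    warn: str            # value of the row with action Warn
    wipe: str            # value of the row with action Wipe data
    kind: str = "min"    # "min": device must be >= value; "max": device must be <= value
    unset: str = UNSET_VERSION


def _fails(kind: str, device: str, policy: str, unset: str) -> bool:
    """True when the policy value is set and the device value violates it."""
    if policy == unset:
        return False
    if unset == UNSET_PATCH:
        dev, pol = device, policy          # ISO dates order correctly as strings
    else:
        dev, pol = parse_version(device), parse_version(policy)
    return dev < pol if kind == "min" else dev > pol


def evaluate(threshold: Threshold, device_value: str) -> Optional[str]:
    """Return the action the device triggers for this check, or None if it passes."""
    for action, policy in (("WIPE_DATA", threshold.wipe),
                           ("BLOCK", threshold.block),
                           ("WARN", threshold.warn)):
        if _fails(threshold.kind, device_value, policy, threshold.unset):
            return action
    return None


def evaluate_all(checks: List[Tuple[Threshold, str]]) -> List[Tuple[str, str]]:
    """Evaluate (threshold, device value) pairs and return the failing ones."""
    results = []
    for threshold, device_value in checks:
        action = evaluate(threshold, device_value)
        if action is not None:
            results.append((threshold.name, action))
    return results


if __name__ == "__main__":
    # Constructed policy and device values for illustration only.
    checks = [
        (Threshold("MinOsVersion", block="13.0", warn="14.0", wipe="12.0"), "13.2"),
        (Threshold("MaxOsVersion", block="0.0", warn="0.0", wipe="0.0", kind="max"), "17.1"),
        (Threshold("MinPatchVersion", block="2023-01-01", warn="2023-04-01",
                   wipe=UNSET_PATCH, unset=UNSET_PATCH), "2022-12-01"),
    ]
    for name, action in evaluate_all(checks):
        print(f"{name}: {action}")
```

The MaxOsVersion entry in the sample is the edge case worth noticing: without the sentinel check, a device on 17.1 would be compared against (0, 0) and wrongly fail every Max OS version row.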

Next steps
To learn more about app protection policies, see What are app protection policies?
Intune offers a number of tools to help you troubleshoot issues in your environment. For more
information, see Use the troubleshooting portal to help users.
Troubleshooting app protection policy deployment in Intune
Article • 05/27/2023

This article helps IT Admins understand and troubleshoot problems when you apply app
protection policies (APP) in Microsoft Intune. Follow the instructions in the sections that
apply to your situation. Browse the guide for additional APP-related troubleshooting
guidance, such as Troubleshooting app protection policy user issues and Troubleshoot
data transfer between apps.

Before you begin


Before you start troubleshooting, collect some basic information to help you better
understand the problem and reduce the time to find a resolution.

Collect the following background information:

Which policy setting is or isn't applied? Is any policy applied?
What is the user experience? Have users installed and started the targeted app?
When did the problem start? Has app protection ever worked?
Which platform (Android or iOS) has the problem?
How many users are affected? Are all users or only some users affected?
How many devices are affected? Are all devices or only some devices affected?
Although Intune app protection policies don't require a mobile device management (MDM) service, are affected users using Intune or a third-party MDM solution?
Are all managed apps or only specific apps affected? For example, are line-of-business (LOB) apps built with the Intune App SDK affected but store apps are not?
Is any management service other than Intune being used on the device?

With the above information in place, you can start troubleshooting.

Recommended investigation flow


Successful app protection policy deployment relies on proper configuration of settings
and other dependencies. The recommended flow for investigating common issues with
Intune APP is as follows, which we review in more detail in this article:

1. Verify you have met the prerequisites for deploying app protection policies.
2. Check app protection policy status and check targeting.
3. Verify that the user is targeted.
4. Verify that the managed app is targeted.
5. Verify that the user signed in to the affected application using their targeted corporate account.
6. Collect device data.

Step 1: Verify app protection policy prerequisites


The first step in troubleshooting is to check whether all prerequisites are met. Although
you can use Intune APP independent of any MDM solution, the following prerequisites
must be met:

The user must have an Intune license assigned.
The user must belong to a security group that is targeted by an app protection policy. The same app protection policy must target the specific app that's used.
For Android devices, the Company Portal app is required to receive app protection policies.
If you use Word, Excel, or PowerPoint apps, the following additional requirements must be met:
    The user must have a license for Microsoft 365 Apps for business or enterprise linked to the user's Azure Active Directory (Azure AD) account. The subscription must include the Office apps on mobile devices and can include a cloud storage account with OneDrive for Business. Microsoft 365 licenses can be assigned in the Microsoft 365 admin center by following these instructions.
    The user must have a managed location that's configured by using the granular Save as functionality. This command is located under the Save Copies of Org Data application protection policy setting. For example, if the managed location is OneDrive, the OneDrive app should be configured in the user's Word, Excel, or PowerPoint app.
    If the managed location is OneDrive, the app must be targeted by the app protection policy that's deployed to the user.

Note

The Office mobile apps currently support only SharePoint Online and not
SharePoint on-premises.
If you use Intune app protection policies together with on-premises resources
(Microsoft Skype for Business and Microsoft Exchange Server), you must enable
Hybrid Modern Authentication for Skype for Business and Exchange.

Step 2: Check app protection policy status


Review the following details to understand the status of your app protection policies:

Has there been a user check-in from the affected device?
Are the applications for the problem scenario managed via the targeted policy?
Verify that the timing of policy delivery is within expected behavior. For more information, see Understand app protection policy delivery timing.

Use these steps to get detailed information:

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > Monitor > App protection status, and then select the Assigned users tile.
3. On the App reporting page, select Select user to bring up a list of users and groups.
4. Search for and select one of the affected users from the list, then select Select user. At the top of the App reporting page, you can see whether the user is licensed for app protection and has a license for Microsoft 365. You can also see the app status for all the user's devices.
5. Make a note of such important information as the targeted apps, device types, policies, device check-in status, and last sync time.

Note

App protection policies are applied only when apps are used in the work context.
For example, when the user is accessing apps by using a work account.

For more information, see How to validate your app protection policy setup in Microsoft
Intune.

Step 3: Verify that the user is targeted


Intune app protection policies must be targeted to users. If you don't assign an app
protection policy to a user or user group, the policy isn't applied.

To verify that the policy is applied to the targeted user, follow these steps:
1. Sign in to the Microsoft Intune admin center.
2. Select Apps > Monitor > App protection status, and then select the User status tile (based on device OS platform). On the App reporting pane that opens, select Select user to search for a user.
3. Select the user from the list. You can see the details for that user. Note it can take up to 24 hours for a newly targeted user to show up in reports.

When you assign the policy to a user group, make sure that the user is in the user
group. To do this, follow these steps:

1. Sign in to the Microsoft Intune admin center.
2. Select Groups > All groups, and then search for and select the group that's used for your app protection policy assignment.
3. Under the Manage section, select Members.
4. If the affected user isn't listed, review Manage app and resource access using Azure Active Directory groups and your group membership rules. Make sure that the affected user is included in the group.
5. Make sure that the affected user isn't in any of the excluded groups for the policy.

Important

The Intune app protection policy must be assigned to user groups and not
device groups.
If the affected device uses Android Enterprise, only personally-owned work
profiles will support app protection policies.
If the affected device uses Apple's Automated Device Enrollment (ADE), make
sure that User Affinity is enabled. User Affinity is required for any app that
requires user authentication under ADE. For more information on iOS/iPadOS
ADE enrollment, see Automatically enroll iOS/iPadOS devices.

Step 4: Verify that the managed app is targeted


When you configure Intune app protection policies, the targeted apps must use Intune
App SDK. Otherwise, app protection policies may not work correctly.

Make sure that the targeted app is listed in Microsoft Intune protected apps. For LOB or
custom apps, verify that the apps use the latest version of Intune App SDK.

For iOS, this practice is important because each version contains fixes that affect how
these policies are applied and how they function. For more information, see Intune App
SDK iOS releases . Android users should have the latest version of the Company Portal
app installed because the app works as the policy broker agent.

Step 5: Verify that the user signed in to the affected application using their targeted corporate account

Some apps can be used without user sign-in, but to successfully manage an app using
Intune APP, your users must sign in to the app using their corporate credentials. Intune
app protection policies require that the identity of the user is consistent between the
app and Intune App SDK. Make sure that the affected user has successfully signed in to
the app with their corporate account.

In most scenarios, users sign in to their accounts with their user principal name (UPN).
However, in some environments (such as on-premises scenarios), users might use some
other form of sign-in credentials. In these cases, you might find that the UPN that's used
in the app doesn't match the UPN object in Azure AD. When this issue occurs, app
protection policies aren't applied as expected.

Microsoft's recommended best practices are to match the UPN to the primary SMTP
address. This practice enables users to log in to managed apps, Intune app protection,
and other Azure AD resources by having a consistent identity. For more information, see
Azure AD UserPrincipalName population.

The only way to guarantee this consistency is through modern authentication. There are
scenarios in which apps may work in an on-premises configuration without modern
authentication. However, the outcomes are not consistent or guaranteed.

If your environment requires alternative sign-in methods, see Configuring Alternate Login ID, specifically Hybrid Modern Authentication with Alternate-ID.
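One way to find the UPN/primary SMTP mismatches this step describes before users report them is to compare the two attributes across a directory export. The following is an added example, not Microsoft's tooling; it runs over constructed user records (the example.com domain and the record shape are invented for illustration) and assumes the Exchange proxyAddresses convention in which the entry prefixed with an uppercase "SMTP:" is the primary address and lowercase "smtp:" entries are aliases.

```python
"""Flag users whose UPN does not match their primary SMTP address.

Added example, not Microsoft's tooling. Works over constructed records shaped
like a directory export; assumes the Exchange proxyAddresses convention
(uppercase "SMTP:" marks the primary address, lowercase "smtp:" an alias).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UserRecord:
    user_principal_name: str
    proxy_addresses: List[str] = field(default_factory=list)


def primary_smtp(record: UserRecord) -> Optional[str]:
    """Return the primary SMTP address, or None if the record has none."""
    for entry in record.proxy_addresses:
        if entry.startswith("SMTP:"):   # case-sensitive on purpose: "smtp:" is an alias
            return entry[len("SMTP:"):]
    return None


def upn_mismatches(records: List[UserRecord]) -> List[dict]:
    """Return one finding per user whose UPN and primary SMTP differ.

    The comparison is case-insensitive, since mail addresses are matched that
    way in practice; a record with no primary SMTP is reported as its own finding.
    """
    findings = []
    for rec in records:
        smtp = primary_smtp(rec)
        if smtp is None:
            findings.append({"upn": rec.user_principal_name, "primary_smtp": None,
                             "reason": "no primary SMTP address"})
        elif smtp.lower() != rec.user_principal_name.lower():
            findings.append({"upn": rec.user_principal_name, "primary_smtp": smtp,
                             "reason": "UPN differs from primary SMTP"})
    return findings


# Constructed sample records (example.com is a reserved documentation domain).
SAMPLE_USERS = [
    UserRecord("alice@example.com", ["SMTP:alice@example.com", "smtp:a.smith@example.com"]),
    UserRecord("bob@corp.example.com", ["SMTP:bob@example.com"]),   # suffix differs
    UserRecord("jdoe@example.com", ["smtp:jdoe@example.com"]),       # alias only, no primary
    UserRecord("Carol@example.com", ["SMTP:carol@example.com"]),     # case difference only
]

if __name__ == "__main__":
    for f in upn_mismatches(SAMPLE_USERS):
        print(f"{f['upn']}: {f['reason']} (primary SMTP: {f['primary_smtp']})")
```

Only bob and jdoe are reported: alice matches exactly, and Carol differs from her primary SMTP only in letter case, which is not the kind of inconsistency that breaks identity matching between the app and the Intune App SDK.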

Step 6: Collect device data with Microsoft Edge


Work with the user to collect details about what they are trying to do and the steps they are
taking. Ask the user to collect screenshots or a video recording of the behavior. This helps
clarify the explicit device actions being performed. Then, collect managed app logs
through Microsoft Edge on the device.

Users with Microsoft Edge installed on their iOS or Android device can view the
management status of all Microsoft published apps. They can use the following steps to
send logs to help with troubleshooting.

1. Open Microsoft Edge for iOS and Android on your device.
2. In the address bar, type about:intunehelp.
3. Microsoft Edge for iOS and Android launches in troubleshooting mode.

From this screen, you will be presented with two options and data about the device.

Select View Intune App Status to see a list of apps. If you select a specific app, it will
show the APP settings associated with that app that are currently active on the device.

If the information displayed for a specific app is limited to the app version and bundle
with the policy check-in timestamp, it means no policy is currently applied to that app
on the device.

The Get Started option allows you to collect logs about the APP enabled applications. If
you open a support ticket with Microsoft for app protection policies, you should always
provide these logs from an affected device if possible. For Android-specific instructions,
see Upload and email logs.

For a list of the settings stored in the Intune Diagnostics (APP) logs, see Review client
app protection logs.

Additional troubleshooting scenarios


Review the following common scenarios when troubleshooting APP issues. You can also
review the scenarios in Common data transfer issues.

Scenario: Policy changes are not applying


The Intune App SDK checks regularly for policy changes. However, this process may be
delayed for any of the following reasons:

The app hasn't checked in with the service.
The Company Portal app has been removed from the device.

Intune app protection policy relies on user identity. Therefore, a valid login that uses a
work or school account to the app and a consistent connection to the service are
required. If the user hasn't signed in to the app, or the Company Portal app has been
removed from the device, policy updates won't apply.

Important

The Intune App SDK checks every 30 minutes for selective wipe. However, changes
to existing policy for users who are already signed in may not appear for up to 8
hours. To speed up this process, have the user log out of the app and then log back
in or restart their device.

To check app protection status, follow these steps:

1. Sign in to the Microsoft Intune admin center.
2. Select Apps > Monitor > App protection status, and then select the Assigned
users tile.
3. On the App reporting page, select Select user to open a list of users and groups.
4. Search for and select one of the affected users from the list, then select Select
user.
5. Review the policies that are currently applied, including the status and last sync
time.
6. If the status is Not checked in, or if the display indicates that there has not been a
recent sync, check whether the user has a consistent network connection. For
Android users, make sure that they have the latest version of the Company Portal
app installed.

Intune app protection policies include multi-identity support. Intune can apply app
protection policies to only the work or school account that's signed in to the app.
However, only one work or school account per device is supported.

Scenario: Intune-enrolled iOS devices require additional configuration

When you create an app protection policy, you can target it to all app types or to the
following app types:

Apps on unmanaged devices
Apps on Intune-managed devices
Apps in the Android personally-owned work profile

Note

To specify the app types, set Target to all app types to No, and then select from
the App types list.

If you are targeting only iOS Intune-managed devices, the following additional app
configuration settings are required to be targeted alongside your app protection policy:
IntuneMAMUPN must be configured for all MDM (Intune or a third-party EMM)-
managed applications. For more information, see Configure user UPN setting for
Microsoft Intune or third-party EMM.
IntuneMAMDeviceID must be configured for all third-party and LOB MDM-
managed applications.
IntuneMAMDeviceID must be configured as the device ID token. For example,
key=IntuneMAMDeviceID, value={{deviceID}}. For more information, see Add app
configuration policies for managed iOS devices.
If only the IntuneMAMDeviceID value is configured, Intune APP will consider the
device as unmanaged.

Next steps
Troubleshooting app protection policy user issues
Frequently asked questions about MAM and app protection
Validate your app protection policy setup in Microsoft Intune

Protect data and devices with Microsoft
Intune
Article • 02/24/2023

Microsoft Intune can help you keep your managed devices secure and up to date while
helping you to protect your organization’s data from compromised devices. Data
protection includes controlling what users do with an organization’s data on both
managed and unmanaged devices. Data protection also extends to blocking access to
data from devices that might be compromised.

This article highlights many of Intune’s built-in capabilities and partner technologies you
can integrate with Intune. As you learn more about them, you can bring several together
for more comprehensive solutions on your journey towards a zero-trust environment.

From the Microsoft Intune admin center, Intune supports managed devices that run
Android, iOS/iPad, macOS, and Windows 10.

When you use Configuration Manager to manage on-premises devices, you can extend
Intune policies to those devices by configuring tenant attach or co-management.

Intune can also work with information from devices that you manage with third-party
products that provide device compliance and mobile threat protection.

Protect devices through policies

Deploy Intune’s device configuration and device compliance policies to configure devices
to meet your organization's security goals. Policies support one or more profiles, which
are the discrete sets of platform-specific rules you deploy to groups of enrolled devices.

With device configuration policies, manage profiles that define the settings and
features that devices use in your organization. Configure devices for endpoint
protection, provision certificates for authentication, set software update behaviors,
and more.

With device compliance policies, you create profiles for different device platforms
that establish device requirements. Requirements can include operating system
versions, the use of disk encryption, or being at or under specific threat levels as
defined by threat management software.

Intune can safeguard devices that aren't compliant with your policies and alert the
device user so they can bring the device into compliance.
When you add Conditional Access to the mix, configure policies that allow only
compliant devices to access your network and organization’s resources. Access
restrictions can include file shares and company email. Conditional Access policies
also work with the device state data reported by third-party device compliance
partners you integrate with Intune.

Following are a few of the security settings and tasks you can manage through device
policy:

Device encryption – Manage BitLocker on Windows 10 devices, and FileVault on
macOS.

Authentication methods – Configure how your devices authenticate to your
organization’s resources, email, and applications.

Use certificates for authentication to applications, your organization’s resources,
and for signing and encryption of email using S/MIME. You can also set up
derived credentials when your environment requires the use of smartcards.

Configure settings that help limit risk, like:
Require multi-factor authentication (MFA) to add an extra layer of
authentication for users.
Set PIN and password requirements that must be met before gaining access
to resources.
Enable Windows Hello for Business for Windows 10 devices.

Virtual private networks (VPNs) – With VPN profiles, assign VPN settings to
devices so they can easily connect to your organization’s network. Intune supports
several VPN connection types and apps, including the built-in VPN capabilities of
some platforms and both first-party and third-party VPN apps.

Software updates – Manage how and when devices get software updates.
For iOS, manage device operating system versions, and when devices check for
and install updates.
For Windows 10, you can manage the Windows Update experience for devices.
You can configure when devices scan or install updates, hold a set of your
managed devices at specific feature versions, and more.

Security Baselines – Deploy security baselines to establish a core security posture
on your Windows 10 devices. Security baselines are pre-configured groups of
Windows settings that are recommended by the relevant product teams. You can
use baselines as provided or edit instances of them to meet your security goals for
targeted groups of devices.

Protect data through policies

Intune-managed apps and Intune's app protection policies can help stop data leaks and
keep your organization's data safe. These protections can apply to devices that are
enrolled with Intune and to devices that aren’t.

Intune-managed apps (or managed apps for short), are apps that have been
integrated with the Intune App SDK or wrapped by the Intune App Wrapping Tool.
These apps can be managed using Intune app protection policies. To view a list of
publicly available managed apps, see Intune protected apps.

Users can use managed apps to work with both your organization’s data, and their
own personal data. However, when app protection policies require the use of a
managed app, the managed app is the only app that can be used to access your
organization’s data. App protection rules don’t apply to a user’s personal data.

App protection policies are rules that ensure an organization's data remains safe
or contained in a managed app. The rules identify the managed app that must be
used and define what can be done with the data while the app is in use.

The following are examples of protections and restrictions you can set with app
protection policies and managed apps:

Configure app-layer protections, like requiring a PIN to open an app in a work
context.
Control the sharing of an organization’s data between apps on a device, like
blocking copy and paste, or screen captures.
Prevent the saving of your organization’s data to personal storage locations.

Use device actions to protect devices and data

From the Microsoft Intune admin center, you can run device actions that help keep a
selected device protected. You can run a subset of these actions as bulk device actions
to affect multiple devices at the same time. And several remote actions from Intune can
also be used with co-managed devices.

Device actions aren't policy and take effect a single time when invoked. They apply
either immediately if the device is accessible online, or when the device next boots up
or checks in with Intune. Consider these actions as supplemental to the use of policies
that configure and maintain security configurations for a population of devices.

Following are examples of actions you can run that help secure devices and data:

Devices managed by Intune:

BitLocker key rotation (Windows only)
Disable Activation Lock (iOS only)
Full or Quick scan (Windows 10 only)
Remote lock
Retire (which removes your organization’s data from the device while leaving
personal data intact)
Update Microsoft Defender Security Intelligence
Wipe (factory reset the device, removing all data, apps, and settings)

Devices managed by Configuration Manager:

Retire
Wipe
Sync (force a device to immediately check in with Intune to find new policies or
pending actions)

Integrate with other products

Intune supports integration with partner apps from both first-party and third-party
sources, which expand on its built-in capabilities. You can also integrate Intune with
several Microsoft technologies.

Partner Technologies
Intune can use data from integrated compliance partners and mobile threat defense
partners:

Compliance partners – Learn about device compliance partners with Intune. When
you manage a device with a mobile device management partner other than Intune,
you can integrate that compliance data with Azure Active Directory. When
integrated, the partner data can be used by Conditional Access policies alongside
compliance data from Intune.

Mobile Threat defense – Mobile threat defense apps can scan devices for threats
and help you identify the risk of allowing the device to access your organization’s
resources and data. You can then use that risk level in various policies, like
Conditional Access policies, to help gate access to those resources.

Configuration Manager
You can use many Intune policies and device actions to protect the devices you manage
with Configuration Manager. To support those devices, configure co-management or
tenant attach. You can also use both together with Intune.

Co-management enables you to concurrently manage a Windows 10 device with
both Configuration Manager and Intune. You install the Configuration Manager
client and enroll the device to Intune. The device communicates with both services.

Tenant attach sets up synchronization between your Configuration Manager site
and your Intune tenant. This synchronization provides you with a single view for all
devices that you manage with Microsoft Intune.

After establishing a connection between Intune and Configuration Manager, devices
from Configuration Manager are available in the Microsoft Intune admin center. You can
then deploy Intune policies to those devices or use device actions to protect them.

Some of the protections you can apply include:

Deploy certificates to devices by using Intune Simple Certificate Enrollment Protocol
(SCEP) or private and public key pair (PKCS) certificate profiles.
Use compliance policy.
Use endpoint security policies, like Antivirus, Endpoint detection and response, and
Firewall rules.
Apply security baselines.
Manage Windows Updates.

Mobile Threat Defense apps

Mobile Threat Defense (MTD) apps actively scan and analyze devices for threats. When
you integrate (connect) Mobile Threat Defense apps with Intune, you gain the app's
assessment of a device's threat level. Evaluation of a device's threat level is an important
tool for protecting your organization’s resources from compromised mobile devices.

Use threat-level data with policies for device compliance, app protection, and
Conditional Access. These policies use the data to help block non-compliant devices
from accessing your organization’s resources.

With an integrated MTD app:

For enrolled devices:

Use Intune to deploy and then manage the MTD app on devices.
Deploy device compliance policies that use the device's reported threat level to
evaluate compliance.
Define Conditional Access policies that consider a device's threat level.
Define app protection policies to determine when to block or allow access to
data, based on the threat level of the device.

For devices that don't enroll with Intune but run an MTD app that's integrated with
Intune, use their threat level data with your app protection policies to help block
access to your organization’s data.

Intune supports integration with:

Several third-party MTD partners.
Microsoft Defender for Endpoint, which supports extra capabilities with Intune.

Microsoft Defender for Endpoint

On its own, Microsoft Defender for Endpoint provides several security-focused benefits.
Microsoft Defender for Endpoint also integrates with Intune and is supported on several
device platforms. With integration, you gain a mobile threat defense app and add
capabilities to Intune for keeping data and devices safe. These capabilities include:

Support for Microsoft Tunnel – On Android devices, Microsoft Defender for
Endpoint is the client application you use with Microsoft Tunnel, a VPN gateway
solution for Intune. When used as the Microsoft Tunnel client app, you don’t need
a subscription for Microsoft Defender for Endpoint.

Security tasks – With security tasks, Intune admins can take advantage of
Microsoft Defender for Endpoint's threat and vulnerability management
capabilities. How it works:
Your Defender for Endpoint team identifies at-risk devices and creates the
security tasks for Intune in the Defender for Endpoint security center.
Those tasks show up in Intune with mitigation advice that Intune admins can
use to mitigate the risk.
When a task is resolved in Intune, that status passes back to the Defender for
Endpoint security center where the results of the mitigation can be evaluated.

Endpoint security policies – The following Intune endpoint security policies
require integration with Microsoft Defender for Endpoint. When you use tenant
attach, you can deploy these policies to devices you manage with either Intune or
Configuration Manager.

Antivirus policy - Manage the settings for Microsoft Defender Antivirus and the
Windows Security experience on supported devices, like Windows 10 and
macOS.
Endpoint detection and response policy – Use this policy to configure endpoint
detection and response (EDR), which is a capability of Microsoft Defender for
Endpoint.

Conditional Access
Conditional Access is an Azure Active Directory (Azure AD) capability that works with
Intune to help protect devices. For devices that register with Azure AD, Conditional
Access policies can use device and compliance details from Intune to enforce access
decisions for users and devices.

Combine Conditional Access policy with:

Device compliance policies can require a device be marked as compliant before
that device can be used to access your organization’s resources. The Conditional
Access policies specify the apps or services you want to protect, the conditions under
which the apps or services can be accessed, and the users the policy applies to.

App protection policies can add a security layer that ensures only client apps that
support Intune app protection policies can access your online resources, like
Exchange or other Microsoft 365 services.

Conditional Access also works with the following to help you keep devices secure:

Microsoft Defender for Endpoint and third-party MTD apps
Device compliance partner apps
Microsoft Tunnel

Next steps
Plan to use Intune's capabilities to support your journey towards a zero-trust
environment by protecting your data and securing devices. Beyond the previous in-line
links to learn more about those capabilities, learn about data security and sharing in
Intune.

Use compliance policies to set rules for
devices you manage with Intune
Article • 06/23/2023

Mobile device management (MDM) solutions like Intune can help protect organizational
data by requiring users and devices to meet some requirements. In Intune, this feature is
called compliance policies.

Compliance policies in Intune:

Define the rules and settings that users and devices must meet to be compliant.
Include actions that apply to devices that are noncompliant. Actions for
noncompliance can alert users to the conditions of noncompliance and safeguard
data on noncompliant devices.
Can be combined with Conditional Access, which can then block users and devices
that don't meet the rules.
Can override the configuration of settings that you also manage through device
configuration policies. To learn more about conflict resolution for policies, see
Compliance and device configuration policies that conflict.

There are two parts to compliance policies in Intune:

Compliance policy settings – Tenant-wide settings that are like a built-in
compliance policy that every device receives. Compliance policy settings set a
baseline for how compliance policy works in your Intune environment, including
whether devices that haven’t received any device compliance policies are
compliant or noncompliant.

Device compliance policy – Platform-specific rules you configure and deploy to
groups of users or devices. These rules define requirements for devices, like
minimum operating systems or the use of disk encryption. Devices must meet
these rules to be considered compliant.

Like other Intune policies, compliance policy evaluations for a device depend on when
the device checks in with Intune, and on policy and profile refresh cycles.

Compliance policy settings

Compliance policy settings are tenant-wide settings that determine how Intune’s
compliance service interacts with your devices. These settings are distinct from the
settings you configure in a device compliance policy.
To manage the compliance policy settings, sign in to Microsoft Intune admin center
and go to Endpoint security > Device compliance > Compliance policy settings.

Compliance policy settings include the following settings:

Mark devices with no compliance policy assigned as

This setting determines how Intune treats devices that haven't been assigned a
device compliance policy. This setting has two values:
Compliant (default): This security feature is off. Devices that aren’t sent a device
compliance policy are considered compliant.
Not compliant: This security feature is on. Devices that haven’t received a
device compliance policy are considered noncompliant.

If you use Conditional Access with your device compliance policies, change this
setting to Not compliant to ensure that only devices that are confirmed as
compliant can access your resources.

If an end user isn't compliant because a policy isn't assigned to them, then the
Company Portal app shows No compliance policies have been assigned.

Compliance status validity period (days)

Specify a period in which devices must successfully report on all their received
compliance policies. If a device fails to report its compliance status for a policy
before the validity period expires, the device is treated as noncompliant.

By default, the period is set to 30 days. You can configure a period from 1 to 120
days.

You can view details about a device's compliance with the validity period setting. Sign
in to the Microsoft Intune admin center and go to Devices > Monitor > Setting
compliance. This setting has the name Is active in the Setting column. For more
information about this and related compliance status views, see Monitor device
compliance.
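The following Python model is an added illustration, not Intune's own code: it shows how the two tenant-wide settings above (the no-policy default and the validity period) combine with a device's per-policy reports into an effective state, and how a Conditional Access policy that requires a compliant device would treat each outcome. The class and function names, the sample devices, and the exact day-count comparison are assumptions made for the example.

```python
"""Constructed model of how Intune's tenant-wide compliance policy settings
combine with a device's per-policy reports. Illustration only; not Intune's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

COMPLIANT = "Compliant"
NONCOMPLIANT = "Not compliant"


@dataclass
class TenantComplianceSettings:
    """The two tenant-wide settings described under Compliance policy settings."""
    # "Mark devices with no compliance policy assigned as": Compliant is the default.
    no_policy_is_compliant: bool = True
    # "Compliance status validity period (days)": default 30, configurable 1 to 120.
    validity_period_days: int = 30

    def __post_init__(self) -> None:
        if not 1 <= self.validity_period_days <= 120:
            raise ValueError("validity period must be between 1 and 120 days")


@dataclass
class PolicyReport:
    """What one device last reported for one assigned device compliance policy."""
    policy_name: str
    meets_rules: bool
    days_since_last_report: Optional[int]  # None = never reported for this policy


def evaluate_device(settings: TenantComplianceSettings,
                    reports: List[PolicyReport]) -> Tuple[str, List[str]]:
    """Return the device's effective compliance state and the reasons behind it."""
    if not reports:
        # No device compliance policy assigned: the tenant-wide default decides.
        state = COMPLIANT if settings.no_policy_is_compliant else NONCOMPLIANT
        return state, ["No compliance policies have been assigned"]
    reasons: List[str] = []
    for r in reports:
        stale = (r.days_since_last_report is None
                 or r.days_since_last_report > settings.validity_period_days)
        if stale:
            # Assumption: a report older than the validity period counts as not
            # reported; shown as Is active = False under Setting compliance.
            reasons.append(f"{r.policy_name}: no status reported within "
                           f"{settings.validity_period_days} days")
        elif not r.meets_rules:
            reasons.append(f"{r.policy_name}: device does not meet the policy rules")
    return (NONCOMPLIANT if reasons else COMPLIANT), reasons


def conditional_access_allows(state: str) -> bool:
    """A Conditional Access policy set to 'Require device to be marked as compliant'."""
    return state == COMPLIANT


def demo() -> Dict[str, str]:
    """Constructed sample devices: the same reports under default ('lax') settings
    and under settings hardened for use with Conditional Access ('strict')."""
    lax = TenantComplianceSettings()
    strict = TenantComplianceSettings(no_policy_is_compliant=False, validity_period_days=14)
    no_policy: List[PolicyReport] = []
    fresh_ok = [PolicyReport("Windows baseline", True, 3)]
    stale = [PolicyReport("Windows baseline", True, 20)]
    failing = [PolicyReport("Windows baseline", False, 1), PolicyReport("Encryption", True, 1)]
    return {
        "no-policy/lax": evaluate_device(lax, no_policy)[0],
        "no-policy/strict": evaluate_device(strict, no_policy)[0],
        "fresh-ok/strict": evaluate_device(strict, fresh_ok)[0],
        "stale/lax": evaluate_device(lax, stale)[0],
        "stale/strict": evaluate_device(strict, stale)[0],
        "failing/lax": evaluate_device(lax, failing)[0],
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:18} {state:14} access allowed: {conditional_access_allows(state)}")
```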

Device compliance policies

Intune device compliance policies:

Define the rules and settings that users and managed devices must meet to be
compliant. Examples of rules include requiring devices run a minimum OS version,
not being jail-broken or rooted, and being at or under a threat level as specified by
threat management software you’ve integrated with Intune.
Support actions that apply to devices that don’t meet your compliance rules.
Examples of actions include being remotely locked, or sending a device user email
about the device status so they can fix it.
Deploy to users in user groups or devices in device groups. When a compliance
policy is deployed to a user, all the user's devices are checked for compliance.
Using device groups in this scenario helps with compliance reporting.

If you use Conditional Access, your Conditional Access policies can use your device
compliance results to block access to resources from noncompliant devices.

The available settings you can specify in a device compliance policy depend on the
platform type you select when you create a policy. Different device platforms support
different settings, and each platform type requires a separate policy.

The following subjects link to dedicated articles for different aspects of device
configuration policy.

Actions for noncompliance - Each device compliance policy includes one or more
actions for noncompliance. These actions are rules that get applied to devices that
don’t meet the conditions you set in the policy.

By default, each device compliance policy includes the action to mark a device as
noncompliant if it fails to meet a policy rule. The policy then applies to the device
any additional actions for noncompliance that you’ve configured, based on the
schedules you set for those actions.

Actions for noncompliance can help alert users when their device isn’t compliant,
or safeguard data that might be on a device. Examples of actions include:
Sending email alerts to users and groups with details about the noncompliant
device. You might configure the policy to send an email immediately upon
being marked as noncompliant, and then again, periodically, until the device
becomes compliant.
Remotely lock devices that have been noncompliant for some time.
Retire devices after they’ve been noncompliant for some time. This action
marks a qualifying device as ready to be retired. An admin can then view a list of
devices marked for retirement and must take an explicit action to retire one or
more devices. Retiring a device removes the device from Intune management
and removes all company data from the device. For more information about this
action, see Available actions for noncompliance.

Create a policy – With the information in this article, you can review prerequisites,
work through the options to configure rules, specify actions for noncompliance,
and assign the policy to groups. This article also includes information about policy
refresh times.

View the device compliance settings for the different device platforms:
Android device administrator
Android Enterprise
Android Open Source Project (AOSP)
iOS
Linux
macOS
Windows Holographic for Business
Windows 8.1 and later

Important

On October 22, 2022, Microsoft Intune ended support for devices running
Windows 8.1. Technical assistance and automatic updates on these devices
aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows
10/11 devices. Microsoft Intune has built-in security and device features
that manage Windows 10/11 client devices.

Windows 10/11

Custom compliance settings – With custom compliance settings you can expand
on Intune’s built-in device compliance options. Custom settings provide flexibility
to base compliance on the settings that are available on a device without having to
wait for Intune to add those settings.

You can use custom compliance settings with the following platforms:
Linux – Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
Windows 10/11

Monitor compliance status

Intune includes a device compliance dashboard that you use to monitor the compliance
status of devices, and to drill-in to policies and devices for more information. To learn
more about this dashboard, see Monitor device compliance.

Integrate with Conditional Access

When you use Conditional Access, you can configure your Conditional Access policies to
use the results of your device compliance policies to determine which devices can access
your organizational resources. This access control is in addition to and separate from the
actions for noncompliance that you include in your device compliance policies.

When a device enrolls in Intune it registers in Azure AD. The compliance status for
devices is reported to Azure AD. If your Conditional Access policies have Access controls
set to Require device to be marked as compliant, Conditional access uses that compliance
status to determine whether to grant or block access to email and other organization
resources.

If you’ll use device compliance status with Conditional Access policies, review how your
tenant has configured Mark devices with no compliance policy assigned as, which you
manage under Compliance policy settings.

For more information about using Conditional Access with your device compliance
policies, see Device-based Conditional Access.

Learn more about Conditional Access in the Azure AD documentation:

What is Conditional Access
What is a device identity

Reference for non-compliance and Conditional Access on the different platforms

The following table describes how noncompliant settings are managed when a
compliance policy is used with a Conditional Access policy.

Remediated: The device operating system enforces compliance. For example, the
user is forced to set a PIN.

Quarantined: The device operating system doesn't enforce compliance. For
example, Android and Android Enterprise devices don't force the user to encrypt
the device. When the device isn't compliant, the following actions take place:
If a Conditional Access policy applies to the user, the device is blocked.
The Company Portal app notifies the user about any compliance problems.

Policy setting / Platform

Allowed Distros
- Linux (only): Quarantined

Device encryption
- Android 4.0 and later: Quarantined
- Samsung Knox Standard 4.0 and later: Quarantined
- Android Enterprise: Quarantined
- iOS 8.0 and later: Remediated (by setting PIN)
- macOS 10.11 and later: Quarantined
- Linux: Quarantined
- Windows 10/11: Quarantined

Email profile
- Android 4.0 and later: Not applicable
- Samsung Knox Standard 4.0 and later: Not applicable
- Android Enterprise: Not applicable
- iOS 8.0 and later: Quarantined
- macOS 10.11 and later: Quarantined
- Linux: Not applicable
- Windows 10/11: Not applicable

Jailbroken or rooted device
- Android 4.0 and later: Quarantined (not a setting)
- Samsung Knox Standard 4.0 and later: Quarantined (not a setting)
- Android Enterprise: Quarantined (not a setting)
- iOS 8.0 and later: Quarantined (not a setting)
- macOS 10.11 and later: Not applicable
- Linux: Not applicable
- Windows 10/11: Not applicable

Maximum OS version
- Android 4.0 and later: Quarantined
- Samsung Knox Standard 4.0 and later: Quarantined
- Android Enterprise: Quarantined
- iOS 8.0 and later: Quarantined
- macOS 10.11 and later: Quarantined
- Linux: See Allowed Distros
- Windows 10/11: Quarantined

Minimum OS version
- Android 4.0 and later: Quarantined
- Samsung Knox Standard 4.0 and later: Quarantined
- Android Enterprise: Quarantined
- iOS 8.0 and later: Quarantined
- macOS 10.11 and later: Quarantined
- Linux: See Allowed Distros
- Windows 10/11: Quarantined

PIN or password configuration
- Android 4.0 and later: Quarantined
- Samsung Knox Standard 4.0 and later: Quarantined
- Android Enterprise: Quarantined
- iOS 8.0 and later: Remediated
- macOS 10.11 and later: Remediated
- Linux: Quarantined
- Windows 10/11: Remediated

Windows health attestation
- Android 4.0 and later: Not applicable
- Samsung Knox Standard 4.0 and later: Not applicable
- Android Enterprise: Not applicable
- iOS 8.0 and later: Not applicable
- macOS 10.11 and later: Not applicable
- Linux: Not applicable
- Windows 10/11: Quarantined

Note

The Company Portal app enters the enrollment remediation flow when the user
signs into the app and the device has not successfully checked in with Intune for 30
days or more (or the device is non-compliant due to a Lost contact compliance
reason). In this flow, we attempt to initiate a check-in one more time. If that still
does not succeed, we issue a retire command to allow the user to re-enroll the
device manually.

Next steps
Create and deploy policy and review prerequisites
Monitor device compliance
Common questions, issues, and resolutions with device policies and profiles in
Microsoft Intune
Reference for policy entities has information about the Intune Data Warehouse
policy entities

Create a compliance policy in Microsoft
Intune
Article • 03/09/2023

Device compliance policies are a key feature when using Intune to protect your
organization's resources. In Intune, you can create rules and settings that devices must
meet to be considered compliant, such as a minimum OS version. If the device isn't
compliant, you can then block access to data and resources using Conditional Access.

You can also take actions for non-compliance, such as sending a notification email to
the user. For an overview of what compliance policies do, and how they're used, see get
started with device compliance.

This article:

Lists the prerequisites and steps to create a compliance policy.
Shows you how to assign the policy to your user and device groups.
Describes additional features, including scope tags to "filter" your policies, and
steps you can take on devices that aren't compliant.
Lists the check-in refresh cycle times when devices receive policy updates.

Before you begin

To use device compliance policies, be sure you:

Use the following subscriptions:
Intune
If you use Conditional Access, then you need Azure Active Directory (AD)
Premium edition. Azure Active Directory pricing lists what you get with the
different editions. Intune compliance doesn't require Azure AD.

Use a supported platform:
Android device administrator
Android AOSP
Android Enterprise
iOS
Linux - Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
macOS
Windows 10/11

Enroll devices in Intune (required to see the compliance status)
Enroll devices to one user, or enroll without a primary user. Single devices can't be
enrolled to multiple users.

In addition to compliance settings that are built in to Intune, the following platforms
support adding custom compliance settings to compliance policies:

Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
Windows 10/11

Before you can add custom settings, you must prepare a custom JSON file that defines
the settings you want to base your custom compliance on, and a script that runs on
devices to detect the settings defined in the JSON.

For more information about using custom compliance settings, including supported
platforms, prerequisites, and how to configure the Custom Compliance category while
creating a policy, see Use custom compliance settings.
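As an added example (not Intune's own evaluator), the block below puts a constructed rules file in the shape the custom compliance JSON uses next to a constructed discovery-script result, and evaluates the rules the way a practitioner can reason about them: typed comparisons per DataType, and a fail-closed result when the script does not report a setting or reports a value that cannot be parsed. The setting names, values and URLs are constructed, and the exact comparison semantics are an assumption about Intune's behaviour.

```python
"""Constructed model of Windows custom compliance in Intune: the rules JSON you
upload, the flat JSON a discovery script returns, and the evaluation that turns
them into a compliant/noncompliant verdict. Illustration only; not Intune's code."""
import json
import operator
from datetime import datetime
from typing import Any, List, Tuple

# Constructed rules file. The keys follow the custom compliance JSON format
# (Rules / SettingName / Operator / DataType / Operand / MoreInfoUrl /
# RemediationStrings); the setting names, values and URLs are made up here.
RULES_JSON = r'''
{
  "Rules": [
    {
      "SettingName": "BiosVersion",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "2.3",
      "MoreInfoUrl": "https://example.invalid/bios-update",
      "RemediationStrings": [
        {"Language": "en_US",
         "Title": "BIOS version {ActualValue} is older than the required 2.3.",
         "Description": "Update the BIOS, then sync the device."}
      ]
    },
    {
      "SettingName": "TPMChipPresent",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/tpm",
      "RemediationStrings": [
        {"Language": "en_US",
         "Title": "A TPM chip is required.",
         "Description": "Enable the TPM in firmware settings."}
      ]
    }
  ]
}
'''

# Constructed output of a discovery script: one flat JSON object whose keys
# match the SettingName values above (a PowerShell discovery script would
# emit this with ConvertTo-Json -Compress).
DISCOVERY_OUTPUT = '{"BiosVersion":"2.4.1","TPMChipPresent":true}'

OPERATORS = {
    "IsEquals": operator.eq, "NotEquals": operator.ne,
    "GreaterThan": operator.gt, "GreaterEquals": operator.ge,
    "LessThan": operator.lt, "LessEquals": operator.le,
}


def coerce(value: Any, data_type: str) -> Any:
    """Convert a discovered or operand value to the rule's DataType so the
    comparison is typed (version 2.10 is newer than 2.9; as strings it is not)."""
    if data_type == "Version":
        return tuple(int(part) for part in str(value).split("."))
    if data_type == "Int64":
        return int(value)
    if data_type == "Double":
        return float(value)
    if data_type == "Boolean":
        return value if isinstance(value, bool) else str(value).lower() == "true"
    if data_type == "DateTime":
        return datetime.fromisoformat(str(value))
    if data_type == "String":
        return str(value)
    raise ValueError(f"unknown DataType {data_type!r}")


def evaluate_rules(rules_json: str, discovery_json: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Return (is_compliant, failures). Every rule must pass; a setting the
    script did not report, or a value that cannot be parsed, fails closed."""
    rules = json.loads(rules_json)["Rules"]
    discovered = json.loads(discovery_json)
    failures: List[Tuple[str, str]] = []
    for rule in rules:
        name = rule["SettingName"]
        if name not in discovered:
            failures.append((name, "setting not reported by the discovery script"))
            continue
        try:
            actual = coerce(discovered[name], rule["DataType"])
            expected = coerce(rule["Operand"], rule["DataType"])
        except (ValueError, TypeError) as exc:
            failures.append((name, f"value cannot be read as {rule['DataType']}: {exc}"))
            continue
        if not OPERATORS[rule["Operator"]](actual, expected):
            # The Title is what the user sees; {ActualValue} is filled from the report.
            title = rule["RemediationStrings"][0]["Title"]
            failures.append((name, title.replace("{ActualValue}", str(discovered[name]))))
    return (not failures), failures


if __name__ == "__main__":
    for report in (DISCOVERY_OUTPUT, '{"BiosVersion":"2.10"}'):
        ok, why = evaluate_rules(RULES_JSON, report)
        print("compliant" if ok else "noncompliant", why)
```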

Create the policy


1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Compliance policies > Policies > Create Policy.

3. Select a Platform for this policy from the following options:

Android device administrator
Android (AOSP)
Android Enterprise
iOS/iPadOS
Linux - (Ubuntu Desktop, version 20.04 LTS and 22.04 LTS)
macOS
Windows 8.1 and later
Windows 10 and later

For Android Enterprise, you also select a Policy type:

Fully Managed
Dedicated
Corporate-Owned Work Profile
Personally Owned Work Profile

Then, select Create to open the Create policy configuration window.

4. On the Basics tab, specify a Name that helps you identify the policy later. For
example, a good policy name is Mark iOS/iPadOS jailbroken devices as not compliant.

You can also choose to specify a Description.

5. On the Compliance settings tab, expand the available categories, and configure
settings for your policy. The following articles describe the available compliance
settings for each platform:

Android device administrator
Android (AOSP)
Android Enterprise
iOS/iPadOS
Linux
macOS
Windows 8.1 and later
Windows 10/11

6. Add custom settings to policies for supported platforms.

 Tip

This is an optional step that's supported only for the following platforms:

Linux - Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
Windows 10/11

Before you can add custom settings to a policy, you must have uploaded a detection
script to Intune, and have ready a JSON file that defines the settings you want to
use for compliance. See Custom compliance settings.

On the Compliance settings page, expand the Custom Compliance category:

For Windows:
a. On the Compliance settings page, expand Custom Compliance and set Custom
compliance to Require.
b. For Select your discovery script, select Click to select, and then specify a script
that’s been previously added to the Microsoft Intune admin center. This script
must have been uploaded before you begin to create the policy.
c. For Upload and validate the JSON file with your custom compliance settings,
select the folder icon and then locate and add the JSON file for Windows that
you want to use with this policy. For assistance with the JSON, see Create a
JSON for custom compliance settings.
For Linux:
a. On the Compliance settings page, select Add settings to open the Settings picker
pane.
b. Select Custom Compliance, and then select the Require Custom Compliance setting to
add it to the policy.
c. Back on the Compliance settings page, select the toggle for Require Custom
Compliance to change it to be True.
d. For Select your discovery script, select Set reusable settings, and then specify a
script that’s been previously added to the Microsoft Intune admin center. This
script must have been uploaded before you begin to create the policy.
e. For Select your rules file, select the folder icon and then locate and add the
JSON file for Linux that you want to use with this policy. For assistance with the
JSON, see Create a JSON for custom compliance settings.

The JSON you enter is validated and any problems are displayed. After validation
of the JSON contents, the rules from the JSON are displayed in table format.

7. On the Actions for noncompliance tab, specify a sequence of actions to apply
automatically to devices that don't meet this compliance policy.

You can add multiple actions and configure schedules and additional details for
some actions. For example, you might change the schedule of the default action
Mark device noncompliant to occur after one day. You can then add an action to
send an email to the user when the device isn't compliant to warn them of that
status. You can also add actions that lock or retire devices that remain
noncompliant.

For information about the actions you can configure, see Add actions for
noncompliant devices, including how to create notification emails to send to your
users.

Another example includes the use of Locations where you add at least one location
to a compliance policy. In this case, the default action for noncompliance applies
when you select at least one location. If the device isn't connected to any of the
selected locations, it's considered not compliant. You can configure the schedule to
give your users a grace period, such as one day.

8. On the Scope tags tab, select tags to help filter policies to specific groups, such as
US-NC IT Team or JohnGlenn_ITDepartment. After you add the settings, you can also
add a scope tag to your compliance policies.

For information on using scope tags, see Use scope tags to filter policies.

9. On the Assignments tab, assign the policy to your groups.

Select + Select groups to include and then assign the policy to one or more
groups. The policy will apply to these groups when you save the policy after the
next step.

Policies for Linux don't support user-based assignments and can only be assigned
to device groups.

10. On the Review + create tab, review the settings and select Create when ready to
save the compliance policy.

The users or devices targeted by your policy are evaluated for compliance when
they check in with Intune.

Refresh cycle times

Intune uses different refresh cycles to check for updates to compliance policies. If the
device recently enrolled, the check-in runs more frequently. Policy and profile refresh
cycles lists the estimated refresh times.

At any time, users can open the Company Portal app, and sync the device to
immediately check for policy updates.

Assign an InGracePeriod status

InGracePeriod is a derived status. Intune determines it from two inputs: the device's
actual compliance status for the policy, and the grace period (if any) that the
schedule of the policy's Mark device noncompliant action assigns to the device.

Specifically, if a device has a NonCompliant status for an assigned compliance policy,
and:

The device has no grace period assigned to it, then the assigned value for the
compliance policy is NonCompliant
The device has a grace period that's expired, then the assigned value for the
compliance policy is NonCompliant
The device has a grace period that's in the future, then the assigned value for the
compliance policy is InGracePeriod

The following table summarizes these points:

Actual compliance status   Value of assigned grace period   Effective compliance status
NonCompliant               No grace period assigned         NonCompliant
NonCompliant               Yesterday's date                 NonCompliant
NonCompliant               Tomorrow's date                  InGracePeriod

For more information about monitoring device compliance policies, see Monitor Intune
Device compliance policies.

Assign a resulting compliance policy status

If a device has multiple compliance policies, and the device has different compliance
statuses for two or more of the assigned compliance policies, then a single resulting
compliance status is assigned. This assignment is based on a conceptual severity level
assigned to each compliance status. Each compliance status has the following severity
level:

Status          Severity
Unknown         1
NotApplicable   2
Compliant       3
InGracePeriod   4
NonCompliant    5
Error           6

When a device has multiple compliance policies, then the highest severity level of all the
policies is assigned to that device.

For example, a device has three compliance policies assigned to it: one Unknown status
(severity = 1), one Compliant status (severity = 3), and one InGracePeriod status (severity
= 4). The InGracePeriod status has the highest severity level, so the device's resulting
compliance status is InGracePeriod.

Next steps
Monitor your policies.

Use custom compliance policies and settings for Linux and Windows devices with
Microsoft Intune
Article • 02/22/2023

Expanding on Intune’s built-in device compliance options, use policies for custom
compliance settings for managed Linux and Windows devices. Custom settings provide
flexibility to base compliance on the settings that are available on a device without
having to wait for Intune to add these settings.

This feature applies to:

Linux – Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
Windows 10/11

Before you can add custom settings to a policy, you’ll need to prepare a JSON file, and a
detection script for use with each supported platform. Both the script and JSON become
part of the compliance policy. Each compliance policy supports a single script, and each
script can detect multiple settings:

The JSON file defines the custom settings and the values that are considered as
compliant. You can also configure messages for users to tell them how to restore
compliance for each setting. You add your JSON file while creating a compliance
policy, just after you select a discovery script for that policy.

Scripts are specific to different platforms and delivered to devices through the
compliance policy. When policy is evaluated, the script detects the settings from
the JSON file, and then reports the results to Intune. Windows uses a PowerShell
script and Linux uses a POSIX-compliant shell script.

The scripts must be uploaded to the Microsoft Intune admin center before you
create a compliance policy. You select the script when you’re configuring a policy
to support custom settings.

After you’ve deployed custom compliance settings and devices have reported back,
you'll be able to view the results alongside the built-in compliance setting details in the
Microsoft Intune admin center. Custom compliance settings can be used for conditional
access decisions, the same way built-in compliance settings are. Together they form a
compound rule set, equally affecting the device compliance state.
Prerequisites

Azure Active Directory (Azure AD) joined devices, including hybrid Azure AD-joined
devices.

Hybrid Azure AD-joined devices are devices that are joined to Azure AD and also
joined to on-premises Active Directory. For more information, see Plan your hybrid
Azure AD join implementation.

Azure AD registered/Workplace joined (WPJ) devices

Devices registered in Azure Active Directory (AAD); see Workplace Join as a
seamless second factor authentication for more information. Typically these are
Bring Your Own Device (BYOD) devices that have had a work or school account
added via Settings > Accounts > Access work or school.

On WPJ devices, device context PowerShell scripts work, but user context
PowerShell scripts are ignored.

Discovery script - A PowerShell script for Windows or a POSIX-compliant shell script for
Linux that you create. The script runs on a device to discover the custom settings
defined in your JSON file. The script returns the configuration value of those
settings to Intune. You need to upload your script to the Microsoft Intune admin
center before you create a compliance policy and then select the script you want
to use when creating a policy.

To create a custom compliance script, see Custom compliance discovery scripts for
Microsoft Intune.

JSON file - The JSON file defines the custom settings and the value that is to be
considered as compliant and can contain messages for users on how to restore the
device to compliance for the setting. For guidance on creating a JSON for custom
compliance, see Custom compliance JSON files.

Create a policy with custom compliance settings

Before you begin to create a policy that will include custom settings, review the
prerequisites.

You must first upload an applicable discovery script to Intune, and have a ready JSON to
add while creating the policy.

When ready, use the normal procedure to create a compliance policy, which includes
platform-specific instructions for adding custom settings to the policy. Custom settings
are added while on the Compliance settings page by configuring the option for
Custom Compliance.

Note

When a Windows device receives a compliance policy with custom settings, it
checks for the presence of the Intune Management Extension. If not found, the
device runs an MSI that installs the extension, enabling the client to download and
run PowerShell scripts that are part of a compliance policy, and to upload
compliance results. Actions managed by the extension include:

Checking for new or updated PowerShell scripts every eight hours.
Running the discovery scripts every eight hours.
Running scripts that download when a user selects Check Compliance on the
device. However, there is no check for new or updated scripts when Check
Compliance is run.

It is not possible to push notifications to a device to enable custom compliance to
run on demand.

Monitor custom compliance policy

Use the following methods to view details about a device’s compliance status.

For both Linux and Windows devices, you can view per-setting device compliance
details for custom compliance settings in the Microsoft Intune admin center.

In the admin center go to Reports > Device compliance, and then select the
Reports tab. Select the tile for Noncompliant devices and settings, and then use
the drop-down menus to configure the report. Be sure to select a platform for the
OS, and then select Generate report.

For more information, see Monitor Intune Device compliance policies.

On a Linux device, you can open the Intune app to view the device’s status:
Compliant – Your device is compliant with your organization’s policies and
should be able to access organizational resources.
Checking status – Intune is currently evaluating the device's compliance with your
organization’s policies.
Not compliant – The device doesn’t meet your organization’s device and
security requirements and might not have access to your organization’s
resources.

When the device status is Not compliant, select View issues to see details about
issues that must be addressed to bring that device into compliance. For
information on resolving common issues, see Additional troubleshooting for Linux
devices.

Troubleshoot custom compliance for devices

Custom settings aren’t evaluated

Check the device compliance reports for the following error codes and insight into the
problem:

65007: Script returned failure
65008: Setting missing in the script result
65009: Invalid json for the discovered setting
65010: Invalid datatype for the discovered setting

On Windows, errors attributed to the PowerShell script are commonly caused by the
script not returning its results as a single compressed JSON line. Ensure the following
line is the last line of the PowerShell script file: return $hash | ConvertTo-Json -Compress

PowerShell or POSIX-compliant shell scripts aren’t visible to select, or remain visible
after being deleted

Refresh the current view. If the issue persists, cancel the policy creation flow, and start
again.

After an issue on a device is fixed, subsequent syncs don’t identify the issue as
resolved and compliant

It can take up to eight hours before a noncompliant status shows as compliant after a
change to the device.

Can a user manually check for compliance after fixing an issue on a device in order
to identify if the issue is resolved and compliant?

On Windows, a user can go to the Company Portal website and trigger a sync to
update the device status after fixing a non-compliant custom compliance setting.

On Linux, a user can open the Microsoft Intune app and select Refresh on either the
device details page or the compliance issues page to start a new check-in with
Intune.

Why aren’t more operators and operands supported?

Contact your account manager to request the addition of specific operators and
operands. They can then be considered for a future update.

Why can’t I apply multiple discovery scripts to one custom compliance policy?

Policies support the use of a single script. However, each script supports checking for
multiple compliance values.

Additional troubleshooting for Linux devices

To identify settings that aren't compliant for a device:

In the Microsoft Intune admin center , you can identify devices that aren't
compliant with policy. Navigate to Reports > Device compliance, select the
Reports tab, and then select the tile for Noncompliant devices and settings. Use
the drop-downs to configure the report you want, and then select Generate report.

The admin center displays a separate line for each setting that isn’t compliant on a
device.

On the Linux device, open the Microsoft Intune app and view the Update device
settings page.

The following sections discuss common issues and resolutions for issues that users of
Linux devices might encounter.

Operating system distro and version

Users of devices that don’t meet the device compliance configuration for Linux
distribution or operating system versions might receive a message that indicates the
need to upgrade or downgrade the device operating system.

To be compliant with the Allowed Distros setting, the device's Linux distribution and
version must meet the minimum, maximum, and type requirements. If necessary, install
a different version or distribution of Linux to bring the device into compliance.

Password complexity

Users of devices that don’t meet the device compliance configuration for password
complexity requirements might receive a message that indicates they must use a strong
password.

To be compliant with Password Policy settings, configure the Linux system to use
passwords that meet those requirements. Common organization requirements include:

Passwords that include a minimum number of letters, digits, or special characters
Passwords of a minimum length

Device encryption

Users of devices that don’t meet compliance settings for disk and partition encryption
might receive a message that they must encrypt the device drives.

To be compliant with the Require Device Encryption setting, device-level encryption is
required for writable fixed disks on the Linux device.

There are several options for disk and partition encryption on Linux operating systems.
Intune recognizes any encryption system that uses the underlying dm-crypt subsystem.
This subsystem has been standard on Linux systems for some time. The preferred
method of setting up dm-crypt is to use the LUKS format with the cryptsetup tool.

The following is general guidance when encrypting disk and partitions:

Encrypting Linux system volumes after installation is possible, but potentially time
consuming. We recommend setting up disk encryption while installing the
operating system.
Not all filesystem partitions need to be encrypted for a device to meet
organizational standards. The following aren't evaluated by the built-in device
encryption settings:
Read-only partitions
Pseudo-filesystems, like /proc or tmpfs
The /boot or /boot/efi partitions

Refresh your compliance status on Linux devices

After making changes to a device to bring it into compliance, refresh the device status
with Intune:

If the Microsoft Intune app is still running, select Refresh on the device details
page, or on the compliance issues page to start a new check-in with Intune.
If the Microsoft Intune app isn't running, sign into the app, which will start a new
check-in.
After installation, the Microsoft Intune app periodically checks-in with Intune on its
own, so long as the device is on, and a user is signed in to it.

Next steps
Create a compliance policy

Custom compliance JSON files for Microsoft Intune
Article • 02/21/2023

To support custom settings for compliance for Microsoft Intune, you create a JSON file
that identifies the settings and value pairs that you want to use for custom compliance.
The JSON defines what a discovery script will evaluate for compliance on the device.

You’ll upload the JSON file when you create a compliance policy that includes custom
compliance settings.

A correctly formatted JSON file must include the following information:

SettingName - The name of the custom setting on which to base compliance.
Operator - Represents a specific action that is used to build a compliance rule. For
options, see the following list of supported operators.
DataType - The type of data that you can use to build your compliance rule. For
options, see the following list of supported DataTypes.
Operand - Represent the values that the operator works on.
MoreInfoURL - A URL that’s shown to device users so they can learn more about
the compliance requirement when their device is noncompliant for a setting. You
can also use this to link to instructions to help users bring their device into
compliance for this setting.
RemediationStrings - Information that gets displayed in the Company Portal when
a device is noncompliant to a setting. This information is intended to help users
understand the remediation options to bring a device to a compliant state.

You may include as many settings as you'd like in the JSON file, but the file must be no
larger than 1 megabyte (MB).

Supported operators:

IsEquals
NotEquals
GreaterThan
GreaterEquals
LessThan
LessEquals

Supported DataTypes:

Boolean
Int64
Double
String
DateTime
Version

Supported Languages:

cs_CZ
da_DK
de_DE
el_GR
en_US
es_ES
fi_FI
fr_FR
hu_HU
it_IT
ja_JP
ko_KR
nb_NO
nl_NL
pl_PL
pt_BR
ro_RO
ru_RU
sv_SE
tr_TR
zh_CN
zh_TW

For more information, see Available languages for Windows.

Example JSON file

JSON

{
  "Rules": [
    {
      "SettingName": "BiosVersion",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "2.3",
      "MoreInfoUrl": "https://bing.com",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "BIOS Version needs to be upgraded to at least 2.3. Value discovered was {ActualValue}.",
          "Description": "BIOS must be updated. Please refer to the link above"
        }
      ]
    },
    {
      "SettingName": "TPMChipPresent",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://bing.com",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "TPM chip must be enabled.",
          "Description": "TPM chip must be enabled. Please refer to the link above"
        }
      ]
    },
    {
      "SettingName": "ModelName",
      "Operator": "IsEquals",
      "DataType": "String",
      "Operand": "Inspiron",
      "MoreInfoUrl": "https://bing.com",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Only Inspiron is supported.",
          "Description": "Only desktop model Inspiron is allowed."
        }
      ]
    }
  ]
}
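Intune evaluates these rules service-side, so a typo in an operator name, an Operand whose JSON type doesn't match its DataType, or a SettingName the script never reports only surfaces after the policy has been deployed (as the 65008 to 65010 error codes in the troubleshooting section). The following Python harness is an added example, not code from the Intune documentation or a tool that Intune provides: it validates a rules file against the documented constraints (required keys, supported operators and DataTypes, the 1 MB limit) and evaluates it against the single-line JSON object a discovery script returns, filling the {ActualValue} placeholder in the remediation title. How each DataType is compared (in particular, Version compared component by component rather than as a string, so "10.0" is greater than "9.9") is this example's own reading of the documentation, and the sample rules and script output embedded below are constructed.

```python
"""Pre-flight check for an Intune custom compliance rules JSON (added example; not code
from the Intune documentation or from Intune, which evaluates the rules service-side).
It validates a rules file and evaluates it against a discovery script's output locally,
before either is uploaded. Operator and DataType names, {ActualValue} and the 1 MB limit
are the documented ones; how each DataType is compared is this example's own reading."""
import json
import operator
from datetime import datetime

OPERATORS = {"IsEquals": operator.eq, "NotEquals": operator.ne, "GreaterThan": operator.gt,
             "GreaterEquals": operator.ge, "LessThan": operator.lt, "LessEquals": operator.le}
DATATYPES = {"Boolean", "Int64", "Double", "String", "DateTime", "Version"}
REQUIRED_KEYS = {"SettingName", "Operator", "DataType", "Operand"}
MAX_RULES_BYTES = 1024 * 1024  # documented limit on the rules file


def coerce(value, data_type):
    """Convert a JSON value to a comparable Python value, or raise ValueError."""
    is_bool = isinstance(value, bool)
    if data_type == "Boolean" and is_bool:
        return value
    if data_type == "Int64" and isinstance(value, int) and not is_bool:
        return value
    if data_type == "Double" and isinstance(value, (int, float)) and not is_bool:
        return float(value)
    if data_type == "String" and isinstance(value, str):
        return value
    if data_type == "DateTime" and isinstance(value, str):
        return datetime.fromisoformat(value)
    if data_type == "Version" and isinstance(value, str):
        parts = [int(p) for p in value.split(".")]  # "2.3" -> (2, 3, 0, 0): compared per component
        return tuple(parts + [0] * (4 - len(parts)))
    raise ValueError(f"{value!r} is not a valid {data_type}")


def load_rules(rules_text):
    """Parse and validate the rules file; raise ValueError for anything Intune would reject."""
    if len(rules_text.encode("utf-8")) > MAX_RULES_BYTES:
        raise ValueError("rules file is larger than 1 MB")
    rules = json.loads(rules_text).get("Rules")
    if not isinstance(rules, list):
        raise ValueError("rules file needs a top-level Rules array")
    for rule in rules:
        if REQUIRED_KEYS - rule.keys():
            raise ValueError(f"rule is missing {sorted(REQUIRED_KEYS - rule.keys())}")
        if rule["Operator"] not in OPERATORS or rule["DataType"] not in DATATYPES:
            raise ValueError(f"unsupported Operator/DataType in rule {rule['SettingName']!r}")
        coerce(rule["Operand"], rule["DataType"])  # the Operand must fit its own DataType
    return rules


def evaluate(rules, discovered, language="en_US"):
    """Evaluate a script's output (dict SettingName -> value) against the rules.
    Returns {SettingName: (compliant, message)}. A setting the script did not report,
    or reported with the wrong JSON type, is noncompliant; on a real device those are
    the cases behind error codes 65008 and 65010."""
    results = {}
    for rule in rules:
        name = rule["SettingName"]
        if name not in discovered:
            results[name] = (False, "setting missing in the script result")
            continue
        try:
            actual = coerce(discovered[name], rule["DataType"])
        except ValueError as exc:
            results[name] = (False, f"invalid datatype for the discovered setting: {exc}")
            continue
        compliant = OPERATORS[rule["Operator"]](actual, coerce(rule["Operand"], rule["DataType"]))
        message = ""
        if not compliant:
            strings = {s["Language"]: s for s in rule.get("RemediationStrings", [])}
            entry = strings.get(language) or strings.get("en_US") or {}
            # {ActualValue} is the placeholder Intune fills with the discovered value.
            message = entry.get("Title", "").replace("{ActualValue}", str(discovered[name]))
        results[name] = (compliant, message)
    return results


# Constructed sample: the documentation's example rules (remediation text shortened) and
# the JSON line a Windows discovery script returned for a device breaking two rules.
SAMPLE_RULES = json.dumps({"Rules": [
    {"SettingName": "BiosVersion", "Operator": "GreaterEquals", "DataType": "Version",
     "Operand": "2.3", "MoreInfoUrl": "https://bing.com", "RemediationStrings": [{"Language":
     "en_US", "Title": "BIOS Version needs to be upgraded to at least 2.3. Value discovered was {ActualValue}."}]},
    {"SettingName": "TPMChipPresent", "Operator": "IsEquals", "DataType": "Boolean", "Operand": True,
     "MoreInfoUrl": "https://bing.com", "RemediationStrings": [{"Language": "en_US", "Title": "TPM chip must be enabled."}]},
    {"SettingName": "ModelName", "Operator": "IsEquals", "DataType": "String", "Operand": "Inspiron",
     "MoreInfoUrl": "https://bing.com", "RemediationStrings": [{"Language": "en_US", "Title": "Only Inspiron is supported."}]},
]})
SAMPLE_OUTPUT = '{"ModelName":"Dell","BiosVersion":"1.24","TPMChipPresent":true}'


def check(rules_text=SAMPLE_RULES, script_output=SAMPLE_OUTPUT):
    """Run the pre-flight, print one line per setting, and return True only if all pass."""
    results = evaluate(load_rules(rules_text), json.loads(script_output))
    for name, (ok, message) in results.items():
        print(f"{'compliant   ' if ok else 'NONCOMPLIANT'} {name} {message}".rstrip())
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    raise SystemExit(0 if check() else 1)
```

Run it with your own rules file and the captured output of your discovery script (`python3 preflight.py` after swapping the two constants, or by calling `check(rules_text, script_output)`); a non-zero exit means at least one rule fails, which is the same per-setting detail the Noncompliant devices and settings report later shows in the admin center.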

Next steps
Use custom compliance settings
Create a PowerShell script for discovery of custom compliance settings
Create a compliance policy

Custom compliance discovery scripts for Microsoft Intune
Article • 08/02/2023

Before you can use custom settings for compliance with Microsoft Intune, you must
define a script for discovery of custom compliance settings on devices. The script you
use depends on the platform:

Windows devices use a PowerShell script
Linux devices can run scripts in any language as long as the corresponding
interpreter is installed and configured on the device

The script deploys to devices as part of your custom compliance policies. When
compliance runs, the script discovers the settings that are defined by the JSON file that
you also provide through custom compliance policy.

All discovery scripts:

Are added to Intune before you create a compliance policy. After being added,
scripts are available to select when you create a compliance policy with custom
settings.
Each discovery script can only be used with one compliance policy, and each
compliance policy can only include one discovery script.
Discovery scripts that have been assigned to a compliance policy can't be
deleted until the script has been unassigned from the policy.
Run on a device that receives the compliance policy. The script evaluates the
conditions of the JSON file you upload when creating a custom compliance policy.
Identify one or more settings, as defined in the JSON, and return a list of
discovered values for those settings. A single script can be assigned to each policy,
and supports discovery of multiple settings.

In addition, the PowerShell script for Windows:

Must be compressed to output results in a single line. For example:
$hash = @{ ModelName = "Dell"; BiosVersion = "1.24"; TPMChipPresent = $true}
Must include the following line at the end of the script:
return $hash | ConvertTo-Json -Compress

Limits

The scripts you write must be within the following limits in order to successfully return
compliance data to Intune:

Scripts can be no larger than 1 megabyte (MB) each.
Output generated by each script can be no larger than 1 MB.
Scripts must have a limited run time:
On Linux, scripts must take five minutes or less to run.
On Windows, scripts must take 10 minutes or less to run.

Sample discovery script for Windows

The following example is a sample PowerShell script that you would use for Windows
devices:

PowerShell

# Query the hardware and TPM facts that the rules JSON names as settings.
$WMI_ComputerSystem = Get-WMIObject -class Win32_ComputerSystem
$WMI_BIOS = Get-WMIObject -class Win32_BIOS
$TPM = Get-Tpm

# Keys must match the SettingName values in the JSON; build the hash table on one line.
$hash = @{ ModelName = $WMI_ComputerSystem.Model; BiosVersion = $WMI_BIOS.SMBIOSBIOSVersion; TPMChipPresent = $TPM.TPMPresent}
# Intune expects the results as a single compressed JSON line.
return $hash | ConvertTo-Json -Compress

The following example is the output of the sample script (SMBIOSBIOSVersion is a
string, so the version is quoted):

PowerShell

PS C:\Users\apervaiz\Documents> .\sample.ps1
{"ModelName":"Dell","BiosVersion":"1.24","TPMChipPresent":true}

Sample discovery script for Linux

Note

Discovery scripts on Linux run in the user's context and as such they can't
check system-level settings that require elevation. An example of this is the
state/hash of the /etc/sudoers file.

Discovery scripts for Linux can call any interpreter that meets your requirements. Ensure
that the chosen interpreter is properly installed and configured on the targeted device
before the script is deployed. To specify the interpreter for a script, include a shebang
line at the top of the script, indicating the path to the interpreter binary.

For example, if your script should use the Bash shell as the interpreter, add the following
line at the top of your script:

#!/bin/bash

If you want to use Python for your script, indicate where the interpreter is installed. For
example, add the following to the top of your script: #!/usr/bin/python3 or
#!/usr/bin/env python

Recommended best practice: Implementing graceful termination mechanisms in your
scripts enables them to handle scenarios such as interrupts or cancellation signals. By
catching and handling these signals properly, your script can perform cleanup tasks and
exit gracefully, ensuring resources are released correctly. For example, you can catch
specific signals like SIGINT (interrupt signal) or SIGTERM (termination signal) and define
custom actions to be executed when these signals are received. These actions may
include closing open files, releasing acquired locks, or cleaning up temporary resources.
Properly handling signals helps to maintain script integrity and improve overall user
experience.

For more information, the following guides might be of use:

Intune Linux Custom Compliance Samples.
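The following Python discovery script is an added example, not a script from the Intune documentation or from the Microsoft samples repository. It puts the points above together: the shebang that selects the interpreter, SIGINT/SIGTERM handling that releases a scratch file before exiting, and the note's constraint that the script runs unprivileged, so it reads only /etc/os-release and the output of lsblk (which any user can run, and whose TYPE column reports dm-crypt mappings as crypt) to report the distribution, its version and the number of dm-crypt volumes. It assumes python3 is installed at /usr/bin/python3 on the device; the setting names DistroId, DistroVersion and DmCryptVolumes are this example's own and must match the SettingName values in the rules JSON you upload, with DataType String, Version and Int64 respectively. Like the Windows sample, it returns its results as one compact JSON object on a single line.

```python
#!/usr/bin/python3
"""Linux custom compliance discovery script (added example; not from the Intune
documentation or from the Microsoft samples repository). Runs unprivileged, in the
user's context, so it reads only /etc/os-release and the output of `lsblk -rno TYPE`,
where a TYPE of 'crypt' is a dm-crypt mapping. Assumes python3 at /usr/bin/python3.
The setting names DistroId, DistroVersion and DmCryptVolumes are this example's own
and must match the SettingName values (String, Version, Int64) in the rules JSON."""
import json
import os
import signal
import subprocess
import sys
import tempfile

# Scratch file that marks a run in progress; removed on normal exit and on SIGINT/SIGTERM.
SCRATCH = os.path.join(tempfile.gettempdir(), f"intune-discovery-{os.getuid()}.lock")


def parse_os_release(text):
    """Parse /etc/os-release KEY=VALUE lines into a dict, dropping quotes and comments."""
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        data[key.strip()] = value.strip().strip('"').strip("'")
    return data


def count_crypt_devices(lsblk_types):
    """Count block devices whose lsblk TYPE is 'crypt' (one per active dm-crypt volume)."""
    return sum(1 for t in lsblk_types.split() if t == "crypt")


def discover(os_release_text, lsblk_types):
    """Build the settings dict. Every key is always present (a missing setting is an error
    on the Intune side), and each value's JSON type matches the rule's DataType."""
    osr = parse_os_release(os_release_text)
    return {
        "DistroId": osr.get("ID", "unknown"),               # String
        "DistroVersion": osr.get("VERSION_ID", "0"),         # Version, e.g. "22.04"
        "DmCryptVolumes": count_crypt_devices(lsblk_types),  # Int64
    }


def read_device():
    """Collect the live inputs; a missing file or tool degrades to empty input."""
    try:
        with open("/etc/os-release", encoding="utf-8") as fh:
            os_release = fh.read()
    except OSError:
        os_release = ""
    try:
        lsblk = subprocess.run(["lsblk", "-rno", "TYPE"], capture_output=True, text=True,
                               timeout=30, check=False).stdout
    except (OSError, subprocess.TimeoutExpired):
        lsblk = ""
    return os_release, lsblk


def cleanup():
    """Remove the scratch file; safe to call more than once."""
    try:
        os.remove(SCRATCH)
    except FileNotFoundError:
        pass


def on_signal(signum, _frame):
    """Graceful termination: release the scratch file and exit with the signal's code."""
    cleanup()
    sys.exit(128 + signum)


def main():
    signal.signal(signal.SIGINT, on_signal)
    signal.signal(signal.SIGTERM, on_signal)
    with open(SCRATCH, "w", encoding="utf-8") as fh:
        fh.write(str(os.getpid()))
    try:
        # One compact JSON object on a single line, as the Windows sample also returns.
        print(json.dumps(discover(*read_device()), separators=(",", ":")))
    finally:
        cleanup()
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the script runs as the signed-in user, it cannot read /etc/sudoers, sshd_config or anything else root-only; if a rule needs such a setting, pick a proxy that is world-readable, as lsblk output is here, or the script will return a failure rather than a value.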

Add a discovery script to Intune

Before deploying your script in production, test it in an isolated environment to ensure
the syntax you use behaves as expected.

1. Sign in to the Microsoft Intune admin center and go to Endpoint security > Device
compliance > Scripts > Add > (choose your platform).

2. On Basics, provide a Name.

3. On Settings, add your script to Detection script. Review your script carefully. Intune
doesn’t validate the script for syntax or programmatic errors.

4. For Windows only - On Settings, configure the following behavior for the
PowerShell script:

Run this script using the logged on credentials – By default, the script runs
in the System context on the device. Set this value to Yes to have it run in the
context of the logged-on user. If the user isn’t logged in, the script defaults
back to the System context.
Enforce script signature check – For more information, see about_Signing in
the PowerShell documentation.
Run script in 64 bit PowerShell Host – By default, the script runs using the
32-bit PowerShell host. Set this value to Yes to force the script to run using
the 64-bit host instead.

5. Complete the script creation process. The script is now visible in the Scripts pane of
the Microsoft Intune admin center and is available to select when configuring
compliance policies.

Also, note that the workflow for uploading these scripts to the Microsoft Intune admin
center does not support scope tags at this time. You must be targeted with the default
scope tag to create, edit, or see custom compliance discovery scripts.

Next steps
Use custom compliance settings
Create a JSON for custom compliance
Create a compliance policy

Configure actions for noncompliant devices in Intune
Article • 02/22/2023

As part of a compliance policy that protects your organization's resources from devices
that don't meet your security requirements, compliance policies also include Actions for
noncompliance. Actions for noncompliance are one or more time-ordered actions that
are taken by a policy to help protect devices and your organization. As an example, an
action for noncompliance can remotely lock a device to ensure it's protected, or send a
notification to devices or users to help them understand and resolve the noncompliant
status.

Overview
By default, each compliance policy includes the action for noncompliance of Mark
device noncompliant with a schedule of zero days (0). The result of this default is when
Intune detects a device isn't compliant, Intune immediately marks the device as
noncompliant. After a device is marked as noncompliant, Azure Active Directory (AD)
Conditional Access can block the device.

By configuring Actions for noncompliance you gain flexibility to decide what to do
about noncompliant devices, and when to do it. For example, you might choose to not
block the device immediately, and give the user a grace period to become compliant.

For each action you set, you can configure a schedule that determines when that action
takes effect. The schedule is a number of days after the device is marked as
noncompliant. You can also configure multiple instances of an action. When you set
multiple instances of an action in a policy, the action runs again at that later scheduled
time if the device remains non-compliant.

Not all actions are available for all platforms.

Note

The Microsoft Intune admin center displays the schedule (days after noncompliance)
in days. However, it is possible to specify a more granular interval (hours) using
decimal fractions such as 0.25 (6 hours), 0.5 (12 hours), 1.5 (36 hours), and so on.
Other values are possible, but they can only be configured using Microsoft Graph
and not via the admin center. Attempting to use other values in the admin center,
such as 0.33 (8 hours), results in an error when you try to save the policy.

Available actions for noncompliance
Following are the available actions for noncompliance:

Mark device non-compliant: By default, this action is set for each compliance
policy and has a schedule of zero (0) days, marking devices as noncompliant
immediately.

When you change the default schedule, you provide a grace period in which a user
can remediate issues or become compliant without being marked as non-
compliant.

This action is supported on all platforms supported by Intune.

Send email to end user: This action sends an email notification to the user. When
you enable this action:
Select a Notification message template that this action sends. You must create a
notification message template before you can assign one to this action. When
you create the custom notification, you customize the message locale, subject,
message body, and can include the company logo, company name, and other
contact information.
Choose to send the message to more recipients by selecting one or more of
your Azure AD Groups.

Intune uses the email address defined in the end user's profile and not their user
principal name (UPN). If no email address is defined in the user's profile, then Intune
doesn't send a notification email. When the email is sent, Intune includes details
about the noncompliant device in the email notification.

This action is supported on all platforms supported by Intune.

Note

In the commercial cloud, notification emails are sent from:
IntuneNotificationService@microsoft.com

In government clouds, notification emails are sent from:
microsoft-noreply@microsoft.com

Ensure you do not have any mailbox policies that would prevent delivery of
emails from these addresses, otherwise end users may not receive the email
notification.

Remotely lock the noncompliant device: Use this action to issue a remote lock of
a device. The user is then prompted for a PIN or password to unlock the device.
More on the Remote Lock feature.

The following platforms support this action:

Android device administrator
Android (AOSP)
Android Enterprise:
Fully Managed
Dedicated
Corporate-Owned Work Profile
Personally Owned Work Profile
Android Enterprise kiosk devices
iOS/iPadOS
macOS

Retire the noncompliant device: This action removes all company data off the
device and removes the device from Intune management.

The following platforms support this action:

Android device administrator
Android (AOSP)
Android Enterprise:
Fully Managed
Dedicated
Corporate-Owned Work Profile
Personally Owned Work Profile
iOS/iPadOS
macOS
Windows 10/11

When this action applies to a device, that device is added to a list of devices in the
Microsoft Intune admin center at Devices > Compliance policies > Retire
Noncompliant Devices. The device isn't retired until an admin takes explicit action
to retire the device.

Note

Only devices to which the Retire the noncompliant device action has been
triggered appear in the Retire Selected Devices view. To see a list of all
devices that are not compliant, see the Noncompliant devices report
mentioned in Monitor device compliance policy.

To retire one or more devices from the list, select devices to retire and then select
Retire Selected Devices. When you choose an action that retires devices, you're
then presented with a dialog box to confirm the action. It's only after confirming
the intent to retire the devices that they're cleared of company data and removed
from Intune management.

Other options include Retire All Devices, Clear All Devices Retire State, and Clear
Selected Devices Retire State. Clearing the retire state for a device removes the
device from the list of devices that can be retired until the action to Retire the
noncompliant device is applied to that device again.

Learn more about retiring devices.

Send push notification to end user: Configure this action to send a push
notification about non-compliance to a device through the Company Portal app or
Intune App on the device.

The following platforms support this action:

Android device administrator
Android Enterprise:
Fully Managed
Dedicated
Corporate-Owned Work Profile
Personally Owned Work Profile
iOS/iPadOS

The push notification is sent the first time a device checks in with Intune and is
found to be non-compliant to the compliance policy. When a user selects the
notification, the Company Portal app or Intune app opens and displays information
about why they're non-compliant. The user can then take action to resolve the
issue. The message details about non-compliance are generated by Intune and
can't be customized.

Important

Intune, the Company Portal app, and the Microsoft Intune app can't
guarantee delivery of a push notification. Notifications might show up after
several hours of delay, if at all. This includes when users have turned off push
notifications. Do not rely on this notification method for urgent messages.

Each instance of the action sends a notification a single time. To send the same
notification again from a policy, configure more instances of the action in that
policy, each with a different schedule.

For example, you might schedule the first action for zero days and then add a
second instance of the action set to three days. This delay before the second
notification gives the user a few days to resolve the issue, and avoid the second
notification.

To avoid spamming users with duplicate messages, review and streamline which
compliance policies include a push notification for noncompliance, and review
their schedules so that the same noncompliance doesn't trigger repeat
notifications too often.

Consider:

For a single policy that includes multiple instances of a push notification set for
the same day, only a single notification is sent for that day.

When multiple compliance policies include the same compliance conditions,
and include the push notification action with the same schedule, Intune sends
multiple notifications to the same device on the same day.

Note

The following actions for noncompliance are not supported for devices that are
managed by a device compliance management partner:

Send push notification to end user
Remotely lock the noncompliant device
Retire the noncompliant device

Before you begin

You can add actions for noncompliance when you configure device compliance policy,
or later by editing the policy. You can add extra actions to each policy to meet your
needs. Keep in mind that each compliance policy automatically includes the default
action for noncompliance that marks devices as noncompliant, with a schedule set to
zero days.

To use device compliance policies to block devices from corporate resources, Azure AD
Conditional Access must be set up. See Conditional Access in Azure Active Directory or
common ways to use Conditional Access with Intune for guidance.

To create a device compliance policy, see the following platform-specific guidance:

Android
Android (AOSP)
Android work profiles
iOS
macOS
Windows

Create a notification message template

To send email to your users, create a notification message template and associate it
with your compliance policy as an action for noncompliance. Then, when a device is
noncompliant, the details you enter in the template are shown in the email sent to your
users.

A notification message template can include multiple messages that are each specified
for a different locale. One locale must be specified as the default.

When you specify multiple messages and locales, non-compliant end users receive the
appropriate localized message based on their O365 preferred language. Intune sends
the default message to users that haven’t set a preferred language or when the
template doesn’t include a specific message for their locale.

To create the template

1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Device compliance > Notifications > Create
notification.

3. On the Basics page, configure the following settings:

Name - Give the template a friendly name to help you identify it.
Email header – Include company logo (default = Enable) - The logo you
upload as part of the Company Portal branding is used for email templates.
For more information about Company Portal branding, see Company identity
branding customization.
Email footer – Include company name (default = Enable)
Email footer – Include contact information (default = Enable)
Company Portal Website Link (default = Disable) - When set to Enable, the
email includes a link to the Company Portal website.

Select Next to continue.

4. On the Notification message templates page, configure one or more messages.

For each message, specify the following details:

Locale
Subject
Message body text

Note

The maximum number of characters for the Subject is 78, and the maximum
number of characters for the message body text is 2000.

Before continuing, you must select the checkbox for Is Default for one of the
messages. Only one message can be set as default. To delete a message, select the
ellipsis (...) and then Delete.
Select Next to continue.

5. Under Review + create, review your configurations to ensure the notification
message template is ready to use. Select Create to complete creation of the
notification.

View and edit notifications

Notifications that have been created are available in the Compliance policies >
Notifications page. From the page you can select a notification to view its configuration
and:

Select Send preview email to send a preview of the notification email to the
account you've used to sign in to Intune.

To successfully send the preview email, your account must have permissions equal
to those of the following Azure AD groups or Intune roles: Azure AD Global
Administrator, Intune Administrator (Intune Azure AD Intune Service Administrator),
or Intune Policy and Profile Manager.

Select Edit for Basics or Scope tags to make a change.


Add actions for noncompliance
When you create a device compliance policy, Intune automatically creates an action for
noncompliance. If a device does not meet your compliance policy, this action marks the
device as not compliant. You can customize how long the device is marked as not
compliant. This action can't be removed.

You can add optional actions when you create a compliance policy, or update an
existing policy.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Compliance policies > Policies, select one of your policies, and
then select Properties.

Don't have a policy yet? Create an Android, iOS, Windows, or other platform policy.

Note

Devices managed by third-party device compliance partners that are targeted
with device groups cannot receive compliance actions at this time.

3. Select Actions for noncompliance > Add.

4. Select your Action:

Send email to end users: When the device is noncompliant, choose to email
the user. Also:
Choose the Message template you previously created
Enter any Additional recipients by selecting groups

Remotely lock the noncompliant device: When the device is noncompliant,
lock the device. This action forces the user to enter a PIN or passcode to
unlock the device.

Retire the noncompliant device: When the device is noncompliant, remove
all company data off the device and remove the device from Intune
management.

Send push notification to end user: Configure this action to send a push
notification about non-compliance to a device through the Company Portal
app or Intune App on the device.
5. Configure a Schedule: Enter the number of days (0 to 365) after noncompliance to
trigger the action on users' devices. After this grace period, you can enforce a
conditional access policy. If you enter 0 (zero) days, then conditional access
takes effect immediately. For example, if a device is noncompliant, use conditional
access to block access to email, SharePoint, and other organization resources
immediately.

When you create a compliance policy, the Mark device noncompliant action is
automatically created, and automatically set to 0 days (immediately). With this
action, when the device checks in with Intune and evaluates the policy, if it isn't
compliant to that policy, Intune immediately marks that device as noncompliant. If
the client checks in at a later time after remediating the issues that led to
noncompliance, its status updates to the new compliance status. If you use
Conditional Access, those policies also apply as soon as a device is marked as
noncompliant. To set a grace period that allows a condition of noncompliance to
be remediated before the device is marked as noncompliant, change the Schedule
on the Mark device noncompliant action.

For example, suppose that in your compliance policy you also want to notify the
user. You can add the Send email to end user action. On this Send email action, you
set the Schedule to two days. If the device or end user is still evaluated as
noncompliant on day two, then your email is sent on day two. If you want to email
the user again on day five of noncompliance, then add another action, and set the
Schedule to five days.

For more information on compliance, and the built-in actions, see the compliance
overview.

6. When finished, select Add > OK to save your changes.
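The following script is an added example, not code from the Intune documentation or product: it simulates the procedure above (mark at 0 days, email at day 2 and day 5, push notifications) so you can see which actions fire at each daily check-in, that each instance fires only once, and that two push instances scheduled for the same day in one policy collapse into a single notification. The conversion from the admin center's decimal days to whole hours mirrors the Microsoft Graph gracePeriodHours property, which this page does not name, and the whole-hours validation rule is an assumption of the example.

```python
"""Simulate when a compliance policy's actions for noncompliance fire.

Added example; not code from the Intune documentation or product. The
action types and day-based schedule follow the article. The conversion to
whole hours mirrors Microsoft Graph's gracePeriodHours property, which this
page does not name, so treat that as an assumption of the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class NoncomplianceAction:
    kind: str             # mark_noncompliant | email | push | lock | retire
    schedule_days: float  # days after noncompliance; fractions such as 0.25 allowed


def grace_period_hours(schedule_days: float) -> int:
    """Convert the admin center's 'days' value to the whole hours Graph stores.

    Assumed validation for this example: the value must map to a whole number
    of hours. That is consistent with the article, which says 0.25, 0.5 and 1.5
    save fine while 0.33 is rejected by the admin center.
    """
    hours = schedule_days * 24
    if abs(hours - round(hours)) > 1e-9:
        raise ValueError(f"{schedule_days} days is not a whole number of hours")
    return int(round(hours))


def actions_due(actions: List[NoncomplianceAction], noncompliant_since: datetime,
                check_in: datetime, fired: Set[int]) -> List[str]:
    """Return the kinds of action that fire at this check-in.

    Rules taken from the article:
    - an instance fires once its schedule has elapsed and the device is
      still noncompliant at check-in;
    - each instance fires only once (tracked by index in `fired`);
    - within one policy, several push instances due on the same day collapse
      into a single notification.
    """
    elapsed_hours = (check_in - noncompliant_since) / timedelta(hours=1)
    due: List[str] = []
    push_days_seen: Set[int] = set()
    for idx, action in enumerate(actions):
        if idx in fired or elapsed_hours < grace_period_hours(action.schedule_days):
            continue
        fired.add(idx)  # consumed whether or not it results in a message
        if action.kind == "push":
            day = int(action.schedule_days)
            if day in push_days_seen:
                continue  # same policy, same day: only one push is sent
            push_days_seen.add(day)
        due.append(action.kind)
    return due


def simulate(actions: List[NoncomplianceAction], days: int,
             remediated_on: Optional[int] = None) -> Dict[int, List[str]]:
    """Walk daily check-ins from day 0 and return {day: [actions fired]}.

    If remediated_on is given, the device checks in compliant from that day
    on and nothing further fires (the user used the grace period).
    """
    start = datetime(2023, 8, 21, 9, 0)  # constructed timestamp
    fired: Set[int] = set()
    timeline: Dict[int, List[str]] = {}
    for day in range(days + 1):
        if remediated_on is not None and day >= remediated_on:
            break
        due = actions_due(actions, start, start + timedelta(days=day), fired)
        if due:
            timeline[day] = due
    return timeline


# The article's worked schedule: mark at 0 days, email on day 2 and day 5,
# plus push at day 0 and two (deliberately duplicate) push instances at day 3.
EXAMPLE_POLICY = [
    NoncomplianceAction("mark_noncompliant", 0),
    NoncomplianceAction("email", 2),
    NoncomplianceAction("email", 5),
    NoncomplianceAction("push", 0),
    NoncomplianceAction("push", 3),
    NoncomplianceAction("push", 3),
]

if __name__ == "__main__":
    for day, kinds in simulate(EXAMPLE_POLICY, 6).items():
        print(f"day {day}: {', '.join(kinds)}")
    print("remediated on day 3:", simulate(EXAMPLE_POLICY, 6, remediated_on=3))
```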

Next steps
Monitor your policies.
Monitor results of your Intune Device
compliance policies
Article • 08/21/2023

Compliance reports help you understand when devices fail to meet your compliance
policies and can help you identify compliance-related issues in your organization. Using
these reports, you can view information on:

The overall compliance states of devices
The compliance status for an individual setting
The compliance status for an individual policy
Drill down into individual devices to view specific settings and policies that affect
the device

This article applies to:

Android device administrator
Android (AOSP) (preview)
Android Enterprise
iOS/iPadOS
Linux - Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
macOS
Windows 10 and later

Intune includes the following options for reviewing device compliance details:

Device compliance status dashboard
Policy-based device compliance reports
Organizational and operational compliance reports

Important concepts for device compliance policies and status results

When viewing compliance status details and reports, be aware of the following
important details that can affect how a device's compliance status is reported:

Devices must be enrolled into Intune to receive device compliance policies.

Intune follows the device check-in schedule for all compliance evaluations on the
device. Learn more about the device check-in schedule.
The tenant-wide compliance policy settings include the setting Mark devices with
no compliance policy assigned as. By default, this setting marks the devices that
haven't been assigned a compliance policy as Compliant. If it's important for your
organization to identify devices that aren't assigned a compliance policy, consider
editing this setting.

At times a device might send a compliance report back to Intune that shows
System Account as the user principal name. This result can happen when a
compliance policy targets a group of users or devices and is evaluated at a time
when no user is signed in to the device.

Similarly, when a compliance policy is assigned to a device group and evaluated
while a user is signed in, there are two compliance evaluations: one for the user
and one for the device's System account. In this scenario, the System Account
evaluation can fail, causing the device to be Not compliant. To prevent this
behavior:
For devices with a user signed in - assign the compliance policy to a User group.
For devices without a user signed in - assign the compliance policy to a Device
group.

When there are multiple users signed in to the same device, and that device is
assigned a compliance policy that is scoped to all users that are currently signed in
to the device, compliance runs for each of those users. This can result in compliance
reports showing multiple entries for the device where each entry indicates a
different user name.

Users of a device type who are assigned a compliance policy for a different device
type than they use aren't shown in reports. For example, if you've assigned a
Windows compliance policy to a user with an Android device, that compliance
policy doesn't run on the user's Android device and the device's previous
compliance state remains unchanged.

Device compliance dashboard

The device compliance dashboard is found in the Microsoft Intune admin center by
navigating to Devices > Overview and then selecting the Compliance status tab. The
Compliance status tab is a dashboard with several tiles that present high-level
summaries for the following compliance report details:

Device compliance status
Devices without compliance
Policy compliance
Setting compliance

Device compliance status

The Device compliance status tile displays the compliance states for all Intune enrolled
devices. If you select this tile, Intune displays the Noncompliant devices report that can
also be found under the Devices > Monitor node of the admin center.

The tile displays a count of devices for each of the following categories:

Compliant: The device successfully applied one or more device compliance policy
settings.

In-grace period: The device is targeted with one or more device compliance policy
settings but isn't yet compliant to all of them. Often this is due to users not
applying compliant configurations, like meeting password complexity
requirements. Devices with this status are noncompliant, but in the grace period
defined by the admin.

Learn more about Actions for noncompliant devices.

Not evaluated: An initial state for newly enrolled devices. Other possible reasons
for this state include:
Devices that aren't assigned a compliance policy and don't have a trigger to
check for compliance.
Devices that haven't checked in since the compliance policy was last updated.
Devices not associated to a specific user, such as:
iOS/iPadOS devices purchased through Apple's Device Enrollment Program
(DEP) that don't have user affinity.
Android kiosk or Android Enterprise dedicated devices.
Devices enrolled with a device enrollment manager (DEM) account.

Not compliant: The device failed to apply one or more device compliance policy
settings, or the user hasn't complied with the policies.

Policy compliance
The Policy compliance tile displays the list of compliance policies that are assigned to
devices, and the count of compliant and noncompliant devices for each policy.

You can select a policy from this tile to open a Policy Compliance view that provides
more details about that policy.

Tip

We recommend using the newer Policy compliance (preview) report that replaces
this view and includes improved capabilities. Eventually, the older report version
will be retired.

Devices without compliance

The Devices without compliance policy tile displays a count of devices that don't have
any compliance policies assigned. The tile name is often truncated in the admin center
view because this tile displays only a count of devices.

If you select this tile, Intune displays a Device status view that lists each device that
doesn't have a compliance policy. This view includes the Device name, the User Principal
Name associated with the device, the device's compliance Status, and the Device model.

Tip

Intune includes an organizational report that identifies all devices in your tenant
that have not been assigned a compliance policy. See Devices without compliance
policy (Organizational).

Setting compliance
The Setting compliance tile displays all the device compliance policy settings from all
compliance policies, the platforms the policy settings apply to, and the number of
noncompliant devices. At least one device must report a status for a setting before the
setting is visible in this view.

Screenshot that shows the list of policies and how many devices are compliant or
noncompliant for each policy
You can select an individual setting to open a setting detail view that provides more
information about devices that report status for that setting.

Tip

We recommend using the newer Setting compliance (preview) report that replaces
this report and includes improved capabilities. Eventually, this older report version
will be retired.

Policy-based device compliance reports

Each compliance policy you create directly supports compliance reporting. To view the
reports for an individual policy, in the admin center go to Devices > Compliance
Policies > Policies, and then select the policy for which you want to view its report
details.

By default, when you select a policy Intune opens the Monitor tab for that policy, where
Intune displays:

Device status - A simple bar chart that identifies the basic compliance status for
devices that receive this policy.
View report - A button you can select that opens the device status report where
you can view deeper details about device compliance to this policy.
Per-setting status - A tile you can select that opens the per-setting status report
for this policy.

Tip
After navigating to the Monitor tab of the Compliance policies > Policies node, you
can select the Properties tab.

On the Properties tab you'll see essential details about the policy, like the policy's
name and platform type, as well as the configuration of each setting in that policy.
On this tab you can choose to edit different details for the policy, including the
settings configurations, policy assignments, and more.

Device status
The Device status summary is the default view that’s available when you select a
compliance policy. This summary is a simple chart that presents a count of devices that
report a specific device compliance status. The horizontal bar is divided into colors from
the available categories in proportion to the count of devices in each category. In the
preceding screen capture, all devices are compliant. As a result, the representational bar
is entirely green.

Before a device is represented in this chart view, the device must check in with Intune to
receive the policy, process it, and successfully report back its status. This process can
take up to 24 hours when the device is online.

Details in the Device status chart include:

Compliant - The device successfully applied one or more device compliance policy
settings.
Noncompliant - The device configuration has failed to meet one or more device
compliance policy settings.
Others - The device is in a state that is neither compliant nor noncompliant with the
settings in this policy, such as Error or Not evaluated.
Total - The total number of devices that have received this policy and reported in.

To view more details, you can select the View report button.

View report
When you select the View report button on the device status view of a policy, Intune
displays a more detailed view of the device status for that policy.
By default, the report view displays details for the following, though you can add more
columns of detail to the view:

Device name - The name of the device as it appears when viewing Devices and
creating groups.
Logged in user
Policy compliance status - This status identifies if the device is compliant to this
policy, but doesn't represent a device's compliance for any other compliance
policies. A device could still be considered noncompliant by Intune should it be
noncompliant to a different policy.
Device Id - The device's Intune Device ID.
OS - The operating system of the device, like Windows, or Android.
Last contacted - The last day and time that this device made contact with the
Intune service.

In this report view:

Each column can be sorted alphabetically.
You can configure Filters and specify a Search string to refine the reports results.
Search looks through all displayed columns.

For example, in the previous policy report view, entering a search string of st1, which
appears in both the Device name and Logged in user columns, returns both the devices
whose name contains st1 and each device associated with a user whose user name
contains st1:

Per-setting status
After selecting a compliance policy, you can select the Per-setting status tile to open the
device compliance per-setting status view for that policy. This view displays the settings
that the policy configures with columns for the various status conditions that can be
reported. For each setting, each status column displays a count of devices that report
that status.

The following image displays a per-setting view of a policy for Android devices. This
policy includes one setting and was deployed to four devices, all of which are compliant
to that setting. In this view, you can sort by selecting a column, or using search:

From the per-setting view, you can select the device count from any status column to
open a view with more details for that specific setting and status. The following image
displays the results of having selected the number 4 from the Compliant devices
column:
In the screenshot we see there are four entries for the selected setting, with each entry
representing a distinct device. This count of devices matches the count on the
per-setting view.

We can also see that one device, which has a name that starts with st1, has been flagged
in the Device compliance column as being Not compliant. This result is worth examining
more closely:

The details in the Device compliance column represent a device's overall
compliance status, and not necessarily a device's compliance with this policy or this
setting from this policy.
We can be assured that this device is compliant to how this setting is configured in
this policy because we're viewing a list of devices that reported as being compliant
to the settings for this policy.
This result indicates that the device is failing compliance against some other policy.

Because this drill-in view doesn’t support a deeper drill through, you must use the other
compliance reports that are available to determine which policy and setting the device is
reporting as noncompliant.

Device behavior with a compliance setting in Error state

When a setting for a compliance policy returns a value of Error, the compliance state of
the device remains unchanged for up to seven days to allow time for the compliance
calculation to complete correctly for that setting. Within those seven days, the device's
existing compliance status continues to apply until the compliance policy setting
evaluates as Compliant or Not compliant. If a setting still has a status of Error after
seven days, the device becomes Not compliant immediately.

Examples:

A device is initially marked Compliant, but then a setting in one of the compliance
policies targeted to the device reports Error. After three days, compliance
evaluation completes successfully and the setting now reports Not compliant. The
user can continue to use the device to access Conditional Access-protected
resources within the first three days after the setting states changes to Error, but
once the setting returns Not compliant, the device is marked Not compliant and
this access is removed until the device becomes Compliant again.

A device is initially marked Compliant, but then a setting in one of the compliance
policies targeted to the device reports Error. After three days, compliance
evaluation completes successfully, the setting returns Compliant, and the device's
compliance status becomes Compliant. The user is able to continue to access
Conditional Access protected resources without interruption.

A device is initially marked Compliant, but then a setting in one of the compliance
policies targeted to the device reports Error. The user is able to access Conditional
Access protected resources for seven days, but after seven days, the compliance
setting still returns Error. At this point, the device becomes Not compliant
immediately and the user loses access to the protected resources until the device
becomes Compliant, even if there's a grace period set for the applicable
compliance policy.

A device is initially marked Not compliant, but then a setting in one of the
compliance policies targeted to the device reports Error. After three days,
compliance evaluation completes successfully, the setting returns Compliant, and
the device's compliance status becomes Compliant. The user is prevented from
accessing Conditional Access protected resources for the first three days (while the
setting returns Error). Once the setting returns Compliant and the device is marked
Compliant, the user can begin to access protected resources on the device.
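The following state model is an added example, not code from the Intune documentation or product. It replays the four scenarios above (and a grace-period case) against the seven-day Error rule: a setting in Error holds the device's existing state for up to seven days and then flips it to Not compliant regardless of any grace period. The daily check-in cadence, the exact day-seven boundary, and the "In grace period" label are simplifying assumptions of this example.

```python
"""Device compliance state under the seven-day Error rule.

Added example; not code from the Intune documentation or product. It models
the behaviour this section describes: a setting in Error leaves the device's
existing state untouched for up to seven days, after which the device becomes
Not compliant immediately, even if a grace period is configured. The daily
cadence, the exact day-7 boundary and the "In grace period" label are
simplifying assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import List

ERROR_HOLD_DAYS = 7  # article: existing state continues to apply for up to seven days


@dataclass
class DeviceCompliance:
    state: str                  # "Compliant", "In grace period" or "Not compliant"
    grace_period_days: int = 0  # schedule on the Mark device noncompliant action
    days_in_error: int = field(default=0, init=False)
    days_failing: int = field(default=0, init=False)

    def report(self, setting_status: str) -> str:
        """Apply one daily setting report and return the resulting device state."""
        if setting_status == "Compliant":
            self.days_in_error = self.days_failing = 0
            self.state = "Compliant"
        elif setting_status == "Not compliant":
            self.days_in_error = 0
            # Grace period: the device is only marked once the schedule elapses.
            if self.days_failing >= self.grace_period_days:
                self.state = "Not compliant"
            elif self.state != "Not compliant":
                self.state = "In grace period"
            self.days_failing += 1
        elif setting_status == "Error":
            self.days_failing = 0
            # Existing state is held; after seven days it flips regardless of grace.
            if self.days_in_error >= ERROR_HOLD_DAYS:
                self.state = "Not compliant"
            self.days_in_error += 1
        else:
            raise ValueError(f"unknown setting status: {setting_status}")
        return self.state

    def access_allowed(self) -> bool:
        """Conditional Access blocks only devices marked Not compliant."""
        return self.state != "Not compliant"


def run(initial_state: str, daily_statuses: List[str],
        grace_period_days: int = 0) -> List[str]:
    """Feed one setting status per day and return the device state after each day."""
    device = DeviceCompliance(initial_state, grace_period_days)
    return [device.report(status) for status in daily_statuses]


if __name__ == "__main__":
    # Scenario 3 from the article: Error never clears, grace period ignored.
    print(run("Compliant", ["Error"] * 8, grace_period_days=5))
    # Scenario 4: a Not compliant device stays blocked while the setting is in Error.
    print(run("Not compliant", ["Error"] * 3 + ["Compliant"]))
```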

Organizational and operational compliance reports

In addition to the reports available through individual compliance policies, you can
view device compliance reports that focus on the settings in your compliance policies,
list all the devices that are noncompliant, and provide insights into compliance trends.

To view these reports, open the Intune admin center, go to Reports > Device
compliance, and select the Reports tab.

For more information about these reports, see Device compliance reports in the Intune
reports article.

Other compliance reports

In addition to reports from the Compliance status tab and from the Reports node of the
admin center, the following older compliance reports are available. The following
reports are found under the Compliance category in the admin center at Devices >
Monitor:

Noncompliant devices
Setting compliance – This report version remains available but will be deprecated
as there is an updated version with enhanced capabilities. See the updated report
at Setting compliance (preview)
Policy compliance – This report version remains available but will be deprecated as
there is an updated version with enhanced capabilities. Policy compliance (preview)
Policy noncompliance
Windows health attestation report

How Intune resolves policy conflicts

Policy conflicts can occur when multiple Intune policies are applied to a device. If the
policy settings overlap, Intune resolves any conflicts by using the following rules:

If the conflict is between settings from an Intune configuration policy and a
compliance policy, the settings in the compliance policy take precedence over the
settings in the configuration policy. This result happens even if the settings in the
configuration policy are more secure.

If you have deployed multiple compliance policies, Intune uses the most secure of
these policies.

To learn more about conflict resolution for policies, see Compliance and device
configuration policies that conflict.

Next steps
Compliance policies overview
Support third-party device compliance partners in Intune
Article • 02/22/2023

Microsoft Intune can add compliance state data to Azure Active Directory (Azure AD) for
the devices you manage with one or more third-party device compliance partners. With
this configuration, compliance data from those devices can be used with your
conditional access policies.

Supported platforms include Android, iOS/iPadOS, and macOS, with support for a
platform defined by the device compliance partner you use.

By default, Intune is set up to be the Mobile Device Management (MDM) authority for
your devices. When you add a compliance partner to Azure AD and Intune, you're
configuring that partner to be a source of Mobile Device Management (MDM) authority
for the devices you assign to that partner through an Azure AD user group.

To use data from device compliance partners, complete the following tasks:

1. Configure Intune to work with the device compliance partner, and then configure
groups of users whose devices are managed by that compliance partner.

2. Configure your compliance partner to send data to Intune.

3. Enroll your devices to your device compliance partner.

With these tasks complete, the device compliance partner sends device state details to
Intune. Intune then adds this information to Azure AD. For example, devices with a state
of non-compliant have that status added to their device record in Azure AD.

The compliance state is then evaluated by conditional access policies, the same as
compliance state data for devices managed by Intune. By default, Intune is a registered
compliance partner for iOS and Android. When you add additional partners, you can set
the priority order to ensure the correct partner manages devices to fit your business
needs.

Supported device compliance partners

The following compliance partners are supported as generally available:

Addigy
BlackBerry UEM
Citrix Workspace device compliance
IBM MaaS360
JAMF Pro
MobileIron Device Compliance Cloud
MobileIron Device Compliance On-prem
SOTI MobiControl
VMware Workspace ONE UEM (formerly AirWatch)

Note

If you offer an MDM product and would like to onboard as a device compliance
partner, fill out this Form: Intune partner compliance onboarding.

Prerequisites
A subscription to Microsoft Intune, and access to the Microsoft Intune admin
center.

Device users must be assigned a license for Intune.

A subscription to the device compliance partner.

Review documentation for your compliance partner for supported device platforms
and additional prerequisites.

Configure Intune to work with a device compliance partner

Enable support for a device compliance partner to use compliance state data from that
partner with your conditional access policies.

Add a compliance partner to Intune

1. Sign in to the Microsoft Intune admin center.

2. Go to Tenant Administration > Connectors and Tokens > Partner Compliance
management > Add Compliance Partner.

3. On the Basics page, expand the Compliance partner drop-down and select the
partner you're adding.

To use VMware Workspace ONE as the compliance partner for iOS or Android
platforms, select VMware Workspace ONE mobile compliance.

Next, select the drop-down for Platform, and select the platform.

You're limited to a single partner per platform, even if you have added multiple
compliance partners to Azure AD.

4. On Assignments, select the user groups that will have devices managed by this
partner. With this assignment, you'll change the MDM authority for applicable
devices to use this partner. Users who have devices managed by the partner must
also be assigned a license for Intune.

5. On the Review + create page, review your selections, and then select Create to
complete this configuration.

Your configuration now appears on the Partner compliance management page.

Modify the configuration for a compliance partner

1. Sign in to the Microsoft Intune admin center.

2. Go to Tenant Administration > Connectors and Tokens > Partner Compliance
management, and then select the partner configuration you want to modify.
Configurations are ordered by platform type.

3. On the partner configuration Overview page, select Properties to open the
Properties page where you can edit the assignments.

4. On the Properties page, select Edit to open the Assignments view where you can
change the groups that will use this configuration.

5. Select Review + save and then Save to save your edits.

6. This step only applies when you use VMware Workspace ONE:

From within the Workspace ONE UEM console, you must manually synchronize the
changes you saved in the Microsoft Intune admin center. Until you manually sync
changes, Workspace ONE UEM isn’t aware of configuration changes, and users in
new groups you’ve assigned won’t successfully report compliance.

To manually sync from Azure Services:

a. Sign in to your VMware Workspace ONE UEM console.

b. Go to Settings > System > Enterprise Integration > Directory Services.

c. For Sync Azure Services, select SYNC.

All the changes you’ve made since the initial configuration or the last manual
synchronization are synchronized from Azure Services to UEM.

Configure your compliance partner to work with Intune
To enable a device compliance partner to work with Intune, you must complete
configurations specific to that partner. For information on this task, see the
documentation for the applicable partner:

Citrix Endpoint Management integration with Microsoft Endpoint Manager

VMware Workspace ONE UEM

Enroll your devices to your device compliance partner
Refer to the documentation from your device compliance partner for how to enroll
devices with that partner. After devices enroll and submit compliance data to the
partner, that compliance data is forwarded to Intune and added to Azure AD.

Monitor devices managed by third-party device compliance partners
After you configure third-party device compliance partners and enroll devices with
them, the partner will forward compliance details to Intune. After Intune receives that
data, you can view details about the devices in the Azure portal.

Sign in to the Azure portal and go to Azure AD > Devices > All devices.

Next steps
Use additional documentation from your third-party partner to create compliance
policies for devices.

Blackberry UEM
Citrix Endpoint Management - Integrate with Azure AD Conditional Access
MobileIron Device Compliance Cloud
VMware Workspace ONE UEM

Manage endpoint security in Microsoft Intune
Article • 06/20/2023

As a Security Admin, use the Endpoint security node in Intune to configure device
security and to manage security tasks for devices when those devices are at risk. The
Endpoint security policies are designed to help you focus on the security of your devices
and mitigate risk. The available tasks can help you identify at-risk devices, to remediate
those devices, and restore them to a compliant or more secure state.

The Endpoint security node groups the tools that are available through Intune that you’ll
use to keep devices secure:

Review the status of all your managed devices. Use the All devices view where
you can view device compliance from a high level. Then, drill-in to specific devices
to understand which compliance policies aren't met so you can resolve them.

Deploy security baselines that establish best practice security configurations for
devices. Intune includes security baselines for Windows devices and a growing list
of applications, like Microsoft Defender for Endpoint and Microsoft Edge. Security
baselines are pre-configured groups of Windows settings that help you apply a
configuration that's recommended by the relevant security teams.

Manage security configurations on devices through tightly focused policies. Each
Endpoint security policy focuses on aspects of device security like antivirus, disk
encryption, firewalls, and several areas made available through integration with
Microsoft Defender for Endpoint.

Establish device and user requirements through compliance policy. With
compliance policies, you set the rules that devices and users must meet to be
considered compliant. Rules can include OS versions, password requirements,
device threat-levels, and more.

When you integrate with Azure Active Directory (Azure AD) conditional access
policies to enforce compliance policies, you can gate access to corporate resources
for both managed devices, and devices that aren’t managed yet.

Integrate Intune with your Microsoft Defender for Endpoint team. By integrating
with Microsoft Defender for Endpoint you gain access to security tasks. Security
tasks closely tie Microsoft Defender for Endpoint and Intune together to help your
security team identify devices that are at risk and hand-off detailed remediation
steps to Intune admins who can then act.

Note

For additional reporting information about device configuration profiles, see Intune
reports.

The following sections of this article discuss the different tasks you can do from the
endpoint security node of the admin center, and the role-based access control (RBAC)
permissions that are required to use them.

Manage devices
The Endpoint security node includes the All devices view, where you can view a list of all
devices from your Azure AD that are available in Microsoft Intune.

From this view, you can select devices to drill in for more information, like which policies
a device isn't compliant with. You can also use this view to remediate issues on a device,
including restarting it, starting a scan for malware, or rotating BitLocker keys on a
Windows 10 device.

For more information, see Manage devices with endpoint security in Microsoft Intune.

Manage Security baselines

Security baselines in Intune are pre-configured groups of settings that are best practice
recommendations from the relevant Microsoft security teams for the product. Intune
supports security baselines for Windows 10/11 device settings, Microsoft Edge,
Microsoft Defender for Endpoint Protection, and more.

You can use security baselines to rapidly deploy a best practice configuration of device
and application settings to protect your users and devices. Security baselines are
supported for devices that run Windows 10 version 1809 and later, and Windows 11.

For more information, see Use security baselines to configure Windows devices in
Intune.

Security baselines are one of several methods in Intune to configure settings on devices.
When managing settings, it's important to understand what other methods are in use in
your environment that can configure your devices so you can avoid conflicts. See Avoid
policy conflicts later in this article.

Review Security tasks from Microsoft Defender for Endpoint
When you integrate Intune with Microsoft Defender for Endpoint, you can review
Security tasks in Intune that identify at-risk devices and provide steps to mitigate that
risk. You can then use the tasks to report back to Microsoft Defender for Endpoint when
those risks are successfully mitigated.

Your Microsoft Defender for Endpoint team determines which devices are at risk
and passes that information to your Intune team as a security task. With a few clicks,
they create a security task for Intune that identifies the devices at risk and the
vulnerability, and provides guidance on how to mitigate that risk.

The Intune Admins review security tasks and then act within Intune to remediate
those tasks. Once mitigated, they set the task to complete, which communicates
that status back to the Microsoft Defender for Endpoint team.

Through Security tasks, both teams remain in sync as to which devices are at risk, and
how and when those risks are remediated.

To learn more about using Security tasks, see Use Intune to remediate vulnerabilities
identified by Microsoft Defender for Endpoint.

Use policies to manage device security

As a security admin, use the security policies that are found under Manage in the
Endpoint security node. With these policies, you can configure device security without
having to navigate the larger body and range of settings in device configuration profiles
or security baselines.

To learn more about using these security policies, see Manage device security with
endpoint security policies.

Endpoint security policies are one of several methods in Intune to configure settings on
devices. When managing settings, it's important to understand what other methods are
in use in your environment that can configure your devices, and avoid conflicts. See
Avoid policy conflicts later in this article.

Also found under Manage are Device compliance and Conditional access policies. These
policy types aren't security policies focused on configuring endpoints, but they are
important tools for managing devices and access to your corporate resources.

Use device compliance policy

Use device compliance policy to establish the conditions by which devices and users are
allowed to access your network and company resources.

The available compliance settings depend on the platform you use, but common policy
rules include:

Requiring devices run a minimum or specific OS version
Setting password requirements
Specifying a maximum allowed device threat-level, as determined by Microsoft
Defender for Endpoint or another Mobile Threat Defense partner

In addition to the policy rules, compliance policies support Actions for non-compliance.
These actions are a time-ordered sequence of actions to apply to non-compliant
devices. Actions include sending email or notifications to alert device users about non-
compliance, remotely locking devices, or even retiring non-compliant devices and
removing any company data that might be on them.

When you integrate Intune with Azure AD conditional access policies to enforce
compliance policies, Conditional access can use the compliance data to gate access to
corporate resources for both managed devices, and from devices that you don't
manage.

To learn more, see Set rules on devices to allow access to resources in your organization
using Intune.

Device compliance policies are one of several methods in Intune to configure settings
on devices. When managing settings, it's important to understand what other methods
are in use in your environment that can configure your devices, and to avoid conflicts.
See Avoid policy conflicts later in this article.

Configure conditional access

To protect your devices and corporate resources, you can use Azure Active Directory
(Azure AD) Conditional Access policies with Intune.

Intune passes the results of your device compliance policies to Azure AD, which then
uses conditional access policies to enforce which devices and apps can access your
corporate resources. Conditional access policies also help to gate access for devices that
aren’t managed by Intune and can use compliance details from Mobile Threat Defense
partners you integrate with Intune.

The following are two common methods of using conditional access with Intune:

Device-based conditional access, to ensure only managed and compliant devices
can access network resources.
App-based conditional access, which uses app-protection policies to manage
access to network resources by users on devices that you don't manage with
Intune.

To learn more about using conditional access with Intune, see Learn about Conditional
Access and Intune.

Set up Integration with Microsoft Defender for Endpoint
When you integrate Microsoft Defender for Endpoint with Intune, you improve your
ability to identify and respond to risks.

While Intune can integrate with several Mobile Threat Defense partners, when you use
Microsoft Defender for Endpoint you gain a tight integration between Microsoft
Defender for Endpoint and Intune with access to deep device protection options,
including:

Security tasks – Seamless communication between Defender for Endpoint and
Intune admins about devices at risk, how to remediate them, and confirmation
when those risks are mitigated.
Streamlined onboarding for Microsoft Defender for Endpoint on clients.
Use of Defender for Endpoint device risk signals in Intune compliance policies and
app protection policies.
Access to Tamper protection capabilities.

To learn more about using Microsoft Defender for Endpoint with Intune, see Enforce
compliance for Microsoft Defender for Endpoint with Conditional Access in Intune.

Role-based access control requirements

To manage tasks in the Endpoint security node of the Microsoft Intune admin center, an
account must:

Be assigned a license for Intune.

Have role-based access control (RBAC) permissions equal to the permissions
provided by the built-in Intune role of Endpoint Security Manager. The Endpoint
Security Manager role grants access to the Microsoft Intune admin center. This role
can be used by individuals who manage security and compliance features,
including security baselines, device compliance, conditional access, and Microsoft
Defender for Endpoint.

For more information, see Role-based access control (RBAC) with Microsoft Intune.

Permissions granted by the Endpoint Security Manager role
You can view the following list of permissions in the Microsoft Intune admin center by
going to Tenant administration > Roles > All Roles, and then selecting Endpoint Security
Manager > Properties.

Permissions:

Android FOTA: Read
Android for work: Read
Audit data: Read
Certificate Connector: Read
Corporate device identifiers: Read
Derived Credentials: Read
Device compliance policies: Assign, Create, Delete, Read, Update, View reports
Device configurations: Read, View reports
Device enrollment managers: Read
Endpoint protection reports: Read
Enrollment programs: Read device, Read profile, Read token
Filters: Read
Intune data warehouse: Read
Managed apps: Read
Managed devices: Delete, Read, Set primary user, Update, View reports
Microsoft Defender ATP: Read
Microsoft Store for Business: Read
Mobile Threat Defense: Modify, Read
Mobile apps: Read
Organization: Read
Partner Device Management: Read
PolicySets: Read
Remote assistance connectors: Read, View reports
Remote tasks: Get FileVault key, Initiate Configuration Manager action, Reboot now,
Remote lock, Rotate BitLockerKeys (Preview), Rotate FileVault key, Shut down,
Sync devices, Windows defender
Roles: Read
Security baselines: Assign, Create, Delete, Read, Update
Security tasks: Read, Update
Terms and conditions: Read
Windows Enterprise Certificate: Read

Avoid policy conflicts

Many of the settings you can configure for devices can be managed by different
features in Intune. These features include but aren't limited to:

Endpoint security policies
Security baselines
Device configuration policies
Windows enrollment policies

For example, the settings found in Endpoint security policies are a subset of the settings
that are found in endpoint protection and device restriction profiles in device
configuration policy, and which are also managed through various security baselines.

One way to avoid conflicts is to not use different baselines, instances of the same
baseline, or different policy types and instances to manage the same settings on a
device. This requires planning which methods you'll use to deploy configurations to
different devices. When you use multiple methods or instances of the same method to
configure the same setting, ensure your different methods either agree or aren't
deployed to the same devices.

If conflicts happen, you can use Intune's built-in tools to identify and resolve the source
of those conflicts. For more information, see:

Troubleshoot policies and profiles in Intune
Monitor your security baselines

Next steps
Configure:

Security baselines
Compliance policies
Conditional access policies
Integration with Microsoft Defender for Endpoint

Manage devices with endpoint security in Microsoft Intune
Article • 02/24/2023

As a security administrator, use the All devices view in the Microsoft Intune admin center
to review and manage your devices. The view displays a list of all your devices from your
Azure Active Directory (Azure AD), including devices managed by:

Intune
Configuration Manager
Co-management (by both Intune and Configuration Manager)

Devices can be cloud-only or come from your on-premises infrastructure when it's
integrated with your Azure AD.

To find the view, open the Microsoft Intune admin center and select Endpoint security
> All devices.

The initial All devices view displays your devices and includes key information about
each:

How the device is managed
Compliance status
Operating system details
When the device last checked in
And more

While viewing device details, you can select a device to drill-in for more information.

Available details by management type
When viewing devices in the Microsoft Intune admin center, consider how the device is
managed. The management source affects the information that’s presented in the
admin center and which actions are available to manage the device.

Consider the following fields:

Managed by – This column identifies how the device is managed. Managed by
options include:

MDM - These devices are managed by Intune. Compliance data is collected and
reported by Intune to the admin center.

ConfigMgr – These devices appear in the Microsoft Intune admin center when
you use tenant attach to add the devices you manage with Configuration
Manager. To be managed, the device must run the Configuration Manager
client and be:
In a Workgroup (Azure AD joined and otherwise)
Domain Joined
Hybrid Azure AD Joined (joined to the AD and Azure AD)

Compliance status for devices that are managed by Configuration Manager isn't
visible in the Microsoft Intune admin center.

For more information, see Enable tenant attach in the Configuration Manager
documentation.

MDM/ConfigMgr Agent – These devices are under co-management between
Intune and Configuration Manager.

With co-management, you choose different co-management workloads to
determine which aspects are managed by Configuration Manager or by Intune.
These choices affect which policies the device applies, and how compliance data
is reported to the admin center.

For example, you can use Intune to configure policies for Antivirus, Firewall, and
Encryption. These policies are all considered policy for Endpoint Protection. To
have a co-managed device use the Intune policies and not the Configuration
Manager policies, set the co-management slider for Endpoint Protection to
either Intune or Pilot Intune. If the slider is set to Configuration Manager, the
device uses the policies and settings from Configuration Manager instead.

Compliance: Compliance is evaluated against the compliance policies that are
assigned to the device. The source of these policies and what information is in the
console depends on how the device is managed; Intune, Configuration Manager,
or co-management. For co-managed devices to report compliance, set the co-
management slider for Device Compliance to Intune or to Pilot Intune.

After compliance is reported to the admin center for a device, you can drill into the
device to view additional details. When a device isn’t compliant, drill into its details
to see which policies aren't compliant. That information can help you investigate
and bring the device into compliance.

Last check-in: This field identifies the last time the device reported its status.
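The three fields above (Managed by, Compliance, Last check-in) are what a security admin scans first. The script below is an added example, not Intune's own code, that applies that triage to a device export: it flags non-compliant, conflicting or errored devices, calls out ConfigMgr-only devices whose compliance isn't visible in the admin center, and flags devices whose last check-in is stale, since policies and remote actions only take effect at check-in. The records are constructed; their field names follow the Microsoft Graph managedDevice resource (managementAgent, complianceState, lastSyncDateTime), which is the assumed export format.

```python
"""Triage a device export the way the All devices view presents it.

Added example, not Intune's own code. The records are constructed; their field
names follow the Microsoft Graph managedDevice resource (managementAgent,
complianceState, lastSyncDateTime), which is the assumed export format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Graph managementAgent value -> the 'Managed by' label shown in the admin center.
MANAGED_BY = {
    "mdm": "MDM",
    "configurationManagerClient": "ConfigMgr",
    "configurationManagerClientMdm": "MDM/ConfigMgr Agent",
}

# Constructed sample export; device names and timestamps are made up.
SAMPLE_DEVICES = [
    {"deviceName": "LAPTOP-01", "managementAgent": "mdm",
     "complianceState": "compliant", "lastSyncDateTime": "2023-06-19T08:00:00Z"},
    {"deviceName": "LAPTOP-02", "managementAgent": "mdm",
     "complianceState": "noncompliant", "lastSyncDateTime": "2023-06-20T07:30:00Z"},
    {"deviceName": "SRV-CM-03", "managementAgent": "configurationManagerClient",
     "complianceState": "configManager", "lastSyncDateTime": "2023-06-20T01:00:00Z"},
    {"deviceName": "DESK-04", "managementAgent": "configurationManagerClientMdm",
     "complianceState": "compliant", "lastSyncDateTime": "2023-06-01T09:00:00Z"},
    {"deviceName": "TAB-05", "managementAgent": "mdm",
     "complianceState": "conflict", "lastSyncDateTime": "2023-05-30T10:00:00Z"},
]
SAMPLE_NOW = datetime(2023, 6, 20, 12, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass
class Finding:
    device: str
    managed_by: str
    reason: str


def triage(devices, now, stale_after=timedelta(days=7)):
    """Return the devices a security admin should look at first.

    Flags: a compliance state of noncompliant, conflict or error; ConfigMgr-only
    devices, whose compliance isn't visible in the admin center; and devices that
    haven't checked in within stale_after, since pending policies and remote
    actions only take effect at check-in.
    """
    findings = []
    for d in devices:
        label = MANAGED_BY.get(d["managementAgent"], d["managementAgent"])
        state = d["complianceState"]
        last_sync = datetime.fromisoformat(d["lastSyncDateTime"].replace("Z", "+00:00"))

        if label == "ConfigMgr":
            findings.append(Finding(d["deviceName"], label,
                "compliance not visible in Intune; use the Configuration Manager console"))
        elif state in ("noncompliant", "conflict", "error"):
            findings.append(Finding(d["deviceName"], label, f"compliance state is {state}"))

        if now - last_sync > stale_after:
            days = (now - last_sync).days
            findings.append(Finding(d["deviceName"], label, f"last check-in {days} days ago"))
    return findings


def triage_sample():
    """Run triage over the constructed export with the constructed clock."""
    return triage(SAMPLE_DEVICES, SAMPLE_NOW)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.device:<10} {f.managed_by:<20} {f.reason}")
```

The stale-check-in threshold of seven days is an assumed value; pick one that matches how often your devices are expected to sync. A compliance state of configManager is deliberately not reported as a compliance finding, because for those devices the admin center has no compliance data to show.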

Review a device's policy

To view information about the device configuration policies that apply to a device that's
managed by MDM and Intune, you can view the Device configuration report. Both
endpoint security and security baseline policies are device configuration policies.

To view the report, select a device and then select Device configuration, which is found
below the Monitor category.

Devices that are managed by Configuration Manager don’t display policy details in the
report. To view additional information for these devices, use the Configuration Manager
console.

Remote actions for devices

Remote actions are actions you can start or apply to a device from the Microsoft Intune
admin center. When you view details for a device, you can access remote actions that
apply to the device.

Remote actions display across the top of the device's Overview page. Actions that can’t
display because of limited space on your screen are available by selecting the ellipsis on
the right side.

The remote actions that are available depend on how the device is managed:

Intune: All Intune remote actions that apply to the device platform are available.

Configuration Manager: You can use the following Configuration Manager actions:
Sync Machine Policy
Sync User Policy
App Evaluation Cycle

Co-management: You can access both Intune remote actions and Configuration
Manager actions.

Some of the Intune remote actions can help secure devices or safeguard data that might
be on the device. With remote actions you can:

Lock a device
Reset a device
Remove company data
Scan for malware outside of a scheduled run
Rotate BitLocker keys

The following Intune remote actions are of interest to the security admin, and are a
subset of the full list. Not all actions are available for all device platforms. The links go to
content that provides in-depth details for each action.

Synchronize device – Have the device immediately check-in with Intune. When a
device checks in, it receives any pending actions or policies that have been
assigned to it.

Restart – Force a Windows 10/11 device to restart, within five minutes. The device
owner won't automatically be notified of the restart and might lose work.

Quick Scan – Have Defender run a quick scan of the device for malware and then
submit the results to Intune. A quick scan looks at common locations where there
could be malware registered, such as registry keys and known Windows startup
folders.

Full scan – Have Defender run a scan of the device for malware and then submit
the results to Intune. A full scan looks at common locations where there could be
malware registered, and also scans every file and folder on the device.

Update Windows Defender security intelligence – Have the device update its
malware definitions for Microsoft Defender Antivirus. This action doesn’t start a
scan.

BitLocker key rotation – Remotely rotate the BitLocker recovery key of a device that
runs Windows 10 version 1909 or later, or Windows 11.

You can also use Bulk Device Actions to manage some actions like Retire and Wipe for
multiple devices at the same time. Bulk actions are available from the All devices view.
You’ll select the platform, action, and then specify up to 100 devices.

Options you manage for devices don’t take effect until the device checks in with Intune.

Next steps
Manage endpoint security in Intune

Use security baselines to configure Windows devices in Intune
Article • 05/24/2023

With Microsoft Intune’s security baselines, you can rapidly deploy a recommended
security posture to your managed Windows devices to help you secure and protect your
users and devices.

Even though Windows and Windows Server are designed to be secure out-of-the-box,
many organizations still want more granular control over their security configurations.
To navigate the large number of controls, organizations often seek guidance on
configuring various security features. Microsoft provides this guidance in the form of
security baselines.

Each security baseline is a group of preconfigured Windows settings that help you apply
and enforce granular security settings that the relevant security teams recommend. You
can also customize each baseline you deploy to enforce only those settings and values
you require. When you create a security baseline profile in Intune, you're creating a
template that consists of multiple device configuration profiles.

The settings in each baseline are device configuration settings like those found in
various Intune policies. Each setting in a baseline works with the configuration service
provider for the relevant product that is present on a managed Windows device.

To learn more about why and when you might want to deploy security baselines, see
Windows security baselines in the Windows security documentation.

This feature applies to:

Windows 10 version 1809 and later
Windows 11

Intune security baseline overview

Note

In May 2023, Intune began rollout of a new security baseline format for each new
baseline release or version update. The new format updates the baseline settings to
directly take their name and configuration options from the configuration service
provider (CSP) that the baseline setting manages.

Intune also introduced a new process to help you migrate an existing security
baseline profile to the newer baseline version. This new behavior is a one-time
process that replaces the normal update behavior when you move from the most
recent version of an older profile to a newer version that became available in May
2023 or later.

You deploy security baselines to groups of users or devices in Intune, and the settings
apply to devices that run Windows 10 or 11. For example, the default configuration of
the MDM Security Baseline automatically enables BitLocker for removable drives,
automatically requires a password to unlock a device, automatically disables basic
authentication, and more. When a default value doesn't work for your environment,
customize the baseline to apply the settings you need.

Benefits of using baselines:

Security baselines can help you to have an end-to-end secure workflow when working
with Microsoft 365. Some of the benefits include:

By default, each security baseline is configured to meet the best practices and
recommendations for the settings that affect security. Intune partners with the
same Windows security team that creates group policy security baselines. These
recommendations are based on guidance and extensive experience.
If you're new to Intune, and not sure where to start, security baselines give you an
advantage. You can quickly create and deploy a secure profile, knowing that you're
helping protect your organization's resources and data.
If you currently use group policy, migrating to Intune for management is easier
with these baselines. These baselines are natively built into Intune, and include a
modern management experience.

Default settings across multiple baselines:

Separate baseline types, like the MDM security baseline for Windows and the baseline
for Microsoft Defender, might include the same settings and use different default values
for those settings. Intune can’t determine which configuration is best for you, or even in
which environment or scenario you might want to use one baseline's default
recommendation over another:

It's important to understand the defaults in the baselines you use, and to then
modify each baseline to fit your organizational needs.
By default, each baseline is preconfigured using the recommendations that are
specific to the product it applies to.
In some cases, a configuration that Microsoft Defender recommends might not be
the default configuration for similar settings when recommended by Windows. In
such situations, it’s important to review each setting so you can understand its
intent based on the configuration service provider details, and larger scope of the
two products.

In almost all scenarios, the default settings in the security baselines are the most
restrictive. You should confirm that these settings don't conflict with other policy
settings or features in your environment.

For example, the default settings for firewall configuration might not merge connection
security rules and local policy rules with MDM rules. So, if you're using delivery
optimization, then you should validate these configurations before assigning the
security baseline.

Note

Microsoft doesn't recommend using preview versions of security baselines in a
production environment. The settings in a preview baseline might change over the
course of the preview.

Available security baselines

The following security baseline instances are available for use with Intune. Use the links
to view the settings for recent instances of each baseline.

Security Baseline for Windows 10 and later

November 2021
December 2020
August 2020

Microsoft Defender for Endpoint baseline

(To use this baseline your environment must meet the prerequisites for using
Microsoft Defender for Endpoint).
Version 6
Version 5
Version 4
Version 3

Note

The Microsoft Defender for Endpoint security baseline has been optimized for
physical devices and is currently not recommended for use on virtual
machines (VMs) or VDI endpoints. Certain baseline settings can impact
remote interactive sessions on virtualized environments. For more
information, see Increase compliance to the Microsoft Defender for
Endpoint security baseline in the Windows documentation.

Microsoft 365 Apps for Enterprise

May 2023 (Office baseline)

Microsoft Edge Baseline

May 2023 (Edge Version 112 and later)
September 2020 (Edge version 85 and later)
April 2020 (Edge version 80 and later)
Preview: October 2019 (Edge version 77 and later)

Windows 365 Security Baseline

October 2021

When a new version for a profile becomes available, settings in profiles based on the
older versions become read-only. You can continue to use those older profiles. You can
also edit the profile names, description, and assignments, but they don't support a
change to their settings configuration and you can't create new profiles based on the
older versions.

When you're ready to use the more recent baseline version, you can create new profiles
or update your existing profiles to the new version. See Change the baseline version for
a profile in the Manage security baseline profiles article.

About baseline versions and instances

Each new version instance of a baseline can add or remove settings or introduce other
changes. For example, as new Windows settings become available with new versions of
Windows 10/11, the MDM Security Baseline might receive a new version instance that
includes the newest settings.

You can view the list of available baselines in the Microsoft Intune admin center ,
under Endpoint security > Security baselines. The list includes:

The name of each security baseline template.
How many profiles you have that use that type of baseline.
How many separate instances (versions) of the baseline type are available.
A Last Published date that identifies when the latest version of the baseline
template became available.

To view more information about the baseline versions you use, select a baseline type,
like MDM Security Baseline to open its Profiles pane, and then select Versions. Intune
displays details about the versions of that baseline that are in use by your profiles. The
details include the most recent and current baseline version. You can select a single
version to view deeper details about the profiles that use that version.

You can change the version of a baseline that's in use with a given profile. When you
change the version, you don't have to create a new baseline profile to take advantage
of updated versions. Instead, you can select a baseline profile and use the built-in
option to change the instance version for that profile to a new one.

Avoid conflicts
You can use one or more of the available baselines in your Intune environment at the
same time. You can also use multiple instances of the same security baselines that have
different customizations.

When you use multiple security baselines, review the settings in each one to identify
when your different baseline configurations introduce conflicting values for the same
setting. Because you can deploy security baselines that are designed for different
intents, and deploy multiple instances of the same baseline that includes customized
settings, you might create configuration conflicts for devices that must be investigated
and resolved.

In addition, security baselines often manage the same settings you might set with device
configuration profiles or other types of policy. Therefore, remain aware of and consider
your other policies and profiles for settings when seeking to avoid or resolve conflicts.

Use the information at the following links to help identify and resolve conflicts:

Troubleshoot policies and profiles in Intune


Monitor your security baselines
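The review described above can be scripted. The following Python is an added example, not Intune product code: it models profiles with their include and exclude group assignments, works out which profiles reach a device with a given set of group memberships, and reports the settings those profiles configure to different values. The profile names, group names, setting IDs and values are constructed for the example.

```python
"""Detect conflicting values among the security baseline profiles that reach a device.

Added example; it is not Intune product code. Profile names, group names, setting
IDs and values are constructed for illustration. The assignment rule (a profile
applies to a device that is in an included group and in none of the excluded
groups) follows the include/exclude model described in the text.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Profile:
    name: str
    settings: dict                     # setting ID -> value the profile enforces
    include: frozenset                 # groups the profile is assigned to
    exclude: frozenset = frozenset()   # groups excluded from that assignment


def applicable_profiles(device_groups, profiles):
    """Profiles whose assignment reaches a device with these group memberships."""
    groups = set(device_groups)
    return [p for p in profiles if groups & p.include and not groups & p.exclude]


def find_conflicts(device_groups, profiles):
    """Map each setting that the applicable profiles configure differently to
    {profile name: value}. Profiles that agree on a value do not conflict."""
    conflicts = {}
    for a, b in combinations(applicable_profiles(device_groups, profiles), 2):
        for sid in a.settings.keys() & b.settings.keys():
            if a.settings[sid] != b.settings[sid]:
                entry = conflicts.setdefault(sid, {})
                entry[a.name] = a.settings[sid]
                entry[b.name] = b.settings[sid]
    return conflicts


# Constructed sample: an unmodified MDM baseline instance for all workstations,
# a customized copy of the same baseline for a pilot ring, and an Edge baseline
# that sets one of the same settings to a different value.
PROFILES = [
    Profile("MDM baseline - default", include=frozenset({"All-Workstations"}),
            settings={"Firewall/EnableFirewall": True,
                      "SmartScreen/EnableSmartScreenInShell": True,
                      "Browser/AllowPopups": False}),
    Profile("MDM baseline - pilot", include=frozenset({"Pilot-Ring"}),
            exclude=frozenset({"Kiosks"}),
            settings={"Firewall/EnableFirewall": True,
                      "SmartScreen/EnableSmartScreenInShell": False,
                      "Browser/AllowPopups": False}),
    Profile("Edge baseline", include=frozenset({"All-Workstations"}),
            settings={"Browser/AllowPopups": True,
                      "Browser/SitePerProcess": True}),
]

if __name__ == "__main__":
    for groups in (["All-Workstations"],
                   ["All-Workstations", "Pilot-Ring"],
                   ["All-Workstations", "Pilot-Ring", "Kiosks"]):
        print(groups, "->", find_conflicts(groups, PROFILES) or "no conflicts")
```

Run against a device's real group list, the output is the set of settings an administrator has to decide on before deployment; a device in the pilot ring is hit by both MDM baseline instances and by the Edge baseline, while a kiosk in the pilot ring is excluded from the pilot copy and only sees the default-versus-Edge disagreement.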

Q&A

Why these settings?


The Microsoft security team has years of experience working directly with Windows
developers and the security community to create these recommendations. The settings
in this baseline are considered the most relevant security-related configuration options.
In each new build of Windows, the team adjusts its recommendations based on newly
released features.

Is there a difference in the recommendations for Windows security baselines for
group policy vs. Intune?

The same Microsoft security team chose and organized the settings for each baseline.
Intune includes all the relevant settings in the Intune security baseline. There are some
settings in the group policy baseline that are specific to an on-premises domain
controller. These settings are excluded from Intune's recommendations. All the other
settings are the same.

Are the Intune security baselines CIS or NIST compliant?


Strictly speaking, no. The Microsoft security team consults organizations, such as CIS, to
compile its recommendations. However, there isn't a one-to-one mapping between
"CIS-compliant" and Microsoft baselines.

What certifications do Microsoft's security baselines have?

Microsoft continues to publish security baselines for group policies (GPOs) and the
Security Compliance Toolkit, as it has for many years. These baselines are used by many
organizations. The recommendations in these baselines are from the Microsoft security
team's engagement with enterprise customers and external agencies, including the
Department of Defense (DoD), National Institute of Standards and Technology (NIST),
and more. We share our recommendations and baselines with these organizations.
These organizations also have their own recommendations that closely mirror
Microsoft's recommendations. As mobile device management (MDM) continues to grow
into the cloud, Microsoft created equivalent MDM recommendations of these group
policy baselines. These additional baselines are built into Microsoft Intune, and include
compliance reports on users, groups, and devices that follow (or don't follow) the
baseline.

Many customers use the Intune baseline recommendations as a starting point, and then
customize them to meet their IT and security demands. Microsoft's Windows 10 and
later baseline template was the first baseline to release. This baseline is built as a generic
infrastructure that allows customers to eventually import other security baselines based
on CIS, NIST, and other standards.

Migrating from on-premises Active Directory group policies to a pure cloud solution
using Azure Active Directory (AD) with Microsoft Intune is a journey. To help, use the
various tools from the Security Compliance Toolkit that can help you identify cloud-
based options from security baselines that can replace your on-premises GPO
configurations.

Where can I find details about using or configuring the settings that are available
in a security baseline?

Each security baseline manages device configurations by applying the options found in
a configuration service provider (CSP) on a device. For example, settings that apply to
Microsoft Defender are taken from the Microsoft Defender CSP. Because Intune is a
configuration vehicle for those options and doesn’t determine their functionality or
scope, the CSP documentation owns the content for how to configure each option.

Within the Intune security baseline policy UI, Intune provides information text that is
taken from the source CSP and provides a link to that CSP. In some cases, the CSP might
be part of a larger content set that includes proactive guidance that remains beyond the
scope of Intune to include or duplicate in our content. However, Intune does document
the list of settings in each security baseline version and its default configuration.

Next steps
Create security baseline profiles

Check the status and monitor the baseline and profile

View the settings in the latest versions of the available baselines:

Windows 10 and later - MDM security baseline
Microsoft Defender for Endpoint baseline
Microsoft 365 Apps for Enterprise (Office baseline)
Microsoft Edge (Version 107 and later)
Windows 365 Security Baseline

Manage security baseline profiles in Microsoft Intune
Article • 05/24/2023

Create and deploy distinct instances of security baseline profiles to help secure and
protect your users and devices. By default, security baselines are preconfigured groups
of Windows settings that represent the relevant security teams' recommended security
posture. You can deploy a default (unmodified) baseline or create a customized profile
instance to configure devices with the settings that you require for your environment.

When you create a security baseline profile in Intune, you're creating a template that
consists of multiple device configuration settings.

When multiple versions for a security baseline exist, only the most recent version can be
used to create a new instance of that baseline. If you have profile instances of older
versions, you can continue to use them, and change the groups they're assigned to.
However, outdated versions don't support edits to their setting configurations. Instead,
create new baselines that use the latest version, or update your older baselines to that
version if you need to introduce new configurations for settings.

We recommend updating your older baseline versions to the latest version as soon as
it's practical to do so. Each new version can include newer settings that aren't available
in the older versions, retire old settings, and might include updates to the default
configurations for some settings that align to new security recommendations for the
applicable product.

This feature applies to:

Windows 10 version 1809 and later
Windows 11

See the list of available security baselines.

Common tasks when working with security baselines include:

Create a profile – Configure the settings you want to use and assign the baseline
to groups.
Change the profile version – Change the baseline version in use by a profile.
Remove a baseline assignment - Learn what happens when you stop managing
settings with a security baseline.

Prerequisites
To manage baselines in Intune, your account must have the Policy and Profile
Manager built-in role.

Use of some baselines might require you to have an active subscription to the
applicable services, like Microsoft Defender for Endpoint.

Create a profile for a security baseline


1. Sign in to the Microsoft Intune admin center .

2. Select Endpoint security > Security baselines to view the list of available baselines.

3. Select the baseline you'd like to use, and then select Create profile.

4. On the Basics tab, specify the following properties:

Name: Enter a name for your security baselines profile. For example, enter
Standard profile for Defender for Endpoint.

Description: Enter some text that describes what this baseline does. The
description is for you to enter any text you want. It's optional, but
recommended.

Select Next to go to the next tab. After you advance to a new tab, you can select
the tab name to return to a previously viewed tab.

5. On the Configuration settings tab, view the groups of Settings that are available in
the baseline you selected. You can expand a group to view the settings in that
group, and the default values for those settings in the baseline. To find specific
settings:

Select a group to expand and review the available settings.
Use the Search bar and specify keywords that filter the view to display only
those groups that contain your search criteria.

Each setting in a baseline has a default configuration for that baseline version.
Reconfigure the default settings to meet your business needs. Different baselines
might contain the same setting, and use different default values for the setting,
depending on the intent of the baseline.

6. On the Scope tags tab, select Select scope tags to open the Select tags pane to
assign scope tags to the profile.

7. On the Assignments tab, select Select groups to include and then assign the
baseline to one or more groups. Use Select groups to exclude to fine-tune the
assignment.

Note

Security baselines must be assigned to either user groups or device groups
based on scope of the settings being used. Because of this, multiple baselines
may be needed when assigning both user and device-based settings.

8. When you're ready to deploy the baseline, advance to the Review + create tab and
review the details for the baseline. Select Create to save and deploy the profile.

As soon as you create the profile, it's pushed to the assigned group and might
apply immediately.

Tip

If you save a profile without first assigning it to groups, you can later edit the
profile to do so.

9. After you create a profile, edit it by going to Endpoint security > Security
baselines, select the baseline type that you configured, and then select Profiles.
Select the profile from the list of available profiles, and then select Properties. You
can edit settings from all the available configuration tabs, and select Review +
save to commit your changes.

Update a profile to the latest version


The information in this section applies to updating a baseline instance created before
May 2023 to a version of that same baseline that was released in May 2023 or later.

Note

In May 2023, Intune began rollout of a new security baseline format for each new
baseline release or update. Intune also introduced a new update process for
migrating an existing security baseline profile to a newly released security baseline.
This new behavior replaces existing behavior when moving to a baseline version
released in May 2023 or later.

The previous behavior remains available for use when updating baselines that have
not yet received a new version that uses the new format. For guidance, see Update
baselines that use the previous format.

After May 2023, when a new version for a baseline is released, plan to update your
existing profiles to the new version. When moving from an older format to the new
baseline format (from a version released prior to May 2023 to one released in May 2023
or later):

All new profiles for the baseline type, like Microsoft Edge, use the new format.
Creating a new baseline that uses an older baseline version isn't supported.

Baseline versions released before May 2023 don’t upgrade to the new format
released in May 2023 and later. Instead, create a new profile that uses the new
format and configure the settings from the old baseline in that new baseline
format. This recreation of the profile is a one-time process that is required to move
a baseline from the old format to the new baseline format.

To assist you in this process Intune can export the old profile to a CSV format that
identifies each setting based on the name of the setting as it appears in the new
profile version, along with its configuration.

After creating a new baseline that can replace your older baseline format and
version, the older profile remains unchanged, and you can continue to use it. You
can continue to deploy, reassign, and edit the settings in the older baseline format.

Tip

Support to edit settings in an older baseline version after updating to a new
version is a change from past behavior. This behavior is possible only when
moving from baseline versions created before May 2023 to versions created
in May 2023 or later because the new baseline format exists side-by-side with
the older baseline format instead of replacing it. Later, when updating a
baseline instance that was created in May 2023 or later to a newer version, the
original behavior where you cannot edit settings in the older version returns.

We recommend planning to discontinue use of the older format and deploying a
profile based on the latest version as soon as possible. The older profiles don't
receive updates, while the newer versions released in May 2023:

Use the new settings format in the Intune UI that directly aligns to the
configuration service provider (CSP) source for each setting.
Are preconfigured with default configurations that the relevant security teams
recommend.

Update a baseline to the new format
To update a baseline that was created before May 2023 to the new format, you must
create a new baseline instance. To assist you in recreating the original baseline's
configuration, you can have Intune export your current baseline's configuration as a
.CSV file. The export includes:

Each setting from the older baseline is identified by using the name of the setting
as it appears in the new baseline. While the name of the setting isn't presented
verbatim in the .csv, you will find the path for the setting, which contains part of
the setting name in it.
How each setting in the older baseline was configured.
If the configuration of a setting from the old baseline matches the default
configuration from the new baseline.

With the information from the export, you can rapidly reconfigure the new baseline to
use the same values as the older baseline instance.

1. Sign in to the Microsoft Intune admin center, and go to Endpoint security >
Security baselines > select the baseline type, and then select the checkbox for the
baseline profile (instance) that you want to replicate in the new baseline format,
and then select Change Version. Intune displays the Change Version pane.

In the following screenshot, we’ve drilled into the Security Baseline for Microsoft
Edge. We have two profiles at this time. One is a new profile for Microsoft Edge
v112, and the other is an older profile from September 2020. The older profile also
displays an arrow icon to indicate that there's a newer version to replace it.

2. On the Change Version pane, there are instructions for moving the configuration
details from the older baseline to a profile that uses the new format. The pane also
identifies the selected baseline's name and version, and what the latest baseline
version is.

a. Select Export Profile Settings to create a .csv file that lists the settings in the
selected baseline along with their current configurations if they aren't set to the
baseline's default. When you select the option to export the baseline details,
Intune prepares the export, and then requires you to agree to continue. Select
Yes to download the .CSV file export.

b. After the file downloads, you can open it to view the older baseline's current
configuration.

The Change Version pane also includes a button to Create a new profile for the
selected baseline, which has the same function as the Create profile option that is
more commonly used to create new baseline instances.

The following screen capture shows an export for the Microsoft Edge profile
version 85, as viewed in Microsoft Excel. Of the 17 Microsoft Edge baseline
settings found in the older profile, only one has been changed from the baseline's
default: Enable site isolation for every site was set to Disabled. The baseline
default was Enabled:

In the preceding image, there are three columns of information. The information
identifies the settings in the new profile, and the configuration for each of them
that you had in the old profile.

DefinitionId – This column displays the setting's registry name. The
information after the underscore ( _ ) identifies the setting's name as it
appears in the new baseline profile and format, but without spaces in the
name. This value is also the name of the CSP setting that this baseline setting
manages.
For example, our modified setting of Enable site isolation for every site appears in
this export as admx--microsoftedge_SitePerProcess. The last portion, SitePerProcess,
helps identify the setting.

defaultJson – This column identifies the default configuration for this setting
as seen in the new baseline format. Our sample setting for the SitePerProcess
CSP is set to enabled by default.

customizedJson – The final column displays the configuration of each setting
from the older profile version. This information helps you understand which
settings in the new profile require modification to match the older profile's
configuration. Our sample setting was set to disabled. All other settings
display “NotApplicable” as they weren't modified from the default
configuration in the older baseline version we have been using.

You might note that the updated Microsoft Edge baseline profile has more than
the 17 settings found in the older profile. The baseline export doesn’t identify
these new settings, as they weren't available in the older baseline version you're
reviewing.

Later, when you create and configure the new profile, you can use the list from the
CSV export to ensure each setting from the previous profile is set in the new
profile with the same configuration.
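As an added example (not part of Intune or its documentation), the following Python reads an export of the kind described above and lists only the settings that need a non-default value in the new-format profile. The sample CSV in the script is constructed to mirror the three columns; the exact JSON format of the defaultJson and customizedJson cells in a real export is an assumption, so the script decodes each cell as JSON where it can, unwraps a {"value": ...} wrapper, and otherwise keeps the raw text.

```python
"""List the settings to reapply when recreating a pre-May-2023 baseline profile
in the new format, from the .csv exported on the Change Version pane.

Added example, not part of Intune or its documentation. SAMPLE_EXPORT is a
constructed file with the three columns the text describes (DefinitionId,
defaultJson, customizedJson). The JSON shape of the value cells is an
assumption: cells are parsed as JSON when possible, a {"value": ...} wrapper is
unwrapped, and anything else is kept as the raw string.
"""
import csv
import io
import json

# Constructed sample export. The SitePerProcess row reproduces the case in the
# text (default enabled, customized to disabled); a real Edge v85 export has one
# row per setting in the old profile.
SAMPLE_EXPORT = '''\
DefinitionId,defaultJson,customizedJson
admx--microsoftedge_SitePerProcess,"{""value"":""enabled""}","{""value"":""disabled""}"
admx--microsoftedge_SmartScreenEnabled,"{""value"":""enabled""}",NotApplicable
admx--microsoftedge_PreventSmartScreenPromptOverride,"{""value"":""enabled""}",NotApplicable
admx--microsoftedge_SSLErrorOverrideAllowed,"{""value"":""disabled""}","{""value"":""disabled""}"
admx--microsoftedge_SmartScreenPuaEnabled,"{""value"":""enabled""}",NotApplicable
'''


def setting_name(definition_id):
    """The text after the underscore is the setting name as shown in the new
    baseline format, without spaces (admx--microsoftedge_SitePerProcess ->
    SitePerProcess)."""
    return definition_id.split("_", 1)[-1]


def parse_cell(cell):
    """NotApplicable means 'not customized'; otherwise decode the JSON value."""
    if cell == "NotApplicable":
        return None
    try:
        value = json.loads(cell)
    except json.JSONDecodeError:
        return cell
    if isinstance(value, dict) and set(value) == {"value"}:
        return value["value"]
    return value


def settings_to_reapply(csv_text):
    """Return [(setting name, new-format default, value to set)] for every row
    whose customized value differs from the default. Rows whose customized value
    equals the default are skipped: the new profile already has that value."""
    todo = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        default = parse_cell(row["defaultJson"])
        custom = parse_cell(row["customizedJson"])
        if custom is None or custom == default:
            continue
        todo.append((setting_name(row["DefinitionId"]), default, custom))
    return todo


def summarize(csv_text):
    """Counts for checking the recreated profile: rows in the export and how
    many of them need a non-default value."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {"settings_in_export": len(rows),
            "to_reapply": len(settings_to_reapply(csv_text))}


if __name__ == "__main__":
    print(summarize(SAMPLE_EXPORT))
    for name, default, custom in settings_to_reapply(SAMPLE_EXPORT):
        print(f"{name}: set to {custom!r} (new-format default is {default!r})")
```

The resulting list is the checklist for the new profile; every setting not on it can be left at the new version's default, and settings that exist only in the new version never appear in the export, so they still need a separate review.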

Update baselines that use the previous format


The information in this section applies to updating an existing baseline created before
May 2023 to a version of that same baseline that was also released before May 2023.

Note

In May 2023, Intune began rollout of a new security baseline format for each new
baseline release or update. Intune also introduced a new update process for
migrating an existing security baseline profile to a newly released security baseline.
This new behavior replaces existing behavior when moving to a baseline version
released in May 2023 or later.

The following guidance is for use when updating a baseline to a newer version that
was released before May 2023. If you’re updating a baseline to a version that was
released in May 2023 or later, see Update a profile to the latest version.

When a new version for a baseline becomes available, plan to update your existing
profiles to the new version:

Existing profiles don’t upgrade to new versions automatically.
Settings in baseline profiles that don’t use the latest version become read-only.
You can continue using those older profiles, including editing their name,
description, and assignments, but you can't edit settings for them or create new
profiles based on those older versions.

We recommend you test the version update on a copy of your existing profiles before
you update your live profiles.

When you change the profile version:

You select the latest instance of the same baseline. You can't change between two
different baseline types, such as changing a profile from using a baseline for
Defender for Endpoint to using the MDM security baseline.

You can export and download a CSV file that lists the changes between the two
baseline versions involved.

You choose how to update the profile:


You can keep all your customizations from the original baseline version.
You can choose to use the default values for all settings in the new baseline
version.

You don't have the option to change only some settings in a profile during the
update.

During conversion:

New settings that weren't in the older version you were using are added. Any new
settings from the new version use their default values.

Settings that aren't in the new baseline version you select are removed and no
longer enforced by this security baseline profile.

When a setting is no longer managed by a baseline profile, that setting doesn't
reset on the device. Instead, the setting on the device remains set to its last
configuration until some other process manages the setting to change it. Examples
of processes that can change a setting after you stop managing it include a
different baseline profile, a group policy setting, or manual configuration that's
made on the device.

After the conversion to the new baseline version is complete:


The baseline immediately redeploys to assigned groups.
You can edit the baseline to change individual settings.
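The following Python is an added example, not Intune code, that models the conversion rules above on constructed baseline versions: which settings the Review update file would report as added, removed, or changed in their default, and what the profile contains after each of the two update methods. One rule is an assumption because the text doesn't state it: a setting that was left at its old default, but whose default changed in the new version, takes the new default under both methods.

```python
"""Model the conversion Intune performs when a baseline profile is moved to a
newer version of the same baseline (pre-May-2023 format).

Added example, not Intune code. The version definitions, setting IDs and values
are constructed. review_update() produces what the 'Review update' CSV conveys
(settings added, removed, or with a changed default); change_version()
implements the two update methods the text describes. Assumption: a setting that
was left at its old default, but whose default changed in the new version, takes
the new default under both methods.
"""


def review_update(old_defaults, new_defaults):
    """Differences between two baseline versions."""
    return {
        "added": {s: v for s, v in new_defaults.items() if s not in old_defaults},
        "removed": sorted(s for s in old_defaults if s not in new_defaults),
        "default_changed": {s: (old_defaults[s], v) for s, v in new_defaults.items()
                            if s in old_defaults and old_defaults[s] != v},
    }


def change_version(profile, old_defaults, new_defaults, keep_customizations=True):
    """Convert a profile built on old_defaults to new_defaults.

    Returns (new_profile, no_longer_managed). new_profile holds every setting
    of the new version: customized values survive when keep_customizations is
    True, everything else takes the new default. no_longer_managed lists the
    settings the new version dropped; the baseline stops enforcing them and the
    device keeps its last value until another policy or a manual change touches it.
    """
    customized = {s: v for s, v in profile.items()
                  if s in old_defaults and v != old_defaults[s]}
    new_profile = dict(new_defaults)
    if keep_customizations:
        for s, v in customized.items():
            if s in new_profile:
                new_profile[s] = v
    no_longer_managed = {s: v for s, v in profile.items() if s not in new_defaults}
    return new_profile, no_longer_managed


# Constructed baseline versions: v2 adds RequireCredentialGuard, drops
# LegacyAppInstallCheck and flips the default of AllowPopups.
V1_DEFAULTS = {"EnableFirewall": True, "SmartScreenInShell": True,
               "AllowPopups": False, "LegacyAppInstallCheck": True}
V2_DEFAULTS = {"EnableFirewall": True, "SmartScreenInShell": True,
               "AllowPopups": True, "RequireCredentialGuard": True}

# A v1 profile with two customizations (SmartScreenInShell, LegacyAppInstallCheck).
V1_PROFILE = {"EnableFirewall": True, "SmartScreenInShell": False,
              "AllowPopups": False, "LegacyAppInstallCheck": False}

if __name__ == "__main__":
    print("review:", review_update(V1_DEFAULTS, V2_DEFAULTS))
    for keep in (True, False):
        new_profile, dropped = change_version(V1_PROFILE, V1_DEFAULTS, V2_DEFAULTS, keep)
        print("keep customizations" if keep else "discard customizations",
              new_profile, "no longer managed:", dropped)
```

The no_longer_managed output is the part worth acting on: LegacyAppInstallCheck was deliberately set to a non-default value, and after the update nothing enforces it, so the device silently keeps whatever it had until another profile or a manual change sets it.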

Test the conversion and updated baseline


Before you update a baseline profile to a new version, create a copy of it so you can test
the new version of your profile on a group of devices. See Duplicate a security baseline
later in this article.

When you create a copy, group assignments aren't included, which means your
baseline copy won't deploy to any devices at the time you make a copy or at the
time you update it to a new version.
After you update the profile to the latest version, you can edit its settings. You can
assign the updated copy to a group of devices and edit it to introduce changes to
individual settings in the profile.

To change the baseline version for a profile


Before you update the version of a profile that's assigned to groups, test the version
update on a copy of the profile so you can validate the new baseline's settings on a
test group of devices.

1. Sign in to the Microsoft Intune admin center .

2. Select Endpoint security > Security baselines, and then select the tile for the
baseline type that has the profile you want to change.

3. Next, select Profiles, and then select the check box for the profile you want to edit,
and then select Change Version.

4. On the Change Version pane, use the Select a security baseline to update to
dropdown, and select the version instance you want to use.
5. Select Review update to download a CSV file that displays the difference between
the profiles current instance version and the new version you've selected. Review
this file so that you understand which settings are new or removed, and what the
default values for these settings are in the updated profile.

When ready, continue to the next step.

6. Choose one of the two options for Select a method to update the profile:

Accept baseline changes but keep my existing setting customizations - This
option keeps the customizations you made to the baseline profile and applies
them to the new version you've selected to use.
Accept baseline changes and discard existing setting customizations - This
option overwrites your original profile completely. The updated profile uses
the default values for all settings.

7. Select Submit. The profile updates to the selected baseline version and after the
conversion is complete, the baseline immediately redeploys to assigned groups.

Remove a security baseline assignment


When a security baseline setting no longer applies to a device, or settings in a baseline
are set to Not configured, those settings on a device might not revert to a premanaged
configuration depending on the settings in the security baseline. The settings are based
on CSPs, and each CSP can handle the change removal differently.

Other processes that might later change settings on the device include a different or
new security baseline, device configuration profile, Group Policy configurations, or
manual edit of the setting on the device.

Duplicate a security baseline


You can create duplicates of your security baselines. Duplicating a baseline can be useful
when you want to assign a similar but distinct baseline to a subset of devices. By
creating a duplicate, you don't need to manually recreate the entire baseline. Instead,
you can duplicate any of your current baselines and then introduce only the changes the
new instance requires. You might only change a specific setting and the group the
baseline is assigned to.

When you create a duplicate, give the copy a new name. The copy is made with the
same setting configurations and scope tags as the original, but doesn't have any
assignments. You must edit the new baseline to add assignments.

All security baselines support creating a duplicate.

After you duplicate a baseline, review and edit the new instance to make changes to its
configuration.

To duplicate a baseline
1. Sign in to the Microsoft Intune admin center .
2. Go to Endpoint security > Security baselines, select the type of baseline you want
to duplicate, and then select Profiles.
3. Right-click on the profile you want to duplicate and select Duplicate, or select the
ellipsis (…) to the right of the baseline and select Duplicate.
4. Provide a New name for the baseline, and then select Save.

After a Refresh, the new baseline profile appears in the admin center.

To edit a baseline
1. Select the baseline, and then select Properties.

2. From this view you can select Edit for the following categories to modify the
profile:

Basics
Assignments
Scope tags
Configuration settings

You can Edit a profile's Configuration settings only when that profile uses the latest
version of that security baseline. For profiles that use older versions, you can
expand Settings to view the configuration of settings in the profile, but you can't
modify them. After a profile is updated to the most recent baseline version, you'll
be able to edit the profile's settings.

3. After you’ve made changes, select Save to save your edits. You save edits to one
category before you can introduce edits to additional categories.

Older baseline versions


Microsoft Intune updates the versions of built-in Security Baselines depending on the
changing needs of a typical organization. Each new release results in a version update to
a particular baseline. The expectation is that customers will use the latest baseline
version as a starting point to their Device Configuration profiles.

When there are no longer any profiles that use an older baseline listed in your tenant,
Microsoft Intune lists the latest baseline version available.

If you have a profile associated with an older baseline, that older baseline continues to
be listed.

Co-managed devices
Security baselines work the same way on Intune-managed devices and on devices that
are co-managed with Configuration Manager. Co-managed devices use Configuration
Manager and Microsoft Intune to manage the Windows 10/11 devices simultaneously. It
lets you cloud-attach your existing Configuration Manager investment to the benefits
of Intune. Co-management overview is a great resource if you use Configuration
Manager, and also want the benefits of the cloud.

When using co-managed devices, you must switch the Device configuration workload
(its settings) to Intune. Device configuration workloads provides more information.

Next steps
Check the status and monitor the baseline and profile

View the settings in the latest versions of the available baselines:


Windows 10 and later - MDM security baseline
Microsoft Defender for Endpoint baseline
Microsoft 365 Apps for Enterprise (Office baseline)
Microsoft Edge (Version 112 and later)
Windows 365 Security Baseline
Monitor security baselines and profiles in Microsoft Intune
Article • 02/22/2023

Intune provides several options to monitor security baselines. You can:

Monitor a security baseline, and any devices that match (or don't match) the
recommended values.
Monitor the security baselines profile that applies to your users and devices.
View how the settings from a selected profile are set on a selected device.

You can also view the Device configuration report to see which device configuration
based policies apply to individual devices, which include security baselines.

For more information about the feature, see Security baselines in Intune.

Monitor the baseline and your devices


When you monitor a baseline, you get insight into the security state of your devices
based on Microsoft's recommendations. To view these insights, sign in to the Microsoft
Intune admin center, go to Endpoint security > Security baselines and select a
security baseline type like the MDM Security Baseline. Then, from the Versions pane,
select the profile instance for which you want to view details to open its Overview pane.

The Overview pane displays two status views for the selected baseline:

Security baseline posture chart - This chart displays high-level details about device
status for the baseline version. The available details:
  Matches default baseline – This status identifies when a device's configuration
  matches the default (unmodified) baseline configuration.
  Matches custom settings – This status identifies when a device's configuration
  matches the customized version of the baseline that you've deployed.
  Misconfigured – This status is a roll-up that represents three status conditions
  from a device: Error, Pending, or Conflict. These separate states are available
  from other views, like the Security baseline posture by category, a list view that
  appears below this chart.
  Not applicable - This status represents a device that can’t receive the policy. For
  example, the policy updates a setting specific to the latest version of Windows,
  but the device runs an older (earlier) version that doesn’t support that setting.
Security baseline posture by category - A list view that displays device status by
category. In this list view, the same details as the Security baseline posture chart are
available. However, in place of Misconfigured you’ll see three columns for the status
states that make up Misconfigured:
  Error: The policy failed to apply. The message typically displays with an error
  code that links to an explanation.
  Conflict: Two settings are applied to the same device, and Intune can't sort out
  the conflict. An administrator should review.
  Pending: The device hasn't checked in with Intune to receive the policy yet.

When you drill in to the two preceding views, you can view the following details for the
setting status and the device status list views:

Succeeded: Policy is applied.
Error: The policy failed to apply. The message typically displays with an error code
that links to an explanation.
Conflict: Two settings are applied to the same device, and Intune can't sort out the
conflict. An administrator should review.
Pending: The device hasn't checked in with Intune to receive the policy yet.
Not applicable: The device can't receive the policy. For example, the policy
updates a setting specific to the latest version of Windows, but the device runs an
older (earlier) version that doesn’t support that setting.

From the Version view, you can select Device Status. The Device Status view displays a
list of the devices that receive this baseline and includes the following details:

USER PRINCIPAL NAME - The user profile associated with the baseline on the
device.
SECURITY BASELINE POSTURE - This column displays the devices state:
Succeeded: Policy is applied.
Error: The policy failed to apply. The message typically displays with an error
code that links to an explanation.
Conflict: Two settings are applied to the same device, and Intune can't sort out
the conflict. An administrator should review.
Pending: The device hasn't checked in with Intune to receive the policy yet.
Not applicable: The device can't receive the policy. For example, the policy
updates a setting specific to the latest version of Windows, but the device runs
an older (earlier) version that doesn’t support that setting.
LAST CHECK-IN - When status was last received from the device.

Tip
It takes up to 24 hours for data to appear after you first assign a baseline. Later
changes take up to six hours to appear.

Monitor the profile


Monitoring the profile gives insight into the deployment state of your devices, but not
the security state based on the baseline recommendations.

1. In Intune, select Endpoint security > Security baselines, select a security baseline
type like the MDM Security Baseline > select an instance of that baseline >
Properties.

2. In the Properties of the baseline, expand Settings to drill-in and view all the
settings categories and individual settings in the baseline, including their
configuration for this instance of the baseline.

3. Use the options for Monitor to view the deployment status of the profile on
individual devices, the status for each user, and the status for the settings from the
instance of the baseline.

Resolve conflicts for security baselines


To help resolve a conflict or error for settings in your security baseline profiles or
Endpoint security policies, view the Device configuration report for a device. This report
view helps you identify where your profiles and policies contain settings that drive a
status of Conflict or Error.

You can also reach information about settings in conflict or error through two paths
from within Microsoft Intune admin center:

Endpoint security > Security baselines > select a baseline type > Profiles > select a
baseline instance > Device status
Devices > All devices > select a device > Device configuration > select a Policy >
select a setting from the list of settings that shows a Conflict or Error.

Drill in to identify and resolve conflicts


1. While viewing the Device configuration report for a device, select a policy to drill
in to learn more about the issue that results in a conflict or error status.

When you drill in, Intune displays a list of settings for that policy that includes each
setting that wasn’t set as Not configured, and the status of that setting.

2. To view details about a specific setting, select it to open the Settings details pane.
In this pane you’ll see:

Setting – The name of the setting.
State – The status of the setting on the device.
Source Profiles – A list of each conflicting profile that configures the same
setting but with a different value.

3. To reconfigure conflicting profiles, select a record from the Source Profiles list to
open Overview for that profile. Select the profile's Properties, and you can then
review and edit settings in that profile to remove the conflict.

View settings from profiles that apply to a device
You can select a profile for a Security Baseline, and drill-in to view a list of settings from
that profile as they apply to an individual device. To drill in:

Endpoint Security > All devices > select a device > Device configuration > select a
baseline policy instance

After you drill in, the admin center displays a list of the settings from that profile and the
settings status. Status states include:

Succeeded – The setting on the device matches the value as configured in the
profile. This is either the baseline's default and recommended value, or a custom
value specified by an administrator when the profile was configured.
Conflict – The setting is in conflict with another policy, has an error, or is pending
an update.
Error - The setting failed to apply.

Troubleshoot using per-setting status


You deployed a security baseline, but the deployment status shows an error. The
following steps give you some guidance on troubleshooting the error.

1. In Intune, select Endpoint security > Security Baselines > select a baseline >
Profiles.

2. Select a profile > Under Monitor > Per-setting status.

3. The table shows all the settings, and the status of each setting. Select the Error
column or the Conflict column to see the setting causing the error.

MDM diagnostic information


Now you know the problematic setting. The next step is to find out why this setting is
causing an error or conflict.

On Windows 10/11 devices, there's a built-in MDM diagnostic information report. This
report includes default values, current values, lists the policy, shows if it's deployed to
the device or the user, and more. Use this report to help determine why the setting is
causing a conflict or error.

1. On the device, go to Settings > Accounts > Access work or school.

2. Select the account > Info > Advanced Diagnostic Report > Create report.

3. Choose Export, and open the generated file.

4. In the report, look for the error or conflict setting in the different sections of the
report.

For example, look in the Enrolled configuration sources and target resources section or
the Unmanaged policies section. You may get an idea of why it's causing an error or
conflict.

Diagnose MDM failures in Windows 10 provides more information on this built-in
report.

Tip

Some settings also list the GUID. You can search for this GUID in the local
registry (regedit) for any set values.
The Event Viewer logs may also include some error information on the
problematic setting (Event viewer > Applications and Services Logs >
Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-
Provider > Admin).
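The report, registry and Event Viewer checks in this section can also be collected from an elevated PowerShell session on the device. The following script is an added example and is not part of the Intune documentation; it assumes the built-in MdmDiagnosticsTool.exe produces the same report as the Settings app, that the setting's GUID can be found under the PolicyManager and Enrollments registry keys, and that the GUID in the script is a placeholder you replace with the one listed for the problematic setting.

```powershell
# Added example (not from the Intune documentation): gather the MDM diagnostic
# data this section describes, from an elevated PowerShell session on an
# Intune-enrolled Windows 10/11 device.
# Assumptions: MdmDiagnosticsTool.exe (built in to Windows) is the tool behind
# the Advanced Diagnostic Report; the setting GUID is searched under the
# PolicyManager and Enrollments registry keys; $SettingGuid is a placeholder.

param(
    [string]$OutputDir   = "$env:PUBLIC\Documents\MDMDiagnostics",
    # Placeholder: replace with the GUID listed for the problematic setting
    [string]$SettingGuid = '00000000-0000-0000-0000-000000000000'
)

# Event log named in the Tip above (Applications and Services Logs > Microsoft >
# Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin)
$MdmLogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# Step 1: generate the built-in MDM diagnostic report (equivalent to
# Settings > Accounts > Access work or school > Info > Create report).
function New-MdmDiagnosticReport {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    & "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -out $Path
    # The tool writes MDMDiagReport.html (plus an XML copy) into the folder
    Get-ChildItem -Path $Path -Filter 'MDMDiagReport.*'
}

# Step 2: pull recent Error and Warning events from the MDM diagnostics log,
# optionally narrowed to text from the problematic setting (name or GUID).
function Get-MdmPolicyEvent {
    param([int]$MaxEvents = 50, [string]$Match)
    $filter = @{ LogName = $MdmLogName; Level = 2, 3 }   # 2 = Error, 3 = Warning
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if ($Match) { $events = $events | Where-Object { $_.Message -like "*$Match*" } }
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Step 3: search the local MDM policy registry for a setting GUID, matching
# both key names and value data, which is what a manual regedit search does.
function Find-MdmRegistryGuid {
    param([Parameter(Mandatory)][string]$Guid)
    $roots = 'HKLM:\SOFTWARE\Microsoft\PolicyManager',
             'HKLM:\SOFTWARE\Microsoft\Enrollments'
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            $keyHit = $key.Name -like "*$Guid*"
            $valueHits = $key.GetValueNames() | Where-Object {
                "$($key.GetValue($_))" -like "*$Guid*"
            }
            if ($keyHit -or $valueHits) {
                [pscustomobject]@{
                    Key    = $key.Name
                    Values = ($valueHits -join ', ')
                }
            }
        }
    }
}

# Run all three checks and show where to look next.
$report = New-MdmDiagnosticReport -Path $OutputDir
Write-Host "MDM diagnostic report written to: $($report.FullName -join ', ')"

Write-Host "`nRecent MDM errors and warnings:"
Get-MdmPolicyEvent -MaxEvents 25 | Format-Table -AutoSize -Wrap

if ($SettingGuid -ne '00000000-0000-0000-0000-000000000000') {
    Write-Host "`nRegistry keys referencing ${SettingGuid}:"
    Find-MdmRegistryGuid -Guid $SettingGuid | Format-Table -AutoSize -Wrap
}
```

Open the generated MDMDiagReport.html and look for the setting in the Enrolled configuration sources and target resources or Unmanaged policies sections, as described above.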

Next steps
Learn about security baselines

Avoid conflicts

Monitor device profiles

Common issues and resolutions

Troubleshoot policies and profiles in Intune


Use Intune to remediate vulnerabilities
identified by Microsoft Defender for
Endpoint
Article • 04/14/2023

When you integrate Intune with Microsoft Defender for Endpoint, you can take
advantage of Defender for Endpoint's threat and vulnerability management and use
Intune to remediate endpoint weakness identified by Defender's vulnerability
management capability. This integration brings a risk-based approach to the discovery
and prioritization of vulnerabilities that can improve remediation response time across
your environment.

Threat & Vulnerability Management is part of Microsoft Defender for Endpoint.

How integration works


After you connect Intune to Microsoft Defender for Endpoint, Defender for Endpoint
receives threat and vulnerability details from managed devices.

Vulnerabilities that are discovered aren't based on configurations from Intune.
They're based on Microsoft Defender for Endpoint configurations and scan details.
Not all issues that Defender for Endpoint flags for remediation support
remediation through the creation of a security task for Intune.

In the Microsoft Defender Security Center console, Defender for Endpoint security
admins review data about endpoint vulnerabilities. The admins then use a few clicks to
create security tasks that flag the vulnerable devices for remediation. The security tasks
are immediately passed to the Microsoft Intune admin center where Intune admins can
view them. The security task identifies the type of vulnerability, priority, status, and the
steps to take to remediate the vulnerability. The Intune admin chooses to accept or
reject the task.

When a task is accepted, the Intune admin then acts to remediate the vulnerability
through Intune, using the guidance provided as part of the security task.

Each task is identified by a Remediation Type:

Application – An application is identified that has a vulnerability or issue you can
mitigate with Intune. For example, Microsoft Defender for Endpoint identifies a
vulnerability for an app named Contoso Media Player v4, and an admin creates a
security task to update that app. The Contoso Media Player is an unmanaged app
that wasn't deployed with Intune, and there could be a security update or newer
version of the application that resolves the issue.

Configuration – Vulnerabilities or risks in your environment can be mitigated
through use of Intune endpoint security policies. For example, Microsoft Defender
for Endpoint identifies that devices lack protection from Potentially Unwanted
Applications (PUA). An admin creates a security task for this, which identifies a
mitigation of configuring the setting Action to take on potentially unwanted apps
as part of the Microsoft Defender Antivirus profile for Antivirus policy.

For configuration issues, when there isn’t a plausible remediation that Intune can
provide, then Microsoft Defender for Endpoint won’t create a security task for it.

Common actions for remediation include:

Block an application from being run.
Deploy an operating system update to mitigate the vulnerability.
Deploy endpoint security policy to mitigate the vulnerability.
Modify a registry value.
Disable or Enable a configuration to affect the vulnerability.
Require Attention alerts the admin to the threat when there's no suitable
recommendation to provide.

Following is an example workflow for an application. This same general workflow applies
for configuration issues:

A Microsoft Defender for Endpoint scan identifies a vulnerability for an app named
Contoso Media Player v4, and an admin creates a security task to update that app.
The Contoso Media player is an unmanaged app that was not deployed with
Intune.

This security task appears in the Microsoft Intune admin center with a status of
Pending:
The Intune admin selects the security task to view details about the task. The
admin then selects Accept, which updates the status in Intune, and in Defender for
Endpoint to be Accepted.

The admin then remediates the task based on the guidance provided. The
guidance varies depending on the type of remediation that's needed. When
available, remediation guidance includes links that open relevant panes for
configurations in Intune.

Because the media player in this example isn't a managed app, Intune can only
provide text instructions. If the app was managed, Intune could provide
instructions to download an updated version, and provide a link to open the
deployment for the app so that the updated files can be added to the deployment.

After completing the remediation, the Intune admin opens the security task and
selects Complete Task. The remediation status is updated for Intune and in
Defender for Endpoint, where security admins confirm the revised status for the
vulnerability.

Prerequisites
Subscriptions:

Microsoft Intune Plan 1
Microsoft Defender for Endpoint (Sign up for a free trial.)

Intune configurations for Defender for Endpoint:

Configure a service-to-service connection with Microsoft Defender for Endpoint.

Deploy a device configuration policy with a profile type of Microsoft Defender for
Endpoint (desktop devices running Windows 10 or later) to devices that will have
risk assessed by Defender for Endpoint.

For information about how to set up Intune to work with Defender for Endpoint,
see Enforce compliance for Microsoft Defender for Endpoint with Conditional
Access in Intune.

Work with security tasks


Before you can work with security tasks, they must be created from within the Defender
Security Center. For information on using the Microsoft Defender Security Center to
create security tasks, see Remediate vulnerabilities with threat and vulnerability
management in the Defender for Endpoint documentation.

To manage security tasks:

1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Security tasks.

3. Select a task from the list to open a resource window that displays more details for
that security task.

While viewing the security task resource window, you can select additional links:

MANAGED APPS - View the app that is vulnerable. When the vulnerability
applies to multiple apps, you'll see a filtered list of apps.
DEVICES - View a list of the Vulnerable devices, from which you can link
through to an entry with more details for the vulnerability on that device.
REQUESTOR - Use the link to send mail to the admin who submitted this
security task.
NOTES - Read custom messages submitted by the requestor when opening
the security task.

4. Select Accept or Reject to send notification to Defender for Endpoint for your
planned action. When you accept or reject a task, you can submit notes, which are
sent to Defender for Endpoint.

5. After accepting a task, reopen the security task (if it closed), and follow the
REMEDIATION details to remediate the vulnerability. The instructions provided by
Defender for Endpoint in the security task details vary depending on the
vulnerability involved.

When it's possible to do so, the remediation instructions include links that open
the relevant configuration objects in the Microsoft Intune admin center.
6. After completing the remediation steps, open the security task and select
Complete Task. This action updates the security task status in both Intune and
Defender for Endpoint.

After remediation is successful, the risk exposure score in Defender for Endpoint can
drop, based on new information from the remediated devices.

Next Steps
Learn more about Intune and Microsoft Defender for Endpoint.

Review Intune Mobile Threat Defense.

Review the Threat & Vulnerability Management dashboard in Microsoft Defender for
Endpoint.
Manage device security with endpoint
security policies in Microsoft Intune
Article • 06/19/2023

Use Intune endpoint security policies to manage security settings on devices. Each
endpoint security policy supports one or more profiles. These profiles are similar in
concept to a device configuration policy template, a logical group of related settings.

As a security admin concerned with device security, you can use these security-focused
profiles to avoid the overhead of device configuration profiles or security baselines.
Device configuration profiles and baselines include a large body of diverse settings
outside the scope of securing endpoints. In contrast, each endpoint security profile
focuses on a specific subset of device settings intended to configure one aspect of
device security.

When using endpoint security policies alongside other policy types like security
baselines or endpoint protection templates from device configuration policies, it’s
important to develop a plan for using multiple policy types to minimize the risk of
conflicting settings. Security baselines, device configuration policies, and endpoint
security policies are all treated as equal sources of device configuration settings by
Intune. A settings conflict occurs when a device receives two different configurations for
a setting from multiple sources. Multiple sources can include separate policy types and
multiple instances of the same policy.

When Intune evaluates policy for a device and identifies conflicting configurations for a
setting, the setting that's involved can be flagged for an error or conflict and fail to
apply. Each type of configuration policy supports identifying and resolving conflicts
should they arise:

Device configuration profiles
Endpoint security profiles
Security baselines

You'll find endpoint security policies under Manage in the Endpoint security node of the
Microsoft Intune admin center.
Following are brief descriptions of each endpoint security policy type. To learn more
about them, including the available profiles for each, follow the links to content
dedicated to each policy type:

Account protection - Account protection policies help you protect the identity and
accounts of your users. The account protection policy is focused on settings for
Windows Hello and Credential Guard, which is part of Windows identity and access
management.

Antivirus - Antivirus policies help security admins focus on managing the discrete
group of antivirus settings for managed devices.

Application Control (Preview) - Manage approved apps for Windows devices with
Application Control policy and Managed Installers for Microsoft Intune. Intune
Application Control policies are an implementation of Windows Defender
Application Control (WDAC).

Attack surface reduction - When Defender antivirus is in use on your Windows
10/11 devices, use Intune endpoint security policies for Attack surface reduction to
manage those settings for your devices.

Disk encryption - Endpoint security Disk encryption profiles focus on only the
settings that are relevant for a device's built-in encryption method, like FileVault or
BitLocker. This focus makes it easy for security admins to manage disk encryption
settings without having to navigate a host of unrelated settings.

Endpoint detection and response - When you integrate Microsoft Defender for
Endpoint with Intune, use the endpoint security policies for endpoint detection and
response (EDR) to manage the EDR settings and onboard devices to Microsoft
Defender for Endpoint.

Firewall - Use the endpoint security Firewall policy in Intune to configure a device's
built-in firewall for devices that run macOS and Windows 10/11.

The following sections apply to all of the endpoint security policies.

Create an endpoint security policy


1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security and then select the type of policy you want to configure,
and then select Create Policy. Choose from the following policy types:

Account protection
Antivirus
Application control (Preview)
Attack surface reduction
Disk encryption
Endpoint detection and response
Firewall

3. Enter the following properties:

Platform: Choose the platform that you're creating policy for. The available
options depend on the policy type you select.
Profile: Choose from the available profiles for the platform you selected. For
information about the profiles, see the dedicated section in this article for
your chosen policy type.

4. Select Create.

5. On the Basics page, enter a name and description for the profile, then choose
Next.

6. On the Configuration settings page, expand each group of settings, and configure
the settings you want to manage with this profile.

When you're done configuring settings, select Next.

7. On the Scope tags page, choose Select scope tags to open the Select tags pane to
assign scope tags to the profile.

Select Next to continue.


8. On the Assignments page, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

9. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list when you select the policy type for the profile you created.

Duplicate a policy
Endpoint security policies support duplication to create a copy of the original policy.
Duplicating a policy is useful when you need to assign similar policies to different
groups but don't want to manually recreate the entire policy. Instead, you can
duplicate the original policy and then introduce only the changes the new policy
requires. You might only change a specific setting and the group the policy is assigned
to.

When creating a duplicate, you'll give the copy a new name. The copy is made with the
same setting configurations and scope tags as the original, but won't have any
assignments. You'll need to edit the new policy later to create assignments.

The following policy types support duplication:

Account protection
Application Control (preview)
Antivirus
Attack surface reduction
Disk encryption
Endpoint detection and response
Firewall

After creating the new policy, review and edit the policy to make changes to its
configuration.

To duplicate a policy
1. Sign in to the Microsoft Intune admin center.
2. Select the policy that you want to copy. Next, select Duplicate or select the ellipsis
(…) to the right of the policy and select Duplicate.
3. Provide a New name for the policy, and then select Save.

To edit a policy
1. Select the new policy, and then select Properties.
2. Select Settings to expand a list of the configuration settings in the policy. You can’t
modify the settings from this view, but you can review how they're configured.
3. To modify the policy, select Edit for each category where you want to make a
change:

Basics
Assignments
Scope tags
Configuration settings

4. After you’ve made changes, select Save to save your edits. Edits to one category
must be saved before you can introduce edits to additional categories.

Manage conflicts
Many of the device settings that you can manage with Endpoint security policies
(security policies) are also available through other policy types in Intune. These other
policy types include device configuration policy and security baselines. Because settings
can be managed through several different policy types or by multiple instances of the
same policy type, be prepared to identify and resolve policy conflicts for devices that
don't adhere to the configurations you expect.

Security baselines can set a non-default value for a setting to comply with the
recommended configuration that baseline addresses.
Other policy types, including the endpoint security policies, set a value of Not
configured by default. These other policy types require you to explicitly configure
settings in the policy.

Regardless of the policy method, managing the same setting on the same device
through multiple policy types, or through multiple instances of the same policy type can
result in conflicts that should be avoided.

The information at the following links can help you identify and resolve conflicts:

Troubleshoot policies and profiles in Intune
Monitor your security baselines

Next steps
Manage endpoint security in Intune
Use reusable groups of settings with
Intune policies
Article • 04/12/2023

This feature is in public preview.

Intune supports reusable settings groups that you can add to configuration policies and
profiles to help simplify management of common settings. A good time to use reusable
groups is when you need to use the settings with the same configuration in more than a
single profile.

When you edit the settings in a reusable group, the changes you make automatically
apply to each profile that includes the group. When you save your changes to the
reusable settings group, Intune updates the profiles with those new configurations and
deploys the updated profile to devices based on the profile’s assignments.

The following profiles support reusable groups.

Device control (Attack Surface Reduction policy)
Microsoft Defender Firewall Rules (Firewall policy)

Overview of reusable settings groups


Each reusable settings group is a single object that can include multiple settings. After
configuring one or more reusable groups for use with a specific profile type, you create
or edit a profile to add the groups. Profiles can support multiple groups.

To manage groups of reusable settings, in the Microsoft Intune admin center you use
the Reusable settings tab that’s associated with the policy and profiles you want to use a
group with. On the tab, you can create a group, edit the settings in a group, and view
the count of policies that inherit settings from each group. Each reusable settings group
is used with only its related profile type.

For example, the following image shows the Reusable settings tab you would use to
manage reusable groups for the Microsoft Defender Firewall Rules profile:
After creating reusable groups, you use an option in a profile's Configuration settings
page to add groups to that profile. Profiles that include one or more reusable groups
use each setting from each included group as if the settings were directly configured in
the profile.

Prerequisites
The following profiles support use of reusable settings groups:

Endpoint security policy

Firewall > Microsoft Defender Firewall rules:

Platforms: Windows 10 and Windows 11
Windows versions: Devices must run Windows 10 20H2 or later, or Windows 11.

Attack surface reduction > Device control:

Platforms: Windows 10 and later

Endpoint Privilege Management

Windows elevation rules policy

Note

Reusable settings groups are not currently supported for use with Security
Management for Microsoft Defender for Endpoint.

Create a reusable group


Each reusable settings group includes a subset of settings from the full profile you’re
creating the group for. Use the following links to view the settings you can configure in
a settings group for each profile:

Device Control
Microsoft Defender Firewall rules

To create a reusable settings group:

1. Open the Microsoft Intune admin center, navigate to the policy for which you
want to create a reusable group and then select the Reusable settings (preview)
tab.

2. Select Add to open the Configure reusable settings (preview) workflow.

3. On the Basics page, configure a name. The description is optional.

4. On the Configuration settings page, select Add and then configure settings for this
group as if configuring settings directly in the supported profile.

For Device Control, when you select Add you then must choose the type of group
settings to configure, and then select Edit instance to continue. If you add more
than one instance, review the Match type configuration for the group.

There's a limit of 100 instances per group. Use the information text in the admin
center for each setting in the reusable settings group as guidance. Follow the Learn
more link for a setting to view details about the setting from that settings content
source.

 Tip

Carefully name each reusable group you create to ensure you can identify it
later. This is important because each reusable group that you create, for any
policy type, is visible when adding reusable groups to a policy, even if the
group contains settings that would not normally apply to the policy you’re
configuring. For example, if you have a reusable group created for Microsoft
Defender Firewall rules, that group will be visible and can be selected when
adding reusable groups to Device Control policies.

5. On the Review + Add page, select Add to save your reusable settings group.

Modify a reusable group


When you edit the configuration of a reusable group, each profile that uses that group
automatically updates to apply the new configuration to devices.

1. Open the Microsoft Intune admin center, navigate to the policy for which you
want to modify a reusable group, and then select the Reusable settings (preview)
tab.

2. Select the reusable settings group you want to edit. This opens the configuration
workflow that resembles the workflow for creating a new reusable group.

3. On the Basics page you can rename the group, and on the Configuration settings
page you can reconfigure settings. On the last page, select Save to save your
configuration and update the profiles that use the settings group.

Add reusable groups to a Microsoft Defender Firewall rule profile
Add reusable settings groups to profiles while editing or creating the profile. On the
profile's Configuration settings page, use an option that supports adding one or more
previously created groups.

1. In the Microsoft Intune admin center, create a new profile or select and edit an
existing profile.

2. On the Configuration settings page, select Add to add a new rule, or Edit rule to
manage a previously created rule.

3. On the Configure instance pane for the rule, configure Action to determine how
this rule manages settings like IP Addresses or FQDNs. For example, you might set
Action to allow or block. This configuration applies to both the settings you add
directly to this rule and to the settings that are in each reusable group that is
added to this rule.

Save the rule configuration.

4. For the rule you saved, select Set reusable settings to open the Select reusable
settings pane.
5. Select one or more of the available groups to add them to this rule, and then save
your selections.
6. After adding reusable groups to a profile, save your configuration. When saved,
Intune includes the settings from the reusable groups and deploys the profile to
devices based on the profile’s assignments.

Add reusable groups to a Device Control profile


Add reusable settings groups to profiles while editing or creating the profile. Reusable
groups for Device Control profiles support the following types of settings:

Printer device
Removable storage

On the profile's Configuration settings page, use an option that supports adding one or
more previously created groups.
1. In the Microsoft Intune admin center, create a new profile or select and edit an
existing profile.

2. On the Configuration settings page, expand the Device Control category and select
Add to add a new rule, or Edit Entry to manage a previously created rule.

Select Add to add more rules.
Select Edit Entry to open the Configure Entry pane to further configure use of
the group.

3. On the Configure Entry pane, give the entry a Name, and then configure the
following and then select OK to save the rule:

Type: Defines the action for the removable storage groups. When there are
conflicts for Type for the same media, the first type that’s defined in the
policy is applied.
Options: Defines whether to display a notification to the device user. The
options available depend on the Type that is selected.
Access mask: Choose one or more from Read, Write, Execute.
Sid: Local user Sid or user Sid group or the Sid of the AD object, defines
whether to apply this policy over a specific user or user group; one entry can
have a maximum of one Sid and an entry without any Sid means it applies
the policy over the machine.
Computer Sid: Local computer Sid or computer Sid group or the Sid of the
AD object, defines whether to apply this policy over a specific machine or
machine group; one entry can have a maximum of one ComputerSid and an
entry without any ComputerSid means it applies the policy over the machine.
If you want to apply an Entry to a specific user and specific machine, add
both Sid and ComputerSid into the same Entry.

For more information about these options, see the following articles in the
Microsoft Defender for Endpoint documentation:

Microsoft Defender for Endpoint Device Control Removable Storage Access Control
Printer Protection Overview

4. For the rule you saved, select Set reusable settings for Included ID and Excluded ID
to meet your needs. Both selections open a Select reusable settings pane.
5. Select one or more of the available groups to add them to this rule, and then save
your selections.
The following shows a configuration with only one group selected for Excluded ID:

6. After adding reusable groups to a profile, complete the policy configuration. When
saved, Intune includes the settings from the reusable groups and deploys the
profile to devices based on the profile’s assignments. A maximum of 100 reusable
groups can be added per profile.

If you have an E5 license, you can use Microsoft Defender for Endpoint to view device
control events under the Device Control report and Advanced hunting. See Protect your
organization's data with device control | Microsoft Docs in the Defender for Endpoint
documentation.
Use reusable groups for Endpoint Privilege
Manager
For information about support for using reusable groups for Endpoint Privilege
Manager, see Policies for Endpoint Privilege Manager.

About policy conflicts


The device settings you can manage through reusable settings groups are applied by
Intune the same as settings that are directly configured in a profile. If conflicts or
overlaps are introduced by settings from your reusable groups, you can use the same
troubleshooting process to identify and resolve those conflicts.

For more information, review guidance that might be specific to the profile types you
use. For general guidance, see Troubleshoot policies and profiles in Microsoft Intune,
and Common questions and answers with device policies and profiles in Microsoft
Intune.

Next steps
Device configuration overview
Account protection policy for endpoint security in Intune
Article • 02/24/2023

Use Intune endpoint security policies for account protection to protect the identity and
accounts of your users and manage the built-in group memberships on devices.

Find the endpoint security policies for Account protection under Manage in the
Endpoint security node of the Microsoft Intune admin center.

View settings for account protection profiles.

Prerequisites for Account protection profiles
To support the Account protection (preview) profile, devices must run Windows 10
or Windows 11.
To support the Local user group membership (preview) profile, devices must run
Windows 10 20H2 or later, or Windows 11.

Account protection profiles
Account protection profiles are in preview.

Windows 10/11 profiles:

Account protection (preview) – Settings for account protection policies help you
protect user credentials.

The account protection policy is focused on settings for Windows Hello and
Credential Guard, which is part of Windows identity and access management.
Windows Hello for Business replaces passwords with strong two-factor
authentication on PCs and mobile devices.
Credential Guard helps protect credentials and secrets that you use with your
devices.

To learn more, see Identity and access management in the Windows identity and
access management documentation.

Local user group membership (preview) – Use this profile to add, remove, or
replace members of the built-in local groups on Windows devices. For example,
the Administrators local group has broad rights. You can use this policy to edit the
Admin group's membership to lock it down to a set of exclusively defined
members.

Use of this profile is detailed in the following section, Manage local groups on
Windows devices.

Manage local groups on Windows devices
Use the Local user group membership (preview) profile to manage the users that are
members of the built-in local groups on devices that run Windows 10 20H2 and later,
and Windows 11 devices.

Tip

To learn more about support for managing administrator privileges using Azure
Active Directory (Azure AD) groups, see Assign local admins to Azure AD joined
devices in the Azure AD documentation.

Configure the profile
This profile manages the local group membership on devices through Policy CSP -
LocalUsersAndGroups. The CSP documentation includes additional details on how
configurations apply, and an FAQ about the use of the CSP.

When configuring this profile, on the Configuration settings page you can create
multiple rules to manage which built-in local groups you want to change, the group
action to take, and the method to select the users.
The following are the configurations you can make:

Local group: Select one or more groups from the drop-down. These groups will all
apply the same Group and user action to the users you assign. You can create
more than one grouping of local groups in a single profile and assign different
actions and groups of users to each grouping of local groups.

Note

The list of local groups is limited to the six built-in local groups which are
guaranteed to be evaluated at logon, as referenced in the Managing administrator
privileges using Azure AD groups documentation.

Group and user action: Configure the action to apply to the selected groups. This
action will apply to the users you select for this same action and grouping of local
accounts. Actions you can choose include:
Add (Update): Adds members to the selected groups. The group membership
for users that aren’t specified by the policy are not changed.
Remove (Update): Remove members from the selected groups. The group
membership for users that aren’t specified by the policy are not changed.
Add (Replace): Replace the members of the selected groups with the new
members you specify for this action. This option works in the same way as a
Restricted Group and any group members that are not specified in the policy
are removed.

Caution

If the same group is configured with both a Replace and Update action, the
Replace action wins. This is not considered a conflict. Such a configuration can
occur when you deploy multiple policies to the same device, or when this CSP
is also configured by use of Microsoft Graph.

User selection type: Choose how to select users. Options include:
Users: Select the users and user groups from your Azure AD. (Supported for
Azure AD joined devices only.)
Manual: Specify Azure AD users and groups manually, by username,
domain\username, or the group's security identifier (SID). (Supported for Azure
AD joined and hybrid joined devices.)

Selected user(s): Depending on your selection for User selection type, you'll use
one of the following options:
Select user(s): Select the users and user groups from your Azure AD.
Add user(s): This opens the Add users pane where you can then specify one or
more user identifiers as they appear on a device. You can specify the user by
security identifier (SID), Domain\username, or by Username.

Choosing the Manual option can be helpful in scenarios where you want to add your
on-premises Active Directory users to a local group on a hybrid Azure AD joined device.
The supported formats for identifying a selected user, in order of most to least
preferred, are the SID, domain\username, and the member's username. Values from
Active Directory must be used for hybrid joined devices, while values from Azure AD
must be used for Azure AD joined devices. Azure AD group SIDs can be obtained by using
the Graph API for Groups.

Conflicts
If policies create a conflict for a group membership, the conflicting settings from each
policy are not sent to the device. Instead, the conflict is reported for those policies in the
Microsoft Intune admin center. To resolve the conflict, reconfigure one or more policies.
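The following is an added example, not Intune or LocalUsersAndGroups CSP code, that models the three group actions described above (Add (Update), Remove (Update), Add (Replace)), the rule from the Caution that Replace wins over Update for the same group, and the behaviour that conflicting settings are not sent to the device. The policy names, group state and member identifiers are constructed; treating two disagreeing Replace rules for one group as the conflict case is an assumption made for the model.

```python
# Added example: a model of the Local user group membership actions described
# above and of the "Replace wins over Update" rule. Not Intune or CSP code.
# Policy names, group membership and SIDs below are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    policy: str            # name of the Intune policy the rule belongs to
    groups: tuple          # built-in local groups the rule targets
    action: str            # "add_update", "remove_update" or "add_replace"
    members: frozenset     # identifiers as they appear on the device (SID, domain\user, user)


def resolve(rules, current):
    """Return (planned membership per group, conflicts).

    current: dict of group name -> set of members currently on the device.
    Per group:
      * an Add (Replace) rule wins over Update rules for the same group, and that
        is not a conflict (per the Caution above);
      * Update rules only add or remove the members they list;
      * two Replace rules with different member sets for one group are treated as
        a conflict (assumption): nothing is planned for that group and the
        policies involved are reported instead.
    """
    per_group = {}
    for rule in rules:
        for group in rule.groups:
            per_group.setdefault(group, []).append(rule)

    planned, conflicts = {}, {}
    for group, group_rules in per_group.items():
        replaces = [r for r in group_rules if r.action == "add_replace"]
        if replaces:
            member_sets = {r.members for r in replaces}
            if len(member_sets) > 1:
                conflicts[group] = sorted(r.policy for r in replaces)
                continue
            # Replace behaves like a Restricted Group: unlisted members are removed.
            planned[group] = set(replaces[0].members)
            continue
        members = set(current.get(group, ()))
        for r in group_rules:
            if r.action == "add_update":
                members |= r.members
            elif r.action == "remove_update":
                members -= r.members
            else:
                raise ValueError(f"unknown action {r.action!r}")
        planned[group] = members
    return planned, conflicts


def demo():
    """Constructed device state and rules; returns (planned, conflicts)."""
    current = {
        "Administrators": {"S-1-5-21-EXAMPLE-500", "CONTOSO\\helpdesk"},
        "Remote Desktop Users": {"CONTOSO\\rdp-users"},
    }
    rules = [
        # Update rule and Replace rule target the same group: Replace wins.
        Rule("Helpdesk admins", ("Administrators",), "add_update",
             frozenset({"CONTOSO\\it-admins"})),
        Rule("Admin lockdown", ("Administrators",), "add_replace",
             frozenset({"S-1-5-21-EXAMPLE-500", "S-1-12-1-EXAMPLE-AADGROUP"})),
        # Plain Update rule: only the listed member is removed.
        Rule("No RDP", ("Remote Desktop Users",), "remove_update",
             frozenset({"CONTOSO\\rdp-users"})),
    ]
    return resolve(rules, current)


if __name__ == "__main__":
    planned, conflicts = demo()
    for group, members in planned.items():
        print(f"{group}: {sorted(members)}")
    print("conflicts:", conflicts)
```

In the constructed scenario the helpdesk Update rule is silently outranked by the lockdown Replace rule, which is exactly the case the Caution warns about: an administrator who only looks at the Update policy will not see why its members never appear in the group.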

Reporting
As devices check in and apply the policy, the admin center displays the status of the
devices and users as successful or in error.

Because the policy can contain multiple rules, consider the following:

When processing the policy for devices, the per-setting status view displays a
status for the group of rules as if it’s a single setting.
Each rule in the policy that results in an error is skipped, and not sent to devices.
Each rule that is successful is sent to devices to be applied.

Next steps
Configure Endpoint security policies
Antivirus policy for endpoint security in Intune
Article • 08/21/2023

Intune Endpoint security Antivirus policies can help security admins focus on managing
the discrete group of antivirus settings for managed devices.

Antivirus policy includes several profiles. Each profile contains only the settings that are
relevant for Microsoft Defender for Endpoint antivirus for macOS and Windows devices,
or for the user experience in the Windows Security app on Windows devices.

You'll find the antivirus policies under Manage in the Endpoint security node of the
Microsoft Intune admin center.

Antivirus policies include the same settings as found in the endpoint protection or
device restriction templates for device configuration policy. However, those policy types
include additional categories of settings that are unrelated to antivirus. The additional
settings can complicate the task of configuring the antivirus workload. Additionally, the
settings found in the Antivirus policy for macOS aren't available through the other policy
types. The macOS Antivirus profile removes the need to configure those settings by using
.plist files.

Applies to:

Linux
macOS
Windows 10/11

Prerequisites for antivirus policy
Support for Microsoft Intune (MDM) enrolled devices:

macOS
Any supported version of macOS
For Intune to manage antivirus settings on a device, Microsoft Defender for
Endpoint must be installed on that device. See Microsoft Defender for Endpoint
for macOS in the Microsoft Defender for Endpoint documentation.

Windows 10, Windows 11, and Windows Server
No additional prerequisites are required.

Support for Configuration Manager clients:

This scenario is in preview and requires use of Configuration Manager current branch
version 2006 or later.

Set up tenant attach for Configuration Manager devices - To support deploying
antivirus policy to devices managed by Configuration Manager, configure tenant
attach. Set up of tenant attach includes configuring Configuration Manager device
collections to support endpoint security policies from Intune.

To set up tenant attach, see Configure tenant attach to support endpoint
protection policies.

Support for Microsoft Defender for Endpoint clients:

Defender for Endpoint security settings management - To configure support for
deploying antivirus policy to devices that are managed by Defender, but not
enrolled with Intune, see Manage Microsoft Defender for Endpoint on devices with
Microsoft Intune. This article also includes the information about platforms
supported by this capability, and the policies and profiles that those platforms
support.

Prerequisites for tamper protection
Tamper protection is available for devices that are running one of the following
operating systems:

macOS (any supported version)
Windows 10 and 11 (including Enterprise multi-session)
Windows Server version 1803 or later, Windows Server 2019, Windows Server 2022
Windows Server 2012 R2 and Windows Server 2016 (using the modern, unified
solution)

Note

Devices are required to be onboarded to Microsoft Defender for Endpoint (P1 or
P2). Devices may see a delay enabling tamper protection if previously not
onboarded to Microsoft Defender for Endpoint. Tamper protection will enable on
the first device check-in after onboarding to Microsoft Defender for Endpoint.

You can use Intune to manage tamper protection on Windows devices as part of
Windows Security Experience profile (an Antivirus policy). This includes both devices you
manage with Intune, and devices you manage with Configuration Manager through the
tenant attach scenario.

Intune managed devices

Prerequisites to support tamper protection for devices managed by Intune:

Your environment must meet the prerequisites for managing tamper protection
with Intune
Devices are onboarded to Microsoft Defender for Endpoint (P1 or P2)

Profiles for Antivirus policy that support tamper protection for devices managed by
Microsoft Intune:

Platform: Windows 10, Windows 11, and Windows Server
Profile: Windows Security experience

Note

Beginning on April 5, 2022, the Windows 10 and later platform was replaced
by the Windows 10, Windows 11, and Windows Server platform.

The Windows 10, Windows 11, and Windows Server platform supports devices
communicating with Intune through Microsoft Intune or Microsoft Defender
for Endpoint. These profiles also add support for the Windows Server platform
which is not supported through Microsoft Intune natively.

Profiles for this new platform use the settings format as found in the Settings
Catalog. Each new profile template for this new platform includes the same
settings as the older profile template it replaces. With this change you can no
longer create new versions of the old profiles. Your existing instances of the
old profile remain available to use and edit.

You can also use the Endpoint protection profile for Device configuration policy to
configure tamper protection for devices managed by Intune.

Configuration Manager clients managed through the tenant attach scenario

Prerequisites to support managing tamper protection with these profiles:

Your environment must meet the prerequisites for managing tamper protection
with Intune as detailed in the Windows documentation.
You must use Configuration Manager current branch 2006 or later.
You must configure tenant attach to support endpoint protection policies. This
includes configuring Configuration Manager device collections for synchronization
with Intune.
Devices are onboarded to Microsoft Defender for Endpoint (P1 or P2)

Profiles for Antivirus policy that support tamper protection for devices managed by
Configuration Manager:

Platform: Windows 10, Windows 11, and Windows Server (ConfigMgr)
Profile: Windows Security experience (preview)

Antivirus profiles

Devices managed by Microsoft Intune
The following profiles are supported for devices you manage with Intune:

macOS:

Platform: macOS

Profile: Antivirus - Manage Antivirus policy settings for macOS.

When you use Microsoft Defender for Endpoint for Mac, you can configure and
deploy Antivirus settings to your managed macOS devices through Intune
instead of configuring those settings by use of .plist files.

Windows:

Platform: Windows 10, Windows 11, and Windows Server

Profiles for this platform can be used with devices enrolled with Intune, and
devices managed through Security Management for Microsoft Defender for
Endpoint.

Note

Beginning on April 5, 2022, the Windows 10 and later platform was replaced
by the Windows 10, Windows 11, and Windows Server platform.
The Windows 10, Windows 11, and Windows Server platform supports devices
communicating with Intune through Microsoft Intune or Microsoft Defender
for Endpoint. These profiles also add support for the Windows Server platform
which is not supported through Microsoft Intune natively.

Profiles for this new platform use the settings format as found in the Settings
Catalog. Each new profile template for this new platform includes the same
settings as the older profile template it replaces. With this change you can no
longer create new versions of the old profiles. Your existing instances of the
old profile remain available to use and edit.

Profile: Microsoft Defender Antivirus - Manage Antivirus policy settings for
Windows devices.

Defender Antivirus is the next-generation protection component of Microsoft
Defender for Endpoint. Next-generation protection brings together
technologies like machine learning and cloud infrastructure to protect devices in
your enterprise organization.

The Microsoft Defender Antivirus profile is a separate instance of the antivirus
settings that are found in the Device Restriction profile for Device Configuration
policy.

Unlike the antivirus settings in a Device Restriction profile, you can use these
settings with devices that are co-managed. To use these settings, the
co-management workload slider for Endpoint Protection must be set to Intune.

Profile: Microsoft Defender Antivirus exclusions - Manage policy settings for
Antivirus exclusions only.

With this policy, you can manage settings for the following Microsoft Defender
Antivirus configuration service providers (CSPs) that define Antivirus exclusions:
Defender/ExcludedPaths
Defender/ExcludedExtensions
Defender/ExcludedProcesses

These CSPs for antivirus exclusion are also managed by Microsoft Defender
Antivirus policy, which includes identical settings for exclusions. Settings from
both policy types (Antivirus and Antivirus exclusions) are subject to policy
merge, and create a superset of exclusions for applicable devices and users.

Profile: Windows Security experience - Manage the Windows Security app
settings that end users can view in the Microsoft Defender Security center and
the notifications they receive.

The Windows Security app is used by a number of Windows security features to
provide notifications about the health and security of the machine. Security app
notifications include firewalls, antivirus products, Windows Defender
SmartScreen, and others.

Profile: Defender Updates controls - Manage update settings for Microsoft
Defender, including the following settings that are taken directly from the
Defender CSP:
Engine Updates Channel
Platform Updates Channel
Security Intelligence Updates Channel

Devices managed by Configuration Manager

Antivirus

Manage Antivirus settings for Configuration Manager devices, when you use tenant
attach.

Policy path:

Endpoint security > Antivirus > Windows 10, Windows 11, and Windows Server
(ConfigMgr)

Profiles:

Microsoft Defender Antivirus (preview)
Windows Security experience (preview)

Required version of Configuration Manager:

Configuration Manager current branch version 2006 or later

Supported Configuration Manager device platforms:

Windows 8.1 (x86, x64), starting in Configuration Manager version 2010
Windows 10 and later (x86, x64, ARM64)
Windows 11 and later (x86, x64, ARM64)
Windows Server 2012 R2 (x64), starting in Configuration Manager version 2010
Windows Server 2016 and later (x64)

Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.

Policy merge for settings
Some Antivirus policy settings support policy merge. Policy merge helps avoid conflicts
when multiple policies apply to the same devices and configure the same setting. Intune
evaluates the settings that policy merge supports, for each user or device as taken from
all applicable policies. Those settings are then merged into a single superset of policy.

For example, you create three separate antivirus policies that define different antivirus
file path exclusions. Eventually, all three policies are assigned to the same user. Because
the Microsoft Defender file path exclusion CSP supports policy merge, Intune evaluates
and combines the file exclusions from all applicable policies for the user. The exclusions
are added to a superset and the single list of exclusions is delivered to the users’ device.

When policy merge isn’t supported for a setting, a conflict can occur. Conflicts can result
in the user or device not receiving any policy for the setting. For example, policy merge
doesn't support the CSP for preventing installation of matching device IDs
(PreventInstallationOfMatchingDeviceIDs). Configurations for this CSP don’t merge, and
are processed separately.

When processed separately, policy conflicts are resolved as follows:

1. The most secure policy applies.
2. If two policies are equally secure, the last modified policy applies.
3. If the last modified policy can't resolve the conflict, no policy is delivered to the
device.
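The following is an added example, not Intune code, that models the merge and conflict behaviour described in this section: the three exclusion CSPs named on this page are combined into a superset, while a non-mergeable setting goes through the three resolution steps above. The policy names, dates, the constructed setting "Example/ProtectionMode" and its "more secure" ranking are assumptions made for the model, since the page does not define how Intune ranks the security of values.

```python
# Added example: a model of Intune's policy merge and conflict resolution as
# described above. Not Intune code. The three mergeable CSP paths are the ones
# the page lists; the security ranking, the dates and the setting
# "Example/ProtectionMode" are constructed assumptions for illustration.

# CSPs the page says support policy merge: values are combined into a superset.
MERGEABLE = {
    "Defender/ExcludedPaths",
    "Defender/ExcludedExtensions",
    "Defender/ExcludedProcesses",
}

# Assumed "more secure" ordering for a non-mergeable setting: protective values
# rank above permissive ones; values not listed rank lowest.
SECURITY_RANK = {"Block": 2, "Enable": 2, "Audit": 1, "Allow": 0, "Disable": 0}


def merge_policies(policies):
    """policies: list of {"name", "modified": ISO date string, "settings": {csp: value}}.

    Returns (effective settings, conflicts). Mergeable settings become a sorted
    superset; other settings follow the steps above: the most secure value wins,
    then the last modified policy wins, otherwise nothing is delivered and the
    conflict is reported. ISO date strings compare chronologically as text.
    """
    by_setting = {}
    for policy in policies:
        for csp, value in policy["settings"].items():
            by_setting.setdefault(csp, []).append((policy, value))

    effective, conflicts = {}, []
    for csp, entries in by_setting.items():
        if csp in MERGEABLE:
            superset = set()
            for _, value in entries:
                superset.update(value)
            effective[csp] = sorted(superset)
            continue

        if len({value for _, value in entries}) == 1:
            effective[csp] = entries[0][1]          # all policies agree
            continue

        # Step 1: the most secure value applies.
        best = max(SECURITY_RANK.get(value, -1) for _, value in entries)
        top = [(p, v) for p, v in entries if SECURITY_RANK.get(v, -1) == best]
        if len({v for _, v in top}) == 1:
            effective[csp] = top[0][1]
            continue

        # Step 2: equally secure values, so the last modified policy applies.
        top.sort(key=lambda entry: entry[0]["modified"], reverse=True)
        if top[0][0]["modified"] != top[1][0]["modified"]:
            effective[csp] = top[0][1]
            continue

        # Step 3: still unresolved, so no policy for this setting is delivered.
        conflicts.append((csp, sorted(p["name"] for p, _ in top)))
    return effective, conflicts


def demo():
    """Three constructed antivirus policies assigned to the same user."""
    policies = [
        {"name": "AV baseline", "modified": "2023-01-10",
         "settings": {"Defender/ExcludedPaths": ["C:\\App1\\"],
                      "Example/ProtectionMode": "Block"}},
        {"name": "AV finance", "modified": "2023-03-05",
         "settings": {"Defender/ExcludedPaths": ["C:\\Finance\\", "C:\\App1\\"],
                      "Example/ProtectionMode": "Audit"}},
        {"name": "AV developers", "modified": "2023-02-01",
         "settings": {"Defender/ExcludedPaths": ["D:\\Build\\"]}},
    ]
    return merge_policies(policies)


if __name__ == "__main__":
    effective, conflicts = demo()
    print("effective:", effective)
    print("conflicts:", conflicts)
```

The merged exclusion list is worth reviewing from a defensive standpoint: because exclusions form a superset, every policy that can reach a device widens what Defender Antivirus will not scan, so a single broad exclusion in one policy applies to all users the other policies target too.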

Settings and CSPs that support policy merge
The following settings support policy merge:

Excluded Processes - CSP: Defender/ExcludedProcesses
Excluded Extensions - CSP: Defender/ExcludedExtensions
Excluded Paths - CSP: Defender/ExcludedPaths

Antivirus policy reports
Antivirus policy reports display status details about your endpoint security Antivirus
policies and device status. These reports are available in the Endpoint security node of
the Microsoft Intune admin center.

To view the reports, in the Microsoft Intune admin center , go to Endpoint security and
select Antivirus. Selecting Antivirus opens the Summary page. Additional report and
status views are available as additional pages.

In addition to reports detailed in the following sections, additional reports for Microsoft
Defender Antivirus are found in the Reports node of the Microsoft Intune admin center,
as documented in the Intune Reports article:

Antivirus agent status report (Organizational)
Detected malware report (Organizational)

Summary
On the Summary page, you can create new policies and view a list of the policies that
were previously created. The list includes high-level details about the profile that policy
includes (Policy Type), and if the policy is assigned.

When you select a policy from the list, the Overview page for that policy instance opens
and displays more information. After selecting a tile from this view, Intune displays
additional details for that profile if they’re available.
Unhealthy endpoints
On the Unhealthy endpoints page, you can view information about the antivirus status
of your MDM-managed Windows devices. This information is returned from Windows
Defender Antivirus that runs on the device, as Threat agent status. On this page, select
Columns to view the full list of details that are available in the report.

Only devices with detected issues appear in this view. This view doesn't display details
for devices that are identified as clean.

The information for this report is based on details available from the following CSPs,
which are documented in the Windows client-management documentation:

Defender CSP
WindowsAdvancedThreatProtection CSP.
Next steps
Configure Endpoint security policies

View details for the Windows settings in the deprecated profiles for the Windows 10 and
later platform:

Antivirus policy settings
Antivirus exclusions
Windows Security app settings
Manage approved apps for Windows devices with Application Control policy and
Managed Installers for Microsoft Intune
Article • 07/25/2023

This feature is in public preview.

Every day new malicious files and apps appear in the wild. When run on devices in your
organization they present a risk, which can be hard to manage or prevent. To help
prevent undesired apps from running on your managed Windows devices, you can use
Microsoft Intune Application Control policies.

Intune's Application Control policies are part of endpoint security and use the Windows
ApplicationControl CSP to manage allowed apps on Windows devices. Also available
through endpoint security Application Control, managed installer policy adds the Intune
Management Extension to your Tenant as a managed installer. With this extension as a
managed installer, the apps you deploy through Intune are automatically tagged by the
installer. Tagged apps can be identified by your Application Control policies as safe apps
that can be allowed to run on your devices.

The Intune Management Extension is an Intune service that supplements Windows
10 MDM features for Windows 10 and Windows 11 devices. It facilitates the
installation of Win32 apps and PowerShell scripts on managed devices.

A managed installer uses an AppLocker rule to tag applications you install as
trusted by your organization. For more information, see Allow apps installed by a
managed installer in the Windows Security documentation.

The information in this article can help you configure both the Intune Management
Extension as a managed installer and endpoint security Application Control policies.
Combined, they make it easy to control the apps that are allowed to run on Windows
devices in your environment. For more information, see Windows Defender Application
Control in the Windows Security documentation.

Note

Application Control policy vs Application control profiles:

Intune Application Control policies use the ApplicationControl CSP. Intune's Attack
surface reduction policies use the AppLocker CSP for their Application control
profiles.

Windows introduced the ApplicationControl CSP to replace the AppLocker CSP.
Windows continues to support the AppLocker CSP but no longer adds features
to it. Instead, development continues through the ApplicationControl CSP.

Applies to:

Windows 10
Windows 11

Prerequisites

Devices
The following devices are supported when enrolled with Intune:

Windows Enterprise or Education:
Windows 10 version 1903 or later
Windows 11 version 1903 or later

Windows Professional:
Windows 10 with KB5019959
Windows 11:
Version 22H2 with KB5019980
Version 21H2 with KB5019961

Windows 11 SE:
Windows 11 SE is supported for Educational tenants only. For more information,
see Application Control policies for Education tenants later in this article.

Azure Virtual Desktop (AVD):
AVD devices are supported to use Application Control policies.

Co-managed devices:
To support co-managed devices, set the Endpoint Protection workload slider to
Intune.

Windows Defender Application Control
See Windows edition and licensing requirements in About application control for
Windows in the Windows Security documentation.

Role based access controls
To manage Application Control policies, an account must have sufficient role-based
access control (RBAC) permissions to complete a desired task. The following are the
available tasks with their required permissions:

Enable use of a managed installer* - Accounts must be assigned the role of Global
Administrator or Intune Service Administrator.

Manage Application Control policy - Accounts must have the Security Baseline
permissions for Delete, Read, Assign, Create, and Update.

View reports for Application Control policy - Accounts must have the
Organization permission of Read.

For more information, see Role-based access control for Microsoft Intune.

Get started with managed installers

With Intune's endpoint security Application control, you can use policy to set the Intune
Management Extension as a managed installer on your managed Windows devices.

After you enable a managed installer, all subsequent applications you deploy to
Windows devices through Intune are marked with the managed installer tag. The tag
identifies that the app was installed by a known source, and can be trusted. The
managed installer tagging of apps is then used by Intune’s Endpoint security Application
Control policy to automatically identify apps as approved to run on devices in your
environment.

Intune's endpoint security Application Control policies are an implementation of
Windows Defender Application Control (WDAC). To learn more about WDAC and app
tagging, see About application control for Windows and WDAC Application ID (AppId)
Tagging guide in the Windows Defender Application Control documentation.

Considerations for using a managed installer:

Setting a managed installer is a tenant-wide configuration that applies to all your
managed Windows devices.
After you enable the Intune Management extension as a managed installer, all
apps you deploy to Windows devices through Intune are tagged with the mark of
the managed installer.

By itself, this tag has no effect on which apps can run on your devices. The tag is
used only when you also use WDAC policies that determine which apps are allowed to
run on your managed devices.

Because there's no retroactive tagging, all apps on your devices that were
deployed before enabling the managed installer aren't tagged. If you apply a
WDAC policy, you must include explicit configurations to allow these untagged
apps to run.

You can turn off this policy by editing the Managed Installer policy. Turning off the
policy prevents subsequent apps from being tagged with the managed installer.
Apps that were previously installed and tagged remain tagged. For information
about manual clean-up of a managed installer after turning off the policy, see
Remove the Intune Management Extension as a managed installer later in this
article.

Learn more about how Intune sets the managed installer in the Windows Security
documentation.

Important

Potential impact to events collected by any Log Analytics integrations

Log Analytics is a tool in the Azure Portal which customers may be using to collect
data from AppLocker policy events. With this public preview, if you complete the
opt-in action, AppLocker policy will begin to deploy to applicable devices in your
tenant. Depending on your Log Analytics configuration, especially if you are
collecting some of the more verbose logs, this will result in an increase in events
generated by AppLocker policy. If your organization uses Log Analytics, our
recommendation is to review your Log Analytics setup so that you:

Understand your Log Analytics setup and ensure there is an appropriate data
collection cap in place to avoid unexpected billing costs.
Turn off the collection of AppLocker events altogether in Log Analytics (Error,
Warning, Information) with the exception of MSI and Script logs.

Add a managed installer to your tenant
The following procedure guides you through adding the Intune Management Extension
as a managed installer for your tenant. Intune supports a single managed installer
policy.

1. In the Microsoft Intune admin center, go to Endpoint security (Preview), select the
Managed installer tab, and then select Add. The Add managed installer pane
opens.

2. Select Add, and then Yes to confirm the addition of the Intune Management
Extension as a managed installer.

3. After adding the Managed installer, in some rare cases, you may need to wait up to
10 minutes before the new policy is added to your tenant. Select Refresh to update
the admin center periodically, until it's available.

The policy is ready in the service when Intune displays a managed installer policy
with the name Managed installer – Intune Management Extension with the status
of Active. From the client side, you may need to wait up to an hour for the policy
to start getting delivered.

4. You can now select the policy to edit its configuration. Only the following two
policy areas support edits:

Settings: Editing the policy settings opens the Opt-out for managed installer
pane, where you can change the value for Set managed installer between On
and Off. When you add the installer, the setting Set managed installer
defaults to On. Before changing the configuration, be sure to review the
behavior detailed on the pane for On and Off.

Scope tags: You can add and modify scope tags that are assigned to this
policy. This allows you to specify which admins can view the policy details.

Before the policy has any effect, you must create and deploy an Application Control
policy to specify rules for which apps can run on your Windows devices.

For more information, see Allow apps installed by a managed installer in the Windows
Security documentation.

Remove the Intune Management Extension as a managed installer
Should you need to, you can stop configuring the Intune Management Extension as a
managed installer for your tenant. This requires you to turn off the managed installer
policy. After the policy is turned off, you can choose to use additional clean-up actions.

Turn off the Intune Management Extension policy (required)

The following configuration is required to stop adding the Intune Management
Extension as a managed installer to your devices.

1. In the admin center, go to Endpoint security (Preview), select the Managed
installer tab, and then select the Managed installer – Intune Management
Extension policy.

2. Edit the policy, and change Set managed installer to Off, and save the policy.

New devices won’t be configured with the Intune Management Extension as a managed
installer. This doesn’t remove the Intune Management Extension as managed installer
from devices that have already been configured to use it.

Remove the Intune Management Extension as a managed installer on devices (optional)
As an optional clean-up step, you can run a script to remove the Intune Management
Extension as a managed installer on devices that have already installed it. This is
optional as this configuration has no effect on devices unless you also use application
control policies that reference the managed installer.

1. Download the CatCleanIMEOnly.ps1 PowerShell script. This script is available at
https://aka.ms/intune_WDAC/CatCleanIMEOnly from download.microsoft.com.

2. Run this script on devices that have set the Intune Management Extension as a
managed installer. This script removes only the Intune Management Extension as a
managed installer.

3. Restart the Intune Management Extension service for the changes to take effect.

To run this script, you can use Intune to run PowerShell scripts, or other methods of your
choice.

Remove all AppLocker policies from a device (optional)
To remove all Windows AppLocker policies from a device, you can use the
CatCleanAll.ps1 PowerShell script. This script removes not only the Intune Management
Extension as a managed installer, but all managed installers as well as all policies based
on Windows AppLocker from a device. Before using this script, be sure you understand
your organizations use of AppLocker policies.

1. Download the CatCleanAll.ps1 PowerShell script. This script is available at
https://aka.ms/intune_WDAC/CatCleanAll from download.microsoft.com.

2. Run this script on devices that have set the Intune Management Extension as a
managed installer. This script removes only the Intune Management Extension as a
managed installer.

3. Please restart the Intune Management Extension service for the above changes to
take effect.

To run this script, you can use Intune to run PowerShell scripts, or other methods of your
choice.

Get started with Application Control policies

With Intune's endpoint security Application Control policies, you can manage which
apps on your managed Windows devices are allowed to run. Any apps that aren’t
explicitly allowed to run by a policy are blocked from running unless you’ve configured
the policy to use an Audit mode. With audit mode, the policy allows all apps to run and
logs the details about them locally on the client.

To manage which apps are allowed or blocked, Intune uses the Windows
ApplicationControl CSP on Windows devices.

When you create an Application Control policy, you must choose a Configuration
settings format to use:

Enter xml data - When you choose to enter xml data, you must provide the policy
with a set of custom XML properties that define your Application Control policy.

Built-in controls – This option is the simplest path to configure, yet remains a
powerful choice. With the built-in controls, you can easily approve all apps that are
installed by a managed installer, and allow trust of Windows components and
store apps.

More details about these options are available from the UI when creating a policy,
and also detailed in the following procedure that walks you through creating a
policy.

After you create an Application Control policy, you can expand the scope of that policy
by creating supplemental policies that add additional rules in XML format to that
original policy. When you use supplemental policies, the original policy is referred to as
the base policy.

Note
If your tenant is an Educational Tenant, see Application Control policies for
Education tenants to learn about additional device support and Application
Control policy for those devices.

Create an Application Control policy

Use the following procedure to help you create a successful Application Control policy.
This policy is considered a base policy if you go on to create supplemental policies to
expand the scope of trust you define with this policy.

1. Sign in to the Microsoft Intune admin center and go to Endpoint security >
Application control (Preview) > select the Application control tab > and then
select Create Policy. Application Control policies are automatically assigned to a
platform type of Windows 10 and later.

2. On Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional but
recommended.

3. On Configuration settings, choose a Configuration settings format:

Enter xml data - With this option you must provide custom XML properties to
define your Application Control policy. If you select this option but don’t add XML
properties to the policy, it acts as Not configured. An Application Control policy
that isn't configured results in default behaviors on a device, with no added
options from the ApplicationControl CSP.
Built-in controls – With this option the policy doesn’t use custom XML. Instead,
configure the following settings:

Enable trust of Windows components and store apps – When this setting is
Enabled (the default), managed devices can run Windows components and
store apps, as well as other apps you might configure as trusted. Apps that
aren't defined as trusted by this policy are blocked from running.

This setting also supports an Audit only mode. With audit mode, all events
are logged in the local client logs, but apps aren't blocked from running.

Select additional options for trusting apps – For this setting you can select
one or both of the following options:

Trust apps with a good reputation – This option allows devices to run
reputable apps as defined by the Microsoft Intelligent Security Graph.

Trust apps from managed installers – This option allows devices to run
the apps that were deployed by an authorized source, which is a managed
installer. This applies to apps you deploy through Intune after you
configure the Intune Management Extension as a managed installer.

Behavior for all other apps and files that aren’t specified by rules in this
policy depends on the configuration of Enable trust of Windows components
and store apps:
If Enabled, files and apps are blocked from running on devices
If set to Audit only, files and apps are audited only in local client logs

4. On the Scope tags page, select any desired scope tags to apply, then select Next.

5. For Assignments, select the groups that receive the policy, but consider that
WDAC policies apply to only the device scope. To continue, select Next.

For more information on assigning profiles, see Assign user and device profiles.

6. For Review + create, review your settings and then select Create. When you select
Create, your changes are saved, and the profile is assigned. The policy is also
shown in the policy list.

Use supplemental policy

One or more supplemental policies can help you expand on an Application Control base
policy to increase the circle of trust of that policy. A supplemental policy can expand
only one base policy, but multiple supplementals can expand the same base policy.
When you add supplemental policies, the applications allowed by the base policy and its
supplemental policies are allowed to run on devices.

Supplemental policies must be in XML format, and must reference the Policy ID of the
base policy.

The Policy ID of an Application Control base policy is determined by the configuration of
the base policy:

Base policies that are created using custom XML have a unique PolicyID that’s
based on that XML configuration.

Base policies that are created using the built-in controls for Application Control,
have one of four possible PolicyID’s that are determined by the possible
combinations of the built-in settings. The following table identifies the
combinations and the related PolicyID:

PolicyID of a base policy                  Options in WDAC policy (Audit or Enforce)

{A8012CFC-D8AE-493C-B2EA-510F035F1250}     Enable app control policy to trust Windows
                                           components and Store apps

{D6D6C2D6-E8B6-4D8F-8223-14BE1DE562FF}     Enable app control policy to trust Windows
                                           components and Store apps
                                           And
                                           Trust apps with good reputation

{63D1178A-816A-4AB6-8ECD-127F2DF0CE47}     Enable app control policy to trust Windows
                                           components and Store apps
                                           And
                                           Trust apps from managed installers

{2DA0F72D-1688-4097-847D-C42C39E631BC}     Enable app control policy to trust Windows
                                           components and Store apps
                                           And
                                           Trust apps with good reputation
                                           And
                                           Trust apps from managed installers

Even though two Application Control policies that use the same configuration of built-in
controls have the same PolicyID, you can apply different supplemental policies based on
the assignments for your policies.

Consider the following scenario:

You create two base policies that use the same configuration and therefore they
have the same PolicyID. You deploy one of them to your Executive team, and the
second policy deploys to your Help Desk team.

Next, you create a supplemental policy that allows other apps to run that your
Executive team requires. You assign this supplemental policy to that same group,
the Executive team.

Then you create a second supplemental policy that allows various tools required
by your Help Desk team to be run. This policy is assigned to the Help Desk group.

As a result of these deployments, both supplemental policies could modify both
instances of the base policy. However, due to the distinct and separate assignments, the
first supplemental policy modifies only the allowed apps assigned to the Executive team,
and the second policy modifies only the allowed apps used by the Help Desk team.

Create a supplemental policy

1. Use the Windows Defender Application Control Wizard or PowerShell cmdlets to
generate an Application Control policy in XML format.

To learn about the Wizard, see aka.ms/wdacWizard or Microsoft WDAC Wizard
at webapp-wdac-wizard.azurewebsites.net.

When you create a policy in XML format, it must reference the Policy ID of the base
policy.

2. After your Application Control supplemental policy has been created in XML
format, sign in to the Microsoft Intune admin center and go to Endpoint
security > Application control (Preview) > select the Application control tab, and
then select Create Policy.

3. On Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name profiles so you can
easily identify them later.

Description: Enter a description for the profile. This setting is optional but
recommended.

4. On Configuration settings, for Configuration settings format select Enter xml
data and upload your XML file.

5. For Assignments, select the same groups as assigned to the base policy you want
the supplemental policy to apply to, and then select Next.

6. For Review + create, review your settings and then select Create. When you select
Create, your changes are saved, and the profile is assigned. The policy is also
shown in the policy list.
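The following PowerShell, added here as an example and not taken from the Intune documentation, generates a supplemental policy with the ConfigCI cmdlets that ship with Windows, stamps it with the PolicyID of a base policy built from the built-in controls, and checks the XML before you upload it in step 4. The scan folder and output path are constructed values, and the base PolicyID assumed is the "Windows components and Store apps + managed installers" combination from the table above.

```powershell
# Added example; not code from the Intune documentation. Requires the ConfigCI
# module that ships with Windows (New-CIPolicy, Set-CIPolicyIdInfo).

# PolicyID of the Intune base policy this supplemental policy extends. This value is
# the built-in combination "Windows components and Store apps + managed installers"
# from the PolicyID table on this page; use your own base policy's ID otherwise.
$BasePolicyId = '{63D1178A-816A-4AB6-8ECD-127F2DF0CE47}'

# Constructed values: the folder holding the extra apps to allow and the output file.
$ScanPath        = 'C:\Program Files\Contoso\HelpDeskTools'
$SupplementalXml = Join-Path $env:TEMP 'HelpDeskTools-Supplemental.xml'

# Scan the folder and write publisher rules, with hash rules as a fallback for
# unsigned files. Supplemental policies exist only in the multiple-policy format,
# hence -MultiplePolicyFormat; -UserPEs also covers user-mode binaries.
New-CIPolicy -FilePath $SupplementalXml -ScanPath $ScanPath -Level Publisher `
    -Fallback Hash -UserPEs -MultiplePolicyFormat

# Give the new policy its own PolicyID, then mark it as supplementing the base policy.
Set-CIPolicyIdInfo -FilePath $SupplementalXml -ResetPolicyID
Set-CIPolicyIdInfo -FilePath $SupplementalXml -PolicyName 'HelpDesk tools (supplemental)' `
    -SupplementsBasePolicyID $BasePolicyId

# Check the XML before uploading it with the "Enter xml data" format: a supplemental
# policy whose BasePolicyID does not match the base policy on the device is ignored.
function Test-SupplementalPolicyXml {
    param([string]$Path, [string]$ExpectedBaseId)
    [xml]$doc = Get-Content -Path $Path -Raw
    $policy   = $doc.SiPolicy
    $problems = @()
    if ($policy.PolicyType -ne 'Supplemental Policy') {
        $problems += "PolicyType is '$($policy.PolicyType)', expected 'Supplemental Policy'"
    }
    if ($policy.BasePolicyID -ne $ExpectedBaseId) {
        $problems += "BasePolicyID is '$($policy.BasePolicyID)', expected '$ExpectedBaseId'"
    }
    if ($policy.PolicyID -eq $policy.BasePolicyID) {
        $problems += 'PolicyID must differ from BasePolicyID in a supplemental policy'
    }
    return ,$problems
}

$issues = Test-SupplementalPolicyXml -Path $SupplementalXml -ExpectedBaseId $BasePolicyId
if ($issues.Count -eq 0) {
    Write-Host "Ready to upload: $SupplementalXml"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Assign the uploaded supplemental policy to the same groups as its base policy, as step 5 describes; a matching BasePolicyID alone does not make it apply to devices the base policy was not assigned to.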

Application Control policies for Education tenants

Application Control policies in tenants for Educational organizations also support
Windows 11 SE in addition to the supported platforms in the Prerequisites.

Windows 11 SE is a cloud-first operating system that's optimized for use in classrooms.
Much like Intune for Education, Windows 11 SE prioritizes productivity, student privacy,
and learning, and only supports features and apps that are essential for education.

To aid this optimization, WDAC policy and the Intune Management Extension are
configured automatically for Windows 11 SE devices:

Intune support for Windows 11 SE devices is scoped to deploying predefined
WDAC policies with a set list of apps in EDU tenants. These policies are
automatically deployed and can't be changed.

For Intune EDU tenants, the Intune Management Extension is automatically set as a
Managed Installer. This configuration is automatic and can’t be changed.

Delete Application Control policy

As detailed in Deploy WDAC policies using Mobile Device Management (MDM)
(Windows 10) - Windows security in the Windows Security documentation, policies
deleted from the Intune UI are removed from the system, and from devices, but stay in
effect until the next reboot of the machine.

To disable or delete WDAC enforcement:

1. Replace the existing policy with a new version of the policy that will Allow /* , like
the rules in the example policy found on Windows devices at
%windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml

This configuration removes any blocks that might otherwise be left in place on a
device after the policy is removed.

2. After the updated policy is deployed, you can then delete the new policy from the
Intune portal.

This sequence prevents anything from being blocked and fully removes the WDAC
policy on the next reboot.
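The following PowerShell is an added example, not code from the Intune documentation, of preparing the replacement policy in step 1: it copies AllowAll.xml, gives the copy the PolicyID of the policy being retired so the device treats it as a new version of that policy rather than an additional one, raises the version, and verifies the result. It assumes the ConfigCI module, that AllowAll.xml is in the multiple-policy format (PolicyID and BasePolicyID elements), that the retired policy is the built-in "Windows components and Store apps" base policy from the PolicyID table earlier on this page, and that 10.0.0.1 is higher than the deployed version.

```powershell
# Added example; not code from the Intune documentation. Requires the ConfigCI
# module (Set-CIPolicyVersion). Replace $RetiredPolicyId with the PolicyID of the
# policy you are retiring; the version used here is an assumption and must be
# higher than the version currently deployed.
$RetiredPolicyId = '{A8012CFC-D8AE-493C-B2EA-510F035F1250}'
$NewVersion      = '10.0.0.1'

$Source = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml'
$Target = Join-Path $env:TEMP  'AllowAll-Replacement.xml'
Copy-Item -Path $Source -Destination $Target -Force

# Stamp the copy with the retired policy's ID. PolicyID and BasePolicyID are equal
# for a base policy, so both elements are set; the device then treats the upload as
# a new version of the existing policy instead of a second, additional policy.
[xml]$doc = Get-Content -Path $Target -Raw
$doc.SiPolicy.PolicyID     = $RetiredPolicyId
$doc.SiPolicy.BasePolicyID = $RetiredPolicyId
$doc.Save($Target)
Set-CIPolicyVersion -FilePath $Target -Version $NewVersion

# Verify before uploading: same PolicyID, the new version, at least one Allow "*"
# rule and no Deny rules, so nothing stays blocked once the policy is deleted.
function Test-AllowAllReplacement {
    param([string]$Path, [string]$ExpectedPolicyId)
    [xml]$xml  = Get-Content -Path $Path -Raw
    $rules     = @($xml.SiPolicy.FileRules.ChildNodes)
    $allowAll  = @($rules | Where-Object { $_.LocalName -eq 'Allow' -and $_.FileName -eq '*' })
    $denyRules = @($rules | Where-Object { $_.LocalName -eq 'Deny' })
    [pscustomobject]@{
        PolicyIdMatches = ($xml.SiPolicy.PolicyID -eq $ExpectedPolicyId -and
                           $xml.SiPolicy.BasePolicyID -eq $ExpectedPolicyId)
        Version         = $xml.SiPolicy.VersionEx
        AllowAllRules   = $allowAll.Count
        DenyRules       = $denyRules.Count
    }
}

Test-AllowAllReplacement -Path $Target -ExpectedPolicyId $RetiredPolicyId
```

Upload the verified XML with the Enter xml data format as a new version of the existing Intune policy; only after devices report it applied should the policy be deleted from the admin center (step 2).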

Monitor Application Control policies and the managed installer

After devices are assigned Application Control and Managed installer policies, you can
view policy details within the admin center.

To view reports, your account must have the Read permission for the Intune role-
based access control category of Organization.

To view reports, sign in to the Intune admin center and navigate to the Account Control
node. (Endpoint security > Account Control (Preview)). Here you can select the tab for
the policy details you want to view:

Managed installer
On the Managed Installer tab, you can view the status, success count, and error details
for the Managed installer – Intune Management Extension policy:

Select the policy name to open its Overview page, where you can view the following
information:

Device status, a static count of success vs errors

Device status trend, a historical chart that displays a timeline and count of devices
in each detail category.

Report details include:

Succeeded - Devices that have successfully applied the policy.

Error - Devices with errors.

New devices – New devices identifies devices that have recently applied the policy.

It can take up to 24 hours for the Device status and Device status trend sections to
update in the Overview.

While viewing the policy details, you can select Device status (below Monitor), to open a
device-based view of the policy details. The Device status view displays the following
details that you can use to identify problems should a device fail to successfully apply
the policy:

Device name
User name
OS version
Managed installer status (Succeeded or Error)

It can take several minutes for the device-based view of the policy details to update
after the device actually receives the policy.

Application Control
On the Application Control tab, you can view the list of your Application Control
policies and basic details, including whether it's assigned and when it was last modified.

Select a policy to open a view with more report options.

Report options for the policy include:

Device and user check-in status - A simple chart that displays the count of devices
reporting each available status for this policy.

View Report - This opens a view with a list of the devices that received this policy.
Here you can select devices to drill in and view their Application Control policy
settings format.

The policy view also includes the following report tiles:

Device assignment status - This report shows all the devices that are targeted by
the policy, including devices in a pending policy assignment state.

With this report, you can select the Assignment status values you want to view, and
then select Generate report to refresh the report and view individual devices that
received the policy, their last active user, and the assignment status.

You can also select devices to drill in and view their Application Control policy
settings format.

Per setting status - This report displays a count of devices that report status as
Success, Error, or Conflict for the settings from this policy.

Frequently asked Questions

When should I set the Intune Management Extension as
the managed installer?
We recommend configuring the Intune Management Extension as the managed installer
at your next available opportunity.

Once set, subsequent apps you deploy to devices are appropriately tagged to support
WDAC policies that Trust apps from managed installers.

In environments where apps were deployed before a managed installer was configured, we
recommend you deploy new WDAC policies in audit mode so you can identify the apps
that were deployed but not tagged as trusted. You can then review the audit results and
determine which apps should be trusted. For apps you'll trust and allow to run, you can
then create custom WDAC policies to allow those apps.

It can be helpful to explore Advanced Hunting, which is a feature in Microsoft Defender
for Endpoint that makes it easier to query audit events across the many machines that IT
admins manage and help them craft policies.

What do I do with the old Application Control policy from my Attack surface reduction policy?

You may have noticed other instances of the Application Control policy in the Intune UI
under Endpoint Security > Attack Surface Reduction or under Device Configuration.
These will be deprecated in a future release.

What if I have multiple base or supplemental policies on the same device?

From the Windows Application Control Docs, prior to Windows 10 1903, Application
Control only supported a single active policy on a system at any given time. This significantly
limits customers in situations where multiple policies with different intents would be
useful.

Beginning with Windows 10 version 1903, WDAC supports only up to 32 active policies
on a device before running into boot issues. Learn more about the Known Issue here. To
avoid unintended device impact as a result of more than 32 active policies, you can:

1. Use CITool.exe on the device to inventory policy count prior to deploying any new
WDAC policies to that device.
2. Consider merging multiple WDAC policies prior to deployment if that meets your
organization’s needs.
3. Redesign the WDAC policy plan for your organization to reduce the number of
policies needed to ensure security and productivity.
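The following PowerShell, added here as an example and not taken from the Intune documentation, performs the inventory from step 1 with citool.exe and reports how much headroom remains under the 32-policy ceiling. It assumes citool.exe is present (Windows 11 22H2 and later) and that its --json output is an object with a Policies array whose entries carry PolicyID, FriendlyName, IsEnforced and IsSystemPolicy; those property names are an assumption, so check them against a sample of the output on your own build.

```powershell
# Added example; not code from the Intune documentation. Assumes citool.exe and the
# JSON property names noted above (an assumption; verify on your build).
function Get-AppControlPolicyInventory {
    param([int]$Limit = 32)   # the active-policy ceiling quoted in this FAQ

    $raw = & citool.exe --list-policies --json 2>&1
    if ($LASTEXITCODE -ne 0) { throw "citool.exe failed: $raw" }

    $policies = @((ConvertFrom-Json -InputObject ($raw -join "`n")).Policies)
    $enforced = @($policies | Where-Object { $_.IsEnforced })
    $system   = @($policies | Where-Object { $_.IsSystemPolicy })

    [pscustomobject]@{
        ActivePolicies = $policies.Count
        Enforced       = $enforced.Count
        AuditOnly      = $policies.Count - $enforced.Count
        SystemPolicies = $system.Count
        Headroom       = $Limit - $policies.Count
        Policies       = $policies | Select-Object PolicyID, FriendlyName, IsEnforced
    }
}

$inventory = Get-AppControlPolicyInventory
$inventory | Format-List

# Warn before the device is close to the ceiling, while there is still time to merge
# or retire policies (steps 2 and 3 above) instead of deploying another one.
if ($inventory.Headroom -le 2) {
    Write-Warning ("Only {0} policy slot(s) left before the 32-policy ceiling; " +
                   "merge or retire policies before deploying more.") -f $inventory.Headroom
}
```

Run it on a representative device from each target group before assigning a new base or supplemental policy, and keep the list of PolicyIDs it returns as the record of what is already active.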

Does the Managed Installer opt-in capability for my tenant set apps installed from
Configuration Manager with the appropriate tag?

No. This release focuses on setting apps installed from Intune, using the Intune
Management Extension, as the Managed Installer. It can't set Configuration Manager as
the Managed Installer.

If setting Configuration Manager as the Managed Installer is desired, you can allow that
behavior from within Configuration Manager. If you already have Configuration
Manager set as the Managed Installer, the expected behavior is that the new Intune
Management Extension AppLocker policy merges with the existing Configuration
Manager policy.

Next Steps
Configure Endpoint security policies

Attack surface reduction policy for endpoint security in Intune
Article • 04/18/2023

When Defender antivirus is in use on your Windows 10/11 devices, you can use Intune
endpoint security policies for Attack surface reduction to manage those settings for your
devices.

Attack surface reduction policies help reduce your attack surfaces, by minimizing the
places where your organization is vulnerable to cyberthreats and attacks. For more
information, see Overview of attack surface reduction in the Windows Threat protection
documentation.

Find the endpoint security policies for attack surface reduction under Manage in the
Endpoint security node of the Microsoft Intune admin center . Each attack surface
reduction profile manages settings for a specific area of a Windows 10/11 device.

Prerequisites for Attack surface reduction profiles

General:

Windows 10 or Windows 11
Defender antivirus must be the primary antivirus on the device

Support for Configuration Manager clients:

This scenario is in preview and requires use of Configuration Manager current branch
version 2006 or later.

Set up tenant attach for Configuration Manager devices - To support deploying
attack surface reduction policy to devices managed by Configuration Manager,
configure tenant attach. Set up of tenant attach includes configuring Configuration
Manager device collections to support endpoint security policies from Intune.

To set up tenant attach, see Configure tenant attach to support endpoint
protection policies.

Attack surface reduction profiles

Note

Beginning in April 2022, new profiles for Attack surface reduction policy have
begun to release. When a new profile becomes available, it uses the same name of
the profile it replaces and includes the same settings as the older profile but in the
newer settings format as seen in the Settings Catalog. Your previously created
instances of these profiles remain available to use and edit, but all new instances
you create will be in the new format. The following profiles have been updated:

Attack surface reduction rules (April 5, 2022)
Exploit protection (April 5, 2022)
Device control (May 23, 2022)
App and browser isolation (April 18, 2023)

Devices managed by Intune

Platform: Windows 10 and later: Profiles for this platform are supported on Windows 10
and Windows 11 devices enrolled with Intune. Profiles include:

App and browser isolation – Manage settings for Windows Defender Application
Guard (Application Guard), as part of Defender for Endpoint. Application Guard
helps to prevent old and newly emerging attacks and can isolate enterprise-
defined sites as untrusted while defining what sites, cloud resources, and internal
networks are trusted.

To learn more, see Application Guard in the Microsoft Defender for Endpoint
documentation.

Web protection (Microsoft Edge Legacy) – Settings you can manage for Web
protection in Microsoft Defender for Endpoint configure network protection to
secure your machines against web threats. By integrating with Microsoft Edge and
popular third-party browsers like Chrome and Firefox, web protection stops web
threats without a web proxy and can protect machines while they're away or on-
premises. Web protection stops access to:
Phishing sites
Malware vectors
Exploit sites
Untrusted or low-reputation sites
Sites that you've blocked in your custom indicator list.
To learn more, see Web protection in the Microsoft Defender for Endpoint
documentation.

Application control - Application control settings can help mitigate security
threats by restricting the applications that users can run and the code that runs in
the System Core (kernel). Manage settings that can block unsigned scripts and
MSIs, and restrict Windows PowerShell to run in Constrained Language Mode.

To learn more, see Application Control in the Microsoft Defender for Endpoint
documentation.

Note

If you use this setting, AppLocker CSP behavior currently prompts end user to
reboot their machine when a policy is deployed.

Attack Surface Reduction Rules – Configure settings for attack surface reduction
rules that target behaviors that malware and malicious apps typically use to infect
computers, including:
Executable files and scripts used in Office apps or web mail that attempt to
download or run files
Obfuscated or otherwise suspicious scripts
Behaviors that apps don't usually start during normal day-to-day work

Reducing your attack surface means offering attackers fewer ways to perform attacks.

Merge behavior for Attack surface reduction rules in Intune:

Attack surface reduction rules support a merger of settings from different policies,
to create a superset of policy for each device. Settings that aren't in conflict are
merged, while settings that are in conflict aren't added to the superset of rules.
Previously, if two policies included conflicts for a single setting, both policies were
flagged as being in conflict, and no settings from either profile would be deployed.

Attack surface reduction rule merge behavior is as follows:

Attack surface reduction rules from the following profiles are evaluated for each
device the rules apply to:
Devices > Configuration policy > Endpoint protection profile > Microsoft
Defender Exploit Guard > Attack Surface Reduction
Endpoint security > Attack surface reduction policy > Attack surface
reduction rules
Endpoint security > Security baselines > Microsoft Defender for Endpoint
Baseline > Attack Surface Reduction Rules.
Settings that don't have conflicts are added to a superset of policy for the
device.
When two or more policies have conflicting settings, the conflicting settings
aren't added to the combined policy, while settings that don’t conflict are
added to the superset policy that applies to a device.
Only the configurations for conflicting settings are held back.

Device Control – With settings for device control, you can configure devices for a
layered approach to secure removable media. Microsoft Defender for Endpoint
provides multiple monitoring and control features to help prevent threats in
unauthorized peripherals from compromising your devices.

Device control profiles support policy merge for USB device IDs.

To learn more, see How to control USB devices and other removable media using
Microsoft Defender for Endpoint in the Microsoft Defender for Endpoint
documentation.

Exploit Protection - Exploit protection settings can help protect against malware
that uses exploits to infect devices and spread. Exploit protection consists of many
mitigations that can apply to either the operating system or individual apps.

Add reusable settings groups to profiles for Device control

In public preview, Device control profiles support use of reusable settings groups to
help manage settings for the following settings groups on devices for the Windows 10
and later platform:

Printer device
Removable storage

The following device control profile settings are available for printer device:

PrimaryId
PrinterConnectionID
VID_PID

The following device control profile settings are available in for removable storage:

Device class
Device ID
Hardware ID
Instance ID
Primary ID
Product ID
Serial number
Vendor ID
Vendor ID and Product ID

For information about these options, see the following articles in the Microsoft Defender
for Endpoint documentation:

Printer Protection Overview
Microsoft Defender for Endpoint Device Control Removable Storage Access
Control

When you configure a Device control profile and one or more reusable settings groups,
you also configure Actions to define how the settings in those groups are used.

Each rule you add to the profile can include both reusable settings groups and
individual settings that are added directly to the rule. However, consider using each rule
for either reusable settings groups or to manage settings you add directly to the rule.
This separation can help simplify future configurations or changes you might make.

For guidance on configuring reusable groups, and then adding them to this profile, see
Use reusable groups of settings with Intune policies.

Exclusions for Attack Surface Reduction Rules

Intune supports the following two settings to exclude specific file and folder paths from
evaluation by Attack Surface Reduction rules:

Global: Use Attack Surface Reduction Only Exclusions.

When a device is assigned at least one policy that configures Attack Surface
Reduction Only Exclusions, the configured exclusions apply to all attack surface
reduction rules that target that device. This occurs because devices receive a
superset of attack surface reduction rule settings from all applicable policies, and
the settings exclusions can't be managed for individual settings. To avoid having
exclusions applied to all settings on a device, don't use this setting and instead
configure ASR Only Per Rule Exclusions for individual settings.

For more information, see the documentation for the Defender CSP:
Defender/AttackSurfaceReductionOnlyExclusions.

Individual settings: Use ASR Only Per Rule Exclusions

When you set an applicable setting in an attack surface reduction rule profile to
anything other than Not configured, Intune presents the option to use ASR Only
Per Rule Exclusions for that individual setting. With this option, you can configure
a file and folder exclusion that are isolated to individual settings, which is in
contrast to use of the global setting Attack Surface Reduction Only Exclusions
which applies its exclusions to all settings on the device.

By default, ASR Only Per Rule Exclusions is set to Not configured.

Important

ASR polices do not support merge functionality for ASR Only Per Rule
Exclusions and a policy conflict can result when multiple polices that configure
ASR Only Per Rule Exclusions for the same device conflict. To avoid conflicts,
combine the configurations for ASR Only Per Rule Exclusions into a single ASR
policy. We are investigating adding policy merge for ASR Only Per Rule
Exclusions in a future update.

Devices managed by Configuration Manager

Attack surface reduction

Support for devices managed by Configuration Manager is in Preview.

Manage attack surface reduction settings for Configuration Manager devices, when you
use tenant attach.

Policy path:

Endpoint security > Attack surface reduction > Windows 10 and later (ConfigMgr)

Profiles:

Attack Surface Reduction Rules (ConfigMgr)
Exploit Protection (ConfigMgr) (preview)
Web Protection (ConfigMgr) (preview)

Required version of Configuration Manager:

Configuration Manager current branch version 2006 or later

Supported Configuration Manager device platforms:

Windows 10 and later (x86, x64, ARM64)
Windows 11 and later (x86, x64, ARM64)

Devices managed by Security Management for Defender for Endpoint

Profiles for this platform can be used with Windows 10 and Windows 11 devices
enrolled with Intune, and with devices managed through Security Management for
Microsoft Defender for Endpoint.

Profiles include:

Attack Surface Reduction Rules - Configure settings for attack surface reduction
rules that target behaviors that malware and malicious apps typically use to infect
computers, including:
Executable files and scripts used in Office apps or web mail that attempt to
download or run files.
Obfuscated or otherwise suspicious scripts.
Behaviors that apps don't usually start during normal day-to-day work.

Reducing your attack surface means offering attackers fewer ways to perform attacks.

Policy merge for settings

Policy merge helps avoid conflicts when multiple profiles that apply to the same device
configure the same setting with different values, creating a conflict. To avoid conflicts,
Intune evaluates the applicable settings from each profile that applies to the device.
Those settings then merge into a single superset of settings.

For Attack surface reduction policy, the following profiles support policy merge:

Device control

Policy merge for device control profiles

Device control profiles support policy merge for USB Device IDs. The profile settings
that manage Device IDs and that support policy merge include:

Allow hardware device installation by device identifiers
Block hardware device installation by device identifiers
Allow hardware device installation by setup classes
Block hardware device installation by setup classes
Allow hardware device installation by device instance identifiers
Block hardware device installation by device instance identifiers

Policy merge applies to the configuration of each setting across the different profiles
that apply that specific setting to a device. The result is a single list for each of the
supported settings being applied to a device. For example:

Policy merge evaluates the lists of setup classes that were configured in each
instance of Allow hardware device installation by setup classes that applies to a
device. The lists are merged into a single allowlist where any duplicate setup
classes are removed.

Removal of duplicates from the list is done to remove the common source of
conflicts. The combined allowlist is then delivered to the device.

Policy merge doesn’t compare or merge the configurations from different settings. For
example:

Expanding on the first example, in which multiple lists from Allow hardware device
installation by setup classes were merged into a single list, you have several
instances of Block hardware device installation by setup classes that applies to the
same device. All the related blocklists merge into a single blocklist for the device
that then deploys to the device.
The allowlist for setup classes isn’t compared nor merged with the blocklist for
setup classes.
Instead, the device receives both lists, as they are from two distinct settings. The
device then enforces the most restrictive setting for installation by setup classes.

With this example, a setup class defined in the blocklist will override the same
setup class if found on the allowlist. The result would be that the setup class is
blocked on the device.
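The following PowerShell is an added example, not code from the Intune documentation or the Intune service, that models the two merge behaviours described on this page: the Attack surface reduction rule merge earlier (a setting is merged only when every profile agrees, a conflicting setting is held back while the rest still apply) and the device control list merge above (allowlists and blocklists are each unioned with duplicates removed but never reconciled with each other, and the device enforces the more restrictive list). The profile contents are constructed; the two setup-class GUIDs are the well-known DiskDrive and Printer classes.

```powershell
# Added example; not code from the Intune documentation. Models the merge rules
# this page describes on constructed profiles; it does not read Intune policies.

function Merge-ScalarSettings {
    param([hashtable[]]$Profiles)
    $merged = @{}; $heldBack = @()
    $names = $Profiles | ForEach-Object { $_.Keys } | Sort-Object -Unique
    foreach ($name in $names) {
        $values = @($Profiles | Where-Object { $_.ContainsKey($name) } |
                    ForEach-Object { $_[$name] } | Sort-Object -Unique)
        if ($values.Count -eq 1) { $merged[$name] = $values[0] }   # every profile agrees
        else                     { $heldBack += $name }            # conflict: held back
    }
    [pscustomobject]@{ Merged = $merged; HeldBack = $heldBack }
}

function Merge-ListSetting {
    param([object[]]$Lists)
    # union of every profile's list for one setting, duplicates removed
    @($Lists | ForEach-Object { $_ } | Sort-Object -Unique)
}

function Resolve-SetupClass {
    param([string]$SetupClass, [string[]]$Allow, [string[]]$Block)
    # the device receives both lists and applies the more restrictive one
    if ($Block -contains $SetupClass) { return 'Blocked' }
    if ($Allow -contains $SetupClass) { return 'Allowed' }
    return 'NoRule'
}

$DiskDrive = '{4d36e967-e325-11ce-bfc1-08002be10318}'   # well-known DiskDrive setup class
$Printer   = '{4d36e979-e325-11ce-bfc1-08002be10318}'   # well-known Printer setup class

# Two ASR profiles (constructed) that disagree on one rule: that rule is held back,
# the other two rules still reach the device.
$asr = Merge-ScalarSettings -Profiles @(
    @{ 'Block Office applications from creating child processes' = 'Block'
       'Block credential stealing from LSASS'                    = 'Block' },
    @{ 'Block Office applications from creating child processes' = 'Audit'
       'Block executable content from email client and webmail'  = 'Block' }
)
"ASR settings applied  : $($asr.Merged.Keys -join '; ')"
"ASR settings held back: $($asr.HeldBack -join '; ')"

# Several device control profiles (constructed): allowlists merge with allowlists,
# blocklists with blocklists, and the two results are never compared with each other.
$allow = Merge-ListSetting -Lists @(@($DiskDrive, $Printer), @($Printer))
$block = Merge-ListSetting -Lists @(@($Printer), @($Printer))
"Printer setup class   : $(Resolve-SetupClass -SetupClass $Printer   -Allow $allow -Block $block)"
"DiskDrive setup class : $(Resolve-SetupClass -SetupClass $DiskDrive -Allow $allow -Block $block)"
```

With these inputs the Printer class resolves to Blocked even though both allowlists contain it, which is the precedence the last paragraph above describes; the Office child-process rule is the one ASR setting held back.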

Next steps
Configure Endpoint security policies

View details for the settings in profiles for Attack surface reduction profiles.

Disk encryption policy for endpoint security in Intune
Article • 08/02/2023

Endpoint security Disk encryption profiles focus on only the settings that are relevant for
a device's built-in encryption method, like FileVault or BitLocker. This focus makes it easy
for security admins to manage disk encryption settings without having to navigate a
host of unrelated settings.

While you can configure the same device settings by using Endpoint Protection profiles
for device configuration, the device configuration profiles include additional categories
of settings. These additional settings are unrelated to disk encryption and can
complicate the task of configuring only disk encryption.

Find the endpoint security policies for disk encryption under Manage in the Endpoint
security node of the Microsoft Intune admin center.

Prerequisites for disk encryption policy

macOS - macOS 10.13 or later
Windows - Windows 10/11

Disk encryption profiles

macOS profiles:

FileVault - FileVault provides built-in Full Disk Encryption for macOS devices.

Manage FileVault settings for macOS.

To create a FileVault profile, see Use FileVault disk encryption for macOS.

Windows profiles:

BitLocker - BitLocker Drive Encryption is a data protection feature that integrates
with the operating system and addresses the threats of data theft or exposure
from lost, stolen, or inappropriately decommissioned computers.

Note

Beginning on June 19, 2023, the BitLocker profile for Windows 10 and later
was updated to use the settings format as found in the Settings Catalog. The
new profile format includes the same settings as the older profile. With this
change you can no longer create new versions of the old profiles. Your
existing instances of the old profile remain available to use and edit.

With the new profile format, we no longer publish a dedicated list of settings
as found in the profile. Instead, use the Learn more link in the UI while viewing
information for a setting, to open BitLocker CSP in the Windows
documentation, where the setting is detailed in full.

You can continue to find a list of settings from the original BitLocker profile at
BitLocker settings in the Intune documentation.

To create a BitLocker profile, see Use BitLocker disk encryption for Windows.

Manage device encryption

After you deploy policy to encrypt a device disk, see the following articles for
information on managing encryption:

Manage BitLocker
Manage FileVault
Monitor device encryption

Next steps
To create a FileVault profile
To create a BitLocker profile

Endpoint detection and response policy for endpoint security in Intune
Article • 08/21/2023

When you integrate Microsoft Defender for Endpoint with Intune, you can use endpoint
security policies for endpoint detection and response (EDR) to manage the EDR settings
and onboard devices to Microsoft Defender for Endpoint.

Applies to:

Windows 10/11
Windows Server 2012 R2 and later

The capabilities of Microsoft Defender for Endpoint endpoint detection and response
provide advanced attack detections that are near real-time and actionable. Security
analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and
take response actions to remediate threats.

EDR policies include platform-specific profiles to manage settings for EDR. The profiles
automatically include an onboarding package for Microsoft Defender for Endpoint.
Onboarding packages are how devices are configured to work with Microsoft Defender
for Endpoint. After a device onboards, you can start to use threat data from that device.

EDR policies deploy to groups of devices in Azure Active Directory (Azure AD) that you
manage with Intune, and to collections of on-premises devices that you manage with
Configuration Manager, including Windows servers. The EDR policies for the different
management paths require different onboarding packages. Therefore, you'll create
separate EDR policies for the different types of devices you manage.

Find the endpoint security policies for EDR under Manage in the Endpoint security node
of the Microsoft Intune admin center.

Prerequisites for EDR policies

General:

Tenant for Microsoft Defender for Endpoint – Your Microsoft Defender for
Endpoint tenant must be integrated with your Microsoft Intune tenant (Intune
subscription) before you can create EDR policies. See Use Microsoft Defender for
Endpoint in the Intune documentation.

Support for Configuration Manager clients:

Set up tenant attach for Configuration Manager devices - To support deploying
EDR policy to devices managed by Configuration Manager, configure tenant
attach. This includes configuring Configuration Manager device collections to
support endpoint security policies from Intune.

To set up tenant attach, including the synchronization of Configuration Manager
collections to the Microsoft Intune admin center and enabling them to work with
endpoint security policies, see Configure tenant attach to support endpoint
protection policies.

EDR profiles

Devices managed by Microsoft Intune

Intune – The following are supported for devices you manage with Intune:

Platform: Windows 10, Windows 11, and Windows Server
Profile: Endpoint detection and response - Intune deploys the policy to devices
in your Azure AD groups. Profiles for this platform can be used with devices
enrolled with Intune, and with devices managed through Security Management
for Microsoft Defender for Endpoint.

Note

Beginning on April 5, 2022, the Windows 10 and later platform was replaced
by the Windows 10, Windows 11, and Windows Server platform.

The Windows 10, Windows 11, and Windows Server platform supports devices
communicating through Microsoft Intune or Microsoft Defender for Endpoint.
These profiles also add support for the Windows Server platform which is not
supported through Microsoft Intune natively.

Profiles for this new platform use the settings format as found in the Settings
Catalog. Each new profile template for this new platform includes the same
settings as the older profile template it replaces. With this change you can no
longer create new versions of the old profiles. Your existing instances of the
old profile remain available to use and edit.

Options for Microsoft Defender for Endpoint client configuration package type:
After you configure the service-to-service connection between Intune and Microsoft
Defender for Endpoint, the Auto from connector option becomes available for the
setting Microsoft Defender for Endpoint client configuration package type. This
option is not available until you've configured the connection.

When you select Auto from connector, Intune automatically gets the onboarding
package (blob) from your Defender for Endpoint deployment. This replaces the need to
manually configure an Onboard package for this profile. There is no option to
automatically configure an offboard package.

Devices managed by Configuration Manager

Endpoint detection and response

Manage Endpoint detection and response policy settings for Configuration Manager
devices, when you use tenant attach.

Policy path:

Endpoint security > Endpoint detection and response > Windows 10, Windows 11,
and Windows Server (ConfigMgr)

Profiles:

Endpoint detection and response (ConfigMgr) (Preview)

Required version of Configuration Manager:

Configuration Manager current branch version 2002 or later, with in-console
update Configuration Manager 2002 Hotfix (KB4563473)
Configuration Manager technical preview 2003 or later

Supported Configuration Manager device platforms:

Windows 8.1 (x86, x64), starting in Configuration Manager version 2010
Windows 10 and later (x86, x64, ARM64)
Windows 11 and later (x86, x64, ARM64)
Windows Server 2012 R2 (x64), starting in Configuration Manager version 2010
Windows Server 2016 and later (x64)

Important

On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.

Set up Configuration Manager to support EDR policy

Before you can deploy EDR policies to Configuration Manager devices, complete the
configurations detailed in the following sections.

These configurations are made within the Configuration Manager console and to your
Configuration Manager deployment. If you're not familiar with Configuration Manager,
plan to work with a Configuration Manager admin to complete these tasks.

The following sections cover the required tasks:

1. Install the update for Configuration Manager
2. Enable tenant attach

Tip

To learn more about using Microsoft Defender for Endpoint with Configuration
Manager, see the following articles in the Configuration Manager content:

Onboard Configuration Manager clients to Microsoft Defender for Endpoint
via the Microsoft Intune admin center
Microsoft Intune tenant attach: Device sync and device actions

Task 1: Install the update for Configuration Manager

Configuration Manager version 2002 requires an update to support use with Endpoint
detection and response policies you deploy from the Microsoft Intune admin center.

Update details:

Configuration Manager 2002 Hotfix (KB4563473)

You'll find this update as an in-console update for Configuration Manager 2002.

To install this update, follow the guidance from Install in-console updates in the
Configuration Manager documentation.
After installing the update, return here to continue configuring your environment to
support EDR policy from the Microsoft Intune admin center.

Task 2: Configure tenant attach and synchronize collections

With Tenant attach you specify collections of devices from your Configuration Manager
deployment to synchronize with the Microsoft Intune admin center. After collections
synchronize, use the admin center to view information about those devices and to
deploy EDR policy from Intune to them.

For more information about the Tenant attach scenario, see Enable tenant attach in the
Configuration Manager content.

Enable tenant attach when co-management hasn't been enabled

Tip

You use the Co-management Configuration Wizard in the Configuration Manager
console to enable tenant attach, but you don't need to enable co-management.

If you're planning to enable co-management, be familiar with co-management, its
prerequisites, and how to manage workloads before you continue. See What is
co-management? in the Configuration Manager documentation.

1. In the Configuration Manager admin console, go to Administration > Overview >
Cloud Services > Co-management.
2. In the ribbon, click Configure co-management to open the wizard.
3. On the Tenant onboarding page, select AzurePublicCloud for your environment.
Azure Government cloud isn't supported.
a. Click Sign In. Use your Global Administrator account to sign in.

The following are supported for devices you manage with Intune:

Platform: Windows 10, Windows 11, and Windows Server - Intune deploys the
policy to devices in your Azure AD groups.
Profile: Endpoint detection and response

Create and deploy EDR policies

When you integrate your Microsoft Defender for Endpoint subscription with Intune, you
can create and deploy EDR policies. There are two distinct types of EDR policy you can
create. One policy type for devices you manage with Intune through MDM. The second
type is for devices you manage with Configuration Manager.

You choose the type of policy to create while configuring a new EDR policy, by choosing
a platform for the policy.

Before you can deploy policy to devices managed by Configuration Manager, set up
Configuration Manager to support EDR policy from the Microsoft Intune admin center.
See Configure tenant attach to support endpoint protection policies.

Tip

In addition to EDR policy, you can use device configuration policy to onboard
devices to Microsoft Defender for Endpoint. However, device configuration policies
don't support tenant attached devices.

When using multiple policies or policy types like device configuration policy and
endpoint detection and response policy to manage the same device settings (such as
onboarding to Defender for Endpoint), you can create policy conflicts for devices.
To learn more about conflicts, see Manage conflicts in the Manage security policies
article.

Create EDR policies

1. Sign in to the Microsoft Intune admin center .

2. Select Endpoint security > Endpoint detection and response > Create Policy.

3. Select the platform and profile for your policy. The following information identifies
your options:

Intune - Intune deploys the policy to devices in your Azure AD groups. When
you create the policy, select:
Platform: Windows 10, Windows 11, and Windows Server
Profile: Endpoint detection and response

Configuration Manager - Configuration Manager deploys the policy to
devices in your Configuration Manager collections. When you create the
policy, select:
Platform: Windows 10, Windows 11, and Windows Server (ConfigMgr)
Profile: Endpoint detection and response (ConfigMgr)

4. Select Create.

5. On the Basics page, enter a name and description for the profile, then choose
Next.

6. On the Configuration settings page, choose Auto from connector for Microsoft
Defender for Endpoint client configuration package type. Configure the Sample
Sharing and Telemetry Reporting Frequency settings you want to manage with
this profile.

Note

To onboard or offboard tenants using the onboarding file from the Microsoft
Defender for Endpoint portal, select either Onboard or Offboard and supply the
contents of the onboarding file to the input directly below the selection.

When you're done configuring settings, select Next.

7. This step only applies for the Endpoint detection and response profile and the
Windows 10, Windows 11, and Windows Server platform:

On the Scope tags page, choose Select scope tags to open the Select tags pane to
assign scope tags to the profile.

Select Next to continue.

8. On the Assignments page, select the groups or collections that will receive this
policy. The choice depends on the platform and profile you selected:

For Intune, you'll select groups from Azure AD.

For Configuration Manager, you'll select collections from Configuration
Manager that you've synced to Microsoft Intune admin center and enabled
for Microsoft Defender for Endpoint policy.

You can choose not to assign groups or collections at this time, and later edit the
policy to add an assignment.

When ready to continue, select Next.

9. On the Review + create page, when you're done, choose Create.

The new profile is displayed in the list when you select the policy type for the
profile you created.

Updating the onboarding state for a device

Organizations may need to update the onboarding information on a device via
Microsoft Intune.

This can be necessary due to a change in the onboarding payload for Microsoft
Defender for Endpoint, or when directed by Microsoft support.

Updating the onboarding information directs the device to start using the new
onboarding payload at its next restart.

Note

This information will not necessarily move a device between tenants without fully
offboarding the device from the original tenant. For options migrating devices
between Microsoft Defender for Endpoint organizations, engage Microsoft
Support.

Process to update the payload

1. Download the new Mobile Device Management New onboarding payload from
the Microsoft Defender for Endpoint console.

2. Create a New Group to validate the new policy's effectiveness.

3. Exclude the New Group from your existing EDR policy.

4. Create a New Endpoint Detection and Response policy, outlined in Create EDR
policies.

5. While creating the policy, select Onboard from the client package configuration
type, and specify the contents of the onboarding file from the Microsoft Defender
for Endpoint console.

6. Assign the policy to the new group created for validation.

7. Add existing devices to the validation group and ensure the changes work as
expected.

8. Expand the deployment gradually, eventually decommissioning the original policy.

Note

If previously using the Auto from connector option to retrieve the onboarding
information, engage Microsoft support to confirm the use of the new onboarding
information.

For organizations updating onboarding information at the direction of Microsoft
support, Microsoft will direct you when the connector has been updated to
leverage the new onboarding payload.

EDR policy reports

You can view details about the EDR policies you deploy in the Microsoft Intune admin
center. To view details, go to Endpoint security > Endpoint detection and response,
and select a policy for which you want to view compliance details:

For policies that target the Windows 10, Windows 11, and Windows Server
platform (Intune), you'll see an overview of compliance to the policy. You can also
select the chart to view a list of devices that received the policy, and drill-in to
individual devices for more details.

The chart for Devices with Defender for Endpoint sensor displays only devices
that successfully onboard to Microsoft Defender for Endpoint through use of the
Windows 10, Windows 11, and Windows Server profile. To ensure you have full
representation of your devices in this chart, deploy the onboarding profile to all
your devices. Devices that onboard to Microsoft Defender for Endpoint by external
means, like Group Policy or PowerShell, are counted as Devices without the
Defender for Endpoint sensor.

For policies that target the Windows 10, Windows 11, and Windows Server
(ConfigMgr) platform (Configuration Manager), you'll see an overview of
compliance to the policy but can't drill-in to view additional details. The view is
limited because the admin center receives limited status details from Configuration
Manager, which manages the deployment of the policy to Configuration Manager
devices.

Next steps
Configure Endpoint security policies
Learn more about endpoint detection and response in the Microsoft Defender for
Endpoint documentation.
View details for the settings in the deprecated Endpoint detection and response profile
for the Windows 10 and later platform:

Endpoint detection and response profile settings you can configure for both
platforms and profiles.

Firewall policy for endpoint security in Intune
Article • 03/15/2023

Use the endpoint security Firewall policy in Intune to configure the built-in firewall on
devices that run macOS or Windows.

While you can configure the same firewall settings by using Endpoint Protection profiles
for device configuration, the device configuration profiles include additional categories
of settings. These additional settings are unrelated to firewalls and can complicate the
task of configuring only firewall settings for your environment.

Find the endpoint security policies for firewalls under Manage in the Endpoint security
node of the Microsoft Intune admin center.

Prerequisites for Firewall profiles

Windows 10
Windows 11
Windows Server 2012 R2 or later
Any supported version of macOS

Firewall profiles

Devices managed by Intune

Platform: macOS:

macOS firewall – Enable and configure settings for the built-in firewall on macOS.

Platform: Windows 10, Windows 11, and Windows Server:

For information about configuring settings in the following profiles, see the Firewall
configuration service provider (CSP).

Microsoft Defender Firewall – Configure settings for Windows Defender Firewall
with Advanced Security. Windows Defender Firewall provides host-based, two-way
network traffic filtering for a device and can block unauthorized network traffic
flowing into or out of the local device.
Microsoft Defender Firewall rules - Define granular Firewall rules, including
specific ports, protocols, applications and networks, and to allow or block network
traffic. Each instance of this profile supports up to 150 custom rules.

Note

Beginning on April 5, 2022, the Windows 10 and later platform was replaced by the
Windows 10, Windows 11, and Windows Server platform.

The Windows 10, Windows 11, and Windows Server platform supports devices
communicating through Microsoft Intune or Microsoft Defender for Endpoint.
These profiles also add support for the Windows Server platform which is not
supported through Microsoft Intune natively.

Profiles for this new platform use the settings format as found in the Settings
Catalog. Each new profile template for this new platform includes the same settings
as the older profile template it replaces. With this change you can no longer create
new versions of the old profiles. Your existing instances of the old profile remain
available to use and edit.


Tip

Use of the Policy App Id setting, which is described in the
MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId CSP, requires that
your environment use Windows Defender Application Control (WDAC) tagging.
For more information see the following Windows Defender articles:
About application control for Windows
WDAC Application ID (AppId) Tagging guide

Add reusable settings groups to profiles for Firewall rules

In public preview, Microsoft Defender Firewall rule profiles support use of reusable
settings groups for the following platforms:

Windows 10 and Windows 11

The following firewall rule profile settings are available in reusable settings groups:

Remote IP address ranges
FQDN definitions and auto-resolution

When you configure a firewall rule to add one or more reusable settings groups, you'll
also configure the rule's Action to define how the settings in those groups are used.

Each rule you add to the profile can include both reusable settings groups and
individual settings that are added directly to the rule. However, consider using each rule
for either reusable settings groups or to manage settings you add directly to the rule.
This separation can help simplify future configurations or changes you might make.

For prerequisites and guidance on configuring reusable groups, and then adding them
to this profile, see Use reusable groups of settings with Intune policies.

Devices managed by Configuration Manager

Firewall

Support for devices managed by Configuration Manager is in Preview.

Manage Firewall policy settings for Configuration Manager devices, when you use
tenant attach.

Policy path:

Endpoint security > Firewall > Windows 10 and later

Profiles:

Microsoft Defender Firewall (ConfigMgr) (preview)

Required version of Configuration Manager:

Configuration Manager current branch version 2006 or later, with in-console
update Configuration Manager 2006 Hotfix (KB4578605)

Supported Configuration Manager device platforms:

Windows 11 and later (x86, x64, ARM64)
Windows 10 and later (x86, x64, ARM64)

Firewall rule mergers and policy conflicts

Plan for Firewall policies to be applied to a device using only one policy. Use of a single
policy instance and policy type helps avoid having two separate policies apply different
configurations to the same setting, which creates conflicts. When a conflict exists
between two policy instances or types of policy that manage the same setting with
different values, the setting isn't sent to the device.

That form of policy conflict applies to the Microsoft Defender Firewall profile,
which can conflict with other Microsoft Defender Firewall profiles, or a firewall
configuration that’s delivered by a different policy type, like device configuration.

Microsoft Defender Firewall profiles don't conflict with Microsoft Defender Firewall
rules profiles.

When you use Microsoft Defender Firewall rules profiles, you can apply multiple rules
profiles to the same device. However, when different rules exist for the same thing with
different configurations, both are sent to the device and create a conflict, on that device.

For example, if one rule blocks Teams.exe through the firewall and a second rule
allows Teams.exe, both rules are delivered to the client. This result is different from
conflicts created through other policies for Firewall settings.

When rules from multiple rules profiles don't conflict with each other, devices merge the
rules from each profile to create a combined firewall rule configuration on the device.
This behavior enables you to deploy more than the 150 rules that each individual profile
supports to a device.

For example, you have two Microsoft Defender Firewall rules profiles. The first
profile allows Teams.exe through the firewall. The second profile allows Outlook.exe
through the firewall. When a device receives both profiles, the device is configured
to allow both apps through the firewall.
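An added Python model, not Intune's own code, of the two behaviours this section describes: a Microsoft Defender Firewall (settings) profile drops any setting that two profiles configure differently, while Microsoft Defender Firewall rules profiles are merged and conflicting rules are both delivered. The setting names, profile names, rules, and the notion of a rule's "target" used to spot a conflict are constructed assumptions.

```python
"""Model of firewall profile merge and conflict behaviour in Intune endpoint
security policy. Added illustration, not Intune code; setting names, profile
names and rules are constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_RULES_PER_PROFILE = 150  # each rules profile supports up to 150 custom rules


@dataclass(frozen=True)
class FirewallRule:
    name: str
    app_path: str    # program the rule applies to (constructed sample values below)
    direction: str   # "in" or "out"
    action: str      # "allow" or "block"

    def target(self) -> Tuple[str, str]:
        # Assumption of this model: two rules are "for the same thing" when they
        # name the same program and direction; disagreeing actions then conflict.
        return (self.app_path.lower(), self.direction)


@dataclass
class RulesProfile:
    name: str
    rules: List[FirewallRule] = field(default_factory=list)


def merge_settings_profiles(profiles: Dict[str, Dict[str, object]]) -> Tuple[Dict[str, object], List[str]]:
    """Merge Microsoft Defender Firewall (settings) profiles for one device.

    A setting that two profiles configure with different values is a conflict,
    and a conflicted setting isn't sent to the device at all. Returns the
    settings that are delivered and the names of the settings that were dropped.
    """
    delivered: Dict[str, object] = {}
    conflicted = set()
    for settings in profiles.values():
        for key, value in settings.items():
            if key in delivered and delivered[key] != value:
                conflicted.add(key)
            delivered.setdefault(key, value)
    for key in conflicted:
        delivered.pop(key, None)   # neither value reaches the device
    return delivered, sorted(conflicted)


def merge_rules_profiles(profiles: List[RulesProfile]) -> Tuple[List[FirewallRule], List[Tuple[FirewallRule, FirewallRule]]]:
    """Merge Microsoft Defender Firewall rules profiles for one device.

    Rules that don't conflict simply add up, so a device can hold more rules
    than a single profile may contain. Rules that disagree on the same target
    are BOTH delivered to the device; they are returned as conflicts for review.
    """
    for profile in profiles:
        if len(profile.rules) > MAX_RULES_PER_PROFILE:
            raise ValueError(f"{profile.name}: {len(profile.rules)} rules exceeds {MAX_RULES_PER_PROFILE}")
    combined: List[FirewallRule] = []
    conflicts: List[Tuple[FirewallRule, FirewallRule]] = []
    seen: Dict[Tuple[str, str], List[FirewallRule]] = {}
    for profile in profiles:
        for rule in profile.rules:
            for earlier in seen.get(rule.target(), []):
                if earlier.action != rule.action:
                    conflicts.append((earlier, rule))
            seen.setdefault(rule.target(), []).append(rule)
            combined.append(rule)   # delivered whether or not it conflicts
    return combined, conflicts


# Constructed sample data (not real tenant policy).
SETTINGS_PROFILES = {
    "Firewall baseline": {"firewall_enabled": True, "stealth_mode": True},
    "Firewall legacy": {"firewall_enabled": False, "log_dropped_packets": True},
}
RULES_PROFILES = [
    RulesProfile("Allow Teams", [FirewallRule("Teams inbound", "Teams.exe", "in", "allow")]),
    RulesProfile("Allow Outlook", [FirewallRule("Outlook inbound", "Outlook.exe", "in", "allow")]),
    RulesProfile("Block Teams", [FirewallRule("Teams inbound block", "teams.exe", "in", "block")]),
]

if __name__ == "__main__":
    delivered, dropped = merge_settings_profiles(SETTINGS_PROFILES)
    print("settings delivered:", delivered, "dropped:", dropped)
    combined, conflicts = merge_rules_profiles(RULES_PROFILES)
    print(f"{len(combined)} rules delivered, {len(conflicts)} conflicting pair(s)")
    for earlier, later in conflicts:
        print(f"  conflict: {earlier.name} ({earlier.action}) vs {later.name} ({later.action})")
```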

Firewall policy reports

The reports for Firewall policy display status details about the firewall status for your
managed devices. Firewall reports support managed devices that run the following
operating systems.

Windows 10/11

Summary

Summary is the default view when you open the Firewall node. Open the Microsoft
Intune admin center, and then go to Endpoint security > Firewall > Summary.

This view provides:

An aggregate count of devices that have the firewall turned off.
A list of your Firewall policies, including the name, type, if it's assigned, and when it
was last modified.

MDM devices running Windows 10 or later with firewall off

This report is located in the Endpoint security node. Open the Microsoft Intune admin
center, and then go to Endpoint security > Firewall > MDM devices running
Windows 10 or later with firewall off.

Data is reported through the Windows DeviceStatus CSP, and identifies each device
where the Firewall is off. By default, visible details include:

Device name
Firewall status
User principal name
Target (The method of device management)
Last check-in time

MDM Firewall status for Windows 10 and later

This organizational report is also described in Intune Reports.

As an organizational report, this report is available from the Reports node. Open the
Microsoft Intune admin center, and then go to Reports > Firewall > MDM Firewall
status for Windows 10 and later.

Data is reported through the Windows DeviceStatus CSP, and reports on the status of
the firewall on your managed devices. You can filter returns for this report by using one
or more of the status detail categories.

Status details include:

Enabled – The firewall is on, and successfully reporting.
Disabled - The firewall is turned off.
Limited – The firewall isn't monitoring all networks, or some rules are turned off.
Temporarily Disabled (default) – The firewall is temporarily not monitoring all
networks.
Not applicable – The device doesn't support firewall reporting.

Investigate issues for Firewall rules

To learn more about Firewall rules in Intune, and how to troubleshoot common
problems, see the following Intune Customer Success blog:

How to trace and troubleshoot the Intune Endpoint Security Firewall rule creation
process

Additional common firewall rule issues:

Event Viewer: RemotePortRanges or LocalPortRanges "The parameter is incorrect"

Verify configured ranges are ascending (Example: 1-5 is correct, 5-1 will cause this
error)
Verify configured ranges are within the overall port range of 0-65535
If either remote port ranges or local port ranges are configured in a rule, protocol
must also be configured with 6 (TCP) or 17 (UDP)

Event Viewer: "...Name), Result: (The parameter is incorrect)"

If edge traversal is enabled in a rule, the rule direction must be set to "This rule
applies to inbound traffic".

Event Viewer: "...InterfaceTypes), Result: (The parameter is incorrect)"

If "All" interface type is enabled in a rule, the other interface types must not be
selected.
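An added Python pre-flight check, not Intune's or Windows' own code, that tests a rule against the causes listed above before it is deployed; the dictionary keys follow the CSP node names that appear in the Event Viewer messages above, while the direction and interface-type values are assumptions.

```python
"""Pre-flight checks for a Microsoft Defender Firewall rule against the common
causes of 'The parameter is incorrect' listed above. Added illustration, not
Intune or Windows code. Dictionary keys follow the CSP node names from the
Event Viewer messages; direction and interface-type values are assumptions."""
from typing import Dict, List

TCP, UDP = 6, 17               # the only protocols accepted with port ranges
PORT_MIN, PORT_MAX = 0, 65535  # overall port range
INBOUND = "in"                 # assumed value for an inbound rule direction


def port_range_errors(spec: str) -> List[str]:
    """Check a comma-separated port list such as '80,443,1000-2000'."""
    errors: List[str] = []
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            errors.append("empty entry in port list")
            continue
        try:
            ports = [int(p) for p in token.split("-")]
        except ValueError:
            errors.append(f"'{token}' is not a port or port range")
            continue
        if len(ports) > 2:
            errors.append(f"'{token}' is not a port or port range")
            continue
        # Every port must lie inside the overall range 0-65535.
        if any(p < PORT_MIN or p > PORT_MAX for p in ports):
            errors.append(f"'{token}' is outside {PORT_MIN}-{PORT_MAX}")
        # Ranges must be ascending: 1-5 is correct, 5-1 triggers the error.
        if len(ports) == 2 and ports[0] > ports[1]:
            errors.append(f"'{token}' must be ascending (use {ports[1]}-{ports[0]})")
    return errors


def validate_rule(rule: Dict[str, object]) -> List[str]:
    """Return a list of problems; an empty list means the rule passes."""
    errors: List[str] = []
    has_ports = False
    for key in ("LocalPortRanges", "RemotePortRanges"):
        spec = rule.get(key)
        if spec:
            has_ports = True
            errors += [f"{key}: {e}" for e in port_range_errors(str(spec))]
    # Any local or remote port range requires Protocol 6 (TCP) or 17 (UDP).
    if has_ports and rule.get("Protocol") not in (TCP, UDP):
        errors.append("Protocol: port ranges require Protocol 6 (TCP) or 17 (UDP)")
    # Edge traversal is only valid when the rule applies to inbound traffic.
    if rule.get("EdgeTraversal") and rule.get("Direction") != INBOUND:
        errors.append("EdgeTraversal: rule direction must be inbound")
    # The "All" interface type cannot be combined with specific interface types.
    types = set(rule.get("InterfaceTypes") or [])
    if "All" in types and len(types) > 1:
        errors.append("InterfaceTypes: 'All' must not be combined with other interface types")
    return errors


# Constructed sample rules exercising each documented failure and one clean rule.
SAMPLE_RULES = {
    "descending range": {"RemotePortRanges": "5-1", "Protocol": TCP},
    "port out of range": {"LocalPortRanges": "70000", "Protocol": UDP},
    "ports without protocol": {"RemotePortRanges": "443"},
    "edge traversal outbound": {"EdgeTraversal": True, "Direction": "out"},
    "All plus Lan": {"InterfaceTypes": ["All", "Lan"]},
    "clean": {"RemotePortRanges": "80,443,1000-2000", "Protocol": TCP,
              "Direction": INBOUND, "EdgeTraversal": True, "InterfaceTypes": ["All"]},
}

if __name__ == "__main__":
    for label, rule in SAMPLE_RULES.items():
        problems = validate_rule(rule)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```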

Next steps
Configure Endpoint security policies

View details for the settings in the deprecated Firewall profiles for the Windows 10 and
later platform:

Firewall profile settings.

Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune
Article • 03/21/2023

You can integrate Microsoft Defender for Endpoint with Microsoft Intune as a Mobile
Threat Defense solution. Integration can help you prevent security breaches and limit
the impact of breaches within an organization.

Microsoft Defender for Endpoint works with devices that run:

Android
iOS/iPadOS
Windows 10
Windows 11
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Windows Server Semi-Annual Enterprise Channel
Windows Server 2019 and later
Windows Server 2019 Core edition
Windows Server 2022

To be successful, you'll use the following configurations in concert:

Establish a service-to-service connection between Intune and Microsoft
Defender for Endpoint. This connection lets Microsoft Defender for Endpoint
collect data about machine risk from supported devices you manage with Intune.
Use a device configuration profile to onboard devices with Microsoft Defender
for Endpoint. You onboard devices to configure them to communicate with
Microsoft Defender for Endpoint and to provide data that helps assess their risk
level.
Use a device compliance policy to set the level of risk you want to allow. Risk
levels are reported by Microsoft Defender for Endpoint. Devices that exceed the
allowed risk level are identified as noncompliant.
Use a conditional access policy to block users from accessing corporate resources
from devices that are noncompliant.

When you integrate Intune with Microsoft Defender for Endpoint, you can take
advantage of Microsoft Defender for Endpoint's Threat & Vulnerability Management
(TVM) and use Intune to remediate endpoint weaknesses identified by TVM.

Example of using Microsoft Defender for Endpoint with Intune

The following example helps explain how these solutions work together to help protect
your organization. For this example, Microsoft Defender for Endpoint and Intune are
already integrated.

Consider an event where someone sends a Word attachment with embedded malicious
code to a user within your organization.

The user opens the attachment, and enables the content.
An elevated privilege attack starts, and an attacker from a remote machine has
admin rights to the victim's device.
The attacker then remotely accesses the user's other devices. This security breach
can impact the entire organization.

Microsoft Defender for Endpoint can help resolve security events like this scenario.

In our example, Microsoft Defender for Endpoint detects that the device executed
abnormal code, experienced a process privilege escalation, injected malicious
code, and issued a suspicious remote shell.
Based on these actions from the device, Microsoft Defender for Endpoint classifies
the device as high-risk and includes a detailed report of suspicious activity in the
Microsoft Defender Security Center portal.

Because you have an Intune device compliance policy to classify devices with a Medium
or High level of risk as noncompliant, the compromised device is classified as
noncompliant. This classification allows your conditional access policy to kick in and
block access from that device to your corporate resources.

For devices that run Android, you can use Intune policy to modify the configuration of
Microsoft Defender for Endpoint on Android. For more information, see Microsoft
Defender for Endpoint web protection.

Prerequisites
Subscriptions:

To use Microsoft Defender for Endpoint with Intune, you must have the following
subscriptions:

Microsoft Defender for Endpoint - This subscription provides you access to the
Microsoft Defender Security Center (ATP portal).

For Defender for Endpoint licensing options, see Licensing requirements in
Minimum requirements for Microsoft Defender for Endpoint and How to set up a
Microsoft 365 E5 Trial Subscription.

Microsoft Intune – A Microsoft Intune Plan 1 subscription provides access to Intune
and the Microsoft Intune admin center.

For Intune licensing options, see Microsoft Intune licensing.

Devices managed with Intune:

The following platforms are supported for Intune with Microsoft Defender for Endpoint:

Android
iOS/iPadOS
Windows 10/11 (Hybrid Azure Active Directory Joined or Azure Active Directory
Joined)

For the system requirements for Microsoft Defender for Endpoint, see Minimum
requirements for Microsoft Defender for Endpoint.

Next steps
To connect Microsoft Defender for Endpoint to Intune, onboard devices, and
configure conditional access policies, see Configure Microsoft Defender for
Endpoint in Intune.

Learn more from the Intune documentation:

Use security tasks with Defender for Endpoint's Vulnerability Management to
remediate issues on devices
Get started with device compliance policies

Learn more from the Microsoft Defender for Endpoint documentation:

Microsoft Defender for Endpoint Conditional Access
Microsoft Defender for Endpoint risk dashboard
Configure Microsoft Defender for
Endpoint in Intune
Article • 03/01/2023

Use the information and procedures in this article to configure integration of Microsoft
Defender for Endpoint with Intune. Configuration includes the following general steps:

Enable Microsoft Defender for Endpoint for your tenant
Onboard devices that run Android, iOS/iPadOS, and Windows 10/11
Use compliance policies to set device risk levels
Use conditional access policies to block devices that exceed your expected risk
levels
For Android and iOS/iPadOS, use app protection policies that set device risk levels.
App protection policies work with both enrolled and unenrolled devices.

Before you start, your environment must meet the prerequisites to use Microsoft
Defender for Endpoint with Intune.

In addition to managing settings for Microsoft Defender for Endpoint on devices you
manage with Intune, you can manage Defender for Endpoint security configurations on
devices that aren’t enrolled with Intune. This scenario is called Security Management for
Microsoft Defender for Endpoint and requires configuring the Allow Microsoft Defender
for Endpoint to enforce Endpoint Security Configurations toggle to On. For more
information, see MDE Security Configuration Management.

Enable Microsoft Defender for Endpoint in Intune
The first step you take is to set up the service-to-service connection between Intune and
Microsoft Defender for Endpoint. Setup requires administrative access to both the
Microsoft Defender Security Center and to Intune.

You only need to enable Microsoft Defender for Endpoint a single time per tenant.

To enable Microsoft Defender for Endpoint

1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Microsoft Defender for Endpoint, and then select
Open the Microsoft Defender Security Center.
This opens the Microsoft 365 Defender portal at security.microsoft.com, which
replaces the use of the previous portal at securitycenter.windows.com.

Tip

If the Connection status at the top of the page is already set to Enabled, the
connection to Intune has already been made, and the admin center displays
different UI than in the following screen shot. In this event, you can use the
link Open the Microsoft Defender for Endpoint admin console to open the
Microsoft Defender Security Center and use the guidance in the following
step to confirm that the Microsoft Intune connection is set to On.

3. In Microsoft 365 Defender (previously the Microsoft Defender Security Center):

a. Select Settings > Endpoints > Advanced features.

b. For Microsoft Intune connection, choose On:

c. Select Save preferences.

Note

Once the connection is established, the services are expected to sync with
each other at least once every 24 hours. The number of days without sync
until the connection is considered unresponsive is configurable in the
Microsoft Intune admin center. Select Endpoint security > Microsoft
Defender for Endpoint > Number of days until partner is unresponsive.

4. Return to the Microsoft Defender for Endpoint page in the Microsoft Intune admin
center.

a. To use Defender for Endpoint with compliance policies, configure the following
under MDM Compliance Policy Settings for the platforms you support:

Set Connect Android devices to Microsoft Defender for Endpoint to On
Set Connect iOS devices to Microsoft Defender for Endpoint to On
Set Connect Windows devices to Microsoft Defender for Endpoint to On

When these configurations are On, applicable devices that you manage with
Intune, and devices you enroll in the future, are connected to Microsoft
Defender for Endpoint for compliance.

For iOS devices, Defender for Endpoint also supports the following settings that
help provide the Vulnerability Assessment of apps on Microsoft Defender for
Endpoint for iOS. For more information about using the following two settings,
see Configure vulnerability assessment of apps.

Enable App Sync for iOS Devices: Set to On to allow Defender for
Endpoint to request metadata of iOS applications from Intune to use for
threat analysis purposes. The iOS device must be MDM-enrolled and will
provide updated app data during device check-in.

Send full application inventory data on personally-owned iOS/iPadOS
Devices: This setting controls the application inventory data that Intune
shares with Defender for Endpoint when Defender for Endpoint syncs app
data and requests the app inventory list.

When set to On, Defender for Endpoint can request a list of applications
from Intune for personally-owned iOS/iPadOS devices. This includes
unmanaged apps and apps that were deployed through Intune.

When set to Off, data about unmanaged apps isn’t provided. Intune does
share data for the apps that were deployed through Intune.

For more information, see Mobile Threat Defense toggle options.

b. To use Defender for Endpoint with app protection policies, configure the
following under App Protection Policy Settings for the platforms you support.
These capabilities are available for Android and iOS/iPadOS.

Set Connect Android devices to Microsoft Defender for Endpoint for app
protection policy evaluation to On.
Set Connect iOS devices to Microsoft Defender for Endpoint for app
protection policy evaluation to On.

To set up integration with Microsoft Defender for Endpoint for compliance and app
protection policy evaluation, you must have a role that includes the Mobile Threat
Defense permission in Intune. The Endpoint Security Manager built-in admin role
for Intune includes this permission. For more information about both MDM
Compliance Policy Settings and App Protection Policy Settings, see Mobile Threat
Defense toggle options.

5. Select Save.

Tip

When you integrate a new application to Intune Mobile Threat Defense and enable
the connection to Intune, Intune creates a classic conditional access policy in Azure
Active Directory. Each MTD app you integrate, including Microsoft Defender for
Endpoint or any of our additional MTD partners, creates a new classic conditional
access policy. These policies can be ignored, but should not be edited, deleted, or
disabled.

If the classic policy is deleted, you will need to delete the connection to Intune that
was responsible for its creation, and then set it up again. This recreates the classic
policy. It's not supported to migrate classic policies for MTD apps to the new policy
type for conditional access.

Classic conditional access policies for MTD apps:

Are used by Intune MTD to require that devices are registered in Azure AD so
that they have a device ID before communicating to MTD partners. The ID is
required so that devices can successfully report their status to Intune.
Have no effect on any other Cloud apps or Resources.
Are distinct from conditional access policies you might create to help manage
MTD.
By default, don't interact with other conditional access policies you use for
evaluation.
To view classic conditional access policies, in Azure, go to Azure Active Directory
> Conditional Access > Classic policies.

Onboard devices
When you enabled support for Microsoft Defender for Endpoint in Intune, you
established a service-to-service connection between Intune and Microsoft Defender for
Endpoint. You can then onboard devices you manage with Intune to Microsoft Defender
for Endpoint. Onboarding enables collection of data about device risk levels.

When onboarding devices, be sure to use the most recent version of Microsoft Defender for
Endpoint for each platform.

Onboard Windows devices


After you connect Intune and Microsoft Defender for Endpoint, Intune receives an
onboarding configuration package from Microsoft Defender for Endpoint. You use a
device configuration profile for Microsoft Defender for Endpoint to deploy the package
to your Windows devices.

The configuration package configures devices to communicate with Microsoft Defender
for Endpoint services to scan files and detect threats. The device also reports its risk level
to Microsoft Defender for Endpoint based on your compliance policies.

After onboarding a device using the configuration package, you don't need to do it
again.

You can also onboard devices using:

Endpoint detection and response (EDR) policy. Intune EDR policy is part of
endpoint security in Intune. Use EDR policies to configure device security without
the overhead of the larger body of settings found in device configuration profiles.
You can also use EDR policy with tenant attached devices, which are devices you
manage with Configuration Manager.

To view the onboarded devices from Microsoft Defender for Endpoint within the
Microsoft Defender for Endpoint connector page, you need an Intune role with the
Microsoft Defender ATP permission.

When you configure EDR policy after connecting Intune and Microsoft Defender for
Endpoint, the policy setting Microsoft Defender for Endpoint client configuration package
type has a new configuration option: Auto from connector. With this option, Intune
automatically gets the onboarding package (blob) from your Defender for Endpoint
deployment, replacing the need to manually configure an Onboard package.

Group policy or Microsoft Configuration Manager.

Tip

When using multiple policies or policy types like device configuration policy and
endpoint detection and response policy to manage the same device settings (such as
onboarding to Defender for Endpoint), you can create policy conflicts for devices.
To learn more about conflicts, see Manage conflicts in the Manage security policies
article.

Create the device configuration profile to onboard Windows devices
1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Endpoint detection and response > Create Policy.

3. For Platform, select Windows 10 and Later.

4. For Profile type, select Endpoint detection and response, and then select Create.

5. On the Basics page, enter a Name and Description (optional) for the profile, then
choose Next.

6. On the Configuration settings page, configure the following options for Endpoint
Detection and Response:

Sample sharing for all files: Returns or sets the Microsoft Defender for
Endpoint Sample Sharing configuration parameter.
Expedite telemetry reporting frequency: For devices that are at high risk,
Enable this setting so it reports telemetry to the Microsoft Defender for
Endpoint service more frequently.

Onboard Windows machines using Microsoft Configuration Manager has more
details on the Microsoft Defender for Endpoint settings.

Note

The preceding screen capture shows your configuration options after you’ve
configured a connection between Intune and Microsoft Defender for
Endpoint. When connected, the details for the onboarding and offboarding
blobs are automatically generated and transferred to Intune.

If you haven’t configured this connection successfully, the setting Microsoft
Defender for Endpoint client configuration package type displays with options
to specify onboarding and offboarding blobs.

7. Select Next to open the Scope tags page. Scope tags are optional. Select Next to
continue.

8. On the Assignments page, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.

When you deploy to user groups, a user must sign in on a device before the policy
applies and the device can onboard to Defender for Endpoint.

Select Next.

9. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list when you select the policy type for the profile you created.

Onboard macOS devices


After you establish the service-to-service connection between Intune and Microsoft
Defender for Endpoint, you can onboard macOS devices to Microsoft Defender for
Endpoint. Onboarding configures devices to communicate with Microsoft Defender for
Endpoint, which then collects data about the device's risk level.

For configuration guidance for Intune, see Microsoft Defender for Endpoint for macOS.

For more information about Microsoft Defender for Endpoint for Mac, including what's
new in the latest release, see Microsoft Defender for Endpoint for Mac in the Microsoft
365 security documentation.

Onboard Android devices


After you establish the service-to-service connection between Intune and Microsoft
Defender for Endpoint, you can onboard Android devices to Microsoft Defender for
Endpoint. Onboarding configures devices to communicate with Defender for Endpoint,
which then collects data about the device's risk level.

There isn't a configuration package for devices that run Android. Instead, see Overview
of Microsoft Defender for Endpoint for Android in the Microsoft Defender for Endpoint
documentation for the prerequisites and onboarding instructions for Android.

For devices that run Android, you can also use Intune policy to modify Microsoft
Defender for Endpoint on Android. For more information, see Microsoft Defender for
Endpoint web protection.

Onboard iOS/iPadOS devices


After you establish the service-to-service connection between Intune and Microsoft
Defender for Endpoint, you can onboard iOS/iPadOS devices to Microsoft Defender for
Endpoint. Onboarding configures devices to communicate with Defender for Endpoint,
which then collects data about the device's risk level.

There isn't a configuration package for devices that run iOS/iPadOS. Instead, see
Overview of Microsoft Defender for Endpoint for iOS in the Microsoft Defender for
Endpoint documentation for prerequisites and onboarding instructions for iOS/iPadOS.

For devices that run iOS/iPadOS in Supervised Mode, Defender for Endpoint has extra
capabilities because the platform provides increased management capabilities on these
devices. To take advantage of these capabilities, the Defender app needs to know whether a
device is in Supervised Mode. Intune allows you to configure the Defender for iOS app
through an App Configuration policy (for managed devices) that, as a best practice, should
be targeted to all iOS devices. For more information, see Complete deployment for
supervised devices.

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > App configuration policies > Managed devices.

3. On the Basics page, enter a Name and Description (optional) for the profile, select
Platform as iOS/iPadOS then choose Next.

4. Select Targeted app as Microsoft Defender for iOS.

5. On the Settings page, set the Configuration key to issupervised, the Value type to
string, and the Configuration value to {{issupervised}}.

6. Select Next to open the Scope tags page. Scope tags are optional. Select Next to
continue.

7. On the Assignments page, select the groups that will receive this profile. For this
scenario, it's a best practice to target All Devices. For more information on
assigning profiles, see Assign user and device profiles.

When deploying to user groups, a user must sign-in on a device before the policy
applies.

Select Next.

8. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list of configuration profiles.

Further, for devices that run iOS/iPadOS in Supervised Mode, the Defender for iOS
team has made available a custom .mobileconfig profile to deploy to iPad/iOS devices.
The .mobileconfig profile is used to analyze network traffic to ensure a safe
browsing experience, a feature of Defender for iOS.

1. Download the .mobileconfig profile, which is hosted at
https://aka.ms/mdatpiossupervisedprofile.

2. Sign in to the Microsoft Intune admin center.

3. Select Devices > Configuration profiles > Create profile.

4. For Platform, select iOS/iPadOS.

5. For Profile type, select Custom, and then select Create.

6. On the Basics page, enter a Name and Description (optional) for the profile, then
choose Next.

7. Enter a Configuration profile name, and select a .mobileconfig file to Upload.

8. Select Next to open the Scope tags page. Scope tags are optional. Select Next to
continue.

9. On the Assignments page, select the groups that will receive this profile. For this
scenario, it's a best practice to target All Devices. For more information on
assigning profiles, see Assign user and device profiles.

When you deploy to user groups, a user must sign in on a device before the policy
applies.

Select Next.

10. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list of configuration profiles.

Create and assign compliance policy to set device risk level
For Android, iOS/iPadOS, and Windows devices, the compliance policy determines the
level of risk that you consider as acceptable for a device.

If you're not familiar with creating compliance policy, reference the Create a policy
procedure from the Create a compliance policy in Microsoft Intune article. The following
information is specific to configuring Microsoft Defender for Endpoint as part of a
compliance policy.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Compliance policies > Policies > Create Policy.

3. For Platform, use the drop-down box to select one of the following options:

Android device administrator
Android Enterprise
iOS/iPadOS
Windows 10 and later

Next, select Create to open the Create policy configuration window.

4. Specify a Name that helps you identify this policy later. You can also choose to
specify a Description.

5. On the Compliance settings tab, expand the Microsoft Defender for Endpoint
group and set the option Require the device to be at or under the machine risk
score to your preferred level.

Threat level classifications are determined by Microsoft Defender for Endpoint.

Clear: This level is the most secure. The device can't have any existing threats
and still access company resources. If any threats are found, the device is
evaluated as noncompliant. (Microsoft Defender for Endpoint uses the value
Secure.)
Low: The device is compliant if only low-level threats exist. Devices with
medium or high threat levels aren't compliant.
Medium: The device is compliant if the threats found on the device are low or
medium. If high-level threats are detected, the device is determined as
noncompliant.
High: This level is the least secure and allows all threat levels. Devices with
high, medium, or low threat levels are considered compliant.

6. Complete the configuration of the policy, including assignment of the policy to
applicable groups.

Create and assign app protection policy to set device risk level
Follow the procedure to create an app protection policy for either iOS/iPadOS or
Android, and use the following information on the Apps, Conditional launch, and
Assignments pages:

Apps: Select the apps you wish to be targeted by app protection policies. For this
feature set, these apps are blocked or selectively wiped based on device risk
assessment from your chosen Mobile Threat Defense vendor.

Conditional launch: Below Device conditions, use the drop-down box to select Max
allowed device threat level.

Options for the threat level Value:

Secured: This level is the most secure. The device can't have any threats present
and still access company resources. If any threats are found, the device is
evaluated as noncompliant.
Low: The device is compliant if only low-level threats are present. Anything
higher puts the device in a noncompliant status.
Medium: The device is compliant if the threats found on the device are low or
medium level. If high-level threats are detected, the device is determined as
noncompliant.
High: This level is the least secure and allows all threat levels, using Mobile
Threat Defense for reporting purposes only. Devices are required to have the
MTD app activated with this setting.

Options for Action:

Block access
Wipe data

Assignments: Assign the policy to groups of users. The devices used by the
group's members are evaluated for access to corporate data on targeted apps via
Intune app protection.

Important

If you create an app protection policy for any protected app, the device's threat
level is assessed. Depending on the configuration, devices that don’t meet an
acceptable level are either blocked or selectively wiped through conditional launch.
If blocked, they are prevented from accessing corporate resources until the threat
on the device is resolved and reported to Intune by the chosen MTD vendor.

Create a conditional access policy


Conditional access policies can use data from Microsoft Defender for Endpoint to block
access to resources for devices that exceed the threat level you set. You can block access
from the device to corporate resources, such as SharePoint or Exchange Online.

Tip

Conditional access is an Azure Active Directory (Azure AD) technology. The
Conditional access node found in the Microsoft Intune admin center is the node
from Azure AD.

1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Conditional Access > New policy.

3. Enter a policy Name and select Users and groups. Use the Include or Exclude
options to add your groups for the policy, and then select Done.

4. Select Cloud apps, and then choose which apps to protect. For example, choose
Select apps, and select Office 365 SharePoint Online and Office 365 Exchange
Online.

Select Done to save your changes.

5. Select Conditions > Client apps to apply the policy to apps and browsers. For
example, select Yes, and then enable Browser and Mobile apps and desktop
clients.

Select Done to save your changes.

6. Select Grant to apply Conditional Access based on device compliance. For
example, select Grant access > Require device to be marked as compliant.

Choose Select to save your changes.

7. Select Enable policy, and then Create to save your changes.
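
The compliance policy threshold, the app protection conditional launch setting, and the conditional access grant control described above form one chain: the Defender for Endpoint machine risk score is compared against the policy level, the result marks the device compliant or noncompliant, and the grant control turns that mark into an access decision. The following Python, an added example that is not code from the Intune documentation or from Intune itself, models that chain over a constructed sample fleet so the outcome for each device can be checked before a policy is rolled out. The ordering Secure < Low < Medium < High, the mapping of the policy's Clear level to Defender's Secure value, and the Block access / Wipe data actions follow the text; device names, risk scores and all helper names are this example's own, and the evaluator accepts any of the four policy levels rather than only the Medium threshold used in the article's scenario.

```python
"""Trace a Defender for Endpoint machine risk score through an Intune compliance
policy, an app protection policy and a conditional access grant control.

Added example; not code from the Intune documentation or from Intune itself.
Device records and policy settings below are constructed sample data."""
from dataclasses import dataclass
from enum import IntEnum


class ThreatLevel(IntEnum):
    """Ordered threat levels. Defender for Endpoint reports "Secure"; the
    compliance policy UI shows the same level as "Clear"."""
    SECURE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Compliance policy wording -> threat level ("Clear" is Defender's "Secure")
COMPLIANCE_LEVEL_NAMES = {
    "Clear": ThreatLevel.SECURE,
    "Low": ThreatLevel.LOW,
    "Medium": ThreatLevel.MEDIUM,
    "High": ThreatLevel.HIGH,
}


@dataclass(frozen=True)
class Device:
    name: str
    platform: str
    machine_risk: ThreatLevel  # risk score reported by Defender for Endpoint


def is_compliant(device: Device, max_allowed: str) -> bool:
    """'Require the device to be at or under the machine risk score'.
    'High' allows every level, so that setting is reporting-only."""
    return device.machine_risk <= COMPLIANCE_LEVEL_NAMES[max_allowed]


def conditional_access_allows(device: Device, max_allowed: str,
                              require_compliant: bool = True) -> bool:
    """Grant control 'Require device to be marked as compliant' on the cloud app.
    Without that control the device risk never reaches the access decision."""
    return is_compliant(device, max_allowed) or not require_compliant


def app_protection_action(device: Device, max_allowed: str, action: str) -> str:
    """Conditional launch 'Max allowed device threat level' for a protected app.
    Returns 'allow', or the configured action ('Block access' / 'Wipe data')."""
    if action not in ("Block access", "Wipe data"):
        raise ValueError(f"unsupported action: {action}")
    if device.machine_risk <= COMPLIANCE_LEVEL_NAMES[max_allowed]:
        return "allow"
    return action


def evaluate_fleet(devices, compliance_max, app_max, app_action):
    """Per-device outcome for the three controls, keyed by device name.
    App protection policies apply to iOS/iPadOS and Android only."""
    outcome = {}
    for d in devices:
        outcome[d.name] = {
            "compliant": is_compliant(d, compliance_max),
            "cloud_app_access": conditional_access_allows(d, compliance_max),
            "app_protection": (app_protection_action(d, app_max, app_action)
                               if d.platform in ("iOS/iPadOS", "Android") else "n/a"),
        }
    return outcome


# Constructed sample fleet: the HIGH device mirrors the article's scenario
# (privilege escalation, code injection, remote shell -> classified high-risk).
SAMPLE_DEVICES = [
    Device("win-finance-01", "Windows", ThreatLevel.HIGH),
    Device("win-hr-02", "Windows", ThreatLevel.LOW),
    Device("iphone-sales-03", "iOS/iPadOS", ThreatLevel.MEDIUM),
    Device("android-ops-04", "Android", ThreatLevel.SECURE),
]

if __name__ == "__main__":
    # Medium compliance threshold (as in the article), Low threshold for protected apps
    for name, result in evaluate_fleet(SAMPLE_DEVICES, "Medium", "Low", "Block access").items():
        print(name, result)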

Next steps
Configure Microsoft Defender for Endpoint settings on Android
Monitor compliance for risk levels

Learn more from the Intune documentation:

Use security tasks with Defender for Endpoint's Vulnerability Management to
remediate issues on devices
Get started with device compliance policies
App protection policies overview

Learn more from the Microsoft Defender for Endpoint documentation:

Microsoft Defender for Endpoint Conditional Access
Microsoft Defender for Endpoint risk dashboard
Configure Microsoft Defender for
Endpoint on Android devices managed
by Intune
Article • 02/22/2023

When you integrate Microsoft Intune and Microsoft Defender for Endpoint, you can use
device configuration profiles to modify some Defender for Endpoint settings on Android
devices.

Before you begin, you must successfully configure Microsoft Defender for Endpoint in
Intune and onboard Android devices to Defender for Endpoint.

Configure web protection on devices that run Android
By default, Microsoft Defender for Endpoint for Android includes and enables the web
protection feature. Web protection helps to secure devices against web threats and
protect users from phishing attacks.

While this protection is enabled by default, there are valid reasons to disable it on some
Android devices. For example, you might decide to use only the Defender for Endpoint
app scan feature or to prevent web protection from using your VPN while it scans for
harmful URLs.

Intune allows you to turn off all or part of the web protection feature. The method you
use and the capabilities you can disable depend on how the Android device is enrolled
with Intune:

Android device administrator. Use a configuration profile to set custom OMA-URI
settings on the device that disable the entire web protection feature or that disable
only the use of VPNs. For general information about custom settings for Android
devices, see Custom settings.

Android Enterprise personally owned work profile. Use an app configuration
profile and the configuration designer to disable web protection. This method and
enrollment type support disabling all web protection capabilities but don't support
disabling only the use of VPNs. For general information about app configuration
policies, see Use the configuration designer.

Android Enterprise Fully Managed profile. Use an app configuration profile and
the configuration designer to disable the entire web protection feature or to
disable only the use of VPNs.

To configure web protection on devices, use the following procedures to create and
deploy the applicable configuration.

Disable web protection for Android device administrator


1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter these settings:

Platform: Select Android device administrator.
Profile: Select Custom.

Select Create.

4. In Basics, enter these details:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, Android custom profile for
Defender for Endpoint web protection.
Description: Enter a description for the profile. This setting is optional but
recommended.

5. In Configuration settings, select Add.

Specify settings for the configuration you want to deploy:

Disable web protection:

Name: Enter a unique name for this OMA-URI setting so you can find it
easily. For example, Disable Defender for Endpoint web protection.
Description: (Optional) Enter a description that provides an overview of
the setting and any other important details.
OMA-URI: Enter ./Vendor/MSFT/DefenderATP/AntiPhishing.
Data type: Select Integer in the drop-down list.
Value: Enter 0 to disable web protection, including the VPN-based scan.

Note

Enter 1 to enable web protection. This setting is the default.

Disable only the use of VPN by web protection:

Name: Enter a unique name for this OMA-URI setting so you can find it
easily. For example, Disable Microsoft Defender for Endpoint web
protection VPN.
Description: (Optional) Enter a description that provides an overview of
the setting and any other important details.
OMA-URI: Enter ./Vendor/MSFT/DefenderATP/Vpn.
Data type: Select Integer in the drop-down list.
Value: Enter 0 to disable the VPN-based scan.

Note

Enter 1 to enable VPN-based scan. This setting is the default.

Select Add to save the OMA-URI settings configuration, and then select Next to
continue.

6. In Assignments, specify the groups that will receive the profile. For more
information on assigning profiles, see Assign user and device profiles.

7. In Review + create, when you're done, select Create. The new profile is displayed
in the list when you select the policy type for the profile you created.

Disable web protection for the Android Enterprise personally owned work profile

Note

You can't disable web protection for the Android Enterprise personally owned work
profile if you've configured the Auto Setup of Always-on VPN device
configuration policy on the enrolled devices.

1. Sign in to the Microsoft Intune admin center.

2. Select Apps > App configuration policies > Add, and then select Managed
devices.

3. In Basics, enter these details:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, Android app configuration for
Microsoft Defender for Endpoint web protection.
Description: Enter a description for the profile. This setting is optional but
recommended.
Platform: Select Android Enterprise.
Profile Type: Select Personally-Owned Work Profile Only.
Targeted app: Click Select app.

4. In Associated app, find and select Defender for Endpoint, and then select OK >
Next.

5. In Settings, in Configuration settings format, select Use configuration designer,
and then select Add. The JSON editor opens.

6. Find and select configuration keys Anti-Phishing and VPN, and then select OK to
return to the Settings page.

7. For the Configuration values of both configuration keys (Anti-Phishing and VPN),
enter 0 to disable web protection.

Note

The Web Protection configuration key is deprecated. If you've used this key in
the past, complete the previous steps to re-configure the setting by setting
the keys Anti-Phishing and VPN to enable or disable web protection.

Note

Enter 1 for both configuration values (Anti-Phishing and VPN) to enable web
protection. This setting is the default.

Select Next to continue.

8. In Assignments, specify the groups that will receive the profile. For more
information on assigning profiles, see Assign user and device profiles.

9. In Review + create, when you're done, select Create. The new profile is displayed
in the list when you select the policy type for the profile you created.

Disable web protection for the Android Enterprise Fully Managed profile
1. Complete the same configuration steps described previously, and add web
protection configuration keys Anti-phishing and VPN. The only difference is the
Profile Type value. For this value, select Fully Managed, Dedicated, and
Corporate-Owned Work Profile Only.

To disable web protection, enter 0 for configuration values Anti-Phishing and
VPN.
To disable only the use of VPN by web protection, enter these configuration
values:
0 for VPN
1 for Anti-Phishing

Note

You can't disable VPN for the Android Enterprise Fully Managed profile if
you've configured the Auto Setup of Always-on VPN device configuration
policy on the enrolled devices.

Note

Enter 1 for both configuration values (Anti-Phishing and VPN) to enable web
protection. This setting is the default.

Select Next to continue.

2. In Assignments, specify the groups that will receive the profile. For more
information on assigning profiles, see Assign user and device profiles.

3. In Review + create, when you're done, select Create. The new profile is displayed in
the list when you select the policy type for the profile you
created.
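
The three procedures above all come down to the same two integer values: AntiPhishing (the Anti-Phishing key in the configuration designer) and Vpn (the VPN key), each 1 by default and 0 to disable, with the combinations 0/0 (disable web protection), 1/0 (disable only the VPN-based scan) and 1/1 (default). The following Python, an added example that is not code from the Intune documentation or from Intune itself, builds the device administrator custom profile for a chosen combination and audits an existing profile to report which combination it actually enforces and whether its entries are malformed, which is the check an admin wants before a profile that weakens web protection reaches a large group. The request-body shape (an androidCustomConfiguration with omaSettingInteger entries) is an assumption about the Microsoft Graph deviceConfigurations resource and is only constructed here, never sent; the OMA-URIs are the two given in the text, and the mode and helper names are this example's own.

```python
"""Build, and audit, the Android device administrator custom profile that turns
Defender for Endpoint web protection (and its VPN-based scan) on or off through
the two OMA-URI settings named in the article.

Added example; not code from the Intune documentation or from Intune itself. The
request-body shape (androidCustomConfiguration with omaSettingInteger entries)
is an assumption about the Microsoft Graph deviceConfigurations resource and is
only constructed here, never sent."""
import json

ANTIPHISHING_URI = "./Vendor/MSFT/DefenderATP/AntiPhishing"
VPN_URI = "./Vendor/MSFT/DefenderATP/Vpn"

# Value combinations from the article: 1 = enabled (default), 0 = disabled.
MODES = {
    "default": {ANTIPHISHING_URI: 1, VPN_URI: 1},
    "disable_web_protection": {ANTIPHISHING_URI: 0, VPN_URI: 0},
    "disable_vpn_only": {ANTIPHISHING_URI: 1, VPN_URI: 0},
}


def build_profile(display_name: str, mode: str) -> dict:
    """Return a deviceConfigurations request body (assumed Graph shape) for `mode`."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}; expected one of {sorted(MODES)}")
    oma_settings = [
        {
            "@odata.type": "#microsoft.graph.omaSettingInteger",
            "displayName": f"Defender for Endpoint {uri.rsplit('/', 1)[-1]}",
            "description": f"Web protection mode: {mode}",
            "omaUri": uri,
            "value": value,
        }
        for uri, value in MODES[mode].items()
    ]
    return {
        "@odata.type": "#microsoft.graph.androidCustomConfiguration",
        "displayName": display_name,
        "omaSettings": oma_settings,
    }


def audit_profile(profile: dict) -> tuple[str, list[str]]:
    """Classify an existing profile's effective web protection mode and flag
    malformed entries. A setting the profile omits keeps the default (1)."""
    values: dict[str, int] = {}
    problems: list[str] = []
    for setting in profile.get("omaSettings", []):
        uri = setting.get("omaUri")
        if uri not in (ANTIPHISHING_URI, VPN_URI):
            continue  # unrelated OMA-URI in the same profile
        value = setting.get("value")
        if (setting.get("@odata.type") != "#microsoft.graph.omaSettingInteger"
                or isinstance(value, bool) or not isinstance(value, int)
                or value not in (0, 1)):
            problems.append(f"{uri}: expected integer 0 or 1, got {value!r}")
            continue
        if uri in values and values[uri] != value:
            problems.append(f"{uri}: conflicting values {values[uri]} and {value}")
        values[uri] = value
    if not values:
        return "not_configured", problems
    anti_phishing = values.get(ANTIPHISHING_URI, 1)
    vpn = values.get(VPN_URI, 1)
    # AntiPhishing = 0 disables web protection including the VPN-based scan.
    if anti_phishing == 0:
        return "disable_web_protection", problems
    if vpn == 0:
        return "disable_vpn_only", problems
    return "default", problems


if __name__ == "__main__":
    body = build_profile("Android custom profile for Defender web protection",
                         "disable_vpn_only")
    print(json.dumps(body, indent=2))
    print(audit_profile(body))
```

The audit treats a string "0" (the wrong Data type in the OMA-URI dialog) as a problem rather than as a disabled setting, because the device will not apply it as the integer the text calls for; a profile that sets only AntiPhishing to 0 is reported as disabling web protection entirely, matching the article's note that 0 there also turns off the VPN-based scan.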

Next steps
Monitor compliance for risk levels

Use security tasks with Defender for Endpoint's Vulnerability Management to
remediate problems on devices

Learn more from the Microsoft Defender for Endpoint documentation:

Microsoft Defender for Endpoint Conditional Access
Microsoft Defender for Endpoint risk dashboard
Monitor device status when you
integrate Microsoft Defender for
Endpoint with Intune
Article • 02/22/2023

When you integrate Microsoft Intune and Microsoft Defender for Endpoint, you can
view information about device compliance and onboarding in the Microsoft Intune
admin center.

Monitor device compliance

Monitor the state of devices that have the Microsoft Defender for Endpoint compliance
policy.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Monitor > Policy compliance.

3. Find your Microsoft Defender for Endpoint policy in the list, and see which devices
are compliant or noncompliant.

You can also use the operational report for noncompliant devices from the same
location:

Select Devices > Monitor > Noncompliant devices.

For more information about reports, see Intune reports.

View onboarding status

To view the onboarding status of your Intune-managed devices, go to Endpoint security
> Microsoft Defender for Endpoint. From this page, you can also create a device
configuration profile to onboard more devices to Microsoft Defender for Endpoint.

Next steps
Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in
Intune
Manage Microsoft Defender for Endpoint on devices with Microsoft Intune
Article • 08/14/2023

When you use Microsoft Defender for Endpoint, you can deploy policies from Microsoft
Intune to manage the Defender security settings on the devices you’ve onboarded to
Defender without enrolling those devices with Intune. This capability is known as
Defender for Endpoint security settings management.

The following describes behavior that is generally available.

Note

Beginning in July of 2023, an opt-in public preview for security settings
management is available. To view content that reflects the capabilities of the opt-in
public preview, select the Opt-in Public Preview option.

You can opt-in to the public preview by enabling the use of Preview features from
within the Microsoft 365 Defender portal . For more information on this, see
Microsoft Defender for Endpoint preview features in the Defender
documentation.

When you manage devices through security settings management without participation
in the public preview:

You use the Microsoft Intune admin center to configure endpoint security policies
for Defender for Endpoint and assign those policies to Azure AD groups
Devices get the policies based on their Azure Active Directory device object. A
device that isn’t already present in Azure Active Directory is joined as part of this
solution
When a device receives a policy, the Defender for Endpoint components on the
device enforce the policy and report on the device's status. The device's status is
available in the Microsoft Intune admin center

This scenario extends the Microsoft Intune Endpoint Security surface to devices that
aren't capable of enrolling in Intune. When a device is managed by Intune (enrolled to
Intune) the device won't process policies for Security Management for Microsoft
Defender for Endpoint. Instead, use Intune to deploy policy for Defender for Endpoint to
your devices.

Applies to:

Windows 10
Windows 11

Prerequisites
Review the following sections for the requirements of the Defender for Endpoint security
settings management scenario.

Environment
When a supported device onboards to Microsoft Defender for Endpoint:

The device is surveyed for an existing Microsoft Intune presence, which is a mobile
device management (MDM) enrollment to Intune.
Devices without an Intune presence enable the security settings management
feature.
A trust is created with Azure Active Directory if one doesn't already exist.
Policies retrieved from Microsoft Intune are enforced on the device by Microsoft
Defender for Endpoint.

Active Directory requirements

When a device that is domain joined creates a trust with Azure Active Directory, this
scenario is referred to as a Hybrid Azure Active Directory Join scenario. Security settings
management fully supports this scenario with the following requirements:

Azure Active Directory Connect (Azure AD Connect) must be synchronized to the
tenant that is used by Microsoft Defender for Endpoint.
Hybrid Azure Active Directory Join must be configured in your environment (either
through Federation or Azure AD Connect Sync).
Azure AD Connect Sync must include the device objects in scope for
synchronization with Azure Active Directory (when needed for join).
Azure AD Connect rules for sync must be modified for Server 2012 R2 (when
support for Server 2012 R2 is needed).
All devices must register in the Azure Active Directory of the tenant that hosts
Microsoft Defender for Endpoint. Cross-tenant scenarios aren't supported.

Note

If a device is deleted (from either Azure AD or the on-premises Active Directory), or
the device is shifted to a different organizational unit (OU) that isn’t synchronized
by Azure AD Connect, the device's record is removed from Azure AD and the group
membership is also removed. As a result, Intune policies no longer target the
device.

If the device was part of a dynamic Azure AD group, the policy targeting the device
will be resolved within a minimum of 48 hours. However, if the device was targeted
as part of a static Azure AD group, administrators will need to go back and retarget
the device.

This is a known issue with Azure AD.

Connectivity requirements
Devices must have access to the following endpoints:

enterpriseregistration.windows.net - For Azure AD registration.

login.microsoftonline.com - For Azure AD registration.

*.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints
that are used for enrollment, check-in, and reporting, and which can change as the
service scales.

Note

You need to configure an endpoint system-wide proxy in an environment that is
not connected to the internet. Use of only the EDR static proxy configuration is not
sufficient.

If your organization uses Secure Socket Layer (SSL) inspection, the endpoints
should be excluded from inspection.

Supported platforms
Policies for Microsoft Defender for Endpoint security management are supported for the
following device platforms:

Windows:

Windows 10 Professional/Enterprise (with KB5006738)
Windows 11 Professional/Enterprise
Windows Server 2012 R2 with Microsoft Defender for Down-Level Devices
Windows Server 2016 with Microsoft Defender for Down-Level Devices
Windows Server 2019 (with KB5006744)
Windows Server 2022 (with KB5006745)

Security settings management doesn't work on and is not supported with the following:

Non-persistent desktops, like Virtual Desktop Infrastructure (VDI) clients or Azure
Virtual Desktops.
Domain Controllers

Important

In some cases, domain controllers that run a down-level server operating system
(2012 R2 or 2016) can unintentionally be managed by Microsoft Defender for
Endpoint. To ensure that this doesn't happen in your environment, we recommend
making sure your domain controllers are neither tagged "MDE-Management" nor
managed by MDE.

Licensing and subscriptions

To use security settings management, you need:

A subscription that grants licenses for Microsoft Defender for Endpoint, like
Microsoft 365, or a standalone license for only Microsoft Defender for Endpoint. A
subscription that grants Microsoft Defender for Endpoint licenses also grants your
tenant access to the Endpoint security node of the Microsoft Intune admin center.

Note

Exception: If you have access to Microsoft Defender for Endpoint only
through Microsoft Defender for servers (part of Microsoft Defender for Cloud,
formerly Azure Security Center), the security settings management
functionality isn't available. You will need to have at least one Microsoft
Defender for Endpoint (user) subscription license active.

The Endpoint security node is where you configure and deploy policies to manage
Microsoft Defender for Endpoint for your devices and monitor device status.

For current information about options, see Minimum requirements for Microsoft
Defender for Endpoint.

Architecture
The following diagram is a conceptual representation of the Microsoft Defender for
Endpoint security configuration management solution.

1. Devices onboard to Microsoft Defender for Endpoint.
2. A trust is established between each device and Azure AD. When a device has an
existing trust, it uses that trust. When devices haven't registered, a new trust is
created.
3. Devices use their Azure AD Identity to communicate with Intune. This identity
enables Microsoft Intune to distribute policies that are targeted to the devices
when they check in.
4. Defender for Endpoint reports the status of the policy back to Microsoft Intune.

Which solution should I use?

Microsoft Intune includes several methods and policy types to manage the
configuration of Defender for Endpoint on devices. The following table identifies the
Intune policies and profiles that support deployment to devices managed by Defender
for Endpoint security settings management and can help you identify if this solution is
right for your needs.

When you deploy an endpoint security policy that’s supported for both Defender for
Endpoint security settings management and Microsoft Intune, a single instance of that
policy can be processed by devices supported through security settings management
(Microsoft Defender), and by devices that are managed by either Intune or
Configuration Manager.

Profiles for the Windows 10 and later platform aren't supported for devices managed by
security settings management.

| Endpoint security policy | Platform | Profile | Defender for Endpoint security settings management | Microsoft Intune |
|---|---|---|---|---|
| Antivirus | Windows 10, Windows 11, and Windows Server | Antivirus | Supported | Supported |
| Antivirus | Windows 10, Windows 11, and Windows Server | Antivirus Exclusions | Supported | Supported |
| Attack Surface Reduction | Windows 10, Windows 11, and Windows Server | Attack Surface Reduction Rules | Supported | Supported |
| Endpoint detection and response | Windows 10, Windows 11, and Windows Server | Endpoint detection and response | Supported | Supported |
| Firewall | Windows 10, Windows 11, and Windows Server | Firewall | Supported | Supported |
| Firewall | Windows 10, Windows 11, and Windows Server | Firewall Rules | Supported | Supported |

Endpoint security policies are discrete groups of settings intended for use by security
admins who focus on protecting devices in your organization. The following are
descriptions of the policies that support security settings management:

Antivirus policies manage the security configurations found in Microsoft Defender
for Endpoint. See antivirus policy for endpoint security.

Attack surface reduction (ASR) policies focus on minimizing the places where your
organization is vulnerable to cyberthreats and attacks. With security settings
management, ASR rules apply to devices that run Windows 10, Windows 11, and
Windows Server. For more information, see:
Overview of attack surface reduction in the Windows Threat protection
documentation.
ASR rules supported operating systems in the Windows Threat protection
documentation.
Attack surface reduction policy for endpoint security, in the Intune
documentation.

Endpoint detection and response (EDR) policies manage the Defender for
Endpoint capabilities that provide advanced attack detections that are near real-
time and actionable. Based on EDR configurations, security analysts can prioritize
alerts effectively, gain visibility into the full scope of a breach, and take response
actions to remediate threats. See endpoint detection and response policy for
endpoint security.

Firewall policies focus on the Defender firewall on your devices. See firewall policy
for endpoint security.

Firewall Rules configure granular rules for Firewalls, including specific ports,
protocols, applications, and networks. See firewall policy for endpoint security.

Configure your tenant to support Defender for Endpoint security settings management
To support security settings management through the Microsoft Intune admin center,
you must enable communication between them from within each console.

The following sections guide you through that process.

Configure Microsoft Defender for Endpoint

In the Microsoft Defender for Endpoint portal, as a security admin, your account needs at
minimum the permissions to view and edit security settings (Manage security settings in
Security Center).

1. Sign in to Microsoft 365 Defender portal and go to Settings > Endpoints >
Configuration Management > Enforcement Scope and enable the platforms for
security settings management.

2. Initially, we recommend testing the feature for each platform by selecting the
platforms option for On tagged devices, and then tagging the devices with the
MDE-Management tag.

3. Configure the feature for Microsoft Defender for Cloud onboarded devices and
Configuration Manager authority settings to fit your organization's needs:


 Tip

Use the proper device tags to test and validate your rollout on a small number
of devices. Without using pilot mode, any device that falls into the scope
configured will automatically be enrolled.

4. Make sure the relevant users have permissions to manage endpoint security
settings in Microsoft Intune. If not already provided, ask your IT administrator to
grant the applicable users Microsoft Intune's Endpoint Security Manager built-in
RBAC role.

Configure Intune
In the Microsoft Intune admin center, your account needs permissions equal to the
Endpoint Security Manager built-in role-based access control (RBAC) role.

1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Microsoft Defender for Endpoint, and set Allow
Microsoft Defender for Endpoint to enforce Endpoint Security Configurations to
On.

When you set this option to On, all devices in the platform scope for Microsoft
Defender for Endpoint that aren't managed by Microsoft Intune qualify to onboard
to Microsoft Defender for Endpoint.

Onboard devices to Microsoft Defender for Endpoint
Microsoft Defender for Endpoint supports several options to onboard devices. For
current guidance, see Onboard devices and configure Microsoft Defender for Endpoint
capabilities in the Defender for Endpoint documentation.

Coexistence with Microsoft Configuration Manager
In some environments, you might want to use security settings management with
devices managed by Configuration Manager. If you use both, you’ll need to control
policy through a single channel, as using more than one channel creates the opportunity
for conflicts and undesired results.

To support this, configure the Manage Security settings using Configuration Manager
toggle to Off. Sign in to the Microsoft 365 Defender portal and go to Settings >
Endpoints > Configuration Management > Enforcement Scope:

Create Azure AD Groups

After devices onboard to Defender for Endpoint, you'll need to create device groups to
support deployment of policy for Microsoft Defender for Endpoint. To identify devices
that have enrolled with Microsoft Defender for Endpoint but aren't managed by Intune
or Configuration Manager:

1. Sign in to the Microsoft Intune admin center.

2. Go to Devices > All devices, and then select the column Managed by to sort the
view of devices. Devices that onboard to Microsoft Defender for Endpoint and have
registered but aren't managed by Intune display Microsoft Defender for Endpoint in
the Managed by column. These are the devices that can receive policies for security
settings management.

You can also find two labels for devices that are using security management for
Microsoft Defender for Endpoint:

MDEJoined - Added to devices that are joined to the directory as part of this
scenario.
MDEManaged - Added to devices that are actively using the security
management scenario. This tag is removed from the device if Defender for
Endpoint stops managing the security configuration.

You can create groups for these devices in Azure AD or from within the Microsoft Intune
admin center. When creating groups, you can use the OS value for a device if you're
deploying policies to devices running Windows Server vs devices that run a client
version of Windows:

Windows 10 and Windows 11 - The deviceType or OS displays as Windows
Windows Server - The deviceType or OS displays as Windows Server

Important

In May 2023, deviceType updated to distinguish between Windows clients and
Windows Servers.

Custom scripts and Azure AD dynamic device groups created before this change
that specify rules that reference only Windows might exclude Windows Servers
when used with the Security Management for Microsoft Defender for Endpoint
solution. For example:

If you have a rule that uses the equals or not equals operator to identify
Windows, this change will affect your rule. That is because previously both
Windows and Windows Server were reported as Windows. To continue to
include both, you must update the rule to also reference Windows Server.
If you have a rule that uses the contains or like operator to specify Windows,
then the rule won’t be affected by this change. These operators can find both
Windows and Windows Server.
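As an added example (not part of the Intune documentation), the following PowerShell flags dynamic membership rules that test the OS with an equality operator, rewrites them to also reference Windows Server, and runs both operator styles over constructed device records. It assumes the rule refers to the OS through the device.deviceOSType property, which the article does not name, and the Get-MgGroup call in the trailing comment assumes the Microsoft Graph PowerShell SDK.

```powershell
# Added example (not from the Intune documentation): flag dynamic device group
# membership rules that test the OS with -eq or -ne "Windows", which no longer
# match Windows Server devices after the May 2023 deviceType change, rewrite
# them as the article advises, and show both operators against constructed
# device records. Assumption: the rule references the OS through the
# device.deviceOSType property (the property name is not stated on the page).

function Test-WindowsOnlyRule {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$MembershipRule)

    # An equality test against the single value "Windows" is the brittle case;
    # "Windows Server" is not matched because the closing quote follows "Windows".
    $brittle = '(?i)device\.deviceOSType\s+-(eq|ne)\s+"Windows"'
    return [bool]($MembershipRule -match $brittle)
}

function Repair-WindowsOnlyRule {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$MembershipRule)

    # -eq "Windows" becomes an OR of both OS values; -ne "Windows" becomes an
    # AND that excludes both, so the rule's intent is preserved for servers.
    $eqPattern = '(?i)\(?\s*device\.deviceOSType\s+-eq\s+"Windows"\s*\)?'
    $eqFix     = '((device.deviceOSType -eq "Windows") -or (device.deviceOSType -eq "Windows Server"))'
    $nePattern = '(?i)\(?\s*device\.deviceOSType\s+-ne\s+"Windows"\s*\)?'
    $neFix     = '((device.deviceOSType -ne "Windows") -and (device.deviceOSType -ne "Windows Server"))'

    $fixed = $MembershipRule -replace $eqPattern, $eqFix
    $fixed = $fixed -replace $nePattern, $neFix
    return $fixed
}

function Select-DevicesByOsRule {
    param(
        [Parameter(Mandatory)][object[]]$Devices,
        [Parameter(Mandatory)][ValidateSet('eq', 'contains')][string]$Operator
    )
    # Local stand-in for the two operator families the article contrasts:
    # -eq needs the exact value, contains/like find "Windows" inside "Windows Server".
    switch ($Operator) {
        'eq'       { $Devices | Where-Object { $_.deviceOSType -eq 'Windows' } }
        'contains' { $Devices | Where-Object { $_.deviceOSType -like '*Windows*' } }
    }
}

# Constructed sample records for the demonstration; not real tenant data.
$sampleDevices = @(
    [pscustomobject]@{ displayName = 'CLIENT01'; deviceOSType = 'Windows' }
    [pscustomobject]@{ displayName = 'SRV01';    deviceOSType = 'Windows Server' }
    [pscustomobject]@{ displayName = 'PHONE01';  deviceOSType = 'Android' }
)

# Constructed rule of the kind a group created before May 2023 might still carry.
$rule = '(device.deviceOSType -eq "Windows") -and (device.deviceOwnership -eq "Company")'

if (Test-WindowsOnlyRule -MembershipRule $rule) {
    Write-Output "Brittle rule:  $rule"
    Write-Output "Suggested:     $(Repair-WindowsOnlyRule -MembershipRule $rule)"
}

# The -eq style drops SRV01; the contains style keeps both Windows devices and
# still leaves the Android device out.
Write-Output ('-eq matches:      ' + ((Select-DevicesByOsRule $sampleDevices 'eq').displayName -join ', '))
Write-Output ('contains matches: ' + ((Select-DevicesByOsRule $sampleDevices 'contains').displayName -join ', '))

# To audit the real rules in a tenant (assumption: Microsoft Graph PowerShell SDK,
# connected with Group.Read.All), feed each membershipRule to Test-WindowsOnlyRule:
#   Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" -Property displayName,membershipRule |
#       Where-Object { Test-WindowsOnlyRule -MembershipRule $_.MembershipRule }
```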

Tip
Users that are delegated the ability to manage endpoint security settings may not
have the ability to implement tenant-wide configurations in Microsoft Intune.
Check with your Intune administrator for more information on roles and
permissions in your organization.

Deploy policy
After creating one or more Azure AD groups that contain devices managed by Microsoft
Defender for Endpoint, you can create and deploy the following policies for security
settings management to those groups. The policies and profiles available vary by
platform.

For the list of policy and profile combinations supported for security settings
management, see the chart in Which solution should I use? earlier in this article.

Tip

Avoid deploying multiple policies that manage the same setting to a device.

Microsoft Intune supports deploying multiple instances of each endpoint security
policy type to the same device, with each policy instance being received by the
device separately. Therefore, a device might receive separate configurations for the
same setting from different policies, which results in a conflict. Some settings (like
Antivirus Exclusions) will merge on the client and apply successfully.

1. Sign in to the Microsoft Intune admin center.

2. Go to Endpoint security, select the type of policy you want to configure, and then
select Create Policy.

3. For the policy, select the Platform and the Profile that you want to deploy. For a list
of the Platforms and Profiles that support security settings management, see the
chart in Which solution should I use? earlier in this article.

Note

The supported profiles apply to devices that communicate through Mobile
Device Management (MDM) with Microsoft Intune and devices that
communicate using the Microsoft Defender for Endpoint client.

Ensure you review your targeting and groups as necessary.

4. Select Create.

5. On the Basics page, enter a name and description for the profile, then choose
Next.

6. On the Configuration settings page, select the settings you want to manage with
this profile.

To learn more about a setting, expand its information dialog and select the Learn
more link to view the on-line Configuration Service Provider (CSP) documentation
or related details, for that setting.

When you're done configuring settings, select Next.

7. On the Assignments page, select the Azure AD groups that will receive this profile.
For more information on assigning profiles, see Assign user and device profiles.

Select Next to continue.

Tip

Assignment filters are not supported for devices managed by security
settings management.
Only Device Objects are applicable for Microsoft Defender for Endpoint
management. Targeting users is not supported.
Policies configured will apply to both Microsoft Intune and Microsoft
Defender for Endpoint clients.

8. Complete the policy creation process and then on the Review + create page,
select Create. The new profile is displayed in the list when you select the policy
type for the profile you created.

9. Wait for the policy to be assigned and view a success indication that policy was
applied.

10. You can validate that settings have applied locally on the client by using the
Get-MpPreference PowerShell cmdlet.
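To make step 10 concrete, here is an added PowerShell example (not from the Intune documentation) that compares Get-MpPreference output with the values a profile was expected to set and reports the Tamper Protection state, since Tamper Protected settings stay unchanged while it is on. The expected values and the offline sample object are constructed, and the function names are this example's own.

```powershell
# Added example (not from the Intune documentation): compare the Defender settings
# that Get-MpPreference reports locally with the values an endpoint security
# profile was expected to apply, and show whether Tamper Protection is on.
# Assumption: the expected values and the offline sample object below are
# constructed for illustration; substitute the settings from your own profile.

function Compare-MpExpected {
    [CmdletBinding()]
    param(
        # Get-MpPreference property names mapped to the values the policy should have set.
        [Parameter(Mandatory)][hashtable]$Expected,
        # Injected for offline runs; defaults to the live Get-MpPreference output.
        [object]$Preference = (Get-MpPreference)
    )
    foreach ($name in $Expected.Keys) {
        $want   = $Expected[$name]
        $actual = $Preference.$name
        if ($want -is [array]) {
            # List-valued settings (exclusions, ASR rule IDs) are compared as sets:
            # the client merges exclusions from several policies, so order is irrelevant.
            $wantSet   = @($want | ForEach-Object { "$_" })
            $actualSet = @($actual | Where-Object { $null -ne $_ } | ForEach-Object { "$_" })
            $missing   = @($wantSet | Where-Object { $actualSet -notcontains $_ })
            $applied   = ($wantSet.Count -eq $actualSet.Count) -and ($missing.Count -eq 0)
        } else {
            $applied = ($actual -eq $want)
        }
        [pscustomobject]@{
            Setting  = $name
            Expected = ($want -join ', ')
            Actual   = ($actual -join ', ')
            Applied  = $applied
        }
    }
}

function Get-TamperProtectionState {
    # Get-MpComputerStatus reports whether Tamper Protection is enforced on this device;
    # a mismatch on a Tamper Protected setting is expected while it is on.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        IsTamperProtected = $status.IsTamperProtected
        AMRunningMode     = $status.AMRunningMode
    }
}

# Constructed expectations of the kind an antivirus profile would set.
$expected = @{
    DisableRealtimeMonitoring = $false
    PUAProtection             = 1     # 1 = Enabled
    MAPSReporting             = 2     # 2 = Advanced
    EnableNetworkProtection   = 1     # 1 = Enabled
    ExclusionPath             = @('C:\ConstructedApp\data', 'D:\ConstructedBackups')
}

# Offline run against a constructed object in which one setting has drifted
# (EnableNetworkProtection) and the exclusion list is merely reordered.
$sample = [pscustomobject]@{
    DisableRealtimeMonitoring = $false
    PUAProtection             = 1
    MAPSReporting             = 2
    EnableNetworkProtection   = 0
    ExclusionPath             = @('D:\ConstructedBackups', 'C:\ConstructedApp\data')
}
Compare-MpExpected -Expected $expected -Preference $sample | Format-Table -AutoSize

# Live run on a managed client: show only the settings that did not apply, then
# check whether Tamper Protection explains any of them.
Compare-MpExpected -Expected $expected | Where-Object { -not $_.Applied } | Format-Table -AutoSize
Get-TamperProtectionState
```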

Monitor status
Status and reports for policies that target devices in this channel are available from the
policy node under Endpoint security in the Microsoft Intune admin center.
Drill in to the policy type and then select the policy to view its status. You can view the
list of platforms, policy types, and profiles that support security settings management in
the table in Which solution should I use?, earlier in this article.

When you select a policy, you can view information about the device check-in status,
and can select:

View report - View a list of devices that received the policy. You can select a device
to drill in and see its per-setting status. You can then select a setting to view more
information about it, including other policies that manage that same setting, which
could be a source of conflict.

Per setting status - View the settings that are managed by the policy, and a count
of success, errors, or conflicts for each setting.

Frequently asked questions and considerations

Device check-in frequency

Devices managed by this capability check in with Microsoft Intune every 90 minutes to
update policy.

You can manually sync a device on-demand from the Microsoft 365 Defender portal.
Sign in to the portal and go to Devices. Select a device that is managed by Microsoft
Defender for Endpoint, and then select the Policy sync button:

The Policy sync button only appears for devices that are successfully managed by
Microsoft Defender for Endpoint.

Devices protected by Tamper Protection
If a device has Tamper Protection turned on, it isn't possible to edit the values of Tamper
Protected settings without disabling Tamper Protection first.

Assignment Filters and security settings management

Assignment filters aren't supported for devices communicating through the Microsoft
Defender for Endpoint channel. While assignment filters can be added to a policy that
could target these devices, the devices ignore assignment filters. For assignment filter
support, the device must be enrolled in to Microsoft Intune.

Deleting and removing devices

You can delete devices that use this flow using one of two methods:

From within the Microsoft Intune admin center go to Devices > All devices,
select a device that displays either MDEJoined or MDEManaged in the Managed by
column, and then select Delete.
You can also remove devices from the scope of Configuration Management in the
Security Center.

Once a device is removed from either location, that change propagates to the other
service.

Unable to enable the Security Management for Microsoft Defender for Endpoint workload in Endpoint Security
Most initial provisioning flows are typically completed by an Administrator of both
services (such as a Global Administrator). There are some scenarios where Role-based
Administration is used to customize the permissions of administrators. Today, individuals
who are delegated the Endpoint Security Manager role might not have the necessary
permissions to enable this feature.

Active Directory joined devices

Devices that are joined to Active Directory use their existing infrastructure to complete
the Hybrid Azure Active Directory join process. While the Defender for Endpoint
component starts this process, the join action uses your Federation provider or Azure
Active Directory Connect (Azure AD Connect) to complete the join. Review Plan your
hybrid Azure Active Directory join implementation to learn more about configuring your
environment.

To troubleshoot Azure Active Directory onboarding issues, see Troubleshoot Security
Configuration Management Azure Active Directory onboarding issues.

Unsupported security settings

The following security settings are pending deprecation. The Defender for Endpoint
security settings management flow doesn't support these settings:

Expedite telemetry reporting frequency (under Endpoint Detection and Response)
AllowIntrusionPreventionSystem (under Antivirus)

Use of security settings management on domain controllers
Because an Azure Active Directory trust is required, domain controllers aren't currently
supported. We're looking at ways to add this support.

Important

In some cases, domain controllers that run a down-level server operating system
(2012 R2 or 2016) can unintentionally be managed by Microsoft Defender for
Endpoint. To ensure that this doesn't happen in your environment, we recommend
making sure your domain controllers are neither tagged "MDE-Management" nor
managed by MDE.

Server Core installation

Due to the platform limitations of Server Core installations, these aren't supported by
security settings management.

PowerShell restrict mode

Security settings management won't work for a device that has PowerShell
LanguageMode configured with ConstrainedLanguage mode enabled. For more
information, see about_Language_Modes in the PowerShell documentation.
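The considerations above (connectivity requirements, domain controllers, Server Core, and PowerShell language mode) can be checked on a candidate device with the following added PowerShell script, which is not part of the Intune documentation. The function name is this example's own, and the *.dm.microsoft.com wildcard is represented by a placeholder host you replace with the one your proxy logs show the device contacting.

```powershell
# Added example (not from the Intune documentation): a local readiness check for a
# device you intend to manage through security settings management. It tests the
# conditions this article calls out: not a domain controller, not a Server Core
# installation, PowerShell not in ConstrainedLanguage mode, the Azure AD registration
# state, and TCP 443 reachability of the registration endpoints.
# Assumptions: the function and check names are this example's own; the
# *.dm.microsoft.com wildcard is represented by a placeholder host.

function Test-MdeSettingsManagementReadiness {
    [CmdletBinding()]
    param(
        [string[]]$Endpoints = @(
            'enterpriseregistration.windows.net',
            'login.microsoftonline.com',
            'REPLACE-WITH-HOST.dm.microsoft.com'   # placeholder for the *.dm.microsoft.com wildcard
        )
    )
    $checks = @()

    # Domain controllers are unsupported: DomainRole 4 (backup DC) or 5 (primary DC).
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $checks += [pscustomobject]@{
        Check = 'Not a domain controller'; Pass = ($role -notin 4, 5); Detail = "DomainRole=$role"
    }

    # Server Core installations are unsupported; InstallationType reports 'Server Core'.
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    $checks += [pscustomobject]@{
        Check = 'Not Server Core'; Pass = ($installType -ne 'Server Core'); Detail = "InstallationType=$installType"
    }

    # ConstrainedLanguage mode breaks the flow (see about_Language_Modes).
    $mode = $ExecutionContext.SessionState.LanguageMode
    $checks += [pscustomobject]@{
        Check = 'PowerShell language mode'; Pass = ($mode -ne 'ConstrainedLanguage'); Detail = "LanguageMode=$mode"
    }

    # Azure AD join/registration state as reported by dsregcmd (absent on older servers).
    if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
        $status = dsregcmd.exe /status
        $joined = ($status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)
        $checks += [pscustomobject]@{
            Check  = 'Azure AD joined or registered'
            Pass   = [bool]$joined
            Detail = (($status | Select-String -Pattern 'AzureAdJoined|DomainJoined').Line -join '; ').Trim()
        }
    }

    # TCP 443 reachability. Behind a system-wide proxy a direct test can fail while the
    # service still works, so read a failure here together with your proxy configuration.
    foreach ($endpoint in $Endpoints) {
        $ok = Test-NetConnection -ComputerName $endpoint -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        $checks += [pscustomobject]@{ Check = "TCP 443 to $endpoint"; Pass = [bool]$ok; Detail = '' }
    }
    return $checks
}

Test-MdeSettingsManagementReadiness | Format-Table -AutoSize
```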

Next steps
Monitor Defender for Endpoint in Intune

Endpoint security firewall rule migration tool overview
Article • 02/24/2023

Many organizations are moving their security configuration to Microsoft Intune to make
use of modern, cloud-based management. Endpoint security in Endpoint Manager offers
rich management experiences of Windows Firewall configuration and granular firewall
rule management.

Because it can be challenging to move large numbers of existing Group Policies for
Windows Firewall rules to Endpoint security policies in Endpoint Manager, we've created
the Endpoint security firewall rule migration tool, which is a PowerShell script.

When you run the Endpoint security firewall rule migration tool on a reference
Windows 10/11 client that has firewall rules based on Group Policy applied, the tool can
automatically create Endpoint security firewall rule policies in Endpoint Manager. After
the endpoint security rules are created, administrators can target the rules to Azure AD
groups to configure MDM and co-managed clients.

Download the Endpoint security firewall rule migration tool.

Tool usage

Tip

The tool's PowerShell script looks for endpoint security policies that target MDM.
When there are no policies that target MDM, the script can loop and fail to exit. To
work around this condition, either add a policy that targets MDM before running
the script, or edit line 46 of the script to the following:
while(($profileNameExist) -and ($profiles.Count -gt 0))

Run the tool on a reference machine to migrate that machine's current Windows Firewall
rule configuration. When run, the tool exports all enabled firewall rules that are present
on the device, and automatically creates new Intune policies with the collected rules.

1. Sign in to the reference machine with local administrator privileges.

2. Download and unzip the file Export-FirewallRules.zip.

The zip file contains the script file Export-FirewallRules.ps1.

3. Run the Export-FirewallRules.ps1 script on the machine.

The script downloads all the prerequisites it requires to run. When prompted,
provide appropriate Intune administrator credentials. For more information about
required permissions, see Required permissions.

4. Provide a policy name when prompted. The policy name must be unique for the
tenant.

When more than 150 firewall rules are found, multiple policies are created.

Policies created by the tool are visible in the Microsoft Intune admin center in
the Endpoint security > Firewall pane.

Note

By default, only enabled firewall rules are migrated and only firewall rules
created by GPO are migrated. The tool supports switches you can use to
modify these defaults.

The time the tool takes to run depends on the number of firewall rules found.

5. After the tool runs, it outputs a count of firewall rules that it couldn't automatically
migrate. For more information, see Unsupported configuration.

Switches
Use the following switches (parameters) to modify the tool's default behavior.

IncludeLocalRules - Use this switch to include all locally created/default Windows
firewall rules in the export. Use of this switch can result in a large count of included
rules.

IncludedDisabledRules - Use this switch to include all enabled and disabled Windows
firewall rules in the export. Use of this switch can result in a large count of included
rules.

Unsupported configuration
The following registry-based settings aren't supported because of a lack of MDM
support in Windows. While these settings are uncommon, should you require them,
consider logging this need through your standard support channels.

| GPO Field | Reason |
|---|---|
| TYPE-VALUE =/ "Security=" IFSECURE-VAL | IPSec related setting not supported by Windows MDM |
| TYPE-VALUE =/ "Security2_9=" IFSECURE2-9-VAL | IPSec related setting not supported by Windows MDM |
| TYPE-VALUE =/ "Security2=" IFSECURE2-10-VAL | IPSec related setting not supported by Windows MDM |
| TYPE-VALUE =/ "IF=" IF-VAL | Interface Identifier (LUID) is not manageable |
| TYPE-VALUE =/ "Defer=" DEFER-VAL | Inbound NAT Traversal related setting not exposed via Group Policy or Windows MDM |
| TYPE-VALUE =/ "LSM=" BOOL-VAL | Loose Source Mapped not exposed via Group Policy or Windows MDM |
| TYPE-VALUE =/ "Platform=" PLATFORM-VAL | OS Versioning not exposed via Group Policy or Windows MDM |
| TYPE-VALUE =/ "RMauth=" STR-VAL | IPSec related setting not supported by Windows MDM |
| TYPE-VALUE =/ "RUAuth=" STR-VAL | IPSec related setting not supported by Windows MDM |
| TYPE-VALUE =/ "AuthByPassOut=" BOOL-VAL | IPSec related setting not supported by Windows MDM |
| TYPE-VALUE =/ "LOM=" BOOL-VAL | Local Only Mapped not exposed via Group Policy or Windows MDM |
| TYPE-VALUE =/ "Platform2=" PLATFORM-OP-VAL | Redundant setting not exposed via Group Policy or Windows MDM |
| TYPE-VALUE =/ "PCross=" BOOL-VAL | Allow profile crossing not exposed via Group Policy or Windows MDM |
| TYPE-VALUE =/ "LUOwn=" STR-VAL | Local User Owner SID not applicable in MDM |
| TYPE-VALUE =/ "TTK=" TRUST-TUPLE-KEYWORD-VAL | Match traffic with the trust tuple keyword not exposed via Group Policy or Windows MDM |
| TYPE-VALUE =/ "TTK2_22=" TRUST-TUPLE-KEYWORD-VAL2-22 | Match traffic with the trust tuple keyword not exposed via Group Policy or Windows MDM |
| TYPE-VALUE =/ "TTK2_27=" TRUST-TUPLE-KEYWORD-VAL2-27 | Match traffic with the trust tuple keyword not exposed via Group Policy or Windows MDM |
| TYPE-VALUE =/ "TTK2_28=" TRUST-TUPLE-KEYWORD-VAL2-28 | Match traffic with the trust tuple keyword not exposed via Group Policy or Windows MDM |
| TYPE-VALUE =/ "NNm=" STR-ENC-VAL | IPSec related setting not supported by Windows MDM |
| TYPE-VALUE =/ "SecurityRealmId=" STR-VAL | IPSec related setting not supported by Windows MDM |

Unsupported setting values

The following setting values aren't supported for migration:

Ports:

PlayToDiscovery isn't supported as a local or remote port range.

Address ranges:

LocalSubnet6 isn't supported as a local or remote address range.
LocalSubnet4 isn't supported as a local or remote address range.
PlayToDevice isn't supported as a local or remote address range.

After the tool completes, it generates a report with rules that weren't successfully
migrated. You can view these rules by viewing RulesError.csv found in C:\<folder>.
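As an added example that is not the migration tool itself, this PowerShell preview runs on the reference machine before Export-FirewallRules.ps1 and reports how many rules the tool's defaults would export, how many policies the 150-rule split implies, and which rules use the unsupported port and address keywords listed above. The function name and its switches are this example's own and only mirror the tool's documented options by name.

```powershell
# Added example (not the migration tool): preview, on the reference machine, which
# rules the tool would export under its defaults (enabled rules delivered by Group
# Policy), how many policies the 150-rule split implies, and which rules carry the
# port or address keywords the article lists as unsupported.
# Assumptions: the 150-per-policy figure and the keyword lists come from the
# article; the function name and switch names are this example's own.

function Get-FirewallRuleMigrationPreview {
    [CmdletBinding()]
    param(
        [switch]$IncludeLocalRules,      # also count locally created/default rules
        [switch]$IncludeDisabledRules,   # also count disabled rules
        [int]$RulesPerPolicy = 150       # figure stated in the article
    )
    $unsupportedPorts     = @('PlayToDiscovery')
    $unsupportedAddresses = @('LocalSubnet6', 'LocalSubnet4', 'PlayToDevice')

    # ActiveStore is the effective rule set, which includes rules applied by GPO.
    $rules = @(Get-NetFirewallRule -PolicyStore ActiveStore)
    if (-not $IncludeDisabledRules) {
        $rules = @($rules | Where-Object { $_.Enabled -eq 'True' })
    }
    if (-not $IncludeLocalRules) {
        $rules = @($rules | Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' })
    }

    # Check each rule's port and address filters for the keywords the tool cannot migrate.
    $flagged = foreach ($rule in $rules) {
        $ports = $rule | Get-NetFirewallPortFilter
        $addrs = $rule | Get-NetFirewallAddressFilter
        $hits  = @()
        foreach ($kw in $unsupportedPorts) {
            if ((@($ports.LocalPort) + @($ports.RemotePort)) -contains $kw) { $hits += "port:$kw" }
        }
        foreach ($kw in $unsupportedAddresses) {
            if ((@($addrs.LocalAddress) + @($addrs.RemoteAddress)) -contains $kw) { $hits += "address:$kw" }
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Profile = $rule.Profile; Unsupported = ($hits -join ', ') }
        }
    }

    [pscustomobject]@{
        RulesToExport    = $rules.Count
        PoliciesExpected = [math]::Ceiling($rules.Count / $RulesPerPolicy)
        UnsupportedRules = @($flagged)
    }
}

# Preview with the tool's defaults, then list the rules that will need manual handling
# (they are the ones the tool reports in RulesError.csv afterwards).
$preview = Get-FirewallRuleMigrationPreview
$preview | Select-Object RulesToExport, PoliciesExpected | Format-List
$preview.UnsupportedRules | Format-Table -AutoSize
```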

Required permissions
Users assigned the Intune roles for Endpoint Security Manager, Intune Service Admin, or
Global Admin can migrate Windows Firewall rules to Endpoint security policies.
Alternatively, you can assign the user a custom role in which the Security baselines
permissions are granted with Delete, Read, Assign, Create, and Update.
For more information, see Grant admin permissions to Intune.

Next steps
After creating Endpoint security policies for Firewall rules, assign those policies to Azure
AD groups to configure both your MDM and co-managed clients. For more information,
see Add groups to organize users and devices.
Configure tenant attach to support
endpoint security policies from Intune
Article • 03/02/2023

When you use the Configuration Manager tenant attach scenario, you can deploy
endpoint security policies from Intune to devices you manage with Configuration
Manager. To use this scenario, you must first configure tenant attach for Configuration
Manager and enable collections of devices from Configuration Manager for use with
Intune. After collections are enabled for use, you use the Microsoft Intune admin center
to create and deploy policies.

Requirements to use Intune policy for tenant attach
To support using Intune endpoint security policies with Configuration Manager devices,
your Configuration Manager environment requires the following configurations.
Configuration guidance is provided in this article:

General requirements for tenant attach

Configure tenant attach - With the tenant attach scenario, you synchronize
devices from Configuration Manager to the Microsoft Intune admin center. You
can then use the admin center to deploy supported policies to those collections.

Tenant attach is often configured with co-management, but you can configure
tenant attach on its own.

Synchronize Configuration Manager devices and collections - After you
configure tenant attach, you can select the Configuration Manager devices to
synchronize with the Microsoft Intune admin center. You can also return later to
modify the devices you sync.

After selecting devices to synchronize, you must enable collections for use with
endpoint security policies from Intune. Supported policies for Configuration
Manager devices can only be assigned to collections you've enabled.

Permissions to Azure AD - To complete setup of tenant attach, you'll need an
account with Global Administrator permissions to your Azure subscription.

Tenant for Microsoft Defender for Endpoint - Your Microsoft Defender for
Endpoint tenant must be integrated with your Microsoft Intune tenant (Microsoft
Intune Plan 1 subscription). See Use Microsoft Defender for Endpoint in the Intune
documentation.

Configuration Manager version requirements for Intune endpoint security policies

Antivirus

Manage Antivirus settings for Configuration Manager devices, when you use tenant
attach.

Policy path:

Endpoint security > Antivirus > Windows 10, Windows 11, and Windows Server
(ConfigMgr)

Profiles:

Microsoft Defender Antivirus (preview)
Windows Security experience (preview)

Required version of Configuration Manager:

Configuration Manager current branch version 2006 or later

Supported Configuration Manager device platforms:

Windows 8.1 (x86, x64), starting in Configuration Manager version 2010
Windows 10 and later (x86, x64, ARM64)
Windows 11 and later (x86, x64, ARM64)
Windows Server 2012 R2 (x64), starting in Configuration Manager version 2010
Windows Server 2016 and later (x64)

Important

On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.

Endpoint detection and response

Manage Endpoint detection and response policy settings for Configuration Manager
devices, when you use tenant attach.

Policy path:

Endpoint security > Endpoint detection and response > Windows 10, Windows 11,
and Windows Server (ConfigMgr)

Profiles:

Endpoint detection and response (ConfigMgr) (Preview)

Required version of Configuration Manager:

Configuration Manager current branch version 2002 or later, with in-console
update Configuration Manager 2002 Hotfix (KB4563473)
Configuration Manager technical preview 2003 or later

Supported Configuration Manager device platforms:

Windows 8.1 (x86, x64), starting in Configuration Manager version 2010
Windows 10 and later (x86, x64, ARM64)
Windows 11 and later (x86, x64, ARM64)
Windows Server 2012 R2 (x64), starting in Configuration Manager version 2010
Windows Server 2016 and later (x64)

Important

On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.

Firewall

Support for devices managed by Configuration Manager is in Preview.

Manage Firewall policy settings for Configuration Manager devices, when you use
tenant attach.

Policy path:

Endpoint security > Firewall > Windows 10 and later

Profiles:

Microsoft Defender Firewall (ConfigMgr) (preview)

Required version of Configuration Manager:

Configuration Manager current branch version 2006 or later, with in-console
update Configuration Manager 2006 Hotfix (KB4578605)

Supported Configuration Manager device platforms:

Windows 11 and later (x86, x64, ARM64)
Windows 10 and later (x86, x64, ARM64)

Set up Configuration Manager to support Intune policies
Before you deploy Intune policies to Configuration Manager devices, complete the
configurations detailed in the following sections. These configurations onboard your
Configuration Manager devices with Microsoft Defender for Endpoint, and enable them
to work with the Intune policies.

The following tasks are completed in the Configuration Manager console. If you're not
familiar with Configuration Manager, work with a Configuration Manager admin to
complete these tasks.

1. Confirm your Configuration Manager environment
2. Configure tenant attach and synchronize devices
3. Select devices to synchronize
4. Enable collections for endpoint security policies

Tip

To learn more about using Microsoft Defender for Endpoint with Configuration
Manager, see the following articles in the Configuration Manager content:

Onboard Configuration Manager clients to Microsoft Defender for Endpoint
via the Microsoft Intune admin center
Microsoft Intune tenant attach: Device sync and device actions

Task 1: Confirm your Configuration Manager environment
Intune policies for Configuration Manager devices require different minimum versions of
Configuration Manager, depending on when the policy was first released. Review the
Configuration Manager version requirements for Intune endpoint security policies found
earlier in this article to ensure your environment supports the policies you plan to use. A
more recent version of Configuration Manager will support policies that require an
earlier version.

When a Configuration Manager hotfix is necessary, you can find the hotfix as an in-
console update for Configuration Manager. For more information see Install in-console
updates in the Configuration Manager documentation.

After installing necessary updates, return here to continue configuring your environment
to support endpoint security policies from the Microsoft Intune admin center.

Task 2: Configure tenant attach and synchronize devices


With Tenant attach you specify collections of devices from your Configuration Manager
deployment to synchronize with the Microsoft Intune admin center. After collections
synchronize, use the admin center to view information about those devices and to
deploy endpoint security policy from Intune to them.

For more information about the tenant attach scenario, see Enable tenant attach in the
Configuration Manager content.

Enable tenant attach when co-management hasn't been enabled

Tip

You use the Co-management Configuration Wizard in the Configuration Manager
console to enable tenant attach, but you don't need to enable co-management.

If you plan to enable co-management, be familiar with co-management, its
prerequisites, and how to manage workloads before you continue. See What is co-
management? in the Configuration Manager documentation.

1. In the Configuration Manager admin console, go to Administration > Overview >
Cloud Services > Co-management.

2. In the ribbon, click Configure co-management to open the wizard.


3. On the Tenant onboarding page, select AzurePublicCloud for your environment.
Azure Government cloud isn't supported.

a. Click Sign In. Use your Global Administrator account to sign in.

b. Ensure the option Upload to Microsoft Intune admin center is selected on the
Tenant onboarding page.

c. Remove the check from Enable automatic client enrollment for co-
management.

When this option is selected, the Wizard presents additional pages to complete
the setup of co-management. For more information, see Enable co-
management in the Configuration Manager content.

4. Click Next and then Yes to accept the Create AAD Application notification. This
action provisions a service principal and creates an Azure AD application
registration to facilitate the sync of collections to the Microsoft Intune admin
center.

5. On the Configure upload page, configure which collections of devices you want to
sync. You can limit your configuration to device collections or use the
recommended device upload setting for All my devices managed by Microsoft
Endpoint Configuration Manager.

Tip

You can skip selecting collections now, and later use the information in the
following task, Task 3, to configure which collections of devices to synchronize
with the Microsoft Intune admin center.

6. Click Summary to review your selection, then click Next.

7. When the wizard is complete, click Close.

Tenant attach is now configured, and selected devices sync to Microsoft Intune
admin center.

Enable tenant attach when you already use co-management


1. In the Configuration Manager admin console, go to Administration > Overview >
Cloud Services > Co-management.

2. Right-click your co-management settings and select Properties.

3. In the Configure upload tab, select Upload to Microsoft Intune admin center.
Click Apply.

The default setting for device upload is All my devices managed by Microsoft
Endpoint Configuration Manager. You can also choose to limit your configuration
to one or few device collections.
4. Sign in with your Global Administrator account when prompted.

5. Click Yes to accept the Create AAD Application notification. This action provisions
a service principal and creates an Azure AD application registration to facilitate the
sync.

6. Click OK to exit the co-management properties if you're done making changes.
Otherwise move to Task 3 to selectively enable device upload to the Microsoft
Intune admin center.

Tenant attach is now configured, and selected devices sync to Microsoft Intune
admin center.

Task 3: Select devices to synchronize


When tenant attach is configured, you can select devices to sync. If you haven't already
synchronized devices or need to reconfigure which ones you do sync, you can edit the
properties of co-management in the Configuration Manager console to do so.

Select devices to upload


1. In the Configuration Manager admin console, go to Administration > Overview >
Cloud Services > Co-management.

2. Right-click your co-management settings and select Properties.

3. In the Configure upload tab, select Upload to Microsoft Intune admin center.
Click Apply.

The default setting for device upload is All my devices managed by Microsoft
Endpoint Configuration Manager. You can also choose to limit your configuration
to one or few device collections.

Task 4: Enable collections for endpoint security policies


After you configure devices to sync to Microsoft Intune admin center, you must enable
collections to work with endpoint security policies. When you enable collections of
devices to work with endpoint security policies from Intune, you're making the
configured collections available to be targeted with endpoint security policies.

Enable collections for use with endpoint security policies


1. From a Configuration Manager console connected to your top-level site, right-click
on a device collection that you synchronize to Microsoft Intune admin center and
select Properties.

2. On the Cloud Sync tab, enable the option to Make this collection available to
assign Endpoint security policies from Microsoft Intune admin center.

You can't select this option if your Configuration Manager hierarchy isn't
tenant attached.
The collections available for this option are limited by the collection scope
selected for tenant attach upload.

3. Select Add and then select the Azure Active Directory group that you would like to
synchronize with Collect membership results.

4. Select OK to save the configuration.

Devices in this collection can now onboard with Microsoft Defender for Endpoint,
and support use of Intune endpoint security policies.

Next steps
Configure Endpoint security policies for Antivirus, Firewall, and Endpoint detection
and response.

Learn more about Microsoft Defender for Endpoint.


Manage BitLocker policy for Windows
devices with Intune
Article • 06/26/2023

Use Intune to configure BitLocker Drive Encryption on devices that run Windows 10/11.

BitLocker is available on devices that run Windows 10/11. Some settings for BitLocker
require the device have a supported TPM.

Use one of the following policy types to configure BitLocker on your managed devices:

Endpoint security disk encryption policy for BitLocker. The BitLocker profile in
Endpoint security is a focused group of settings that is dedicated to configuring
BitLocker.

View the BitLocker settings that are available in BitLocker profiles from disk
encryption policy.

Device configuration profile for endpoint protection for BitLocker. BitLocker
settings are one of the available settings categories for Windows 10/11 endpoint
protection.

View the BitLocker settings that are available for BitLocker in endpoint protection
profiles from device configuration policy.

Tip

Intune provides a built-in encryption report that presents details about the
encryption status of devices, across all your managed devices. After Intune encrypts
a Windows device with BitLocker, you can view and manage BitLocker recovery
keys when you view the encryption report.

You can also access important information for BitLocker from your devices, as
found in Azure Active Directory (Azure AD).

Permissions to manage BitLocker


To manage BitLocker in Intune, your account must have the applicable Intune role-based
access control (RBAC) permissions.
Following are the BitLocker permissions, which are part of the Remote tasks category,
and the built-in RBAC roles that grant the permission:

Rotate BitLocker Keys:

Help Desk Operator

Create and deploy policy


Use one of the following procedures to create the policy type you prefer.

Create an endpoint security policy for BitLocker


1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Disk encryption > Create Policy.

3. Set the following options:

a. Platform: Windows 10/11
b. Profile: BitLocker

4. On the Configuration settings page, configure settings for BitLocker to meet your
business needs.

Select Next.

5. On the Scope (Tags) page, choose Select scope tags to open the Select tags pane
to assign scope tags to the profile.
Select Next to continue.

6. On the Assignments page, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

7. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list when you select the policy type for the profile you created.

Create a device configuration profile for BitLocker


1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > On the Profiles tab, select Create profile.

3. Set the following options:

a. Platform: Windows 10 and later
b. Profile type: Select Templates > Endpoint protection, and then select Create.

4. On the Configuration settings page, expand Windows Encryption.

5. Configure settings for BitLocker to meet your business needs.

If you want to enable BitLocker silently, see Silently enable BitLocker on devices, in
this article for additional prerequisites and the specific setting configurations you
must use.

6. Select Next to continue.

7. Complete configuration of additional settings, and then save the profile.

Manage BitLocker
To view information about devices that receive BitLocker policy, see Monitor disk
encryption.

Silently enable BitLocker on devices


You can configure a BitLocker policy to automatically and silently enable BitLocker on a
device. That means that BitLocker enables successfully without presenting any UI to the
end user, even when that user isn't a local Administrator on the device. You can use
either the BitLocker profile from an endpoint security disk encryption policy, or the
endpoint protection template from a device configuration policy.

Devices must meet the following prerequisites, receive applicable settings to silently
enable BitLocker, and not have incompatible settings for TPM startup PIN or key.

Device Prerequisites

A device must meet the following conditions to be eligible for silently enabling
BitLocker:

If end users sign in to the devices as Administrators, the device must run Windows
10 version 1803 or later, or Windows 11.
If end users sign in to the devices as Standard Users, the device must run Windows
10 version 1809 or later, or Windows 11.
The device must be Azure AD Joined or Hybrid Azure AD Joined.
The device must have at least TPM (Trusted Platform Module) 1.2.
The BIOS mode must be set to Native UEFI only.
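The prerequisites above can be checked on a device before the policy is assigned, which is cheaper than waiting for silent enablement to fail and reading the encryption report. The following PowerShell function is an added example and not Microsoft's code; it assumes the Windows build numbers for version 1803 (17134) and 1809 (17763), that dsregcmd /status reports AzureAdJoined : YES for both Azure AD joined and hybrid joined devices, and that the firmware_type environment variable reports UEFI; the function name and switch name are the example's own.

```powershell
# Added example (not Microsoft's code): checks a Windows device against the
# prerequisites for silently enabling BitLocker listed in the article.
# Run in an elevated PowerShell session on the device.
function Test-SilentBitLockerPrerequisites {
    [CmdletBinding()]
    param(
        # Assumption: whether signing-in users are Standard Users decides which
        # minimum Windows 10 build applies (1803 = build 17134, 1809 = build 17763).
        [switch]$UsersAreStandardUsers
    )

    $results = [ordered]@{}

    # Windows version: Windows 11 builds start at 22000, so any Windows 11 passes.
    $build = [System.Environment]::OSVersion.Version.Build
    $minBuild = if ($UsersAreStandardUsers) { 17763 } else { 17134 }
    $results['OSBuildSupported'] = ($build -ge $minBuild)

    # Join state: dsregcmd /status prints "AzureAdJoined : YES" for Azure AD joined
    # devices and for hybrid joined devices (which additionally show DomainJoined : YES).
    $dsreg = & dsregcmd.exe /status 2>$null
    $aadJoined = $dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet
    $results['AzureADJoinedOrHybrid'] = [bool]$aadJoined

    # TPM: must be present and ready, and spec version 1.2 or later (2.0 qualifies).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specOk = $false
    if ($tpmWmi -and $tpmWmi.SpecVersion) {
        # SpecVersion looks like "2.0, 0, 1.16"; the first field is the spec version.
        $major = [double](($tpmWmi.SpecVersion -split ',')[0].Trim())
        $specOk = ($major -ge 1.2)
    }
    $results['TPMPresentAndReady'] = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
    $results['TPMSpec12OrLater'] = $specOk

    # Firmware: native UEFI is required; legacy BIOS/CSM boot reports "Legacy".
    $results['NativeUEFI'] = ($env:firmware_type -eq 'UEFI')

    # Overall verdict: every individual check must be true.
    $results['AllPrerequisitesMet'] = -not ($results.Values -contains $false)
    [pscustomobject]$results
}

# Usage: report for a device where end users are Standard Users.
Test-SilentBitLockerPrerequisites -UsersAreStandardUsers | Format-List
```

A device that reports AllPrerequisitesMet as False will still receive the policy, but BitLocker will not enable silently; the individual fields show which prerequisite to fix (typically the firmware mode or the TPM state).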

Required settings to silently enable BitLocker


Depending on the type of policy that you use to silently enable BitLocker, configure the
following settings.

Endpoint security disk encryption policy - Configure the following settings in the
BitLocker profile:

Hide prompt about third-party encryption = Yes
Allow standard users to enable encryption during Autopilot = Yes
Require Key File Creation = Allowed or Blocked
Recovery Password Creation = Allowed or Required

Warning

In the Endpoint Security policy, some of these settings are not visible if Startup
Authentication Required, System Drive Recovery, or Fixed Drive Recovery are set to
Not Configured.

Device configuration policy - Configure the following settings in the Endpoint
protection template or a custom settings profile:

Warning for other disk encryption = Block
Allow standard users to enable encryption during Azure AD Join = Allow
User creation of recovery key = Allow or Do not allow 256-bit recovery key
User creation of recovery password = Allow or Require 48-digit recovery password

Tip

While the setting labels and options in these two policy types differ from each
other, they both apply the same configuration to the Windows encryption CSPs that
manage BitLocker on Windows devices.

TPM startup PIN or key


A device must not be set to require a startup PIN or startup key.

When a TPM startup PIN or startup key is required on a device, BitLocker can't silently
enable on the device, and instead requires interaction from the end user. Settings to
configure the TPM startup PIN or key are available in both the endpoint protection
template and the BitLocker policy. By default, these policies don't configure these
settings.

Following are the relevant settings for each profile type:

Endpoint security disk encryption policy - In the BitLocker profile you'll find the
following settings in the BitLocker - OS Drive Settings category when BitLocker system
drive policy is set to Configure, and then Startup authentication required is set to Yes.

Compatible TPM startup - Configure this as Allowed or Required
Compatible TPM startup PIN - Configure this as Blocked
Compatible TPM startup key - Configure this as Blocked
Compatible TPM startup key and PIN - Configure this as Blocked

Device configuration policy - In the endpoint protection template you'll find the
following settings in the Windows Encryption category:

Compatible TPM startup - Configure this as Allow TPM or Require TPM
Compatible TPM startup PIN - Configure this as Do not allow startup PIN with TPM
Compatible TPM startup key - Configure this as Do not allow startup Key with TPM
Compatible TPM startup key and PIN - Configure this as Do not allow startup Key
and PIN with TPM

Warning

While neither the endpoint security nor the device configuration policies configure the
TPM settings by default, some versions of the security baseline for Microsoft
Defender for Endpoint configure both Compatible TPM startup PIN and
Compatible TPM startup key by default. These configurations might block silent
enablement of BitLocker.

If you deploy this baseline to devices on which you want to silently enable
BitLocker, review your baseline configurations for possible conflicts. To remove
conflicts, either reconfigure the settings in the baselines to remove the conflict, or
exclude the applicable devices from the baseline instances that configure TPM
settings that block silent enablement of BitLocker.

Full disk vs Used Space only encryption


Three settings determine whether an OS drive is encrypted by encrypting the used
space only, or by full disk encryption:

Whether the hardware of the device is modern standby capable
Whether silent enablement has been configured for BitLocker
('Warning for other disk encryption' = Block or 'Hide prompt about third-party
encryption' = Yes)
Configuration of the SystemDrivesEncryptionType
(Enforce drive encryption type on operating system drives)

Assuming that SystemDrivesEncryptionType hasn't been configured, the following is the
expected behavior. When silent enablement is configured on a modern standby device,
the OS drive is encrypted using used space only encryption. When silent enablement
is configured on a device that isn't capable of modern standby, the OS drive is
encrypted using full disk encryption. The result is the same whether you're using an
Endpoint Security disk encryption policy for BitLocker or a Device Configuration profile
for endpoint protection for BitLocker. If a different end state is required, the encryption
type can be controlled by configuring SystemDrivesEncryptionType using the settings
catalog.

To verify whether the hardware is modern standby capable, run the following command
from a command prompt:

Console

powercfg /a

If the device supports modern standby, the output lists Standby (S0 Low Power Idle)
Network Connected as available.
If the device doesn't support modern standby, such as a virtual machine, the output
lists Standby (S0 Low Power Idle) Network Connected as not supported.

To verify the encryption type, run the following command from an elevated (admin)
command prompt:

Console

manage-bde -status c:

The 'Conversion Status' field reflects the encryption type as either Used Space Only
Encrypted or Fully Encrypted.

To change the disk encryption type between full disk encryption and used space only
encryption, use the 'Enforce drive encryption type on operating system drives' setting
within the settings catalog.
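The two checks above can be combined into one report that also states which encryption type the article's rule predicts for the device, so a mismatch (for example, a fleet of non-modern-standby laptops that you expected to be used-space-only) is visible at a glance. The following PowerShell function is an added example and not Microsoft's code; it assumes the powercfg /a output separates available and unavailable sleep states with a line containing "are not available", that manage-bde prints a "Conversion Status:" line, and that SystemDrivesEncryptionType has not been configured (the case the article describes). The function name is the example's own.

```powershell
# Added example (not Microsoft's code): reports modern standby capability, the
# current BitLocker conversion status of the OS drive, and the encryption type the
# article's rule predicts for silent enablement when SystemDrivesEncryptionType is
# not configured. Run from an elevated PowerShell session (manage-bde needs admin).
function Get-OSDriveEncryptionTypeReport {
    [CmdletBinding()]
    param([string]$Drive = 'C:')

    # powercfg /a lists the available sleep states first, then the unavailable ones
    # after a line such as "The following sleep states are not available on this system:".
    $powercfg = & powercfg.exe /a 2>&1 | Out-String
    $inAvailableSection = $true
    $modernStandby = $false
    foreach ($line in ($powercfg -split "`r?`n")) {
        if ($line -match 'are not available') { $inAvailableSection = $false }
        # Modern standby is "Standby (S0 Low Power Idle) Network Connected".
        if ($inAvailableSection -and $line -match 'S0 Low Power Idle') { $modernStandby = $true }
    }

    # manage-bde -status prints e.g. "Conversion Status:    Used Space Only Encrypted".
    $bde = & manage-bde.exe -status $Drive 2>&1 | Out-String
    $conversion = if ($bde -match 'Conversion Status:\s*(.+)') { $Matches[1].Trim() } else { 'Unknown' }

    # Expected behaviour from the article when SystemDrivesEncryptionType isn't set:
    # modern standby -> used space only; otherwise -> full disk encryption.
    $expected = if ($modernStandby) { 'Used Space Only Encrypted' } else { 'Fully Encrypted' }

    [pscustomobject]@{
        Drive                     = $Drive
        ModernStandbyCapable      = $modernStandby
        CurrentConversionStatus   = $conversion
        ExpectedUnderSilentEnable = $expected
        MatchesExpectation        = ($conversion -like "$expected*")
    }
}

# Usage: inspect the OS drive on this device.
Get-OSDriveEncryptionTypeReport -Drive 'C:' | Format-List
```

MatchesExpectation is also False while encryption is still in progress or when the drive is not yet encrypted, so treat it as a prompt to look at CurrentConversionStatus rather than as a failure on its own.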

View details for recovery keys


Intune provides access to the Azure AD blade for BitLocker so you can view BitLocker
Key IDs and recovery keys for your Windows 10/11 devices, from within the Microsoft
Intune admin center. Support to view recovery keys can also extend to your tenant-
attached devices.

To be accessible, the device must have its keys escrowed to Azure AD.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > All devices.

3. Select a device from the list, and then under Monitor, select Recovery keys.

4. Select Show Recovery Key. Selecting this generates an audit log entry under the
'KeyManagement' activity.

When keys are available in Azure AD, the following information is available:

BitLocker Key ID
BitLocker Recovery Key
Drive Type

When keys aren't in Azure AD, Intune will display No BitLocker key found for this
device.

Note

Currently, Azure AD supports a maximum of 200 BitLocker recovery keys per
device. If you reach this limit, silent encryption will fail due to the failing backup of
recovery keys before starting encryption on the device.

Information for BitLocker is obtained using the BitLocker configuration service provider
(CSP). BitLocker CSP is supported on Windows 10 version 1703 and later, Windows 10
Pro version 1809 and later, and Windows 11.

IT admins need a specific permission within Azure Active Directory to be able to
see device BitLocker recovery keys: microsoft.directory/bitlockerKeys/key/read. Some
roles within Azure AD come with this permission, including Cloud Device
Administrator and Helpdesk Administrator, among others. For more information on
which Azure AD roles have which permissions, see Azure AD role descriptions.

All BitLocker recovery key accesses are audited. For more information on Audit Log
entries, see Azure portal audit logs.

Note

If you delete the Intune object for an Azure AD joined device protected by
BitLocker, the deletion triggers an Intune device sync and removes the key
protectors for the operating system volume. Removing the key protector leaves
BitLocker in a suspended state on that volume. This is necessary because BitLocker
recovery information for Azure AD joined devices is attached to the Azure AD
computer object, and deleting it may leave you unable to recover from a BitLocker
recovery event.
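Because every recovery key access is audited, the audit log is the place to review who has been reading keys and whether those readers are the help desk accounts you expect. The following PowerShell function is an added example and not Microsoft's code. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can consent to the AuditLog.Read.All scope, and that recovery key reads are logged under the 'KeyManagement' category (an assumption based on the article's note about the 'KeyManagement' activity); the function name, parameter names and the sample reader list are the example's own.

```powershell
# Added example (not Microsoft's code): lists recent BitLocker recovery key reads from
# the Azure AD directory audit log and flags readers that are not on an expected list.
# Requires the Microsoft.Graph PowerShell SDK and the AuditLog.Read.All permission.
function Get-BitLockerKeyReadAudit {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        # Assumed list of accounts that are expected to read keys (e.g. the help desk).
        # Any other reader is flagged as Unexpected. Leave empty to flag nothing.
        [string[]]$ExpectedReaders = @()
    )

    Connect-MgGraph -Scopes 'AuditLog.Read.All' | Out-Null

    # Assumption: key reads are recorded under the 'KeyManagement' audit category.
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "category eq 'KeyManagement' and activityDateTime ge $since"
    $entries = Get-MgAuditLogDirectoryAudit -Filter $filter -All

    foreach ($e in $entries) {
        # The actor is a user for portal reads; fall back to the app name for app reads.
        $actor = $e.InitiatedBy.User.UserPrincipalName
        if (-not $actor) { $actor = $e.InitiatedBy.App.DisplayName }

        # Assumption: the first target resource names the device whose key was read.
        $target = ($e.TargetResources | Select-Object -First 1).DisplayName

        [pscustomobject]@{
            Time       = $e.ActivityDateTime
            Activity   = $e.ActivityDisplayName
            Actor      = $actor
            Target     = $target
            Unexpected = ($ExpectedReaders.Count -gt 0 -and $actor -notin $ExpectedReaders)
        }
    }
}

# Usage: review the last 7 days and flag readers outside the (constructed) help desk list.
Get-BitLockerKeyReadAudit -Days 7 -ExpectedReaders @('helpdesk1@contoso.example', 'helpdesk2@contoso.example') |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

Rows with Unexpected set to True are the ones to follow up on: an administrator reading a recovery key outside a help desk workflow is exactly the event the audit trail exists to surface.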

View recovery keys for tenant-attached devices


When you've configured the tenant attach scenario, Microsoft Intune can display
recovery key data for tenant attached devices.

To support the display of recovery keys for tenant attached devices, your
Configuration Manager sites must run version 2107 or later. For sites that run 2107,
you must install an update rollup to support Azure AD joined devices: See
KB11121541.

To view the recovery keys, your Intune account must have the Intune RBAC
permissions to view BitLocker keys, and must be associated with an on-premises
user that has the related Configuration Manager permissions: the Collection role's
Read permission with the Read BitLocker Recovery Key permission. For more
information, see Configure role-based administration for Configuration Manager.

Rotate BitLocker recovery keys


You can use an Intune device action to remotely rotate the BitLocker recovery key of a
device that runs Windows 10 version 1909 or later, and Windows 11.

Prerequisites

Devices must meet the following prerequisites to support rotation of the BitLocker
recovery key:

Devices must run Windows 10 version 1909 or later, or Windows 11
Azure AD-joined and Hybrid-joined devices must have support for key rotation
enabled via BitLocker policy configuration:
  Client-driven recovery password rotation to Enable rotation on Azure AD-joined
  devices or Enable rotation on Azure AD and Hybrid-joined devices
  Save BitLocker recovery information to Azure Active Directory to Enabled
  Store recovery information in Azure Active Directory before enabling
  BitLocker to Required

For information about BitLocker deployments and requirements, see the BitLocker
deployment comparison chart.

To rotate the BitLocker recovery key

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > All devices.

3. In the list of devices that you manage, select a device, select More, and then select
the BitLocker key rotation device remote action.

4. On the Overview page of the device, select the BitLocker key rotation. If you don't
see this option, select the ellipsis (…) to show additional options, and then select
the BitLocker key rotation device remote action.

Next steps
Manage FileVault policy
Monitor disk encryption
Troubleshooting BitLocker policy
Known issues for Enforcing BitLocker policies with Intune
BitLocker management for enterprises, in the Windows security documentation
Use FileVault disk encryption for macOS
with Intune
Article • 02/22/2023

Intune supports macOS FileVault disk encryption. FileVault is a whole-disk encryption
program that is included with macOS. You can use Intune to configure FileVault on
devices that run macOS 10.13 or later.

Use one of the following policy types to configure FileVault on your managed devices:

Endpoint security policy for macOS FileVault. The FileVault profile in Endpoint
security is a focused group of settings that is dedicated to configuring FileVault.

View the FileVault settings that are available in profiles for disk encryption policy.

Device configuration profile for endpoint protection for macOS FileVault.
FileVault settings are one of the available settings categories for macOS endpoint
protection. For more information about using a device configuration profile, see
Create a device profile in Intune.

View the FileVault settings that are available in endpoint protection profiles for
device configuration policy.

To manage BitLocker for Windows 10/11, see Manage BitLocker policy.

Tip

Intune provides a built-in encryption report that presents details about the
encryption status of devices, across all your managed devices.

After you create a policy to encrypt devices with FileVault, the policy is applied to
devices in two stages. First, the device is prepared to enable Intune to retrieve and back
up the recovery key. This action is referred to as escrow. After the key is escrowed, the
disk encryption can start.

In addition to using Intune policy to encrypt a device with FileVault, you can deploy
policy to a managed device to enable Intune to assume management of FileVault when
the device was encrypted by the user. This scenario requires the device to receive
FileVault policy from Intune, followed by the user uploading their personal recovery key
to Intune.

User-approved device enrollment is required for FileVault to work on a device. The user
must manually approve the management profile from System Preferences for
enrollment to be considered user-approved.

Permissions to manage FileVault


To manage FileVault in Intune, your account must have the applicable Intune role-based
access control (RBAC) permissions.

Following are the FileVault permissions, which are part of the Remote tasks category,
and the built-in RBAC roles that grant the permission:

Get FileVault key:

Help Desk Operator
Endpoint security manager

Rotate FileVault key:

Help Desk Operator

Create device configuration policy for FileVault


1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. On the Create a profile page, set the following options, and then click Create:

Platform: macOS
Profile type: Templates
Template name: Endpoint protection

4. On the Basics page, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name might include the
profile type and platform.

Description: Enter a description for the policy. This setting is optional, but
recommended.

5. On the Configuration settings page, select FileVault to expand the available
settings.

6. Configure the following settings:

For Enable FileVault, select Yes.

For Recovery key type, select Personal key.

For Escrow location description of personal recovery key, add a message to
help guide users on how to retrieve the recovery key for their device. This
information can be useful for your users when you use the setting for
Personal recovery key rotation, which can automatically generate a new
recovery key for a device periodically.

For example: To retrieve a lost or recently rotated recovery key, sign in to the
Intune Company Portal website from any device. In the portal, go to Devices
and select the device that has FileVault enabled, and then select Get recovery
key. The current recovery key is displayed.

Configure the remaining FileVault settings to meet your business needs, and then
select Next.

7. On the Scope (Tags) page, choose Select scope tags to open the Select tags pane
to assign scope tags to the profile.

Select Next to continue.

8. On the Assignments page, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.

9. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list when you select the policy type for the profile you created.

Create endpoint security policy for FileVault


1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Disk encryption > Create Policy.

3. On the Basics page, enter the following properties, and then choose Next.

Platform: macOS
Profile: FileVault

4. On the Configuration settings page:


a. Set Enable FileVault to Yes.
b. For Recovery key type, only Personal Recovery Key is supported.
c. Configure additional settings to meet your requirements.

Consider adding a message to help guide users on how to retrieve the recovery
key for their device. This information can be useful for your users when you use the
setting for Personal recovery key rotation, which can automatically generate a new
recovery key for a device periodically.

For example: To retrieve a lost or recently rotated recovery key, sign in to the
Intune Company Portal website from any device. In the portal, go to Devices and
select the device that has FileVault enabled, and then select Get recovery key. The
current recovery key is displayed.

5. When you're done configuring settings, select Next.

6. On the Scope (Tags) page, choose Select scope tags to open the Select tags pane
to assign scope tags to the profile.

Select Next to continue.

7. On the Assignments page, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.

8. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list when you select the policy type for the profile you created.

Manage FileVault
To view information about devices that receive FileVault policy, see Monitor disk
encryption.

When Intune first encrypts a macOS device with FileVault, a personal recovery key is
created. Upon encryption, the device displays the personal key a single time to the
device user.

For managed devices, Intune can escrow a copy of the personal recovery key. Escrow of
keys enables Intune administrators to rotate keys to help protect devices, and users to
recover a lost or rotated personal recovery key.

Intune escrows a recovery key when Intune policy encrypts a device, or after a user
uploads their recovery key for a device that they manually encrypted.

After Intune escrows the personal recovery key:

Admins can manage and rotate the FileVault recovery keys for any managed
macOS device, by using the Intune encryption report.
Admins can view the personal recovery key for only managed macOS devices that
are marked as corporate. They can’t view the recovery key for personal devices.
Users can view and retrieve their personal recovery key from a supported location.
For example, from the Company Portal website, the user can choose to Get
recovery key as a remote device action.

Assume management of FileVault on previously encrypted devices

Intune can’t manage FileVault disk encryption on a macOS device that was encrypted by
a device user, unless you apply FileVault policy through Intune. There are two methods
you can use that enable Intune to take over management of FileVault in this scenario:

Upload a personal recovery key to Intune – Use this method when the user knows
their personal recovery key.
The user generates a new recovery key on the device – Use this method if the
personal recovery key isn’t known by the user.

Both methods require that the device has active policy from Intune that manages
FileVault encryption. To deliver this policy, you can use an endpoint security disk
encryption profile, or a device configuration endpoint protection profile to encrypt
devices with FileVault.

Upload a personal recovery key

To enable Intune to manage FileVault on a previously encrypted device, the user who
encrypted the device can use the Company Portal website to upload their personal
recovery key for the device to Intune. Upload of the key enables Intune to assume
management of the encryption.

Upon upload, Intune rotates the key to create a new personal recovery key. Intune
stores the new key for future recovery needs and makes it available to the device user.

Prerequisites:

The encrypted device must have an Intune FileVault policy for disk encryption.
Before Intune can assume management of encryption of a user-encrypted device,
that device must receive an Intune FileVault policy for disk encryption.

Use either an endpoint security disk encryption profile, or a device configuration
endpoint protection profile to encrypt devices with FileVault.

The user who encrypted the device must have access to their personal recovery
key for the device and be directed to upload it to Intune.
Intune doesn’t alert users that they must upload their personal recovery key to
complete encryption. Instead, use your normal IT communication channels to alert
users who have previously encrypted their macOS device with FileVault that they
must upload their personal recovery key to Intune.

Note

Based on your compliance policy, devices might be blocked from accessing
corporate resources until Intune successfully assumes management of
FileVault encryption on the device.

Upload a personal recovery key to Intune:

1. After the device receives the FileVault profile, direct the user to use the Company
Portal website.

2. In the Company Portal website, the user locates their encrypted macOS device and
selects the option Store recovery key.

3. The user must enter their personal recovery key, and Intune then attempts to
rotate the key to generate a new key.

If the key rotation is successful, Intune stores the new key for future use, and
makes the key available to the user should the user need to recover their
device.
If the key rotation fails, then either the device hasn’t processed the FileVault
policy, or the key that is entered isn't accurate for the device.

4. After successful rotation, a user can retrieve their new personal recovery key from a
supported location.

For more information, see end-user content for upload of the personal recovery key.

Generate a new recovery key on the device


To enable Intune to manage FileVault on a previously encrypted device, the user who
encrypted the device can use the Terminal app on the device to rotate their personal
recovery key. If the device has an active FileVault policy from Intune when the key is
rotated, Intune then assumes management of the encryption.

Prerequisites:

The encrypted device must have an Intune FileVault policy for disk encryption.
Before Intune can assume management of encryption of a user-encrypted device,
that device must receive an Intune FileVault policy for disk encryption.

Use either an endpoint security disk encryption profile, or a device configuration
endpoint protection profile to encrypt devices with FileVault.

The device user must have access to the Terminal app on the encrypted device.

Use Terminal to generate a new personal recovery key:

1. After the device receives the FileVault profile, the user who encrypted the device
must sign in to the device, open Terminal, and run the following two commands, in
order:

a. cd /Applications/Utilities

b. sudo fdesetup changerecovery -personal

When this command runs, the user is prompted to provide their device
password. After the password is provided, the device rotates the personal
recovery key and presents the new personal recovery key to the user.

After recording the new recovery key, complete the remaining prompts from
the command.

2. After the command prompts are completed, the personal recovery key on the
device has been rotated. If the device successfully received the FileVault policy,
Intune assumes management of the device’s encryption the next time the device
checks in with Intune.

By default, the device checks in about every eight hours. To expedite device
check-in, use one of the following options:

An Intune admin can sign in to the Microsoft Intune admin center, go to Devices,
select the device, and then select Sync. This notifies the device to
immediately check in with Intune.
The device user can open the Company Portal app and go to Settings > Sync.
This directs the device to immediately check for policy or profile updates.

3. After Intune assumes management of the encryption, a user can retrieve their new
personal recovery key from a supported location.

For additional information, see end-user content for upload of the personal recovery
key.
Retrieve a personal recovery key
For a macOS device that has its FileVault encryption managed by Intune, end users can
retrieve their personal recovery key (FileVault key) from the following locations, using
any device:

Company Portal website (https://portal.manage.microsoft.com/)
iOS/iPadOS Company Portal app
Android Company Portal app
Intune app

Administrators can view personal recovery keys for encrypted macOS devices that are
marked as a corporate device. They can’t view the recovery key for a personal device.

The device that has the personal recovery key must be enrolled with Intune and
encrypted with FileVault through Intune. Using the iOS Company Portal app, Android
Company Portal app, the Android Intune app, or the Company Portal website, the user
can see the FileVault recovery key needed to access their Mac devices.

Device users can select Devices > the encrypted and enrolled macOS device > Get
recovery key. The browser will show the Web Company Portal and display the recovery
key.

Rotate recovery keys


Intune supports multiple options to rotate and recover personal recovery keys. One
reason to rotate a key is if the current personal key is lost or thought to be at risk.

Automatic rotation: As an admin, you can configure the FileVault setting Personal
recovery key rotation to automatically generate new recovery keys periodically.
When a new key is generated for a device, the key isn't displayed to the user.
Instead, the user must get the key either from an admin, or by using the company
portal app.

Manual rotation: As an admin, you can view information for a device that you
manage with Intune and that's encrypted with FileVault. You can then choose to
manually rotate the recovery key for corporate devices. You can't rotate recovery
keys for personal devices.

To rotate a recovery key:

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > All devices.


3. From the list of devices, select the device that is encrypted and for which you
want to rotate its key. Then under Monitor, select Recovery keys.

4. On the Recovery keys pane, select Rotate FileVault recovery key.

The next time the device checks in with Intune, the personal key is rotated.
When needed, the new key can be obtained by the user through the
company portal.

Recover recovery keys


Administrator: Administrators can't view personal recovery keys for devices that
are encrypted with FileVault.

End-user: End-users use the Company Portal website from any device to view the
current personal recovery key for any of their managed devices. You can't view
recovery keys from the Company Portal app.

To view a recovery key:

1. Sign in to the Intune Company Portal website from any device.

2. In the portal, go to Devices and select the macOS device that is encrypted
with FileVault.

3. Select Get recovery key. The current recovery key is displayed.

Next steps
Manage BitLocker policy

Monitor disk encryption


Monitor device encryption with Intune
Article • 02/23/2023

The Microsoft Intune encryption report is a centralized location to view details about a
device's encryption status and find options to manage device recovery keys. The
recovery key options that are available depend on the type of device you're viewing.

To find the report, sign in to the Microsoft Intune admin center. Select Devices >
Monitor, and then under Configuration, select Encryption report.

View encryption details


The encryption report shows common details across the supported devices you manage.
The following sections provide details about the information that Intune presents in the
report.

Prerequisites
The encryption report supports reporting on devices that run the following operating
system versions:

macOS 10.13 or later
Windows version 1607 or later

Report details
The Encryption report pane displays a list of the devices you manage with high-level
details about those devices. You can select a device from the list to drill in and view
additional details from the device's Device encryption status pane.

Device name - The name of the device.

OS – The device platform, such as Windows or macOS.

OS version – The version of Windows or macOS on the device.

TPM version (applies to Windows 10/11 only) – The version of the Trusted Platform
Module (TPM) chip detected on the Windows device.

For more information on how we query the TPM version, see DeviceStatus CSP -
TPM Specification.
Encryption readiness – An evaluation of the device's readiness to support an
applicable encryption technology, like BitLocker or FileVault encryption. Devices
are identified as:

Ready: The device can be encrypted by using MDM policy, which requires that the
device meet the following requirements:

For macOS devices:
macOS version 10.13 or later

For Windows devices:
Windows 10 version 1709 or later of Business, Enterprise, Education, Windows
10 version 1809 or later of Pro, and Windows 11.
The device must have a TPM chip

For more information on Windows prerequisites for encryption, see the
BitLocker configuration service provider (CSP) in the Windows documentation.

Not ready: The device doesn't have full encryption capabilities, but may still
support encryption.

Not applicable: There isn't enough information to classify this device.

Encryption status – Whether the OS drive is encrypted.

User Principal Name - The primary user of the device.

Device encryption status


When you select a device from the Encryption report, Intune displays the Device
encryption status pane. This pane provides the following details:

Device name – The name of the device you're viewing.

Encryption readiness - An evaluation of the device's readiness to support
encryption through the MDM policy based on an activated TPM.

When a Windows 10/11 device has a readiness of Not ready, it might still support
encryption. To have the Ready designation, the Windows device must have a TPM
chip activated. However, TPM chips aren't required to support encryption, as the
device can still be manually encrypted, or encrypted through an MDM/Group Policy
setting that allows encrypting without a TPM.

Encryption status - Whether the OS drive is encrypted. It can take up to 24 hours
for Intune to report on a device's encryption status or a change to that status. This
time includes time for the OS to encrypt, plus time for the device to report back to
Intune.

To speed up the reporting of FileVault encryption status before device check-in
normally occurs, have users sync their devices after encryption completes.

For Windows devices, this field does not look at whether other drives, such as fixed
drives, are encrypted. Encryption status is coming from DeviceStatus CSP -
DeviceStatus/Compliance/EncryptionCompliance.

Profiles – A list of the Device configuration profiles that apply to this device and are
configured with the following values:

macOS:
Profile type = Endpoint protection
Settings > FileVault > FileVault = Enable

Windows 10/11:
Profile type = Endpoint protection
Settings > Windows Encryption > Encrypt devices = Require

You can use the list of profiles to identify individual policies for review should the
Profile state summary indicate problems.

Profile state summary – A summary of the profiles that apply to this device. The
summary represents the least favorable condition across the applicable profiles.
For example, if only one out of several applicable profiles results in an error, the
Profile state summary will display Error.

To view more details of a status, go to Intune > Device configuration > Profiles,
and select the profile. Optionally, select Device status and then select a device.

Status details – Advanced details about the device's encryption state.

This field displays information for each applicable error that can be detected. You
can use this information to understand why a device might not be encryption
ready.

The following are examples of the status details Intune can report:

macOS:

The recovery key hasn't been retrieved and stored yet. Most likely, the device
hasn't been unlocked, or it hasn't checked in.
Consider: This result doesn't necessarily represent an error condition but a
temporary state that could be because of timing on the device where escrow for
recovery keys must be set up before the encryption request is sent to the device.
This status might also indicate the device remains locked or hasn't checked in with
Intune recently. Finally, because FileVault encryption doesn't start until a device is
plugged in (charging), it's possible for a user to receive a recovery key for a device
that isn't yet encrypted.

The user is deferring encryption or is currently in the process of encryption.

Consider: Either the user hasn't yet logged out after receiving the encryption
request, which is necessary before FileVault can encrypt the device, or the user has
manually decrypted the device. Intune can't prevent a user from decrypting their
device.

The device is already encrypted. Device user must decrypt the device to
continue.

Consider: Intune can't set up FileVault on a device that is already encrypted.
However, after a device receives policy to enable FileVault, a user can upload their
personal recovery key to enable Intune to then manage encryption on that device.
Alternately, the user can manually decrypt their device so that it can then be
encrypted by Intune policy; this isn't recommended, because it leaves the device
unencrypted for a time.

FileVault needs the user to approve their management profile in macOS Catalina
and higher.

Consider: Beginning with macOS version 10.15 (Catalina), user approved
enrollment settings can result in the requirement that users manually approve
FileVault encryption. For more information, see User Approved enrollment in the
Intune documentation.

Unknown.

Consider: One possible cause for an unknown status is that the device is locked
and Intune can't start the escrow or encryption process. After the device is
unlocked, progress can continue.

Windows 10/11:

For Windows devices, Intune only shows Status details for devices that run the
Windows 10 April 2019 Update or later, or Windows 11. Status details are coming
from BitLocker CSP - Status/DeviceEncryptionStatus.
The BitLocker policy requires user consent to launch the BitLocker Drive
Encryption Wizard to start encryption of the OS volume but the user didn't
consent.

The encryption method of the OS volume doesn't match the BitLocker policy.

The BitLocker policy requires a TPM protector to protect the OS volume, but a
TPM isn't used.

The BitLocker policy requires a TPM-only protector for the OS volume, but TPM
protection isn't used.

The BitLocker policy requires TPM+PIN protection for the OS volume, but a
TPM+PIN protector isn't used.

The BitLocker policy requires TPM+startup key protection for the OS volume,
but a TPM+startup key protector isn't used.

The BitLocker policy requires TPM+PIN+startup key protection for the OS
volume, but a TPM+PIN+startup key protector isn't used.

The OS volume is unprotected.

Consider: A BitLocker policy to encrypt OS drives was applied on the machine but
encryption was suspended or did not complete for the OS drive.

Recovery key backup failed.

Consider: Check the Event log on device to see why the recovery key backup failed.
You may need to run the manage-bde command to manually escrow recovery
keys.

A fixed drive is unprotected.

Consider: A BitLocker policy to encrypt fixed drives was applied on the machine
but encryption was suspended or did not complete for the fixed drive.

The encryption method of the fixed drive doesn't match the BitLocker policy.

To encrypt drives, the BitLocker policy requires either the user to sign in as an
Administrator or, if the device is joined to Azure AD, the
AllowStandardUserEncryption policy must be set to 1.

Windows Recovery Environment (WinRE) isn't configured.

Consider: WinRE wasn't detected on a separate partition. Run the REAgentC
command line to configure it. For more information, see REAgentC
command-line options.

A TPM isn't available for BitLocker, either because it isn't present, it's been made
unavailable in the Registry, or the OS is on a removable drive.

Consider: The BitLocker policy applied to this device requires a TPM, but on this
device, the BitLocker CSP has detected that the TPM may be disabled at the BIOS
level.

The TPM isn't ready for BitLocker.

Consider: The BitLocker CSP sees that this device has an available TPM, but the
TPM may need to be initialized. Consider running Initialize-Tpm on the machine
to initialize the TPM.

The network isn't available, which is required for recovery key backup.

Export report details


While viewing the Encryption report pane, you can select Export to create a .csv file
download of the report details. This report includes the high-level details from the
Encryption report pane and Device encryption status details for each device you manage.

This report can be of use in identifying problems for groups of devices. For example,
you might use the report to identify a list of macOS devices that all report FileVault is
already enabled by the user, which indicates devices that must be manually decrypted
before Intune can manage their FileVault settings.
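The triage the paragraph above describes, as an added example that is not Microsoft's code and uses no Intune API: it reads an exported report and groups devices by the status-detail messages listed earlier. It assumes the CSV headers match the field names shown in the Device encryption status pane (a real export may name them differently, so adjust the column constants), and the sample export is constructed.

```python
"""Triage an Intune encryption report export (added example, not Microsoft's code).

Assumptions: CSV headers mirror the report pane's field names; adjust the
COL_* constants if your export differs. SAMPLE_EXPORT is constructed data.
"""
import csv
import io
from collections import defaultdict

COL_DEVICE = "Device name"
COL_OS = "OS"
COL_STATUS = "Encryption status"
COL_DETAILS = "Status details"

# Leading words of the status-detail messages the report documents, mapped to a
# triage bucket and the remediation the documentation describes for it.
MACOS_HINTS = {
    "The device is already encrypted": (
        "needs_key_upload",
        "user-encrypted: have the user upload their personal recovery key via Company Portal"),
    "The recovery key hasn't been retrieved": (
        "pending", "escrow pending: device locked or not checked in; re-check later"),
    "The user is deferring encryption": (
        "pending", "user must log out so FileVault can start (or has decrypted the device)"),
    "FileVault needs the user to approve": (
        "needs_user_action", "user must approve the management profile (user-approved enrollment)"),
    "Unknown": ("pending", "device probably locked; progress resumes after unlock"),
}
WINDOWS_HINTS = {
    "A TPM isn't available": (
        "tpm_issue", "TPM absent or disabled in firmware; enable it or allow non-TPM encryption by policy"),
    "The TPM isn't ready": ("tpm_issue", "TPM present but not initialized; run Initialize-Tpm"),
    "Recovery key backup failed": (
        "bitlocker_issue", "check the device event log; manage-bde can escrow the key manually"),
    "Windows Recovery Environment": (
        "bitlocker_issue", "configure WinRE on its own partition (REAgentC)"),
    "The OS volume is unprotected": ("bitlocker_issue", "OS-drive encryption suspended or incomplete"),
    "The network isn't available": ("pending", "device needs network connectivity for recovery key backup"),
    "The BitLocker policy requires user consent": (
        "needs_user_action", "user has not consented to the BitLocker Drive Encryption Wizard"),
}

# Constructed sample export (not a real tenant's data).
SAMPLE_EXPORT = """Device name,OS,OS version,Encryption readiness,Encryption status,Status details,User Principal Name
mac-001,macOS,13.4,Ready,Not encrypted,The device is already encrypted. Device user must decrypt the device to continue.,alice@contoso.example
mac-002,macOS,12.6,Ready,Encrypted,,bob@contoso.example
mac-003,macOS,13.2,Ready,Not encrypted,"The recovery key hasn't been retrieved and stored yet. Most likely, the device hasn't been unlocked, or it hasn't checked in.",carol@contoso.example
win-001,Windows,10.0.19045,Not ready,Not encrypted,"A TPM isn't available for BitLocker, either because it isn't present, it's been made unavailable in the Registry, or the OS is on a removable drive.",dave@contoso.example
win-002,Windows,10.0.22621,Ready,Not encrypted,Recovery key backup failed.,erin@contoso.example
win-003,Windows,10.0.22621,Ready,Encrypted,,frank@contoso.example
win-004,Windows,10.0.19045,Ready,Not encrypted,Some status text this script does not know.,grace@contoso.example
"""


def classify(row):
    """Return (bucket, hint) for one report row.

    Encrypted devices are reported as such regardless of status details;
    everything else is matched against the platform's documented messages.
    """
    if row.get(COL_STATUS, "").strip().lower() == "encrypted":
        return "encrypted", ""
    hints = MACOS_HINTS if row.get(COL_OS, "").strip().lower() == "macos" else WINDOWS_HINTS
    details = row.get(COL_DETAILS, "").strip().lower()
    for prefix, (bucket, hint) in hints.items():
        if details.startswith(prefix.lower()):
            return bucket, hint
    return "unclassified", "status text not recognised; review the device in the admin center"


def triage(csv_text):
    """Group every device in the export by bucket: {bucket: [(name, hint), ...]}."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket, hint = classify(row)
        buckets[bucket].append((row[COL_DEVICE], hint))
    return dict(buckets)


def devices_needing_key_upload(csv_text):
    """Sorted names of macOS devices the user encrypted before Intune policy arrived."""
    return sorted(name for name, _ in triage(csv_text).get("needs_key_upload", []))


if __name__ == "__main__":
    for bucket, devices in sorted(triage(SAMPLE_EXPORT).items()):
        print(f"{bucket} ({len(devices)})")
        for name, hint in devices:
            print(f"  {name}: {hint}")
```

Devices in the needs_key_upload bucket are the ones to contact through your normal IT channels, since Intune doesn't prompt the user to upload their key.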

Manage recovery keys


For details on managing recovery keys, see the following in the Intune documentation:
macOS FileVault:

Retrieve personal recovery key
Rotate recovery keys
Recover recovery keys

Windows BitLocker:

Rotate BitLocker recovery keys

Next steps
Manage BitLocker policy
Troubleshooting BitLocker policy
Manage FileVault policy
Known issues for Enforcing BitLocker policies with Intune
Microsoft Intune support for Windows LAPS
Article • 04/28/2023

Every Windows machine has a built-in local administrator account that can’t be deleted,
and which has full permissions to the device. Securing this account is an important step
in securing your organization. Windows devices include Windows Local Administrator
Password Solution (LAPS), a built-in solution to help manage local admin accounts.

You can use Microsoft Intune endpoint security policies for account protection to
manage LAPS on devices that have enrolled with Intune. Intune policies can:

Enforce password requirements for local admin accounts
Back up a local admin account from devices to your Active Directory (AD) or Azure
AD
Schedule rotation of those account passwords to help keep them safe.

You can also view details about the managed local admin accounts in the Intune Admin
center, and manually rotate their account passwords outside of a scheduled rotation.

Use of Intune LAPS policies helps you protect Windows devices from attacks that are
aimed at exploiting local user accounts like pass-the-hash or lateral-traversal attacks.
Managing LAPS with Intune can also help improve security for remote help desk
scenarios and recover devices that are otherwise inaccessible.

Intune LAPS policy manages the settings available from the Windows LAPS CSP. Intune's
use of the CSP replaces the use of Legacy Microsoft LAPS or other LAPS management
solutions, with the CSP-based configuration taking precedence over other LAPS
management sources.

Intune support for Windows LAPS includes the following capabilities:

Set password requirements – Define password requirements including complexity
and length for the local administrator account on a device.
Rotate passwords – With policy you can have devices automatically rotate the
local admin account passwords on a schedule. You can also use the Intune admin
center to manually rotate the password for a device as a device action.
Backup accounts and passwords – You can choose to have devices back up their
account and password in either Azure Active Directory (Azure AD) in the cloud, or
your on-premises Active Directory. Passwords are stored using strong encryption.
Configure post authenticating actions – Define actions that a device takes when
its local admin account password expires. Actions range from resetting the
managed account to use a new secure password, logging off the account, or doing
both and then powering down the device. You can also manage how long the
device waits after the password expires before taking these actions.
View account details – Intune administrators with sufficient role-based
access control (RBAC) permissions can view information about a device's
local admin account and its current password. You can also see when that
password was last rotated (reset) and when it's next scheduled to rotate.
View reports – Intune provides reports on password rotation including details
about past manual and scheduled password rotation.

To learn about Windows LAPS in more detail, start with the following articles in the
Windows documentation:

What is Windows LAPS? – Introduction to Windows LAPS and the Windows LAPS
documentation set.
Windows LAPS CSP – View the full details for LAPS settings and options. Intune
policy for LAPS uses these settings to configure the LAPS CSP on devices.

Applies to:

Windows 10
Windows 11

Prerequisites
The following are requirements for Intune to support Windows LAPS in your tenant:

Licensing requirements
Intune subscription - Microsoft Intune Plan 1, which is the basic Intune
subscription. You can also use Windows LAPS with a free trial subscription for
Intune.

Active Directory subscription – Azure Active Directory Free, which is the free
version of Azure AD that’s included when you subscribe to Intune. With Azure AD
Free, you can use all the features of LAPS.

Active Directory support


Intune policy for Windows LAPS can configure a device to back up a local administrator
account and password to one of the following Directory types:

Note

Devices that are workplace-joined (WPJ) are not supported by Intune for LAPS.
Cloud – Cloud supports back up to your Azure AD for the following scenarios:

Hybrid (Hybrid Azure AD join)

Azure AD Join

Support for Azure AD Join requires you to enable LAPS in your Azure AD. The
following steps can help you complete this configuration. For the larger context,
view these steps in the Azure AD documentation at Enabling Windows LAPS
with Azure AD. Hybrid Azure AD Join does not require LAPS to be enabled in
Azure AD.

Enable LAPS in Azure AD:

1. Sign in to the Azure portal as a Cloud Device Administrator.
2. Browse to Azure Active Directory > Devices > Device settings.
3. Select Yes for the Enable Local Administrator Password Solution (LAPS)
setting and select Save. You may also use the Microsoft Graph API Update
deviceRegistrationPolicy.

On-premises – On-premises supports back up to Windows Server Active Directory
(on-premises Active Directory).

Important

LAPS on Windows devices can be configured to use one directory type or the
other, but not both. Also consider that the backup directory must be supported by
the device's join type: if you set the directory to an on-premises Active
Directory and the device is not domain joined, it will accept the policy settings
from Intune, but LAPS cannot successfully use that configuration.

Device Edition and Platform


Devices can have any Windows edition that Intune supports, but must run one of the
following versions to support the Windows LAPS CSP:

Windows 10, version 22H2 (19045.2846 or later) with KB5025221
Windows 10, version 21H2 (19044.2846 or later) with KB5025221
Windows 10, version 20H2 (19042.2846 or later) with KB5025221
Windows 11, version 22H2 (22621.1555 or later) with KB5025239
Windows 11, version 21H2 (22000.1817 or later) with KB5025224

GCC High support


Intune policy for Windows LAPS is supported for GCC High environments.

Role based access controls for LAPS


To manage LAPS, an account must have sufficient role-based access control (RBAC)
permissions to complete a desired task. The following are the available tasks with their
required permissions:

Create and access LAPS policy – To work with and view LAPS policies, your
account must be assigned sufficient permissions from the Intune RBAC category
for Security baselines. By default, these are included in the built-in role Endpoint
Security Manager. To use custom roles, ensure the custom role includes the rights
from the Security baselines category.

Rotate local Administrator password – To use the Intune admin center to view or
rotate a device's local admin account password, your account must be assigned the
following Intune permissions:
Managed devices: Read
Organization: Read
Remote tasks: Rotate Local Admin Password

Retrieve local Administrator password – To view password details, your account
must have one of the following Azure Active Directory permissions:
microsoft.directory/deviceLocalCredentials/password/read
microsoft.directory/deviceLocalCredentials/standard/read

During the public preview, these permissions aren't available to add to custom
Azure AD roles. Instead, your account must be assigned one of the following Azure
AD built-in roles, which include these permissions by default:
Global Administrator
Cloud Device Administrator

In the future, Azure AD will add support for assigning the required permissions to
custom Azure AD roles.
View Azure AD audit logs and events – To view details about LAPS policies and
recent device actions such as password rotation events, your account must have
permissions equivalent to the built-in Intune role Read Only Operator.

For more information, see Role-based access control for Microsoft Intune.

LAPS Architecture
For information about Windows LAPS architecture, see Key concepts in Windows LAPS
in the Windows documentation.

Frequently Asked Questions

Can I use Intune LAPS policy to manage any local admin account on a device?
Yes. Intune LAPS policy can be used to manage any local administrator account on a
device. However, LAPS supports only one account per device:

When a policy doesn’t specify an account name, Intune manages the default built-
in administrator account regardless of its current name on the device.
You can change the account that Intune manages for a device by changing the
device’s assigned policy or editing its current policy to specify a different account.
If two separate policies are assigned to a device that both specify a different
account, a conflict occurs that must be resolved before the device’s account can be
managed.

What if I deploy LAPS policy with Intune to a device that already has LAPS
configurations from a different source?
The CSP-based policy from Intune overrides all other sources of LAPS policy, such as
from GPOs or a configuration from Legacy Microsoft LAPS . For more information, see
Supported Policy roots in the Windows LAPS documentation.

Can Windows LAPS create local admin accounts based on the administrator account
name that’s configured using LAPS policy?
No. Windows LAPS can only manage accounts that already exist on the device. If a
policy specifies an account by name that doesn't exist on the device, the policy applies
and doesn’t report an error. However, no account is backed up.

Does Windows LAPS rotate and back up the password for a device that is disabled in Azure AD?
No. Windows LAPS requires the device to be in an enabled state before password
rotation and backup operations can apply.

What happens when a device is deleted in Azure AD?

When a device is deleted in Azure AD, the LAPS credential that was tied to that device is
lost and the password that is stored in Azure AD is lost. Unless you have a custom
workflow to retrieve LAPS passwords and store them externally, there's no method in
Azure AD to recover the LAPS managed password for a deleted device.

What roles are needed to recover LAPS passwords?

The following built-in Azure AD roles have permission to recover LAPS passwords:
Global Admin, Cloud Device Admin, and Intune Service Admin.

What roles are needed to read LAPS metadata?

The following built-in roles are supported to view metadata about LAPS including the
device name, last password rotation, and next password rotation: Global Admin, Cloud
Device Admin, Intune Service Admin, Helpdesk Admin, Security Reader, Security Admin,
and Global Reader.

Why is the Local admin password button greyed out and inaccessible?
Currently, access to this area requires the Rotate local Administrator password Intune
permission. See Role-based access control for Microsoft Intune.

What happens when the account specified by policy is changed?
Because Windows LAPS can only manage one local admin account on a device at a time,
the original account is no longer managed by LAPS policy. If the policy has the device back
up the account, the new account is backed up and details about the previous account
are no longer available from within the Intune admin center or from the Directory that is
specified to store the account information.

Next steps
Create policy for LAPS
View reports for LAPS
Account protection policy for endpoint security in Intune
Manage Windows LAPS policy with Microsoft Intune
Article • 04/19/2023

When you’re ready to manage the Windows Local Administrator Password Solution
(Windows LAPS) on Windows devices you manage with Microsoft Intune, the
information in this article can help you use the Intune admin center to:

Create and assign Intune LAPS policy to devices.
View a device's local admin account details.
Manually rotate the password for the managed account.
Use reports on LAPS policy.

Before creating policies, be familiar with the information in Microsoft Intune support for
Windows LAPS, which includes:

An overview of Intune's Windows LAPS policy and capabilities.
The prerequisites for using Intune policies for LAPS.
The role-based access control (RBAC) permissions your account needs to have to
manage LAPS policy.
Frequently asked questions that can provide insight into configuring and using
Intune LAPS policy.

Applies to:

Windows 10
Windows 11

About Intune LAPS policy

Intune provides support to configure Windows LAPS on devices through the Local
admin password solution (Windows LAPS) (preview) profile, available through
endpoint security policies for account protection.

Intune policies manage LAPS by using the Windows LAPS configuration service provider
(CSP). Windows LAPS CSP configurations take precedence over, and overwrite, any
existing configurations from other LAPS sources, like GPOs or the Legacy Microsoft
LAPS tool.

Windows LAPS allows for the management of a single local administrator account per
device. Intune policy can specify which local admin account it applies to by using the
policy setting Administrator Account Name. If the account name specified in the policy
isn't present on the device, no account is managed. However, when Administrator
Account Name is left blank, the policy defaults to the device's built-in local admin
account, which is identified by its well-known relative identifier (RID).

Note

Ensure the prerequisites for Intune to support Windows LAPS in your tenant are
met before creating policies.

Intune’s LAPS policies do not create new accounts or passwords. Instead, they
manage an account that’s already on the device.

Configure and assign LAPS policies carefully. The Windows LAPS CSP supports a single
configuration for each LAPS setting on a device. Devices that receive multiple Intune
policies that include conflicting settings can fail to process policy. Conflicts can also
prevent the backup of the managed local admin account and password to your tenant's
Directory.

To help reduce potential conflicts, we recommend assigning a single LAPS policy to each
device through device groups, and not through user groups. While LAPS policy supports
user group assignments, they can result in a cycle of changing LAPS configurations each
time a different user signs in to a device. Frequently changing policies can introduce
conflicts, a lack of device compliance with requirements, and create confusion around
which local admin account on a device is currently being managed.

Create a LAPS policy

Important

Ensure that you have enabled LAPS in Azure AD, as covered in the Enabling
Windows LAPS with Azure AD documentation.

To create or manage LAPS policy, your account must have applicable rights from the
Security baseline category. By default, these permissions are included in the built-in role
Endpoint Security Manager. To use custom roles, ensure the custom role includes the
rights from the Security baselines category. See Role based access controls for LAPS.

Before you create a policy, you can review details about the available settings in the
Windows LAPS CSP documentation.
1. Sign in to the Microsoft Intune admin center and go to Endpoint security >
Account protection, and then select Create Policy.

Set the Platform to Windows 10 and later, Profile to Local admin password
solution (Windows LAPS) (preview), and then select Create.

2. On Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional but
recommended.

3. On Configuration settings, configure a choice for Backup Directory to define the
type of Directory to use to back up the local admin account. You can also choose
not to back up an account and password. The type of Directory also determines
which additional settings are available in this policy.

Important

When configuring a policy, keep in mind that the backup directory type in the
policy must be supported by the join type of the device the policy is assigned
to. For example, if you set the directory to Active Directory and the device isn’t
domain joined (but a member of Azure AD), the device can apply the policy
settings from Intune without error, but LAPS on the device will not be able to
successfully use that configuration to back up the account.

After configuring Backup Directory, review and configure the available settings to
meet your organization’s requirements.

4. On the Scope tags page, select any desired scope tags to apply, then select Next.

5. For Assignments, select the groups to receive this policy. We recommend
assigning LAPS policy to device groups. Policies assigned to user groups follow a
user from device to device. When the user of a device changes, a new policy might
apply to the device and introduce inconsistent behavior, including which account
the device backs up or when the managed account's password is next rotated.

Note
As with all Intune policies, when a new policy applies to a device, Intune
attempts to notify that device to check in and process the policy.

Until a device successfully checks in with Intune and successfully processes its
LAPS policy, data about its managed local admin account won’t be available
to view or manage from within the admin center.

For more information on assigning profiles, see Assign user and device profiles.

6. In Review + create, review your settings and then select Create. When you select
Create, your changes are saved, and the profile is assigned. The policy is also
shown in the policy list.

View Device actions status

When your account has permissions equivalent to the Security Baselines permissions
that grant rights to all policy templates in the Endpoint security workload, you can use
the Intune admin center to view the status of device actions that have been requested
for the device.

For more information, see Role based access controls for LAPS.

1. In the Microsoft Intune admin center, go to Devices > All devices, and select a
device that has a LAPS policy that backs up a local admin account. Intune displays
that device's Overview pane.

2. On the device Overview pane, you can view Device actions status. Previously
requested actions and pending actions display, including the time of the request,
and if the action failed or was successful. In the following example screenshot, a
device has had its Local Admin account Password successfully rotated.

3. Selecting an action from the list opens the Device action status pane, which can
display additional details about that action.

View account and password details

During the public preview, your account must be assigned one of the following built-in
Azure AD roles that grant access to view an account name and password:

Global Admin
Cloud Device Admin

For more information, see Role based access controls for LAPS.

1. In the Microsoft Intune admin center, go to Devices > All devices, and select a
Windows device to open its Overview pane.

From the Overview pane, you can view the device's Device actions status. The status
displays current and past actions, such as password rotation.

2. On the device's Overview pane, below Monitor, select Local admin password. If your
account has sufficient permissions, the Local admin password pane for the device
opens, which is the same view that's available from within the Azure portal.

The following information can be viewed from within the admin center. However,
the Local admin password can only be viewed when the account was backed up to
Azure AD. It can’t be viewed for an account that’s backed up to an on-premises
Active Directory (Windows Server Active Directory):

Account name – The name of the local admin account that was backed up
from the device.
Security ID – The well-known SID for the account that is backed up from the
device.
Local admin password – Obscured by default. If your account has permission,
you can select Show to reveal the password. You can then use the Copy
option to copy the password to your clipboard. This information isn't
available for devices that back up to an on-premises Active Directory.
Last password rotation – In UTC, the date and time that the password was
last changed or rotated by policy.
Next password rotation – In UTC, the next date and time when the password
will be rotated per policy.

The following are considerations for viewing a device's account and password
information:

Retrieving (viewing) the password for a local admin account triggers an audit
event.

You cannot view password details for the following devices:

Devices that have their local admin account backed up to an on-premises Active
Directory
Devices that are set to use Active Directory to back up the account password.

Manually rotate passwords

LAPS policy includes a schedule for automatically rotating account passwords. In
addition to a scheduled rotation, you can use the Intune device action Rotate local
admin password to manually rotate a device's password, independent of the rotation
schedule set by the device's LAPS policy.

To use this device action, your account must have the following three Intune
permissions:

Managed devices: Read
Organization: Read
Remote tasks: Rotate Local Admin Password

See Role based access controls for LAPS.

To rotate a password
1. In the Microsoft Intune admin center, go to Devices > All devices, and select the
Windows device with the account you want to rotate.

2. While viewing the device details, expand the ellipsis (…) on the right side of the
menu bar to reveal the available options, and then select Rotate Local admin
password.

3. When you select Rotate Local admin password, Intune displays a warning that
requires confirmation before the password is rotated.

After you confirm the intent to rotate the password, Intune initiates the process,
which can take a few minutes to complete. During this time, the device details
pane displays a banner and a Device actions status that indicate the action is
Pending.

After a successful rotation, the confirmation will be visible in the Device actions status as
Complete.

The following are considerations for manual password rotation:

The Rotate local admin password device action is available for all Windows
devices, but any device that hasn’t successfully backed up its account and
password data fails to complete a rotate request.

Each manual rotation attempt results in an audit event. Scheduled password
rotations also log an audit event.

When a password is manually rotated, the time to the next scheduled password
rotation is reset. The time to the next scheduled rotation is managed through the
PasswordAgeDays setting in the LAPS policy.

Here's how this works: A device receives a policy on March 1, which sets
PasswordAgeDays to 10 days. The result is that the device will automatically rotate
its password after 10 days, on March 11. On March 5, an admin manually rotates
that device's password, an action that resets the start date for PasswordAgeDays
to March 5. As a result, the device will now automatically rotate its password 10
days later, on March 15.

For Azure AD Joined devices, the device must be online at the time the manual
rotation is requested. If the device isn’t online at the time of the request, it results
in a failure.

Password rotation isn't supported as Bulk Action. You can only rotate a single
device at a time.
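The reset behavior in the walkthrough above, as an added example that is not part of the Intune documentation. The function name Get-LapsRotationSchedule is my own, and the dates passed to it are constructed; it only models the timer described in the text, it does not talk to Intune or the device:

```powershell
# Added example (not from the Intune documentation): models how a manual
# "Rotate local admin password" action restarts the PasswordAgeDays window.
# Dates below are constructed for illustration; LAPS reports rotation times in UTC.

function Get-LapsRotationSchedule {
    param(
        [Parameter(Mandatory)] [datetime] $PolicyReceived,   # day the device processed LAPS policy
        [Parameter(Mandatory)] [int]      $PasswordAgeDays,  # the PasswordAgeDays policy setting
        [datetime[]] $ManualRotations = @()                  # admin-triggered rotations, any order
    )

    $timeline = @()
    $anchor   = $PolicyReceived.Date

    foreach ($manual in ($ManualRotations | Sort-Object)) {
        # Scheduled rotations that fall before this manual action still happen on schedule.
        while ($anchor.AddDays($PasswordAgeDays) -lt $manual.Date) {
            $anchor    = $anchor.AddDays($PasswordAgeDays)
            $timeline += [pscustomobject]@{ Date = $anchor; Kind = 'Scheduled' }
        }
        # The manual rotation becomes the new start of the PasswordAgeDays window.
        $anchor    = $manual.Date
        $timeline += [pscustomobject]@{ Date = $anchor; Kind = 'Manual' }
    }

    [pscustomobject]@{
        Events       = $timeline
        NextRotation = $anchor.AddDays($PasswordAgeDays)   # next automatic rotation per policy
    }
}

# Constructed run matching the walkthrough in the text: policy received March 1,
# PasswordAgeDays = 10, manual rotation on March 5.
$schedule = Get-LapsRotationSchedule -PolicyReceived '2023-03-01' -PasswordAgeDays 10 -ManualRotations @('2023-03-05')
$schedule.Events | Format-Table Date, Kind
"Next scheduled rotation: $($schedule.NextRotation.ToString('yyyy-MM-dd'))"
```

Run with the constructed dates, the function reproduces the text's outcome (the next automatic rotation moves from March 11 to March 15). Feeding it several manual rotations shows that each one pushes the next scheduled rotation further out, which is worth keeping in mind when a help desk rotates passwords frequently.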

Avoid policy conflicts

The following details can help you avoid conflicts and understand the expected behavior
from devices managed by LAPS policy.

When a device with a successfully applied policy is assigned two or more policies that introduce
a conflict:

Settings that were in use on the device remain on the device at the value last set.
Both policies, the original and the new, report as being in conflict.
To resolve the conflict, either remove policy assignments until the conflicting policy
doesn’t apply, or reconfigure applicable policies to set the same configuration,
removing the conflict.

When a device that doesn’t have a LAPS policy then receives two conflicting policies at
the same time:

Settings aren't sent to the device, and both policies are reported as having
conflicts.
While a conflict remains, settings from the policies don't apply to the device.

To resolve conflicts, you must either remove policy assignments from the device, or
reconfigure settings in applicable policies until no more conflicts remain.
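To make the two cases above concrete, here is an added PowerShell example (not Intune's code; the function name Get-LapsPolicyConflict and the policy names and setting values are constructed) that evaluates a set of assigned policies the way the text describes and reports which profiles end up in conflict and which settings remain effective:

```powershell
# Added example, not from the Intune documentation: models the conflict behavior
# described above for a device that is assigned several LAPS policies. Policy names
# and setting values are constructed; a real tenant shows the same outcome in the
# LAPS policy report.

function Get-LapsPolicyConflict {
    param(
        # Policies assigned to the device: @{ Name = '...'; Settings = @{ SettingName = Value } }
        [Parameter(Mandatory)] [hashtable[]] $AssignedPolicies,
        # Settings the device already applied from an earlier successful policy (empty = none yet)
        [hashtable] $AppliedSettings = @{}
    )

    # Collect, per setting name, which policy asks for which value.
    $requests = @{}
    foreach ($policy in $AssignedPolicies) {
        foreach ($name in $policy.Settings.Keys) {
            if (-not $requests.ContainsKey($name)) { $requests[$name] = @() }
            $requests[$name] += [pscustomobject]@{ Profile = $policy.Name; Value = $policy.Settings[$name] }
        }
    }

    # A setting is in conflict when two or more policies request different values.
    $conflicts = @(foreach ($name in $requests.Keys) {
        $values = @($requests[$name] | ForEach-Object { $_.Value } | Sort-Object -Unique)
        if ($values.Count -gt 1) {
            [pscustomobject]@{
                Setting  = $name
                Profiles = @($requests[$name] | ForEach-Object { $_.Profile } | Sort-Object -Unique) -join ', '
                Values   = $values -join ' vs '
            }
        }
    })
    $conflictingProfiles = @($conflicts | ForEach-Object { $_.Profiles -split ', ' } | Sort-Object -Unique)

    # Effective settings follow the two cases in the text:
    #  - a device with an earlier successful policy keeps the values last set;
    #  - a device with no prior LAPS policy receives nothing while a conflict remains.
    # Without conflicts, all requested settings apply.
    $effective = @{}
    if ($conflicts.Count -eq 0) {
        foreach ($name in $requests.Keys) { $effective[$name] = $requests[$name][0].Value }
    } elseif ($AppliedSettings.Count -gt 0) {
        $effective = $AppliedSettings.Clone()
    }

    [pscustomobject]@{
        Conflicts         = $conflicts
        EffectiveSettings = $effective
        # Assumption: a policy reports Conflict only when one of its settings is in conflict.
        PolicyStatus      = @(foreach ($policy in $AssignedPolicies) {
            [pscustomobject]@{
                Profile = $policy.Name
                Status  = if ($conflictingProfiles -contains $policy.Name) { 'Conflict' } else { 'Success' }
            }
        })
    }
}

# Constructed scenario mirroring the report example on this page: the device already
# applied LAPSSHTest, then Lapsshtestapril is assigned with a different Password Age Days.
$result = Get-LapsPolicyConflict -AppliedSettings @{ BackupDirectory = 'AzureAD'; PasswordAgeDays = 10 } -AssignedPolicies @(
    @{ Name = 'LAPSSHTest';      Settings = @{ BackupDirectory = 'AzureAD'; PasswordAgeDays = 10 } },
    @{ Name = 'Lapsshtestapril'; Settings = @{ BackupDirectory = 'AzureAD'; PasswordAgeDays = 30 } }
)
$result.Conflicts    | Format-Table Setting, Profiles, Values
$result.PolicyStatus | Format-Table Profile, Status
"Effective PasswordAgeDays: $($result.EffectiveSettings.PasswordAgeDays)"
```

In the constructed scenario both profiles report Conflict on PasswordAgeDays while the device keeps the value it last applied; calling the function with an empty -AppliedSettings shows the second case, where nothing is effective until the assignments are cleaned up. Removing one assignment or aligning the two values makes Conflicts empty and the merged settings effective.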

Next steps
Introduction to Intune policy for LAPS
View reports for LAPS
Account protection policy for endpoint security in Intune
Reports for LAPS policy in Intune
Article • 04/19/2023

After devices are assigned Microsoft Intune policy for Windows LAPS, you can view
policy details from within the Microsoft Intune admin center. Reports for LAPS include
details about the devices and users that have been assigned policies, which settings
from those policies have been set successfully, have errors or conflicts, and which
devices are pending the submission of device status for assigned policy.

Reports for Windows LAPS policies are found in the Endpoint security node for Account
protection policies. The Reports node of the Intune admin center doesn't have
dedicated reports for Windows LAPS.

LAPS policy report

You can use the LAPS policy report to view the configuration and assignments for a
LAPS policy, and to drill in and identify the source of conflicts that prevent devices from
applying your policies.

To use the report, sign into the Intune admin center and navigate to the Account
protection policy node. (Endpoint security > Account protection). Here you can view a
list of all Account protection policies, including the policies for LAPS that use the Local
admin password solution (Windows LAPS) (preview) profile. You can identify the profile by
the Policy type column:

When you select any row from the list of policies, Intune displays details for that policy
that include:
A summarization of the Device and user check-in status that displays the count of
devices that the policy targets and that have succeeded in reporting status, have
errors, and so forth.

A link labeled View report that opens a detailed report for each device or user
that’s been assigned the policy. This report can help you understand the policy
configuration and identify the source of conflicts that might prevent the policy
from applying to a device.

Each policy includes tiles you can use to investigate specific aspects of the LAPS
report:

Device assignment status - This tile opens a customized report you can use to
review details for a subset of assignment status, like devices with Success,
Conflict, or devices that are Pending and haven’t yet reported their status.

To use this report option, select one or more Assignment status options and
then select Generate again to run the report for current details.

The results you see are a subset of the results that are available from the View
report option. This custom view includes support to drill in to device details to
view more information about the selected assignment status that was selected
for this report.

Per setting status - A report that lists each setting in policy, and the count of
devices that have Success in applying the setting, have an Error, or a Conflict.
This report view doesn’t support drilling in for more detail.

In the following image, we’ve selected the policy named LAPSSHTest. We use this policy
as we examine what you can learn by using the View report button to drill in for more
information:

While viewing the details for a policy, select the View report button to view a list that
identifies each device that has been assigned the policy. The device list includes the
following information:

Device name - Devices that have been assigned this policy.

Logged in user – Identifies the name of the user logged into the device at the time
the policy last reported status.

Check-in status - The policy status for the device. In the following example, the
device shows a status of Conflict. Conflicts indicate that one or more other policies
that are assigned to this device uses a different configuration for a setting.

Last report modification time – When the policy was last updated.

In the following image, we see that our example policy is assigned to a single device.
The view also shows that there's a conflict for the device's Check-in status:

When you select the name of a device from the Device name column, Intune displays
details about the settings assigned to that device. In the following image, we see that
the device we selected has two assigned settings. Of the two settings, Password Age
Days is identified as being in conflict per the Setting status column. When you select a
setting from the Setting name column, Intune opens the Settings Details pane where you
can view details about that setting.

In the following image, we’ve selected Password Age Days so we can learn more about
its conflict:

The Settings Details pane shows us that the selected setting, Password Age Days, is
configured through two profiles, one named LAPSSHTest (the profile we have been
viewing), and the other named Lapsshtestapril.

With the source profiles that are in conflict now identified by name, you can go back to
the list of policies to view the Password Age Days setting from each, and resolve the
conflict.

Events and Audit logs
When you use Intune policies to manage Windows LAPS, the following events are
audited and logged in Azure Active Directory (Azure AD):

Automatic password rotation managed by policy.
Manual password rotation through a device action.
Requests to view the password for an account.

For information about Azure AD event logs, see Audit logs in Azure Active Directory.

Next steps
Introduction to Intune policy for LAPS
Create policy for LAPS
Account protection policy for endpoint security in Intune
Use Endpoint Privilege Management with Microsoft Intune
Article • 07/24/2023

Note

This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.

Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users
to run as a standard user (without administrator rights) and complete tasks that require
elevated privileges.

Tasks that commonly require administrative privileges are application installs (like
Microsoft 365 Applications), updating device drivers, and running certain Windows
diagnostics.

Endpoint Privilege Management supports your Zero Trust journey by helping your
organization achieve a broad user base running with least privilege, while allowing users
to still run tasks allowed by your organization to remain productive. For more
information, see Zero Trust with Microsoft Intune

The following sections of this article discuss requirements to use EPM, provide a
functional overview of how this capability works, and introduce important concepts for
EPM.

Applies to:

Windows 10
Windows 11

Prerequisites

Licensing
Endpoint Privilege Management requires an additional license beyond the Microsoft
Intune Plan 1 license. You can choose between a stand-alone license that adds only
EPM, or license EPM as part of the Microsoft Intune Suite. For more information, see Use
Intune Suite add-on capabilities.
Windows Client requirements
Endpoint Privilege Management has the following operating system requirements:

Windows 11, version 22H2 (22621.1344 or later) with KB5022913
Windows 11, version 21H2 (22000.1761 or later) with KB5023774
Windows 10, version 22H2 (19045.2788 or later) with KB5023773
Windows 10, version 21H2 (19044.2788 or later) with KB5023773
Windows 10, version 20H2 (19042.2788 or later) with KB5023773

Important

Elevation settings policy will show as not applicable if a device is not at the
minimum version specified above.

Endpoint Privilege Management has some new networking requirements; see
Network Endpoints for Intune.

Only devices with a Hybrid Azure Active Directory join or Azure Active Directory
join are supported. Workplace join is not a supported trust type.

Endpoint Privilege Management is supported for Intune-managed devices,
including co-managed devices.

Getting started with Endpoint Privilege Management
Endpoint Privilege Management (EPM) is built into Microsoft Intune, which means that
all configuration is completed within the Microsoft Intune Admin Center . When
organizations get started with EPM, they use the high-level process that's outlined as
follows:

License Endpoint Privilege Management - Before you can use Endpoint Privilege
Management policies, you must license EPM in your tenant as an Intune add-on.
For licensing information, see Use Intune Suite add-on capabilities.

Deploy an elevation settings policy - An elevation settings policy activates EPM on
the client device. This policy also allows you to configure settings that are specific
to the client but aren't necessarily related to the elevation of individual
applications or tasks.
Deploy elevation rule policies - An elevation rule policy links an application or task
to an elevation action. Use this policy to configure the elevation behavior for
applications your organization allows when the applications run on the device.

Important concepts for Endpoint Privilege Management
When you configure the elevation settings and elevation rules policies mentioned
previously, there are some important concepts that should be understood to ensure you
configure EPM to meet the needs of your organization. Before you widely deploy EPM,
the following concepts should be well understood as well as the impact they have on
your environment:

Run with elevated access - A right-click context menu option that appears when
EPM is activated on a device. When this option is used, the device's elevation rules
policies are checked for a match to determine if, and how, that file can be elevated
to run in an administrative context. If there's no applicable elevation rule, then the
device uses the default elevation configuration as defined by the elevation
settings policy.

File elevation and elevation types – EPM allows users without administrative
privileges to run processes in the administrative context. When you create an
elevation rule, that rule allows EPM to proxy the target of that rule to run with
administrator privileges on the device. The result is that the application has full
administrative capability on the device.

When you use Endpoint Privilege Management, there are a few options for
elevation behavior:
For automatic elevation rules, EPM automatically elevates these applications
without input from the user. Broad rules in this category can have widespread
impact to the security posture of the organization.
For user confirmed rules, end users use a new right-click context menu Run with
elevated access. User confirmed rules require the end-user to complete some
additional requirements before the application is allowed to elevate. These
requirements provide an extra layer of protection by making the user
acknowledge that the app will run in an elevated context, before that elevation
occurs.

Note
Each elevation rule can also set the elevation behavior for child processes that
the elevated process creates.

Child process controls - When processes are elevated by EPM, you can control
how the creation of child processes is governed by EPM. This allows you to have
granular control over any subprocesses that may be created by your elevated
application.

Client-side components – To use Endpoint Privilege Management, Intune
provisions a small set of components on the device that receive elevation policies
and enforce them. The components are provisioned only when an elevation
settings policy is received, and the policy has expressed the intent to enable
Endpoint Privilege Management.

Disabling and deprovisioning – As a component that installs on a device, Endpoint
Privilege Management can be disabled from within an elevation settings policy.
Use of the elevation settings policy is required to remove Endpoint Privilege
Management from a device.

Once the device has received an elevation settings policy requiring EPM to be
disabled, Intune immediately disables the client-side components. EPM will remove
the EPM component after a period of seven days. The delay is to ensure temporary
or accidental changes in policy or assignments don't result in mass de-
provisioning/re-provisioning events that might have a substantial impact on
business operations.

Managed elevations vs unmanaged elevations – These terms might be used in
our reporting and usage data. These terms refer to the following descriptions:
Managed elevation: Any elevation that Endpoint Privilege Management
facilitates. Managed elevations include all elevations that EPM ends up
facilitating for the standard user. This could include elevations that happen as
the result of an elevation rule or as part of default elevation action.
Unmanaged elevation: All file elevations that happen without use of Endpoint
Privilege Management. These elevations can happen when a user with
administrative rights uses the Windows default action of Run as administrator.

Role-based access controls for Endpoint Privilege Management
To manage Endpoint Privilege Management, your account must be assigned an Intune
role-based access control (RBAC) role that includes the following permission with
sufficient rights to complete the desired task:

Endpoint Privilege Management Policy Authoring – This permission is required to
work with policy or data and reports for Endpoint Privilege Management, and
supports the following rights:
View Reports
Read
Create
Update
Delete
Assign

You can add this permission with one or more rights to your own custom RBAC roles, or
use a built-in RBAC role dedicated to managing Endpoint Privilege Management:

Endpoint Privilege Manager – This built-in role is dedicated to managing Endpoint
Privilege Management in the Intune console. This role includes all rights for
Endpoint Privilege Management Policy Authoring.

Endpoint Privilege Reader - Use this built-in role to view Endpoint Privilege
Management policies in the Intune console, including reports. This role includes
the following rights for Endpoint Privilege Management Policy Authoring:
View Reports
Read

In addition to the dedicated roles, the following built-in roles for Intune also include
rights for Endpoint Privilege Management Policy Authoring:

Endpoint Security Manager - This role includes all rights for Endpoint Privilege
Management Policy Authoring.

Read Only Operator - This role includes the following rights for Endpoint Privilege
Management Policy Authoring:
View Reports
Read

For more information, see Role-based access control for Microsoft Intune.

EpmTools PowerShell module

Each device that receives Endpoint Privilege Management policies installs the EPM
Microsoft Agent to manage those policies. The agent includes the EpmTools PowerShell
module, a set of cmdlets that you can import to a device. You can use the cmdlets from
EpmTools to:

Diagnose and troubleshoot issues with Endpoint Privilege Management.
Get file attributes directly from a file or application for which you want to build a
detection rule.

Install the EpmTools PowerShell module

The EpmTools PowerShell module is available from any device that has received EPM
policy. To import the EpmTools PowerShell module:

1. Open PowerShell with admin privileges and go to C:\Program Files\Microsoft EPM
Agent\EpmTools.
2. From the EpmTools folder, run Import-Module .\EpmCmdlets.dll.

Following are the available cmdlets:

Get-Policies: Retrieves a list of all policies received by the Epm Agent for a given
PolicyType (ElevationRules, ClientSettings).
Get-DeclaredConfiguration: Retrieves a list of WinDC documents that identify the
policies targeted to the device.
Get-DeclaredConfigurationAnalysis: Retrieves a list of WinDC documents of type
MSFTPolicies and checks if the policy is already present in Epm Agent (Processed
column).
Get-ElevationRules: Queries the EpmAgent lookup functionality and retrieves rules
for a given lookup and target. Lookup is supported for FileName and CertificatePayload.
Get-ClientSettings: Processes all existing client settings policies to display the
effective client settings used by the EPM Agent.
Get-FileAttributes: Retrieves file attributes for a .exe file and extracts its Publisher
and CA certificates to a set location that can be used to populate Elevation Rule
properties for a particular application.

For more information about each cmdlet, review the readme.txt file from the EpmTools
folder on the device.

Next steps
Guidance for creating Elevation Rules
Configure policies for Endpoint Privilege Management
Reports for Endpoint Privilege Management
Data collection and privacy for Endpoint Privilege Management
Deployment considerations and frequently asked questions
Guidance for creating elevation rules with Endpoint Privilege Management
Article • 07/24/2023

Note

This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.

Overview
Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users
to run as a standard user (without administrator rights) and complete tasks that require
elevated privileges.

Tasks that commonly require administrative privileges are application installs (like
Microsoft 365 Applications), updating device drivers, and running certain Windows
diagnostics.

Endpoint Privilege Management supports your zero-trust journey by helping your
organization achieve a broad user base running with least privilege, while allowing users
to still run tasks allowed by your organization to remain productive.

Defining rules for use with Endpoint Privilege Management
Endpoint Privilege Management rules consist of two fundamental elements: a detection
and an elevation action.

Detections are the set of attributes that are used to identify an application or binary.
Detections are made up of attributes such as file name, file version, or attributes of a
signature.

Elevation actions are the resulting elevation that occurs after an application or binary
has been detected.

It's important when defining detections that they're defined to be as descriptive as
possible. To be descriptive, use strong attributes, or multiple attributes to increase the
strength of the detection. The goal when defining detections should be to eliminate the
ability for multiple files to fall into the same rule, unless that is explicitly the intent.

File hash rules
File hash rules are the strongest rules that can be created with Endpoint Privilege
Management. These rules are highly recommended to ensure the file you intend to
elevate is the file that is elevated.

A file hash can be gathered from the binary itself with the Get-FileHash PowerShell
cmdlet, or directly from the reports for Endpoint Privilege Management.

Certificate rules
Certificate rules are a strong type of attribute and should be paired with other attributes.
Pairing a certificate with attributes like product name, internal name, and description
drastically improves the security of the rule. These attributes are protected by the file's
signature, and often indicate specifics about the signed file.

Caution

Using just a certificate and a file name provides very limited protection against misuse
of a rule. File names can be changed by any standard user, provided they have
access to the directory where the file resides. This might not be a concern for files
that reside in a write-protected directory.

Rules containing file name
File name is an attribute that can be utilized to detect an application that needs to be
elevated. However, file names aren't protected by the signature of the file.

This means that file names are highly susceptible to change. Files that are signed by a
certificate that you trust could have their name changed to be detected and
subsequently elevated, which might not be your intended behavior.

Important

Always ensure that rules including a file name include other attributes that provide
a strong assertion of the file's identity. Attributes like file hash or properties that are
included in the file's signature are good indicators that the file you intend is likely
the one being elevated.

Rules based on attributes gathered by PowerShell
To help you build more accurate file detection rules, you can use the Get-FileAttributes
PowerShell cmdlet. Available from the EpmTools PowerShell module, Get-FileAttributes
can retrieve file attributes for a .exe file and extract its Publisher and CA certificates to a
set location that you can use to populate Elevation Rule Properties for a particular
application.

For more information, see EpmTools PowerShell module.
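As an added example that is not part of the Intune documentation or the EpmTools module, the following PowerShell function gathers the attributes the sections above recommend for a strong rule (SHA-256 file hash, publisher and issuing CA certificates, and the signature-protected version-info fields) using only built-in cmdlets (Get-FileHash, Get-AuthenticodeSignature, Export-Certificate). The function name, its parameters and the default output folder are assumptions; Export-Certificate requires the Windows PKI module.

```powershell
# Added example, not code from the Intune docs or the EpmTools module.
# Collects the attributes an EPM elevation rule can use to identify a binary
# and exports the publisher and issuing CA certificates as .cer files, which
# can then be uploaded to a rule or a reusable settings group.
# Assumed inputs: the path of the binary and an output folder for the certificates.
function Get-EpmRuleAttributes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $CertOutputFolder = (Join-Path $env:TEMP 'EpmRuleCerts')
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    New-Item -ItemType Directory -Path $CertOutputFolder -Force | Out-Null

    # Strongest attribute: the SHA-256 hash (required for Automatic rules).
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Signature-protected attributes are only meaningful when the signature is valid.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)'; version-info fields are not protected by a valid signature."
    }

    $publisherCerPath = $null
    $caCerPath = $null
    $caSubject = $null
    if ($sig.SignerCertificate) {
        # Publisher certificate: use with Certificate type "Publisher".
        $publisherCerPath = Join-Path $CertOutputFolder ("{0}-publisher.cer" -f $file.BaseName)
        Export-Certificate -Cert $sig.SignerCertificate -FilePath $publisherCerPath -Type CERT -Force | Out-Null

        # Walk the chain to the issuer: use with Certificate type "Certificate authority".
        # Revocation checking is skipped so this works offline; the chain elements are
        # populated even when Build() reports an untrusted root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chain.Build($sig.SignerCertificate)
        if ($chain.ChainElements.Count -gt 1) {
            $ca = $chain.ChainElements[1].Certificate
            $caSubject = $ca.Subject
            $caCerPath = Join-Path $CertOutputFolder ("{0}-ca.cer" -f $file.BaseName)
            Export-Certificate -Cert $ca -FilePath $caCerPath -Type CERT -Force | Out-Null
        }
    }

    # Version-info fields are covered by the Authenticode signature, unlike the file name.
    $vi = $file.VersionInfo
    [pscustomobject]@{
        FileName        = $file.Name            # weak on its own: renamable by anyone with write access
        FilePath        = $file.DirectoryName
        FileHash        = $hash                 # strongest attribute
        SignatureStatus = $sig.Status
        Publisher       = $sig.SignerCertificate.Subject
        PublisherCer    = $publisherCerPath
        IssuingCA       = $caSubject
        IssuingCACer    = $caCerPath
        FileVersion     = $vi.FileVersion       # candidate for "Minimum version" (x.x.x.x)
        ProductName     = $vi.ProductName       # pair these with the certificate in the rule
        InternalName    = $vi.InternalName
        FileDescription = $vi.FileDescription
    }
}

# Usage (assumed path): Get-EpmRuleAttributes -Path 'C:\Program Files\Contoso\contoso-updater.exe' | Format-List
```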

Controlling child process behavior
Child process behavior allows you to control the context when a child process is created
by a process elevated with EPM. This behavior allows you to further restrict processes
that would normally be delegated the context of their parent process automatically.

Windows automatically delegates the context of a parent to a child, so take special
care in controlling the behavior for your allowed applications. Ensure you evaluate what
is needed when you create elevation rules, and implement the principle of least
privilege.

Note

Changing the child process behavior may cause compatibility issues with certain
applications that expect the default Windows behavior. Make sure you thoroughly
test applications when changing the child process behavior.

Deploying rules created with Endpoint Privilege Management
Endpoint Privilege Management rules are deployed like any other policy in Microsoft
Intune. This means that rules can be deployed to users or devices, and rules are merged
on the client side and selected at run time. Any conflicts are resolved based on the
policy conflict behavior.

Rules deployed to a device are applied to every user that uses that device. Rules that are
deployed to a user apply only to that user on each device that they utilize. When an
elevation action occurs, rules deployed to the user are given precedence over rules
deployed to a device. This behavior allows you to deploy a set of rules to devices that
might apply to all users on that device, and a more permissive set of rules to a support
admin to allow them to elevate a broader set of applications when they sign in to the
device temporarily.

Default Elevation behavior is used only when no rule match can be found. This also
requires use of the Run with elevated access right-click menu, which is interpreted as a
user explicitly asking for an application to be elevated.

Endpoint Privilege Management and User Account Control
Endpoint Privilege Management and Windows built-in user account control (UAC) are
separate products with separate functionality.

When moving users to run as standard users and utilizing Endpoint Privilege
Management, you might choose to change the default UAC behavior for standard users.
This change can reduce confusion when an application requires elevation and create a
better end user experience. Examine behavior of the elevation prompt for standard
users for more information.

Note

Endpoint Privilege Management will not interfere with user account control actions
(or UAC) being run by an Administrator on the device. It is possible to create rules
that apply to Administrators on the device, so special considerations should be
given to rules that are applied to all users on a device and the impact on users with
Administrator rights.

Next steps
Learn about Endpoint Privilege Management
Configure policies for Endpoint Privilege Management
Reports for Endpoint Privilege Management
Data collection and privacy for Endpoint Privilege Management
Deployment considerations and frequently asked questions
Configure policies for Endpoint Privilege Management
Article • 07/24/2023

Note

This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.

Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users
to run as a standard user (without administrator rights) and complete tasks that require
elevated privileges.

Tasks that commonly require administrative privileges are application installs (like
Microsoft 365 Applications), updating device drivers, and running certain Windows
diagnostics.

Endpoint Privilege Management supports your zero-trust journey by helping your
organization achieve a broad user base running with least privilege, while allowing users
to still run tasks allowed by your organization to remain productive.

The information in this article can help you to configure the following policies and
reusable settings for EPM:

Windows elevation settings policy
Windows elevation rules policy
Reusable settings groups, which are optional configurations for your elevation
rules.

Applies to:

Windows 10
Windows 11

Get started with EPM policies
Endpoint Privilege Management uses two policy types that you configure to manage
how a file elevation request is handled. Together, the policies configure the behavior for
file elevations when standard users request to run with administrative privileges.

Before you can create Endpoint Privilege Management policies, you must license EPM in
your tenant as an Intune add-on. For licensing information, see Use Intune Suite add-on
capabilities.

About Windows elevation settings policy
Use Windows elevation settings policy when you want to:

Enable Endpoint Privilege Management on devices. By default, this policy enables
EPM. When first enabled for EPM, a device provisions the components that collect
usage data on elevation requests and that enforce elevation rules.

If a device has EPM disabled, the client components immediately disable. There's a
delay of seven days before the EPM component is completely removed. The delay
helps to reduce the time it takes to restore EPM should a device accidentally have
EPM disabled or its elevation settings policy unassigned.

Default elevation response - Set a default response for an elevation request of any
file that’s not managed by a Windows elevation rule policy. For this setting to have
an effect, no rule can exist for the application AND an end user must have explicitly
requested elevation through the Run with elevated access right-click menu. By
default, this option isn't configured. If no setting is delivered, the EPM components
fall back to their built-in default, which is to deny all requests.

Options include:
Deny all requests - This option blocks the elevate request action for files that
aren't defined in a Windows elevation rules policy.
Require user confirmation - When user confirmation is required, you can
choose from the same validation options as found for Windows elevation rules
policy.

Note

Default responses are only processed for requests coming through the Run
with elevated access right-click menu.

Validation options - Set validation options when the default elevation response is
defined as Require user confirmation.

Options include:
Business justification - This option requires the end user to provide a
justification before completing an elevation that is facilitated by the default
elevation response.
Windows authentication - This option requires the end user to authenticate
before completing an elevation that is facilitated by the default elevation
response.

Note

Multiple validation options can be selected to satisfy the needs of the
organization. If no options are selected, then the user is only required to click
continue to complete the elevation.

Send elevation data for reporting - This setting controls whether your device
shares diagnostic and usage data with Microsoft. When enabled to share data, the
type of data is configured by the Reporting scope setting.

Diagnostic data is used by Microsoft to measure the health of the EPM client
components. Usage data is used to show you elevations that happen within your
tenant. For more information about the types of data and how it's stored, see Data
collection and privacy for Endpoint Privilege Management.

Options include:
Yes - This option sends data to Microsoft based on the Reporting Scope setting.
No - This option does not send data to Microsoft.

Reporting Scope - This setting controls the amount of data being sent to
Microsoft when Send elevation data for reporting is set to Yes. By default,
Diagnostic data and all endpoint elevations is selected.

Options include:
Diagnostic data and managed elevations only - This option sends diagnostic
data to Microsoft about the health of the client components AND data about
elevations being facilitated by Endpoint Privilege Management.
Diagnostic data and all endpoint elevations - This option sends diagnostic data
to Microsoft about the health of the client components AND data about all
elevations happening on the endpoint.
Diagnostic data only - This option sends only the diagnostic data to Microsoft
about the health of the client components.

About Windows elevation rules policy
Use profiles for Windows elevation rules policy to manage the identification of specific
files, and how elevation requests for those files are handled. Each Windows elevation rule
policy includes one or more elevation rules. It's with elevation rules that you configure
details about the file being managed and requirements for it to be elevated.

Each elevation rule:

Uses the file name (including extension) to identify the file the rule applies to.
The rule also supports optional conditions like a minimum build version, product
name, or internal name. Optional conditions are used to further validate the file
when elevation is attempted.

Supports use of a certificate to validate the file's integrity before it runs on a
device. Certificates can be added directly to a rule, or by using a reusable settings
group. We recommend the use of reusable settings groups as they can be more
efficient and simplify a future change to the certificate. For more information, see
the next section Reusable settings groups.

Supports use of a file hash to validate the file. A file hash is required for
automatic rules. For user confirmed rules, you can choose to either use a certificate
or a file hash, in which case the file hash becomes optional.

Configures the file's elevation type. Elevation type identifies what happens when
an elevation request is made for the file. By default, this option is set to User
confirmed, which is our recommendation for elevations.

User confirmed (Recommended): A user confirmed elevation always requires
the user to click on a confirmation prompt to run the file. There are more user
confirmations you can add. One requires users to authenticate using their
organization credentials. Another option requires the user to enter a business
justification. While the text entered for a justification is up to the user, EPM can
collect and report it when the device is configured to report elevation data as
part of its Windows elevation settings policy.

Automatic elevation happens invisibly to the user. There's no prompt, and no
indication that the file is running in an elevated context.

Note

For more information about creating strong rules, see our guidance for
creating elevation rules with Endpoint Privilege Management.

You can also use the Get-FileAttributes PowerShell cmdlet from the
EpmTools PowerShell module. This cmdlet can retrieve file attributes for a
.exe file and extract its Publisher and CA certificates to a set location that
you can use to populate Elevation Rule Properties for a particular
application.

Manage the behavior of child processes. You can set the elevation behavior that
applies to any child processes that the elevated process creates.
Require rule to elevate - Configure child processes to require their own rule
before a child process can run in an elevated context.
Deny all - All child processes launch without elevated context.
Allow child processes to run elevated - Configure child processes to always run
elevated.

Note

For more information about creating strong rules, see our guidance for creating
elevation rules with Endpoint Privilege Management.

Caution

We recommend automatic elevation be used sparingly, and only for trusted files
that are business critical. End users will automatically elevate these applications at
every launch of that application.

Reusable settings group
Endpoint Privilege Management supports using reusable settings groups to manage the
certificates in place of adding that certificate directly to an elevation rule. Like all
reusable settings groups for Intune, configurations and changes made to a reusable
settings group are automatically passed to the policies that reference the group. We
recommend using a reusable settings group when you plan to use the same certificate
to validate files in multiple elevation rules. The use of reusable settings groups is more
efficient when you use the same certificate in multiple elevation rules:

Certificates you add directly to an elevation rule: Each certificate that's added
directly to a rule is uploaded as a unique instance by Intune, and that certificate
instance is then associated with that rule. Adding the same certificate directly to
two separate rules results in it uploading twice. Later, if you must change the
certificate, you must edit each individual rule that contains it. With each rule
change, Intune uploads the updated certificate a single time for each rule.
Certificates you manage through a reusable settings group: Each time a certificate
is added to a reusable settings group, Intune uploads the certificate a single time
no matter how many elevation rules include that group. That instance of the
certificate is then associated with the file from each rule that uses that group. Later,
any change to the certificate you make can be made a single time in the reusable
settings group. This change results in Intune uploading the updated file a single
time, and then applying that change to each elevation rule that references the
group.

Windows elevation settings policy
Deploy Windows elevation settings policy to users or devices to configure the following
options on devices:

Enable Endpoint Privilege Management on a device.
Set default rules for elevation requests for any file that isn't managed by an
Endpoint Privilege Management elevation rule on that device.
Configure what information EPM reports back to Intune.

A device must have an elevation settings policy that enables support for EPM before the
device can process an elevation rules policy or manage elevation requests. When
support is enabled, the C:\Program Files\Microsoft EPM Agent folder is added to the
device along with the EPM Microsoft Agent which is responsible for processing the EPM
policies.

Create a Windows elevation settings policy
1. Sign in to the Microsoft Intune admin center and go to Endpoint security >
Endpoint Privilege Management > select the Policies tab > and then select Create
Policy. Set the Platform to Windows 10 and later, Profile to Windows elevation
settings policy, and then select Create.

2. On Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional but
recommended.

3. On Configuration settings, configure the following to define default behaviors for
elevation requests on a device:

Endpoint Privilege Management: Set to Enabled (default). When Enabled, a
device uses Endpoint Privilege Management. When set to Disabled, the
device doesn't use Endpoint Privilege Management, and immediately disables
EPM if it was previously enabled. After seven days, the device will deprovision
the components for Endpoint Privilege Management.

Default elevation response: Configure how this device manages elevation
requests for files that aren't directly managed by a rule:
Not Configured: This option functions the same as Deny all requests.
Deny all requests: EPM doesn't facilitate the elevation of files and the user
is shown a pop-up window with information about the denial. This
configuration doesn't prevent users with administrative permissions from
using Run as administrator to run unmanaged files.
Require user confirmation: This behavior applies to elevation requests for
files that aren't managed by an elevation rule policy. The user receives a
simple prompt to confirm their intent to run the file. You can also require
more prompts that are available from the Validation drop down:
Business justification: Require the user to enter a justification for
running the file. There's no required format for this justification. User
input is saved and can be reviewed through logs if the Reporting scope
includes collection of endpoint elevations.
Windows authentication: This option requires the user to authenticate
using their organization credentials.
Send elevation data for reporting: By default, this behavior is set to Yes.
When set to yes, you can then configure a Reporting scope. When set to No, a
device doesn’t report diagnostic data or information about file elevations to
Intune.

Reporting scope: Choose what type of information a device reports to
Intune:

Diagnostic data and all endpoint elevations (Default): The device reports
diagnostic data and details about all file elevations that are facilitated by
EPM.

This level of information can help you identify additional files that aren't
yet managed by an elevation rule that users seek to run in an elevated
context.

Diagnostic data and managed elevations only: The device reports
diagnostic data and details about file elevations for only those files that
are managed by an elevation rule policy. File requests for unmanaged files,
and files that are elevated through the Windows default action of Run as
administrator, aren't reported as managed elevations.

Diagnostic data only: Only diagnostic data for the operation of Endpoint
Privilege Management is collected. Information about file elevations isn’t
reported to Intune.

When ready, select Next to continue.

4. On the Scope tags page, select any desired scope tags to apply, then select Next.

5. For Assignments, select the groups that receive the policy. For more information
on assigning profiles, see Assign user and device profiles.

Select Next.

6. For Review + create, review your settings and then select Create. When you select
Create, your changes are saved, and the profile is assigned. The policy is also
shown in the policy list.

Windows elevation rules policy
Deploy a Windows elevation rules policy to users or devices to deploy one or more rules
for files that are managed for elevation by Endpoint Privilege Management. Each rule
you add to this policy:

Identifies a file for which you want to manage elevation requests.
Can include a certificate to help validate that file’s integrity before it’s run. You can
also add a reusable group that contains a certificate that you then use with one or
more rules or policies.
Specifies whether the file's elevation type is automatic (silent) or requires user
confirmation. With user confirmation, you can add additional user actions that
must be completed before the file is run. In addition to this policy, a device must
also be assigned a Windows elevation settings policy that enables Endpoint
Privilege Management.

Create a Windows elevation rules policy
1. Sign in to the Microsoft Intune admin center and go to Endpoint security >
Endpoint Privilege Management > select the Policies tab > and then select Create
Policy. Set the Platform to Windows 10 and later, Profile to Windows elevation
rules policy, and then select Create.

2. On Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional but
recommended.

3. On Configuration settings, add a rule for each file that this policy manages. When
you create a new policy, the policy includes a blank rule with an elevation type of
User confirmed and no rule name. Start by configuring this rule, and later you can
select Add to add more rules to this policy. Each new rule you add has an
elevation type of User confirmed, which can be changed when you configure the
rule.

To configure a rule, select Edit instance to open its Rule properties page, and then
configure the following:

Rule name: Like a policy name, enter a descriptive name for the rule. Name
your rules so you can easily identify them later.
Description (Optional): Enter a description for the profile.

Elevation conditions are conditions that define how a file runs, and user validations
that must be met before the file this rule applies to can be run.

Elevation type: By default, this option is set to User confirmed, which is the
elevation type we recommend for most files.
User confirmed: We recommend this option for most rules. When a file is
run, the user receives a simple prompt to confirm their intent to run the
file. The rule can also include additional prompts that are available from
the Validation drop down:
Business justification: Require the user to enter a justification for running
the file. There's no required format for the entry, however the user input
is saved and can be reviewed through logs if the Reporting scope
includes collection of endpoint elevations.
Windows authentication: This option requires the user to authenticate
using their organization credentials.
Automatic: This elevation type automatically runs the file in question with
elevated permissions. Automatic elevation is transparent to the user,
without prompting for confirmation or requiring justification or
authentication by the user.

Caution
Only use automatic elevation for files you trust. These files will
automatically elevate without user interaction. Rules that are not well
defined could allow unapproved applications to elevate. For more
information on creating strong rules, see the guidance for creating
rules.

Child process behavior: By default, this option is set to Require rule to
elevate, which requires the child process to match the same rule as the process
that creates it. Other options include:
Allow all child processes to run elevated: This option should be used with
caution as it allows applications to create child processes unconditionally.
Deny all: This configuration prevents any child process from being created.

File information is where you specify the details that identify a file that this rule
applies to.

File name: Specify the file name and its extension. For example:
myapplication.exe

File path (Optional): Specify the location of the file. If the file can be run from
any location or is unknown, you can leave this blank. You can also use a
variable.

Signature source: Choose one of the following options:

Use a certificate file in reusable settings (Default): This option uses a
certificate file that has been added to a reusable settings group for
Endpoint Privilege Management. You must create a reusable settings
group before you can use this option.

To identify the Certificate, select Add or remove a certificate, and then
select the reusable group that contains the correct certificate. Then, specify
the Certificate type of Publisher or Certificate authority.

Upload a certificate file: Add a certificate file directly to the elevation rule.
For File upload, specify a .cer file that can validate the integrity of the file
that this rule applies to. Then, specify the Certificate type of Publisher or
Certificate authority.

Not configured: Use this option when you don't want to use a certificate
to validate the integrity of the file. When no certificate is used, you must
provide a file hash.
File hash: The file hash is required when Signature source is set to Not
configured, and optional when set to use a certificate.

Minimum version: (Optional) Use x.x.x.x format to specify a minimum version
of the file that is supported by this rule.

File description: (Optional) Provide a description of the file.

Product name: (Optional) Specify the name of the product that the file is
from.

Internal name: (Optional) Specify the internal name of the file.

Select Save to save the rule configuration. You can then Add additional rules, and
when you've added all the rules this policy will include, select Next to continue.

4. On the Scope tags page, select any desired scope tags to apply, then select Next.

5. For Assignments, select the groups that receive the policy. For more information
on assigning profiles, see Assign user and device profiles. Select Next.

6. In Review + create, review your settings and then select Create. When you select
Create, your changes are saved, and the profile is assigned. The policy is also
shown in the policy list.

Reusable settings groups
Endpoint Privilege Management uses reusable settings groups to manage the
certificates that validate the files you manage with Endpoint Privilege Management
elevation rules. Like all reusable settings groups for Intune, changes to a reusable group
are automatically passed to the policies that reference the group. If you must update the
certificate you use for file validation, you only need to update it in the reusable settings
group a single time. Intune applies the updated certificate to all your elevation rules that
use that group.

To create the reusable settings group for Endpoint Privilege Management:

1. Sign in to the Microsoft Intune admin center and go to Endpoint security >
Endpoint Privilege Management > select the Reusable settings (preview) tab >
and then select Add.

2. On Basics, enter the following properties:

Name: Enter a descriptive name for the reusable group. Name groups so you
can easily identify each later.
Description: Enter a description for the profile. This setting is optional but
recommended.

3. In Configuration settings, select the folder icon for Certificate file, and browse to a
.CER file to add it to this reusable group. The Base 64 value field fills in based on
the certificate selected.

4. In Review + create, review your settings and then select Add. When you select
Add, your configuration is saved, and group is then shown in the reusable settings
group list for Endpoint Privilege Management.

Policy conflict handling for Endpoint Privilege Management
Except for the following situation, conflicting policies for EPM are handled like any other
policy conflict.

Windows elevation settings policy:

When a device receives two separate elevation settings policies with conflicting values,
the EPM client reverts to the default client behavior until the conflict is resolved.

Note

If the Enable Endpoint Privilege Management setting is in conflict, the default
behavior of the client is to enable EPM. This means the client components will
continue to function until an explicit value is delivered to the device.

Windows elevation rules policy:

If a device receives two rules targeting the same application, both rules are consumed
on the device. When EPM goes to resolve rules that apply to an elevation, it uses the
following logic:

Rules deployed to a user take precedence over rules deployed to a device.
Rules with a hash defined are always deemed the most specific rule.
If more than one rule applies (with no hash defined), the rule with the most
defined attributes wins (most specific).
If applying the above logic results in more than one rule, the following order
determines the elevation behavior: User Confirmed, Support Approved (once
available), and then Automatic.
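The following is an added example, not the EPM client's own code: a PowerShell model of the resolution order listed above, applied to three constructed rules that all match the same file. It assumes the steps are applied in the order they are listed (user scope first, then hash, then attribute count, then elevation type), and the rule property names and sample values are invented for the model.

```powershell
# Added example: a model of the documented EPM rule resolution order, not the
# client's implementation. Rule objects and their property names are constructed.
$ElevationTypeOrder = @{ 'UserConfirmed' = 0; 'SupportApproved' = 1; 'Automatic' = 2 }

function Resolve-EpmRule {
    param([Parameter(Mandatory)] [object[]] $MatchingRules)

    # 1. Rules deployed to a user take precedence over rules deployed to a device.
    $candidates = @($MatchingRules | Where-Object Scope -eq 'User')
    if ($candidates.Count -eq 0) {
        $candidates = @($MatchingRules | Where-Object Scope -eq 'Device')
    }

    # 2. A rule with a file hash defined is always the most specific rule.
    $withHash = @($candidates | Where-Object { $_.FileHash })
    if ($withHash.Count -gt 0) {
        $candidates = $withHash
    } else {
        # 3. With no hash defined, the rule with the most defined attributes wins.
        $attrNames = 'FileName', 'FilePath', 'Certificate', 'MinimumVersion',
                     'FileDescription', 'ProductName', 'InternalName'
        $scored = $candidates | ForEach-Object {
            $r = $_
            $count = @($attrNames | Where-Object { $r.$_ }).Count
            [pscustomobject]@{ Rule = $r; Count = $count }
        }
        $max = ($scored | Measure-Object Count -Maximum).Maximum
        $candidates = @($scored | Where-Object Count -eq $max | ForEach-Object Rule)
    }

    # 4. If more than one rule still applies, the elevation type order decides:
    #    User confirmed, then Support approved (once available), then Automatic.
    $candidates | Sort-Object { $ElevationTypeOrder[$_.ElevationType] } | Select-Object -First 1
}

# Constructed sample rules that would all match contoso-updater.exe:
# one device-scoped rule, and two user-scoped rules of differing specificity.
$rules = @(
    [pscustomobject]@{ Name = 'Device-Cert+Product'; Scope = 'Device'; FileName = 'contoso-updater.exe';
                       Certificate = 'Contoso Publisher'; ProductName = 'Contoso Updater';
                       FileHash = $null; ElevationType = 'Automatic' }
    [pscustomobject]@{ Name = 'User-Name-only'; Scope = 'User'; FileName = 'contoso-updater.exe';
                       FileHash = $null; ElevationType = 'Automatic' }
    [pscustomobject]@{ Name = 'User-Cert+Product'; Scope = 'User'; FileName = 'contoso-updater.exe';
                       Certificate = 'Contoso Publisher'; ProductName = 'Contoso Updater';
                       FileHash = $null; ElevationType = 'UserConfirmed' }
)

# Prints the name of the rule the model selects for this file.
(Resolve-EpmRule -MatchingRules $rules).Name
```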

Note

If a rule does not exist for an elevation and that elevation was requested through
the Run with elevated access right-click context menu, then the Default Elevation
Behavior will be used.

Next steps
Guidance for creating Elevation Rules
Reports for Endpoint Privilege Management
Data collection and privacy for Endpoint Privilege Management
Deployment considerations and frequently asked questions
Reports for Endpoint Privilege Management
Article • 08/21/2023

Note

This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.

Elevation reports for Endpoint Privilege Management are currently in preview.

Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users
to run as a standard user (without administrator rights) and complete tasks that require
elevated privileges.

Tasks that commonly require administrative privileges are application installs (like
Microsoft 365 Applications), updating device drivers, and running certain Windows
diagnostics.

Endpoint Privilege Management supports your zero-trust journey by helping your
organization achieve a broad user base running with least privilege, while allowing users
to still run tasks allowed by your organization to remain productive.

The information available in EPM reports depends on the reporting scope of a device.
The reporting scope for each device is configured as part of a Windows elevation
settings policy, and different devices can have different reporting scope configurations.

The EPM reports are available from the Reports tab of the Endpoint Privilege
Management node from within the Microsoft Intune admin center. Go to Endpoint
security > Endpoint Privilege Management, and select the Reports tab. Select from the
following tiles to view a report:

Elevation report
Managed elevations report
Elevation report by applications

Note

Data is processed once every 24 hours. There may be a delay before seeing data in
the elevation usage reports.

Elevation report
The Elevation report displays a list view with details about all reported elevations. This
list includes elevations that are managed by specific rules and elevations that are
captured by default elevation setting policies. Several columns of information are
available by default, including but not limited to:

File name - The name of the file that received an elevation request.
User - The user who requested elevation of the file.
Device - The name of the device on which the file request was made.
Result - Whether the elevation was successful.
Date and time - When the elevation request was made.

By selecting an entry in the report, you can drill in to view more details about the
elevation request and the file involved.

Managed elevation report

The Managed elevation report displays the same types of detail as the Elevation report,
but reports on only the elevations that are managed by a Windows elevation rule policy.

Elevation report by applications

The Elevation report by applications report displays details for all managed and
unmanaged elevations, aggregated by the application that elevated. Details include:

Internal file name
File version
Publisher
Elevation type
Elevation count

The information in this report can help identify applications that might require elevation
rules to function properly, including rules for child processes.

Endpoint Privilege Management policy details

In addition to the dedicated reports, you can view basic details about EPM policies from
the Policies tab of the Endpoint Privilege Management node. This node is the same
location in the Microsoft Intune admin center where you create policies for EPM: In
the admin center, go to Endpoint security > Endpoint Privilege Management, and
select the Policies tab.

Next steps
Guidance for creating Elevation Rules
Configure policies for Endpoint Privilege Management
Data collection and privacy for Endpoint Privilege Management
Deployment considerations and frequently asked questions
Data collection and privacy for Endpoint Privilege Management
Article • 04/18/2023

Note

This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.

Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users
to run as a standard user (without administrator rights) and complete tasks that require
elevated privileges.

Tasks that commonly require administrative privileges are application installs (like
Microsoft 365 Applications), updating device drivers, and running certain Windows
diagnostics.

Endpoint Privilege Management supports your zero-trust journey by helping your
organization achieve a broad user base running with least privilege, while allowing users
to still run tasks allowed by your organization to remain productive.

This article provides information about the data that EPM can collect from devices.

Applies to:

Windows 10
Windows 11

Overview of data collection

Endpoint Privilege Management on devices can be configured to report on the
following data types:

Diagnostic data
Usage data

When configuring EPM, you configure the Send elevation data for reporting and
Reporting scope settings in a Windows elevation settings policy to determine which
data is reported to Microsoft.

Diagnostic Data
Diagnostic data is event data that is used by Microsoft to monitor the health of the
client-side components that provide the capability to elevate as a standard user.

Usage Data
Usage data is elevation data that is used by customers to determine what elevations
have occurred in their environment. This data is stored with your Intune infrastructure
and is used to populate the elevation reports. When configuring reporting scope, you
have the ability to configure what scope of data is collected. You can choose between
none, only elevations completed by EPM, or all elevations that take place on a device.

Data collection reference

Usage data

Property name            Description
Tenant Identifier        Identifier (GUID) unique to the tenant.
Device Identifier        Identifier (GUID) unique to the device.
User Name                Identifier ("AzureAd\User") of the user completing the elevation.
Justification            Justification string (if provided) entered by the user when completing the elevation.
File name                Name of the file (String) that completed the elevation.
Event Id                 Internal identifier (Integer) used to identify the type of elevation described in the event.
Event Name               Internal name (String) used to identify the type of elevation described in the event.
Time Created             Time the event was generated on the device.
Product Name             File metadata (String) of the file that completed the elevation.
Publisher                File metadata (String) of the file that completed the elevation.
File Version             File metadata (String) of the file that completed the elevation.
File Description         File metadata (String) of the file that completed the elevation.
Internal File name       File metadata (String) of the file that completed the elevation.
Certificate Payload      File metadata (String) of the file that completed the elevation.
Elevation Type           Type of elevation that was facilitated.
Result                   Exit code of the elevation operation (Success/Failure).
Account Type             Type of account (local or organizational) that completed the elevation.

Diagnostic data

Property name            Description
Device Identifier        Identifier (GUID) unique to the device.
Event Id                 Internal identifier (Integer) used to identify the type of elevation described in the event.
Event Name               Internal name (String) used to identify the type of elevation described in the event.
Time Created             Time the event was generated on the device.
Publisher                File metadata (String) of the file that completed the elevation.
File Version             File metadata (String) of the file that completed the elevation.
Account Type             Type of account (local or organizational) that completed the elevation.
Error Code               Exit code of the elevation operation (Success/Failure).
Parent Process Id        Process Id of the parent process that facilitates the elevation.
Policy Type              Type of policy that facilitated the elevation (if applicable).
Policy Identifier        Identifier (GUID) unique to the policy that facilitated the elevation.
Policy Version           Version of the policy that facilitated the elevation.
Elevation Type           Type of elevation that was facilitated.
Operation Type           Type of policy application, used for policy application operations.
Cancellation Action Type Type of cancellation generated by the Administrator.

Next steps
Learn about Endpoint Privilege Management
Guidance for creating Elevation Rules
Configure policies for Endpoint Privilege Management
Reports for Endpoint Privilege Management
Deployment Considerations and frequently asked questions for Endpoint Privilege Management
Article • 07/11/2023

Note

This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.

Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users
to run as a standard user (without administrator rights) and complete tasks that require
elevated privileges.

Tasks that commonly require administrative privileges are application installs (like
Microsoft 365 Applications), updating device drivers, and running certain Windows
diagnostics.

Endpoint Privilege Management supports your zero-trust journey by helping your
organization achieve a broad user base running with least privilege, while allowing users
to still run tasks allowed by your organization to remain productive.

The following sections of this article discuss deployment considerations and frequently
asked questions for EPM.

Applies to:

Windows 10
Windows 11

Deployment considerations for Endpoint Privilege Management

Authoring rules with file name as the sole identifying attribute
File name is an attribute that can be used to detect an application that needs to be
elevated. However, the file name is not protected by the file's signature: renaming a
signed file does not invalidate its signature. File names are highly susceptible to
change, and a different file that is signed by a certificate you trust could be renamed
to match the rule and subsequently elevated, which may not be your intended behavior.

Important

Always ensure that rules including a file name also include other attributes that
provide a strong assertion of the file's identity. Attributes like the file hash, or
properties that are covered by the file's signature, are good indicators that the file
you intend is the one being elevated.
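The following Python is an added example (not EPM code, and not how EPM evaluates rules internally) that makes the risk above concrete: two different binaries from the same trusted publisher are represented by constructed byte strings, and one is renamed to match a file-name-plus-publisher rule. The file hash and the signer recorded in the signature survive the rename, the name does not, so only the rule that also pins the hash distinguishes the intended file. The publisher string and the "binaries" are constructed stand-ins; real attributes come from the PE file and its Authenticode signature.

```python
"""Demonstrates why a file-name-only rule is weak: renaming a binary changes
neither its hash nor its signer, so a name + publisher rule will also elevate
any other binary from that publisher once it is renamed. Added example; the
file contents and publisher below are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ObservedFile:
    file_name: str   # name on disk; not covered by the signature
    publisher: str   # signer subject; assumed to come from an already validated signature
    sha256: str      # hash of the file content


@dataclass(frozen=True)
class ElevationRule:
    file_name: Optional[str] = None
    publisher: Optional[str] = None
    sha256: Optional[str] = None


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def observe(file_name: str, publisher: str, content: bytes) -> ObservedFile:
    """Build the attribute set a rule would be evaluated against."""
    return ObservedFile(file_name, publisher, sha256_hex(content))


def rule_matches(rule: ElevationRule, f: ObservedFile) -> bool:
    """Every attribute the rule defines must match; undefined attributes are wildcards."""
    pairs = ((rule.file_name, f.file_name), (rule.publisher, f.publisher), (rule.sha256, f.sha256))
    return all(want is None or want.lower() == have.lower() for want, have in pairs)


# Constructed sample content standing in for two different Contoso-signed executables.
DIAG_TOOL = b"MZ\x90\x00constructed: contoso diagnostic tool build 1.2"
OTHER_TOOL = b"MZ\x90\x00constructed: contoso remote shell helper build 0.9"
PUBLISHER = "CN=Contoso Ltd, O=Contoso Ltd, L=Redmond, S=Washington, C=US"  # constructed

intended = observe("diagtool.exe", PUBLISHER, DIAG_TOOL)
renamed = observe("diagtool.exe", PUBLISHER, OTHER_TOOL)   # other binary renamed to match

name_and_publisher = ElevationRule(file_name="diagtool.exe", publisher=PUBLISHER)
name_and_hash = ElevationRule(file_name="diagtool.exe", publisher=PUBLISHER,
                              sha256=intended.sha256)


def weak_rule_elevates_renamed_file() -> bool:
    """The name + publisher rule cannot tell the renamed binary apart."""
    return rule_matches(name_and_publisher, renamed)


def strong_rule_elevates_renamed_file() -> bool:
    """Pinning the hash rejects the renamed binary."""
    return rule_matches(name_and_hash, renamed)


if __name__ == "__main__":
    print("name+publisher elevates renamed file:", weak_rule_elevates_renamed_file())
    print("name+hash elevates renamed file:     ", strong_rule_elevates_renamed_file())
```

A hash rule has to be updated with every build of the application; where that is impractical, combine the file name with signature-covered attributes such as product name, internal name and a minimum version rather than name plus publisher alone.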

Elevation settings policies may show conflict if changed in quick succession
Endpoint Privilege Management reports the status of individual settings applied using the
Elevation Settings profile. If settings in this profile (Default elevation behavior, for
instance) are changed multiple times in quick succession, the device may report a
conflict or fall back to the default behavior of denying the elevation. This is a
transient state and resolves without further action (in less than 60 minutes). This issue
will be fixed in a future release.

Blocked files downloaded from the internet fail to elevate
Windows sets an attribute (the Mark of the Web, stored in the Zone.Identifier
alternate data stream) on files that are downloaded directly from the internet and
prevents them from executing until they are validated. Windows has functionality to
validate the reputation of files downloaded from the internet. When a file's reputation
isn't validated, it might fail to elevate. To correct this behavior, unblock the file from
its Properties pane. Unblocking a file should only be done when you trust the file.

Windows devices that are "workplace joined" fail to enable Endpoint Privilege Management
Devices that are workplace joined are not supported by Endpoint Privilege
Management. These devices will not show success or process EPM policies (elevation
settings or elevation rules) when the policies are deployed to the device.

Rules for a network file might fail to elevate
Endpoint Privilege Management supports executing files that are locally stored on disk.
Executing files from a network location, such as a network share or mapped drive, is not
supported.

Endpoint Privilege Management doesn't receive policy when I use 'SSL inspection' on my network infrastructure
Endpoint Privilege Management doesn't support SSL inspection, which is known as
'break and inspect'. In order to use Endpoint Privilege Management, ensure the URLs
listed in the Intune Endpoints for Endpoint Privilege Management are exempt from
inspection.

Frequently asked questions

Why is my virtual device not onboarding to Endpoint Privilege Management?
Currently virtual desktop infrastructure (VDI) is not supported by Endpoint Privilege
Management (including Windows 365 and Azure Virtual Desktop). This issue will be
fixed in a future release.

Why is my elevation settings policy showing error/not applicable?
The elevation settings policy controls the enablement of EPM and the configuration of
the client-side components. When this policy is in error or shows not applicable, it
indicates the device had an issue enabling EPM. The two most common reasons are
missing the required Windows updates or failure to communicate with the required Intune
Endpoints for Endpoint Privilege Management.

What happens when someone with administrative privileges uses a device that is enabled for EPM?
Endpoint Privilege Management doesn't manage elevation requests by users that have
administrative permissions on a device. There might be instances where an
administrator launches a file that has an elevation rule (specifically an automatic
elevation rule) that's defined on the device. This application launches as it normally does
for the administrator.

What files can be elevated to administrator?
Endpoint Privilege Management supports executable files. Microsoft is currently working
on extending support for other file types (MSI, etc.) and providing an easy method to
elevate common operating system tasks.

Why doesn't 'Run with elevated access' show on start menu items?
Certain items that reside in the start menu or taskbar have a curated right-click menu,
and the EPM right-click context menu can't be added to those menus. We plan to
fix this issue in a future release.

Can I launch multiple files as elevated with the 'Run with elevated access' right-click context menu?
Only one file can be elevated at a time. To launch multiple files elevated, right-click each
file individually and select Run with elevated access.

Next steps
Learn about Endpoint Privilege Management
Guidance for creating Elevation Rules
Configure policies for Endpoint Privilege Management
Reports for Endpoint Privilege Management
Data collection and privacy for Endpoint Privilege Management
Microsoft Tunnel for Microsoft Intune
Article • 02/22/2023

Microsoft Tunnel is a VPN gateway solution for Microsoft Intune that runs in a container
on Linux and allows access to on-premises resources from iOS/iPadOS and Android
Enterprise devices using modern authentication and Conditional Access.

This article introduces the tunnel, how it works, and its architecture.

If you're ready to deploy the Microsoft Tunnel, see Prerequisites for the Microsoft
Tunnel, and then Configure the Microsoft Tunnel.

Note

Microsoft Tunnel does not use Federal Information Processing Standard (FIPS)
compliant algorithms.

Tip

Download the Microsoft Tunnel Deployment Guide v2 from the Microsoft
Download Center.

Overview of Microsoft Tunnel

Microsoft Tunnel Gateway installs onto a container that runs on a Linux server. The Linux
server can be a physical box in your on-premises environment or a virtual machine that
runs on-premises or in the cloud. You'll deploy Microsoft Defender for Endpoint as the
Microsoft Tunnel client app, and Intune VPN profiles, to your iOS and Android devices to
enable them to use the tunnel to connect to corporate resources. When the tunnel is
hosted in the cloud, you'll need to use a solution like Azure ExpressRoute to extend your
on-premises network to the cloud.

Through the Microsoft Intune admin center, you’ll:

Download the Microsoft Tunnel installation script that you’ll run on the Linux
servers.
Configure aspects of Microsoft Tunnel Gateway like IP addresses, DNS servers, and
ports.
Deploy VPN profiles to devices to direct them to use the tunnel.
Deploy the Microsoft Tunnel client apps to your devices.
Through the Defender for Endpoint app, iOS/iPadOS and Android Enterprise devices:

Use Azure Active Directory (Azure AD) to authenticate to the tunnel.
Use Active Directory Federation Services (AD FS) to authenticate to the tunnel.
Are evaluated against your Conditional Access policies. If the device isn't
compliant, then it won't have access to your VPN server or your on-premises
network.

You can install multiple Linux servers to support Microsoft Tunnel, and combine servers
into logical groups called Sites. Each server can join a single Site. When you configure a
Site, you’re defining a connection point for devices to use when they access the tunnel.
Sites require a Server configuration that you’ll define and assign to the Site. The Server
configuration is applied to each server you add to that Site, simplifying the
configuration of more servers.

To direct devices to use the tunnel, you create and deploy a VPN policy for Microsoft
Tunnel. This policy is a device configuration VPN profile that uses Microsoft Tunnel for
its connection type.

Important

Prior to support for using Microsoft Defender for Endpoint as the tunnel client app
on Android and iOS devices, a standalone tunnel client app was available in
preview and used a connection type of Microsoft Tunnel (standalone client)
(preview).

For Android:

As of June 14 2021, both the standalone tunnel app and standalone client
connection type are deprecated and drop from support after January 31,
2022.

For iOS/iPadOS:

On April 29, 2022 both the Microsoft Tunnel connection type and Microsoft
Defender for Endpoint as the tunnel client app became generally available.
With this general availability, the use of the Microsoft Tunnel (standalone
client)(preview) connection type and the standalone tunnel client app are
deprecated and soon will drop from support.
On July 29, 2022, the standalone tunnel client app will no longer be
available for download. Only the generally available version of Microsoft
Defender for Endpoint will be available as the tunnel client app.
On August 1, 2022, the Microsoft Tunnel (standalone client) (preview)
connection type will cease to connect to Microsoft Tunnel.

To avoid a disruption in service for Microsoft Tunnel, plan to migrate your use
of the deprecated tunnel client app and connection type to those that are
now generally available.

Features of the VPN profiles for the tunnel include:

A friendly name for the VPN connection that your end users will see.
The site that the VPN client connects to.
Per-app VPN configurations that define which apps the VPN profile is used for, and
if it's always-on or not. When always-on, the VPN will automatically connect and is
used only for the apps you define. If no apps are defined, the always-on
connection provides tunnel access for all network traffic from the device.
For iOS devices that have the Tunnel client app configured to support per-app
VPNs and TunnelOnly mode set to True, users don’t need to open or sign-in to
Microsoft Defender on their device for the Tunnel to be used. Instead, with the
user signed-in to the Company Portal on the device or to any other app that uses
multi-factor authentication that has a valid token for access, the Tunnel per-app
VPN is used automatically. TunnelOnly mode is supported for iOS/iPadOS, and
disables the Defender functionality, leaving only the Tunnel capabilities.
Manual connections to the tunnel when a user launches the VPN and selects
Connect.
On-demand VPN rules that allow use of the VPN when conditions are met for
specific FQDNs or IP addresses. (iOS/iPadOS)
Proxy support (iOS/iPadOS, Android 10+)

Server configurations include:

IP address range – The IP addresses that are assigned to devices that connect to a
Microsoft Tunnel.
DNS servers – The DNS server devices should use when they connect to the server.
DNS suffix search.
Split tunneling rules – Up to 500 rules shared across include and exclude routes.
For example, if you create 300 include rules, you can then have up to 200 exclude
rules.
Port – The port that Microsoft Tunnel Gateway listens on.

Site configuration includes:

A public IP address or FQDN, which is the connection point for devices that use the
tunnel. This address can be for an individual server or the IP or FQDN of a load-
balancing server.
The Server configuration that is applied to each server in the Site.

You assign a server to a Site at the time you install the tunnel software on the Linux
server. The installation uses a script that you can download from within the admin
center. After starting the script, you’ll be prompted to configure its operation for your
environment, which includes specifying the Site the server will join.

To use the Microsoft Tunnel, devices will need to install the Microsoft Defender for
Endpoint app. You get the applicable app from the iOS/iPadOS or Android app stores
and deploy it to users.

Architecture
The Microsoft Tunnel Gateway runs in containers that run on Linux servers.

Components:

A – Microsoft Intune.
B – Azure Active Directory (Azure AD).
C – Linux server with Podman or Docker CE (See the Linux server requirements for
details about which versions require Podman or Docker)
C.1 – Microsoft Tunnel Gateway.
C.2 – Management Agent.
C.3 – Authentication plugin – Authorization plugin, which authenticates with
Azure AD.
D – Public facing IP or FQDN of the Microsoft Tunnel, which can represent a load
balancer.
E – Mobile Device Management (MDM) enrolled device or an unenrolled mobile
device using Tunnel for Mobile Application Management.
F – Firewall
G – Internal Proxy Server (optional).
H – Corporate Network.
I – Public internet.

Actions:

1 - Intune administrator configures Server configurations and Sites. Server
configurations are associated with Sites.
2 - Intune administrator installs Microsoft Tunnel Gateway and the authentication
plugin authenticates Microsoft Tunnel Gateway with Azure AD. Microsoft Tunnel
Gateway server is assigned to a site.
3 - Management Agent communicates to Intune to retrieve your server
configuration policies, and to send telemetry logs to Intune.
4 - Intune administrator creates and deploys VPN profiles and the Defender app to
devices.
5 - Device authenticates to Azure AD. Conditional Access policies are evaluated.
6 - With split tunnel:
6.a - Some traffic goes directly to the public internet.
6.b - Some traffic goes to your public facing IP address for the Tunnel. The VPN
channel will use TCP, TLS, UDP, and DTLS over port 443. This requires inbound
and outbound firewall ports to be open.
7 - The Tunnel routes traffic to your internal proxy (optional) and/or your
corporate network. IT Admins must ensure that traffic from the Tunnel Gateway
server internal interface can successfully route to internal corporate resources (IP
address ranges and ports).

Note

Tunnel Gateway maintains two channels with the client. A control channel is
established over TCP and TLS. This also serves as a backup data channel. It
then looks to establish a UDP channel using DTLS (Datagram TLS, an
implementation of TLS over UDP) that serves as the main data channel. If the
UDP channel fails to establish or is temporarily unavailable, the backup
channel over TCP/TLS is used. By default port 443 is used for both TCP and
UDP, but this can be customized via the Intune Server Configuration - Server
port setting. If changing the default port (443), ensure your inbound firewall
rules are adjusted to the custom port.

The assigned client IP addresses (the IP address range setting in a Server
configuration for Tunnel) are not visible to other devices on the network.
Microsoft Tunnel Gateway uses port address translation (PAT). PAT is a type of
network address translation (NAT) where multiple private IP addresses from
the Server configuration are mapped into a single IP (many-to-one) by using
ports. Client traffic will have the source IP address of the Linux server host.

Break and inspect:

Many enterprise networks enforce network security for internet traffic using
technologies like proxy servers, firewalls, SSL break and inspect, deep packet inspection,
and data loss prevention systems. These technologies provide important risk mitigation
for generic internet requests but can dramatically reduce performance, scalability, and
the quality of end user experience when applied to Microsoft Tunnel Gateway and
Intune service endpoints.

The following outlines where break and inspect isn't supported. References are to the
architecture diagram from the preceding section.

Break and inspect is not supported in the following areas:

Tunnel Gateway doesn't support SSL break and inspect, TLS break and inspect,
or deep packet inspection for client connections.
The use of firewalls, proxies, load balancers, or any technology that terminates
and inspects the client sessions that go into the Tunnel Gateway isn't supported
and will cause client connections to fail. (Refer to F, D, and C in the Architecture
diagram.)
If Tunnel Gateway uses an outbound proxy for internet access, the proxy server
can't perform break and inspect. This is because the Tunnel Gateway Management
Agent uses TLS mutual authentication when connecting to Intune (refer to 3 in
the Architecture diagram above); a proxy that terminates the TLS session can't
present the agent's client certificate. If break and inspect is enabled on the proxy
server, network admins that manage the proxy server must add the Tunnel
Gateway server IP address and Fully Qualified Domain Name (FQDN) to an
exemption list for these Intune endpoints.

Additional details:
Conditional Access is done in the VPN client and based on the cloud app Microsoft
Tunnel Gateway. Non-compliant devices won’t receive an access token from Azure
AD and can't access the VPN server. For more information about using Conditional
Access with Microsoft Tunnel, see Use Conditional Access with the Microsoft
Tunnel.

The Management Agent is authorized against Azure AD using Azure app ID/secret
keys.

Next steps
Prerequisites for the Microsoft Tunnel in Intune
Prerequisites for the Microsoft Tunnel in Intune
Article • 07/17/2023

Before you can install the Microsoft Tunnel VPN gateway for Microsoft Intune, you must
configure prerequisites. Prerequisites include use of a Linux server that runs containers
to host the Tunnel server software. You'll also need to configure your network, firewalls,
and proxies to support communications for the Microsoft Tunnel.

At a high level, you'll need the following to use the Microsoft Tunnel:

An Azure subscription.
A Microsoft Intune Plan 1 subscription
A Linux server that runs containers. This server can be on-premises or in the cloud:
Podman for Red Hat Enterprise Linux (RHEL) (See the Linux server requirements.)
Docker for all other Linux distributions
A Transport Layer Security (TLS) certificate for the Linux server to secure
connections from devices to the Tunnel Gateway server.
Devices that run Android or iOS/iPadOS.

Prerequisites you'll configure include preparing your network, firewalls, and proxy to
support the use of the Microsoft Tunnel.

After configuring prerequisites, we recommend you then run the readiness tool to help
validate that your environment is well configured for a successful installation.

The following sections detail the prerequisites for the Microsoft Tunnel, and provide
guidance on using the readiness tool.

Linux server
Set up a Linux based virtual machine or a physical server on which Microsoft Tunnel
Gateway will install.

Note

Only the operating systems and container versions that are listed in the following
table are supported. Versions not listed are not supported. Only after testing and
supportability are verified are newer versions added to this list.

Supported Linux distributions: The following table details which versions of Linux
are supported for the Tunnel server, and the container runtime they require:

Distribution            Container requirements             Considerations
CentOS 7.4+             Docker CE                          CentOS 8+ isn't supported.
Red Hat (RHEL) 7.4+     Docker CE
Red Hat (RHEL) 8.4      Podman 3.0
Red Hat (RHEL) 8.5      Podman 3.0                         See note 1.
Red Hat (RHEL) 8.6      Podman 4.0 (default), Podman 3.0   See notes 1 and 2.
Red Hat (RHEL) 8.7      Podman 4.2 (default)               See notes 1 and 2.
Red Hat (RHEL) 8.8      Podman 4.4.1                       See notes 1 and 2.
Red Hat (RHEL) 9.0      Podman 4.4.1 (default)             See notes 1 and 2.
Red Hat (RHEL) 9.1      Podman 4.4.1 (default)             See notes 1 and 2.
Red Hat (RHEL) 9.2      Podman 4.4.1 (default)             See notes 1 and 2.
Ubuntu 18.04            Docker CE                          Support ends April 2023. See the following note for more information.
Ubuntu 20.04            Docker CE
Ubuntu 22.04            Docker CE

Note 1: This version of RHEL doesn't automatically load the ip_tables module into the
Linux kernel. When you use this version, plan to manually load ip_tables before
Tunnel is installed.

Note 2: Containers created by Podman v3 and earlier are not usable with Podman v4.0
and later. If upgrading and changing containers from v3 to v4, plan to create new
containers and to uninstall and then reinstall Microsoft Tunnel.

Important

In April of 2023, Ubuntu will end support for Ubuntu 18.04. With the end of
support by Ubuntu, Intune will also end support for Ubuntu 18.04 for use with
Microsoft Tunnel. For more information, see
https://wiki.ubuntu.com/Releases .

Size the Linux server: Use the following guidance to meet your expected use:

# Devices   # CPUs   Memory GB   # Servers   # Sites   Disk Space GB
1,000       4        4           1           1         30
2,000       4        4           1           1         30
5,000       8        8           2           1         30
10,000      8        8           3           1         30
20,000      8        8           4           1         30
40,000      8        8           8           1         30

Support scales linearly. While each Microsoft Tunnel supports up to 64,000
concurrent connections, individual devices can open multiple connections.

CPU: 64-bit AMD/Intel processor.

Install Docker CE or Podman: Depending on the version of Linux you use for your
Tunnel server, you'll need to install one of the following on the Linux server:
Docker version 19.03 CE or later
The Podman version listed for your RHEL release in the preceding table

Microsoft Tunnel requires Docker or Podman on the Linux server to provide
support for containers. Containers provide a consistent execution environment,
health monitoring and proactive remediation, and a clean upgrade experience.

For information about installing and configuring Docker or Podman, see:

Install Docker Engine on CentOS or Red Hat Enterprise Linux 7

Note

The preceding link directs you to the CentOS download and installation
instructions. Use those same instructions for RHEL 7.4. The version installed
on RHEL 7.4 by default is too old to support Microsoft Tunnel Gateway.

Install Docker Engine on Ubuntu

Install Podman on Red Hat Enterprise Linux 8.4 and later (scroll down to
RHEL8)
These versions of RHEL don't support Docker. Instead, these versions use
Podman, and Podman is part of a module called "container-tools". In this
context, a module is a set of RPM packages that represent a component and
that usually install together. A typical module contains packages with an
application, packages with the application-specific dependency libraries,
packages with documentation for the application, and packages with helper
utilities. For more information, see Introduction to modules in the Red Hat
documentation.

Transport Layer Security (TLS) certificate: The Linux server requires a trusted TLS
certificate to secure the connection between devices and the Tunnel Gateway
server. You'll add the TLS certificate, including the full trusted certificate chain, to
the server during installation of the Tunnel Gateway.

The Subject Alternative Name (SAN) of the TLS certificate you use to secure the
Tunnel Gateway endpoint must match the IP address or FQDN of the Tunnel
Gateway server, which is the public IP address or FQDN you later specify for the
Site.

The TLS certificate's validity period can't be longer than two years. If it's longer
than two years, iOS devices won't accept the certificate.

Use of wildcards has limited support. For example, *.contoso.com is supported;
cont*.com isn't supported.

During installation of the Tunnel Gateway server, you must copy the entire
trusted certificate chain to your Linux server. The installation script provides the
location where you copy the certificate files and prompts you to do so.

If you use a TLS certificate that's not publicly trusted, you must push the entire
trust chain to devices using an Intune Trusted certificate profile.

The TLS certificate can be in PEM or PFX format.

TLS version: By default, connections between Microsoft Tunnel clients and servers
use TLS 1.3. When TLS 1.3 isn't available, the connection can fall back to TLS 1.2.
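The following script is an added example, not part of the Intune documentation, that checks a certificate against the three requirements above before you hand it to the installer: a SAN entry that covers the Tunnel Gateway's public FQDN (exactly, or through a single-label wildcard such as *.contoso.com), a validity period of at most two years, and a leaf that verifies against the chain file. It assumes the certificate and chain are PEM files, that openssl 1.1.1 or later is installed (for the -ext option), and that GNU date is available; the file names and the contoso.com names are placeholders. Usage: check_tunnel_cert site.pem tunnel.contoso.com chain.pem

```shell
#!/bin/sh
# Added example: pre-install checks for the Tunnel Gateway TLS certificate.
# Assumes PEM input, openssl >= 1.1.1 (for -ext) and GNU date.

# Print each DNS and IP SAN entry of a PEM certificate, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' \
    | sed -n -e 's/^[[:space:]]*DNS://p' -e 's/^[[:space:]]*IP Address://p'
}

# 0 when SAN entry $1 covers name $2. A wildcard is honoured only as a single
# leading label (*.contoso.com covers vpn.contoso.com, not a.b.contoso.com),
# which is the "limited support" the docs describe.
san_matches() {
  [ "$1" = "$2" ] && return 0
  case $1 in
    \*.*)
      suffix=${1#\*.}
      first=${2%%.*}
      [ -n "$first" ] && [ "$2" = "${first}.${suffix}" ] && return 0 ;;
  esac
  return 1
}

# Reads SAN entries on stdin; 0 when any of them covers $1.
san_covers() {
  while read -r san; do
    san_matches "$san" "$1" && return 0
  done
  return 1
}

# 0 when notAfter - notBefore is at most two years (730 days).
cert_validity_ok() {
  nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
  na=$(openssl x509 -in "$1" -noout -enddate   | sed 's/^notAfter=//')
  start=$(date -d "$nb" +%s) && end=$(date -d "$na" +%s) || return 1
  [ $(( (end - start) / 86400 )) -le 730 ]
}

# 0 when the leaf verifies against the chain file (intermediates and root).
cert_chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_tunnel_cert LEAF.pem FQDN [CHAIN.pem]: prints each failure and returns
# 0 only when every check passes.
check_tunnel_cert() {
  leaf=$1; fqdn=$2; chain=$3; rc=0
  if ! cert_sans "$leaf" | san_covers "$fqdn"; then
    echo "FAIL: no SAN entry covers $fqdn"; rc=1
  fi
  if ! cert_validity_ok "$leaf"; then
    echo "FAIL: validity period exceeds two years (iOS will reject it)"; rc=1
  fi
  if [ -n "$chain" ] && ! cert_chain_ok "$leaf" "$chain"; then
    echo "FAIL: $leaf does not verify against chain $chain"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $leaf is usable for $fqdn"
  return "$rc"
}
```

A certificate that fails the SAN check will still install, but devices will refuse the connection, so run this before mstunnel-setup rather than after. Because the chain check uses the system trust store for the root, a privately issued certificate passes only if its root is installed on the server; that is the same root you then have to push to devices with a Trusted certificate profile.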

Default bridge network

Both Podman and Docker containers use a bridge network to forward traffic through the
Linux host. When the container bridge network conflicts with a corporate network,
Tunnel Gateway can't successfully route traffic to that corporate network.

The default bridge networks are:

Docker: 172.17.0.0/16
Podman: 10.88.0.0/16

To avoid conflicts, you can reconfigure both Podman and Docker to use a bridge
network that you specify.

Important

The Tunnel Gateway server must be installed before you can change the bridge
network configuration.

Change the default bridge network used by Docker

Docker uses the file /etc/docker/daemon.json to configure a new default bridge IP
address. In the file, the bridge IP address must be specified in CIDR (Classless
Inter-Domain Routing) notation, a compact way to represent an IP address along with
its associated subnet mask and routing prefix.

Important

The IP address that's used in the following steps is an example. Be sure the IP
address you use doesn't conflict with your corporate network.

1. Use the following command to stop the Microsoft Tunnel Gateway containers:
sudo mst-cli server stop ; sudo mst-cli agent stop

2. Next, run the following command to remove the existing Docker bridge device:
sudo ip link del docker0

3. If the file /etc/docker/daemon.json is present on your server, use a file editor like
vi or nano to modify the file. Run the file editor with root or sudo permissions:

When the "bip": entry is present with an IP address, replace that address with the
new IP address in CIDR notation.
When the "bip": entry isn't present, add both the "bip": key and the new IP
address in CIDR notation, keeping any other settings the file already contains.

The following example shows the structure of a daemon.json file with an updated
"bip": entry that uses a modified IP address of "192.168.128.1/24".

Example of daemon.json:

{
"bip": "192.168.128.1/24"
}

4. If the file /etc/docker/daemon.json isn't present on your server, run a command
similar to the following example to create the file and define the bridge IP that you
want to use. The redirection in sudo echo '...' > file is performed by your own,
unprivileged shell rather than by sudo and fails with "Permission denied", so pipe the
text through sudo tee instead.

Example: echo '{ "bip":"192.168.128.1/24" }' | sudo tee /etc/docker/daemon.json

5. Docker reads daemon.json only when the daemon starts, so restart it before you
start the Tunnel containers: sudo systemctl restart docker. Docker re-creates
docker0 with the new address.

6. Use the following command to start the Microsoft Tunnel Gateway containers:
sudo mst-cli agent start ; sudo mst-cli server start

For more information, see Use bridge networks in the Docker documentation.

Change the default bridge network used by Podman

Podman uses the file /etc/cni/net.d/87-podman-bridge.conflist to configure a new
default bridge IP address.

1. Use the following command to stop the Microsoft Tunnel Gateway containers:
sudo mst-cli server stop ; sudo mst-cli agent stop

2. Next, run the following command to remove the existing Podman bridge device:
sudo ip link del cni-podman0

3. Using root permissions and a file editor like vi or nano, modify
/etc/cni/net.d/87-podman-bridge.conflist to update the defaults for "subnet" and
"gateway" by replacing the Podman default values with your desired subnet and
gateway addresses. The subnet address must be specified in CIDR notation, and the
gateway address must lie inside that subnet.

The Podman defaults are:

subnet: 10.88.0.0/16
gateway: 10.88.0.1

4. Use the following command to restart the Microsoft Tunnel Gateway containers:
sudo mst-cli agent start ; sudo mst-cli server start

For more information, see Configuring container networking with Podman in the Red
Hat documentation.
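Both procedures above hinge on choosing a bridge range that doesn't overlap any network Tunnel must route to, and the Docker steps carry a second pitfall: a daemon.json that already holds other settings must not be overwritten. The following script is an added example, not from the Intune documentation, that does the overlap check in plain POSIX sh arithmetic (no jq or ipcalc needed), writes or updates only the "bip" key, and wraps the documented stop, delete and restart sequence in one command. The corporate ranges, the 192.168.128.1/24 candidate, and the DAEMON_JSON override used by the tests are assumptions; mst-cli is the Tunnel command the page itself uses, and the Docker daemon restart is the standard way to make Docker re-read daemon.json.

```shell
#!/bin/sh
# Added example: choose and apply a non-conflicting Docker bridge range.
# IPv4 only. Ranges must be written as CIDR (a single host is 10.0.0.5/32).

# Dotted quad -> integer, e.g. 10.88.0.1 -> 173539329.
ip2int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Netmask for a prefix length as an integer (prefix 0 -> 0).
prefix_mask() {
  [ "$1" -gt 0 ] || { echo 0; return; }
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# 0 (true) when two CIDR blocks share any address. Two blocks overlap exactly
# when their network addresses agree under the shorter of the two prefixes.
cidr_overlaps() {
  n1=$(ip2int "${1%/*}"); p1=${1#*/}
  n2=$(ip2int "${2%/*}"); p2=${2#*/}
  p=$p1; [ "$p2" -lt "$p" ] && p=$p2
  m=$(prefix_mask "$p")
  [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# set_docker_bip BIP CORP_RANGE...: refuse BIP if it overlaps any corporate
# range, otherwise write it as the only change to daemon.json. DAEMON_JSON may
# override the path (used by the tests; leave it unset on a real host).
set_docker_bip() {
  bip=$1; shift
  for corp in "$@"; do
    if cidr_overlaps "$bip" "$corp"; then
      echo "refusing $bip: overlaps corporate range $corp" >&2
      return 1
    fi
  done
  json=${DAEMON_JSON:-/etc/docker/daemon.json}
  if [ ! -e "$json" ]; then
    printf '{\n  "bip": "%s"\n}\n' "$bip" > "$json"
  elif grep -q '"bip"' "$json"; then
    sed 's|"bip"[[:space:]]*:[[:space:]]*"[^"]*"|"bip": "'"$bip"'"|' "$json" > "$json.tmp" \
      && mv "$json.tmp" "$json"
  else
    echo "$json exists without a \"bip\" key; add \"bip\": \"$bip\" to it by hand" >&2
    return 1
  fi
  echo "bip=$bip written to $json"
}

# The documented sequence as one command for the Tunnel host (run as root).
# Docker reads daemon.json only at daemon start, hence the systemctl restart,
# which also re-creates docker0 with the new address.
change_docker_bridge() {
  set_docker_bip "$@" || return 1
  mst-cli server stop; mst-cli agent stop
  ip link del docker0 2>/dev/null || true
  systemctl restart docker
  mst-cli agent start; mst-cli server start
}
```

Example call: change_docker_bridge 192.168.128.1/24 10.0.0.0/8 172.16.0.0/12 refuses the Docker default 172.17.0.0/16 if you pass 172.16.0.0/12 as one of your ranges, which is exactly the conflict the section describes. Pass every range the Tunnel must reach, including the ones you will later configure as split-tunneling includes. The same cidr_overlaps check applies to the client IP address range you pick in the Server configuration, which the docs also require not to overlap an on-premises range.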

Network

Enable packet forwarding for IPv4: Each Linux server that hosts the Tunnel server
software must have IP forwarding for IPv4 enabled. To check the status of IP
forwarding, on the server run one of the following generic commands as root or
sudo. Both commands return a value of 0 for disabled and a value of 1 for enabled:

sysctl net.ipv4.ip_forward
cat /proc/sys/net/ipv4/ip_forward

If it isn't enabled, you can temporarily enable IP forwarding by running one of the
following generic commands as root or sudo on the server. These commands change
the IP forwarding configuration only until the server restarts. After a restart, the
server returns IP forwarding to its previous state. For both commands, use a value
of 1 to enable forwarding; a value of 0 disables forwarding. The following command
examples use a value of 1 to enable forwarding:

sysctl -w net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/ipv4/ip_forward

To make IP forwarding permanent, on each Linux server edit the /etc/sysctl.conf
file and remove the leading hashtag (#) from #net.ipv4.ip_forward=1 to enable
packet forwarding. After your edit, the entry should appear as follows:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

For this change to take effect, you must either reboot the server or run sysctl -p .

If the expected entry isn't present in the sysctl.conf file, consult the documentation
for the distribution you use for how to enable IP forwarding. Typically, you can edit
sysctl.conf to add the missing line at the end of the file to permanently enable IP
forwarding. Distributions that apply /etc/sysctl.d/*.conf at boot accept the same line
in a drop-in file there; because a later file can override an earlier one, confirm the
effective value with sysctl net.ipv4.ip_forward after a reboot.

Configure multiple NICs per server (Optional): We recommend using two Network
Interface Controllers (NICs) per Linux server to improve performance, though use of
two is optional.

NIC 1 - This NIC handles traffic from your managed devices and should be on a
public network with a public IP address. This IP address is the address that you
configure in the Site configuration. This address can represent a single server or
a load balancer.

NIC 2 - This NIC handles traffic to your on-premises resources and should be on
your private internal network without network segmentation.

Ensure cloud-based Linux VMs can access your on-premises network: If you run
Linux as a VM in a cloud, ensure the server can access your on-premises network.
For example, for a VM in Azure, you can use Azure ExpressRoute or something
similar to provide access. Azure ExpressRoute isn't necessary when you run the
server in a VM on-premises.

Load balancers (Optional): If you choose to add a load balancer, consult your
vendor's documentation for configuration details. Take into consideration network
traffic and firewall ports specific to Intune and the Microsoft Tunnel.

The Tunnel server responds to GET requests with a static page. The response is
used as a probe by load balancers as a way to check the liveness of the Tunnel
server. The response is static and doesn't contain sensitive information.

Per-app VPN and top-level domain support - Per-app VPN use with internal use
of local top-level domains isn't supported by Microsoft Tunnel.

Firewall

By default, the Microsoft Tunnel and server use the following ports:

Inbound ports:

TCP 443 – Required by Microsoft Tunnel.
UDP 443 – Required by Microsoft Tunnel.
TCP 22 – Optional. Used for SSH/SCP to the Linux server. If you open it, limit it to
your administrative addresses rather than to the internet.

Outbound ports:

TCP 443 – Required to access Intune services. Required by Docker or Podman to
pull images.

When creating the Server configuration for the tunnel, you can specify a different port
than the default of 443. If you specify a different port, configure firewalls to support
your configuration.

More requirements:

To access the security token service and Azure storage for logs, provide access to
the following FQDNs:
Security Token Service: *.sts.windows.net
Azure storage for tunnel logs: *.blob.core.windows.net
Additional storage endpoint URLs:
*.blob.storage.azure.net
The Tunnel shares the same requirements as Network endpoints for Microsoft
Intune, with the addition of port TCP 22, and graph.microsoft.com.

Configure firewall rules to support the configurations detailed in Microsoft Artifact
Registry (MAR) Client Firewall Rules Configuration .

Proxy

You can use a proxy server with Microsoft Tunnel.

Note

Proxy server configurations aren't supported with versions of Android prior to
version 10. For more information, see VpnService.Builder in the Android
developer documentation.

Note

Make sure your Android LOB applications support direct proxy or Proxy
Auto-Configuration (PAC) for both MDM and MAM.

Note

Known Issue: Users who are trying to sign in to Edge using their personal or
corporate accounts may face issues when a Proxy Auto-Configuration (PAC) is
configured. In this scenario, the sign-in process may fail, preventing the user from
accessing internal resources.

Workarounds: To resolve this issue, Microsoft Tunnel offers split tunneling as an
option. Split tunneling allows users to include only the routes that require a proxy
while excluding login servers and authentication paths from routing through the
Tunnel. This workaround ensures that the sign-in process isn't affected by the PAC
configuration, allowing the user to access internal resources and browse the
internet.

Direct proxy is also an option without split tunneling for sign-in to work in Edge
using corporate accounts. This involves configuring Microsoft Tunnel to use a direct
proxy instead of a PAC URL.

If no user sign-in is required in Edge, then PAC is supported for normal browsing and
accessing internal resources.

The following considerations can help you configure the Linux server and your
environment for success:

Configure an outbound proxy for Docker

If you use an internal proxy, you might need to configure the Linux host to use
your proxy server by using environment variables. To use the variables, edit the
/etc/environment file on the Linux server, and add the following lines:

http_proxy=[address]
https_proxy=[address]

Authenticated proxies aren't supported.

The proxy can't perform break and inspect, because the Linux server uses TLS
mutual authentication when connecting to Intune: an intercepting proxy terminates
the TLS session itself and can't present the server's client certificate to Intune.

Configure Docker to use the proxy to pull images. To do so, edit the
/etc/systemd/system/docker.service.d/http-proxy.conf file on the Linux server
and add the following lines:

[Service]
Environment="HTTP_PROXY=http://your.proxy:8080/"
Environment="HTTPS_PROXY=https://your.proxy:8080/"
Environment="NO_PROXY=127.0.0.1,localhost"

Because this file is a systemd drop-in, run sudo systemctl daemon-reload and then
sudo systemctl restart docker for the change to take effect.

Note

Microsoft Tunnel doesn't support Azure AD App Proxy, or similar proxy
solutions.

Configure an outbound proxy for Podman

The following details can help you configure an internal proxy when using Podman:

Authenticated proxies aren't supported.

The proxy can't perform break and inspect because the Linux server uses TLS
mutual authentication when connecting to Intune.

Podman reads HTTP proxy information stored in /etc/profile.d/http_proxy.sh. If
this file doesn't exist on your server, create it. Edit http_proxy.sh to add the
following two lines. In the following lines, 10.10.10.1:3128 is an example
address:port entry. When you add these lines, replace 10.10.10.1:3128 with the
values for your proxy IP address:port:

export HTTP_PROXY=http://10.10.10.1:3128
export HTTPS_PROXY=http://10.10.10.1:3128

If you have access to the Red Hat Customer Portal, you can view the knowledge base
article associated with this solution. See Setting up HTTP Proxy variables for
Podman - Red Hat Customer Portal .

When you add those two lines to http_proxy.sh before you install Microsoft Tunnel
Gateway by running mstunnel-setup, the script automatically configures the
Tunnel Gateway proxy environment variables in /etc/mstunnel/env.sh.

To configure a proxy after the Microsoft Tunnel Gateway setup has completed, do
the following actions:

1. Modify or create the file /etc/profile.d/http_proxy.sh and add the two lines
from the previous bullet point.

2. Edit /etc/mstunnel/env.sh and add the following two lines to the end of the file.
Like the previous lines, replace the example address:port value of
10.10.10.1:3128 with the values for your proxy IP address:port:

HTTP_PROXY=http://10.10.10.1:3128
HTTPS_PROXY=http://10.10.10.1:3128

3. Restart the Tunnel Gateway server: Run mst-cli server restart

Be aware that RHEL uses SELinux. Because a proxy that doesn't run on an SELinux
port labeled http_port_t can require extra configuration, check the SELinux
managed ports for http. Run the following command to view the configurations:
sudo semanage port -l | grep "http_port_t"

In the original article, a screenshot shows the output of this port check; in that
example the proxy uses port 3128, which isn't listed.

If your proxy runs on one of the SELinux ports for http_port_t, then you can
continue with the Tunnel Gateway install process.

If your proxy doesn't run on an SELinux port for http_port_t, as in the preceding
example, you'll need to make extra configurations.

If your proxy port isn't listed for http_port_t, check whether the proxy port is used by
another service. Use the semanage command to first check the port that your
proxy uses and then later, if needed, to change it. To check the port your proxy
uses, run: sudo semanage port -l | grep "your proxy port"

In the original article, a screenshot shows the output of this check.

In the example, the port we expect (3128) is used by squid, which happens to
be an OSS proxy service. Squid proxy SELinux policies are part of many
common distributions. Because squid uses port 3128 (our example port), we
must modify the http_port_t ports and add port 3128 to be allowed via
SELinux for the proxy used by Tunnel. To modify the port use, run the
following command: sudo semanage port -m -t http_port_t -p tcp "your
proxy port"

After running the command to change the port, run the following command
to check whether the port is used by another service: sudo semanage port -l | grep
"your proxy port"

In this example, port 3128 is now associated with both http_port_t and
squid_port_t. That result is expected. If your proxy port isn't listed when
running the sudo semanage port -l | grep "your_proxy_port" command, then
run the command to modify the port again, but replace the -m in the semanage
command with -a: sudo semanage port -a -t http_port_t -p tcp "your
proxy port"

The difference between the two is that semanage port -m modifies a port that the
policy already labels (here, squid's 3128), while -a adds a label for a port that has
none; -m on an unlabeled port fails, which is why the fallback to -a is needed.
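The steps above leave two things to the operator: deciding whether semanage needs -m or -a for the proxy port, and keeping http_proxy.sh and env.sh in step with each other. The following script is an added example, not part of the Intune documentation. Its decision function parses the text of semanage port -l, so it's exercised against constructed output that mirrors the squid case in the article rather than against a live SELinux policy. The proxy URL, the PROFILE_D and MST_ENV path overrides used for testing, and the refusal of user:password@ URLs (the article says authenticated proxies aren't supported) are assumptions of the example.

```shell
#!/bin/sh
# Added example: SELinux port-labelling decision plus proxy variable files for
# a Podman-based Tunnel Gateway host. Assumes an unauthenticated http:// proxy.

# Port from a proxy URL (http://10.10.10.1:3128 -> 3128; no port -> 80).
proxy_port() {
  hostport=${1#*://}; hostport=${hostport%%/*}
  case $hostport in
    *:*) echo "${hostport##*:}" ;;
    *)   echo 80 ;;
  esac
}

# Reads `semanage port -l` output on stdin and prints, for tcp port $1:
#   ok      already labelled http_port_t            -> nothing to do
#   modify  labelled with another type (e.g. squid) -> semanage port -m
#   add     not labelled at all                     -> semanage port -a
# Port lists look like "80, 81, 443" and may contain ranges like "5988-5999".
selinux_port_action() {
  want=$1; state=add
  while read -r type proto ports; do
    [ "$proto" = tcp ] || continue
    for entry in $(echo "$ports" | tr ',' ' '); do
      lo=${entry%-*}; hi=${entry#*-}
      if [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ]; then
        if [ "$type" = http_port_t ]; then state=ok
        elif [ "$state" != ok ]; then state=modify; fi
      fi
    done
  done
  echo "$state"
}

# Apply the decision on a real host (needs root and the semanage tool).
allow_proxy_port() {
  port=$1
  case $(semanage port -l | selinux_port_action "$port") in
    ok)     echo "tcp/$port is already http_port_t" ;;
    modify) semanage port -m -t http_port_t -p tcp "$port" ;;
    add)    semanage port -a -t http_port_t -p tcp "$port" ;;
  esac
}

# Write /etc/profile.d/http_proxy.sh (read by Podman and by mstunnel-setup)
# and, if the Tunnel is already installed, replace the proxy lines in
# /etc/mstunnel/env.sh without touching anything else in it. PROFILE_D and
# MST_ENV override the paths for testing; leave them unset on a real host.
write_proxy_env() {
  url=$1
  case $url in
    *@*)      echo "refusing $url: authenticated proxies aren't supported" >&2; return 1 ;;
    http://*) ;;
    *)        echo "expected an http:// proxy URL, got $url" >&2; return 1 ;;
  esac
  profile=${PROFILE_D:-/etc/profile.d}/http_proxy.sh
  printf 'export HTTP_PROXY=%s\nexport HTTPS_PROXY=%s\n' "$url" "$url" > "$profile"
  envfile=${MST_ENV:-/etc/mstunnel/env.sh}
  if [ -e "$envfile" ]; then
    grep -v -e '^HTTP_PROXY=' -e '^HTTPS_PROXY=' "$envfile" > "$envfile.tmp" || true
    printf 'HTTP_PROXY=%s\nHTTPS_PROXY=%s\n' "$url" "$url" >> "$envfile.tmp"
    mv "$envfile.tmp" "$envfile"
    echo "updated $envfile; run: mst-cli server restart"
  fi
}
```

On the host the sequence is write_proxy_env http://10.10.10.1:3128, then allow_proxy_port "$(proxy_port http://10.10.10.1:3128)", then mst-cli server restart. The decision function treats a port that carries both http_port_t and another label as "ok", which is the end state the article describes after a successful semanage port -m.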

Configure Podman to use the proxy to download image updates

You can configure Podman to use the proxy to download (pull) updated images for
Podman:

1. On the tunnel server, use a command prompt to run the following command to
open an editor for the override file for the Microsoft Tunnel service:

systemctl edit --force mstunnel_monitor

2. Add the following four lines to the file. Replace each instance of [address] with your
proxy DNS name or address, and then save the file:

[Service]
Environment="http_proxy=[address]"
Environment="https_proxy=[address]"
PassEnvironment=http_proxy, https_proxy

3. Next, run the following at the command prompt:

systemctl restart mstunnel_monitor

4. Finally, run the following at the command prompt to confirm the configuration is
successful:

systemctl show mstunnel_monitor | grep http_proxy

If the configuration is successful, the results resemble the following information:

Environment="http_proxy=address:port"
Environment="https_proxy=address:port"
PassEnvironment=http_proxy https_proxy

Update the proxy server in use by the tunnel server

To change the proxy server configuration that is in use by the Linux host of the tunnel
server, use the following procedure:

1. On the tunnel server, edit /etc/mstunnel/env.sh and specify the new proxy server.

2. Run mst-cli install .

This command rebuilds the containers with the new proxy server details. During
this process, you're asked to verify the contents of /etc/mstunnel/env.sh and to
make sure that the certificate is installed. The certificate should already be present
from the previous proxy server configuration.

To confirm both and complete the configuration, enter yes.

Platforms

Devices must be enrolled in Intune to be supported with Microsoft Tunnel. Only the
following device platforms are supported:

iOS/iPadOS

Android Enterprise:
Fully Managed
Corporate-Owned Work Profile
Personally-Owned Work Profile

Note

Android Enterprise dedicated devices aren't supported by the Microsoft Tunnel.

The following functionality is supported by all platforms:

Azure Active Directory (Azure AD) authentication to the Tunnel using username
and password.
Active Directory Federation Services (AD FS) authentication to the Tunnel using
username and password.
Per-app support.
Manual full-device tunnel through a Tunnel app, where the user launches VPN and
selects Connect.
Split tunneling. However, on iOS split tunneling rules are ignored when your VPN
profile uses per-app VPN.

Support for a proxy is limited to the following platforms:

Android 10 and later
iOS/iPadOS

Permissions

To manage the Microsoft Tunnel, users must have permissions that are included in the
Microsoft Tunnel Gateway permissions group in Intune. By default, Intune
Administrators and Azure AD administrators have these permissions. You can also add
them to custom roles you create for your Intune tenant.

While configuring a role, on the Permissions page, expand Microsoft Tunnel Gateway
and then select the permissions you want to grant.

The Microsoft Tunnel Gateway permissions group grants the following permissions.
In each case, server configurations include settings for IP address ranges, DNS servers,
ports, and split tunneling rules, and Sites are logical groupings of multiple servers that
support Microsoft Tunnel:

Create - Configure Microsoft Tunnel Gateway servers and Sites.

Update (modify) - Update Microsoft Tunnel Gateway server configurations and
Sites.

Delete - Delete Microsoft Tunnel Gateway server configurations and Sites.

Read - View Microsoft Tunnel Gateway server configurations and Sites.

Because these permissions control the IP ranges, DNS servers, and split tunneling
rules that every connected device receives, grant Create, Update, and Delete only to
roles that need them, and use Read for day-to-day monitoring.

Run the readiness tool

Before you start a server install, we recommend you download and run the most recent
version of the mst-readiness tool. The tool is a script that runs on your Linux server and
does the following actions:

Validates that the Azure Active Directory (Azure AD) account you use to install
Microsoft Tunnel has the required roles to complete enrollment.

Confirms that your network configuration allows Microsoft Tunnel to access the
required Microsoft endpoints.

Checks for the presence of the ip_tables module on the Linux server. This check
was added to the script on February 11, 2022, when support for RHEL 8.5 was
added. RHEL 8.5 and later don't load the ip_tables module by default. If it's missing
after the Linux server installs, you must manually load the ip_tables module.

Important

The readiness tool doesn't validate inbound ports, which is a common
misconfiguration. After the readiness tool runs, review the firewall prerequisites
and manually validate that your firewalls pass inbound traffic (TCP 443 and UDP
443 by default) to the address you'll configure for the Site.

The mst-readiness tool has a dependency on jq, a command-line JSON processor.
Before you run the readiness tool, ensure jq is installed. For information about how to
get and install jq, see the documentation for the version of Linux that you use.

To use the readiness tool:

1. Get the most recent version of the readiness tool by using one of the following
methods:

Download the tool directly by using a web browser. Go to
https://aka.ms/microsofttunnelready to download a file named mst-readiness.

Sign in to Microsoft Intune admin center > Tenant administration >
Microsoft Tunnel Gateway, select the Servers tab, select Create to open the
Create a server pane, and then select Download readiness tool.

Use a Linux command to get the readiness tool directly. For example, you can
use wget or curl to open the link https://aka.ms/microsofttunnelready .

For example, to use wget and save the download as a file named mst-readiness,
run wget --output-document=mst-readiness https://aka.ms/microsofttunnelready

You can run the script from any Linux server that is on the same network as the
server you plan to install, allowing network admins to run it and troubleshoot
network issues independently. Because the script runs with sudo, read through it
before you run it.

2. To validate your network and Linux configuration, run the script with the following
commands to set the execute permissions on the script, to validate the Tunnel can
connect to the correct endpoints, and then to check for the presence of utilities
that Tunnel uses:

sudo chmod +x ./mst-readiness

sudo ./mst-readiness network - This command runs the following actions
and reports on success or error for both:

Tries to connect to each Microsoft endpoint the tunnel will use.
Checks that the required outbound ports are open in your firewall.

sudo ./mst-readiness utils - This command validates that utilities that are
used by Tunnel like Docker or Podman and ip_tables are available.

3. To validate that the account you'll use to install Microsoft Tunnel has the required
roles and permissions to complete enrollment, run the script with the following
command line: ./mst-readiness account

The script prompts you to use a different machine with a web browser, which you
use to authenticate to Azure AD and to Intune. The tool reports success or an
error.

For more information about this tool, see Reference for mst-cli in the reference article
for Microsoft Tunnel.

Manually load ip_tables

While most Linux distributions automatically load the ip_tables module, some
distributions might not. For example, RHEL 8.5 doesn't load ip_tables by default.

To check for the presence of this module, run the most recent version of the
mst-readiness tool on the Linux server. The check for ip_tables was added to the
readiness tool script on February 11, 2022.

If the module isn't present, the tool stops on the ip_tables module check. In this
scenario, you can run the following commands to manually load the module.

Manually load the ip_tables module

In the context of sudo, run the following commands on your Linux server:

1. Validate the presence of ip_tables on the server: lsmod | grep ip_tables

2. If ip_tables isn't present, run the following to load the module into the kernel
immediately, without a restart: /sbin/modprobe ip_tables

3. Rerun the validation to confirm the module is now loaded: lsmod | grep ip_tables

Important

When updating the Tunnel server, a manually loaded ip_tables module might not
persist. This can require you to reload the module after the update completes. After
your server update is completed, review the server for the presence of the ip_tables
module.

If the module isn't present, use the preceding steps to reload the module, with the
additional step to restart the server after the module is loaded.

Configure Linux to load ip_tables at boot

In the context of sudo, run the following command on your Linux server to create a
config file that loads ip_tables into the kernel during boot: echo ip_tables >
/etc/modules-load.d/mstunnel_iptables.conf

Run this from a root shell (for example, sudo -i); with a plain sudo echo the
redirection is done by your unprivileged shell and fails with "Permission denied".

Manually load the tun module

Some Linux distributions don't load the tun module by default, which is required by
Tunnel.

To validate the presence of the tun module on the server, run: lsmod | grep tun

1. If tun isn't present, run the following to load the module into the kernel
immediately, without a restart: /sbin/modprobe tun
2. Rerun the validation to confirm the tun module is now loaded: lsmod | grep tun

Important

When updating the Tunnel server, a manually loaded tun module might not persist.
This can require you to reload the module after the update is completed. After your
server update is completed, review the server for the presence of the tun module.

If not present, use the preceding steps to reload the module, with the additional
step to restart the server after the module is loaded.

Configure Linux to load tun at boot

In the context of sudo (a root shell, as for ip_tables), run the following command on
your Linux server to create a config file that loads tun into the kernel during boot:
echo tun > /etc/modules-load.d/mstunnel_tun.conf
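The three "might not persist" warnings on this page (IPv4 forwarding after a reboot, and the ip_tables and tun modules after a Tunnel server upgrade) are easiest to catch with one check you run after every install or upgrade. The following script is an added example, not part of the Intune documentation: it reads /proc and /etc directly rather than calling lsmod or sysctl, reports every setting that is off or not persisted, and can write the modules-load.d files described above together with a sysctl.d drop-in for forwarding. The PROC_ROOT and ETC_ROOT overrides exist only so the logic can be tested against constructed files; on a real host leave them unset and run it as root. A systemd-based distribution (modules-load.d, sysctl.d) is assumed.

```shell
#!/bin/sh
# Added example: verify (and persist) the host settings Tunnel needs that the
# docs say can revert after a reboot or a server upgrade. Assumes a systemd
# distribution. PROC_ROOT/ETC_ROOT are overrides for testing only.

# 0 when module $1 is loaded; /proc/modules is the data lsmod prints.
module_loaded() {
  awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
    "${PROC_ROOT:-/proc}/modules" 2>/dev/null
}

# 0 when some modules-load.d file names module $1 on a line of its own.
module_persisted() {
  grep -qsx "$1" "${ETC_ROOT:-/etc}"/modules-load.d/*.conf
}

# 0 when IPv4 forwarding is on right now.
ip_forward_on() {
  [ "$(cat "${PROC_ROOT:-/proc}/sys/net/ipv4/ip_forward" 2>/dev/null)" = 1 ]
}

# 0 when sysctl.conf or a sysctl.d drop-in sets ip_forward to 1. (A later
# drop-in could still set it back to 0, which is why the live check also runs.)
ip_forward_persisted() {
  grep -qsE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
    "${ETC_ROOT:-/etc}/sysctl.conf" "${ETC_ROOT:-/etc}"/sysctl.d/*.conf
}

# Write the module drop-ins the docs describe plus a sysctl.d drop-in, which
# is the sysctl.d equivalent of uncommenting the line in sysctl.conf.
persist_tunnel_host_settings() {
  etc=${ETC_ROOT:-/etc}
  mkdir -p "$etc/modules-load.d" "$etc/sysctl.d"
  echo ip_tables > "$etc/modules-load.d/mstunnel_iptables.conf"
  echo tun       > "$etc/modules-load.d/mstunnel_tun.conf"
  echo 'net.ipv4.ip_forward = 1' > "$etc/sysctl.d/99-mstunnel.conf"
}

# Print one line per failed check and return the failure count, so a
# deployment step can do: tunnel_host_check || exit 1
tunnel_host_check() {
  fails=0
  for m in ip_tables tun; do
    module_loaded "$m"    || { echo "FAIL: $m not loaded (modprobe $m)"; fails=$((fails + 1)); }
    module_persisted "$m" || { echo "FAIL: $m not in /etc/modules-load.d"; fails=$((fails + 1)); }
  done
  ip_forward_on        || { echo "FAIL: net.ipv4.ip_forward is 0 (sysctl -w net.ipv4.ip_forward=1)"; fails=$((fails + 1)); }
  ip_forward_persisted || { echo "FAIL: ip_forward not persisted (sysctl.conf or sysctl.d)"; fails=$((fails + 1)); }
  [ "$fails" -eq 0 ] && echo "OK: ip_tables, tun and IPv4 forwarding are loaded and persisted"
  return "$fails"
}
```

Typical use on a freshly upgraded server is tunnel_host_check; if it reports anything, run modprobe ip_tables, modprobe tun and sysctl --system, then persist_tunnel_host_settings, and run the check again before you let devices reconnect. Loading and applying are left to you rather than done by the script because they need root and a real kernel, which the tests don't have.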

Next steps

Configure Microsoft Tunnel

Configure Microsoft Tunnel for Intune
Article • 05/22/2023

To install Microsoft Tunnel Gateway, you'll need at least one Linux server with Docker
or Podman installed, which runs either on-premises or in the cloud. Depending on your
environment and infrastructure, additional configurations and software like Azure
ExpressRoute might be needed.

Before you start installation, be sure to complete the following tasks:

Review and configure prerequisites for Microsoft Tunnel.

Run the Microsoft Tunnel readiness tool to confirm your environment is ready to
support use of the tunnel.

After your prerequisites are ready, return to this article to begin installation and
configuration of the tunnel.

Create a Server configuration

Use of a Server configuration lets you create a configuration a single time and have that
configuration used by multiple servers. The configuration includes IP address ranges,
DNS servers, and split-tunneling rules. Later, you'll assign a Server configuration to a
Site, which automatically applies that configuration to each server that joins that Site.

To create a Server configuration

1. Sign in to Microsoft Intune admin center > Tenant administration > Microsoft
Tunnel Gateway > select the Server configurations tab > Create new.

2. On the Basics tab, enter a Name and Description (optional) and select Next.

3. On the Settings tab, configure the following items:

IP address range: IP addresses within this range are leased to devices when
they connect to Tunnel Gateway. The Tunnel client IP address range specified
must not conflict with an on-premises network range.
Consider using the Automatic Private IP Addressing (APIPA) range of
169.254.0.0/16, as this range avoids conflicts with other corporate
networks.
If the client IP address range conflicts with the destination, traffic loops back
to the client and fails to reach the corporate network.
You can select any client IP address range you want to use if it doesn't
conflict with your corporate network IP address ranges.

Server port: Enter the port that the server listens on for connections.

DNS servers: These servers are used when a DNS request comes from a
device that's connected to Tunnel Gateway.

DNS suffix search (optional): This domain is provided to clients as the default
domain when they connect to Tunnel Gateway.

Disable UDP Connections (optional): When selected, clients only connect to
the VPN server using TCP connections. Because the standalone tunnel client
requires use of UDP, only select the checkbox to disable UDP connections
after you've configured your devices to use Microsoft Defender for Endpoint
as the tunnel client app.

4. Also on the Settings tab, configure Split tunneling rules, which are optional.

You can include or exclude addresses. Included addresses are routed to Tunnel
Gateway. Excluded addresses aren't routed to Tunnel Gateway. For example, you
might configure an include rule for 192.168.0.0/16 (that is, the 192.168.0.0
network with the subnet mask 255.255.0.0).

Use the following options to include or exclude addresses:

IP ranges to include
IP ranges to exclude

Note

Don't use an IP range that specifies 0.0.0.0 in any of the include or exclude
addresses; Tunnel Gateway can't route traffic when this range is used.

5. On the Review + create tab, review the configuration, and then select Create to
save it.

Note

By default, each VPN session stays active for only 3,600 seconds (one hour)
before it disconnects (a new session is established immediately if the client is
set to use Always On VPN). However, you can modify the session timeout value
along with other server configuration settings using Graph calls
(microsoftTunnelConfiguration).
Create a Site

Sites are logical groups of servers that host Microsoft Tunnel. You'll assign a Server
configuration to each Site you create. That configuration is applied to each server that
joins the Site.

To create a Site configuration

1. Sign in to Microsoft Intune admin center > Tenant administration > Microsoft
Tunnel Gateway > select the Sites tab > Create.

2. On the Create a site pane, specify the following properties:

Name: Enter a name for this Site.

Description (optional)

Public IP address or FQDN: Specify a public IP address or FQDN, which is the
connection point for devices that use the tunnel. This IP address or FQDN can
identify an individual server or a load-balancing server. The IP address or
FQDN must be resolvable in public DNS and the resolved IP address must be
publicly routable. The TLS certificate on each server in the Site must carry this
value in its SAN.

Server configuration: Use the drop-down to select a server configuration to
associate with this Site.

URL for internal network access check: Specify an HTTP or HTTPS URL for a
location on your internal network. Every five minutes, each server that's
assigned to this site attempts to access the URL to confirm that it can
access your internal network. Servers report the status of this check as
Internal network accessibility on the server's Health check tab.

Automatically upgrade servers at this site: If Yes, servers upgrade
automatically when an upgrade is available. If No, upgrade is manual and an
administrator must approve an upgrade before it can start.

For more information, see Upgrade Microsoft Tunnel.

Limit server upgrades to maintenance window: If Yes, server upgrades for
this site can only start between the start time and end time specified. There
must be at least an hour between the start time and end time. When set to
No, there's no maintenance window and upgrades start as soon as possible
depending on how Automatically upgrade servers at this site is configured.
When set to Yes, configure the following options:
Time zone – The time zone you select determines when the maintenance
window starts and ends on all servers in the site, regardless of the time
zone of individual servers.
Start time – Specify the earliest time that the upgrade cycle can start,
based on the time zone you selected.
End time - Specify the latest time that the upgrade cycle can start, based on
the time zone you selected. Upgrade cycles that start before this time
continue to run and can complete after this time.

For more information, see Upgrade Microsoft Tunnel.

3. Select Create to save the Site.

Install Microsoft Tunnel Gateway


Before installing Microsoft Tunnel Gateway on a Linux server, configure your tenant with
at least one Server configuration, and then create a Site. Later, you’ll specify the Site that
a server joins when you install the tunnel on that server.

Use the script to install Microsoft Tunnel


1. Download the Microsoft Tunnel installation script by using one of the following
methods:

Download the tool directly by using a web browser. Go to
https://aka.ms/microsofttunneldownload to download the file mstunnel-setup.

Sign in to Microsoft Intune admin center > Tenant administration >
Microsoft Tunnel Gateway, select the Servers tab, select Create to open the
Create a server pane, and then select Download script.

Use a Linux command to download the tunnel software directly. For example,
on the server where you'll install the tunnel, you can use wget or curl to open
the link https://aka.ms/microsofttunneldownload.

For example, to use wget and save the downloaded file as mstunnel-setup, run
wget --output-document=mstunnel-setup https://aka.ms/microsofttunneldownload

2. To start the server installation, run the script as root. For example, you might use
the following command line: sudo chmod +x ./mstunnel-setup to make the script
executable, and then sudo ./mstunnel-setup to run it. The script always installs the
most recent version of Microsoft Tunnel.

To see detailed console output during the tunnel and installation agent enrollment
process:
a. Run export mst_verbose_log="true" before you run the ./mstunnel-setup script.
To confirm verbose logging is enabled, run export and check that mst_verbose_log
appears in the output.
b. After setup completes, edit the environment file /etc/mstunnel/env.sh to add a
new line: mst_verbose_log="true". After adding the line, run mst-cli server
restart to restart the server.

Important

For the U.S. government cloud, the command line must reference the
government cloud environment. To do so, run the following commands to
add intune_env=FXP to the command line:
a. Run sudo chmod +x ./mstunnel-setup
b. Run sudo intune_env=FXP ./mstunnel-setup

Tip

If you stop the installation and script, you can restart it by running the
command line again. Installation continues from where you left off.

When you start the script, it downloads the Microsoft Tunnel Gateway container
images from the Intune service, and creates the necessary folders and files on
the server.

During setup, the script will prompt you to complete several admin tasks.

3. When prompted by the script, accept the license agreement (EULA).

4. Review and configure variables in the following files to support your environment.

Environment file: /etc/mstunnel/env.sh. For more information on these
variables, see Environment variables in the reference for Microsoft Tunnel
article.

5. When prompted, copy the full chain of your Transport Layer Security (TLS)
certificate file to the Linux server. The script displays the correct location to use on
the Linux server.

The TLS certificate secures the connection between the devices that use the tunnel
and the Tunnel Gateway endpoint. The certificate must have the IP address or
FQDN of the Tunnel Gateway server in its SAN.

The private key will remain available on the machine where you create the
certificate signing request for the TLS certificate. This file must be exported with a
name of site.key.

Install the TLS certificate and private key. Use the following guidance that matches
your file format:

PFX:
The certificate file name must be site.pfx. Copy the certificate file to
/etc/mstunnel/private/site.pfx.

PEM:
The full chain (root, intermediate, end-entity) must be in a single file
named site.crt. If you're using a certificate issued by a public provider like
Digicert, you have the option of downloading the complete chain as a
single .pem file.

The certificate file name must be site.crt. Copy the full chain certificate
into /etc/mstunnel/certs/site.crt. For example: cp [full path to cert]
/etc/mstunnel/certs/site.crt

Alternatively, create a link to the full chain cert in
/etc/mstunnel/certs/site.crt. For example: ln -s [full path to cert]
/etc/mstunnel/certs/site.crt

Copy the private key file into /etc/mstunnel/private/site.key. For example:
cp [full path to key] /etc/mstunnel/private/site.key

Alternatively, create a link to the private key file in
/etc/mstunnel/private/site.key. For example: ln -s [full path to key
file] /etc/mstunnel/private/site.key

This key shouldn't be encrypted with a password. The private key file name
must be site.key.

6. After setup installs the certificate and creates the Tunnel Gateway services, you’re
prompted to sign in and authenticate with Intune. The user account must have
either the Intune Administrator or Global Administrator roles assigned. The
account you use to complete the authentication must have an Intune license. The
credentials of this account aren't saved and are only used for initial sign-in to
Azure Active Directory. After successful authentication, Azure app IDs/secret keys
are used for authentication between the Tunnel Gateway and Azure Active
Directory.

This authentication registers Tunnel Gateway with Microsoft Intune and your
Intune tenant.

a. Open a web browser to https://Microsoft.com/devicelogin and enter the
device code that's provided by the installation script, and then sign in with your
Intune admin credentials.

b. After Microsoft Tunnel Gateway registers with Intune, the script gets
information about your Sites and Server configurations from Intune. The script
then prompts you to enter the GUID of the tunnel Site you want this server to
join. The script presents you with a list of your available sites.

c. After you select a Site, setup pulls the Server configuration for that Site from
Intune, and applies it to your new server to complete the Microsoft Tunnel
installation.

7. After the installation script finishes, you can navigate in Microsoft Intune admin
center to the Microsoft Tunnel Gateway tab to view high-level status for the
tunnel. You can also open the Health status tab to confirm that the server is online.
8. If you’re using RHEL 8.4 or later, be sure to restart the Tunnel Gateway server by
entering mst-cli server restart before you attempt to connect clients to it.
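The two places where this install most often goes wrong are the verbose-logging line in env.sh (step 2) and the TLS files in step 5: the chain must be complete and in one file, the key must not be password protected, and the gateway's FQDN or IP address must appear in the end-entity certificate's SAN. The POSIX shell helpers below are added here as an example and are not part of Microsoft's mstunnel-setup script; they check a certificate/key pair before you copy it to /etc/mstunnel and add mst_verbose_log="true" to env.sh without duplicating it. They assume the paths named in this article, that the first PEM block in site.crt is the end-entity certificate (the usual chain order), and that the openssl checks run only where OpenSSL 1.1.1 or later is installed; the hostname in the usage comment is a placeholder. The same check is worth running before a renewal with mst-cli import_cert.

```shell
#!/bin/sh
# Preflight helpers for a Microsoft Tunnel Gateway install on Linux.
# Added example for this article; it is not part of Microsoft's mstunnel-setup
# script. Assumptions: the env file is /etc/mstunnel/env.sh as described above,
# the first PEM block in site.crt is the end-entity certificate (the usual
# chain order), and the openssl checks need OpenSSL 1.1.1 or later.

# enable_verbose_logging ENV_FILE
# Adds mst_verbose_log="true" exactly once, so re-running it after a
# reinstall or a re-check never stacks duplicate lines in env.sh.
enable_verbose_logging() {
    if verbose_logging_enabled "$1"; then
        return 0
    fi
    printf '%s\n' 'mst_verbose_log="true"' >> "$1"
}

# verbose_logging_enabled ENV_FILE -> 0 if the line is already present
verbose_logging_enabled() {
    grep -q -e '^mst_verbose_log="true"$' "$1" 2>/dev/null
}

# count_pem_certs FILE -> number of CERTIFICATE blocks in the file (0 if none)
count_pem_certs() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# key_is_encrypted KEY_FILE -> 0 if the key is password protected
# (PKCS#8 "ENCRYPTED PRIVATE KEY" header or the legacy Proc-Type marker)
key_is_encrypted() {
    grep -q -E -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null
}

# check_tunnel_tls CERT KEY NAME -> 0 if the pair meets the article's rules:
# full chain in one file, unencrypted key, and NAME (FQDN or IP address of
# the gateway) present in the end-entity certificate's SAN.
check_tunnel_tls() {
    cert=$1; key=$2; name=$3
    n=$(count_pem_certs "$cert")
    if [ "$n" -lt 2 ]; then
        echo "site.crt must hold the full chain (root, intermediate, end-entity); found $n certificate block(s)" >&2
        return 1
    fi
    if key_is_encrypted "$key"; then
        echo "site.key must not be password protected" >&2
        return 1
    fi
    if command -v openssl >/dev/null 2>&1; then
        # Split the SAN list into one entry per line and require an exact match
        # on DNS:NAME or IPAddress:NAME (spaces stripped).
        if ! openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
                | tr ',' '\n' | tr -d ' \t' \
                | grep -q -x -F -e "DNS:$name" -e "IPAddress:$name"; then
            echo "end-entity certificate does not list $name in its SAN" >&2
            return 1
        fi
        # The key must belong to the end-entity certificate: compare public keys.
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "site.key does not match the end-entity certificate in site.crt" >&2
            return 1
        fi
    fi
    return 0
}

# Typical use on the server, before copying the files to the paths the
# install script prompts for (tunnel.contoso.example is a placeholder name):
#   check_tunnel_tls ./fullchain.pem ./site.key tunnel.contoso.example && \
#       cp ./fullchain.pem /etc/mstunnel/certs/site.crt && \
#       cp ./site.key /etc/mstunnel/private/site.key
#   enable_verbose_logging /etc/mstunnel/env.sh && mst-cli server restart
```

The checks only read the files, so a failed check leaves /etc/mstunnel untouched; without openssl on the box only the chain-count and encrypted-key checks run, which is still enough to catch the two mistakes the article warns about.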

Deploy the Microsoft Tunnel client app


To use the Microsoft Tunnel, devices need access to a Microsoft Tunnel client app. You
can deploy the tunnel client app to devices by assigning it to users. The following apps
are available:

Android:

Microsoft Defender for Endpoint - Download Microsoft Defender for Endpoint
for use as the Microsoft Tunnel client app from the Google Play store. See Add
Android store apps to Microsoft Intune.

When you use Microsoft Defender for Endpoint as your tunnel client application
and as a mobile threat defense (MTD) application, see Use Microsoft Defender
for Endpoint for MTD and as the Microsoft Tunnel client app for important
configuration guidance.

iOS/iPadOS:

Microsoft Defender for Endpoint - Download Microsoft Defender for Endpoint
for use as the Microsoft Tunnel client app from the Apple App store. See Add
iOS store apps to Microsoft Intune.

If you still use the standalone Microsoft Tunnel client app or a preview version
of Defender for Endpoint (available prior to April 29 2022), plan to migrate
devices to the latest version of Defender for Endpoint.

Microsoft Tunnel client app - For iOS/iPadOS, download the Microsoft Tunnel
client app from the Apple App Store. See Add iOS store apps to Microsoft
Intune.

Important

Plan for change. On April 29, 2022 both the Microsoft Tunnel connection type
and Microsoft Defender for Endpoint as the tunnel client app became generally
available. With this general availability, the use of the Microsoft Tunnel
(standalone client)(preview) connection type and the standalone tunnel client
app are deprecated and soon will drop from support.
On July 29, 2022, the standalone tunnel client app will no longer be
available for download. Only the generally available version of Microsoft
Defender for Endpoint will be available as the tunnel client app.
On August 1, 2022, the Microsoft Tunnel (standalone client) (preview)
connection type will cease to connect to Microsoft Tunnel.

To avoid a disruption in service for Microsoft Tunnel, plan to migrate your use
of the deprecated tunnel client app and connection type to those that are
now generally available.

For more information on deploying apps with Intune, see Add apps to Microsoft Intune.

Create a VPN profile


After the Microsoft Tunnel installs and devices install the Microsoft Tunnel client app,
you can deploy VPN profiles to direct devices to use the tunnel. To do so, you’ll create
VPN profiles with one of the following connection types:

Android:

Microsoft Tunnel - Use this connection type with Defender for Endpoint as the
tunnel client app.

Note

Prior to support for using Microsoft Defender for Endpoint as the tunnel
client app, a standalone tunnel client app was available in preview and
used a connection type of Microsoft Tunnel (standalone client). As of June
14 2021, both the standalone tunnel app and standalone client connection
type are deprecated and drop from support after October 26, 2021.

The Android platform supports routing of traffic through a per-app VPN and split
tunneling rules independently, or at the same time.

Note

Prior to support for using Microsoft Defender for Endpoint as the tunnel client
app, a standalone tunnel client app was available in preview and used a
connection type of Microsoft Tunnel (standalone client). As of June 14 2021,
both the standalone tunnel app and standalone client connection type are
deprecated and drop from support after January 31, 2022.

iOS/iPadOS:

Microsoft Tunnel – Use this connection type with Microsoft Defender for
Endpoint as the tunnel client app.

Microsoft Tunnel (standalone client) (preview) – Use this connection type when
you use the standalone Microsoft Tunnel client app. This connection type
doesn’t support Microsoft Defender for Endpoint as the client Tunnel app.

Important

Plan for change. On April 29, 2022 both the Microsoft Tunnel connection
type and Microsoft Defender for Endpoint as the tunnel client app became
generally available. With this general availability, the use of the Microsoft
Tunnel (standalone client)(preview) connection type and the standalone
tunnel client app are deprecated and soon will drop from support.
On July 29, 2022, the standalone tunnel client app will no longer be
available for download. Only the generally available version of Microsoft
Defender for Endpoint will be available as the tunnel client app.
On August 1, 2022, the Microsoft Tunnel (standalone client) (preview)
connection type will cease to connect to Microsoft Tunnel.

To avoid a disruption in service for Microsoft Tunnel, plan to migrate your
use of the deprecated tunnel client app and connection type to those that
are now generally available.

The iOS platform supports routing traffic by either a per-app VPN or by split
tunneling rules, but not both simultaneously. If you enable a per-app VPN for iOS,
your split tunneling rules are ignored.

Android
1. Sign in to Microsoft Intune admin center > Devices > Configuration profiles >
Create profile.

2. For Platform, select Android Enterprise. For Profile select VPN for either
Corporate-Owned Work Profile or Personally-Owned Work Profile, and then
select Create.

Note
Android Enterprise dedicated devices aren't supported by the Microsoft
Tunnel.

3. On the Basics tab, enter a Name and Description (optional) and select Next.

4. For Connection type select Microsoft Tunnel, and then configure the following
details:

Base VPN:
For Connection name, specify a name that will display to users.
For Microsoft Tunnel Site, select the Tunnel site that this VPN profile will
use.

Per-app VPN:
Apps that are assigned in the per-app VPN profile send app traffic to the
tunnel.
On Android, launching an app won't launch the per-app VPN. However,
when the VPN has Always-on VPN set to Enable, the VPN will already be
connected and app traffic will use the active VPN. If the VPN isn't set to be
Always-on, the user must manually start the VPN before it can be used.
If you're using the Defender for Endpoint app to connect to Tunnel, have
web protection enabled, and are using per-app VPN, web protection will
only apply to the apps in the per-app VPN list. On devices with a work
profile, in this scenario we recommend adding all web browsers in the
work profile to the per-app VPN list to ensure all work profile web traffic is
protected.
To enable a per-app VPN, select Add and then browse to the custom or
public apps you’ve imported to Intune.

Always-on VPN:
For Always-on VPN, select Enable to set the VPN client to automatically
connect and reconnect to the VPN. Always-on VPN connections stay
connected. If Per-app VPN is set to Enable, only the traffic from apps you
select go through the tunnel.

Proxy:
Configure proxy server details for your environment.

Note

Proxy server configurations are not supported with versions of Android prior to
version 10. For more information, see VpnService.Builder in the Android developer
documentation.

For more information about VPN settings, see Android Enterprise device settings
to configure VPN

Important

For Android Enterprise devices that use Microsoft Defender for Endpoint as a
Microsoft Tunnel client application and as an MTD app, you must use custom
settings to configure Microsoft Defender for Endpoint instead of using a
separate app configuration profile. If you do not intend to use any Defender
for Endpoint functionality, including web protection, use custom settings in
the VPN profile and set the defendertoggle setting to 0.

5. On the Assignments tab, configure groups that will receive this profile.

6. On the Review + create tab, review the configuration, and then select Create to
save it.

iOS
1. Sign in to Microsoft Intune admin center > Devices > Device Configuration >
Create profile.

2. For Platform, select iOS/iPadOS, and then for Profile select VPN, and then Create.

3. On the Basics tab, enter a Name and Description (optional) and select Next.

4. For Connection type, select Microsoft Tunnel and then configure the following
items:

Base VPN:
For Connection name, specify a name that will display to users.
For Microsoft Tunnel Site, select the tunnel Site that this VPN profile will
use.

Note

When using the Tunnel VPN connection and Defender web protection
together in combined mode, the Disconnect on sleep setting is not
supported. If this Intune VPN setting is set to Enabled and the iOS device
goes to sleep, both the Tunnel VPN and the Defender VPN are
disconnected.

Per-app VPN:

To enable a per-app VPN, select Enable. Extra configuration steps are
required for iOS per-app VPNs. When the per-app VPN is configured, your
split tunneling rules are ignored by iOS.

For more information, see Per-App VPN for iOS/iPadOS.

On-Demand VPN Rules:

Define on-demand rules that allow use of the VPN when conditions are met
for specific FQDNs or IP addresses.

For more information, see Automatic VPN settings

Proxy:
Configure proxy server details for your environment.

Use custom settings for Microsoft Defender for Endpoint

Intune supports Microsoft Defender for Endpoint as both an MTD app and as the
Microsoft Tunnel client application on Android Enterprise devices. If you use Defender
for Endpoint for both the Microsoft Tunnel client application and as an MTD app, you
can use custom settings in your VPN profile for Microsoft Tunnel to simplify your
configurations. Use of custom settings in the VPN profile replaces the need to use a
separate app configuration profile.

For devices enrolled as Android Enterprise personally-owned work profile that use
Defender for Endpoint for both purposes, you must use custom settings instead of an
app configuration profile. On these devices, the app configuration profile for Defender
for Endpoint conflicts with Microsoft Tunnel and can prevent the device from
connecting to Microsoft Tunnel.

If you use Microsoft Defender for Endpoint for Microsoft Tunnel but not MTD, then you
continue to use the app configuration profile to configure Microsoft Defender for
Endpoint as a Tunnel Client.

Add app configuration support for Microsoft Defender for Endpoint to a VPN profile
for Microsoft Tunnel

Use the following information to configure the custom settings in a VPN profile to
configure Microsoft Defender for Endpoint in place of a separate app configuration
profile. Available settings vary by platform.

For Android Enterprise devices:

Configuration key: vpn
Value type: Integer
Configuration value: 1 - Enable (default); 0 - Disable
Description: Set to Enable to allow the Microsoft Defender for Endpoint
anti-phishing capability to use a local VPN.

Configuration key: antiphishing
Value type: Integer
Configuration value: 1 - Enable (default); 0 - Disable
Description: Set to Enable to turn on Microsoft Defender for Endpoint
anti-phishing. When disabled, the anti-phishing capability is turned off.

Configuration key: defendertoggle
Value type: Integer
Configuration value: 1 - Enable (default); 0 - Disable
Description: Set to Enable to use Microsoft Defender for Endpoint. When
disabled, no Microsoft Defender for Endpoint functionality is available.

For iOS/iPad devices:

Configuration key: TunnelOnly
Values:
  True – All Defender for Endpoint functionality is disabled. This setting
  should be used if you're using the app only for Tunnel capabilities.
  False (default) – Defender for Endpoint functionality is enabled.
Description: Determines whether the Defender app is limited to only Microsoft
Tunnel, or if the app also supports the full set of Defender for Endpoint
capabilities.

Configuration key: WebProtection
Values:
  True (default) – Web Protection is enabled, and users will see the web
  protection tab in the Defender for Endpoint app.
  False – Web Protection is disabled. If a Tunnel VPN profile is deployed,
  users will only see the Dashboard and Tunnel tabs in the Defender for
  Endpoint app.
Description: Determines whether Defender for Endpoint Web Protection
(anti-phishing functionality) is enabled for the app. By default, this
functionality is on.

Configuration key: AutoOnboard
Values:
  True – If Web Protection is enabled, the Defender for Endpoint app is
  automatically granted permissions for adding VPN connections and the user
  isn't prompted to allow this.
  False (default) – If Web Protection is enabled, the user is prompted to
  allow the Defender for Endpoint app to add VPN configurations.
Description: Determines whether Defender for Endpoint Web Protection is
enabled without prompting the user to add a VPN connection (because a local
VPN is needed for Web Protection functionality). This setting only applies if
WebProtection is set to True.

Configure TunnelOnly mode to comply with the European Union Data Boundary

By end of calendar year 2022, all personal data, including Customer Content (CC), EUII,
EUPI and Support Data must be stored and processed in the European Union (EU) for EU
tenants.

The Microsoft Tunnel VPN feature in Defender for Endpoint is European Union Data
Boundary (EUDB) compliant. However, the Defender for Endpoint threat protection
components related to logging are not yet EUDB compliant. EUDB compliance will
become available in a future release.

In the meantime, Microsoft Tunnel customers with EU tenants can enable TunnelOnly
mode in the Defender for Endpoint Client app. To configure this, use the following steps:

1. Follow the steps found in Install and configure Microsoft Tunnel VPN solution for
Microsoft Intune | Microsoft Learn to create an app configuration policy which
disables Defender for Endpoint functionality.

2. Create a key called TunnelOnly and set the value to True.

By configuring TunnelOnly mode, all Defender for Endpoint functionality is disabled
while Tunnel functionality remains available for use in the app.

Guest accounts and Microsoft Accounts (MSA) that are not specific to your
organization's tenant are not supported for cross-tenant access using Microsoft Tunnel
VPN. This means that these types of accounts cannot be used to access internal
resources securely through the VPN. It is important to keep this limitation in mind when
setting up secure access to internal resources using Microsoft Tunnel VPN.

For more information about the EU Data Boundary, see EU Data Boundary for the
Microsoft Cloud | Frequently Asked Questions on the Microsoft security and
compliance blog.

Upgrade Microsoft Tunnel


Intune periodically releases updates to the Microsoft Tunnel server. To stay in support,
tunnel servers must run the most recent release, or at most be one version behind.

By default, after a new upgrade is available Intune automatically starts the upgrade of
tunnel servers as soon as possible, at each of your tunnel sites. To help you manage
upgrades, you can configure options that manage the upgrade process:

You can allow automatic upgrade of servers at a site, or require admin approval
before upgrades begin.
You can configure a maintenance window, which limits when upgrades at a site can
start.

For more information about upgrades for Microsoft Tunnel, including how to view
tunnel status and configure upgrade options, see Upgrade Microsoft Tunnel.

Update the TLS certificate on the Linux server


You can use the ./mst-cli command-line tool to update the TLS certificate on the server:

PFX:

1. Copy the certificate file to /etc/mstunnel/private/site.pfx
2. Run: mst-cli import_cert
3. Run: mst-cli server restart

PEM:

1. Copy the new certificate to /etc/mstunnel/certs/site.crt
2. Copy the private key to /etc/mstunnel/private/site.key
3. Run: mst-cli import_cert
4. Run: mst-cli server restart

For more information about mst-cli, see Reference for Microsoft Tunnel.

Uninstall the Microsoft Tunnel

To uninstall the product, run ./mst-cli uninstall from the Linux server as root.

After the product is uninstalled, delete the corresponding server record in the Microsoft
Intune admin center under Tenant administration > Microsoft Tunnel Gateway >
Servers.

Next steps
Use Conditional Access with the Microsoft Tunnel

Monitor Microsoft Tunnel


Microsoft Tunnel for Mobile Application Management
Article • 04/13/2023

Note

This capability is available when you add Microsoft Intune Plan 2 or Microsoft
Intune Suite as an add-on license. For more information, see Use Intune Suite add-
on capabilities.

When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by
adding Tunnel for Mobile Application Management (MAM). Tunnel for MAM extends
the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that
aren't enrolled with Microsoft Intune. With this solution, your users can use a single
device that hasn't enrolled with Intune to gain secure access to the organization's on-
premises apps and resources using modern authentication, Single Sign On and
conditional access. With Tunnel for MAM, your users can use their own device (BYOD)
for both work and personal use, without having to grant the organization's IT
department control over that device.

Applies to:

Android
iOS/iPadOS

Platform requirements and feature overview


Before you begin, you must already have deployed the Microsoft Tunnel gateway. To
learn more about Microsoft Tunnel gateway and how to install and configure it, see:

Learn about the Microsoft Tunnel VPN solution for Microsoft Intune
Identify the prerequisites to install and use the Microsoft Tunnel VPN solution for
Microsoft Intune
Install and configure Microsoft Tunnel VPN solution for Microsoft Intune

Microsoft Tunnel for MAM supports the following platforms:

Android Enterprise version 10.0 or higher
iOS version 14.0 or higher

The following table identifies key features for the supported platforms:

Requirements:
  Tunnel for Android:
    - Company Portal app (sign-in not required)
    - Defender for Endpoint app
  Tunnel for iOS:
    - No Company Portal app or Defender for Endpoint app requirement

Features:
  Tunnel for Android:
    - VPN is provided via the Defender for Endpoint app:
      - Per App VPN
      - Device-wide VPN
    - Auto-launch: VPN automatically starts on app launch
    - Trusted root certificate support for on-premises CA trust
  Tunnel for iOS:
    - VPN is provided via Tunnel for MAM SDK for iOS integration
    - Per-App VPN. Tunnel connection is restricted to each targeted app
    - Auto-launch: VPN automatically starts on app launch
    - No Device-wide VPN

Line of Business app requirements:
  Tunnel for Android:
    - Intune App SDK for Android
    - Microsoft Authentication Library (MSAL) integration
    - Azure AD App registration
  Tunnel for iOS:
    - Intune App SDK for iOS
    - Microsoft Authentication Library (MSAL) integration
    - Tunnel for MAM SDK for iOS

Microsoft Edge browser support:
  Tunnel for Android:
    - Identity switch: VPN connects when using a work or school account and
      disconnects when switching to a personal account or in-Private browsing
    - Device-wide and Per-App VPN support
  Tunnel for iOS:
    - Identity switch: VPN connects when using a work/school account and
      disconnects when switching to a personal account or in-Private browsing

Third-party browser support:
  Tunnel for Android:
    - Only with device-wide VPN enabled
  Tunnel for iOS:
    - None

Next steps
Learn about the Microsoft Tunnel VPN solution for Microsoft Intune
Use MAM Tunnel for Android
MAM Tunnel for iOS

Microsoft Tunnel for Mobile Application Management for Android
Article • 06/07/2023

Note

This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.

When you add Microsoft Tunnel for Mobile Application Management (MAM) to your
tenant, you can use Microsoft Tunnel VPN Gateway with unenrolled Android devices to
support MAM scenarios. With support for MAM, your unenrolled devices can use Tunnel
to securely connect to your organization allowing users and apps safe access to your
organizational data.

Applies to:

Android Enterprise

To extend your existing Microsoft Tunnel configuration to support MAM, you'll create
and deploy three profiles that configure this support on your unenrolled devices:

App configuration policy for Microsoft Defender. This policy configures Microsoft
Defender for Endpoint on a device as the VPN tunnel client app.
App configuration policy for Microsoft Edge. This policy configures Microsoft Edge
to support identity-switch, which automatically connects and disconnects the VPN
tunnel when switching from a Microsoft "Work or school" account to a Microsoft
"personal account" in Microsoft Edge.
App protection policy to automatically start the connection to Microsoft Tunnel
when the MAM enabled app on the device accesses corporate resources.

With these policies in place, your existing Site and Server configurations for Tunnel
support access from devices that aren't enrolled in Intune. In addition, you can choose
to deploy your configurations for MAM Tunnel to enrolled devices instead of using
MDM Tunnel configurations. However, an enrolled device must use only the MDM
Tunnel configurations or the MAM Tunnel configurations, but not both. For example,
enrolled devices can't have an app like Microsoft Edge that uses MAM tunnel
configurations while other apps use MDM Tunnel configurations.

Prerequisites

Infrastructure and tenant:

Tunnel for MAM requires the same considerations and prerequisites as using Tunnel for
enrolled devices. For more information, see Tunnel prerequisites.

After configuring Microsoft Tunnel, you'll be ready to add the two App configuration
policies and the App protection policy that enables unenrolled devices to use Tunnel.
Configuration of these policies is detailed in the following sections.

Devices:

Users of devices that aren't enrolled with Intune must install the following apps on their
Android device before they can use the Tunnel for MAM scenario. These apps can all be
manually installed from the Google Play store:

1. Microsoft Defender – Get it from Microsoft Defender - Apps on Google Play.
Microsoft Defender includes the tunnel client app that the device uses to connect
to Microsoft Tunnel. To support Tunnel for MAM, Microsoft Defender for Endpoint
must be version 1.0.4722.0101 or higher.

2. Microsoft Edge – Get it from Microsoft Edge: Web Browser - Apps on Google
Play. Each device must manually enable the Tunnel functionality for Microsoft
Edge before the device can use Tunnel. To enable support for Tunnel, users must
browse to edge://flags from within the Microsoft Edge app, and then search for
and select Tunnel to enable it.

3. Company Portal – Get it at Intune Company Portal - Apps on Google Play.
Devices must install the Company Portal app, even though users won't need to
sign in to the app or enroll their device with Intune.

Line of Business apps:

For your Line of Business (LOB) apps, integrate them with the MAM SDK. Later, you'll
need to add your LOB apps to your app protection policy and app configuration policies
for MAM Tunnel. See Getting started with MAM for Android.

Note

Make sure your Android LOB applications support direct proxy or Proxy Auto-
Configuration (PAC) for both MDM and MAM.

MAM SDK Version:

The Android Trusted Roots functionality for Microsoft Tunnel for MAM requires MAM
SDK version 9.5.0 or later. See Release Version 9.5.0 · msintuneappsdk/ms-intune-app-sdk-android
on github.com.

Configure policies to support Microsoft Tunnel for MAM

To support using Tunnel for MAM, create and deploy the three profiles detailed in the
following sections. These policies can be created in any order:

App configuration policy for Microsoft Edge
App configuration policy for Microsoft Defender
App protection policy for Tunnel

When all three are configured and deployed to the same groups, the app protection
policy will automatically trigger Tunnel to connect to the VPN whenever Microsoft Edge
is launched.

In addition, you can configure a Trusted certificate profile for use with your line-of-
business apps when they must connect to on-premises resources and are protected by
an SSL/TLS certificate issued by an on-premises or private certificate authority (CA).

App configuration policy for Microsoft Defender


Create an App configuration policy to configure Microsoft Defender for Endpoint on the
device for use as the tunnel client app.

Note

Ensure only a single Defender app configuration policy targets the unenrolled
device. Targeting more than 1 app configuration policy with different tunnel
settings for Defender for Endpoint will create tunnel connection issues on the
device.

1. Sign in to the Microsoft Intune admin center and go to Apps > App
Configuration policies > Add > Managed Apps.

2. On the Basics tab:
a. Enter a Name for this policy, and a Description (optional).
b. Click on Select public apps, select Microsoft Defender Endpoint for Android,
and then click Select.
When Microsoft Defender Endpoint is listed for Public apps, select Next.

3. On the Settings tab, skip the General configuration settings category, which isn't
used for this policy. For the Microsoft Tunnel settings category, make the following
configurations:

Set Use Microsoft Tunnel VPN to Yes.

For Connection name, specify the connection name of your VPN.

Next, click Select a site:

For Site Name, select an available site, and then click OK.

Per-App VPN (Android only) is an optional setting. Select public or custom
apps to restrict the use of the Tunnel VPN connection to these specified
apps.

Important

MAM Tunnel for Android doesn't support the use of Always-on VPN.
When Always-on VPN is set to Enable, Tunnel does not connect
successfully and sends connection failure notifications to the device user.

Proxy is an optional setting. Configure proxy settings to meet your
on-premises network requirements.

Note

Proxy server configurations are not supported with versions of Android
prior to version 10. For more information, see VpnService.Builder in
the Android developer documentation.

When ready, select Next to continue.

4. On the Assignments tab, select Add Groups, and then select the same Azure Active
Directory groups that you deployed the Microsoft Edge App configuration profile
to, and then select Next.

5. On the Review + Create tab, select Create to complete creation of the policy and
deploy the policy to the assigned groups.

The new policy will appear in the list of App configuration policies.

App configuration policy for Microsoft Edge

Create an App configuration policy for Microsoft Edge. This policy configures Microsoft
Edge to support identity-switch, providing the ability to automatically connect the VPN
Tunnel when signing-in or switching to a Microsoft "Work or school" account, and
automatically disconnect the VPN tunnel when switching to a Microsoft personal
account.

1. Sign in to the Microsoft Intune admin center and go to Apps > App
Configuration policies > Add > Managed Apps.

2. On the Basics tab:

a. Enter a Name for the policy, and a Description (optional).
b. Click on Select public apps, select Microsoft Edge for Android, and then click
Select.

After Microsoft Edge is listed for Public apps, select Next.

3. On the Settings tab, configure the Name and Value pair in the General
configuration settings category as follows:

Name =
com.microsoft.intune.mam.managedbrowser.TunnelAvailable.IntuneMAMOnly
Value = True

Note

Ensure there are no trailing spaces at the end of the General configuration
setting. This setting provides "Identity switch" support to Edge on Android.
This enables Edge on Android to automatically connect the VPN when signing
in with a "Work account or School account" and disconnect the VPN when
switching to a "Personal account", enabling InPrivate browsing.

You can also use this same policy to configure other settings for Microsoft
Edge in the Microsoft Edge configuration settings category. After any additional
configurations for Microsoft Edge are ready, select Next.

4. On the Assignments tab, select Add Groups, and then select one or more Azure
Active Directory groups that will receive this policy. After configuring groups, select
Next.

5. On the Review + Create tab, select Create to complete creation of the policy and
deploy the policy to the assigned groups.

The new policy will appear in the list of App configuration policies.

App protection policy for Tunnel

Create an app protection policy to automatically start the Microsoft Tunnel VPN
connection when the app is launched.

Note

When the app is started, the Tunnel VPN connection attempts to start. Once
started, the device has access to the on-premises network routes available via
the Microsoft Tunnel Gateway. If you wish to limit the tunnel network access to
specific apps, configure the "Per-App VPN (Android only)" settings.

1. Sign in to the Microsoft Intune admin center and go to Apps > App protection
policies > Create policy > Android.

2. On the Basics tab, enter a Name for this policy, and a Description (optional), and
then select Next.

3. On the Apps tab, click Select public apps, select Microsoft Edge, and then click
Select.

When Microsoft Edge is listed for Public apps, select Next.

4. On the Data protection tab, scroll to the bottom and set Start Microsoft Tunnel
connection on app-launch to Yes, and then select Next.

5. Continue past the Access requirements and Conditional launch tabs.

6. On the Assignments tab, select Add Groups, and then select the same Azure Active
Directory groups that you deployed the two app configuration profiles to, and
then select Next.

7. On the Review + Create tab, select Create to complete creation of the policy and
deploy the policy to the assigned groups.

The new policy will appear in the list of app protection policies.

Configure Line of Business applications

If you've integrated your LOB apps with the MAM SDK, you can use them with Microsoft
Tunnel by adding them as custom apps to the three MAM Tunnel policies you've
previously created.

For more information about adding custom apps to policies, see the following articles
for the two policy types:

App configuration policies for Intune App SDK managed apps
How to create and assign app protection policies

To support LOB apps on your unenrolled devices, the apps must deploy as available
apps from within the Microsoft Intune admin center. You can't use Intune to deploy apps as
required apps to unenrolled devices.

Use a trusted certificate profile

LOB apps that use the MAM tunnel on Android are required to integrate with the Intune
App SDK and must use the new Tunnel for MAM trust manager to get trusted root
certificate support. To support trusted root certificates, you must use
the minimum SDK version (or later) as detailed in the Prerequisites section of this article.

Trusted Root Certificates Management:

If your application requires SSL/TLS certificates issued by an on-premises or private
certificate authority to provide secure access to internal websites and applications, the
Intune App SDK has added support for certificate trust management using the API
classes MAMTrustedRootCertsManager and MAMCertTrustWebViewClient.

Requirements:

Certificate formats supported by Tunnel for MAM Android:
DER encoded binary X.509
PEM

MAMCertTrustWebViewClient supports:
Android 10 or higher

MAMTrustedRootCertsManager supports:
SSLContext
SSLSocketFactory
TrustManager
WebView

During configuration of the app configuration profile for an app that will use Tunnel for
MAM, select the certificate profile that will be used:

1. On the Settings tab of your app configuration profile, expand Microsoft Tunnel for
Mobile Application Management settings.

2. Configure the following options:

a. Set Use Microsoft Tunnel for MAM to Yes.
b. For Connection name, specify a user facing name for this connection, like mam-
tunnel-vpn.
c. Next, select Select a Site, and choose one of your Microsoft Tunnel Gateway
sites. If you haven't configured a Tunnel Gateway site, see Configure Microsoft
Tunnel.
d. If your app requires a trusted certificate, select Root Certificate to open the
Select Root Certificates pane, and then select a trusted certificate profile to use.

For information about configuring root certificate profiles, see Trusted root
certificate profiles for Microsoft Intune.

3. After configuring the Tunnel MAM settings, select Next to open the Assignments
tab.

Known Issues

The following are known issues or limitations for MAM Tunnel for Android.

MAM Tunnel not supported when using the MDM Tunnel

You can choose to use MAM Tunnel with enrolled devices instead of using MDM Tunnel
configurations. However, an enrolled device must use only the MDM Tunnel
configurations or the MAM Tunnel configurations, but not both. For example, enrolled
devices can't have an app like Microsoft Edge that uses MAM tunnel configurations
while other apps use MDM Tunnel configurations.

Workaround: None.

Delivering trusted root certificates to Microsoft Edge on Android

When unenrolled devices access resources protected by SSL/TLS certificates issued by
an on-premises certificate authority (CA), the devices require the public certificate
chain of the issuing CA to establish a chain of trust with the on-premises
endpoint (that is, a web server or application web service). As a result, a browser (Microsoft
Edge or a third-party browser) or application won't trust the endpoint without the
necessary on-premises CA chain (trusted cert). For example, Microsoft Edge reports
that the connection isn't private or is untrusted, and SSL or HTTPS connections aren't
available. Users can ignore this warning and connect to the endpoint.

Workaround: Manually deploy and install the trusted root certificate on unenrolled
Android devices that will use Microsoft Edge with Tunnel.

Line of business application using WebView and Intune SDK for trusted root
support: internal endpoints are unrenderable

Workaround: Manually deploy and install the trusted root certificate on unenrolled
Android devices that will use LOB Apps with WebView on Tunnel.

Android fails to build the certificate chain when you use a private certification
authority

When using WebView with MAMCertTrustWebViewClient in MAM to validate
certificates, MAM delegates to Android to build a certificate chain from the certificates
provided by the admin and by the server. If a server that uses private certificates provides
the full chain to the connecting WebView but the admin deploys only the root
certificate, Android may fail to build the certificate chain and will fail the server trust
check. This is because Android requires the intermediate certificates to build the chain
to an acceptable level.

Workaround: To ensure proper certificate validation, admins must deploy the root
certificate and all intermediate certificates in Intune. If the root certificate along with all
intermediate certificates are not deployed, Android can fail to build the certificate chain
and fail to trust the server.
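To see why a root-only trusted certificate profile can leave the client unable to build a chain, here is an added example (my code, not from the Intune documentation, the Intune App SDK or Android) that generates a constructed three-tier private CA hierarchy in memory with Go's crypto/x509 and runs the same path-building check a client performs: can the server's leaf be chained to a deployed trust anchor? The CA names, the hostname intranet.contoso.internal and the serial numbers are constructed. It models the general chain-building requirement for the case where the intermediate has to come from the deployed profile, not Android's own trust manager: deploying only the root fails to verify the leaf, deploying the root plus the issuing CA succeeds.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostname of an internal web server (hypothetical, not from the documentation).
const internalHost = "intranet.contoso.internal"

// pki holds a constructed private CA hierarchy: offline root -> issuing CA -> web server leaf.
type pki struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue signs tmpl with parentKey; when parent is nil the certificate is self-signed (a root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate returns a CA certificate template valid for one day around now.
func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// buildTestPKI generates the constructed hierarchy in memory (no files, no network).
func buildTestPKI() (*pki, error) {
	now := time.Now()
	root, rootKey, err := issue(caTemplate(1, "Contoso Private Root CA", now), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate(2, "Contoso Issuing CA", now), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: internalHost},
		DNSNames:     []string{internalHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &pki{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// chainBuilds models the client's check: can the server's leaf be chained to a trust anchor
// using only the certificates the admin deployed? Self-signed certificates in the deployed
// set become trust anchors; every other CA certificate is usable only as an intermediate.
// It returns nil when a chain builds and the verification error otherwise.
func chainBuilds(leaf *x509.Certificate, deployed []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range deployed {
		if bytes.Equal(c.RawIssuer, c.RawSubject) {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	p, err := buildTestPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("root only:        ", chainBuilds(p.Leaf, []*x509.Certificate{p.Root}, internalHost))
	fmt.Println("root+intermediate:", chainBuilds(p.Leaf, []*x509.Certificate{p.Root, p.Intermediate}, internalHost))
}
```

The root-only run reports an unknown-authority error because the leaf's issuer is the issuing CA, which is neither a trust anchor nor an available intermediate; adding the issuing CA to the deployed set is exactly the workaround above. Before assigning a trusted certificate profile, you can feed it the real root and intermediate certificates in place of the constructed ones to confirm the full chain is present.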

Defender for Endpoint certificate error when using a TLS/SSL certificate from a
private certificate authority

When Microsoft Tunnel Gateway server uses a TLS/SSL certificate issued by a private
(on-premises) CA, Microsoft Defender for Endpoint generates a certificate error when
attempting to connect.

Workaround: Manually install the corresponding trusted root certificate of the private
certificate authority on the Android device. A future update of the Defender for
Endpoint app will provide support and remove the need to manually install the trusted
root certificate.

Microsoft Edge can't reach internal resources for a short time after being launched

Immediately after Microsoft Edge opens, the browser attempts to connect to internal
resources before successfully connecting to Tunnel. This behavior results in the browser
reporting that the resource or destination URL is unavailable.

Workaround: Refresh the browser connection on the device. The resource becomes
available after the connection to Tunnel is established.

The three apps required to support Tunnel for unenrolled devices aren't visible in
the Company Portal app on a device

After Microsoft Edge, Microsoft Defender for Endpoint, and the Company Portal are
assigned to a device as available with or without enrollment, the targeted user can't find
the apps in the Company Portal or at portal.manage.microsoft.com.

Workaround: Install all three apps manually from the Google Play store. You'll find links
to all three apps on Google Play in this article's Prerequisites section.

Error: "MSTunnel VPN is failed to start, contact your IT administrator for help"

This error message can occur even though the tunnel is connected.

Workaround: This message can be ignored.

Error: Invalid Licensing, please contact administrator

This error occurs when the version of Microsoft Defender for Endpoint doesn't support
Tunnel.

Workaround: Install the supported version of Defender for Endpoint from Microsoft
Defender - Apps on Google Play.

Using multiple policies for Defender to configure different tunnel sites for different
apps isn't supported

Use of two or more app configuration policies for Microsoft Defender that specify
different Tunnel Sites isn't supported and can result in a race condition that prevents
successful use of Tunnel.

Workaround: Target each device with a single app configuration policy for Microsoft
Defender, ensuring each unenrolled device is configured to use only one Site.

GCC High and FIPS support

Microsoft Tunnel for MAM is supported for GCC High environments, but doesn't
support Federal Information Processing Standard (FIPS).

Next steps

Overview of Microsoft Tunnel for Mobile Application Management
MAM Tunnel for iOS

Also see:

Configure Microsoft Tunnel
Monitor Microsoft Tunnel
Microsoft Tunnel for Mobile Application
Management for iOS/iPadOS
Article • 08/30/2023

Note

This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.

When you add Microsoft Tunnel for Mobile Application Management (MAM) to your
tenant, you can use Microsoft Tunnel VPN Gateway with unenrolled iOS devices to
support the following MAM scenarios:

Provide secure access to on-premises resources using modern authentication,
single sign-on (SSO), and Conditional Access.
Allow end users to use their personal device to access company on-premises
resources. MDM (Mobile Device Management) enrollment isn't required and
company data stays protected.
Allow organizations to adopt a bring-your-own-device (BYOD) program. BYOD or
personal devices reduce the overall total cost of ownership, ensure user privacy,
and keep corporate data protected on these devices.

Applies to:

iOS/iPadOS

Tunnel for MAM iOS is a powerful tool that allows organizations to securely manage
and protect their mobile applications. The VPN connection for this solution is provided
through the Microsoft Tunnel for MAM iOS SDK.

In addition to using MAM Tunnel with unenrolled devices, you can also use it with
enrolled devices. However, an enrolled device must use either the MDM Tunnel
configurations or the MAM Tunnel configurations, but not both. For example, enrolled
devices can't have an app like Microsoft Edge that uses MAM tunnel configurations
while other apps use MDM Tunnel configurations.

To use the Microsoft Tunnel for MAM iOS, you must update your Line of Business (LOB)
apps to integrate the following three SDKs. Find guidance for integrating each SDK later
in this article:

Intune App SDK for iOS
Microsoft Authentication Library (MSAL)
Tunnel for MAM iOS SDK

Tunnel for MAM iOS SDK Architecture

The following diagram describes the flow from a managed app that has successfully
been integrated with Tunnel for MAM SDK for iOS.

Actions
0. Upon initial launch of the app, a connection is made via the Tunnel for MAM SDK.
1. An authentication token is required to authenticate.
a. The device may already have an Azure AD auth token obtained from a previous
sign-in using another MAM enabled app on the device (like Outlook, Microsoft
Edge, and Microsoft 365 Office mobile apps).
2. A TCP connection is made and a TLS handshake occurs with the token to the tunnel
server.
3. If UDP is enabled on the Microsoft Tunnel Gateway, a data-channel connection
using DTLS is made. If UDP is disabled, then TCP is used to establish the data
channel to Tunnel gateway. See TCP, UDP notes in the Microsoft Tunnel
Architecture.
4. When the mobile app makes a connection to an on-premises corporate resource:
a. A Microsoft Tunnel for MAM API connect request for that company resource
occurs.
b. An encrypted web request gets made to the corporate resource.

Note

The Tunnel for MAM iOS SDK provides the VPN tunnel. It's scoped to the networking
layer within the app. VPN connections are not displayed in iOS settings.

Each active line-of-business (LOB) app that's integrated with the Tunnel for MAM iOS
SDK and that runs in the foreground represents an active client connection on the
Tunnel Gateway server. The mst-cli command-line tool can be used to monitor
active client connections. For information about the mst-cli command-line tool, see
Reference for Microsoft Tunnel Gateway.

Configure Intune policies for Microsoft Tunnel for MAM iOS

Microsoft Tunnel for MAM iOS uses the following Intune policies and profiles:

App configuration policy - Configures the Microsoft Tunnel Gateway settings for
Edge and LOB apps. You can add any trusted certificates required for on-premises
resource access.
App protection policy - Configures data protection settings. It also establishes a
way to deploy an app configuration policy that configures the Microsoft Tunnel
settings for Edge and LOB apps.
Trusted certificate profile - For apps that connect to on-premises resources and
are protected by an SSL/TLS certificate issued by an on-premises or private
certificate authority (CA).

Configure an app configuration policy for LOB apps

Create an app configuration policy for apps that use Tunnel for MAM. This policy
configures an app to use a specific Microsoft Tunnel Gateway Site, proxy, and trusted
certificate(s) for Edge and line-of-business (LOB) apps. These resources are used when
connecting to on-premises resources.

1. Sign in to the Microsoft Intune admin center and go to Apps > App
Configuration policies > Add > Managed Apps.

2. On the Basics tab, enter a Name for the policy and a Description (optional).

3. For LOB apps, select + Select custom apps to open the Select apps to target pane.
On the Select apps to target pane:
a. For Bundle or Package ID, specify the LOB app's Bundle ID.
b. For Platform, select iOS/iPadOS, and then select Add.
c. Select the app you just added, and then Select.

Note

LOB apps require Intune App SDK for iOS and MSAL integration. MSAL
requires an Azure AD app registration. Ensure the Bundle ID used in the App
configuration policy is the same Bundle ID specified in the Azure AD app
registration and the Xcode app project. Xcode is the Apple Integrated
Developer Environment that runs on macOS and is used to integrate the
Tunnel for MAM iOS SDK with your app.

After selecting an app, select Next.

For more information about adding custom apps to policies, see App configuration
policies for Intune App SDK managed apps.

4. On the Settings tab, expand Microsoft Tunnel for Mobile Application Management
settings and configure the following options:

Note

When configuring proxy and split tunneling, if the proxy server is configured in the
included routes, all traffic will flow through the proxy. If the proxy server is not
configured in the included routes, then all traffic will be blocked. Enabling both split
tunneling and proxy is not supported.

a. Set Use Microsoft Tunnel for MAM to Yes.
b. For Connection name, specify a user facing name for this connection, like mam-
tunnel-vpn.
c. Next, select Select a Site, and choose one of your Microsoft Tunnel Gateway sites.
If you haven't configured a Tunnel Gateway site, see Configure Microsoft Tunnel.
d. If your app requires a trusted certificate, select Root Certificate, and then select a
trusted certificate profile to use. For more information, see Configure a trusted
certificate profile later in this article.

For federated Azure Active Directory tenants, the following configuration is required
to ensure that your applications can authenticate and access the required resources.
This configuration bypasses the URL of the publicly available secure token service:

On the Settings tab, expand General configuration settings and then configure the
Name and Value pair as follows to set up the Edge profile for Tunnel:
Name = com.microsoft.tunnel.custom_configuration
Value = {"bypassedUrls":["Company’sSTSURL"]}

Note

The bypassedUrl should include the federation STS endpoint.

For example, Value might appear as {"bypassedUrls":["ipcustomer.com",
"whatsmyip.org"]}.

After configuring the Tunnel MAM settings, select Next to open the Assignments tab.

5. On the Assignments tab, select Add Groups, and then select one or more Azure AD
user groups that will receive this policy. After configuring groups, select Next.

6. On the Review + Create tab, select Create to complete creation of the policy and
deploy the policy to the assigned groups.

The new policy appears in the list of App configuration policies.

Configure an app configuration policy for Microsoft Edge

Create an App configuration policy for Microsoft Edge. This policy configures Edge on
the device to connect to Microsoft Tunnel.

Note

If you already have an app configuration policy created for your LOB App, you can
edit that policy to include Edge and the required key/value pair settings.

1. In the Microsoft Intune admin center, go to Apps > App Configuration policies
> Add > Managed Apps.

2. On the Basics tab:

a. Enter a Name for the policy and a Description (optional).
b. Click on Select public apps, select Microsoft Edge for iOS/iPadOS, and then
click Select.
c. After Microsoft Edge is listed for Public apps, select Next.

3. On the Settings tab, expand General configuration settings and then configure the
Name and Value pair as follows to set up the Edge profile for Tunnel:

Name =
com.microsoft.intune.mam.managedbrowser.TunnelAvailable.IntuneMAMOnly
Value = True

Note

Ensure there are no trailing spaces at the end of the General configuration
settings. These settings provide Identity switch support to Microsoft Edge on
iOS. This enables Edge on iOS to automatically connect the VPN when signing
in with a Work account or School account and to disconnect the VPN when
switching to a Personal account, enabling InPrivate browsing.

For federated Azure Active Directory tenants, the following configuration is
required to ensure that Edge can authenticate and access the required resources.
This configuration bypasses the URL of the publicly available secure token
service:

a. On the Settings tab, expand General configuration settings and then configure
the Name and Value pair as follows to set up the Edge profile for Tunnel:

Name = com.microsoft.tunnel.custom_configuration
Value = {"bypassedUrls":["Company’sSTSURL"]}

Note

The bypassedUrl should include the federation STS endpoint.

For example, Value might appear as {"bypassedUrls":["ipcustomer.com",
"whatsmyip.org"]}.

If you have other Microsoft Edge specific configurations to configure, do so with
this same policy, including configurations in the Edge configuration settings
category.

After any additional configurations for Microsoft Edge are ready, select Next.

4. On the Assignments tab, select Add Groups, and then select one or more Azure AD
groups that will receive this policy. After configuring groups, select Next.

5. On the Review + Create tab, select Create to complete creation of the policy and
deploy the policy to the assigned groups.
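The Edge General configuration settings described in this section and in the Android Edge policy section (the TunnelAvailable.IntuneMAMOnly key, and the com.microsoft.tunnel.custom_configuration JSON for federated tenants) fail quietly when a value carries a trailing space, the JSON is malformed, or the STS placeholder is left in. The following added example (my code, not Microsoft's, and it does not talk to Intune) checks a set of name/value pairs for exactly those problems; you fill the Go map from the pairs you are about to save in the policy. The federated flag and the sample host sts.contoso.com are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Setting names as documented for the Edge app configuration policy.
const (
	tunnelAvailableKey = "com.microsoft.intune.mam.managedbrowser.TunnelAvailable.IntuneMAMOnly"
	customConfigKey    = "com.microsoft.tunnel.custom_configuration"
)

// stsPlaceholder is the placeholder shown in the documentation; it must be replaced with the real STS host.
const stsPlaceholder = "Company’sSTSURL"

// customConfig mirrors the documented JSON value of com.microsoft.tunnel.custom_configuration.
type customConfig struct {
	BypassedUrls []string `json:"bypassedUrls"`
}

// checkEdgeTunnelConfig validates the General configuration settings of an Edge app
// configuration policy and returns one message per problem (empty means OK).
// Set federated to true when the tenant is federated and the STS bypass entry is required.
func checkEdgeTunnelConfig(pairs map[string]string, federated bool) []string {
	var problems []string
	names := make([]string, 0, len(pairs))
	for n := range pairs {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic report order
	for _, n := range names {
		if strings.TrimSpace(n) != n || strings.TrimSpace(pairs[n]) != pairs[n] {
			problems = append(problems, fmt.Sprintf("%q: name or value has leading/trailing whitespace", n))
		}
	}
	switch v, ok := pairs[tunnelAvailableKey]; {
	case !ok:
		problems = append(problems, tunnelAvailableKey+" is missing")
	case strings.TrimSpace(v) != "True":
		problems = append(problems, fmt.Sprintf("%s must be True, got %q", tunnelAvailableKey, v))
	}
	raw, ok := pairs[customConfigKey]
	if !ok {
		if federated {
			problems = append(problems, customConfigKey+" is required for federated tenants")
		}
		return problems
	}
	var cfg customConfig
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return append(problems, fmt.Sprintf("%s is not valid JSON: %v", customConfigKey, err))
	}
	if len(cfg.BypassedUrls) == 0 {
		problems = append(problems, customConfigKey+": bypassedUrls is empty; list the federation STS endpoint")
	}
	for _, u := range cfg.BypassedUrls {
		if strings.TrimSpace(u) == "" || u == stsPlaceholder {
			problems = append(problems, fmt.Sprintf("bypassedUrls entry %q is empty or still the placeholder", u))
		}
	}
	return problems
}

func main() {
	// Constructed policy values carrying a trailing space, the mistake the note above warns about.
	pairs := map[string]string{
		tunnelAvailableKey: "True ",
		customConfigKey:    `{"bypassedUrls":["sts.contoso.com"]}`,
	}
	for _, p := range checkEdgeTunnelConfig(pairs, true) {
		fmt.Println("problem:", p)
	}
}
```

The whitespace check runs over every pair, not just the two documented keys, because the same trailing-space problem applies to any General configuration setting; the JSON check catches a value that looks right in the portal but will not parse on the device.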

Configure an app protection policy

An App protection policy is required to configure Microsoft Tunnel for apps that use the
Microsoft Tunnel for MAM iOS.

This policy provides the necessary data protection and establishes a means of delivering
app configuration policy to apps. To create an app protection policy, use the following
steps:

1. Sign in to the Microsoft Intune admin center and go to Apps > App protection
policies > + Create policy > and select iOS/iPadOS.

2. On the Basics tab, enter a Name for the policy, and a Description (optional), and
then select Next.

3. On the Apps tab:

a. Set Target apps on all device types to No.
b. For Device types, select Unmanaged.

4. For LOB apps, select + Select custom apps to open the Select apps to target
pane. Next, on the Select apps to target pane:
a. For Bundle ID, specify the LOB app's Bundle ID and then select Add.
b. Select the app you just added, and then Select.

Note

LOB apps require Intune App SDK for iOS and MSAL integration. MSAL
requires an Azure AD app registration. Ensure the Bundle ID used in the App
configuration policy is the same Bundle ID specified in the Azure AD app
registration and the Xcode app project.

5. In the Data protection, Access requirements, and Conditional launch tabs, configure
any remaining app protection policy settings based on your deployment and data
protection requirements.

6. On the Assignments tab, select Add Groups, and then select one or more Azure AD
user groups that will receive this policy. After configuring groups, select Next.

The new policy appears in the list of App protection policies.

Configure a trusted certificate profile


Apps that use the MAM Tunnel to connect to an on-premises resource protected by an
SSL/TLS certificate issued by an on-premises or private certificate authority (CA) require
a trusted certificate profile. If your apps don't require this type of connection, then you
can skip this section. The trusted certificate profile isn't added to the app configuration
policy.

A trusted certificate profile is required to establish a chain of trust with your on-
premises infrastructure. The profile allows the device to trust the certificate that's used
by the on-premises web or application server, ensuring secure communication between
the app and the server.

Tunnel for MAM uses the public-key certificate payload contained in the Intune trusted
certificate profile but doesn’t require the profile be assigned to any Azure AD user or
device groups. As a result, a trusted certificate profile for any platform can be used. So,
an iOS device can use a trusted certificate profile for Android, iOS, or Windows to meet
this requirement.

) Important

Tunnel for MAM iOS SDK requires that trusted certificates use the DER encoded
binary X.509 or PEM certificate format.

During configuration of the app configuration profile for an app that will use Tunnel for
MAM, you select the certificate profile that will be used. For information on configuring
these profiles, see Trusted root certificate profiles for Microsoft Intune.

Configure Line of Business apps in the Azure AD portal

Line of Business apps that use Microsoft Tunnel for MAM iOS require:

A Microsoft Tunnel Gateway service principal Cloud app
Azure AD app registration

Microsoft Tunnel Gateway service principal

If not already created for Microsoft Tunnel MDM Conditional Access, provision the
Microsoft Tunnel Gateway service principal Cloud app. For guidance, see Use Microsoft
Tunnel VPN gateway with Conditional Access policies.

Azure AD app registration

When you integrate the Tunnel for MAM iOS SDK into a line-of-business app, the
following app registration settings must match your Xcode app project:

Application ID
Tenant ID

Depending on your needs, choose one of the following options:

Create a new app registration

If you have an iOS app that hasn't been previously integrated with the Intune App
SDK for iOS, or the Microsoft Authentication Library (MSAL), then you need to
create a new app registration. The steps to create a new app registration include:
App registration
Authentication configuration
Adding API Permissions
Token configuration
Verify using Integration assistant

Update an existing app registration

If you have an iOS app that previously integrated with the Intune App SDK for iOS,
then you need to review and update the existing app registration.

Create a new app registration

The Azure AD online docs provide detailed instruction and guidance on how to create
an app registration.

The following guidance is specific to requirements for the Tunnel for MAM iOS SDK
integration.

1. In the Azure AD portal for your tenant, go to Azure Active Directory, and then
under Manage, select App registrations > + New registration.

2. On the Register an application page:

Specify a Name for the app registration.
Select Account in this organizational directory only (YOUR_TENANT_NAME
only - Single tenant).
A Redirect URI doesn't need to be provided at this time. One is created
automatically during a later step.
Select Register to complete the registration. An Overview page for the app
registration opens.

3. On the Overview pane, note the values for Application (client) ID and the Directory
(tenant) ID. These values are required for the app registration's Xcode project. After
recording the two values, under Manage, select Authentication.

4. On the Authentication pane for your app registration, select + Add a platform, and
then select the tile for iOS/macOS. The Configure your iOS or macOS app pane
opens.

5. On the Configure your iOS or macOS app pane, enter the Bundle ID for the Xcode
app to be integrated with the Tunnel for MAM iOS SDK, and then select Configure.
The iOS/macOS configuration pane opens.
The Bundle ID in this view must exactly match the Bundle ID in Xcode. This detail
can be found in the following locations in the Xcode project:

info.plist > IntuneMAMSettings: ADALRedirectUri
Project > General > Identity: Bundle ID

A Redirect URI and MSAL Configuration are automatically generated. Select Done at
the bottom of the dialog window to finish. No other settings are required for
Authentication.

6. Next, while viewing the app registration, select API permissions and then + Add a
permission. Add the API permissions for Microsoft Mobile Application Management
and Microsoft Tunnel Gateway:

On the Request API permissions page, select the tab for APIs my organization
uses.
Search for Microsoft Mobile Application Management, select the result, and
then select the checkbox.
Select Add permissions.

Next, repeat the process for the second permission:

Select + Add a permission and go to the APIs my organization uses tab.
Search for Microsoft Tunnel Gateway, select the result, and then select the
checkbox for Tunnel Allow.
Select Add permissions.

To complete the configuration, return to the API permissions pane and select Grant
admin consent for YOUR_TENANT, and then select Yes.

7. Next, while viewing the app registration, select Token configuration, and then +
Add optional claim. On the Add optional claim page, for Token type select Access,
and then for Claim, select the checkbox for acct. Tunnel for MAM requires this
Auth token to authenticate users to Azure AD.

Select Add to complete configuration of the Token.

8. To verify that all settings were applied successfully, select Integration assistant:

For What application types are you building? select Mobile app (Android, iOS,
Xamarin, UWP).
Set Is this application calling APIs? to No, and then select Evaluate my app
registration.

The results should show a status of Complete for both Recommended
configurations and Discouraged configurations.

Update an existing app registration

When you already have an app registration, you can choose to update it instead of
creating a new one. Review the following settings and make changes when needed.

Application ID and Tenant ID
Authentication configuration
API Permissions
Token configuration
Integration assistant

1. In the Azure AD portal, go to Azure Active Directory, and then under Manage,
select App registrations. Next, select the app registration that you want to review
and update to open its Overview pane. Record the values for the Application
(client) ID and the Directory (tenant) ID.

These values must exactly match the following values in your Xcode app project:

info.plist > IntuneMAMSettings
Application (client) ID = ADALClientId
Directory (tenant) ID = ADALAuthority

2. Select Authentication and review the app platform type. It must be iOS/macOS
and have a Bundle ID and Redirect URI. The Redirect URI must be formed as
msauth.Your_Bundle_ID://auth .

Next, select View to view the details of the Bundle ID and Redirect URI. Ensure that
a MSAL Configuration is present. If it isn't, see Create an Azure AD app and service
principal in the portal - Microsoft Entra for guidance.

As in the previous step, compare the values Bundle ID and Redirect URI with these
values from your Xcode app project:

Project > General > Identity: Bundle ID


info.plist > IntuneMAMSettings: ADALRedirectUri

Also ensure the Xcode Bundle Identifier in your app project matches the app
registration Bundle ID:
3. Verify, and update the API permissions. Ensure you have Microsoft Graph, and
Microsoft Mobile Application Management permissions already set.

Next add permissions for the Microsoft Tunnel Gateway service principal:

a. Select + Add a permission.

b. Select the API my organization uses tab

c. Search for Microsoft Tunnel Gateway, and select it to Request API permissions.

If Microsoft Tunnel Gateway doesn't appear in the list, then it hasn't been
provisioned. To provision it, see Use Microsoft Tunnel VPN gateway with
Conditional Access policies.

d. Select the Tunnel_Allow permission and select on Add permission to continue.

Next, grant admin consent for the new permissions:


a. Select Grant admin consent for YOUR_TENANT_NAME.
b. In the Grant admin consent confirmation dialog, select Yes.

After being updated, you should see the following three API permissions with the
status of Granted for YOUR_TENANT_NAME:

Microsoft Graph
Microsoft Mobile Management
Microsoft Tunnel Gateway

4. Select Token configuration to confirm the settings. For Claim, you should see a
value for acct with a Token type of Access.

If acct isn't present, select +Add optional claim to add a claim:


a. For Token type, select Access.
b. Select the checkbox for acct.
c. Select Add to complete the configuration.

5. Select Integration assistant to validate the app registration:

a. For What application types are you building? select Mobile app (Android, iOS,
Xamarin, UWP).
b. Set Is this application calling APIs? to No, and then select Evaluate my app
registration.

The results should show a status of Complete for both Recommended
configurations and Discouraged configurations.
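The comparisons in steps 1 through 3 above can be scripted so that they run in CI before every build. The following Python script is an added example, not code from the Intune documentation or from the Intune SDK. It reads an Info.plist with the standard library's plistlib and reports every IntuneMAMSettings value that disagrees with the app registration. The app registration GUIDs, the bundle ID and the plist content are constructed placeholders; the script also assumes that ADALAuthority is an authority URL whose last path segment is the tenant ID (a bare tenant ID is accepted too).

```python
"""Cross-check an iOS app's Info.plist IntuneMAMSettings against the Azure AD
app registration, following the comparison steps described above.
Added example; not part of the Intune documentation or of the Intune SDK."""
import plistlib
import re

# Constructed sample values: placeholder GUIDs and bundle ID, not a real
# tenant or app registration.
APP_REGISTRATION = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "bundle_id": "com.contoso.lobapp",
    "redirect_uri": "msauth.com.contoso.lobapp://auth",
}

# Constructed Info.plist fragment with the keys the procedure above compares.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.contoso.lobapp</string>
  <key>IntuneMAMSettings</key>
  <dict>
    <key>ADALClientId</key>
    <string>11111111-2222-3333-4444-555555555555</string>
    <key>ADALAuthority</key>
    <string>https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
    <key>ADALRedirectUri</key>
    <string>msauth.com.contoso.lobapp://auth</string>
  </dict>
</dict>
</plist>
"""

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def expected_redirect_uri(bundle_id):
    """Redirect URI form the app registration requires: msauth.<bundle id>://auth."""
    return f"msauth.{bundle_id}://auth"


def tenant_from_authority(authority):
    """ADALAuthority is taken to be either the bare tenant ID or an authority URL
    whose last path segment is the tenant ID (assumption, e.g.
    https://login.microsoftonline.com/<tenant>). Returns the tenant portion."""
    return authority.rstrip("/").rsplit("/", 1)[-1]


def check_mam_settings(plist_bytes, registration):
    """Return a list of mismatches; an empty list means the plist agrees with the
    app registration on every value the procedure above compares."""
    info = plistlib.loads(plist_bytes)
    mam = info.get("IntuneMAMSettings") or {}
    problems = []

    client_id = mam.get("ADALClientId", "")
    if not GUID_RE.match(client_id):
        problems.append(f"ADALClientId is not a GUID: {client_id!r}")
    elif client_id.lower() != registration["client_id"].lower():
        problems.append("ADALClientId does not match the Application (client) ID")

    tenant = tenant_from_authority(mam.get("ADALAuthority", ""))
    if tenant.lower() != registration["tenant_id"].lower():
        problems.append("ADALAuthority does not carry the Directory (tenant) ID")

    bundle_id = info.get("CFBundleIdentifier", "")
    if bundle_id != registration["bundle_id"]:
        problems.append("CFBundleIdentifier does not match the registration Bundle ID")

    redirect = mam.get("ADALRedirectUri", "")
    if redirect != expected_redirect_uri(bundle_id):
        problems.append(
            f"ADALRedirectUri should be {expected_redirect_uri(bundle_id)!r}, got {redirect!r}")
    if redirect != registration["redirect_uri"]:
        problems.append("ADALRedirectUri does not match the registration Redirect URI")
    return problems


if __name__ == "__main__":
    # In a real build, read the bytes from the app target's Info.plist instead.
    report = check_mam_settings(SAMPLE_INFO_PLIST, APP_REGISTRATION)
    for line in report or ["OK: Info.plist matches the app registration"]:
        print(line)
```

Treat a non-empty report as a build failure: a wrong ADALRedirectUri or ADALAuthority surfaces at runtime as an authentication failure that is much harder to diagnose than a failed check here.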

Xcode Line of Business app integration

Xcode is Apple's integrated development environment. It runs on macOS and is
used to integrate the Tunnel for MAM iOS SDK with your app.

The following are requirements for using Xcode to integrate an iOS app with
Microsoft Tunnel for MAM iOS:

macOS – To run Xcode
Xcode 14.0 or later
MAM-SDK – minimum version 16.1.1
MSAL-SDK – minimum version 1.2.3
Tunnel for MAM iOS SDK, available on GitHub

For guidance on integrating the SDK, see Tunnel for MAM iOS SDK developer guide.

Known Issues
The following are known issues or limitations for Tunnel for MAM on iOS. For known
issues with the Microsoft Tunnel for MAM iOS SDK, go to Tunnel for MAM iOS SDK
developer guide.
MAM Tunnel not supported when using the MDM Tunnel

You can choose to use MAM Tunnel with enrolled devices instead of using MDM Tunnel
configurations. However, deploying both MAM and MDM Tunnel app configuration
policies that contain Microsoft Tunnel settings to the same device isn't supported and
results in client networking failures.

For example, enrolled devices can't have an app like Microsoft Edge that uses a MAM
Tunnel app configuration policy setting while other apps use MDM Tunnel
configurations.

Workaround: To use MAM Tunnel with enrolled devices, ensure that the Defender for
Endpoint iOS app doesn't have an app configuration policy with Microsoft Tunnel
settings configured.

Firebase Integration with Tunnel for MAM iOS

When using Microsoft Tunnel for iOS with an app that integrates Firebase, if the app
doesn't establish a connection to Tunnel before initializing Firebase, initialization issues
and unexpected behavior can occur.

Workaround: To avoid this issue, ensure that the app logic establishes a
successful connection to Tunnel before it initializes Firebase.

To learn more about Firebase, see https://firebase.google.com/.

Newly created custom app not showing in UX

When you create a custom app configuration policy, the newly added app might not
appear in the list of targeted apps or the list of available custom apps.

Workaround: Refresh the Intune admin center and open the policy again:

1. In the Intune admin center, go to Apps > App Configuration Policies > Add.
2. Select custom apps, add a Bundle or Package ID for iOS, complete the flow, and
create the app config policy.
3. Edit the basic settings. The newly added bundle ID should appear in the list of
targeted custom apps.

Microsoft Authenticator app does not work with Tunnel for MAM iOS Conditional Access

Workaround: If you have a Conditional Access policy for Microsoft Tunnel Gateway that
requires multifactor authentication as a Grant access control, you must implement the
"onTokenRequiredWithCallback" method in the Microsoft Tunnel Delegate class within
your line of business applications.

Federated Azure Active Directory tenants

Users of federated tenants can fail to sign in when the MAM Tunnel connects. This
occurs in the Edge browser when users sign in with a work account, and when users
sign in to a LOB app for the first time. To address it, create a General configuration
setting in app configuration that excludes the customer's STS (the federated server URL)
from the tunnel.

Workaround: Create a "General configuration setting":

key: com.microsoft.tunnel.custom_configuration

value: {"bypassedUrls":["ipchicken.com", "whatsmyip.org"]}

Note

The hostnames in the example value are placeholders. The bypassedUrls list must include
the federation STS endpoint.

Limitations when using Edge on iOS/iPadOS

Tunnel for MAM doesn't support:

On-premises sites that use Kerberos or NTLM integrated authentication for web server
sign-in.

Workaround: None.

Next steps
Configure Microsoft Tunnel
Monitor Microsoft Tunnel
MAM Tunnel for Android
Monitor Microsoft Tunnel
Article • 02/22/2023

After installation of Microsoft Tunnel, you can view the server configuration and server health in
the Microsoft Intune admin center.

Use the admin center UI

Sign in to the Microsoft Intune admin center, and go to Tenant administration > Microsoft Tunnel
Gateway > Health status.

Select a server and then open the Health check tab to view that server's health status metrics. By
default, each metric uses predefined threshold values that determine the status. The following
metrics support customization of these thresholds:

CPU usage
Memory usage
Disk space usage
Latency

Default values for server health metrics:

Last check-in – When the Tunnel Gateway server last checked in with Intune.
Healthy – The last check-in was within the last five minutes.
Unhealthy – More than five minutes have passed since the last check-in.

Current connections – The number of unique connections that were active at the last server
check-in.
Healthy – There were 4,990 or fewer connections
Unhealthy – There were more than 4,990 active connections

Throughput – The megabits per second of traffic passing through the Tunnel Gateway
NIC at the last server check-in.

CPU usage – The average CPU use by the Tunnel Gateway server every five minutes.
Healthy - 95% or less
Warning - 96% to 99%
Unhealthy - 100% use

Memory usage – The average memory use by the Tunnel Gateway server every 5 minutes.
Healthy - 95% or less
Warning - 96% to 99%
Unhealthy - 100% use

Latency – The average amount of time it takes for IP packets to arrive and then exit the
network interface.
Healthy - Less than 10 milliseconds
Warning - 10 milliseconds to 20 milliseconds
Unhealthy - More than 20 milliseconds

TLS certificate - The number of days until the TLS certificate that secures traffic between
clients and the Tunnel Gateway server will expire.
Healthy - More than 30 days
Warning - 30 days or less
Unhealthy - The certificate is expired

Internal network accessibility – Status from the most recent check of the internal URL. You
configure the URL as part of a Tunnel Site configuration.
Healthy - The server can access the URL specified in the site properties.
Unhealthy - The server can't access the URL specified in the site properties.
Unknown - This status appears when you haven't set a URL in the site properties. This
status doesn’t affect the overall status of the site.

Server version - The status of the Tunnel Gateway Server software, in relation to the most
recent version.
Healthy - Up to date with the most recent software version
Warning - One version behind
Unhealthy - Two or more versions behind, and out of support

When Server version isn’t Healthy, plan to install upgrades for Microsoft Tunnel.

Manage health status thresholds

You can customize the following Microsoft Tunnel health status metrics to change the thresholds
each uses to report its status. Customizations are tenant-wide and apply to all Tunnel servers.
The health check metrics you can customize include:

CPU usage
Memory usage
Disk space usage
Latency

To modify a metric's threshold value:

1. Sign in to the Microsoft Intune admin center and go to Tenant administration > Microsoft
Tunnel Gateway > Health status.

2. Select Configure thresholds.

3. On the Configure thresholds page, set new thresholds for each health check category that
you want to customize.

Threshold values apply to all servers at all sites.


Select Revert to default to restore all thresholds back to their default values.

4. Select Save.

5. On the Health status pane, select Refresh to update the status of all servers based on the
customized threshold values.

After you modify thresholds, the values on a server's Health check tab automatically update to
reflect its status, based on the current thresholds.

Health status trends for Tunnel servers

View trends for Microsoft Tunnel Gateway health metrics as charts. Data
for the charts is averaged over a three-hour block and as such can be delayed up to three hours.

The health status trend charts are available for the following metrics:

Connections
CPU usage
Disk space usage
Memory usage
Average latency
Throughput

To view trend charts:

1. Sign in to the Microsoft Intune admin center .

2. Go to Tenant administration > Microsoft Tunnel Gateway > Health status, select a
server, and then select Trends.

3. Use the Metric drop-down to select the metric chart you want to view.

Use mst-cli command-line tool

Use the mst-cli command-line tool to get information about the Microsoft Tunnel server. The tool
is added to the Linux server when Microsoft Tunnel installs and is located at
/usr/sbin/mst-cli.

For more information and command-line examples, see mst-cli command-line tool for Microsoft
Tunnel.

View Microsoft Tunnel logs

Microsoft Tunnel logs information to the Linux server logs in the syslog format. To view log
entries, use the journalctl -t command followed by one or more tags that are specific to
Microsoft Tunnel entries:

mstunnel-agent - Display agent logs.

mstunnel_monitor - Display monitoring task logs.

ocserv - Display server logs.

ocserv-access - Display access logs.

By default, access logging is disabled. Enabling access logs can reduce performance,
depending on the number of active connections and usage patterns on the server. Logging
for DNS connections increases the verbosity of the logs, which can become noisy.

Access logs have the following format: <Server timestamp><Server Name><ProcessID on
Server><userId><deviceId><protocol><src IP and port><dst IP and port><bytes sent>
<bytes received><connection time in seconds>. For example:

Feb 25 16:37:56 MSTunnelTest-VM ocserv-access[9528]: ACCESS_LOG,41150dc4-238x-4dwv-9q89-55e987f30c32,f5132455-ef2dd-225a-a693-afbbqed482dce,tcp,169.254.54.149:49462,10.88.0.5:80,112,60,10

Important

In ocserv-access, the deviceId value identifies the unique installation instance of
Microsoft Defender that runs on a device, and does not identify either the Intune
device ID or the Azure AD device ID. If Defender is uninstalled and then reinstalled on a
device, a new deviceId is generated.

To enable access logging:

1. Set TRACE_SESSIONS=1 in /etc/mstunnel/env.sh. To also include logging for DNS
connections, set TRACE_SESSIONS=2 instead.
2. Run mst-cli server restart to restart the server.

If access logs are too noisy, you can turn off DNS connection logging by setting
TRACE_SESSIONS=1 and restarting the server.

OCSERV_TELEMETRY - Display telemetry details for connections to Tunnel.

Telemetry logs have the following format, with the values for bytes_in, bytes_out, and
duration being present only for disconnect operations: <operation><client_ip><server_ip>
<gateway_ip><assigned_ip><user_id><device_id><user_agent><bytes_in><bytes_out>
<duration>. For example (note that this sample carries a numeric field between the
operation and client_ip that the format description doesn't list):

Oct 20 19:32:15 mstunnel ocserv[4806]: OCSERV_TELEMETRY,connect,31258,73.20.85.75,172.17.0.3,169.254.0.1,169.254.107.209,3780e1fc-3ac2-4268-a1fd-dd910ca8c13c,5A683ECC-D909-4E5F-9C67-C0F595A4A70E,MobileAccess iOS 1.1.34040102

Important

In OCSERV_TELEMETRY, the device_id value identifies the unique installation instance of
Microsoft Defender that runs on a device, and does not identify either the Intune
device ID or the Azure AD device ID. If Defender is uninstalled and then reinstalled on a
device, a new device_id is generated.
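With the two record layouts above known, journal output can be turned into structured records and summarized per device. The following Python script is an added example, not part of the Intune documentation or of the mst-cli tooling. It parses lines as journalctl -t ocserv -t ocserv-access prints them, using the field orders documented above for ACCESS_LOG and OCSERV_TELEMETRY, and builds a per-device summary that also flags access-log destinations outside a set of "internal" networks. The input is the two sample lines shown on this page plus one constructed disconnect line; the journal prefix layout, the name "session" for the undocumented numeric field, and the RFC 1918 ranges used as the default internal networks are assumptions.

```python
"""Parse Microsoft Tunnel journal lines (ocserv-access ACCESS_LOG and
OCSERV_TELEMETRY) into records and summarize them per device.
Added example; not part of the Intune documentation or of mst-cli."""
import ipaddress
import re
from collections import defaultdict

# Assumed journalctl prefix layout: "Mon DD HH:MM:SS host tag[pid]: payload"
JOURNAL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[\w.-]+)\[(?P<pid>\d+)\]: (?P<payload>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Field orders as documented above (the leading ACCESS_LOG / OCSERV_TELEMETRY
# marker and the telemetry operation are handled separately).
ACCESS_FIELDS = ["user_id", "device_id", "protocol", "src", "dst",
                 "bytes_sent", "bytes_received", "duration_s"]
TELEMETRY_FIELDS = ["client_ip", "server_ip", "gateway_ip", "assigned_ip",
                    "user_id", "device_id", "user_agent"]

# Sample input: the two lines shown on this page, plus a constructed
# "disconnect" line (same IDs, invented byte counts) to exercise that path.
SAMPLE_LINES = [
    "Feb 25 16:37:56 MSTunnelTest-VM ocserv-access[9528]: ACCESS_LOG,41150dc4-238x-4dwv-9q89-55e987f30c32,"
    "f5132455-ef2dd-225a-a693-afbbqed482dce,tcp,169.254.54.149:49462,10.88.0.5:80,112,60,10",
    "Oct 20 19:32:15 mstunnel ocserv[4806]: OCSERV_TELEMETRY,connect,31258,73.20.85.75,172.17.0.3,"
    "169.254.0.1,169.254.107.209,3780e1fc-3ac2-4268-a1fd-dd910ca8c13c,"
    "5A683ECC-D909-4E5F-9C67-C0F595A4A70E,MobileAccess iOS 1.1.34040102",
    "Oct 20 19:40:02 mstunnel ocserv[4806]: OCSERV_TELEMETRY,disconnect,31258,73.20.85.75,172.17.0.3,"
    "169.254.0.1,169.254.107.209,3780e1fc-3ac2-4268-a1fd-dd910ca8c13c,"
    "5A683ECC-D909-4E5F-9C67-C0F595A4A70E,MobileAccess iOS 1.1.34040102,20480,4096,467",
]


def parse_access(payload):
    """ACCESS_LOG,<userId>,<deviceId>,<protocol>,<src>,<dst>,<sent>,<received>,<seconds>"""
    parts = payload.split(",")
    if parts[0] != "ACCESS_LOG" or len(parts) < 1 + len(ACCESS_FIELDS):
        return None
    rec = dict(zip(ACCESS_FIELDS, parts[1:]))
    for key in ("bytes_sent", "bytes_received", "duration_s"):
        rec[key] = int(rec[key])
    return rec


def parse_telemetry(payload):
    """OCSERV_TELEMETRY,<operation>,...; bytes_in, bytes_out and duration are
    present only on disconnect. The documented layout goes straight from
    operation to client_ip, but the page's sample line has a numeric field in
    between; when the field after operation is not an IPv4 address it is kept
    under the assumed name "session"."""
    parts = payload.split(",")
    if parts[0] != "OCSERV_TELEMETRY" or len(parts) < 2:
        return None
    rec = {"operation": parts[1]}
    rest = parts[2:]
    if rest and not IPV4_RE.match(rest[0]):
        rec["session"] = rest[0]
        rest = rest[1:]
    rec.update(zip(TELEMETRY_FIELDS, rest))
    tail = rest[len(TELEMETRY_FIELDS):]
    if rec["operation"] == "disconnect" and len(tail) >= 3:
        rec["bytes_in"], rec["bytes_out"], rec["duration_s"] = (int(x) for x in tail[:3])
    return rec


def parse_line(line):
    """Return (tag, record) for a Tunnel journal line, or None if it is not one."""
    m = JOURNAL_RE.match(line)
    if not m:
        return None
    payload = m.group("payload")
    rec = parse_access(payload) if payload.startswith("ACCESS_LOG") else parse_telemetry(payload)
    if rec is None:
        return None
    rec["host"], rec["pid"] = m.group("host"), int(m.group("pid"))
    return m.group("tag"), rec


def summarize(lines, internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Per device_id (the Defender install instance, not the Intune or Azure AD
    device ID): session counts, bytes out, flow count, and any access-log
    destinations outside the given internal networks (RFC 1918 by default)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    out = defaultdict(lambda: {"connects": 0, "disconnects": 0, "bytes_out": 0,
                               "flows": 0, "external_dst": []})
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        tag, rec = parsed
        dev = out[rec.get("device_id", "?")]
        if tag == "ocserv-access":
            dev["flows"] += 1
            dst_ip = ipaddress.ip_address(rec["dst"].rsplit(":", 1)[0])
            if not any(dst_ip in n for n in nets):
                dev["external_dst"].append(rec["dst"])
        elif rec["operation"] == "connect":
            dev["connects"] += 1
        elif rec["operation"] == "disconnect":
            dev["disconnects"] += 1
            dev["bytes_out"] += rec.get("bytes_out", 0)
    return dict(out)


if __name__ == "__main__":
    for device, stats in summarize(SAMPLE_LINES).items():
        print(device, stats)
```

On a server, feed the script the output of journalctl -t ocserv -t ocserv-access after enabling access logging with TRACE_SESSIONS as described above. Because device_id is a Defender install instance, a reinstall shows up as a new device in the summary, so correlate with Intune device IDs elsewhere before acting on a per-device figure.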

Command-line examples for journalctl:

To view information for only the tunnel server, run journalctl -t ocserv.
To view the telemetry log, run journalctl -t ocserv | grep TELEMETRY.
To view information for all log options, run journalctl -t ocserv -t ocserv-access
-t mstunnel-agent -t mstunnel_monitor.

Add -f to the command to display an active and continuing view of the log file. For
example, to actively monitor ongoing processes for Microsoft Tunnel, run journalctl -t
mstunnel_monitor -f.

More options for journalctl:

journalctl -h – Display command help for journalctl.

man journalctl – Display additional information.

man journalctl.conf – Display information on configuration.

For more information about journalctl, see the documentation for the version of Linux that you use.

Known issues
The following are known issues for Microsoft Tunnel.

Server health

Clients can successfully use the Tunnel when Server health status shows as offline

Issue: On the Tunnel Health status tab, a server's health status reports as offline, indicating it's
disconnected, even though users can reach the tunnel server and connect to the organization's
resources.

Solution: To resolve this issue, you must reinstall Microsoft Tunnel, which re-enrolls the Tunnel
server agent with Intune. To prevent this issue, install updates for the Tunnel agent and server
soon after they're released. Use the Tunnel server health metrics in the Microsoft Intune admin
center to monitor server health.

With Podman, you see "Error executing checkup" in the mstunnel_monitor log

Issue: Podman fails to identify or see that the active containers are running, and reports "Error
executing checkup" in the mstunnel_monitor log of the Tunnel server. The following are
examples of the errors:

Agent:

Error executing Checkup
Error details
\tscript: 561 /usr/sbin/mst-cli
\t\tcommand: $ctr_cli exec $agent_name mstunnel checkup 2> >(FailLogger)
\tstack:
\t\t<> Checkup /usr/sbin/mst-cli Message: NA
\t\t<> MonitorServices /usr/sbin/mst-cli Message: Failure starting service mstunnel-agent
\t\t<> main /usr/sbin/mstunnel_monitor Message: NA

Server:

Error executing Checkup
Error details
\tscript: 649 /usr/sbin/mst-cli
\t\tcommand: $ctr_cli exec $agent_name mstunnel checkup 2> >(FailLogger)
\tstack:
\t\t<> Checkup /usr/sbin/mst-cli Message: NA
\t\t<> MonitorServices /usr/sbin/mst-cli Message: Failure starting service mstunnel-server
\t\t<> main /usr/sbin/mstunnel_monitor Message: NA

Solution: To resolve this issue, manually restart the Podman containers. Podman should then
be able to identify the containers. If the problem persists, or returns, consider using cron to
create a job that automatically restarts the containers when this issue is seen.

With Podman, you see System.DateTime errors in the mstunnel-agent log

Issue: When you use Podman, the mstunnel-agent log might contain errors similar to the
following entries:

Failed to parse version-info.json for version information.
System.Text.Json.JsonException: The JSON value could not be converted to System.DateTime

This issue occurs due to differences in formatting dates between Podman and Tunnel Agent.
These errors don't indicate a fatal issue or prevent connectivity. Beginning with containers
released after October 2022, the formatting issues should be resolved.

Solution: To resolve these issues, update the agent container (Podman or Docker) to the latest
version. As new sources of these errors are discovered, we’ll continue to fix them in subsequent
version updates.

Connectivity to Tunnel

Devices fail to connect to the Tunnel server

Issue: Devices fail to connect to the server, and the Tunnel server ocserv log file contains an entry
similar to the following entry: main: tun.c:655: Can't open /dev/net/tun: Operation not
permitted

For guidance on viewing Tunnel logs, see View Microsoft Tunnel logs in this article.

Solution: Restart the server using mst-cli server restart after the Linux server reboots.

If this issue persists, consider automating the restart command by using the cron scheduling
utility. See How to use cron on Linux at opensource.com.

Users can't connect to resources while using Microsoft Edge


Issue: After you've migrated from the stand-alone tunnel client app to Microsoft Defender for
Endpoint and are then using Microsoft Edge, users are unable to access any internal or external
websites. Users might also see a message similar to: You’re not Connected .

Solution: This issue can occur when the standalone Tunnel client app remains installed while the
Microsoft Defender for Endpoint app is in use. To resolve this issue, uninstall the standalone
Tunnel client app. It's also possible to uninstall the standalone client app prior to installing
Microsoft Defender for Endpoint, but doing so might leave your devices unable to use Microsoft
Tunnel until the new Tunnel app is in place and fully configured.

Next steps
Reference for Microsoft Tunnel
Upgrade Microsoft Tunnel for Microsoft
Intune
Article • 07/26/2023

Microsoft Tunnel, a VPN gateway solution for Microsoft Intune, periodically receives
software upgrades, which must install on the tunnel servers to keep them in support. To
stay in support, servers must run the most recent release, or at most be one version
behind. The information in this article explains the upgrade process, upgrade controls,
and status reports you use to understand the software version of tunnel servers, when
upgrades are available, and how to control when upgrades happen.

Intune handles the upgrade of servers assigned to each tunnel site for you. When
upgrades for a site begin, all servers in the site upgrade one at a time, which is
referred to as an upgrade cycle. While a server is upgrading, the Microsoft Tunnel on the
server isn't available for use. Upgrading a single server at a time helps minimize
disruptions to users when the site includes multiple servers.

During an upgrade cycle:

Intune begins by upgrading one server in the site. The upgrade can start as soon
as 10 minutes after the release becomes available.
If a server was off, upgrade begins after the server turns on.
After a successful upgrade of one server at a site, Intune waits a short time before
it starts the upgrade of the next server.

Use upgrade controls

To help control when Intune begins the upgrade cycle, configure the following settings
at each site. You can configure the settings when creating a new site, or by editing the
properties of an existing site:

Automatically upgrade servers at this site
Limit server upgrades to maintenance window

Automatically upgrade servers at this site

This setting determines whether an upgrade cycle for the site can begin automatically, or
whether an admin must explicitly approve the upgrade before the cycle can begin.

Yes (default) – When set to Yes, the site automatically upgrades servers as soon as
possible after a new tunnel version becomes available. Upgrades begin without
admin intervention.

If you set a maintenance window for the site, the upgrade cycle begins between
the window's start and end time. When no maintenance window is set, the upgrade
cycle starts as soon as possible.

No – When set to No, Intune won't upgrade servers until an admin explicitly
chooses to begin the upgrade cycle.

After upgrade is approved for a site with a maintenance window, the upgrade cycle
begins between the window's start and end time. If there's no maintenance
window, the upgrade cycle starts as soon as possible.

Important

When you configure a site for manual upgrades, periodically review the Health
check tab to understand when newer versions of Microsoft Tunnel are
available to install. The report also identifies when the current tunnel version
at the site is out of support.

Limit server upgrades to maintenance window

Use this setting to define a maintenance window for the site.

When configured for a site, the server upgrade cycle can begin only during the configured
period. However, once begun, the cycle continues to update servers one by one until all
servers assigned to the site complete the upgrade.

No (default) – No maintenance window is set. Sites configured to upgrade
automatically do so as soon as possible. Sites configured to require explicit
action to start the upgrade do so as soon as possible after the upgrade is
approved.

Yes – Set a maintenance window. The window limits when a server upgrade cycle
can begin at the site. The maintenance window doesn't define when individual
servers assigned to the site might start to upgrade.

Sites configured to upgrade automatically start the upgrade cycle only during
the configured period. Sites configured to require the admin to approve the
upgrade before beginning do so during the next maintenance window after the
upgrade is approved.

When set to Yes, configure the following options:

Time zone – The time zone you select determines when the maintenance
window starts and ends on all servers in the site. The time zone of individual
servers isn't used.
Start time – Specify the earliest time that the upgrade cycle can start, based on
the time zone you selected.
End time - Specify the latest time that upgrade cycle can start, based on the
time zone you selected. Upgrade cycles that start before this time will continue
to run and can complete after this time.

View tunnel server status

You can view information about the status of Microsoft Tunnel servers, including the
version of Microsoft Tunnel on a server.

For sites that aren't configured to upgrade automatically, you can also view when upgrades to a
new version are available.

Sign in to Microsoft Intune admin center > Tenant administration > Microsoft Tunnel
Gateway > Health status. Select a server and then open the Health check tab to view
the following information about it:

Server version - The status of the Tunnel Gateway Server software, in the context
of the most recent version available.
Healthy - Up to date with the most recent software version.
Warning - One version behind.
Unhealthy - Two or more versions behind, and out of support.

When a server doesn’t run the most recent software version, plan to install an available
upgrade to keep the Microsoft Tunnel in support.

Approve upgrades
Sites that have the setting Automatically upgrade servers at this site set to No won't
automatically upgrade servers. Instead, an admin must approve upgrades for servers at
that site before the upgrade cycle starts.

To understand when an upgrade is available for servers, use the Health check tab to
review server status.
To approve an upgrade
1. Sign in to Microsoft Intune admin center > Tenant administration > Microsoft
Tunnel Gateway > Sites.

2. Select the site with an Upgrade type of Manual.

3. On the site’s properties, select Upgrade servers.

After you choose to upgrade servers, Intune starts the process to do so, which cannot be
canceled. The time that upgrades begin at the site depends on the configuration of
maintenance windows for the site.

Microsoft Tunnel update history

Updates for Microsoft Tunnel release periodically. When a new version is available,
read about the changes here.

After an update releases, it rolls out to tenants over the following days. This rollout time
means new updates might not be available for your tunnel servers for a few days.

The Microsoft Tunnel version for a server isn't available in the Intune UI at this time.
Instead, run the following command on the Linux server that hosts the tunnel to identify
the hash values of agentImageDigest and serverImageDigest:

cat /etc/mstunnel/images_configured

Important

Container releases take place in stages. If you notice that your container images are
not the most recent, they will be updated and delivered within the following week.

July 24, 2023

Image hash values:

agentImageDigest:
sha256:683f756e15678264599f005f2eefe128e30a39ad74673da84426837b67bc0837

serverImageDigest:
sha256:7665f4407f8f5a0b67d352c7c7291fa5d4011c55bd718b6e390247e85585b3c1

Changes in this release:

Minor bug fixes
Server upgrades

June 12, 2023

Image hash values:

agentImageDigest:
sha256:ef5c23cc4c56263732124be7215f01a0904b5abaf78f5f033672d139205fcc3a

serverImageDigest:
sha256:1b11852378c1a0f0f595d76d841dafe4d23cc962b296eae365629c5c31adcc9a

Changes in this release:

Minor bug fixes
Agent container fixes

April 3, 2023

Image hash values:

agentImageDigest:
sha256:73b95c79b430c4ae88199132f62d1da08c7ce7bdf76484dbb0b28fa324c5f8ad

serverImageDigest:
sha256:e424c4bb707d3a18c59f18259549de007f2916c995dea92212a1d3396cf05bf5

Changes in this release:

Minor bug fixes

March 1, 2023

Image hash values:

agentImageDigest:
sha256:c4478f5e54dc1536523113885095b6eda37da1b2a31461347cd85ea8a7d487b5

serverImageDigest:
sha256:cf706bc6a5ea8a743bab84ed8be9901733738881e2e84d0f9083654e9c5cd317

Changes in this release:

Minor bug fixes
Updated Microsoft Tunnel Server Gateway EULA

February 2, 2023

Image hash values:

agentImageDigest:
sha256:9140d4e7f397d0a7c6c203b0c74a4f11b66affee3d36837298a50821b5dca9a4

serverImageDigest:
sha256:709219327f6aff5f81f6b6dc9f644334ccefd6af2f75ed4461ae06885bff9551

Changes in this release:

Minor bug fixes

November 16, 2022

Image hash values:

agentImageDigest:
sha256:517a2267b5b4fbbd58ab46be22202158e55562bfb8f79eb7ef4fc35a0fc3cc8d

serverImageDigest:
sha256:3a367955746522fe89fc8f0fb6edc259aefe0e681db652281b1ff264fdcce6dc

Changes in this release:

Minor bug fixes
Security improvements
Journalctl logging fix in mst-cli

September 23, 2022

Image hash values:

agentImageDigest:
sha256:df03d4ad8469511a4b649dcbbad5dbaa5c7f10cdc9640b7801190623090a67ae

serverImageDigest:
sha256:0f66f2b5463e283c1621fc4250f69fac97ebda77bef8f570ed181b78000d762c

Changes in this release:

Minor bug fixes
Security improvements
Mst-readiness script enhancements
Add Azure storage endpoint

August 22, 2022

Image hash values:

agentImageDigest:
sha256:186ff8d5c9a70085adc01778251f577988fef9b456801dc30e846f1a2bc3784c

serverImageDigest:
sha256:ec5bd023b5582e58b6b9eb6aa41a9b064003f5b2b228508115bf6d42be9564a3

Changes in this release:

Security improvements
Mst-readiness script enhancements

July 27, 2022

Image hash values:

agentImageDigest:
sha256:94e08d27c4f18706b2e3d92594d8a173446638a641240ae86a18a583be257cae

serverImageDigest:
sha256:683ff13cfc16824741e961f04b94bce766777a5dcc80f019af234b4c9948fd66

Changes in this release:

Minor bug fixes
Set process limit to 6000 in the server container
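Because the admin center doesn't show the tunnel version, the image digests in /etc/mstunnel/images_configured are the only evidence on the server of which release is running. The following Python script is an added example, not part of the Intune documentation or of mst-cli. It embeds the digests of the three most recent releases listed above, extracts the two digests from a constructed sample of the file (the page doesn't show the file's layout, so the parser assumes only that each digest follows its key name), and reports the matching release and how many releases behind it is, mirroring the Server version health check (current is Healthy, one behind is Warning, two or more behind is Unhealthy).

```python
"""Identify which published Microsoft Tunnel release a server's container
images belong to, by matching the digests in /etc/mstunnel/images_configured
against the release list above.
Added example; not part of the Intune documentation or of mst-cli."""
import re

# Digests copied from the release list above, newest first. Extend this table
# with the older releases when you use the script on a real server.
RELEASES = {
    "July 24, 2023": {
        "agentImageDigest": "sha256:683f756e15678264599f005f2eefe128e30a39ad74673da84426837b67bc0837",
        "serverImageDigest": "sha256:7665f4407f8f5a0b67d352c7c7291fa5d4011c55bd718b6e390247e85585b3c1",
    },
    "June 12, 2023": {
        "agentImageDigest": "sha256:ef5c23cc4c56263732124be7215f01a0904b5abaf78f5f033672d139205fcc3a",
        "serverImageDigest": "sha256:1b11852378c1a0f0f595d76d841dafe4d23cc962b296eae365629c5c31adcc9a",
    },
    "April 3, 2023": {
        "agentImageDigest": "sha256:73b95c79b430c4ae88199132f62d1da08c7ce7bdf76484dbb0b28fa324c5f8ad",
        "serverImageDigest": "sha256:e424c4bb707d3a18c59f18259549de007f2916c995dea92212a1d3396cf05bf5",
    },
}

# Constructed sample content. The real file's layout is not shown on this page;
# the parser only assumes that each digest appears after its key name.
SAMPLE_IMAGES_CONFIGURED = """\
agentImageDigest=sha256:ef5c23cc4c56263732124be7215f01a0904b5abaf78f5f033672d139205fcc3a
serverImageDigest=sha256:1b11852378c1a0f0f595d76d841dafe4d23cc962b296eae365629c5c31adcc9a
"""

DIGEST_RE = re.compile(r"(agentImageDigest|serverImageDigest)\W+(sha256:[0-9a-f]{64})")


def read_digests(text):
    """Return {key: digest} for the image digests found in the file text."""
    return {key: digest for key, digest in DIGEST_RE.findall(text)}


def identify_release(digests):
    """Map the configured digest pair to a published release. Returns
    (release_name, releases_behind) or (None, None) when the pair isn't in the
    table. An agent digest from one release paired with a server digest from
    another is also unknown, since the page publishes the two as a pair."""
    for behind, (name, published) in enumerate(RELEASES.items()):
        if (digests.get("agentImageDigest") == published["agentImageDigest"]
                and digests.get("serverImageDigest") == published["serverImageDigest"]):
            return name, behind
    return None, None


def support_status(releases_behind):
    """Mirror the Server version health check: current is Healthy, one behind is
    Warning, two or more behind is Unhealthy (out of support)."""
    if releases_behind is None:
        return "Unknown"
    return ("Healthy", "Warning")[releases_behind] if releases_behind < 2 else "Unhealthy"


if __name__ == "__main__":
    # On a Tunnel server, read the real file instead of the sample:
    #   text = open("/etc/mstunnel/images_configured").read()
    found = read_digests(SAMPLE_IMAGES_CONFIGURED)
    release, behind = identify_release(found)
    print(release, behind, support_status(behind))
```

A pair of digests that matches no published release, or a mixed pair, comes back as Unknown and is worth investigating before trusting the server: the configured digests are the server's only local statement of which images it should be running, and they can be compared with what the container runtime reports for the pulled images (for example, podman images --digests).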

Next steps
Reference for Microsoft Tunnel
Use Conditional Access with Microsoft
Tunnel in Intune
Article • 02/22/2023

If your Microsoft Intune environment uses both Azure Active Directory (AD) and
Conditional Access, you can use Conditional Access policies to gate device access to
your Microsoft Tunnel VPN gateway.

To support integration of Conditional Access and Microsoft Tunnel, you’ll use Azure AD
PowerShell to enable your tenant to support Microsoft Tunnel. After enabling your
tenant to support Microsoft Tunnel, you can then create Conditional Access policies that
apply to the Microsoft Tunnel app.

Provision your tenant


Before you can configure Conditional Access policies for the tunnel, you must enable
your tenant to support Microsoft Tunnel for Conditional Access. Use the Azure Active
Directory PowerShell module and run a PowerShell script to modify your tenant to add
Microsoft Tunnel Gateway as a cloud app. After the tunnel is added as a cloud app, you
can select it as part of a Conditional Access policy.

1. Download and install the AzureAD PowerShell module.

2. Download the PowerShell script named mst-ca-provisioning.ps1 from
aka.ms/mst-ca-provisioning.

3. Using credentials that have Azure role permissions equivalent to Global
Administrator, run the script from any location in your environment to provision
your tenant. Review the script's contents before running it with those privileges.

The script modifies your tenant by creating a service principal with the following
details:

App ID: 3678c9e9-9681-447a-974d-d19f668fcd88
Name: Microsoft Tunnel Gateway

The addition of this service principal is required so you can select the tunnel cloud
app while configuring Conditional Access policies. It's also possible to use Graph to
add the service principal information to your tenant.

4. After the script completes, you can use your normal process to create Conditional
Access policies.

Conditional Access to limit access to Microsoft Tunnel

If you'll use a Conditional Access policy to limit user access, we recommend configuring
this policy after you provision your tenant to support the Microsoft Tunnel Gateway
cloud app, but before you install the Tunnel Gateway.

1. Sign in to Microsoft Intune admin center > Endpoint Security > Conditional
access > New policy.

2. Specify a name for this policy.

3. To configure user and group access, below Assignments, select Users and groups.
a. Select Include > All users.
b. Next, select Exclude and configure the groups you want to grant access to, and
then save the user and group configuration.

4. Under Cloud apps or actions > Select apps, select the Microsoft Tunnel Gateway
app.

5. Below Access controls, select Grant, select Block access, and then save the
configuration.

6. Set Enable policy to On.

7. Select Create.

For more information about creating policies for Conditional Access, see Create a
device-based Conditional Access policy.

Next steps
Monitor Microsoft Tunnel
Migrate to Microsoft Defender for
Endpoint for the Microsoft Tunnel in
Intune
Article • 02/22/2023

If you use Microsoft Tunnel as a VPN gateway solution for Microsoft Intune, plan to
migrate from the standalone Microsoft Tunnel client app to Microsoft Defender for
Endpoint with support for Microsoft Tunnel.

Platform support
If you've previously configured Microsoft Tunnel for iOS using the standalone Microsoft
Tunnel client app, you must migrate your devices to use Microsoft Defender for
Endpoint as the tunnel client app before support for the iOS standalone tunnel client
app ends on July 29, 2022.

Support for the Android standalone tunnel client app ended on January 31, 2022.

The following device platforms support Microsoft Defender for Endpoint as the tunnel
client app:

Android Enterprise:
Fully managed
Corporate-owned work profile
Personally owned work Profile

On June 14, 2021, Microsoft Defender for Endpoint became generally available as
the Microsoft Tunnel client app for Android for use with the Microsoft Tunnel
Gateway in Microsoft Intune.

If you've previously configured Microsoft Tunnel for Android using the standalone
Microsoft Tunnel client app, you must migrate your devices to use Microsoft
Defender for Endpoint as the Tunnel client app before support for the Android
standalone Tunnel client app ends on October 26, 2021.

When using Microsoft Defender for Endpoint to connect to Tunnel for Android,
use custom settings in the VPN profile to manage Defender for Endpoint instead
of using a separate app configuration profile. If you don't intend to use any
Defender for Endpoint functionality, including web protection, use custom settings
in the VPN profile and set the defendertoggle setting to 0.
iOS/iPadOS devices:

On April 29, 2022, Microsoft Defender for Endpoint became available as the
Microsoft Tunnel client app for iOS/iPadOS devices for use with the Microsoft
Tunnel Gateway in Microsoft Intune.

If you've previously configured Microsoft Tunnel for iOS/iPadOS using the
standalone Microsoft Tunnel client app, you must migrate your devices to use
Microsoft Defender for Endpoint as the Tunnel client app. Support for the iOS
standalone Tunnel client app ends on July 29, 2022.

To configure the Microsoft Defender for Endpoint app to connect to Tunnel, you'll
need to create a new VPN profile with the Microsoft Tunnel connection type.

When using Microsoft Defender for Endpoint to connect to Tunnel for iOS/iPadOS,
use custom settings in the VPN profile to manage Defender for Endpoint. If you
don't intend to use any Defender for Endpoint functionality, including web
protection, use custom settings in the VPN profile and set the TunnelOnly setting
to True.

Changes introduced to support Defender for Endpoint
The introduction of Microsoft Defender for Endpoint as the tunnel client app brings the
following changes.

Renamed connection type for VPN profiles for all tenants:

To support Defender for Endpoint, all VPN profiles created before March 2, 2021 that
have a connection type of Microsoft Tunnel were updated to a connection type of
Microsoft Tunnel (standalone client).

This change:

Applies to all tenants.
Applies to both the Android and iOS/iPadOS platforms.
Has no effect on the functionality of those existing profiles other than the change
of connection type name.
Supports the change to use Microsoft Defender for Endpoint to support Microsoft
Tunnel functionality now or at a future time.
Cannot be reversed. You can’t edit existing profiles to change their connection
type.

The following connection types are now available in VPN profiles:

Android:
Microsoft Tunnel
A VPN profile with this connection type configures the Microsoft Defender
for Endpoint app to connect to Microsoft Tunnel Gateway.
Use this VPN connection type for devices that run Android Enterprise.
A connection type of Microsoft Tunnel (standalone client) should no longer be
created for Android. Existing VPN profiles with this connection type should
be migrated to Microsoft Tunnel and you should use Defender for Endpoint
as the Tunnel client app.

iOS/iPadOS:

Microsoft Tunnel
A VPN profile with this connection type configures the Microsoft Defender
for Endpoint app to connect to Microsoft Tunnel Gateway.
A connection type of Microsoft Tunnel (standalone client) (preview) should no
longer be created for iOS/iPadOS. Existing VPN profiles with this connection
type should be migrated to Microsoft Tunnel, which requires Defender for
Endpoint as the Tunnel client app.

Note

On April 29, 2022, the Microsoft Tunnel connection type became generally
available and supports Microsoft Defender for Endpoint as a tunnel client
app. However, the connection type continues to reflect preview.

End-user changes:

The Microsoft Defender for Endpoint app that you use as the Tunnel client app includes
a new tab for the Microsoft Tunnel functionality.

Functionality in the Defender for Endpoint app

The Microsoft Defender for Endpoint app combines functionality of Microsoft Defender
for Endpoint with the functionality of the Microsoft Tunnel app. You can use the new
Defender app with Microsoft Tunnel to connect to Tunnel Gateway, even if you don’t
otherwise use or have a license for Microsoft Defender for Endpoint.

The functionality that’s available in the Microsoft Defender for Endpoint app depends on
the policy settings you deploy to manage the app on a device. The following tabs are
available:

Tunnel - This tab is where users connect to the Tunnel Gateway and can view
connection statistics and client configuration settings.

The Tunnel tab is available after a device receives a VPN profile for Microsoft
Tunnel that supports Defender for Endpoint.

Dashboard – This tab displays a summary of the device’s overall health, app
security status, web protection status, and Tunnel status.

App security (Android only) – On this tab, users can view the status of automatic
scans on the device. Users can also uninstall the apps identified as threats and run
a manual scan. This tab isn’t available when the VPN profile turns off the Defender
for Endpoint functionality or when the Defender for Endpoint functionality is
turned off by a separate app configuration profile.

Web Protection – This tab displays the status of the feature enabled or disabled by
administrators, and details of the feature described in the flip cards. This tab isn’t
available when the VPN profile turns off the Defender for Endpoint functionality
(iOS/iPadOS and Android) or the Defender for Endpoint functionality is turned off
by a separate app configuration profile (Android).

[Screenshot of the Defender for Endpoint app on Android]

For information about license requirements for Microsoft Defender for Endpoint, see
Get Microsoft Defender for Endpoint.

Migrate Android devices to Defender for Endpoint
When you're ready to use Microsoft Defender for Endpoint with Android devices,
migrate supported devices from the standalone tunnel client app to the new app. You
can also deploy the new app to other devices that haven't previously used Microsoft
Tunnel.

Migrating to Microsoft Defender for Endpoint requires the following broad actions,
which are described in the following sections:

1. Review and record your current Tunnel configurations.
2. Deploy Microsoft Defender for Endpoint to supported devices.
3. Create new VPN profiles.
4. Clean up your previous deployments.

Deploy Defender for Endpoint for Android

Microsoft Defender for Endpoint with support for Microsoft Tunnel on Android is
available from the Managed Google Play store.

1. Locate and Approve the app in the Managed Google Play store for your tenant,
and then Sync it. For information on this process, see Managed Google Play store
apps.

2. Assign the app to groups.

3. Complete the assignment, and then ask users to install the Microsoft Defender for
Endpoint app.

Review and record your current Tunnel configurations for Android
Before you begin your migration to Defender for Endpoint, take the time to review and
record the settings you currently use for the following Intune configurations for Android
devices:

VPN profiles for Microsoft Tunnel
App deployments of the Microsoft Tunnel

You'll use this information when you deploy new VPN profiles and the Defender for
Endpoint app, to mirror your existing deployments.

1. Sign in to Microsoft Intune admin center > Devices > Configuration profiles.
Locate the VPN profiles you use for Microsoft Tunnel for your Android devices.
They display a connection type of Microsoft Tunnel (standalone client). You’ll
replace these profiles with new profiles that use the Defender for Endpoint app.

a. Select each profile and then Properties.

b. From Properties, record the available values. This information will help you
create new VPN profiles that mirror your current configurations.

2. Next, record details for your Tunnel app deployments. In the admin center, go to
Apps. Locate your deployments of Microsoft Tunnel to Android Enterprise devices.

a. Select each applicable deployment and review its Properties.

b. From Properties, record the available values. This information will help you to
create similar deployments for the Microsoft Defender for Endpoint app.

Create new VPN profiles for Android

To enable devices to use Microsoft Defender for Endpoint to connect to Microsoft
Tunnel Gateway, deploy new VPN profiles with the Microsoft Tunnel connection type.
Editing the connection type of an existing profile isn’t supported.

1. Use the information from Create a VPN Profile to create and deploy new VPN
profiles for your Android Enterprise devices.

2. During configuration, reference the settings you recorded from your existing
profiles, but use a connection type of Microsoft Tunnel.

If you’re using only the Tunnel functionality from the Defender for Endpoint app,
and not Defender-specific functionality, add a custom setting of defendertoggle
that is set to 0. This configuration disables the Defender for Endpoint functionality,
leaving only the Tunnel capabilities.

Note

If you are using the Microsoft Defender for Endpoint app for Android, have web
protection enabled, and are using per-app VPN, web protection will only apply to
the apps in the per-app VPN list. On devices with a work profile, in this scenario we
recommend adding all web browsers in the work profile to the per-app VPN list to
ensure all work profile web traffic is protected.

Clean up previous deployments for Android

After devices install the Microsoft Defender for Endpoint app and receive new VPN
profiles, you can remove configurations for the original deployments.

For deployments of the original Microsoft Tunnel app:

1. Remove Required and Available for enrolled devices.

2. Add Uninstall to trigger removal of the application.

Migrate iOS/iPadOS devices to Defender for Endpoint
When you're ready to use the generally available version of Microsoft Defender for
Endpoint for iOS/iPadOS devices, migrate supported devices from the standalone tunnel
client app to the new app. You can also deploy the new app to other devices that
haven't previously used the Microsoft Tunnel.

Migrating to Defender for Endpoint requires the following broad actions, which are
described in the following sections:

1. Deploy Microsoft Defender for Endpoint to supported devices.
2. Review and record your current Tunnel configurations.
3. Create new VPN profiles or reconfigure existing profiles to use Microsoft Tunnel as
the connection type.
4. Clean up your previous deployments.

The server settings stay exactly the same regardless of the client you’re using.

Install Microsoft Defender for Endpoint

Microsoft Defender for Endpoint with support for Microsoft Tunnel for iOS is available
from the Apple app store.

1. Locate and Approve the app in the Apple app store for your tenant, and then Sync
it. For information on this process, see Add iOS store apps to Microsoft Intune.
2. Assign the app to groups.
3. Complete the assignment, and then ask users to install the Microsoft Defender for
Endpoint app.

Review and record your current Tunnel configurations for iOS/iPadOS
Before you begin your migration to Defender for Endpoint, use the Microsoft Intune
admin center to review and record the settings you currently use for the following
Intune configurations:

VPN profiles for Microsoft Tunnel (standalone client) (preview)

1. Go to Devices > Configuration profiles and select each applicable profile and
review its Properties.

2. From Properties, record the available values. This information will help you
create new VPN profiles that mirror your current configurations.

If you use per-app VPN, look at your iOS app deployments and record details for
apps that are assigned to a Microsoft Tunnel (standalone client) (preview) profile.

1. Go to Apps and select each applicable deployment and review its Properties.

2. From Properties, record the available values including those that are assigned
as required or are assigned as available. This information will help you to
create similar deployments for the Microsoft Defender for Endpoint app.

Manage VPN profiles for iOS/iPadOS

To enable devices to use Microsoft Defender for Endpoint to connect to Microsoft
Tunnel Gateway, deploy VPN profiles that use the Microsoft Tunnel connection type.
During migration you can choose to edit your existing profiles to use the new
connection type, or create new VPN profiles with the new connection type.

Modify a VPN Profile for Microsoft Tunnel

Use the following steps to modify a VPN profile to migrate devices from the standalone
tunnel client app to Microsoft Defender for Endpoint as the tunnel client app.

1. Sign in to the Microsoft Intune admin center and go to Devices >
Configuration profiles > iOS/iPadOS.

2. Select the VPN profile you want to edit, and then select Properties, and then Edit
the Configuration settings.

3. On the Configuration settings page:

a. Review the current settings for each category. When you change the Connection
type, the profile's settings are cleared and you’ll need to restore them.
b. Change the Connection type from Microsoft Tunnel (standalone client) (preview)
to Microsoft Tunnel (preview).

c. Reenter the applicable settings for this VPN profile.

Important

Even when a setting appears to remain configured and not cleared, reenter
each setting to ensure the correct values are applied.

d. If you’re using only the Tunnel functionality from the Defender for Endpoint
app, and not Defender-specific functionality, add a custom setting of
TunnelOnly that is set to True. This configuration disables the Defender
functionality, leaving only the Tunnel capabilities.

4. Select Review + save to save the profile.

5. After the profile redeploys, wait for devices to check in or force devices to sync to
get the new policies.

6. Verify that users can connect to Tunnel manually in the Defender for Endpoint app.
If your VPN profile includes on-demand rules, users must open the Defender for
Endpoint app one time before the new on-demand rules can apply.

Create a new VPN profile for Microsoft Tunnel

Use the following steps to create a new VPN profile for devices that will use Microsoft
Defender for Endpoint as the tunnel client app. When the profile is configured as a per-
app VPN, the last step requires you to restart devices after they receive the VPN profile.
To avoid this you can choose to modify an existing VPN profile instead of creating and
deploying a new one.

1. Use the information from Create a VPN Profile to create and deploy new VPN
profiles for your iOS/iPadOS devices.

2. During configuration, reference the settings you recorded from your existing
profiles, but use a connection type of Microsoft Tunnel.

If you’re using only the Tunnel functionality from the Defender for Endpoint app,
and not Defender-specific functionality, add a custom setting of TunnelOnly that is
set to True. This configuration disables the Defender for Endpoint functionality,
leaving only the Tunnel capabilities.

3. After the profile deploys, wait for devices to check in or force devices to sync to
get the new policies.

4. Verify that users can connect to Tunnel manually in the Defender for Endpoint app.
If your VPN profile includes on-demand rules, users must open the Defender for
Endpoint app one time before the new on-demand rules can apply.

5. If you’re using per-app VPN:

a. Wait at least 10 minutes after creating the new VPN profile. After 10 minutes
you can then change the app deployment assignments from the Microsoft
Tunnel (standalone client) (preview) VPN profile to the new VPN profile for
Microsoft Tunnel.

b. After the new VPN profile deploys to a device, that device must restart before
the new VPN profile is used. To restart a device, see remotely restart devices
with Intune.
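The Android and iOS/iPadOS migration steps above amount to a small set of rules an admin applies to each recorded VPN profile: standalone-client profiles must be replaced (Android) or modified or replaced (iOS), a tunnel-only deployment needs the defendertoggle=0 (Android) or TunnelOnly=True (iOS) custom setting, per-app VPN on Android limits web protection to the listed apps, and a new per-app profile on iOS needs a device restart. The following offline checker encodes those rules so the "review and record" inventory can be checked before the cleanup step. It is an added example, not Intune's own code or an Intune API; the profile records are constructed to look like what an admin writes down from a VPN profile's Properties page, and the field names are assumptions.

```python
"""Offline migration checker modelled on the Android and iOS/iPadOS migration
steps above. Added example, not Intune's own code or API; the profile records
are constructed and the field names are assumptions."""
from dataclasses import dataclass, field

# Connection type names as they appear in the admin center (from the page).
STANDALONE = "Microsoft Tunnel (standalone client)"   # legacy; may carry "(preview)" on iOS
DEFENDER_TUNNEL = "Microsoft Tunnel"                   # Defender for Endpoint as the client app

# Custom setting that turns off Defender features and leaves only Tunnel (from the page).
TUNNEL_ONLY = {"android": ("defendertoggle", "0"), "ios": ("TunnelOnly", "True")}


@dataclass
class VpnProfile:
    name: str
    platform: str                       # "android" or "ios" (assumed field)
    connection_type: str
    custom_settings: dict = field(default_factory=dict)
    per_app_vpn: bool = False
    tunnel_only_intended: bool = False  # admin wants no Defender features, including web protection


def findings_for(profile):
    """Return (code, message) pairs describing what still has to happen for this profile."""
    out = []
    key, value = TUNNEL_ONLY[profile.platform]
    if profile.connection_type.startswith(STANDALONE):
        how = ("create a new profile; editing the connection type is not supported"
               if profile.platform == "android"
               else "modify the existing profile or create a new one")
        out.append(("MIGRATE", f"still uses '{profile.connection_type}': {how}"))
        if profile.platform == "ios" and profile.per_app_vpn:
            out.append(("IOS_RESTART", "per-app VPN: a new profile needs a device restart; "
                        "wait 10 minutes before reassigning apps, or modify the existing profile"))
        return out

    has_tunnel_only = profile.custom_settings.get(key) == value
    if profile.tunnel_only_intended and not has_tunnel_only:
        out.append(("ADD_TUNNEL_ONLY", f"add custom setting {key}={value}"))
    if not profile.tunnel_only_intended and has_tunnel_only:
        out.append(("DEFENDER_DISABLED", f"{key}={value} disables Defender features; remove it"))
    if (profile.platform == "android" and profile.per_app_vpn
            and not profile.tunnel_only_intended):
        out.append(("PER_APP_BROWSERS", "web protection covers only apps in the per-app VPN list; "
                    "add the work profile browsers to it"))
    return out


def plan_migration(profiles):
    """Map profile name -> list of finding codes, omitting profiles that need nothing."""
    return {p.name: [c for c, _ in findings_for(p)] for p in profiles if findings_for(p)}


# Constructed sample inventory (not from a real tenant).
SAMPLE_PROFILES = [
    VpnProfile("android-legacy", "android", STANDALONE),
    VpnProfile("android-tunnel-only", "android", DEFENDER_TUNNEL, tunnel_only_intended=True),
    VpnProfile("android-full", "android", DEFENDER_TUNNEL, {"defendertoggle": "0"}, per_app_vpn=True),
    VpnProfile("ios-legacy-perapp", "ios", STANDALONE + " (preview)", per_app_vpn=True),
    VpnProfile("ios-done", "ios", DEFENDER_TUNNEL, {"TunnelOnly": "True"}, tunnel_only_intended=True),
]

if __name__ == "__main__":
    for prof in SAMPLE_PROFILES:
        for code, msg in findings_for(prof):
            print(f"{prof.name}: [{code}] {msg}")
```

Run the file to print one line per outstanding action; a profile that is absent from the plan is already on the Defender for Endpoint client with the intended custom settings.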

Next Steps
Use Conditional Access with Microsoft Tunnel

Monitor Microsoft Tunnel

Configure Windows Hello for Business on devices when they enroll with Intune
Article • 08/17/2023

With Microsoft Intune, you can create a tenant-wide policy that configures use of
Windows Hello for Business on Windows 10 or Windows 11 devices at the time those
devices enroll with Intune. This policy targets your entire organization and supports the
Windows Autopilot out-of-box-experience (OOBE).

For Windows 10/11 devices, use of Windows Hello for Business replaces the use of
passwords with strong two-factor authentication on devices. This authentication consists
of a user credential that’s tied to a device and uses a biometric or PIN.

After device enrollment, or when you choose not to use the tenant-wide enrollment
policy, Intune supports the following methods to manage Windows Hello on discrete
groups of devices:

Identity protection - Device configuration policy includes the Identity protection
profile, which you can use to configure groups of devices for Windows Hello.

Security baselines: Some settings for Windows Hello can be managed by security
baselines like the baselines for Microsoft Defender for Endpoint security or Security
Baseline for Windows 10 and later.

Endpoint security Account protection policy: Account protection policies include
some of the settings used by Windows Hello.

Important

Prior to the Anniversary Update (Windows version 1607), you could set two
different PINs that could be used to authenticate to resources:

The device PIN could be used to unlock the device and connect to cloud
resources.
The work PIN was used to access Azure AD resources on user's personal
devices (BYOD).

In the Anniversary Update, these two PINs were merged into one single device PIN.
Any Intune configuration policies you set to control the device PIN, and
additionally, any Windows Hello for Business policies you configured, now both set
this new PIN value. If you have set both policy types to control the PIN, the
Windows Hello for Business policy is applied. To ensure policy conflicts are resolved
and that the PIN policy is applied correctly, update your Windows Hello for
Business Policy to match the settings in your configuration policy, and ask your
users to sync their devices in the Company Portal app.

Create a Windows Hello for Business policy

1. Sign in to the Microsoft Intune admin center .

2. Go to Devices > Enroll devices > Windows enrollment > Windows Hello for
Business. The Windows Hello for Business pane opens.

3. Select from the following options for Configure Windows Hello for Business:

Enabled. Select this setting if you want to configure Windows Hello for
Business settings. When you select Enabled, other settings for Windows Hello
are visible and can be configured for devices.

Disabled. If you don't want to enable Windows Hello for Business during
device enrollment, select this option. When disabled, users can't provision
Windows Hello for Business. When set to Disabled, you can still configure the
subsequent settings for Windows Hello for Business even though this policy
won't enable Windows Hello for Business.

Not configured. Select this setting if you don't want to use Intune to control
Windows Hello for Business settings. Any existing Windows Hello for Business
settings on Windows 10/11 devices aren't changed. All other settings on the pane
are unavailable.

4. If you selected Enabled in the previous step, configure the required settings that
are applied to all enrolled Windows 10/11 devices. After you configure these
settings, select Save.

Use a Trusted Platform Module (TPM):

A TPM chip provides another layer of data security. Choose one of the
following values:
Required (default). Only devices with an accessible TPM can provision
Windows Hello for Business.
Preferred. Devices first attempt to use a TPM. If this option isn't available,
they can use software encryption.

Minimum PIN length and Maximum PIN length:

Configures devices to use the minimum and maximum PIN lengths that you
specify to help ensure secure sign-in. The default PIN length is six characters,
but you can enforce a minimum length of four characters. The maximum PIN
length is 127 characters.

Lowercase letters in PIN, Uppercase letters in PIN, and Special characters in PIN:

You can enforce a stronger PIN by requiring the use of uppercase letters,
lowercase letters, and special characters in the PIN. For each, select from:

Allowed. Users can use the character type in their PIN, but it isn't
mandatory.

Required. Users must include at least one of the character types in their
PIN. For example, it's common practice to require at least one uppercase
letter and one special character.

Not allowed (default). Users must not use these character types in their
PIN. (This is also the behavior if the setting isn't configured.)

Special characters include: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

PIN expiration (days):

It's a good practice to specify an expiration period for a PIN, after which users
must change it. The default is 41 days.

Remember PIN history:

Restricts the reuse of previously used PINs. By default, the last 5 PINs can't be
reused.

Allow biometric authentication:

Enables biometric authentication, such as facial recognition or fingerprint, as
an alternative to a PIN for Windows Hello for Business. Users must still
configure a work PIN in case biometric authentication fails. Choose from:
Yes. Windows Hello for Business allows biometric authentication.
No. Windows Hello for Business prevents biometric authentication (for all
account types).

Use enhanced anti-spoofing, when available:

Configures whether the anti-spoofing features of Windows Hello are used on
devices that support it. For example, detecting a photograph of a face instead
of a real face.

When set to Yes, Windows requires all users to use anti-spoofing for facial
features when that is supported.

Allow phone sign-in:

If this option is set to Yes, users can use a remote passport to serve as a
portable companion device for desktop computer authentication. The
desktop computer must be Azure Active Directory joined, and the companion
device must be configured with a Windows Hello for Business PIN.

Use security keys for sign-in:

When set to Enable, this setting lets you remotely turn Windows Hello security
keys on or off for all computers in your organization.
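The PIN settings above (minimum and maximum length, the Allowed / Required / Not allowed rule for lowercase, uppercase and special characters, PIN expiration and PIN history) describe a policy that Windows enforces when a user provisions or changes a Windows Hello for Business PIN. The model below makes those rules concrete so an administrator can check what a given policy combination will accept before deploying it. It is an added example for illustration, not the Windows or Intune enforcement code; the defaults mirror the values stated on this page (six characters minimum, 127 maximum, Not allowed for each character class, 41-day expiration, 5 remembered PINs) and the special-character set is the one listed above.

```python
"""Model of the Windows Hello for Business PIN settings described above.
Added example; not the Windows or Intune enforcement code. Defaults mirror
the values stated on the page."""
import string
from dataclasses import dataclass
from datetime import date, timedelta

# The special-character set listed on the page.
SPECIAL_CHARS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
LOWER, UPPER, DIGITS = set(string.ascii_lowercase), set(string.ascii_uppercase), set(string.digits)

ALLOWED, REQUIRED, NOT_ALLOWED = "allowed", "required", "not_allowed"


@dataclass(frozen=True)
class PinPolicy:
    min_length: int = 6           # page: default six; the lowest enforceable minimum is four
    max_length: int = 127
    lowercase: str = NOT_ALLOWED  # page: Not allowed is the default for each class
    uppercase: str = NOT_ALLOWED
    special: str = NOT_ALLOWED
    expiration_days: int = 41
    history: int = 5


def _class_problem(rule, present, label):
    """Apply one Allowed/Required/Not allowed rule to a character class."""
    if rule == REQUIRED and not present:
        return f"{label} required"
    if rule == NOT_ALLOWED and present:
        return f"{label} not allowed"
    return None


def validate_pin(pin, policy, previous_pins=()):
    """Return the list of policy violations for a candidate PIN (empty list = acceptable).

    previous_pins is the user's PIN history, oldest first."""
    problems = []
    if len(pin) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if len(pin) > policy.max_length:
        problems.append(f"longer than maximum length {policy.max_length}")
    chars = set(pin)
    unsupported = "".join(sorted(chars - LOWER - UPPER - DIGITS - SPECIAL_CHARS))
    if unsupported:
        problems.append(f"contains unsupported characters: {unsupported}")
    for rule, present, label in (
        (policy.lowercase, bool(chars & LOWER), "lowercase letters"),
        (policy.uppercase, bool(chars & UPPER), "uppercase letters"),
        (policy.special, bool(chars & SPECIAL_CHARS), "special characters"),
    ):
        problem = _class_problem(rule, present, label)
        if problem:
            problems.append(problem)
    # "Remember PIN history": the last N PINs cannot be reused.
    if policy.history and pin in list(previous_pins)[-policy.history:]:
        problems.append(f"reuses one of the last {policy.history} PINs")
    return problems


def pin_expired(set_on, today, policy):
    """True once the PIN is as old as the policy's expiration period."""
    return today - set_on >= timedelta(days=policy.expiration_days)


if __name__ == "__main__":
    # A stricter policy than the defaults: 8+ characters, uppercase and a special character required.
    strict = PinPolicy(min_length=8, lowercase=ALLOWED, uppercase=REQUIRED, special=REQUIRED)
    for candidate in ("123456", "12345", "12345678", "Ab3456!8"):
        print(candidate, validate_pin(candidate, strict) or "ok")
    print(pin_expired(date(2024, 1, 1), date(2024, 2, 11), PinPolicy()))
```

Note that with the page's defaults a purely numeric PIN is the only kind accepted, because every non-digit class defaults to Not allowed; requiring classes raises entropy but also changes which PINs users can enter, which is why the policy types that set the PIN should agree (see the Important note above).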

Windows Holographic for Business support

Windows Holographic for Business supports the following settings for Windows Hello
for Business:

Use a Trusted Platform Module (TPM)
Minimum PIN length
Maximum PIN length
Lowercase letters in PIN
Uppercase letters in PIN
Special characters in PIN
PIN expiration (days)
Remember PIN history

Next steps
Learn more about Windows Hello from the following subjects in the Windows
documentation:

Planning a Windows Hello for Business deployment
Windows Hello for Business Deployment Prerequisite Overview

Use identity protection profiles to manage Windows Hello for Business in Microsoft Intune
Article • 02/22/2023

Use an Identity protection profile to manage Windows Hello for Business on groups of
devices in Microsoft Intune. Windows Hello for Business is a method for signing in to
Windows devices by replacing passwords, smart cards, and virtual smart cards. Intune
includes built-in settings so Administrators can configure and use Windows Hello for
Business. For example, you can use these settings to:

Enable Windows Hello for Business for devices and users
Set device PIN requirements, including a minimum or maximum PIN length
Allow gestures, such as a fingerprint, that users can (or can't) use to sign in to
devices

This feature applies to devices running:

Windows 10
Windows 11

In addition to use of an Identity protection profile, Intune supports the following options
to manage settings for Windows Hello for Business:

During device enrollment: Manage Windows Hello when a device enrolls with a
tenant-wide policy.
Security baselines: Some settings for Windows Hello can be managed by security
baselines like the baselines for Microsoft Defender for Endpoint security or Security
Baseline for Windows 10 and later.
Endpoint security Account protection policy: Account protection policies include
some of the settings used by Windows Hello.

Note

For customers looking to configure Windows Holographic for Business, use the
DeviceLock CSP.

Intune uses configuration profiles to create and customize these settings for your
organization's needs. After you add these features in a profile, push or deploy these
settings to user and device groups in your organization.
This article shows you how to create a device configuration profile. For a list of all the
settings, and what they do, see Windows device settings to enable Windows Hello for
Business.

Important

Due to how Intune determines the scope and applicability of Windows Hello for
Business policy, the device may log Event ID 454 as a result of applying policy. This
can be safely ignored when policy is being successfully applied (and enforced).

Create the device profile

1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.

Profile: Select Templates > Identity protection.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the new profile. Name your policies so
you can easily identify them later.
Description: Enter a description for the profile. This setting is optional, but
recommended.

Select Next to continue.

6. In Configuration settings, configure the following settings:

Configure Windows Hello for Business: Choose how you want to configure
Windows Hello for Business:

Not configured (default): Provisions Windows Hello for Business on the
device. When identity protection profiles are assigned to users only, the
device context defaults to Not configured.

Disabled: If you don't want to use Windows Hello for Business, select this
option. This option disables Windows Hello for Business for all users.
Enabled: Choose this option to provision, and configure Windows Hello
for Business settings in Intune. Enter the settings you want to configure.
For a list of all settings, and what they do, see Windows device settings
to enable Windows Hello for Business.

Use security keys for sign-in: Enable Windows Hello security key as a sign-in
credential for all PCs in the tenant. Choose from:
Enable
Not configured (default)

Select Next to continue.

7. In Assignments, select the user and device groups that will receive this profile. For
more information on assigning profiles, see Assign user and device profiles.

Important

To allow multiple users to be provisioned to a device, specify that the
Windows Hello for Business policy be applied to the devices. If the policy is
applied only to users, only one user can be provisioned to a device.

Select Next.

8. In Applicability Rules, use the Rule, Property, and Value options to define how this
profile applies within assigned groups. Intune applies the profile to devices that
meet the rules you enter. For more information about applicability rules, see
Applicability rules.

Select Next.

9. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Next steps
Review settings, and what they do
Monitor the profile status
Learn about Conditional Access and Intune
Article • 02/21/2023

Use Conditional Access with Microsoft Intune compliance policies to control the devices
and apps that can connect to your email and company resources. When integrated, you
can gate access to keep your corporate data secure, while giving users an experience
that allows them to do their best work from any device, and from any location.

Conditional Access is an Azure Active Directory capability that is included with an Azure
Active Directory Premium license. Through Azure Active Directory, Conditional Access
brings signals together to make decisions, and enforce organizational policies. Intune
enhances this capability by adding mobile device compliance and mobile app
management data to the solution. Common signals include:

User or group membership.
IP location information.
Device details, including device compliance or configuration status.
Application details, including requiring use of managed apps to access corporate
data.
Real-time and calculated risk detection, when you also use a mobile threat defense
partner.

Note

Conditional Access also extends its capabilities to Microsoft 365 services.

Ways to use Conditional Access with Intune
Conditional Access works with Intune device configuration and compliance policies, and
with Intune Application protection policies.

Device-based Conditional Access

Intune and Azure Active Directory work together to make sure only managed and
compliant devices can access email, Microsoft 365 services, Software as a service
(SaaS) apps, and on-premises apps. Additionally, you can set a policy in Azure
Active Directory to enable only domain-joined computers or mobile devices that
have enrolled in Intune to access Microsoft 365 services. Scenarios include:

Conditional Access based on network access control

Conditional Access based on device risk

Conditional Access for Windows PCs. Both corporate-owned and bring your
own device (BYOD).

Conditional Access for Exchange on-premises

Learn more about device-based Conditional Access with Intune

App-based Conditional Access

Intune and Azure Active Directory work together to make sure only managed apps
can access corporate e-mail or other Microsoft 365 services.

Learn more about app-based Conditional Access with Intune.
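The signals and policy types described above combine in a simple way: every Conditional Access policy whose scope matches the sign-in (cloud app, user or group, location) must have its controls satisfied, and device-based policies consume the compliance status that Intune evaluates and reports to Azure AD, while app-based policies check whether the client app is a managed app. The decision model below shows that combination on constructed signal records. It is an added example illustrating the logic, not Azure AD's evaluation engine; the policy names, app labels, group names and the risk levels are assumptions.

```python
"""Decision model for the Conditional Access signals described above.
Added example, not Azure AD's evaluation engine; policies, app labels,
group names and risk levels are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}   # assumed ordering of MTD risk


@dataclass(frozen=True)
class Signals:
    user: str
    groups: FrozenSet[str]
    from_trusted_ip: bool
    device_managed: bool      # enrolled in Intune (or hybrid/Azure AD joined)
    device_compliant: bool    # Intune compliance evaluation result, as reported to Azure AD
    app_managed: bool         # client app covered by an Intune app protection policy
    risk: str = "none"        # calculated risk from a Mobile Threat Defense partner


@dataclass(frozen=True)
class Policy:
    name: str
    cloud_apps: FrozenSet[str]
    target_groups: FrozenSet[str] = frozenset()   # empty means all users
    require_compliant_device: bool = False        # device-based Conditional Access
    require_managed_app: bool = False             # app-based Conditional Access
    block_risk_at_or_above: Optional[str] = None
    skip_for_trusted_ip: bool = False             # location exclusion


def evaluate(policies: List[Policy], s: Signals, app: str) -> Tuple[str, List[str]]:
    """Every in-scope policy must be satisfied; any failed control blocks the sign-in."""
    reasons = []
    for p in policies:
        if app not in p.cloud_apps:
            continue
        if p.target_groups and not (p.target_groups & s.groups):
            continue
        if p.skip_for_trusted_ip and s.from_trusted_ip:
            continue
        if p.require_compliant_device and not (s.device_managed and s.device_compliant):
            reasons.append(f"{p.name}: device is not managed and compliant")
        if p.require_managed_app and not s.app_managed:
            reasons.append(f"{p.name}: client app is not a managed app")
        if p.block_risk_at_or_above and RISK_LEVELS[s.risk] >= RISK_LEVELS[p.block_risk_at_or_above]:
            reasons.append(f"{p.name}: device risk is {s.risk}")
    return ("block" if reasons else "allow", reasons)


# Constructed sample policies (names and app labels are illustrative).
POLICIES = [
    Policy("Require compliant device for mail", frozenset({"Exchange Online"}),
           require_compliant_device=True, skip_for_trusted_ip=True),
    Policy("Require managed app for mail on BYOD", frozenset({"Exchange Online"}),
           target_groups=frozenset({"BYOD"}), require_managed_app=True),
    Policy("Block risky devices", frozenset({"Exchange Online", "SharePoint Online"}),
           block_risk_at_or_above="medium"),
]

if __name__ == "__main__":
    alice = Signals("alice", frozenset({"Staff"}), False, True, True, True)
    bob = Signals("bob", frozenset({"Staff", "BYOD"}), False, True, False, False, "high")
    for who in (alice, bob):
        print(who.user, evaluate(POLICIES, who, "Exchange Online"))
```

The returned reasons list is the part worth keeping in mind for troubleshooting: a blocked sign-in is often the sum of several policies, and a device that is enrolled but not compliant fails the device-based control just as an unenrolled device does.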

Next steps
Common ways to use Conditional Access with Intune
Common ways to use Conditional Access with Intune
Article • 02/22/2023

There are two types of Conditional Access policies you can use with Intune: device-
based Conditional Access and app-based Conditional Access. To support each, you'll
need to configure the related Intune policies. When the Intune policies are in place and
deployed, you can then use Conditional Access to do things like allow or block access to
Exchange, control access to your network, or integrate with a Mobile Threat Defense
solution.

The information in this article can help you understand how to use the Intune mobile
device compliance capabilities and the Intune mobile application management (MAM)
capabilities.

Note

Conditional Access is an Azure Active Directory (Azure AD) capability that is
included with an Azure AD Premium license. Intune enhances this capability by
adding mobile device compliance and mobile app management to the solution.
The Conditional Access node accessed from Intune is the same node as accessed
from Azure AD.

Device-based Conditional Access

Intune and Azure AD work together to make sure only managed and compliant devices
can access your organization's email, Microsoft 365 services, Software as a service (SaaS)
apps, and on-premises apps. Additionally, you can set a policy in Azure AD to only
enable domain-joined computers or mobile devices that are enrolled in Intune to access
Microsoft 365 services.

With Intune, you deploy device compliance policies to determine if a device meets your
expected configuration and security requirements. The compliance policy evaluation
determines the device's compliance status, which is reported to both Intune and Azure
AD. It's in Azure AD that Conditional Access policies can use a device's compliance
status to make decisions on whether to allow or block access to your organization's
resources from that device.

Device-based Conditional Access policies for Exchange online and other Microsoft 365
products are configured through the Microsoft Intune admin center.

Learn more about Require managed devices with Conditional Access in Azure
Active Directory.

Learn more about Intune device compliance.

Learn more about Supported browsers with Conditional Access in Azure Active
Directory.

Note

When you enable Device Based Access for content that users access from browser
apps on their Android personally-owned work profile devices, users that enrolled
before January 2021 must enable browser access as follows:

1. Launch the Company Portal app.
2. Go to the Settings page from the menu.
3. In the Enable Browser Access section, tap the ENABLE button.
4. Close and then restart the browser app.

This enables access in browser apps, but not to browser WebViews that open within
apps.

Applications available in Conditional Access for controlling Microsoft Intune
When you configure Conditional Access in the Azure AD portal, you have two
applications to choose from:

1. Microsoft Intune - This application controls access to the Microsoft Intune admin
center and data sources. Configure grants/controls on this application when you
want to target the Microsoft Intune admin center and data sources.
2. Microsoft Intune Enrollment - This application controls the enrollment workflow.
Configure grants/controls on this application when you want to target the
enrollment process. For more information, see Require multi-factor authentication
for Intune device enrollments.

Conditional Access based on network access control
Intune integrates with partners like Cisco ISE, Aruba Clear Pass, and Citrix NetScaler to
provide access controls based on the Intune enrollment and the device compliance
state.

Users can be allowed or denied access to corporate Wi-Fi or VPN resources based on
whether the device they're using is managed and compliant with Intune device
compliance policies.

Learn more about the NAC integration with Intune.

Conditional Access based on device risk

Intune partners with Mobile Threat Defense vendors that provide a security solution to
detect malware, Trojans, and other threats on mobile devices.

How the Intune and Mobile Threat Defense integration works
When mobile devices have the Mobile Threat Defense agent installed, the agent sends
compliance state messages back to Intune reporting when a threat is found on the
mobile device itself.

The Intune and mobile threat defense integration plays a factor in the Conditional
Access decisions based on device risk.

Learn more about Intune mobile threat defense.

Conditional Access for Windows PCs

Conditional Access for PCs provides capabilities similar to those available for mobile
devices. Let's talk about the ways you can use Conditional Access when managing PCs
with Intune.

Corporate-owned

- Hybrid Azure AD joined: This option is commonly used by organizations that are
reasonably comfortable with how they're already managing their PCs through AD
group policies or Configuration Manager.

- Azure AD domain joined and Intune management: This scenario is for
organizations that want to be cloud-first (that is, primarily use cloud services, with
a goal to reduce use of an on-premises infrastructure) or cloud-only (no on-
premises infrastructure). Azure AD Join works well in a hybrid environment,
enabling access to both cloud and on-premises apps and resources. The device
joins Azure AD and gets enrolled to Intune, which can be used as a
Conditional Access criterion when accessing corporate resources.

Bring your own device (BYOD)

- Workplace join and Intune management: Here the user can join their personal
devices to access corporate resources and services. You can use Workplace join
and enroll devices into Intune MDM to receive device-level policies, which are
another option to evaluate Conditional Access criteria.

Learn more about Device Management in Azure Active Directory.

App-based Conditional Access

Intune and Azure AD work together to make sure only managed apps can access
corporate e-mail or other Microsoft 365 services.

Learn more about app-based Conditional Access with Intune.

Intune Conditional Access for Exchange on-premises
Conditional Access can be used to allow or block access to Exchange on-premises
based on the device compliance policies and enrollment state. When Conditional Access
is used in combination with a device compliance policy, only compliant devices are
allowed access to Exchange on-premises.

You can configure advanced settings in Conditional Access for more granular control
such as:

- Allow or block certain platforms.
- Immediately block devices that aren't managed by Intune.


Any device used to access Exchange on-premises is checked for compliance when
device compliance and Conditional Access policies are applied.

When devices don't meet the conditions set, the end user is guided through the process
of enrolling the device to fix the issue that is making the device noncompliant.

Note

Beginning in July of 2020, support for the Exchange connector is deprecated, and
replaced by Exchange hybrid modern authentication (HMA). Use of HMA does not
require Intune to set up and use the Exchange Connector. With this change, the UI
to configure and manage the Exchange Connector for Intune has been removed
from the Microsoft Intune admin center, unless you already use an Exchange
connector with your subscription.

If you have an Exchange Connector set up in your environment, your Intune tenant
remains supported for its use, and you'll continue to have access to UI that
supports its configuration. For more information, see Install Exchange on-premises
connector. You can continue to use the connector or configure HMA and then
uninstall your connector.

Hybrid Modern Authentication provides functionality that was previously provided
by the Exchange Connector for Intune: mapping of a device identity to its Exchange
record. This mapping now happens outside of a configuration you make in Intune
or the requirement of the Intune connector to bridge Intune and Exchange. With
HMA, the requirement to use the Intune-specific configuration (the connector) has
been removed.

What's the Intune role?

Intune evaluates and manages the device state.

What's the Exchange server role?

Exchange server provides the API and infrastructure to move devices to quarantine.

Important

Keep in mind that the user who's using the device must have a compliance profile
and Intune license assigned to them so the device can be evaluated for compliance.
If no compliance policy is deployed to the user, the device is treated as compliant
and no access restrictions are applied.

Next steps
How to configure Conditional Access in Azure Active Directory

Set up app-based Conditional Access policies

How to create a Conditional Access policy for Exchange on-premises


Set up the on-premises Intune Exchange
connector
Article • 02/22/2023

Important

The information in this article applies to customers who are supported to use an
Exchange Connector.

Beginning in July of 2020, support for the Exchange connector is deprecated, and
replaced by Exchange hybrid modern authentication (HMA). If you have an
Exchange Connector set up in your environment, your Intune tenant remains
supported for its use, and you'll continue to have access to UI that supports its
configuration. You can continue to use the connector or configure HMA and then
uninstall your connector.

Use of HMA does not require Intune to set up and use the Exchange Connector.
With this change, the UI to configure and manage the Exchange Connector for
Intune has been removed from the Microsoft Intune admin center, unless you
already use an Exchange connector with your subscription.

To help protect access to Exchange, Intune relies on an on-premises component that's
known as the Microsoft Intune Exchange connector. This connector is also called the
Exchange ActiveSync on-premises connector in some locations of the Intune admin
center.

Important

Intune will be removing support for the Exchange On-Premises Connector feature
from the Intune service beginning in the 2007 (July) release. Existing customers with
an active connector will be able to continue with the current functionality at this
time. New customers and existing customers that do not have an active connector
will no longer be able to create new connectors or manage Exchange ActiveSync
(EAS) devices from Intune. For those tenants, Microsoft recommends the use of
Exchange hybrid modern authentication (HMA) to protect access to Exchange on-
premises. HMA enables both Intune App Protection Policies (also known as MAM)
and Conditional Access through Outlook Mobile for Exchange on-premises.

The information in this article can help you install and monitor the Intune Exchange
connector. You can use the connector with your conditional access policies to allow or
block access to your Exchange on-premises mailboxes.

The connector is installed and runs on your on-premises hardware. It discovers devices
that connect to Exchange, communicating device information to the Intune service. The
connector allows or blocks devices based on whether the devices are enrolled and
compliant. These communications use the HTTPS protocol.

When a device tries to access your on-premises Exchange server, the Exchange
connector maps Exchange ActiveSync (EAS) records in Exchange Server to Intune
records to make sure the device enrolls with Intune and complies with your device's
policies. Depending on your conditional access policies, the device can be allowed or
blocked. For more information, see What are common ways to use conditional access
with Intune?

Both discovery and allow and block operations are done by using standard Exchange
PowerShell cmdlets. These operations use the service account that's provided when the
Exchange connector is initially installed.

Intune supports the installation of multiple Intune Exchange connectors per
subscription. If you have more than one on-premises Exchange organization, you can set
up a separate connector for each. However, only one connector can be installed for each
Exchange organization.

Follow these general steps to set up a connection that enables Intune to communicate
with the on-premises Exchange server:

1. Download the on-premises connector from the Microsoft Intune admin center.
2. Install and configure the Exchange connector on a computer in the on-premises
Exchange organization.
3. Validate the Exchange connection.
4. Repeat these steps for each additional Exchange organization you want to connect
to Intune.

How conditional access for Exchange on-premises works

Conditional access for Exchange on-premises works differently than Azure Conditional
Access based policies. You install the Intune Exchange on-premises connector to directly
interact with Exchange server. The Intune Exchange connector pulls in all the Exchange
Active Sync (EAS) records that exist at the Exchange server so Intune can take these EAS
records and map them to Intune device records. These records are devices enrolled and
recognized by Intune. This process allows or blocks e-mail access.

If the EAS record is new and Intune isn't aware of it, Intune issues a cmdlet (pronounced
"command-let") that directs the Exchange server to block access to e-mail. Following are
more details on how this process works:

1. User tries to access corporate email, which is hosted on Exchange on-premises
2010 SP1 or later.

2. If the device is not managed by Intune, access to email will be blocked. Intune
sends a block notification to the EAS client.

3. EAS receives the block notification, moves the device to quarantine, and sends the
quarantine email with remediation steps that contain links so the users can enroll
their devices.

4. The Workplace join process happens, which is the first step to have the device
managed by Intune.

5. The device gets enrolled into Intune.

6. Intune maps the EAS record to a device record, and saves the device compliance
state.

7. The EAS client ID gets registered by the Azure AD Device Registration process,
which creates a relationship between the Intune device record, and the EAS client
ID.

8. The Azure AD Device Registration saves the device state information.

9. If the user meets the conditional access policies, Intune issues a cmdlet through
the Intune Exchange connector that allows the mailbox to sync.

10. Exchange server sends the notification to EAS client so the user can access e-mail.
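The block and allow steps in that flow are, as the article says, ordinary Exchange cmdlets. The following is an added example, not the connector's code and not from the Intune documentation, that shows what those operations look like when issued by hand from the Exchange Management Shell: quarantine unknown partnerships by default, then allow or block each of a mailbox's EAS device IDs according to a compliance decision. The mailbox address, notification text and the compliant device ID are constructed placeholders; in the real flow the compliant set comes from Intune's device records.

```powershell
# Added example (not the connector's code): the block/allow step of the flow above,
# expressed as the standard Exchange cmdlets the page says the connector uses.
# Run in the Exchange Management Shell with an account that holds the cmdlet
# permissions listed later in this article. All identifiers below are placeholders.

# Step 1 (one-time): make Quarantine the organization default so an EAS partnership
# that Intune does not yet know about is held, and the user receives the remediation
# mail, instead of syncing. 'Quarantine' is one of Exchange's DefaultAccessLevel values.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admin@contoso.example' `
    -UserMailInsert 'Enroll this device in Intune (Company Portal) before it can sync mail.'

# Constructed input. In the real flow this set comes from Intune's device records after
# the EAS client ID has been registered and the device has been evaluated as compliant.
$mailbox            = 'alice@contoso.example'
$compliantDeviceIds = @('ANDROID1234567890')

# Step 2: discover the EAS partnerships Exchange holds for the mailbox (this is what the
# connector pulls in and maps to Intune device records).
$partnerships = @(Get-ActiveSyncDevice -Mailbox $mailbox)

$allow = @($partnerships | Where-Object { $compliantDeviceIds -contains $_.DeviceId } |
          ForEach-Object DeviceId)
$block = @($partnerships | Where-Object { $compliantDeviceIds -notcontains $_.DeviceId } |
          ForEach-Object DeviceId)

# Step 3: write the decision to the mailbox. Exchange evaluates the per-mailbox
# allow/block lists before device access rules and before the organization default,
# so an allowed device syncs even with the Quarantine default in place.
# Passing $null clears a list that has no entries.
Set-CASMailbox -Identity $mailbox `
    -ActiveSyncAllowedDeviceIDs $(if ($allow) { $allow } else { $null }) `
    -ActiveSyncBlockedDeviceIDs $(if ($block) { $block } else { $null })

# Step 4: confirm the resulting state per device. DeviceAccessStateReason shows whether
# the decision came from the mailbox list (Individual), a rule (DeviceRule) or the
# organization default (Global).
Get-ActiveSyncDevice -Mailbox $mailbox |
    Select-Object DeviceId, DeviceType, DeviceAccessState, DeviceAccessStateReason |
    Format-Table -AutoSize
```

The connector does this continuously for every targeted mailbox during its quick and full syncs; doing it by hand is mainly useful to confirm that the service account's permissions and the Exchange side of the flow behave as expected.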

Intune Exchange connector requirements

To connect to Exchange, you need an account that has an Intune license that the
connector can use. You specify the account when you install the connector.

The following requirements apply to the computer on which you install the Intune
Exchange connector.

Operating systems: Intune supports the Intune Exchange connector on a computer that runs any
edition of Windows Server 2008 SP2 64-bit, Windows Server 2008 R2, Windows Server 2012,
Windows Server 2012 R2, or Windows Server 2016. The connector isn't supported on any
Server Core installation.

Microsoft Exchange: On-premises connectors require Microsoft Exchange 2010 SP3 or later or
legacy Exchange Online Dedicated. To determine if your Exchange Online Dedicated
environment is in the new or legacy configuration, contact your account manager.

Mobile device management authority: Set the mobile device management authority to Intune.

Hardware: The computer on which you install the connector requires a 1.6 GHz CPU with 2
GB of RAM and 10 GB of free disk space.

Active Directory synchronization: Before you use the connector to connect Intune to your
Exchange server, set up Active Directory synchronization. Your local users and security
groups must be synced with your instance of Azure Active Directory.

Additional software: The computer that hosts the connector must have a full installation of
Microsoft .NET Framework 4.5 and Windows PowerShell 2.0.

Network: The computer on which you install the connector must be in a domain that has a
trust relationship with the domain that hosts your Exchange server.

Configure the computer to allow it to access the Intune service through firewalls and proxy
servers over ports 80 and 443. Intune uses these domains:

- manage.microsoft.com
- *manage.microsoft.com
- *.manage.microsoft.com

The Intune Exchange connector communicates with the following services:

- Intune service: HTTPS port 443
- Exchange Client Access server (CAS): WinRM service port 443
- Exchange Autodiscover: port 443
- Exchange Web Services (EWS): port 443

Exchange cmdlet requirements

Create an Active Directory user account for the Intune Exchange connector. The account
must have permission to run the following Windows PowerShell Exchange cmdlets:

- Get-ActiveSyncOrganizationSettings, Set-ActiveSyncOrganizationSettings
- Get-CasMailbox, Set-CasMailbox
- Get-ActiveSyncMailboxPolicy, Set-ActiveSyncMailboxPolicy, New-ActiveSyncMailboxPolicy, Remove-ActiveSyncMailboxPolicy
- Get-ActiveSyncDeviceAccessRule, Set-ActiveSyncDeviceAccessRule, New-ActiveSyncDeviceAccessRule, Remove-ActiveSyncDeviceAccessRule
- Get-ActiveSyncDeviceStatistics
- Get-ActiveSyncDevice
- Get-ExchangeServer
- Get-ActiveSyncDeviceClass
- Get-Recipient
- Clear-ActiveSyncDevice, Remove-ActiveSyncDevice
- Set-ADServerSettings
- Get-Command
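The network and cmdlet requirements above are the two things most likely to be wrong on a freshly built connector host, and both can be checked before running the installer. The following is an added example (not part of the Intune documentation or the connector) that tests the listed endpoints and ports, then opens a remote Exchange PowerShell session as the service account and confirms every required cmdlet is visible to it. It assumes the host runs Windows Server 2012 R2 or later (Test-NetConnection is not present on the older releases in the requirements list), that the Exchange PowerShell virtual directory on the CAS is reachable over HTTPS, and that the three placeholder values are replaced with real ones.

```powershell
# Added example (not part of the Intune documentation or the connector): pre-installation
# checks for the connector host. Placeholders: $casFqdn, $autodiscoverHost, $svcAccount.
# Assumes Windows Server 2012 R2+ and an HTTPS-reachable Exchange PowerShell endpoint.

$casFqdn          = 'cas01.corp.contoso.example'       # placeholder: Exchange CAS FQDN
$autodiscoverHost = 'autodiscover.contoso.example'     # placeholder: Autodiscover/EWS host
$svcAccount       = 'CORP\svc-intune-exch'             # placeholder: connector service account

# 1. Network: the endpoints and ports from the requirements list above.
$targets = @(
    @{ Name = 'Intune service (443)'; Host = 'manage.microsoft.com'; Port = 443 },
    @{ Name = 'Intune service (80)';  Host = 'manage.microsoft.com'; Port = 80  },
    @{ Name = 'Exchange CAS WinRM';   Host = $casFqdn;               Port = 443 },
    @{ Name = 'Autodiscover / EWS';   Host = $autodiscoverHost;      Port = 443 }
)
foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,-22} {1}:{2} -> {3}' -f $t.Name, $t.Host, $t.Port, $state
}

# 2. Cmdlets: open a remote Exchange shell AS THE SERVICE ACCOUNT and confirm that every
#    cmdlet the connector needs is visible. A remote Exchange session only exposes the
#    cmdlets the account's RBAC roles grant, so Get-Command there is the authoritative check.
$required = @(
    'Get-ActiveSyncOrganizationSettings','Set-ActiveSyncOrganizationSettings',
    'Get-CasMailbox','Set-CasMailbox',
    'Get-ActiveSyncMailboxPolicy','Set-ActiveSyncMailboxPolicy',
    'New-ActiveSyncMailboxPolicy','Remove-ActiveSyncMailboxPolicy',
    'Get-ActiveSyncDeviceAccessRule','Set-ActiveSyncDeviceAccessRule',
    'New-ActiveSyncDeviceAccessRule','Remove-ActiveSyncDeviceAccessRule',
    'Get-ActiveSyncDeviceStatistics','Get-ActiveSyncDevice','Get-ExchangeServer',
    'Get-ActiveSyncDeviceClass','Get-Recipient','Clear-ActiveSyncDevice',
    'Remove-ActiveSyncDevice','Set-ADServerSettings','Get-Command'
)

$cred    = Get-Credential -UserName $svcAccount -Message 'Connector service account password'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://$casFqdn/PowerShell/" -Authentication Kerberos -Credential $cred
try {
    $visible = Invoke-Command -Session $session -ScriptBlock { (Get-Command).Name }
} finally {
    Remove-PSSession $session
}

$missing = $required | Where-Object { $visible -notcontains $_ }
if ($missing) {
    "Account $svcAccount is missing: $($missing -join ', ')"
} else {
    "Account $svcAccount can run all $($required.Count) required cmdlets."
}
```

Running the cmdlet check under the service account, rather than under an Exchange administrator, is the point: the installer stores that account's credentials, and a missing role assignment shows up later as sync failures rather than at install time.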

Download the installation package

Support for new installations of the Exchange connector was deprecated in July of 2020,
and the connector installation package is no longer available for download. Instead, use
Exchange hybrid modern authentication (HMA).

Install and configure the Intune Exchange connector

Support for new installations of the Exchange connector was deprecated in July of 2020,
and the connector installation package is no longer available for download. Instead, use
Exchange hybrid modern authentication (HMA). The following instructions are maintained
for customers who need to reinstall the connector.

Follow these steps to install the Intune Exchange connector. If you have multiple
Exchange organizations, repeat the steps for each Exchange connector you want to set
up.

1. On a supported operating system for the Intune Exchange connector, extract the
files in Exchange_Connector_Setup.zip to a secure location.

Important

Don't rename or move the files that are in the Exchange_Connector_Setup
folder. These changes would cause the connector installation to fail.

2. After the files are extracted, open the extracted folder and double-click
Exchange_Connector_Setup.exe to install the connector.

Important

If the destination folder isn't a secure location, delete the certificate file
MicrosoftIntune.accountcert when you finish installing your on-premises
connectors.

3. In the Microsoft Intune Exchange Connector dialog box, select either On-
premises Microsoft Exchange Server or Hosted Microsoft Exchange Server.
For an on-premises Exchange server, provide either the server name or the fully
qualified domain name of the Exchange server that hosts the Client Access Server
role.

For a hosted Exchange server, provide the Exchange server address. To find the
hosted Exchange server URL:

a. Open Outlook for Microsoft 365.

b. Choose the ? icon in the upper-left corner, and then select About.

c. Locate the POP External Server value.

d. Choose Proxy Server to specify proxy server settings for your hosted Exchange
server.
i. Select Use a proxy server when synchronizing mobile device information.

ii. Enter the proxy server name and the port number to be used to access the
server.

iii. If user credentials are required to access the proxy server, select Use
credentials to connect to the proxy server. Then enter the domain\user and
the password.

iv. Choose OK.

4. In the User (domain\user) and Password fields, enter credentials to connect to
your Exchange server. The account you specify must have a license to use Intune.

5. Provide credentials to send notifications to a user's Exchange Server mailbox. This
user can be dedicated to just notifications. The notifications user needs an
Exchange mailbox to send notifications by email. You can configure these
notifications by using conditional access policies in Intune.

Make sure the Autodiscover service and Exchange Web Services are configured on
the Exchange CAS. For more information, see Client Access server.

6. In the Password field, provide the password for this account to enable Intune to
access the Exchange server.

Note

The account you use to sign in to the tenant needs to be at least an Intune
service administrator. Without this administrator account, you'll get a failed
connection with the error "The remote server returned an error: (400) Bad
Request".

7. Choose Connect.

Note

It might take a few minutes to configure the connection.

During configuration, the Exchange connector stores your proxy settings to enable
access to the internet. If your proxy settings change, reconfigure the Exchange
connector to apply the updated proxy settings to the Exchange connector.

After the Exchange connector sets up the connection, mobile devices that are associated
with Exchange-managed users are automatically synchronized and added to the
Exchange connector. This synchronization might take some time to complete.

Note

If you install the Intune Exchange connector and later need to delete the Exchange
connection, you must uninstall the connector from the computer where it was
installed.

Install connectors for multiple Exchange organizations

Support for new installations of the Exchange connector was deprecated in July of 2020.
Instead, use Exchange hybrid modern authentication (HMA). The information in the
following sections is provided to support customers who might still use the on-premises
Intune Exchange connector.

On-premises Intune Exchange connector high availability support

For the on-premises connector, high availability means that if the Exchange CAS that the
connector uses becomes unavailable, the connector can switch to a different CAS for
that Exchange organization. The Exchange connector itself doesn't support high
availability. If the connector fails, there's no automatic failover and you must install a
new connector to replace the failed connector.

To fail over, the connector uses the specified CAS to create a successful connection to
Exchange. It then discovers additional CASs for that Exchange organization. This
discovery enables the connector to fail over to another CAS if one is available, until the
primary CAS becomes available.

By default, discovery of additional CASs is enabled. If you need to turn off failover:

1. On the server where the Exchange connector is installed, go to
%ProgramData%\Microsoft\Windows Intune Exchange Connector.

2. Using a text editor, open OnPremisesExchangeConnectorServiceConfiguration.xml.

3. Change <IsCasFailoverEnabled>true</IsCasFailoverEnabled> to
<IsCasFailoverEnabled>false</IsCasFailoverEnabled>.

Performance-tune the Exchange connector (optional)

When Exchange ActiveSync supports 5,000 or more devices, you can configure an
optional setting to improve the performance of the connector. You improve
performance by enabling Exchange to use multiple instances of a PowerShell command
run space.

Before you make this change, ensure the account you use to run the Exchange
connector isn't used for other Exchange management purposes. An Exchange account
has a limited number of run spaces, and the connector will use most of them.

Performance tuning isn't suitable for connectors that run on older or slower hardware.

To improve the Exchange connector performance:

1. On the server where the connector is installed, open the connector's installation
directory. The default location is C:\ProgramData\Microsoft\Windows Intune
Exchange Connector.

2. Edit the file OnPremisesExchangeConnectorServiceConfiguration.xml.

3. Locate EnableParallelCommandSupport and set the value to true:

<EnableParallelCommandSupport>true</EnableParallelCommandSupport>

4. Save the file, and then restart the Microsoft Intune Exchange connector service.
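Both of the preceding procedures (turning off CAS failover and enabling parallel command support) are the same edit to the same XML file followed by a service restart. The following is an added example, not from the Intune documentation, that performs that edit safely: it refuses to run if the element is absent rather than guessing where to insert it, keeps a timestamped backup, and restarts the service. The page gives only the service's display name ("Microsoft Intune Exchange connector"), so the service is located by a display-name wildcard; that pattern is an assumption, and the script stops if it does not match exactly one service.

```powershell
# Added example (not from the Intune documentation): toggle IsCasFailoverEnabled or
# EnableParallelCommandSupport in OnPremisesExchangeConnectorServiceConfiguration.xml
# with a backup, then restart the connector service. Run elevated on the connector host.
# Assumption: the service's display name contains "Intune Exchange Connector".

function Set-IntuneExchangeConnectorSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('IsCasFailoverEnabled', 'EnableParallelCommandSupport')]
        [string]$Name,

        [Parameter(Mandatory)]
        [bool]$Value,

        # Default path from the article; override if the connector was installed elsewhere.
        [string]$ConfigPath = (Join-Path $env:ProgramData 'Microsoft\Windows Intune Exchange Connector\OnPremisesExchangeConnectorServiceConfiguration.xml')
    )

    if (-not (Test-Path -Path $ConfigPath)) { throw "Config file not found: $ConfigPath" }

    # Keep a timestamped copy so the change can be reverted without reinstalling.
    $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $ConfigPath -Destination $backup

    [xml]$xml = Get-Content -Path $ConfigPath -Raw
    # local-name() sidesteps any default namespace on the document.
    $node = $xml.SelectSingleNode("//*[local-name()='$Name']")
    if (-not $node) {
        throw "Element <$Name> is not present in $ConfigPath; refusing to guess where it belongs."
    }

    $old = $node.InnerText
    $node.InnerText = $Value.ToString().ToLower()   # the file uses lowercase true/false
    $xml.Save($ConfigPath)
    "$Name`: $old -> $($node.InnerText) (backup: $backup)"
}

function Restart-IntuneExchangeConnector {
    # Assumption: display name contains "Intune Exchange Connector"; stop if ambiguous.
    $svc = @(Get-Service -DisplayName '*Intune Exchange Connector*' -ErrorAction Stop)
    if ($svc.Count -ne 1) { throw "Expected exactly one matching service, found $($svc.Count)." }
    Restart-Service -Name $svc[0].Name -Force
    (Get-Service -Name $svc[0].Name).Status
}

# Usage (uncomment as needed):
# Set-IntuneExchangeConnectorSetting -Name IsCasFailoverEnabled -Value $false
# Set-IntuneExchangeConnectorSetting -Name EnableParallelCommandSupport -Value $true
# Restart-IntuneExchangeConnector
```

Before enabling EnableParallelCommandSupport, re-read the caveat above: the service account should not be shared with other Exchange management tasks, because the connector will consume most of that account's available runspaces.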

Reinstall the Intune Exchange connector

Support for new installations of the Exchange connector was deprecated in July of 2020,
and the connector installation package is no longer available for download. Instead, use
Exchange hybrid modern authentication (HMA). The following information is provided to
support customers who might still use the on-premises Intune Exchange connector.

You might need to reinstall an Intune Exchange connector. Because only a single
connector can connect to each Exchange organization, if you install a second connector
for the organization, the new connector you install replaces the original connector.

1. To reinstall the new connector, follow the steps in the Install and configure the
Exchange connector section.

2. When prompted, select Replace to install the new connector.

3. Continue the steps from the Install and configure the Intune Exchange connector
section, and sign in to Intune again.

4. In the final window, select Close to complete the installation.

Monitor an Exchange connector

After you successfully configure the Exchange connector, you can view the status of the
connections and the last successful synchronization attempt:

1. Sign in to the Microsoft Intune admin center.

2. Select Tenant administration > Exchange access.

3. Select Exchange ActiveSync on-premises connector, and then select the
connector you want to view.

4. The console displays details for the connector you select, where you can view the
Status and the date and time of the last successful synchronization.

In addition to the in-console status, you can use the System Center Operations Manager
management pack for Exchange connector and Intune. The management pack offers
different ways to monitor the Exchange connector when you need to troubleshoot
issues.

Manually force a quick sync or full sync

Support for new installations of the Exchange connector was deprecated in July of 2020.
Instead, use Exchange hybrid modern authentication (HMA). The information in the
following sections is provided to support customers who might still use the on-premises
Intune Exchange connector.

An Intune Exchange connector automatically synchronizes EAS and Intune device
records regularly. If the compliance status of a device changes, the automatic sync
process regularly updates records so that device access can be blocked or allowed.

- A quick sync occurs regularly, several times a day. A quick sync retrieves device
information for Intune-licensed and on-premises Exchange users that are targeted
for conditional access and that have changed since the last sync.

- A full sync occurs once daily by default. A full sync retrieves device information for
all Intune-licensed and on-premises Exchange users that are targeted for
conditional access. A full sync also retrieves Exchange Server information and
ensures that the configuration that Intune specifies is updated on the Exchange
server.

You can force a connector to run a sync by using the Quick Sync or Full Sync options on
the Intune dashboard:

1. Sign in to the Microsoft Intune admin center.

2. Select Tenant administration > Exchange access > Exchange ActiveSync on-
premises connector.

3. Select the connector you want to sync, and then choose Quick Sync or Full Sync.

Next steps
Create a conditional access policy for on-premises Exchange servers.

Configure Exchange on-premises access for Intune
Article • 02/22/2023

This article shows you how to configure Conditional Access for Exchange on-premises
based on device compliance.

If you have an Exchange Online Dedicated environment and need to find out whether it
is in the new or the legacy configuration, contact your account manager. To control
email access to Exchange on-premises or to your legacy Exchange Online Dedicated
environment, configure Conditional Access to Exchange on-premises in Intune.

Important

The information in this article applies to customers who are supported to use an
Exchange Connector.

Beginning in July of 2020, support for the Exchange connector is deprecated, and
replaced by Exchange hybrid modern authentication (HMA). If you have an
Exchange Connector set up in your environment, your Intune tenant remains
supported for its use, and you'll continue to have access to UI that supports its
configuration. You can continue to use the connector or configure HMA and then
uninstall your connector.

Use of HMA does not require Intune to set up and use the Exchange Connector.
With this change, the UI to configure and manage the Exchange Connector for
Intune has been removed from the Microsoft Intune admin center, unless you
already use an Exchange connector with your subscription.

Before you begin

Before you can configure Conditional Access, verify the following configurations exist:

- Your Exchange version is Exchange 2010 SP3 or later. Exchange server Client
Access Server (CAS) array is supported.

- You have installed and use the Exchange ActiveSync on-premises Exchange
connector, which connects Intune to on-premises Exchange.

  Important

  Intune supports multiple on-premises Exchange connectors per subscription.
  However, each on-premises Exchange connector is specific to a single Intune
  tenant and cannot be used with any other tenant. If you have more than one
  on-premises Exchange organization, you can set up a separate connector for
  each Exchange organization.

  The connector for an on-premises Exchange organization can install on any
  machine as long as that machine can communicate with the Exchange server.

- The connector supports Exchange CAS environment. Intune supports installing the
connector on the Exchange CAS server directly. We recommend you install it on a
separate computer because of the additional load the connector puts on the
server. When configuring the connector, you must set it up to communicate to one
of the Exchange CAS servers.

- Exchange ActiveSync must be configured with certificate-based authentication, or
user credential entry.

- When Conditional Access policies are configured and targeted to a user, before a
user can connect to their email, the device they use must be:

  - Either enrolled with Intune or a domain joined PC.

  - Registered in Azure Active Directory. Additionally, the client Exchange
  ActiveSync ID must be registered with Azure Active Directory.

  Azure AD Device Registration Service (DRS) is activated automatically for Intune
  and Microsoft 365 customers. Customers who have already deployed the ADFS
  Device Registration Service don't see registered devices in their on-premises Active
  Directory. This does not apply to Windows PCs and devices.

  - Compliant with device compliance policies deployed to that device.

- If the device doesn't meet Conditional Access settings, the user is presented with
one of the following messages when they sign in:

  - If the device isn't enrolled with Intune, or isn't registered in Azure Active
  Directory, a message displays with instructions about how to install the
  Company Portal app, enroll the device, and activate email. This process also
  associates the device's Exchange ActiveSync ID with the device record in Azure
  Active Directory.

  - If the device isn't compliant, a message displays that directs the user to the
  Intune Company Portal website, or the Company Portal app. From the company
  portal, they can find information about the problem and how to remediate it.

Support for mobile devices

- Native email app on iOS/iPadOS - To create Conditional Access policy, see Create
Conditional Access policies

- EAS mail clients such as Gmail on Android 4 or later - To create Conditional
Access policy, see Create Conditional Access policies

- EAS mail clients on Android device administrator - To create Conditional Access
policy, see Create Conditional Access policies

- EAS mail clients on Android Enterprise Personally-Owned Work Profile devices -
Only Gmail and Nine Work for Android Enterprise are supported on Android
Enterprise personally-owned work profile devices. For Conditional Access to work
with Android Enterprise Personally-Owned Work Profiles, you must deploy an
email profile for the Gmail or Nine Work for Android Enterprise app, and also
deploy those apps as a required installation. After you deploy the app, you can set
up device-based Conditional Access.

To set up Conditional Access for Android Enterprise Personally-Owned Work Profile devices

1. Sign in to the Microsoft Intune admin center.

2. Deploy the Gmail or Nine Work app as Required.

3. Select Devices > Configuration profiles > Create profile, enter Name and
Description for the profile.

4. Select Android enterprise in Platform, select Email in Profile type.

5. Configure the email profile settings.

6. When you're done, select OK > Create to save your changes.

7. After you create the email profile, assign it to groups.

8. Set up device-based conditional access.

Note

Microsoft Outlook for Android and iOS/iPadOS is not supported via the Exchange
on-premises connector. If you want to leverage Azure Active Directory Conditional
Access policies and Intune App Protection Policies with Outlook for iOS/iPadOS and
Android for your on-premises mailboxes, please see Using hybrid Modern
Authentication with Outlook for iOS/iPadOS and Android.

Support for PCs

Conditional Access for Exchange on-premises currently supports the native Mail
application on Windows 8.1 and later (when enrolled into MDM with Intune).

Important

On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.

Configure Exchange on-premises access

Support for new installations of the Exchange connector was deprecated in July of 2020,
and the connector installation package is no longer available for download. Instead, use
Exchange hybrid modern authentication (HMA).

Before you can use the following procedure to set up Exchange on-premises access
control, you must install and configure at least one Intune on-premises Exchange
connector for Exchange on-premises.

1. Sign in to the Microsoft Intune admin center.

2. Go to Tenant administration > Exchange access, and then select Exchange On-
premises access.

3. On the Exchange on-premises access pane, choose Yes to Enable Exchange on-
premises access control.

4. Under Assignment, choose Select groups to include, and then select one or more
groups to configure access.

Members of the groups you select have the Conditional Access policy for Exchange
on-premises access applied to them. Users who receive this policy must enroll their
devices in Intune and be compliant with the compliance profiles before they can
access Exchange on-premises.

5. To exclude groups, choose Select groups to exclude, and then select one or more
groups that are exempt from requirements to enroll devices and to be compliant
with the compliance profiles before accessing Exchange on-premises.

Select Save to save your configuration, and return to the Exchange access pane.

6. Next, configure settings for the Intune on-premises Exchange connector. In the
admin center, select Tenant administration > Exchange Access > Exchange
ActiveSync on-premises connector and then select the connector for the
Exchange organization that you want to configure.

7. For User notifications, select Edit to open the Edit Organization workflow where
you can modify the User notification message.

Modify the default email message that's sent to users if their device isn't compliant
and they want to access Exchange on-premises. The message template uses
Markup language. You can also preview how the message looks as you type.

Select Review + save, and then Save to save your edits to complete configuration
of Exchange on-premises access.

Tip
To learn more about Markup language, see this Wikipedia article.

8. Next, select Advanced Exchange ActiveSync access settings to open the Advanced
Exchange ActiveSync access settings workflow where you configure device access
rules.

For Unmanaged device access, set the global default rule for access from
devices that are not affected by Conditional Access or other rules:

Allow access - All devices can access Exchange on-premises immediately.

Devices that belong to the users in the groups you configured as included
in the previous procedure are blocked if they're later evaluated as not
compliant with the compliance policies or not enrolled in Intune.

Block access and Quarantine – All devices are initially blocked from
accessing Exchange on-premises. Devices that belong to users in
the groups you configured as included in the previous procedure get
access after the device enrolls in Intune and is evaluated as compliant.

Android devices that do not run Samsung Knox standard don't support this
setting and are always blocked.

For Device platform exceptions, select Add, and then specify details as
needed for your environment.

If the Unmanaged device access setting is set to Blocked, devices that are
enrolled and compliant are allowed even if there's a platform exception to
block them.
9. Select OK to save your edits.

10. Select Review + save, and then Save to save the Exchange Conditional Access
policy.

Next steps
Next, create a compliance policy and assign it to the users for Intune to evaluate their
mobile devices. See Get started with device compliance.

Troubleshooting Intune on-premises Exchange connector in Microsoft Intune


Create a device-based Conditional Access policy
Article • 02/22/2023

With Microsoft Intune device compliance policies, your Azure Active Directory (Azure
AD) Conditional Access policies can use a device's status to either grant or deny access
to your organization's apps and services.

You can use the Microsoft Intune admin center to configure your device-based
Conditional Access policies. From within the admin center you have access to the
Conditional Access policy UI as found in Azure AD. Use of the Azure AD UI provides
access to all the options you would have if you were to configure the policy from within
the Azure portal. The policies you create can specify the apps or services you want to
protect, the conditions under which the apps or services can be accessed, and the users
the policy applies to.

To create a device-based Conditional Access policy, your account must have one of the
following permissions in Azure AD:

Global administrator
Security administrator
Conditional Access administrator

To take advantage of device compliance status, configure Conditional Access policies to
Require device to be marked as compliant. This option is set while configuring Grant
access during step 6 of the following procedure.

Important

Before you set up Conditional Access, you'll need to set up Intune device
compliance policies to evaluate devices based on whether they meet specific
requirements. See Get started with device compliance policies in Intune.

Create the Conditional Access policy


1. Sign in to the Microsoft Intune admin center .
2. Select Endpoint security > Conditional access > Policies > New policy.

The New pane opens, which is the configuration pane from Azure AD. The policy
you’re creating is an Azure AD policy for Conditional Access. To learn more about
this pane and Conditional Access policies, see Conditional Access policy
components in the Azure AD content.

3. Under Assignments, configure Users to select the Identities in the directory that
the policy applies to. To learn more, see Users and groups in the Azure AD
documentation.

On the Include tab, configure the users and groups you want to include.
Use the Exclude tab if there are any users, roles, or groups you want to
exclude from this policy.

Tip

Test the policy against a smaller group of users to make sure it works as
expected before deploying it to larger groups.

4. Next configure Cloud apps or actions, which is also under Assignments. For the
drop-down selection for what this policy applies to, choose Cloud apps.

On the Include tab, use available options to identify the apps and services
you want to protect with this Conditional Access policy.

If you choose Select apps, select the apps and services you want to protect
with this policy.

Caution
If you choose All cloud apps, be sure to review the warning, and then
Exclude from this policy your account or other relevant users and groups
that should retain access to use the Azure portal or Microsoft Intune
admin center after this policy takes effect.

Use the Exclude tab if there are any apps or services you want to exclude
from this policy.

For more information, see Cloud apps or actions in the Azure AD documentation.

5. Next, configure Conditions. Select the signals you want to use as conditions for
this policy. Options include:

User risk
Sign-in risk
Device platforms
Locations
Client apps
Filter for devices

For information about these options, see Conditions in the Azure AD
documentation.

Tip

If you want to protect both Modern authentication clients and Exchange
ActiveSync clients, create two separate Conditional Access policies, one for
each client type. Although Exchange ActiveSync supports modern
authentication, the only condition that is supported by Exchange ActiveSync is
platform. Other conditions, including multi-factor authentication, are not
supported. To effectively protect access to Exchange Online from Exchange
ActiveSync, create a Conditional Access policy that specifies the cloud app
Microsoft 365 Exchange Online and the client app Exchange ActiveSync with
Apply policy only to supported platforms selected.

6. Under Access controls, select Grant and then one or more requirements. To learn
about the options for Grant, see Grant in the Azure AD Documentation.

Block access: The users specified in this policy will be denied access to the
apps or services under the conditions you've specified.
Grant access: The users specified in this policy will be granted access, but you
can require any of the following further actions:
Require multi-factor authentication
Require device to be marked as compliant - This option is required for the
policy to use device compliance status.
Require Hybrid Azure AD joined device
Require approved client app
Require app protection policy
Require password change

7. Under Enable policy, select On. By default, the policy is set to Report-only.

8. Select Create.

Next steps
App-based Conditional Access with Intune

Troubleshooting Intune Conditional Access


Use app-based Conditional Access
policies with Intune
Article • 02/21/2023

Intune app protection policies work with Conditional Access, an Azure Active Directory (Azure AD)
capability, to help protect your organizational data on devices your employees use.
These policies work on devices that enroll with Intune and on employee-owned devices
that don't enroll.

App protection policies are rules that ensure an organization's data remains safe or
contained in a managed app.

An app protection policy can be a rule that's enforced when the user attempts to
access or move "corporate" data, or a set of actions that are prohibited or
monitored when the user is inside the app.
A managed app is an app that has app protection policies applied to it, and can be
managed by Intune.
You can also block the built-in mail apps on iOS/iPadOS and Android when you
allow only the Microsoft Outlook app to access Exchange Online. Additionally, you
can block apps that don't have Intune app protection policies applied from
accessing SharePoint Online.

App-based Conditional Access with client app management adds a security layer by
making sure only client apps that support Intune app protection policies can access
Exchange online and other Microsoft 365 services.

Prerequisites
Before you create an app-based Conditional Access policy, you must have:

Enterprise Mobility + Security (EMS) or an Azure AD Premium subscription
Users must be licensed for EMS or Azure AD

For more information, see Enterprise Mobility pricing or Azure Active Directory
pricing.

Supported apps
A list of apps that support app-based Conditional Access can be found in Conditional
Access: Conditions in the Azure AD documentation.
App-based Conditional Access also supports line-of-business (LOB) apps, but these apps
need to use Microsoft 365 modern authentication.

How app-based Conditional Access works


In this example, the admin has applied app protection policies to the Outlook app
followed by a Conditional Access rule that adds the Outlook app to an approved list of
apps that can be used when accessing corporate e-mail.

Note

The following flowchart can be used for other managed apps.

1. The user tries to authenticate to Azure AD from the Outlook app.

2. The user gets redirected to the app store to install a broker app when trying to
authenticate for the first time. The broker app can be the Microsoft Authenticator
for iOS, or Microsoft Company portal for Android devices.

If users try to use a native e-mail app, they'll be redirected to the app store to then
install the Outlook app.

3. The broker app gets installed on the device.

4. The broker app starts the Azure AD registration process, which creates a device
record in Azure AD. This process isn't the same as the mobile device management
(MDM) enrollment process, but this record is necessary so the Conditional Access
policies can be enforced on the device.

5. The broker app confirms the Azure AD device ID, the user, and the application. This
information is passed to the Azure AD sign-in servers to validate access to the
requested service.

6. The broker app sends the App Client ID to Azure AD as part of the user
authentication process to check if it's in the policy approved list.

7. Azure AD allows the user to authenticate and use the app based on the policy
approved list. If the app isn't on the list, Azure AD denies access to the app.

8. The Outlook app communicates with Outlook Cloud Service to initiate
communication with Exchange Online.

9. Outlook Cloud Service communicates with Azure AD to retrieve an Exchange Online
service access token for the user.

10. The Outlook app communicates with Exchange Online to retrieve the user's
corporate e-mail.

11. Corporate e-mail is delivered to the user's mailbox.

Next steps
Create an app-based Conditional Access policy
Block apps that don't have modern authentication

Set up app-based Conditional Access policies with Intune
Article • 02/22/2023

Set up app-based Conditional Access policies for apps that are part of the list of
approved apps. The list of approved apps consists of apps that were tested by
Microsoft.

Before you can use app-based Conditional Access policies, you need to have Intune app
protection policies applied to your apps.

Important

This article walks through the steps to add a simple app-based Conditional Access
policy. You can use the same steps for other cloud apps. For more information, see
Plan Conditional Access deployment.

Create app-based Conditional Access policies


Conditional Access is an Azure Active Directory (Azure AD) technology. The Conditional
Access node you access from Intune is the same node that you access from Azure AD.
Because it's the same node, you don't need to switch between Intune and Azure AD to
configure policies.

Before you can create Conditional Access policies from the Microsoft Intune admin
center, you must have an Azure AD Premium license.

To create an app-based Conditional Access policy


1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Conditional access > New policy.

3. Enter a policy Name, and then under Assignments, select Users or workload
identities, and apply the policy to Users and groups. Use the Include or Exclude
options to add your groups for the policy.

4. Select Cloud apps or actions, and apply the policy to Cloud apps. Use the Include
or Exclude options to select the apps to protect. For example, choose Select apps,
and select Office 365 (preview).
5. Select Conditions > Client apps to apply the policy to apps and browsers. For
example, select Yes, and then select the checkboxes to enable Browser and
Mobile apps and desktop clients.

6. Under Access controls, select Grant to apply Conditional Access based on device
compliance status. For example, select Grant access > Require approved client
app and Require app protection policy, then select Require one of the selected
controls.

7. For Enable policy, select On, and then select Create to save your changes. By
default, Enable policy is set to Report-only.
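
The device-based policy from "Create a device-based Conditional Access policy", the separate Exchange ActiveSync policy from its Tip, and the app-based policy from the procedure above, expressed as Microsoft Graph conditionalAccessPolicy objects and created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the Intune documentation; the group names and policy names are placeholders, and using the easSupported client app type as the Graph equivalent of "Apply policy only to supported platforms" is an assumption.

```powershell
# Added example (not from the Intune documentation): the three policies built in the
# admin center above, as Microsoft Graph conditionalAccessPolicy objects created with the
# Microsoft Graph PowerShell SDK. Group names and policy names are placeholders.
# Policy.ReadWrite.ConditionalAccess creates policies; Group.Read.All resolves group names.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'

function Get-GroupObjectId([string] $DisplayName) {
    $group = Get-MgGroup -Filter "displayName eq '$DisplayName'"
    if (-not $group) { throw "Group '$DisplayName' not found in the tenant." }
    return $group.Id
}

# Placeholders: a small pilot group (the Tip about testing on a smaller group first) and
# the accounts that must keep admin center access (the Caution about All cloud apps).
$pilotGroupId      = Get-GroupObjectId 'CA-Pilot-Users'
$breakGlassGroupId = Get-GroupObjectId 'CA-Exclude-BreakGlass'

# Application identifiers accepted by the Graph API.
$allCloudApps   = 'All'
$office365Apps  = 'Office365'
$exchangeOnline = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online

$policies = @(
    # 1. Device-based policy: modern authentication clients reach any cloud app only from
    #    a device marked compliant. Created in report-only state, the admin center default.
    @{
        displayName   = 'Require compliant device (pilot)'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeGroups = @($pilotGroupId); excludeGroups = @($breakGlassGroupId) }
            applications   = @{ includeApplications = @($allCloudApps) }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    },
    # 2. Separate policy for Exchange ActiveSync (the Tip): EAS honours only the platform
    #    condition, so this policy is scoped to Exchange Online and EAS clients and asks for
    #    nothing but a compliant device. 'easSupported' is assumed to be the Graph value for
    #    "Apply policy only to supported platforms".
    @{
        displayName   = 'Require compliant device - Exchange ActiveSync (pilot)'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeGroups = @($pilotGroupId); excludeGroups = @($breakGlassGroupId) }
            applications   = @{ includeApplications = @($exchangeOnline) }
            clientAppTypes = @('exchangeActiveSync', 'easSupported')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    },
    # 3. App-based policy: Office 365 from browsers and mobile/desktop clients, granted when
    #    the client is an approved app OR carries an app protection policy, which is what
    #    "Require one of the selected controls" (operator OR) means.
    @{
        displayName   = 'Require approved client app or app protection policy (pilot)'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeGroups = @($pilotGroupId); excludeGroups = @($breakGlassGroupId) }
            applications   = @{ includeApplications = @($office365Apps) }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('approvedApplication', 'compliantApplication') }
    }
)

foreach ($policy in $policies) {
    # Report-only records in the sign-in logs what the policy would have done without
    # blocking anyone; set state to 'enabled' only after those results look right.
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```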

Next steps
Block apps that don't have modern authentication
Protect app data with app protection policies
Learn about Conditional Access in Azure Active Directory

Block apps that don't use modern authentication (MSAL)
Article • 07/19/2023

App-based Conditional Access with app protection policies relies on applications using
modern authentication, which is an implementation of OAuth2. Most current Office
mobile and desktop applications use modern authentication. However, there are third-
party apps and older Office apps that use other authentication methods, like basic
authentication and forms-based authentication.

Block access to apps


To block access to apps that don't use modern authentication, use Intune app
protection policies to implement conditional access. For more information, see
App-based Conditional Access with Intune.

Additional information
For more information about Azure AD Conditional Access, see the following topics:

What is Conditional Access in Azure Active Directory?
How app-based Conditional Access works
Set up SharePoint Online and Exchange Online for Azure Active Directory
Conditional Access

Next steps
App-based Conditional Access with Intune

Configure the Jamf Cloud Connector to integrate with Microsoft Intune
Article • 08/30/2023

Important

Jamf macOS device support for Conditional Access is being deprecated.

Beginning on September 1, 2024, the platform that Jamf Pro’s Conditional Access
feature is built on will no longer be supported.

If you use Jamf Pro’s Conditional Access integration for macOS devices, follow
Jamf’s documented guidelines to migrate your devices to Device Compliance
integration at Migrating from macOS Conditional Access to macOS Device
Compliance – Jamf Pro Documentation.

If you need help, contact Jamf Customer Success. For more information, see the
blog post at https://aka.ms/Intune/Jamf-Device-Compliance.

This article can help you install the Jamf Cloud Connector to integrate Jamf Pro with
Microsoft Intune. Through integration, you can require that your macOS devices that are
managed by Jamf Pro meet your Intune device compliance requirements before those
devices are allowed to access your organization's resources. Resource access is
controlled by your Azure Active Directory (Azure AD) Conditional Access policies in the
same way as for devices managed through Intune.

We recommend use of the Jamf Cloud Connector as it automates many of the steps that
are required when you manually configure integration as documented in Integrate Jamf
Pro with Intune for compliance.

When you set up the Cloud Connector:

Set up automatically creates the Jamf Pro applications in Azure, replacing the need
to manually configure them.
You can integrate multiple instances of Jamf Pro with the same Azure tenant that
hosts your Intune subscription.

Connecting multiple instances of Jamf Pro with a single Azure tenant is supported only
when you use the Cloud Connector. When you use a manually configured connection,
only a single instance of Jamf can integrate with an Azure tenant.

Use of the Cloud Connector is optional:

For new tenants that don't yet integrate with Jamf, you can choose to configure
the Cloud Connector as described in this article. Or you can manually configure
integration as described in Integrate Jamf Pro with Intune for compliance.
For tenants that already have a manual configuration, you can choose to remove
that integration, and then set up the Cloud Connector. Both the removal of an
existing integration and setup of the Cloud Connector are described in this article.

If you plan to replace your previous integration with the Jamf Cloud Connector:

Use the procedure to remove your current configuration, which includes deleting
the Enterprise apps for Jamf Pro and disabling the manual integration. Then you
can use the procedure to configure the Cloud Connector.
You won't need to re-register devices. Devices that are already registered can use
the Cloud Connector without further configuration.
Be sure to configure the Cloud Connector within 24 hours of removing your
manual integration to ensure your registered devices can continue to report their
status.

For more information about the Jamf Cloud Connector, see Configuring the macOS
Intune Integration using the Cloud Connector on docs.jamf.com.

Prerequisites
Products and services:

Jamf Pro 10.18 or later
A Jamf Pro user account with Conditional Access privileges
Microsoft Intune
Microsoft Azure AD Premium
Company Portal app for macOS
macOS devices with OS X 10.12 Yosemite or later

Network:
The following ports and endpoints must be accessible for Jamf and Intune to integrate
correctly:

Intune: Port 443
Apple: Ports 2195, 2196, and 5223 (push notifications to Intune)
Jamf: Ports 80 and 5223

Endpoints:
login.microsoftonline.com
graph.windows.net
*.manage.microsoft.com

For APNS to function correctly on the network, you must enable outgoing connections
to, and redirects from the following ports:

The Apple 17.0.0.0/8 block over TCP ports 5223 and 443 from all client networks.
Ports 2195 and 2196 from Jamf Pro servers.

For more information about these ports, see the following articles:

Intune network configuration requirements and bandwidth.
Network Ports Used by Jamf Pro on jamf.com.
TCP and UDP ports used by Apple software products on support.apple.com.

Accounts:
Procedures in this article require use of accounts with the following permissions:

Jamf Pro console: An account with permissions to manage Jamf Pro
Microsoft Intune admin center: Global Administrator
Azure portal: Global Administrator

Remove the Jamf Pro integration for a previously configured tenant
Use the following procedure to remove a manually configured integration of Jamf Pro
from your Azure tenant before you can configure the Cloud Connector.

If you have not previously set up a connection between Jamf Pro and Intune, or if you have
one or more connections that already use the Cloud Connector, skip this procedure and
begin with Configure the Cloud Connector for a new tenant.

Remove a manually configured Jamf Pro integration


1. Sign in to the Jamf Pro console.

2. Select Settings (the gear icon in the upper right corner), and then go to Global
Management > Conditional Access.
3. Select Edit.

4. De-select the checkbox for Enable Intune Integration for macOS.

When you deselect this setting, you disable the connection but save your
configuration.

5. Sign in to the Microsoft Intune admin center and go to Tenant administration >
Partner device management.

On the Partner device management node, delete the Application ID in the
Specify the Azure Active Directory App ID for Jamf field, and then select Save.

The Application ID is the ID of the Azure Enterprise app that is created in Azure
when you set up a manual integration of Jamf Pro.

6. Sign in to the Azure portal with an account that has Global Admin permissions,
and go to Azure Active Directory > Enterprise applications.

Locate the two Jamf apps and delete them. New applications will be automatically
created when you configure the Jamf Cloud Connector in the next procedure.

After you've disabled integration in Jamf Pro, and deleted the Enterprise
applications, the Partner device management node displays the connection status
of Terminated.

Now that you've successfully removed the manual configuration for Jamf Pro
integration, you can set up integration using the Cloud Connector. To do so, see
Configure the Cloud Connector for a new tenant in this article.

Configure the Cloud Connector for a new tenant
Use the following procedure to configure the Jamf Cloud Connector to integrate Jamf
Pro and Microsoft Intune when:

You don't have any integration between Jamf Pro and Intune configured for your
Azure tenant.
You already have a Cloud Connector set up between Jamf Pro and Intune in your
Azure tenant and want to integrate another Jamf instance with your subscription.

If you currently have a manually configured integration between Intune and Jamf Pro,
see Remove the Jamf Pro integration for a previously configured tenant in this article to
remove that integration before proceeding. Removal of a manually configured
integration is required before you can successfully set up the Jamf Cloud Connector.

Create a new connection


1. Sign in to the Jamf Pro console.

2. Select Settings (the gear icon in the upper right corner), and then go to Global
Management > Conditional Access.
3. Select Edit.

4. Select the checkbox for Enable Intune Integration for macOS.

Select this setting to have Jamf Pro send inventory updates to Microsoft
Intune.
You can deselect this setting to disable the connection but save your
configuration.

Important

If Enable Intune Integration for macOS is already selected and the
Connection Type is set to Manual, you must remove that integration before
continuing. See Remove the Jamf Pro integration for a previously
configured tenant in this article.

5. Under Connection Type, select Cloud Connector.

6. From the Sovereign Cloud pop-up menu, select the location of your Sovereign
Cloud from Microsoft. If you're replacing your previous integration with the Jamf
Cloud Connector, you can skip this step if the location has been specified.

7. Select one of the following landing page options for computers that aren't
recognized by Microsoft Azure:

The Default Jamf Pro Device Registration page - Depending on the state of
the macOS device, this option redirects users to either the Jamf Pro device
enrollment portal (to enroll with Jamf Pro) or the Intune Company Portal app
(to register with Azure AD).
The Access Denied page
Custom URL

If you're replacing your previous integration with the Jamf Cloud Connector, you
can skip this step if the landing page has been specified.

8. Select Connect. You're redirected to register the Jamf Pro applications in Azure.

When prompted, specify your Microsoft Azure credentials and follow the onscreen
instructions to grant the requested permissions. You'll grant permissions for the
Cloud Connector, and then again for the Cloud Connector user registration app.
Both apps are registered in Azure as Enterprise Applications.

After permissions are granted for both apps, the Application ID page opens.

9. On the Application ID page, select Copy and open Intune.

The Application ID is copied to your system clipboard for use in the next step, and
the Partner device management node in the Microsoft Intune admin center opens.
(Tenant administration > Partner device management).

10. On the Partner device management node, paste the Application ID into the
Specify the Azure Active Directory App ID for Jamf field, and then select Save.
11. Return to the Application ID page in Jamf Pro and select Confirm.

12. Jamf Pro completes and tests the configuration and displays the success or failure
of the connection on the Conditional Access settings page. The following image is
an example of success:

13. In the Microsoft Intune admin center, refresh the Partner device management
node. The connection should now show as Active:

When the connection between Jamf Pro and Microsoft Intune is successfully established,
Jamf Pro sends inventory information to Microsoft Intune for each computer that is
registered with Azure AD (registering with Azure AD is an end-user workflow). You can
view the Conditional Access Inventory State for a user and a computer in the Local User
Account category of a computer's inventory information in Jamf Pro.

After you integrate one instance of Jamf Pro by using the Jamf Cloud Connector, you
can use this same procedure to configure more instances of Jamf Pro with the same
Intune subscription in your Azure tenant.

Set up compliance policies and register devices


After you configure integration between Intune and Jamf, you need to apply compliance
policies to Jamf-managed devices.

Disconnect Jamf Pro and Intune


To remove integration of Jamf Pro with Intune, use the following steps to remove the
connection from within the Jamf Pro console. This information applies to both the Cloud
Connector and for a manually configured integration.

Deprovision Jamf Pro from within the Microsoft Intune admin center

1. In the Microsoft Intune admin center, go to Tenant administration > Connectors
and tokens > Partner device management.

2. Select the option Terminate. Intune displays a message about the action. Review
the message and when ready, select OK. The option to Terminate the integration
only appears when the Jamf connection exists.

After you terminate the integration, refresh the view of the admin center to update the
view. Your organization's macOS devices are removed from Intune in 90 days.

Deprovision Jamf Pro from within the Jamf Pro console


Use the following steps to remove the connection from within the Jamf Pro console.

1. In the Jamf Pro console, go to Global Management > Conditional Access. On the
macOS Intune Integration tab, select Edit.

2. Clear the Enable Intune Integration for macOS check box.

3. Select Save. Jamf Pro sends your configuration to Intune and the integration will
be terminated.

4. Sign in to the Microsoft Intune admin center.

5. Select Tenant administration > Connectors and tokens > Partner device
management to verify that the status is now Terminated.

After you terminate the integration, your organization's macOS devices will be removed
at the date shown in your console, which is after three months.

Get support for the Cloud Connector


Because the Cloud Connector automatically creates the Azure Enterprise apps necessary
for integration, your first point of contact for support should be Jamf. Options include:

Email support at support@jamf.com
Use the support portal at Jamf Nation: https://www.jamf.com/support/

Prior to contacting support:

Review the Prerequisites such as ports and product version you use.

Confirm that permissions for the following two Jamf Pro apps created in Azure
haven't been modified. Changes to the app permissions aren't supported by Intune
and can cause integration to fail.

Cloud Connector user registration app:

API Name: Microsoft Graph
Permission: Sign in and read user profile
Type: Delegated
Granted through: Admin consent
Granted by: An administrator

Cloud Connector app:

API Name: Microsoft Graph (instance 1)
Permission: Sign in and read user profile
Type: Delegated
Granted through: Admin consent
Granted by: An administrator

API Name: Microsoft Graph (instance 2)
Permission: Read directory data
Type: Application
Granted through: Admin consent
Granted by: An administrator

API Name: Intune API
Permission: Send device attribute to Microsoft Intune
Type: Application
Granted through: Admin consent
Granted by: An administrator
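
One way to check the point above before contacting support, as an added example and not Jamf's or Microsoft's code: it reads each Jamf enterprise app's consented delegated and application permissions through the Microsoft Graph PowerShell SDK and compares them with the documented set, reporting anything missing or added. The enterprise app display names and the 'Microsoft Intune API' resource name are assumptions; adjust them to what the Cloud Connector created in your tenant.

```powershell
# Added example (not Jamf's or Microsoft's code): audit the consent on the two Jamf Pro
# enterprise apps against the documented permission set. The app display names and the
# 'Microsoft Intune API' resource name are assumptions for this example.
Connect-MgGraph -Scopes 'Application.Read.All'

# Expected consent per app, as "<resource API>|<permission display name>|<type>".
$expected = @{
    'Cloud Connector' = @(
        'Microsoft Graph|Sign in and read user profile|Delegated',
        'Microsoft Graph|Read directory data|Application',
        'Microsoft Intune API|Send device attribute to Microsoft Intune|Application'
    )
    'Cloud Connector user registration app' = @(
        'Microsoft Graph|Sign in and read user profile|Delegated'
    )
}

function Get-ConsentedPermissions {
    # Returns one row per consented permission of a service principal, resolving scope
    # values and app role IDs to display names through the resource service principal.
    param([Parameter(Mandatory)] $ServicePrincipal)
    $resourceCache = @{}
    $rows = @()

    # Delegated permissions are OAuth2 permission grants; ConsentType 'AllPrincipals'
    # means admin consent for the whole tenant.
    foreach ($grant in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $ServicePrincipal.Id -All) {
        if (-not $resourceCache[$grant.ResourceId]) {
            $resourceCache[$grant.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
        }
        $resource = $resourceCache[$grant.ResourceId]
        foreach ($scope in ($grant.Scope -split '\s+' | Where-Object { $_ })) {
            $def = $resource.Oauth2PermissionScopes | Where-Object Value -eq $scope
            $rows += [pscustomobject]@{
                Key     = '{0}|{1}|Delegated' -f $resource.DisplayName, $def.AdminConsentDisplayName
                Granted = $(if ($grant.ConsentType -eq 'AllPrincipals') { 'Admin consent' } else { 'User consent' })
            }
        }
    }

    # Application permissions are app role assignments; these always need admin consent.
    foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipal.Id -All) {
        if (-not $resourceCache[$assignment.ResourceId]) {
            $resourceCache[$assignment.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        }
        $resource = $resourceCache[$assignment.ResourceId]
        $role = $resource.AppRoles | Where-Object Id -eq $assignment.AppRoleId
        $rows += [pscustomobject]@{
            Key     = '{0}|{1}|Application' -f $resource.DisplayName, $role.DisplayName
            Granted = 'Admin consent'
        }
    }
    return $rows
}

foreach ($appName in $expected.Keys) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'" | Select-Object -First 1
    if (-not $sp) {
        Write-Warning "Enterprise app '$appName' not found; the Cloud Connector setup may not have completed."
        continue
    }
    $actual  = Get-ConsentedPermissions -ServicePrincipal $sp
    $missing = $expected[$appName] | Where-Object { $_ -notin $actual.Key }
    $extra   = $actual | Where-Object { $_.Key -notin $expected[$appName] }

    Write-Host "== $appName ($($sp.AppId)) =="
    $actual | ForEach-Object { Write-Host ("  {0}  [{1}]" -f $_.Key, $_.Granted) }
    # A missing permission breaks registration; an added one is an unsupported change
    # and widens what the app can do in the tenant.
    if ($missing) { Write-Warning ('Missing: ' + ($missing -join '; ')) }
    if ($extra)   { Write-Warning ('Added beyond the documented set: ' + ($extra.Key -join '; ')) }
    if (-not $missing -and -not $extra) { Write-Host '  Permissions match the documented set.' }
}
```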

Common questions about the Jamf Cloud Connector

What data is shared via the Cloud Connector?


The Cloud Connector authenticates with Microsoft Azure and sends device inventory
data from Jamf Pro to Azure. In addition, the Cloud Connector manages service
discovery in Azure, token exchange, communication errors, and disaster recovery.

Where is device inventory data stored?


Device inventory data is stored in the Jamf Pro database.

What credentials are stored?


No credentials are stored. When you configure the Cloud Connector, you must consent
to adding the Jamf multi-tenant app and the native macOS connector app to your Azure
AD tenant. Once the multi-tenant application is added, the Cloud Connector requests
access tokens to interact with the Azure API. Application access can be revoked in
Microsoft Azure at any time to restrict access.

How is data encrypted?


The Cloud Connector uses Transport Layer Security (TLS) for data sent between Jamf Pro
and Microsoft Azure.

How does Jamf know which device is associated with which instance of Jamf Pro?
Jamf Pro uses microservices in AWS to correctly route the device information to the
correct instance.

Can I switch from using the Cloud Connector to the Manual connection type?
Yes. You can change the connection type back to manual and follow the steps for
manual setup. If you have questions, they should be directed to Jamf for assistance.

Permissions were modified on one or both required apps (Cloud Connector and Cloud
Connector user registration app) and registration isn't working. Is the permissions
change supported?
Modifying the permissions on the apps isn't supported.

Is there a log file in Jamf Pro that shows if the Connection Type has been changed?
Yes, the changes are logged to the JAMFChangeManagement.log file. To view the
Change Management logs, sign in to Jamf Pro, go to Settings > System Settings >
Change Management > Logs, search Object type for Conditional Access, and then
select Details to view the changes.

Next steps
Apply compliance policies to Jamf-managed devices
Data Jamf sends to Intune

Manually Integrate Jamf Pro with Intune for compliance
Article • 08/30/2023

Important

Jamf macOS device support for Conditional Access is being deprecated.

Beginning on September 1, 2024, the platform that Jamf Pro’s Conditional Access
feature is built on will no longer be supported.

If you use Jamf Pro’s Conditional Access integration for macOS devices, follow
Jamf’s documented guidelines to migrate your devices to Device Compliance
integration at Migrating from macOS Conditional Access to macOS Device
Compliance – Jamf Pro Documentation.

If you need help, contact Jamf Customer Success. For more information, see the
blog post at https://aka.ms/Intune/Jamf-Device-Compliance.

Microsoft Intune supports integrating your Jamf Pro deployment to bring device
compliance and Conditional Access policies to your macOS devices. Through
integration, you can require that your macOS devices that are managed by Jamf Pro
meet your Intune device compliance requirements before those devices are allowed to
access your organization's resources. Resource access is controlled by your Azure Active
Directory (Azure AD) Conditional Access policies in the same way as for devices
managed through Intune.

When Jamf Pro integrates with Intune, you can sync the inventory data from macOS
devices with Intune, through Azure AD. Intune's compliance engine then analyzes the
inventory data to generate a report. Intune's analysis is combined with intelligence
about the device user's Azure AD identity to drive enforcement through Conditional
Access. Devices that are compliant with the Conditional Access policies can gain access
to protected company resources.

This article can help you manually integrate Jamf Pro with Intune.

Tip

Instead of manually configuring Jamf Pro integration with Intune, we recommend
configuring and using the Jamf Cloud Connector with Microsoft Intune. The Cloud
Connector automates many of the steps that are required when you manually
configure integration.

After you configure integration, you'll then configure Jamf and Intune to enforce
compliance with Conditional Access on devices managed by Jamf.

Prerequisites

Products and services

You need the following to configure Conditional Access with Jamf Pro:

Jamf Pro 10.1.0 or later
Microsoft Intune and Microsoft Azure AD Premium P1 licenses (recommended
Microsoft Enterprise Mobility + Security license bundle)
Global admin role in Azure AD.
A user with Microsoft Intune Integration privileges in Jamf Pro
Company Portal app for macOS
macOS devices with OS X 10.12 Yosemite or later

Network ports

The following ports should be accessible for Jamf and Intune to integrate correctly:

Intune: Port 443
Apple: Ports 2195, 2196, and 5223 (push notifications to Intune)
Jamf: Ports 80 and 5223

To allow APNS to function correctly on the network, you must also enable outgoing
connections to, and redirects from:

the Apple 17.0.0.0/8 block over TCP ports 5223 and 443 from all client networks.
ports 2195 and 2196 from Jamf Pro servers.

For more information about these ports, see the following articles:

Intune network configuration requirements and bandwidth.
Network Ports Used by Jamf Pro on jamf.com.
TCP and UDP ports used by Apple software products on support.apple.com

Connect Intune to Jamf Pro

To connect Intune with Jamf Pro:

1. Create a new application in Azure.
2. Enable Intune to integrate with Jamf Pro.
3. Configure Conditional Access in Jamf Pro.

Create an application in Azure Active Directory

1. In the Azure portal, go to Azure Active Directory > App Registrations, and then
select New registration.

2. On the Register an application page, specify the following details:

In the Name section, enter a meaningful application name, for example Jamf
Conditional Access.
For the Supported account types section, select Accounts in any
organizational directory.
For Redirect URI, leave the default of Web, and then specify the URL for your
Jamf Pro instance.

3. Select Register to create the application and to open the Overview page for the
new app.

4. On the app Overview page, copy the Application (client) ID value and record it for
later use. You'll need this value in later procedures.

5. Select Certificates & secrets under Manage. Select the New client secret button.
Enter a value in Description, select any option for Expires and choose Add.

Important

Before you leave this page, copy the value for the client secret and record it
for later use. You will need this value in later procedures. This value isn't
available again, without recreating the app registration.

6. Select API permissions under Manage.

7. On the API permissions page, remove all permissions from this app by selecting
the ... icon next to each existing permission. This removal is required; the
integration won't succeed if there are any unexpected extra permissions in this app
registration.
8. Next, add permissions to update device attributes. At the top left of the API
permissions page, select Add a permission to add a new permission.

9. On the Request API permissions page, select Intune, and then select Application
permissions. Select only the check box for update_device_attributes and save the
new permission.

10. Under Microsoft Graph, select Application permissions, then select
Application.Read.All.

11. Select Add permissions.

12. Navigate to APIs my organization uses. Search for and select Windows Azure
Active Directory. Select Application permissions, and then select
Application.Read.All.

13. Select Add permissions.

14. Next, grant admin consent for this app by selecting Grant admin consent for
<your tenant> in the top left of the API permissions page. You may need to
reauthenticate your account in the new window and grant the application access
by following the prompts.

15. Refresh the page by selecting Refresh at the top of the page. Confirm that admin
consent has been granted for the update_device_attributes permission.

16. After the app is registered successfully, the API permissions should only contain
one permission called update_device_attributes, and should appear as follows:

The app registration process in Azure AD is complete.

Note

If the client secret expires, you must create a new client secret in Azure and then
update the Conditional Access data in Jamf Pro. Azure allows you to have both the
old secret and new key active to prevent service disruptions.

Enable Intune to integrate with Jamf Pro

1. Sign in to the Microsoft Intune admin center.

2. Select Tenant administration > Connectors and tokens > Partner device
management.

3. Enable the Compliance Connector for Jamf by pasting the Application ID you saved
during the previous procedure into the Specify the Azure Active Directory App ID
for Jamf field.

4. Select Save.

Configure Microsoft Intune Integration in Jamf Pro

1. Activate the connection in the Jamf Pro console:
a. Open the Jamf Pro console and navigate to Global Management > Conditional
Access. Select Edit on the macOS Intune Integration tab.
b. Select the check box for Enable Intune Integration for macOS. When this
setting is enabled, Jamf Pro sends inventory updates to Microsoft Intune. Clear
the selection if you want to disable the connection but save your configuration.
c. Select Manual under Connection type.
d. From the Sovereign Cloud pop-up menu, select the location of your Sovereign
Cloud from Microsoft.
e. Select Open administrator consent URL and follow the onscreen instructions to
allow the Jamf Native macOS Connector app to be added to your Azure AD
tenant.
f. Add the Azure AD Tenant Name from Microsoft Azure.
g. Add the Application ID and Client Secret (previously called Application Key) for
the Jamf Pro application from Microsoft Azure.
h. Select Save. Jamf Pro tests your settings and verifies your success.

Return to the Partner device management page in Intune to complete the
configuration.

2. In Intune, go to the Partner device management page. Under Connector Settings
configure groups for assignment:

Select Include and specify which User groups you want to target for macOS
enrollment with Jamf.
Use Exclude to select groups of Users that won't enroll with Jamf and instead
will enroll their Macs directly with Intune.

Exclude overrides Include, which means any device that is in both groups is
excluded from Jamf and directed to enroll with Intune.

Note

This method of including and excluding user groups affects the enrollment
experience of the user. Any user with a macOS device that's already enrolled in
either Jamf or Intune who is then targeted to enroll with the other MDM must
unenroll their device and then re-enroll it with the new MDM before
management of the device works properly.

3. Select Evaluate to determine how many devices will be enrolled with Jamf, based
on your group configurations.

4. Select Save when you're ready to apply the configuration.

5. To proceed, you'll next need to use Jamf to deploy the Company Portal for Mac so
that users can register their devices to Intune.

Set up compliance policies and register devices

After you configure integration between Intune and Jamf, you need to apply compliance
policies to Jamf-managed devices.

Disconnect Jamf Pro and Intune

Should you need to remove integration of Jamf Pro with Intune, use one of the
following methods. Both methods apply to integration that is configured manually or by
using the Cloud Connector.

Deprovision Jamf Pro from within the Microsoft Intune admin center

1. In the Microsoft Intune admin center, go to Tenant administration > Connectors
and tokens > Partner device management.

2. Select the option Terminate. Intune displays a message about the action. Review
the message and when ready, select OK. The option to Terminate the integration
only appears when the Jamf connection exists.

After you terminate the integration, refresh the view of the admin center to update the
view. Your organization's macOS devices are removed from Intune in 90 days.

Deprovision Jamf Pro from within the Jamf Pro console

Use the following steps to remove the connection from within the Jamf Pro console.

1. In the Jamf Pro console, go to Global Management > Conditional Access. On the
macOS Intune Integration tab, select Edit.

2. Clear the Enable Intune Integration for macOS check box.

3. Select Save. Jamf Pro sends your configuration to Intune and the integration will
be terminated.

4. Sign in to the Microsoft Intune admin center.

5. Select Tenant administration > Connectors and tokens > Partner device
management to verify that the status is now Terminated.

After you terminate the integration, your organization's macOS devices will be removed
at the date shown in your console, which is after three months.

Next steps
Apply compliance policies to Jamf-managed devices
Data Jamf sends to Intune

Enforce compliance on Macs managed with Jamf Pro
Article • 08/30/2023

Important

Jamf macOS device support for Conditional Access is being deprecated.

Beginning on September 1, 2024, the platform that Jamf Pro’s Conditional Access
feature is built on will no longer be supported.

If you use Jamf Pro’s Conditional Access integration for macOS devices, follow
Jamf’s documented guidelines to migrate your devices to Device Compliance
integration at Migrating from macOS Conditional Access to macOS Device
Compliance – Jamf Pro Documentation .

If you need help, contact Jamf Customer Success . For more information, see the
blog post at https://aka.ms/Intune/Jamf-Device-Compliance .

After you integrate Jamf Pro with Intune, configure Intune compliance policies and
Azure Active Directory (Azure AD) Conditional Access policies to enforce compliance of
macOS devices with your organizational requirements.

This article can help you with the following tasks:

Create Conditional Access policies.
Configure Jamf Pro to deploy the Intune Company Portal app to devices you
manage with Jamf.
Configure devices to register with Azure AD when the device user signs in to the
Company Portal app they start from within the Jamf Self Service app. Device
registration establishes an identity in Azure AD that allows the device to be
evaluated by Conditional Access policies for access to company resources.

The procedures in this article require access to both the Intune and Jamf Pro consoles.
Intune supports two methods to integrate Jamf Pro, which you configure separately
from the procedures in this article:

Recommended - Use the Jamf Cloud Connector to integrate Jamf Pro with Intune
Manually configure integration of Jamf Pro with Intune

After integration is configured, device users learn about Jamf Pro and Intune integration
through either a communication from your IT department about how to register a
device, or by discovering the Intune Company Portal app that you deploy through Jamf
Pro Self Service. After device registration completes, inventory data collected by Jamf Pro
for that device is shared with Intune. Information is shared for only those Mac devices
that have completed.

Set up device compliance policies in Intune

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Compliance policies. If you're using a previously created policy,
select that policy in the admin center and then go to the next step of this
procedure. To create a new policy, select Create Policy and then specify details for
a policy with a Platform of macOS. Configure Settings and Actions for
noncompliance to meet your organizational requirements, and then select Create
to save the policy.

3. On the policy's Overview pane, select Assignments. Use the available options to
configure which Azure Active Directory (Azure AD) users and security groups
receive this policy. Jamf integration with Intune doesn't support compliance
policy that targets device groups.

Note

Jamf integration with Intune only supports Azure AD user groups. Device
compliance policies that are targeted to device groups will not apply.

4. When you select Save, the policy deploys to the users.

Policies you deploy target the devices that are used by the assigned users. Those
devices are evaluated for compliance. Compliant devices are marked as compliant for
the setting "Require device to be marked as compliant" in Azure AD.

Note

Intune requires full disk encryption to be compliant.

Deploy the Company Portal app for macOS in Jamf Pro

Create a policy in Jamf Pro to deploy the Intune Company Portal. This policy deploys the
company portal app so that it's available in Jamf Self Service. Create this policy before
you create policy in Jamf Pro for users to register devices with Azure AD.

To complete the following procedure, you need access to a macOS device and the Jamf
Pro portal.

To deploy the company portal app

1. On a macOS device, download but don't install the current version of the Company
Portal app for macOS . You only need a copy of the app so you can upload the
app to Jamf Pro.

2. Open Jamf Pro and go to Computer management > Packages.

3. Create a new package with the Company Portal app for macOS, then select Save.

4. Open Computers > Policies, then select New.

5. Use the General payload to configure settings for the policy. These settings should
be:

Trigger: select Enrollment Complete and Recurring Check-in
Execution Frequency: select Once per computer

6. Select the Packages payload and select Configure.

7. Select Add to select the package with the Company Portal app.

8. Select Install from the Action pop-up menu.

9. Configure the settings for the package.

10. Select the Scope tab to specify on which computers the Company Portal app
should install. Select Save. The policy runs on scoped devices the next time the
selected trigger occurs on the computer and the criteria in the General payload are
met.

Create a policy in Jamf Pro to have users register their devices with Azure Active
Directory

After you deploy the Company Portal for macOS through Jamf Pro Self-Service, you can
create the Jamf Pro policy that registers a user's device with Azure AD.

Device registration requires a device user to manually select the Intune Company Portal
app from within Jamf Self Service. We recommend you contact your end users through
email, Jamf Pro notifications, or any other method your organization uses to direct them
to complete this action to get their devices registered.

Warning

Launching the Company Portal app manually (such as from the Applications or
Downloads folders) won't register the device. If a device user launches the Company
Portal manually, they'll see a warning, 'AccountNotOnboarded'.

To create the registration policy

1. In Jamf Pro, go to Computers > Policies, and then create a new policy for device
registration.

2. Configure the Microsoft Intune Integration payload, including the trigger and
execution frequency.

3. Select the Scope tab, and then scope the policy to all targeted devices.

4. Select the Self Service tab to make the policy available in Jamf Self Service. Include
the policy in the Device Compliance category. Select Save.

Validate Intune and Jamf integration

Use the Jamf Pro console to confirm that communication between Jamf Pro and
Microsoft Intune is successful.

In Jamf Pro, go to Settings > Global Management > Microsoft Intune Integration,
and then select Test.

The console displays a message with the success or failure of the connection. Should the
connection test from the Jamf Pro console fail, review the Jamf configuration.

Removing a Jamf-managed device from Intune

To remove a Jamf-managed device, open the Microsoft Intune admin center, and select
Devices > All devices, select the device, and then select Delete. Bulk device deletion can
be enabled by selecting multiple devices and clicking Delete.

Get information on how to remove a Jamf-managed device in the Jamf Pro docs. You
can also file a support ticket with Jamf support for more help.

Next steps
Conditional Access in Azure Active Directory
Get started with Conditional Access in Azure Active Directory

Add Endpoint protection settings in Intune
Article • 02/22/2023

With Intune, you can use device configuration profiles to manage common Endpoint
protection security features on devices, including:

Firewall
BitLocker
Allowing and blocking apps
Microsoft Defender and encryption

For example, you can create an Endpoint protection profile that only allows macOS
users to install apps from the Mac App Store. Or, enable Windows SmartScreen when
running apps on Windows 10/11 devices.

Before you create a profile, review the following articles that detail the Endpoint
protection settings Intune can manage for each supported platform:

macOS settings
Windows settings

Create a device profile containing Endpoint protection settings

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose the platform of your devices. Your options:

macOS
Windows 10 and later

Profile: Select Templates > Endpoint protection.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name might include the
profile type and platform.
Description: Enter a description for the policy. This setting is optional, but
recommended.

Select Next.

6. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Choose your platform for detailed settings:

macOS settings
Windows settings

7. Select Next.

8. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

9. In Applicability Rules, use the Rule, Property, and Value options to define how this
profile applies within assigned groups. Intune applies the profile to devices that
meet the rules you enter. For more information about applicability rules, see
Applicability rules.

Select Next.

10. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Add custom Firewall rules for Windows 10/11 devices

When you configure the Microsoft Defender Firewall as part of a profile that includes
endpoint protection rules for Windows 10/11, you can configure custom rules for
Firewalls. Custom rules let you expand on the pre-defined set of Firewall rules supported
for Windows devices.

When you plan for profiles with custom Firewall rules, consider the following
information, which could affect how you choose to group firewall rules in your profiles:

Each profile supports up to 150 firewall rules. When you use more than 150 rules,
create additional profiles, each limited to 150 rules.
For each profile, if a single rule fails to apply, all rules in that profile are failed and
none of the rules are applied to the device.

When a rule fails to apply, all rules in the profile are reported as failed. Intune
cannot identify which individual rule failed.

The Firewall rules that Intune can manage are detailed in the Windows Firewall
configuration service provider (CSP). To review the list of custom firewall settings for
Windows devices that Intune supports, see Custom Firewall rules.
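A pre-flight check that encodes the two planning constraints above, as an added example that is not Microsoft's code and not the Windows Firewall CSP schema: the rule field names, the validation vocabulary and the sample rules are constructed for illustration. It validates every rule locally and splits the set into profiles of at most 150 rules, so a single bad rule is caught before it fails a whole profile that Intune can only report as failed as a unit.

```python
"""Pre-flight planner for custom firewall rules in an Intune Endpoint protection profile.

Added example, not Microsoft's code. It encodes two constraints from the
article: a profile holds at most 150 rules, and a profile is applied as a
unit, so one bad rule fails every rule in it and Intune cannot say which one.
Field names and the validation vocabulary below are constructed and are not
the Windows Firewall CSP node names.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_RULES_PER_PROFILE = 150          # per-profile limit stated in the article
PROTOCOLS = ("tcp", "udp", "any")    # constructed vocabulary for this example
_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


@dataclass(frozen=True)
class FirewallRule:
    """One custom rule; field names are constructed for this example."""
    name: str
    direction: str                 # "in" or "out"
    action: str                    # "allow" or "block"
    protocol: str = "any"          # "tcp", "udp" or "any"
    local_ports: str = ""          # "443" or "3389,5985-5986"; "" means all ports
    remote_addresses: str = ""     # comma-separated IPs/CIDRs; "" means any address


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Turn "80,443,5985-5986" into [(80, 80), (443, 443), (5985, 5986)]."""
    ranges = []
    for item in (p.strip() for p in spec.split(",")):
        if not item:
            continue
        match = _PORT_RE.match(item)
        if not match:
            raise ValueError(f"bad port spec {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port range {item!r} must be ascending and within 1-65535")
        ranges.append((low, high))
    return ranges


def validate_rule(rule: FirewallRule) -> List[str]:
    """Return the problems found in one rule; an empty list means it is usable."""
    errors = []
    if not rule.name.strip():
        errors.append("name is empty")
    if rule.direction not in ("in", "out"):
        errors.append(f"direction {rule.direction!r} must be 'in' or 'out'")
    if rule.action not in ("allow", "block"):
        errors.append(f"action {rule.action!r} must be 'allow' or 'block'")
    if rule.protocol not in PROTOCOLS:
        errors.append(f"protocol {rule.protocol!r} must be one of {PROTOCOLS}")
    elif rule.local_ports and rule.protocol == "any":
        errors.append("port filters need protocol tcp or udp")
    try:
        parse_ports(rule.local_ports)
    except ValueError as exc:
        errors.append(str(exc))
    for cidr in (a.strip() for a in rule.remote_addresses.split(",")):
        if not cidr:
            continue
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            errors.append(f"remote address {cidr!r} is not a valid IP or CIDR")
    return errors


def plan_profiles(rules: List[FirewallRule], base_name: str) -> Dict[str, List[FirewallRule]]:
    """Validate every rule, then split the set into profiles of at most 150 rules.

    Refuses to plan while any rule is invalid and names the offending rules,
    because once deployed Intune only reports that the whole profile failed.
    """
    bad = [(r.name.strip() or "<unnamed>", validate_rule(r)) for r in rules]
    bad = [(name, errs) for name, errs in bad if errs]
    if bad:
        detail = "; ".join(f"{name}: {', '.join(errs)}" for name, errs in bad)
        raise ValueError(f"{len(bad)} rule(s) would fail the whole profile: {detail}")
    dupes = sorted(n for n, c in Counter(r.name for r in rules).items() if c > 1)
    if dupes:
        raise ValueError(f"duplicate rule names: {dupes}")
    profiles: Dict[str, List[FirewallRule]] = {}
    for start in range(0, len(rules), MAX_RULES_PER_PROFILE):
        index = start // MAX_RULES_PER_PROFILE + 1
        profiles[f"{base_name}-{index:02d}"] = rules[start:start + MAX_RULES_PER_PROFILE]
    return profiles


if __name__ == "__main__":
    # Constructed sample: 301 outbound block rules need three profiles (150/150/1).
    sample = [FirewallRule(f"Block-out-{i}", "out", "block", "tcp", str(10000 + i))
              for i in range(301)]
    for name, chunk in plan_profiles(sample, "EP-FW").items():
        print(name, len(chunk))
```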

To add custom firewall rules to an Endpoint protection profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create Profile.

3. Enter the following properties:

Platform: Choose Windows 10 and later.

Profile: Select Templates > Endpoint protection.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name might include the
profile type and platform.
Description: Enter a description for the policy. This setting is optional, but
recommended.

Select Next.

6. In Configuration settings, expand Microsoft Defender Firewall. Next, for Firewall
rules, select Add to open the Create Rule page.

7. Specify settings for the Firewall rule, and then select Save to save it. To review the
available custom firewall rule options in documentation, see Custom Firewall rules.
a. The rule appears on the Microsoft Defender Firewall page in the list of rules.
b. To modify a rule, select the rule from the list, to open the Edit Rule page.
c. To delete a rule from a profile, select the ellipsis (…) for the rule, and then select
Delete.
d. To change the order in which rules display, select the up arrow, down arrow icon
at the top of the rule list.

Select Next.

8. In Assignments, select the device groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

9. In Applicability Rules, use the Rule, Property, and Value options to define how this
profile applies within assigned groups. Intune applies the profile to devices that
meet the rules you enter. For more information about applicability rules, see
Applicability rules.

Select Next.

10. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Next steps
Monitor the profile status.

Mobile Threat Defense integration with Intune
Article • 07/07/2023

Note

This article is about third-party Mobile Threat Defense vendors. For more
information on Microsoft Defender for Endpoint, see Microsoft Defender for
Endpoint.

Intune can integrate data from a Mobile Threat Defense (MTD) vendor as an information
source for device compliance policies and device Conditional Access rules. You can use
this information to help protect corporate resources like Exchange and SharePoint, by
blocking access from compromised mobile devices.

Intune can use this same data as a source for unenrolled devices using Intune app
protection policies. As such, admins can use this information to help protect corporate
data within a Microsoft Intune protected app, and issue a block or selective wipe.

Note

Intune for GCC High only supports the Mobile Threat Defense (MTD) connector for
Android and iOS devices with MTD vendors that also have support in this
environment. You will see connectors enabled for those specific vendors when you
log in with a GCC-H tenant. Learn more about Microsoft Intune for US
Government GCC High support.

Protect corporate resources

Integrating information from MTD vendors can help you protect your corporate
resources from threats that affect mobile platforms.

Typically, companies are proactive in protecting PCs from vulnerabilities and attack while
mobile devices often go unmonitored and unprotected. Where mobile platforms have
built-in protection such as app isolation and vetted consumer app stores, these
platforms remain vulnerable to sophisticated attacks. As more employees use devices
for work and to access sensitive information, the information from MTD vendors can
help you protect devices and your resources from increasingly sophisticated attacks.

Intune Mobile Threat Defense connectors

Intune uses a Mobile Threat Defense connector to create a channel of communication
between Intune and your chosen MTD vendor. Intune MTD partners offer intuitive, easy
to deploy applications for mobile devices. These applications actively scan and analyze
threat information to share with Intune. Intune can use the data for either reporting or
enforcement purposes.

For example: A connected MTD app reports to the MTD vendor that a phone on your
network is currently connected to a network that is vulnerable to Man-in-the-Middle
attacks. This information is categorized to an appropriate risk level of low, medium, or
high. This risk level is then compared with the risk level allowances you set in Intune.
Based on this comparison, access to certain resources of your choice can be revoked
while the device is compromised.

Connector status

Once you add a Mobile Threat Defense connector to your tenant, the status will show
one of the following states. For each status, the table also records whether device
threat messages and AppSync request messages are blocked:

Unavailable
  Definition: Connector is/was deprovisioned. The MTD partner will need to talk
  to Intune to provision it once more.
  Device threat messages blocked? Yes (starting 2308)
  AppSync request messages blocked? Yes (starting 2308)

Not Set Up
  Definition: Connector setup is not complete. There may be additional steps or
  permissions required within Intune or the MTD partner for this status to change
  to Available.
  Device threat messages blocked? No
  AppSync request messages blocked? No

Available
  Definition: Connector setup is complete. At least 1 platform toggle must be
  turned on for this status to change to Enabled.
  Device threat messages blocked? No
  AppSync request messages blocked? No

Enabled
  Definition: Connector setup is complete, and at least 1 platform toggle is
  currently turned on for this connector.
  Device threat messages blocked? No
  AppSync request messages blocked? No

Unresponsive
  Definition: Connector is not responsive. If the connector status continues to
  be unresponsive for the days defined in Number of days until partner is
  unresponsive, Intune will ignore the compliance state.
  Device threat messages blocked? No
  AppSync request messages blocked? No

Error
  Definition: Connector has an error code. Some MTD partners may choose to send
  this in an error case.
  Device threat messages blocked? No
  AppSync request messages blocked? No

Data that Intune collects for Mobile Threat Defense

If enabled, Intune collects app inventory information from both personal and corporate-
owned devices and makes it available for MTD providers to fetch, such as Lookout for
Work. You can collect an app inventory from the users of iOS devices.

This service is opt-in; no app inventory information is shared by default. An Intune
administrator must enable App Sync for iOS devices in the Mobile Threat Defense
connector settings before any app inventory information is shared.

App inventory
If you enable App Sync for iOS/iPadOS devices, inventories from both corporate and
personally owned iOS/iPadOS devices are sent to your MTD service provider. Data in the
app inventory includes:

App ID
App Version
App Short Version
App Name
App Bundle Size
App Dynamic Size
Whether the app is validated or not
Whether the app is managed or not

Sample scenarios for enrolled devices using device compliance policies

When a device is considered infected by the Mobile Threat Defense solution:

Access is granted when the device is remediated:

Sample scenarios for unenrolled devices using Intune app protection policies

When a device is considered infected by the Mobile Threat Defense solution:

Access is granted when the device is remediated:

Note

We recommend using one Mobile Threat Defense vendor per tenant per platform.

For Device Compliance, you can use multiple Mobile Threat Defense vendors with a
single Intune tenant. However, when two or more vendors are configured for use for
the same platform, all devices that run that platform must install each MTD app and
scan for threats. Failure to submit a scan from any configured app results in the
device being marked as non-compliant.

This recommendation does not apply to Microsoft Defender for Endpoint. You can
use Defender for Endpoint with a third-party MTD app and check compliance
separately by deploying different compliance policies to different groups.
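The compliance decision described in this note and in the connector status table, as an added example that is not Intune's code: vendor names and device data are constructed, and the Unresponsive handling (a partner whose connector has been unresponsive for longer than the configured number of days is neither required nor consulted) is this example's reading of "Intune will ignore the compliance state".

```python
"""Compliance decision for a device reporting through Mobile Threat Defense connectors.

Added example, not Intune's code. It models the rules stated in the article:
each MTD app reports a risk level (low, medium or high) that is compared with
the allowance set in Intune; when more than one vendor is enabled for a
platform, a device must submit a scan from every enabled app, and a missing
scan makes it non-compliant. Vendor names and device data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

RISK_ORDER = {"low": 1, "medium": 2, "high": 3}   # levels named in the article


@dataclass(frozen=True)
class Connector:
    vendor: str
    platform: str                              # "android" or "ios"
    status: str                                # a status from the article's table
    last_heartbeat: Optional[datetime] = None  # constructed; used for Unresponsive


@dataclass(frozen=True)
class Scan:
    vendor: str
    risk: str                                  # "low", "medium" or "high"


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str
    scans: List[Scan] = field(default_factory=list)


@dataclass(frozen=True)
class MtdConfig:
    connectors: List[Connector]
    max_allowed_risk: str                      # allowance set in the compliance policy
    unresponsive_days: int = 7                 # "Number of days until partner is unresponsive"


def required_vendors(config: MtdConfig, platform: str, now: datetime) -> Tuple[List[str], List[str]]:
    """Split this platform's connectors into vendors that must report and vendors ignored.

    Only Enabled connectors count. An Unresponsive connector is still consulted
    inside the grace window; once its heartbeat is older than the configured
    number of days, this example drops it from both the required and the used set.
    """
    required, ignored = [], []
    for c in config.connectors:
        if c.platform != platform:
            continue
        if c.status == "Enabled":
            required.append(c.vendor)
        elif c.status == "Unresponsive":
            stale = (c.last_heartbeat is None
                     or now - c.last_heartbeat >= timedelta(days=config.unresponsive_days))
            (ignored if stale else required).append(c.vendor)
        # Not Set Up, Available, Unavailable and Error contribute nothing here.
    return required, ignored


def evaluate(device: Device, config: MtdConfig, now: datetime) -> Dict[str, object]:
    """Every required vendor must have scanned the device at or under the allowance."""
    required, ignored = required_vendors(config, device.platform, now)
    allowed = RISK_ORDER[config.max_allowed_risk.lower()]
    reported = {s.vendor: s.risk.lower() for s in device.scans}
    reasons = []
    for vendor in required:
        risk = reported.get(vendor)
        if risk is None:
            reasons.append(f"{vendor}: no scan submitted")
        elif RISK_ORDER.get(risk, 99) > allowed:   # an unknown level fails closed
            reasons.append(f"{vendor}: risk {risk} exceeds allowed {config.max_allowed_risk}")
    return {"device_id": device.device_id, "compliant": not reasons,
            "reasons": reasons, "ignored_vendors": ignored}


if __name__ == "__main__":
    now = datetime(2023, 9, 1, tzinfo=timezone.utc)          # constructed clock
    config = MtdConfig(
        connectors=[Connector("VendorA", "android", "Enabled"),
                    Connector("VendorB", "android", "Enabled")],
        max_allowed_risk="medium")
    half = Device("android-1", "android", [Scan("VendorA", "low")])
    print(evaluate(half, config, now))   # non-compliant: VendorB never scanned
```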

Mobile Threat Defense partners

Learn how to protect access to company resources based on device, network, and
application risk with:

Better Mobile
BlackBerry Protect Mobile
Check Point Harmony Mobile
Lookout for Work
Microsoft Defender for Endpoint
MVISION Mobile
Pradeo
SentinelOne
Sophos Mobile
Symantec Endpoint Protection Mobile
Trend Micro Mobile Security as a Service
Wandera Mobile Threat Defense
Zimperium
Add Mobile Threat Defense apps to unenrolled devices
Article • 02/21/2023

By default, when using Intune app protection policies with Mobile Threat Defense,
Intune does the work to guide the end user on their device to install and sign in to all
required apps to enable the connections with the relevant services.

End users need the Microsoft Authenticator (iOS) to register their device, and the Mobile
Threat Defense (both Android and iOS) to receive notifications when a threat is
identified in their mobile devices, and to receive guidance to remediate the threats.

Optionally, you can use Intune to add and deploy the Microsoft Authenticator, and
Mobile Threat Defense (MTD) apps as well.

Note

This article applies to all Mobile Threat Defense partners that support app
protection policies:

Microsoft Defender for Endpoint (Android, iOS/iPadOS)
Better Mobile (Android, iOS/iPadOS)
Check Point Harmony Mobile (Android, iOS/iPadOS)
Lookout for Work (Android, iOS/iPadOS)
MVISION Mobile (Android, iOS/iPadOS)
SentinelOne (Android, iOS/iPadOS)
Symantec Endpoint Security (Android, iOS/iPadOS)
Wandera (Android, iOS/iPadOS)
Zimperium (Android, iOS/iPadOS)

For unenrolled devices, you do not need an iOS app configuration policy that sets
up the Mobile Threat Defense for iOS app you use with Intune. This is a key
difference compared to Intune enrolled devices.

Configure Microsoft Authenticator for iOS via Intune (optional)

When using Intune app protection policies with Mobile Threat Defense, Intune will guide
the end user to install, sign in to, and register their device with the Microsoft
Authenticator (iOS).

However, should you wish to make the app available to end users via the Intune
Company Portal, see the instructions for adding iOS store apps to Microsoft Intune. Use
this Microsoft Authenticator - iOS App Store URL when completing the Configure app
information section. Don't forget to assign the app to groups with Intune as the final
step.

Note

For iOS devices, you need the Microsoft Authenticator so users can have their
identities checked by Azure AD. The Intune Company Portal works as the broker on
Android devices so users can have their identities checked by Azure AD.

Making Mobile Threat Defense apps available via Intune (optional)

When you use Intune app protection policies with Mobile Threat Defense, Intune guides
the end user to install and sign in to the required Mobile Threat Defense client app.

However, should you wish to make the app available to end users via the Intune
Company Portal, you can follow the steps provided in the following sections. Make sure
you're familiar with the process of:

Adding an app into Intune
Assigning an app with Intune

Making Better Mobile available to end users

Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Active Shield - Play Store URL when completing the Configure app
information section.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
ActiveShield - App Store URL when completing the Configure app
information section.

Making Check Point Harmony Mobile Protect available to end users

Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Harmony Mobile Protect - Play Store URL when completing the Configure
app information section.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Harmony Mobile Protect - App Store URL when completing the Configure
app information section.

Making Lookout for Work available to end users

Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Lookout for Work - Play Store URL when completing the Configure app
information section.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Lookout for Work - iOS App Store URL when completing the Configure app
information section.

Making MVISION Mobile available to end users

Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
MVISION Mobile - Play Store URL when completing the Configure app
information section.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
MVISION Mobile - App Store URL when completing the Configure app
information section.

Making SentinelOne available to end users

Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
SentinelOne - Play Store URL when completing the Configure app
information section.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
SentinelOne - App Store URL when completing the Configure app
information section.

Making Symantec Endpoint Protection Mobile available to end users

Android
See the instructions for adding Android store apps to Microsoft Intune. When
completing the Configure app information section, use this SEP Mobile app
store URL. For Minimum operating system, select Android 4.0 (Ice Cream
Sandwich).

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this SEP
Mobile - App Store URL when completing the Configure app information
section.

Making Wandera available to end users


Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Wandera Mobile - Play Store URL when completing the Configure app
information section.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Wandera Mobile - App Store URL when completing the Configure app
information section.

Making Zimperium available to end users


Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Zimperium - Play Store URL when completing the Configure app information
section.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Zimperium - App Store URL when completing the Configure app information
section.

Next steps
Enable the Mobile Threat Defense connector in Intune for unenrolled devices
Create Mobile Threat Defense app
protection policy with Intune
Article • 02/21/2023

Intune with Mobile Threat Defense (MTD) helps you detect threats and assess risk on
mobile devices. You can create an Intune app protection policy that assesses risk to
determine if the device is allowed to access corporate data or not.

Note

This article applies to all Mobile Threat Defense partners that support app
protection policies:

Better Mobile (Android, iOS/iPadOS)
Check Point Harmony Mobile (Android, iOS/iPadOS)
Microsoft Defender for Endpoint (Android, iOS/iPadOS)
Lookout for Work (Android, iOS/iPadOS)
MVISION Mobile (Android, iOS/iPadOS)
SentinelOne (Android, iOS/iPadOS)
Symantec Endpoint Security (Android, iOS/iPadOS)
Wandera (Android, iOS/iPadOS)
Zimperium (Android, iOS/iPadOS)

Before you begin


As part of the MTD setup, in the MTD partner console, you created a policy that
classifies various threats as high, medium, and low. You now need to set the Mobile
Threat Defense level in the Intune app protection policy.

Prerequisites for app protection policy with MTD:

Set up MTD integration with Intune. Without this integration, the MTD app
protection policy will have no effect.

To create an MTD app protection policy


Use the procedure to create an Application protection policy for either iOS/iPadOS or
Android, and use the following information on the Apps, Conditional launch, and
Assignments pages:

Apps: Select the apps you wish to be targeted by app protection policies. For this
feature set, these apps are blocked or selectively wiped based on device risk
assessment from your chosen Mobile Threat Defense vendor.

Conditional launch: Below Device conditions, use the drop-down box to select Max
allowed device threat level.

Options for the threat level Value:


Secured: This level is the most secure. The device can't have any threats present
and still access company resources. If any threats are found, the device is
evaluated as noncompliant.
Low: The device is compliant if only low-level threats are present. Anything
higher puts the device in a noncompliant status.
Medium: The device is compliant if the threats found on the device are low or
medium level. If high-level threats are detected, the device is determined as
noncompliant.
High: This level is the least secure and allows all threat levels, using Mobile
Threat Defense for reporting purposes only. Devices are required to have the
MTD app activated with this setting.

Options for Action:


Block access
Wipe data

Assignments: Assign the policy to groups of users. The devices used by the
group's members are evaluated for access to corporate data on targeted apps via
Intune app protection.

Important

If you create an app protection policy for any protected app, the device's threat
level is assessed. Depending on the configuration, devices that don’t meet an
acceptable level are either blocked or selectively wiped through conditional launch.
If blocked, they are prevented from accessing corporate resources until the threat
on the device is resolved and reported to Intune by the chosen MTD vendor.

Next steps
Learn more about Mobile Threat Defense in Microsoft Intune.
Enable the Mobile Threat Defense
connector in Intune for unenrolled
devices
Article • 08/21/2023

During Mobile Threat Defense (MTD) setup, you've configured a policy for classifying
threats in your Mobile Threat Defense partner console and you've created the app
protection policy in Intune. If you've already configured the Intune connector in the
MTD partner console, you can now enable the MTD connection for MTD partner
applications.

Note

This article applies to all Mobile Threat Defense partners that support app
protection policies:

Better Mobile (Android, iOS/iPadOS)
Check Point Harmony Mobile Protect (Android, iOS/iPadOS)
Lookout for Work (Android, iOS/iPadOS)
MVISION Mobile (Android, iOS/iPadOS)
SentinelOne (Android, iOS/iPadOS)
Symantec Endpoint Security (Android, iOS/iPadOS)
Wandera (Android, iOS/iPadOS)
Zimperium (Android, iOS/iPadOS)

Classic conditional access policies for Mobile Threat Defense (MTD) apps

When you integrate a new application with Intune Mobile Threat Defense and enable the
connection to Intune, Intune creates a classic conditional access policy in Azure Active
Directory. Each third-party MTD partner you integrate with creates a new classic
conditional access policy. These policies can be ignored, but shouldn't be edited,
deleted, or disabled.

If the classic policy is deleted, you'll need to delete the connection to Intune that was
responsible for its creation, and then set it up again. This process recreates the classic
policy. It's not supported to migrate classic policies for MTD apps to the new policy type
for conditional access.

Classic conditional access policies for MTD apps:

Are used by Intune MTD to require that devices are registered in Azure AD so that
they have a device ID before communicating with MTD partners. The ID is required
so that devices can successfully report their status to Intune.

Have no effect on any other Cloud apps or Resources.

Are distinct from conditional access policies you might create to help manage
MTD.

By default, don't interact with other conditional access policies you use for
evaluation.

To view classic conditional access policies, in Azure, go to Azure Active Directory >
Conditional Access > Classic policies.

Note

With the 2308 service release of Intune, a classic Conditional Access (CA) policy is
no longer created for the Microsoft Defender for Endpoint connector. If your
tenant has one previously created due to an integration with Microsoft Defender
for Endpoint, it can be deleted. Classic CA policies continue to be needed for
third-party MTD partners.

To enable the MTD connector


1. Sign in to the Microsoft Intune admin center.

2. Select Tenant administration > Connectors and tokens > Mobile Threat Defense.
To set up an integration with a third-party Mobile Threat Defense vendor, you must
be a Global administrator.

3. On the Mobile Threat Defense pane, choose Add.

4. Choose your MTD solution as the Mobile Threat Defense connector to setup from
the drop-down list.

5. Enable the toggle options according to your organization's requirements. Toggle
options visible will vary depending on the MTD partner.

Mobile Threat Defense toggle options

Note

Ensure your tenant's MDM Authority is set to Intune (and not SCCM) to see the full
list of toggle options.

You can decide which MTD toggle options you need to enable according to your
organization's requirements. Here are more details:

App Protection Policy Settings

Connect Android devices of version 4.4 and above to <MTD partner name> for
app protection policy evaluation: When you enable this option, app protection
policies using the Device Threat Level rule will evaluate devices including data from
this connector.

Connect iOS devices version 11 and above to <MTD partner name> for app
protection policy evaluation: When you enable this option, app protection policies
using the Device Threat Level rule will evaluate devices including data from this
connector.

Common Shared Settings

Number of days until partner is unresponsive: Number of days of inactivity before
Intune considers the partner to be unresponsive because the connection is lost.
Intune ignores compliance state for unresponsive MTD partners.

Tip

You can see the Connection status and the Last synchronized time between Intune
and the MTD partner from the Mobile Threat Defense pane.

Next Steps
Create Mobile Threat Defense (MTD) app protection policy with Intune.
Add and assign Mobile Threat Defense
(MTD) apps with Intune
Article • 02/22/2023

You can use Intune to add and deploy Mobile Threat Defense (MTD) apps so that end
users receive notifications when a threat is identified on their mobile devices, and
receive guidance to remediate the threats.

Note

This article applies to all Mobile Threat Defense partners.

Before you begin


Complete the following steps in Intune. Make sure you're familiar with the process of:

Adding an app into Intune.
Adding an iOS app configuration policy into Intune.
Assigning an app with Intune.

Tip

The Intune Company Portal works as the broker on Android devices so users can
have their identities checked by Azure AD.

Configure Microsoft Authenticator for iOS


For iOS devices, you need the Microsoft Authenticator so users can have their identities
checked by Azure AD. Additionally, you need an iOS app configuration policy that sets
the MTD iOS app you use with Intune.

See the instructions for adding iOS store apps to Microsoft Intune. Use this Microsoft
Authenticator app store URL when you configure App information.

Configure your MTD apps with an app configuration policy

To simplify user onboarding, the Mobile Threat Defense apps on MDM-managed
devices use app configuration. For unenrolled devices, MDM based app configuration
isn't available. See Add Mobile Threat Defense apps to unenrolled devices.

BlackBerry Protect configuration policy


See the instructions for using Microsoft Intune app configuration policies for iOS to add
the BlackBerry Protect iOS app configuration policy.

Better Mobile app configuration policy


See the instructions for using Microsoft Intune app configuration policies for iOS to add
the Better Mobile iOS app configuration policy.

For Configuration settings format, select Enter XML data, copy the following
content and paste it into the configuration policy body. Replace the
https://client.bmobi.net URL with the appropriate console URL.

<dict>
    <key>better_server_url</key>
    <string>https://client.bmobi.net</string>
    <key>better_udid</key>
    <string>{{aaddeviceid}}</string>
    <key>better_user</key>
    <string>{{userprincipalname}}</string>
</dict>
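The following is an added example, not Intune's or Better Mobile's own code: it renders the dict above from the console URL and checks a pasted fragment before it goes into the policy body, enforcing that the console URL is https and that the two Intune substitution tokens are left untouched. The key names and tokens come from the template above; https://client.bmobi.net is the article's placeholder, not a value the check requires.

```python
"""Render and validate the Better Mobile iOS app configuration <dict> fragment.

Added example, not Intune's or Better Mobile's code. Key names and the two
Intune substitution tokens are taken from the article's template; the console
URL is whatever your Better Mobile tenant gives you.
"""
import plistlib
from urllib.parse import urlparse

REQUIRED_KEYS = {"better_server_url", "better_udid", "better_user"}

# Per-device / per-user values that Intune substitutes when the policy is
# delivered; they must be pasted exactly as written in the template.
EXPECTED_TOKENS = {
    "better_udid": "{{aaddeviceid}}",
    "better_user": "{{userprincipalname}}",
}


def render_app_config(server_url: str) -> str:
    """Return the <dict>...</dict> fragment for the "Enter XML data" body."""
    settings = {"better_server_url": server_url, **EXPECTED_TOKENS}
    full = plistlib.dumps(settings, sort_keys=False).decode("utf-8")
    # plistlib emits a whole plist document; Intune takes only the <dict>.
    start = full.index("<dict>")
    end = full.index("</dict>") + len("</dict>")
    return full[start:end]


def check_app_config(fragment: str) -> dict:
    """Parse a <dict> fragment as pasted into Intune and validate it.

    Raises ValueError for malformed XML, a missing key, a console URL that is
    not https, or a substitution token that differs from the template.
    """
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">'
        + fragment.strip()
        + "</plist>"
    )
    try:
        settings = plistlib.loads(document.encode("utf-8"))
    except Exception as exc:  # expat / plist structure errors
        raise ValueError(f"not a valid app configuration dict: {exc}") from exc
    if not isinstance(settings, dict):
        raise ValueError("top-level element must be a <dict>")
    missing = REQUIRED_KEYS - settings.keys()
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    url = urlparse(settings["better_server_url"])
    if url.scheme != "https" or not url.netloc:
        raise ValueError("better_server_url must be an https console URL")
    for key, token in EXPECTED_TOKENS.items():
        if settings[key] != token:
            raise ValueError(f"{key} must be the Intune token {token}")
    return settings


if __name__ == "__main__":
    # Placeholder console URL from the article; replace with your own.
    fragment = render_app_config("https://client.bmobi.net")
    print(fragment)
    print(check_app_config(fragment))
```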

Check Point Harmony Mobile Protect app configuration policy

See the instructions for using Microsoft Intune app configuration policies for iOS to add
the Check Point Harmony Mobile iOS app configuration policy.

For Configuration settings format, select Enter XML data, copy the following
content and paste it into the configuration policy body.

<dict><key>MDM</key><string>INTUNE</string></dict>

Lookout for Work app configuration policy


Create the iOS app configuration policy as described in the using iOS app configuration
policy article.

MVISION Mobile app configuration policy


Android Enterprise

See the instructions for using Microsoft Intune app configuration policies for
Android to add the MVISION Android app configuration policy.

For Configuration settings format, select Use configuration designer, and add the
following settings:

Configuration key   Value type   Configuration value
MDMDeviceID         string       {{AzureADDeviceId}}
tenantid            string       Copy value from admin console “Manage” page in the MVISION console
defaultchannel      string       Copy value from admin console “Manage” page in the MVISION console

iOS

See the instructions for using Microsoft Intune app configuration policies for iOS
to add the MVISION Mobile iOS app configuration policy.

For Configuration settings format, select Use configuration designer, and add the
following settings:

Configuration key   Value type   Configuration value
MDMDeviceID         string       {{AzureADDeviceId}}
tenantid            string       Copy value from admin console “Manage” page in the MVISION console
defaultchannel      string       Copy value from admin console “Manage” page in the MVISION console

Pradeo app configuration policy


Pradeo doesn't support application configuration policy on iOS/iPadOS. Instead, to get a
configured app, work with Pradeo to implement custom IPA or APK files that are
preconfigured with the settings you want.

SentinelOne app configuration policy


Android Enterprise

See the instructions for using Microsoft Intune app configuration policies for
Android to add the SentinelOne Android app configuration policy.

For Configuration settings format, select Use configuration designer, and add the
following settings:

Configuration key   Value type   Configuration value
MDMDeviceID         string       {{AzureADDeviceId}}
tenantid            string       Copy value from admin console “Manage” page in the SentinelOne console
defaultchannel      string       Copy value from admin console “Manage” page in the SentinelOne console

iOS

See the instructions for using Microsoft Intune app configuration policies for iOS
to add the SentinelOne iOS app configuration policy.

For Configuration settings format, select Use configuration designer, and add the
following settings:

Configuration key   Value type   Configuration value
MDMDeviceID         string       {{AzureADDeviceId}}
tenantid            string       Copy value from admin console “Manage” page in the SentinelOne console
defaultchannel      string       Copy value from admin console “Manage” page in the SentinelOne console

SEP Mobile app configuration policy


Use the same Azure AD account previously configured in the Symantec Endpoint
Protection Management console, which should be the same account used to sign in
to Intune.

Download the iOS app configuration policy file:

Go to the Symantec Endpoint Protection Management console and sign in with
your admin credentials.

Go to Settings, and under Integrations, choose Intune. Choose EMM
Integration Selection. Choose Microsoft, and then save your selection.

Select the Integration setup files link and save the generated *.zip file. The .zip
file contains the *.plist file that will be used to create the iOS app configuration
policy in Intune.

See the instructions for using Microsoft Intune app configuration policies for
iOS to add the SEP Mobile iOS app configuration policy.
For Configuration settings format, select Enter XML data, copy the content
from the *.plist file, and paste its content into the configuration policy body.

Note

If you are unable to retrieve the files, contact Symantec Endpoint Protection
Mobile Enterprise Support.

Sophos Mobile app configuration policy


Create the iOS app configuration policy as described in the using iOS app configuration
policy article. For more information, see Sophos Intercept X for Mobile iOS - Available
managed settings in the Sophos knowledge base.

Trend Micro Mobile Security as a Service app configuration policy

See the instructions for using Microsoft Intune app configuration policies for iOS to add
the Trend Micro Mobile Security as a Service app configuration policy.

Wandera app configuration policy

Note
For initial testing, use a test group when assigning users and devices in the
Assignments section of the configuration policy.

Android Enterprise

See the instructions for using Microsoft Intune app configuration policies for
Android to add the Wandera Android app configuration policy using the
information below when prompted.

1. In the RADAR Wandera Portal, select the Add button under Configuration
settings format.
2. Select Activation Profile URL from the list of Configuration Keys. Select OK.
3. For Activation Profile URL select string from the Value type menu then copy the
Shareable Link URL from the desired Activation Profile in RADAR.
4. In the Intune admin center app configuration UI, select Settings, define
Configuration settings format > Use Configuration Designer and paste the
Shareable Link URL.

Note

Unlike iOS, you will need to define a unique Android Enterprise app configuration
policy for each Wandera Activation Profile. If you don’t require multiple Wandera
Activation Profiles, you may use a single Android app configuration for all target
devices. When creating Activation Profiles in Wandera, be sure to select “Azure
Active Directory” under the Associated User configuration to ensure Wandera is
able to synchronize the device with Intune via UEM Connect.

iOS

See the instructions for using Microsoft Intune app configuration policies for iOS
to add the Wandera iOS app configuration policy using the information below
when prompted.

1. In RADAR Wandera Portal, navigate to Devices > Activations and select any
activation profile. Select Deployment Strategies > Managed Devices > Microsoft
Intune and locate the iOS App Configuration settings.
2. Expand the box to reveal the iOS app configuration XML and copy it to your
system clipboard.
3. In Intune admin center app configuration UI Settings, define Configuration
settings format > Enter XML data.
4. Paste the XML in the app configuration text box.

Note

A single iOS configuration policy may be used across all devices that are to be
provisioned with Wandera.

Zimperium app configuration policy


Android Enterprise

See the instructions for using Microsoft Intune app configuration policies for
Android to add the Zimperium Android app configuration policy.

For Configuration settings format, select Use configuration designer, and add the
following settings:

Configuration key   Value type   Configuration value
MDMDeviceID         string       {{AzureADDeviceId}}
tenantid            string       Copy value from admin console “Manage” page in the Zimperium console
defaultchannel      string       Copy value from admin console “Manage” page in the Zimperium console

iOS

See the instructions for using Microsoft Intune app configuration policies for iOS
to add the Zimperium iOS app configuration policy.

For Configuration settings format, select Use configuration designer, and add the
following settings:

Configuration key   Value type   Configuration value
MDMDeviceID         string       {{AzureADDeviceId}}
tenantid            string       Copy value from admin console “Manage” page in the Zimperium console
defaultchannel      string       Copy value from admin console “Manage” page in the Zimperium console

Assigning Mobile Threat Defense apps to end users via Intune
To install the Mobile Threat Defense app on the end user device, you can follow the
steps that are detailed in the following sections. Make sure you're familiar with the
process of:

Assigning apps to groups with Intune

Choose the section that corresponds to your MTD provider:

Better Mobile
Check Point Harmony Mobile Protect
Lookout for Work
MVISION Mobile
Pradeo
SentinelOne
Sophos Mobile
Symantec Endpoint Protection Mobile (SEP Mobile)
Wandera
Zimperium

Assigning Better Mobile


Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Active Shield app store URL for the Appstore URL.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
ActiveShield app store URL for the Appstore URL.

Assigning Check Point Harmony Mobile Protect


Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Check Point Harmony Mobile Protect app store URL for the Appstore URL.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Check Point Harmony Mobile Protect app store URL for the Appstore URL.
Assigning Lookout for Work
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Lookout for work Google app store URL for the Appstore URL.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Lookout for Work iOS app store URL for the Appstore URL.

Lookout for Work app outside the Apple store

You must re-sign the Lookout for Work iOS app. Lookout distributes its Lookout
for Work iOS app outside of the iOS App Store. Before distributing the app, you
must re-sign the app with your iOS Enterprise Developer Certificate.

For detailed instructions to re-sign the Lookout for Work iOS apps, see Lookout
for Work iOS app re-signing process on the Lookout website.

Enable Azure AD authentication for Lookout for Work iOS app users.

1. Go to the Azure portal, sign in with your credentials, then navigate to
the application page.

2. Add the Lookout for Work iOS app as a native client application.

3. Replace the com.lookout.enterprise.yourcompanyname with the
customer bundle ID you selected when you signed the IPA.

4. Add another redirect URI: <companyportal://code/> followed by a URL
encoded version of your original redirect URI.

5. Add Delegated Permissions to your app.

Note

See configure a native client application with Azure AD for more details.

Add the Lookout for Work ipa file.

Upload the re-signed .ipa file as described in the Add iOS LOB apps with
Intune article. You also need to set the minimum OS version to iOS 8.0 or
later.

Assigning MVISION Mobile


Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
MVISION Mobile app store URL for the Appstore URL.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
MVISION Mobile app store URL for the Appstore URL.

Assigning Pradeo
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Pradeo app store URL for the Appstore URL.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Pradeo app store URL for the Appstore URL.

Assigning SentinelOne
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
SentinelOne app store URL for the Appstore URL.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
SentinelOne app store URL for the Appstore URL.

Assigning Sophos
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Sophos app store URL for the Appstore URL.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
ActiveShield app store URL for the Appstore URL.

Assigning Symantec Endpoint Protection Mobile


Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
SEP Mobile app store URL for the Appstore URL. For Minimum operating
system, select Android 4.0 (Ice Cream Sandwich).

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this SEP
Mobile app store URL for the Appstore URL.

Assigning Wandera
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Wandera Mobile app store URL for the Appstore URL. For Minimum
operating system, select Android 8.0.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Wandera Mobile app store URL for the Appstore URL.

Assigning Zimperium
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Zimperium app store URL for the Appstore URL.

iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Zimperium app store URL for the Appstore URL.

Next steps
Configure the device compliance policy for MTD
Create Mobile Threat Defense (MTD)
device compliance policy with Intune
Article • 02/22/2023

Intune with MTD helps you detect threats and assess risk on mobile devices. You can
create an Intune device compliance policy rule that assesses risk to determine if the
device is compliant or not. You can then use a Conditional Access policy to block access
to services based on device compliance.

Note

This information applies to all Mobile Threat Defense partners.

Before you begin


As part of the MTD setup, in the MTD partner console, you created a policy that
classifies various threats as high, medium, and low. Next you'll set the Mobile Threat
Defense level in the Intune device compliance policy.

Prerequisites for device compliance policy with MTD:

Set up MTD integration with Intune

To create an MTD device compliance policy


1. Sign in to the Microsoft Intune admin center .

2. Select Endpoint security > Device Compliance > Create Policy.

3. Select the Platform, and then Create.

4. On Basics, specify a device compliance policy Name, and Description (optional).
Select Next to continue.

5. On Compliance settings, expand and configure Device Health. Choose the Mobile
Threat Level from the drop-down list for Require the device to be at or under the
Device Threat Level.

Secured: This level is the most secure. The device can't have any threats
present and still access company resources. If any threats are found, the
device is evaluated as noncompliant.

Low: The device is compliant if only low-level threats are present. Anything
higher puts the device in a noncompliant status.

Medium: The device is compliant if the threats found on the device are low or
medium level. If high-level threats are detected, the device is determined as
noncompliant.

High: This threat level is the least secure as it allows all threat levels and uses
Mobile Threat Defense for reporting purposes only. Devices are required to
have the MTD app activated with this setting.

6. Select Next to advance through to Assignments. Select the groups that will receive
this profile.

Important

You will see the option to either select user groups, or device based groups under
Select groups to include. The Require the device to be at or under the Device
Threat Level setting is currently only supported with user groups. Targeting device
groups is currently not supported and they should not be selected.

Select Next.

7. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list when you select the policy type for the profile you created.

Important

If you create Conditional Access policies for Microsoft 365 or other services, the
device compliance evaluation is assessed and noncompliant devices are blocked
from accessing corporate resources until the threat is resolved in the device and
reported to Intune via the chosen MTD vendor.
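The threat-level comparison described above for the device compliance policy, and earlier for the app protection policy's Max allowed device threat level and its Block access / Wipe data actions, is modelled in the following added example (not Intune's code). The level ordering, the MTD-app requirement and the connector's "Number of days until partner is unresponsive" setting follow the articles; treating an unresponsive partner as "rule skipped" and applying the MTD-app requirement at every level are assumptions made here.

```python
"""Model of the Intune MTD device threat level rule.

Added example, not Intune's own code. It shows how the four threat levels
(Secured, Low, Medium, High) from the MTD partner compare with the configured
"Max allowed device threat level" / "Require the device to be at or under the
Device Threat Level" setting, and how the connector's unresponsive-partner
setting changes the outcome.
"""
from dataclasses import dataclass
from typing import List

# Ordered from most to least restrictive. A device passes when the worst
# threat reported for it is at or under the configured level.
THREAT_LEVELS = ("secured", "low", "medium", "high")


def rank(level: str) -> int:
    """Position of a level in the ordering; rejects unknown names."""
    if level not in THREAT_LEVELS:
        raise ValueError(f"unknown threat level: {level!r}")
    return THREAT_LEVELS.index(level)


@dataclass
class DeviceReport:
    device_id: str                 # constructed sample id, not a real device id
    mtd_app_activated: bool        # partner app activated on the device
    threats: List[str]             # levels the partner classified, e.g. ["low", "high"]
    days_since_partner_sync: int   # from the connector's "Last synchronized" time


@dataclass
class Verdict:
    evaluated: bool   # False when the rule was skipped (partner unresponsive)
    allowed: bool     # compliant / allowed to reach corporate data
    reason: str


def highest_threat(threats: List[str]) -> str:
    """No reported threats is the 'secured' state; otherwise the worst one decides."""
    return max(threats, key=rank) if threats else "secured"


def evaluate_device_threat_level(report: DeviceReport, max_allowed: str,
                                 days_until_unresponsive: int) -> Verdict:
    """Apply the threat-level rule together with the connector's
    "Number of days until partner is unresponsive" setting."""
    rank(max_allowed)  # validate the configured level early
    if report.days_since_partner_sync > days_until_unresponsive:
        # Assumption: "Intune ignores compliance state for unresponsive MTD
        # partners" is modelled as the rule not being applied to the device.
        return Verdict(False, True, "MTD partner unresponsive; rule skipped")
    if not report.mtd_app_activated:
        # The article states this requirement for the High level; it is
        # applied at every level here (assumption).
        return Verdict(True, False, "MTD app not activated on the device")
    worst = highest_threat(report.threats)
    if rank(worst) <= rank(max_allowed):
        return Verdict(True, True,
                       f"highest threat '{worst}' is at or under '{max_allowed}'")
    return Verdict(True, False,
                   f"highest threat '{worst}' exceeds '{max_allowed}'")


def conditional_launch_action(verdict: Verdict, action: str) -> str:
    """App protection policy: a failing device gets the configured Action
    ('block' = Block access, 'wipe' = Wipe data); otherwise it is allowed."""
    if action not in ("block", "wipe"):
        raise ValueError(f"unknown action: {action!r}")
    return action if (verdict.evaluated and not verdict.allowed) else "allow"


if __name__ == "__main__":
    # Constructed sample reports for a policy set to Medium, connector set to
    # 7 days until the partner is considered unresponsive.
    fleet = [
        DeviceReport("dev-1", True, [], 0),
        DeviceReport("dev-2", True, ["low", "medium"], 1),
        DeviceReport("dev-3", True, ["high"], 1),
        DeviceReport("dev-4", False, [], 0),
        DeviceReport("dev-5", True, ["high"], 10),
    ]
    for dev in fleet:
        v = evaluate_device_threat_level(dev, "medium", days_until_unresponsive=7)
        print(dev.device_id, conditional_launch_action(v, "block"), "-", v.reason)
```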

To assign an MTD device compliance policy


To assign, or change the assignment of a device compliance policy to users:

1. Sign in to the Microsoft Intune admin center .

2. Select Endpoint security > Device compliance.

3. Select the policy you want to assign to users, and then select Properties.

4. Select Edit for Assignments, and then use the available options to Include and
Exclude groups to receive this policy. As a reminder, targeting device groups is
currently not supported and they should not be selected.

5. Select Review + save to complete the assignment. When you save the assignment,
the policy deploys to your selected users and their devices are evaluated for
compliance.

Next steps
Enable MTD with Intune
Enable the Mobile Threat Defense
connector in Intune
Article • 07/31/2023

During Mobile Threat Defense (MTD) setup, you've configured a policy for classifying
threats in your Mobile Threat Defense partner console and you've created the device
compliance policy in Intune. If you've already configured the Intune connector in the
MTD partner console, you can now enable the MTD connection for MTD partner
applications.

Note

This topic applies to all Mobile Threat Defense partners.

Classic conditional access policies for Mobile Threat Defense (MTD) apps

When you integrate a new application with Intune Mobile Threat Defense and enable the
connection to Intune, Intune creates a classic conditional access policy in Azure Active
Directory. Each third-party MTD partner you integrate with creates a new classic
conditional access policy. These policies can be ignored, but shouldn't be edited,
deleted, or disabled.

If the classic policy is deleted, you'll need to delete the connection to Intune that was
responsible for its creation, and then set it up again. This process recreates the classic
policy. It's not supported to migrate classic policies for MTD apps to the new policy type
for conditional access.

Classic conditional access policies for MTD apps:

Are used by Intune MTD to require that devices are registered in Azure AD so that
they have a device ID before communicating with MTD partners. The ID is required
so that devices can successfully report their status to Intune.

Have no effect on any other Cloud apps or Resources.

Are distinct from conditional access policies you might create to help manage
MTD.
By default, don't interact with other conditional access policies you use for
evaluation.

To view classic conditional access policies, in Azure, go to Azure Active Directory >
Conditional Access > Classic policies.

Note

With the 2308 release of Intune, a classic Conditional Access (CA) policy is no
longer created for the Microsoft Defender for Endpoint connector. If your tenant
has one previously created due to an integration with Microsoft Defender for
Endpoint, it can be deleted. Classic CA policies continue to be needed for
third-party MTD partners.

To enable the Mobile Threat Defense connector


1. Sign in to the Microsoft Intune admin center .

2. Select Tenant administration > Connectors and tokens > Mobile Threat Defense.
To set up an integration with a third-party Mobile Threat Defense vendor, you
must be an Azure Global administrator or be assigned the Endpoint Security
Manager built-in admin role for Intune. You may also use a custom role that
includes the Mobile Threat Defense permission in Intune.

3. On the Mobile Threat Defense pane, select Add.

4. For Mobile Threat Defense connector to setup, select your MTD solution from the
drop-down list.

5. Enable the toggle options according to your organization's requirements. Toggle
options visible will vary depending on the MTD partner. For example, the following
image shows the options that are available for Symantec Endpoint Protection:

Mobile Threat Defense toggle options

Note

Ensure your tenant's MDM Authority is set to Intune (and not SCCM) to see the full
list of toggle options.

You can decide which MTD toggle options you need to enable according to your
organization's requirements. Not all of the following options are supported by all
Mobile Threat Defense partners:

Compliance policy evaluation

Connect Android devices version <supported versions> and above to <MTD
partner name>: When you enable this option, compliance policies using the
Device Threat Level rule for Android devices (on supported OS versions) will
evaluate devices including data from this connector.

Connect iOS/iPadOS devices version <supported versions> and above to <MTD
partner name>: When you enable this option, compliance policies using the
Device Threat Level rule for iOS/iPadOS devices (on supported OS versions) will
evaluate devices including data from this connector.

Enable App Sync for iOS Devices: Allows this Mobile Threat Defense partner to
request metadata of iOS applications from Intune to use for threat analysis
purposes. The iOS device must be MDM-enrolled, and it provides updated app data
during device check-in. You can find standard Intune policy check-in frequencies
in the Refresh cycle times.

Note

App Sync data is sent to Mobile Threat Defense partners at an interval based
on device check-in, and should not be confused with the refresh interval for
the Discovered Apps report.

Send full application inventory data on personally-owned iOS/iPadOS Devices:
This setting controls the application inventory data that Intune shares with this
Mobile Threat Defense partner when the partner syncs app data and requests the
app inventory list.

Choose from the following options:


On - Allows this Mobile Threat Defense partner to request a list of iOS/iPadOS
applications from Intune for personally-owned iOS/iPadOS devices. This list
includes unmanaged apps (apps not deployed through Intune) and the apps
that were deployed through Intune.
Off - Data about unmanaged apps isn't provided to the partner. Intune does
share data for the apps that are deployed through Intune.

This setting has no effect for corporate devices. For corporate devices, Intune
sends data about both managed and unmanaged apps when requested by this
MTD vendor.

Block unsupported OS versions: Block if the device is running an operating system
version lower than the minimum supported version. The minimum supported version
is documented by the Mobile Threat Defense vendor.

App protection policy evaluation

Connect Android devices of version <supported versions> to <MTD partner
name> for app protection policy evaluation: When you enable this option, app
protection policies using the "Max allowed threat level" rule will evaluate devices
including data from this connector.

Connect iOS devices version <supported versions> to <MTD partner name> for
app protection policy evaluation: When you enable this option, app protection
policies using the "Max allowed threat level" rule will evaluate devices including
data from this connector.

To learn more about using Mobile Threat Defense connectors for Intune App Protection
Policy evaluation, see Set up Mobile Threat Defense for unenrolled devices.

Common Shared Settings

Number of days until partner is unresponsive: Number of days of inactivity before
Intune considers the partner to be unresponsive because the connection is lost.
Intune ignores compliance state for unresponsive MTD partners.

Important

When possible, we recommend that you add and assign the MTD apps before
creating the device compliance and the Conditional Access policy rules. This helps
ensure that the MTD app is ready and available for end users to install before they
can get access to email or other company resources.

Tip

You can see the Connection status and the Last synchronized time between Intune
and the MTD partner from the Mobile Threat Defense pane.
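The following Python script is an added example, not code from the Intune documentation or from Microsoft. It reads the same connector list that the Mobile Threat Defense pane shows, through the Microsoft Graph resource deviceManagement/mobileThreatDefenseConnectors, and applies the rules described above: for each connector it reports which compliance and app protection platform toggles are on, measures the age of the last heartbeat against that connector's own "Number of days until partner is unresponsive" value, and flags connectors whose compliance state Intune would currently be ignoring. The property names follow the Graph mobileThreatDefenseConnector resource; the bearer token, the DeviceManagementConfiguration.Read.All scope and the sample payload are assumptions made for this example, and the sample payload is constructed rather than taken from a real tenant.

```python
"""Health check for Intune Mobile Threat Defense connectors (added example).

Reads the connectors that Microsoft Graph exposes under
deviceManagement/mobileThreatDefenseConnectors and applies the page's rule:
a connector whose last heartbeat is older than its own unresponsiveness
threshold has its compliance state ignored by Intune.
Assumptions: a bearer token with DeviceManagementConfiguration.Read.All;
SAMPLE_CONNECTORS below is a constructed payload for offline use.
"""
from __future__ import annotations

import json
import urllib.request
from dataclasses import dataclass, field
from datetime import datetime, timezone

GRAPH_MTD_URL = "https://graph.microsoft.com/v1.0/deviceManagement/mobileThreatDefenseConnectors"


def fetch_connectors(token: str) -> list[dict]:
    """Live call to Graph. Not exercised by the offline demo below."""
    req = urllib.request.Request(GRAPH_MTD_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


@dataclass
class ConnectorFinding:
    connector_id: str
    partner_state: str
    days_since_heartbeat: float | None      # None when the partner never reported
    threshold_days: int
    stale: bool                             # True: Intune ignores this partner's compliance state
    compliance_feeds: list[str] = field(default_factory=list)
    app_protection_feeds: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def parse_graph_time(value: str) -> datetime:
    """Graph serialises DateTimeOffset as ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_connector(c: dict, now: datetime) -> ConnectorFinding:
    threshold = int(c.get("partnerUnresponsivenessThresholdInDays") or 0)
    last = c.get("lastHeartbeatDateTime")
    age = (now - parse_graph_time(last)).total_seconds() / 86400 if last else None
    stale = age is None or age > threshold
    f = ConnectorFinding(c["id"], c.get("partnerState", "unknown"), age, threshold, stale)

    # Compliance policy evaluation toggles (Device Threat Level rule).
    for platform, key in (("android", "androidEnabled"), ("ios", "iosEnabled")):
        if c.get(key):
            f.compliance_feeds.append(platform)
    # App protection policy evaluation toggles ("Max allowed threat level" rule).
    for platform, key in (("android", "androidMobileApplicationManagementEnabled"),
                          ("ios", "iosMobileApplicationManagementEnabled")):
        if c.get(key):
            f.app_protection_feeds.append(platform)

    if f.partner_state != "enabled":
        f.warnings.append(f"partnerState is {f.partner_state!r}; finish setup in the partner console")
    if stale:
        f.warnings.append("no heartbeat within the unresponsiveness threshold; Intune ignores "
                          "this partner's compliance state until it reports again")
    if not f.compliance_feeds and not f.app_protection_feeds:
        f.warnings.append("no platform toggle is on; partner data affects no policy")
    return f


def evaluate_connectors(connectors: list[dict], now: datetime | None = None) -> list[ConnectorFinding]:
    now = now or datetime.now(timezone.utc)
    return [evaluate_connector(c, now) for c in connectors]


# Constructed sample payload in the shape of a Graph response; GUIDs are placeholders.
SAMPLE_NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CONNECTORS = [
    {"id": "11111111-1111-1111-1111-111111111111", "partnerState": "enabled",
     "lastHeartbeatDateTime": "2023-06-01T10:00:00Z", "partnerUnresponsivenessThresholdInDays": 7,
     "androidEnabled": True, "iosEnabled": True,
     "androidMobileApplicationManagementEnabled": False, "iosMobileApplicationManagementEnabled": False},
    {"id": "22222222-2222-2222-2222-222222222222", "partnerState": "enabled",
     "lastHeartbeatDateTime": "2023-05-22T12:00:00Z", "partnerUnresponsivenessThresholdInDays": 7,
     "androidEnabled": False, "iosEnabled": False,
     "androidMobileApplicationManagementEnabled": False, "iosMobileApplicationManagementEnabled": True},
    {"id": "33333333-3333-3333-3333-333333333333", "partnerState": "notSetUp",
     "lastHeartbeatDateTime": None, "partnerUnresponsivenessThresholdInDays": 7,
     "androidEnabled": False, "iosEnabled": False},
]

if __name__ == "__main__":
    for f in evaluate_connectors(SAMPLE_CONNECTORS, SAMPLE_NOW):
        age = "never" if f.days_since_heartbeat is None else f"{f.days_since_heartbeat:.1f} d ago"
        print(f"{f.connector_id} state={f.partner_state} heartbeat={age} stale={f.stale} "
              f"compliance={f.compliance_feeds} app_protection={f.app_protection_feeds}")
        for w in f.warnings:
            print("   !", w)
```

To run it against a tenant, replace SAMPLE_CONNECTORS with fetch_connectors(token). A connector reported as stale is one whose compliance state Intune ignores, so the Device Threat Level rule stops reflecting the partner's view of those devices until the heartbeat resumes; treat that warning as an operational alarm rather than a cosmetic one.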

Next steps
Create Mobile Threat Defense (MTD) device compliance policy with Intune.
Better Mobile Threat Defense connector
with Intune
Article • 02/21/2023

You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by Better Mobile, a Mobile Threat Defense (MTD)
solution that integrates with Microsoft Intune. Risk is assessed based on telemetry
collected from devices running the Better Mobile app.

You can configure Conditional Access policies based on Better Mobile risk assessment
enabled through Intune device compliance policies for enrolled devices, which you can
use to allow or block noncompliant devices to access corporate resources based on
detected threats. For unenrolled devices, you can use app protection policies to enforce
a block or selective wipe based on detected threats.

How do Intune and Better Mobile help protect your company resources?
The Better Mobile app is installed and run on mobile devices. This app captures file
system, network stack, device, and application telemetry where available, and then sends
the data to the Better Mobile cloud service to assess the device's risk for mobile threats.

Support for enrolled devices - Intune device compliance policy includes a rule for
Mobile Threat Defense (MTD), which can use risk assessment information from
Better Mobile. When the MTD rule is enabled, Intune evaluates device compliance
with the policy that you enabled. If the device is found noncompliant, users are
blocked access to corporate resources like Exchange Online and SharePoint Online.
Users also receive guidance from the Better Mobile app installed in their devices to
resolve the issue and regain access to corporate resources. To support using Better
Mobile with enrolled devices:
Add MTD apps to devices
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune

Support for unenrolled devices - Intune can use the risk assessment data from the
Better Mobile app on unenrolled devices when you use Intune app protection
policies. Admins can use this combination to help protect corporate data within a
Microsoft Intune protected app. Admins can also issue a block or selective wipe for
corporate data on those unenrolled devices. To support using Better Mobile with
unenrolled devices:
Add the MTD app to unenrolled devices
Create a Mobile Threat Defense app protection policy
Enable the MTD connector in Intune for unenrolled devices

Supported platforms
Android 4.1 and later

iOS 8.0 and later

Prerequisites
Azure Active Directory Premium

Microsoft Intune Plan 1 subscription

Better Mobile Threat Defense subscription


For more information, see the Better Mobile website.

Sample scenarios
Here are some common scenarios.

Control access based on threats from malicious apps


When malicious apps such as malware are detected on devices, you can block devices
from the following actions until the threat is resolved:

Connecting to corporate e-mail

Syncing corporate files with the OneDrive for Work app

Accessing company apps

Block when malicious apps are detected:


Access is granted on remediation:

Control access based on threat to network


Detect threats to your network like Man-in-the-middle attacks, and protect access to
Wi-Fi networks based on the device risk.
Block network access through Wi-Fi:

Access is granted on remediation:

Control access to SharePoint Online based on threat to network
Detect threats to your network like Man-in-the-middle attacks, and prevent
synchronization of corporate files based on the device risk.

Block SharePoint Online when network threats are detected:

Access granted on remediation:


Control access on unenrolled devices based on threats
from malicious apps
When the Better Mobile Threat Defense solution considers a device to be infected:

Access is granted on remediation:


Next steps
Integrate Better Mobile with Intune

Set up Better Mobile apps

Create Better Mobile device compliance policy

Enable Better Mobile MTD connector

Create an MTD app protection policy


Integrate Better Mobile with Intune
Article • 02/21/2023

Complete the following steps to integrate the Better Mobile Threat Defense solution
with Intune.

Before you begin

The following steps are to be completed in the Better Mobile admin console and will
enable a connection to Better Mobile's service for both Intune enrolled devices (using
device compliance) and unenrolled devices (using app protection policies).

Before starting the process of integrating Better Mobile with Intune, make sure you have
the following:

Microsoft Intune Plan 1 subscription

Azure Active Directory admin credentials to grant the following permissions:

Sign in and read user profile

Access the directory as the signed-in user

Read directory data

Send device information to Intune

Admin credentials to access the Better Mobile admin console.

Better Mobile app authorization


The Better Mobile app authorization process follows:

Allow the Better Mobile service to communicate information related to device
health state back to Intune.

Better Mobile syncs with Azure AD Enrollment Group membership to populate its
device database.

Allow the Better Mobile admin console to use Azure AD Single Sign On (SSO).

Allow the Better Mobile app to sign in using Azure AD SSO.


To set up Better Mobile integration
1. Go to the Better Mobile admin console and sign in with your credentials.

2. Choose Integration > EMM/MDM > ADD ACCOUNT.

3. Choose Intune.

4. Next to ACCOUNT NAME, type a descriptor.

5. In the Microsoft Sign in window, enter your Intune credentials.

6. In the Permissions requested window, choose Accept.

7. Search for the Azure AD Security groups that you want Better Mobile to sync
devices from, and select them in the list. Then select Continue.

8. Select Done.

9. The Add account page reappears. Close the page.

Next steps
Set up Better Mobile apps for enrolled devices
Set up Better Mobile apps for unenrolled devices
Use BlackBerry Protect Mobile with
Intune
Article • 02/21/2023

Control mobile device access to corporate resources using Conditional Access based on
risk assessment conducted by BlackBerry Protect Mobile (powered by Cylance AI), a
mobile threat defense (MTD) solution that integrates with Microsoft Intune. Risk is
assessed based on telemetry collected from devices running the BlackBerry Protect
Mobile app.

You can configure Conditional Access policies based on a BlackBerry Protect risk
assessment, enabled through Intune device compliance policies for enrolled devices.
You can set up your policies to allow or block noncompliant devices from accessing
corporate resources based on detected threats.

For more information about how to integrate BlackBerry UES with Microsoft Intune, see
the BlackBerry UES documentation.

Note

This Mobile Threat Defense vendor is not supported for unenrolled devices.

Supported platforms
Android 9.0 and later

iOS 13.0 and later

Prerequisites
Azure Active Directory Premium

Microsoft Intune Plan 1 subscription

BlackBerry UES account with access to UES management console

How do Intune and the BlackBerry MTD connector help protect your company resources?
The BlackBerry Protect Mobile app for Android and iOS/iPadOS captures file system,
network stack, device, and application telemetry where available, then sends the
telemetry data to the Cylance AI Protection cloud service to assess the device's risk for
mobile threats.

Support for enrolled devices - Intune device compliance policy includes a rule for
MTD, which can use risk assessment information from BlackBerry Protect. When
the MTD rule is enabled, Intune evaluates device compliance with the policy that
you enabled. If the device is found noncompliant, users are blocked access to
corporate resources, such as Exchange Online and SharePoint Online. Users also
receive guidance from the BlackBerry Protect app installed on their devices to
resolve the issue and regain access to corporate resources. To support using
BlackBerry Protect with enrolled devices:
Add MTD apps to devices
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune

Sample scenarios
The following scenarios demonstrate the use of BlackBerry Protect Mobile MTD when
integrated with Intune:

Control access based on threats from malicious apps


When malicious apps such as malware are detected on devices, you can block devices
from the following until the threat is resolved:

Connecting to corporate e-mail

Syncing corporate files with the OneDrive for Work app

Accessing company apps

Block when malicious apps are detected:


Access granted on remediation:

Control access based on threat to network


Detect network threats such as man-in-the-middle attacks, and protect access to Wi-Fi
networks based on the device risk.
Block network access through Wi-Fi:

Access granted on remediation:

Control access to SharePoint Online based on threat to network
Detect network threats such as man-in-the-middle attacks, and prevent synchronization
of corporate files based on the device risk.

Block SharePoint Online when network threats are detected:

Access granted on remediation:


Next steps
Integrate BlackBerry Protect Mobile with Intune

Set up BlackBerry Protect Mobile app

Create BlackBerry Protect Mobile device compliance policy

Enable BlackBerry Protect Mobile MTD connector


Connect BlackBerry Protect Mobile MTD
connector in Microsoft Intune
Article • 03/30/2023

Connect the BlackBerry Protect Mobile MTD connector to monitor and mitigate device
risk levels on Intune-managed devices. BlackBerry Protect Mobile (powered by Cylance
AI) works by reporting device risk levels to Microsoft Intune. Intune then uses that
information to enforce the appropriate app configuration and risk assessment policies.
For more information about BlackBerry Protect Mobile, see Key features of BlackBerry
Protect Mobile (opens BlackBerry UES docs).

This article describes the requirements and steps to connect the MTD connector in your
tenant.

Before you begin

The following subscriptions and accounts are required to integrate UES with Microsoft
Intune.

Microsoft Intune Plan 1 subscription

Azure Active Directory (Azure AD) account with Global Administrator rights to
grant the following permissions:

Sign in and read user profile

Access the directory as the signed-in user

Read directory data

Send device information to Intune

Admin sign-in credentials to access the UES management console

App authorization
The following authorization process happens when you connect the BlackBerry Protect
Mobile MTD connector:

Allow BlackBerry UES to communicate information related to device health state
back to Intune. To grant these permissions, you must use Global Administrator
credentials. Granting permissions is a one-time operation. After the permissions
are granted, the Global Administrator credentials aren't needed for day-to-day
operation.

Allow BlackBerry UES to sync Azure AD enrollment group membership to populate
its device database.

Allow BlackBerry UES management console to use Azure AD Single Sign On (SSO).

Allow BlackBerry Protect app to sign in using Azure AD SSO.

For more information about consent and Azure AD applications, see Request the
permissions from a directory admin.

Set up BlackBerry Protect Mobile MTD connector
1. Sign in to the Microsoft Intune admin center with an Intune administrator
account.
2. Go to All services > Tenant administration.
3. Select Connectors and tokens.
4. Under Cross platform, select Mobile Threat Defense.
5. Select Add.
6. For Select the Mobile Threat Defense connector to setup, choose BlackBerry
Protect Mobile.
7. Select Open the BlackBerry Protect Mobile admin console. Keep the Microsoft
Intune admin center tab open for later.
8. Sign in with your Azure AD account, and then follow the instructions in Integrating
UES with Intune to respond to mobile threats (opens BlackBerry UES docs) to
complete setup.
9. After you finish setup in the UES management console, return to your tab in the
Microsoft Intune admin center.
10. Under MDM Compliance Policy Settings, turn on the following settings:

Connect Android devices to BlackBerry Protect Mobile
Connect iOS devices to BlackBerry Protect Mobile

These settings allow BlackBerry Protect Mobile to evaluate the devices in your
organization.

11. Select Create to save your connector configurations.

Next steps
Set up BlackBerry Protect app for enrolled devices
Check Point Harmony Mobile Threat
Defense connector with Intune
Article • 03/15/2023

You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by Check Point Harmony Mobile, a mobile threat
defense solution that integrates with Microsoft Intune. Risk is assessed based on
telemetry collected from devices running the Harmony Mobile Protect app.

You can configure Conditional Access policies based on Check Point Harmony Mobile
risk assessment enabled through Intune device compliance policies, which you can use
to allow or block noncompliant devices to access corporate resources based on
detected threats.

Supported platforms
Android 8 and later

iOS 12 and later

Prerequisites
Azure Active Directory Premium

Microsoft Intune Plan 1 subscription

Check Point Harmony Mobile Threat Defense subscription


See the Check Point Harmony website.

How do Intune and Check Point Harmony Mobile help protect your company resources?
Check Point Harmony Mobile app for Android and iOS/iPadOS captures file system,
network stack, device and application telemetry where available, then sends the
telemetry data to the Check Point Harmony cloud service to assess the device's risk for
mobile threats.

The Intune device compliance policy includes a rule for Check Point Harmony Mobile
Threat Defense, which is based on the Check Point Harmony risk assessment. When this
rule is enabled, Intune evaluates device compliance with the policy that you enabled. If
the device is found noncompliant, users are blocked access to corporate resources like
Exchange Online and SharePoint Online. Users also receive guidance from the Harmony
Mobile Protect app installed in their devices to resolve the issue and regain access to
corporate resources.

Here are some common scenarios:

Control access based on threats from malicious apps


When malicious apps such as malware are detected on devices, you can block devices
from the following until the threat is resolved:

Connecting to corporate e-mail

Syncing corporate files with the OneDrive for Work app

Accessing company apps

Block when malicious apps are detected:

Access granted on remediation:


Control access based on threat to network
Detect network threats such as man-in-the-middle attacks, and protect access to Wi-Fi
networks based on the device risk.

Block network access through Wi-Fi:


Access granted on remediation:

Control access to SharePoint Online based on threat to network
Detect network threats such as man-in-the-middle attacks, and prevent synchronization
of corporate files based on the device risk.

Block SharePoint Online when network threats are detected:


Access granted on remediation:

Control access on unenrolled devices based on threats


from malicious apps
When the Check Point Harmony Mobile Threat Defense solution considers a device to
be infected:

Access is granted on remediation:

Next steps
Integrate Check Point Harmony Mobile with Intune

Set up Harmony Mobile Protect app

Create Check Point Harmony Mobile device compliance policy

Enable Check Point Harmony Mobile MTD connector


Integrate Check Point Harmony Mobile
with Intune
Article • 02/21/2023

Complete the following steps to integrate the Check Point Harmony Mobile Threat
Defense solution with Intune.

Note

This Mobile Threat Defense vendor is not supported for unenrolled devices.

Before you begin

The instructions in this article are done in the Check Point Harmony Mobile console.

Before starting the process of integrating Check Point Harmony Mobile with Intune,
make sure you have the following:

Microsoft Intune Plan 1 subscription

Azure Active Directory admin credentials to grant the following permissions:

Sign in and read user profile

Access the directory as the signed-in user

Read directory data

Send device information to Intune

Admin credentials to access Check Point Harmony Mobile MTD console.

Harmony Mobile Protect app authorization

The Harmony Mobile Protect app authorization process consists of the following steps:

Allow the Check Point Harmony Mobile service to communicate information
related to device health state back to Intune.

Check Point Harmony Mobile syncs with Azure AD Enrollment Group membership
to populate its device database.

Allow the Check Point Harmony admin console to use Azure AD Single Sign On (SSO).

Allow the Harmony Mobile Protect app to sign in using Azure AD SSO.

To set up Check Point Harmony Mobile integration
1. Go to the Check Point Harmony Mobile MTD console and sign in with your
credentials.

2. Select the Settings tab.

3. Choose Device management, then Settings.

4. Choose Microsoft Intune from the MDM Service drop-down list.

5. After you set Microsoft Intune as the MDM Service, the Microsoft Intune
Configuration window opens. Choose Add to my organization for each device
platform (iOS/iPadOS, Android, and Windows) to authorize Harmony Mobile
Protect to communicate with Intune and Azure AD.

Important

You must add all device platforms to proceed to the next step.

6. Choose Accept to authorize the Harmony Mobile Protect app to communicate
with Intune and Azure Active Directory.

7. After you have enabled all device platforms, enter the Azure AD security
group.

8. Choose Verify. After the Azure AD security group is successfully verified, choose
Save.

Next steps
Set up Harmony Mobile Protect apps
Lookout Mobile Endpoint Security
connector with Intune
Article • 02/21/2023

You can control mobile device access to corporate resources based on risk assessment
conducted by Lookout, a Mobile Threat Defense solution integrated with Microsoft
Intune. Risk is assessed based on telemetry collected from devices by the Lookout
service including:

Operating system vulnerabilities
Malicious apps installed
Malicious network profiles

You can configure Conditional Access policies based on Lookout's risk assessment
enabled through Intune compliance policies for enrolled devices, which you can use to
allow or block noncompliant devices to access corporate resources based on detected
threats. For unenrolled devices, you can use app protection policies to enforce a block
or selective wipe based on detected threats.

How do Intune and Lookout Mobile Endpoint Security help protect company resources?
Lookout's mobile app, Lookout for work, is installed and run on mobile devices. This
app captures file system, network stack, and device and application telemetry where
available, then sends it to the Lookout cloud service to assess the device's risk for
mobile threats. You can change risk level classifications for threats in the Lookout
console to suit your requirements.

Support for enrolled devices - Intune device compliance policy includes a rule for
Mobile Threat Defense (MTD), which can use risk assessment information from
Lookout for work. When the MTD rule is enabled, Intune evaluates device
compliance with the policy that you enabled. If the device is found noncompliant,
users are blocked access to corporate resources like Exchange Online and
SharePoint Online. Users also receive guidance from the Lookout for work app
installed in their devices to resolve the issue and regain access to corporate
resources. To support using Lookout for work with enrolled devices:
Add MTD apps to devices
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune
Support for unenrolled devices - Intune can use the risk assessment data from the
Lookout for work app on unenrolled devices when you use Intune app protection
policies. Admins can use this combination to help protect corporate data within a
Microsoft Intune protected app. Admins can also issue a block or selective wipe for
corporate data on those unenrolled devices. To support using Lookout for work
with unenrolled devices:
Add the MTD app to unenrolled devices
Create a Mobile Threat Defense app protection policy
Enable the MTD connector in Intune for unenrolled devices

Supported platforms
The following platforms are supported for Lookout when enrolled in Intune:

Android 5.0 and later
iOS 12 and later

For additional information about platform and language support, visit the Lookout
website.

Prerequisites
Lookout Mobile Endpoint Security enterprise subscription
Microsoft Intune Plan 1 subscription
Azure Active Directory Premium
Enterprise Mobility and Security (EMS) E3 or E5, with licenses assigned to users.

For more information, see Lookout Mobile Endpoint Security.

Sample scenarios
Here are the common scenarios when using Mobile Endpoint Security with Intune.

Control access based on threats from malicious apps


When malicious apps such as malware are detected on devices, you can block devices
from the following until the threat is resolved:

Connecting to corporate e-mail
Syncing corporate files with the OneDrive for Work app
Accessing company apps

Block when malicious apps are detected:

Access granted on remediation:

Control access based on threat to network

Detect threats to your network such as man-in-the-middle attacks, and protect access to
Wi-Fi networks based on the device risk.

Block network access through WiFi:

Access granted on remediation:


Control access to SharePoint Online based on threat to
network
Detect threats to your network such as Man-in-the-middle attacks, and prevent
synchronization of corporate files based on the device risk.

Block SharePoint Online when network threats are detected:

Access granted on remediation:


Control access on unenrolled devices based on threats
from malicious apps
When the Lookout Mobile Threat Defense solution considers a device to be infected:

Access is granted on remediation:


Next steps
Here are the main steps you must do to implement this solution:

Set up your Lookout integration
Enable Mobile Endpoint Security in Intune
Add and assign the Lookout for Work app
Configure Lookout device compliance policy
Create an MTD app protection policy
Set up Lookout Mobile Endpoint
Security integration with Intune
Article • 02/21/2023

With an environment that meets the prerequisites, you can integrate Lookout Mobile
Endpoint Security with Intune. The information in this article will guide you in setting up
integration and configuring important settings in Lookout for use with Intune.

Important

An existing Lookout Mobile Endpoint Security tenant that is not already associated
with your Azure AD tenant cannot be used for the integration with Azure AD and
Intune. Contact Lookout support to create a new Lookout Mobile Endpoint Security
tenant. Use the new tenant to onboard your Azure AD users.

Collect Azure AD information

To integrate Lookout with Intune, you associate your Lookout Mobile Endpoint
Security tenant with your Azure Active Directory (AD) subscription.

To enable your Lookout Mobile Endpoint Security subscription integration with Intune,
you provide the following information to Lookout support
(enterprisesupport@lookout.com):

Azure AD tenant Directory ID

Azure AD group Object ID for the group with full Lookout Mobile Endpoint
Security (MES) Console access.
You create this user group in Azure AD to contain the users that have full access to
sign in to the Lookout console. Users must be members of this group, or the
optional restricted access group, to sign in to the Lookout Console.

Azure AD group Object ID for the group with restricted Lookout MES Console
access (optional group).
You create this optional user group in Azure AD to contain users that shouldn't have
access to several configuration and enrollment-related modules of the Lookout
console. Instead, these users have read-only access to the Security Policy module
of the Lookout console. Users must be members of this optional group, or the
required full access group, to sign in to the Lookout Console.

Tip

For more details on the permissions, read this article on the Lookout website.

Collect information from Azure AD

1. Sign in to the Azure portal with a Global Administrator account.

2. Go to Azure Active Directory > Properties and locate your Directory ID. Use the
Copy button to copy the Directory ID, and then save it in a text file.

3. Next, find the Azure AD Group ID for the groups you use to grant Azure AD users
access to the Lookout Console. One group is for full access, and the second group,
for restricted access, is optional. To get the Object ID for each group:

a. Go to Azure Active Directory > Groups to open the Groups - All groups pane.

b. Select the group you created for full access to open its Overview pane.

c. Use the Copy button to copy the Object ID, and then save it in a text file.

d. Repeat the process for the restricted access group if you use that group.

After you gather this information, contact Lookout support (email:
enterprisesupport@lookout.com). Lookout Support will work with your primary
contact to onboard your subscription and create your Lookout Enterprise account,
using the information that you provide.
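The same values can be collected from Microsoft Graph instead of copied out of the portal. The following Python script is an added example, not Microsoft's or Lookout's code: it reads the tenant (Directory) ID from the organization resource and resolves each group name to its object ID through the groups resource, and it refuses to hand over a value unless the name resolves to exactly one security-enabled group, because the Lookout connector steps later on this page ask for Azure AD security groups. The bearer token and the Directory.Read.All scope (or Organization.Read.All plus Group.Read.All) are assumptions; the group names and the FAKE_RESPONSES stand-in for Graph are constructed so that the script runs offline.

```python
"""Collect the Azure AD identifiers Lookout support asks for (added example).

Reads the tenant ID and the object IDs of the full-access and optional
restricted-access groups from Microsoft Graph, checking that each name maps to
exactly one security-enabled group before the values are handed over.
Assumptions: a bearer token with Directory.Read.All; the group names and the
FAKE_RESPONSES payloads are constructed, not a real tenant.
"""
from __future__ import annotations

import json
import re
import urllib.parse
import urllib.request
from typing import Callable

GRAPH = "https://graph.microsoft.com/v1.0"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def graph_getter(token: str) -> Callable[[str], dict]:
    """Return a function that GETs a Graph URL with the given bearer token."""
    def get(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get


def lookup_security_group_id(get: Callable[[str], dict], display_name: str) -> str:
    """Resolve a group display name to its object ID; fail unless it is unique and security-enabled."""
    literal = display_name.replace("'", "''")          # OData escapes ' by doubling it
    query = urllib.parse.urlencode({
        "$filter": f"displayName eq '{literal}'",
        "$select": "id,displayName,securityEnabled,mailEnabled",
    }, quote_via=urllib.parse.quote)
    matches = get(f"{GRAPH}/groups?{query}").get("value", [])
    if len(matches) != 1:
        raise LookupError(f"expected exactly one group named {display_name!r}, found {len(matches)}")
    group = matches[0]
    if not group.get("securityEnabled") or group.get("mailEnabled"):
        raise ValueError(f"{display_name!r} is not a security group; Lookout expects a security group")
    return group["id"]


def collect_lookout_onboarding_info(get: Callable[[str], dict], full_access_group: str,
                                    restricted_access_group: str | None = None) -> dict:
    """Build the hand-off record (Directory ID plus group object IDs) for Lookout support."""
    orgs = get(f"{GRAPH}/organization").get("value", [])
    if len(orgs) != 1:
        raise LookupError("token is not scoped to exactly one tenant")
    info = {
        "directory_id": orgs[0]["id"],
        "full_access_group_object_id": lookup_security_group_id(get, full_access_group),
        "restricted_access_group_object_id": (
            lookup_security_group_id(get, restricted_access_group)
            if restricted_access_group else None),
    }
    for key, value in info.items():                    # never hand over a non-GUID value
        if value is not None and not GUID_RE.match(value):
            raise ValueError(f"{key} is not a GUID: {value!r}")
    return info


# Constructed offline stand-in for Graph; the GUIDs are placeholders.
FAKE_RESPONSES = {
    "/organization": {"value": [{"id": "0f0f0f0f-0000-4000-8000-000000000001"}]},
    "Lookout%20MES%20Full%20Access": {"value": [
        {"id": "0f0f0f0f-0000-4000-8000-000000000002", "displayName": "Lookout MES Full Access",
         "securityEnabled": True, "mailEnabled": False}]},
    "Lookout%20MES%20Restricted%20Access": {"value": [
        {"id": "0f0f0f0f-0000-4000-8000-000000000003", "displayName": "Lookout MES Restricted Access",
         "securityEnabled": True, "mailEnabled": False}]},
    "All%20Staff%20DL": {"value": [
        {"id": "0f0f0f0f-0000-4000-8000-000000000004", "displayName": "All Staff DL",
         "securityEnabled": False, "mailEnabled": True}]},
}


def fake_graph_get(url: str) -> dict:
    """Offline replacement for graph_getter(token); matches on the encoded group name."""
    for needle, payload in FAKE_RESPONSES.items():
        if needle in url:
            return payload
    return {"value": []}


if __name__ == "__main__":
    info = collect_lookout_onboarding_info(fake_graph_get, "Lookout MES Full Access",
                                           "Lookout MES Restricted Access")
    print(json.dumps(info, indent=2))
```

Against a real tenant, pass graph_getter(token) in place of fake_graph_get. The uniqueness check matters because group display names are not unique in Azure AD; two groups with the same name would otherwise leave you guessing which object ID Lookout support should receive.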

Configure your Lookout subscription

The following steps are to be completed in the Lookout Enterprise admin console and
will enable a connection to Lookout's service for Intune enrolled devices (via device
compliance) and unenrolled devices (via app protection policies).

After Lookout support creates your Lookout Enterprise account, Lookout support sends
an email to the primary contact for your company with a link to the sign-in URL:
https://aad.lookout.com/les?action=consent

Initial sign-in
The first sign-in to the Lookout MES Console displays a consent page
(https://aad.lookout.com/les?action=consent). An Azure AD Global Administrator must
sign in and choose Accept to complete the registration. Subsequent sign-ins don't
require the user to have this level of Azure AD privilege.

When you accept and consent, you're redirected to the Lookout Console.

After the initial sign-in and consent is complete, users that sign in from
https://aad.lookout.com are redirected to the MES Console. If consent wasn't yet
granted, all sign-in attempts result in a Bad Login Error.

Configure the Intune Connector

The following procedure assumes you've previously created a user group in Azure AD
for testing your Lookout deployment. The best practice is to start with a small group of
users to allow your Lookout and Intune admins to become familiar with the product
integrations. After they're familiar, you can extend the enrollment to additional groups
of users.

1. Sign in to the Lookout MES Console and go to System > Connectors, and then
select Add Connector. Select Intune.
2. On the Microsoft Intune pane, select Connection Settings and specify the
Heartbeat Frequency in minutes.

3. Select Enrollment Management, and for Use the following Azure AD security
groups to identify devices that should be enrolled in Lookout for Work, specify
the Group name of an Azure AD group to use with Lookout, and then select Save
changes.

About the groups you use:

As a best practice, start with an Azure AD security group that contains a small
number of users to test Lookout integration.
The Group name is case-sensitive as shown in the Properties of the security
group in the Azure portal.
The groups you specify for Enrollment Management define the set of users
whose devices will be enrolled with Lookout. When a user is in an enrollment
group, their devices in Azure AD are enrolled and eligible for activation in
Lookout MES. The first time a user opens the Lookout for Work application on
a supported device, they're prompted to activate it.

4. Select State Sync and ensure both device status and threat status are set to On.
Both are required for the Lookout Intune integration to work correctly.

5. Select Error Management, specify the email address that should receive the error
reports, and then select Save changes.

6. Select Create connector to complete configuration of the connector. Later, when
you're satisfied with your results, you can extend enrollment to additional user
groups.

Configure Intune to use Lookout as a Mobile Threat Defense provider
After you configure Lookout MES, you must set up a connection to Lookout in Intune.

Additional settings in the Lookout MES Console

The following are additional settings you can configure in the Lookout MES Console.

Configure Enrollment settings

In the Lookout MES Console, select System > Manage Enrollment > Enrollment
settings.

For Disconnected Status, specify the number of days before an unconnected
device is marked as disconnected.

Disconnected devices are considered noncompliant and will be blocked from
accessing your company applications based on the Intune Conditional Access
policies. You can specify values between 1 and 90 days.

Configure Email Notifications
To receive email alerts for threats, sign in to the Lookout MES Console with the user
account that should receive notifications.

Go to Preferences and then set the notifications you want to receive to ON, and
then Save the changes.

If you no longer want to receive email notifications, set the notifications to OFF
and save your changes.
Configure threat classifications
Lookout Mobile Endpoint Security classifies mobile threats of various types. The Lookout
threat classifications have default risk levels associated with them. The risk levels can be
changed at any time to suit your company requirements.

For information about the threat level classifications, and how to manage the risk levels
associated with them, see the Lookout Threat Reference.

Important

Risk levels are an important aspect of Mobile Endpoint Security because the Intune
integration calculates device compliance according to these risk levels at runtime.

The Intune administrator sets a rule in policy to identify a device as noncompliant if
the device has an active threat with a minimum level of High, Medium, or Low. The
threat classification policy in Lookout Mobile Endpoint Security directly drives the
device compliance calculation in Intune.
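The following Python model is added here for illustration; it is not Lookout's or Intune's own code. It shows how the two settings described above combine when compliance is evaluated: the Disconnected Status window (1 to 90 days) and the threat level threshold in the Intune compliance policy. It assumes the policy threshold is expressed as the maximum device threat level that still counts as compliant (Secured, Low, Medium or High), so a rule that flags "an active threat with a minimum level of Low" corresponds to a maximum allowed level of Secured. The device reports, timestamps and window length are constructed sample data, and the app protection branch (block or wipe for unenrolled devices) is the same comparison applied under an app protection policy rather than a compliance policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class ThreatLevel(IntEnum):
    """Ordered so that 'at or under a level' is a plain integer comparison."""
    SECURED = 0   # no active threat reported by the MTD partner
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class DeviceReport:
    """What the MTD partner holds for one Azure AD device (constructed data)."""
    device_id: str
    active_threats: tuple        # one ThreatLevel per open threat; may be empty
    last_connected: datetime     # last check-in of the partner app on the device


@dataclass(frozen=True)
class PartnerSettings:
    """The Lookout 'Disconnected Status' window; the console accepts 1-90 days."""
    disconnected_after_days: int

    def __post_init__(self):
        if not 1 <= self.disconnected_after_days <= 90:
            raise ValueError("Disconnected Status must be between 1 and 90 days")


def device_threat_level(report: DeviceReport) -> ThreatLevel:
    """A device is as risky as its worst open threat; no threats means Secured."""
    return max(report.active_threats, default=ThreatLevel.SECURED)


def is_disconnected(report: DeviceReport, settings: PartnerSettings,
                    now: datetime) -> bool:
    """True once the partner app has been silent longer than the configured window."""
    return now - report.last_connected > timedelta(days=settings.disconnected_after_days)


def compliance_decision(report: DeviceReport, settings: PartnerSettings,
                        max_allowed: ThreatLevel, now: datetime):
    """Enrolled-device path: the compliance rule 'device threat level at or under
    max_allowed'. A disconnected device is noncompliant regardless of threats.
    Returns (compliant, reason)."""
    if is_disconnected(report, settings, now):
        return False, "disconnected"
    level = device_threat_level(report)
    if level > max_allowed:
        return False, f"threat level {level.name} exceeds {max_allowed.name}"
    return True, "compliant"


def app_protection_action(report: DeviceReport, max_allowed: ThreatLevel,
                          on_breach: str = "block") -> str:
    """Unenrolled-device path: an app protection policy applies the same threshold
    and reacts with 'block' (deny access) or 'wipe' (remove corporate data)."""
    if on_breach not in ("block", "wipe"):
        raise ValueError("on_breach must be 'block' or 'wipe'")
    return on_breach if device_threat_level(report) > max_allowed else "allow"


def evaluate_fleet(reports, settings: PartnerSettings, max_allowed: ThreatLevel,
                   now: datetime) -> dict:
    """Run the compliance rule over every device the partner synced from Azure AD."""
    return {r.device_id: compliance_decision(r, settings, max_allowed, now)
            for r in reports}


# Constructed sample data: four devices as a partner console might list them.
NOW = datetime(2023, 2, 21, 12, 0, tzinfo=timezone.utc)
SETTINGS = PartnerSettings(disconnected_after_days=30)
SAMPLE_REPORTS = (
    DeviceReport("ios-clean", (), NOW - timedelta(hours=2)),
    DeviceReport("android-sideload", (ThreatLevel.LOW,), NOW - timedelta(days=1)),
    DeviceReport("android-mitm", (ThreatLevel.LOW, ThreatLevel.HIGH),
                 NOW - timedelta(hours=1)),
    DeviceReport("ios-stale", (), NOW - timedelta(days=45)),
)

if __name__ == "__main__":
    for allowed in (ThreatLevel.SECURED, ThreatLevel.MEDIUM):
        print(f"--- max allowed threat level: {allowed.name}")
        for dev, (ok, why) in evaluate_fleet(SAMPLE_REPORTS, SETTINGS, allowed, NOW).items():
            print(f"{dev:18} {'compliant' if ok else 'NONCOMPLIANT':13} {why}")
```

Running the block prints the fleet twice, once with the strictest threshold (any active threat makes the device noncompliant) and once allowing up to Medium. Note that the stale device is noncompliant in both passes even though it reports no threats: that is the Disconnected Status setting at work, and it is why a generous window weakens the control just as much as a lenient threat threshold does.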
Monitor enrollment
After setup is complete, Lookout Mobile Endpoint Security starts to poll Azure AD for
devices that correspond to the specified enrollment groups. You can find information
about enrolled devices by going to Devices in the Lookout MES Console.

Initial status for devices is pending. The device status updates after the Lookout for
Work app is installed, opened, and activated on the device.

For details on how to get the Lookout for Work app deployed to a device, see Add
Lookout for work apps with Intune.

Next steps
Set up Lookout apps for enrolled devices
Set up Lookout apps for unenrolled devices
Use MVISION Mobile with Intune
Article • 02/21/2023

You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by McAfee MVISION Mobile, a Mobile Threat
Defense (MTD) solution that integrates with Microsoft Intune. Risk is assessed based on
telemetry collected from devices running the MVISION Mobile app.

You can configure Conditional Access policies based on MVISION Mobile risk
assessment enabled through Intune device compliance policies for enrolled devices,
which you can use to allow or block noncompliant devices to access corporate resources
based on detected threats. For unenrolled devices, you can use app protection policies
to enforce a block or selective wipe based on detected threats.

Supported platforms
Android 5.1 and later

iOS 10 and later

Prerequisites
Azure Active Directory Premium

Microsoft Intune Plan 1 subscription

MVISION Mobile subscription

For more information, see the documentation for McAfee MVISION Mobile.

How do Intune and MVISION help protect your company resources?
The MVISION Mobile app for Android and iOS/iPadOS captures file system, network
stack, device, and application telemetry where available, then sends the telemetry data
to the MVISION Mobile cloud service to assess the device's risk for mobile threats.

Support for enrolled devices - Intune device compliance policy includes a rule for
Mobile Threat Defense (MTD), which can use risk assessment information from
MVISION Mobile. When the MTD rule is enabled, Intune evaluates device
compliance with the policy that you enabled. If the device is found noncompliant,
users are blocked access to corporate resources like Exchange Online and
SharePoint Online. Users also receive guidance from the MVISION Mobile app
installed in their devices to resolve the issue and regain access to corporate
resources. To support using MVISION Mobile with enrolled devices:
Add MTD apps to devices
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune

Support for unenrolled devices - Intune can use the risk assessment data from the
MVISION Mobile app on unenrolled devices when you use Intune app protection
policies. Admins can use this combination to help protect corporate data within a
Microsoft Intune protected app, and can also issue a block or selective wipe of
corporate data on those unenrolled devices. To support using MVISION Mobile
with unenrolled devices:
Add the MTD app to unenrolled devices
Create a Mobile Threat Defense app protection policy
Enable the MTD connector in Intune for unenrolled devices

Sample scenarios
The following scenarios show how integrating MVISION Mobile with Intune can be used:

Control access based on threats from malicious apps

When malicious apps such as malware are detected on devices, you can block devices
from the following actions until the threat is resolved:

Connecting to corporate e-mail

Syncing corporate files with the OneDrive for Work app

Accessing company apps

Block when malicious apps are detected:


Access granted on remediation:

Control access based on threat to network

Detect network threats such as man-in-the-middle attacks, and protect access to Wi-Fi
networks based on the device risk.
Block network access through Wi-Fi:

Access granted on remediation:

Control access to SharePoint Online based on threat to network

Detect network threats such as man-in-the-middle attacks, and prevent synchronization
of corporate files based on the device risk.

Block SharePoint Online when network threats are detected:

Access granted on remediation:


Control access on unenrolled devices based on threats
from malicious apps
When the MVISION Mobile mobile threat defense solution considers a device to be
infected:

Access is granted on remediation:


Next steps
Integrate MVISION Mobile with Intune

Set up MVISION Mobile apps

Create MVISION Mobile device compliance policy

Enable MVISION Mobile MTD connector

Create an MTD app protection policy


Integrate MVISION Mobile with Intune
Article • 02/21/2023

Complete the following steps to integrate the MVISION Mobile mobile threat defense
solution with Intune.

Before you begin

The following steps are done in the MVISION Mobile console and will enable a
connection to MVISION Mobile's service for Intune enrolled devices (using device
compliance) and unenrolled devices (using app protection policies).

Before starting the process of integrating MVISION Mobile with Intune, make sure you
have the following subscription and credentials:

Microsoft Intune Plan 1 subscription

Azure Active Directory Global Administrator admin credentials to grant the
following permissions:

Sign in and read user profile

Access the directory as the signed-in user

Read directory data

Send device information to Intune

Admin credentials to access the MVISION Mobile console.

MVISION Mobile app authorization

The MVISION Mobile app authorization process follows:

Grant the MVISION Mobile service permissions to communicate information
related to device health state back to Intune. To grant these permissions, you must
use Global Administrator credentials. Granting permissions is a one-time
operation. After the permissions are granted, the Global Administrator credentials
aren't needed for day to day operation.

MVISION Mobile syncs with Azure Active Directory (AD) Enrollment Group
membership to populate its device's database.
Allow MVISION Mobile admin console to use Azure AD Single Sign On (SSO).

Allow the MVISION Mobile app to sign in using Azure AD SSO.

For more information about consent and Azure Active Directory applications, see
Request the permissions from a directory admin in the Azure Active Directory article
Permissions and consent in the Azure Active Directory v2.0 endpoint.

To set up MVISION Mobile integration

The actual console name, link, and following step details are pending.

1. Go to MVISION Mobile console and sign in with your credentials. To perform the
MVISION Mobile integration setup process, you must sign in with an Azure Active
Directory user who has the Global Administrator role. This one-time setup
operation uses the Global Administrator rights to grant permission in your
organization for the MVISION Mobile apps to communicate with Intune.

2. Choose Management from the left menu.

3. Choose the MDM settings tab.

4. Choose Add MDM, then select Microsoft Intune from the MDM provider list.

5. After you set Microsoft Intune as the MDM service, the Microsoft Intune
Configuration window opens. Choose Add Azure Active Directory for each option
(MVISION Mobile console, MVISION Mobile iOS app, and MVISION Mobile Android app)
to authorize MVISION Mobile to communicate with Intune and Azure AD through
Azure AD Single Sign-On.

Important

You must add the console, and the MVISION Mobile iOS and Android apps to
complete the integration process with Intune.

6. Choose Accept to authorize the MVISION Mobile app to communicate with Intune
and Azure Active Directory.

7. After you add the console and MVISION Mobile iOS and Android apps to Azure
AD, add the Azure AD security groups. This addition allows MVISION Mobile to
synchronize the Azure AD security group with its service.
8. Choose Finish to save the configuration and start the first Azure AD security group
synchronization.

9. Sign out of the MVISION Mobile MTD console.

Next steps
Set up MVISION Mobile apps for enrolled devices
Set up MVISION Mobile apps for unenrolled devices
Pradeo Mobile Threat Defense
connector with Intune
Article • 02/21/2023

You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by Pradeo, a Mobile Threat Defense (MTD) solution
that integrates with Microsoft Intune. Risk is assessed based on telemetry collected from
devices running the Pradeo app.

You can configure Conditional Access policies based on Pradeo risk assessment enabled
through Intune device compliance policies, which you can use to allow or block
noncompliant devices to access corporate resources based on detected threats.

Note

This Mobile Threat Defense vendor is not supported for unenrolled devices.

Supported platforms
Android 5.1 and later

iOS 12.1 and later

Prerequisites
Azure Active Directory Premium

Microsoft Intune Plan 1 subscription

Pradeo Security for Mobile Threat Defense subscription


For more information, see the Pradeo website.

How do Intune and Pradeo help protect your company resources?
Pradeo app for Android and iOS/iPadOS captures file system, network stack, device, and
application telemetry where available, and then sends the telemetry data to the Pradeo
cloud service to assess the device's risk for mobile threats.
The Intune device compliance policy includes a rule for Pradeo Mobile Threat Defense,
which is based on the Pradeo risk assessment. When this rule is enabled, Intune
evaluates device compliance with the policy that you enabled. If the device is found
noncompliant, users are blocked access to corporate resources like Exchange Online and
SharePoint Online. Users also receive guidance from the Pradeo app installed in their
devices to resolve the issue and regain access to corporate resources.

Sample scenarios
Here are some common scenarios.

Control access based on threats from malicious apps


When malicious apps such as malware are detected on devices, you can block devices
from the following actions until the threat is resolved:

Connecting to corporate e-mail

Syncing corporate files with the OneDrive for Work app

Accessing company apps

Block when malicious apps are detected:

Access granted on remediation:


Control access based on threat to network
Detect threats to your network like Man-in-the-middle attacks, and protect access to
Wi-Fi networks based on the device risk.

Block network access through Wi-Fi:


Access granted on remediation:

Control access to SharePoint Online based on threat to network
Detect threats to your network like Man-in-the-middle attacks, and prevent
synchronization of corporate files based on the device risk.

Block SharePoint Online when network threats are detected:


Access granted on remediation:

Next steps
Integrate Pradeo with Intune

Set up Pradeo apps


Create Pradeo device compliance policy

Enable Pradeo MTD connector


Integrate Pradeo Mobile Threat Defense
with Intune
Article • 02/21/2023

Complete the following steps to integrate the Pradeo Mobile Threat Defense solution
with Intune.

Note

This Mobile Threat Defense vendor is not supported for unenrolled devices.

Before you begin

Note

The following steps are to be completed in the Pradeo Security console.

Before starting the process of integrating Pradeo with Intune, make sure you have the
following:

Microsoft Intune Plan 1 subscription

Azure Active Directory admin credentials to grant the following permissions:

Sign in and read user profile

Access the directory as the signed-in user

Read directory data

Send device information to Intune

Admin credentials to access Pradeo Security console.

Pradeo app authorization

The Pradeo app authorization process follows:

Allow the Pradeo service to communicate information related to device health
state back to Intune.
Pradeo syncs with Azure AD Enrollment Group membership to populate its
device's database.

Allow Pradeo admin console to use Azure AD Single Sign On (SSO).

Allow the Pradeo app to sign in using Azure AD SSO.

To set up Pradeo integration


1. Go to Pradeo Security console and sign in with your credentials.

2. Choose Administration - Enterprise Mobility Management from the menu.

3. Choose the Intune logo.

4. In the EMM (Enterprise mobility management) - Intune window, under Step 1,
choose the Pradeo Connector button.

5. In the Microsoft Intune connection window, enter your Intune credentials.

6. The Pradeo web page reopens. Under Step 2, choose the Pradeo Device Health
button.

7. In the Pradeo-Intune Connector window, select Accept.

8. In the Pradeo device API connector window, select Accept.


9. The Pradeo web page reopens. Under Step 3, choose the Connect to Microsoft
button.

10. In the Microsoft Intune authentication window, enter your Intune credentials.

11. When the message Successful Integration appears, integration is complete.

Next steps
Set up Pradeo apps for enrolled devices
SentinelOne Mobile Threat Defense
connector with Intune
Article • 02/21/2023

You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by SentinelOne, a Mobile Threat Defense (MTD)
solution that integrates with Microsoft Intune. Risk is assessed based on telemetry
collected from devices running the SentinelOne app.

You can configure Conditional Access policies based on SentinelOne risk assessment
enabled through Intune device compliance policies for enrolled devices, which you can
use to allow or block noncompliant devices to access corporate resources based on
detected threats. For unenrolled devices, you can use app protection policies to enforce
a block or selective wipe based on detected threats.

Supported platforms
Android 5.0 and later

iOS 10.0 and later

Prerequisites
Azure Active Directory Premium

Microsoft Intune Plan 1 subscription

SentinelOne Mobile Threat Defense subscription


For more information, see the SentinelOne website.

How do Intune and SentinelOne help protect your company resources?
The SentinelOne app for Android and iOS/iPadOS captures file system, network stack,
device, and application telemetry where available, then sends the telemetry data to the
SentinelOne cloud service to assess the device's risk for mobile threats.

Support for enrolled devices - Intune device compliance policy includes a rule for
Mobile Threat Defense (MTD), which can use risk assessment information from
SentinelOne. When the MTD rule is enabled, Intune evaluates device compliance
with the policy that you enabled. If the device is found noncompliant, users are
blocked access to corporate resources like Exchange Online and SharePoint Online.
Users also receive guidance from the SentinelOne app installed in their devices to
resolve the issue and regain access to corporate resources. To support using
SentinelOne with enrolled devices:
Add MTD apps to devices
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune

Support for unenrolled devices - Intune can use the risk assessment data from the
SentinelOne app on unenrolled devices when you use Intune app protection
policies. Admins can use this combination to help protect corporate data within a
Microsoft Intune protected app, and can also issue a block or selective wipe of
corporate data on those unenrolled devices. To support using SentinelOne with
unenrolled devices:
Add the MTD app to unenrolled devices
Create a Mobile Threat Defense app protection policy
Enable the MTD connector in Intune for unenrolled devices

Sample scenarios
The following scenarios show how integrating SentinelOne with Intune can be used:

Control access based on threats from malicious apps

When malicious apps such as malware are detected on devices, you can block devices
from the following actions until the threat is resolved:

Connecting to corporate e-mail

Syncing corporate files with the OneDrive for Work app

Accessing company apps

Block when malicious apps are detected:


Access granted on remediation:

Control access based on threat to network

Detect network threats such as man-in-the-middle attacks, and protect access to Wi-Fi
networks based on the device risk.
Block network access through Wi-Fi:

Access granted on remediation:

Control access to SharePoint Online based on threat to network

Detect network threats such as man-in-the-middle attacks, and prevent synchronization
of corporate files based on the device risk.

Block SharePoint Online when network threats are detected:

Access granted on remediation:


Control access on unenrolled devices based on threats
from malicious apps
When the SentinelOne Mobile Threat Defense solution considers a device to be infected:

Access is granted on remediation:


Next steps
Integrate SentinelOne with Intune

Set up SentinelOne apps

Create SentinelOne device compliance policy

Enable SentinelOne MTD connector

Create an MTD app protection policy


Integrate SentinelOne with Intune
Article • 02/21/2023

Complete the following steps to integrate the SentinelOne Mobile Threat Defense
solution with Intune.

Before you begin

The following steps are done in the SentinelOne Management Console and will
enable a connection to SentinelOne's service for both Intune enrolled devices (using
device compliance) and unenrolled devices (using app protection policies).

Before starting the process of integrating SentinelOne with Intune, make sure you have
the following subscription and credentials:

Microsoft Intune Plan 1 subscription

Azure Active Directory Global Administrator admin credentials to grant the
following permissions:

Sign in and read user profile

Access the directory as the signed-in user

Read directory data

Send device information to Intune

Admin credentials to access the SentinelOne Management Console.

SentinelOne app authorization

The SentinelOne app authorization process follows:

Grant the SentinelOne service permissions to communicate information related to
device health state back to Intune. To grant these permissions, you must use
Global Administrator credentials. Granting permissions is a one-time operation.
After the permissions are granted, the Global Administrator credentials aren't
needed for day to day operation.

SentinelOne syncs with Azure Active Directory (AD) Enrollment Group membership
to populate its device's database.
Allow SentinelOne Management Console to use Azure AD Single Sign On (SSO).

Allow the SentinelOne app to sign in using Azure AD SSO.

For more information about consent and Azure Active Directory applications, see
Request the permissions from a directory admin in the Azure Active Directory article
Permissions and consent in the Azure Active Directory v2.0 endpoint.

To set up SentinelOne integration
1. Go to SentinelOne Management Console and sign in with your credentials. To
perform the SentinelOne integration setup process, you must sign in with an Azure
Active Directory user who has the Global Administrator role. This one-time setup
operation uses the Global Administrator rights to grant permission in your
organization for the SentinelOne apps to communicate with Intune.

2. Choose Management from the left menu.

3. Choose the MDM settings tab.

4. Choose Add MDM, then select Microsoft Intune from the MDM provider list.

5. After you set Microsoft Intune as the MDM service, the Microsoft Intune
Configuration window opens. Choose Add Azure Active Directory for each option
(SentinelOne Management Console, SentinelOne iOS app, and SentinelOne Android
app) to authorize SentinelOne to communicate with Intune and Azure AD through
Azure AD Single Sign-On.

Important

You must add the SentinelOne Management Console and SentinelOne iOS
and Android apps to complete the integration process with Intune.

6. Choose Accept to authorize the SentinelOne app to communicate with Intune and
Azure Active Directory.

7. After you add the SentinelOne Management Console and the SentinelOne iOS
and Android apps to Azure AD, add the Azure AD security groups. This
addition allows SentinelOne to synchronize the Azure AD security group with its
service.

8. Choose Finish to save the configuration and start the first Azure AD security group
synchronization.
9. Sign out of the SentinelOne MTD console.

Next steps
Set up SentinelOne apps for enrolled devices
Set up SentinelOne apps for unenrolled devices
Sophos Mobile Threat Defense
connector with Intune
Article • 02/21/2023

You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by Sophos Mobile, a Mobile Threat Defense (MTD)
solution that integrates with Microsoft Intune. Risk is assessed based on telemetry
collected from devices running the Sophos Mobile app.

You can configure Conditional Access policies based on Sophos Mobile risk assessment
enabled through Intune device compliance policies, which you can use to allow or block
noncompliant devices from accessing corporate resources based on detected threats.

Note

This Mobile Threat Defense vendor is not supported for unenrolled devices.

Supported platforms
Android 7.0 and later
iOS 14.0 and later

Prerequisites
Azure Active Directory Premium
Microsoft Intune Plan 1 subscription
Sophos Mobile Threat Defense subscription

For more information, see the Sophos website.

How do Intune and Sophos Mobile help protect your company resources?
Sophos Mobile app for Android and iOS/iPadOS captures file system, network stack,
device, and application telemetry where available, and then sends the telemetry data to
the Sophos Mobile cloud service to assess the device's risk for mobile threats.
The Intune device compliance policy includes a rule for Sophos Mobile Threat Defense,
which is based on the Sophos Mobile risk assessment. When this rule is enabled, Intune
evaluates device compliance with the policy that you enabled. If the device is found
noncompliant, users are blocked access to corporate resources like Exchange Online and
SharePoint Online. Users also receive guidance from the Sophos Mobile app installed in
their devices to resolve the issue and regain access to corporate resources.

Sample scenarios
Here are some common scenarios.

Control access based on threats from malicious apps


When malicious apps such as malware are detected on devices, you can block devices
from the following actions until the threat is resolved:

Connecting to corporate e-mail


Syncing corporate files with the OneDrive for Work app
Accessing company apps

Block when malicious apps are detected:

Access granted on remediation:


Control access based on threat to network
Detect threats to your network like Man-in-the-middle attacks, and protect access to
Wi-Fi networks based on the device risk.

Block network access through Wi-Fi:

Access granted on remediation:

Control access to SharePoint Online based on threat to


network
Detect threats to your network like Man-in-the-middle attacks, and prevent
synchronization of corporate files based on the device risk.

Block SharePoint Online when network threats are detected:


Access granted on remediation:

Next steps
Integrate Sophos with Intune
Set up Sophos apps
Create Sophos device compliance policy
Enable Sophos MTD connector
Integrate Sophos Mobile with Intune
Article • 02/22/2023

Complete the following steps to integrate the Sophos Mobile Threat Defense solution
with Intune.

Note

This Mobile Threat Defense vendor is not supported for unenrolled devices.

Before you begin

Before starting the process of integrating Sophos Mobile with Intune, make sure you
have the following:

Microsoft Intune Plan 1 subscription


Azure Active Directory admin credentials to grant the following permissions:
Sign in and read user profile
Access the directory as the signed-in user
Read directory data
Send device information to Intune
Admin credentials to access the Sophos Mobile admin console.

Sophos Mobile app authorization

The Sophos Mobile app authorization process follows:

Allow the Sophos Mobile service to communicate information related to device
health state back to Intune.
Sophos Mobile syncs with Azure AD Enrollment Group membership to populate its
device's database.
Allow the Sophos Mobile admin console to use Azure AD Single Sign On (SSO).
Allow the Sophos Mobile app to sign in using Azure AD SSO.

To set up Sophos Mobile integration


1. Sign in to the Microsoft Intune admin center, go to Tenant administration >
Connectors and tokens > Mobile Threat Defense, and select Add.

2. On the Add Connector page, select Sophos from the dropdown, and then select
Create.

3. Select the link Open the Sophos admin console.

4. Sign in to the Sophos admin console with your Sophos credentials.

5. Go to Mobile > Settings > Setup > Sophos setup.

6. On the Sophos setup page, select the Intune MTD tab.

7. Select Bind, and then select Yes. Sophos connects to Intune and requires you to
sign in to your Intune subscription.

8. In the Microsoft Intune authentication window, enter your Intune credentials and
Accept the permissions request for Sophos Mobile Threat Defense.

9. On the Sophos setup page, select Save to complete the configuration for Intune:

10. When the message Successful Integration appears, integration is complete.

11. In the Intune admin center, Sophos is now available.

Next steps
Configure Sophos client apps
Symantec Endpoint Protection Mobile
connector
Article • 02/21/2023

You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by Symantec Endpoint Protection Mobile (SEP
Mobile), a mobile threat defense solution that integrates with Microsoft Intune. Risk is
assessed based on telemetry collected from devices running SEP Mobile, including:

Physical defense

Network defense

Application defense

Vulnerabilities defense

You can enable SEP Mobile risk assessment through Intune device compliance policies,
and then use Conditional Access policies to allow or block noncompliant device access
to corporate resources based on detected threats.

Note

This Mobile Threat Defense vendor is not supported for unenrolled devices.

Supported platforms
Android 5.0 and later

iOS 10 and later

Prerequisites
Azure Active Directory Premium

Microsoft Intune Plan 1 subscription

Symantec Endpoint Protection Mobile subscription

For more information, see the Symantec website.


How do Intune and SEP Mobile help protect
your company resources?
SEP Mobile app for Android or iOS/iPadOS captures file system, network stack, device
and application telemetry where available, then sends it to the Symantec cloud service
to assess the device's risk for mobile threats.

The Intune device compliance policy includes a rule for SEP Mobile, which is based on
the SEP Mobile risk assessment. When this rule is enabled, Intune evaluates device
compliance with the policy that you enabled.

If the device is found noncompliant, access to resources like Exchange Online and
SharePoint Online are blocked. Users on blocked devices receive guidance from the SEP
Mobile app to resolve the issue and regain access to corporate resources.

Intune supports two modes of integration with SEP Mobile:

Basic setup, a read-only mode that gives SEP Mobile visibility into the devices in
Intune without changing their compliance state.

Full integration, which allows SEP Mobile to report device risk and security incident
details to Intune.

Sample scenarios
Here are some common scenarios:

Control access based on threats from malicious apps

When malicious apps such as malware are detected on devices, you can block devices
from the following actions until the threat is resolved:

Connecting to corporate e-mail

Syncing corporate files with the OneDrive for Work app

Accessing company apps

Block when malicious apps are detected:


Access granted on remediation:

Control access based on threat to network

Detect network threats such as man-in-the-middle attacks, and protect access to Wi-Fi
networks based on the device risk.
Block network access through Wi-Fi:

Access granted on remediation:

Control access to SharePoint Online based on threat to network

Detect network threats such as man-in-the-middle attacks, and prevent synchronization
of corporate files based on the device risk.

Block SharePoint Online when network threats are detected:

Access granted on remediation:


Control access on unenrolled devices based on threats
from malicious apps
When the Symantec Endpoint Protection Mobile Threat Defense solution considers a
device to be infected:

Access is granted on remediation:


Next steps
Here are the steps you need to complete to integrate Intune with SEP Mobile:

Set up SEP Mobile integration with Intune

Add and assign SEP Mobile apps, Microsoft Authenticator and iOS/iPadOS app
configuration policy

Create SEP Mobile device compliance policy with Intune

Enable SEP Mobile MTD connector in Intune


Set up Symantec Endpoint Protection
Mobile integration with Intune
Article • 02/21/2023

Complete the following steps to integrate the Symantec Endpoint Protection Mobile
(SEP Mobile) solution with Intune. You need to add SEP Mobile apps into Azure AD to
have Single Sign On capabilities.

Note

This Mobile Threat Defense vendor is not supported for unenrolled devices.

Before you begin

Azure AD account used to integrate Intune and SEP Mobile

Make sure you have the Azure AD account properly configured in the Symantec
Endpoint Protection Mobile Management console before starting the SEP
Mobile Basic setup process.

The Azure AD account must be a global administrator account to perform the
integration.

Network Setup
You can make sure your network is properly configured for integration with SEP Mobile
setup by referring to the Symantec article Configuring SEP Manager after installation.

Full integration vs. Read-only

SEP Mobile supports two modes of integration with Intune:

Read-only integration (Basic setup): Only inventories devices from Azure Active
Directory and populates them in the Symantec Endpoint Protection Mobile
Management console.

If the Report the health and risk of devices to Intune, and Also report security
incidents to Intune boxes are not selected in the Symantec Endpoint Protection
Mobile Management console, the integration is read-only and therefore will
never change a device's state (compliant or noncompliant) in Intune.

Full integration: Allows SEP Mobile to report devices on risk and security incident
details to Intune, which creates a bi-directional communication between both
cloud services.

How are the SEP Mobile apps used with Azure AD and
Intune?
iOS app: Allows end-users to sign in to Azure AD using an iOS/iPadOS app.

Android app: Allows end-users to sign in to Azure AD using an Android app.

Management app: This is the SEP Mobile Azure AD multi-tenant app which
enables service-to-service communication with Intune.

To set up the read-only integration between Intune and SEP Mobile


Important

The SEP Mobile admin credentials must be an e-mail account that belongs to a valid
user in Azure Active Directory, otherwise the login fails. SEP Mobile uses Azure
Active Directory to authenticate its admin by single sign-on (SSO).

1. Go to Symantec Endpoint Protection Mobile Management Console.

2. Enter your SEP Mobile admin credentials, and then choose Continue.

3. Go to Settings, and under Intune Integration, choose Basic Setup.

4. Next to iOS App, choose Add to Active Directory.

5. When the login page opens, enter your Intune credentials, and then choose
Accept.

6. After the app is added to Azure AD, you'll see an indication that the app was
added successfully.

7. Repeat these steps for the SEP Mobile Android and Management apps.

Add an Azure AD security group into SEP Mobile

You need to add an Azure AD security group that contains all devices running SEP
Mobile.

Enter and select all the security groups of devices that are running SEP Mobile, and
then save the changes.

SEP Mobile syncs the devices running its Mobile Threat Defense service with the Azure
AD security groups.

To set up the full integration between Intune and SEP Mobile

Retrieve the Directory ID in Azure AD

1. Sign in to the Azure portal.

2. Type "Active Directory" in the search box, and then select Azure Active Directory.

3. Choose Properties.

4. Next to the Directory ID, choose the copy icon, and then paste it to a safe location.
You'll need this identifier in a later step.

(Optional) Create a dedicated security group for devices that need to run the SEP
Mobile apps

1. In the Azure portal, under Manage, choose Users and groups, and then choose
All groups.

2. Choose the Add button. Type a group Name. Under Membership type, choose
Assigned.

3. In the Members blade, select the group members, and then choose the Select
button.

4. In the Group blade, choose Create.

Set up the integration between Symantec Endpoint Protection Mobile and Intune

1. Go to Symantec Endpoint Protection Mobile Management Console.

2. Enter your SEP Mobile admin credentials, then choose Continue.

3. Go to the Settings > Integrations > Intune > EMM Integration Selection section.

4. In the Directory ID box, paste the Directory ID you copied from Azure Active
Directory in the previous section and save the settings.

5. Go to the Settings > Integrations > Intune > Basic Setup section.

6. Next to iOS App, choose the Add to Active Directory button.

7. Sign in using the Azure Active Directory credentials for the Microsoft 365 account
that manages the directory.

8. Choose the Accept button to add the SEP Mobile iOS/iPadOS app to Azure Active
Directory.

9. Repeat the same process for the Android app and the Management App.

10. Select all user groups that need to run the SEP Mobile apps, for example, the
security group you created earlier.

11. SEP Mobile syncs the devices in the selected groups and starts reporting
information to Intune. You can view this data in the Full Integration section. Go to
the Settings > Integrations > Intune > Full Integration section.

Next steps
Set up SEP Mobile apps
Use Trend Micro Mobile Security as a Service with Microsoft Intune
Article • 02/23/2023

Control mobile device access to corporate resources using Conditional Access based on
risk assessment conducted by Trend Micro Mobile Security as a Service, a mobile threat
defense (MTD) solution that integrates with Microsoft Intune. Risk is assessed based on
telemetry collected from devices protected by the Trend Micro Mobile Security as a
Service, including:

Malicious apps installed
Malicious network behavior and profiles
Operating system vulnerabilities
Device misconfiguration

You can configure Conditional Access policies based on Trend Micro Mobile Security as
a Service’s risk assessment, enabled through Intune device compliance policies for
enrolled devices. You can set up your policies to allow or block noncompliant devices
from accessing corporate resources based on detected threats.

Note

This Mobile Threat Defense vendor is not supported for unenrolled devices.

Supported platforms
Android 7.0 and later
iOS 11.0 and later

Prerequisites
Azure Active Directory Premium
Microsoft Intune Plan 1 subscription
Trend Micro account with administrative access to the Trend Micro Vision One
console

How do Intune and the Trend Micro MTD connector help protect your company
resources?
The Trend Micro Mobile Security as a Service mobile agent app for Android and
iOS/iPadOS captures file system, network stack, device, and application telemetry where
available, then sends the telemetry data to Trend Micro Mobile Security as a Service to
assess the device's risk for mobile threats.

Support for enrolled devices - Intune device compliance policy includes a rule for
MTD, which can use risk assessment information from Trend Micro. When the MTD
rule is enabled, Intune evaluates device compliance with the policy that you
enabled. If the device is found noncompliant, users are blocked from accessing
corporate resources, such as Exchange Online and SharePoint Online. Users also
receive guidance from the Trend Micro Mobile Security as a Service mobile agent
app installed on their devices to resolve the issue and regain access to corporate
resources. To support using Trend Micro with enrolled devices:
Add MTD apps to devices (this is done automatically when setting up the Trend
Micro Mobile Security as a Service integration)
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune

Sample scenarios
The following scenarios demonstrate the use of Trend Micro MTD when integrated with
Intune:

Control access based on threats from malicious apps

When malicious apps such as malware are detected on devices, you can block devices
from the following until the threat is resolved:

Connecting to corporate e-mail
Syncing corporate files with the OneDrive for Work app
Accessing company apps

Block when malicious apps are detected:

Access granted on remediation:

Control access based on threat to network

Detect threats like man-in-the-middle attacks on the network, and protect access to
Wi-Fi networks based on the device risk.

Block network access through Wi-Fi:

Access granted on remediation:

Control access to SharePoint Online based on threat to network

Detect threats like man-in-the-middle attacks on the network, and prevent
synchronization of corporate files based on the device risk.

Block SharePoint Online when network threats are detected:

Access granted on remediation:


Next steps
Integrate Trend Micro Mobile Security as a Service with Intune
Set up Trend Micro Mobile Security as a Service mobile agent app
Create Trend Micro Mobile Security as a Service device compliance policy
Enable Trend Micro Mobile Security as a Service MTD connector
Connect Trend Micro Mobile Security as a Service with Microsoft Intune
Article • 02/23/2023

Connect Trend Micro Mobile Security as a Service to monitor and mitigate device risk
levels on Intune-managed devices. Trend Micro Mobile Security as a Service works by
reporting device risk levels to Microsoft Intune. Intune then uses that information to
enforce the appropriate app configuration and risk assessment policies. For more
information about Trend Micro Mobile Security as a Service, see Getting Started with
Mobile Security in the Trend Micro documentation.

This article describes the requirements and steps to connect Trend Micro Mobile
Security as a Service in your tenant.

Before you begin

The following subscriptions and accounts are required to integrate Trend Micro Mobile
Security as a Service with Microsoft Intune.

Microsoft Intune Plan 1 subscription
Azure Active Directory (Azure AD) account with Global Administrator rights to
grant the following permissions:
Sign in and read user profile
Access the directory as the signed-in user
Read directory data
Send device information to Intune
Admin sign-in credentials to access the Trend Micro Vision One management
console

Trend Micro Mobile Security as a Service app authorization

The following authorization process happens when you configure the integration with
Trend Micro Mobile Security as a Service:

Allow Trend Micro Mobile Security as a Service to communicate information
related to device health state back to Intune. To grant these permissions, you must
use Global Administrator credentials. Granting permissions is a one-time
operation. After the permissions are granted, the Global Administrator credentials
aren't needed for day-to-day operation.
Allow Trend Micro Mobile Security as a Service to sync Azure AD enrollment group
membership to populate its device database.
Allow the Trend Micro Vision One management console to use Azure AD Single Sign
On (SSO).
Allow the Trend Micro Mobile Security as a Service agent app to sign in using
Azure AD SSO.
Allow Trend Micro Mobile Security as a Service to get installed app information to
perform malware scanning.
Allow Trend Micro Mobile Security as a Service to add its mobile apps in Intune for
deployment.
Allow Trend Micro Mobile Security as a Service to create device configuration
profiles.
Allow Trend Micro Mobile Security as a Service to perform remote actions when
necessary.

For more information about consent and Azure AD applications, see Request the
permissions from a directory admin.

Configuration overview

The configuration of the Trend Micro Mobile Security as a Service and Intune
integration is done in the Trend Micro Vision One console with the following steps:

1. Configure Intune integration settings. - Grant the permissions required by Trend
Micro Mobile Security as a Service, select the platforms of your mobile devices,
and choose the data synchronization frequency. Device configuration profiles and app
configuration policies are created automatically in Intune.

2. Select groups to install the Trend Micro Mobile Security as a Service mobile app. -
The Trend Micro Mobile Security as a Service mobile app installs automatically on
devices in the selected groups.

3. (Optional) Create mobile policies. - Optionally create customized mobile security
policies provided by Trend Micro Mobile Security as a Service. For more
information, see Configuring Mobile Policies.

4. Confirm mobile app status update.

Set up Mobile Security as a Service integration

1. Sign in to the Microsoft Intune admin center with an Intune administrator
account.
2. Go to All services > Tenant administration.
3. Select Connectors and tokens.
4. Under Cross platform, select Mobile Threat Defense.
5. Select Add.
6. For Select the Mobile Threat Defense connector to setup, choose Trend Micro.
7. Select Open the Trend Micro Vision One console. Keep the Intune admin center
tab open for later.
8. Sign in with your Trend Micro Vision One administration account, and then follow
the instructions in Setting up Intune Integration (opens Trend Micro Mobile
Security documentation) to complete setup.
9. After you finish setup in the Trend Micro Vision One console, Trend Micro Mobile
Security as a Service is now available in Intune.

Next steps
Customize Mobile Policies in Trend Micro Mobile Security as a Service
Create Mobile Threat Defense (MTD) device compliance policy with Intune
Wandera Mobile Threat Defense connector with Intune
Article • 02/21/2023

Control mobile device access to corporate resources using conditional access based on
risk assessment conducted by Wandera. Wandera is a Mobile Threat Defense (MTD)
solution that integrates with Microsoft Intune. Risk is assessed based on telemetry
collected from devices by the Wandera service, including:

Operating system vulnerabilities
Malicious apps installed
Malicious network profiles
Cryptojacking

You can configure conditional access policies that are based on Wandera's risk
assessment, enabled through Intune device compliance policies. Risk assessment policy
can allow or block noncompliant devices from accessing corporate resources based on
detected threats.

How do Intune and Wandera Mobile Threat Defense help protect your company resources?

Wandera's mobile app seamlessly installs using Microsoft Intune. This app captures file
system, network stack, and device and application telemetry (where available). This
information synchronizes to the Wandera cloud service to assess the device's risk for
mobile threats. These risk level classifications are configurable to suit your needs in the
Wandera console, RADAR.

The compliance policy in Intune includes a rule for MTD based on Wandera's risk
assessment. When this rule is enabled, Intune evaluates device compliance with the
policy that you enabled.

For devices that are noncompliant, access to resources like Microsoft 365 can be
blocked. Users on blocked devices receive guidance from the Wandera app to resolve
the issue and regain access.

Wandera will update Intune with each device’s latest threat level (Secure, Low, Medium,
or High) whenever it changes. This threat level is continuously re-calculated by the
Wandera Security Cloud and is based upon device state, network activity, and numerous
mobile threat intelligence feeds across various threat categories.
These categories and their associated threat levels are configurable in Wandera's RADAR
console such that the total calculated threat level for each device is customizable per
your organization’s security requirements. With threat level in hand, there are two
Intune policy types that make use of this information to manage access to corporate
data:

Using Device Compliance Policies with Conditional Access, administrators set
policies to automatically mark a managed device as “out of compliance” based
upon the Wandera-reported threat level. This compliance flag subsequently drives
Conditional Access Policies to allow or deny access to applications that use
modern authentication. See Create Mobile Threat Defense (MTD) device
compliance policy with Intune for configuration details.

Using App Protection Policies with Conditional Launch, administrators can set
policies that are enforced at the native app level (for example, Android and
iOS/iPadOS apps like Outlook and OneDrive) based upon the Wandera-reported
threat level. These policies may also be used for unenrolled devices with MAM
managed applications to provide uniform policy across all device platforms and
ownership modes. See Create Mobile Threat Defense app protection policy with
Intune for configuration details.
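The following is an added example, not code from the Intune documentation or from Wandera, Trend Micro or Zimperium. It models the step that the Wandera article describes above and that the Trend Micro and Zimperium articles describe for enrolled devices: the partner reports a device threat level, and a Device Compliance Policy with an MTD rule turns that level into the compliant/noncompliant flag that Conditional Access acts on. The ordering Secure < Low < Medium < High follows the four levels the Wandera article lists; the "at or under" ceiling, the treatment of a device with no partner report, the staleness window, and the sample device records are assumptions made for this example.

```python
"""Added example (not Microsoft's or any MTD vendor's code): turn an
MTD-reported device threat level into an Intune-style compliance verdict.

Assumptions (not taken from the page): the compliance rule is modelled as a
maximum allowed threat level; levels are ordered Secure < Low < Medium < High;
a device with no partner report, or a report older than a configurable
window, is treated as noncompliant; device records are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

# Ordered threat levels as reported by the MTD partner (Wandera's four levels).
THREAT_LEVELS = {"secure": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class DeviceThreatReport:
    device_id: str
    threat_level: Optional[str]       # None when the partner has not reported
    reported_at: Optional[datetime]   # when the partner last updated the level


@dataclass(frozen=True)
class MtdComplianceRule:
    # Highest threat level still considered compliant ("at or under" semantics).
    max_allowed_level: str
    # Assumption: block devices the partner has never reported on.
    block_on_missing_partner_data: bool = True
    # Assumption: a report older than this is no longer trusted.
    max_report_age: timedelta = timedelta(days=1)


def evaluate(report: DeviceThreatReport, rule: MtdComplianceRule,
             now: datetime) -> Tuple[str, str]:
    """Return ("compliant" | "noncompliant", reason) for one device."""
    if report.threat_level is None or report.reported_at is None:
        if rule.block_on_missing_partner_data:
            return "noncompliant", "no threat report from MTD partner"
        return "compliant", "no partner data and rule does not block on it"
    if now - report.reported_at > rule.max_report_age:
        return "noncompliant", "partner report is stale"
    level = report.threat_level.lower()
    if level not in THREAT_LEVELS:
        # Fail closed on a value outside the known set.
        return "noncompliant", f"unknown threat level {report.threat_level!r}"
    ceiling = rule.max_allowed_level.lower()
    if THREAT_LEVELS[level] <= THREAT_LEVELS[ceiling]:
        return "compliant", f"{level} is at or under {ceiling}"
    return "noncompliant", f"{level} exceeds {ceiling}"


def evaluate_fleet(reports: Iterable[DeviceThreatReport], rule: MtdComplianceRule,
                   now: datetime) -> Dict[str, str]:
    """Map device_id -> verdict for a batch of partner reports."""
    return {r.device_id: evaluate(r, rule, now)[0] for r in reports}


# Constructed sample data: a fixed clock and five partner reports.
NOW = datetime(2023, 2, 21, 12, 0, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    DeviceThreatReport("ios-001", "Secure", NOW - timedelta(hours=1)),
    DeviceThreatReport("and-002", "High", NOW - timedelta(minutes=10)),
    DeviceThreatReport("and-003", "Medium", NOW - timedelta(minutes=5)),
    DeviceThreatReport("ios-004", None, None),                      # never reported
    DeviceThreatReport("and-005", "Low", NOW - timedelta(days=3)),  # stale report
]
# Rule equivalent to "require the device to be at or under Low".
SAMPLE_RULE = MtdComplianceRule(max_allowed_level="Low")


def evaluate_sample() -> Dict[str, str]:
    return evaluate_fleet(SAMPLE_REPORTS, SAMPLE_RULE, NOW)


if __name__ == "__main__":
    for dev, verdict in evaluate_sample().items():
        print(f"{dev}: {verdict}")
```

With the sample rule, only ios-001 stays compliant: and-002 and and-003 exceed the Low ceiling, ios-004 has never been reported on, and and-005's report is older than the window. The fail-closed branches matter in practice: if the vendor stops reporting, a rule that silently keeps the last verdict leaves a compromised device with access.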

Supported platforms

The following platforms are supported for Wandera when enrolled in Intune:

Android 9.0 and later
iOS 13.7 and later

For more information about platform and device support, see the Wandera website.

Prerequisites
Microsoft Intune Plan 1 subscription
Azure Active Directory
Wandera Mobile Threat Defense (formerly Wandera Secure)

For more information, see Wandera Mobile Security.

Sample scenarios
Here are the common scenarios when using Wandera MTD with Intune.
Control access based on threats from malicious apps

When malicious apps such as malware are detected on devices, you can block devices
from common tools until you can resolve the threat. Common blocks include:

Connecting to corporate e-mail
Syncing corporate files with the OneDrive for Work app
Accessing company apps

Block when malicious apps are detected:

Access granted on remediation:


Control access based on threat to network

Detect threats to your network such as man-in-the-middle attacks and protect access to
Wi-Fi networks based on the device risk.

Block network access through Wi-Fi:

Access granted on remediation:

Control access to SharePoint Online based on threat to network

Detect threats to your network such as man-in-the-middle attacks, and prevent
synchronization of corporate files based on the device risk.

Block SharePoint Online when network threats are detected:

Access granted on remediation:

Control access on unenrolled devices based on threats from malicious apps

When the Wandera Mobile Threat Defense solution considers a device to be infected:

Access is granted on remediation:

Next steps
Integrate Wandera with Intune
Set up Wandera apps
Create Wandera device compliance policy
Enable Wandera MTD connector
Integrate Wandera Mobile Threat Protection with Intune
Article • 02/22/2023

Complete the following steps to integrate the Wandera Mobile Threat Defense solution
with Intune.

Before you begin

Before you start the process to integrate Wandera with Intune, make sure you have the
following prerequisites in place:

Microsoft Intune Plan 1 subscription
Azure Active Directory administrator credentials and an assigned role that is able to
grant the following permissions:
Sign in and read user profile
Access the directory as the signed-in user
Read directory data
Send device risk information to Intune
A valid Wandera subscription
An administrator account with super admin privileges

Integration overview

Enabling Mobile Threat Defense integration between Wandera and Intune entails:

Enabling Wandera’s UEM Connect service to synchronize information with Azure
and Intune. This includes user and device Life Cycle Management (LCM) metadata,
along with the Mobile Threat Defense (MTD) device threat level.
Creating Activation Profiles in Wandera to define device enrollment behavior.
Deploying Wandera over-the-air to managed iOS and Android devices.
Configuring Wandera for end user self-service using MAM on iOS and Android
devices.

Set up Wandera Mobile Threat Defense integration

Setting up integration between Wandera and Intune does not require any support from
Wandera staff and can be accomplished in a matter of minutes.

Enable support for Wandera in Intune

1. Sign in to the Microsoft Intune admin center.

2. Select Tenant administration > Connectors and tokens > Mobile Threat Defense
> Add.

3. On the Add Connector page, use the dropdown to select Wandera, and then
select Create.

4. On the Mobile Threat Defense pane, select the Wandera MTD Connector from the
list of connectors to open the Edit connector pane. Select Open the Wandera
admin console to open RADAR, the Wandera admin console, and sign in.

5. In the Wandera RADAR console, go to Integrations > UEM Integration, and select
the UEM Connect tab. Use the EMM Vendor drop-down and select Microsoft
Intune.

6. RADAR displays the list of permission grants required to complete the
integration:

7. Next to Intune User and Device Sync, click the Grant button to start the process to
provide consent for Wandera to perform Life Cycle Management (LCM) functions
with Azure and Intune.

8. When prompted, select or enter your Azure admin credentials. Review the
requested permissions, then select the checkbox to Consent on behalf of your
organization. Finally, click Accept to authorize the LCM integration.

9. You will be automatically returned to the RADAR admin console. If the
authorization was successful, you will see a green tick mark next to the Grant
button.

10. Repeat the consent process for the remaining listed integrations by clicking on
their corresponding Grant buttons until you have green tick marks next to each.

11. Return to the Intune admin center, and resume editing the Wandera MTD
Connector. Set all of the available toggles to On, and then Save the configuration.
Intune and Wandera are now connected.

Create Activation Profiles in Wandera

Intune-based deployments are facilitated using Wandera Activation Profiles defined in
RADAR. Each Activation Profile defines specific configuration options like authentication
requirements, service capabilities, and initial group membership.

After creating an Activation Profile in Wandera, you “assign” it to users and devices in
Intune. While an Activation Profile is universal across device platforms and management
strategies, the steps below define how to configure Intune based upon these
differences.

The steps from here assume you have created an Activation Profile in Wandera that you
would like to deploy via Intune to your target devices. Please see the Activation Profiles
Guide for more details on creating and using Wandera Activation Profiles.

Note

When creating Activation Profiles for deployment via Intune, be sure to set
Associated User to the Authenticated by Identity Provider > Azure Active Directory
option for maximum security, cross-platform compatibility, and a streamlined end
user experience.

Deploying Wandera Over-the-Air to MDM-Managed Devices

For iOS and Android devices that are managed by Intune, Wandera can be deployed
over-the-air for rapid push-based activations. Be sure you have already created the
Activation Profile(s) you need before proceeding with this section. Deploying Wandera
to managed devices involves:

Adding Wandera configuration profiles to Intune and assigning them to target devices.
Adding the Wandera app and its app configurations to Intune and assigning them to
target devices.

Configure and deploy iOS Configuration Profiles

In this section, you will download the required iOS device configuration files and then
deliver them over-the-air via MDM to your Intune managed devices.

1. In RADAR, navigate to the Activation Profile you want to deploy (Devices >
Activations), then click the Deployment Strategies tab > Managed Devices >
Microsoft Endpoint Manager.
2. Expand the Apple iOS Supervised or Apple iOS Unsupervised sections based
upon your device fleet configuration.
3. Download the provided configuration profile(s) and prepare to upload them in a
following step.
4. Open Microsoft Intune admin center and navigate to Devices > iOS/iPadOS >
Configuration profiles. Click Create profile.
5. In the panel that appears, choose iOS/iPadOS under Platform, then Custom under
Profile. Then click Create.
6. In the Name field, provide a descriptive title for the configuration, ideally matching
what you named the Activation Profile in RADAR. This will help ease cross
referencing in the future. Alternatively, provide the Activation Profile code if
desired. We recommend indicating if the configuration is for Supervised or
Unsupervised devices by suffixing the name as such.
7. Optionally provide a Description providing more details for other administrators
about the purpose/use of the configuration. Click Next.
8. Click Select a file and locate the downloaded configuration profile that
corresponds to the appropriate Activation Profile downloaded in step 3. Take care
to select the appropriate Supervised or Unsupervised profile if you downloaded
both. Click Next.
9. Define Scope tags as required by your Intune RBAC practices. Click Next.
10. Assign the configuration profile to groups of users or devices that should have
Wandera installed. We recommend starting with a test group then expanding after
validating activations work correctly. Click Next.
11. Review the configuration for correctness, editing as needed, then click Create to
create and deploy the configuration profile.

Note

Wandera offers an enhanced deployment profile for supervised iOS devices. If you
have a mixed fleet of supervised and unsupervised devices, repeat the above steps
for the other profile type as needed. These same steps need to be followed for any
future Activation Profiles that are to be deployed via Intune. Please contact
Wandera support if you have a mixed fleet of supervised and unsupervised iOS
devices and need assistance with supervised mode-based policy assignments.

Deploying Wandera to unenrolled devices with MAM managed applications

For unenrolled devices with MAM managed applications, Wandera utilizes an integrated
authentication-based onboarding experience to activate and protect company data
within MAM managed apps.

The following sections describe how to configure Wandera and Intune to enable end
users to seamlessly activate Wandera before being able to access company data.

Configure Azure Device Provisioning in a Wandera Activation Profile

Activation Profiles to be used with MAM must have Associated User set to the
Authenticated by Identity Provider > Azure Active Directory option.

1. In the Wandera RADAR portal, select an existing, or create a new, Activation Profile
that unenrolled devices with MAM managed applications will use during
enrollment in Devices > Activations.
2. Click the Deployment Strategies tab then Unmanaged Devices then scroll to the
Azure Device Provisioning section.
3. Enter your Azure AD Tenant ID into the appropriate text field. If you don’t have
your tenant ID on hand, click the Get my Tenant ID link to open Azure AD in a new
tab where you can easily copy this value to your clipboard.
4. (Optional) Specify Group ID(s) to limit user activations to specific groups.

If one or more Group IDs are defined, a user activating MAM must be a
member of at least one of the specified groups to activate using this
Activation Profile.
You can set up multiple Activation Profiles configured with the same Azure
Tenant ID but with different Group IDs. This allows you to enroll devices into
Wandera based upon Azure group membership, enabling differentiated
capabilities by group at activation time.
You may configure a single “default” Activation Profile that doesn’t specify
any Group IDs. This profile serves as a catch-all for all activations in which
the authenticated user isn’t a member of a group associated with another
Activation Profile.

5. Click Save in the upper-right corner of the page.


Next steps

With your Wandera Activation Profiles loaded in RADAR, create client apps in
Intune to deploy the Wandera app to Android and iOS/iPadOS devices. The
Wandera app configuration provides essential functionality to complement the pushed
device configuration profile(s) and is recommended for all deployments. See Add
MTD apps for the procedures and custom details specific to the Wandera apps.
Now that you have Wandera integrated with Intune, you can tune your
configuration, view reports, and deploy more broadly across your fleet of
mobile devices. For detailed configuration guides, see the Support Center Getting
Started Guide in the Wandera documentation.
Zimperium Mobile Threat Defense connector with Intune
Article • 02/21/2023

You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by Zimperium, a Mobile Threat Defense (MTD)
solution that integrates with Microsoft Intune. Risk is assessed based on telemetry
collected from devices running the Zimperium app.

You can configure Conditional Access policies based on Zimperium risk assessment
enabled through Intune device compliance policies for enrolled devices, which you can
use to allow or block noncompliant devices to access corporate resources based on
detected threats. For unenrolled devices, you can use app protection policies to enforce
a block or selective wipe based on detected threats.

Supported platforms

Android 5.1 and later
iOS 10 and later

Prerequisites

Azure Active Directory Premium
Microsoft Intune Plan 1 subscription
Zimperium Mobile Threat Defense subscription

For more information, see the Zimperium website.

How do Intune and Zimperium help protect your company resources?

The Zimperium app for Android and iOS/iPadOS captures file system, network stack,
device, and application telemetry where available, then sends the telemetry data to the
Zimperium cloud service to assess the device's risk for mobile threats.

Support for enrolled devices - Intune device compliance policy includes a rule for
Mobile Threat Defense (MTD), which can use risk assessment information from
Zimperium. When the MTD rule is enabled, Intune evaluates device compliance
with the policy that you enabled. If the device is found noncompliant, users are
blocked from accessing corporate resources like Exchange Online and SharePoint
Online. Users also receive guidance from the Zimperium app installed on their
devices to resolve the issue and regain access to corporate resources. To support
using Zimperium with enrolled devices:
Add MTD apps to devices
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune

Support for unenrolled devices - Intune can use the risk assessment data from the
Zimperium app on unenrolled devices when you use Intune app protection
policies. Admins can use this combination to help protect corporate data within a
Microsoft Intune protected app, and can also issue a block or selective wipe of
corporate data on those unenrolled devices. To support using Zimperium with
unenrolled devices:
Add the MTD app to unenrolled devices
Create a Mobile Threat Defense app protection policy
Enable the MTD connector in Intune for unenrolled devices

Sample scenarios

The following scenarios demonstrate the use of Zimperium when integrated with Intune:

Control access based on threats from malicious apps

When malicious apps such as malware are detected on devices, you can block devices
from the following until the threat is resolved:

Connecting to corporate e-mail
Syncing corporate files with the OneDrive for Work app
Accessing company apps

Block when malicious apps are detected:

Access granted on remediation:

Control access based on threat to network

Detect threats like man-in-the-middle attacks on the network, and protect access to
Wi-Fi networks based on the device risk.

Block network access through Wi-Fi:

Access granted on remediation:

Control access to SharePoint Online based on threat to network

Detect threats like man-in-the-middle attacks on the network, and prevent
synchronization of corporate files based on the device risk.

Block SharePoint Online when network threats are detected:

Access granted on remediation:

Control access on unenrolled devices based on threats from malicious apps

When the Zimperium Mobile Threat Defense solution considers a device to be infected:

Access is granted on remediation:


Next steps
Integrate Zimperium with Intune
Set up Zimperium apps
Create Zimperium device compliance policy
Enable Zimperium MTD connector
Create an MTD app protection policy


Integrate Zimperium with Intune
Article • 02/21/2023

Complete the following steps to integrate the Zimperium Mobile Threat Defense
solution with Intune.

Before you begin

The following steps are done in the Zimperium MTD console and will enable a
connection to Zimperium's service for both Intune enrolled devices (using device
compliance) and unenrolled devices (using app protection policies).

Before starting the process of integrating Zimperium with Intune, make sure you have
the following subscription and credentials:

Microsoft Intune Plan 1 subscription
Azure Active Directory Global Administrator credentials to grant the following
permissions:
Sign in and read user profile
Access the directory as the signed-in user
Read directory data
Send device information to Intune
Admin credentials to access the Zimperium MTD console.

Zimperium app authorization

The Zimperium app authorization process follows:

Grant the Zimperium service permissions to communicate information related to
device health state back to Intune. To grant these permissions, you must use
Global Administrator credentials. Granting permissions is a one-time operation.
After the permissions are granted, the Global Administrator credentials aren't
needed for day-to-day operation.
Zimperium syncs with Azure Active Directory (AD) enrollment group membership
to populate its device database.
Allow the Zimperium admin console to use Azure AD Single Sign On (SSO).
Allow the Zimperium app to sign in using Azure AD SSO.

For more information about consent and Azure Active Directory applications, see
Request the permissions from a directory admin in the Azure Active Directory article
Permissions and consent in the Azure Active Directory v2.0 endpoint.
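The Trend Micro, Wandera and Zimperium integration articles all have a Global Administrator grant the vendor's Azure AD app the same short list of permissions (sign in and read user profile, access the directory as the signed-in user, read directory data, send device information to Intune) as a one-time tenant-wide consent. The following is an added example, not code from the Intune documentation or from any of the vendors: it checks, after that consent, that the vendor's service principal holds only the documented permissions and that the consent is tenant-wide rather than per-user. The record shape is that of a Microsoft Graph oauth2PermissionGrant and the sample records are constructed rather than fetched; the mapping from the page's permission display names to Graph scope values is an assumption, and the scope for "Send device information to Intune" is not on the page, so a hypothetical placeholder name stands in for it.

```python
"""Added example (not Microsoft's, Trend Micro's, Wandera's or Zimperium's
code): after a Global Administrator consents to an MTD vendor's Azure AD app,
verify that the tenant-wide grant holds only the documented permissions.

Assumptions (not taken from the page): records use the shape of a Microsoft
Graph oauth2PermissionGrant (id, clientId, consentType, principalId,
resourceId, scope) and are constructed here; KNOWN_SCOPES is an assumed
mapping from the page's display names to scope values; the Intune
"send device information" scope is a hypothetical placeholder.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Page display name -> Graph delegated scope value (assumed mapping).
KNOWN_SCOPES: Dict[str, str] = {
    "Sign in and read user profile": "User.Read",
    "Access the directory as the signed-in user": "Directory.AccessAsUser.All",
    "Read directory data": "Directory.Read.All",
}
# Hypothetical placeholder; substitute the real Intune scope in your tenant.
INTUNE_DEVICE_INFO_SCOPE = "Example.IntuneDeviceInfo"
EXPECTED_SCOPES: Set[str] = set(KNOWN_SCOPES.values()) | {INTUNE_DEVICE_INFO_SCOPE}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    message: str


def audit_vendor_consent(grants: Iterable[dict], vendor_client_id: str,
                         expected_scopes: Set[str]) -> List[Finding]:
    """Compare what was granted to the vendor's service principal against the
    documented permission set.

    In a live tenant the grants would come from
    GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants
        ?$filter=clientId eq '<service principal object id>'
    """
    vendor_grants = [g for g in grants if g.get("clientId") == vendor_client_id]
    if not vendor_grants:
        return [Finding("high", "no permission grant for the vendor service "
                                "principal; admin consent did not complete")]
    findings: List[Finding] = []
    granted: Set[str] = set()
    for g in vendor_grants:
        granted |= set(g.get("scope", "").split())
        # "Consent on behalf of your organization" produces AllPrincipals; a
        # Principal grant is one user's consent and does not cover the
        # service-to-service sync the vendor needs after setup.
        if g.get("consentType") != "AllPrincipals":
            findings.append(Finding("medium", f"grant {g.get('id')} is per-user "
                                    f"(consentType={g.get('consentType')})"))
    for scope in sorted(granted - expected_scopes):
        findings.append(Finding("high", f"unexpected scope granted: {scope}"))
    for scope in sorted(expected_scopes - granted):
        findings.append(Finding("medium", f"documented scope not granted: {scope}"))
    if not findings:
        findings.append(Finding("info", "grant matches the documented permission set"))
    return findings


# Constructed sample: the vendor app was granted one scope too many
# (Directory.ReadWrite.All), and an unrelated app has its own per-user grant.
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-mtd-vendor", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-microsoft-graph",
     "scope": "User.Read Directory.AccessAsUser.All Directory.Read.All "
              "Directory.ReadWrite.All " + INTUNE_DEVICE_INFO_SCOPE},
    {"id": "grant-2", "clientId": "sp-unrelated-app", "consentType": "Principal",
     "principalId": "user-1", "resourceId": "sp-microsoft-graph",
     "scope": "User.Read"},
]


def audit_sample() -> List[Finding]:
    return audit_vendor_consent(SAMPLE_GRANTS, "sp-mtd-vendor", EXPECTED_SCOPES)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.severity}] {f.message}")
```

On the sample data the audit returns a single high-severity finding for Directory.ReadWrite.All, which none of the three articles list and which would let the vendor app modify directory objects. Running this check once after the one-time consent, and again whenever the vendor asks for re-consent, is the least-privilege control the articles' "Global Administrator credentials aren't needed for day-to-day operation" statement relies on.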

To set up Zimperium integration

1. Go to Zimperium MTD console and sign in with your credentials. To perform the
Zimperium integration setup process, you must sign in with an Azure Active
Directory user who has the Global Administrator role. This one-time setup
operation uses the Global Administrator rights to grant permission in your
organization for the Zimperium apps to communicate with Intune.

2. Choose Management from the left menu.

3. Choose the MDM settings tab.

4. Choose Add MDM, then select Microsoft Intune from the MDM provider list.

5. After you set Microsoft Intune as the MDM service, the Microsoft Intune
Configuration window opens. Choose Add Azure Active Directory for each option
(Zimperium zConsole, and the zIPS iOS and Android apps) to authorize Zimperium
to communicate with Intune and Azure AD through Azure AD Single Sign-On.

Important

You must add the Zimperium zConsole, zIPS iOS and Android apps to
complete the integration process with Intune.

6. Choose Accept to authorize the Zimperium app to communicate with Intune and
Azure Active Directory.

7. After you add the Zimperium zConsole and the zIPS iOS and Android apps to
Azure AD, add the Azure AD security groups. This addition allows Zimperium to
synchronize the Azure AD security group with its service.

8. Choose Finish to save the configuration and start the first Azure AD security group
synchronization.

9. Sign out of the Zimperium MTD console.


Next steps
Set up Zimperium apps for enrolled devices
Set up Zimperium apps for unenrolled devices
Network access control (NAC) integration with Intune
Article • 07/24/2023

Intune integrates with network access control (NAC) partners to help organizations
secure corporate data when devices try to access on-premises resources.

Note

A new NAC service (CR service) was released in July 2021 and many of our NAC
partners are transitioning to this new service. While we have extended the timeline
for supporting the legacy NAC service through December 31, 2023, we recommend
that you migrate to the new CR service to avoid service disruption. Currently, the
following NAC partner products support the new NAC service:

Cisco ISE 3.1 and later
Citrix Gateway 13.0-84.11 and later
Citrix Gateway 13.1-12.50 and later
F5 BIG-IP Access Policy Manager 14.1.5.2 and later
F5 BIG-IP Access Policy Manager 15.1.7 and later
F5 BIG-IP Access Policy Manager 16.1.3.1 and later
F5 BIG-IP Access Policy Manager 17.0 and later
Ivanti Connect Secure 9.1R16 and later
Aruba ClearPass with Microsoft Intune Extension v6 and later

Contact your NAC partner if you have questions on the impact of this transition. For
more information, see our blog post on the new compliance retrieval service.

How do Intune and NAC solutions help protect your organization resources?

NAC solutions check the device enrollment and compliance state with Intune to make
access control decisions. If the device isn't enrolled, or is enrolled and not compliant
with Intune device compliance policies, then the device should be redirected to Intune
for enrollment, or for a device compliance check.

Example
If the device is enrolled and compliant with Intune, the NAC solution should allow the
device access to corporate resources. For example, users can be allowed or denied
access when trying to access corporate Wi-Fi or VPN resources.

Feature behaviors
Devices that are actively syncing to Intune can't move from Compliant / Noncompliant
to Not Synced (or Unknown). The Unknown state is reserved for newly enrolled devices
that haven't been evaluated for compliance yet.

For devices that are blocked from access to resources, the blocking service should
redirect all users to the management portal to determine why the device is blocked. If
the users visit this page, their devices are synchronously reevaluated for compliance.

NAC and Conditional Access


NAC works with Conditional Access to provide access control decisions. For more
information, see Common ways to use Conditional Access with Intune.

How the NAC integration works


The following list is an overview on how NAC integration works when integrated with
Intune. The first three steps, 1-3, explain the onboarding process. Once the NAC solution
is integrated with Intune, steps 4-9 describe the ongoing operation.

1. Register the NAC partner solution with Azure Active Directory (Azure AD), and
grant delegated permissions to the Intune NAC API.
2. Configure the NAC partner solution with the appropriate settings including the
Intune discovery URL.
3. Configure the NAC partner solution for certificate authentication.
4. User connects to corporate Wi-Fi access point or makes a VPN connection request.
5. NAC partner solution forwards the device information to Intune, and asks Intune
about the device enrollment and compliance state.
6. If the device isn't compliant or isn't enrolled, the NAC partner solution instructs the
user to enroll or fix the device compliance.
7. The device tries to reverify its compliance and enrollment state when applicable.
8. Once the device is enrolled and compliant, NAC partner solution gets the state
from Intune.
9. Connection is successfully established which allows the device access to corporate
resources.

Note

NAC partner solutions will typically make two different types of query to Intune to
ask about device compliance state:

Queries filtered on a known property value of a single device, such as its IMEI
or Wi-Fi MAC address
Broad, unfiltered queries for all non-compliant devices

NAC solutions are permitted to make as many of the device-specific queries as
required. However, the broad unfiltered queries may be throttled. The NAC solution
should be configured to submit the all-non-compliant-devices query at most once
every four hours. Queries made more frequently will receive an HTTP 503 error
from the Intune service.
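As an added example that is not part of the Intune documentation or of any NAC product, the following Go program models the two query kinds this note distinguishes. Device-specific lookups pass straight to the service, while the broad all-non-compliant-devices query is gated locally to at most once every four hours, and a 503 from the service is treated as a signal to wait out a full interval rather than retry. The ComplianceService interface, the NACClient wrapper and the fake service that answers them are assumptions constructed for the example (the real compliance retrieval API is not modelled); the sample IMEI and MAC address are constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"time"
)

// BroadQueryInterval is the note's cadence for the unfiltered "all non-compliant devices" query.
const BroadQueryInterval = 4 * time.Hour

// ErrBroadQueryTooSoon is returned by the local gate before any request is sent,
// so the NAC side never provokes the service-side HTTP 503 throttle.
var ErrBroadQueryTooSoon = errors.New("broad query skipped: fewer than four hours since the last one")

// ComplianceService is an assumed, minimal view of the compliance retrieval
// endpoint as a NAC product sees it, not a real Intune API surface.
type ComplianceService interface {
	QueryDevice(identifier string) (state string, httpStatus int) // device-specific; never gated
	QueryAllNonCompliant() (deviceIDs []string, httpStatus int)    // broad; may be throttled
}

// NACClient applies the note's cadence rule in front of a ComplianceService.
type NACClient struct {
	Svc       ComplianceService
	Now       func() time.Time
	NextBroad time.Time // earliest time the next unfiltered query may be sent
}

// RefreshNonCompliant sends the broad query only once the interval has elapsed
// and, on a 503, waits out a full interval instead of retrying.
func (c *NACClient) RefreshNonCompliant() ([]string, error) {
	now := c.Now()
	if now.Before(c.NextBroad) {
		return nil, ErrBroadQueryTooSoon
	}
	ids, status := c.Svc.QueryAllNonCompliant()
	switch status {
	case http.StatusOK:
		c.NextBroad = now.Add(BroadQueryInterval)
		return ids, nil
	case http.StatusServiceUnavailable:
		c.NextBroad = now.Add(BroadQueryInterval)
		return nil, fmt.Errorf("throttled (HTTP 503); next attempt at %s", c.NextBroad.Format(time.RFC3339))
	default:
		return nil, fmt.Errorf("broad query failed: HTTP %d", status)
	}
}

// fakeService is a constructed stand-in that mimics the documented behaviour:
// a broad query within four hours of the previous accepted one gets HTTP 503.
type fakeService struct {
	now        func() time.Time
	lastBroad  time.Time
	BroadCalls int
	states     map[string]string // constructed sample identifiers -> state
}

func newFakeService(now func() time.Time) *fakeService {
	return &fakeService{now: now, states: map[string]string{
		"IMEI:490154203237518": "compliant", "MAC:02:00:00:aa:bb:cc": "noncompliant"}}
}

func (f *fakeService) QueryDevice(id string) (string, int) {
	if s, ok := f.states[id]; ok {
		return s, http.StatusOK
	}
	return "notManagedByIntune", http.StatusOK // unenrolled: nothing else is shared
}

func (f *fakeService) QueryAllNonCompliant() ([]string, int) {
	f.BroadCalls++
	if !f.lastBroad.IsZero() && f.now().Sub(f.lastBroad) < BroadQueryInterval {
		return nil, http.StatusServiceUnavailable
	}
	f.lastBroad = f.now()
	var ids []string
	for id, s := range f.states {
		if s == "noncompliant" {
			ids = append(ids, id)
		}
	}
	return ids, http.StatusOK
}

func main() {
	clock := time.Date(2023, 7, 24, 8, 0, 0, 0, time.UTC)
	now := func() time.Time { return clock }
	nac := &NACClient{Svc: newFakeService(now), Now: now}
	for _, step := range []time.Duration{0, time.Hour, BroadQueryInterval} {
		clock = clock.Add(step)
		ids, err := nac.RefreshNonCompliant()
		fmt.Printf("t+%v: %v %v\n", step, ids, err)
	}
}
```

The local gate is the important design choice: the 503 is the service's last line of defence, and a NAC integration that relies on it will still have its broad refresh fail at exactly the moment it is due, so the client should pace itself and keep the device-specific path (which is never gated) as its primary check at connection time.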

Enable NAC
To enable use of NAC and the compliance retrieval service that became available in July
2021, reference your NAC product's most recent documentation for enabling NAC
integration with Intune. This integration might require you to make changes after you
upgrade to their new NAC product or version.

The compliance retrieval service requires certificate-based authentication and the use of
the Intune device ID as the subject alternative name of the certificates. For Simple
Certificate Enrollment Protocol (SCEP) and Private and public key pair (PKCS) certificates,
you can add an attribute of the URI type with a value defined by your NAC provider. For
example, your NAC provider's instructions might say to include
IntuneDeviceId://{{DeviceID}} as the Subject alternative name.
Other NAC products might require you to include a device ID when using NAC with iOS
VPN profiles.

To learn more about certificate profiles, see Use SCEP certificate profiles with Microsoft
Intune and Use a PKCS certificate profile to provision devices with certificates in
Microsoft Intune.

Data shared with NAC partners


The specific device properties that are shared with NAC partners depend on the version
of the NAC API the NAC product uses. Contact your NAC partner for more information
on which version of the NAC or Compliance Retrieval API your NAC product uses.

Also, the data returned will be limited if:

The device isn't enrolled in Intune. In this case, no information other than that the
device isn't managed by Intune will be shared with the NAC product.
The OS prevents the specific device property from being shared with Microsoft.
Intune will share empty values back to the NAC product for data properties not
shared with Intune by the OS.

Device property                   NAC 1.0  NAC 1.1  NAC 1.3  Compliance Retrieval/NAC 2.0

Compliance state                  Yes      Yes      Yes      Yes
Managed by Intune                 Yes      Yes      Yes      Yes
Personal or corporate ownership   No       Yes      Yes      No
MAC address                       Yes      Yes      Yes      Yes
Serial number                     Yes      Yes      Yes      No
IMEI                              Yes      Yes      Yes      No
UDID                              Yes      Yes      Yes      No
MEID                              Yes      Yes      Yes      No
OS version                        Yes      Yes      Yes      No
Device model                      Yes      Yes      Yes      No
Manufacturer                      Yes      Yes      Yes      No
Azure Active Directory device ID  Yes      Yes      Yes      No
Last contact time with Intune     Yes      Yes      Yes      No
Intune device ID                  No       No       No       Yes

Next steps
Integrate Cisco ISE with Intune
Integrate Citrix Gateway with Intune
Integrate F5 BIG-IP Access Policy Manager with Intune
Integrate HPE Aruba ClearPass with Intune
Integrate Squadra security Removable Media Manager (secRMM) with Intune
Use certificates for authentication in Microsoft Intune
Article • 08/21/2023

Use certificates with Intune to authenticate your users to applications and corporate
resources through VPN, Wi-Fi, or email profiles. When you use certificates to
authenticate these connections, your end users don't need to enter usernames and
passwords, which can make their access seamless. Certificates are also used for signing
and encryption of email using S/MIME.

Introduction to certificates with Intune


Certificates provide authenticated access without delay through the following two
phases:

Authentication phase: The user’s authenticity is checked to confirm the user is who
they claim to be.
Authorization phase: The user is subjected to conditions for which a determination
is made on whether the user should be given access.

Typical use scenarios for certificates include:

Network authentication (for example, 802.1x) with device or user certs
Authenticating with VPN servers using device or user certs
Signing e-mail based on user certs

Intune supports Simple Certificate Enrollment Protocol (SCEP), Public Key Cryptography
Standards (PKCS), and imported PKCS certificates as methods to provision certificates on
devices. The different provisioning methods have different requirements, and results. For
example:

SCEP provisions certificates that are unique to each request for the certificate.
PKCS provisions each device with a unique certificate.
With Imported PKCS, you can deploy the same certificate that you’ve exported
from a source, like an email server, to multiple recipients. This shared certificate is
useful to ensure all your users or devices can then decrypt emails that were
encrypted by that certificate.

To provision a user or device with a specific type of certificate, Intune uses a certificate
profile.
In addition to the three certificate types and provisioning methods, you need a trusted
root certificate from a trusted Certification Authority (CA). The CA can be an on-
premises Microsoft Certification Authority, or a third-party Certification Authority. The
trusted root certificate establishes a trust from the device to your root or intermediate
(issuing) CA from which the other certificates are issued. To deploy this certificate, you
use the trusted certificate profile, and deploy it to the same devices and users that
receive the certificate profiles for SCEP, PKCS, and imported PKCS.

Tip

Intune also supports use of Derived credentials for environments that require use
of smartcards.

What’s required to use certificates


A Certification Authority. Your CA is the source of trust that the certificates
reference for authentication. You can use a Microsoft CA or a third-party CA.
On-premises infrastructure. The infrastructure you require depends on the
certificate types you use:
SCEP
PKCS
Imported PKCS
A trusted root certificate. Before you deploy SCEP or PKCS certificate profiles,
deploy the trusted root certificate from your CA using a trusted certificate profile.
This profile helps establish the trust from the device back to the CA and is required
by the other certificate profiles.

With a trusted root certificate deployed, you're ready to deploy certificate profiles to
provision users and devices with certificates for authentication.

Which certificate profile to use


The following comparisons aren’t comprehensive but intended to help distinguish the
use of the different certificate profile types.

Profile type: Details

Trusted certificate: Use to deploy the public key (certificate) from a root CA or
intermediary CA to users and devices to establish a trust back to the source CA.
Other certificate profiles require the trusted certificate profile and its root
certificate.

SCEP certificate: Deploys a template for a certificate request to users and devices.
Each certificate that's provisioned using SCEP is unique and tied to the user or
device that requests the certificate.

With SCEP, you can deploy certificates to devices that lack a user affinity,
including use of SCEP to provision a certificate on a kiosk or user-less device.

PKCS certificate: Deploys a template for a certificate request that specifies a
certificate type of either user or device.

- Requests for a certificate type of user always require user affinity. When
deployed to a user, each of the user's devices receives a unique certificate. When
deployed to a device with a user, that user is associated with the certificate for
that device. When deployed to a userless device, no certificate is provisioned.
- Templates with a certificate type of device don't require user affinity to provision
a certificate. Deployment to a device provisions the device. Deployment to a user
provisions the device the user is signed into with a certificate.

PKCS imported certificate: Deploys a single certificate to multiple devices and users,
which supports scenarios like S/MIME signing and encryption. For example, by
deploying the same certificate to each device, each device can decrypt email received
from that same email server.

Other certificate deployment methods are insufficient for this scenario, as SCEP
creates a unique certificate for each request, and PKCS associates a different
certificate for each user, with different users receiving different certificates.

Intune supported certificates and usage


Type                                                           Authentication  S/MIME signing  S/MIME encryption

Public Key Cryptography Standards (PKCS) imported certificate
PKCS#12 (or PFX)
Simple Certificate Enrollment Protocol (SCEP)

To deploy these certificates, create and assign certificate profiles to devices.

Each individual certificate profile you create supports a single platform. For example, if
you use PKCS certificates, you create PKCS certificate profile for Android and a separate
PKCS certificate profile for iOS/iPadOS. If you also use SCEP certificates for those two
platforms, you create a SCEP certificate profile for Android, and another for iOS/iPadOS.

General considerations when you use a Microsoft Certification Authority

When you use a Microsoft Certification Authority (CA):

To use SCEP certificate profiles:
Set up a Network Device Enrollment Service (NDES) server for use with Intune.
Install the Certificate Connector for Microsoft Intune.

To use PKCS certificate profiles:
Install the Certificate Connector for Microsoft Intune.

To use PKCS imported certificates:
Install the Certificate Connector for Microsoft Intune.
Export certificates from the certification authority and then import them to
Microsoft Intune. See the PFXImport PowerShell project.

Deploy certificates by using the following mechanisms:
Trusted certificate profiles to deploy the Trusted Root CA certificate from your
root or intermediate (issuing) CA to devices
SCEP certificate profiles
PKCS certificate profiles
PKCS imported certificate profiles

General considerations when you use a third-party Certification Authority

When you use a third-party (non-Microsoft) Certification Authority (CA):

To use SCEP certificate profiles:
Configure integration with a third-party CA from one of our supported partners.
Setup includes following the instructions from the third-party CA to complete
integration of their CA with Intune.
Create an application in Azure AD that delegates rights to Intune to do SCEP
certificate challenge validation.

PKCS imported certificates require you to install the Certificate Connector for
Microsoft Intune.

Deploy certificates by using the following mechanisms:
Trusted certificate profiles to deploy the Trusted Root CA certificate from your
root or intermediate (issuing) CA to devices
SCEP certificate profiles
PKCS certificate profiles (only supported with the Digicert PKI Platform)
PKCS imported certificate profiles

Supported platforms and certificate profiles


Platform                                            Trusted certificate profile  PKCS certificate profile  SCEP certificate profile  PKCS imported certificate profile

Android device administrator (see Note 1)
Android Enterprise - Fully Managed (Device Owner)
Android Enterprise - Dedicated (Device Owner)
Android Enterprise - Corporate-Owned Work Profile
Android Enterprise - Personally-Owned Work Profile
Android (AOSP)
iOS/iPadOS
macOS
Windows 8.1 and later
Windows 10/11                                       (see Note 2) (see Note 2) (see Note 2)

Note 1 - Beginning with Android 11, trusted certificate profiles can no longer install
the trusted root certificate on devices that are enrolled as Android device
administrator. This limitation doesn't apply to Samsung Knox. For more
information, see Trusted certificate profiles for Android device administrator.
Note 2 - This profile is supported for Windows Enterprise multi-session remote
desktops.

Important

On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.

Next steps
More resources:

Use S/MIME to sign and encrypt emails
Use third-party certification authority

Create certificate profiles:

Configure a trusted certificate profile
Configure infrastructure to support SCEP certificates with Intune
Configure and manage PKCS certificates with Intune
Create a PKCS imported certificate profile

Learn about the Certificate Connector for Microsoft Intune


Trusted root certificate profiles for Microsoft Intune
Article • 02/22/2023

When using Intune to provision devices with certificates to access your corporate
resources and network, use a trusted certificate profile to deploy the trusted root
certificate to those devices. Trusted root certificates establish a trust from the device to
your root or intermediate (issuing) CA from which the other certificates are issued.

You deploy the trusted certificate profile to the same devices and users that receive the
certificate profiles for Simple Certificate Enrollment Protocol (SCEP), Public Key
Cryptography Standards (PKCS), and imported PKCS.

Tip

Trusted certificate profiles are supported for Windows Enterprise multi-session
remote desktops.

Export the trusted root CA certificate


To use PKCS, SCEP, and PKCS imported certificates, devices must trust your root
Certification Authority. To establish trust, export the Trusted Root CA certificate, and any
intermediate or issuing Certification Authority certificates, as a public certificate (.cer).
You can get these certificates from the issuing CA, or from any device that trusts your
issuing CA.

To export the certificate, refer to the documentation for your Certification Authority.
You'll need to export the public certificate as a DER-encoded .cer file. Don't export the
private key (a .pfx file).

You'll use this .cer file when you create trusted certificate profiles to deploy that
certificate to your devices.
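As an added example that is not part of the Intune documentation, Microsoft's tooling, or any NAC vendor's code, the following Go program ties together two pieces of this material: the IntuneDeviceId://{{DeviceID}} URI subject alternative name described in the NAC article above, and the DER-encoded .cer export just described. It builds a constructed root CA, issues a device certificate whose SAN carries a constructed, GUID-shaped device ID, shows how a NAC component would read that ID back out of the SAN, and checks that a DER blob is a CA certificate (root or intermediate) rather than a leaf or a .pfx before it is uploaded into a trusted certificate profile. The CA name, the device ID and all function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// newCA creates a self-signed CA standing in for the issuing CA (constructed).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert issues a client certificate whose subject alternative name
// carries IntuneDeviceId://<deviceID> as a URI: what the profile attribute
// IntuneDeviceId://{{DeviceID}} expands to for one device.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "device-" + deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// Built as a struct rather than parsed so the scheme keeps its casing.
		URIs: []*url.URL{{Scheme: "IntuneDeviceId", Host: deviceID}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// intuneDeviceIDFromSAN is the NAC-side step: read the device ID out of the
// URI SAN of a presented certificate. URI schemes compare case-insensitively.
func intuneDeviceIDFromSAN(cert *x509.Certificate) (string, error) {
	for _, u := range cert.URIs {
		if strings.EqualFold(u.Scheme, "IntuneDeviceId") && u.Host != "" {
			return u.Host, nil
		}
	}
	return "", errors.New("no IntuneDeviceId URI in subjectAltName")
}

// checkTrustedRootDER validates a DER blob before it goes into a trusted certificate
// profile: it must parse as one X.509 certificate (a .pfx will not) and must be a CA.
// It also reports whether the CA is a self-signed root or an intermediate (issuing) CA.
func checkTrustedRootDER(der []byte) (subject string, isRoot bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", false, fmt.Errorf("not a DER-encoded X.509 certificate: %w", err)
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return "", false, fmt.Errorf("%q is not a root or intermediate CA certificate", cert.Subject.CommonName)
	}
	return cert.Subject.CommonName, cert.CheckSignatureFrom(cert) == nil, nil
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	dev, err := issueDeviceCert(ca, caKey, "0f9c1e3a-2b4d-4c6e-8f10-123456789abc") // constructed ID
	if err != nil {
		panic(err)
	}
	fmt.Println(intuneDeviceIDFromSAN(dev))
	fmt.Println(checkTrustedRootDER(ca.Raw))  // ca.Raw is the DER you would save as the .cer
	fmt.Println(checkTrustedRootDER(dev.Raw)) // a leaf certificate is rejected
}
```

ca.Raw is exactly the DER that a .cer export contains, so the check function is what you would run on the exported file before creating the trusted certificate profile; the same check applied to an issuing (intermediate) CA's certificate reports isRoot as false, since its signature does not verify against its own key.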

Create trusted certificate profiles


Create and deploy a trusted certificate profile before you create a SCEP, PKCS, or PKCS
imported certificate profile. Deploying a trusted certificate profile to the same groups
that receive the other certificate profile types ensures that each device can recognize the
legitimacy of your CA. This includes profiles like those for VPN, Wi-Fi, and email.
SCEP certificate profiles directly reference a trusted certificate profile. PKCS certificate
profiles don't directly reference the trusted certificate profile but do directly reference
the server that hosts your CA. PKCS imported certificate profiles don't directly reference
the trusted certificate profile but can use it on the device. Deploying a trusted certificate
profile to devices ensures this trust is established. When a device doesn't trust the root
CA, the SCEP or PKCS certificate profile policy will fail.

Create a separate trusted certificate profile for each device platform you want to
support, just as you'll do for SCEP, PKCS, and PKCS imported certificate profiles.

Important

Trusted root profiles that you create for the platform Windows 10 and later, display
in the Microsoft Intune admin center as profiles for the platform Windows 8.1 and
later.

This is a known issue with the presentation of the platform for Trusted certificate
profiles. While the profile displays a platform of Windows 8.1 and later, it is
functional for Windows 10/11.

Note

The Trusted Certificate profile in Intune can only be used to deliver either root or
intermediate certificates. The purpose of deploying such certificates is to establish a
chain of trust. Using the trusted certificate profile to deliver certificates other than
root or intermediate certificates is not supported by Microsoft. You might be
blocked from importing certificates which are not deemed to be root or
intermediate certificates when selecting the trusted certificate profile in the
Microsoft Intune admin center. Even if you are able to import and deploy a
certificate which is neither a root or intermediate certificate using this profile type,
you will likely encounter unexpected results between different platforms such as
iOS and Android.

Trusted certificate profiles for Android device administrator

Beginning with Android 11, you can no longer use a trusted certificate profile to deploy
a trusted root certificate to devices that are enrolled as Android device administrator.
This limitation doesn't apply to Samsung Knox.
Because a SCEP certificate profile requires both that the trusted root certificate is
installed on the device and that the profile references a trusted certificate profile that
in turn references that certificate, use the following steps to work around this limitation:

1. Manually provision the device with the trusted root certificate. For sample
guidance, see the following section.

2. Deploy to the device a trusted root certificate profile that references the trusted
root certificate that you’ve installed on the device.

3. Deploy a SCEP certificate profile to the device that references the trusted root
certificate profile.

This issue isn’t limited to SCEP certificate profiles. Therefore, plan to manually install the
trusted root certificate on applicable devices should your use of PKCS certificate profiles,
or PKCS Imported certificate profiles require it.

Learn more about changes in support for Android device administrator from
techcommunity.microsoft.com.

Manually provision a device with the trusted root certificate

The following guidance can help you manually provision devices with a trusted root
certificate.

1. Download or transfer the trusted root certificate to the Android device. For
example, you might use email to distribute the certificate to device users, or have
users download it from a secure location. After the certificate is on the device, it
must be opened, named, and saved. Saving the certificate adds it to the User
certificate store on the device.
a. To open the certificate on the device, a user must locate and tap (open) the
certificate. For example, after sending the certificate by email, a device user can
tap on or open the certificate attachment.
b. When the certificate opens, the user must provide their PIN or otherwise
authenticate to the device before they can manage the certificate.

2. After authentication, the certificate opens and must be named before it can be
saved to the Users certificate store. The certificate name must match the certificate
name that’s specified in the Trusted Root Certificate profile that will be sent to the
device.
After naming the certificate, it can be saved.

3. After it's saved, the certificate is ready for use. A user can confirm the certificate
is in the correct location on the device:
a. Open Settings > Security > Trusted credentials. The actual path to Trusted
credentials can vary by device.
b. Open the User tab and locate the certificate.
c. If present in the list of User certificates, the certificate is installed correctly.

4. With a root certificate installed on a device, you must still deploy the following to
provision the SCEP or PKCS certificates:

A Trusted Certificate profile that references that certificate
The SCEP or PKCS profile that references the certificate profile to provision
the SCEP or PKCS certificates.

To create a trusted certificate profile


1. Sign in to the Microsoft Intune admin center .

2. Select and go to Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose the platform of the devices that will receive this profile.
Profile: Select Trusted certificate. Or, select Templates > Trusted certificate.

4. Select Create.

5. In Basics, enter the following properties:


Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Trusted
certificate profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, specify the .cer file for the trusted Root CA Certificate
you previously exported.

For Windows 8.1 and Windows 10/11 devices only, select the Destination Store for
the trusted certificate from:

Computer certificate store - Root
Computer certificate store - Intermediate
User certificate store - Intermediate

Important

On October 22, 2022, Microsoft Intune ended support for devices running
Windows 8.1. Technical assistance and automatic updates on these devices
aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows
10/11 devices. Microsoft Intune has built-in security and device features that
manage Windows 10/11 client devices.

8. Select Next.

9. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

10. (Applies to Windows 10/11 only) In Applicability Rules, specify applicability rules to
refine the assignment of this profile. You can choose to assign or not assign the
profile based on the OS edition or version of a device.

For more information, see Applicability rules in Create a device profile in Microsoft
Intune.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Next steps
Create certificate profiles:

Configure infrastructure to support SCEP certificates with Intune


Configure and manage PKCS certificates with Intune
Create a PKCS imported certificate profile
Certificate Connector for Microsoft Intune
Article • 02/22/2023

For Microsoft Intune to support use of certificates for authentication and the signing
and encryption of email using S/MIME, you can use the Certificate Connector for
Microsoft Intune. The certificate connector is software you install on an on-premises
server to help deliver and manage certificates for your Intune-managed devices.

This article introduces the Certificate Connector for Microsoft Intune, its lifecycle, and
how to keep it up to date.

Tip

Beginning on July 29, 2021, the Certificate Connector for Microsoft Intune
replaces the use of PFX Certificate Connector for Microsoft Intune and Microsoft
Intune Connector. The new connector includes the functionality of both previous
connectors. With the release of version 6.2109.51.0 of the Certificate Connector for
Microsoft Intune, the previous connectors are no longer supported.

Connector overview
To use the certificate connector, you’ll first download software from within the Microsoft
Intune admin center, which you’ll then install on a Windows Server.

During the installation, you can install one or more connector features, including
support for:

Private and public key pair (PKCS) certificates
PKCS imported certificates
Simple Certificate Enrollment Protocol (SCEP)
Certificate revocation

You'll also assign a service account to run the connector. This account is used for all
interactions with your Certification Authority, and for certificate issuance, revocation,
and renewal. Supported options for the service account include the connector server's
SYSTEM account or a Domain account.

After the connector installs, you can run configuration of the connector again at any
time to update it or change the features you’ve installed. After it's installed and
configured, the connector can automatically install future updates to keep your
connectors current to the most recent release.

Intune supports installing multiple instances of the connector in a tenant, and each
instance can support different features. If you use multiple connectors that support
different features, certificate requests are always routed to a relevant connector. For
example, if you install two connectors that support PKCS, and install two more that
support both PKCS and SCEP, certificate tasks for PKCS can be managed by any of the
four connectors, but tasks for SCEP are only directed to the two connectors that support
SCEP.

Each instance of the certificate connector has the same network requirements as devices
that are managed by Intune. For more information, see Network endpoints for Microsoft
Intune, and Intune network configuration requirements and bandwidth.

Capabilities of the certificate connector


The Certificate Connector for Microsoft Intune supports:

PKCS #12 certificate requests.

PKCS imported certificates (PFX file) for S/MIME email encryption for a specific
user.

Issuing Simple Certificate Enrollment Protocol (SCEP) certificates. When you use an
Active Directory Certificate Services Certification Authority (CA), also called a
Microsoft CA, you must also configure the Network Device Enrollment Service
(NDES) on the server that hosts the connector.

Use of SCEP with a third-party Certification Authority, doesn’t require use of the
Certificate Connector for Microsoft Intune.

Certificate revocation.

Automatic updates to new versions. When servers that host the certificate
connector can access the internet, they automatically install new updates to stay
current. When a connector fails to automatically update, you can manually update
the connector.

Installation of up to 100 instances of the connector per Intune tenant, with each
instance on a separate Windows Server. When you use multiple connectors:

Each instance of the connector must have access to the private key used to
encrypt the passwords of each uploaded PFX file.
Each instance of the connector should be at the same version. Because the
connector supports automatic updates to the newest version, updates can be
managed for you by Intune.

Your infrastructure supports redundancy and load balancing, as any available
connector instance that supports the same connector features can process your
certificate requests.

You can configure a proxy to allow the connector to communicate with Intune.

Note

Any instance of the connector that supports PKCS can be used to retrieve
pending PKCS requests from the Intune Service queue, process Imported
certificates, and handle revocation requests. It's not possible to define
which connector handles each request.

Therefore, each connector that supports PKCS must have the same
permissions and be able to connect with all the certification authorities
defined later in the PKCS profiles.

Lifecycle
Periodically, updates to the certificate connector are released. Announcements for new
connector updates, including the version and release date for each update, appear in
the What's new for the Certificate Connector section in this article.

Each new connector release:

Is supported for six months after its release date. During this period, automatic
updates can install a newer connector version. Updated connector versions can
include but aren't limited to bug fixes and performance and feature improvements.

If an out of support connector fails, you’ll need to update to the latest supported
version.

If you block the automatic update of the connector, plan to manually update the
connector within six months, before support for the installed version ends. After
support ends, you’ll need to update the connector to a version that remains in
support to receive support for problems with the connector.
Connectors that are out of support continue to function for up to 18 months
after their release date. After 18 months, a connector's functionality might fail due to
service level improvements, updates, or fixes for common security
vulnerabilities that might surface in the future.

For example, the connector version 6.2203.12.0 that released on May 4, 2022, will drop
from support on November 4, 2022. The same connector should continue to function
(though not be supported) until November 2023. After November 2023 the connector
might stop communicating with Intune.

Automatic update
Intune can automatically update the connector to the latest version shortly after that
connector version is released.

To update automatically, the server that hosts the connector must access the Azure
update service:

Port: 443
Endpoint: autoupdate.msappproxy.net

When firewalls, infrastructure, or network configurations limit access for automatic
update, resolve the blocking issues or manually update the connector to the new
version.

Manual update
The process to manually update a certificate connector is the same for reinstalling a
connector.

You can manually update a certificate connector even when it supports automatic
updates. For example, you can manually update the connector when your network
configuration blocks an automatic update.

Reinstall a certificate connector

1. On the Windows Server that hosts the connector, run the connector installation
program to uninstall the connector.

2. To install the new version, use the procedure to install a new version of the
connector. Be sure to check for any new or updated prerequisites when installing a
newer version of a connector.

Connector status
In the Microsoft Intune admin center, you can select a certificate connector to view
information about its status:

1. Sign in to the Microsoft Intune admin center

2. Go to Tenant administration > Connectors and tokens > Certificate connectors.

3. Select a connector to view its status.

When viewing the connector status:

Deprecated connectors show a Warning. After the six-month grace period, the
warning changes to an Error.
Connectors that are beyond the grace period show an Error. These connectors are
no longer supported and can stop working at any time.

Logging
Logs for the Certificate Connector for Microsoft Intune are available as Event logs on the
server where the connector is installed:

Event Viewer > Application and Service Logs > Microsoft > Intune > Certificate
Connectors

The following logs are available and default to 50 MB, and have automatic archiving
enabled:

Admin Log - This log contains one log event per request to the connector. Events
include either a success with information about the request, or an error with
information about the request and the error.
Operational Log - This log displays additional information to that found in the
Admin log, and can be of use in debugging issues. This log also displays ongoing
operations instead of single events.

In addition to the default log level, you can enable debug logging for each log to obtain
more details.

Event IDs
All events have one of the following IDs:

0001-0999 - Not associated with any specific scenario
1000-1999 - PKCS
2000-2999 - PKCS Import
3000-3999 - Revoke
4000-4999 - SCEP
5000-5999 - Connector Health

Task Categories
All events are tagged with a Task Category to aid in filtering. Task categories contain but
aren't limited to the following list:

PKCS

Admin

Event ID: 1000 - PkcsRequestSuccess

Successfully uploaded a PKCS Request to Intune.

Event ID: 1001 - PkcsRequestFailure

Failed to fulfill or upload a PKCS Request to Intune.

Event ID: 1200 - PkcsRecryptRequestSuccess

Successfully processed PKCS Reencrypt request.

Event ID: 1201 - PkcsRecryptRequestFailure

Failed to process PKCS Reencrypt request.

Operational

Event ID: 1002 - PkcsDownloadSuccess

Successfully downloaded PKCS requests from Intune.

Event ID: 1003 - PkcsDownloadFailure

Failed to download PKCS requests from Intune.

Event ID: 1020 - PkcsDownloadedRequest

Successfully downloaded PKCS request from Intune.

Event ID: 1032 - PkcsDigiCertRequest

Successfully downloaded a PKCS request for DigiCert CA from Intune.

Event ID: 1050 - PkcsIssuedSuccess

Successfully issued a PKCS certificate.

Event ID: 1051 - PkcsIssuedFailedAttempt

Failed to issue a PKCS certificate, will try again.

Event ID: 1052 - PkcsIssuedFailure

Failed to issue a PKCS certificate.

Event ID: 1100 - PkcsUploadSuccess

Successfully uploaded PKCS request results to Intune.

Event ID: 1101 - PkcsUploadFailure

Failed to upload PKCS request results to Intune.

Event ID: 1102 - PkcsUploadedRequest

Successfully uploaded PKCS request to Intune.

Event ID: 1202 - PkcsRecryptDownloadSuccess

Successfully downloaded PKCS Reencrypt requests.

Event ID: 1203 - PkcsRecryptDownloadFailure

Failed to download PKCS Reencrypt requests.

Event ID: 1220 - PkcsRecryptDownloadedRequest

Successfully downloaded a PKCS Reencrypt request.

Event ID: 1250 - PkcsRecryptReencryptSuccess

Successfully re-encrypted PKCS certificate payload.

Event ID: 1251 - PkcsRecryptDecryptSuccess

Successfully decrypted PKCS certificate payload.

Event ID: 1252 - PkcsRecryptDecryptFailure

Failed to decrypt PKCS certificate payload.

Event ID: 1253 - PkcsRecryptReencryptFailure

Failed to re-encrypt PKCS certificate payload.

Event ID: 1300 - PkcsRecryptUploadSuccess

Successfully uploaded PKCS Reencrypt request results to Intune.

Event ID: 1301 - PkcsRecryptUploadFailure

Failed to upload PKCS Reencrypt request results to Intune.

Event ID: 1302 - PkcsRecryptUploadedRequest

Successfully uploaded a PKCS Reencrypt request to Intune.

PKCS Import

Admin

Event ID: 2000 - PkcsImportRequestSuccess

Successfully downloaded PKCS Import requests from Intune.

Event ID: 2001 - PkcsImportRequestFailure

Failed to process a PKCS Import request from Intune.

Operational

Event ID: 2202 - PkcsImportDownloadSuccess

Successfully downloaded PKCS Import requests from Intune.

Event ID: 2203 - PkcsImportDownloadFailure

Failed to download PKCS Import requests from Intune.

Event ID: 2020 - PkcsImportDownloadedRequest

Successfully downloaded a PKCS Import request from Intune.

Event ID: 2050 - PkcsImportReencryptSuccess

Successfully re-encrypted a PKCS Import certificate.

Event ID: 2051 - PkcsImportReencryptFailedAttempt

Failed to re-encrypt a PKCS Import certificate, will try again.

Event ID: 2052 - PkcsImportReencryptFailure

Failed to re-encrypt an imported certificate.

Event ID: 2100 - PkcsImportUploadSuccess

Successfully uploaded PKCS Import request results to Intune.

Event ID: 2101 - PkcsImportUploadFailure

Failed to upload PKCS request results to Intune.

Event ID: 2102 - PkcsImportUploadedRequest

Successfully uploaded a PKCS Import request to Intune.

Revocation

Admin

Event ID: 3000 - RevokeRequestSuccess

Successfully downloaded Revocation requests from Intune.

Event ID: 3001 - RevokeRequestFailure

A failure occurred when downloading Revocation requests from Intune.

Operational

Event ID: 3002 - RevokeDownloadSuccess

Successfully downloaded Revocation requests from Intune.

Event ID: 3003 - RevokeDownloadFailure

A failure occurred when downloading Revocation requests from Intune.

Event ID: 3020 - RevokeDownloadedRequest

Details of a single downloaded request from Intune.

Event ID: 3032 - RevokeDigicertRequest

Received revoke request from Intune and forwarding request to Digicert for
fulfillment of request.

Event ID: 3050 - RevokeSuccess

Successfully revoked certificate.

Event ID: 3051 - RevokeFailure

A failure occurred while revoking a certificate.

Event ID: 3052 - RevokeFailedAttempt

Failed to revoke a certificate, will try again.

Event ID: 3100 - RevokeUploadSuccess

Successfully uploaded Revocation request results to Intune.

Event ID: 3101 - RevokeUploadFailure

Failed to upload Revocation request results to Intune.

Event ID: 3102 - RevokeUploadedRequest

Successfully uploaded Revocation request to Intune.

SCEP

Admin

Event ID: 4000 - ScrepRequestSuccess

Successfully processed a SCEP request and notified Intune.

Event ID: 4001 - ScepRequestIssuedFailure

Failed to process a SCEP request and notified Intune.

Event ID: 4002 - ScepRequestUploadFailure

Successfully processed SCEP request but failed to notify Intune.

Operational

Event ID: 4003 - ScepRequestReceived

Successfully received a SCEP request from a device.

Event ID: 4004 - ScepVerifySuccess

Successfully verified a SCEP request with Intune.

Event ID: 4005 - ScepVerifyFailure

Failed to verify a SCEP request with Intune.

Event ID: 4006 - ScepIssuedSuccess

Successfully issued certificate for a SCEP request.

Event ID: 4007 - ScepIssuedFailure

Failed to issue certificate for SCEP request.

Event ID: 4008 - ScepNotifySuccess

Successfully notified Intune of the result for a SCEP request.

Event ID: 4009 - ScepNotifyAttemptFailed

Failed to notify Intune of the result of a SCEP request, will try again.

Event ID: 4010 - ScepNotifySaveToDiskFailed

Failed to write notification to disk and cannot notify Intune of the request
status.

Connector Health

Operational

Event ID: 5000 - HealthMessageUploadSuccess

Successfully uploaded health messages to Intune.

Event ID: 5001 - HealthMessageUploadFailedAttempt

Failed to upload health messages to Intune, will try again.

Event ID: 5002 - HealthMessageUploadFailure

Failed to upload health messages to Intune.
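As an added example (not from the Microsoft documentation), the following PowerShell script reads the Admin and Operational channels described above, groups recent errors and warnings by the event-ID ranges from the Event IDs section, then reports the most recent Connector Health event and any outstanding "will try again" events. It assumes the channels are named Microsoft-Intune-CertificateConnectors/Admin and Microsoft-Intune-CertificateConnectors/Operational (derived from the event source name quoted later in this article); confirm the names on your server with Get-WinEvent -ListLog '*Intune*'.

```powershell
# Added example: summarize recent Certificate Connector events from the two
# Event Viewer channels described above. Run on the server that hosts the connector.
# Assumption (not from the page): channel names below; the source name
# Microsoft-Intune-CertificateConnectors is taken from the installation note.
param(
    [int]$Hours = 24
)

# Event ID ranges to scenario names, as listed in the Event IDs section.
$scenarioRanges = @(
    @{ Min = 1;    Max = 999;  Name = 'General' },
    @{ Min = 1000; Max = 1999; Name = 'PKCS' },
    @{ Min = 2000; Max = 2999; Name = 'PKCS Import' },
    @{ Min = 3000; Max = 3999; Name = 'Revoke' },
    @{ Min = 4000; Max = 4999; Name = 'SCEP' },
    @{ Min = 5000; Max = 5999; Name = 'Connector Health' }
)

function Get-ConnectorScenario {
    param([int]$EventId)
    foreach ($r in $scenarioRanges) {
        if ($EventId -ge $r.Min -and $EventId -le $r.Max) { return $r.Name }
    }
    return 'Unknown'
}

$since = (Get-Date).AddHours(-$Hours)
$channels = @(
    'Microsoft-Intune-CertificateConnectors/Admin',        # assumed channel name
    'Microsoft-Intune-CertificateConnectors/Operational'   # assumed channel name
)

$events = foreach ($channel in $channels) {
    # Get-WinEvent raises a non-terminating error when a channel has no matching events.
    Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Channel'; e = { $channel.Split('/')[-1] } },
                      TimeCreated, Id, LevelDisplayName, TaskDisplayName,
                      @{ n = 'Scenario'; e = { Get-ConnectorScenario $_.Id } },
                      Message
}

# The Admin log writes one event per request, so every Error here is a request the
# connector could not fulfil or could not report back to Intune.
$failures = $events | Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' }
"Errors and warnings in the last $Hours hours, by scenario and event ID:"
$failures | Group-Object Scenario, Id | Sort-Object Count -Descending |
    Format-Table @{ n = 'Scenario/Id'; e = { $_.Name } }, Count -AutoSize

# Health events (5000-5999) show that the connector is running and can reach Intune.
$lastHealth = $events | Where-Object { $_.Scenario -eq 'Connector Health' } |
    Sort-Object TimeCreated -Descending | Select-Object -First 1
if ($null -eq $lastHealth) {
    Write-Warning "No Connector Health events in the last $Hours hours; the connector service may be stopped or unable to reach Intune."
} else {
    "Last health event: {0} (Id {1}, {2})" -f $lastHealth.TimeCreated, $lastHealth.Id, $lastHealth.LevelDisplayName
}

# "Will try again" events (1051, 2051, 3052, 4009, 5001 in the lists above) that are not
# followed by a success are the ones worth chasing; show the latest per scenario.
$retryIds = 1051, 2051, 3052, 4009, 5001
"Most recent retry event per scenario:"
$events | Where-Object { $_.Id -in $retryIds } | Group-Object Scenario |
    ForEach-Object { $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1 } |
    Format-Table TimeCreated, Scenario, Id, Message -Wrap
```

Enabling debug logging on either channel, as described above, adds more detail to the Message column without changing the event IDs this script groups on.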

What's new for the Certificate Connector

Updates for the Certificate Connector for Microsoft Intune are released periodically and
then supported for six months. When we update the connector, you can read about the
changes here.

New updates for the connector can take a week or more to become available for each
tenant.

Important

Starting April 2022, certificate connectors earlier than version 6.2101.13.0 will be
deprecated and will show a status of Error. Starting August 2022, these connector
versions won't be able to revoke certificates. Starting September 2022, these
connector versions won't be able to issue certificates. This includes both the PFX
Certificate Connector for Microsoft Intune and Microsoft Intune Connector, which
on July 29, 2021 were replaced by the Certificate Connector for Microsoft Intune (as
detailed in this article).

February 15, 2023

Version 6.2301.1.0 - Changes in this release:

Logging information to correlate with Intune Service logs
Logging improvements in PFX Certificate issuance flow

September 21, 2022

Version 6.2206.122.0 - Changes in this release:

Improved telemetry in addition to bug fixes and performance improvements

June 30, 2022

Version 6.2205.201.0 - Changes in this release:

Updated telemetry channel to Intune to allow Intune Administrator to collect data
in the portal

May 4, 2022

Version 6.2203.12.0 - Changes in this release:

Support CNG providers for client authentication certificates
Improved support for automatic renewal of client authentication certificates

March 10, 2022

Version 6.2202.38.0. This update includes:

Changes to support TLS 1.2 for auto-update

Next steps
Review prerequisites for the Certificate Connector for Microsoft Intune
Prerequisites for the Certificate Connector for Microsoft Intune
Article • 02/21/2023

Before you install and configure the Certificate Connector for Microsoft Intune, review
the prerequisites and infrastructure requirements, which can vary depending on the
features you’ll configure a connector instance to support.

General prerequisites
Requirements for the computer where you install the connector software:

Windows Server 2012 R2 or later.

Note

The Server installation must include the Desktop Experience and support use
of a browser. For more information, see Install Server with Desktop
Experience in the Windows Server 2016 documentation.

.NET 4.7.2

Transport Layer Security (TLS) 1.2. For more information, see Enable support for
TLS 1.2 in your environment in the Azure Active Directory documentation.

The server must meet the same network requirements as managed devices. See
Network endpoints for Microsoft Intune, and Intune network configuration
requirements and bandwidth.

To support automatic updates of the connector software, the server must have
access to the Azure update service:
Port: 443
Endpoint: autoupdate.msappproxy.net

Internet Explorer Enhanced Security Configuration must be disabled.

PKCS
Requirements for PKCS certificate templates:

Certificate templates you'll use for PKCS requests must be configured with
permissions that allow the certificate connector service account to enroll the
certificate.
The certificate templates must be added to the Certification Authority (CA).

Note

Any instance of the connector that supports PKCS can be used to retrieve pending
PKCS requests from the Intune Service queue, process Imported certificates, and
handle revocation requests. It's not possible to define which connector handles
each request.

Therefore, each connector that supports PKCS must have the same permissions and
be able to connect with all the certification authorities defined later in the PKCS
profiles.

PKCS imported certificates

To support PKCS imported certificates, the server that hosts the connector requires
additional configuration, such as granting the Connector Service User access to the Key
Storage Provider so that it can retrieve keys.

For information about support for PKCS imported certificates, see Configure and use
imported PKCS certificates with Intune.

Revocation Prerequisites
The Certification Authority must be configured to allow the connector service
account to revoke certificates.

SCEP
The Windows Server that hosts the connector must meet the following prerequisites
that are in addition to the general prerequisites:

IIS 7 or higher
Network Device Enrollment Service (NDES) service, which is part of the Active
Directory Certificate Services role. The connector isn't supported on the same
server as your issuing Certification Authority (CA). For more information, see
Configure infrastructure to support SCEP with Intune
On the Windows Server, select the following Server Roles and Features:

Server Roles:
Active Directory Certificate Services
Web Server (IIS)

Features:
.NET Framework 4.7 Features
.NET Framework 4.7
ASP.NET 4.7
WCF Services
HTTP Activation

AD CS > Role Services:

Network Device Enrollment Service - To support SCEP through the connector when you
use a Microsoft CA, install and configure the Network Device Enrollment Service
(NDES) server role. When you configure NDES, you'll need to assign a user
account for use by the NDES application pool. NDES also has its own
requirements.

Web Server Role (IIS) > Role Services:

Security
Request Filtering
Application Development
.NET Extensibility 4.7
ASP.NET 4.7
Management Tools
IIS Management Console
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility

In addition, NDES requires the following .NET Framework 3.5 Features:

.NET Framework 3.5
HTTP Activation

Requirements for SCEP certificate templates:

Certificate templates you’ll use for SCEP requests must be configured with
permissions that allow the Certificate Connector service account to auto enroll the
certificate.
The certificate templates must be added to the CA.
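As an added example (not from the Microsoft documentation), this PowerShell script checks a candidate server against the general prerequisites and the SCEP roles and features listed above before the connector is installed. The registry locations used for the .NET release number, the .NET strong-crypto (TLS 1.2) switches and the IE Enhanced Security Configuration flag, and the feature names passed to Get-WindowsFeature, are assumptions drawn from standard Windows locations rather than values given on this page.

```powershell
# Added example: pre-installation check for the Certificate Connector prerequisites.
# Run in an elevated PowerShell session on the server that will host the connector.
# Assumptions (not from the page): registry paths and Windows feature names below.
$results = New-Object System.Collections.Generic.List[object]
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Windows Server 2012 R2 (NT 6.3) or later.
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'Windows Server 2012 R2 or later' ([version]$os.Version -ge [version]'6.3') $os.Caption

# 2. .NET Framework 4.7.2 or later: Release 461808 is 4.7.2 (461814 on older OS builds).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
Add-Check '.NET Framework 4.7.2 or later' ($ndp.Release -ge 461808) "Release=$($ndp.Release)"

# 3. TLS 1.2 for .NET clients: both the 64-bit and 32-bit .NET 4 keys should opt in.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $p = Get-ItemProperty $key -ErrorAction SilentlyContinue
    Add-Check "TLS 1.2 strong crypto ($key)" `
        ($p.SchUseStrongCrypto -eq 1 -and $p.SystemDefaultTlsVersions -eq 1) `
        "SchUseStrongCrypto=$($p.SchUseStrongCrypto) SystemDefaultTlsVersions=$($p.SystemDefaultTlsVersions)"
}

# 4. IE Enhanced Security Configuration must be off (administrators and users components).
$escKeys = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}',
           'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
foreach ($k in $escKeys) {
    $v = (Get-ItemProperty $k -ErrorAction SilentlyContinue).IsInstalled
    Add-Check "IE ESC disabled ($(Split-Path $k -Leaf))" ($v -ne 1) "IsInstalled=$v"
}

# 5. Outbound access to the Azure update service used for automatic connector updates.
$tnc = Test-NetConnection -ComputerName 'autoupdate.msappproxy.net' -Port 443 -WarningAction SilentlyContinue
Add-Check 'autoupdate.msappproxy.net:443 reachable' $tnc.TcpTestSucceeded "RemoteAddress=$($tnc.RemoteAddress)"

# 6. SCEP-specific roles and features (NDES, IIS, .NET 4.x and .NET 3.5 items listed above).
$requiredFeatures = @{
    'ADCS-Device-Enrollment'    = 'AD CS: Network Device Enrollment Service'
    'Web-Server'                = 'Web Server (IIS)'
    'NET-Framework-45-Core'     = '.NET Framework 4.x'
    'NET-Framework-45-ASPNET'   = 'ASP.NET 4.x'
    'NET-WCF-HTTP-Activation45' = 'WCF Services: HTTP Activation'
    'Web-Filtering'             = 'IIS Security: Request Filtering'
    'Web-Net-Ext45'             = 'IIS .NET Extensibility 4.x'
    'Web-Asp-Net45'             = 'IIS ASP.NET 4.x'
    'Web-Mgmt-Console'          = 'IIS Management Console'
    'Web-Metabase'              = 'IIS 6 Metabase Compatibility'
    'Web-WMI'                   = 'IIS 6 WMI Compatibility'
    'NET-Framework-Core'        = '.NET Framework 3.5'
    'NET-HTTP-Activation'       = '.NET Framework 3.5: HTTP Activation'
}
$installed = Get-WindowsFeature | Where-Object Installed | Select-Object -ExpandProperty Name
foreach ($f in ($requiredFeatures.Keys | Sort-Object)) {
    Add-Check "Feature: $($requiredFeatures[$f])" ($f -in $installed) $f
}

# 7. The connector is not supported on the same server as the issuing CA.
$caInstalled = 'ADCS-Cert-Authority' -in $installed
Add-Check 'Issuing CA not on this server' (-not $caInstalled) "ADCS-Cert-Authority installed=$caInstalled"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'One or more prerequisites are not met; resolve them before running IntuneCertificateConnector.exe.'
}
```

Template permissions for the connector and NDES service accounts are not covered by the script; verify those on the CA as described in the template requirements above.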
Accounts
Prepare the following accounts before you install the certificate connector software.

Installation account
You can use any user account that has local administrative permissions on the Windows
Server to install the connector software. You can use this same account to configure the
Windows Server with the NDES Windows server role should you use SCEP and a
Microsoft CA.

Certificate connector service account
The certificate connector requires an account to use as a service account. This account is
used by the connector to access the Windows Server, communicate with Intune, and
access the Certification Authority to service PKI requests.

The connector service account must have the following permissions:

Logon as Service
Issue and Manage Certificates permissions on the Certification Authority (required
only for revocation scenarios).
Read and Enroll permissions on any certificate template that you’ll use to issue
certificates.
Permissions to the Key Storage Provider (KSP) that’s used by PFX Import. See
Import PFX Certificates to Intune.

The following options are supported for use as the certificate connector service account:

SYSTEM
Domain user - Use any domain user account that is an administrator on the
Windows Server.

For more information, see Install the Certificate Connector for Microsoft Intune.

NDES application pool user
To use SCEP with a Microsoft CA, you'll need to add NDES to the server that hosts the
connector before installing the connector. When you configure NDES, you'll need to
specify an account for use as the application pool user, which can also be referred to as
the NDES service account. This account can be a local or domain user account and must
have the following permissions:

Read and Enroll permissions on each SCEP certificate template you'll use to issue
certificates.
Member of the IIS_IUSRS group.

For guidance on configuring the NDES server role for the Certificate Connector for
Microsoft Intune, see Set up NDES in Configure infrastructure to support SCEP with
Intune.

Azure Active Directory User
When configuring the connector, you'll need to use a user account that is either a
Global Admin or an Intune Admin, has an Intune license assigned, and is
synchronized from your local Active Directory.

Next steps
Install the Certificate Connector for Microsoft Intune
Install the Certificate Connector for Microsoft Intune
Article • 02/22/2023

To support your use of certificates with Intune, you can install the Certificate Connector
for Microsoft Intune on any Windows Server that meets the connector prerequisites. The
following sections will help you install and then configure the connector. This article also
explains how to modify a previously installed connector, and how to remove the
connector from a server.

Download and install the connector software
1. Sign in to the Microsoft Intune admin center.

2. Select Tenant administration > Connectors and tokens > Certificate connectors >
Add.

3. Select the certificate connector link to download the connector software. Save the
file to a location that’s accessible from the server where you're going to install the
connector.

4. Sign in to the Windows Server that will host the certificate connector and confirm
that the prerequisites for the certificate connector are installed.

If you’ll use SCEP with a Microsoft Certification Authority (CA), confirm that the
Network Device Enrollment Service (NDES) role is installed.

5. Use an account with admin permissions to the server to run the installer
(IntuneCertificateConnector.exe). The installer also installs the policy module for
NDES. The policy module runs as an application in IIS.

Note

When IntuneCertificateConnector.exe runs to install a new connector, or an
existing connector auto-upgrades while the Windows Event Viewer is open,
the installation process logs a message with Event ID 1000 stating that the
description for the event from the source Microsoft-Intune-CertificateConnectors
cannot be found, similar to the following:

Either the component that raises this event is not installed on your local
computer or the installation is corrupted. You can install or repair the
component on the local computer.

You can safely ignore this message. This message displays because the event
viewer manifest for the connector could not load while the event viewer is
open. After the event viewer closes and then reopens, the correct messages
display.

6. Review and agree to the license terms and conditions, and then select Install to
continue. Select Options to choose a different installation folder.

7. The connector installation takes only a moment. After installation, the setup
presents two options:

Configure Now – Select this option to close the connector installation and
open the Certificate Connector for Microsoft Intune wizard, which you use to
configure the certificate connector on the local server.

Close - This option closes the connector installation without configuring the
connector. If you choose to Close the install at this time, later you can run the
Certificate Connector for Microsoft Intune wizard to launch the connector
configuration program. By default, the wizard is found in
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Intune.

After a connector installs, you can run the installation program again to uninstall the
connector.

Tip

The installer will attempt to install the .NET Framework 4.7.2. If you experience
issues during this process, you can choose to pre-install the .NET Framework using
the Microsoft .NET Framework 4.7.2 offline installer for Windows.

Configure the certificate connector

To configure the certificate connector, you use the Certificate Connector for Microsoft
Intune wizard. The configuration can start automatically when you choose Configure
Now at the end of a certificate connector install, or manually by opening an elevated
command prompt and running C:\Program Files\Microsoft
Intune\PFXCertificateConnector\ConnectorUI\PFXCertificateConnectorUI.exe. An
example is provided below. The command must be run as an administrator.

    C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI\PFXCertificateConnectorUI.exe

Each time Certificate Connector for Microsoft Intune starts on a server you’ll see the
following Welcome page:

Tip
When you run Certificate Connector for Microsoft Intune to modify a previously
configured connector, you won't see the Azure AD Sign In page. This is because the
connector has already been authenticated to your Azure Active Directory.

Use the following procedure to both configure a new connector and modify a previously
configured connector.

1. On the Welcome page of Microsoft Intune Certificate Connector, select Next.

2. On Features, select the checkbox for each connector feature you want to install on
this server, and then select Next. Options include:

SCEP: Select this option to enable certificate delivery to devices from a
Microsoft Active Directory Certification Authority using the SCEP protocol.
Devices that submit a certificate request will generate a private/public key
pair and submit only the public key as part of that request.

PKCS: Select this option to enable certificate delivery to devices from a
Microsoft Active Directory Certification Authority in PKCS #12 format. Ensure
you've set up all the necessary prerequisites.

PKCS imported certificates: Select this option to enable certificate delivery to
devices for PFX certificates that you've imported to Intune. Ensure you've set
up all the necessary prerequisites.

Certificate revocation: Select this option to enable automatic certificate
revocation for certificates issued from a Microsoft Active Directory
Certification Authority.

3. On Service Account, select the type of account to use for the service account of this
connector. The account you select must have the permissions described in
prerequisites for the certificate connector service account.

Options include:

SYSTEM
Domain user account – Use any domain user account that is an administrator
on the Windows Server.

4. On the Proxy page, add details for your proxy server if you require a proxy for
internet access. For example, http://proxy.contoso.com .

Important

Be sure to include the HTTP or HTTPS prefix. This is a change from the proxy
configuration for previous versions of the connector.

5. On the Prerequisites page, the wizard runs several checks on the server before the
configuration can begin. Review and resolve any errors or warnings before you
continue.

6. On the Azure AD Sign In page, select the environment that hosts your Azure Active
Directory, and then select Sign In. You’ll then be asked to authenticate your access.
This user account must be a Global Admin or an Intune Admin with an Intune
license assigned.

Unless you use a government cloud, use the default of Public Commercial Cloud
for Environment.

After you successfully authenticate to your Azure Active Directory, select Next to
continue.

7. On the Configure page, Intune applies your selections to the connector. If
successful, the utility continues to the Finish page where you select Exit to
complete configuration of the connector.

If configuration isn't successful, the wizard displays details about the errors to help
you resolve the problem.

After the configuration completes successfully and the wizard closes, the Certificate
Connector for Microsoft Intune is now ready for use.

Tip

It might be helpful to rename the connector to reference the server the connector
is installed on.

To rename the connector, in the Microsoft Intune admin center, select Tenant
administration > Connectors and tokens > Certificate connectors. Select the
connector you want to rename. In Name, enter the name you want to use, and then
select Save.

Modify the connector configuration
After you configure a Certificate Connector for Microsoft Intune on a server, you can run
the configuration wizard on that server to modify the connector's configuration.

Remove the connector
To uninstall the Certificate Connector for Microsoft Intune from a Windows Server, on
the server run IntuneCertificateConnector.exe, which is the same software you use to
install the connector. When run on a server that has the connector installed, the only
available option is to remove the current connector installation.

Next steps
Deploy:

SCEP certificate profiles
PKCS certificates
Imported PKCS certificates
Configure infrastructure to support SCEP with Intune
Article • 06/26/2023

Intune supports use of the Simple Certificate Enrollment Protocol (SCEP) to authenticate
connections to your apps and corporate resources. SCEP uses the Certification Authority
(CA) certificate to secure the message exchange for the Certificate Signing Request
(CSR). When your infrastructure supports SCEP, you can use Intune SCEP certificate
profiles (a type of device profile in Intune) to deploy the certificates to your devices.

The Certificate Connector for Microsoft Intune is required to use SCEP certificate profiles
with Intune when you also use an Active Directory Certificate Services Certification
Authority, also called a Microsoft CA. The connector isn't supported on the same server
as your issuing Certification Authority (CA). The connector isn't required when using
Third-party Certification Authorities.

The information in this article can help you configure your infrastructure to support
SCEP when using Active Directory Certificate Services. After your infrastructure is
configured, you can create and deploy SCEP certificate profiles with Intune.

Tip

Intune also supports use of Public Key Cryptography Standards #12 certificates.

Prerequisites for using SCEP for certificates

Before you continue, ensure you've created and deployed a trusted certificate profile to
devices that use SCEP certificate profiles. SCEP certificate profiles directly reference the
trusted certificate profile that you use to provision devices with a Trusted Root CA
certificate.

Servers and server roles
Accounts
Network requirements
Certificates and templates
PIN requirement for Android Enterprise

Servers and server roles

To support SCEP, the following on-premises infrastructure must run on servers that are
domain-joined to your Active Directory, with the exception of the Web Application Proxy
Server.

Certificate Connector for Microsoft Intune – The Certificate Connector for
Microsoft Intune is required to use SCEP certificate profiles with Intune when you
use a Microsoft CA. It installs on the server that also runs the NDES server role.
However, the connector isn't supported on the same server as your issuing
Certification Authority (CA).

For information about the certificate connector, see:

Overview of the Certificate Connector for Microsoft Intune.
Prerequisites.
Installation and configuration.

Certification Authority – Use a Microsoft Active Directory Certificate Services
Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 with service pack 1, or later. The version of Windows
Server you use must remain in support by Microsoft. A Standalone CA isn't
supported. For more information, see Install the Certification Authority.

If your CA runs Windows Server 2008 R2 SP1, you must install the hotfix from
KB2483564.

NDES server role – To support using the Certificate Connector for Microsoft Intune
with SCEP, you must configure the Windows Server that hosts the certificate
connector with the Network Device Enrollment Service (NDES) server role. The
connector supports installation on Windows Server 2012 R2 or later. In a later
section of this article, we guide you through installing NDES.

The server that hosts NDES and the connector must be domain-joined and in
the same forest as your Enterprise CA.
Don't use NDES that's installed on the server that hosts the Enterprise CA. This
configuration represents a security risk when the CA services internet requests,
and installation of the connector isn't supported on the same server as your
issuing Certification Authority (CA).
Internet Explorer Enhanced Security Configuration must be disabled on the
server that hosts NDES and the Microsoft Intune Connector.

To learn more about NDES, see Network Device Enrollment Service Guidance in the
Windows Server documentation, and Using a Policy Module with the Network
Device Enrollment Service. To learn how to configure high availability for NDES, see
High Availability.

Support for NDES on the internet
To allow devices on the internet to get certificates, you must publish your NDES URL
external to your corporate network. To do this, you can use a reverse proxy like Azure
AD Application Proxy, Microsoft’s Web Application Proxy Server, or a third-party reverse
proxy service or device.

Azure AD Application Proxy – You can use the Azure AD Application Proxy instead
of a dedicated Web Application Proxy (WAP) Server to publish your NDES URL to
the internet. This solution allows both intranet and internet facing devices to get
certificates. For more information, see Integrate with Azure AD Application Proxy
on a Network Device Enrollment Service (NDES) server.

Web Application Proxy Server - Use a server that runs Windows Server 2012 R2 or
later as a Web Application Proxy (WAP) server to publish your NDES URL to the
internet. This solution allows both intranet and internet facing devices to get
certificates.

The server that hosts WAP must install an update that enables support for the long
URLs that are used by the Network Device Enrollment Service. This update is
included with the December 2014 update rollup, or individually from KB3011135.

The WAP server must have an SSL certificate that matches the name that's
published to external clients and trust the SSL certificate that's used on the
computer that hosts the NDES service. These certificates enable the WAP server to
terminate the SSL connection from clients and create a new SSL connection to the
NDES service.

For more information, see Plan certificates for WAP and general information about
WAP servers.

Third-party reverse proxy – When you use a third-party reverse proxy, ensure that
the proxy supports a long URI get request. As part of the certificate request flow,
the client makes a request with the certificate request in the query string. As a
result, the URI length can be large, up to 40 kb in size.

SCEP protocol limitations prevent use of preauthentication. When you publish the NDES
URL via a reverse proxy server, you must have Pre Authentication set to Passthrough.
Intune secures the NDES URL when you install the Intune Certificate connector, by
installing an Intune-SCEP policy module on the NDES server. The module helps to
secure the NDES URL by preventing certificates from being issued to invalid or digitally
tampered certificate requests. This limits access to only Intune enrolled devices that you
manage with Intune and that have well-formed certificate requests.

When an Intune SCEP certificate profile is delivered to a device, Intune generates a
custom challenge blob that it encrypts and signs. The blob isn't readable by the device.
Only the policy module and the Intune service can read and verify the challenge blob.
The blob includes details that Intune expects to be provided by the device in its
certificate signing request (CSR), for example, the expected Subject and Subject
Alternative Name (SAN).

The Intune policy module works to secure NDES in the following ways:

When attempting to access the published NDES URL directly, the server returns a
403 – Forbidden: Access is denied response.

When a well-formed SCEP certificate request is received and the request payload
includes both the challenge blob and the device CSR, the policy module compares
the details of the device CSR against the challenge blob:

If the validation fails, no certificate is issued.

Only the certificate requests from an Intune enrolled device that passes the
challenge blob validation are issued a certificate.
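As an added illustration (not Intune's or the policy module's code), the following PowerShell models the gate described above: a signed challenge that records the expected Subject and SAN, and a module-side check that refuses a CSR whose fields differ from it or whose challenge was altered after signing. The blob layout, the shared key and the HMAC scheme are assumptions; the real module's format is not documented on this page.

```powershell
# Added example, not the Intune policy module's implementation. It models only the
# behaviour described on this page: a challenge the device cannot alter, and a CSR
# that must match that challenge before a certificate is issued.
# Assumption: a key held only by "Intune" and the "policy module" (constructed here).
$script:DemoChallengeKey = [byte[]](1..32)

function Get-ChallengeTag {
    param([Parameter(Mandatory)][string]$Payload)
    # HMAC-SHA256 stands in for the encrypt-and-sign step the page mentions (assumption).
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($script:DemoChallengeKey)
    try {
        return [Convert]::ToBase64String($hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Payload)))
    } finally { $hmac.Dispose() }
}

function New-ChallengeBlob {
    # "Intune side": record what the device's CSR is expected to contain, then sign it.
    param(
        [Parameter(Mandatory)][string]$ExpectedSubject,
        [string[]]$ExpectedSan = @()
    )
    $payload = [ordered]@{ Subject = $ExpectedSubject; San = @($ExpectedSan) } | ConvertTo-Json -Compress
    return [pscustomobject]@{ Payload = $payload; Tag = (Get-ChallengeTag -Payload $payload) }
}

function Test-ChallengeBlob {
    # "Policy module side": verify the tag first, then compare the CSR against the blob.
    param(
        [Parameter(Mandatory)]$Blob,
        [Parameter(Mandatory)][string]$CsrSubject,
        [string[]]$CsrSan = @()
    )
    $result = [pscustomobject]@{ Issue = $false; Reason = '' }

    if ((Get-ChallengeTag -Payload $Blob.Payload) -cne $Blob.Tag) {
        $result.Reason = 'challenge blob has no valid signature or was tampered with'
        return $result
    }
    $expected = $Blob.Payload | ConvertFrom-Json
    if ($expected.Subject -cne $CsrSubject) {
        $result.Reason = "CSR subject '$CsrSubject' does not match the challenge"
        return $result
    }
    # Order-insensitive comparison of the SAN entries.
    $wantSan = (@($expected.San) | Sort-Object) -join ';'
    $haveSan = (@($CsrSan) | Sort-Object) -join ';'
    if ($wantSan -cne $haveSan) {
        $result.Reason = 'CSR SAN entries do not match the challenge'
        return $result
    }
    $result.Issue  = $true
    $result.Reason = 'CSR matches the challenge; certificate may be issued'
    return $result
}

# Constructed demo: one well-formed request and two that the module must refuse.
$blob = New-ChallengeBlob -ExpectedSubject 'CN=janedoe' -ExpectedSan @('janedoe@contoso.com')
# Subject and SAN exactly as the challenge expects.
Test-ChallengeBlob -Blob $blob -CsrSubject 'CN=janedoe' -CsrSan @('janedoe@contoso.com')
# Subject differs from the challenge.
Test-ChallengeBlob -Blob $blob -CsrSubject 'CN=otheruser' -CsrSan @('janedoe@contoso.com')
# Payload altered after signing: the tag no longer verifies, whatever the CSR says.
$tampered = [pscustomobject]@{ Payload = $blob.Payload.Replace('janedoe', 'otheruser'); Tag = $blob.Tag }
Test-ChallengeBlob -Blob $tampered -CsrSubject 'CN=otheruser' -CsrSan @('otheruser@contoso.com')
```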

Accounts
To configure the connector to support SCEP, use an account that has permissions to
configure NDES on the Windows Server and to manage your Certification Authority. For
details, see Accounts in the Prerequisites for the Certificate Connector for Microsoft Intune
article.

Network requirements
In addition to the network requirements for the certificate connector, we recommend
publishing the NDES service through a reverse proxy, such as the Azure AD application
proxy, Web Access Proxy, or a third-party proxy. If you don't use a reverse proxy, then
allow TCP traffic on port 443 from all hosts and IP addresses on the internet to the NDES
service.

Allow all ports and protocols necessary for communication between the NDES service
and any supporting infrastructure in your environment. For example, the computer that
hosts the NDES service needs to communicate with the CA, DNS servers, domain
controllers, and possibly other services or servers within your environment, like
Configuration Manager.

Certificates and templates


The following certificates and templates are used when you use SCEP.

Object: SCEP Certificate Template
Details: Template that you configure on your issuing CA that's used to fulfill the
devices' SCEP requests.

Object: Server authentication certificate
Details: Web Server certificate requested from your issuing CA or public CA. You
install and bind this SSL certificate in IIS on the computer that hosts NDES.

Object: Trusted Root CA certificate
Details: To use a SCEP certificate profile, devices must trust your Trusted Root
Certification Authority (CA). Use a trusted certificate profile in Intune to provision
the Trusted Root CA certificate to users and devices.

- Use a single Trusted Root CA certificate per operating system platform and
associate that certificate with each trusted certificate profile you create.

- You can use additional Trusted Root CA certificates when needed. For example,
you might use additional certificates to provide a trust to a CA that signs the
server authentication certificates for your Wi-Fi access points. Create additional
Trusted Root CA certificates for issuing CAs. In the SCEP certificate profile you
create in Intune, be sure to specify the Trusted Root CA profile for the issuing
CA.

For information about the trusted certificate profile, see Export the trusted root
CA certificate and Create trusted certificate profiles in Use certificates for
authentication in Intune.

Note

The following certificate is not used with the Certificate Connector for Microsoft
Intune. This information is provided for those who have not yet replaced the older
connector for SCEP (installed by NDESConnectorSetup.exe) with the new connector
software.

Object: Client authentication certificate
Details: Requested from your issuing CA or public CA. You install this certificate on
the computer that hosts the NDES service and it's used by the Certificate Connector
for Microsoft Intune. If the certificate has the client and server authentication key
usages set (Enhanced Key Usages) on the CA template that you use to issue this
certificate, you can then use the same certificate for server and client
authentication.

PIN requirement for Android Enterprise

For Android Enterprise, the version of encryption on a device determines whether the
device must be configured with a PIN before SCEP can provision that device with a
certificate. The available encryption types are:

Full-disk encryption, which requires the device have a PIN configured.

File-based encryption, which is required on devices that are installed by the OEM
with Android 10 or later. These devices won’t require a PIN. Devices that upgrade
to Android 10 might still require a PIN.

Note

Microsoft Intune can’t identify the type of encryption on an Android device.

The version of Android on a device can affect the available encryption type:

Android 10 and later: Devices installed with Android 10 or later by the OEM use
file-based encryption and won't require a PIN for SCEP to provision a certificate.
Devices that upgrade to version 10 or later and begin to use file-based encryption
might still require a PIN.

Android 8 to 9: These versions of Android support the use of file-based
encryption, but it's not required. Each OEM chooses which encryption type to
implement for a device. It's also possible that OEM modifications will result in a
PIN not being required even when full-disk encryption is in use.

For more information, see the following articles in the Android documentation:

File-Based Encryption
Full-Disk Encryption
Considerations for devices enrolled as Android Enterprise dedicated

For devices enrolled as Android Enterprise dedicated, password enforcement can
present challenges.

For devices that run 9.0 and later and receive a kiosk-mode policy, you can use a device
compliance or device configuration policy to enforce the password requirement. View
Support Tip: New Google-based Compliance Screens for Kiosk Mode from the Intune
Support Team, to understand the device experience.

For devices that run 8.x and earlier, you can also use a device compliance or device
configuration policy to enforce the password requirement. However, to set up a PIN, you
need to manually enter the settings application on the device and configure the PIN.

Configure the certification authority

In the following sections, you'll:

Configure and publish the required template for NDES

Set the required permissions for certificate revocation.

The following sections require knowledge of Windows Server 2012 R2 or later, and of
Active Directory Certificate Services (AD CS).

Access your Issuing CA

1. Sign in to your issuing CA with a domain account with rights sufficient to manage
the CA.

2. Open the Certification Authority Microsoft Management Console (MMC). Either
run 'certsrv.msc' or, in Server Manager, select Tools, and then Certification
Authority.

3. Select the Certificate Templates node, select Action > Manage.

Create the SCEP certificate template

1. Create a v2 Certificate Template (with Windows 2003 compatibility) for use as the
SCEP certificate template. You can:

Use the Certificate Templates snap-in to create a new custom template.

Copy an existing template (like the Web Server template) and then update
the copy to use as the NDES template.

2. Configure the following settings on the specified tabs of the template:

General:
Uncheck Publish certificate in Active Directory.
Specify a friendly Template display name so you can identify this template
later.

Subject Name:

Select Supply in the request. The Intune policy module for NDES enforces
security.

Extensions:

Ensure that Description of Application Policies includes Client
Authentication.

Important

Only add the application policies that you require. Confirm your
choices with your security admins.

For iOS/iPadOS and macOS certificate templates, also edit Key Usage and
make sure Signature is proof of origin isn't selected.

Security:

Add the NDES service account. This account requires Read and Enroll
permissions to this template.

Add additional Accounts for Intune administrators who will create SCEP
profiles. These accounts require Read permissions to the template to
enable these admins to browse to this template while creating SCEP
profiles.
Request Handling:

The following image is an example. Your configuration might vary.


Issuance Requirements:

The following image is an example. Your configuration might vary.

3. Save the certificate template.

Create the client certificate template

Note

The following certificate is not used with the Certificate Connector for Microsoft
Intune. This information is provided for those who have not yet replaced the older
connector for SCEP (installed by NDESConnectorSetup.exe) with the new connector
software.

The Microsoft Intune Connector requires a certificate with the Client Authentication
Enhanced Key Usage and Subject name equal to the FQDN of the machine where the
connector is installed. A template with the following properties is required:

Extensions > Application Policies must contain Client Authentication.

Subject name > Supply in the request.

If you already have a template that includes these properties, you can reuse it, otherwise
create a new template by either duplicating an existing one or creating a custom
template.

Create the server certificate template

Communications between managed devices and IIS on the NDES server use HTTPS,
which requires use of a certificate. You can use the Web Server certificate template to
issue this certificate. Or, if you prefer to have a dedicated template, the following
properties are required:

Extensions > Application Policies must contain Server Authentication.

Subject name > Supply in the request.

On the Security tab, the computer account of the NDES server must have Read
and Enroll permissions.

Note

If you have a certificate that satisfies both requirements from the client and server
certificate templates, you can use a single certificate for both IIS and the certificate
connector.

Grant permissions for certificate revocation

For Intune to be able to revoke certificates that are no longer required, you must grant
permissions in the Certificate Authority.

On the server that hosts the certificate connector, use either the NDES server system
account or a specific account such as the NDES service account.

1. On your Certificate Authority console, right-click the CA name and select
Properties.

2. In Security tab, select Add.

3. Grant Issue and Manage Certificates permission:

If you opt to use the NDES server system account, provide the permissions to
the NDES server.
If you opt to use the NDES service account, provide permissions for that
account instead.

Modify the validity period of the certificate template

It's optional to modify the validity period of the certificate template.

After you create the SCEP certificate template, you can edit the template to review the
Validity period on the General tab.

By default, Intune uses the value configured in the template, but you can configure the
CA to allow the requester to enter a different value, so that value can be set from within
the Microsoft Intune admin center.

Plan to use a validity period of five days or greater. When the validity period is less than
five days, there's a high likelihood of the certificate entering a near-expiry or expired
state, which can cause the MDM agent on devices to reject the certificate before it’s
installed.

Important

For iOS/iPadOS and macOS, always use a value set in the template.

To configure a value that can be set from within the Microsoft Intune admin center

On the CA, run the following commands:

certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE

net stop certsvc

net start certsvc

Publish certificate templates


1. On the issuing CA, use the Certification Authority snap-in to publish the certificate
template. Select the Certificate Templates node, select Action > New > Certificate
Template to Issue, and then select the certificate template you created in the
previous section.

2. Validate that the template has published by viewing it in the Certificate Templates
folder.

Set up NDES
The following procedures can help you configure the Network Device Enrollment Service
(NDES) for use with Intune. These are provided as examples as the actual configuration
might vary depending on your version of Windows Server. Ensure required
configurations you add like those for .NET Framework meet the prerequisites for the
Certificate Connector for Microsoft Intune.

For more information about NDES, see Network Device Enrollment Service Guidance.

Install the NDES service


1. On the server that will host your NDES service, sign in as an Enterprise
Administrator, and then use the Add Roles and Features Wizard to install NDES:

a. In the Wizard, select Active Directory Certificate Services to gain access to the
AD CS Role Services. Select Network Device Enrollment Service, uncheck
Certification Authority, and then complete the wizard.

Tip

In Installation progress, don't select Close. Instead, select the Configure
Active Directory Certificate Services on the destination server link. The
AD CS Configuration wizard opens, which you use for the next procedure
in this article, Configure the NDES service. After AD CS Configuration opens,
you can close the Add Roles and Features wizard.

b. When NDES is added to the server, the wizard also installs IIS. Confirm that IIS
has the following configurations:

Web Server > Security > Request Filtering

Web Server > Application Development > ASP.NET 3.5

Installing ASP.NET 3.5 installs .NET Framework 3.5. When installing .NET
Framework 3.5, install both the core .NET Framework 3.5 feature and
HTTP Activation.

Web Server > Application Development > ASP.NET 4.7.2

Installing ASP.NET 4.7.2 installs .NET Framework 4.7.2. When installing .NET
Framework 4.7.2, install the core .NET Framework 4.7.2 feature, ASP.NET
4.7.2, and the WCF Services > HTTP Activation feature.
Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase
Compatibility

Management Tools > IIS 6 Management Compatibility > IIS 6 WMI
Compatibility

On the server, add the NDES service account as a member of the local
IIS_IUSRS group.

2. On the computer that hosts the NDES service, run the following command in an
elevated command prompt. The following command sets the SPN of the NDES
Service account:

setspn -s http/<DNS name of the computer that hosts the NDES service> <Domain name>\<NDES Service account name>

For example, if the computer that hosts the NDES service is named Server01, your
domain is Contoso.com, and the service account is NDESService, use:

setspn -s http/Server01.contoso.com contoso\NDESService

Configure the NDES service


To configure the NDES service, use an account that is an Enterprise Administrator.

1. On the computer that hosts the NDES service, open the AD CS Configuration
wizard, and then make the following updates:

Tip

If you're continuing on from the last procedure and clicked the Configure
Active Directory Certificate Services on the destination server link, this
wizard should already be open. Otherwise, open Server Manager to access the
post-deployment configuration for Active Directory Certificate Services.

In Role Services, select the Network Device Enrollment Service.

In Service Account for NDES, specify the NDES Service Account.

In CA for NDES, click Select, and then select the issuing CA where you
configured the certificate template.

In Cryptography for NDES, set the key length to meet your company
requirements.

In Confirmation, select Configure to complete the wizard.

2. After the wizard completes, update the following registry key on the computer that
hosts the NDES service:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\

To update this key, identify the certificate template's Purpose (found on its
Request Handling tab). Then, update the corresponding registry entry by replacing
the existing data with the name of the certificate template (not the display name of
the template) that you specified when you created the certificate template.

The following table maps the certificate template purpose to the values in the
registry:

Certificate template Purpose (On the Request Handling tab) | Registry value to edit | Value seen in the Microsoft Intune admin center for the SCEP profile
Signature | SignatureTemplate | Digital Signature
Encryption | EncryptionTemplate | Key Encipherment
Signature and encryption | GeneralPurposeTemplate | Key Encipherment, Digital Signature

For example, if the Purpose of your certificate template is Encryption, then edit the
EncryptionTemplate value to be the name of your certificate template.

3. Restart the server that hosts the NDES service. Don't use iisreset; iisreset doesn't
complete the required changes.

4. Browse to http://Server_FQDN/certsrv/mscep/mscep.dll. You should see an NDES
page similar to the following image:

If the web address returns a 503 Service unavailable, check the computer's Event
Viewer. This error commonly occurs when the application pool is stopped due to a
missing permission for the NDES service account.

Install and bind certificates on the server that hosts NDES
On the NDES server, add a Server authentication certificate.

Server authentication certificate

This certificate is used in IIS. It's a simple Web server certificate that allows the
client to trust the NDES URL.

1. Request a server authentication certificate from your internal CA or public
CA, and then install the certificate on the server.

Depending how you expose your NDES to the internet, there are different
requirements.

A good configuration is:

A Subject Name: Set a CN (Common Name) with a value that must be
equal to the FQDN of the server where you're installing the certificate (the
NDES Server).
A Subject Alternative Name: Set DNS entries for every URL your NDES is
responding to, such as the internal FQDN and the external URLs.

Note

If you are using Azure AD App Proxy, the AAD App Proxy connector will
translate the requests from the external URL to the internal URL. As such,
NDES will only respond to requests directed to the internal URL, usually
the FQDN of the NDES Server.

In this situation, the external URL is not required.

2. Bind the server authentication certificate in IIS:

a. After installing the server authentication certificate, open IIS Manager, and
select the Default Web Site. In the Actions pane, select Bindings.

b. Select Add, set Type to https, and then confirm the port is 443.

c. For SSL certificate, specify the server authentication certificate.

Note

When configuring NDES for the Certificate Connector for Microsoft Intune, only
the Server authentication certificate is used. If you're configuring NDES to support
the older certificate connector (NDESConnectorSetup.exe), you must also configure
a Client authentication certificate. You can use a single certificate for both server
authentication and client authentication when that certificate is configured to meet
the criteria of both uses. Regarding the Subject Name, it must meet the client
authentication certificate requirements.

The following information is provided for those who have not yet replaced the
older connector for SCEP (installed by NDESConnectorSetup.exe) with the new
connector software.

Client authentication certificate

This certificate is used during install of the Certificate Connector for Microsoft
Intune to support SCEP.

Request and install a client authentication certificate from your internal CA, or
a public certificate authority.

The certificate must meet the following requirements:

Enhanced Key Usage: This value must include Client Authentication.
Subject Name: Set a CN (Common Name) with a value that must be equal
to the FQDN of the server where you're installing the certificate (the NDES
Server).
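As an added check (not part of the Intune documentation or the connector), the following PowerShell reads back the NDES host settings configured in the procedures above: the MSCEP template values, the service account's SPN and IIS_IUSRS membership, the HTTPS binding in IIS, and whether mscep.dll answers. The template name, service account and FQDN are placeholders; the CA-side EditFlags change is not covered because it lives on the CA, not the NDES host.

```powershell
# Added example, not from the Intune documentation: read-only checks for the NDES
# host. Run in an elevated PowerShell session on the server that hosts NDES.
# Parameter values used at the bottom are placeholders; substitute your own.
function Test-NdesConfiguration {
    param(
        [Parameter(Mandatory)][string]$TemplateName,    # template name, not its display name
        [Parameter(Mandatory)][string]$ServiceAccount,  # e.g. contoso\NDESService
        [Parameter(Mandatory)][string]$NdesFqdn         # e.g. Server01.contoso.com
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Registry: one of the MSCEP template values must name the SCEP template.
    $mscepPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    $mscep = Get-ItemProperty -Path $mscepPath -ErrorAction SilentlyContinue
    if ($null -eq $mscep) {
        $findings.Add("FAIL: $mscepPath not found; the NDES role is not configured.")
    } else {
        $matched = @('SignatureTemplate', 'EncryptionTemplate', 'GeneralPurposeTemplate') |
            Where-Object { $mscep.$_ -eq $TemplateName }
        if ($matched) { $findings.Add("OK: $($matched -join ', ') = $TemplateName") }
        else { $findings.Add("FAIL: no MSCEP template value is set to '$TemplateName' (check the template's Purpose).") }
    }

    # 2. SPN: http/<NDES FQDN> must be registered on the service account (setspn -s step).
    $spns = & setspn.exe -L $ServiceAccount 2>&1
    if ($spns -match "^\s*http/$([regex]::Escape($NdesFqdn))\s*$") {
        $findings.Add("OK: SPN http/$NdesFqdn is registered on $ServiceAccount")
    } else {
        $findings.Add("FAIL: SPN http/$NdesFqdn not found on $ServiceAccount")
    }

    # 3. Local group: the service account must be a member of IIS_IUSRS.
    $member = Get-LocalGroupMember -Group 'IIS_IUSRS' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $ServiceAccount }
    if ($member) { $findings.Add("OK: $ServiceAccount is in IIS_IUSRS") }
    else { $findings.Add("FAIL: $ServiceAccount is not a member of IIS_IUSRS") }

    # 4. IIS: an https binding on 443 with a server authentication certificate attached.
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    $binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -ErrorAction SilentlyContinue
    if ($binding -and $binding.certificateHash) {
        $findings.Add("OK: https binding on 443 uses certificate $($binding.certificateHash)")
    } else {
        $findings.Add('FAIL: no https binding on port 443 with a certificate on Default Web Site')
    }

    # 5. Service: mscep.dll should answer. 200 (NDES page) or 403 (policy module installed)
    #    both mean the application pool is running; 503 points at a stopped pool.
    $url = "https://$NdesFqdn/certsrv/mscep/mscep.dll"
    try {
        $status = (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15).StatusCode
    } catch {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    }
    switch ($status) {
        { $_ -in 200, 403 } { $findings.Add("OK: $url answered HTTP $status") }
        503                 { $findings.Add("FAIL: $url returned 503; check Event Viewer for the application pool") }
        default             { $findings.Add("FAIL: $url returned HTTP $status (0 = no response or TLS error)") }
    }
    return $findings
}

# Placeholder values; replace with your template name, service account and NDES FQDN.
Test-NdesConfiguration -TemplateName 'IntuneSCEP' -ServiceAccount 'contoso\NDESService' -NdesFqdn 'Server01.contoso.com'
```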

Download, install, and configure the Certificate Connector for Microsoft Intune

For guidance, see Install and configure the Certificate Connector for Microsoft Intune.

The certificate connector installs on the server that runs your NDES service.
The connector isn't supported on the same server as your issuing Certification
Authority (CA).

Next steps
Create a SCEP certificate profile

Create and assign SCEP certificate profiles in Intune
Article • 08/23/2023

After you configure your infrastructure to support Simple Certificate Enrollment Protocol
(SCEP) certificates, you can create and then assign SCEP certificate profiles to users and
devices in Intune.

For devices to use a SCEP certificate profile, they must trust your Trusted Root
Certification Authority (CA). Trust of the root CA is best established by deploying a
trusted certificate profile to the same group that receives the SCEP certificate profile.
Trusted certificate profiles provision the Trusted Root CA certificate.

Devices that run Android Enterprise might require a PIN before SCEP can provision them
with a certificate. For more information, see PIN requirement for Android Enterprise.

Note

Beginning with Android 11, trusted certificate profiles can no longer install the
trusted root certificate on devices that are enrolled as Android device administrator.
This limitation does not apply to Samsung Knox.

For more information about this limitation, see Trusted certificate profiles for
Android device administrator.

Important

On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.

Tip

SCEP certificate profiles are supported for Windows Enterprise multi-session
remote desktops.

Create a SCEP certificate profile

1. Sign in to the Microsoft Intune admin center.

2. Select and go to Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose the platform of your devices.

Profile: Select SCEP certificate. Or, select Templates > SCEP certificate.

For Android Enterprise, Profile type is divided into two categories: Fully
Managed, Dedicated, and Corporate-Owned Work Profile; and Personally-
Owned Work Profile. Be sure to select the correct SCEP certificate profile for
the devices you manage.

SCEP certificate profiles for the Fully Managed, Dedicated, and Corporate-
Owned Work Profile profile have the following limitations:
a. Under Monitoring, certificate reporting isn't available for Device Owner
SCEP certificate profiles.
b. You can't use Intune to revoke certificates that were provisioned by SCEP
certificate profiles for Device Owner. You can manage revocation through
an external process or directly with the certification authority.
c. For Android Enterprise dedicated devices, SCEP certificate profiles are
supported for Wi-Fi network configuration, VPN, and authentication. SCEP
certificate profiles on Android Enterprise dedicated devices aren't
supported for app authentication.

For Android (AOSP), the following limitations apply:

a. Under Monitoring, certificate reporting isn't available for Device Owner
SCEP certificate profiles.
b. You can't use Intune to revoke certificates that were provisioned by SCEP
certificate profiles for Device Owners. You can manage revocation through
an external process or directly with the certification authority.
c. SCEP certificate profiles are supported for Wi-Fi network configuration.
VPN configuration profile support is not available. A future update may
include support for VPN configuration profiles.
d. The following 3 variables are not available for use on Android (AOSP) SCEP
certificate profiles. Support for these variables will come in a future
update.
onPremisesSamAccountName
OnPrem_Distinguished_Name
Department

Note

Device Owner is equivalent to Corporate Owned devices. The following
are considered as Device Owner:
Android Enterprise - Fully Managed, Dedicated, and Corporate-
Owned Work Profile
Android AOSP
User-affinity
User-less

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is SCEP
profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, complete the following configurations:

Certificate type:

(Applies to: Android, Android Enterprise, Android (AOSP), iOS/iPadOS, macOS,
Windows 8.1, and Windows 10/11)

Select a type depending on how you'll use the certificate profile:

User: User certificates can contain both user and device attributes in the
subject and SAN of the certificate.

Device: Device certificates can only contain device attributes in the subject
and SAN of the certificate.

Use Device for scenarios such as user-less devices, like kiosks, or for
Windows devices. On Windows devices, the certificate is placed in the
Local Computer certificate store.
Note

Storage of certificates provisioned by SCEP:

macOS - Certificates you provision with SCEP are always placed in the
system keychain (System store) of the device.

Android - Devices have both a VPN and apps certificate store, and a
WIFI certificate store. Intune always stores SCEP certificates in the
VPN and apps store on a device. Use of the VPN and apps store
makes the certificate available for use by any other app.

However, when a SCEP certificate is also associated with a Wi-Fi
profile, Intune also installs the certificate in the Wi-Fi store.

When configured for VPN apps, the user is prompted to select the
correct certificate. Silent certificate approval for Fully Managed (or
BYOD scenarios) is not supported. If everything is set up correctly, the
correct certificate should already be preselected in the dialog box.

Subject name format:

Enter text to tell Intune how to automatically create the subject name in the
certificate request. Options for the subject name format depend on the
Certificate type you select, either User or Device.

Tip

If your subject name length exceeds 64 characters, you might need to
disable name length enforcement on your internal Certification
Authority. For more information, see Disable DN Length Enforcement.

Note

There is a known issue for using SCEP to get certificates when the
subject name in the resulting Certificate Signing Request (CSR) includes
one of the following characters as an escaped character (preceded by a
backslash \):
+
;
,
=

Note

Beginning with Android 12, Android no longer supports use of the
following hardware identifiers for personally-owned work profile devices:
Serial number
IMEI
MEID

Intune certificate profiles for personally-owned work profile devices that
rely on these variables in the subject name or SAN will fail to provision a
certificate on devices that run Android 12 or later at the time the device
enrolled with Intune. Devices that enrolled prior to upgrade to Android
12 can still receive certificates so long as Intune previously obtained the
device's hardware identifiers.

For more information about this and other changes introduced with
Android 12, see the Android Day Zero Support for Microsoft Endpoint
Manager blog post.

User certificate type

Use the text box to enter a custom subject name format, including static
text and variables. Two variable options are supported: Common Name
(CN) and Email (E).

Email (E) would usually be set with the {{EmailAddress}} variable. For
example: E={{EmailAddress}}

Common Name (CN) can be set to any of the following variables:

CN={{UserName}}: The user name of the user, such as janedoe.
CN={{UserPrincipalName}}: The user principal name of the user, such
as janedoe@contoso.com.
CN={{AAD_Device_ID}}: An ID assigned when you register a device in
Azure Active Directory (AD). This ID is typically used to authenticate
with Azure AD.
CN={{DeviceId}}: An ID assigned when you enroll a device in Intune.

Note
Avoid using {{DeviceId}} for the subject name on Windows devices. In
certain instances, a certificate generated with this subject name causes
sync with Intune to fail.

CN={{SERIALNUMBER}}: The unique serial number (SN) typically used
by the manufacturer to identify a device.

CN={{IMEINumber}}: The International Mobile Equipment Identity
(IMEI) unique number used to identify a mobile phone.

CN={{OnPrem_Distinguished_Name}}: A sequence of relative
distinguished names separated by comma, such as CN=Jane
Doe,OU=UserAccounts,DC=corp,DC=contoso,DC=com.

To use the {{OnPrem_Distinguished_Name}} variable:

Be sure to sync the onpremisesdistinguishedname user attribute using
Azure AD Connect to your Azure AD.
If the CN value contains a comma, the Subject name format must be
in quotes. For example: CN="{{OnPrem_Distinguished_Name}}"

CN={{OnPremisesSamAccountName}}: Admins can sync the
samAccountName attribute from Active Directory to Azure AD using
Azure AD connect into an attribute called onPremisesSamAccountName.
Intune can substitute that variable as part of a certificate issuance
request in the subject of a certificate. The samAccountName attribute is
the user sign-in name used to support clients and servers from a
previous version of Windows (pre-Windows 2000). The user sign-in
name format is: DomainName\testUser, or only testUser.

To use the {{OnPremisesSamAccountName}} variable, be sure to sync the
OnPremisesSamAccountName user attribute using Azure AD Connect to
your Azure AD.

All device variables listed in the following Device certificate type section
can also be used in user certificate subject names.

By using a combination of one or many of these variables and static text
strings, you can create a custom subject name format, such as:
CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US

That example includes a subject name format that uses the CN and E
variables, and strings for Organizational Unit, Organization, Location, State,
and Country values. The CertStrToName function describes this format and
its supported strings.

User attributes are not supported for devices that don’t have user
associations, such as devices that are enrolled as Android Enterprise
dedicated. For example, a profile that uses CN={{UserPrincipalName}} in
the subject or SAN won’t be able to get the user principal name when
there is no user on the device.

Device certificate type

Format options for the Subject name format include the following
variables:
{{AAD_Device_ID}} or {{AzureADDeviceId}} - Either variable can be used
to identify a device by its Azure AD ID.
{{DeviceId}} - The Intune device ID
{{Device_Serial}}
{{Device_IMEI}}
{{SerialNumber}}
{{IMEINumber}}
{{WiFiMacAddress}}
{{IMEI}}
{{DeviceName}}
{{FullyQualifiedDomainName}} (Only applicable for Windows and
domain-joined devices)
{{MEID}}

You can specify these variables and static text in the textbox. For example,
the common name for a device named Device1 can be added as
CN={{DeviceName}}Device1.

Important
When you specify a variable, enclose the variable name in double
curly brackets {{ }} as seen in the example, to avoid an error.
Device properties used in the subject or SAN of a device certificate,
like IMEI, SerialNumber, and FullyQualifiedDomainName, are
properties that could be spoofed by a person with access to the
device.
A device must support all variables specified in a certificate profile
for that profile to install on that device. For example, if {{IMEI}} is
used in the subject name of a SCEP profile and is assigned to a
device that doesn't have an IMEI number, the profile fails to install.

Subject alternative name:

Select how Intune automatically creates the subject alternative name (SAN) in
the certificate request. You can specify multiple subject alternative names. For
each one, you may select from four SAN attributes and enter a text value for
that attribute. The text value can contain variables and static text for the
attribute.

Note

The following Android Enterprise profiles don't support use of the
{{UserName}} variable for the SAN:
Fully Managed, Dedicated, and Corporate-Owned Work Profile

Select from the available SAN attributes:

Email address
User principal name (UPN)
DNS
Uniform Resource Identifier (URI)

Variables available for the SAN value depend on the Certificate type you
selected; either User or Device.

Note

Beginning with Android 12, Android no longer supports use of the
following hardware identifiers for personally-owned work profile devices:
Serial number
IMEI
MEID

Intune certificate profiles for personally-owned work profile devices that
rely on these variables in the subject name or SAN will fail to provision a
certificate on devices that were running Android 12 or later at the time the
device enrolled with Intune. Devices that enrolled before upgrading to Android
12 can still receive certificates, as long as Intune previously obtained the
device's hardware identifiers.
For more information about this and other changes introduced with
Android 12, see the Android Day Zero Support for Microsoft Endpoint
Manager blog post.

User certificate type

With the User certificate type, you can use any of the user or device
certificate variables described above in the Subject Name section.

For example, user certificate types can include the user principal name
(UPN) in the subject alternative name. If a client certificate is used to
authenticate to a Network Policy Server, set the subject alternative name
to the UPN.

Device certificate type

With the Device certificate type, you can use any of the variables described
in the Device certificate type section for Subject Name.

To specify a value for an attribute, include the variable name with curly
brackets, followed by the text for that variable. For example, a value for the
DNS attribute can be added {{AzureADDeviceId}}.domain.com where
.domain.com is the text. For a user named User1 an Email address might
appear as {{FullyQualifiedDomainName}}User1@Contoso.com.

By using a combination of one or many of these variables and static text
strings, you can create a custom subject alternative name format, such as:

{{UserName}}-Home

Important
When using a device certificate variable, enclose the variable name
in double curly brackets {{ }}.
Don't use curly brackets { }, pipe symbols |, and semicolons ;, in the
text that follows the variable.
Device properties used in the subject or SAN of a device certificate,
like IMEI, SerialNumber, and FullyQualifiedDomainName, are
properties that could be spoofed by a person with access to the
device.
A device must support all variables specified in a certificate profile
for that profile to install on that device. For example, if {{IMEI}} is
used in the SAN of a SCEP profile and is assigned to a device that
doesn't have an IMEI number, the profile fails to install.

Certificate validity period:

You can enter a value that is lower than the validity period in the certificate
template, but not higher. If you configured the certificate template to support
a custom value that can be set from within the Intune admin center, use this
setting to specify the amount of remaining time before the certificate expires.

Intune supports a validity period of up to 24 months.

For example, if the certificate validity period in the certificate template is two
years, you can enter a value of one year, but not a value of five years. The
value must also be lower than the remaining validity period of the issuing
CA's certificate.

Plan to use a validity period of five days or greater. When the validity period
is less than five days, there is a high likelihood of the certificate entering a
near-expiry or expired state, which can cause the MDM agent on devices to
reject the certificate before it’s installed.

Key storage provider (KSP):

(Applies to: Windows 8.1, and Windows 10/11)

Specify where the key to the certificate is stored. Choose from the following
values:
Enroll to Trusted Platform Module (TPM) KSP if present, otherwise
Software KSP
Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
Enroll to Windows Hello for Business, otherwise fail (Windows 10 and
later)
Enroll to Software KSP

Key usage:

Select key usage options for the certificate:

Digital signature: Allow key exchange only when a digital signature helps
protect the key.
Key encipherment: Allow key exchange only when the key is encrypted.

Key size (bits):

Select the number of bits contained in the key:

Not configured
1024
2048
4096 - A Key size of 4096 is supported for the following platforms:
Android (all)
iOS/iPadOS 14 and later
macOS 11 and later
Windows (all)

Note

For Windows devices, 4096-bit key storage is supported only in the
Software Key Storage Provider (KSP). The following do not support
storing keys of this size:
The hardware TPM (Trusted Platform Module). As a workaround
you can use the Software KSP for key storage.
Windows Hello for Business. There is no workaround for Windows
Hello for Business at this time.

Hash algorithm:

(Applies to Android, Android (AOSP), Android enterprise, Windows 8.1, and
Windows 10/11)

Select one of the available hash algorithm types to use with this certificate.
Select the strongest level of security that the connecting devices support.

NOTE: Android AOSP and Android Enterprise devices will select the strongest
algorithm supported - SHA-1 will be ignored, and SHA-2 will be used instead.

Root Certificate:

Select the trusted certificate profile you previously configured and assigned to
applicable users and devices for this SCEP certificate profile. The trusted
certificate profile is used to provision users and devices with the Trusted Root
CA certificate. For information about the trusted certificate profile, see Export
your trusted root CA certificate and Create trusted certificate profiles in Use
certificates for authentication in Intune.
Note

If you have a multiple-level PKI infrastructure, such as a Root Certification
Authority and an Issuing Certification Authority, select the top-level
Trusted Root certificate profile that validates the Issuing Certification
Authority.

Extended key usage:

Add values for the certificate's intended purpose. In most cases, the
certificate requires client authentication so that the user or device can
authenticate to a server. You can add additional key usages as required.

Renewal threshold (%):

Enter the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate. For example, if you enter 20, the renewal
of the certificate will be attempted when the certificate is 80% expired.
Renewal attempts continue until renewal is successful. Renewal generates a
new certificate, which results in a new public/private key pair.

Note

Renewal behavior on iOS/iPadOS and macOS: Certificates can only be
renewed during the renewal threshold phase. In addition, the device has
to be unlocked while syncing with Intune. If the renewal was not
successful, the expired certificate remains on the device and Intune
does not trigger a renewal anymore. Also, Intune does not offer an
option to redeploy expired certificates. Affected devices need to be
excluded from the SCEP profile temporarily to remove the expired
certificate and request a new one.

SCEP Server URLs:

Enter one or more URLs for the NDES Servers that issue certificates via SCEP.
For example, enter something like
https://ndes.contoso.com/certsrv/mscep/mscep.dll.

To allow devices on the internet to get certificates, you must specify the NDES
URL external to your corporate network. The URL can be HTTP or HTTPS.
However, to support the following devices, the SCEP Server URL must use
HTTPS:
Android device administrator
Android Enterprise device owner
Android Enterprise corporate-owned work profile
Android Enterprise personally-owned work profile

You can add additional SCEP URLs for load balancing as needed. Devices
make three separate calls to the NDES server: the first to get the server's
capabilities, the next to get a public key, and then to submit a signing
request. When you use multiple URLs, it's possible that load balancing might
result in a different URL being used for subsequent calls to an NDES server. If
a different server is contacted for a subsequent call during the same request,
the request will fail.

The behavior for managing the NDES server URL is specific to each device
platform:
Android: The device randomizes the list of URLs received in the SCEP
policy, and then works through the list until an accessible NDES server is
found. The device then continues to use that same URL and server through
the entire process. If the device can’t access any of the NDES servers, the
process fails.
iOS/iPadOS: Intune randomizes the URLs and provides a single URL to a
device. If the device can’t access the NDES server, the SCEP request fails.
Windows: The list of NDES URLs is randomized and then passed to the
Windows device, which then tries them in the order received, until one
that's available is found. If the device can’t access any of the NDES servers,
the process fails.

If a device fails to reach the same NDES server successfully during any of the
three calls to the NDES server, the SCEP request fails. For example, this might
happen when a load-balancing solution provides a different URL for the
second or third call to the NDES server, or provides a different actual NDES
server based on a virtualized URL for NDES. After a failed request, a device
tries the process again on its next policy cycle, starting with the randomized
list of NDES URLs (or a single URL for iOS/iPadOS).
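The per-platform URL selection and the three-call requirement described above, as an added simulation written for this page (not Intune's or NDES's code). It assumes a resolver callback standing in for the network and load balancer, uses the standard SCEP operation names for the three calls, and works on constructed sample URLs and backend names.

```python
import random
from typing import Callable, Dict, List, Optional

# The three calls the page says a device makes to NDES, in order. These are the
# standard SCEP operation names; the page describes them as "get the server's
# capabilities", "get a public key" and "submit a signing request".
SCEP_CALLS = ("GetCACaps", "GetCACert", "PKIOperation")

# resolve(url, call) -> name of the backend NDES server that answered the call,
# or None when the URL is unreachable. It stands in for DNS, TLS and any
# load balancer in front of NDES.
Resolver = Callable[[str, str], Optional[str]]


def make_resolver(backends: Dict[str, List[Optional[str]]]) -> Resolver:
    """Build a resolver from a constructed map of URL -> backend rotation.

    A one-element list models a URL that always reaches the same server, a
    multi-element list models a load balancer that rotates backends on every
    call (the case the page warns about), and [None] models an unreachable URL.
    """
    counters = {url: 0 for url in backends}

    def resolve(url: str, call: str) -> Optional[str]:
        pool = backends[url]
        server = pool[counters[url] % len(pool)]
        counters[url] += 1
        return server

    return resolve


def scep_request(urls: List[str], resolve: Resolver, platform: str,
                 seed: int = 0) -> Dict[str, Optional[str]]:
    """Simulate one policy cycle of a device's SCEP request.

    Android and Windows receive the whole list, randomized, and try URLs in that
    order until one answers; iOS/iPadOS receives a single randomized URL. Once a
    URL answers, the device keeps using it, and all three calls must be answered
    by the same NDES server or the request fails, as the page describes.
    """
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    candidates = list(urls)
    rng.shuffle(candidates)
    if platform == "ios":
        candidates = candidates[:1]
    for url in candidates:
        server = resolve(url, SCEP_CALLS[0])
        if server is None:
            continue  # unreachable: Android/Windows move on to the next URL
        for call in SCEP_CALLS[1:]:
            answered_by = resolve(url, call)
            if answered_by != server:
                return {"status": "failed", "url": url, "server": server,
                        "reason": f"{call} answered by {answered_by}, expected {server}"}
        return {"status": "issued", "url": url, "server": server, "reason": None}
    return {"status": "failed", "url": None, "server": None,
            "reason": "no NDES server reachable"}


def policy_cycles(urls: List[str], resolve: Resolver, platform: str,
                  cycles: int = 3) -> List[str]:
    """Retry on successive policy cycles, as the page says a device does after a
    failed request; returns the outcome of each cycle."""
    outcomes = []
    for cycle in range(cycles):
        result = scep_request(urls, resolve, platform, seed=cycle)
        outcomes.append(result["status"])
        if result["status"] == "issued":
            break
    return outcomes


if __name__ == "__main__":
    # Constructed sample: one direct NDES URL and one load-balanced URL whose
    # balancer alternates backends per call, which the page says will fail.
    direct = {"https://ndes1.contoso.com/certsrv/mscep/mscep.dll": ["ndes1"]}
    rotating = {"https://ndes.contoso.com/certsrv/mscep/mscep.dll": ["ndes1", "ndes2"]}
    print(scep_request(list(direct), make_resolver(direct), "windows"))
    print(policy_cycles(list(rotating), make_resolver(rotating), "android"))
```

A rotating balancer fails on every cycle because the second call lands on a different backend; session persistence on the balancer or direct per-server URLs is what makes the three calls succeed.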

8. This step applies only to Android Enterprise device profiles for Fully Managed,
Dedicated, and Corporate-Owned Work Profile.

In Apps, configure Certificate access to manage how certificate access is granted
to applications. Choose from:

Require user approval for apps (default) – Users must approve use of a
certificate by all applications.
Grant silently for specific apps (require user approval for other apps) – With
this option, select Add apps, and then select one or more apps that will
silently use the certificate without user interaction.

9. Select Next.

10. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

11. (Applies to Windows 10/11 only) In Applicability Rules, specify applicability rules to
refine the assignment of this profile. You can choose to assign or not assign the
profile based on the OS edition or version of a device.

For more information, see Applicability rules in Create a device profile in Microsoft
Intune.

12. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Avoid certificate signing requests with escaped special
characters
There's a known issue for SCEP and PKCS certificate requests that include a Subject
Name (CN) with one or more of the following special characters as an escaped
character. Subject names that include one of the special characters as an escaped
character result in a CSR with an incorrect subject name. An incorrect subject name
results in the Intune SCEP challenge validation failing and no certificate being issued.

The special characters are:

+
,
;
=

When your subject name includes one of the special characters, use one of the following
options to work around this limitation:

Encapsulate the CN value that contains the special character with quotes.
Remove the special character from the CN value.

For example, you have a Subject Name that appears as Test User (TestCompany, LLC). A
CSR that includes a CN that has the comma between TestCompany and LLC presents a
problem. The problem can be avoided by placing quotes around the entire CN, or by
removing the comma from between TestCompany and LLC:

Add quotes: CN="Test User (TestCompany, LLC)",OU=UserAccounts,DC=corp,DC=contoso,DC=com
Remove the comma: CN=Test User (TestCompany LLC),OU=UserAccounts,DC=corp,DC=contoso,DC=com

However, attempts to escape the comma by using a backslash character will fail with an
error in the CRP logs:

Escaped comma: CN=Test User (TestCompany\, LLC),OU=UserAccounts,DC=corp,DC=contoso,DC=com

The error is similar to the following error:

Subject Name in CSR CN="Test User (TESTCOMPANY\, LLC),OU=UserAccounts,DC=corp,DC=contoso,DC=com" and challenge CN=Test User (TESTCOMPANY\, LLC),OU=UserAccounts,DC=corp,DC=contoso,DC=com do not match

Exception: System.ArgumentException: Subject Name in CSR and challenge do not match

at Microsoft.ConfigurationManager.CertRegPoint.ChallengeValidation.ValidationPhase3(PKCSDecodedObject pkcsObj, CertEnrollChallenge challenge, String templateName, Int32 skipSANCheck)

Exception: at Microsoft.ConfigurationManager.CertRegPoint.ChallengeValidation.ValidationPhase3(PKCSDecodedObject pkcsObj, CertEnrollChallenge challenge, String templateName, Int32 skipSANCheck)

at Microsoft.ConfigurationManager.CertRegPoint.Controllers.CertificateController.VerifyRequest(VerifyChallengeParams value
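The variable substitution from the Subject name format sections and the CN special-character workarounds from this section, as an added example written for this page (not Intune's own code). It assumes user and device attributes arrive as a plain dictionary, treats any backslash in a subject as the escaped-character case, and uses constructed sample values.

```python
import re
from typing import Dict, List, Tuple

# Characters the page lists as problematic when escaped inside a CN.
SPECIAL_CHARS = "+,;="
VAR_PATTERN = re.compile(r"\{\{([A-Za-z_]+)\}\}")


def render_subject(fmt: str, attributes: Dict[str, str]) -> str:
    """Substitute every {{Variable}} in an Intune subject or SAN format string.

    A device must support every variable in the profile, so a variable with no
    value (for example {{IMEI}} on a device without an IMEI) raises instead of
    rendering, which is the condition under which the profile fails to install.
    """
    missing = [v for v in VAR_PATTERN.findall(fmt) if not attributes.get(v)]
    if missing:
        raise ValueError(f"profile cannot install, unsupported variables: {missing}")
    return VAR_PATTERN.sub(lambda m: attributes[m.group(1)], fmt)


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split a subject string into (attribute, value) pairs.

    A comma inside a double-quoted value does not end the value, which is why
    quoting the whole CN works. A bare comma inside an unquoted CN ends it early
    and leaves a fragment with no attribute name, returned as ("", fragment): the
    incorrect subject name the page describes. A backslash escape is rejected
    outright because such a CSR fails Intune's SCEP challenge validation.
    """
    if "\\" in subject:
        raise ValueError("escaped character in subject: CSR and challenge will not match")
    rdns, buf, in_quotes = [], [], False
    for ch in subject:
        if ch == '"':
            in_quotes = not in_quotes  # quotes delimit the value and are dropped
        elif ch == "," and not in_quotes:
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()) if sep else ("", rdn))
    return pairs


def cn_of(subject: str) -> str:
    """Return the CN value of a subject, or "" when none is present."""
    return next((v for a, v in parse_subject(subject) if a == "CN"), "")


def needs_workaround(cn_value: str) -> bool:
    """True when a CN value contains a character the page lists as special."""
    return any(c in cn_value for c in SPECIAL_CHARS)


def quote_cn(cn_value: str, rest: str) -> str:
    """Workaround 1 from the page: wrap the whole CN value in double quotes."""
    return f'CN="{cn_value}",{rest}'


def strip_special_cn(cn_value: str, rest: str) -> str:
    """Workaround 2 from the page: remove the special characters from the CN value."""
    cleaned = "".join(c for c in cn_value if c not in SPECIAL_CHARS)
    return f"CN={cleaned},{rest}"


if __name__ == "__main__":
    # Constructed sample values mirroring the page's example.
    rest = "OU=UserAccounts,DC=corp,DC=contoso,DC=com"
    cn = "Test User (TestCompany, LLC)"
    print(parse_subject(quote_cn(cn, rest)))      # CN kept whole
    print(parse_subject(f"CN={cn},{rest}"))       # CN split at the bare comma
    print(render_subject("CN={{UserName}},E={{EmailAddress}},OU=Mobile",
                         {"UserName": "jdoe", "EmailAddress": "jdoe@contoso.com"}))
```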

Assign the certificate profile

Assign SCEP certificate profiles the same way you deploy device profiles for other
purposes.

Important

To use a SCEP certificate profile, a device must have also received the trusted
certificate profile that provisions it with your Trusted Root CA certificate. We
recommend you deploy both the trusted root certificate profile and SCEP certificate
profile to the same groups.

Consider the following before you continue:

When you assign SCEP certificate profiles to groups, the Trusted Root CA certificate
file (as specified in the trusted certificate profile) is installed on the device. The
device uses the SCEP certificate profile to create a certificate request for that
Trusted Root CA certificate.

The SCEP certificate profile installs only on devices that run the platform you
specified when you created the certificate profile.

You can assign certificate profiles to user collections or to device collections.

To publish a certificate to a device quickly after the device enrolls, assign the
certificate profile to a user group rather than to a device group. If you assign to a
device group, a full device registration is required before the device receives
policies.

If you use co-management for Intune and Configuration Manager, in Configuration
Manager set the workload slider for Resource Access Policies to Intune or Pilot
Intune. This setting allows Windows 10/11 clients to start the process of requesting
the certificate.

Note

On iOS/iPadOS devices, when a SCEP certificate profile or a PKCS certificate
profile is associated with an additional profile, like a Wi-Fi or VPN profile, the
device receives a certificate for each of those additional profiles. This results in
the iOS/iPadOS device having multiple certificates delivered by the SCEP or
PKCS certificate request.

Certificates delivered by SCEP are each unique. Certificates delivered by PKCS
are the same certificate, but appear different as each profile instance is
represented by a separate line in the management profile.
On iOS 13 and macOS 10.15, there are some additional security requirements
that are documented by Apple to take into consideration.

Next steps
Assign profiles

Troubleshoot deployment of SCEP certificate profiles


Add partner certification authority in
Intune using SCEP
Article • 03/07/2023

Use third-party certification authorities (CA) with Intune. Third-party CAs can provision
mobile devices with new or renewed certificates by using the Simple Certificate
Enrollment Protocol (SCEP), and can support Windows, iOS/iPadOS, Android, and
macOS devices.

There are two parts to using this feature: the open-source API, and the Intune
administrator tasks.

Part 1 - Use an open-source API

Microsoft created an API to integrate with Intune. Through the API you can validate
certificates, send success or failure notifications, and use SSL, specifically SSL socket
factory, to communicate with Intune.

The API is available on the Intune SCEP API public GitHub repository for you to
download, and use in your solutions. Use this API with third-party SCEP servers to run
custom challenge validation against Intune before SCEP provisions a certificate to a
device.

Integrate with Intune SCEP management solution provides more details on using the
API, its methods, and testing the solution you build.

Part 2 - Create the application and profile

Using an Azure Active Directory (Azure AD) application, you can delegate rights to
Intune to handle SCEP requests coming from devices. The Azure AD application includes
application ID and authentication key values that are used within the API solution the
developer creates. Administrators then create and deploy SCEP certificates profiles using
Intune and can view reports on the deployment status on the devices.

This article provides an overview of this feature from an administrator's perspective,
including creating the Azure AD application.

Overview
The following steps provide an overview of using SCEP for certificates in Intune:

1. In Intune, an administrator creates a SCEP certificate profile, and then targets the
profile to users or devices.
2. The device checks in to Intune.
3. Intune creates a unique SCEP challenge. It also adds additional integrity-check
information, such as what the expected subject and SAN should be.
4. Intune encrypts and signs both the challenge and integrity-check information, and
then sends this information to the device with the SCEP request.
5. The device generates a certificate signing request (CSR) and public/private key pair
on the device based on the SCEP certificate profile that's pushed from Intune.
6. The CSR and encrypted/signed challenge are sent to the third-party SCEP server
endpoint.
7. The SCEP server sends the CSR and the challenge to Intune. Intune then validates
the signature, decrypts the payload, and compares the CSR to the integrity-check
information.
8. Intune sends back a response to the SCEP server, and states whether the challenge
validation is successful or not.
9. If the challenge is successfully verified, then the SCEP server issues the certificate to
the device.
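The challenge flow in steps 3 through 9, as an added simulation written for this page (not the Intune SCEP API's code). It assumes an HMAC tag stands in for Intune's signature and omits the encryption step, represents the CSR as a plain dictionary, and adds one-time use of each challenge as an assumption drawn from the page's description of the challenge as unique.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Set, Tuple

# Constructed key standing in for Intune's signing key. Only Intune holds it; the
# third-party SCEP server never validates a challenge itself (steps 7 and 8).
INTUNE_KEY = b"constructed-demo-key-not-a-real-secret"

# Nonces already accepted. The page calls the challenge unique; rejecting a
# replayed challenge is an added assumption of this simulation.
_accepted_nonces: Set[str] = set()


def create_challenge(expected_subject: str, expected_sans: List[str],
                     key: bytes = INTUNE_KEY) -> str:
    """Steps 3 and 4: Intune mints a unique challenge carrying the integrity-check
    information (the subject and SAN the CSR must contain) and signs it.
    The real flow also encrypts the payload; that step is omitted here."""
    payload = {"nonce": secrets.token_hex(16),
               "subject": expected_subject,
               "sans": sorted(expected_sans)}
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def validate_challenge(challenge: str, csr: Dict[str, object],
                       key: bytes = INTUNE_KEY) -> Tuple[bool, str]:
    """Steps 7 and 8: Intune verifies the signature, then compares the CSR with
    the integrity-check information and tells the SCEP server whether to issue."""
    try:
        body_hex, tag = challenge.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False, "malformed challenge"
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return False, "challenge signature invalid"  # tampered, or not minted by Intune
    payload = json.loads(body)
    if payload["nonce"] in _accepted_nonces:
        return False, "challenge already used"
    if csr.get("subject") != payload["subject"]:
        return False, "Subject Name in CSR and challenge do not match"
    if sorted(csr.get("sans", [])) != payload["sans"]:
        return False, "SAN in CSR and challenge do not match"
    _accepted_nonces.add(payload["nonce"])
    return True, "challenge validated"


def scep_server_handle(csr: Dict[str, object], challenge: str) -> Dict[str, object]:
    """Steps 6 to 9 from the third-party SCEP server's side: forward the CSR and
    challenge to Intune and issue only on a successful validation."""
    ok, reason = validate_challenge(challenge, csr)
    return {"issued": ok, "reason": reason}


if __name__ == "__main__":
    # Constructed sample: the profile expects this subject and SAN on the device.
    subject = "CN=jdoe,OU=Mobile,O=Contoso"
    challenge = create_challenge(subject, ["jdoe@contoso.com"])
    csr = {"subject": subject, "sans": ["jdoe@contoso.com"]}  # step 5, as a dict
    print(scep_server_handle(csr, challenge))
```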

The following diagram shows a detailed flow of third-party SCEP integration with Intune:

Set up third-party CA integration

Validate third-party certification authority
Before integrating third-party certification authorities with Intune, confirm that the CA
you're using supports Intune. The Third-party certification authority partners section in
this article includes a list. You can also check your certification authority's guidance for
more information. The CA may include setup instructions specific to their implementation.

Note

To support the following devices, the CA must support the use of an HTTPS URL,
and you must configure an HTTPS URL when you configure SCEP Server URLs for
the SCEP certificate profile:

Android device administrator
Android Enterprise device owner
Android Enterprise corporate-owned work profile
Android Enterprise personally-owned work profile

Authorize communication between CA and Intune

To allow a third-party SCEP server to run custom challenge validation with Intune, create
an app in Azure AD. This app gives delegated rights to Intune to validate SCEP requests.

Be sure you have the required permissions to register an Azure AD app. See Required
permissions, in the Azure AD documentation.

Create an application in Azure Active Directory

1. In the Azure portal , go to Azure Active Directory > App Registrations, and then
select New registration.

2. On the Register an application page, specify the following details:

In the Name section, enter a meaningful application name.
For the Supported account types section, select Accounts in any
organizational directory.
For Redirect URI, leave the default of Web, and then specify the sign-on URL
for the third-party SCEP server.

3. Select Register to create the application and to open the Overview page for the
new app.
4. On the app Overview page, copy the Application (client) ID value and record it for
later use. You'll need this value later.

5. In the navigation pane for the app, go to Certificates & secrets under Manage.
Select the New client secret button. Enter a value in Description, select any option
for Expires, and then choose Add to generate a value for the client secret.

Important

Before you leave this page, copy the value for the client secret and record it
for later use with your third-party CA implementation. This value is not shown
again. Be sure to review the guidance for your third-party CA on how they
want the Application ID, Authentication Key, and Tenant ID configured.

6. Record your Tenant ID. The Tenant ID is the domain text after the @ sign in your
account. For example, if your account is admin@name.onmicrosoft.com, then your
tenant ID is name.onmicrosoft.com.

7. In the navigation pane for the app, go to API permissions, which are under
Manage. You're going to add two separate application permissions:

a. Select Add a permission:

i. On the Request API permissions page, select Intune and then select
Application permissions.
ii. Select the checkbox for scep_challenge_provider (SCEP challenge validation).
iii. Select Add permissions to save this configuration.

b. Select Add a permission again.

i. On the Request API permissions page, select Microsoft Graph > Application
permissions.
ii. Expand Application and select the checkbox for Application.Read.All (Read
all applications).
iii. Select Add permissions to save this configuration.

8. Remain on the API permissions page, and select Grant admin consent for <your
tenant>, and then select Yes.

The app registration process in Azure AD is complete.

Configure and deploy a SCEP certificate profile

As the administrator, create a SCEP certificate profile to target to users or devices. Then,
assign the profile.

Create a SCEP certificate profile

Assign the certificate profile

Removing certificates
When you unenroll or wipe the device, the certificates are removed. The certificates
aren't revoked.

Third-party certification authority partners

The following third-party certification authorities support Intune:

Cogito Group
DigiCert
EJBCA
Entrust
EverTrust
GlobalSign
HID Global
IDnomic
KeyTalk
Keytos
Nexus Certificate Manager
SCEPman
Sectigo
SecureW2
Venafi

If you're a third-party CA interested in integrating your product with Intune, review the
API guidance:

Intune SCEP API GitHub repository
Intune SCEP API guidance for third party CAs

See also
Configure certificate profiles
Intune SCEP API GitHub repository
Intune SCEP API guidance for third party CAs
Configure and use PKCS certificates with
Intune
Article • 08/23/2023

Microsoft Intune supports the use of private and public key pair (PKCS) certificates. This
article reviews what's required to use PKCS certificates with Intune, including exporting
a PKCS certificate and then adding it to an Intune device configuration profile.

Microsoft Intune includes built-in settings to use PKCS certificates for access and
authentication to your organization's resources. Certificates authenticate and secure
access to your corporate resources like a VPN or a WiFi network. You deploy these
settings to devices using device configuration profiles in Intune.

For information about using imported PKCS certificates, see Imported PFX Certificates.

Tip

PKCS certificate profiles are supported for Windows Enterprise multi-session
remote desktops.

Requirements
To use PKCS certificates with Intune, you'll need the following infrastructure:

Active Directory domain:
All servers listed in this section must be joined to your Active Directory domain.

For more information about installing and configuring Active Directory Domain
Services (AD DS), see AD DS Design and Planning.

Certification Authority:
An Enterprise Certification Authority (CA).

For information on installing and configuring Active Directory Certificate Services
(AD CS), see Active Directory Certificate Services Step-by-Step Guide.

Warning

Intune requires you to run AD CS with an Enterprise Certification Authority
(CA), not a Standalone CA.

A client:
To connect to the Enterprise CA.

Root certificate:
An exported copy of your root certificate from your Enterprise CA.

Certificate Connector for Microsoft Intune:

For information about the certificate connector, see:

Overview of the Certificate Connector for Microsoft Intune.
Prerequisites.
Installation and configuration.

Export the root certificate from the Enterprise CA
To authenticate a device with VPN, WiFi, or other resources, a device needs a root or
intermediate CA certificate. The following steps explain how to get the required
certificate from your Enterprise CA.

Use a command line:

1. Log in to the Root Certification Authority server with an Administrator account.

2. Go to Start > Run, and then enter Cmd to open command prompt.

3. Specify certutil -ca.cert ca_name.cer to export the Root certificate as a file named
ca_name.cer.

Configure certificate templates on the CA

1. Sign in to your Enterprise CA with an account that has administrative privileges.

2. Open the Certification Authority console, right-click Certificate Templates, and
select Manage.

3. Find the User certificate template, right-click it, and choose Duplicate Template to
open Properties of New Template.

Note

For S/MIME email signing and encryption scenarios, many administrators use
separate certificates for signing and encryption. If you're using Microsoft
Active Directory Certificate Services, you can use the Exchange Signature
Only template for S/MIME email signing certificates, and the Exchange User
template for S/MIME encryption certificates. If you're using a 3rd-party
certification authority, it's suggested to review their guidance to set up
signing and encryption templates.

4. On the Compatibility tab:

Set Certification Authority to Windows Server 2008 R2
Set Certificate recipient to Windows 7 / Server 2008 R2

5. On the General tab, set Template display name to something meaningful to you.

Warning

Template name by default is the same as Template display name with no
spaces. Note the template name; you need it later.

6. In Request Handling, select Allow private key to be exported.

Note

Unlike SCEP, with PKCS the certificate private key is generated on the server
where the certificate connector is installed and not on the device. The
certificate template must allow the private key to be exported so that the
connector can export the PFX certificate and send it to the device.

When the certificates install on the device itself, the private key is marked as
not exportable.

7. In Cryptography, confirm that the Minimum key size is set to 2048.

Windows and Android devices support use of a 4096-bit key size with a PKCS
certificate profile. To use this key size, specify 4096 as the Minimum key size.

Note

For Windows devices, 4096-bit key storage is supported only in the Software
Key Storage Provider (KSP). The following do not support storing keys of this
size:
The hardware TPM (Trusted Platform Module). As a workaround you can
use the Software KSP for key storage.
Windows Hello for Business. There is no workaround for Windows Hello
for Business at this time.

8. In Subject Name, choose Supply in the request.

9. In Extensions, confirm that you see Encrypting File System, Secure Email, and Client
Authentication under Application Policies.

Important

For iOS/iPadOS certificate templates, go to the Extensions tab, update Key
Usage, and confirm that Signature is proof of origin isn't selected.

10. In Security:
a. (Required): Add the Computer Account for the server where you install the
Certificate Connector for Microsoft Intune. Allow this account Read and Enroll
permissions.
b. (Optional but recommended): Remove the Domain Users group from the list of
groups or user names allowed permissions on this template by selecting the
Domain Users group and select Remove. Review the other entries in Groups or
user names for permissions and applicability to your environment.

11. Select Apply > OK to save the certificate template. Close the Certificate Templates
Console.

12. In the Certification Authority console, right-click Certificate Templates > New >
Certificate Template to Issue. Choose the template that you created in the
previous steps. Select OK.

13. For the server to manage certificates for enrolled devices and users, use the
following steps:
a. Right-click the Certification Authority, choose Properties.
b. On the security tab, add the Computer account of the server where you run the
connector.
c. Grant Issue and Manage Certificates and Request Certificates Allow
permissions to the computer account.

14. Sign out of the Enterprise CA.

Download, install, and configure the Certificate
Connector for Microsoft Intune
For guidance, see Install and configure the Certificate Connector for Microsoft Intune.

Create a trusted certificate profile

1. Sign in to the Microsoft Intune admin center.

2. Select and go to Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose the platform of the devices that will receive this profile.
Android device administrator
Android Enterprise:
Fully Managed
Dedicated
Corporate-Owned Work Profile
Personally-Owned Work Profile
iOS/iPadOS
macOS
Windows 10/11
Profile: Select Trusted certificate. Or, select Templates > Trusted certificate.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Trusted
certificate profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, specify the .cer file for the Root CA Certificate you
previously exported.

Note
Depending on the platform you chose in Step 3, you may or may not have an
option to choose the Destination store for the certificate.

8. Select Next.

9. In Assignments, select the user or device group(s) that will be assigned the profile.
For more granularity, see Create filters in Microsoft Intune and apply them by
selecting Edit filter.

Plan to deploy this certificate profile to the same groups that receive the PKCS
certificate profile, and that receive a configuration profile like a Wi-Fi profile that
makes use of the certificate. For more information on assigning profiles, see Assign
user and device profiles.

Select Next.

10. (Applies to Windows 10/11 only) In Applicability Rules, specify applicability rules to
refine the assignment of this profile. You can choose to assign or not assign the
profile based on the OS edition or version of a device.

For more information, see Applicability rules in Create a device profile in Microsoft
Intune.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Create a PKCS certificate profile


1. Sign in to the Microsoft Intune admin center.

2. Select and go to Devices > Configuration profiles > Create profile.

3. Enter the following properties:

   Platform: Choose the platform of your devices. Your options:
      Android device administrator
      Android Enterprise:
         Fully Managed
         Dedicated
         Corporate-Owned Work Profile
         Personally-Owned Work Profile
      iOS/iPadOS
      macOS
      Windows 10/11
   Profile: Select PKCS certificate. Or, select Templates > PKCS certificate.

Note

On devices with an Android Enterprise profile, certificates installed using a
PKCS certificate profile are not visible on the device. To confirm successful
certificate deployment, check the status of the profile in the Intune admin
center.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is PKCS
profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, the settings you can configure depend on the platform
you chose. Select your platform for detailed settings:

   Android device administrator
   Android Enterprise
   iOS/iPadOS
   Windows 10/11

Setting: Renewal threshold (%)
Platform: All
Details: Recommended is 20%.

Setting: Certificate validity period
Platform: All
Details: If you didn't change the certificate template, this option may be set to
one year. Use a validity period of five days or up to 24 months. When the validity
period is less than five days, there's a high likelihood of the certificate entering
a near-expiry or expired state, which can cause the MDM agent on devices to reject
the certificate before it's installed.

Setting: Key storage provider (KSP)
Platform: Windows 10/11
Details: For Windows, select where to store the keys on the device.

Setting: Certification authority
Platform: All
Details: Displays the internal fully qualified domain name (FQDN) of your Enterprise CA.

Setting: Certification authority name
Platform: All
Details: Lists the name of your Enterprise CA, such as "Contoso Certification Authority".

Setting: Certificate template name
Platform: All
Details: Lists the name of your certificate template.

Setting: Certificate type
Platform: Android Enterprise (Corporate-Owned and Personally-Owned Work Profile), iOS,
macOS, Windows 10/11
Details: Select a type:
   User certificates can contain both user and device attributes in the subject and
   subject alternative name (SAN) of the certificate.
   Device certificates can only contain device attributes in the subject and SAN of
   the certificate. Use Device for scenarios such as user-less devices, like kiosks
   or other shared devices.
   This selection affects the Subject name format.

Setting: Subject name format
Platform: All
Details: For details on how to configure the subject name format, see Subject name
format later in this article. For the following platforms, the Subject name format
is determined by the certificate type: Android Enterprise (Work Profile), iOS, macOS,
Windows 10/11.

Setting: Subject alternative name
Platform: All
Details: For Attribute, select User principal name (UPN) unless otherwise required,
configure a corresponding Value, and then select Add. You can use variables or
static text for the SAN of both certificate types. Use of a variable isn't required.
For more information, see Subject name format later in this article.

Setting: Extended key usage
Platform: Android device administrator, Android Enterprise (Device Owner,
Corporate-Owned and Personally-Owned Work Profile), Windows 10/11
Details: Certificates usually require Client Authentication so that the user or
device can authenticate to a server.

Setting: Allow all apps access to private key
Platform: macOS
Details: Set to Enable to give apps that are configured for the associated mac
device access to the PKCS certificate's private key. For more information on this
setting, see AllowAllAppsAccess in the Certificate Payload section of Configuration
Profile Reference in the Apple developer documentation.

Setting: Root Certificate
Platform: Android device administrator, Android Enterprise (Device Owner,
Corporate-Owned and Personally-Owned Work Profile)
Details: Select a root CA certificate profile that was previously assigned.

8. This step applies only to Android Enterprise device profiles for Fully Managed,
Dedicated, and Corporate-Owned Work Profile.

In Apps, configure Certificate access to manage how certificate access is granted
to applications. Choose from:

Require user approval for apps (default) – Users must approve use of a
certificate by all applications.
Grant silently for specific apps (require user approval for other apps) – With
this option, select Add apps, and then select one or more apps that will
silently use the certificate without user interaction.

9. Select Next.

10. In Assignments, select the users or groups that will receive your profile. Plan to
deploy this certificate profile to the same groups that receive the trusted certificate
profile, and that receive a configuration profile like a Wi-Fi profile that makes use
of the certificate. For more information on assigning profiles, see Assign user and
device profiles.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Subject name format


When you create a PKCS certificate profile for the following platforms, options for the
subject name format depend on the Certificate type you select, either User or Device.

Platforms:

Android Enterprise (Corporate-Owned and Personally-Owned Work Profile)
iOS
macOS
Windows 10/11

Note

There is a known issue for using PKCS to get certificates, which is the same issue as
seen for SCEP, when the subject name in the resulting Certificate Signing Request
(CSR) includes one of the following characters as an escaped character (preceded
by a backslash \):

+
;
,
=

Note

Beginning with Android 12, Android no longer supports use of the following
hardware identifiers for personally-owned work profile devices:

Serial number
IMEI
MEID

Intune certificate profiles for personally-owned work profile devices that rely on
these variables in the subject name or SAN will fail to provision a certificate on
devices that run Android 12 or later at the time the device enrolled with Intune.
Devices that enrolled prior to upgrade to Android 12 can still receive certificates so
long as Intune previously obtained the device's hardware identifiers.

For more information about this and other changes introduced with Android 12,
see the Android Day Zero Support for Microsoft Endpoint Manager blog post.

User certificate type


Format options for the Subject name format include two variables: Common Name
(CN) and Email (E). Email (E) would usually be set with the {{EmailAddress}}
variable. For example: E={{EmailAddress}}

Common Name (CN) can be set to any of the following variables:

CN={{UserName}}: The user name of the user, such as Jane Doe.

CN={{UserPrincipalName}}: The user principal name of the user, such as
janedoe@contoso.com.

CN={{AAD_Device_ID}}: An ID assigned when you register a device in Azure
Active Directory (AD). This ID is typically used to authenticate with Azure AD.

CN={{DeviceId}}: An ID assigned when you enroll a device in Intune.

CN={{SERIALNUMBER}}: The unique serial number (SN) typically used by the
manufacturer to identify a device.

CN={{IMEINumber}}: The International Mobile Equipment Identity (IMEI) unique
number used to identify a mobile phone.

CN={{OnPrem_Distinguished_Name}}: A sequence of relative distinguished
names separated by commas, such as
CN=Jane Doe,OU=UserAccounts,DC=corp,DC=contoso,DC=com.

To use the {{OnPrem_Distinguished_Name}} variable, be sure to sync the
onpremisesdistinguishedname user attribute to your Azure AD using Azure AD
Connect.

CN={{onPremisesSamAccountName}}: Admins can sync the samAccountName
attribute from Active Directory to Azure AD using Azure AD Connect into an
attribute called onPremisesSamAccountName. Intune can substitute that variable
as part of a certificate issuance request in the subject of a certificate. The
samAccountName attribute is the user sign-in name used to support clients and
servers from a previous version of Windows (pre-Windows 2000). The user sign-in
name format is: DomainName\testUser, or only testUser.

To use the {{onPremisesSamAccountName}} variable, be sure to sync the
onPremisesSamAccountName user attribute to your Azure AD using Azure AD
Connect.

All device variables listed in the following Device certificate type section can also be
used in user certificate subject names.

By using a combination of one or many of these variables and static text strings,
you can create a custom subject name format, such as:
CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US

That example includes a subject name format that uses the CN and E variables, and
strings for Organizational Unit, Organization, Location, State, and Country values.
The CertStrToName function documentation describes this string format and its
supported strings.

User attributes aren't supported for devices that don't have user associations, such
as devices that are enrolled as Android Enterprise dedicated. For example, a profile
that uses CN={{UserPrincipalName}} in the subject or SAN can't get the user
principal name when there isn't a user on the device.

Device certificate type


Format options for the Subject name format include the following variables:

{{AAD_Device_ID}}
{{DeviceId}} - This is the Intune device ID
{{Device_Serial}}
{{Device_IMEI}}
{{SerialNumber}}
{{IMEINumber}}
{{AzureADDeviceId}}
{{WiFiMacAddress}}
{{IMEI}}
{{DeviceName}}
{{FullyQualifiedDomainName}} (Only applicable for Windows and domain-joined
devices)
{{MEID}}

You can specify these variables, followed by the text for the variable, in the textbox.
For example, the common name for a device named Device1 can be added as
CN={{DeviceName}}Device1.

Important

When you specify a variable, enclose the variable name in curly brackets { }
as seen in the example, to avoid an error.

Device properties used in the subject or SAN of a device certificate, like
IMEI, SerialNumber, and FullyQualifiedDomainName, are properties that
could be spoofed by a person with access to the device.

A device must support all variables specified in a certificate profile for that
profile to install on that device. For example, if {{IMEI}} is used in the
subject name of a SCEP profile and is assigned to a device that doesn't
have an IMEI number, the profile fails to install.
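As an added illustration that is not part of the Intune documentation, the PowerShell function below expands a subject name format against a constructed set of user and device attributes and reports the two conditions the preceding sections say break issuance: a variable the device cannot supply (the profile then fails to install) and a value containing one of the characters +, ;, , or = that ends up backslash-escaped in the CSR subject. It covers both the user and the device variable lists above. The attribute values, the hashtable layout and the function name are assumptions made for the demo; this is not how Intune itself performs substitution.

```powershell
# Added example (not code from the Intune documentation): expand an Intune subject
# name format against a constructed attribute set and flag the two failure modes the
# article describes. All attribute values below are placeholders.

function Expand-IntuneSubjectName {
    param(
        [Parameter(Mandatory)] [string]    $Format,      # e.g. 'CN={{UserName}},E={{EmailAddress}}'
        [Parameter(Mandatory)] [hashtable] $Attributes   # variable name -> value; $null = not available
    )
    $missing  = [System.Collections.Generic.List[string]]::new()
    $escaped  = [System.Collections.Generic.List[string]]::new()
    $expanded = $Format

    # Only {{Name}} tokens are variables. A single-brace {Name} is left alone and
    # would reach the CA as literal text, which is the error the Important note warns about.
    foreach ($m in [regex]::Matches($Format, '\{\{(\w+)\}\}')) {
        $name = $m.Groups[1].Value
        if (-not $Attributes.ContainsKey($name) -or [string]::IsNullOrEmpty($Attributes[$name])) {
            $missing.Add($name)   # the device/user cannot supply it: the profile will not install
            continue
        }
        $value = [string]$Attributes[$name]
        # These characters are backslash-escaped in the CSR subject (RFC 4514) and
        # trigger the known PKCS/SCEP issuance issue described earlier.
        if ($value -match '[+;,=]') { $escaped.Add("$name='$value'") }
        $expanded = $expanded.Replace($m.Value, $value)
    }

    [pscustomobject]@{
        Format           = $Format
        SubjectName      = $expanded
        MissingVariables = $missing.ToArray()
        EscapedValues    = $escaped.ToArray()
        Deployable       = ($missing.Count -eq 0 -and $escaped.Count -eq 0)
    }
}

# Constructed attribute set for one user-associated device (no cellular modem, so no IMEI).
$device = @{
    UserName          = 'Jane Doe'
    UserPrincipalName = 'janedoe@contoso.com'
    EmailAddress      = 'janedoe@contoso.com'
    DeviceName        = 'Device1'
    SerialNumber      = 'SN0001'
    IMEI              = $null
}
# Same device, but the directory display name contains a comma.
$deviceWithComma = $device.Clone()
$deviceWithComma.UserName = 'Doe, Jane'

$checks = @(
    # The article's own example format: expands cleanly.
    Expand-IntuneSubjectName -Format 'CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US' -Attributes $device
    # A device variable this device cannot supply: the profile would fail to install.
    Expand-IntuneSubjectName -Format 'CN={{IMEI}}' -Attributes $device
    # A user value containing a comma: hits the escaped-character issue.
    Expand-IntuneSubjectName -Format 'CN={{UserName}},O=Contoso' -Attributes $deviceWithComma
)
$checks | Format-List Format, SubjectName, MissingVariables, EscapedValues, Deployable
```

Running the checks against the attribute set you expect on a target device, before assigning the profile, turns the two failure modes from a device-side "profile failed" status into something you can see in a console.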

Next steps
Use SCEP for certificates
Issue PKCS certificates from a Symantec PKI manager web service.
Troubleshoot PKCS certificate profiles

Configure and use imported PKCS certificates with Intune
Article • 04/27/2023

Microsoft Intune supports the use of imported public key pair (PKCS) certificates,
commonly used for S/MIME encryption with Email profiles. Certain email profiles in
Intune support an option to enable S/MIME where you can define an S/MIME signing
certificate and an S/MIME encryption certificate.

Important

As announced in this Microsoft Tech Community blog, support for Azure Active
Directory Authentication Library (ADAL) ends in December 2022. For your
PowerShell scripts or custom code to continue to work to import user PFX
certificates to Intune, they must be updated to leverage Microsoft Authentication
Library (MSAL). Additionally, the global Intune application ID should be updated
with the unique Application (client) ID assigned to your app after registering it in
Azure Active Directory (Azure AD) to prevent future authentication issues.

On GitHub, the sample PowerShell script to help simplify importing PFX certificates
has been updated to reference MSAL and the Azure AD Application (client) ID.
Script samples in this article are also updated where applicable.

For more information, view the PFXImport PowerShell Project readme file on
GitHub, and download the updated sample script.

S/MIME encryption is challenging because email is encrypted with a specific certificate:

You must have the private key of the certificate that encrypted the email on the
device where you're reading the email so it can be decrypted.
Before a certificate on a device expires, you should import a new certificate so
devices can continue to decrypt new email. Renewal of these certificates isn't
supported.
Encryption certificates are renewed regularly, which means that you might want to
keep past certificates on your devices, to ensure that older email can continue to be
decrypted.

Because the same certificate needs to be used across devices, it's not possible to use
SCEP or PKCS certificate profiles for this purpose, as those certificate delivery
mechanisms deliver unique certificates per device.

For more information about using S/MIME with Intune, see Use S/MIME to encrypt email.

Supported platforms
Intune supports import of PFX certificates for the following platforms:

Android device administrator
Android Enterprise:
   Fully Managed
   Corporate-Owned Work Profile
   Personally-Owned Work Profile
iOS/iPadOS
macOS
Windows 10/11

Requirements
To use imported PKCS certificates with Intune, you'll need the following infrastructure:

Certificate Connector for Microsoft Intune:

The certificate connector handles requests for PFX files imported to Intune for
S/MIME email encryption for a specific user. Ensure that each connector you install
has access to the private key that is used to encrypt the passwords of the uploaded
PFX files.

For information about the certificate connector, see:

Overview of the Certificate Connector for Microsoft Intune.
Prerequisites.
Installation and configuration.

Windows Server:

The certificate connector installs on a Windows Server that meets the connector's
prerequisites.

Visual Studio 2015 or above (optional):

You use Visual Studio to build the helper PowerShell module with cmdlets for
importing PFX certificates to Microsoft Intune. To get the helper PowerShell
cmdlets, see PFXImport PowerShell Project in GitHub.

How it works

When you use Intune to deploy an imported PFX certificate to a user, there are two
components at play in addition to the device:

Intune Service: Stores the PFX certificates in an encrypted state and handles the
deployment of the certificate to the user device. The passwords protecting the
private keys of the certificates are encrypted before they're uploaded using either a
hardware security module (HSM) or Windows Cryptography, ensuring that Intune
can't access the private key at any time.

Certificate Connector for Microsoft Intune: When a device requests a PFX
certificate that was imported to Intune, the encrypted password, the certificate,
and the device's public key are sent to the connector. The connector decrypts the
password using the on-premises private key, and then re-encrypts the password
(and any plist profiles if using iOS) with the device key before sending the
certificate back to Intune. Intune then delivers the certificate to the device, and the
device decrypts it with the device's private key and installs the certificate.
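To make the division of keys concrete, here is an added PowerShell model of the exchange described above; it is not Intune's or the connector's code. Three parties hold three different keys, and the party modelled as the Intune service only ever holds the on-premises public key, so the wrapped PFX password is opaque to it. The model uses .NET RSACng with OAEP-SHA256 (the oaepSha256 padding option listed later in this article) and therefore runs on Windows PowerShell 5.1 or PowerShell 7 on Windows; the key sizes, the sample password and the function names are constructed for the demo.

```powershell
# Added example, not Intune's implementation: a local model of the import/delivery
# exchange. Keys, the sample password and names are constructed for the demo.
using namespace System.Security.Cryptography
using namespace System.Text

function New-PublicOnlyCopy {
    # Simulates "only the public half leaves the machine".
    param($Key)
    $pub = [RSACng]::new()
    $pub.ImportParameters($Key.ExportParameters($false))
    return $pub
}

function Invoke-PfxPasswordWrapDemo {
    $padding = [RSAEncryptionPadding]::OaepSHA256

    # Admin side: the on-premises key pair (a Windows KSP key or HSM key in production).
    $onPremKey = [RSACng]::new(2048)
    $onPremPub = New-PublicOnlyCopy $onPremKey
    # Device side: each enrolled device has its own key pair.
    $deviceKey = [RSACng]::new(2048)
    $devicePub = New-PublicOnlyCopy $deviceKey

    # Import step: the PFX password is wrapped with the on-premises PUBLIC key before upload.
    $pfxPassword = 'constructed-demo-password'
    $wrappedForConnector = $onPremPub.Encrypt([Encoding]::UTF8.GetBytes($pfxPassword), $padding)

    # Intune service: stores only the wrapped blob. It holds no private key, so any
    # attempt to unwrap fails; we model that by giving it only $onPremPub.
    $intuneCanRead = $true
    try   { $null = $onPremPub.Decrypt($wrappedForConnector, $padding) }
    catch { $intuneCanRead = $false }

    # Connector: receives the wrapped password and the device's public key, unwraps with
    # the on-premises PRIVATE key, and immediately re-wraps for the requesting device.
    $clear = $onPremKey.Decrypt($wrappedForConnector, $padding)
    $wrappedForDevice = $devicePub.Encrypt($clear, $padding)
    [Array]::Clear($clear, 0, $clear.Length)   # don't leave the clear password in memory

    # Device: unwraps with its own private key and can now open the PFX.
    $recovered = [Encoding]::UTF8.GetString($deviceKey.Decrypt($wrappedForDevice, $padding))

    foreach ($k in $onPremKey, $onPremPub, $deviceKey, $devicePub) { $k.Dispose() }

    [pscustomobject]@{
        IntuneCanReadPassword   = $intuneCanRead                 # whether the service could unwrap it
        DeviceRecoveredPassword = ($recovered -eq $pfxPassword)  # whether the device got the password back
    }
}

Invoke-PfxPasswordWrapDemo
```

The point the model makes is the one the article's requirement rests on: every connector must have the on-premises private key, because that key, and only that key, can turn the blob Intune stores into something a device can use.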

Import PFX Certificates to Intune

You use Microsoft Graph to import your users' PFX certificates into Intune. The helper
PFXImport PowerShell Project at GitHub provides you with cmdlets to do the
operations with ease.

If you prefer to use your own custom solution using Graph, use the userPFXCertificate
resource type.

Build 'PFXImport PowerShell Project' cmdlets

To make use of the PowerShell cmdlets, you build the project yourself using Visual
Studio. The process is straightforward, and while it can run on the server, we
recommend you run it on your workstation.

1. Go to the root of the Intune-Resource-Access repository on GitHub, and then
either download or clone the repository with Git to your machine.

2. Go to .\Intune-Resource-Access-develop\src\PFXImportPowershell\ and open the
project with Visual Studio using the file PFXImportPS.sln.

3. On the top, change from Debug to Release.

4. Go to Build and select Build PFXImportPS. In a few moments, you'll see the Build
succeeded confirmation at the bottom left of Visual Studio.

5. The build process creates a new folder with the PowerShell Module at
.\Intune-Resource-Access-develop\src\PFXImportPowershell\PFXImportPS\bin\Release.

You'll use this Release folder for the next steps.

Create the encryption Public Key


You import PFX Certificates and their private keys to Intune. The password protecting
the private key is encrypted with a public key that is stored on-premises. You can use
either Windows cryptography, a hardware security module, or another type of
cryptography to generate and store the public/private key pairs. Depending on the type
of cryptography used, the public/private key pair can be exported in a file format for
backup purposes.

The PowerShell module provides methods to create a key using Windows cryptography.
You can also use other tools to create a key.

To create the encryption key using Windows cryptography

1. Copy the Release folder that's created by Visual Studio to the server where you
installed the Certificate Connector for Microsoft Intune. This folder contains the
PowerShell module.

2. On the server, open PowerShell as an Administrator and then navigate to the
Release folder that contains the PowerShell module.

3. To import the module, run Import-Module .\IntunePfxImport.psd1

4. Next, run Add-IntuneKspKey -ProviderName "Microsoft Software Key Storage
Provider" -KeyName "PFXEncryptionKey"

Tip

The provider you use must be selected again when you import PFX
Certificates. You can use the Microsoft Software Key Storage Provider,
although it is supported to use a different provider. The key name is also
provided as an example, and you can use a different key name of your choice.

If you plan to import the certificate from your workstation, you can export this key
to a file with the following command:
Export-IntunePublicKey -ProviderName "<ProviderName>" -KeyName "<KeyName>" -FilePath "<File path\Filename.PFX>"

The private key must be imported on each server that hosts the Certificate
Connector for Microsoft Intune so that imported PFX certificates can be processed
successfully.

To use a hardware security module (HSM)


You can use a hardware security module (HSM) to generate and store the public/private
key pair. For more information, see the HSM provider's documentation.

Import PFX Certificates

The following process uses the PowerShell cmdlets as an example of how to import the
PFX certificates. You can pick different options depending on your requirements.

Options include:

Intended Purpose (groups certificates together based on a tag):
   unassigned
   smimeEncryption
   smimeSigning

Padding Scheme:
   oaepSha256
   oaepSha384
   oaepSha512

Select the Key Storage Provider that matches the provider you used to create the key.

To import the PFX certificate


1. Export the certificates from any Certification Authority (CA) by following the
documentation from the provider. For Microsoft Active Directory Certificate
Services, you can use this sample script.

2. On the server, open PowerShell as an Administrator and then navigate to the
Release folder that contains the PowerShell module IntunePfxImport.psd1.

Note

The following changes must be made for GCC High and DoD tenants prior to
running IntunePfxImport.psd1.

Use a text editor or PowerShell ISE to edit the file, which updates the service
endpoints for the GCC High environment. Notice that these updates change
the URIs from .com to .us suffixes. There are a total of two updates within
IntunePfxImport.psd1: one for AuthURI and the second for GraphURI:

    PrivateData = @{
        AuthURI       = "login.microsoftonline.us"
        GraphURI      = "https://graph.microsoft.us"
        SchemaVersion = "beta"
        ClientId      = "00000000-0000-0000-0000-000000000000" # Client Id from Azure app registration
        ClientSecret  = ""  # client secret from app registration when using application permissions to authenticate
        TenantId      = "00000000-0000-0000-0000-000000000000" # TenantId is required when using client secret
    }

After saving the changes, restart PowerShell.

3. To import the module, run Import-Module .\IntunePfxImport.psd1

4. To authenticate to Intune Graph, run Set-IntuneAuthenticationToken -AdminUserName "<Admin-UPN>"

Note

As the authentication is run against Graph, you must provide permissions to
the AppID. If it's the first time you've used this utility, a Global administrator is
required. The PowerShell cmdlets use the same AppID as the one used with
PowerShell Intune Samples.

5. Convert the password for each PFX file you're importing to a secure string by
running $SecureFilePassword = ConvertTo-SecureString -String "<PFXPassword>" -AsPlainText -Force

6. To create a UserPFXCertificate object, run
$userPFXObject = New-IntuneUserPfxCertificate -PathToPfxFile "<FullPathPFXToCert>" $SecureFilePassword "<UserUPN>" "<ProviderName>" "<KeyName>" "<IntendedPurpose>"

For example: $userPFXObject = New-IntuneUserPfxCertificate -PathToPfxFile "C:\temp\userA.pfx" $SecureFilePassword "userA@contoso.com" "Microsoft Software Key Storage Provider" "PFXEncryptionKey" "smimeEncryption"

Note

When you import the certificate from a system other than the server where
the connector is installed, you must use the following command that includes
the key file path:
$userPFXObject = New-IntuneUserPfxCertificate -PathToPfxFile "<FullPathToPFX>" $SecureFilePassword "<UserUPN>" "<ProviderName>" "<KeyName>" "<IntendedPurpose>" "<PaddingScheme>" "<File path to public key file>"

VPN is not supported as an IntendedPurpose.

7. Import the UserPFXCertificate object to Intune by running
Import-IntuneUserPfxCertificate -CertificateList $userPFXObject

8. To validate the certificate was imported, run Get-IntuneUserPfxCertificate -UserList "<UserUPN>"

9. As a best practice to clean up the Azure AD token cache without waiting for it to
expire on its own, run Remove-IntuneAuthenticationToken

For more information about other available commands, see the readme file at
PFXImport PowerShell Project at GitHub.
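The following added script strings the import steps above together and also carries the one-time Add-IntuneKspKey / Export-IntunePublicKey step from the key-creation procedure; it is not part of the PFXImport PowerShell Project. It assumes you run it from the Release folder that contains IntunePfxImport.psd1 and that you keep a manifest CSV with the columns UserUpn, PfxPath and IntendedPurpose. The manifest layout, the default UPN, the file paths and the -CreateKey switch are this example's own; the array forms of -CertificateList and -UserList are assumed from the parameter names shown in the steps and are flagged in the code.

```powershell
# Added example: a wrapper around the cmdlets shown in the steps above, not part of
# the PFXImport PowerShell Project itself. Run from the Release folder that holds
# IntunePfxImport.psd1. The manifest CSV (columns UserUpn, PfxPath, IntendedPurpose)
# and every default path and UPN below are constructed placeholders.
[CmdletBinding()]
param(
    [string] $ManifestPath  = '.\pfx-manifest.csv',
    [string] $AdminUpn      = 'admin@contoso.com',
    [string] $ProviderName  = 'Microsoft Software Key Storage Provider',
    [string] $KeyName       = 'PFXEncryptionKey',
    [string] $PaddingScheme = 'oaepSha256',
    [string] $PublicKeyFile = '',      # set only when importing from a workstation (exported public key)
    [switch] $CreateKey                # one-time step, run on the connector server
)
$ErrorActionPreference = 'Stop'
Import-Module .\IntunePfxImport.psd1

if ($CreateKey) {
    # "Create the encryption Public Key": generate the wrapping key in the KSP, then
    # export the public half if you intend to import from a workstation.
    Add-IntuneKspKey -ProviderName $ProviderName -KeyName $KeyName
    if ($PublicKeyFile) {
        Export-IntunePublicKey -ProviderName $ProviderName -KeyName $KeyName -FilePath $PublicKeyFile
    }
    return
}

# Validate the manifest before touching the tenant: only the three documented purposes
# exist (VPN is not one of them), and every PFX must be present.
$validPurposes = 'unassigned', 'smimeEncryption', 'smimeSigning'
$rows = @(Import-Csv -Path $ManifestPath)
foreach ($row in $rows) {
    if ($row.IntendedPurpose -notin $validPurposes) {
        throw "Unsupported IntendedPurpose '$($row.IntendedPurpose)' for $($row.UserUpn)"
    }
    if (-not (Test-Path -LiteralPath $row.PfxPath -PathType Leaf)) {
        throw "PFX file not found: $($row.PfxPath)"
    }
}
if ($PublicKeyFile -and -not (Test-Path -LiteralPath $PublicKeyFile -PathType Leaf)) {
    throw "Exported public key not found: $PublicKeyFile"
}

Set-IntuneAuthenticationToken -AdminUserName $AdminUpn
try {
    $certObjects = foreach ($row in $rows) {
        # Prompt per file so the PFX password is never stored in the script or the manifest.
        $securePassword = Read-Host -Prompt "Password for $($row.PfxPath)" -AsSecureString
        if ($PublicKeyFile) {
            # Workstation variant: the password is wrapped with the exported public key.
            New-IntuneUserPfxCertificate -PathToPfxFile $row.PfxPath $securePassword $row.UserUpn `
                $ProviderName $KeyName $row.IntendedPurpose $PaddingScheme $PublicKeyFile
        }
        else {
            # Connector-server variant: the key is read from the local KSP.
            New-IntuneUserPfxCertificate -PathToPfxFile $row.PfxPath $securePassword $row.UserUpn `
                $ProviderName $KeyName $row.IntendedPurpose
        }
    }

    # -CertificateList and -UserList are assumed to accept arrays (their names suggest it);
    # if your build of the module rejects that, call them once per item instead.
    Import-IntuneUserPfxCertificate -CertificateList $certObjects

    # Verify: every user in the manifest should now show imported certificates.
    $users = @($rows | ForEach-Object UserUpn | Sort-Object -Unique)
    Get-IntuneUserPfxCertificate -UserList $users
}
finally {
    # Clear the cached token rather than waiting for it to expire on its own.
    Remove-IntuneAuthenticationToken
}
```

Run it once on the connector server with -CreateKey (adding -PublicKeyFile to export the public half), then either on the connector server without -PublicKeyFile or from a workstation with -PublicKeyFile pointing at the exported file. The try/finally ensures the token cache is cleared even when an import fails part-way.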

Create a PKCS imported certificate profile


After importing the certificates to Intune, create a PKCS imported certificate profile, and
assign it to Azure Active Directory groups.

Note

After you create a PKCS imported certificate profile, the Intended Purpose and Key
storage provider (KSP) values in the profile are read-only and can't be edited. If
you need a different value for either of these settings, create and deploy a new
profile.

1. Sign in to the Microsoft Intune admin center.

2. Select and go to Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose the platform of your devices.
Profile: Select PKCS imported certificate. Or, select Templates > PKCS
imported certificate.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is PKCS
imported certificate profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, enter the following properties:

Intended purpose: Specify the intended purpose of the certificates that are
imported for this profile. Administrators can import certificates with different
intended purposes (like S/MIME signing or S/MIME encryption). The intended
purpose selected in the certificate profile matches the certificate profile with
the right imported certificates. Intended purpose is a tag to group imported
certificates together and doesn't guarantee that certificates imported with
that tag will meet the intended purpose.

Key storage provider (KSP): For Windows, select where to store the keys on
the device.

8. This step applies only to Android Enterprise device profiles for Fully Managed,
Dedicated, and Corporate-Owned Work Profile.

In Apps, configure Certificate access to manage how certificate access is granted
to applications. Choose from:

Require user approval for apps (default) – Users must approve use of a
certificate by all applications.
Grant silently for specific apps (require user approval for other apps) – With
this option, select Add apps, and then select one or more apps that will
silently use the certificate without user interaction.

9. Select Next.

10. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

11. (Applies to Windows 10/11 only) In Applicability Rules, specify applicability rules to
refine the assignment of this profile. You can choose to assign or not assign the
profile based on the OS edition or version of a device.

For more information, see Applicability rules in Create a device profile in Microsoft
Intune.

Select Next.

12. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Support for third-party partners


The following partners provide supported methods or tools you can use to import PFX
certificates to Intune.

DigiCert
If you use the DigiCert PKI Platform service, you can use the DigiCert Import Tool for
Intune S/MIME Certificates to import PFX certificates to Intune. Use of this tool replaces
the need to follow the instructions in the section Import PFX Certificates to Intune that's
detailed earlier in this article.

To learn more about the DigiCert Import tool, including how to obtain the tool, see
https://knowledge.digicert.com/tutorials/microsoft-intune.html in the DigiCert
knowledge base.

EverTrust
If you use EverTrust as your PKI solution, standalone or combined with an existing PKI,
you can configure EverTrust Horizon to import PFX certificates to Intune. After you
complete the integration, you won't need to follow the instructions in the section
Import PFX Certificates to Intune that's detailed earlier in this article.

To learn more about EverTrust's integration with Intune, see
https://evertrust.fr/horizon-and-intune-integration/.

KeyTalk
If you use the KeyTalk service, you can configure their service to import PFX certificates
to Intune. After you complete the integration, you won't need to follow the instructions
in the section Import PFX Certificates to Intune that's detailed earlier in this article.

To learn more about KeyTalk's integration with Intune, see https://keytalk.com/support
in the KeyTalk knowledge base.

Next steps
Use SCEP for certificates

Intune UI displays Windows Server devices as distinct from Windows clients for the Security Management for Microsoft Defender for Endpoint scenario

To support the Security Management for Microsoft Defender for Endpoint (MDE security
configuration) scenario, Intune will soon differentiate Windows devices in Azure Active
Directory as either Windows Server for devices that run Windows Server, or as Windows
for devices that run Windows 10 or Windows 11.

With this change, you'll be able to improve policy targeting for Microsoft Defender for
Endpoint security configuration. For example, you'll be able to use dynamic groups that
consist of only Windows Server devices, or only Windows client devices (Windows
10/11).

S/MIME overview to sign and encrypt email in Intune
Article • 02/21/2023

Email certificates, also known as S/MIME certificates, provide extra security to your email
communications by using encryption and decryption. Microsoft Intune can use S/MIME
certificates to sign and encrypt emails to mobile devices running the following
platforms:

Android
iOS/iPadOS
macOS
Windows 10/11

Intune can automatically deliver S/MIME encryption certificates to all platforms. S/MIME
certificates are automatically associated with mail profiles that use the native mail client
on iOS, and with Outlook on iOS and Android devices. For the Windows and macOS
platforms, and for other mail clients on iOS and Android, Intune delivers the certificates
but users must manually enable S/MIME in their mail app and choose their S/MIME
certificates.

For more information about S/MIME email signing and encryption with Exchange, see
S/MIME for message signing and encryption.

This article provides an overview of using S/MIME certificates to sign and encrypt emails
on your devices.

Signing certificates
Certificates used for signing allow the client email app to communicate securely with the
email server.

To use signing certificates, create a template on your certificate authority (CA) that
focuses on signing. On Microsoft Active Directory Certification Authority, Configure the
server certificate template lists the steps to create certificate templates.

Signing certificates in Intune use PKCS certificates. Configure and use PKCS certificates
describes how to deploy and use PKCS certificates in your Intune environment. These
steps include:

Install and configure the Certificate Connector for Microsoft Intune to support
PKCS certificate requests. The connector has the same network requirements as
managed devices.
Create a trusted root certificate profile for your devices. This step includes using
trusted root and intermediate certificates for your certification authority, and then
deploying the profile to devices.
Create a PKCS certificate profile using the certificate template you created. This
profile issues signing certificates to devices, and deploys the PKCS certificate
profile to devices.

You can also import a signing certificate for a specific user. The signing certificate is
deployed across any device that a user enrolls. To import certificates into Intune, use the
PowerShell cmdlets in GitHub. To deploy a PKCS certificate imported in Intune to be
used for email signing, follow the steps in Configure and use PKCS certificates with
Intune. These steps include:

Download, install, and configure the Certificate Connector for Microsoft Intune.
This connector delivers imported PKCS certificates to devices.
Import S/MIME email signing certificates to Intune.
Create a PKCS imported certificate profile. This profile delivers imported PKCS
certificates to the appropriate user's devices.

Encryption certificates
Certificates used for encryption confirm that an encrypted email can only be decrypted
by the intended recipient. S/MIME encryption is an extra layer of security that can be
used in email communications.

When you send an encrypted email to another user, the public key of that user's
encryption certificate is obtained and used to encrypt the email. The recipient
decrypts the email using the private key on their device. Users can have a history of
certificates used to encrypt email. Each of those certificates must be deployed to all of a
specific user's devices so their email is successfully decrypted.

It's recommended that email encryption certificates aren't created in Intune. While
Intune supports issuing PKCS certificates that support encryption, Intune creates a
unique certificate per device. A unique certificate per device isn't ideal for an S/MIME
encryption scenario where the encryption certificate should be shared across all the
user's devices.

To deploy S/MIME certificates using Intune, you must import all of a user's encryption
certificates to Intune. Intune then deploys all of those certificates to each device that a
user enrolls. To import certificates into Intune, use the PowerShell cmdlets in GitHub.

To deploy a PKCS certificate imported in Intune used for email encryption, follow the
steps in Configure and use PKCS certificates with Intune. These steps include:

Install and configure the Certificate Connector for Microsoft Intune. This connector
delivers imported PKCS certificates to devices.
Import S/MIME email encryption certificates to Intune.
Create a PKCS imported certificate profile. This profile delivers imported PKCS
certificates to the appropriate user's devices.

Note

Imported S/MIME encryption certificates are removed by Intune when company
data is removed, or when users are unenrolled from management. But, certificates
aren't revoked on the certification authority.

S/MIME email profiles

Once you have created S/MIME signing and encryption certificate profiles, you can
enable S/MIME for iOS/iPadOS native mail.

Next steps
Use SCEP for certificates
Use PKCS certificates
Use a partner CA
Issue PKCS certificates from a Symantec PKI manager web service
Set up the Certificate Connector for Microsoft Intune to support the DigiCert PKI Platform
Article • 02/22/2023

You can use the Certificate Connector for Microsoft Intune to issue PKCS certificates from
DigiCert PKI Platform to Intune-managed devices. The certificate connector works with
either a DigiCert certification authority (CA) only, or with both a DigiCert CA and a
Microsoft CA.

Tip

DigiCert acquired Symantec's Website Security and related PKI Solutions business.
For more information about this change, see the Symantec technical support
article.

If you already use the Certificate Connector for Microsoft Intune to issue certificates from
a Microsoft CA by using PKCS or Simple Certificate Enrollment Protocol (SCEP), you can
use that same connector to configure and issue PKCS certificates from a DigiCert CA. After
you complete the configuration to support the DigiCert CA, the connector can issue the
following certificates:

PKCS certificates from a Microsoft CA
PKCS certificates from a DigiCert CA
Endpoint Protection certificates from a Microsoft CA

If you don't have the connector installed but plan to use it for both a Microsoft CA and a
DigiCert CA, complete the connector configuration for the Microsoft CA first. Then, return
to this article to configure it to also support DigiCert. For more information about
certificate profiles and the connector, see Configure a certificate profile for your devices in
Microsoft Intune.

If you'll use the connector with only the DigiCert CA, you can use the instructions in this
article to install and then configure the connector.

Prerequisites
You'll need the following to support use of a DigiCert CA:

An active subscription at the DigiCert CA - The subscription is required to get a
registration authority (RA) certificate from the DigiCert CA.

Certificate Connector for Microsoft Intune - You'll be instructed to install and
configure the certificate connector later in this article. To help you plan for the
connector's prerequisites in advance, see the following articles:
Overview of the Certificate Connector for Microsoft Intune.
Prerequisites.
Installation and configuration.

Install the DigiCert RA certificate

1. Save the following code snippet in a file named certreq.ini and update it as
required (for example: Subject name in CN format).

[Version]
Signature="$Windows NT$"

[NewRequest]
;Change to your country code, company name and common name
Subject = "Subject Name in CN format"

KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication // Uncomment if you need a mutual TLS authentication

;-----------------------------------------------

2. Open an elevated command prompt and generate a certificate signing request (CSR)
by using the following command:

Certreq.exe -new certreq.ini request.csr


3. Open the request.csr file in Notepad and copy the CSR content that's in the
following format:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIID8TCCAtkCAQAwbTEMMAoGA1UEBhMDVVNBMQswCQYDVQQIDAJXQTEQMA4GA1UE
fzpeAWo=
-----END NEW CERTIFICATE REQUEST-----

4. Sign in to the DigiCert CA and browse to Get an RA Cert from the tasks.

a. In the text box, provide the CSR content from step 3.

b. Provide a friendly name for the certificate.

c. Select Continue.

d. Use the provided link to download the RA certificate to your local computer.

5. Import the RA certificate into the Windows Certificate store:

a. Open an MMC console.

b. Select File > Add or Remove Snap-ins > Certificate > Add.

c. Select Computer Account > Next.

d. Select Local Computer > Finish.

e. Select OK in the Add or Remove Snap-ins window. Expand Certificates (Local
Computer) > Personal > Certificates.

f. Right-click the Certificates node and select All Tasks > Import.

g. Select the location of the RA certificate that you downloaded from the DigiCert
CA, and then select Next.

h. Select Personal Certificate Store > Next.

i. Select Finish to import the RA certificate and its private key into the Local
Machine-Personal store.

6. Export and import the private key certificate:

a. Expand Certificates (Local Machine) > Personal > Certificates.

b. Select the certificate that was imported in the previous step.

c. Right-click the certificate and select All Tasks > Export.

d. Select Next, and then enter the password.

e. Select the location to export to, and then select Finish.

f. Use the procedure from step 5 to import the private key certificate into the Local
Computer-Personal store.

g. Record a copy of the RA certificate thumbprint without any spaces. The following is
an example of the thumbprint:

RA Cert Thumbprint: "EA7A4E0CD1A4F81CF0740527C31A57F6020C17C5"

Later, after you install the Certificate Connector for Microsoft Intune, you'll use this
value to update three .config files for the connector.

Note

For assistance in getting the RA certificate from the DigiCert CA, contact
DigiCert customer support.

Configure the certificate connector to support DigiCert

1. Use the information at Install the Certificate Connector for Microsoft Intune to first
download and then install and configure the Certificate Connector for Microsoft
Intune:

During installation step 2 of the connector install procedure, select the options
for PKCS and optionally for Certificate revocation.
After you complete the connector installation and configuration procedure,
return to this procedure to continue.

2. Configure the connector to support DigiCert by modifying three .config files for the
connector, and then restarting their related services:

a. On the server where the connector is installed, go to %ProgramFiles%\Microsoft
Intune\PFXCertificateConnector\ConnectorSvc. (By default, the Certificate
Connector for Microsoft Intune installs to %ProgramFiles%\Microsoft
Intune\PFXCertificateConnector.)
b. Use a simple text editor like Notepad.exe to update the RACertThumbprint key
value in the following three files. Replace the value in the files with the value you
copied during step 6.g. of the procedure in the preceding section:

Microsoft.Intune.ConnectorsPkiCreate.exe.config
Microsoft.Intune.ConnectorsPkiRevoke.exe.config
Microsoft.Intune.ConnectorsPkiCreateLegacy.exe.config

For example, locate the entry in each file that is similar to
<add key="RACertThumbprint" value="EA7A4E0CD1A4F81CF0740527C31A57F6020C17C5"/>, and
replace EA7A4E0CD1A4F81CF0740527C31A57F6020C17C5 with the new RA Cert Thumbprint
value.

c. Run services.msc and stop and then restart the following three services:

PFX Revoke Certificate Connector for Microsoft Intune (PkiRevokeConnectorSvc)
PFX Create Certificate Connector for Microsoft Intune (PkiCreateConnectorSvc)
PFX Create Legacy Connector for Microsoft Intune (PfxCreateLegacyConnectorSvc)
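Step 6.g of the previous section and steps 2.a through 2.c above can be done in one script. The following PowerShell is an added example, not part of the Intune documentation or of the connector itself; it assumes the connector's default install path, that the RA certificate was imported into LocalMachine\My together with its private key, and that its subject contains the placeholder string in $RaSubjectMatch.

```powershell
# Added example (not from the Intune docs or the connector). Reads the DigiCert RA
# certificate thumbprint from the LocalMachine\My store, writes it into the three
# connector .config files named in step 2.b, and restarts the services from step 2.c.
# Assumptions: default connector install path; the RA certificate subject contains
# $RaSubjectMatch (placeholder, change it). Run from an elevated PowerShell session.
param(
    [string]$RaSubjectMatch = 'CN=Contoso DigiCert RA',   # placeholder subject fragment
    [string]$ConnectorSvcDir = "$env:ProgramFiles\Microsoft Intune\PFXCertificateConnector\ConnectorSvc"
)

$ErrorActionPreference = 'Stop'

# 1. Find the RA certificate. Require a private key: the connector authenticates to the
#    DigiCert web service with it, so a public-only copy in the store is useless.
$ra = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$RaSubjectMatch*" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $ra) {
    throw "No certificate with a private key matching '$RaSubjectMatch' in LocalMachine\My."
}

# The docs want the thumbprint without spaces; normalise it and sanity-check the
# format (SHA-1 thumbprint, 40 hex digits) before touching any config file.
$thumbprint = ($ra.Thumbprint -replace '\s', '').ToUpperInvariant()
if ($thumbprint -notmatch '^[0-9A-F]{40}$') { throw "Unexpected thumbprint format: $thumbprint" }
Write-Host "RA certificate: $($ra.Subject), thumbprint $thumbprint, expires $($ra.NotAfter)"

# 2. Update RACertThumbprint in each config file. Parse as XML rather than regex-replacing
#    so nothing else in the file changes, and keep a .bak copy of the original.
$configFiles = @(
    'Microsoft.Intune.ConnectorsPkiCreate.exe.config',
    'Microsoft.Intune.ConnectorsPkiRevoke.exe.config',
    'Microsoft.Intune.ConnectorsPkiCreateLegacy.exe.config'
)
foreach ($name in $configFiles) {
    $path = Join-Path -Path $ConnectorSvcDir -ChildPath $name
    if (-not (Test-Path -Path $path)) { throw "Config file not found: $path" }

    [xml]$xml = Get-Content -Path $path -Raw
    $node = $xml.SelectSingleNode("//add[@key='RACertThumbprint']")
    if (-not $node) { throw "No <add key='RACertThumbprint'> element in $path" }

    if ($node.GetAttribute('value') -eq $thumbprint) {
        Write-Host "$name already has this thumbprint; skipping."
        continue
    }
    Copy-Item -Path $path -Destination "$path.bak" -Force
    $node.SetAttribute('value', $thumbprint)
    $xml.Save($path)
    Write-Host "Updated $name"
}

# 3. Restart the three connector services (service names as shown in services.msc).
foreach ($svc in 'PkiRevokeConnectorSvc', 'PkiCreateConnectorSvc', 'PfxCreateLegacyConnectorSvc') {
    Restart-Service -Name $svc -Force
    Write-Host "Restarted $svc"
}
```

The script stops at the first problem (missing certificate, missing file, missing key) rather than leaving the three files out of step with each other.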

Create a trusted certificate profile

The PKCS certificates you'll deploy for Intune managed devices must be chained with a
trusted root certificate. To establish this chain, create an Intune trusted certificate profile
with the root certificate from the DigiCert CA, and deploy both the trusted certificate
profile and the PKCS certificate profile to the same groups.

1. Get a trusted root certificate from the DigiCert CA:

a. Sign in to the DigiCert CA admin portal.

b. Select Manage CAs from Tasks.

c. Select the appropriate CA from the list.

d. Select Download root certificate to download the trusted root certificate.

2. Create a trusted certificate profile in the Microsoft Intune admin center. For detailed
guidance, see To create a trusted certificate profile. Be sure to assign this profile to
devices that will receive certificates. To assign the profile to groups, see Assign
device profiles.
After you create the profile, it appears in the list of profiles in the Device
configuration – Profiles pane, with a profile type of Trusted certificate.

Get the certificate profile OID

The certificate profile OID is associated with a certificate profile template in the DigiCert
CA. To create a PKCS certificate profile in Intune, the certificate template name must be in
the form of a certificate profile OID that is associated with a certificate template in the
DigiCert CA.

1. Sign in to the DigiCert CA admin portal.

2. Select Manage Certificate Profiles.

3. Select the certificate profile that you want to use.

4. Copy the certificate profile OID. It looks similar to the following example:

Certificate Profile OID = 2.16.840.1.113733.1.16.1.2.3.1.1.47196109

Note

If you need help to get the certificate profile OID, contact DigiCert customer
support.

Create a PKCS certificate profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose the platform of your devices.
Profile: Select PKCS certificate. Or, select Templates > PKCS certificate.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. In Configuration settings, configure parameters with the values from the following
table. These values are required to issue PKCS certificates from a DigiCert CA,
through the Certificate Connector for Microsoft Intune.

PKCS certificate parameter: Certificate authority
Value: pki-ws.symauth.com
Description: This value must be the DigiCert CA base service FQDN without trailing
slashes. If you aren't sure whether this is the correct base service FQDN for your
DigiCert CA subscription, contact DigiCert customer support. With the change from
Symantec to DigiCert, this URL remains unchanged. If this FQDN is incorrect, the
certificate connector won't issue PKCS certificates from the DigiCert CA.

PKCS certificate parameter: Certificate authority name
Value: Symantec
Description: This value must be the string Symantec. If there's any change to this
value, the certificate connector won't issue PKCS certificates from the DigiCert CA.

PKCS certificate parameter: Certificate template name
Value: Certificate profile OID from the DigiCert CA. For example:
2.16.840.1.113733.1.16.1.2.3.1.1.61904612
Description: This value must be a certificate profile OID obtained in the previous
section from the DigiCert CA certificate profile template. If the certificate
connector can't find a certificate template associated with this certificate profile
OID in the DigiCert CA, it won't issue PKCS certificates from the DigiCert CA.

Note

The PKCS certificate profile for Windows platforms doesn't need to associate
with a trusted certificate profile. But it is required for non-Windows platform
profiles such as Android.

7. Complete the configuration of the profile to meet your business needs, and then
select Create to save the profile.

8. On the Overview page of the new profile, select Assignments and configure an
appropriate group that will receive this profile. At least one user or device must be
part of the assigned group.

After you complete the previous steps, Certificate Connector for Microsoft Intune will
issue PKCS certificates from the DigiCert CA to Intune-managed devices in the assigned
group. These certificates will be available in the Personal store of the Current User
certificate store on the Intune-managed device.

Supported attributes for the PKCS certificate profile

Attribute: Subject name
Intune supported formats: Intune supports the subject name in the following three
formats only:
1. Common name
2. Common name that includes email
3. Common name as email
For example:
CN = IWUser0
E = IWUser0@samplendes.onmicrosoft.com
DigiCert Cloud CA supported formats: The DigiCert CA supports more attributes. If you
want to select more attributes, they must be defined with fixed values in the DigiCert
certificate profile template.
Result: We use common name or email from the PKCS certificate request. Any mismatch
in attribute selection between the Intune certificate profile and the DigiCert
certificate profile template results in no certificates issued from the DigiCert CA.

Attribute: SAN
Intune supported formats: Intune supports only the following SAN field values:
AltNameTypeEmail
AltNameTypeUpn
AltNameTypeOtherName (encoded value)
DigiCert Cloud CA supported formats: The DigiCert Cloud CA also supports these
parameters. If you want to select more attributes, they must be defined with fixed
values in the DigiCert certificate profile template.
AltNameTypeEmail: If this type isn't found in the SAN, the certificate connector uses
the value from AltNameTypeUpn. If AltNameTypeUpn is also not found in the SAN, then
the certificate connector uses the value from the subject name if it's in email
format. If the type is still not found, the certificate connector fails to issue the
certificates.
Example: RFC822 Name=IWUser0@ndesvenkatb.onmicrosoft.com
AltNameTypeUpn: If this type is not found in the SAN, the certificate connector uses
the value from AltNameTypeEmail. If AltNameTypeEmail is also not found in the SAN,
then the certificate connector uses the value from the subject name if it's in email
format. If the type is still not found, the certificate connector fails to issue the
certificates.
Example: Other Name: Principal Name=IWUser0@ndesvenkatb.onmicrosoft.com
AltNameTypeOtherName: If this type isn't found in the SAN, the certificate connector
fails to issue the certificates.
Example: Other Name: DS Object Guid=04 12 b8 ba 65 41 f2 d4 07 41 a9 f7 47 08 f3 e4 28
5c ef 2c
The value of this field is supported only in encoded format (hexadecimal value) by the
DigiCert CA. For any value in this field, the certificate connector converts it to
base64 encoding before it submits the certificate request. Certificate Connector for
Microsoft Intune doesn't validate whether this value is already encoded or not.
Result: None
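The SAN fallback rules in the table above are easy to misread, so here is an added PowerShell model of them that predicts which value would be submitted for a given Intune profile selection and user. It is not the connector's code and not from the Intune documentation; the function name and the sample user attributes are constructed, and the choice to base64-encode the UTF-8 bytes of the AltNameTypeOtherName string is an assumption, since the page does not state the exact byte representation the connector encodes.

```powershell
# Added example, not from the Intune docs or the connector: a model of the SAN fallback
# rules in the table above. Function name and sample attributes are constructed; the
# byte representation used for the base64 step (UTF-8 bytes of the string) is an assumption.
function Resolve-DigiCertSan {
    param(
        [Parameter(Mandatory)][string[]]$SelectedSanTypes,  # SAN types chosen in the Intune PKCS profile
        [string]$Email,        # user's email attribute; empty if the attribute isn't populated
        [string]$Upn,          # user's UPN; empty if not populated
        [string]$OtherName,    # value supplied for AltNameTypeOtherName, e.g. a hex-encoded GUID
        [string]$SubjectName   # subject name built by the profile, e.g. 'CN=IWUser0'
    )

    # The subject is only a valid fallback when it is in email format
    # ("Common name as email", format 3 in the Subject name row).
    $subjectEmail = $null
    if ($SubjectName -match '^CN=([^,\s]+@[^,\s]+)$') { $subjectEmail = $Matches[1] }

    $san = [ordered]@{}
    foreach ($type in $SelectedSanTypes) {
        switch ($type) {
            'AltNameTypeEmail' {
                # Email -> UPN -> email-format subject -> issuance fails
                $value = $Email
                if (-not $value) { $value = $Upn }
                if (-not $value) { $value = $subjectEmail }
                if (-not $value) { throw 'AltNameTypeEmail: no email, UPN or email-format subject; the connector fails to issue.' }
                $san['RFC822 Name'] = $value
            }
            'AltNameTypeUpn' {
                # UPN -> email -> email-format subject -> issuance fails
                $value = $Upn
                if (-not $value) { $value = $Email }
                if (-not $value) { $value = $subjectEmail }
                if (-not $value) { throw 'AltNameTypeUpn: no UPN, email or email-format subject; the connector fails to issue.' }
                $san['Principal Name'] = $value
            }
            'AltNameTypeOtherName' {
                # No fallback at all. The connector base64-encodes whatever it is given and does
                # not check whether the value is already encoded, so pre-encoding it yourself
                # produces a double-encoded value that the CA will not match.
                if (-not $OtherName) { throw 'AltNameTypeOtherName: not found in SAN; the connector fails to issue.' }
                $bytes = [System.Text.Encoding]::UTF8.GetBytes($OtherName)
                $san['Other Name (base64)'] = [Convert]::ToBase64String($bytes)
            }
            default { throw "SAN type '$type' is not supported by Intune for DigiCert PKCS profiles." }
        }
    }
    return $san
}

# Constructed case: the profile selects Email and UPN, but the user has no email attribute,
# so the RFC822 SAN is filled from the UPN (sample UPN taken from the table above).
Resolve-DigiCertSan -SelectedSanTypes 'AltNameTypeEmail', 'AltNameTypeUpn' `
    -Upn 'IWUser0@ndesvenkatb.onmicrosoft.com' -SubjectName 'CN=IWUser0'
```

Run the same call with an empty -Upn and a non-email subject to see the point at which the fallback chain is exhausted and issuance fails.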

Troubleshooting
Logs for the Certificate Connector for Microsoft Intune are available as Event logs on the
server where the connector is installed. These logs provide details about the connector's
operation, and can be used to identify problems with the certificate connector and its
operations. For more information, see Logging.

Next steps
Use the information in this article with the information in What are Microsoft Intune
device profiles? to manage your organization's devices and the certificates on them.
Remove SCEP and PKCS certificates in Microsoft Intune
Article • 02/21/2023

In Microsoft Intune, you can use Simple Certificate Enrollment Protocol (SCEP) and
Public Key Cryptography Standards (PKCS) certificate profiles to add certificates to
devices.

These certificates can be removed when you wipe or retire the device. Certificates that
were provisioned by Intune are also removed when the profile that provisioned the
certificate no longer targets the device or user. There are other scenarios where
certificates are automatically removed, and scenarios where certificates stay on the
device. This article lists some common scenarios and their effect on PKCS and SCEP
certificates.

Note

To remove and revoke certificates for a user who's being removed from on-
premises Active Directory or Azure Active Directory (Azure AD), follow these steps
in order:

1. Wipe or retire the user's device.
2. Remove the user from on-premises Active Directory or Azure AD.

The majority of this article applies to SCEP and PKCS certificate profiles, but not to
imported PKCS certificates. Imported PKCS certificates are removed by Intune when
company data is removed from the device or when a device is unenrolled from
management.

Manually deleted certificates

Manual deletion of a certificate is a scenario that applies across platforms and
certificates provisioned by SCEP or PKCS certificate profiles. For example, a user might
delete a certificate from a device while the device remains targeted by a certificate
policy.

In this scenario, after the certificate is deleted, the next time the device checks in with
Intune it's found to be out of compliance as it is missing the expected certificate. Intune
then issues a new certificate to restore the device to compliance. No other action is
needed to restore the certificate.

Note

SCEP certificates are removed but not revoked when using a third-party
certification authority.

Windows devices

SCEP certificates
A SCEP certificate is revoked and removed when:

A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
The device is removed from an Azure AD group.
A certificate profile is removed from the group assignment.

A SCEP certificate is revoked when:

An administrator changes or updates the SCEP profile.

A root certificate is removed when:

A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
A certificate profile is removed from the group assignment.

SCEP certificates stay on the device (certificates aren't revoked or removed) when:

A user loses the Intune license.
An administrator withdraws the Intune license.
An administrator removes the user or group from Azure AD.

PKCS certificates
A PKCS certificate is revoked and removed when:

A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.

A PKCS certificate is removed when:

The PKCS certificate profile no longer targets the device or user.

A root certificate is removed when:

A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.

PKCS certificates stay on the device (certificates aren't revoked or removed) when:

A user loses the Intune license.
An administrator withdraws the Intune license.
An administrator removes the user or group from Azure AD.
An administrator changes or updates the PKCS profile.

iOS devices

SCEP certificates
A SCEP certificate is revoked and removed when:

A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
The device is removed from the Azure AD group.
A certificate profile is removed from the group assignment.

A SCEP certificate is revoked when:

An administrator changes or updates the SCEP profile.

A root certificate is removed when:

A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.

SCEP certificates stay on the device (certificates aren't revoked or removed) when:

A user loses the Intune license.
An administrator withdraws the Intune license.
An administrator removes the user or group from Azure AD.

PKCS certificates
A PKCS certificate is revoked and removed when:

A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.

A PKCS certificate is removed when:

A certificate profile is removed from the group assignment.

A root certificate is removed when:

A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.

PKCS certificates stay on the device (certificates aren't revoked or removed) when:

A user loses the Intune license.
An administrator withdraws the Intune license.
An administrator removes the user or group from Azure AD.
An administrator changes or updates the PKCS profile.

Android KNOX devices

SCEP certificates
A SCEP certificate is revoked and removed when:

A user unenrolls.
An administrator runs the wipe action.

A SCEP certificate is revoked when:

An administrator runs the retire action.
The device is removed from an Azure AD group.
A certificate profile is removed from the group assignment.
An administrator removes the user or group from Azure AD.
An administrator changes or updates the SCEP profile.

A root certificate is removed when:

A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.

SCEP certificates stay on the device (certificates aren't revoked or removed) when:

A user loses the Intune license.
An administrator withdraws the Intune license.
An administrator removes the user or group from Azure AD.

PKCS certificates
A PKCS certificate is revoked and removed when:

A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.

A root certificate is removed when:

A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.

PKCS certificates stay on the device (certificates aren't revoked or removed) when:

A user loses the Intune license.
An administrator withdraws the Intune license.
An administrator removes the user or group from Azure AD.
An administrator changes or updates the PKCS profile.
A certificate profile is removed from the group assignment.

Note

Android for Work devices are not validated for the preceding scenarios. Android
legacy devices (any non-Samsung, non-work profile devices) are not enabled for
certificate removal.

macOS certificates

SCEP certificates
A SCEP certificate is revoked and removed when:

A user unenrolls.
An administrator runs a retire action.
The device is removed from an Azure AD group.
A certificate profile is removed from the group assignment.

A SCEP certificate is revoked when:

An administrator changes or updates the SCEP profile.

SCEP certificates stay on the device (certificates aren't revoked or removed) when:

A user loses the Intune license.
An administrator withdraws the Intune license.
An administrator removes the user or group from Azure AD.

Note

Using the wipe action to factory reset macOS devices is not supported.

PKCS certificates
A PKCS certificate is revoked and removed when:

A user unenrolls.
An administrator runs the retire action.

A root certificate is removed when:

A user unenrolls.
An administrator runs the retire action.

PKCS certificates stay on the device (certificates aren't revoked or removed) when:

A user loses the Intune license.
An administrator withdraws the Intune license.
A certificate profile is removed from the group assignment. (The Profile is
removed.)
An administrator removes the user or group from Azure AD.
An administrator changes or updates the PKCS profile.

Next steps
Use certificates for authentication
Use derived credentials with Microsoft Intune
Article • 02/24/2023

This article applies to:

Android Enterprise fully managed devices that run version 7.0 and above
iOS/iPadOS
Windows 10/11

In an environment where smart cards are required for authentication or encryption and
signing, you can use Intune to provision mobile devices with a certificate that's derived
from a user's smart card. That certificate is called a derived credential. Intune supports
several derived credential issuers, though you can use only a single issuer per tenant at
a time.

Derived credentials are an implementation of the National Institute of Standards and
Technology (NIST) guidelines for Derived Personal Identity Verification (PIV) credentials
as part of Special Publication (SP) 800-157.

With Intune's implementation:

The Intune administrator configures their tenant to work with a supported derived
credential issuer. You don't need to configure any Intune specific settings in the
derived credential issuer's system.

The Intune administrator specifies Derived credential as the authentication method
for the following objects:

For Android Enterprise fully managed devices:
Common profile types like Wi-Fi and VPN
App authentication

For iOS/iPadOS:
Common profile types like Wi-Fi, VPN, and Email, which includes the iOS/iPadOS
native mail app
App authentication
S/MIME signing and encryption

For Windows:
Common profile types like Wi-Fi and VPN

Note

Currently, derived credentials as an authentication method for VPN profiles
isn't working as expected on Windows devices. This behavior only impacts
VPN profiles on Windows devices and will be fixed in a future release (no ETA).

For Android and iOS/iPadOS, users obtain a derived credential by using their smart
card on a computer to authenticate to the derived credential issuer. The issuer
then issues to the mobile device a certificate that's derived from their smart card.
For Windows, users install the app from the derived credential provider, which
installs the certificate to the device for later use.

After the device receives the derived credential, it's used for authentication and for
S/MIME signing and encryption when apps or resource access profiles require the
derived credential.

Prerequisites
Review the following information before you configure your tenant to use derived
credentials.

Supported platforms
Intune supports derived credentials on the following platforms:

iOS/iPadOS
Android Enterprise:
Fully Managed devices (version 7.0 and above)
Corporate-Owned Work Profile
Windows 10/11

Supported issuers
Intune supports a single derived credential issuer per tenant. You can configure Intune
to work with the following issuers:

DISA Purebred: https://public.cyber.mil/pki-pke/purebred/
Entrust: https://www.entrust.com/
Intercede: https://www.intercede.com/

For important details about using the different issuers, review guidance for that issuer.
For more information, see Plan for derived credentials in this article.

Important

If you delete a derived credential issuer from your tenant, the derived credentials
that were set up through that issuer will no longer function.

See Change the derived credential issuer later in this article.

Required apps
Plan to deploy the relevant user-facing app to devices that will enroll for a derived
credential. Device users use the app to start the credential enrollment process.

iOS devices use the Company Portal app. See Add iOS store apps to Microsoft
Intune.
Android Enterprise Fully Managed and Corporate-Owned work profile devices use
the Intune App. See Add Android store apps to Microsoft Intune.

Plan for derived credentials

Understand the following considerations before setting up a derived credential issuer
for Android and iOS/iPadOS.

For Windows devices, see Derived credentials for Windows, later in this article.

1) Review the documentation for your chosen derived credential issuer
Before you configure an issuer, review that issuer's documentation to understand how
their system delivers derived credentials to devices.

Depending on the issuer you choose, you might need staff to be available at the time of
enrollment to help users complete the process. Also review your current Intune
configurations to ensure they don't block access that's necessary for devices or users to
complete the credential request.

For example, you might use conditional access to block access to email for non-
compliant devices. If you rely on email notifications to inform the user to start the
derived credential enrollment process, your users might not receive those instructions
until they're compliant with policy.

Similarly, some derived credential request workflows require the use of the device
camera to scan an on-screen QR code. This code links that device to the authentication
request that occurred against the derived credential issuer with the user's smart card
credentials. If device configuration policies block camera use, the user can't complete the
derived credential enrollment request.

General information:

You can only configure a single issuer per tenant at a time, and that issuer is
available to all users and supported devices in your tenant.

Users aren't notified that they must enroll for derived credentials until you target
them with a policy that requires derived credentials.

Notification can be through app notification for the Company Portal, through
email, or both. If you choose to use email notifications and you have enabled
conditional access, users might not receive the email notification if their device
isn't compliant.

Important

To ensure notifications related to device credentials are successfully received
by end users, you should enable app notifications for the Company Portal,
email notifications, or both.

2) Review the end-user workflow for your chosen issuer

The following are key considerations for each supported partner. Become familiar with
this information so you can ensure your Intune policies and configurations don't block
users and devices from successfully completing enrollment for a derived credential from
that issuer.

DISA Purebred

Review the platform-specific user workflow for the devices you'll use with derived
credentials.

iOS and iPadOS
Android Enterprise - Corporate-Owned Work Profile or Fully managed devices

Key requirements include:

Users need access to a computer or KIOSK where they can use their smart card to
authenticate to the issuer.

iOS and iPadOS devices that will enroll for a derived credential must install the
Intune Company Portal app. Android Fully Managed and Corporate-Owned Work
Profile devices must install and use the Intune app.

Use Intune to deploy the DISA Purebred app to devices that will enroll for a
derived credential. This app must be deployed through Intune so that it's managed
and can then work with the Intune Company Portal app or Intune App, which
device users use to complete the derived credential request.

To retrieve a derived credential from the Purebred app, the device must have
access to the on-premises network. Access might be through corporate Wi-Fi or
VPN.

Device users must work with a live agent during the enrollment process. During
enrollment, time-limited one-time passcodes are provided to the user as they
continue through the enrollment process.

When changes are made to a policy that uses derived credentials, such as creation
of a new Wi-Fi profile, iOS and iPadOS users are notified to open the Company
Portal app.

Users are notified to open the applicable app when they need to renew their
derived credential.

The renewal process happens like this:

The derived credential issuer needs to issue new or updated certificates before
the previous certificates are 80% of the way through their validity period.
The device checks in during the renewal period (the last 20% of the validity
period).
Microsoft Intune notifies the user through email or an app notification to launch
the Company Portal.
The user launches the Company Portal and taps the derived credential
notification, and then the derived credential certificates are copied to the device.

For information about getting and configuring the DISA Purebred app, see Deploy the DISA
Purebred app later in this article.

Entrust
Review the platform-specific user workflow for the devices you'll use with derived
credentials.

iOS and iPadOS
Android Enterprise - Corporate-Owned Work Profile or Fully managed devices

Key requirements include:

Users need access to a computer or kiosk where they can use their smart card to
authenticate to the issuer.

iOS and iPadOS devices that will enroll for a derived credential must install the
Intune Company Portal app. Android Fully Managed and Corporate-Owned Work
Profile devices must install and use the Intune app.

Users use the device camera to scan a QR code that links the authentication
request to the derived credential request from the mobile device.

Users are prompted by the Company Portal app or through email to enroll for
derived credentials.

When changes are made to a policy that uses derived credentials, such as creating
a new Wi-Fi profile:
iOS and iPadOS - Users are notified to open the Company Portal app.
Android Enterprise Corporate-Owned Work Profile or Fully managed devices -
The Company Portal app doesn't need to open.

Users are notified to open the applicable app when they need to renew their
derived credential.

The renewal process happens like this:

1. The derived credential issuer needs to issue new or updated certificates before
   the previous certificates are 80% of the way through their validity period.
2. The device checks in during the renewal period (the last 20% of the validity
   period).
3. Microsoft Intune notifies the user through email or an app notification to launch
   the Company Portal.
4. The user launches the Company Portal and taps the derived credential
   notification, and then the derived credential certificates are copied to the device.

Intercede
Review the platform-specific user workflow for the devices you'll use with derived
credentials.
iOS and iPadOS
Android Enterprise - Corporate-Owned Work Profile or Fully managed devices

Key requirements include:

Users need access to a computer or kiosk where they can use their smart card to
authenticate to the issuer.

iOS and iPadOS devices that will enroll for a derived credential must install the
Intune Company Portal app. Android Fully Managed and Corporate-Owned Work
Profile devices must install and use the Intune app.

Users use the device camera to scan a QR code that links the authentication
request to the derived credential request from the mobile device.

Users are prompted by the Company Portal app or through email to enroll for
derived credentials.

When changes are made to a policy that uses derived credentials, such as creating
a new Wi-Fi profile:
iOS and iPadOS - Users are notified to open the Company Portal app.
Android Enterprise Corporate-Owned Work Profile or Fully managed devices -
The Company Portal app doesn't need to open.

Users are notified to open the applicable app when they need to renew their
derived credential.

The renewal process happens like this:

1. The derived credential issuer needs to issue new or updated certificates before
   the previous certificates are 80% of the way through their validity period.
2. The device checks in during the renewal period (the last 20% of the validity
   period).
3. Microsoft Intune notifies the user through email or an app notification to launch
   the Company Portal.
4. The user launches the Company Portal and taps the derived credential
   notification, and then the derived credential certificates are copied to the device.

3) Deploy a trusted root certificate to devices

A trusted root certificate is used with derived credentials to verify that the derived
credential certificate chain is valid and trusted. Even when not directly referenced by
policy, a trusted root certificate is required. See Configure a certificate profile for your
devices in Microsoft Intune.
4) Provide end-user instructions for how to get the derived credential

Create and provide guidance to your users on how to start the derived credential
enrollment process and how to navigate the derived credential enrollment workflow
for your chosen issuer.

We recommend you provide a URL that will host your guidance. You specify this URL
when you configure the derived credential issuer for your tenant, and that URL is made
available from within the Company Portal app. If you don't specify your own URL, Intune
provides a link to generic details. These details can't cover all scenarios and might not
be correct for your environment.

5) Deploy Intune policies that require derived credentials

Create new policies or edit existing policies to use derived credentials. Derived
credentials replace other authentication methods for the following objects:

App authentication
Wi-Fi
VPN
Email (iOS only)
S/MIME signing and encryption, including Outlook (iOS only)

Avoid requiring use of a derived credential to access a process that you'll use as part of
the process to get the derived credential, as that can prevent users from completing the
request.

Set up a derived credential issuer

Before you create policies that require use of a derived credential, set up a credential
issuer in the Microsoft Intune admin center. A derived credential issuer is a tenant-wide
setting. Tenants support only a single issuer at a time.

1. Sign in to the Microsoft Intune admin center .

2. Select Tenant administration > Connectors and tokens > Derived Credentials.
3. Specify a friendly Display name for the derived credential issuer policy. This name
isn't shown to your device users.

4. For Derived credential issuer, select the derived credential issuer that you have
chosen for your tenant:

DISA Purebred (iOS only)
Entrust
Intercede

5. Specify a Derived credential help URL to provide a link to a location that includes
custom instructions to help users get derived credentials for your organization. The
instructions should be specific to your organization and to the workflow that's
necessary to get a credential from your chosen issuer. The link appears in the
Company Portal app and should be accessible from the device.

If you don't specify your own URL, Intune provides a link to generic details that
can't cover all scenarios. This generic guidance might not be correct for your
environment.
6. Select one or more options for Notification type. Notification types are the
   methods you use to inform users about the following scenarios:

   Enroll a device with an issuer to get a new derived credential.
   Get a new derived credential when the current credential is close to
   expiration.
   Use a derived credential with a supported object.

7. When ready, select Save to complete configuration of the derived credential issuer.

After you save the configuration, you can make changes to all fields except for the
Derived credential issuer. To change the issuer, see Change the derived credential issuer.

Deploy the DISA Purebred app

This section applies only when you use DISA Purebred.

To use DISA Purebred as your derived credential issuer for Intune, you must get the
DISA Purebred app and then use Intune to deploy the app to devices. Then users
request the derived credential from DISA Purebred by using the Company Portal App on
their iOS/iPadOS device, or the Intune app on their Android devices.

In addition to deploying the DISA Purebred app with Intune, the device must have
access to the on-premises network. To provide this access, consider using a VPN or
corporate Wi-Fi.

Complete the following tasks:

1. Download the DISA Purebred application: https://cyber.mil/pki-pke/purebred/.

2. Deploy the DISA Purebred application in Intune.

   See Add an iOS line-of-business app to Microsoft Intune.
   See Add an Android line-of-business app to Microsoft Intune.

Additional settings for the Purebred app might be required. Speak to your
Purebred agent to understand which values should be included in your policies, or
if you have a DoD issued Common Access Card (CAC) you can access the Purebred
documentation online at https://cyber.mil/pki-pke/purebred/.

3. If you choose to use a per-app VPN for the DISA Purebred application, see Create
a per-app VPN.
Use derived credentials for authentication and S/MIME signing and encryption

You can specify Derived credential for the following profile types and purposes:

Applications

Email:
iOS and iPadOS
Android Enterprise

VPN:
iOS and iPadOS
Android Enterprise

S/MIME signing and encryption

Wi-Fi:
iOS and iPadOS
Android Enterprise

For Wi-Fi profiles, Authentication method is available only when the EAP type is set
to one of the following values:
EAP-TLS
EAP-TTLS
PEAP

Use derived credentials for app authentication

Use derived credentials for certificate-based authentication to web sites and
applications. To deliver a derived credential for app authentication:

1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following settings:

For iOS and iPadOS:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Derived
credential for iOS devices profile.
Description: Enter a description that gives an overview of the setting, and any
other important details.
Platform: Select iOS/iPadOS.
Profile type: Select Derived credential.

For Android Enterprise:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Derived
credential for Android Enterprise devices profile.
Description: Enter a description that gives an overview of the setting, and any
other important details.
Platform: Select Android Enterprise.
Profile type: Under Fully Managed, Dedicated, and Corporate-Owned Work
Profile, select Derived credential.
On the Apps page, configure Certificate access to manage how certificate
access is granted to applications. Choose from:
Require user approval for apps (default) – Users must approve use of a
certificate by all applications.
Grant silently for specific apps (require user approval for other apps) –
With this option, select Add apps, and then select one or more apps that
will silently use the certificate without user interaction.

4. On the Assignments page, select the groups that should receive the policy.

5. When finished, select OK > Create to create the Intune profile. When complete,
your profile is shown in the Devices - Configuration profiles list.

Users receive the app or email notification depending on the settings you specified
when you set up the derived credential issuer. The notification informs the user to
launch the Company Portal so that the derived credential policies can be processed.

Derived credentials for Windows

You can use derived certificates as an authentication method for Wi-Fi and VPN profiles
on Windows devices. The same providers that are supported by Android and
iOS/iPadOS devices are supported as providers for Windows:

DISA Purebred
Entrust
Intercede
Note

Currently, derived credentials as an authentication method for VPN profiles isn't
working as expected on Windows devices. This behavior only impacts VPN profiles
on Windows devices and will be fixed in a future release (no ETA).

For Windows, users don't work through a smartcard registration process to obtain a
certificate for use as a derived credential. Instead, the user needs to install the app for
Windows, which is obtained from the derived credential provider. To use derived
credentials with Windows, complete the following configurations:

1. Install the app from the Derived Credential providers on the Windows device.

When you install the Windows app from a derived credential provider on a
Windows device, the derived certificate is added to that device's Windows
certificate store. After the certificate is added to the device, it becomes available
for use as a derived credential authentication method.

After you get the app from your chosen provider, the app can be deployed to
Users, or directly installed by the user of the device.

2. Configure Wi-Fi and VPN profiles to use derived credentials as the
   authentication method.

When configuring a Windows profile for Wi-Fi or VPN, select Derived credential
for the Authentication Method. With this configuration, the profile uses the
certificate that installs on the device when the provider's app was installed.

Renew a derived credential

Derived credentials for Android or iOS/iPadOS devices can't be extended or renewed.
Instead, users must use the credential request workflow to request a new derived
credential for their device. For Windows devices, consult the documentation for the App
from your derived credential provider.

If you configure one or more methods for Notification type, Intune automatically
notifies users when the current derived credential reaches 80% of its life span. The
notification directs users to go through the credential request process to get a new
derived credential.

After a device receives a new derived credential, policies that use derived credentials
redeploy to that device.
Change the derived credential issuer
At the tenant level, you can change your credential issuer, although only one issuer is
supported by a tenant at a time.

After you change the issuer, users are prompted to get a new derived credential from
the new issuer. They must do so before they can use a derived credential for
authentication.

Change the issuer for your tenant

Important

If you delete an issuer and immediately reconfigure that same issuer, you must still
update profiles and devices to use derived credentials from that issuer. Derived
credentials that were obtained before you delete the issuer are no longer valid.

1. Sign in to the Microsoft Intune admin center.

2. Select Tenant administration > Connectors and tokens > Derived Credentials.
3. Select Delete to remove the current derived credential issuer.
4. Configure a new issuer.

Update profiles that use derived credentials

After you delete an issuer and then add a new one, edit each profile that uses derived
credentials. This rule applies even if you restore the previous issuer. Any edit of the
profile will trigger an update, including a simple edit to the profile Description.

Update derived credentials on devices

After you delete an issuer and then add a new one, device users must request a new
derived credential. This rule applies even when you add the same issuer that you
removed. The process to request the new derived credential is the same as for enrolling
a new device or renewing an existing credential.
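The renewal rule (a derived credential enters its renewal period once 80% of its validity has elapsed, and it cannot be extended, only replaced) and the issuer-change rule (credentials obtained from an issuer other than the tenant's current one are no longer valid) are the two conditions that decide when a user must go back through the credential request workflow. The following Python is an added example, not Intune or issuer code: the device records, the state names, the `utc` helper and the sample fleet are this example's own assumptions. It lets an administrator compute, from a certificate's validity dates and the tenant's configured issuer, which devices need a renewal or re-enrollment notification.

```python
"""Derived credential lifecycle checks.

Added example, not Intune or issuer code. It encodes two rules from this
article: a credential enters its renewal period once 80 % of its validity
has elapsed, and a credential obtained from an issuer other than the one
currently configured for the tenant is no longer valid. Device records,
the state names and the sample fleet below are this example's own
assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

RENEWAL_FRACTION = 0.8                      # renewal period = last 20 % of lifetime
SUPPORTED_ISSUERS = {"DISA Purebred", "Entrust", "Intercede"}


def utc(y, m, d, h=0, mi=0):
    """Helper to build an aware UTC datetime for sample data."""
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)


@dataclass(frozen=True)
class DerivedCredential:
    device_id: str          # hypothetical device identifier
    issuer: str             # issuer that produced the certificate
    not_before: datetime    # certificate validity start
    not_after: datetime     # certificate validity end


def renewal_start(cred):
    """First instant at which Intune would prompt the user to renew."""
    return cred.not_before + (cred.not_after - cred.not_before) * RENEWAL_FRACTION


def credential_state(cred, tenant_issuer, now):
    """Classify a credential relative to the tenant's current issuer and time."""
    if tenant_issuer not in SUPPORTED_ISSUERS:
        raise ValueError(f"unsupported issuer {tenant_issuer!r}")
    if cred.issuer != tenant_issuer:
        return "reenroll"       # issuer changed or re-added: old credential is invalid
    if now < cred.not_before:
        return "not_yet_valid"
    if now >= cred.not_after:
        return "expired"        # cannot be extended; user must request a new one
    if now >= renewal_start(cred):
        return "renew"          # inside the last 20 % of the validity period
    return "valid"


def users_to_notify(creds, tenant_issuer, now):
    """Devices whose user should be told to open the Company Portal or Intune
    app and go through the credential request workflow again."""
    action_needed = {"renew", "expired", "reenroll"}
    states = {c.device_id: credential_state(c, tenant_issuer, now) for c in creds}
    return {dev: state for dev, state in states.items() if state in action_needed}


# Constructed sample fleet: 100-day certificates from two different issuers.
FLEET = [
    DerivedCredential("ipad-01", "Entrust", utc(2023, 1, 1), utc(2023, 4, 11)),
    DerivedCredential("android-07", "Entrust", utc(2023, 3, 1), utc(2023, 6, 9)),
    DerivedCredential("ipad-02", "Intercede", utc(2023, 1, 1), utc(2023, 4, 11)),
]

if __name__ == "__main__":
    for dev, state in users_to_notify(FLEET, "Entrust", utc(2023, 3, 22)).items():
        print(f"{dev}: {state}")
```

With the sample fleet and the tenant issuer set to Entrust, the check on 22 March 2023 flags ipad-01 (exactly 80 days into a 100-day certificate) for renewal and ipad-02 for re-enrollment because its certificate came from Intercede, while android-07 is still well inside its validity period. The same classification, applied after you delete and re-add an issuer, reproduces the Important note above: every credential issued before the change must be replaced.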

Next steps
Create device configuration profiles.
Manage iOS/iPadOS software update policies in Intune
Article • 02/22/2023

You can use Microsoft Intune device configuration profiles to manage software updates
for iOS/iPad devices that enrolled as supervised devices.

Supervised devices are devices that enroll through one of Apple's Automated Device
Enrollment (ADE) options. Devices enrolled through ADE support management
control through a mobile device management solution like Intune. ADE options include
Apple Business Manager or Apple School Manager.

This feature applies to:

iOS 10.3 and later (supervised)
iPadOS 13.0 and later (supervised)

With policies for iOS software updates, you can:

Choose to deploy the latest update that's available, or choose to deploy an older
update, based on the update version number.

When deploying an older update, you must also deploy a device restrictions profile
to restrict visibility of software updates. This is because update profiles don't
prevent users from updating the OS manually. Users can be prevented from
updating the OS manually with a device configuration policy that restricts visibility
of software updates.

Specify a schedule that determines when the update installs. Schedules can be as
simple as installing updates the next time that the device checks in, or creating
date and time ranges during which updates can install or are blocked from
installing.

By default, devices check in with Intune about every 8 hours. If an update is
available through an update policy, the device downloads the update. The device
then installs the update upon next check-in within your schedule configuration.

Note

iOS/iPadOS software updates that you send to a Shared iPad can install only
when there is no user signed in to a Shared iPad session and the device is
charging. The iPad must be signed out of all user accounts and plugged into a
power source for the device to update successfully.

If you use Autonomous Single App Mode (ASAM), consider the impact of OS
updates, because the resulting behavior may be undesirable. Test to assess the
impact of OS updates on the app you run in ASAM. ASAM can be configured
through Intune device restriction profiles.

Tip

If you're new to configuring software updates or want some guidance based on
common scenarios, go to:

Software updates admin checklist and scenarios for supervised iOS/iPadOS
devices
Software updates admin checklist for BYOD and personal devices

Configure the policy

1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Update policies for iOS/iPadOS > Create profile.

3. On the Basics tab, specify a name for this policy, specify a description (optional),
and then select Next.

4. On the Update policy settings tab, configure the following options:


a. Select version to install. You can choose from:

Latest update: Deploys the most recently released update for iOS/iPadOS.
Any previous version that is available in the dropdown box. If you select a
previous version, you must also deploy a device configuration policy to
delay visibility of software updates.

b. Schedule type: Configure the schedule for this policy:

Update at next check-in: The update installs on the device the next time it
checks in with Intune. This option is the simplest and has no extra
configurations.
Update during scheduled time: You configure one or more windows of time
during which the update will install upon check-in.
Update outside of scheduled time: You configure one or more windows of
time during which the updates won't install upon check-in.

c. Weekly schedule: If you choose a schedule type other than update at next
check-in, configure the following options:

Time zone: Choose a time zone.

Time window: Define one or more blocks of time that restrict when the
updates install. The effect of the following options depends on the
Schedule type you selected. With a start day and end day, overnight
blocks are supported. Options include:
Start day: Choose the day on which the schedule window starts.
Start time: Choose the time day when the schedule window begins. For
example, if you select 5 AM and have a Schedule type of Update during
scheduled time, 5 AM will be the time that updates can begin to install.
If you chose a Schedule type of Update outside of a scheduled time, 5
AM will be the start of a period of time that updates can't install.
End day: Choose the day on which the schedule window ends.
End time: Choose the time of day when the schedule window stops. For
example, if you select 1 AM and have a Schedule type of Update during
scheduled time, 1 AM will be the time when updates can no longer
install. If you chose a Schedule type of Update outside of a scheduled
time, 1 AM will be the start of a period of time that updates can install.

If you don't configure times to start or end, the configuration results in no
restriction and updates can install at any time.

Note

You can configure settings in a device restrictions profile to hide an update
from device users for a period of time on your supervised iOS/iPadOS
devices. A restriction period can give you time to test an update before it's
visible to users to install. After the device restriction period expires, the
update becomes visible to users. Users can then choose to install it, or your
Software update policies might automatically install it soon after.

When you use a device restriction to hide an update, review your software
update policies to ensure they won't schedule the installation of the update
before that restriction period ends. Software update policies install updates
based on their own schedule, regardless of the update being hidden or
visible to the device user.

After configuring Update policy settings, select Next.

5. On the Scope tags tab, select + Select scope tags to open the Select tags pane if
you want to apply them to the update policy.

On the Select tags pane, choose one or more tags, and then Select to add
them to the policy and return to the Scope tags pane.

When ready, select Next to continue to Assignments.

6. On the Assignments tab, choose + Select groups to include and then assign the
update policy to one or more groups. Use + Select groups to exclude to fine-tune
the assignment. When ready, select Next to continue.

The devices used by the users targeted by the policy are evaluated for update
compliance. This policy also supports userless devices.

7. On the Review + create tab, review the settings, and then select Create when
ready to save your iOS/iPadOS update policy. Your new policy is displayed in the
list of update policies for iOS/iPadOS.

Note

You can't use Intune software update policies to downgrade the OS version on a
device.

Edit a policy
You can edit an existing policy, including changing the restricted times:

1. Select Devices > Update policies for iOS. Select the policy you want to edit.

2. While viewing the policy's Properties, select Edit for the policy page you want to
   modify.

3. After introducing a change, select Review + save > Save to save your edits and
   return to the policy's Properties.

Note
If the Start time and End time are both set to 12 AM, Intune does not check for
restrictions on when to install updates. This means that any configurations you
have for Select times to prevent update installations are ignored, and updates can
install at any time.

Delay visibility of software updates

When you use update policies for iOS, you might need to delay visibility of an iOS
software update. Reasons to delay visibility include:

Preventing users from updating the OS manually
Deploying an older update while preventing users from installing a more recent
one

To delay visibility, deploy a device restriction template that configures the following
settings:

Defer software updates = Yes

This doesn't affect any scheduled updates. It represents days before software
updates are visible to end users after release.

Delay default visibility of software updates = 1 to 90

90 days is the maximum delay that Apple supports.

Device restriction templates are part of device configuration policies.

For guidance from the Intune support team, see Delay visibility of software updates in
Intune for supervised devices .

Monitor for update installation failures on devices

In the Microsoft Intune admin center, go to Devices > Monitor > Installation failures
for iOS devices.

Intune displays a list of supervised iOS/iPadOS devices that are targeted by an update
policy. The list doesn't include devices that are up-to-date and healthy because iOS/iPad
devices only return information about installation failures.

For each device on the list, the Installation Status displays the error that was returned by
the device. To view the list of potential installation status values, on the Installation
failures for iOS devices page, select Filters and then expand the drop-down list for
Installation Status.

Next steps
Monitor device profiles
Software updates admin checklist and scenarios for supervised iOS/iPadOS devices
in Intune
Manage macOS software update policies in Intune
Article • 04/18/2023

You can use Microsoft Intune to manage software updates for macOS devices that
enrolled as supervised devices.

This feature applies to:

macOS 12 and later (supervised)

Note

Prior to the macOS 12.5 release, devices may download and install additional
updates before installing the latest update.

With policies for macOS software updates, you can:

Remotely manage how downloads, installations, and notifications should occur
when the following types of updates are available for macOS:
Critical update
Firmware update
Configuration file update
All other updates (OS, built-in apps)

Specify a schedule that determines when the update installs. Schedules can be as
simple as installing updates the next time that the device checks in or creating
day-time ranges during which updates can install or are blocked from installing.

By default, devices check in with Intune about every 8 hours. If an update is available
through an update policy, the device downloads the update. The device then installs the
update upon next check-in within your schedule configuration.

Configure the policy

1. Sign in to the Microsoft Intune admin center .

Tip
For more information on managing software updates and the update
experience on devices, see Manage software updates for Apple devices -
Apple Support at Apple's Platform Deployment site.

2. Select Devices > Update policies for macOS > Create profile.

3. On the Basics tab, specify a name for this policy, specify a description (optional),
   and then select Next.

4. On the Update policy settings tab, configure the following options:

a. For Critical, Firmware, Configuration file, and All other updates (OS, built-in
apps), the following installation actions can be configured:

Download and install: Download or install the update, depending on the
current state.

Download only: Download the software update without installing it.

Install immediately: Download the software update and trigger the restart
countdown notification. This action is recommended for userless devices.

Notify only: Download the software update and notify the user through
System Settings.

Install later: Download the software update and install it later. This action
is not available for major OS upgrades.
When you configure Install later for All other updates (OS, built-in apps),
the following additional settings are available:

Max User Deferrals:

When the All other updates update type is configured to Install later,
this setting allows you to specify the maximum number of times a user
can postpone a minor OS update before it’s installed. The system
prompts the user once a day. Available for devices running macOS 12
and later.

Priority: When the All other updates update type is configured to Install
later, this setting allows you to specify values of Low or High for the
scheduling priority for downloading and preparing minor OS updates.
Available for devices running macOS 12.3 and later.

Not configured: No action taken on the software update.

Note

Devices with Apple Silicon require an MDM-issued bootstrap token to
authenticate automated, non-interactive updates and upgrades.

b. Schedule type: Configure the schedule for this policy:

Update at next check-in: The update installs on the device the next time it
checks in with Intune. This option is the simplest and has no extra
configurations.

Update during scheduled time: You configure one or more windows of
time during which the update will install upon check-in.

Update outside of scheduled time: You configure one or more windows of
time during which the updates won't install upon check-in.

c. Weekly schedule: If you choose a schedule type other than update at next
check-in, configure the following options:

Time zone: Choose a time zone.

Time window: Define one or more blocks of time that restrict when the
updates install. The effect of the following options depends on the
Schedule type you selected. With a start day and end day, overnight
blocks are supported. Options include:

Start day: Choose the day on which the schedule window starts.

Start time: Choose the time day when the schedule window begins. For
example, if you select 5 AM and have a Schedule type of Update during
scheduled time, 5 AM will be the time that updates can begin to install. If
you chose a Schedule type of Update outside of a scheduled time, 5 AM will
be the start of a period of time that updates can't install.

End day: Choose the day on which the schedule window ends.

End time: Choose the time of day when the schedule window stops. For
example, if you select 1 AM and have a Schedule type of Update during
scheduled time, 1 AM will be the time when updates can no longer install.
If you chose a Schedule type of Update outside of a scheduled time, 1 AM
will be the start of a period of time that updates can install.

If you don't configure times to start or end, the configuration results in no
restriction and updates can be installed at any time.

Tip

You can deploy a settings catalog policy to hide an update from device users
for a period of time on your supervised macOS devices. For more information,
see the following section Delay visibility of updates.
5. After configuring Update policy settings, select Next.

6. On the Scope tags tab, select + Select scope tags to open the Select tags pane if
   you want to apply them to the update policy.

   On the Select tags pane, choose one or more tags, and then Select to add
   them to the policy and return to the Scope tags pane.

When ready, select Next to continue to Assignments.

7. On the Assignments tab, choose + Select groups to include and then assign the
   update policy to one or more groups. Use + Select groups to exclude to fine-tune
   the assignment. When ready, select Next to continue.

The devices used by the users targeted by the policy are evaluated for update
compliance. This policy also supports userless devices.

8. On the Review + create tab, review the settings, and then select Create when ready
   to save your macOS update policy. Your new policy is displayed in the list of
   update policies for macOS.

Note

Apple MDM doesn't allow you to force a device to install updates by a certain time
or date. You can't use Intune software update policies to downgrade the OS version
on a device.

Delay visibility of updates

When you use update policies for macOS, you might want to hide updates from users of
supervised macOS devices for a period of time. You can accomplish this with a settings
catalog policy for macOS devices that configure update restriction periods.

A restriction period can give you time to test an update before it’s made available to
users to install. After the restriction period ends, the update becomes visible to users,
and they can choose to install it if your update policies don’t install it first.

If you use device restrictions to hide an update, review your software update policies to
ensure they won’t schedule the installation of that update before the restriction period
ends. Software update policies will install updates per their schedule regardless of the
update being hidden or visible to the device user.
You’ll find settings that can restrict visibility of updates on macOS devices in the
Restrictions category of the settings catalog. A few examples of settings you can use to
defer an update include:

Enforced Software Update Delay
Enforced Software Update Major OS Deferred Install Delay
Enforced Software Update Non OS Deferred Install Delay

You can also find related settings under the System Updates > Software Update
category to manage how users manually interact with updates through their system UI.
However, updates from a targeted update policy will override these settings.

Edit a policy
You can edit an existing policy, including changing the restricted times:

1. Select Devices > Update policies for macOS. Select the policy you want to edit.

2. While viewing the policy's Properties, select Edit for the policy page you want to
   modify.

3. After introducing a change, select Review + save > Save to save your edits.

Note
If the Start time and End time are both set to 12 AM, Intune does not check for
restrictions on when to install updates. This means that any configurations you
have for Select times to prevent update installations are ignored, and updates can
install at any time.

Configure additional macOS software update settings using the Settings Catalog

The Restrictions category contains the following settings that can be used to delay
visibility of macOS software updates on devices (Devices > macOS > Device
configuration > Settings catalog > Restrictions):

Enforced Software Update Delay:  Sets how many days to delay a software update
on the device. With this restriction in place, the user doesn’t see a software update
until the specified number of days after the software update release date. This
value is used by Force Delayed App Software Updates and Force Delayed Software
Updates.

Force Delayed App Software Updates:  If true, delays user visibility of non-OS
Software Updates for built-in software like Safari, XProtect, and Gatekeeper.
Requires a supervised device. The delay is 30 days unless Enforced Software Update
Delay is set to another value.

Enforced Software Update Non OS Deferred Install Delay:  This restriction allows the
admin to set how many days to delay an app software update on the device. When
this restriction is in place, the user sees a non-OS software update only after the
specified delay after the release of the software. This value controls the delay for
Force Delayed App Software Updates.

Force Delayed Major Software Updates:  If set to true, delays user visibility of major
upgrades to OS Software.

Enforced Software Update Major OS Deferred Install Delay:  This restriction allows
the admin to set how many days to delay a major software upgrade on the device.
Major software upgrades are new major OS releases; for example, macOS 12
Monterey and macOS 13 Ventura. When this restriction is in place, the user sees a
software upgrade only after the specified delay after the release of the software
upgrade. This value controls the delay for Force Delayed Major Software Updates.

Force Delayed Software Updates:  If true, delays user visibility of software updates. In
macOS, seed build updates are allowed, without delay. The delay is 30 days
unless Enforced Software Update Delay is set to another value.

Enforced Software Update Minor OS Deferred Install Delay:  This restriction allows
the admin to set how many days to delay a minor OS software update on the
devices. Minor software updates are intermediate updates that are released
between major OS upgrades; for example, macOS 13.1 and macOS 13.2. When this
restriction is in place, the user sees a software update only after the specified delay
after the release of the software update. This value controls the delay for Force
Delayed Software Updates.
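To make the precedence of these delay settings concrete, here is an added Python model (not Intune or Apple code) that computes when an update becomes visible under a given Restrictions policy and flags any software update policy scheduled to install before the restriction period ends, the caveat noted earlier. Setting names mirror the catalog items above; the precedence (kind-specific delay, then the general delay for minor OS and non-OS updates, then the 30-day default) follows the descriptions above and is an assumption where the text is silent, and the payload key mapping comes from Apple's Restrictions payload rather than from this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Default when Enforced Software Update Delay is not set (stated in the text above).
DEFAULT_DELAY_DAYS = 30


@dataclass
class Restrictions:
    """Subset of the settings catalog Restrictions category (names mirror the UI).
    None for a delay means the setting is not configured in the policy."""
    enforced_software_update_delay: Optional[int] = None
    force_delayed_software_updates: bool = False        # minor OS updates
    force_delayed_app_software_updates: bool = False    # non-OS (Safari, XProtect, ...)
    force_delayed_major_software_updates: bool = False  # major OS upgrades
    enforced_minor_os_deferred_install_delay: Optional[int] = None
    enforced_non_os_deferred_install_delay: Optional[int] = None
    enforced_major_os_deferred_install_delay: Optional[int] = None


# Apple Restrictions payload keys the catalog settings correspond to, handy when
# reading a profile back from a device. Mapping is from Apple's payload, not this page.
PAYLOAD_KEYS = {
    "enforced_software_update_delay": "enforcedSoftwareUpdateDelay",
    "force_delayed_software_updates": "forceDelayedSoftwareUpdates",
    "force_delayed_app_software_updates": "forceDelayedAppSoftwareUpdates",
    "force_delayed_major_software_updates": "forceDelayedMajorSoftwareUpdates",
    "enforced_minor_os_deferred_install_delay": "enforcedSoftwareUpdateMinorOSDeferredInstallDelay",
    "enforced_non_os_deferred_install_delay": "enforcedSoftwareUpdateNonOSDeferredInstallDelay",
    "enforced_major_os_deferred_install_delay": "enforcedSoftwareUpdateMajorOSDeferredInstallDelay",
}


def deferral_days(r: Restrictions, kind: str) -> int:
    """Days an update of the given kind ('minor_os', 'non_os', 'major_os') stays
    hidden from the user. Precedence: the kind-specific delay, then the general
    Enforced Software Update Delay (which the text ties to the minor and app
    settings only), then the 30-day default. Assumption: the general delay does
    not apply to major upgrades."""
    if kind == "minor_os":
        enabled = r.force_delayed_software_updates
        specific, general = r.enforced_minor_os_deferred_install_delay, r.enforced_software_update_delay
    elif kind == "non_os":
        enabled = r.force_delayed_app_software_updates
        specific, general = r.enforced_non_os_deferred_install_delay, r.enforced_software_update_delay
    elif kind == "major_os":
        enabled = r.force_delayed_major_software_updates
        specific, general = r.enforced_major_os_deferred_install_delay, None
    else:
        raise ValueError(f"unknown update kind: {kind}")
    if not enabled:
        return 0
    for value in (specific, general):
        if value is not None:
            return value
    return DEFAULT_DELAY_DAYS


def visible_on(r: Restrictions, kind: str, released: date) -> date:
    """First day the user can see the update in Software Update."""
    return released + timedelta(days=deferral_days(r, kind))


def policy_conflicts(r: Restrictions, kind: str, released: date,
                     scheduled_installs: List[Tuple[str, date]]) -> List[str]:
    """Names of software update policies whose scheduled install lands before the
    restriction period ends. Such policies install regardless of visibility, so
    they defeat the purpose of the deferral (the caveat above)."""
    first_visible = visible_on(r, kind, released)
    return [name for name, when in scheduled_installs if when < first_visible]


def demo() -> dict:
    """Constructed scenario: minor updates deferred 14 days via the general delay,
    major upgrades deferred 60 days via the specific delay, app updates not deferred."""
    policy = Restrictions(enforced_software_update_delay=14,
                          force_delayed_software_updates=True,
                          force_delayed_major_software_updates=True,
                          enforced_major_os_deferred_install_delay=60)
    release = date(2023, 9, 26)  # constructed release date
    schedules = [("Ring 1 - install ASAP", date(2023, 10, 3)),   # inside the hidden window
                 ("Ring 2 - install later", date(2023, 10, 20))]  # after it becomes visible
    return {
        "minor_visible": visible_on(policy, "minor_os", release).isoformat(),
        "major_visible": visible_on(policy, "major_os", release).isoformat(),
        "non_os_visible": visible_on(policy, "non_os", release).isoformat(),
        "conflicts": policy_conflicts(policy, "minor_os", release, schedules),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```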

The Software Update category contains the following settings that can be used to
configure the user experience for macOS software update options on devices (Devices >
macOS > Device configuration > Settings catalog > System Updates > Software
Update):

Allow Pre Release Installation:  If true, prerelease software can be installed on this
computer.

Automatic Check Enabled:  If false, deselects the "Check for updates" option and
prevents the user from changing the option.

Automatic Download:  If false, deselects the "Download new updates when available
from the App Store" option and prevents the user from changing the option.

Automatically Install App Updates:  If false, deselects the "Install app updates from
the App Store" option and prevents the user from changing the option.

Automatically Install macOS Updates:  If false, restricts the "Install macOS Updates"
option and prevents the user from changing the option.

Config Data Install:  If false, restricts the automatic installation of configuration
data.

Critical Update Install:  If false, disables the automatic installation of critical updates
and prevents the user from changing the "Install system data files and security
updates" option.

Restrict Software Update Require Admin To Install:  If true, restricts app installations
to admin users. This key has the same function as the Restrict Store Require Admin
To Install setting in the App Store category.

Monitor for update installation failures on devices

In the Microsoft Intune admin center, go to Devices > Monitor > Installation status for
macOS devices.

Intune displays a list of supervised macOS devices that are targeted by an update policy.
The list doesn't include devices that are up-to-date and healthy because macOS devices
only return information about installation failures.

For each device on the list, the Installation Status displays the error that was returned by
the device. To view the list of potential installation status values, on the Installation status
for macOS devices page, select Filters and then expand the drop-down list for Installation
Status.

Next steps
Monitor device profiles
Android FOTA Updates
Article • 05/23/2023

You can use Microsoft Intune to manage software updates on the following Android
Enterprise devices:

Fully Managed
Dedicated
Corporate-Owned Work Profile devices

You have two ways to manage software updates on Android:

Use Firmware Over-the-Air (FOTA), which works for some OEMs.

If FOTA isn't available, you can use Device restrictions profiles, which work for all
OEMs.

1. Sign in to the Microsoft Intune admin center.
2. Navigate to Devices > Android > Configuration profiles > Device restrictions.
3. Device restrictions profiles offer control over how the device handles over-the-air
updates and allow you to set a freeze period for these updates.

Note

Not all device manufacturers support over-the-air updates. For more information, see
Corporate-owned Android Enterprise device restriction settings in Microsoft Intune.

Firmware Over-the-Air (FOTA) updates allow remotely updating the firmware of devices
using a wireless connection, rather than requiring the devices to be physically connected
to a computer or network.

A FOTA update can include software and security patches, feature updates, and other
changes to the device's firmware. This method is more efficient, convenient, and more
secure than manual updates and can be performed on a scheduled or on-demand basis.

In the context of FOTA, a deployment is an update policy that includes instructions
about the firmware update to be deployed to devices and other update-related settings,
for example, schedule type and charging requirements.

In addition, Microsoft Intune supports FOTA update management for supported devices
from the following manufacturers. Manufacturer-specific FOTA support may offer more
controls beyond what Device restrictions profiles offer.

Zebra: Go to Zebra LifeGuard Over-the-Air Integration with Microsoft Intune. This
feature is in public preview. For more information, see Public preview in Microsoft
Intune.

Samsung: Go to Samsung E-FOTA Update Management with Microsoft Endpoint
Manager.
Zebra LifeGuard Over-the-Air Integration with Microsoft Intune
Article • 08/10/2023

Important

This feature is in public preview. For more information, see Public preview in
Microsoft Intune.

Microsoft Intune provides integration with Zebra LifeGuard Over-the-Air (LG OTA), so
that you can have a single area for managing firmware updates for supported Zebra
devices. Zebra LifeGuard Over-the-Air (LG OTA) is a service offered by Zebra
Technologies that allows deployment of updates to their Android devices in a hands-free
and automated manner.

Microsoft Intune allows you to manage firmware updates for supported Zebra devices
directly through the Intune admin center.

Intune manages the creation, management, and monitoring of these deployments
through APIs provided by Zebra. Zebra's services and on-device clients handle other
complexities (such as evaluating customer entitlements and device compatibility),
update hosting, update delivery, and installation.

Supported Devices
LG OTA is supported on the following devices:

Android Enterprise dedicated devices
Android Enterprise fully managed devices

For more specific information on supported devices, see Zebra's TechDocs.

The following aren't supported in public preview:

Graph assignment with inclusions/exclusions

Prerequisites
Set up Managed Google Play for your tenant
Administrators must have all the required RBAC (role-based access control)
permissions:
Mobile Apps (to create and deploy app configuration profiles)
Android FOTA (to manage firmware OTA updates)

Access to all appropriate Zebra licenses, and entitlements to use the LG OTA
service. For more information, contact Zebra support or see Zebra's TechDocs.

For information about service ports and endpoints used by Zebra OTA updates,
refer to Zebra Lifeguard Over the Air FOTA Updates Ports.

For more information about which Zebra devices work with the service based on
the platform, see Zebra's TechDocs.

Process overview
The process for using LG OTA via Intune is as follows:

1. Set up Zebra connector.
2. Enroll devices with Zebra LG OTA service.
   a. Approve and deploy required apps for your tenant.
   b. Create app configuration policy.
3. Create and assign deployments in Intune.
4. View and manage deployments.

Before you start

You must enroll devices separately with the Zebra LG OTA service before devices can be
updated. We recommend that you identify the devices to use with LG OTA, and create a
group containing only those devices, to make the enrollment process easier.

Step 1: Set up Zebra Connector

In the Microsoft Intune admin center, you can link Intune and Zebra.

1. Sign in to the Microsoft Intune admin center.
2. Select Tenant administration > Connectors and tokens > Firmware over-the-air
update.
3. Select Zebra. A context panel appears and guides you through the process of
setting up your tenant for LG OTA.
4. Select Connect and consent to data sharing with Zebra. The context panel is
refreshed, and a temporary authorization link becomes enabled in the context
panel.
5. Select the authorization link and follow the prompts on the Zebra portal to
authorize access for Intune.

Important

Remember the email address of the Zebra account you use to authorize Intune.
You'll need this if you contact Zebra for support. Intune doesn't store this
information.

Note

This authorization link expires in 10 minutes. If it expires, select Refresh to generate
a new link.

6. After the authorization process is complete, an enrollment token will auto-populate
within the context panel. If the token doesn't appear, select Refresh. Copy the
enrollment token to your clipboard, as you'll need the token later.

Step 2: Enroll Devices with Zebra LG OTA Service

You must enroll devices separately with the Zebra LG OTA service before devices can be
updated. We recommend that you identify which devices need to be updated and used
with LG OTA. Then create a group containing only those devices, to make the enrollment
process easier.

2a: Approve and deploy required apps for your tenant

Zebra requires two apps present on the device to perform enrollment with the LG OTA
service.

The apps required are:

Zebra Enrollment Manager
Zebra Common Transport Layer

Use Managed Google Play to add them to your tenant. For information on how to add
them to your tenant, see Add and assign Managed Google Play apps to Android
Enterprise devices.

Next, assign Zebra Enrollment Manager and Zebra Common Transport Layer as
Required apps for all the Zebra devices you want to update and use with LG OTA. The
apps are deployed automatically to those devices.

Enabling a Zebra package as a system app

If you're planning to use LG OTA to update a device running on a version higher than
Android 11, you need to enable another Zebra package as a system app. For more
information on how to enable system apps, see Manage Android Enterprise system apps
in Microsoft Intune.

Build                                                           System app to be enabled
Any build of Android 11 that is earlier than 11-20-18.00-RG-U00   com.symbol.tool.stagenow
11-20-18.00-RG-U00 or 11-20-18.00-RG-U02                        com.zebra.devicemanager
Any build of Android 11 that is later than 11-20-18.00-RG-U02     (None required)

2b: Create app configuration policy

From the context panel in the Set up Zebra connector screen, select the link - Go to app
configuration policies. You need to create an app configuration policy for managed
devices for each of the two required apps.

For more information, see Add app configuration policies for managed Android
Enterprise devices

Policy targeting Zebra Enrollment Manager app

1. Select Add and then select Managed Devices.

2. Complete the fields in the Basic tab and select Next.

3. In the Settings tab, under the Permissions section, select Add to add the following
permission override:
a. Permission: Phone state (read)
b. Permission state: set to Auto grant
4. In the Settings tab, under the Configuration Settings section, select Add to add
the following two configuration settings:
a. Action: Set Configuration value to Claim Device.
b. Claim Device Token: Paste the enrollment token that you copied in the earlier
step into the Configuration value field.

5. Assign this configuration policy to all the same devices that you assigned the app
earlier.

6. Navigate through the tabs and complete the fields.

Policy targeting Zebra Common Transport Layer app

1. Select Add and then select Managed Devices.

2. Complete the fields in the Basic tab and select Next.

3. In the Settings tab, under the Permissions section, select Add to add the following
permission override:
a. Permission: Phone state (read)
b. Permission state: set to Auto grant

4. Assign this configuration policy to all the same devices that you assigned the app
earlier.

5. Navigate through the tabs and complete the fields.

Wait at least 15 minutes for the required apps and app configuration policy to reach the
devices. If needed, use the Intune app on the device to force a sync by navigating to the
Intune app > select the More menu (...), and select Sync.

After synchronization is complete, the devices that support LG OTA contact the Zebra LG
OTA service to be enrolled in it and become associated with the Microsoft
Intune/Zebra accounts. You can then deploy firmware updates to these LG OTA enrolled
devices.

Step 3: Create and Assign Deployments

Note

LG OTA deployments are fire-and-forget actions, not persistent policies that
enforce compliance. Therefore, Microsoft refers to them as deployments rather
than policy. For example, if an upgrade fails initially, LG OTA won't retry updating
the device even after the underlying issue is remediated.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Android > Android FOTA deployments to create and manage
FOTA deployments.

3. Select Create deployment.

4. On the Basics tab, specify a name for this policy, specify a description (optional),
and then select Next.

5. On the Settings tab, configure the deployment settings you'd like to use.

Note

Zebra does not support firmware downgrades through LG OTA. Downgrading
the operating system on a device causes an Enterprise Reset, wiping all user
data and potentially leaving the device in an unmanaged state.

For more information on available settings, see Zebra documentation.

a. In the Update area, select the target firmware or update to deploy for the devices in
this deployment:
   i. Release: Select Latest to install the latest release available for the device, or
   Custom to choose specific firmware.
   ii. Model: Choose the device model you want to target with this deployment. If
   you're not sure which firmware to select, or for model and version compatibility,
   see Zebra documentation.

Note

If you assign the deployment to a group containing devices of other models, only
devices of the selected model are updated.

b. In the Deployment Schedule area, select when the update is deployed:
   i. Schedule Mode: Choose when you want the deployment to start running.
      i. Run as soon as possible: The deployment starts running immediately and
      lasts for 28 days after you select Create at the end of this flow.
      ii. Scheduled: More options are available when you select Scheduled.
      iii. Time zone: Select a time zone for the devices being updated.
      iv. Start: Specify when the deployment must start running.
      v. End: If you don't specify an end time, the deployment runs for 28 days.

c. In the Installation Schedule area, select when the installation can take place. If you
don't specify, devices start installing updates once the deployment starts running:
   i. Time zone: Select the time zone for the devices being updated. The time zone
   you select must match the time zone selected in Deployment schedule, if you
   defined a deployment schedule.
   ii. Start/End: Specify when you want to allow the updates to be installed. Once
   installation begins, a complete installation is attempted even if it's past the end
   time.
   iii. Delay installation until: On devices running Android 10 and earlier, Zebra
   supports delaying installation to a specific time after the device downloads an
   update. On Android 11 and later, this setting doesn't do anything, as updates are
   installed in the background while being downloaded.

d. In the Device conditions area, specify the device conditions that must be met for
downloading and installation to take place:
   i. Minimum battery level: a battery level between 30% and 100%.
   ii. Require device to be connected to charger: yes/no.
   iii. Network type: Choose the type of network the device must be connected to for
   downloading and installation to take place.

6. When ready, select Next to continue to Assignments.

7. On the Assignments tab, choose + Select groups to include and then assign your
deployments to one or more groups. Review these important guidelines for
assignment. When ready, select Next to continue.

8. On the Review + create tab, review your settings.

9. When ready, select Create to create the deployment. The deployment is created
with Zebra for the list of assigned devices.

Important guidelines for assignment

When you create an LG OTA deployment, Intune sends information about the
deployment to the Zebra LG OTA service, which processes the request and updates
eligible devices accordingly. Eligible refers to a Zebra device that is successfully enrolled
with the LG OTA service. Deployments can't be modified after they're created. As a
result, these deployments have different assignment behavior from many other policies
in Intune.

When you assign a deployment to a group, only eligible Zebra devices, at the time the
deployment was created, are included in the deployment request that Intune sends to
Zebra for processing by the Zebra LG OTA service. So, dynamic group membership
updates may not be reflected in LG OTA deployments.

If devices are added to an assigned group after the deployment is created, those devices
won't be part of the deployment in the LG OTA service. To update devices that are
added to a group after the deployment is created, you can create a new deployment
with the same settings, and assign it to the same group. Devices in the group that have
already been updated by the first deployment won't be updated again.

If devices are later removed from an assigned group after the deployment is created,
those devices may still be updated if they were already part of this deployment request
sent to the LG OTA service. You should assume that all eligible Zebra devices that were
ever added to the assigned groups are updated, even if they're removed from the group
afterwards.

Example

You have a dynamic group G that contains three TC57 devices A, B, and C. Every
time a new TC57 device is enrolled in your tenant, it's automatically added to the
dynamic group. A, B, and C start off running firmware version v1.

On January 1, you use Intune and LG OTA to create a deployment that runs as soon
as possible, to update devices in G from v1 to v2. All three devices are now on v2.

On February 1, a new TC57 device, D, running firmware version v1, is enrolled in
the tenant. D is automatically added to the group, and now there are four devices
in group G. D isn't part of the January 1 deployment, so if you want to update D to
v2, you need to create a new deployment assigned to either D or G.

On February 15, you create a deployment that runs as soon as possible, to update
devices in G to v3. Now, devices A, B, C, and D are all on v3.

On March 1, you use Intune and LG OTA to create a deployment that starts on April
1 and will update devices in G to v4. Intune sends this deployment to the Zebra
service on March 1 after you select Create.

On March 15, you remove devices A and B from group G.

On April 1, the deployment starts running as scheduled. Devices A, B, C, and D are
updated from v3 to v4, even though A and B are no longer in G.

Note

A device can only be part of one deployment at a time. Deployments are only
supported for devices, not users. For example, if you assign a deployment to a
group containing a device A and a user B who is associated with device B, only
device A will receive the deployment.

Assignment filters are not currently supported. Deployments that are assigned to
empty groups, or to groups containing no eligible devices, will fail.
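The snapshot behaviour described above (eligible devices captured when the deployment is created, later group changes ignored, already-updated devices skipped, and empty or ineligible groups rejected), as an added Python model that replays the dated example. It is constructed here and is not Intune or Zebra code; the device names, firmware versions and dates are the ones from the example, and the 28-day default run length comes from the Deployment Schedule settings above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

DEFAULT_RUN_DAYS = 28  # a deployment without an explicit end runs for 28 days


class DeploymentError(Exception):
    """Raised when the deployment request would fail at creation."""


@dataclass(frozen=True)
class Deployment:
    name: str
    target_release: str
    created: date
    start: date
    end: date
    devices: FrozenSet[str]  # eligible devices captured when the deployment was created


def create_deployment(name: str, target_release: str, created: date,
                      group_members: Iterable[str], eligible: Set[str],
                      start: Optional[date] = None,
                      end: Optional[date] = None) -> Deployment:
    """Build the request Intune sends to Zebra at creation time.

    Only devices that are both in the assigned group and eligible (Zebra devices
    enrolled with LG OTA) are captured; later group changes are not reflected.
    A group with no eligible devices fails, as the note above states.
    """
    start = start or created  # "Run as soon as possible"
    end = end or start + timedelta(days=DEFAULT_RUN_DAYS)
    snapshot = frozenset(d for d in group_members if d in eligible)
    if not snapshot:
        raise DeploymentError(f"{name}: no eligible devices in the assigned group")
    return Deployment(name, target_release, created, start, end, snapshot)


def run_deployment(dep: Deployment, firmware: Dict[str, str], today: date) -> Set[str]:
    """Apply the deployment to its captured device set within its run window.

    Devices are updated even if they have since left the group; devices already
    on the target release are left alone. Returns the set of devices updated.
    """
    if not dep.start <= today <= dep.end:
        return set()
    updated = set()
    for dev in dep.devices:
        if firmware.get(dev) != dep.target_release:
            firmware[dev] = dep.target_release
            updated.add(dev)
    return updated


def uncovered_devices(group_members: Iterable[str], eligible: Set[str],
                      deployments: List[Deployment], target_release: str) -> Set[str]:
    """Eligible group members that no existing deployment for this release includes.

    This is the check to run before deciding whether a fresh deployment is needed
    for devices that joined a dynamic group after the deployment was created.
    """
    covered: Set[str] = set()
    for dep in deployments:
        if dep.target_release == target_release:
            covered |= dep.devices
    return {d for d in group_members if d in eligible and d not in covered}


def walkthrough() -> dict:
    """Replay the dated example above and return what each step produced."""
    firmware = {"A": "v1", "B": "v1", "C": "v1"}  # constructed starting state
    eligible = {"A", "B", "C"}                     # enrolled with the LG OTA service
    group_g = {"A", "B", "C"}                      # dynamic group of TC57 devices
    deployments: List[Deployment] = []

    jan = create_deployment("Jan v2", "v2", date(2023, 1, 1), group_g, eligible)
    deployments.append(jan)
    run_deployment(jan, firmware, date(2023, 1, 1))

    # Feb 1: device D enrolls and lands in the dynamic group; Jan deployment ignores it.
    firmware["D"] = "v1"
    eligible.add("D")
    group_g.add("D")
    missing_feb1 = uncovered_devices(group_g, eligible, deployments, "v2")

    feb = create_deployment("Feb v3", "v3", date(2023, 2, 15), group_g, eligible)
    deployments.append(feb)
    run_deployment(feb, firmware, date(2023, 2, 15))

    mar = create_deployment("Mar v4", "v4", date(2023, 3, 1), group_g, eligible,
                            start=date(2023, 4, 1))
    deployments.append(mar)
    group_g -= {"A", "B"}                                      # Mar 15: A and B leave G
    early = run_deployment(mar, firmware, date(2023, 3, 15))    # before start: nothing
    updated_apr1 = run_deployment(mar, firmware, date(2023, 4, 1))

    return {"missing_feb1": missing_feb1, "early": early,
            "updated_apr1": updated_apr1, "firmware": firmware}


if __name__ == "__main__":
    print(walkthrough())
```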

Step 4: View and Manage Deployments

After deployments are completed, you can view them from Devices > Android >
Android FOTA deployments (Preview).

Reporting displays information for eligible devices only and is currently refreshed every
hour. For example, if you assign a deployment to a group containing non-Zebra devices,
or Zebra devices that aren't enrolled with the LG OTA service, those devices aren't
included in the Android FOTA deployments reports.

Each deployment displays details related to:

Deployment status: The status of the deployment. For more information, see the
following table.

Completed devices: The number of eligible devices where the update is
completed.

Failed devices: The number of devices where the update failed.

Total devices: The total number of eligible devices targeted.

Release: The associated firmware release.

The status of a deployment is different from the status of individual devices in the
deployment. For example, if you create a deployment that targets two devices and only
one is successfully updated, the deployment is considered Completed. However, it shows
one device as failed and one as successful.

Intune deployment status   Description
Creation in progress       Intune has sent a deployment request to the Zebra service.
Failed to create           Failed to create the deployment in the Zebra service.
Created                    The deployment is created, but the start date hasn't been reached.
Deployment in progress     The start date has been reached, and the end date hasn't passed.
Completed                  The deployment end date has passed.
Cancellation requested     Intune has sent a cancellation request to the Zebra service.
Canceled                   The deployment is successfully canceled with the Zebra service.

By selecting the More (…) menu next to a deployment, or by selecting the deployment
details, you can attempt to Cancel a deployment that is in progress or Delete a
completed deployment from Intune. Zebra doesn't support editing of already created
deployments.

View device level details of a deployment

1. Select a deployment name to view more details.
2. The Device status chart shows a breakdown of the status for assigned devices.
3. Select View report to view device-level information, where you can filter by status
and view error codes (if applicable).
4. Each device displays its update status alongside:

A Zebra deployment ID. This ID can be useful when contacting Zebra support.

A Status detail, if applicable. If an error code is displayed:
   NOTAPPLICABLE: the device isn't enrolled with the LG OTA service, or isn't
   eligible for this update.
   A numeric error code, for example 4009: contact Zebra support for more details
   on next steps.

Known issues
During public preview, you might need to disconnect and reconnect the Zebra connector
if the following error message appears on the Android FOTA deployments page:
"Something went wrong while communicating with Zebra. Try again later, or if this issue
persists try disconnecting and reconnecting the Zebra connector in Tenant
administration".

1. Go to Tenant administration > Connectors and tokens > Firmware over-the-air update.
2. Select Disconnect and confirm the disconnection. This disconnects your Intune
tenant from Zebra; existing deployments aren't affected.
3. Return to the Intune admin center and reconnect the Zebra connector.
Manage Windows 10 and Windows 11 software updates in Intune
Article • 08/30/2023

Use Microsoft Intune to manage the installation of Windows 10/11 software updates
from Windows Update for Business.

By using Windows Update for Business, you simplify the update management
experience. You don't need to approve individual updates for groups of devices and can
manage risk in your environments by configuring an update rollout strategy. With
Intune, you can configure update settings on devices and configure deferral of update
installation. You can also prevent devices from installing features from new Windows
versions to help keep them stable, while allowing those devices to continue installing
updates for quality and security.

Intune stores only the update policy assignments, not the updates themselves. When
you save a policy, Intune passes the configuration details to Windows Update, which
then determines which updates will be offered to each device. Devices access Windows
Update directly for the updates.

Learn more about Windows feature and quality updates in the Windows documentation.

Policy types to manage updates

Intune provides the following policy types to manage updates, which you assign to
groups of devices:

Update rings for Windows 10 and later: This policy is a collection of settings that
configures when updates get installed on devices that run Windows 10 and Windows 11.
Update ring policies are supported for devices that run Windows 10 version 1607 or
later, and Windows 11. For more information, see Update rings policy.

Feature updates for Windows 10 and later: Feature updates policy updates devices to
the Windows version you specify, and then freezes the feature set version on those
devices. This version freeze remains in place until you choose to update them to a later
Windows version. While the feature version remains static, devices can continue to
install quality and security updates that are available for their feature version. You can
also use Feature updates policy to upgrade your devices that run Windows 10 to
Windows 11.

Quality updates for Windows 10 and later: Policy for Quality updates, also referred to
as Expedited updates, allows you to expedite the install of the most recent Windows 10
and Windows 11 security updates as quickly as possible on devices you manage with
Microsoft Intune. Expedited install is accomplished without the need to pause or edit
your existing monthly servicing policies. For more information, see Expedite updates
policy.

Driver updates for Windows 10 and later: With Windows Driver Update Management in
Microsoft Intune, you can review, approve for deployment, and pause deployments of
driver updates for your managed Windows 10 and Windows 11 devices. Your policies
can automatically install the newest recommended driver for you, or wait for an admin
to manually approve drivers before they are installed. Intune and the Windows Update
for Business (WUfB) deployment service (DS) take care of the heavy lifting to identify
the applicable driver updates for devices that are assigned a driver updates policy. For
more information, see Driver updates policy.

Policy limitations for Workplace Joined devices

Microsoft introduced a cloud service as part of the Windows Update for Business
product family, Windows Update for Business deployment service (WUfB ds). As a cloud
service, WUfB ds supports device update capabilities that require a device to have an
Azure Active Directory registration (AADJ devices). These capabilities aren’t supported
with Workplace Join (WPJ) devices. Windows update management on WPJ devices
remains supported through core Windows Update for Business (WUfB) capabilities and
the Intune Update rings for Windows 10 and later policy type.

The following Intune policy types for Windows Updates use WUfB ds, which prevents
their support on WPJ devices:

Driver Updates for Windows 10 and later
Feature Updates for Windows 10 and later
Quality Updates for Windows 10 and later

If you support WPJ devices with Intune, the following information can help you
understand the differences in capabilities based on policy type, for both WPJ devices
and AADJ devices.

Capability | WUfB (via Update Ring policy) | WUfB-ds (via Driver, Feature, and Quality update policies)
WPJ device support | Yes | No
AADJ device support | Yes | Yes
Scan for Updates and Restart schedules | Yes | Use Update Ring policies to manage schedules
Enforce Update Deadlines | Yes | Use Update Ring policies to enforce deadlines
Control which updates to install | Feature: Yes (defer all feature updates by specified days). Quality: Yes (defer all quality updates by specified days). Drivers: Yes (allow or block all Recommended drivers; no support for Other drivers) | Feature: Yes (manage individual updates; specify Start Date or Gradual Rollout start and end dates). Quality: Use Update Ring policies. Drivers: Yes (manage individual Recommended and Other drivers)
Pause Updates | Feature: Pause all updates. Quality: Pause all updates. Drivers: Block all updates | Feature: Pause individual updates. Quality: Pause individual updates. Drivers: Pause individual updates
Expedite Quality Update | No | Yes
Reports - Summary count of devices (Feature updates, Quality updates) | WUfB reports | WUfB reports
Reports - Detailed status (per update) | WUfB reports | Yes, in Intune

Move from update ring deferrals to feature updates policy

When using Intune to manage Windows updates, it's possible to use both update rings
policy with update deferrals, and feature updates policy to manage the updates you
want to install on devices. If you're using feature updates, we recommend you end use
of deferrals as configured in your update rings policy. Combining update ring deferrals
with feature updates policy can create complexity that might delay update installations.
You can continue to use the user experience settings from update rings, as they don't
create issues when combined with feature updates policy.

While nothing prohibits use of both policy types to control which updates can install on
a device, there's typically no advantage to doing so. When both policy types apply to a
device, the conditions of both policy types must be met (be true) on the device before
it's offered an applicable update. This scenario can lead to updates not installing as
expected due to a block by one of the policy types.

Plan to transition
Plan to manage the change from using update ring deferrals to feature updates so that
the Windows Update service can be ready to deploy the updates you expect.

When Intune policies for Windows updates are created or modified, Intune passes
the policy details to Windows Update, which then determines the updates that are
applicable for each device that's assigned one or more update policies.

The process to evaluate updates for devices can take up to 10 minutes to
complete, and in some cases might take a bit longer.
If a device starts a scan for updates after a deferral has been set to zero or
removed for the device, but before Windows Update completes the processing of
the feature updates policy, that device can be offered an update you didn't plan
for it to install.

Use the following process to ensure Windows Update has processed your feature
updates policy before deferrals are removed.

Switch to feature updates policy

1. In the Microsoft Intune admin center, create a feature updates policy that
configures your desired Windows version, and assign it to applicable devices.

After the saved policy is assigned to devices, it will take a few minutes for Windows
Update to process the policy.

2. View the Windows 10 feature updates (Organizational) report for the feature
update policy, and verify devices have a state of OfferReady before you proceed.
Once all devices show OfferReady, Windows Update has completed processing the
policy.

3. After devices are verified to be in the OfferReady state you can safely reconfigure
the Windows 10 and later update ring policy for that same set of devices to
change the setting Feature update deferral period (days) to a value of 0.
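The OfferReady report shows the service side of this transition. To confirm the client side, that the ring's feature deferral is now 0 and feature updates aren't paused on the device, the following PowerShell reads the Update CSP values the update ring writes. This is an added example, not code from the Intune documentation or from Microsoft. It assumes that Intune-applied Update CSP settings are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update (Group Policy equivalents under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate are read as a fallback) and that the value names match the Update CSP node names (DeferFeatureUpdatesPeriodInDays, PauseFeatureUpdates, and so on). The function names are mine.

```powershell
# Added example, not Microsoft's code: read the Windows Update for Business deferral
# and pause values the Intune update ring has applied to this device, to confirm the
# "deferral to 0" step before relying on feature updates policy alone.
# Run in an elevated PowerShell session on the managed device.

# Assumption: Intune-applied Update CSP settings are mirrored under the PolicyManager
# key; Group Policy equivalents live under SOFTWARE\Policies. First value found wins.
$UpdatePolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update',   # MDM (Intune)
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'         # Group Policy
)

function Get-UpdatePolicyValue {
    param([string]$Name)
    foreach ($path in $UpdatePolicyPaths) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $path }
        }
    }
    return $null
}

function Test-FeatureUpdateTransition {
    # Value names follow the Update CSP nodes the update ring configures.
    # Expected = $null marks informational rows that are not part of the transition check.
    $checks = @(
        @{ Name = 'DeferFeatureUpdatesPeriodInDays'; Expected = 0;     Why = 'Feature update deferral period (days) must be 0' }
        @{ Name = 'PauseFeatureUpdates';             Expected = 0;     Why = 'Feature updates must not be paused in the ring' }
        @{ Name = 'DeferQualityUpdatesPeriodInDays'; Expected = $null; Why = 'Quality deferral stays under update ring control' }
        @{ Name = 'PauseQualityUpdates';             Expected = $null; Why = 'Quality pause state (informational)' }
    )
    foreach ($c in $checks) {
        $found = Get-UpdatePolicyValue -Name $c.Name
        # No value at all means nothing is deferring or pausing this update type.
        $ok = ($null -eq $c.Expected) -or ($null -eq $found) -or ([int]$found.Value -eq $c.Expected)
        $valueText  = if ($found) { "$($found.Value)" } else { 'not set' }
        $sourceText = if ($found) { $found.Source } else { '-' }
        $resultText = if ($ok) { 'OK' } else { 'REVIEW' }
        [pscustomobject]@{
            Setting = $c.Name
            Value   = $valueText
            Source  = $sourceText
            Result  = $resultText
            Note    = $c.Why
        }
    }
}

Test-FeatureUpdateTransition | Format-Table -AutoSize -Wrap
```

A REVIEW result on DeferFeatureUpdatesPeriodInDays or PauseFeatureUpdates means the device has not yet picked up the reconfigured ring (or another ring still applies), which is exactly the state in which a feature update can be held back or offered unexpectedly.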

Reporting on updates
To learn about report options for Update rings policy and Windows feature updates
policy, see Windows update reports.

Next steps
Use Windows update rings
Use Windows feature updates
Expedite quality updates
Use Windows driver updates policy
For more information, see Manage updates using Windows Update for Business in
the Windows documentation.
Update rings for Windows 10 and later
policy in Intune
Article • 08/30/2023

Create update rings that specify how and when Windows as a Service updates your
Windows 10/11 devices with feature and quality updates. With Windows 10/11, new
feature and quality updates include the contents of all previous updates. As long as
you've installed the latest update, you know your Windows devices are up to date.
Unlike with previous versions of Windows, you now must install the entire update
instead of part of an update.

Update rings can also be used to upgrade your eligible Windows 10 devices to Windows
11. To do so, when creating a policy you use the setting named Upgrade Windows 10
devices to Latest Windows 11 release by configuring it as Yes. When you use update rings
to upgrade to Windows 11, devices install the most current version of Windows 11. If
you later set the upgrade setting back to No, devices that haven't started the upgrade
won't start while devices that are in the process of upgrading will continue to do so.
Devices that have completed the upgrade will remain with Windows 11. For more
information on eligibility, see Windows 11 Specs and System Requirements | Microsoft.

Windows update rings support scope tags. You can use scope tags with update rings to
help you filter and manage sets of configurations that you use.

Prerequisites
The following prerequisites must be met to use Windows Update Rings for Windows
10/11 devices in Intune.

Devices must have access to endpoints. To get a detailed list of endpoints required
for the associated service listed here, see Network endpoints.
Windows Update

Devices must run Windows 10 version 1607 or later, or Windows 11.

Note

Although not required to configure Windows Update for Business, if the
Microsoft Account Sign-In Assistant (wlidsvc) service is disabled, Windows
Update doesn't offer feature updates to devices running Windows 10 1709 or
later, or Windows 11. For more information, see Feature updates are not
being offered while other updates are.

Devices must be one of the following supported Windows editions:

Windows 10/11 Pro

Windows 10/11 Enterprise

Windows 10/11 Team - for Surface Hub devices

Windows Holographic for Business - Windows Holographic for Business
supports a subset of settings for Windows updates, including:
Automatic update behavior
Microsoft product updates
Servicing channel: Any update build that is generally available.

For more information, see Manage Windows Holographic.

Windows 10/11 Enterprise LTSC - LTSC is supported for Quality updates, but not
for Feature updates. As a result, the following ring controls aren't supported for
LTSC:
Pause of Feature updates
Feature Update Deferral period (days)
Set feature update uninstall period (2 - 60 days)
Enable pre-release builds, which includes the following build options:
Windows Insider – Release Preview
Beta Channel
Dev Channel
Use deadline settings for Feature updates.

Limitations for Workplace Joined devices

Intune Update rings for Windows 10 and later require the use of Windows Update for
Business (WUfB), which supports devices that are Workplace Joined (WPJ). However, the
following Intune Windows Update policy types use WUfB and Windows Update for
Business deployment service (WUfB ds), which provides for additional capabilities that
are not supported for WPJ devices.

Driver updates for Windows 10 and later
Feature updates for Windows 10 and later
Quality updates for Windows 10 and later (also known as Expedited updates)
For more information about WPJ limitations for Intune Windows Update policies, see
Policy limitations for Workplace Joined devices in Manage Windows 10 and Windows 11
software updates in Intune.

Create and assign update rings

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Windows > Update rings for Windows 10 and later > Create
profile.

3. Under Basics, specify a name, a description (optional), and then select Next.

4. Under Update ring settings, configure settings for your business needs. For
information about the available settings, see Windows update settings. After
configuring Update and User experience settings, select Next.

5. Under Scope tags, select + Select scope tags to open the Select tags pane if you
want to apply them to the update ring. Choose one or more tags, and then click
Select to add them to the update ring and return to the Scope tags page.

When ready, select Next to continue to Assignments.

6. Under Assignments, choose + Select groups to include and then assign the
update ring to one or more groups. Use + Select groups to exclude to fine-tune
the assignment. Select Next to continue.
While update rings can deploy to both device and user groups, consider using only
device groups when you also use feature updates.

7. Under Review + create, review the settings, and then select Create when ready to
save your Windows update ring. Your new update ring is displayed in the list of
update rings.

Manage your Windows Update rings

In the portal, navigate to Devices > Windows > Update rings for Windows 10 and later
and select the policy that you want to manage. The policy opens to its Overview page.

From this page, you can view the ring's assignment status and select the following
actions from the top of the Overview pane to manage the update ring:

Delete
Pause
Resume
Extend
Uninstall

Delete
Select Delete to stop enforcing the settings of the selected Windows update ring.
Deleting a ring removes its configuration from Intune so that Intune no longer applies
and enforces those settings.

Deleting a ring from Intune doesn't modify the settings on devices that were assigned
the update ring. Instead, the device keeps its current settings. Devices don't maintain a
historical record of what settings they held previously. Devices can also receive settings
from other update rings that remain active.

To delete a ring

1. While viewing the overview page for an Update Ring, select Delete.
2. Select OK.

Pause
Select Pause to prevent assigned devices from receiving feature or quality updates for
up to 35 days from the time you pause the ring. After the maximum days have passed,
pause functionality automatically expires and the device scans Windows Updates for
applicable updates. Following this scan, you can pause the updates again. If you resume
a paused update ring, and then pause that ring again, the pause period resets to 35
days.

To pause a ring

1. While viewing the overview page for an Update Ring, select Pause.
2. Select either Feature or Quality to pause that type of update, and then select OK.
3. After pausing one update type, you can select Pause again to pause the other
update type.

When an update type is paused, the Overview pane for that ring displays how many
days remain before that update type resumes.

Important

After you issue a pause command, devices receive this command the next time they
check into the service. It's possible that before they check in, they might install a
scheduled update. Additionally, if a targeted device is turned off when you issue
the pause command, when you turn it on, it might download and install scheduled
updates before it checks in with Intune.

Resume
While an update ring is paused, you can select Resume to restore feature and quality
updates for that ring to active operation. After you resume an update ring, you can
pause that ring again.
To resume a ring
1. While viewing the overview page for a paused Update Ring, select Resume.
2. Select from the available options to resume either Feature or Quality updates, and
then select OK.
3. After resuming one update type, you can select Resume again to resume the other
update type.

Extend
While an update ring is paused, you can select Extend to reset the pause period for
both feature and quality updates for that update ring to 35 days.

To Extend the pause period for a ring

1. While viewing the overview page for a paused Update Ring, select Extend.
2. Select from the available options to resume either Feature or Quality updates, and
then select OK.
3. After extending the pause for one update type, you can select Extend again to
extend the other update type.

Uninstall
An Intune administrator can use Uninstall to uninstall (roll back) the latest feature
update or the latest quality update for an active or paused update ring. After
uninstalling one type, you can then uninstall the other type. Intune doesn't support or
manage the ability of users to uninstall updates.

Important

When you use the Uninstall option, Intune passes the uninstall request to devices
immediately.

Windows devices start removal of updates as soon as they receive the change
in Intune policy. Update removal isn't limited to maintenance schedules, even
when they're configured as part of the update ring.
If the update removal requires a device restart, the device restarts without
offering device users an option to delay.

For Uninstall to be successful:

A device must run the Windows 10 April 2018 update (version 1803) or later, or
Windows 11.

A device must have installed the latest update. Because updates are cumulative, devices
that install the latest update will have the most recent feature and quality update. An
example of when you might use this option is to roll back the last update should you
discover a breaking issue on your Windows machines.

Consider the following when you use Uninstall:

Uninstalling a feature or quality update is only available for the servicing channel
the device is on.

Using uninstall for feature or quality updates triggers a policy to restore the
previous update on your Windows machines.

On a Windows 10/11 device, after a quality update is successfully rolled back,
device users continue to see the update listed in Windows settings > Updates >
Update History.

When you initiate an uninstall of feature or quality updates on an Update Ring,
Intune also pauses updates of the same type on that Update Ring.

Once the feature or quality update pause elapses on an Update Ring, devices will
reinstall previously uninstalled feature or quality updates if they're still applicable.

Uninstallation will not be successful when the feature update was applied using an
Enablement Package. An Enablement Package is the most common way devices
update to Windows 10 22H2 from Windows 10 2004, 20H2, and 21H2 via Windows
Update for Business. To learn more about Enablement Packages, see KB5015684:
Feature update to Windows 10, version 22H2 by using an enablement package -
Microsoft Support. To learn more about using a script to uninstall Enablement
Packages, see Uninstalling Windows updates on managed devices using Intune.

For feature updates specifically, the time you can uninstall the update is limited
from 2-60 days. This period is configured by the update rings Update setting Set
feature update uninstall period (2 – 60 days). You can't roll back a feature update
that's been installed on a device after the update has been installed for longer than
the configured uninstall period.

For example, consider an update ring with a feature update uninstall period of 20
days. After 25 days you decide to roll back the latest feature update and use the
Uninstall option. Devices that installed the feature update over 20 days ago can't
uninstall it as they've removed the necessary bits as part of their maintenance.
However, devices that only installed the feature update up to 19 days ago can
uninstall the update if they successfully check in to receive the uninstall command
before exceeding the 20-day uninstall period.

For more information about Windows Update policies, see Update CSP in the Windows
client management documentation.
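The 20-day example above is easy to misjudge in practice because the clock starts at the device's own install time, not when the breaking issue is noticed. The following PowerShell, an added example and not code from the Intune documentation or from Microsoft, reads a device's actual rollback state before you rely on the ring's Uninstall action: the uninstall window from DISM /Online /Get-OSUninstallWindow (the device-side value the ring's Set feature update uninstall period (2 - 60 days) setting governs; DISM offers it on Windows 10 1803 and later) and the in-place upgrade timestamp from the "Source OS (Updated on ...)" subkeys Windows Setup leaves under HKLM:\SYSTEM\Setup. Both data sources and the function names are my assumptions about the device, not anything the page specifies.

```powershell
# Added example, not Microsoft's code: determine whether the latest feature update on
# this device is still inside its rollback window, so an Update Ring "Uninstall" would
# succeed if the device checks in now. Run in an elevated PowerShell session.

function Get-OSUninstallWindowDays {
    # Assumption: DISM prints a line such as "Uninstall Window : 10" while a previous
    # OS image is still kept; it errors out once the rollback bits have been removed.
    $output = & dism.exe /Online /Get-OSUninstallWindow 2>&1
    foreach ($line in $output) {
        if ("$line" -match 'Uninstall Window\s*:\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-LastFeatureUpdateDate {
    # Assumption: each in-place upgrade leaves a key named like
    # "Source OS (Updated on 7/25/2023 10:15:42)" under HKLM:\SYSTEM\Setup.
    $keys = Get-ChildItem -Path 'HKLM:\SYSTEM\Setup' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Source OS (Updated on *' }
    $dates = foreach ($k in $keys) {
        if ($k.PSChildName -match 'Updated on (.+)\)$') {
            $parsed = [datetime]::MinValue
            if ([datetime]::TryParse($Matches[1], [ref]$parsed)) { $parsed }
        }
    }
    if ($dates) { return ($dates | Sort-Object -Descending | Select-Object -First 1) }
    return $null
}

function Test-FeatureUpdateRollback {
    param(
        $WindowDays  = (Get-OSUninstallWindowDays),   # days configured by the update ring
        $InstalledOn = (Get-LastFeatureUpdateDate),   # when this device installed the feature update
        [datetime]$Now = (Get-Date)
    )
    if ($null -eq $WindowDays -or $null -eq $InstalledOn) {
        return [pscustomobject]@{
            CanRollBack = $false
            Reason      = 'No rollback image or upgrade timestamp found on this device'
        }
    }
    $elapsed   = [int][math]::Floor(($Now - $InstalledOn).TotalDays)
    $remaining = $WindowDays - $elapsed
    [pscustomobject]@{
        InstalledOn   = $InstalledOn
        WindowDays    = $WindowDays
        DaysElapsed   = $elapsed
        DaysRemaining = [math]::Max($remaining, 0)
        # The device has to receive the uninstall command before the window closes.
        CanRollBack   = ($remaining -gt 0)
        Reason        = if ($remaining -gt 0) { 'Within uninstall window' }
                        else { 'Uninstall period elapsed; maintenance removed the rollback bits' }
    }
}

# The page's scenario with a 20-day window: installed 25 days ago cannot roll back,
# installed 19 days ago still can (one day left to receive the command).
Test-FeatureUpdateRollback -WindowDays 20 -InstalledOn (Get-Date).AddDays(-25) | Format-List
Test-FeatureUpdateRollback -WindowDays 20 -InstalledOn (Get-Date).AddDays(-19) | Format-List

# Live state of this device.
Test-FeatureUpdateRollback | Format-List
```

Because the window is evaluated per device from its own install date, a fleet that took the same update on different days will split into devices that can roll back and devices that cannot, even under one ring; the report after the Uninstall action will reflect that split.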

To uninstall the latest Windows update

1. While viewing the overview page for a paused Update Ring, select Uninstall.
2. Select from the available options to uninstall either Feature or Quality updates,
and then select OK.
3. After you trigger the uninstall for one update type, you can select Uninstall again
to uninstall the remaining update type.

Validation and reporting

There are multiple options to get in-depth reporting for Windows 10/11 updates with
Intune. To learn more, see Windows update reports.

Next steps
Use Windows feature updates in Intune
Use Windows update compatibility reports
Use Windows update reports for Windows updates
Also see Windows Autopatch in the Windows deployment content for an
alternative solution
Feature updates for Windows 10 and
later policy in Intune
Article • 07/25/2023

With Feature updates for Windows 10 and later in Intune, you can select the Windows
feature update version that you want devices to remain at, like Windows 10 version
1909 or a version of Windows 11. Intune supports setting a feature level to any version
that remains in support at the time you create the policy.

You can also use feature updates policy to upgrade devices that run Windows 10 to
Windows 11.

Windows feature updates policies work with your Update rings for Windows 10 and later
policies to prevent a device from receiving a Windows feature version that's later than
the value specified in the feature updates policy.

When a device receives a policy for Feature updates:

The device updates to the version of Windows specified in the policy. A device that
already runs a later version of Windows remains at its current version. By freezing
the version, the device's feature set remains stable for the duration of the
policy.

Note

A device won't install an update when it has a safeguard hold for that
Windows version. When a device evaluates applicability of an update version,
Windows creates the temporary safeguard hold if an unresolved known issue
exists. Once the issue is resolved, the hold is removed and the device can then
update.

Learn more about safeguard holds in the Windows documentation for
Feature Update Status.

To learn about known issues that can result in a safeguard hold, see the
applicable Windows release information and then reference the relevant
Windows version from the table of contents for that page:
Windows 11 release information
Windows 10 release information
For example, for Windows 11 version 21H2, go to the Windows 11 release
information and then from the left-hand pane, select Version 21H2 and
then Known issues and notifications. The resultant page includes details for
known issues for that Windows version that might result in safeguard hold.

Unlike using Pause with an update ring, which expires after 35 days, the Feature
updates policy remains in effect. Devices won't install a new Windows version until
you modify or remove the Feature updates policy. If you edit the policy to specify a
newer version, devices can then install the features from that Windows version.

The ability to Uninstall the Feature update is still honored by the Update Rings.

You can configure policy to manage the schedule by which Windows Update
makes the offer available to devices. For more information, see Rollout options for
Windows Updates.

Prerequisites

Important

This feature is not supported on GCC and GCC High/DoD cloud environments.

The following are prerequisites for Intune's Feature updates for Windows 10 and later:

In addition to a license for Intune, your organization must have one of the
following subscriptions that include a license for Windows Update for Business
deployment service:
Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
Windows Virtual Desktop Access E3 or E5
Microsoft 365 Business Premium

Review your subscription details for applicability to Windows 11.

Beginning in November of 2022, the Windows Update for Business deployment
service (WUfB ds) license will be checked and enforced.

Capabilities supported by client policies on Professional SKU devices will not
require a license. That includes basic controls for deploying a specified feature
update and when to start making the update available to devices. The Gradual
Rollout capability is a cloud-only feature, requiring a license that includes the
Windows Update for Business deployment service.

If you’re blocked when creating new policies for capabilities that require WUfB ds
and you get your licenses to use WUfB through an Enterprise Agreement (EA),
contact the source of your licenses such as your Microsoft account team or the
partner who sold you the licenses. The account team or partner can confirm that
your tenant's licenses meet the WUfB ds license requirements. See Enable
subscription activation with an existing EA.

Devices must:

Run a version of Windows 10/11 that remains in support.

Be enrolled in Intune MDM and be Hybrid AD joined or Azure AD joined.

Have Telemetry turned on, with a minimum setting of Required.

Devices that receive a feature updates policy and that have Telemetry set to Not
configured (off), might install a later version of Windows than defined in the
feature updates policy. The prerequisite to require Telemetry is under review as
this feature moves towards general availability.

Configure Telemetry as part of a Device Restriction policy for Windows 10/11. In
the device restriction profile, under Reporting and Telemetry, configure the
Share usage data with a minimum value of Required. Values of Enhanced (1903
and earlier) or Optional are also supported.

The Microsoft Account Sign-In Assistant (wlidsvc) must be able to run. If the
service is blocked or set to Disabled, it fails to receive the update. For more
information, see Feature updates aren't being offered while other updates are.
By default, the service is set to Manual (Trigger Start), which allows it to run
when needed.

Have access to endpoints. To get a detailed list of endpoints required for the
associated services listed here, see Network endpoints.
Windows Update
Windows Update for Business deployment service

Feature updates are supported for the following Windows 10/11 editions:
Pro
Enterprise
Education
Pro for Workstations

Note

Unsupported versions and editions:

Windows 10/11 Enterprise LTSC: Windows Update for Business (WUfB) does
not support the Long Term Service Channel release. Plan to use alternative
patching methods, like WSUS or Configuration Manager.
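An added PowerShell readiness check, not code from the Intune documentation or from Microsoft, that evaluates a device against the prerequisites listed in this section and in the Update rings prerequisites earlier on this page: a supported edition that is not LTSC, Windows 10 1607 or later, Azure AD or hybrid Azure AD join, a telemetry policy of at least Required, and the Microsoft Account Sign-In Assistant (wlidsvc) not set to Disabled. Assumptions: the edition is read from the EditionID registry value (where EnterpriseS denotes LTSC), join state from dsregcmd /status, the telemetry level from the MDM (PolicyManager ... System\AllowTelemetry) and Group Policy (DataCollection\AllowTelemetry) locations, and build 14393 as the 1607 baseline. The function names are mine.

```powershell
# Added example, not Microsoft's code: evaluate a device against the Intune
# feature updates / update rings prerequisites described on this page.
# Run in an elevated PowerShell session on the managed device.

# Assumption: Intune device-scope policy values are mirrored under PolicyManager,
# Group Policy values under SOFTWARE\Policies. The first location with a value wins.
$TelemetryPolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System',   # Intune "Share usage data"
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'        # Group Policy
)
# EditionID values for the editions the page lists as supported (assumed naming).
$SupportedEditions = @('Professional', 'Enterprise', 'Education', 'ProfessionalWorkstation')

function Get-PolicyDword {
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        $v = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [int]$v.$Name }
    }
    return $null
}

function Test-FeatureUpdatePrerequisites {
    $build   = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $edition = $edition -creplace 'N$', ''         # N editions share the base edition ID (case-sensitive strip)
    $isLtsc  = $edition -eq 'EnterpriseS'          # LTSC: quality updates only, no feature updates

    # dsregcmd reports "AzureAdJoined : YES" for both Azure AD joined and hybrid joined devices.
    $dsreg        = (& dsregcmd.exe /status) -join "`n"
    $aadJoined    = $dsreg -match 'AzureAdJoined\s*:\s*YES'
    $domainJoined = $dsreg -match 'DomainJoined\s*:\s*YES'

    # AllowTelemetry: 1 = Required (the page's minimum); no value = Not configured (off).
    $telemetry     = Get-PolicyDword -Paths $TelemetryPolicyPaths -Name 'AllowTelemetry'
    $telemetryText = if ($null -eq $telemetry) { 'Not configured' } else { "$telemetry" }

    # wlidsvc defaults to Manual (Trigger Start); Disabled blocks feature update offers.
    $wlid     = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
    $wlidText = if ($wlid) { "$($wlid.StartType)" } else { 'Service not found' }

    @(
        [pscustomobject]@{ Check = 'Edition supported and not LTSC'
                           Value = $edition
                           Pass  = ($edition -in $SupportedEditions) -and -not $isLtsc }
        [pscustomobject]@{ Check = 'Windows 10 1607 (build 14393) or later'
                           Value = $build
                           Pass  = $build -ge 14393 }
        [pscustomobject]@{ Check = 'Azure AD joined or hybrid Azure AD joined'
                           Value = "AzureAdJoined=$aadJoined DomainJoined=$domainJoined"
                           Pass  = [bool]$aadJoined }
        [pscustomobject]@{ Check = 'Telemetry policy at least Required (1)'
                           Value = $telemetryText
                           Pass  = ($null -ne $telemetry) -and ($telemetry -ge 1) }
        [pscustomobject]@{ Check = 'wlidsvc start type is not Disabled'
                           Value = $wlidText
                           Pass  = ($null -ne $wlid) -and ("$($wlid.StartType)" -ne 'Disabled') }
    )
}

Test-FeatureUpdatePrerequisites | Format-Table -AutoSize -Wrap
```

The telemetry row is the one most worth watching: a device where it reads Not configured is exactly the device the page warns may install a later Windows version than the feature updates policy specifies, so a failing row there is a policy gap rather than a cosmetic finding.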

Limitations for Workplace Joined devices

Intune policies for Feature updates for Windows 10 and later require the use of Windows
Update for Business (WUfB) and Windows Update for Business deployment service
(WUfB ds). Where WUfB supports WPJ devices, WUfB ds provides for additional
capabilities that are not supported for WPJ devices.

For more information about WPJ limitations for Intune Windows Update policies, see
Policy limitations for Workplace Joined devices in Manage Windows 10 and Windows 11
software updates in Intune.

Limitations for Feature updates for Windows 10 and later policy
When you deploy a Feature updates for Windows 10 and later policy to a device
that also receives an Update rings for Windows 10 and later policy, review the
update ring for the following configurations:
We recommend setting the Feature update deferral period (days) to 0. This
configuration ensures your feature updates are not delayed by update deferrals
that might be configured in an update ring policy.
Feature updates for the update ring must be running. They must not be paused.

Tip

If you're using feature updates, we recommend you end use of deferrals as
configured in your update rings policy. Combining update ring deferrals with
feature updates policy can create complexity that might delay update
installations.
For more information, see Move from update ring deferrals to feature
updates policy.

Feature updates for Windows 10 and later policies cannot be applied during the
Autopilot out of box experience (OOBE). Instead, the policies apply at the first
Windows Update scan after a device has finished provisioning, which is typically a
day.

If you co-manage devices with Configuration Manager, feature updates policies
might not immediately take effect on devices when you newly configure the
Windows Update policies workload to Intune. This delay is temporary but can
initially result in devices updating to a later feature update version than is
configured in the policy.

To prevent this initial delay from impacting your co-managed devices:

1. Sign in to the Microsoft Intune admin center.

2. Go to Devices > Windows > Feature updates for Windows 10 and later >
Create profile.

3. For Deployment settings, enter a meaningful name and a description for the
policy. Then, Specify the feature update you want devices to be running.

4. Complete the policy configuration, including assigning the policy to devices.
The policy deploys to devices, though any device that already has the version
you’ve selected, or a newer version, won’t be offered the update.

Monitor the report for the policy. To do so, go to Reports > Windows
Updates > Reports Tab > Feature Updates report. Select the policy you
created and then generate the report.

5. Devices that have a state of OfferReady or later, are enrolled for feature
updates and protected from updating to anything newer than the update you
specified in step 3. See, Use the Windows 10 feature updates (Organizational)
report.

6. With devices enrolled for updates and protected, you can safely change the
Windows Update policies workload from Configuration Manager to Intune.
See, Switch workloads to Intune in the co-management documentation.

When the device checks in to the Windows Update service, the device's group
membership is validated against the security groups assigned to the feature
updates policy settings for any feature update holds.
Managed devices that receive feature update policy are automatically enrolled with
the Windows Update for Business deployment service. The deployment service
manages the updates a device receives. The service is utilized by Microsoft Intune
and works with your Intune policies for Windows updates to deploy feature
updates to devices.

When a device is no longer assigned to any feature update policies, Intune waits
90 days to unenroll that device from feature update management and to unenroll
that device from the deployment service. This delay allows time to assign the
device to a different policy and ensure that in the meantime the device doesn’t
receive a feature update that wasn't intended.

This means that when a feature updates policy no longer applies to a device, that
device won’t be offered any feature updates until one of the following happens:
90 days elapse.
The device is assigned to a new feature update profile.
The device is unenrolled from Intune, which unenrolls the device from feature
update management by the Deployment Service.
You use the Windows Update for Business deployment service graph API to
remove the device from feature update management.

To keep a device at its current feature update version and prevent it from being
unenrolled and updated to the most recent feature update version, ensure the
device remains assigned to a feature update policy that specifies the device's
current Windows version.

Create and assign Feature updates for Windows 10 and later policy
1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Windows > Feature updates for Windows 10 and later > Create
profile.

3. Under Deployment settings:

Specify a name, a description (optional), and for Feature update to deploy,
select the version of Windows with the feature set you want, and then select
Next. Only versions of Windows that remain in support are available to select.

Configure Rollout options to manage when Windows Updates makes the
update available to devices that receive this policy. For information about
using these options, see Rollout options for Windows Updates.

4. Under Assignments, choose + Select groups to include and then assign the
feature updates deployment to one or more device groups. Select Next to
continue.

5. Under Review + create, review the settings. When ready to save the Feature
updates policy, select Create.

Upgrade devices to Windows 11

You can use policy for Feature updates for Windows 10 and later to upgrade devices that
run Windows 10 to Windows 11.

When you use feature updates policy to deploy Windows 11, you can target the policy
to Windows 10 devices that meet the Windows 11 minimum requirements to upgrade
them to Windows 11. Devices that don’t meet the requirements for Windows 11 won’t
install the update and remain at their current Windows 10 version.

However, if a Windows 10 device that can’t run Windows 11 is targeted with a Windows
11 update, future Windows 10 updates will not be offered to that device automatically.
In this case, remove the not eligible device from the Windows 11 policy and assign the
device to a Windows 10 feature update policy. See Update behavior when multiple
policies target a device.

When there are multiple versions of Windows 11 available, you can choose to deploy
the latest build. When you deploy the latest build to a group of devices, those devices
that already run Windows 11 will update while devices that still run Windows 10 will
upgrade to that version of Windows 11 if they meet the upgrade requirements. In this
way, you can always upgrade supported Windows 10 devices to the latest Windows 11
version even if you choose to delay the upgrade of some devices until a future time.

Prepare to upgrade to Windows 11

The first step in preparing for a Windows 11 upgrade is to ensure your devices meet the
minimum system requirements for Windows 11.

You can use Endpoint analytics in Microsoft Intune to determine which of your devices
meet the hardware requirements. If some of your devices don't meet all the
requirements, you can see exactly which ones aren't met. To use Endpoint analytics, your
devices must be managed by Intune, co-managed, or have the Configuration Manager
client version 2107 or newer with tenant attach enabled.
If you’re already using Endpoint analytics, navigate to the Work from anywhere report,
and select the Windows score category in the middle to open a flyout with aggregate
Windows 11 readiness information. For more granular details, go to the Windows tab at
the top of the report. On the Windows tab, you’ll see device-by-device readiness
information.
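Endpoint analytics gives the fleet-wide readiness view described above. For spot-checking a single device, the following added PowerShell (not Microsoft's code and not part of the Intune documentation) tests the Windows 11 minimum system requirements as Microsoft publishes them: a 64-bit CPU with two or more cores at 1 GHz or faster, 4 GB of RAM, a 64 GB system disk, UEFI firmware that supports Secure Boot, and an enabled TPM 2.0. The thresholds, the tolerances for how firmware and disk vendors report sizes, and the cmdlets used to read each value (Win32_Tpm via CIM, Confirm-SecureBootUEFI, Get-Partition piped to Get-Disk) are my assumptions.

```powershell
# Added example, not Microsoft's code: check one device against the Windows 11
# minimum system requirements before targeting it with a Windows 11 feature
# updates policy. Run in an elevated PowerShell session (the Secure Boot and TPM
# queries need administrator rights).

function Test-Windows11Readiness {
    $cpu     = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs      = Get-CimInstance -ClassName Win32_ComputerSystem
    $sysDisk = Get-Partition -DriveLetter ($env:SystemDrive.TrimEnd(':')) | Get-Disk
    $tpm     = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI returns the current state on UEFI systems and throws
    # PlatformNotSupportedException on legacy BIOS (assumed exception type).
    $firmware     = 'UEFI'
    $secureBootOn = $null
    try   { $secureBootOn = Confirm-SecureBootUEFI }
    catch [System.PlatformNotSupportedException] { $firmware = 'Legacy BIOS' }
    catch { $firmware = 'Unknown (query failed; run elevated)' }

    # SpecVersion looks like "2.0, 0, 1.59"; the first field is the TPM specification version.
    $tpmSpec    = if ($tpm -and $tpm.SpecVersion) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $tpmEnabled = [bool]($tpm -and $tpm.IsEnabled_InitialValue)

    @(
        [pscustomobject]@{ Requirement = 'CPU: 64-bit, 2+ cores, 1 GHz or faster'
                           Observed    = "$($cpu.AddressWidth)-bit, $($cpu.NumberOfCores) cores, $($cpu.MaxClockSpeed) MHz"
                           Pass        = ($cpu.AddressWidth -eq 64) -and ($cpu.NumberOfCores -ge 2) -and ($cpu.MaxClockSpeed -ge 1000) }
        [pscustomobject]@{ Requirement = 'RAM: 4 GB'
                           Observed    = ('{0:N2} GB' -f ($cs.TotalPhysicalMemory / 1GB))
                           # Firmware reserves some memory, so a nominal 4 GB module reports slightly less.
                           Pass        = ($cs.TotalPhysicalMemory -ge 3.5GB) }
        [pscustomobject]@{ Requirement = 'Storage: 64 GB system disk'
                           Observed    = ('{0:N0} GB' -f ($sysDisk.Size / 1GB))
                           # A marketed 64 GB disk is about 59.6 GiB, which is what Size reports.
                           Pass        = ($sysDisk.Size -ge 59GB) }
        [pscustomobject]@{ Requirement = 'Firmware: UEFI with Secure Boot support'
                           Observed    = "$firmware, Secure Boot on: $secureBootOn"
                           Pass        = ($firmware -eq 'UEFI') }
        [pscustomobject]@{ Requirement = 'TPM 2.0, enabled'
                           Observed    = "spec $tpmSpec, enabled: $tpmEnabled"
                           Pass        = ($tpmSpec -eq '2.0') -and $tpmEnabled }
    )
}

Test-Windows11Readiness | Format-Table -AutoSize -Wrap
```

The firmware row reports Secure Boot capability rather than state on purpose: the upgrade requirement is a UEFI system that can run Secure Boot, while whether it is switched on is a separate hardening decision. A device failing the TPM or firmware row is the one the section after this warns about: targeting it with a Windows 11 policy leaves it without Windows 10 updates until it is moved back to a Windows 10 feature update policy.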

Licensing for Windows 11 versions

Windows 11 includes a new license agreement, which can be viewed at
https://www.microsoft.com/useterms/. This license agreement is automatically
accepted by an organization that submits a policy to deploy Windows 11.

When you configure a policy in the Microsoft Intune admin center to deploy any
Windows 11 version, the Microsoft Intune admin center displays a notice to remind you
that by submitting the policy you are accepting the Windows 11 License Agreement
terms on behalf of the devices and your device users. After submitting the feature
updates policy, end users won’t see or need to accept the license agreement, making
the update process seamless.

This license reminder appears each time you select a Windows 11 build, even if all your
Windows devices already run Windows 11. This prompt is provided because Intune
doesn’t track which devices will receive the policy, and it's possible new devices that run
Windows 10 might later enroll and be targeted by the policy.

For more information including general licensing details, see the Windows 11
documentation.

Create policy for Windows 11

To deploy Windows 11, you’ll create and deploy a feature updates policy just as you
might have done previously for a Windows 10 device. It’s the same process though
instead of selecting a Windows 10 version, you’ll select a Windows 11 version from the
Feature update to deploy dropdown list. The dropdown list displays both Windows 10
and Windows 11 version updates that are in support.

Policies for Windows 11 and Windows 10 can exist side by side in Microsoft Intune.
Deploying an older Windows version to a device won’t downgrade the device.
Devices only install an update when it's newer than the device's current version.
Deploying a Windows 11 update to a Windows 10 device that supports Windows
11, upgrades that device.
Avoid deploying a Windows 11 policy to a Windows 10 device that doesn't support
Windows 11.
Update behavior when multiple policies target a device
Consider the following points when feature update policies target a device with more
than one update policy, or target a Windows 10 device with an update for Windows 11:

Each Windows feature update policy supports a single update. When a device is
targeted by more than one policy, it might be targeted with multiple update
versions.

The Windows Update service can only offer a device one feature update at a time,
and always offers the latest update version that targets the device.

Because Windows 11 updates are considered to be later versions than Windows
10, the service always offers the Windows 11 update to a device targeted by both
Windows 10 and Windows 11 updates. This is done because deploying a Windows
11 update to a Windows 10 device is a supported upgrade path.

The Windows Update for Business deployment service can’t determine that a
device can’t run Windows 11. Therefore, if a Windows 10 device that can’t run
Windows 11 is targeted with a Windows 11 update, Windows 10 updates will not
be offered automatically. In this case, remove the not eligible device from the
Windows 11 policy and assign the device to a Windows 10 feature update policy.

Manage Feature updates for Windows 10 and later policy
In the admin center, go to Devices > Windows > Feature updates for Windows 10 and
later to view your profiles.

For each profile you can view:

Feature Update Version – The feature update version in the profile.

Assigned – If the profile is assigned to one or more groups.

Support – The status of the feature update:
Supported – The feature update version is in support and can deploy to
devices.
Support Ending – The feature update version is within two months of its
support end date.
Not supported – Support for the feature update has expired and it no longer
deploys to devices.

Support End Date – The end of support date for the feature update version.

Note

The date provided is for the Enterprise and Education editions of Windows. To find
the support dates for other editions supported by Windows Update for Business
deployment service, see the Microsoft Product Lifecycle site.

Selecting a profile from the list opens the profile's Overview pane, where you can:

Select Delete to delete the policy from Intune and remove it from devices.
Select Properties to modify the deployment. On the Properties pane, select Edit to
open the Deployment settings or Assignments, where you can then modify the
deployment.

Note

The End user update status Last Scanned Time value returns 'Not scanned yet'
until an initial user signs in and an Update Session Orchestrator (USO) scan is initiated.
For more information on the Unified Update Platform (UUP) architecture and
related components, see Get started with Windows Update.

Validation and reporting
There are multiple options to get in-depth reporting for Windows 10/11 updates with
Intune. Windows update reports show details about your Windows 10 and Windows 11
devices side by side in the same report.

To learn more, see Intune compliance reports.

Next steps
Use Windows update rings in Intune
Use Windows update compatibility reports
Use Windows update reports for Windows 10/11 updates
Also see Windows Autopatch in the Windows deployment content for an
alternative solution
Expedite Windows quality updates in Microsoft Intune
Article • 08/30/2023

With Quality updates for Windows 10 and Later policy, you can expedite the install of the
most recent Windows 10/11 security updates as quickly as possible on devices you
manage with Microsoft Intune. Deployment of expedited updates is done without the
need to pause or edit your existing monthly servicing policies. For example, you might
expedite a specific update to mitigate a security threat when your normal update
process wouldn’t deploy the update for some time.

Not all updates can be expedited. Currently, only Windows 10/11 security updates that
can be expedited are available to deploy with Quality updates policy. To manage regular
monthly quality updates, use Update rings for Windows 10 and later policies.

How expedited updates work
With expedited updates, you can speed installation of quality updates like the most
recent patch Tuesday release or an out-of-band security update for a zero-day flaw.

To speed installation, expedite is able to check for expedited updates more frequently
than the normal Windows Update scan frequency. This process enables devices to start
the download and install of an expedited update as soon as possible, without having to
wait for the device to check in for updates.

The actual time that a device starts to update depends on the device being online, its
scan timing, whether communication channels to the device are functioning, and other
factors like cloud-processing time.

For each expedite update policy you select a single update to deploy based on its
release date. By using the release date, you don’t have to create separate policies
to deploy different instances of that update to devices that have different versions
of Windows, like Windows 10 version 1809, 1909, and so on.

Windows Update evaluates the build and architecture of each device, and then
delivers the version of the update that applies.

Only devices that need the update receive the expedited update:
Windows Update doesn’t try to expedite the update for devices that already
have a revision that’s equal to or greater than the update version.
For devices with a lower build version than the update, Windows Update
confirms that the device still requires the update before installing it.

Important

In some scenarios, Windows Update can install an update that is more recent
than the update you specify in expedite update policy. For more information
about this scenario, see About installing the latest applicable update, later in
this article.

Expedite update policies ignore and override any quality update deferral periods
for the update version you deploy. You can configure quality updates deferrals by
using Intune Windows update rings and the setting for Quality update deferral
period.

When a restart is required to complete installation of the update, the policy helps
to manage the restart. In the policy, you can configure a period that users have to
restart a device before the policy forces an automatic restart. Users can also
choose to schedule the restart or let the device try to find the best time outside of
the device's Active Hours. Before reaching the restart deadline, the device displays
notifications to alert device users about the deadline and includes options to
schedule the restart.

If a device doesn’t restart before the deadline, the restart can happen in the middle
of the working day. For more information on restart behavior, see Enforcing
compliance deadlines for updates.

Expedite is not recommended for normal monthly quality update servicing.
Instead, consider using the deadline settings from an Update ring for Windows 10
and later policy. For information, see Use deadline settings under the user
experience settings in Windows update settings.

Prerequisites

Important

This feature is not supported on GCC and GCC High/DoD cloud environments.

The following are requirements to qualify for installing expedited quality updates with
Intune:
Licensing:

In addition to a license for Intune, your organization must have one of the following
subscriptions that include a license for Windows Update for Business deployment
service:

Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
Windows Virtual Desktop Access E3 or E5
Microsoft 365 Business Premium

Beginning in November of 2022, the Windows Update for Business deployment service
(WUfB ds) license will be checked and enforced.

If you're blocked when creating new policies for capabilities that require WUfB ds and
you get your licenses to use WUfB through an Enterprise Agreement (EA), contact the
source of your licenses, such as your Microsoft account team or the partner who sold
you the licenses. The account team or partner can confirm that your tenant's licenses
meet the WUfB ds license requirements. See Enable subscription activation with an
existing EA.

Supported Windows 10/11 versions:

Windows 10/11 versions that remain in support for Servicing, on x86 or x64
architecture

Only update builds that are generally available are supported. Preview builds, including
the Beta and Dev channels, are not supported with expedited updates.

Supported Windows 10/11 editions:

Professional
Enterprise
Education
Pro Education
Pro for Workstations

Devices must:

Be enrolled in Intune MDM, or be co-managed with the Windows Update policies
workload set to Intune or Pilot Intune.

Be Azure Active Directory (AD) Joined, or Hybrid Azure AD Joined. Workplace Join
isn't supported.
Have access to endpoints. To get a detailed list of endpoints required for the
associated services listed here, see Network endpoints.
Windows Update
Windows Update for Business deployment service
Windows Push Notification Services: (Recommended, but not required. Without
this access, devices might not expedite updates until their next daily check for
updates.)

Be configured to get Quality Updates directly from the Windows Update service.

Have the Update Health Tools installed, which are installed with KB 4023057 -
Update for Windows 10 Update Service components. To confirm the presence of
the Update Health Tools on a device:
Look for the folder C:\Program Files\Microsoft Update Health Tools or review
Add/Remove Programs for Microsoft Update Health Tools.
As an admin, run the following PowerShell script:

PowerShell

# Search the local Windows Update history for KB4023057, which installs the Update Health Tools.
$Session = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$historyCount = $Searcher.GetTotalHistoryCount()
$list = $Searcher.QueryHistory(0, $historyCount) | Select-Object -Property "Title"
foreach ($update in $list)
{
    # Some history entries have an empty Title, so guard before calling Contains.
    if ($update.Title -and $update.Title.Contains("4023057"))
    {
        return 1
    }
}
return 0

If the script returns 1, the device has the UHS client. If the script returns 0, the
device doesn't have the UHS client.

Device settings:

To help avoid conflicts or configurations that can block installation of expedited
updates, configure devices as follows. You can use Intune Update rings for Windows 10
and later policies to manage these settings.

Update ring setting | Recommended value
Enable pre-release builds | This setting should be set to Not configured. Preview builds, including the Beta and Dev channels, are not supported with expedited updates.
Automatic update behavior | Reset to default. Other values might cause a poor user experience and slow the process to expedite updates.
Change notification update level | Use any value other than Turn off all notifications, including restart warnings.

For more information about these settings, see Policy CSP – Update.

Group Policy settings override mobile device management policies, and the following
list of Group Policy settings can interfere with Expedited policy. On devices where these
settings were managed by Group Policy, restore them to their device defaults (Not
configured):

CorpWuURL - Specify intranet Microsoft update service location.
AutoUpdateCfg - Configure Automatic Updates.
DeferFeatureUpdates - Select when Preview Builds and Feature Updates are
received.
Disable Dual Scan - Don't allow update deferral policies to cause scans against
Windows Update.
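The following read-only script, added here as an example and not part of the Intune documentation, reports which of those four Group Policy settings are still configured on a device by reading the policy registry values they write. The mapping from each setting name to its registry value names is an assumption based on the WindowsUpdate ADMX; verify it against your own policy templates.

```powershell
# Added example (not from the Intune docs): audit the Windows Update Group Policy
# registry values that can interfere with expedite policies. Read-only; changes nothing.
# Setting-name -> value-name mapping is assumed from the WindowsUpdate ADMX.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Group Policy setting (as named in the article) and the registry values it writes.
$checks = @(
    @{ Setting = 'CorpWuURL (Specify intranet Microsoft update service location)'
       Path    = $wuPolicy
       Values  = 'WUServer', 'WUStatusServer', 'UpdateServiceUrlAlternate' },
    @{ Setting = 'AutoUpdateCfg (Configure Automatic Updates)'
       Path    = $auPolicy
       Values  = 'NoAutoUpdate', 'AUOptions' },
    @{ Setting = 'DeferFeatureUpdates (Select when Preview Builds and Feature Updates are received)'
       Path    = $wuPolicy
       Values  = 'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays', 'BranchReadinessLevel' },
    @{ Setting = 'Disable Dual Scan'
       Path    = $wuPolicy
       Values  = 'DisableDualScan' }
)

function Get-ExpediteBlockingPolicy {
    foreach ($check in $checks) {
        foreach ($name in $check.Values) {
            # A missing key or value is simply "Not configured", so suppress the error.
            $item = Get-ItemProperty -Path $check.Path -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                [pscustomobject]@{
                    GroupPolicySetting = $check.Setting
                    RegistryPath       = $check.Path
                    ValueName          = $name
                    Data               = $item.$name
                }
            }
        }
    }
}

$findings = @(Get-ExpediteBlockingPolicy)
if ($findings.Count -eq 0) {
    Write-Output 'No Windows Update Group Policy values present; device is at defaults (Not configured).'
} else {
    Write-Output 'Group Policy values present that can interfere with expedited updates:'
    $findings | Format-Table -AutoSize
    Write-Output 'Set these to Not configured in the GPO that delivers them, then run gpupdate /force on the device.'
}
```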

Enable Windows Health Monitoring:

Before you can monitor results and update status for expedited updates, your Intune
tenant must enable Windows Health Monitoring. While configuring Windows Health
Monitoring, be sure to set the Scope to Windows updates.

Limitations for Workplace Joined devices

Intune policies for Quality updates for Windows 10 and later require the use of Windows
Update for Business (WUfB) and Windows Update for Business deployment service
(WUfB ds). While WUfB supports WPJ devices, WUfB ds provides additional
capabilities that aren't supported for WPJ devices.

For more information about WPJ limitations for Intune Windows Update policies, see
Policy limitations for Workplace Joined devices in Manage Windows 10 and Windows 11
software updates in Intune.

Create and assign an expedited quality update

1. Sign in to the Microsoft Intune admin center.
2. Select Devices > Quality updates for Windows 10 and later > Create profile.

3. In Settings, enter the following properties to identify this profile:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later.

Description: Enter a description for the profile. This setting is optional but
recommended.

4. In Settings, configure Expedite installation of quality updates if device OS version
less than. Select the update that you want to expedite from the drop-down list.
The list includes only the updates you can expedite.

Tip

Optional Windows quality updates can't be expedited and won't be available
to select.
When selecting an update:

Updates are identified by their release date, and you can select only one
update per policy.

Updates that include the letter B in their name identify updates that released
as part of a patch Tuesday event. The letter B identifies that the update
released on the second Tuesday of the month.

Security updates for Windows 10/11 that release out of band from a patch
Tuesday can be expedited. Instead of the letter B, out-of-band patch releases
have different identifiers.

When the update deploys, Windows Update ensures that each device that
receives the policy installs a version of the update that applies to that device's
architecture and its current Windows version, like version 1809, 2004, and so
on.

Tip

For more information, see the blog Windows 10 update servicing cadence -
Microsoft Tech Community.

5. In Settings, configure Number of days to wait before forced reboot. For this
setting, select how soon after installing the update a device will automatically
restart to complete the update installation. You can select from zero to two days.
The automatic restart is canceled if a device manually restarts before the deadline.
If an update doesn’t require a restart, this setting isn’t enforced.

A setting of 0 days means that as soon as the device installs the update, the
user is notified about the restart and has limited time to save their work.

Important

This experience can impact user productivity. Consider using it for those
devices or updates that must complete and restart the device as soon as
possible.

A setting of 1 day or 2 days provides device users flexibility to manage a
restart before it's forced. These settings correspond to an automatic restart
delay of 24 or 48 hours after the update installs on the device.

6. In Assignments, select Add groups and then select device or user groups to assign
the policy.

7. In Review + create, select Create. After the policy is created, it deploys to assigned
groups.

Identify the latest applicable update
There are some scenarios when your policy to expedite an update results in the
installation of a more recent update than specified in policy. This result occurs when the
newer update includes and surpasses the specified update, and that newer update is
available before a device checks in to install the update that's specified in the expedite
update policy. A detailed example of this scenario is provided later in this article.

Installing the most recent quality update reduces disruptions to the device and user
while applying the benefits of the intended update. This avoids having to install multiple
updates, which each might require separate reboots.
A more recent update is deployed when the following conditions are met:

The device isn't targeted with a deferral policy that blocks installation of a more
recent update. In this case, the most recently available update that isn't deferred is
the update that might install.

During the process to expedite an update, the device runs a new scan that detects
the newer update. This can occur due to the timing of:
When the device restarts to complete installation
When the device runs its daily scan
When a new update becomes available

When a scan identifies a newer update, Windows Update attempts to stop
installation of the original update, cancel the restart, and then start the download
and installation of the more recent update.

While expedite update policies will override an update deferral for the update version
that’s specified in the policy, they don’t override deferrals that are in place for any other
update version.

Example of installing an expedited update

The following sequence of events provides an example of how two devices, named
Test-1 and Test-2, install an update based on a Quality updates for Windows 10 and Later
policy that's assigned to the devices.

1. Each month, Intune administrators deploy the most recent Windows 10 quality
updates on the fourth Tuesday of the month. This period gives them two weeks
after the patch Tuesday event to validate the updates in their environment before
they force installation of the update.

2. On January 19, 2021, device Test-1 and Test-2 install the latest quality update from
the patch Tuesday release on January 12. The next day, both devices are turned off
by their users who are each leaving on vacation.

3. On February 9, the Intune admin creates a policy to expedite installation of the
patch Tuesday release 02/09/2021 – 2021.02 B Security Updates for Windows 10
to help secure company devices against a critical threat that the update resolves.
The expedite policy is assigned to a group of devices that includes both Test-1 and
Test-2. All devices in that group that are active receive and install the expedited
update policy.

4. At the March 9 patch Tuesday event, a new quality update releases as 03/09/2021
– 2021.03 B Security Updates for Windows 10. There are no critical issues that
require an expedited deployment of this update, but admins do find a possible
conflict. To provide time to review the possible issue, admins use a Windows
update ring policy to create a seven-day deferral policy. All managed devices are
prevented from installing this update until March 14.

5. Now consider the following results for Test-1 and Test-2, based on when each is
turned back on:

Test-1 - On March 12, Test-1 is powered back on, connects to the network,
and receives expedited update notifications:
a. Windows Update determines that Test-1 still needs to expedite the update
installation, per policy.
b. Because the March 9 update supersedes the February update, Windows
Update could install the March 9 update.
c. There's an active deferral for the March update that won't expire until
March 14.

Result: With the deferral policy for the March update still active and blocking
installation of that update, Test-1 installs the February update as
configured in policy.

Test-2 - On March 20, Test-2 is powered back on, connects to the network,
and receives expedited update notifications:
a. Windows Update determines that Test-2 still needs to expedite the update
installation, per policy.
b. Because the March 9 update supersedes the February update, Windows
Update could install the March 9 update.
c. There's no longer an active deferral for the March update.

Result: With the deferral policy for the March update having expired, Test-2
installs the more recent March update, skipping over the February update
and installing a later update than was specified in policy.
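As an added illustration that is not part of the Intune documentation, the following PowerShell function models the decision described in this walkthrough: the expedite policy's update competes with any newer update that is available at check-in, and a deferral on another version blocks that version until it expires. It is a model of the documented behavior, not Windows Update's own logic; the dates and the March 14 deferral end are taken from the example above.

```powershell
# Added example (not from the Intune docs): model of how an expedite policy, a newer
# superseding update, and an update-ring deferral interact at device check-in time.

function Resolve-ExpeditedUpdate {
    param(
        [Parameter(Mandatory)][datetime]   $ExpeditedRelease,   # release date selected in the expedite policy
        [Parameter(Mandatory)][datetime[]] $AvailableReleases,  # release dates of quality updates published so far
        [Parameter(Mandatory)][datetime]   $CheckInDate,        # when the device comes online and scans
        [datetime] $InstalledRelease,                           # newest quality update already on the device
        [datetime] $DeferredRelease,                            # release held back by an update-ring deferral
        [datetime] $DeferralEnds                                # date that deferral expires
    )

    # Devices already at or beyond the expedited revision are not expedited at all.
    if ($PSBoundParameters.ContainsKey('InstalledRelease') -and $InstalledRelease -ge $ExpeditedRelease) {
        return [pscustomobject]@{
            Installs = $InstalledRelease.ToString('yyyy-MM-dd')
            Reason   = 'Device already has this revision or newer'
        }
    }

    # Candidates: the expedited update plus any newer update that exists at check-in.
    $candidates = @($ExpeditedRelease) +
                  @($AvailableReleases | Where-Object { $_ -gt $ExpeditedRelease -and $_ -le $CheckInDate })

    # The expedite policy overrides a deferral only for its own update; a deferral on
    # any other version still applies until it expires.
    $deferralActive = $PSBoundParameters.ContainsKey('DeferredRelease') -and
                      $PSBoundParameters.ContainsKey('DeferralEnds') -and
                      $DeferredRelease -ne $ExpeditedRelease -and
                      $CheckInDate -lt $DeferralEnds
    if ($deferralActive) {
        $candidates = $candidates | Where-Object { $_ -ne $DeferredRelease }
    }

    # Windows Update installs the most recent update that is applicable and not deferred.
    $chosen = $candidates | Sort-Object -Descending | Select-Object -First 1
    $reason = if ($chosen -gt $ExpeditedRelease) {
        'A newer superseding update was available and not deferred, so it installs instead'
    } else {
        'The expedited update installs as specified in policy'
    }
    [pscustomobject]@{ Installs = $chosen.ToString('yyyy-MM-dd'); Reason = $reason }
}

# Constructed scenario mirroring the walkthrough: expedite policy for the 02/09/2021 B
# release, the 03/09/2021 B release deferred until March 14, and both devices last
# patched with the January release.
$scenario = @{
    ExpeditedRelease  = [datetime]'2021-02-09'
    AvailableReleases = [datetime]'2021-01-12', [datetime]'2021-02-09', [datetime]'2021-03-09'
    InstalledRelease  = [datetime]'2021-01-12'
    DeferredRelease   = [datetime]'2021-03-09'
    DeferralEnds      = [datetime]'2021-03-14'
}
Resolve-ExpeditedUpdate @scenario -CheckInDate ([datetime]'2021-03-12')   # Test-1: back during the deferral
Resolve-ExpeditedUpdate @scenario -CheckInDate ([datetime]'2021-03-20')   # Test-2: back after it expires
```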

Manage policies to expedite quality updates
In the admin center, go to Devices > Windows > Quality updates for Windows 10 and
later and select the policy that you want to manage. The policy opens to its Overview
pane.

From this pane, you can:

Select Delete to delete the policy from Intune. Deleting a policy removes it from
Intune but won’t result in the update uninstalling if it has already completed
installation. Windows Update will attempt to cancel any in-progress installations,
but a successful cancellation of an in-progress install can’t be guaranteed.

Select Properties to modify the deployment. On the Properties pane, select Edit to
open the Settings, Scope tags, or Assignments, where you can then modify the
deployment.

Monitoring and reporting
Before you can monitor results and update status for expedited updates, your Intune
tenant must enable Windows Health Monitoring.

Important

When you configure the Windows Health Monitoring profile, during step seven you
must set the Scope to Windows updates.

After a policy has been created you can monitor results, update status, and errors from
the following reports.

Summary report
This report shows the current state of all devices in the profile and provides an overview
of how many devices are in progress of installing an update, have completed the
installation, or have an error.

1. Sign in to the Microsoft Intune admin center.

2. Select Reports > Windows updates. On the Summary tab you can view the
Windows Expedited Quality updates table.

3. To drill in for more information, select the Reports tab, and then Windows
Expedited Update Report.

4. Click the link Select an expedited update profile.

5. From the list of profiles that is shown on the right side of the page, select a profile
to see results.

6. Select the Generate report button.


Device report
This report can help you find devices with alerts or errors and can help you troubleshoot
update issues.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Monitor.

3. In the list of monitoring reports, scroll to the Software updates section and select
Windows Expedited update failures.

4. From the list of profiles that is shown on the right side of the page, select a profile
to see results.

Update states

Update State | Update SubState | Definition
Pending | Validating | The device has been added to the policy in the service and validation that the device can be expedited has begun.
Pending | Scheduled | Device has passed validation and will be expedited.
Offering | OfferReady | The expedite instructions have been sent to the device.
Installing | OfferReceived | Device scanned against Windows Update and the update is applicable but hasn't yet begun to download.
Installing | DownloadStart | The device has begun to download the update.
Installing | DownloadComplete | The device has downloaded the update.
Installing | InstallStart | The device has begun to install the update.
Installing | InstallComplete | The device has completed installing the update. Unless the update has an update error, the device should move quickly to RestartRequired or UpdateInstalled.
Installing | RestartRequired | The installation is complete and requires a restart.
Installing | RestartInitiated | The device has begun a restart.
Installing | RestartComplete | The device has completed the restart.
Installed | UpdateInstalled | Update has successfully completed.

Next steps
Configure Update rings for Windows 10 and later
Configure Feature updates for Windows 10 and later
Use Windows update compatibility reports
View Windows release information
Windows Driver update management in Microsoft Intune
Article • 07/26/2023

With Windows Driver Update Management in Microsoft Intune, you can review, approve
for deployment and pause deployments of driver updates for your managed Windows
10 and Windows 11 devices. Intune and the Windows Update for Business (WUfB)
deployment service (DS) take care of the heavy lifting to identify the applicable driver
updates for devices that are assigned a driver updates policy. Intune and WUfB-DS sort
updates by categories that help you easily identify the recommended driver updates for
all devices, or updates that might be considered optional for more limited use.

Using Windows driver update policies, you remain in control of which driver updates can
install on your devices. You can:

Enable automatic approvals of recommended driver updates. Policies set for
automatic approval automatically approve and deploy each new driver update
version that is considered a recommended driver for the devices assigned to the
policy. Recommended drivers are typically the latest driver update published by
the driver publisher that the publisher has marked as required. Drivers that aren't
identified as the current recommended driver are also available as other drivers,
which can be considered to be optional driver updates.

Later, when a newer driver update from the OEM is released and identified as the
current recommended driver update, Intune automatically adds it to the policy and
moves the previously recommended driver to the list of other drivers.

Tip

An approved recommended driver update that is moved to the other drivers
list due to a newer recommended driver update becoming available remains
approved. When a newer recommended and approved driver update is
available, WUfB-DS will install only that latest approved version. If the latest
approved update version is paused, the deployment service will automatically
offer the next most recent and approved update version, which is now on the
other drivers list. This behavior ensures that the last known-good driver
update version that was approved can continue to install on devices, while the
more recent recommended version remains paused.

With this policy configuration, you can also choose to review the available updates
to selectively approve, pause, or decline any update that remains available for
devices with the policy.

Configure policy to require manual approval of all updates. This policy ensures
that administrators must approve a driver update before it can be deployed.
Newer versions of driver updates for devices with this policy are automatically
added to the policy but remain inactive until approved.

Later, when a newer driver update from the OEM is recommended for a device in the
policy, the policy status updates to indicate there are drivers pending your review. This
status becomes a call to action to review the policy and decide if you want to approve
deployment of the newest drivers to devices.

Manage which drivers are approved for deployment. You can edit any driver
update policy to modify which drivers are approved for deployment. You can
pause the deployment of any individual driver update to stop its deployment to
new devices, and then later reapprove the paused update to enable Windows
Update to resume installing it on applicable devices.

Regardless of the policy configuration and the drivers included, only approved drivers
can install on devices. Additionally, Windows Update only installs the latest available and
approved update when the version is more recent than the one currently installed on
the device.

Windows driver update management applies to:

Windows 10
Windows 11

Prerequisites
To use Windows Driver Update management, your organization must have the following
licenses, subscriptions, and network configurations:

Subscriptions
Intune: Your tenant requires the Microsoft Intune Plan 1 subscription.

Azure Active Directory (Azure AD): Azure AD Free (or greater) subscription.

Device & Edition requirements
Windows subscriptions and licenses:

Your organization must have one of the following subscriptions that include a license for
Windows Update for Business deployment service:

Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
Windows Virtual Desktop Access E3 or E5
Microsoft 365 Business Premium

Review your subscription details for applicability to Windows 11.

If you’re blocked when creating new policies for capabilities that require WUfB-DS and
you get your licenses to use WUfB through an Enterprise Agreement (EA), contact the
source of your licenses such as your Microsoft account team or the partner who sold
you the licenses. The account team or partner can confirm that your tenants’ licenses
meet the WUfB-DS license requirements. See Enable subscription activation with an
existing EA.

Windows editions:

Driver updates are supported for the following Windows 10/11 editions:

Pro
Enterprise
Education
Pro for Workstations

Note

Unsupported versions and editions:

Windows 10/11 Enterprise LTSC: Windows Update for Business (WUfB) does not
support the Long Term Service Channel release. Plan to use alternative patching
methods, like WSUS or Configuration Manager.

Devices must:

Run a version of Windows 10/11 that remains in support.

Be enrolled in Intune MDM and be Hybrid AD joined or Azure AD joined.

Have Telemetry turned on and configured to report a minimum data level of Basic
as defined in Changes to Windows diagnostic data collection in the Windows
documentation.
You can use one of the following Intune device configuration profile paths to
configure Telemetry for Windows 10 or Windows 11 devices:
Device restriction template: With this profile, set Share usage data to Required.
Optional is also supported.
Settings catalog: From the Settings catalog, add Allow Telemetry from the
System category, and set it to Basic. Full is also supported.

For more information about Windows Telemetry settings, including both current
and past setting options from Windows, see Changes to Windows diagnostic data
collection in the Windows documentation.

The Microsoft Account Sign-In Assistant (wlidsvc) must be able to run. If the service
is blocked or set to Disabled, it fails to receive the update. For more information,
see Feature updates aren't being offered while other updates are. By default, the
service is set to Manual (Trigger Start), which allows it to run when needed.

Have access to the network endpoints required by Intune managed devices. See
Network endpoints.
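The following read-only script, added here as an example and not part of the Intune documentation, checks two of the device-side prerequisites just listed: that the Microsoft Account Sign-In Assistant (wlidsvc) is not Disabled, and that the configured diagnostic data level is at least Basic. The AllowTelemetry registry locations are assumed from Policy CSP – System and the Settings app; the script reports the configured value only and does not change anything.

```powershell
# Added example (not from the Intune docs): check wlidsvc start type and the configured
# AllowTelemetry level on a device targeted by a driver update policy. Read-only.
# Registry paths for AllowTelemetry are assumed (policy key first, then the local value).

function Test-DriverUpdatePrerequisites {
    $results = @()

    # 1. wlidsvc must be able to run. Default is Manual (Trigger Start); Disabled blocks updates.
    $svc = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $results += [pscustomobject]@{ Check = 'wlidsvc present'; Pass = $false; Detail = 'Service not found' }
    } else {
        $results += [pscustomobject]@{
            Check  = 'wlidsvc not Disabled'
            Pass   = ($svc.StartType -ne 'Disabled')
            Detail = "StartType = $($svc.StartType)"
        }
    }

    # 2. Diagnostic data level. AllowTelemetry: 0 = Security (too low), 1 = Basic/Required,
    #    2 = Enhanced, 3 = Full/Optional. A policy-delivered value takes precedence.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $localPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
    $level = $null
    foreach ($path in $policyPath, $localPath) {
        $v = Get-ItemProperty -Path $path -Name AllowTelemetry -ErrorAction SilentlyContinue
        if ($null -ne $v) { $level = [int]$v.AllowTelemetry; break }
    }
    if ($null -eq $level) {
        $detail = 'AllowTelemetry not set; effective level depends on the edition and OOBE choice'
    } else {
        $detail = "AllowTelemetry = $level"
    }
    $results += [pscustomobject]@{
        Check  = 'Diagnostic data at least Basic (1)'
        Pass   = ($null -ne $level -and $level -ge 1)
        Detail = $detail
    }

    return $results
}

Test-DriverUpdatePrerequisites | Format-Table -AutoSize
```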

Enable data collection for reports

To support reports for Windows Driver updates, you must enable the use of Windows
diagnostic data in Intune. It's possible that diagnostic data is already enabled for other
reports, like Windows Feature updates and Expedited Quality update reports. To enable
the use of Windows diagnostic data:

1. Sign in to the Microsoft Intune admin center and go to Tenant administration >
Connectors and tokens > Windows data.

2. Expand Windows data and ensure the setting Enable features that require
Windows diagnostic data in processor configuration is toggled to On.

For more information, see Enable use of Windows diagnostic data by Intune.

GCC High support

Intune policy for Driver Updates isn't currently supported with GCC High environments.

RBAC requirements
To manage Windows Driver updates, your account must be assigned an Intune role-
based access control (RBAC) role that includes the following permissions:
Device configurations:
Assign
Create
Delete
View Reports
Update
Read

You can add the Device configurations permission with one or more rights to your own
custom RBAC roles, or use the built-in Policy and Profile manager role, which
includes these rights.

For more information, see Role-based access control for Microsoft Intune.

Architecture

Windows Driver Update Management architecture:

1. Microsoft Intune provides the Azure Active Directory IDs and Intune policy settings
for devices to WUfB-DS. Intune also provides the list of driver approvals and pause
commands to WUfB-DS.
2. WUfB-DS configures Windows Update based on the information provided by
Intune. Windows Update provides the applicable driver update inventory per
device ID.
3. Devices send data to Microsoft so that Windows Update can identify the
applicable driver updates for a device during its regular Windows Update scans for
updates. Any approved updates install on the device.
4. WUfB-DS reports Windows diagnostic data back to Intune for reports.

Plan for driver updates
Before you create policies and manage the approval of drivers in your policies, we
recommend constructing a driver update deployment plan that includes team members
who can approve driver and firmware updates. Subjects to consider include:

When to use automatic driver approvals vs using manual driver approvals.

Use of deployment rings for driver update policies to limit installation of new
driver updates to test groups of devices before broadly installing those updates on
all devices. With this approach, your team can identify potential issues in an early
ring before deploying updates broadly. Use of rings can provide you with time to
pause a troublesome update in subsequent rings to delay or prevent its
deployment. Examples of organizational approaches for rings include:

Structuring driver update policies for different device and hardware models,
aligned with your organizational units, or a combination of both.

Using policy deferral periods for automatic updates and the make available date
for manually approved updates, to align to your update rings for quality and
feature updates schedules.

You might also set the update availability for manually approved updates to match
common update cycles like Microsoft’s Patch Tuesday release. Alignment of
schedules can help reduce extra system restarts that some driver updates require.

Assign devices to only one driver update policy to help prevent a device from
having its drivers managed through more than one policy. This can help avoid
having a driver installed by one policy when you previously declined or paused
that same update in a separate policy. For more information about planning
deployments, see Create a deployment plan in the Windows deployment
documentation.

Frequently Asked Questions

Do policies for driver updates support Assignment Filters?

No. Driver Updates aren't currently supported with Assignment Filters.

Can I apply driver updates policy during Autopilot?


No. Driver Updates aren't supported during Autopilot at this time.

Can I use policy to roll back a driver update?


No. WUfB doesn't currently support Driver rollback. While rollback could be
scripted, there are too many potential variables to provide a useful sample script
for doing so. If you must remove a driver, consider manual methods like
PowerShell.

To help avoid issues that require rolling back a driver from large numbers of devices, use
deployment rings to limit driver installation to small initial groups of devices. This
approach allows time to evaluate the success or compatibility of a driver before broadly
deploying it across your organization.

For policies with manual approvals, you must review and manually approve each
driver before it can deploy to devices. While more work than policies with
automatic approvals, manual approval can help avoid issues with automatically
approved drivers.
If you use policies with automatic approval, plan to monitor the policy for early
signs of problems. If a driver update problem is identified in an early deployment
ring, you can then pause that same update in your other policies.

Can I manage a device through multiple driver update policies?

While the use of multiple policies per device is supported, we don’t recommend
doing so. Instead, we recommend adding devices to a single policy to avoid
confusion about whether a driver for a device is or isn’t approved.

Consider a device that receives driver updates from two policies. In one policy, a
specific update is approved and in the other policy, that update is paused. Because
the status of approved always wins, the driver installs on the device despite any
other status for that update that is set in any other policy.

How can I reduce reboots on devices that receive driver updates?

Because it’s not always clear in advance when an OEM releases a new update, or if
that update requires a reboot, consider a regular pattern of update reviews.
For policies with manual approval, when you approve drivers and set an
approval available date, you can set that date to an event like the monthly Patch
Tuesday, or any other time of your choosing.
For policies with automatic approval, you could pause a newly added update and
then return to approve it. When you reapprove any paused update, you can set an
approval available date.

To help mitigate this type of recurring challenge, we're evaluating changes that can
reduce the need to manually coordinate driver updates with Patch Tuesday
updates.

Why has a driver disappeared from the list of available drivers in my policy?

When an OEM replaces a driver with a new recommended driver, the older driver
can be moved to the Other drivers category. However, if that older driver is the
same version or older than the drivers in use by all devices, that driver is entirely
removed from the policy as there are no devices that can install it through Driver
updates policies.

How do I remove older drivers from the driver list of my policies?

To ensure that the list of available drivers is up-to-date, drivers with older versions
than those already installed across all devices targeted by a policy are no longer
applicable. These older drivers are removed from the driver list of previously
deployed and active policies. Only drivers that can update the driver version
currently installed on a device targeted by a policy remain available in the policy.

Installing drivers with older versions than those already present on a device isn't
possible through driver update management.

What is the WUfB-DS synchronization frequency?


Intune to WUfB-DS syncs run each day, and you can use the Sync option to run a
synchronization on demand. The time to complete a synchronization depends on
the device information involved but should usually take only a few minutes to
complete.
Devices sync with the WUfB-DS service each day when the device runs a Windows
Update scan.

What drivers are available to be managed?


Any driver updates that are currently published to Windows Update and applicable
to one or more devices in the policy are available through driver updates policies.

What about drivers that update a BIOS that is password locked? How does this work?

Updates that are published to Windows Update have a requirement to use a
Windows mechanism that enables securely updating the firmware or driver without
requiring the BIOS/UEFI to be unlocked.

If a vendor has their own app for scanning and installing driver and firmware
updates, is there a delay in update availability between their app and WUfB-DS?

The possibility of a delay depends on the vendor or OEM who determines the
availability of their updates. Because driver updates are digitally signed by the
same portal before they're published to Windows Update, driver updates might
become available through Windows Update before they become available via the
vendor's tools.

Why do my devices have driver updates installed that didn't pass through an
updates policy?

These are likely extension drivers, which are “sub drivers” that a main driver can
reference to be installed when the main driver is installed or updated. Extension
drivers show up in the installed drivers or update history on the device, but aren't
directly manageable. Because extension drivers don't function without base drivers,
it is safe to allow them to install.

How quickly are paused updates actually paused?


Pause is a best effort, and when an update is paused, WUfB-DS removes the
approval. However, devices won’t know that an update is paused until their next
scan for updates.
If a device hasn't yet scanned for the update, then the paused update isn’t
offered, and Pause works as expected.
If a device scans for updates and discovers an update is paused and that the
device is in the process of downloading, installing, or waiting to restart, then
Windows Update on the device attempts a “best effort” to remove that driver
update from being installed. If it can't halt the installation, the update completes
its installation.
If an update completes its installation before the next scan for updates, nothing
happens, and the update remains installed.

Where can I learn more about the available drivers?


You can get more information about drivers by copying the name and searching
the catalog.update.microsoft.com website.

Do driver updates policies update drivers for plug-in devices?

Yes, if the driver updates are published to Windows Update by the OEM vendor.

Which driver updates can my device users see?


After a device is assigned to a driver update policy, optional drivers aren't shown
to the end user. When the admin approves a driver update, it effectively becomes
“required” and installs the next time the device scans for updates.

How do I use driver management if I’m currently using Configuration Manager for
updates?

You can continue to use Configuration Manager for updates other than Drivers, or
to start to move other update types to cloud management in Intune one at a time.
First, ensure you're using cloud attach or co-management, so that your devices are
enrolled in Intune. Then, configure your driver policies in Intune to enroll devices
and get them ready for management. After approximately one day, set the policy
SetPolicyDrivenUpdateSourceForDriverUpdates to a value of 0, to scan for driver
updates from Windows Update.

Note

You can move Feature update management to the cloud in Intune by using
other similar policies. If using Update Ring policies in Intune, such as for
Quality Updates, you also need to enable co-management and assign the
Windows Updates workload to Intune, or a pilot collection.

Is there a way to set a deadline for drivers?


The Quality Update deadline and grace period settings apply to drivers. The
deadline starts from the time the driver is first offered to the device, but is not a
deferral period. The deferral period delays when updates are first offered to a
device.

Why does it take up to 24 hours for the driver update inventory to be returned?

To make driver inventory available, there are several steps that must be completed.
The most important is that after the policy is submitted and devices are enrolled
for management, Windows Updates must wait for each device to do its daily scan
for updates. This process occurs daily, so it can take up to 24 hours for all healthy
devices to check in. After this, Intune needs to process the results of the scan to
provide the inventory of available driver updates.

Next steps
Create a Windows driver update policy
Use Windows driver update reports
Manage policy for Windows Driver updates with Microsoft Intune
Article • 06/26/2023

This article can help you use Microsoft Intune to create and manage Windows Driver
updates policies for your Windows 10 and Windows 11 devices. These policies allow you
to view the list of available driver updates that are applicable to the devices targeted by
the policy, approve updates for deployment, or pause the deployment of individual
updates. When driver updates are approved, Intune sends the assignments to Windows
Update, which manages the update installation on devices based on the policy
configuration.

Before you create and deploy driver update policies, take time to plan how you might
deploy and manage Windows driver updates in your organization. Also review the
prerequisites for using Windows driver updates to ensure your tenant is configured to
support them.

After you create driver update policies, plan to review them regularly for newly added
driver updates. Recommended driver updates that are added to policies that support
automatic approvals start to deploy without any intervention. However, any other new
updates added to your policies won't install until an admin manually approves them.

Applies to:

Windows 10
Windows 11

Create Windows driver update policies


Use the following procedure as a guide to create policies to manage driver updates for
groups of devices.

Important

Policies for Windows update rings, and policies that use the settings catalog, can
include configurations that can block the installation of Windows driver updates. To
ensure driver updates are not blocked, review your policies for the following
configurations:

Windows update ring policy: Ensure the Windows driver setting is set to Allow.
Settings catalog policy: In the Windows Update for Business category, ensure
that Exclude WU Drivers in Quality Update is set to Allow Windows Update
drivers.

By default, both settings use a configuration that will allow Windows driver
updates.

1. Sign in to the Microsoft Intune admin center and go to Devices > Windows >
Driver updates for Windows 10 and later (preview), and select Create profile.

2. On the Basics page, enter the following properties:

Name: Enter a descriptive name for the profile. Name profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional but
recommended.

3. On Settings, configure the approval method for device updates in this policy.
Select one of the following options for Approval method:

Manually approve and deploy driver updates - With this option, each new
driver update that is added to the policy has its status set to Needs review. An
admin must edit the policy to change the status of each individual update to
Approved before that update can deploy to applicable devices.

When you manually approve an update, you can specify a date on which it
becomes available for Windows Update to install on applicable devices. This
date is distinct from the deferral period that is required for automatically
approved updates in policies that use automatic approvals.
Automatically approve all recommended driver updates – With this option,
all new recommended driver updates that are added to the policy are added
with a status of Approved and begin to install on applicable devices without
having to be reviewed or approved by an admin.

Use an automatic approval policy when you want to ensure the drivers on
your devices remain current with an OEM's latest recommended update.

All other updates that aren’t a recommended driver update are added to the
policy's Other drivers list with a status of Needs review. Like updates added to a
policy that uses manual approval, before Windows Update can install them, an
admin must explicitly assign these updates a status of Approved and can set a
start date.

When you set a policy for automatic approvals, you must configure the
following setting that creates a deferral period for the automatically
approved updates:
Make updates available after (days) – This setting is a deferral period that
delays when Windows Update begins to deploy and install the new
recommended update that was automatically added to the policy with a
status of Approved. The delay supports from zero to 30 days and starts
from the day the update is added to the policy, not from the date the
update was made available or published by the OEM. The deferral is
intended to provide you with time to identify and if necessary, pause
deployment of the new recommended update.

For example, consider a driver update policy that uses automatic approvals and
has a deferral of three days. On June 1, WUfB-DS identifies a new recommended
driver update that applies to devices with this policy and adds the update to the
policy as approved. Due to the deferral period of three days, Windows Update
waits to offer this update to any device until June 4, three days after it was added
to the policy. If the deferral was set to zero days, Windows Update would begin
installing the update on devices immediately.

Tip

After a policy is created, you won’t be able to edit the policy to change the
approval type. If the approval type is automatic, you can edit the value for
Make updates available after (days).

4. For Scope tags, select any desired scope tags to apply.


5. For Assignments, select the groups that receive the policy. For more information
on assigning profiles, see Assign user and device profiles. Devices must be
assigned to this policy and the policy saved before WUfB-DS can identify the
applicable driver updates to add to this policy's driver list.

Tip

We recommend that a device be assigned to only one driver update policy.
Assignment of a device to only one policy helps to prevent the installation of a
driver update that is declined in one policy but approved in a second policy. Keep
in mind that policies for Windows driver updates don’t support options to remove
or roll back driver updates.

6. For Review + create, review the policy configuration, and then select Create. When
you select Create, your changes are saved, and the profile is assigned. The profile is
also shown in the policy list.

Manage and maintain driver update policies


Over time, the list of driver updates available in a Windows driver update policy can
change. The following events can introduce changes to the available driver updates:

Device assignments: If the device assignment for a policy changes, the driver
updates that are available through the policy can change to reflect the devices
now assigned to the policy. Changing device assignments can add driver updates
or new versions of updates to the policy and remove updates from the policy when
they no longer apply to any device assigned to that policy.

Driver updates age out: Once all applicable devices have installed a driver update
version, that version is no longer applicable to install on a device with that policy,
and the update is removed from the policy's driver lists.

New driver update versions are available: When an OEM releases a driver update
version that supersedes a driver update found in a policy, the new update is added
to that policy.

For policies with automatic approval:


All new recommended driver updates are automatically approved but don't
deploy until the policy's deferral period for new updates is reached. The
previously recommended update, which is now an older version, moves to
the Other drivers list and remains approved.
New updates that aren't a recommended driver update are added to the
Other drivers list of the policy and have their status set to Needs review. These
updates must be manually approved before they can be deployed to a
device.

For policies with manual approvals, all new driver updates are added to the
policy with a status of Needs review. This status applies to updates added to
both the recommended drivers and other drivers lists. An admin must approve all
updates in a manual approval policy before they can deploy to devices.

When you're viewing the list of Windows driver update policies, any policies that
have new driver updates that require manual approval display a yellow warning
icon and a count of driver updates ‘to review’. This warning appears in the Drivers
to review column of the policy list. To learn more about managing driver updates,
see Identify policies with newly added driver updates in this article.

Plan to periodically review your device driver update policies to identify policies that
have had new drivers added.

For more information on manually approving updates, see Manage the status of driver
updates later in this article.

Identify policies with newly added driver updates


When you review the list of driver update policies in the admin center, you can identify
policies that have had new drivers added to them by reviewing the Drivers to review
column for indications of new updates that need review.

Note

An exception to this is new recommended driver updates that are added to a policy
set for automatic approval. Recommended driver updates that are the newest or
latest recommended driver update are added to the policy and approved
automatically, and never have their status set to Needs review.

To look for policies that have new driver updates pending a review, in the admin center
go to Devices > Windows 10 and later updates > Driver Updates tab.

In the list of Windows driver update policies, review the Drivers to review column for
entries that indicate there are new updates that have been added to the policy that you
might want to review and approve for deployment. In the following screen capture of
the Driver updates page, two policies have new driver updates. One displays 1 to review
while another displays that it has 3 to review:

The two policies that have new driver updates won't deploy those new updates until an
admin explicitly approves them. You can also review the other policies that haven’t
received new updates should you seek to modify the approved updates for those
policies.

Policies continue to display a count of new updates until each update has been
approved or declined. After all the current updates are managed, the count drops to zero
(0) until new updates are identified and added to the policy.

Policy properties and the driver list


While viewing the Windows driver update policy list, you can view details about a policy
by selecting the policy name or any of its values. Policy details are available through
three tabs.

The first tab displays the policy's Properties, where you can review and edit the
policy configuration.
The other two tabs comprise the policy's driver list.

You can use the driver list to review the driver updates that WUfB-DS identifies as
applicable for one or more devices that receive that policy. From the list, you can view
and manage the approval status of each update.

Tip

The driver list is not a record of the driver versions currently installed on devices
assigned to the policy. Instead, it is a list of driver updates identified by and
collected by WUfB-DS, which can be installed on devices to upgrade their existing
drivers to a newer version. Intune does not collect an inventory of installed drivers.

The driver list is divided into two tabs:

Recommended drivers – Recommended drivers are the best match for the
'required' driver updates that Windows Update can identify for a device. To be a
recommended update, the OEM or driver publisher must mark the update as
required and the update must be the most recent update version marked as
required. These updates are the same ones available through Windows Update
and are almost always the most current update version for a driver.

When an OEM releases a newer update version that qualifies to be the new
recommended driver, it replaces the previous update as the recommended driver
update. If the older update version is still applicable to a device in the policy, it's
moved to the Other drivers tab. If the older version was previously approved, it
remains approved.

Other drivers – Other driver updates are updates that are available from the
original equipment manufacturer (OEM) aside from the current recommended
driver update. These updates remain in a policy as long as they're newer than the
driver version that's installed on at least one device with the policy.

These updates can include:


A previously recommended update that was superseded by a newer update version
Firmware updates
Optional driver updates, or updates that the OEM doesn't intend to be installed
on all devices by default

These updates can be managed and deployed through policies for Windows driver
updates, but not through classic client Windows Update for Business (WUfB)
policies.

Tip

When a driver update is no longer needed by any device in the policy, that update
version is removed from the driver list, and the policy. Policies retain only the driver
update versions that can be used to update a driver on a device with that policy.

In the following screen capture, we’ve opened the policy named Test Manual and
selected the Recommended drivers tab:

This policy requires manual approval, and currently has three driver updates that are
pending review.

For comparison, the following screen capture shows the contents of the Other drivers
tab for this same policy.

Each driver list displays the following details for updates in the policy. Most of the
following details are based on information obtained from the driver update from the
OEM or driver manufacturer:

Driver name – The driver update name. It's not uncommon for subsequent
versions of an update from an OEM or manufacturer to have identical names. Use
the update Version and Release date to differentiate between update instances.

Version - The update version as provided by the OEM or manufacturer.


Manufacturer – The manufacturer of the driver update.

Driver class - The driver class is determined from the details authored by the driver
publisher, and usually represents the driver's hardware class. This information isn't
always easily determined or consistent across updates from different OEM sources
or manufacturers. When a driver's class can't be identified, it's assigned to the
Other hardware class.

Release date – The date the OEM made this driver update available.

Status – The current status of the driver update in this policy. You can modify the
status for individual updates by selecting the name of the driver update from the
list. There are four status options available for updates:
Needs review
Approved
Declined
Paused

For more information about these four status types and how to manage them in a
policy, see Manage the status of updates in this article.

Applicable devices – This number indicates how many devices can install a certain
version of an update. The same device can be reported for multiple versions of a
driver update from both the Recommended drivers and Other drivers tabs. Devices
report multiple times when there's more than one newer version available for a
driver that is still being used by the device.

Manage the status of driver updates


While viewing a policy driver list, you can select individual updates to review and modify
their status.

Manage the status of a driver update:

Select the update from the driver list to open its Manage driver pane. In the following
screen capture, we’ve selected the first driver update. That driver’s Manage driver pane is
open on the right side.

On the Manage driver pane, you can:

1. Confirm the name of the driver update.


2. View the update’s status. The update in the screen capture has a status of Needs
review.
3. View a count of devices that have installed this update version. Because this driver
update version isn't yet approved and hasn't been installed on devices, this count
displays N/A for Not applicable.
4. Select the dropdown box for Actions where you can choose an action to change
the update’s status. The options for a new driver update include Declined and
Approve.

The following are rules for managing the status of a driver update:

Only new driver updates can be assigned the status Needs review. However, a new
recommended update that is added to a policy set for Automatic approval is added
as Approved.
A driver update that Needs review can be Approved or Declined.
An Approved update can be Paused.
A Paused update can be Approved.
After an update is Approved, it can never be Declined, but you can Pause it
indefinitely.

The following are details about each status:

Needs review – This status is used to identify new drivers that have been added to
a policy.

For policies that use manual approval, Needs review applies to both new
recommended drivers and new other drivers. Unless an admin explicitly approves
the new updates, they won't deploy to devices.

For policies that use automatic approval:


A new recommended driver is automatically approved and doesn’t trigger the
display of Needs review.
A new update that isn't the recommended driver update is added to the Other
drivers list and flagged with Needs review. The update remains as Needs review
until an admin manually approves it.

Approved – This status identifies an update that is approved for installation on
applicable devices.

Tip

Windows Update will only install a driver update on a device if the update's
version is newer than the version of the driver that’s currently on the device.
Consequently, there is no risk of a policy installing an older version of a driver
and downgrading a device’s driver version.

The following rules apply to the setting of Approved for an update:

Policies with automatic approval: All new Recommended driver updates are
automatically configured as Approved and replace any existing Recommended
driver updates for the same driver. After being automatically approved, the
update is subject to the deferral period of the policy before it can be installed
on a device.

When a new recommended update replaces an older recommended driver
update, the older driver update is moved to the other drivers list but remains
approved. This change of driver list location is important to remember as
Windows Update only deploys the latest approved version of any driver update
in a policy. However, if the latest approved version is paused, then Windows
Update deploys the next most recent version of the driver update that remains
approved and applicable to a device.

Policies with manual approval: For policies that require manual approval, you
must edit the policy and manage new updates to configure them as Approved.
Once set to Approved, you can configure a setting called Make available in
Windows Update. Here, you must specify a date that indicates when the update
is available for installation on applicable devices. If you leave this field blank, the
update is approved for installation on devices immediately.

Important

Any time a driver update’s status is manually changed to Approved, the
availability of that update (which is when Windows Update will begin to
deploy it to devices) is defined by the date you assign for Make available in
Windows Update.

This behavior applies when manually setting an update as Approved in policies
with manual approval, and in policies with automatic approval. In policies with
automatic approval, this includes the manual approval of an update on the
Other drivers list, or when reapproving a recommended update that was
paused.

Paused – When an update is set to Paused, it's put on hold and isn't deployed to
any more devices through this policy until its status is manually changed back to
Approved. Pausing an update doesn't roll back a completed installation of the
update but can stop an active install of an update that is currently underway.

When you pause the most recent version of an approved update, Windows Update
no longer makes that update available to devices the next time they scan for
updates. However, if the policy has an earlier update version for the same driver
that remains approved, Windows Update begins to install that older version on
applicable devices.

Consider the following scenario: You have a policy with automatic approvals, for
which the recommended update for the device’s printer is version 3. This driver
update is successful on all devices where it has been installed and has been
available for longer than the policy's new driver deferral period.

Before all devices install the version 3 update, a newer version of the update is
released, which is version 4. The new driver update version 4 is a recommended
driver, which is automatically approved in the policy.

When version 4 becomes the new recommended driver, the version 3 update is
moved to the Other drivers list but remains approved. Because version 4 is the
newest version, this policy will deploy version 4 to devices, and begins to do so
when the policy's deferral period for new drivers ends. Until that deferral period
is reached to allow deployment of version 4, the previous update version that
remains approved continues to deploy to devices.

Later, you choose to pause the version 4 update. Windows Update stops
deploying version 4 immediately and starts to deploy version 3 to devices that
don't yet have the driver update version 3 or a later version. This deployment
happens because version 3 remains approved and is now the latest approved
version of the print driver in the policy. Deployment of version 3 doesn't need
to wait for a deferral period to end as it was previously approved for longer
than the policy's current deferral configuration.

Declined – You can configure a driver update to be declined, which removes it
from appearing as a new driver that needs review.

Setting an update to declined doesn’t remove it from the policy, and you can
change it back to Approved if you would like the update to deploy to applicable
devices.
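The status transition rules and the offer-selection behaviour described above (which version Windows Update offers, the automatic-approval deferral, the fallback to the next approved version when the newest is paused, and Approved winning across policies), pulled together as an added Python model. This is an illustration written for this page, not Intune or WUfB-DS code; the class and function names, the Contoso driver name and the dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

NEEDS_REVIEW, APPROVED, DECLINED, PAUSED = "Needs review", "Approved", "Declined", "Paused"

# Manual status changes the article allows; anything else is rejected.
ALLOWED_TRANSITIONS = {
    NEEDS_REVIEW: {APPROVED, DECLINED},
    APPROVED: {PAUSED},      # an Approved update can never be Declined
    PAUSED: {APPROVED},
    DECLINED: {APPROVED},
}

def transition_allowed(current: str, new: str) -> bool:
    return new in ALLOWED_TRANSITIONS.get(current, set())

@dataclass
class DriverUpdate:
    name: str                    # versions of one driver share the name
    version: int
    recommended: bool            # True = Recommended drivers tab, else Other drivers
    status: str = NEEDS_REVIEW
    available_on: Optional[date] = None   # None = available immediately

@dataclass
class DriverPolicy:
    automatic: bool              # automatic approval of recommended drivers
    deferral_days: int = 0       # "Make updates available after (days)", automatic only
    updates: List[DriverUpdate] = field(default_factory=list)

    def add_update(self, upd: DriverUpdate, added_on: date) -> None:
        """WUfB-DS adds a newly applicable update to the policy."""
        if upd.recommended:
            # A newer recommended version supersedes the old one, which moves to
            # the Other drivers list but keeps the status it already had.
            for existing in self.updates:
                if existing.name == upd.name:
                    existing.recommended = False
        if self.automatic and upd.recommended:
            upd.status = APPROVED
            # Deferral counts from the day the update enters the policy.
            upd.available_on = added_on + timedelta(days=self.deferral_days)
        else:
            upd.status = NEEDS_REVIEW
        self.updates.append(upd)

    def set_status(self, upd: DriverUpdate, new_status: str,
                   available_on: Optional[date] = None) -> None:
        """Admin changes a status; approval takes an optional make-available date."""
        if not transition_allowed(upd.status, new_status):
            raise ValueError(f"{upd.status!r} -> {new_status!r} is not allowed")
        upd.status = new_status
        if new_status == APPROVED:
            upd.available_on = available_on   # None = available immediately

    def offered_version(self, name: str, installed: int, today: date) -> Optional[int]:
        """Newest approved, already available version of `name` newer than `installed`.
        A paused newest version drops out (next approved one is offered); no downgrades."""
        eligible = [
            u.version for u in self.updates
            if u.name == name and u.status == APPROVED and u.version > installed
            and (u.available_on is None or u.available_on <= today)
        ]
        return max(eligible, default=None)

def offered_across_policies(policies: List[DriverPolicy], name: str,
                            installed: int, today: date) -> Optional[int]:
    """Device in several policies: Approved in any policy wins over Paused or
    Declined elsewhere, so the highest offer among the policies installs."""
    offers = [p.offered_version(name, installed, today) for p in policies]
    return max((v for v in offers if v is not None), default=None)

def printer_scenario() -> dict:
    """The article's version 3 / version 4 print driver scenario; dates and the
    driver name are constructed."""
    name = "Contoso Print Driver"
    policy = DriverPolicy(automatic=True, deferral_days=3)
    v3 = DriverUpdate(name, 3, recommended=True)
    policy.add_update(v3, added_on=date(2023, 5, 1))   # deferral long expired
    v4 = DriverUpdate(name, 4, recommended=True)
    policy.add_update(v4, added_on=date(2023, 6, 1))   # offered from June 4
    result = {
        "v3_on_other_list_still_approved": not v3.recommended and v3.status == APPROVED,
        "v4_available_on": v4.available_on.isoformat(),
        "offer_during_deferral": policy.offered_version(name, 2, date(2023, 6, 2)),
        "offer_after_deferral": policy.offered_version(name, 2, date(2023, 6, 5)),
    }
    policy.set_status(v4, PAUSED)                    # admin pauses version 4
    result["offer_after_pause"] = policy.offered_version(name, 2, date(2023, 6, 5))
    result["no_downgrade"] = policy.offered_version(name, 4, date(2023, 6, 5))
    # Same device also in a manual policy where an admin approved version 4.
    other = DriverPolicy(automatic=False)
    v4_other = DriverUpdate(name, 4, recommended=True)
    other.add_update(v4_other, added_on=date(2023, 6, 1))   # Needs review
    other.set_status(v4_other, APPROVED)                    # no date = now
    result["approved_wins_across_policies"] = offered_across_policies(
        [policy, other], name, 2, date(2023, 6, 5))
    return result
```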

Next steps
Use Windows driver update overview
Use Windows driver update reports
Rollout options for Windows Updates in Microsoft Intune
Article • 02/22/2023

Use rollout options in Microsoft Intune policies for Feature updates for Windows 10 and
later. With rollout options, you configure schedule options for Windows Update that
result in the gradual rollout of updates to devices that receive your policies.

Tip

The default behavior for Windows Update is to make an update available to an
assigned device right away. This doesn’t mean the update will install right away.
Instead, when an update is made available, the device becomes eligible to install it.
Before a device can install an available update, the device must connect to
Windows Update and scan for updates. When the need for an update is confirmed
and the device is eligible, the Windows Update service then offers the update to
that device. After a device completes the update, it is then dependent on user
behavior and other settings like Deadline.

You configure rollout options when creating a Feature updates policy by selecting one of
the following options:

Make update available as soon as possible - With this option, there's no delay in
making the update available to devices. This selection is the default behavior for
Windows Update.

Make update available on a specific date - With this option you can select a day
on which the update in the policy will become available to install. Windows Update
won’t make the update available to devices with this configuration until that day is
reached.

Make update available gradually - This process helps distribute the availability of
the update across a range of time that you configure, with Windows Update
making an update available to different subsets of the devices targeted by the
policy, at different times. This option can reduce the effect to your network when
compared to offering the update to all devices at the same time. The following
section explains how to use this option in more detail.

Make updates available gradually

With the option Make update available gradually, you can direct Windows Update to
extend an update offer to different subsets of the devices that are targeted by the
policy, at different times. We’ll refer to those subsets as offer groups. This behavior
distributes the availability of the update across the time you’ve configured and can
reduce the effect to your network as compared to offering the update to all devices at
the same time.

To configure this option, you set the following values. Windows Update uses these
values to determine how many offer groups to use based on the number of devices that
are targeted by the policy, when to offer the update to the first group, and how long to
wait until the update is made available to the next offer group:

First group availability – Configure the first day that Windows Update will offer the
update to devices that receive this policy.

This date must be at least two days in the future from when you configure this
policy. The delay enables Windows Update time to identify the devices that are
targeted by the policy, how many offer groups to use, and to assign devices to
those offer groups. If you select a date that isn’t at least two days in the future,
Intune prompts you to reenter the date and displays the first valid date you can
use.

Final group availability – Configure the last day that Windows Update makes the
update available to what will be the final offer group. The last offer group includes
all remaining devices that haven’t already received the offer. Depending on the
number of days between groups, the last offer might not occur on the last day of
the schedule. Devices that are assigned this policy after the final group availability
date will receive the offer immediately.

Days between groups – Windows Update uses this value to determine how many
offer groups to use when making the update available to devices.

For example, you set the first group availability to January 1 and the final group
availability to January 10, and then set three days between groups. As a result,
Windows Update creates four groups to use for making the update available. Windows
Update then makes the update available to devices in the first group on January 1,
to devices in the next group on January 4, and so on. The update is offered to
devices in the last group on the 10th. In this example, a quarter of the devices that
receive the policy are assigned to each group, and devices can only receive the
update offer after the group they're assigned to becomes eligible.

The following behaviors apply to the management of offer groups:

Windows Update assigns targeted devices to the groups randomly, keeping
groups evenly sized.

If you edit a policy to change the date for the first or final group availability, or
change the number of days between groups for the policy:
Windows Update recalculates the number of groups to use, if necessary.
For devices that haven't been offered the update, Windows Update adjusts
group membership. This adjustment can change when a device is offered the
update.
If the date of the final group availability is changed to be in the past, all
remaining devices are offered the update as soon as possible.
If the date of the first group availability is changed to the future, devices that
were already offered the update retain that offer, and new devices won’t receive
an offer until that new start date.

If the policy assignment changes to add or remove devices from receiving the
policy:
New devices are distributed to the remaining offer groups.
For devices that are no longer targeted by the policy but were offered the
update, Windows Update will attempt to retract the offer. However, the offer
can’t be retracted if the device has started processing that offer.
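To preview how the three values combine into offer groups before you save a policy, here is an added example that is not Intune's or Microsoft's code. It reproduces the article's arithmetic (first and final group availability, days between groups, the two-day minimum, and immediate offers for late-assigned devices); the random, even device split is modelled on the article's description and is an assumption about the service, not its published algorithm.

```python
"""Preview of Intune's 'Make update available gradually' offer-group schedule.

Added example, not Microsoft's or Intune's code. It applies the arithmetic the
article describes so an admin can see how many offer groups a policy produces
and on which day each group becomes eligible. The even random split of devices
follows the article's wording; the service's real assignment is an assumption.
Dates are ISO strings (YYYY-MM-DD) so they compare chronologically as text.
"""
from __future__ import annotations

import random
from datetime import date, timedelta


def offer_dates(first: str, final: str, days_between: int) -> list[str]:
    """Return the day on which each offer group becomes eligible.

    Groups start on `first` and repeat every `days_between` days while the
    date doesn't pass `final`. When the interval doesn't divide the span
    evenly, the last offer lands before `final`, as the article notes.
    """
    start, end = date.fromisoformat(first), date.fromisoformat(final)
    if days_between < 1:
        raise ValueError("days between groups must be at least 1")
    if end < start:
        raise ValueError("final group availability is before the first group")
    dates = []
    current = start
    while current <= end:
        dates.append(current.isoformat())
        current += timedelta(days=days_between)
    return dates


def first_date_is_valid(first: str, today: str) -> bool:
    """Intune rejects a first-group date that isn't at least two days out."""
    return date.fromisoformat(first) >= date.fromisoformat(today) + timedelta(days=2)


def assign_offer_groups(device_ids: list[str], group_count: int,
                        seed: int | None = None) -> dict[str, int]:
    """Randomly assign devices to groups 0..group_count-1 with even sizes.

    A seeded RNG keeps the preview reproducible; the real service's choice of
    which device lands in which group is random and can't be predicted.
    """
    if group_count < 1:
        raise ValueError("need at least one offer group")
    shuffled = list(device_ids)
    random.Random(seed).shuffle(shuffled)
    return {dev: i % group_count for i, dev in enumerate(shuffled)}


def group_sizes(assignment: dict[str, int], group_count: int) -> list[int]:
    """Number of devices in each offer group."""
    sizes = [0] * group_count
    for group in assignment.values():
        sizes[group] += 1
    return sizes


def offer_day_for(group_dates: list[str], group_index: int,
                  assigned_on: str, final: str) -> str:
    """Day a device first receives the offer.

    A device assigned the policy after the final group availability date is
    offered the update immediately instead of waiting for its group.
    """
    if assigned_on > final:
        return assigned_on
    return group_dates[group_index]


if __name__ == "__main__":
    # Constructed sample: the article's January 1 -> January 10, 3 days apart.
    dates = offer_dates("2024-01-01", "2024-01-10", 3)
    devices = [f"device-{n:02d}" for n in range(1, 11)]  # constructed names
    groups = assign_offer_groups(devices, len(dates), seed=7)
    for g, day in enumerate(dates):
        members = sorted(d for d, idx in groups.items() if idx == g)
        print(f"group {g + 1}: offered {day}: {', '.join(members)}")
```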

Intelligent rollouts
To enhance your use of gradual rollouts, you can configure Intelligent rollouts.

With intelligent rollouts, the Windows Update for Business Deployment Service uses
data that it collects from devices to optimize the device members in the offer groups of
your gradual rollout deployments. The first offer group will include the fewest number
of devices that have the largest pool of variations in your environment. You can think of
this as a pilot ring for the deployment.

To enable intelligent rollout, you deploy a settings catalog profile for device
configuration to Allow WUfB Cloud Processing. Then, you assign the profile to the same
groups that you use with your Feature update profiles. You only need to deploy this
profile to a device a single time. The change then applies to all future deployments for
that device.

Likely issue safeguard holds

The Windows Update for Business setting that you enable, Allow WUfB Cloud Processing,
is the same setting that enables the Deployment Service to create a likely issue
safeguard hold for a device. To learn more, see Safeguard holds in the documentation
for Windows Update for Business reports.

As your rollout progresses, the deployment service monitors for unexpected issues. The
service leverages insights from the Windows ecosystem and will create likely issue
safeguard holds and proactively pause deployments to devices that are likely to
encounter an issue. By applying safeguard holds to devices that are likely to have issues
with the update, devices and end users are protected from potential productivity
affecting issues.

To learn more, see Manage safeguards using the Windows Update for Business
deployment service in the Graph API documentation for device updates.

Enable intelligent rollouts

1. Sign in to the Microsoft Intune admin center.

2. Go to Devices > Configuration profiles > Create profile.

3. For Platform, select Windows 10 and later and then for Profile type, select Settings
catalog.

4. On the Configuration settings page, select Add settings, and then on the Settings
picker page, search for Allow WUfB Cloud Processing. You’ll find this setting in the
System category. Select the checkbox for this setting and then close the Settings
picker window.

5. Set Allow WUfB Cloud Processing to Enabled.

6. On the Assignments page, assign the profile to the same groups you use for your
Feature update profiles, and then complete and Create this settings catalog profile,
to deploy it.

After the profile deploys, devices that use gradual rollouts for Feature update profiles
will also have intelligent optimization applied.

Next steps
Configure Feature Updates policy
App and driver compatibility reports for
Windows updates
Article • 02/22/2023

With Intune, you can deploy updates to Windows 10/11 devices by using policies for
Update rings for Windows 10 and later and Feature updates for Windows 10 and later.
To help prepare for update deployments, Intune offers integrated reports to help you
understand compatibility risks that might impact your devices during or after an update:

Windows feature update device readiness report - This report provides per-
device information about compatibility risks that are associated with an upgrade or
update to a chosen version of Windows.

Windows feature update compatibility risks report - This report provides a
summary view of the top compatibility risks across your organization for a chosen
version of Windows. You can use this report to understand which compatibility
risks impact the greatest number of devices in your organization.

To use these reports, you must first ensure that prerequisites are met and that devices
are properly configured for data collection.

Prerequisites

Licensing
The Windows feature update device readiness and Windows feature update
compatibility risks reports require users of enrolled devices to have one of the following
licenses:

Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
Windows 10/11 Virtual Desktop Access (VDA) per user

Before using these reports, you must attest to having the required licenses on the
Windows data page of the Intune admin center.

Devices
To be eligible for the Windows feature update device readiness and Windows feature
update compatibility risks reports, devices must:
Run a supported version of Windows 10 or later with the latest cumulative update
Be Azure AD joined or hybrid Azure AD joined
Be managed by Intune (including co-managed devices) or a supported version of
the Configuration Manager client with tenant attach enabled
Have Windows diagnostic data enabled at the Required level or higher

Additionally, you must set the Enable features that require Windows diagnostic data in
processor configuration setting in Tenant administration > Connectors and tokens >
Windows data to On.

Users
To view these reports, users must be assigned an Intune role with the Managed devices
> View reports permission. This permission is included in the following built-in roles:

Endpoint Security Manager
Read Only Operator
Help Desk Operator

In addition, to use the Windows feature update device readiness report, users must
also have the Roles > Read permission. This permission is included in the following
built-in roles:

Endpoint Security Manager
Read Only Operator
Help Desk Operator
Intune Role Administrator

Use the Windows feature update device readiness report
The Windows feature update device readiness report provides a device-level view of
compatibility risks associated with an upgrade or update to a chosen version of
Windows.

Important

The insights in this report are specific to the target version of Windows you select
when generating the report. To ensure accuracy of insights, confirm that your
selected OS version matches the version of Windows you intend to deploy.

To use this report:

1. Sign in to the Microsoft Intune admin center.

2. In the admin center, go to Reports > Windows updates > select the Reports tab >
select Windows Feature Update Device Readiness Report.
3. Configure settings:

Click on Select Target OS and choose the version of Windows you plan to
deploy.
Click on Select Scope (Tags) and choose which devices should be in scope for
this report.
Optionally select Ownership and Readiness status to refine the report.
Click Generate report. This process can take several minutes. You'll be
notified when report generation is complete.

Important

The data in this report is made available on-demand only. You must configure the
Target OS and Scope (Tags) settings, and then click Generate report for data to
appear in the report.

Note

When you generate a report, the data in the report is cached on a per-user basis.
Other Intune users in your organization will not be able to see the report you have
generated. If you'd like to regenerate the report with different settings or to pull
the latest data, follow the steps above and click Generate again.

The following columns are available in this report:

Device name - The name of the device.
Manufacturer - The manufacturer of the device.
Model - The model of the device.
OS Version - The current version of Windows installed on the device. For more
information on how to interpret OS version data, see Windows 11 release
information or Windows 10 release information.
Readiness status - A summary of the readiness state of the device.
Sys req issues - A summary of any system requirements associated with the target
OS version that this device doesn't meet.
App issues - The number of applications installed on this device with a known
compatibility risk associated with the target OS version.
Driver issues - The number of drivers installed on this device with a known
compatibility risk associated with the target OS version.

The following applies to Readiness status:

Low risk - There are no known compatibility risks associated with the device.
Medium risk - There are only minor, or non-blocking, compatibility risks
associated with this device, such as applications that will be automatically removed
during upgrade.
High risk - There are multiple or blocking compatibility risks associated with this
device, such as applications that will block an upgrade.
Replace device - The device isn't capable of upgrading to the target OS version.
Upgraded - The device is already running a version of Windows equal to or greater
than the target OS version.
Unknown - A readiness status couldn't be determined. Ensure that the device is
properly configured to send Windows diagnostic data.

For more information about the compatibility risks that impact a specific device, select
the device name to open the details flyout. The tabs on the details flyout include:

Overview - A summary of device properties that can be used to identify the device,
and an overview of the compatibility risks impacting the device.
Applications - A table of applications with compatibility risks that are installed on
the device.
Drivers - A table of drivers with compatibility risks that are installed on the device.
Other - A table of compatibility risks that might impact this device, but aren't
associated with applications or drivers. Compatibility risks associated with device
configurations and settings, such as some Safeguard holds, fall into this category.

Use the Windows feature update compatibility risks report
The Windows feature update compatibility risks report provides a summary view of the
compatibility risks across your organization associated with an upgrade or update to a
chosen version of Windows.

Important

The insights in this report are specific to the target version of Windows you select
when generating the report. To ensure accuracy of insights, confirm that your
selected OS version matches the version of Windows you intend to deploy.

To use this report:

1. Sign in to the Microsoft Intune admin center.

2. In the admin center, go to Reports > Windows updates > select the Reports tab >
select Windows Feature Update Compatibility Risks Report.

3. Configure settings:

Click on Select Target OS and choose the version of Windows you plan to
deploy.
Optionally select Asset type and Risk status to refine the report.
Click Generate report. This process can take several minutes. You'll be
notified when report generation is complete.

Note

When you generate a report, the data in the report is cached on a per-user basis.
Other Intune users in your organization will not be able to see the report you have
generated. If you'd like to regenerate the report with different settings or to pull
the latest data, follow the steps above and click Generate again.

The following columns are available in this report:

Asset type - The type of asset that has a compatibility risk. Options include
Application, Driver, and Other.
Asset name - The name of the asset with a compatibility risk, such as the
application name.
Asset vendor - The name of the vendor who publishes the asset with a
compatibility risk.
Asset version - The version of the asset with a compatibility risk.
Affected devices - The number of enrolled devices that might be impacted by this
compatibility risk.
Risk status - A summary of the severity of the compatibility risk. Most
compatibility risks are either Medium risk if they're non-blocking, or High risk if
they might block the upgrade.
Issue - A description of the compatibility risk that has been identified.

For more information about a specific compatibility risk, including which devices are
potentially impacted, select the number in the Affected devices column to open the
details flyout. The tabs on the details flyout include:

Overview - A summary of the compatibility risk, including asset details and the
compatibility assessment. When available, the Guidance section provides
recommended actions to mitigate the compatibility risk.
Affected devices - A table of the devices that may be impacted by this
compatibility risk.

Issue descriptions
We use information from the Microsoft app compatibility database to describe any
existing compatibility issues for publicly available applications from Microsoft or other
publishers:

Application is removed during upgrade

Windows detected compatibility issues with an application. The application won't
migrate to the new OS version. No action is required for the upgrade to continue. Install
a compatible version of the application on the new OS version.

Windows can partially or fully remove these assets:

Full removal: Windows setup completely removes the app from the device during
upgrade.
Partial removal: Windows setup partially removes the app from the device. You
need to manually uninstall it after you upgrade Windows.

In both cases, after you upgrade Windows, you can't use the app.

Blocking upgrade

Windows detected blocking issues, and can't remove the application during upgrade. It
may not work on the new OS version. Before you upgrade, remove the application,
reinstall and test it on the new OS version.

Blocking upgrade, but can be reinstalled after upgrading

The application is compatible with the new OS version, but won't migrate. Remove the
application before upgrading Windows and then reinstall the application on the new OS
version.

Blocking upgrade, update application to newest version

The existing version of the application isn't compatible with the new OS version and
won't migrate. A compatible version of the application is available. Update the
application before upgrading.

Disk encryption blocking upgrade

The application's encryption features block the upgrade. Disable the encryption feature
before you upgrade Windows and enable it after the upgrade.

Doesn't work with new OS, but won't block upgrade

The application isn't compatible with the new OS version, but won't block the upgrade.
No action is required for the upgrade to continue. Install a compatible version of the
application on the new OS version.

Doesn't work with new OS, and will block upgrade

The application isn't compatible with the new OS version and will block the upgrade.
Remove the application before upgrading. A compatible version of the application may
be available.

Evaluation may be required on new OS

Windows will migrate the application, but it detected issues that may impact the app's
performance on the new OS version. No action is required for the upgrade to continue.
Test the application on the new OS version.

May block upgrade, test application

Windows detected issues that may interfere with the upgrade, but needs further
investigation. Test the application's behavior during upgrade. If it blocks the upgrade,
remove it before upgrading. Then reinstall and test it on the new OS version.

Multiple

Multiple issues affect the application.

Reinstall application after upgrading

The application is compatible with the new OS version, but you need to reinstall it after
you upgrade Windows. The upgrade process removes the application. No action is
required for the upgrade to continue. Reinstall the application on the new OS version.

Driver won't migrate to new OS

The currently installed version of a driver won't migrate to the new OS version.

The driver won't migrate to the new OS version and Windows doesn't have a
compatible version. In this case, we recommend checking with the independent
hardware vendor (IHV) who manufactures the driver, or the original equipment
manufacturer (OEM) who provided the device.
A new driver will be installed during upgrade, and a newer version may be
available from Windows Update. If the computer automatically receives updates
from Windows Update, no action is required. Otherwise, import a new driver from
Windows Update after you upgrade Windows.

Safeguards
When an issue may cause a Windows client feature update to fail or roll back, we may
apply safeguard holds that prevent affected devices from installing the update, to
safeguard them from these experiences. We remove these holds once a fix is found and
verified. For more information about the safeguard holds in place, see the Windows
release health page under Known issues for the relevant release.

Note

The safeguard entries aren't real assets installed on your devices. They're
placeholders that help identify apps or drivers in your environment that carry the
safeguard compatibility tag.

About reporting data latency

The data source for these reports is Windows diagnostic data. Data typically uploads
from enrolled devices once per day and is then processed in batches before being made
available in Intune. The maximum end-to-end latency is approximately 52 hours.

Known issues
Exported csv files display numerical values
When report data is exported to a .csv file, the exported data doesn't use the friendly
names you're used to seeing in the online reports. Use the tables below to map each
value in the exported file to its meaning:

Windows feature update device readiness report

Ownership:

.csv value   Report value
0            Unknown
1            Corporate
2            Personal

Readiness status:

.csv value   Report value
0            Low risk
1            Medium risk
2            High risk
3            Replace device
4            Upgraded
5            Unknown

Sys req issues (some report values map to multiple .csv values):

.csv value   Report value
1, 8, 10     Processor family
2            RAM
3            BIOS
4            Basic display driver
5            TPM
6, 12        System drive size
7            Secure boot
9            Network
11, 13       Driver block
14           S mode
15           Storage

Note

When exported, the sys req issues column is represented as a comma-separated
list of all values that apply to the device. For example, a value of "1, 2" means the
device doesn't meet the processor family or the RAM requirement for the target
OS version selected.

Windows feature update compatibility risks report

Asset Type:

.csv value   Report value
0            Device
1            Application
2            Driver
3            Other

Risk status (this column is called Readiness status in the .csv export):

.csv value   Risk status report value
0            Low risk
1            Medium risk
2            High risk

Issue (Asset Type is required to properly map exported Issue values):

Asset Type           Issue .csv value   Issue, then Guidance

Application, Other   1   Doesn't work with new OS, but won't block upgrade.
                         Guidance: Application won't work on new OS. No action is required for upgrade to proceed.

Application, Other   2   Evaluate application on new OS.
                         Guidance: Application may have issues on new OS. No action is required for upgrade to proceed.

Application, Other   3   Reinstall application after upgrading.
                         Guidance: No action is required for upgrade to proceed. Application will work on new OS, but must be reinstalled.

Application, Other   4   Disk encryption blocking upgrade.
                         Guidance: Disable disk encryption before upgrading. You can re-enable it after.

Application, Other   5   Blocking upgrade.
                         Guidance: Remove application before upgrading. Application may work on new OS.

Application, Other   6   Blocking upgrade, update application to newest version.
                         Guidance: Update application before upgrading. Compatible version is available.

Application, Other   7   Blocking upgrade, but can be reinstalled after upgrading.
                         Guidance: Remove application before upgrading. Application will work on new OS, but must be reinstalled.

Application, Other   8   Application is removed during upgrade.
                         Guidance: Application is removed during upgrade due to compatibility issues. No action is required for the upgrade to proceed, but be sure to test the application on the new OS, and check with the developer for a compatible version if needed.

Application, Other   9   Evaluation may be required on new OS.
                         Guidance: Windows may upgrade, but applications or drivers can have issues.

Driver               1   Driver won't migrate to new OS.
                         Guidance: Check with vendor for compatible driver.

Driver               2   Driver won't migrate to new OS.
                         Guidance: Driver is replaced with a new version (either inbox or via Windows Update). No action is required for upgrade to proceed.

Driver               3   Blocking upgrade.
                         Guidance: Can't upgrade.

Note

Guidance information is not included in the .csv export file. The mapping table
above includes Guidance data for each Issue type.
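To apply both mapping sections above (the device readiness values and the compatibility risks values, including the Guidance the export omits) to a real export, here is an added example that is not Microsoft's code. The CSV header names it expects are assumed to match the report column labels, and the sample rows are constructed.

```python
"""Decode numeric values in Intune feature-update report .csv exports.

Added example, not Microsoft's code: applies the Known issues mapping tables so an
export reads like the online report and restores the Guidance the export omits. The
header names (Ownership, Readiness status, Sys req issues, Asset type, Issue) are an
assumption to verify against a real export; the sample rows are constructed."""
from __future__ import annotations

import csv
import io

OWNERSHIP = {0: "Unknown", 1: "Corporate", 2: "Personal"}
READINESS = {0: "Low risk", 1: "Medium risk", 2: "High risk",
             3: "Replace device", 4: "Upgraded", 5: "Unknown"}
# Several .csv values map to the same system-requirement issue.
SYS_REQ = {1: "Processor family", 8: "Processor family", 10: "Processor family",
           2: "RAM", 3: "BIOS", 4: "Basic display driver", 5: "TPM",
           6: "System drive size", 12: "System drive size", 7: "Secure boot",
           9: "Network", 11: "Driver block", 13: "Driver block",
           14: "S mode", 15: "Storage"}
ASSET_TYPE = {0: "Device", 1: "Application", 2: "Driver", 3: "Other"}
RISK = {0: "Low risk", 1: "Medium risk", 2: "High risk"}
# Issue codes overlap between asset types, so Asset type selects the table; (issue, guidance).
APP_OTHER_ISSUES = {
    1: ("Doesn't work with new OS, but won't block upgrade.",
        "Application won't work on new OS. No action is required for upgrade to proceed."),
    2: ("Evaluate application on new OS.",
        "Application may have issues on new OS. No action is required for upgrade to proceed."),
    3: ("Reinstall application after upgrading.",
        "No action is required for upgrade to proceed. Application will work on new OS, but must be reinstalled."),
    4: ("Disk encryption blocking upgrade.",
        "Disable disk encryption before upgrading. You can re-enable it after."),
    5: ("Blocking upgrade.",
        "Remove application before upgrading. Application may work on new OS."),
    6: ("Blocking upgrade, update application to newest version.",
        "Update application before upgrading. Compatible version is available."),
    7: ("Blocking upgrade, but can be reinstalled after upgrading.",
        "Remove application before upgrading. Application will work on new OS, but must be reinstalled."),
    8: ("Application is removed during upgrade.",
        "Application is removed during upgrade due to compatibility issues. No action is required "
        "for the upgrade to proceed, but be sure to test the application on the new OS, and check "
        "with the developer for a compatible version if needed."),
    9: ("Evaluation may be required on new OS.",
        "Windows may upgrade, but applications or drivers can have issues."),
}
DRIVER_ISSUES = {
    1: ("Driver won't migrate to new OS.", "Check with vendor for compatible driver."),
    2: ("Driver won't migrate to new OS.",
        "Driver is replaced with a new version (either inbox or via Windows Update). "
        "No action is required for upgrade to proceed."),
    3: ("Blocking upgrade.", "Can't upgrade."),
}
ISSUE_TABLES = {"Application": APP_OTHER_ISSUES, "Other": APP_OTHER_ISSUES,
                "Driver": DRIVER_ISSUES}

# Constructed sample exports (not real tenant data).
READINESS_SAMPLE = """Device name,Ownership,Readiness status,Sys req issues
PC-0001,1,2,"1, 2"
PC-0002,2,0,
PC-0003,1,3,"5, 7, 13"
"""
RISKS_SAMPLE = """Asset type,Asset name,Readiness status,Issue
1,Contoso VPN Client,2,5
2,contoso-nic.sys,1,2
3,Safeguard placeholder,2,7
"""


def decode_sys_req(value: str) -> list[str]:
    """'1, 2' -> ['Processor family', 'RAM']; aliases such as '1, 8' collapse."""
    codes = [int(p) for p in value.split(",") if p.strip()]
    names = [SYS_REQ.get(c, f"Unknown sys req value {c}") for c in codes]
    return list(dict.fromkeys(names))  # drop duplicates, keep first-seen order


def decode_issue(asset_type: int, issue: int) -> tuple[str, str]:
    """Return (issue text, guidance) for an Asset type / Issue value pair."""
    table = ISSUE_TABLES.get(ASSET_TYPE.get(asset_type), {})
    return table.get(issue, (f"Unknown issue {issue} for asset type {asset_type}", ""))


def decode_readiness_export(csv_text: str) -> list[dict]:
    """Rows of a device readiness export with friendly names substituted."""
    decoded = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        out = dict(row)
        out["Ownership"] = OWNERSHIP.get(int(row["Ownership"]), "Unknown")
        out["Readiness status"] = READINESS.get(int(row["Readiness status"]), "Unknown")
        out["Sys req issues"] = decode_sys_req(row["Sys req issues"])
        decoded.append(out)
    return decoded


def decode_risks_export(csv_text: str) -> list[dict]:
    """Rows of a compatibility risks export; the .csv labels risk 'Readiness status'."""
    decoded = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        out = dict(row)
        asset_type = int(row["Asset type"])
        out["Asset type"] = ASSET_TYPE.get(asset_type, "Unknown")
        out["Risk status"] = RISK.get(int(out.pop("Readiness status")), "Unknown")
        out["Issue"], out["Guidance"] = decode_issue(asset_type, int(row["Issue"]))
        decoded.append(out)
    return decoded
```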

See also
The FastTrack Center Benefit for Windows provides access to Desktop App Assure. This
benefit is a service designed to address issues with Windows 10/11 and Microsoft 365
Apps for enterprise compatibility. For more information, see Desktop App Assure.

Next step
Configure Update rings for Windows 10 and later
Configure Feature updates for Windows 10 and later
Windows Update reports for Microsoft
Intune
Article • 06/26/2023

With Intune, you can deploy updates to Windows 10/11 devices by using policies for:

Update rings for Windows 10 and later
Feature updates for Windows 10 and later
Windows Driver updates for Windows 10 and later

Reports for these policy types are available to help you monitor and troubleshoot
update deployments. Intune supports the following report options:

Reports in Intune:
Windows 10 update rings – Use a built-in report that's ready by default when
you deploy update rings to your devices.
Windows 10 feature updates – Use two built-in reports that work together to
gain a deep picture of update status and issues. These reports require you to
configure data collection from devices before the reports can display data about
feature updates.
Windows Driver updates – Use the built-in reports to understand which driver
updates are applicable to your devices and which of those updates have been
approved, installed, or paused.

Windows Update for Business reports:

Use Windows Update for Business reports with Intune to monitor Windows update
rollouts. Windows Update for Business reports is a free service built on Azure
Monitor and Log Analytics.

For more information, see Monitor Windows Updates with Windows Update for
Business reports in the Windows documentation.

Reports for Update rings for Windows 10 and later policy
Intune offers integrated report views for the Windows update ring policies you deploy.
These views display details about the update ring deployment and status:

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Monitor. Then under Software updates select Per update ring
deployment state and choose the deployment ring to review.

Reports for Windows 10 and later feature updates policy
Intune offers integrated reports to view detailed Windows update deployment status for
devices using Feature updates for Windows 10 and later policies. To use reports for this
feature, you must first configure prerequisites and policies that support data collection
from devices.

The data in the Intune reports for Feature updates for Windows 10 and later policy is
used only for these reports and doesn't surface in other Intune reports.

Windows 10 feature updates (Organizational) – This report provides an overall view
of compliance for devices on a per-policy basis.
Feature update failures report (Operational) – This report provides details on Alerts
– errors, warnings, information, and recommendations – on a per-policy basis to
help troubleshoot and optimize your devices.

Before you can use the feature updates policy reports, you must configure prerequisites
for the report.

Prerequisites
Data collection:

Before a device can send the reporting data that's used in the Windows 10 feature
updates report for Intune, you must Configure data collection:
Service-based data is collected for all feature update versions and doesn't
require you to configure data collection.
Client-based data is collected from devices only after data collection is
configured.

Service and client-based data is described in Use the Windows 10 feature updates
(Organizational) report later in this article.

Devices:

Devices must:
Meet the prerequisites for Windows 10 and later feature updates policy as
documented in Feature updates for Windows 10 and later policy in Intune.
Be Azure Active Directory Joined, or Hybrid Azure Active Directory Joined to
support submitting of data for reporting.
Run Windows 10 1903 or later, or Windows 11. Although Windows 10 and later
feature updates policy supports earlier versions of Windows, earlier versions
don't support reporting of the data that Intune uses for the feature updates
reports.

Configure data collection

The data that powers Intune's Windows feature updates reports isn't collected by the
typical device sync with Intune. Instead, it's collected through the Windows health
monitoring device configuration policy, which uses the Windows 10/11 and Windows
Server Connected User Experiences and Telemetry component (DiagTrack) to collect the
data from Intune-managed devices. To enable use of this data in the reports, you must
configure devices to send Windows Updates data.

Enable data collection

To configure this setting for your devices, create a profile with the following
information:

Platform: Select Windows 10 and later.

Profile: Select Windows health monitoring.

Name: Enter a descriptive name for the profile, like Intune data collection policy.

Description: Enter a description for the profile. This setting is optional, but
recommended.

In Configuration Settings:
Health Monitoring: Select Enable to collect event information from supported
Windows 10/11 devices.
Scope: Select Windows Updates.

Use the Scope tags and Applicability rules to filter the profile to specific IT groups
or devices in a group that meet specific criteria. Only Windows 10 version 1903
and later and Windows 11 are supported for these reports.

When you complete the creation of the Windows health monitoring profile, the profile
deploys to the assigned groups, and configuration of data collection is complete.

It can take up to 24 hours after setting up Windows health monitoring with Windows
updates before the policy is applied.

Tip

If you use Endpoint Analytics, you can modify the existing configuration profile.
The same policy is used to collect data for Endpoint Analytics.

About reporting data latency

The data for these reports is generated at different times, which depend on the type of
data:

Service-based data from Windows Update – This data typically arrives in less than
an hour after an event happens in the service. Events range from Alerts for a device
that can't register with Windows Update (viewable in the Feature update failures
report) to status updates about when Windows Update began offering an update to
clients. This data is available without configuring data collection.

Client-based data from Intune devices that are configured to send data to Intune
– This data is processed in batches and refreshes every eight hours, but is only
available after you configure data collection. The data contains information like
when a client doesn't have enough disk space to install an update. This data is also
used in the Windows 10 feature updates organizational report to show the various
installation steps a device moves through when installing feature updates.

Use the Windows 10 feature updates (Organizational) report
The Windows 10 feature updates report provides an overview of compliance for devices
you target with a Windows feature updates policy.

Important

Before this report can show data, you must configure data collection for the
Windows feature updates reports.

This report provides update installation status that's based on the update state from
the device and device-specific update details. The data in this report is timely and
calls out the device name, its state, and other update-related details. This report
also supports filtering, searching, paging, and sorting.

To use the report:

1. Sign in to the Microsoft Intune admin center .

2. To view a summary report across all Windows 10 and later feature updates policies:

In the admin center, go to Reports > Windows updates. The default view
displays the Summary tab:

3. To open the Windows 10 feature updates report and view device details for a
specific feature updates profile:

In the admin center, go to Reports > Windows updates > select the Reports
tab > select Windows Feature Update Report.

Select Select a feature update profile, choose a profile, and then select
Generate report.
Use the Update status and Ownership filters to refine the report.

The following list identifies the columns that are available in the view:

Devices – The name of the device.
UPN – Intune user identifier (email).
Intune Device ID – Intune device identifier.
AAD Device ID – Azure Active Directory identifier for device.
Last Event Time – The last time there was new data, or something happened
for the device and update.
Update State – The state of the update for the device. Initial state data is
from the service-side, which is the status of the update in the system before it
begins to install on the device. When client-side data is available, client-side
data is shown, replacing the server-side data.
Update Substate – A low-level detailed version of the Update State.
Update Aggregated Status – A high-level summary of the Update State, like
In progress or Error.
Alert Type – When applicable, Alert Type displays the most recent alert
message.
Alert Details – This column isn't in use.
Last Scan Time – The last time this device ran a scan for Windows Update.

The following information applies to Update State and Update Substate:

Service-side data:
Pending:
Validation – The update can't be offered to the device because of a
validation issue with the device and Windows Update.
Scheduled – The update isn't yet being offered to the device but is
scheduled to be offered.
On hold:
Admin paused – The update is on hold because the deployment was paused
by an explicit administrator action.
ServicePaused – The update is on hold because of an automatic action
by Windows Update.
Canceled:
Admin Cancelled – The update offer was canceled by explicit
Administrator action.
Service Cancelled – The update was canceled by Windows Update for
one of the following reasons:
The end of service for the selected content was reached and it’s no
longer offered by Windows Update. For example, the device might
have been added to a deployment after the content’s availability
expired, or the content reached its end of service date before it could
install on the device.
The deployment content has been superseded for the device. This
can happen when the device is targeted by another deployment that
deploys newer content. For example, one deployment targets the
Windows 10 device to install version 2004 and a second deployment
targets that same device with version 21H1. In this event, 2004 is
superseded by the 21H1 deployment and Windows Update cancels
the 2004 deployment to the device.
Removed from Deployment – The update offer was canceled because
it was removed from the Deployment by explicit Administrator action.
Offering:
OfferReady – The update is currently being offered to the device by
Windows Update.

Client-side data:
On Hold:
Deferred – Windows Update for Business (WUfB) policies are causing
the device to defer the update being offered.
Offering:
Offer Received – The device scanned against Windows Update (WU)
and identifies that the update is applicable but hasn't begun to
download it.
Installing:
Download Start – The download process has begun.
Download Complete – The download process has completed.
Install Start – The pre-restart install process has started.
Install Complete – The pre-restart install process has finished. If the
update doesn't require a restart, the update process ends here.
Restart Required – A restart is required to finish the update.
Restart Initiated – The device has gone into restart.
Restart Complete – The device has come back from restart.
Installed:
Update Installed – The update successfully installed.
Uninstalling:
Uninstall – The device is actively uninstalling the update.
Rollback – A rollback has been initiated to a previous update because
of a serious issue during installation.
Update Uninstalled – The update successfully uninstalled.
Rollback complete – A rollback has completed.
Cancelled:
User Cancelled – A user canceled the update.
Device Cancelled – The device canceled the update for a user. This
action is usually because the update no longer applies.

Other:
Needs attention: The device has some issue and needs attention.

Use the Feature update failures (Operational) report


The Feature update failures operational report provides details for devices that you
target with a Windows 10 and later feature updates policy, and that have attempted to
install an update. Devices in this report might have an Alert that prevents the device
from completing installation of the update.

) Important

Before this report can show data, you must configure data collection for the
Windows feature updates reports.

This report provides insights to update installation status, including the number of
devices with errors. It also supports drilling in for more details to help you troubleshoot
issues with the installation. This report supports filtering, searching, paging, and sorting.

To use the report:

1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Monitor, and then below Software updates select Feature update
failures.
The initial view displays a per-profile summary of how many devices have
alerts for each of your profiles with the version of Windows that the profile
targets:

Selecting a profile opens a dedicated view that contains all active Alerts for
that profile.

While viewing the active alerts for the profile:

Select an Alert Message to open a pane that displays more details for that
alert:

Select the device name to open the Device page:

The following list identifies Alert Messages, and suggested remediation actions:
Each entry gives the alert message, its description, and the recommended action.

CancelledByUser – User canceled the update. Recommendation: Retry the installation.

DamagedMedia – The update file or the hard drive is damaged. Recommendation: Run
Chkdsk /F on the device with administrator privileges, then retry the update.

DeploymentConflict – Device is in more than one deployment of the same update type.
Only the first deployment assigned is effective. Recommendation: Remove the device
from any deployments that shouldn't apply.

DeviceRegistrationInvalidAzureADDeviceId – The device isn't able to register or
authenticate properly with Windows Update because of an invalid Azure AD Device ID.
Recommendation: Check that the device is joined to the Azure Active Directory tenant
making the request.

DeviceRegistrationInvalidGlobalDeviceId – The device isn't able to register or
authenticate properly with Windows Update because of an invalid Global Device ID.
Recommendation: The Microsoft Account Sign-In Assistant (MSA) Service might be
disabled, preventing Global Device ID assignment. Check that the MSA Service is
running or able to run on the device.

DeviceRegistrationIssue – The device isn't able to register or authenticate
properly with Windows Update. Recommendation: Check that the device registration
information is correct and the device can connect.

DeviceRegistrationNoTrustType – The device isn't able to register or authenticate
properly with Windows Update because it can't establish trust. Recommendation: Check
that the device is joined in Azure Active Directory using your account. If the issue
persists, the device might need to be unenrolled from Intune first.

DiskFull – The installation couldn't complete because the Windows partition is full.
Recommendation: Free up disk space on the Windows partition. Retry the installation.

DownloadCancelled – Windows Update couldn't download the update because the update
server stopped the connection. Recommendation: Make sure your network is working and
retry the download. If it still fails, check your WSUS server or contact support.

DownloadConnectionIssue – Windows Update couldn't connect to the update server and
the update couldn't download. Recommendation: Make sure your network is working and
retry the download. If it still fails, contact support.

DownloadCredentialsIssue – Windows Update couldn't download the file because the
Background Intelligent Transfer Service (BITS) couldn't connect to the internet. A
proxy server or firewall on your network might require credentials. Recommendation:
Retry the download. If it fails again, review your network configuration to make
sure that this computer can access the internet. If you need help, contact support.

DownloadIssue – There was an issue downloading the update. Recommendation: Retry
the installation.

DownloadIssueServiceDisabled – There was a problem with the Background Intelligent
Transfer Service (BITS). The BITS service or a service it depends on might be
disabled. Recommendation: In the Services administration tool, make sure that the
Background Intelligent Transfer Service is enabled. If the service isn't running,
try starting it manually. If it won't start, check the event log for errors.

DownloadTimeout – A timeout occurred while Windows tried to contact the update
service or the server containing the update's payload. Recommendation: Retry the
download. If it doesn't succeed, make sure that the update service and payload
servers are running normally and that there are no network connectivity issues.

EndOfService – Device is on a version of Windows that has passed its end of service
date. Recommendation: Update the device to a version that is currently supported.

EndOfServiceApproaching – Device is on a version of Windows that is approaching its
end of service date. Recommendation: Update the device to a version that has a
longer remaining servicing timeline.

FailureResponseThreshold – The failure response threshold setting was met for a
deployment to which the device belongs. Recommendation: Consider pausing the
deployment and assessing for issues.

FailureResponseThresholdPause – A deployment to which the device belongs was paused
because its failure response threshold was met. Recommendation: Review devices that
encountered issues.

FileNotFound – The downloaded update files can't be found. The Disk Cleanup utility
or a non-Microsoft software cleaning tool might have removed the files during
cleanup. Recommendation: Download the update again, and then retry the installation.

Incompatible – The system doesn't meet the minimum requirements to install the
update. Recommendation: Review the ScanResult.xml file for Block Type=Hard.

IncompatibleArchitecture – This update is for a different CPU architecture.
Recommendation: Make sure the target operating system architecture matches the host
operating system architecture.

IncompatibleServicingChannel – Device is in a servicing channel that is incompatible
with a deployment to which the device belongs. Recommendation: Configure the
device's servicing channel to a retail (Generally Available) update channel.

InstallAccessDenied – Installer doesn't have permission to access or replace a file.
The installer might have tried to replace a file that an antivirus, antimalware, or
backup program is currently scanning. Recommendation: Retry the installation.

InstallCancelled – The installation was canceled. Recommendation: Retry the
installation.

InstallFileLocked – Installer couldn't access a file that is already in use. The
installer might have tried to replace a file that an antivirus, antimalware, or
backup program is currently scanning. Recommendation: Check the files under the
%SystemDrive%\$Windows.~bt directory. Retry the installation.

InstallIssue – There was an issue installing the update. Recommendation: Run
dism /online /cleanup-image /restorehealth on the device with administrator
privileges, then retry the update. If the commands fail, a reinstall of Windows
might be required.

InstallIssueRedirection – A known folder that doesn't support redirection to
another drive might have been redirected to another drive. Recommendation: Report
this issue to Microsoft if this error is encountered more than once.

InstallMissingInfo – Windows Update doesn't have information it needs about the
update to finish the installation. Recommendation: Another update might have
replaced the one you're trying to install. Check the update, and then try
reinstalling it.

InstallOutOfMemory – The installation couldn't complete because Windows ran out of
memory. Recommendation: Restart Windows, then try the installation again. If it
still fails, allocate more memory to the virtual machine, or increase the size of
the virtual memory pagefiles.

InstallSetupError – Windows Setup encountered an error while installing.
Recommendation: Check that the BIOS and drivers are up to date. Retry the download.

InstallSystemError – A system error occurred while installing. Recommendation:
Check that the BIOS and drivers are up to date. Retry the download.

PolicyConflict – There are client policies (MDM, GP) that conflict with Windows
Update settings. Recommendation: Check that the client policies configured on the
device don't conflict with deployment settings.

PolicyConflictDeferral – The deferral policy configured on the device is preventing
the update from installing. Recommendation: Check that the client policies
configured on the device don't conflict with deployment settings.

PolicyConflictPause – Updates are paused on the device, preventing the update from
installing. Recommendation: Check that the client policies configured on the device
don't conflict with deployment settings.

PostRestartIssue – Windows Update couldn't determine the results of installing the
update. The error is usually false and the update probably succeeded.
Recommendation: If the update you're trying to install isn't available, no action
is required. If the update is still available, retry the installation.

RollbackInitiated – A rollback was started on this device, indicating a catastrophic
issue occurred during the Windows Setup install process. Recommendation: Run the
Setup Diagnostics Tool on the device. Don't retry the installation until the impact
is understood.

SafeguardHold – Update can't install because of a known safeguard hold.
Recommendation: View the Deployment Error Code column of the report to see the ID
of the safeguard hold. Open the Windows release health dashboard at
https://aka.ms/WindowsReleaseHealth to view information about the active holds,
including known issues with the update.

UnexpectedShutdown – The installation was stopped because a Windows shutdown or
restart was in progress. Recommendation: Ensure the device remains on during
Windows installation.

VersionMismatch – Device is on a version of Windows that wasn't intended by Windows
Update. Recommendation: Confirm whether the device is on the intended version.

WindowsRepairRequired – The current version of Windows needs to be repaired before
it can be updated. Recommendation: Run the Startup Repair Tool on this device.

WUBusy – Windows Update can't do this task because it's busy. Recommendation:
Restart Windows. Retry the installation.

WUComponentMissing – Windows Update might be missing a component or the update file
might be damaged. Recommendation: Run dism /online /cleanup-image /restorehealth on
the device with administrator privileges, and then retry the update. If the
commands fail, a reinstall of Windows might be required.

WUDamaged – Windows Update or the update file might be damaged. Recommendation: Run
dism /online /cleanup-image /restorehealth on the device with administrator
privileges, and then retry the update. If the commands fail, a reinstall of Windows
might be required.

WUDecryptionIssue – Windows Update couldn't decrypt the encrypted update file
because it couldn't find the proper key. Recommendation: Retry the installation.

WUDiskError – Windows Update encountered an error while reading or writing to the
system drive. Recommendation: Run the Windows Update Troubleshooter on the device.
Retry the installation.

WUIssue – Windows Update couldn't understand the metadata provided by the update
service. This error usually indicates a problem with the update. Recommendation:
Contact support.
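The recommendations above are manual steps. The following PowerShell script is an added example, not part of the Intune documentation or of any Microsoft tool: given the Alert Message copied from the report, it runs the local check behind the most common recommendations (free space on the Windows partition for DiskFull, the BITS service for DownloadIssueServiceDisabled, the Microsoft Account Sign-in Assistant for DeviceRegistrationInvalidGlobalDeviceId, the Azure AD join flags for the other DeviceRegistration alerts, the $Windows.~bt directory for InstallFileLocked, the local deferral and pause values for the PolicyConflict alerts, and DISM /RestoreHealth for InstallIssue, WUComponentMissing and WUDamaged). The service name wlidsvc, the dsregcmd /status line format, and the registry paths that hold local Windows Update policy are assumptions about current Windows builds; verify them on yours. The script changes nothing unless run with -Remediate in an elevated session.

```powershell
# Added example, not from the Intune documentation or any Microsoft tool.
# Read-only by default; -Remediate starts BITS and runs DISM /RestoreHealth,
# which needs an elevated session. Assumed (verify on your build): the service
# name 'wlidsvc' for the Microsoft Account Sign-in Assistant, the dsregcmd
# /status line format, and the registry paths holding local update policy.

function Get-AzureAdJoinState {
    # Parses dsregcmd /status for the join flags the registration alerts depend on.
    $text = (& dsregcmd.exe /status) -join "`n"
    $state = [ordered]@{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'TenantId') {
        $state[$key] = if ($text -match "(?m)^\s*$key\s*:\s*(\S+)") { $Matches[1] } else { 'UNKNOWN' }
    }
    [pscustomobject]$state
}

function Invoke-FeatureUpdateAlertTriage {
    param(
        [Parameter(Mandatory)][string]$AlertMessage,   # value of the Alert Message column
        [switch]$Remediate
    )

    switch -Regex ($AlertMessage) {
        '^DiskFull$' {
            $drive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
            "Free space on $($env:SystemDrive): $([math]::Round($drive.Free / 1GB, 1)) GB"
        }
        '^DownloadIssueServiceDisabled$' {
            $bits = Get-Service -Name BITS
            "BITS: Status=$($bits.Status) StartType=$($bits.StartType)"
            if ($Remediate -and $bits.Status -ne 'Running') { Start-Service -Name BITS }
        }
        '^DeviceRegistrationInvalidGlobalDeviceId$' {
            $msa = Get-Service -Name wlidsvc   # Microsoft Account Sign-in Assistant (assumed name)
            "MSA Sign-in Assistant: Status=$($msa.Status) StartType=$($msa.StartType)"
            if ($msa.StartType -eq 'Disabled') {
                Write-Warning 'wlidsvc is disabled, so no Global Device ID can be assigned.'
            }
        }
        '^DeviceRegistration(InvalidAzureADDeviceId|NoTrustType|Issue)$' {
            $join = Get-AzureAdJoinState
            $join
            if ($join.AzureAdJoined -ne 'YES' -and $join.WorkplaceJoined -ne 'YES') {
                Write-Warning 'Device is neither Azure AD joined nor registered; Windows Update cannot establish trust.'
            }
        }
        '^InstallFileLocked$' {
            $setupDir = Join-Path $env:SystemDrive '$Windows.~bt'
            if (Test-Path -LiteralPath $setupDir) {
                # The most recently written files are the likely candidates for an AV or backup lock.
                Get-ChildItem -LiteralPath $setupDir -Recurse -File -ErrorAction SilentlyContinue |
                    Sort-Object LastWriteTime -Descending |
                    Select-Object -First 10 FullName, LastWriteTime
            } else { "$setupDir is not present on this device" }
        }
        '^(PolicyConflict|PolicyConflictDeferral|PolicyConflictPause)$' {
            # Local deferral/pause values set by Group Policy and by MDM (paths assumed).
            foreach ($path in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
                              'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update') {
                Get-ItemProperty -Path $path -ErrorAction SilentlyContinue |
                    Select-Object @{ n = 'Source'; e = { $path } },
                                  DeferFeatureUpdates*, PauseFeatureUpdates*, BranchReadinessLevel
            }
        }
        '^(InstallIssue|WUComponentMissing|WUDamaged)$' {
            if ($Remediate) {
                & dism.exe /online /cleanup-image /restorehealth
                "DISM exit code: $LASTEXITCODE"
            } else { 'Re-run with -Remediate in an elevated session to run DISM /RestoreHealth.' }
        }
        default { "No local check implemented for '$AlertMessage'; follow the recommendation in the report." }
    }
}

# Usage: Invoke-FeatureUpdateAlertTriage -AlertMessage 'DownloadIssueServiceDisabled'
#        Invoke-FeatureUpdateAlertTriage -AlertMessage 'WUDamaged' -Remediate
```

The regex patterns are anchored so that exactly one case runs per alert; Chkdsk /F is deliberately left out of -Remediate because on the system drive it schedules a check at the next restart rather than running immediately.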

Reports for Windows Driver updates policy


Intune offers integrated reports to view detailed status for Windows driver updates for
devices assigned to Windows Driver update policies. To use these reports, you must first
configure the prerequisites and policies that support data collection from devices. These
reports are applicable to Windows 10 and Windows 11.

The data in the Intune reports for Windows Driver update policies is used only for these
reports and doesn't appear in other Intune reports. The following reports are available:
Windows Driver updates summary
Windows Driver updates report
Windows Driver update failures

Prerequisites for driver updates reports

Devices and data collection


To support reporting on all status and events for driver updates, you must configure the
following data collection settings:

Enable Windows diagnostic data collection from devices at a level of Required or
higher.
At the Tenant level, set Enable features that require Windows diagnostic data in
processor configuration to On. This setting can be configured in the Microsoft
Intune admin center at Tenant administration > Connectors and tokens >
Windows data.

User permissions to use reports


To view these reports, users must be assigned an Intune role with the Managed devices
> View reports permission. This permission is included in the following built-in roles:

Endpoint Security Manager
Read Only Operator
Help Desk Operator

Windows Driver updates summary


On the Summary tab of the Windows Updates node of Reports, you can view summary
details about device success or failure for installing updates from device update policies.
To find this report, navigate to Reports > Windows Updates > Summary tab and scroll
down until you find the Windows Driver updates.

The following screen capture displays a summary of four policies, each assigned to a
single device.

This report allows you to view the status of driver updates for each policy (Profile
column). It displays the number of devices that are up-to-date (Success), failed (Error),
paused (Paused), etc. for the driver updates in that policy. However, each device is only
represented once in a single status column, based on the worst status across all of the
updates that apply to that device.

Intune ranks the following statuses in order of priority, from best (Success) to worst
(NeedsReview):

Success – All applicable driver updates have installed successfully.
In progress – At least one update remains in progress, and none have been
paused, failed, or worse.
Paused – At least one update has been paused, but none have failed to install,
been cancelled, or are pending review.
Error – At least one update failed to install, but none are cancelled or pending
review.
Cancelled – At least one update has been declined, but none are pending review.
NeedsReview – One or more updates are new to the policy and pending review to
approve or decline.

For example: A policy might have three applicable driver updates for an assigned device.
If one of the three fails to install on that device while the other two updates install
successfully, the device is identified by adding one to the Error column. Once all three
updates install successfully, the device is represented by adding one to the Success
column and reducing the count of the Error column by one.
This report doesn’t support drilling in for more details about devices, driver updates, or
policy details.
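To make the roll-up rule concrete, the following PowerShell is an added example (not code from the Intune documentation or the Intune service) that reproduces the worst-status ranking over constructed per-device, per-update rows and produces the per-policy counts the Summary tab shows. The Policy, DeviceId and Status field names are assumptions for the sample data, not an Intune export schema.

```powershell
# Added example, not from the Intune documentation. Reproduces the per-device
# worst-status roll-up and the per-policy counts of the Windows Driver updates
# summary. Sample rows are constructed; the field names are assumptions.

# Rank from best to worst, in the order the summary uses.
$StatusRank = [ordered]@{
    'Success'     = 0
    'In progress' = 1
    'Paused'      = 2
    'Error'       = 3
    'Cancelled'   = 4
    'NeedsReview' = 5
}

function Get-DeviceRollupStatus {
    # The single status a device is counted under: the worst status across
    # every driver update that applies to it in the policy.
    param([Parameter(Mandatory)][string[]]$UpdateStatuses)

    $worst = 'Success'
    foreach ($s in $UpdateStatuses) {
        if (-not $StatusRank.Contains($s)) { throw "Unknown status '$s'" }
        if ($StatusRank[$s] -gt $StatusRank[$worst]) { $worst = $s }
    }
    return $worst
}

function Get-DriverUpdateSummary {
    # Builds the per-policy counts shown in the Summary tab from
    # per-device, per-update rows (Policy, DeviceId, Status).
    param([Parameter(Mandatory)][object[]]$Rows)

    foreach ($policyGroup in ($Rows | Group-Object -Property Policy)) {
        $row = [ordered]@{ Profile = $policyGroup.Name }
        foreach ($k in $StatusRank.Keys) { $row[$k] = 0 }

        # Each device is counted exactly once, under its roll-up status.
        foreach ($deviceGroup in ($policyGroup.Group | Group-Object -Property DeviceId)) {
            $status = Get-DeviceRollupStatus -UpdateStatuses @($deviceGroup.Group.Status)
            $row[$status]++
        }
        [pscustomobject]$row
    }
}

# Constructed sample: one policy, two devices. dev-001 has three applicable
# driver updates and one of them fails; dev-002 has an update awaiting review.
$before = @(
    [pscustomobject]@{ Policy = 'Drivers - Pilot'; DeviceId = 'dev-001'; Status = 'Success' }
    [pscustomobject]@{ Policy = 'Drivers - Pilot'; DeviceId = 'dev-001'; Status = 'Success' }
    [pscustomobject]@{ Policy = 'Drivers - Pilot'; DeviceId = 'dev-001'; Status = 'Error' }
    [pscustomobject]@{ Policy = 'Drivers - Pilot'; DeviceId = 'dev-002'; Status = 'In progress' }
    [pscustomobject]@{ Policy = 'Drivers - Pilot'; DeviceId = 'dev-002'; Status = 'NeedsReview' }
)
'Before the failed update is fixed (dev-001 counted under Error, dev-002 under NeedsReview):'
Get-DriverUpdateSummary -Rows $before | Format-Table -AutoSize

# Once the third update on dev-001 installs, that device moves from Error to Success.
$after = $before | ForEach-Object {
    $status = if ($_.DeviceId -eq 'dev-001') { 'Success' } else { $_.Status }
    [pscustomobject]@{ Policy = $_.Policy; DeviceId = $_.DeviceId; Status = $status }
}
'After all three updates on dev-001 install:'
Get-DriverUpdateSummary -Rows $after | Format-Table -AutoSize
```

The ordered hashtable doubles as the priority list, so adding or reordering a status only requires editing one place; a status the summary does not know about raises an error rather than being silently counted as Success.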

Windows Driver updates report


The Windows Driver Updates report allows you to select a single driver update and view
details about the policies in which it's applicable for a device. This report provides
information about the driver from all your driver update policies, offering a different
perspective than other reports, which only provide details specific to a single policy.

To find this report, in the admin center go to Reports > Windows updates > Reports
tab, and then select the Windows Driver Update Report tile.

In the following screen capture, the report shows details for the driver update Microsoft
– APPLIANCES – 1.0.0.1.

To change the focus of this report to a different driver:

1. On the Windows 10 and later Driver updates view, select Select a driver update to
open the Driver updates pane on the right.

2. The Driver updates pane displays a list of updates that are approved and applicable
for at least one device from across all your driver update policies.

3. On the Driver updates pane, select a driver, and then OK to return to the Windows
10 and later Driver updates report view that now shows information for the driver
you selected, and select Generate again to update the report.

In the following screen capture, only four drivers remain applicable to devices with
driver updates policy, and those four updates are different versions of the same driver
update.

Column details:

While most of the column details should be clear, the following warrant some
explanation:

Update State – This column presents the most recent status of the selected driver
update, as reported by each device to which it applies. Further details can be found
in the Update Substate column.
Cancelled – The update was paused in the policy that applies to this device.
Offering – The update is approved, but the device hasn't yet installed it.
Installed – The update installed successfully.
Needs attention – There's an installation issue for the update on this device.

Policy – This column identifies the name of the policy in which the update was
approved.

Last Scan Time – This column provides insight into when a device last checked for
updates. This can help explain why approved updates haven't installed. For
instance, if the last scan time is several weeks old, it may indicate that the device is
either offline or unable to connect to scan for updates.

Data retention:

As devices across all your update policies install the latest version of a driver
update, older driver update versions that are no longer needed by any device drop off
the driver updates list. However, this isn't necessarily an immediate event.
Reporting data for driver updates remains available until the end of a data
retention period, which is six months from the last time an event for the update is
received.
If the update is approved and all applicable devices have installed it, the
update is removed from reporting details six months after the last device
reports its status.
Similarly, if an update is paused and shows no activity for the retention period,
that update is also dropped from reporting details after six months. After an
update's data ages out, if a paused update that remains applicable to a device is
reapproved, subsequent status for that update begins to appear in reports.
Previous data that aged out of reports won't be restored or available.

Windows Driver update failures


Windows driver updates include a report on driver update failures. To find this report, in
the admin center go to Devices > Monitor > Windows Driver update failures. This
report is part of the Software updates group and might require you to scroll down the
admin center to locate it.

When you select the report, you can view a list of your update policies and see a count
of devices in each policy that have at least one driver update error. In the previous
screen capture, only one driver has such an error.
By selecting that policy and entry, you can then view more information about the error,
including:

Device Name
Driver Name
Driver Class
Alert Message
Deployment Error Code
UPN
Intune Device ID

This view is a useful place to identify and start investigation of driver update installation
failures.

Use Windows Update for Business reports


You can monitor Windows update rollouts by using Windows Update for Business
reports. Windows Update for Business reports is offered through the Azure portal and is
included as part of Windows 10/11 licenses listed in the prerequisites. Azure Log
Analytics ingestion and retention charges aren't incurred on your Azure subscription for
Windows Update for Business reports data.

To use this solution, you'll:

Use an Intune device configuration profile to deploy the settings to your Windows
10/11 devices.

Optionally, deploy a configuration script as a Win32 app to those same devices to
validate their configuration for Windows Update for Business reports.

Use Windows Update for Business reports to Monitor Windows updates.

For guidance on this solution, see Configuring Microsoft Intune devices for Windows
Update For Business reports in the Windows Update For Business reports
documentation.

Next steps
Manage software updates in Intune
Troubleshooting policies and profiles in
Microsoft Intune
Article • 05/27/2023

This article provides troubleshooting guidance for common issues related to policies
and configuration profiles in Microsoft Intune, including instructions on how to use
the built-in Intune troubleshooting feature.

Use the built-in Troubleshoot pane


You can use the built-in troubleshooting feature to review different compliance and
configuration statuses.

1. In the Microsoft Intune admin center, select Troubleshooting + support >
Troubleshoot.

2. Choose Select user > select the user having an issue > Select.

3. Confirm that Intune license shows the green check:

Helpful links:

Assign licenses so users can enroll devices
Add users to Intune

4. Under Devices, find the device having an issue. Review the different columns:

Managed: For a device to receive compliance or configuration policies, this
property must show MDM or EAS/MDM.

If Managed isn't set to MDM or EAS/MDM, then the device isn't enrolled.
It doesn't receive compliance or configuration policies until it's enrolled.

App protection policies (mobile application management) don't require
devices to be enrolled. For more information, see create and assign app
protection policies.

Azure AD Join Type: Should be set to Workplace or AzureAD.

If this column is Not Registered, there may be an issue with enrollment.
Typically, unenrolling and re-enrolling the device resolves this state.

Intune compliant: Should be Yes. If No is shown, there may be an issue with
compliance policies, or the device isn't connecting to the Intune service. For
example, the device may be turned off, or may not have a network
connection. Eventually, the device becomes non-compliant, possibly after 30
days.

For more information, see get started with device compliance policies.

Azure AD compliant: Should be Yes. If No is shown, there may be an issue
with compliance policies, or the device isn't connecting to the Intune service.
For example, the device may be turned off, or may not have a network
connection. Eventually, the device becomes non-compliant, possibly after 30
days.

For more information, see get started with device compliance policies.

Last check in: Should be a recent time and date. By default, Intune devices
check in every 8 hours.

If Last check in is more than 24 hours ago, there may be an issue with the
device. A device that can't check in can't receive your policies from Intune.

To force check-in:
On the Android device, open the Company Portal app > Devices >
Choose the device from list > Check Device Settings.
On the iOS/iPadOS device, open the Company portal app > Devices >
Choose the device from list > Check Settings.
On a Windows device, open Settings > Accounts > Access Work or
School > Select the account or MDM enrollment > Info > Sync.

Select the device to see policy-specific information.

Device Compliance shows the states of compliance policies assigned to the
device.

Device Configuration shows the states of configuration policies assigned to
the device.

If the expected policies aren't shown under Device Compliance or Device
Configuration, then the policies aren't targeted correctly. Open the policy,
and assign the policy to this user or device.

Policy states:
Not Applicable: This policy isn't supported on this platform. For example,
iOS/iPadOS policies don't work on Android. Samsung KNOX policies don't
work on Windows devices.
Conflict: There's an existing setting on the device that Intune can't
override. Or, you deployed two policies with the same setting using
different values.
Pending: The device hasn't checked into Intune to get the policy. Or, the
device received the policy but hasn't reported the status to Intune.
Errors: Look up errors and possible resolutions at Troubleshoot company
resource access problems.
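The Managed and Azure AD Join Type columns can also be verified from the Windows device itself before, or instead of, opening the Troubleshoot pane. The following PowerShell is an added example and not part of the Intune documentation: it reads the join flags from dsregcmd /status and looks for an Intune MDM enrollment under HKLM\SOFTWARE\Microsoft\Enrollments. The dsregcmd output line format, the ProviderID value MS DM Server and the UPN value in the enrollment key are assumptions about current Windows builds rather than documented interfaces; verify them on yours.

```powershell
# Added example, not from the Intune documentation. Reports, from the device,
# the two Troubleshoot pane columns that decide whether policy can arrive at all:
# Managed (MDM) and Azure AD Join Type (AzureAD, Workplace or Not Registered).
# Assumed (verify on your build): the dsregcmd /status line format, and that an
# Intune MDM enrollment under HKLM\SOFTWARE\Microsoft\Enrollments carries
# ProviderID 'MS DM Server' and a UPN value.

function Get-DsregFlag {
    # Returns the value of one "Key : Value" line from dsregcmd /status output.
    param([string]$Text, [string]$Key)
    if ($Text -match "(?m)^\s*$Key\s*:\s*(\S+)") { $Matches[1] } else { 'UNKNOWN' }
}

function Get-LocalIntuneEnrollmentState {
    $text = (& dsregcmd.exe /status) -join "`n"

    # Azure AD Join Type as the Troubleshoot pane reports it.
    $azureAdJoined   = Get-DsregFlag $text 'AzureAdJoined'
    $workplaceJoined = Get-DsregFlag $text 'WorkplaceJoined'
    $joinType = 'Not Registered'
    if ($azureAdJoined -eq 'YES') { $joinType = 'AzureAD' }
    elseif ($workplaceJoined -eq 'YES') { $joinType = 'Workplace' }

    # Managed = MDM when an enrollment with the Intune provider ID exists.
    $mdm = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object -First 1

    $managed      = 'Not enrolled'
    $enrollmentId = $null
    $upn          = $null
    if ($mdm) {
        $managed      = 'MDM'
        $enrollmentId = $mdm.PSChildName
        $upn          = $mdm.UPN
    }

    [pscustomobject]@{
        AzureAdJoinType = $joinType
        TenantId        = Get-DsregFlag $text 'TenantId'
        Managed         = $managed
        EnrollmentId    = $enrollmentId
        UPN             = $upn
    }
}

$state = Get-LocalIntuneEnrollmentState
$state
if ($state.Managed -ne 'MDM') {
    Write-Warning 'Not MDM enrolled: the device receives no compliance or configuration policies until it is.'
}
if ($state.AzureAdJoinType -eq 'Not Registered') {
    Write-Warning 'Azure AD Join Type is Not Registered: unenroll and re-enroll the device.'
}
```

If the device reports MDM and AzureAD or Workplace here but the Troubleshoot pane still shows otherwise, the problem is on the service side (licensing or a stale record), not on the device; if the device itself reports Not enrolled, no amount of policy assignment in the admin center will reach it.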
Check tenant status
Check the Tenant Status and confirm the subscription is Active. You can also view details
for active incidents and advisories that may impact your policy or profile deployment.

Confirm a configuration profile is correctly applied
1. Sign in to the Microsoft Intune admin center .

2. Select Devices > All devices > select the device > Device configuration.

Every device lists its profiles. Each profile has a Status. The status applies when all
of the assigned profiles, including hardware and OS restrictions and requirements,
are considered together. Possible statuses include:

Conforms: The device received the profile and reports to Intune that it
conforms to the setting.

Not applicable: The profile setting isn't applicable. For example, email
settings for iOS/iPadOS devices don't apply to an Android device.

Pending: The profile is sent to the device, but hasn't reported the status to
Intune. For example, encryption on Android requires the user to enable
encryption, and might show as pending.

For more information, see Monitor device profiles in Microsoft Intune

Saving of Access Rules to Exchange has Failed


Issue: You receive the alert Saving of Access Rules to Exchange has Failed in the admin
console.

If you create policies in the Exchange On-Premises Policy workspace (Admin console),
but are using Microsoft 365, then the configured policy settings aren't enforced by
Intune. In the alert, note the policy source. Under the Exchange On-premises Policy
workspace, delete the legacy rules. The legacy rules are Global Exchange rules within
Intune for on-premises Exchange, and aren't relevant to Microsoft 365. Then, create new
policy for Microsoft 365.

For more information, see Troubleshoot the Intune on-premises Exchange connector.


Can't change security policies for enrolled
devices
Windows 10 devices may not remove security policies when you unassign the policy
(stop deployment). You may need to leave the policy assigned, and then change the
security settings back to the default values.

Depending on the device platform, if you want to change the policy to a less secure
value, you may need to reset the security policies.

For example, in Windows 8.1, on the desktop, swipe in from right to open the Charms
bar. Choose Settings > Control Panel > User Accounts. On the left, select Reset
Security Policies link, and choose Reset Policies.

Other platforms, such as Android, and iOS/iPadOS may need to be retired and re-
enrolled to apply a less restrictive policy.

Troubleshoot Conditional Access
Article • 07/12/2023

This article describes what to do when your users fail to get access to resources
protected with Conditional Access, or when users can access protected resources but
should be blocked.

With Intune and Conditional Access, you can protect access to Microsoft 365 services
like Exchange Online and SharePoint Online, and various other services. This capability
allows you to make sure that only devices that are enrolled with Intune and compliant
with the Conditional Access rules that you set in Intune or Azure Active Directory have
access to your company resources.

Requirements for Conditional Access


The following requirements must be met for Conditional Access to work:

The device must be enrolled in mobile device management (MDM) and managed
by Intune.

Both the user and the device must be compliant with the assigned Intune
compliance policies.

By default, the user must be assigned a device compliance policy. Whether a device with no policy is treated as compliant depends on the Mark devices with no compliance policy assigned as setting, under Device Compliance > Compliance Policy Settings in the Intune admin portal.

Exchange ActiveSync must be activated on the device if the user is using the
device's native mail client rather than Outlook. This happens automatically for
iOS/iPadOS and Android Knox devices.

For on-premises Exchange, your Intune Exchange Connector must be properly configured. For more information, see Troubleshooting the Exchange Connector in Microsoft Intune.

For on-premises Skype, you must configure Hybrid Modern Authentication. See Hybrid Modern Auth Overview.

You can view these conditions for each device in the Azure portal and in the device inventory report.

Devices appear compliant but users are still blocked
Ensure that the user has an Intune license assigned for proper compliance
evaluation.

Non-Knox Android devices won't be granted access until the user clicks the Get
Started Now link in the quarantine email they receive. This applies even if the user
is already enrolled in Intune. If the user doesn't get the email with the link on their
phone, they can use a PC to access their email and forward it to an email account
on their device.

When a device is first enrolled, it might take some time for compliance information
to be registered for a device. Wait a few minutes and try again.

For iOS/iPadOS devices, an existing email profile might block the deployment of an
Intune admin-created email profile assigned to that user, making the device
noncompliant. In this scenario, the Company Portal app will notify the user that
they aren't compliant because of their manually configured email profile, and it
prompts the user to remove that profile. Once the user removes the existing email
profile, the Intune email profile can successfully deploy. To prevent this problem,
instruct your users to remove any existing email profiles on their device before
enrolling.

A device might get stuck in a checking-compliance state, preventing the user from starting another check-in. If you have a device in this state:
Make sure the device is using the latest version of the Company Portal app.
Restart the device.
See if the problem persists on different networks (for example, cellular, Wi-Fi, etc.).

If the problem remains, contact Microsoft Support as described in Get support in Microsoft Intune.

Certain Android devices might appear to be encrypted, however the Company Portal app recognizes these devices as not encrypted and marks them as noncompliant. In this scenario, the user will see a notification in the Company Portal app asking them to set a start-up passcode for the device. After tapping the notification and confirming the existing PIN or password, choose the Require PIN to start device option on the Secure start-up screen, then tap the Check Compliance button for the device from the Company Portal app. The device should now be detected as encrypted.

Note: Some device manufacturers encrypt their devices by using a default PIN instead of a PIN set by the user. Intune views encryption that uses a default PIN as insecure and marks those devices as noncompliant until the user creates a new, non-default PIN.

An Android device that's enrolled and compliant might still be blocked and receive
a quarantine notice when first trying to access corporate resources. If this occurs,
make sure the Company Portal app isn't running, then select the Get Started Now
link in the quarantine email to trigger evaluation. This should only need to be done
when Conditional Access is first enabled.

An Android device that is enrolled might prompt the user with "No certificates
found" and not be granted access to Microsoft 365 resources. The user must
enable the Enable Browser Access option on the enrolled device as follows:

1. Open the Company Portal app.
2. Go to the Settings page from the triple dots (...) or the hardware menu button.
3. Select the Enable Browser Access button.
4. In the Chrome browser, sign out of Microsoft 365 and restart Chrome.

Desktop applications must use modern authentication methods that rely on an authentication prompt that's displayed either in a web browser or an authentication broker. Scripts that send passwords directly can provide proof of a device's identity only if they use an authentication broker.

Devices are blocked and no quarantine email is received

Verify that the device is present in the Intune admin console as an Exchange
ActiveSync device. If it's not, it's likely that device discovery is failing, probably
because of an Exchange Connector issue. For more information, see Troubleshoot
the Intune Exchange Connector.

Before the Exchange Connector blocks a device, it sends an activation (quarantine) email. If the device is offline, it might not receive the activation email.

Check if the email client on the device is configured to retrieve email using Push
instead of Poll. If so, this could cause the user to miss the email. Switch to Poll and
see if the device receives the email.

Devices are noncompliant but users are not blocked

For Windows PCs, Conditional Access only blocks the native email app, Office 2013 with Modern Authentication, or Office 2016. Blocking earlier versions of Outlook or all mail apps on Windows PCs requires Azure AD Device Registration and Active Directory Federation Services (AD FS) configuration as described in How to: Block legacy authentication to Azure AD with Conditional Access.

If the device is selectively wiped or retired from Intune, it might continue to have
access for several hours after retirement. This is because Exchange caches access
rights for six hours. Consider other means of protecting data on retired devices in
this scenario.

Surface Hub, Bulk-Enrolled, and DEM enrolled Windows devices can support
Conditional Access when a user who is assigned a license for Intune is signed in.
However, you must deploy the compliance policy to device groups (not user
groups) for correct evaluation.

Check the assignments for your compliance policies and your Conditional Access
policies. If a user isn't in the group that's assigned the policies, or is in a group
that's excluded, the user isn't blocked. Only devices for users in an assigned group
are checked for compliance.

Noncompliant device is not blocked


If a device isn't compliant but continues to have access, take the following actions.

Review your Target and Exclusion groups. If a user isn't in the right target group or
is in the exclusion group, they won't be blocked. Only devices of users in a Target
group are checked for compliance.

Ensure the device is being discovered. Is the Exchange Connector pointing to an Exchange 2010 CAS while the user is on an Exchange 2013 server? In this case, if the default Exchange rule is Allow, even if the user is in the Target group, Intune can't be aware of the device's connection to Exchange.

Check device existence and access state in Exchange:

Use this PowerShell cmdlet to get a list of all mobile devices for a mailbox: Get-MobileDeviceStatistics -Mailbox <mailbox>. If the device isn't listed, it isn't accessing Exchange. For more info, see the Exchange PowerShell docs.

If the device is listed, use Get-CASMailbox -Identity <upn> | Format-List to get the mailbox's ActiveSync settings (whether ActiveSync is enabled and any per-mailbox allowed or blocked device IDs), and provide that information to Microsoft Support. The per-device DeviceAccessState and DeviceAccessStateReason are on the objects returned by Get-MobileDevice -Mailbox <mailbox>. For more info, see the Exchange PowerShell docs.
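The following script pulls the three Exchange-side answers together for one mailbox: the organisation default for unmatched devices, the mailbox's own ActiveSync switches, and every device Exchange has recorded with its access state and last sync. It is an added example, not code from the Intune documentation, and it assumes an open Exchange Online or Exchange Management Shell session with at least the View-Only Recipients role; the cmdlets and property names used are the standard Exchange ones.

```powershell
# Added example (not from the Intune docs): enumerate a mailbox's ActiveSync
# devices and the Exchange-side state that decides whether each one is served.
# Assumes an Exchange Online (Connect-ExchangeOnline) or Exchange Management
# Shell session is already open with the View-Only Recipients role or higher.
param(
    [Parameter(Mandatory)] [string] $Mailbox   # UPN or alias of the user who is "not blocked"
)

# Organisation-wide default (Allow / Block / Quarantine) for devices that no
# rule matches. A default of Allow is the case described above: a device the
# connector never discovered is still served.
$org = Get-ActiveSyncOrganizationSettings
"Default access level for unmatched devices: $($org.DefaultAccessLevel)"

# Per-mailbox settings that bypass or override device rules.
$cas = Get-CASMailbox -Identity $Mailbox
"ActiveSync enabled for mailbox: $($cas.ActiveSyncEnabled)"
if ($cas.ActiveSyncAllowedDeviceIDs) { "Per-mailbox allow list: $($cas.ActiveSyncAllowedDeviceIDs -join ', ')" }
if ($cas.ActiveSyncBlockedDeviceIDs) { "Per-mailbox block list: $($cas.ActiveSyncBlockedDeviceIDs -join ', ')" }

# Devices Exchange has actually seen for this mailbox. A device that is not in
# this list never reached Exchange, so there is nothing for Intune to act on.
$devices = Get-MobileDevice -Mailbox $Mailbox
if (-not $devices) { "No mobile devices recorded for $Mailbox"; return }

$devices | ForEach-Object {
    $stats = Get-MobileDeviceStatistics -Identity $_.Identity
    [pscustomobject]@{
        DeviceId        = $_.DeviceId
        DeviceType      = $_.DeviceType
        AccessState     = $_.DeviceAccessState         # Allowed / Blocked / Quarantined / DeviceDiscovery
        AccessReason    = $_.DeviceAccessStateReason   # Global, Individual, DeviceRule, Policy, ...
        LastSuccessSync = $stats.LastSuccessSync
        LastSyncAttempt = $stats.LastSyncAttemptTime
    }
} | Sort-Object LastSuccessSync -Descending | Format-Table -AutoSize
```

A device shown as Allowed with AccessReason Global while Intune reports it noncompliant points at the default rule, not at the device; a device missing from the list entirely points at discovery or at the client never having synced.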

Sign-in errors with app-based Conditional Access

Intune app protection policies help you protect company data at the app level, even on
devices that you don't manage in Intune. If your users cannot sign in to protected
applications, there might be an issue with your app-based Conditional Access policies.
See Troubleshooting sign-in problems with Conditional Access for detailed guidance.



Intune Certificate Connector events and
diagnostic codes
Article • 10/28/2022

Starting with version 6.1806.x.x, the Intune Connector Service logs events in the Event
Viewer (Applications and Services Logs > Microsoft Intune Connector). Use these
events to help troubleshoot potential issues in the configuration of the Intune Certificate
Connector. These events log successes and failures of an operation, and also contain
diagnostic codes with messages to help the IT admin troubleshoot.

Tip: To troubleshoot issues and verify Intune Certificate Connector setup, see Certificate Authority script samples.

Event IDs and descriptions

Each entry lists the event ID, event name, event description, and the related diagnostic codes.

10010 StartedConnectorService: Connector service started. Related diagnostic codes: 0x00000000, 0x0FFFFFFF.
10020 StoppedConnectorService: Connector service stopped. Related diagnostic codes: 0x00000000, 0x0FFFFFFF.
10100 CertificateRenewal_Success: Connector enrollment certificate successfully renewed. Related diagnostic codes: 0x00000000, 0x0FFFFFFF.
10102 CertificateRenewal_Failure: Connector enrollment certificate failed to renew. Reinstall the connector. Related diagnostic codes: 0x00000000, 0x00000405, 0x0FFFFFFF.
10302 RetrieveCertificate_Error: Failed to retrieve the connector enrollment certificate from the registry. Review event details for the certificate thumbprint related to this event. Related diagnostic codes: 0x00000000, 0x00000404, 0x0FFFFFFF.
10301 RetrieveCertificate_Warning: Check diagnostic information in event details. Related diagnostic codes: 0x00000000, 0x00000403, 0x0FFFFFFF.
20100 PkcsCertIssue_Success: Successfully issued a PKCS certificate. Review event details for the device ID, user ID, CA name, certificate template name, and certificate thumbprint related to this event. Related diagnostic codes: 0x00000000, 0x0FFFFFFF.
20102 PkcsCertIssue_Failure: Failed to issue a PKCS certificate. Review event details for the device ID, user ID, CA name, certificate template name, and certificate thumbprint related to this event. Related diagnostic codes: 0x00000000, 0x00000400, 0x00000401, 0x0FFFFFFF.
20200 RevokeCert_Success: Successfully revoked the certificate. Review event details for the device ID, user ID, CA name, and certificate serial number related to this event. Related diagnostic codes: 0x00000000, 0x0FFFFFFF.
20202 RevokeCert_Failure: Failed to revoke the certificate. Review event details for the device ID, user ID, CA name, and certificate serial number related to this event. For additional information, see the NDES SVC logs. Related diagnostic codes: 0x00000000, 0x00000402, 0x0FFFFFFF.
20300 Upload_Success: Successfully uploaded the certificate's request or revocation data. Review the event details for the upload details. Related diagnostic codes: 0x00000000, 0x0FFFFFFF.
20302 Upload_Failure: Failed to upload the certificate's request or revocation data. Review the event details > Upload State to determine the point of failure. Related diagnostic codes: 0x00000000, 0x0FFFFFFF.
20400 Download_Success: Successfully downloaded a request to sign a certificate, download a client certificate, or revoke a certificate. Review the event details for the download details. Related diagnostic codes: 0x00000000, 0x0FFFFFFF.
20402 Download_Failure: Failed to download a request to sign a certificate, download a client certificate, or revoke a certificate. Review the event details for the download details. Related diagnostic codes: 0x00000000, 0x0FFFFFFF.
20500 CRPVerifyMetric_Success: Certificate Registration Point successfully verified a client challenge. Related diagnostic codes: 0x00000000, 0x0FFFFFFF.
20501 CRPVerifyMetric_Warning: Certificate Registration Point completed but rejected the request. See the diagnostic code and message for more details. Related diagnostic codes: 0x00000000, 0x00000411, 0x0FFFFFFF.
20502 CRPVerifyMetric_Failure: Certificate Registration Point failed to verify a client challenge. See the diagnostic code and message for more details, and the event message details for the Device ID corresponding to the challenge. Related diagnostic codes: 0x00000000, 0x00000408, 0x00000409, 0x00000410, 0x0FFFFFFF.
20600 CRPNotifyMetric_Success: Certificate Registration Point successfully finished the notify process and has sent the certificate to the client device. Related diagnostic codes: 0x00000000, 0x0FFFFFFF.
20602 CRPNotifyMetric_Failure: Certificate Registration Point failed to finish the notify process. See the event message details for information on the request. Verify the connection between the NDES server and the CA. Related diagnostic codes: 0x00000000, 0x0FFFFFFF.


Diagnostic codes

Each entry lists the diagnostic code, diagnostic name, and diagnostic message.

0x00000000 Success: Success.
0x00000400 PKCS_Issue_CA_Unavailable: Certification authority is not valid or is unreachable. Verify that the certification authority is available, and that your server can communicate with it.
0x00000401 Symantec_ClientAuthCertNotFound: Symantec Client Auth certificate was not found in the local cert store. See the article Install the Symantec registration authorization certificate for more information.
0x00000402 RevokeCert_AccessDenied: The specified account does not have permissions to revoke a certificate from the CA. See the CA Name field in the event message details to determine the issuing CA.
0x00000403 CertThumbprint_NotFound: Could not find a certificate that matched your input. Enroll the certificate connector and try again.
0x00000404 Certificate_NotFound: Could not find a certificate that matched the input supplied. Re-enroll the certificate connector and try again.
0x00000405 Certificate_Expired: A certificate expired. Re-enroll the certificate connector to renew the certificate and try again.
0x00000408 CRPSCEPCert_NotFound: CRP encryption certificate could not be found. Verify that NDES and the Intune Connector are set up correctly.
0x00000409 CRPSCEPSigningCert_NotFound: Signing certificate could not be retrieved. Verify that the Intune Connector Service is configured correctly and is running. Verify also that the certificate download events were successful.
0x00000410 CRPSCEPDeserialize_Failed: Failed to deserialize the SCEP challenge request. Verify that NDES and the Intune Connector are set up correctly.
0x00000411 CRPSCEPChallenge_Expired: Request denied due to an expired certificate challenge. The client device can retry after obtaining a new challenge from the management server.
0x0FFFFFFF Unknown_Error: We are unable to complete your request because a server-side error occurred. Please try again.


Next steps
For further assistance, see Troubleshooting SCEP certificate profiles with Microsoft
Intune.

Troubleshooting SCEP certificate
profiles with Intune
Article • 10/28/2022

This article gives guidance to help you troubleshoot and resolve issues with Simple Certificate Enrollment Protocol (SCEP) certificate profiles in Microsoft Intune. The following sections cover these concepts:

The architecture and the communication flow of the SCEP process
Narrowing down where a problem exists in that communication flow
Identifying the key log files that are referenced in subsequent articles for troubleshooting certificate profiles

The information in this article and related SCEP certificate troubleshooting articles
applies to using SCEP certificate profiles with Android, iOS/iPad, and Windows devices.
Similar information for macOS isn't available at this time. To troubleshoot Network
Device Enrollment Service (NDES), see the following articles:

Verify NDES configuration on-premises for SCEP certificates in Intune
Configure infrastructure to support SCEP with Intune

Before proceeding, ensure you've met the prerequisites for using SCEP certificate
profiles, including the deployment of a root certificate through a trusted certificate
profile.

SCEP communication flow overview

The following image demonstrates a basic overview of the SCEP communication process in Intune. Each step includes a link to an article with more prescriptive guidance.

1. Deploy a SCEP certificate profile. Intune generates a challenge string, which requires a specific user, certificate purpose, and certificate type.

2. Device to NDES server communication. The device uses the URI for NDES from the profile to contact the NDES server so it can present a challenge.

3. NDES to policy module communication. NDES forwards the challenge to the Intune Certificate Connector policy module on the server, which validates the request.

4. NDES to certification authority. NDES passes valid requests to issue a certificate to the Certification Authority (CA).

5. Certificate delivery to the device. The certificate is delivered to the device.

6. Reporting of deployment to Intune. The Intune Certificate Connector reports the certificate issuance event to Intune.

Log files

To identify problems in the communication and certificate provisioning workflow, review log files from both the server infrastructure and from devices. Later sections for troubleshooting SCEP certificate profiles refer to the log files described in this section.

Infrastructure and server logs

Device logs depend on the device platform:

iOS and iPadOS
Android
Windows

Logs for on-premises infrastructure

On-premises infrastructure that supports use of SCEP certificate profiles for certificate deployments includes the Microsoft Intune Certificate Connector, NDES that runs on a Windows Server, and the certification authority.

Log files for these roles include Windows Event Viewer, Certificate consoles, and various log files specific to the Intune Certificate Connector, NDES, or other roles and operations that are part of the on-premises infrastructure.

The following list includes logs or consoles that are referenced in the subsequent SCEP troubleshooting articles.

NDESConnector_date_time.svclog:

This log shows communication from the Microsoft Intune Certificate Connector to the Intune cloud service. You can use the Service Trace Viewer Tool to view this log file.

Related registry key: HKLM\Software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus

Location: On the server that hosts NDES at %program_files%\Microsoft intune\ndesconnectorsvc\logs\logs

CertificateRegistrationPoint_date_time.svclog:

This log shows the NDES policy module receiving and verifying certificate requests. You can use the Service Trace Viewer Tool to view this log file.

Location: On the server that hosts NDES at %program_files%\Microsoft intune\ndesconnectorsvc\logs\logs

NDESPlugin.log:

This log shows the passing of certificate requests to the Certificate Registration Point, and the resulting verification of those requests.

Location: On the server that hosts NDES at %program_files%\Microsoft Intune\NDESPolicyModule\logs

IIS logs:

IIS logs show the certificate requests from mobile devices entering NDES.

Location: On the server that hosts NDES at c:\inetpub\logs\LogFiles\W3SVC1

Windows Application log:

This log is useful when investigating IIS issues, like the SCEP application pool.

Location: On the server that hosts NDES: run eventvwr.msc to open Windows Event Viewer.
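A first-pass triage script for the NDES host, covering the connector events listed in the Intune Certificate Connector events article above and the log locations listed here: it summarises connector failure events by the diagnostic code found in their messages, reads the connector's connection status from the registry, and locates the newest svclog, NDESPlugin.log and IIS log files. This is an added example, not code from the Intune documentation or the connector. Two things are assumptions rather than facts from the page: that the log appears to Get-WinEvent under the name 'Microsoft Intune Connector', and that ConnectionStatus is a value under the NDESConnector key rather than a subkey (the script falls back to dumping the key if it is not).

```powershell
# Added example (not from the Intune docs): first-pass NDES/connector triage for
# SCEP issues. Run in an elevated PowerShell on the server that hosts NDES and
# the Intune Certificate Connector.
# Assumptions (not stated on the page): the event log name as seen by
# Get-WinEvent is 'Microsoft Intune Connector', and ConnectionStatus is a value
# under the NDESConnector registry key.
param([int] $Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# Event IDs the connector uses for failures (from the event table above) and the
# diagnostic-code pattern that appears in their messages.
$failureIds = 10102, 10302, 20102, 20202, 20302, 20402, 20502, 20602
$codeRegex  = '0x[0-9A-Fa-f]{8}'

"== Connector failure events since $since =="
try {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft Intune Connector'; Id = $failureIds; StartTime = $since } -ErrorAction Stop
} catch {
    $events = @()   # Get-WinEvent throws when nothing matches
}
$events |
    ForEach-Object {
        # Drop 0x00000000 (Success) so only the informative code survives.
        $codes = [regex]::Matches($_.Message, $codeRegex) | ForEach-Object Value |
                 Where-Object { $_ -ne '0x00000000' } | Select-Object -Unique
        [pscustomobject]@{ Id = $_.Id; Codes = ($codes -join ',') }
    } |
    Group-Object Id, Codes |
    ForEach-Object { [pscustomobject]@{ EventId = $_.Group[0].Id; DiagnosticCodes = $_.Group[0].Codes; Count = $_.Count } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

"== Connector cloud connection status =="
$key = 'HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\NDESConnector'
if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    if ($null -ne $props.ConnectionStatus) { "ConnectionStatus: $($props.ConnectionStatus)" }
    else { $props | Select-Object * -ExcludeProperty PS* | Format-List }
} else {
    "Registry key $key not found: is the connector installed on this host?"
}

"== Newest log files =="
$logRoots = @(
    (Join-Path $env:ProgramFiles 'Microsoft Intune\NDESConnectorSvc\Logs\Logs'),   # *.svclog (Service Trace Viewer)
    (Join-Path $env:ProgramFiles 'Microsoft Intune\NDESPolicyModule\Logs'),        # NDESPlugin.log
    (Join-Path $env:SystemDrive 'inetpub\logs\LogFiles\W3SVC1')                    # IIS requests for mscep.dll
)
foreach ($root in $logRoots) {
    if (-not (Test-Path $root)) { "missing: $root"; continue }
    Get-ChildItem -Path $root -File | Sort-Object LastWriteTime -Descending | Select-Object -First 2 |
        ForEach-Object { "{0,-22:u} {1,12:N0} bytes  {2}" -f $_.LastWriteTime, $_.Length, $_.FullName }
}

# The policy module's most recent lines are where a rejected request shows first.
$plugin = Join-Path $env:ProgramFiles 'Microsoft Intune\NDESPolicyModule\Logs\NDESPlugin.log'
if (Test-Path $plugin) { "== Tail of NDESPlugin.log =="; Get-Content -Path $plugin -Tail 20 }
```

Read the event summary against the diagnostic-code list above: a run of 20502 with 0x00000411 is expired challenges (clients retrying stale requests), while 20102 with 0x00000400 means the connector itself cannot reach the CA and no amount of client-side work will help.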

Logs for Android devices

For devices that run Android, use the Android Company Portal app log file,
OMADM.log. Before you collect and review logs, ensure Verbose Logging is enabled,
and then reproduce the issue.

To collect the OMADM.logs from a device, see Upload and email logs using a USB cable.

You can also Upload and email logs to support.

Logs for iOS and iPadOS devices

For devices that run iOS/iPadOS, you use debug logs and Xcode that runs on a Mac
computer:

1. Connect the iOS/iPadOS device to Mac, and then go to Applications > Utilities to
open the Console app.

2. Under Action, select Include Info Messages and Include Debug Messages.

3. Reproduce the problem, and then save the logs to a text file:
a. Select Edit > Select All to select all the messages on the current screen, and
then select Edit > Copy to copy the messages to the clipboard.
b. Open the TextEdit application, paste the copied logs into a new text file, and
then save the file.

The Company Portal log for iOS and iPadOS devices doesn't contain information about
SCEP certificate profiles.

Logs for Windows devices

For devices that run Windows, use the Windows Event logs to diagnose enrollment or
device management issues for devices that you manage with Intune.

On the device, open Event Viewer > Applications and Services Logs > Microsoft >
Windows > DeviceManagement-Enterprise-Diagnostics-Provider.

Next steps
Troubleshoot deployment of a SCEP certificate profile to devices in Microsoft Intune

Troubleshooting the deployment of
SCEP certificates profile to devices in
Intune
Article • 05/27/2023

This article gives troubleshooting guidance for issues deploying Simple Certificate Enrollment Protocol (SCEP) certificate profiles with Microsoft Intune. Certificate deployment is Step 1 of the SCEP communication flow overview.

The SCEP certificate profile, and the trusted certificate profile specified in the SCEP
profile, must both be assigned to the same user, or the same device. The following table
shows the expected result of mixed assignments:

SCEP profile assignment        Trusted profile: User   Trusted profile: Device   Trusted profile: User and Device
includes User                  Success                 Failure                   Success
includes Device                Failure                 Success                   Success
includes User and Device       Success                 Success                   Success

Android
SCEP certificate profiles for Android come down to the device as a SyncML and are
logged in the OMADM log.

Validate that the Android device was sent the policy

To validate a profile was sent to the device you expect, in the Microsoft Intune admin
center go to Troubleshooting + Support > Troubleshoot. On the Troubleshoot
window, set Assignments to Configuration profiles and then validate the following
configurations:

1. Specify the user who should receive the SCEP certificate profile.

2. Review the user's group membership to ensure they are in the security group you
used with the SCEP certificate profile.

3. Review when the device last checked in with Intune.

Validate the policy reached the Android device

Review the device's OMADM log. Look for entries that resemble the following example, which is logged when the device gets the profile from Intune:

Time VERB Event com.microsoft.omadm.syncml.SyncmlSession 9595
9 <?xml version="1.0" encoding="utf-8"?><SyncML xmlns="SYNCML:SYNCML1.2">
<SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>
<SessionID>1</SessionID><MsgID>6</MsgID><Target>
<LocURI>urn:uuid:UUID</LocURI></Target><Source>
<LocURI>https://a.manage.microsoft.com/devicegatewayproxy/AndroidHandler.ash
x</LocURI></Source><Meta><MaxMsgSize
xmlns="syncml:metinf">524288</MaxMsgSize></Meta></SyncHdr><SyncBody><Status>
<CmdID>1</CmdID><MsgRef>6</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd>
<Data>200</Data></Status><Replace><CmdID>2</CmdID><Item><Target>
<LocURI>./Vendor/MSFT/Scheduler/IntervalDurationSeconds</LocURI></Target>
<Meta><Format xmlns="syncml:metinf">int</Format><Type
xmlns="syncml:metinf">text/plain</Type></Meta><Data>28800</Data></Item>
</Replace><Replace><CmdID>3</CmdID><Item><Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/EnterpriseIDs</LocURI>
</Target><Data>contoso.onmicrosoft.com</Data></Item></Replace><Exec>
<CmdID>4</CmdID><Item><Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/EnterpriseApps/ClearNotificati
ons</LocURI></Target></Item></Exec><Add><CmdID>5</CmdID><Item><Target>
<LocURI>./Vendor/MSFT/CertificateStore/Root/{GUID}/EncodedCertificate</LocUR
I></Target><Data>Data</Data></Item></Add><Add><CmdID>6</CmdID><Item><Target>
<LocURI>./Vendor/MSFT/CertificateStore/Enroll/ModelName=AC_51…
%2FLogicalName_39907…%3BHash=-1518303401/Install</LocURI></Target><Meta>
<Format xmlns="syncml:metinf">xml</Format><Type
xmlns="syncml:metinf">text/plain</Type></Meta>
<Data>&lt;CertificateRequest&gt;&lt;ConfigurationParametersDocument&gt;&amp;
lt;ConfigurationParameters
xmlns="http://schemas.microsoft.com/SystemCenterConfigurationManager/2012/03
/07/CertificateEnrollment/ConfigurationParameters"&amp;gt;&amp;lt;Expiration
Threshold&amp;gt;20&amp;lt;/ExpirationThreshold&amp;gt;&amp;lt;RetryCount&am
p;gt;3&amp;lt;/RetryCount&amp;gt;&amp;lt;RetryDelay&amp;gt;1&amp;lt;/RetryDe
lay&amp;gt;&amp;lt;TemplateName /&amp;gt;&amp;lt;SubjectNameFormat&amp;gt;
{ID}&amp;lt;/SubjectNameFormat&amp;gt;&amp;lt;SubjectAlternativeNameFormat&a
mp;gt;
{ID}&amp;lt;/SubjectAlternativeNameFormat&amp;gt;&amp;lt;KeyStorageProviderS
etting&amp;gt;0&amp;lt;/KeyStorageProviderSetting&amp;gt;&amp;lt;KeyUsage&am
p;gt;32&amp;lt;/KeyUsage&amp;gt;&amp;lt;KeyLength&amp;gt;2048&amp;lt;/KeyLen
gth&amp;gt;&amp;lt;HashAlgorithms&amp;gt;&amp;lt;HashAlgorithm&amp;gt;SHA-
1&amp;lt;/HashAlgorithm&amp;gt;&amp;lt;HashAlgorithm&amp;gt;SHA-
2&amp;lt;/HashAlgorithm&amp;gt;&amp;lt;/HashAlgorithms&amp;gt;&amp;lt;NDESUr
ls&amp;gt;&amp;lt;NDESUrl&amp;gt;https://breezeappproxy-
contoso.msappproxy.net/certsrv/mscep/mscep.dll&amp;lt;/NDESUrl&amp;gt;&amp;l
t;/NDESUrls&amp;gt;&amp;lt;CAThumbprint&amp;gt;
{GUID}&amp;lt;/CAThumbprint&amp;gt;&amp;lt;ValidityPeriod&amp;gt;2&amp;lt;/V
alidityPeriod&amp;gt;&amp;lt;ValidityPeriodUnit&amp;gt;Years&amp;lt;/Validit
yPeriodUnit&amp;gt;&amp;lt;EKUMapping&amp;gt;&amp;lt;EKUMap&amp;gt;&amp;lt;E
KUName&amp;gt;Client
Authentication&amp;lt;/EKUName&amp;gt;&amp;lt;EKUOID&amp;gt;1.3.6.1.5.5.7.3.
2&amp;lt;/EKUOID&amp;gt;&amp;lt;/EKUMap&amp;gt;&amp;lt;/EKUMapping&amp;gt;&a
mp;lt;/ConfigurationParameters&amp;gt;&lt;/ConfigurationParametersDocument&g
t;&lt;RequestParameters&gt;&lt;CertificateRequestToken&gt;PENlcnRFbn...
Hash:
1,010,143,298&lt;/CertificateRequestToken&gt;&lt;SubjectName&gt;CN=name&lt;/
SubjectName&gt;&lt;Issuers&gt;CN=FourthCoffee CA; DC=fourthcoffee;
DC=local&lt;/Issuers&gt;&lt;SubjectAlternativeName&gt;&lt;SANs&gt;&lt;SAN
NameFormat="ID" AltNameType="2" OID="{OID}"&gt;&lt;/SAN&gt;&lt;SAN
NameFormat="ID" AltNameType="11" OID="
{OID}"&gt;john@contoso.onmicrosoft.com&lt;/SAN&gt;&lt;/SANs&gt;&lt;/SubjectA
lternativeName&gt;&lt;NDESUrl&gt;https://breezeappproxy-
contoso.msappproxy.net/certsrv/mscep/mscep.dll&lt;/NDESUrl&gt;&lt;/RequestPa
rameters&gt;&lt;/CertificateRequest&gt;</Data></Item></Add><Get>
<CmdID>7</CmdID><Item><Target>
<LocURI>./Vendor/MSFT/CertificateStore/SCEP</LocURI></Target></Item></Get>
<Add><CmdID>8</CmdID><Item><Target><LocURI>./Vendor/MSFT/GCM</LocURI>
</Target><Data>Data</Data></Item></Add><Replace><CmdID>9</CmdID><Item>
<Target><LocURI>./Vendor/MSFT/GCM</LocURI></Target><Data>Data</Data></Item>
</Replace><Get><CmdID>10</CmdID><Item><Target>
<LocURI>./Vendor/MSFT/NodeCache/SCConfigMgr</LocURI></Target></Item></Get>
<Get><CmdID>11</CmdID><Item><Target>
<LocURI>./Vendor/MSFT/NodeCache/SCConfigMgr/CacheVersion</LocURI></Target>
</Item></Get><Get><CmdID>12</CmdID><Item><Target>
<LocURI>./Vendor/MSFT/NodeCache/SCConfigMgr/ChangedNodes</LocURI></Target>
</Item></Get><Get><CmdID>13</CmdID><Item><Target>
<LocURI>./DevDetail/Ext/Microsoft/LocalTime</LocURI></Target></Item></Get>
<Get><CmdID>14</CmdID><Item><Target>
<LocURI>./Vendor/MSFT/DeviceLock/DevicePolicyManager/IsActivePasswordSuffici
ent</LocURI></Target></Item></Get><Get><CmdID>15</CmdID><Item><Target>
<LocURI>./Vendor/MSFT/WorkProfileLock/DevicePolicyManager/IsActivePasswordSu
fficient</LocURI></Target></Item></Get><Final /></SyncBody></SyncML>

Examples of key entries:

ModelName=AC_51bad41f-3854-4eb5-a2f2-0f7a94034ee8%2FLogicalName_39907e78_e61b_4730_b9fa_d44a53e4111c%3BHash=-1518303401

NDESUrls&amp;gt;&amp;lt;NDESUrl&amp;gt;https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll&amp;lt;/NDESUrl&amp;gt;&amp;lt;/NDESUrls

iOS/iPadOS

Validate that the iOS/iPadOS device was sent the policy

To validate a profile was sent to the device you expect, in the Microsoft Intune admin
center go to Troubleshooting + Support > Troubleshoot. On the Troubleshoot
window, set Assignments to Configuration profiles and then validate the following
configurations:

1. Specify the user who should receive the SCEP certificate profile.

2. Review the user's group Membership to ensure they are in the security group you
used with the SCEP certificate profile.

3. Review when the device last checked in with Intune.


Validate the policy reached the iOS or iPadOS device

Review the device's debug log. Look for entries that resemble the following example, which is logged when the device gets the profile from Intune:

debug 18:30:54.638009 -0500 profiled Adding dependent ModelName=AC_51bad41f.../LogicalName_1892fe4c...;Hash=-912418295 to parent 636572740000000000000012 in domain PayloadDependencyDomainCertificate to system\

Examples of key entries:

ModelName=AC_51bad41f.../LogicalName_1892fe4c...;Hash=-912418295

PayloadDependencyDomainCertificate

Windows

Validate that the Windows device was sent the policy

To validate the profile was sent to the device you expect, in the Microsoft Intune admin
center , go to Troubleshooting + Support > Troubleshoot. On the Troubleshoot
window, set Assignments to Configuration profiles and then validate the following
configurations:

1. Specify the user who should receive the SCEP certificate profile.
2. Review the user's group membership to ensure they are in the security group you
used with the SCEP certificate profile.

3. Review when the device last checked in with Intune.

Validate the policy reached the Windows device

The arrival of the policy for the profile is logged in a Windows device's
DeviceManagement-Enterprise-Diagnostics-Provider > Admin log, with an event ID 306.

To open the log:

1. On the device, run eventvwr.msc to open Windows Event Viewer.

2. Expand Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

3. Look for Event 306, which resembles the following example:

Event ID: 306
Task Category: None
Level: Information
User: SYSTEM
Computer: <Computer Name>
Description:
SCEP: CspExecute for UniqueId : (ModelName_<ModelName>_LogicalName_<LogicalName>_Hash_<Hash>) InstallUserSid : (<UserSid>) InstallLocation : (user) NodePath : (clientinstall) KeyProtection: (0x2) Result : (Unknown Win32 Error code: 0x2ab0003).

The error code 0x2ab0003 translates to DM_S_ACCEPTED_FOR_PROCESSING.

A non-successful error code might provide indication of the underlying problem.
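On a managed Windows device, the check above can be automated: read the 306 events from the Admin channel, pull the fields out of the message, and flag any whose Result is not DM_S_ACCEPTED_FOR_PROCESSING. The following is an added example, not code from the Intune documentation; the regular expression is written against the message layout quoted above and is an assumption for any other wording Windows might use, and the sample message is constructed, not a real event.

```powershell
# Added example (not from the Intune docs): parse SCEP CspExecute events (ID 306)
# from DeviceManagement-Enterprise-Diagnostics-Provider/Admin and decode Result.
# 0x2ab0003 (DM_S_ACCEPTED_FOR_PROCESSING, as the article states) is the good
# case; everything else is returned with Accepted = $false for follow-up.
# The regex assumes the message layout quoted above.

function ConvertFrom-ScepCspExecuteMessage {
    param([Parameter(Mandatory)] [string] $Message)

    $rx = 'UniqueId\s*:\s*\((?<id>[^)]+)\)' +
          '.*?InstallUserSid\s*:\s*\((?<sid>[^)]*)\)' +
          '.*?InstallLocation\s*:\s*\((?<loc>[^)]*)\)' +
          '.*?NodePath\s*:\s*\((?<node>[^)]*)\)' +
          '.*?KeyProtection\s*:\s*\((?<kp>0x[0-9A-Fa-f]+)\)' +
          '.*?Result\s*:\s*\((?<result>[^)]*)\)'
    if (-not ($Message -match "(?s)$rx")) { return $null }

    # Result reads "Unknown Win32 Error code: 0x2ab0003" in the quoted event;
    # take the last hex token if there is one, otherwise leave the code empty.
    $hex  = [regex]::Matches($Matches.result, '0x[0-9A-Fa-f]+') | Select-Object -Last 1
    $code = if ($hex) { [Convert]::ToUInt32($hex.Value.Substring(2), 16) } else { $null }

    [pscustomobject]@{
        UniqueId        = $Matches.id
        UserSid         = $Matches.sid
        InstallLocation = $Matches.loc
        NodePath        = $Matches.node
        KeyProtection   = $Matches.kp              # 0x2 in the quoted event
        ResultCode      = $code
        ResultText      = $Matches.result
        Accepted        = ($code -eq 0x2ab0003)    # DM_S_ACCEPTED_FOR_PROCESSING
    }
}

function Get-ScepCspExecuteResult {
    param([int] $MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 306
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-ScepCspExecuteMessage -Message $_.Message
            if ($parsed) { $parsed | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru }
        }
}

# Constructed sample message (not a real event), shaped like the one quoted above.
$sample = 'SCEP: CspExecute for UniqueId : (ModelName_AC_51bad41f_LogicalName_1892fe4c_Hash_-912418295) ' +
          'InstallUserSid : (S-1-5-21-1-2-3-1001) InstallLocation : (user) NodePath : (clientinstall) ' +
          'KeyProtection: (0x2) Result : (Unknown Win32 Error code: 0x2ab0003).'
ConvertFrom-ScepCspExecuteMessage -Message $sample | Format-List

# On a managed device, keep only the requests that were not accepted:
# Get-ScepCspExecuteResult | Where-Object { -not $_.Accepted } | Format-Table Time, UniqueId, ResultText
```

An accepted 306 only means the CSP took the request; whether a certificate actually arrived is decided later in the flow, so pair this with the NDES-side checks in the next article before concluding the device is fine.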

Next steps
If the profile reaches the device, the next step is to review the device to NDES server
communication.

Troubleshooting device to NDES server
communication for SCEP certificate
profiles in Microsoft Intune
Article • 10/28/2022

Use the following information to determine if a device that received and processed an
Intune Simple Certificate Enrollment Protocol (SCEP) certificate profile can successfully
contact Network Device Enrollment Service (NDES) to present a challenge. On the
device, a private key is generated and the certificate signing request (CSR) and challenge
are passed from the device to the NDES server. To contact the NDES server, the device
uses the URI from the SCEP certificate profile.

This article references Step 2 of the SCEP communication flow overview.

Review IIS logs for a connection from the device

Internet Information Services (IIS) log files include the same type of entries for all
platforms.

1. On the NDES server, open the most recent IIS log file found in the following folder:
%SystemDrive%\inetpub\logs\logfiles\w3svc1

2. Search the log for entries similar to the following examples. Both contain a status code of 200, which appears near the end of the line:

fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACaps&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 186 0

And

fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 3567 0

3. When the device contacts IIS, an HTTP GET request for mscep.dll is logged.

Review the status code near the end of this request:


Status code of 200: This status indicates the connection with the NDES server
is successful.

Status code of 500: The IIS_IUSRS group might lack correct permissions. See
Troubleshoot status code 500, later in this article.

If the status code isn't 200 or 500:

See Test and troubleshoot the SCEP server URL later in this article to help
validate the configuration.

See The HTTP status code in IIS 7 and later versions for information
about less common error codes.

If the connection request isn't logged at all, the contact from the device might be
blocked on the network between the device and the NDES server.
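The IIS log review above is easier to do programmatically when the log is busy. The following PowerShell is an added example written for this page, not code from the Intune documentation or the NDES product: it parses W3C-format IIS log lines, keeps the NDES (mscep.dll) and policy-module (CertificateRegistrationSvc) requests, and attaches the verdict this page assigns to each status code. The log lines in $SampleLog are constructed for the example, and the reading of win32-status 1346 as ERROR_BAD_IMPERSONATION_LEVEL (which matches the IIS_IUSRS impersonation cause described later) is the editor's, not the page's.

```powershell
# Added example, not from the Intune documentation: parse W3C-format IIS log lines from
# the NDES server and classify every SCEP-related request by operation and status code.
# $SampleLog is constructed for this example; on a real server read the newest file in
# %SystemDrive%\inetpub\logs\LogFiles\W3SVC1 (see the commented call at the end).

function ConvertFrom-IisW3cLog {
    # Turns W3C extended log lines into objects keyed by the names in the #Fields: header.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split '\s+'; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # truncated or foreign line
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-ScepRequestSummary {
    # Keeps only NDES (mscep.dll) and policy-module (CertificateRegistrationSvc) requests
    # and attaches the verdict the troubleshooting steps on this page give each status.
    param([Parameter(Mandatory)][string[]]$Lines)
    ConvertFrom-IisW3cLog -Lines $Lines |
        Where-Object { $_.'cs-uri-stem' -match 'mscep\.dll|/CertificateRegistrationSvc/' } |
        ForEach-Object {
            $op = if ($_.'cs-uri-query' -match 'operation=([A-Za-z]+)') { $Matches[1] }
                  elseif ($_.'cs-uri-stem' -match 'VerifyRequest') { 'VerifyRequest' }
                  else { 'n/a' }
            $status = [int]$_.'sc-status'
            $win32  = [int64]$_.'sc-win32-status'   # int64: HRESULT-style values exceed int32
            $verdict = switch ($status) {
                200 { 'OK: NDES reachable' }
                201 { 'OK: policy module accepted the challenge' }
                403 { 'policy module refused: client certificate untrusted or invalid' }
                500 { if ($win32 -eq 1346) { 'IIS_IUSRS lacks "Impersonate a client after authentication"' } else { 'server error; check the Application event log' } }
                default { 'unexpected; see the IIS status code reference' }
            }
            [pscustomobject]@{
                Time      = "$($_.date) $($_.time)"
                Client    = $_.'c-ip'
                Method    = $_.'cs-method'
                Operation = $op
                Status    = $status
                Win32     = $win32
                UserAgent = $_.'cs(User-Agent)'
                Verdict   = $verdict
            }
        }
}

# Constructed sample in the default IIS W3C field layout (spaces inside values are '+').
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2022-10-28 14:02:11 10.5.14.10 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - 10.5.14.22 Dalvik/2.1.0+(Linux;+U;+Android+5.0) - 200 0 0 421
2022-10-28 14:02:12 10.5.14.10 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=ca 443 - 10.5.14.22 Dalvik/2.1.0+(Linux;+U;+Android+5.0) - 200 0 0 3909
2022-10-28 14:02:15 10.5.14.10 GET /certsrv/mscep/mscep.dll operation=PKIOperation&message=MIAGCSqG 443 - 10.5.14.22 Dalvik/2.1.0+(Linux;+U;+Android+5.0) - 200 0 0 1296
2022-10-28 14:02:15 10.5.14.10 POST /CertificateRegistrationSvc/Certificate/VerifyRequest - 443 - 10.5.14.10 NDES_Plugin - 201 0 0 875
2022-10-28 14:07:40 10.5.14.10 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=SCEP%20Authority 443 - 10.5.14.23 profiled/1.0+CFNetwork/811.5.4+Darwin/16.6.0 - 500 0 1346 31
'@ -split "`r?`n"

Get-ScepRequestSummary -Lines $SampleLog | Format-Table -AutoSize

# Against the live server (folder from this page; the newest file is the current day's log):
# $latest = Get-ChildItem "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1\*.log" | Sort-Object LastWriteTime | Select-Object -Last 1
# Get-ScepRequestSummary -Lines (Get-Content $latest) | Where-Object Status -ne 200 | Format-Table -AutoSize
```

The parser relies on the #Fields: header, so it works whatever field set is enabled in IIS; if a device never appears at all, the request is not reaching IIS and the network path between device and NDES is the next thing to check, as the text above says.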

Review device logs for connections to NDES

Android devices
Review the device's OMADM log. Look for entries that resemble the following examples,
which are logged when the device connects to NDES:

Output

2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 There are 1 requests

2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 Trying to enroll certificate request: ModelName=AC_51bad41f-3854-4eb5-a2f2-0f7a94034ee8%2FLogicalName_39907e78_e61b_4730_b9fa_d44a53e4111c;Hash=1677525787

2018-02-27T05:16:09.5530000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACaps(ca) to https://<server>.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca

2018-02-27T05:16:14.6440000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACaps(ca) to https://<server>.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca

2018-02-27T05:16:21.8220000 VERB Event org.jscep.message.PkiMessageEncoder 18327 10 Encoding message: org.jscep.message.PkcsReq@2b06f45f[messageData=org.<server>.pkcs.PKCS10CertificationRequest@699b3cd,messageType=PKCS_REQ,senderNonce=Nonce [D447AE9955E624A56A09D64E2B3AE76E],transId=251E592A777C82996C7CF96F3AAADCF996FC31FF]

2018-02-27T05:16:21.8790000 VERB Event org.jscep.message.PkiMessageEncoder 18327 10 Signing pkiMessage using key belonging to [dn=CN=<username>; serial=1]

2018-02-27T05:16:21.9580000 VERB Event org.jscep.transaction.EnrollmentTransaction 18327 10 Sending org.<server>.cms.CMSSignedData@ad57775

Key entries include the following sample text strings:

There are 1 requests


Received '200 OK' when sending GetCACaps(ca) to
https://<server>.msappproxy.net/certsrv/mscep/mscep.dll?
operation=GetCACaps&message=ca

Signing pkiMessage using key belonging to [dn=CN=<username>; serial=1]

The connection is also logged by IIS in the %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\ folder of the NDES server. Below is an example:

Output

fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=ca 443 - fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 3909 0

fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 421

iOS/iPadOS devices
Review the device's debug log. Look for entries that resemble the following examples,
which are logged when the device connects to NDES:

Output

debug 18:30:53.691033 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=SCEP%20Authority\

debug 18:30:54.640644 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=SCEP%20Authority\

default 18:30:55.483977 -0500 profiled Attempting to retrieve issued certificate...\

debug 18:30:55.487798 -0500 profiled Sending CSR via GET.\

debug 18:30:55.487908 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?
operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEA
gMFADCABgkqhkiG9w0BBwGggCSABIIZfzCABgkqhkiG9w0BBwOggDCAAgEAMYIBgjCCAX4CAQAwZ
jBPMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxHDAaBgoJkiaJk/IsZAEZFgxmb3VydGhjb2ZmZWUxG
DAWBgNVBAMTD0ZvdXJ0aENvZmZlZSBDQQITaAAAAAmaneVjEPlcTwAAAAAACTANBgkqhkiG9w0BA
QEFAASCAQCqfsOYpuBToerQLkw/tl4tH9E+97TBTjGQN9NCjSgb78fF6edY0pNDU+PH4RB356wv3
rfZi5IiNrVu5Od4k6uK4w0582ZM2n8NJFRY7KWSNHsmTIWlo/Vcr4laAtq5rw+CygaYcefptcaam
kjdLj07e/Uk4KsetGo7ztPVjSEFwfRIfKv474dLDmPqp0ZwEWRQGZwmPoqFMbX3g85CJT8khPaqF
W05yGDTPSX9YpuEE0Bmtht9EwOpOZe6O7sd77IhfFZVmHmwy5mIYN7K6mpx/4Cb5zcNmY3wmTBlK
EkDQpZDRf5PpVQ3bmQ3we9XxeK1S4UsAXHVdYGD+bg/bCafMIAGCSqGSIb3DQEHATAUBggqhkiG9
w0DBwQI5D5J2lwZS5OggASCF6jSG9iZA/EJ93fEvZYLV0v7GVo3JAsR11O7DlmkIqvkAg5iC6DQv
XO1j88T/MS3wV+rqUbEhktr8Xyf4sAAPI4M6HMfVENCJTStJw1PzaGwUJHEasq39793nw4k268UV
5XHXvzZoF3Os2OxUHSfHECOj

Key entries include the following sample text strings:

operation=GetCACert
Attempting to retrieve issued certificate
Sending CSR via GET
operation=PKIOperation

Windows devices
On a Windows device that is making a connection to NDES, you can view the device's Windows Event Viewer and look for indications of a successful connection. Connections are logged as an event ID 36 in the device's DeviceManagement-Enterprise-Diagnostics-Provider > Admin log.

To open the log:

1. On the device, run eventvwr.msc to open Windows Event Viewer.

2. Expand Applications and Services Logs > Microsoft > Windows >
DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

3. Look for Event 36, which resembles the following example, with the key line of
SCEP: Certificate request generated successfully:

Output

Event ID: 36

Task Category: None

Level: Information

Keywords:

User: <UserSid>

Computer: <Computer Name>

Description:

SCEP: Certificate request generated successfully. Enhanced Key Usage: (1.3.6.1.5.5.7.3.2), NDES URL: (https://<server>/certsrv/mscep/mscep.dll/pkiclient.exe), Container Name: (), KSP Setting: (0x2), Store Location: (0x1).
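The three device-side milestones this guidance asks you to find in Event Viewer (event 306 when the policy arrives, described in the previous article; event 36 when the CSR is generated, shown above; event 39 when the certificate is installed, covered in the delivery article) can be collected in one query. The following PowerShell is an added example written for this page, not code from the Intune documentation: it reads the DeviceManagement-Enterprise-Diagnostics-Provider Admin log on the Windows device, decodes the fields the text calls out (the result code of event 306, the NDES URL and EKU of event 36), and reports which stage the flow reached. The optional -ExpectedNdesUrl comparison against the profile's Server URL is the editor's addition; run it elevated on the device.

```powershell
# Added example, not from the Intune documentation: collect the device-side SCEP milestones
# (306 policy arrived, 36 CSR generated, 39 certificate installed) from the Windows
# DeviceManagement-Enterprise-Diagnostics-Provider Admin log and decode the fields the
# troubleshooting text points at. Run elevated on the enrolled Windows device.

$DmLog        = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$AcceptedCode = 0x2AB0003   # DM_S_ACCEPTED_FOR_PROCESSING, the expected event 306 result

function Get-ScepDeviceMilestones {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$ExpectedNdesUrl          # optional: Server URL from the SCEP profile (editor's check)
    )
    $filter = @{ LogName = $DmLog; Id = 306, 36, 39; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $m = $e.Message
        $o = [ordered]@{ Time = $e.TimeCreated; Id = $e.Id; Stage = ''; Detail = ''; Verdict = '' }
        switch ($e.Id) {
            306 {
                $o.Stage = 'policy arrived'
                if ($m -match '(?s)UniqueId\s*:\s*\((.+?)\)') { $o.Detail = $Matches[1] }
                if ($m -match 'Result\s*:\s*\([^)]*?0x([0-9A-Fa-f]+)\)') {
                    $code = [Convert]::ToInt64($Matches[1], 16)
                    $o.Verdict = if ($code -eq $AcceptedCode) { 'accepted for processing' }
                                 else { 'unexpected result 0x{0:X}; investigate before looking at NDES' -f $code }
                }
            }
            36 {
                $o.Stage = 'CSR generated'
                if ($m -match 'NDES URL:\s*\(([^)]+)\)') { $o.Detail = $Matches[1] }
                if ($m -match 'Enhanced Key Usage:\s*\(([^)]*)\)') { $o.Detail += " EKU=$($Matches[1])" }
                $o.Verdict = if ($ExpectedNdesUrl -and -not $o.Detail.StartsWith($ExpectedNdesUrl, 'OrdinalIgnoreCase')) {
                                 'NDES URL differs from the profile Server URL' }
                             else { 'request built; next check the IIS logs on the NDES server' }
            }
            39 {
                $o.Stage = 'certificate installed'
                $o.Detail = ($m -split "`r?`n")[0].Trim()
                $o.Verdict = 'delivery complete'
            }
        }
        [pscustomobject]$o
    }
}

function Test-ScepDeviceFlow {
    # Summarizes how far the flow got in the window and lists anything that looked wrong.
    param([datetime]$Since = (Get-Date).AddDays(-1), [string]$ExpectedNdesUrl)
    $events  = @(Get-ScepDeviceMilestones -Since $Since -ExpectedNdesUrl $ExpectedNdesUrl)
    $reached = $events | Sort-Object Time | Select-Object -ExpandProperty Stage -Unique
    [pscustomobject]@{
        PolicyArrived        = 'policy arrived' -in $reached
        RequestGenerated     = 'CSR generated' -in $reached
        CertificateInstalled = 'certificate installed' -in $reached
        Problems             = @($events | Where-Object { $_.Verdict -match 'unexpected|differs' })
    }
}

Get-ScepDeviceMilestones | Sort-Object Time | Format-Table Time, Id, Stage, Detail, Verdict -Wrap
Test-ScepDeviceFlow
```

If PolicyArrived is true but RequestGenerated is false, the problem is on the device (profile settings, key storage); if RequestGenerated is true but CertificateInstalled never appears, move to the NDES server and the IIS logs as the text describes.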

Troubleshoot status code 500

Connections that resemble the following example, with a status code of 500, indicate the Impersonate a client after authentication user right isn't assigned to the IIS_IUSRS group on the NDES server. The status value of 500 appears near the end of the line:

Output

2017-08-08 20:22:16 IP_address GET /certsrv/mscep/mscep.dll operation=GetCACert&message=SCEP%20Authority 443 - 10.5.14.22 profiled/1.0+CFNetwork/811.5.4+Darwin/16.6.0 - 500 0 1346 31

Complete the following steps to fix this issue:

1. On the NDES server, run secpol.msc to open the Local Security Policy.
2. Expand Local Policies, and then select User Rights Assignment.
3. Double-click Impersonate a client after authentication in the right pane.
4. Select Add User or Group…, enter IIS_IUSRS in the Enter the object names to
select box, and then select OK.
5. Select OK.
6. Restart the computer, and then try the connection from the device again.
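The user-right check and fix above can be scripted so it is repeatable across NDES servers. The following PowerShell is an added example written for this page, not code from the Intune documentation: it exports the local security policy with secedit, reads who holds SeImpersonatePrivilege (the internal name of "Impersonate a client after authentication"), and, if IIS_IUSRS is missing, appends it without dropping the existing holders. The well-known SID S-1-5-32-568 for BUILTIN\IIS_IUSRS and the secedit INF layout are standard Windows; the temp file names are the editor's. Run elevated, then restart the server as step 6 says.

```powershell
# Added example, not from the Intune documentation: verify and grant
# "Impersonate a client after authentication" (SeImpersonatePrivilege) to IIS_IUSRS on the
# NDES server using secedit's export/configure INF format. Run from an elevated prompt.

$IisIusrsSid = 'S-1-5-32-568'   # well-known SID of BUILTIN\IIS_IUSRS

function Get-ImpersonateRightHolders {
    # Returns the SIDs/names currently assigned SeImpersonatePrivilege (SIDs without '*').
    $inf = Join-Path $env:TEMP 'ndes-userrights.inf'
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }
        $line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' } | Select-Object -First 1
        if (-not $line) { return @() }
        @(($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    } finally { Remove-Item $inf -ErrorAction SilentlyContinue }
}

function Test-IisImpersonateRight {
    $holders = Get-ImpersonateRightHolders
    [pscustomobject]@{
        IisIusrsAssigned = ($holders -contains $IisIusrsSid) -or ($holders -contains 'IIS_IUSRS')
        Holders          = $holders
    }
}

function Grant-IisImpersonateRight {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ((Test-IisImpersonateRight).IisIusrsAssigned) { Write-Host 'IIS_IUSRS already holds SeImpersonatePrivilege.'; return }
    # Re-encode SIDs with the leading '*' secedit expects and append IIS_IUSRS to the existing holders.
    $existing = Get-ImpersonateRightHolders | ForEach-Object { if ($_ -match '^S-1-') { "*$_" } else { $_ } }
    $value = (@($existing) + "*$IisIusrsSid") -join ','
    $inf = Join-Path $env:TEMP 'ndes-impersonate.inf'
    $db  = Join-Path $env:TEMP 'ndes-impersonate.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeImpersonatePrivilege = $value
"@ | Set-Content -Path $inf -Encoding Unicode
    if ($PSCmdlet.ShouldProcess('Local Security Policy', "Set SeImpersonatePrivilege = $value")) {
        & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    }
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

Test-IisImpersonateRight
# Grant-IisImpersonateRight -WhatIf    # review, then run without -WhatIf and restart the server
```

Appending rather than replacing matters: the default holders (Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE) are what other IIS and Windows components rely on, and a domain GPO that defines this right will overwrite the local setting at the next refresh, so if the check fails again after a restart, look for that GPO.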

Test and troubleshoot the SCEP server URL

Use the following steps to test the URL that is specified in the SCEP certificate profile.

1. In Intune, edit your SCEP certificate profile and copy the Server URL. The URL
should resemble https://contoso.com/certsrv/mscep/mscep.dll .

2. Open a web browser, and then browse to that SCEP server URL. The result should
be: HTTP Error 403.0 – Forbidden. This result indicates the URL is functioning
correctly.

If you don't receive that error, select the link that resembles the error you see to
view issue-specific guidance:
I receive a general Network Device Enrollment Service message
I receive "HTTP Error 503. The service is unavailable"
I receive the "GatewayTimeout" error
I receive "HTTP 414 Request-URI Too Long"
I receive "This page can't be displayed"
I receive "500 - Internal server error"

General NDES message

When you browse to the SCEP server URL, you receive a general Network Device Enrollment Service page instead of the expected HTTP 403 error.

Cause: This problem is usually an issue with the Microsoft Intune Connector installation. Mscep.dll is an ISAPI extension that intercepts incoming requests and returns the HTTP 403 error when the connector is installed correctly.

Solution: Examine the SetupMsi.log file to determine whether Microsoft Intune Connector is successfully installed. In the following example, Installation completed successfully and Installation success or error status: 0 indicate a successful installation:

Output

MSI (c) (28:54) [16:13:11:905]: Product: Microsoft Intune Connector -- Installation completed successfully.

MSI (c) (28:54) [16:13:11:999]: Windows Installer installed the product. Product Name: Microsoft Intune Connector. Product Version: 6.1711.4.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.

If the installation fails, remove the Microsoft Intune Connector and then reinstall it. If the installation was successful and you continue to receive the General NDES message, run the iisreset command to restart IIS.

HTTP Error 503
When you browse to the SCEP server URL, you receive HTTP Error 503. The service is unavailable.

This issue is usually because the SCEP application pool in IIS isn't started. On the NDES
server, open IIS Manager and go to Application Pools. Locate the SCEP application pool
and confirm it's started.

If the SCEP application pool isn't started, check the application event log on the server:

1. On the NDES server, run eventvwr.msc to open Event Viewer and go to Windows Logs
> Application.

2. Look for an event that is similar to the following example, which means that the
application pool crashes when a request is received:

Output

Log Name: Application

Source: Application Error

Event ID: 1000

Task Category: Application Crashing Events

Level: Error

Keywords: Classic

Description: Faulting application name: w3wp.exe, version: 8.5.9600.16384, time stamp: 0x5215df96

Faulting module name: ntdll.dll, version: 6.3.9600.18821, time stamp: 0x59ba86db

Exception code: 0xc0000005

Common causes for an application pool crash

Cause 1: There are intermediate CA certificates (not self-signed) in the NDES server's Trusted Root Certification Authorities certificate store.

Solution: Remove intermediate certificates from the Trusted Root Certification Authorities certificate store, and then restart the NDES server.

To identify all intermediate certificates in the Trusted Root Certification Authorities certificate store, run the following PowerShell cmdlet: Get-ChildItem -Path cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}

A certificate that has the same Issued to and Issued by values is a root certificate. Otherwise, it's an intermediate certificate.

After removing certificates and restarting the server, run the PowerShell cmdlet
again to confirm there are no intermediate certificates. If there are, check whether
a Group Policy pushes the intermediate certificates to the NDES server. If so,
exclude the NDES server from the Group Policy and remove the intermediate
certificates again.
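The one-liner above finds the misplaced certificates; the follow-up question in the text (did Group Policy put them there, and will they come back) can be answered in the same pass. The following PowerShell is an added example written for this page, not code from the Intune documentation: it lists every non-self-signed certificate in the Trusted Root Certification Authorities store, marks the ones mirrored under the Group Policy certificate registry key (HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates, where policy-delivered root store entries are kept), and removes only the locally stored ones, with -WhatIf support. Run elevated on the NDES server and restart it afterwards as the solution says.

```powershell
# Added example, not from the Intune documentation: find intermediate CA certificates in the
# NDES server's Trusted Root Certification Authorities store, attribute each to Group Policy
# or local installation, and remove the local ones (opt-in, supports -WhatIf). Run elevated.

$GpoRootKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'

function Get-MisplacedIntermediateCert {
    # Same test as the cmdlet in the text: issuer differs from subject, so not self-signed.
    Get-ChildItem -Path Cert:\LocalMachine\Root -Recurse |
        Where-Object { $_.Issuer -ne $_.Subject } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Source     = if (Test-Path (Join-Path $GpoRootKey $_.Thumbprint)) { 'GroupPolicy' } else { 'Local' }
            }
        }
}

function Remove-MisplacedIntermediateCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($c in Get-MisplacedIntermediateCert) {
        if ($c.Source -eq 'GroupPolicy') {
            # Deleting it locally only helps until the next policy refresh.
            Write-Warning "$($c.Thumbprint) ($($c.Subject)) is delivered by Group Policy; exclude this server from that GPO first."
            continue
        }
        if ($PSCmdlet.ShouldProcess($c.Subject, 'Remove from Cert:\LocalMachine\Root')) {
            Remove-Item -Path "Cert:\LocalMachine\Root\$($c.Thumbprint)"
        }
    }
}

Get-MisplacedIntermediateCert | Format-Table Source, Subject, Issuer, NotAfter -AutoSize
# Remove-MisplacedIntermediateCert -WhatIf    # review, then run without -WhatIf and restart the server
```

Re-run Get-MisplacedIntermediateCert after the restart; anything still listed with Source = GroupPolicy confirms the GPO path the text describes, and the GPO, not the store, is what needs changing.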

Cause 2: The URLs in the Certificate Revocation List (CRL) are blocked or
unreachable for the certificates that are used by the Intune Certificate Connector.

Solution: Enable additional logging to collect more information:

1. Open Event Viewer, select View, make sure that Show Analytic and Debug
Logs option is checked.
2. Go to Applications and Services Logs > Microsoft > Windows > CAPI2 >
Operational, right-click Operational, then select Enable Log.
3. After CAPI2 logging is enabled, reproduce the problem, and examine the
event log to troubleshoot the issue.

Cause 3: IIS permission on CertificateRegistrationSvc has Windows Authentication enabled.

Solution: Enable Anonymous Authentication and disable Windows Authentication, and then restart the NDES server.

Cause 4: The NDESPolicy module certificate has expired.

The CAPI2 log (see Cause 2's solution) will show errors relating to the certificate referenced by HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy\NDESCertThumbprint being outside of the certificate's validity period.

Solution: Renew the certificate and reinstall the connector.

1. Use certlm.msc to open the local computer certificate store, expand Personal, and then select Certificates.

2. In the list of certificates, find an expired certificate that satisfies the following
conditions:
The value of Intended Purposes is Client Authentication.
The value of Issued To or Common Name matches the NDES server name.

Note

The Client Authentication extended key usage (EKU) is required. Without this EKU, CertificateRegistrationSvc will return an HTTP 403 response to NDESPlugin requests. This response will be logged in the IIS logs.

3. Double-click the certificate. In the Certificate dialog box, select the Details tab, locate the Thumbprint field, and then verify the value matches the value of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy\NDESCertThumbprint registry value.

4. Select OK to close the Certificate dialog box.

5. Right-click the certificate, select All Tasks, then select Request Certificate
with New Key or Renew Certificate with New Key.

6. In the Certificate Enrollment page, select Next, select the correct SSL
template, and then select More information is required to enroll for this
certificate. Click here to configure settings.

7. In the Certificate Properties dialog box, select the Subject tab, and then
perform the following steps:
a. Under Subject name, in the Type drop-down box, select Common Name.
In the Value box, enter the fully qualified domain name (FQDN) of the
NDES server. Then select Add.
b. Under Alternative name, in the Type drop-down box, select DNS. In the
Value box, enter the FQDN of the NDES server. Then select Add.
c. Select OK to close the Certificate Properties dialog box.

8. Select Enroll, wait until the enrollment finishes successfully, and then select
Finish.

9. Reinstall the Intune Certificate Connector to link it to the newly created certificate. For more information, see Install the Certificate Connector for Microsoft Intune.

10. After you close the Certificate Connector UI, restart the Intune Connector
Service and the World Wide Web Publishing Service.

GatewayTimeout
When you browse to the SCEP server URL, you receive a GatewayTimeout error.

Cause: The Microsoft Azure AD Application Proxy Connector service isn't started.

Solution: Run services.msc, and then make sure that the Microsoft Azure AD
Application Proxy Connector service is running and Startup Type is set to
Automatic.

HTTP 414 Request-URI Too Long

When you browse to the SCEP server URL, you receive the following error: HTTP 414 Request-URI Too Long

Cause: IIS request filtering isn't configured to support the long URLs (queries) that
the NDES service receives. This support is configured when you configure the
NDES service for use with your infrastructure for SCEP.

Solution: Configure support for long URLs.

1. On the NDES server, open IIS manager, select Default Web Site > Request Filtering > Edit Feature Settings to open the Edit Request Filtering Settings page.

2. Configure the following settings:

Maximum URL length (Bytes) = 65534
Maximum query string (Bytes) = 65534

3. Select OK to save this configuration and close IIS manager.

4. Validate this configuration by locating the following registry key to confirm that it has the indicated values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

The following values are set as DWORD entries:

Name: MaxFieldLength, with a decimal value of 65534
Name: MaxRequestBytes, with a decimal value of 65534

5. Restart the NDES server.
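The five steps above touch two independent limits (IIS request filtering and the HTTP.sys kernel driver), and a 414 persists if either is left at its default. The following PowerShell is an added example written for this page, not code from the Intune documentation: it applies both settings with the values the text specifies and reports whether each one is at or above the limit. It assumes the WebAdministration module (installed with the IIS management scripts and tools) and that NDES lives on Default Web Site, as the steps above do; run elevated and restart the server afterwards, because HTTP.sys reads its registry values at startup.

```powershell
# Added example, not from the Intune documentation: apply and verify the long-URL settings
# for NDES on the Default Web Site (IIS request filtering) and in HTTP.sys (registry).
# Requires the WebAdministration module and an elevated prompt; restart the server after Set.

Import-Module WebAdministration
$Site    = 'IIS:\Sites\Default Web Site'
$Filter  = 'system.webServer/security/requestFiltering/requestLimits'
$HttpSys = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Limit   = 65534   # value from the troubleshooting steps above

function Set-NdesLongUrlSupport {
    # IIS defaults are maxUrl=4096 and maxQueryString=2048; SCEP PKIOperation queries are far longer.
    Set-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name maxUrl -Value $Limit
    Set-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name maxQueryString -Value $Limit
    foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
        New-ItemProperty -Path $HttpSys -Name $name -PropertyType DWord -Value $Limit -Force | Out-Null
    }
}

function Test-NdesLongUrlSupport {
    $url   = [int](Get-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name maxUrl).Value
    $query = [int](Get-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name maxQueryString).Value
    $reg   = Get-ItemProperty -Path $HttpSys -ErrorAction SilentlyContinue
    $field = [int]$reg.MaxFieldLength     # $null becomes 0, which correctly fails the check
    $bytes = [int]$reg.MaxRequestBytes
    [pscustomobject]@{
        MaxUrl          = $url
        MaxQueryString  = $query
        MaxFieldLength  = $field
        MaxRequestBytes = $bytes
        Compliant       = ($url -ge $Limit) -and ($query -ge $Limit) -and ($field -ge $Limit) -and ($bytes -ge $Limit)
    }
}

Test-NdesLongUrlSupport
# Set-NdesLongUrlSupport; Test-NdesLongUrlSupport; Restart-Computer   # remediate, confirm, reboot
```

MaxFieldLength and MaxRequestBytes are absent from the registry on a default install, which is why the check treats a missing value as 0 rather than as "unlimited".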

This page can't be displayed

You have Azure AD Application Proxy configured. When you browse to the SCEP server URL, you receive the following error:

This page can't be displayed

Cause: This issue occurs when the SCEP external URL is incorrect in the Application Proxy configuration. An example of such a URL is https://contoso.com/certsrv/mscep/mscep.dll.

Solution: Use the default domain of yourtenant.msappproxy.net for the SCEP external URL in the Application Proxy configuration.

500 - Internal server error

When you browse to the SCEP server URL, you receive a 500 - Internal server error.

Cause 1: The NDES service account is locked or its password is expired.

Solution: Unlock the account or reset the password.

Cause 2: The MSCEP-RA certificates are expired.

Solution: If the MSCEP-RA certificates are expired, reinstall the NDES role or request new CEP Encryption and Exchange Enrollment Agent (Offline request) certificates.

To request new certificates, follow these steps:

1. On the Certificate Authority (CA) or issuing CA, open the Certificate Templates MMC. Make sure that the logged in user and the NDES server have Read and Enroll permissions to the CEP Encryption and Exchange Enrollment Agent (Offline request) certificate templates.

2. Check the expired certificates on the NDES server, copy the Subject
information from the certificate.

3. Open the Certificates MMC for Computer account.

4. Expand Personal, right-click Certificates, then select All Tasks > Request New
Certificate.

5. On the Request Certificate page, select CEP Encryption, then select More
information is required to enroll for this certificate. Click here to configure
settings.

6. In Certificate Properties, select the Subject tab, fill the Subject name with the
information that you collected during step 2, select Add, then select OK.

7. Complete the certificate enrollment.

8. Open the Certificates MMC for My user account.

When you enroll for the Exchange Enrollment Agent (Offline request) certificate, it must be done in the user context, because the Subject Type of this certificate template is set to User.

9. Expand Personal, right-click Certificates, then select All Tasks > Request New
Certificate.

10. On the Request Certificate page, select Exchange Enrollment Agent (Offline
request), then select More information is required to enroll for this
certificate. Click here to configure settings.

11. In Certificate Properties, select the Subject tab, fill the Subject name with the
information that you collected during step 2, select Add.
Select the Private Key tab, select Make private key exportable, then select
OK.

12. Complete the certificate enrollment.

13. Export the Exchange Enrollment Agent (Offline request) certificate from the current user certificate store. In the Certificate Export Wizard, select Yes, export the private key. Protect the PFX with a strong password and delete the file after the import in the next step: an enrollment agent certificate can request certificates on behalf of other principals, so its private key is a high-value target.

14. Import the certificate to the local machine certificate store.

15. In the Certificates MMC, do the following action for each of the new
certificates:

Right-click the certificate, select All Tasks > Manage Private Keys, add Read
permission to the NDES service account.

16. Run the iisreset command to restart IIS.
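The certificate and account causes in this article (Cause 4 under "HTTP Error 503", the NDESPolicy module certificate; Causes 1 and 2 under "500 - Internal server error", the NDES service account and the MSCEP-RA certificates) share one pattern: a credential NDES depends on has silently expired or been locked. The following PowerShell is an added example written for this page, not code from the Intune documentation: it checks all three in one run on the NDES server. It assumes the RA certificates carry "-MSCEP-RA" in their subject (the name NDES gives them), that the service account is passed in by sAMAccountName (the sample name svc-ndes is made up), and that the Active Directory lookup is skipped when the ActiveDirectory module is not installed. Run elevated.

```powershell
# Added example, not from the Intune documentation: health check for the NDESPolicy module
# certificate, the MSCEP-RA certificates, and the NDES service account. Run elevated on NDES.

$NdesPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication, required by CertificateRegistrationSvc
$WarnDays      = 30

function Get-CertLifetimeStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if ($Cert.NotAfter -lt (Get-Date)) { return 'expired' }
    if ($Cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) { return "expires $($Cert.NotAfter.ToString('yyyy-MM-dd'))" }
    'valid'
}

function Test-NdesPolicyCertificate {
    $thumb = (Get-ItemProperty -Path $NdesPolicyKey -ErrorAction SilentlyContinue).NDESCertThumbprint
    if (-not $thumb) { return [pscustomobject]@{ Check = 'NDESPolicy certificate'; Status = 'NDESCertThumbprint value missing'; Detail = $NdesPolicyKey } }
    $cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) { return [pscustomobject]@{ Check = 'NDESPolicy certificate'; Status = 'not in LocalMachine\My'; Detail = $thumb } }
    $fqdn = $env:COMPUTERNAME
    try { $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName } catch { }
    $problems = @()
    $life = Get-CertLifetimeStatus $cert
    if ($life -ne 'valid') { $problems += $life }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $ClientAuthEku) { $problems += 'no Client Authentication EKU (CertificateRegistrationSvc answers 403)' }
    if (-not $cert.HasPrivateKey) { $problems += 'private key missing' }
    if ($cert.DnsNameList.Unicode -notcontains $fqdn -and $cert.Subject -notmatch [regex]::Escape($fqdn)) { $problems += "name does not match $fqdn" }
    [pscustomobject]@{ Check = 'NDESPolicy certificate'; Status = if ($problems) { $problems -join '; ' } else { 'OK' }; Detail = "$($cert.Subject) [$thumb]" }
}

function Test-NdesRaCertificates {
    $ra = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match '-MSCEP-RA' })
    if (-not $ra) { return [pscustomobject]@{ Check = 'MSCEP-RA certificates'; Status =
        'none found; reinstall NDES or request CEP Encryption and Exchange Enrollment Agent (Offline request) certificates'; Detail = '' } }
    foreach ($c in $ra) {
        $status = Get-CertLifetimeStatus $c
        if ($status -eq 'valid' -and -not $c.HasPrivateKey) { $status = 'private key missing' }
        [pscustomobject]@{ Check = 'MSCEP-RA certificate'; Status = $status; Detail = "$($c.Subject) [$($c.Thumbprint)]" }
    }
}

function Test-NdesServiceAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)   # the NDES service account (name is an assumption)
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        return [pscustomobject]@{ Check = 'NDES service account'; Status = 'skipped: ActiveDirectory module not installed'; Detail = $SamAccountName }
    }
    Import-Module ActiveDirectory
    $u = Get-ADUser -Identity $SamAccountName -Properties Enabled, LockedOut, PasswordExpired, PasswordLastSet
    $problems = @()
    if (-not $u.Enabled)    { $problems += 'disabled' }
    if ($u.LockedOut)       { $problems += 'locked out' }
    if ($u.PasswordExpired) { $problems += 'password expired' }
    [pscustomobject]@{ Check = 'NDES service account'; Status = if ($problems) { $problems -join '; ' } else { 'OK' }; Detail = "$($u.DistinguishedName) (password set $($u.PasswordLastSet))" }
}

@(Test-NdesPolicyCertificate) + @(Test-NdesRaCertificates) + @(Test-NdesServiceAccount -SamAccountName 'svc-ndes') | Format-Table -Wrap
```

Scheduling this check and alerting on anything other than OK or valid turns the two outage causes above into a 30-day warning, which is cheaper than rediscovering them from a 500 in the IIS log.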

Next steps
If the device successfully reaches the NDES server to present the certificate request, the next step is to review the Intune Certificate Connector's policy module.

Troubleshooting the NDES policy
module in Microsoft Intune
Article • 10/28/2022

This article gives guidance to help you validate and troubleshoot operation of the
Network Device Enrollment Service (NDES) policy module that installs with the Microsoft
Intune Certificate Connector. When NDES receives a request for a certificate, it forwards
the request to the policy module, which validates the request as valid for the device.
After the validation, NDES contacts the certificate authority (CA) to request the
certificate on behalf of the device.

This article applies to both Step 3 and Step 4 of the SCEP communication workflow.

NDES communication to the policy module

After receiving the certificate request from a device, NDES validates that request with Intune through the policy module that installs with the Microsoft Intune Certificate Connector. These entries refer to the certificate registration point.

Log entries that indicate success:

To confirm the validation request is submitted to the module, look for an entry that
resembles the following examples in logs on the NDES server:

IIS logs:

Output

fe80::f53d:89b8:c3e8:5fec%13 POST /CertificateRegistrationSvc/Certificate/VerifyRequest - 443 - fe80::f53d:89b8:c3e8:5fec%13 NDES_Plugin - 201 0 0 341 875

NDESPlugin log:

Output

Calling VerifyRequest ...

Sending request to certificate registration point.

The following example indicates a successful validation of the device's challenge request and that NDES can now contact the CA:

Output

Verify challenge returns true

Exiting VerifyRequest with 0x0

CertificateRegistrationPoint.svclog:

Validation Phase 1 finished with status True.

Validation Phase 3 finished with status True.

VerifyRequest Finished with status True

When success indicators aren't present:

If you don't find these entries, start by reviewing the troubleshooting guidance for
device to NDES server communication.

If the information in that article doesn't help you resolve the issue, the following are
additional entries that can indicate problems.

NDESPlugin.log contains an error 12175

When the log contains an error 12175 that's similar to the following, there might be a problem with the SSL certificate:

Output

WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID

Failed to send http request /CertificateRegistrationSvc/Certificate/VerifyRequest. Error 12175

Modern browsers and browsers on mobile devices ignore the Common Name on an SSL
certificate if there are Subject Alternative Names present.

Solution: Issue the web server SSL certificate with the following attributes for Common
Name and Subject Alternative Name, and then bind it to port 443 in IIS:

Subject name

CN = external server name


Subject Alternative Name

Name = external server name

DNS Name = internal server name


NDESPlugin.log contains an error 403 – Forbidden: Access is denied
When the following logs contain an error 403 that's similar to the following, the client certificate might be untrusted or invalid:

NDESPlugin.log:

Output

Sending request to certificate registration point.

Verify challenge returns <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>

<title>403 - Forbidden: Access is denied.</title>

IIS log:

Output

POST /CertificateRegistrationSvc/Certificate/VerifyRequest - 443 - <IP_address> NDES_Plugin - 403 16 2148204809 453

This issue occurs if there are intermediate CA certificates in the NDES server's Trusted
Root Certification Authorities certificate store.

If a certificate has the same Issued to and Issued by values, it's a root certificate.
Otherwise, it's an intermediate certificate.

Solution: To fix the issue, identify and remove the intermediate CA certificates from the
Trusted Root Certification Authorities certificate store.

NDESPlugin.log indicates the challenge returns false

When the result of the challenge returns false, check the CertificateRegistrationPoint.svclog for errors. For example, you might see a "Signing certificate could not be retrieved" error that resembles the following entry:

Output

Signing certificate could not be retrieved. System.Security.Cryptography.CryptographicException: m_safeCertContext is an invalid handle. at System.Security.Cryptography.X509Certificates.X509Certificate.ThrowIfContextInvalid() at System.Security.Cryptography.X509Certificates.X509Certificate.GetCertHashString() at Microsoft.ConfigurationManager.CertRegPoint.CRPCertificate.RetrieveSigningCert(String certThumbprint

Solution: On the server where the connector is installed, open the Registry Editor, locate
the HKLM\SOFTWARE\Microsoft\MicrosoftIntune\NDESConnector registry key, and then
check whether the SigningCertificate value exists.

If this value doesn't exist, restart the Intune Connector Service in services.msc, and then check whether the value appears in the registry. If the value is still missing, the cause is often a network connectivity problem between the NDES server and the Intune service.

NDES passes the request to issue the certificate

After a successful validation by the certificate registration point (the policy module), NDES passes the certificate request to the CA on behalf of the device.

Log entries that indicate success:

NDESPlugin log:

Output

Verify challenge returns true

Exiting VerifyRequest with 0x0

IIS logs:

Output

fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe ... 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 2713 1296

CertificateRegistrationPoint.svclog:

Validation Phase 1 finished with status True.

Validation Phase 3 finished with status True.

VerifyRequest Finished with status True

When success indicators aren't present:

If you don't see the entries that indicate success, complete these steps:

1. Look for problems that are logged in CertificateRegistrationPoint.svclog when the certificate registration point verifies the challenge. Look for the entries between the following lines:

VerifyRequest Started.
VerifyRequest Finished with status False

2. Open the Certification Authority MMC on the CA, and select Failed Requests to
look for errors that help identify a problem. The following image is an example:

3. Review the application event log on the CA for errors. Usually you can see errors that match what you see in the Failed Requests from the previous step. The following image is an example:

Next steps
If the NDES policy module validates the request and the request is forwarded to the
certificate authority, the next step is to review the certificate delivery to the device.

Troubleshooting the delivery of
certificates provisioned by SCEP to
devices in Microsoft Intune
Article • 10/28/2022

This article gives troubleshooting guidance to help you investigate delivery of certificates to devices when you use Simple Certificate Enrollment Protocol (SCEP) to provision certificates in Intune. After the Network Device Enrollment Service (NDES) server receives the requested certificate for a device from the certification authority (CA), it passes that certificate back to the device.

This article applies to step 5 of the SCEP communication workflow: delivery of the certificate to the device that submitted the certificate request.

Review the certification authority

When the CA has issued the certificate, you'll see an entry similar to the following example on the CA:

Review the device

Android
For device administrator enrolled devices, you'll see a notification similar to the following image, which prompts you to install the certificate:

For Android Enterprise or Samsung Knox, the certificate installation is automatic and silent.

To view an installed certificate on Android, use a third party certificate viewing app.

You can also review the device's OMADM log. Look for entries that resemble the
following examples, which are logged when certificates install:

Root certificate:

Output

2018-02-27T04:50:52.1890000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 9 Root cert '17…' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALL_REQUESTED

2018-02-27T04:53:31.1300000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 0 Root cert '17…' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALLING

2018-02-27T04:53:32.0390000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 14 Root cert '17…' state changed from CERT_INSTALLING to CERT_INSTALL_SUCCESS

Certificate provisioned through SCEP

Output

2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 There are 1 requests

2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 Trying to enroll certificate request: ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787

2018-02-27T05:16:20.6150000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACert(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca

2018-02-27T05:16:20.6530000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACert(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca

2018-02-27T05:16:21.7460000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACaps(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca

2018-02-27T05:16:21.7890000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACaps(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca

2018-02-27T05:16:28.0340000 VERB Event org.jscep.transaction.EnrollmentTransaction 18327 10 Response: org.jscep.message.CertRep@3150777b[failInfo=<null>,pkiStatus=SUCCESS,recipientNonce=Nonce [GUID],messageData=org.spongycastle.cms.CMSSignedData@27cc8998,messageType=CERT_REP,senderNonce=Nonce [GUID],transId=TRANSID]

2018-02-27T05:16:28.2440000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 10 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_ENROLLED to CERT_INSTALL_REQUESTED

2018-02-27T05:18:44.9820000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 0 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALLING

2018-02-27T05:18:45.3460000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 14 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_INSTALLING to CERT_ACCESS_REQUESTED

2018-02-27T05:20:15.3520000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 21 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_ACCESS_REQUESTED to CERT_ACCESS_GRANTED

iOS/iPadOS
On the iOS/iPadOS device, you can view the certificate under the Device Management Profile. Drill down to see details for installed certificates.

You can also find entries that resemble the following in the iOS debug log:

Output

Debug 18:30:53.691033 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=SCEP%20Authority\

Debug 18:30:54.640644 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=SCEP%20Authority\

Debug 18:30:55.487908 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?
operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEA
gMFADCABgkqhkiG9w0BBwGggCSABIIZfzCABgkqhkiG9w0BBwOggDCAAgEAMYIBgjCCAX4CAQAwZ
jBPMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxHDAaBgoJkiaJk/IsZAEZFgxmb3VydGhjb2ZmZWUxG
DAWBgNVBAMTD0ZvdXJ0aENvZmZlZSBDQQITaAAAAAmaneVjEPlcTwAAAAAACTANBgkqhkiG9w0BA
QEFAASCAQCqfsOYpuBToerQLkw/tl4tH9E+97TBTjGQN9NCjSgb78fF6edY0pNDU+PH4RB356wv3
rfZi5IiNrVu5Od4k6uK4w0582ZM2n8NJFRY7KWSNHsmTIWlo/Vcr4laAtq5rw+CygaYcefptcaam
kjdLj07e/Uk4KsetGo7ztPVjSEFwfRIfKv474dLDmPqp0ZwEWRQG

Debug 18:30:57.285730 -0500 profiled Adding dependent Microsoft.Profiles.MDM to parent www.windowsintune.com.SCEP.ModelName=AC_51bad41f.../LogicalName_1892fe4c...;Hash=-912418295 in domain ManagedProfileToManagingProfile to system\

Default 18:30:57.320616 -0500 profiled Profile \'93www.windowsintune.com.SCEP.ModelName=AC_51bad41f.../LogicalName_1892fe4c...;Hash=-912418295\'94 installed.\

Windows
On a Windows device, verify the certificate was delivered:

Run eventvwr.msc to open Event Viewer. Go to Applications and Services Logs >
Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider >
Admin and look for Event 39. This Event should have a general description of:
SCEP: Certificate installed successfully.
To view the certificate on the device, run certmgr.msc to open the Certificates MMC and
verify that the root and SCEP certificates are installed correctly on the device in the
personal store:

1. Go to Certificates (local Computer) > Trusted Root Certification Authorities >
Certificates, and verify that the root certificate from your CA is present. The values
for Issued To and Issued By will be the same.
2. In the Certificates MMC, go to Certificates – Current User > Personal >
Certificates, and verify the requested certificate is present, with Issued By equal to
the name of the CA.
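The same three checks (Event 39, root certificate, issued certificate) can be scripted. This is an added example, not code from the Intune documentation; run it as the enrolled user on the device (the event log query may need elevation), and replace the placeholder CA name with the Issued By value of your own CA. It assumes the CA whose root you deployed is also the issuer of the SCEP certificate.

```powershell
# Added example, not from the Intune documentation: automates the checks the
# text above describes for a Windows device.
param(
    [string]$CaName = 'Contoso Issuing CA'   # assumed placeholder CA name
)

# 1. Event 39 "SCEP: Certificate installed successfully." in the MDM diagnostics log.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 39
    StartTime = (Get-Date).AddDays(-7)   # assumed lookback window
} -ErrorAction SilentlyContinue

if ($events) {
    "Event 39 seen $($events.Count) time(s); most recent:"
    $events[0] | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Warning "No Event 39 in $logName in the last 7 days; check the Admin log for errors instead."
}

# 2. Root certificate in Trusted Root Certification Authorities (local computer).
#    For a root, Issued To equals Issued By, i.e. Subject equals Issuer.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "*CN=$CaName*" }
if ($root) {
    "Root certificate present: $($root.Subject) (thumbprint $($root.Thumbprint))"
} else {
    Write-Warning "No root certificate for CN=$CaName in Cert:\LocalMachine\Root; check the trusted certificate profile."
}

# 3. SCEP-issued certificate in the current user's Personal store: Issued By is the CA,
#    the private key is present (it was generated on the device), and it is still valid.
$issued = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*CN=$CaName*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
if ($issued) {
    $issued |
        Select-Object Subject, NotAfter, Thumbprint,
            @{ n = 'EKU'; e = { ($_.EnhancedKeyUsageList.FriendlyName) -join ', ' } } |
        Format-Table -AutoSize
} else {
    Write-Warning "No valid certificate issued by CN=$CaName in Cert:\CurrentUser\My; the SCEP profile has not delivered yet."
}
```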

Troubleshoot failures

Android
To troubleshoot certificate delivery, review errors that are logged in the OMA DM log.

iOS/iPadOS
To troubleshoot certificate delivery, review errors that are logged in the device's debug
log.

Windows
To troubleshoot issues with the certificate not being installed on the device, look in the
Windows Event log for errors that suggest problems:

On the device, run eventvwr.msc to open Event Viewer, and then go to
Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin.

Errors with delivery and installation of the certificate to the device are typically related to
Windows operations, and not to Intune.

Next steps
If the certificate successfully deploys to the device, but Intune doesn't report success,
see NDES reporting to Intune to troubleshoot reporting.

Troubleshooting NDES reporting of
certificate deployments in Intune
Article • 02/04/2023

When using SCEP certificate profiles to provision certificates to Windows devices, the
last phase is that the Intune Certificate Connector reports the deployment to Intune.
This article explains how to confirm that NDES and the Intune Certificate Connector are
successfully reporting on certificate delivery to devices.

This article applies to the Step 6 of the SCEP communication workflow.

Important

The details in this article apply only to the PFX Certificate Connector for Microsoft
Intune and Microsoft Intune Connector. Support for both connectors ends in July
2021, when they are both replaced by the Certificate Connector for Microsoft
Intune.

If you use the new connector, see Certificate Connector for Microsoft Intune for
more information about capabilities, connector status, and log details including a
list of Log Event IDs for the newer connector.

Find reporting log entries

If reporting was successful, you'll find entries that resemble the following examples on
the NDES server:

IIS log:

fe80::f53d:89b8:c3e8:5fec%13 POST /CertificateRegistrationSvc/Certificate/Notify - 443 - fe80::f53d:89b8:c3e8:5fec%13 NDES_Plugin - 204 0 0 277 62

NDESPlugin.log:

Output

Calling Notifyrequest ...

Sending request to certificate registration point.

Exiting Notify with 0x0

CertificateRegistrationPoint.svclog:

NDESConnector.svclog:

CertificateRequestStatus:

Go to the %ProgramFiles%\Microsoft Intune\CertificateRequestStatus folder. You'll
see the Failed, Processing, and Succeed folders that contain certificate request
status files.

If the certificate request is successfully processed, you'll see new files in the
Succeed folder. You can use Notepad.exe to open the files and view the data that's
uploaded to the Intune Service by the Intune Certificate Connector. Data that
uploaded includes details like CertificateSerialNumber, UserID, DeviceID, and
Thumbprint.

Troubleshoot stuck files

If you don't see any new files being created in the %ProgramFiles%\Microsoft
Intune\CertificateRequestStatus\Succeed folder, check whether there are any files stuck
in the Processing folder.

Verify that the Intune Connector Service is started on the NDES server, and that there
are no errors in NDESConnector.svclog.
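The folder and service checks above, scripted for the NDES server that hosts the connector. This is an added example, not code from the Intune documentation; the 30-minute threshold for calling a Processing file "stuck" and the service display-name wildcard are assumptions.

```powershell
# Added example, not from the Intune documentation: summarises the three
# CertificateRequestStatus folders, flags files that have sat in Processing too
# long, shows the newest successful upload, and confirms the connector service.
$base       = Join-Path $env:ProgramFiles 'Microsoft Intune\CertificateRequestStatus'
$staleAfter = [TimeSpan]::FromMinutes(30)   # assumed: older than this in Processing = stuck

foreach ($folder in 'Failed', 'Processing', 'Succeed') {
    $path = Join-Path $base $folder
    if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }
    $files  = @(Get-ChildItem -Path $path -File)
    $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    '{0,-10} {1,5} file(s)   newest: {2}' -f $folder, $files.Count,
        $(if ($newest) { $newest.LastWriteTime } else { 'none' })
}

# Files still in Processing after the threshold are the "stuck" case from the text.
$stuck = @(Get-ChildItem -Path (Join-Path $base 'Processing') -File -ErrorAction SilentlyContinue |
    Where-Object { ((Get-Date) - $_.LastWriteTime) -gt $staleAfter })
if ($stuck.Count -gt 0) {
    Write-Warning "$($stuck.Count) file(s) stuck in Processing for more than $($staleAfter.TotalMinutes) minutes:"
    $stuck | Select-Object Name, LastWriteTime | Format-Table -AutoSize
}

# The newest Succeed file holds what was uploaded to Intune (CertificateSerialNumber,
# UserID, DeviceID, Thumbprint); show its first lines for a quick sanity check.
$latestOk = Get-ChildItem -Path (Join-Path $base 'Succeed') -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latestOk) {
    "Most recent successful upload: $($latestOk.Name) ($($latestOk.LastWriteTime))"
    Get-Content -Path $latestOk.FullName -TotalCount 10
}

# Connector service state (display name from the text above; the wildcard is an assumption).
$svc = Get-Service -DisplayName 'Intune Connector*' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "No service with display name 'Intune Connector*' found"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "$($svc.DisplayName) is $($svc.Status); start it and re-check the Processing folder"
} else {
    "$($svc.DisplayName) is running"
}
```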

Troubleshooting PKCS certificate
deployment in Intune
Article • 05/16/2023

This article gives troubleshooting guidance for several common issues when deploying
Public Key Cryptography Standards (PKCS) certificates in Microsoft Intune. Before
troubleshooting, ensure you've completed the following tasks, as explained in Configure
and use PKCS certificates with Intune:

Review the requirements for using PKCS certificate profiles.
Export the root certificate from the Enterprise Certification Authority (CA).
Configure certificate templates on the certification authority.
Install and configure the Intune Certificate Connector.
Create and deploy a trusted certificate profile to deploy the root certificate.
Create and deploy a PKCS certificate profile.

The most common source of problems for PKCS certificate profiles has been the
configuration of the PKCS certificate profile. Review the profile's configuration and look
for typos in server names or fully qualified domain names (FQDNs), and confirm the
Certificate Authority and Certificate Authority Name are correct.

Certification Authority: The internal FQDN of the Certificate Authority computer.
For example, server1.domain.local.
Certification Authority Name: The Certificate Authority Name as displayed in the
certification authority MMC. Look under Certification Authority (Local).

You can use the certutil command-line program on the CA to confirm the correct name
for the Certification Authority and Certification Authority Name.

PKCS communication overview


The following graphic provides a basic overview of the PKCS certificate deployment
process in Intune.
1. An Admin creates a PKCS certificate profile in Intune.
2. The Intune service requests that the on-premises Intune Certificate Connector
create a new certificate for the user.
3. The Intune Certificate Connector sends a PFX Blob and Request to your Microsoft
Certification Authority.
4. The Certification Authority issues and sends the PFX User Certificate back to the
Intune Certificate Connector.
5. The Intune Certificate Connector uploads the encrypted PFX User Certificate to
Intune.
6. Intune decrypts the PFX User Certificate and re-encrypts for the device using the
Device Management Certificate. Intune then sends the PFX User Certificate to the
Device.
7. The device reports the certificate status to Intune.

Log files
To identify problems for the communication and certificate provisioning workflow,
review log files from both the Server infrastructure, and from devices. Later sections for
troubleshooting PKCS certificate profiles refer to log files referenced in this section.

Infrastructure and Server logs
Device logs depend on the device platform:
    iOS and iPadOS
    Android
    Windows

Logs for on-premises infrastructure


On-premises infrastructure that supports use of PKCS certificate profiles for certificate
deployments includes the Microsoft Intune Certificate Connector and the certification
authority.

Log files for these roles include Windows Event Viewer, Certificate consoles, and various
log files specific to the Intune Certificate Connector, or other role and operations that
are part of the on-premises infrastructure.

NDESConnector_date_time.svclog:

This log shows communication from the Microsoft Intune Certificate Connector to
the Intune cloud service. You can use the Service Trace Viewer Tool to view this log
file.

Related registry key: HKLM\SW\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus

Location: On the server that hosts the Intune Certificate Connector at
%program_files%\Microsoft intune\ndesconnectorsvc\logs\logs

Windows Application log:

Location: On the server that hosts the Intune Certificate Connector: Run
eventvwr.msc to open Windows Event Viewer

Logs for Android devices


For devices that run Android, use the Android Company Portal app log file,
OMADM.log. Before you collect and review logs, ensure Verbose Logging is
enabled, and then reproduce the issue.

To collect the OMADM.logs from a device, see Upload and email logs using a USB cable.

You can also Upload and email logs to support.

Logs for iOS and iPadOS devices


For devices that run iOS/iPadOS, you use debug logs and Xcode that runs on a Mac
computer:
1. Connect the iOS/iPadOS device to Mac, and then go to Applications > Utilities to
open the Console app.

2. Under Action, select Include Info Messages and Include Debug Messages.

3. Reproduce the problem, and then save the logs to a text file:
a. Select Edit > Select All to select all the messages on the current screen, and
then select Edit > Copy to copy the messages to the clipboard.
b. Open the TextEdit application, paste the copied logs into a new text file, and
then save the file.

The Company Portal log for iOS and iPadOS devices doesn't contain information about
PKCS certificate profiles.

Logs for Windows devices


For devices that run Windows, use the Windows Event logs to diagnose enrollment or
device management issues for devices that you manage with Intune.

On the device, open Event Viewer > Applications and Services Logs > Microsoft >
Windows > DeviceManagement-Enterprise-Diagnostics-Provider

Antivirus exclusions
Consider adding Antivirus exclusions on servers that host the Intune Certificate
Connector when:

Certificate requests reach the server or the Intune Certificate Connector, but are
not successfully processed
Certificates are issued slowly

The following are examples of locations that you might exclude:

%program_files%\Microsoft Intune\PfxRequest
%program_files%\Microsoft Intune\CertificateRequestStatus
%program_files%\Microsoft Intune\CertificateRevocationStatus

Common errors
The following common errors are each addressed in a following section:

The RPC server is unavailable 0x800706ba
An enrollment policy server cannot be located 0x80094015
The submission is pending
The parameter is incorrect 0x80070057
Denied by Policy Module
Certificate profile stuck as Pending
Error -2146875374 CERTSRV_E_SUBJECT_EMAIL_REQUIRED

The RPC server is unavailable 0x800706ba

During PFX deployment, the trusted root certificate appears on the device but the PFX
certificate doesn't appear on the device. The NDESConnector_date_time.svclog log file
contains the string The RPC server is unavailable. 0x800706ba, as seen in the first line
of the following example:

Output

IssuePfx - COMException: System.Runtime.InteropServices.COMException (0x800706BA): CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

IssuePfx -Generic Exception: System.ArgumentException: CCertRequest::Submit: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

IssuePfx - COMException: System.Runtime.InteropServices.COMException (0x80094800): The requested certificate template is not supported by this CA. (Exception from HRESULT: 0x80094800)

Cause 1 - Incorrect configuration of the CA in Intune


This issue can occur when the PKCS certificate profile specifies the wrong server, or
contains spelling errors for the name or FQDN of the CA. The CA is specified in the
following properties of the profile:

Certification authority
Certification authority name

Solution:

Review the following settings, and fix if they're incorrect:

The Certification authority property displays the internal FQDN of your CA server.
The Certification authority name property displays the name of your CA.

Cause 2 - CA doesn't support certificate renewal for requests signed by previous CA certificates

If the CA FQDN and name are correct in the PKCS certificate profile, review the Windows
Application log that's on the certificate authority server. Look for an Event ID 128 that
resembles the following example:

Output

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Event ID: 128
Level: Warning
Details:
An Authority Key Identifier was passed as part of the certificate request 2268. This feature has not been enabled. To enable specifying a CA key for certificate signing, run: "certutil -setreg ca\UseDefinedCACertInRequest 1" and then restart the service.

When the CA certificate renews, it must sign the Online Certificate Status Protocol
(OCSP) Response Signing certificate. Signing enables the OCSP Response Signing
certificate to validate other certificates by checking on their revocation status. This
signing isn't enabled by default.

Solution:

Manually force signing of the certificate:

1. On the CA server, open an elevated Command Prompt and run the following
command: certutil -setreg ca\UseDefinedCACertInRequest 1
2. Restart the Certificate Services service.

After the Certificate Services service restarts, devices can receive certificates.

An enrollment policy server cannot be located 0x80094015

The log contains the string An enrollment policy server cannot be located together with
the code 0x80094015, as seen in the following example:

Output

IssuePfx - COMException: System.Runtime.InteropServices.COMException (0x80094015): An enrollment policy server cannot be located. (Exception from HRESULT: 0x80094015)

Cause - Certificate enrollment policy server name

This issue occurs if the computer that hosts the Intune Certificate Connector can't locate
a certificate enrollment policy server.

Solution:

Manually configure the name of the certificate enrollment policy server on the computer
that hosts the Intune Certificate Connector. To configure the name, use the
Add-CertificateEnrollmentPolicyServer PowerShell cmdlet.

The submission is pending

After you deploy a PKCS certificate profile to mobile devices, the certificates aren't
acquired, and the NDESConnector_date_time.svclog log contains the string The
submission is pending, as seen in the following example:

Output

IssuePfx - The submission is pending: Taken Under Submission

IssuePfx -Generic Exception: System.InvalidOperationException: IssuePfx - The submission is pending

In addition, on the certificate authority server, you can see the PFX request in the
Pending Requests folder.

Cause - Incorrect configuration for Request Handling


This issue occurs if the option Set the request status to pending. The administrator
must explicitly issue the certificate is selected in the certificate authority Properties >
Policy Module > Properties dialog box.

Solution:

Edit the Policy Module properties to set: Follow the settings in the certificate template,
if applicable. Otherwise, automatically issue the certificate.

The parameter is incorrect 0x80070057

With the Intune Certificate Connector installed and configured successfully, devices
don't receive PKCS certificates and the NDESConnector_date_time.svclog log contains
the string The parameter is incorrect. 0x80070057, as seen in the following example:

Output

CCertRequest::Submit: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

Cause - Configuration of the PKCS profile

This issue occurs if the PKCS profile in Intune is misconfigured. The following are
common misconfigurations:

The profile includes an incorrect name for the CA.
The Subject Alternative Name (SAN) is configured for email address, but the
targeted user doesn't have a valid email address yet. This combination results in a
null value for the SAN, which is invalid.

Solution:

Verify the following configurations for the PKCS profile, and then wait for the policy to
refresh on the device:

Configured with the name of the CA
Assigned to the correct user group
Users in the group have valid email addresses

For more information, see Configure and use PKCS certificates with Intune.

Denied by Policy Module

Devices receive the trusted root certificate but don't receive the PFX certificate, and
the NDESConnector_date_time.svclog log contains the string The submission failed:
Denied by Policy Module, as seen in the following example:

Output

IssuePfx - The submission failed: Denied by Policy Module

IssuePfx -Generic Exception: System.InvalidOperationException: IssuePfx - The submission failed

at Microsoft.Management.Services.NdesConnector.MicrosoftCA.GetCertificate(PfxRequestDataStorage pfxRequestData, String containerName, String& certificate, String& password)

Issuing Pfx certificate for Device ID <Device ID> failed

Cause – Computer Account permissions to the certificate template

This issue occurs when the Computer Account of the server that hosts the Intune
Certificate Connector doesn't have permissions to the certificate template.

Solution:

1. Sign in to your Enterprise CA with an account that has administrative privileges.
2. Open the Certification Authority console, right-click Certificate Templates, and
select Manage.
3. Find the certificate template and open the Properties dialog box of the template.
4. Select the Security tab and add the Computer Account for the server where you
installed the Microsoft Intune Certificate Connector. Grant that account Read and
Enroll permissions.
5. Select Apply > OK to save the certificate template, and then close the Certificate
Templates console.
6. In the Certification Authority console, right-click Certificate Templates > New >
Certificate Template to Issue.
7. Select the template that you modified, and then click OK.

For more information, see Configure certificate templates on the CA.

Certificate profile stuck as Pending


In the Microsoft Intune admin center, PKCS certificate profiles fail to deploy with a state
of Pending. There are no obvious errors in the NDESConnector_date_time.svclog log file.
Because the cause of this problem isn't identified clearly in logs, work through the
following causes.

Cause 1 - Unprocessed request files

Review the request files for errors that indicate why they failed to be processed.

1. On the server that hosts the Intune Certificate Connector, use File Explorer to
navigate to %programfiles%\Microsoft Intune\PfxRequest.

2. Review files in the Failed and Processing folders, using your favorite text editor.

3. In these files, look for entries that indicate errors or suggest problems. Using a
web-based search, look up the error messages for clues as to why the request
failed to process, and for solutions to those issues.

Cause 2 - Misconfiguration for the PKCS certificate profile


When you don't find request files in the Failed, Processing, or Succeed folders, the
cause might be that the wrong certificate is associated with the PKCS certificate profile.
For example, a subordinate CA is associated with the profile, or the wrong root
certificate is used.

Solution:

1. Review your trusted certificate profile to ensure you've deployed the root
certificate from your Enterprise CA to devices.
2. Review your PKCS certificate profile to ensure it references the correct CA,
certificate type, and the trusted certificate profile that deploys the root certificate
to devices.

For more information, see Use certificates for authentication in Microsoft Intune.

Error -2146875374 CERTSRV_E_SUBJECT_EMAIL_REQUIRED

PKCS certificates fail to deploy, and the certificate console on the issuing CA displays a
message with the string -2146875374 CERTSRV_E_SUBJECT_EMAIL_REQUIRED, as seen
in the following example:

Output

Active Directory Certificate Services denied request abc123 because The Email name is unavailable and cannot be added to the Subject or Subject Alternate name. 0x80094812 (-2146875374 CERTSRV_E_SUBJECT_EMAIL_REQUIRED). The request was for CN=" Common Name". Additional information: Denied by Policy Module".

Cause - "Supply in the request" is misconfigured


This issue occurs if the Supply in the request option isn't enabled on the Subject Name
tab in the certificate template Properties dialog box.

Solution:

Edit the template to resolve the configuration issue:

1. Sign in to your Enterprise CA with an account that has administrative privileges.
2. Open the Certification Authority console, right-click Certificate Templates, and
select Manage.
3. Open the Properties dialog box of the certificate template.
4. On the Subject Name tab, select Supply in the request.
5. Select OK to save the certificate template, and then close the Certificate Templates
console.
6. In the Certification Authority console, right-click Templates > New >
Certificate Template to Issue.
7. Select the template that you modified, and then select OK.
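The error strings documented in the sections above can be matched against an NDESConnector_date_time.svclog in one pass, so that the likely cause is visible at a glance. This is an added example, not code from the Intune documentation; the sample lines at the bottom are constructed in the shape of the excerpts above and are not a real log.

```powershell
# Added example, not from the Intune documentation: classifies the documented
# error strings into their cause. The .svclog is an XML trace file, but the
# strings are searchable as plain text, so the file is read line by line.
$knownErrors = @(
    # Most specific first; the first pattern that matches a line wins.
    @{ Pattern = 'CERTSRV_E_SUBJECT_EMAIL_REQUIRED|0x80094812'
       Cause   = 'Template Subject Name tab: "Supply in the request" is not enabled' },
    @{ Pattern = 'The RPC server is unavailable\. 0x800706ba'
       Cause   = 'Wrong CA FQDN/name in the PKCS profile, or the CA needs "certutil -setreg ca\UseDefinedCACertInRequest 1" (look for Event ID 128 on the CA)' },
    @{ Pattern = 'An enrollment policy server cannot be located'
       Cause   = 'Connector host cannot locate an enrollment policy server; configure one with Add-CertificateEnrollmentPolicyServer' },
    @{ Pattern = 'The submission is pending'
       Cause   = 'CA Policy Module sets request status to pending; change it to follow the template, otherwise issue automatically' },
    @{ Pattern = 'The parameter is incorrect\. 0x80070057'
       Cause   = 'PKCS profile misconfigured: wrong CA name, or SAN set to email for users without an email address' },
    @{ Pattern = 'Denied by Policy Module'
       Cause   = 'Connector computer account lacks Read and Enroll on the certificate template' }
)

function Get-NdesConnectorErrorSummary {
    # Returns one row per distinct error string found, with a hit count, cause and sample line.
    param([Parameter(Mandatory)][string[]]$Lines)

    $hits = foreach ($line in $Lines) {
        foreach ($e in $knownErrors) {
            if ($line -match $e.Pattern) {
                [pscustomobject]@{ Error = $Matches[0]; Cause = $e.Cause; Line = $line.Trim() }
                break   # one classification per line
            }
        }
    }
    $hits | Group-Object Error | ForEach-Object {
        [pscustomobject]@{
            Error  = $_.Name
            Count  = $_.Count
            Cause  = $_.Group[0].Cause
            Sample = $_.Group[0].Line
        }
    }
}

# Constructed sample input (not a real log).
$sampleLines = @(
    'IssuePfx - COMException: System.Runtime.InteropServices.COMException (0x800706BA): CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)',
    'IssuePfx - The submission is pending: Taken Under Submission',
    'IssuePfx - The submission failed: Denied by Policy Module',
    'Issuing Pfx certificate for Device ID <Device ID> failed'   # no known pattern; ignored
)
Get-NdesConnectorErrorSummary -Lines $sampleLines | Format-List

# Against a real log on the connector server (path from the Log files section above):
# $log = Get-ChildItem "$env:ProgramFiles\Microsoft Intune\NDESConnectorSvc\Logs\Logs\NDESConnector_*.svclog" |
#     Sort-Object LastWriteTime -Descending | Select-Object -First 1
# Get-NdesConnectorErrorSummary -Lines (Get-Content $log.FullName) | Format-Table -AutoSize
```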

Troubleshooting the Intune Exchange
Connector
Article • 10/28/2022

This article gives troubleshooting guidance to help resolve common problems with the
on-premises Intune Exchange Connector. To troubleshoot specific error messages, see
Resolve common errors for the Intune Exchange Connector.

Important

As of July 2020, support for the Exchange Connector is deprecated, and replaced
with Exchange hybrid modern authentication (HMA).

Existing customers with an active connector will be able to continue with the
current functionality at this time. New customers and existing customers that do
not have an active connector will no longer be able to create new connectors or
manage Exchange ActiveSync (EAS) devices from Intune. For those tenants,
Microsoft recommends the use of Exchange HMA to protect access to Exchange
on-premises.

Before you start

Before you start troubleshooting an Exchange Connector issue in Intune, collect some
basic information so that you're working on a solid foundation. This approach can help
you better understand the nature of the problem and resolve it more quickly.

Verify that your process meets the installation requirements. See Set up the on-premises Intune Exchange Connector.
Verify that your account has both Exchange and Intune administrator permissions.
Note the complete and exact error message text, details, and where the message is displayed.
Determine when the problem started:
    Are you setting up the connector for the first time?
    Did the connector work correctly and then fail?
    If it was working, what changes occurred in the Intune environment, Exchange environment, or on the computer that runs the connector software?
What is the MDM authority?
What version of Exchange do you use?

Use PowerShell to get more data on Exchange Connector issues

To get a list of all mobile devices for a mailbox, use Get-MobileDeviceStatistics -mailbox mbx
To get a list of SMTP addresses for a mailbox, use Get-Mailbox -Identity user | select emailaddresses | fl
To get detailed information about a device's access state, use Get-CASMailbox <upn> | fl

Review the connector configuration


Review the on-premises Exchange connector requirements to make sure your
environment and the connector are configured correctly.

General considerations for the connector


Make sure your firewall and proxy servers allow communication between the
server that hosts the Intune Exchange Connector and the Intune service.

The computer that hosts the Intune Exchange Connector and the Exchange Client
Access Server (CAS) should be domain-joined and on the same LAN. Make sure that
the required permissions are added for the account that's used by the Intune
Exchange connector.

The notification account is used to retrieve Autodiscover settings. For more
information about Autodiscover in Exchange, see Autodiscover service in Exchange
Server.

The Intune Exchange Connector sends a request to the EWS URL by using the
notification account credentials to send notification email messages together with
the Get Started link (to enroll in Intune). Use of the Get Started link to enroll is a
requirement for Android non-Knox devices. Otherwise, these devices will be
blocked by Conditional Access.

Common issues with connector configurations


Account permissions: In the Microsoft Intune Exchange Connector dialog box,
make sure you've specified a user account that has the appropriate permissions to
execute the required Windows PowerShell Exchange cmdlets.
Notification email messages: Enable notifications and specify a notification
account.
Client Access Server synchronization: When configuring the Exchange Connector,
specify a CAS that has the lowest network latency possible to the server hosting
the Exchange connector. Communication latency between the CAS and the
Exchange connector can delay device discovery, particularly when using Exchange
Online Dedicated.
Synchronization schedule: A user with a newly enrolled device could be delayed in
getting access until the Exchange connector synchronizes with the Exchange CAS.
A full sync takes place once a day, and a delta (quick) sync occurs several times a
day. You can manually force a quick sync or full sync to minimize delays.

An Exchange ActiveSync device isn't discovered from Exchange
When an Exchange ActiveSync device isn't discovered from Exchange, monitor the
Exchange connector activity to see if the Exchange connector is syncing with the
Exchange server. If no sync has happened since the device joined, collect the sync logs
and attach them to a support request. If a full sync or quick sync has finished
successfully since the device joined, check for the following issues:

Make sure users have an Intune license. If not, the Exchange connector won't
discover their devices.

If the user's primary SMTP address is different from the user principal name (UPN)
in Azure Active Directory (Azure AD), the Exchange connector won't discover any
devices for that user. Fix the primary SMTP address to resolve the issue.

If you have both Exchange 2010 and Exchange 2013 mailbox servers in your
environment, we recommend pointing the Exchange connector to an Exchange
2013 Client Access server (CAS). If the Exchange connector is set up to
communicate with an Exchange 2010 CAS, the Exchange connector won't discover
any user devices on Exchange 2013.

For Exchange Online Dedicated environments, you must point the Exchange
connector to an Exchange 2013 CAS (not an Exchange 2010 CAS) in the dedicated
environment during the initial setup. The connector will communicate only with an
Exchange 2013 CAS when it executes PowerShell cmdlets.
Users don't receive the notification email message
To support Conditional Access for on-premises mailboxes on devices that don't run
Android Knox, make sure Intune enrollment starts from the "Get Started Now" email
message that the Intune Exchange connector sends. Starting enrollment from the
message ensures that the device receives a unique ActiveSyncID across all platforms
(Exchange, Azure AD, Intune).

A user might not receive the notification email message because:

The notification account was set up incorrectly.
Autodiscover failed for the notification account.
The Exchange Web Services (EWS) request to send the email message failed.

Review the following sections to troubleshoot email notification issues.

Check the notification account that retrieves Autodiscover settings
1. Make sure the Autodiscover service and EWS are configured on the Exchange
Client Access services. For more information, see Client Access services and
Autodiscover service in Exchange Server.

2. Verify that your notification account meets the following requirements:

The account has an active mailbox that's hosted by your Exchange on-
premises server.

The account UPN matches the SMTP address.

3. Autodiscover requires a DNS server that has a DNS record for
Autodiscover.SMTPdomain.com (for example Autodiscover.contoso.com) that
points to your Exchange Client Access server. To check for the record, specify your
FQDN in place of Autodiscover.SMTPdomain.com and follow these steps:

a. At a command prompt, enter NSLOOKUP.

b. Enter Autodiscover.SMTPdomain.com. The output should be similar to the
following image:
You can also test the Autodiscover service from the internet at
https://testconnectivity.microsoft.com . Or test it from a local domain by using
the Microsoft Connectivity Analyzer tool. For more information, see Microsoft
Connectivity Analyzer tool.

Check Autodiscover
If Autodiscover fails, try the following steps:

1. Configure a valid Autodiscover DNS record.

2. Hard-code the EWS URL in the Intune Exchange connector configuration file:

a. Determine the EWS URL. The default EWS URL for Exchange is
https://<mailServerFQDN>/ews/exchange.asmx , but your URL might differ.

Contact the Exchange administrator to verify the correct URL for your
environment.

b. Edit the OnPremisesExchangeConnectorServiceConfiguration.xml file. By default,
the file is located in %ProgramData%\Microsoft\Windows Intune Exchange
Connector on the computer that runs the Exchange connector. Open the file in a
text editor, and then change the following line to reflect the EWS URL for your
environment:

<ExchangeWebServiceURL>https://<YourExchangeHOST>/EWS/Exchange.asmx</ExchangeWebServiceURL>

3. Save the file, and then restart the computer or restart the Microsoft Intune
Exchange connector service.

Note

In this configuration, the Intune Exchange connector stops using Autodiscover and
instead connects directly to the EWS URL.
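The Autodiscover DNS check and the EWS hard-coding steps above, as one script. This is an added example, not code from the Intune documentation; contoso.com, the EWS host and the service display-name wildcard are assumed placeholders, and nothing is written to the configuration file unless -Apply is given.

```powershell
# Added example, not from the Intune documentation: checks the Autodiscover
# record, verifies the EWS URL answers, and optionally hard-codes that URL into
# OnPremisesExchangeConnectorServiceConfiguration.xml as step 2b describes.
param(
    [string]$SmtpDomain = 'contoso.com',                               # assumed placeholder
    [string]$EwsUrl     = 'https://mail.contoso.com/EWS/Exchange.asmx', # assumed placeholder
    [switch]$Apply
)

# 1. Autodiscover record, the PowerShell equivalent of the NSLOOKUP step.
$autodiscoverHost = "autodiscover.$SmtpDomain"
try {
    $answer = Resolve-DnsName -Name $autodiscoverHost -Type A -ErrorAction Stop
    "Resolved $autodiscoverHost -> $(($answer | Where-Object IPAddress).IPAddress -join ', ')"
} catch {
    Write-Warning "No DNS record for $autodiscoverHost ($($_.Exception.Message)). Create the record, or hard-code the EWS URL."
}

# 2. The EWS endpoint should answer; a 401 challenge is the expected reply without credentials.
try {
    Invoke-WebRequest -Uri $EwsUrl -UseBasicParsing -ErrorAction Stop | Out-Null
    "EWS URL $EwsUrl answered"
} catch {
    $status = $_.Exception.Response.StatusCode.value__
    if ($status -eq 401) { "EWS URL $EwsUrl reachable (401 challenge, as expected)" }
    else { Write-Warning "EWS URL $EwsUrl failed: $($_.Exception.Message)" }
}

# 3. Show, and optionally replace, <ExchangeWebServiceURL> in the connector configuration.
$configPath = Join-Path $env:ProgramData 'Microsoft\Windows Intune Exchange Connector\OnPremisesExchangeConnectorServiceConfiguration.xml'
if (-not (Test-Path $configPath)) { Write-Warning "$configPath not found"; return }

[xml]$config = Get-Content -Path $configPath -Raw
# local-name() keeps the lookup working whether or not the file declares an XML namespace.
$node = $config.SelectSingleNode('//*[local-name()="ExchangeWebServiceURL"]')
if (-not $node) { Write-Warning "No <ExchangeWebServiceURL> element in $configPath"; return }

"Current ExchangeWebServiceURL: $($node.InnerText)"
if ($Apply) {
    Copy-Item -Path $configPath -Destination "$configPath.bak" -Force   # keep a backup before editing
    $node.InnerText = $EwsUrl
    $config.Save($configPath)
    "Set ExchangeWebServiceURL to $EwsUrl; restarting the connector service."
    # The display-name wildcard is an assumption; adjust it to match the installed service.
    Get-Service -DisplayName 'Microsoft Intune Exchange Connector*' | Restart-Service
}
```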
Resolve common errors for the Intune
Exchange Connector
Article • 10/28/2022

This article can help Intune administrators resolve specific errors and messages about
the operation of the Intune Exchange Connector.

Configuration failed and returned error code 0x0000001
Issue:

When you try to configure the Microsoft Intune Exchange Connector, you receive the
following error message:

The Microsoft Intune Exchange Connector cannot connect to the Microsoft Exchange server.

The following Microsoft Exchange Server address could not be reached <Exchange server Name FQDN>

Verify that the FQDN of the exchange server address and credentials that
you entered is correct and the server is running. The Microsoft Intune
Exchange Connector does not support Exchange server arrays.

Error code: 0x0000001

This problem can occur if the Internet proxy settings are misconfigured.

Solution:

Configure proxy settings:

1. Contact the local network administrator to make sure that the proxy settings are
configured correctly.

2. Use the Netsh winhttp command to configure the proxy server and add the
required exclusion list. For example:

Netsh winhttp set proxy proxy-server="http=proxy.corp.domain.com" bypass-list="34*.*;134.132.*.*;10.*.*;localhost;*.corp.domain.com;*.staging.domain.com"

Configuration failed and returned error code 0x000000b
Issue:

When you try to configure the Microsoft Intune Exchange Connector, you receive the
following error message:

The Microsoft Intune Exchange Connector experienced an error:

CertEnroll::CX509PrivateKey::Create: The system cannot find the file
specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)

Error code: 0x000000b

This problem can occur if the account that you used to sign in to Intune isn't an Intune
Global Administrator account.

Solution:

Sign in to Intune with an account that is a Global Administrator, or add your account to
the Global Admin group. For more information, see Role-based administration control
(RBAC) with Microsoft Intune.

Configuration failed and returned error code 0x0000006
Issue:

When you try to configure the Microsoft Intune Exchange Connector, you receive the
following error message:

The Microsoft Intune Exchange Connector cannot connect to Microsoft Intune

Verify that you are connected to the Internet, check the Microsoft Intune
Service Status, and try to connect again.

Error code: 0x00000006

This error can occur if a proxy server is used to connect to the Internet and is blocking
traffic to the Intune Service. To determine whether a proxy is in use, go to Control Panel
> Internet Options, select the Connection tab, and then click LAN Settings.

Solution:

Option 1 - Remove the proxy settings to allow the computer to connect to the
Internet without going through the proxy.

Option 2 - Configure your proxy server to allow communication to the Intune
service, as documented in Intune Exchange Connector requirements.
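The two proxy-related errors above (0x0000001, Exchange not reachable, and 0x0000006, Intune not reachable) both come down to where the connector's WinHTTP traffic is routed. The following PowerShell script is an added example, not part of the Microsoft article, that reads the WinHTTP proxy and bypass list, checks which of the hosts will be sent through the proxy, and tests reachability. The Exchange FQDN is a constructed placeholder and the Intune host names are assumptions; replace them for your environment.

```powershell
# Added example, not part of the Microsoft article: connectivity triage for error
# codes 0x0000001 (Exchange unreachable) and 0x0000006 (Intune unreachable) on the
# computer that runs the Intune Exchange Connector. Run in an elevated PowerShell.
# The host names below are constructed placeholders; replace them for your environment.
$ExchangeFqdn = 'mail.corp.domain.com'
$EwsUrl       = "https://$ExchangeFqdn/EWS/Exchange.asmx"
$IntuneHosts  = @('manage.microsoft.com', 'login.microsoftonline.com')   # assumed endpoints

# 1. WinHTTP proxy settings: this is what 'netsh winhttp set proxy' wrote and what the
#    connector service uses (it does not read the signed-in user's Internet Options).
$proxyText = (netsh winhttp show proxy) -join "`n"
Write-Host "WinHTTP proxy configuration:`n$proxyText`n"

$usesProxy = $proxyText -notmatch 'Direct access'
$bypass = @()
if ($proxyText -match 'Bypass List\s*:\s*(.+)') {
    $bypass = $Matches[1].Split(';') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# Does a host name match one of the bypass-list patterns (including the <local> token)?
function Test-ProxyBypassed([string]$HostName) {
    foreach ($pattern in $bypass) {
        if ($pattern -eq '<local>' -and $HostName -notmatch '\.') { return $true }
        if ($HostName -like $pattern) { return $true }
    }
    return $false
}

if ($usesProxy) {
    if (Test-ProxyBypassed $ExchangeFqdn) {
        Write-Host "Exchange host $ExchangeFqdn bypasses the proxy (expected for an on-premises server)."
    } else {
        Write-Warning "Exchange host $ExchangeFqdn is routed through the proxy. If the proxy cannot reach it, expect 0x0000001; add it to bypass-list."
    }
    foreach ($h in $IntuneHosts) {
        if (Test-ProxyBypassed $h) {
            Write-Warning "$h is in the bypass list, so the connector will go direct; if direct Internet access is blocked, expect 0x0000006."
        }
    }
}

# 2. Raw TCP reachability on 443. Test-NetConnection ignores the proxy, so a blocked
#    result for the Intune hosts is normal when only proxied egress is allowed.
foreach ($h in @($ExchangeFqdn) + $IntuneHosts) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    '{0,-32} TCP 443: {1}' -f $h, $(if ($r.TcpTestSucceeded) { 'open' } else { 'blocked/unresolved' })
}

# 3. Does EWS answer at all? Invoke-WebRequest follows the signed-in user's proxy
#    settings rather than WinHTTP, so this validates the URL, not the service's path.
#    An HTTP 401 without credentials is the healthy outcome: EWS is up and demanding auth.
try {
    $resp = Invoke-WebRequest -Uri $EwsUrl -Method Head -UseBasicParsing -TimeoutSec 15
    Write-Host "EWS responded HTTP $($resp.StatusCode) (unexpected without credentials; check the URL)."
} catch {
    $status = $null
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    if ($status -eq 401) {
        Write-Host 'EWS reachable: HTTP 401 (authentication required), as expected.'
    } else {
        Write-Warning "EWS request to $EwsUrl failed: $($_.Exception.Message)"
    }
}
```

If the bypass check reports that the Exchange host is routed through the proxy, that is the first thing to correct with the netsh command shown above; an internal Exchange server should normally be on the bypass list while the Intune endpoints should not be.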

Event 7000 or 7041: Microsoft Intune Exchange Connector Service won't start
Issue:

An iOS device fails to enroll in Intune and generates one of the following error
messages:

Log Name: System

Source: Service Control Manager

Date: <time>

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Computer: <computer>

Description:

The Microsoft Intune Exchange Connector Service service failed to start
because of the following error:
The service did not start because of a logon failure.

Log Name: System

Source: Service Control Manager

Date: <time>

Event ID: 7041

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Computer: <computer>

Description:

The WIEC service was unable to log on as .\WIEC_USER with the currently
configured password because of the following error:

Logon failure: the user has not been granted the requested logon type at
this computer.

Service: WIEC

Domain and account: .\WIEC_USER

This service account does not have the required user right "Log on as a
service."

This problem can occur if the WIEC_User account doesn't have the Log on as service
user right in the local policy.

Solution:

On the computer that runs the Intune Exchange Connector, assign the Log on as a
service user right to the WIEC_User service account. If the computer is a node in a
cluster, make sure to assign the Log on as a service user right to the cluster service
account on all nodes in the cluster.

To assign the Log on as a service user right to the WIEC_User service account on the
computer, follow these steps:

1. Log on to the computer as an administrator or as a member of the Administrators
group.
2. Run secpol.msc to open the Local Security Policy.
3. Go to Security settings > Local policies, and then select User Rights Assignment.
4. In the right pane, double-click Log on as a service.
5. Select Add User or Group, add WIEC_USER to the policy, and then select OK two
times.

If the Log on as a service user right was assigned to WIEC_User but was later removed,
contact the domain administrator to determine whether a Group Policy setting is
overwriting it.
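The steps above assign the right through the Local Security Policy UI. The following PowerShell script is an added example, not part of the Microsoft article, that verifies the result: it reads which account the service runs as, exports the effective user-rights policy, and reports whether that account holds SeServiceLogonRight (the right whose absence produces Event ID 7041). It assumes the service short name WIEC and a local account such as .\WIEC_USER, as shown in the event text above.

```powershell
# Added example, not part of the Microsoft article: check on the Exchange Connector
# computer whether the account the WIEC service runs as holds "Log on as a service"
# (SeServiceLogonRight). Assumes service short name WIEC and a local account such as
# .\WIEC_USER, as in the event text above. Run in an elevated PowerShell session.
$ServiceName = 'WIEC'

# 1. Which account is the service configured to run as, and is it running?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed on this computer." }
$account = $svc.StartName                       # e.g. .\WIEC_USER
Write-Host "Service $ServiceName runs as '$account' (state: $($svc.State), start mode: $($svc.StartMode))"

# 2. Resolve the account to a SID; secedit lists right holders as *S-1-5-... entries.
$qualified = $account -replace '^\.\\', "$env:COMPUTERNAME\"
$sid = (New-Object System.Security.Principal.NTAccount($qualified)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 3. Export the effective local policy (what secpol.msc shows after Group Policy has
#    been applied) and read the SeServiceLogonRight line. The export is a UTF-16 .inf.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item -Path $cfg -Force

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# Entries are either *SID or a plain account name; accept either form.
$shortName = $account.Split('\')[-1]
$hasRight  = ($holders -contains "*$sid") -or ($holders -contains $account) -or ($holders -contains $shortName)

if ($hasRight) {
    Write-Host "OK: '$account' holds 'Log on as a service'."
} else {
    Write-Warning "'$account' does NOT hold 'Log on as a service'; the service will fail to start with Event ID 7041."
    Write-Host "Current holders: $($holders -join ', ')"
    # If the right keeps disappearing after you assign it, a GPO is overwriting it:
    # 'gpresult /h gpreport.html' shows the winning User Rights Assignment settings.
}
```

Because secedit exports the effective policy, running this after a Group Policy refresh tells you whether a domain GPO has removed the right again, which is the case the last paragraph above describes.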

Troubleshooting BitLocker policies from the client side
Article • 05/27/2023

This article provides guidance on how to troubleshoot BitLocker encryption on the client side.
While the Microsoft Intune encryption report can help you identify and troubleshoot common
encryption issues, some status data from the BitLocker configuration service provider (CSP)
might not be reported. In these scenarios, you will need to access the device to investigate
further.

BitLocker encryption process


The following steps describe the flow of events that should result in a successful encryption of a
Windows 10 device that has not been previously encrypted with BitLocker.

1. An administrator configures a BitLocker policy in Intune with the desired settings, and
targets a user group or device group.
2. The policy is saved to a tenant in the Intune service.
3. A Windows 10 Mobile Device Management (MDM) client syncs with the Intune service and
processes the BitLocker policy settings.
4. The BitLocker MDM policy Refresh scheduled task runs on the device that replicates the
BitLocker policy settings to full volume encryption (FVE) registry key.
5. BitLocker encryption is initiated on the drives.

The encryption report will show encryption status details for each targeted device in Intune. For
detailed guidance on how to use this information for troubleshooting, see Troubleshooting
BitLocker with the Intune encryption report.

Initiate a manual sync


If you've determined that there is no actionable information in the encryption report, you'll need
to gather data from the affected device to complete the investigation.

Once you have access to the device, the first step is to initiate a sync with the Intune service
manually before collecting the data. On your Windows device, select Settings > Accounts >
Access work or school > <Select your work or school account> > Info. Then under Device sync
status, select Sync.

After the sync is complete, continue to the following sections.

Collecting event log data


The following sections explain how to collect data from different logs to help troubleshoot
encryption status and policies. Make sure you complete a manual sync before you collect log
data.

Mobile device management (MDM) agent event log


The MDM event log is useful to determine if there was an issue processing the Intune policy or
applying CSP settings. The OMA DM agent will connect to the Intune service and attempt to
process the policies targeted at the user or device. This log will show success and failures
processing Intune policies.

Collect or review the following information:

LOG > DeviceManagement-Enterprise-Diagnostics-Provider admin

Location: Right-click on Start Menu > Event Viewer > Applications and Service Logs >
Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
File system location: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx

To filter this log, right-click the event log and select Filter Current Log > Critical/Error/Warning.
Then search through the filtered logs for BitLocker (press F3 and enter the text).

Errors in BitLocker settings will follow the format of the BitLocker CSP, so you will see entries like
this:

./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption

or

./Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation

Note

You can also enable debug logging for this event log using the Event Viewer for
troubleshooting.

BitLocker-API management event log


This is the main event log for BitLocker. If the MDM agent processed the policy successfully and
there are no errors in the DeviceManagement-Enterprise-Diagnostics-Provider admin event log,
this is the next log to investigate.

LOG > BitLocker-API management


Location: Right-click on Start Menu > Event Viewer > Applications and Service Logs >
Microsoft > Windows > BitLocker-API
File system location: C:\Windows\System32\winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx

Usually, errors are logged here if there are hardware or software prerequisites missing that the
policy requires such as Trusted Platform Module (TPM) or Windows Recovery Environment
(WinRE).

Error: Failed to enable Silent Encryption

As shown in the following example, conflicting policy settings that cannot be implemented
during silent encryption and manifest as group policy conflicts are also logged:

Failed to enable Silent Encryption.

Error: BitLocker Encryption cannot be applied to this drive because of conflicting Group
Policy settings. When write access to drives not protected by BitLocker is denied, the use of
a USB startup key cannot be required. Please have your system administrator resolve these
policy conflicts before attempting to enable BitLocker.

Solution: Configure the compatible TPM startup PIN to Blocked. This will resolve conflicting
Group Policy settings when using silent encryption.

You must set the PIN and TPM startup key to Blocked if silent encryption is required.
Configuring the TPM startup PIN and startup key to Allowed, and the other startup key and PIN
settings to Blocked for user interaction, will result in a conflicting Group Policy error in the
BitLocker-API event log. Also, if you configure the TPM startup PIN or startup key to require user
interaction, silent encryption will fail.

Configuring any of the compatible TPM settings to Required will cause silent encryption to fail.

Error: TPM not available


Another common error in the BitLocker-API log is that the TPM is not available. The following
example shows that TPM is a requirement for silent encryption:

Failed to enable Silent Encryption. TPM is not available.

Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this
computer.

Solution: Ensure there is a TPM available on the device and if it is present, check the status via
TPM.msc or the PowerShell cmdlet get-tpm.

Error: Un-Allowed DMA capable bus

If the BitLocker-API log displays the following status, it means that Windows has detected an
attached Direct memory access (DMA)-capable device that might expose a DMA threat.

Un-Allowed DMA capable bus/device(s) detected

Solution: To remediate this issue, first verify that the device has no external DMA ports with the
original equipment manufacturer (OEM). Then follow these steps to add the device to the
allowed list. Note: Only add a DMA device to the allowed list if it is an internal DMA
interface/bus.

System event log


If you're having hardware-related issues—such as problems with the TPM—errors will appear in
the system event log for TPM from the TPMProvisioningService or TPM-WMI source.

LOG > System event

Location: Right-click on Start Menu > Event Viewer > Windows Logs > System
File system location: C:\Windows\System32\winevt\Logs\System.evtx
Filter on these event sources to help identify any hardware-related issues that the device may be
experiencing with the TPM and check with the OEM manufacturer whether there are any
firmware updates available.

Task scheduler operational event log


The task scheduler operational event log is useful for troubleshooting scenarios where the policy
has been received from Intune (has been processed in DeviceManagement-Enterprise), but
BitLocker encryption has not successfully initiated. BitLocker MDM policy refresh is a scheduled
task that should run successfully when the MDM agent syncs with the Intune service.

Enable and run the operational log in the following scenarios:

The BitLocker policy appears in the DeviceManagement-Enterprise-Diagnostics-Provider
admin event log, in MDM diagnostics, and the registry.
There are no errors (the policy has been picked up successfully from Intune).
Nothing is logged in the BitLocker-API event log to show that encryption was even
attempted.

LOG > Task scheduler operational event

Location: Event Viewer > Applications and Service Logs > Microsoft > Windows >
TaskScheduler
File system location: C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx

Enable and run the operational event log

Important

You must manually enable this event log before logging any data because the log will
identify any problems running the BitLocker MDM policy Refresh scheduled task.

1. To enable this log, right-click on Start Menu > Event Viewer > Applications and Services
> Microsoft > Windows > TaskScheduler > Operational.
2. Then enter task scheduler in the Windows search box, and select Task Scheduler >
Microsoft > Windows > BitLocker. Right-click on BitLocker MDM policy Refresh and
choose Run.

3. When the run is complete, inspect the Last Run Result column for any error codes and
examine the task schedule event log for errors.

In the example above, a Last Run Result of 0x0 means the task ran successfully. The error
0x41303 means the task has never previously run.

Note

For more information about Task Scheduler error messages, see Task Scheduler Error and
Success Constants.
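The sections above walk through four logs one at a time in Event Viewer. The following PowerShell script is an added example, not part of the Microsoft article, that collects the same evidence in one pass after a manual sync: MDM agent errors and warnings that mention BitLocker, everything in the BitLocker-API management log, TPM-related System log events, and the last result of the BitLocker MDM policy Refresh task (plus whether the Task Scheduler operational log is enabled). The log names, the TPM provider names and the 24-hour look-back window are assumptions to adjust as needed.

```powershell
# Added example, not part of the Microsoft article: collect the BitLocker-relevant entries
# from the event logs described above in one pass. Run elevated, after a manual MDM sync.
# Assumptions: log and provider names as written below; $Hours is the look-back window.
$Hours = 24
$since = (Get-Date).AddHours(-$Hours)

function Get-Events([hashtable]$Filter) {
    # Get-WinEvent raises a non-terminating error when a log has no matching events;
    # treat that as an empty result rather than a failure.
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
}

# 1. MDM agent log: Critical/Error/Warning only (Levels 1-3), then only entries that
#    mention BitLocker, which appear as CSP paths such as ./Device/Vendor/MSFT/BitLocker/...
$mdm = Get-Events -Filter @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Level     = 1, 2, 3
    StartTime = $since
} | Where-Object { $_.Message -match 'BitLocker' }

# 2. BitLocker-API management log: prerequisite failures (TPM, WinRE, DMA) and the
#    "conflicting Group Policy settings" error from silent encryption land here.
$api = Get-Events -Filter @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    StartTime = $since
}

# 3. System log, TPM-related sources only (provider names are assumed here).
$tpm = Get-Events -Filter @{
    LogName      = 'System'
    ProviderName = 'TPMProvisioningService', 'Microsoft-Windows-TPM-WMI'
    StartTime    = $since
}

# 4. The scheduled task that replicates the CSP settings into the FVE registry key.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\BitLocker\' -TaskName 'BitLocker MDM policy Refresh' -ErrorAction SilentlyContinue
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    $code = '0x{0:X}' -f $info.LastTaskResult     # 0x0 = success, 0x41303 = never run
    Write-Host "BitLocker MDM policy Refresh: state=$($task.State) lastRun=$($info.LastRunTime) result=$code"
} else {
    Write-Warning 'BitLocker MDM policy Refresh task not found (the policy may never have reached the device).'
}

# The Task Scheduler operational log is disabled by default; it must be on to see task errors.
$opLog = Get-WinEvent -ListLog 'Microsoft-Windows-TaskScheduler/Operational' -ErrorAction SilentlyContinue
if ($opLog -and -not $opLog.IsEnabled) {
    Write-Warning 'Task Scheduler operational log is disabled. Enable it with: wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true'
}
$taskEvents = Get-Events -Filter @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; StartTime = $since } |
    Where-Object { $_.Message -match 'BitLocker MDM policy Refresh' }

# 5. One chronological view, newest first, so the most recent failure is at the top.
$all = @($mdm) + @($api) + @($tpm) + @($taskEvents) | Where-Object { $_ } | Sort-Object TimeCreated -Descending
$all | Select-Object TimeCreated, LogName, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } | Format-Table -AutoSize -Wrap

$summary = '{0} MDM errors/warnings mentioning BitLocker, {1} BitLocker-API events, {2} TPM events, {3} task events in the last {4} h'
$summary -f @($mdm).Count, @($api).Count, @($tpm).Count, @($taskEvents).Count, $Hours
```

Reading the counts in the summary line tells you which of the scenarios above you are in: MDM errors point at policy processing, BitLocker-API entries at prerequisites or policy conflicts, and a policy that is present with no BitLocker-API entries at all points at the scheduled task.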

Checking BitLocker settings


The following sections explain the different tools you can use to check your encryption settings
and status.

MDM Diagnostics Report


You can create a report of MDM logs to diagnose enrollment or device management issues in
Windows 10 devices managed by Intune. The MDM Diagnostic Report contains useful
information about an Intune enrolled device and the policies deployed to it.

For a tutorial of this process, see the YouTube video How to create an Intune MDM diagnostic
report on Windows devices

File system location: C:\Users\Public\Documents\MDMDiagnostics

OS build and edition


The first step in understanding why your encryption policy is not applying correctly is to check
whether the Windows OS version and edition supports the settings you configured. Some CSPs
were introduced on specific versions of Windows and will only work on a certain edition. For
example, the bulk of BitLocker CSP settings were introduced in Windows 10, version 1703 but
these settings weren't supported on Windows 10 Pro until Windows 10, version 1809.
Additionally, there are settings such as AllowStandardUserEncryption (added in version 1809),
ConfigureRecoveryPasswordRotation (added in version 1909), RotateRecoveryPasswords (added
in version 1909), and Status (added in version 1903).

Investigating with the EntDMID


The EntDMID is a unique device ID for Intune enrollment. In the Microsoft Intune admin
center , you can use the EntDMID to search through the All Devices view and identify a specific
device. It is also a crucial piece of information for Microsoft support to enable further
troubleshooting on the service side if a support case is required.

You can also use the MDM Diagnostic Report to identify whether a policy has been successfully
sent to the device with the settings the administrator configured. By using the BitLocker CSP as a
reference, you can decipher which settings have been picked up when syncing with the Intune
service. You can use the report to determine if the policy is targeting the device and use the
BitLocker CSP documentation to identify what settings have been configured.

MSINFO32
MSINFO32 is an information tool that contains device data you can use to determine if a device
satisfies BitLocker prerequisites. The required prerequisites will depend on BitLocker policy
settings and the required outcome. For example, silent encryption for TPM 2.0 requires a TPM
and Unified Extensible Firmware Interface (UEFI).

Location: In the Search box, enter msinfo32, right-click System Information in the search
results, and select Run as administrator.
File system location: C:\Windows\System32\Msinfo32.exe.

However, if MSINFO32 shows that the device doesn't meet the prerequisites, it doesn't necessarily
mean that you can't encrypt the device using an Intune policy.

If you have configured the BitLocker policy to encrypt silently and the device is using TPM
2.0, it is important to verify that BIOS mode is UEFI. If the TPM is 1.2, then having the BIOS
mode in UEFI is not a requirement.
Secure boot, DMA protection, and PCR7 configuration are not required for silent
encryption but might be highlighted in Device Encryption Support. This is to ensure
support for automatic encryption.
BitLocker policies that are configured to not require a TPM and have user interaction rather
than encrypt silently will also not have prerequisites to check in MSINFO32.

TPM.MSC file
TPM.msc is a Microsoft Management Console (MMC) Snap-in file. You can use TPM.msc to
determine whether your device has a TPM, to identify the version, and whether it is ready for
use.
Location: In the Search box, enter tpm.msc, and then right-click and select Run as
administrator.
File system location: MMC Snap-in C:\Windows\System32\mmc.exe.

TPM is not a prerequisite for BitLocker but is highly recommended due to the increased security
it provides. However, TPM is required for silent and automatic encryption. If you're trying to
encrypt silently with Intune and there are TPM errors in the BitLocker-API and system event logs,
TPM.msc will help you understand the problem.

The following example shows a healthy TPM 2.0 status. Note the specification version 2.0 in the
bottom right and that the status is ready for use.

This example shows an unhealthy status when the TPM is disabled in the BIOS:

Configuring a policy to require a TPM and expecting BitLocker to encrypt when the TPM is
missing or unhealthy is one of the most common issues.

Get-Tpm cmdlet
A cmdlet is a lightweight command in the Windows PowerShell environment. In addition to
running TPM.msc, you can verify the TPM using the Get-Tpm cmdlet. You will need to run this
cmdlet with administrator rights.

Location: In the Search box enter cmd, and then right-click and select Run as
administrator > PowerShell > get-tpm.
In the example above, you can see that the TPM is present and active in the PowerShell window.
The values equal True. If the values were set to False, it would indicate a problem with the TPM.
BitLocker will not be able to use the TPM until it is present, ready, enabled, activated, and
owned.

Manage-bde command-line tool


Manage-bde is a BitLocker encryption command-line tool included in Windows. It's designed to
help with administration after BitLocker is enabled.

Location: In the Search box, enter cmd, right-click and select Run as administrator, and
then enter manage-bde -status.
File system location: C:\Windows\System32\manage-bde.exe.

You can use manage-bde to discover the following information about a device:

Is it encrypted? If reporting in the Microsoft Intune admin center indicates a device is not
encrypted, this command-line tool can identify the encryption status.
Which encryption method has been used? You can compare information from the tool to
the encryption method in the policy to make sure they match. For example, if the Intune
policy is configured to XTS-AES 256-bit and the device is encrypted using XTS-AES 128-bit,
this will result in errors in Microsoft Intune admin center policy reporting.
What specific protectors are being used? There are several combinations of protectors.
Knowing which protector is used on a device will help you understand if the policy has
been applied correctly.

In the following example, the device is not encrypted:

BitLocker registry locations


This is the first place in the registry to look when you want to decipher the policy settings picked
up by Intune:

Location: Right-click on Start > Run and then enter regedit to open the Registry Editor.
Default file system location:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker

The MDM agent registry key will help you identify the Globally Unique Identifier (GUID) in the
PolicyManager that contains the actual BitLocker policy settings.

The GUID is highlighted in the above example. You can include the GUID (it will be different for
each tenant) in the following registry subkey to troubleshoot BitLocker policy settings:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\<GUID>\default\Device\BitLocker
This report shows the BitLocker policy settings that have been picked up by the MDM agent
(OMADM client). These are the same settings that you will see in the MDM Diagnostic report, so
this is an alternative way of identifying settings that the client has picked up.

Example of EncryptionMethodByDriveType registry key:

<enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="6"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="6"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="3"/>

Example of SystemDrivesRecoveryOptions:

<enabled/><data id="OSAllowDRA_Name" value="true"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="2"/><data id="OSRecoveryKeyUsageDropDown_Name" value="2"/><data id="OSHideRecoveryPage_Name" value="false"/><data id="OSActiveDirectoryBackup_Name" value="true"/><data id="OSActiveDirectoryBackupDropDown_Name" value="1"/><data id="OSRequireActiveDirectoryBackup_Name" value="true"/>

BitLocker registry key


The settings in the policy provider registry key will be duplicated into the main BitLocker registry
key. You can compare the settings to ensure they match what appears in the policy settings in
the user interface (UI), MDM log, MDM diagnostics and the policy registry key.

Registry key location:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

This is an example of the FVE registry key:


A: EncryptionMethodWithXtsOs, EncryptionMethodWithXtsFdv and
EncryptionMethodWithXtsRdv have the following possible values:
3 = AES-CBC 128
4 = AES-CBC 256
6 = XTS-AES 128
7 = XTS-AES 256
B: UseTPM, UseTPMKey, UseTPMKeyPIN, UseTPMPIN are all set to 2, which means they are
all set to allow.
C: Notice that most of the keys are divided into groups of settings for the operating
system drive (OS), fixed drive (FDV) and removable drive (FDVR).
D: OSActiveDirectoryBackup has a value of 1 and is enabled.
E: OSHideRecoveryPage is equal to 0 and not enabled.

Use the BitLocker CSP documentation to decode all of the setting names in the registry.

REAgentC.exe command-line tool


REAgentC.exe is a command-line executable tool that you can use to configure the Windows
Recovery Environment (Windows RE). WinRE is a prerequisite for enabling BitLocker in certain
scenarios such as silent or automatic encryption.

Location: Right-click on Start > Run, enter cmd. Then right-click cmd and select Run as
administrator > reagentc /info.
File system location: C:\Windows\System32\ReAgentC.exe.

 Tip

If you see error messages in the BitLocker-API log about WinRE not being enabled, run the
reagentc /info command on the device to determine the WinRE status.
If the WinRE status is disabled, run the reagentc /enable command as an administrator to
enable it manually.
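The TPM.msc/Get-Tpm, Manage-bde, registry and REAgentC sections above each check one prerequisite or setting. The following PowerShell script is an added example, not part of the Microsoft article, that produces a single report from those checks and decodes the FVE values using the tables given above. It uses Get-BitLockerVolume in place of manage-bde -status (same information, object output), reads the firmware mode from the firmware_type environment variable, and assumes English reagentc output. The UseTPM* decoding takes 2 = Allowed from the article; 0 = Blocked and 1 = Required are assumed from the BitLocker Group Policy definitions, and the mapping of policy values to Get-BitLockerVolume method names is also an assumption.

```powershell
# Added example, not part of the Microsoft article: one report covering the checks from
# the TPM.msc/Get-Tpm, Manage-bde, registry and REAgentC sections above. Run elevated.
# UseTPM* decoding: 2 = Allowed is from the article; 0 = Blocked and 1 = Required are
# assumed from the BitLocker Group Policy definitions.
$report = [ordered]@{}

# --- TPM: BitLocker uses it only when present, ready, enabled, activated and owned ---
$t = Get-Tpm
$report['TPM ready for BitLocker'] = ($t.TpmPresent -and $t.TpmReady -and $t.TpmEnabled -and $t.TpmActivated -and $t.TpmOwned)
$spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
$report['TPM spec version'] = $spec                      # e.g. "2.0, 0, 1.38"
$report['Firmware mode']    = $env:firmware_type          # UEFI or Legacy
if ($spec -like '2.0*' -and $env:firmware_type -ne 'UEFI') {
    Write-Warning 'TPM 2.0 with legacy BIOS: silent encryption requires UEFI on TPM 2.0 devices.'
}

# --- Windows RE, a prerequisite for silent/automatic encryption (English output assumed) ---
$reLine = (reagentc /info) | Select-String 'Windows RE status'
$report['WinRE status'] = if ($reLine) { ($reLine.Line -split ':', 2)[1].Trim() } else { 'unknown' }

# --- Volume status: the Get-BitLockerVolume equivalent of manage-bde -status ---
foreach ($v in Get-BitLockerVolume) {
    $prot = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    $report["Volume $($v.MountPoint)"] = "$($v.VolumeStatus); method=$($v.EncryptionMethod); protectors=[$prot]; protection=$($v.ProtectionStatus)"
}

# --- Policy as received by the MDM agent (PolicyManager current key) ---
$pm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker' -ErrorAction SilentlyContinue
$report['PolicyManager settings present'] = if ($pm) { ($pm.PSObject.Properties | Where-Object Name -notlike 'PS*' | ForEach-Object Name) -join ', ' } else { 'none' }

# --- Policy as replicated into the FVE key, decoded with the value tables above ---
$methodNames = @{ 3 = 'AES-CBC 128'; 4 = 'AES-CBC 256'; 6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }
$methodEnum  = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }   # assumed Get-BitLockerVolume names
$tpmNames    = @{ 0 = 'Blocked'; 1 = 'Required'; 2 = 'Allowed' }
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve) {
    foreach ($n in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv') {
        if ($null -ne $fve.$n) { $report["FVE $n"] = "$($fve.$n) = $($methodNames[[int]$fve.$n])" }
    }
    foreach ($n in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        if ($null -ne $fve.$n) {
            $report["FVE $n"] = "$($fve.$n) = $($tpmNames[[int]$fve.$n])"
            # A startup key or PIN set to Required needs user interaction and breaks silent encryption.
            if ($n -ne 'UseTPM' -and [int]$fve.$n -eq 1) {
                Write-Warning "$n is Required: silent encryption will fail with a conflicting Group Policy error."
            }
        }
    }
} else {
    $report['FVE key'] = 'absent (policy not replicated; check the BitLocker MDM policy Refresh task)'
}

# --- Cross-check: does the OS drive's encryption method match what the policy asks for? ---
$os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | Select-Object -First 1
if ($os -and $fve -and $null -ne $fve.EncryptionMethodWithXtsOs) {
    $expected = $methodEnum[[int]$fve.EncryptionMethodWithXtsOs]
    if ($os.VolumeStatus -ne 'FullyDecrypted' -and "$($os.EncryptionMethod)" -ne $expected) {
        Write-Warning "OS drive is $($os.EncryptionMethod) but policy asks for $expected; Intune policy reporting will show an error."
    }
}

[pscustomobject]$report | Format-List
```

The warnings map directly onto the failure modes listed in the BitLocker-API section: TPM not ready, WinRE disabled, legacy BIOS on a TPM 2.0 device, a Required startup PIN or key under a silent-encryption policy, and a drive encrypted with a method different from the one in the policy.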

Summary
When BitLocker fails to enable on a Windows 10 device using an Intune policy, in most cases,
the hardware or software prerequisites are not in place. Examining the BitLocker-API log will
help you identify which prerequisite is not satisfied. The most common issues are:

TPM is not present
WinRE is not enabled
UEFI BIOS is not enabled for TPM 2.0 devices

Policy misconfiguration can also cause encryption failures. Not all Windows devices can encrypt
silently so think about the users and devices that you're targeting.

Configuring a startup key or PIN for a policy intended for silent encryption will not work because
of the user interaction required when enabling BitLocker. Keep this in mind when configuring
the BitLocker policy in Intune.

Verify whether the policy settings have been picked up by the device to determine whether the
targeting has been successful.

It is possible to identify the policy settings using MDM diagnostics, registry keys, and the device
management enterprise event log to verify if settings were successfully applied. The BitLocker
CSP documentation can help you decipher these settings to understand whether they match
what has been configured in the policy.
Troubleshooting integration of Jamf Pro with Microsoft Intune
Article • 09/04/2023

This article helps Intune administrators understand and troubleshoot problems with
integration of Jamf Pro for macOS with Microsoft Intune. Each of the following sections
describes a common issue, and offers a potential cause and troubleshooting steps for a
resolution.

Important

Jamf macOS device support for Conditional Access is being deprecated.

Starting from September 1, 2024, the platform that Jamf Pro's Conditional Access
feature is built on will no longer be supported.

If you use Jamf Pro's Conditional Access integration for macOS devices, follow
Jamf's documented guidelines to migrate your devices from macOS Conditional
Access to macOS Device Compliance .

If you have questions or need help, contact Jamf Customer Success . For more
information, see Transitioning Jamf macOS devices from Conditional Access to
Device Compliance .

Prerequisites
Before you start troubleshooting, collect some basic information to clarify the problem
and reduce the time to find a resolution. For example, when you encounter a Jamf-
Intune integration-related issue, always verify that prerequisites have been met.
Consider the following before you start troubleshooting:

Review the prerequisites from the following articles, depending on how you
configure Jamf Pro integration with Intune:
Use the Jamf Cloud Connector to integrate Jamf Pro with Intune
Integrate Jamf Pro with Intune
All users must have Microsoft Intune and Microsoft Azure Active Directory (Azure
AD) Premium P1 licenses
You must have a user account that has Microsoft Intune Integration permissions in
the Jamf Pro console.
You must have a user account that has Global Admin permissions in Azure.

Collect the following information when investigating Jamf Pro integration with Intune:

Exact error message(s)
Location of the error message(s)
When the problem started, and whether your Jamf Pro integration with Intune
worked previously
How many users are affected (all users or just some)
How many devices are affected (all devices or just some)

Devices are marked as unresponsive in Jamf Pro
Cause: The following are common causes of devices being marked as Unresponsive by
Jamf Pro:

Device fails to check in with Jamf Pro.


Jamf Pro expects devices to check in every 15 minutes. Devices are marked as
unresponsive by Jamf when they fail to check in over a 24-hour period.

Device fails to check in with Azure AD.


With successful registration to Azure AD, macOS devices receive an Azure token:
This token refreshes every 12 hours.
When the token refresh fails for 24 hours or more, Jamf Pro marks the device as
unresponsive.
If the Azure token expires, users are prompted to sign in to Azure to obtain a
new token. A refresh token for Azure access is generated every seven days.

Solution
After a device is marked as Unresponsive by Jamf Pro, the enrolled user of the device
must sign in to correct the non-responsive state. It must be the user who has workplace-
joined the account as they have the identity from Intune in their keychain.

Mac devices prompt for keychain sign-in when you open an app
After you configure Intune and Jamf Pro integration and deploy conditional access
policies, users of devices managed with Jamf Pro receive password prompts when
opening Microsoft 365 applications, such as Teams, Outlook, and other apps that require
Azure AD authentication.
For example, a prompt with text similar to the following example appears when opening
Microsoft Teams:

Microsoft Teams wants to sign using key "Microsoft Workplace Join Key" in your
keychain.
To allow this, enter the "login" keychain password

Cause: These prompts are generated by Jamf Pro for each applicable app that requires
Azure AD registration.

Solution
At the prompt, the user must provide their device password to sign in to Azure AD.
Options include:

Deny - Do not sign in and do not use the app.


Allow - A one time sign-in. The next time the app opens, it prompts for sign-in
again.
Always Allow - The sign-in credentials are cached for the application. The next
time the app opens, it doesn't prompt for sign-in.

Selecting Always Allow for one app only approves that app for future sign-in. Additional
apps prompt for authentication until they also are set as Always Allow. Cached
credentials for one app can't be used by another app.

Devices fail to register with Intune


There are several common causes for Mac devices that fail to register with Intune
through Jamf Pro.

Cause 1 - Jamf Pro doesn't have correct permissions


The Jamf Pro enterprise application in Azure has the wrong permission or has more than
one permission. When you create the app in Azure, you must remove all default API
permissions and then assign Intune a single permission of update_device_attributes.

Solution
Review and if necessary correct the permissions for the Jamf app. If you use the Jamf Pro
Cloud Connector, this app was created for you. If you manually configured the
integration, you created the app in Azure AD. For the app permissions, see Create an
application (for Jamf) in Azure AD.
Cause 2 - Wrong tenant or account
The Jamf Native macOS Connector app wasn't created in your Azure AD tenant or
consent for the connector was signed by an account that doesn't have global admin
rights.

Solution
See the Configuring macOS Intune Integration section in Integrating with Microsoft
Intune on docs.jamf.com.

Cause 3 - User doesn't have valid license(s)


Lack of a valid Intune or Jamf license can result in the following error, which indicates
that the Jamf license is expired:

Unable to connect to Microsoft Intune.
Check your Microsoft Intune Integration configuration.

Solution

Jamf license: Contact Jamf for assistance to obtain a new license for Jamf.
Intune license: Assign the user a valid license or contact Microsoft or your Partner
for information about how to obtain a current license.

Cause 4 - User didn't use Jamf Self Service


For a device to successfully enroll and register with Intune through Jamf, the user must
use Jamf Self Service to open the Intune Company Portal. If the user opens the Company
Portal manually, the device enrolls and registers without its connection to Jamf.

To determine which service the device used to enroll and register, look in the Company
Portal app on the device. When registered through Jamf, you should receive a
notification to open the Self-Service app to make changes.

In the Company Portal app, the user might see Not registered , and an entry similar to
the following example might appear in the Company Portal logs:

Line 7783: <DATE> <IP ADDRESS> INFO com.microsoft.ssp.application TID=1
WelcomeViewController.swift: 253 (startLogin()) Portal launched without WPJ only
arg while account is under partner management

Solution
To change the registration source from Intune to Jamf:

1. Remove the macOS device from Intune. To avoid further complications for devices
that aren't fully removed from Intune, see Cause 6 below.

2. On the device, use Jamf Self Service to open the Company Portal app, and then
register the device with Azure AD. This task requires you to have already
completed the following tasks:

Deploy the Company Portal app for macOS in Jamf Pro


Create a policy in Jamf Pro to have users register their devices with Azure AD

3. When the portal opens, the first screen you see prompts you to sign in. Use your
work or school account.

4. The Company Portal confirms your account information and shows your Device
Enrollment and Device Compliance statuses. Yellow triangles highlight the actions
you need to take to secure your macOS device for school or work. Click Begin to
start enrollment.

5. If prompted, type in your computer's sign-in information.

It might take a few minutes to register your device. You'll receive a message after the
registration is completed to let you know you're done.

Cause 5 - Intune integration is turned off


If Intune integration is turned off, users receive a pop-up window in the Company Portal
with the following message when they try to register a device:

Invalid command line input Registration-only command line flag (-r) can only be
used when partner management is enabled in Intune. Please contact your IT admin.

When integration is turned off, the Jamf Pro server sends a pulse to the Intune servers
that tells Intune that integration is disabled.

Solution
Re-enable Intune integration within Jamf Pro. See the following depending on how you
configure integration:

Use the Jamf Cloud Connector to integrate Jamf Pro with Intune
Manually configure Microsoft Intune Integration in Jamf Pro.

Cause 6 - The device was previously enrolled in Intune

If a device is unenrolled from Jamf but not correctly removed from Intune (if it had been
enrolled previously), or if the user has made several registration attempts, you might see
multiple instances of the same device in the portal. This causes Jamf enrollment to fail.

Solution

1. On the Mac, start Terminal.

2. Run sudo JAMF removemdmprofile.

3. Run sudo JAMF removeFramework.

4. On the JAMF Pro server, delete the computer's inventory record.

5. Delete the device from Azure AD.

6. Delete the following files on the device if they exist:

/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info
/Library/Application Support/com.microsoft.CompanyPortal
/Library/Application Support/com.jamfsoftware.selfservice.mac
/Library/Saved Application State/com.jamfsoftware.selfservice.mac.savedState
/Library/Saved Application State/com.microsoft.CompanyPortal.savedState
/Library/Preferences/com.microsoft.CompanyPortal.plist
/Library/Preferences/com.jamfsoftware.selfservice.mac.plist
/Library/Preferences/com.jamfsoftware.management.jamfAAD.plist
/Users/<username>/Library/Cookies/com.microsoft.CompanyPortal.binarycookies
/Users/<username>/Library/Cookies/com.jamf.management.jamfAAD.binarycookies
com.microsoft.CompanyPortal
com.microsoft.CompanyPortal.HockeySDK
enterpriseregistration.windows.net
https://device.login.microsoftonline.com
https://device.login.microsoftonline.com/
Microsoft Session Transport Key (public AND private keys)
Microsoft Workplace Join Key (public AND private keys)

7. Remove anything from the keychain on the device that references Microsoft,
Intune, or Company Portal, including DeviceLogin.microsoft.com certificates.
Remove JAMF references except for JAMF public and private key.

Important
Removing the public and private key will break device enrollment.

8. Delete any of the following entries that you find:

Kind: Application password ; Account: com.microsoft.workplacejoin.thumbprint
Kind: Application password ; Account: com.microsoft.workplacejoin.registeredUserPrincipalName
Kind: Certificate ; Issued by: MS-Organization-Access
Kind: Identity preference ; Name (ADFS STS URL if present): https://<DNS NAME>.com/adfs/ls
Kind: Identity preference ; Name: https://enterpriseregistration.windows.net
Kind: Identity preference ; Name: https://enterpriseregistration.windows.net/

9. Restart the Mac device.

10. Uninstall Company Portal from the device.

11. Go to portal.manage.microsoft.com and delete all the instances of the Mac
device. Wait at least 30 minutes before you go to the next step.

12. Re-enroll the device in JAMF Pro.

13. Reopen Self Service and start the Registration policy.

Cause 7 - User didn't provide JamfAAD access to their key

JamfAAD requests access to a "Microsoft Workplace Join Key" from the user's keychain.
During registration, the user of a macOS device receives the following prompt to allow
JamfAAD access to a key from their keychain:

JamfAAD wants to access key "Microsoft Workplace Join Key" in your keychain. To
allow this, enter the "login" keychain password

Solution
To successfully register the device with Azure AD, Jamf requires the user to provide their
account password, and select Allow.

This request is similar to the keychain sign-in prompt that Mac devices show when you
open an app.

Mac device shows compliant in Intune but noncompliant in Azure

Cause: The following conditions can cause a device to show as compliant in Intune but
not as compliant in Azure:

The device isn't registered correctly.
The device was registered multiple times without the necessary cleanup.

Solution
To resolve this issue, follow the steps in Cause 6.

Duplicate entries appear in the Intune console for Mac devices enrolled by using Jamf

Cause: A device is registered with Intune multiple times, typically being re-registered
after being removed from Intune.

When a device is removed from Intune and Jamf Pro integration, some data can be left
behind, which can cause successive registrations to create duplicate entries.

Solution
To resolve this issue, follow the steps in Cause 6.

Compliance policy fails to evaluate the device

Cause: Jamf integration with Intune doesn't support compliance policies that target
device groups.

Solution
Modify the compliance policy for macOS devices so that it's assigned to user groups.

Could not retrieve the access token for Microsoft Graph API

You receive the following error:

Could not retrieve the access token for Microsoft Graph API. Check the configuration for Microsoft Intune Integration.

The source of this error can be one of the following causes:

Cause 1
There's a permission issue with the Jamf Pro application in Azure. While registering the
Jamf Pro app in Azure, one of the following conditions occurred:

The app received more than one permission.
The Grant admin consent for <your company> option wasn't selected.

Solution
See the resolution for Cause 1 for Devices fail to register, earlier in this article.

Cause 2
A license required for Jamf-Intune integration has expired.

Solution
See the resolution for Cause 3 for Devices fail to register.

Cause 3
The required ports aren't open on your network.

Solution
Review the information for network ports in Prerequisites for integrating Jamf Pro with
Intune.



Use APIs to add third-party CAs for SCEP to Intune
Article • 03/02/2023

In Microsoft Intune, you can add third-party certificate authorities (CA), and have these
CAs issue and validate certificates using the Simple Certificate Enrollment Protocol
(SCEP). Add third-party certification authority provides an overview of this feature, and
describes the Administrator tasks in Intune.

There are also some developer tasks that use an open-source library that Microsoft
published on GitHub. The library includes an API that:

Validates the SCEP password dynamically generated by Intune
Notifies Intune of the certificates created on devices submitting SCEP requests

Using this API, your third-party SCEP server integrates with the Intune SCEP
management solution for MDM devices. The library abstracts aspects such as
authentication, service location, and the ODATA Intune Service API from its users.

SCEP management solution

Using Intune, administrators create SCEP profiles, and then assign these profiles to
MDM devices. The SCEP profiles include parameters, such as:

The URL of the SCEP server
The Trusted Root Certificate of the Certificate Authority
Certificate attributes, and more

Devices that check in with Intune are assigned the SCEP profile, and are configured with
these parameters. A dynamically-generated SCEP challenge password is created by
Intune, and then assigned to the device.

This challenge contains:

The dynamically-generated challenge password
The details on the parameters expected in the certificate signing request (CSR) that
the device issues to the SCEP server
The challenge expiration time

Intune encrypts this information, signs the encrypted blob, and then packages these
details into the SCEP challenge password.

Devices contacting the SCEP server to request a certificate then give this SCEP challenge
password. The SCEP server sends the CSR and encrypted SCEP challenge password to
Intune for validation. This challenge password and CSR must pass validation for the
SCEP server to issue a certificate to the device. When a SCEP challenge is validated, the
following checks happen:

Validates the signature of the encrypted blob
Validates that the challenge hasn't expired
Validates that the profile is still targeted to the device
Validates that the certificate properties requested by the device in the CSR match
the expected values

The SCEP management solution also includes reporting. An administrator can get
information on the deployment status of the SCEP profile, and about the certificates
issued to the devices.

Integrate with Intune

The code for the library to integrate with the Intune SCEP is available for download in
the Microsoft/Intune-Resource-Access GitHub repository.

Integrating the library into your products includes the following steps. These steps
require knowledge of working with GitHub repositories, and of creating solutions and
projects in Visual Studio.

1. Register to receive notifications from the repository

2. Clone or download the repository

3. Go to the library implementation you need under the \src\CsrValidation folder
(https://github.com/Microsoft/Intune-Resource-Access/tree/develop/src/CsrValidation)

4. Build the library using the instructions in the README file

5. Include the library in the project that builds your SCEP server

6. Complete the following tasks on the SCEP Server:

Allow the admin to configure the Azure Application Identifier, Azure
Application Key, and Tenant ID (in this article) that the library uses for
authentication. Administrators should be allowed to update the Azure
Application Key.
Identify SCEP requests that include an Intune-generated SCEP password
Use the Validate Request API library to validate Intune-generated SCEP
passwords
Use the library notification APIs to notify Intune about certificates issued for
SCEP requests that have the Intune-generated SCEP passwords. Also notify
Intune about errors that can occur when processing these SCEP requests.
Confirm that the server logs enough information to help admins troubleshoot
issues

7. Complete integration testing (in this article), and address any issues

8. Give written guidance to the customer that explains:

How the SCEP Server needs to be onboarded in the Microsoft Intune admin
center
How to get the Azure Application Identifier and Azure Application Key
needed to configure the library

Onboard SCEP server in Azure

To authenticate to Intune, the SCEP server requires an Azure Application ID, an Azure
Application Key, and a Tenant ID. The SCEP server also needs to be authorized to access
the Intune API.

To get this data, the SCEP server administrator signs in to the Azure portal, registers the
application, gives the application both the Microsoft Intune API\SCEP challenge
validation permission and the Application.Read.All permission, creates a key for the
application, and then downloads the application ID, its key, and the tenant ID.

For guidance on registering an application, and getting the IDs and keys, see Use portal
to create an AAD application and service principal to access resources.

Java Library API

The Java library is implemented as a Maven project that pulls in its dependencies when
it's built. The API is implemented under the com.microsoft.intune.scepvalidation
namespace by the IntuneScepServiceClient class.

IntuneScepServiceClient class

The IntuneScepServiceClient class includes the methods used by the SCEP service to
validate SCEP passwords, to notify Intune about certificates that are created, and to list
any errors.

IntuneScepServiceClient constructor

Signature:

Java

IntuneScepServiceClient(
    Properties configProperties)

Description:

Instantiates and configures an IntuneScepServiceClient object.

Parameters:

configProperties - Properties object containing client configuration information

The configuration must include the following properties:

AAD_APP_ID="The Azure Application Id obtained during the onboarding process"
AAD_APP_KEY="The Azure Application Key obtained during the onboarding process"
TENANT="The Tenant Id obtained during the onboarding process"
PROVIDER_NAME_AND_VERSION="Information used to identify your product and its version"

If your solution requires a proxy either with authentication or without authentication,
then you can add the following properties:

PROXY_HOST="The host the proxy is hosted on."
PROXY_PORT="The port the proxy is listening on."
PROXY_USER="The username to use if proxy uses basic authentication."
PROXY_PASS="The password to use if proxy uses basic authentication."

Throws:

IllegalArgumentException - Thrown if the constructor is executed without a
proper property object.

Important

It's best to instantiate this class once, and use the instance to process multiple SCEP
requests. Doing so reduces overhead, as it caches authentication tokens and service
location information.

Security notes

The SCEP server implementer must protect the data entered in the configuration
properties persisted to storage against tampering and disclosure. It's recommended to
use proper ACLs and encryption to secure the information.

ValidateRequest method

Signature:

Java

void ValidateRequest(
    String transactionId,
    String certificateRequest)

Description:

Validates a SCEP certificate request.

Parameters:

transactionId - The SCEP Transaction ID
certificateRequest - DER-encoded PKCS #10 Certificate Request Base64 encoded
as a string

Throws:

IllegalArgumentException - Thrown if called with a parameter that is not valid
IntuneScepServiceException - Thrown if it is found that the certificate request is
not valid
Exception - Thrown if an unexpected error is encountered

Important

Exceptions thrown by this method should be logged by the server. Note that the
IntuneScepServiceException properties have detailed information on why the
certificate request validation failed.

Security notes:

If this method throws an exception, the SCEP server must not issue a certificate to
the client.
SCEP certificate request validation failures may indicate a problem in the Intune
infrastructure. Or, they could indicate that an attacker is trying to get a certificate.

SendSuccessNotification method

Signature:

Java

void SendSuccessNotification(
    String transactionId,
    String certificateRequest,
    String certThumbprint,
    String certSerialNumber,
    String certExpirationDate,
    String certIssuingAuthority)

Description:

Notifies Intune that a certificate is created as part of processing a SCEP request.

Parameters:

transactionId - The SCEP Transaction ID
certificateRequest - DER-encoded PKCS #10 Certificate Request Base64 encoded
as a string
certThumbprint - SHA1 hash of the thumbprint of the provisioned certificate
certSerialNumber - Serial number of the provisioned certificate
certExpirationDate - Expiration date of the provisioned certificate. The date time
string should be formatted as web UTC time (YYYY-MM-DDThh:mm:ss.sssTZD) ISO
8601.
certIssuingAuthority - Name of the authority that issued the certificate

Throws:

IllegalArgumentException - Thrown if called with a parameter that is not valid
IntuneScepServiceException - Thrown if it is found that the certificate request is
not valid
Exception - Thrown if an unexpected error is encountered

Important

Exceptions thrown by this method should be logged by the server. Note that the
IntuneScepServiceException properties have detailed information on why the
certificate request validation failed.

Security notes:

If this method throws an exception, the SCEP server must not issue a certificate to
the client.
SCEP certificate request validation failures may indicate a problem in the Intune
infrastructure. Or, they could indicate that an attacker is trying to get a certificate.

SendFailureNotification method

Signature:

Java

void SendFailureNotification(
    String transactionId,
    String certificateRequest,
    long hResult,
    String errorDescription)

Description:
Notifies Intune that an error occurred while processing a SCEP request. This method
shouldn't be invoked for exceptions thrown by the methods of this class.

Parameters:

transactionId - The SCEP Transaction ID
certificateRequest - DER-encoded PKCS #10 Certificate Request Base64 encoded
as a string
hResult - Win32 error code that best describes the error that was encountered. See
Win32 Error Codes
errorDescription - Description of the error encountered

Throws:

IllegalArgumentException - Thrown if called with a parameter that is not valid
IntuneScepServiceException - Thrown if it is found that the certificate request is
not valid
Exception - Thrown if an unexpected error is encountered

Important

Exceptions thrown by this method should be logged by the server. Note that the
IntuneScepServiceException properties have detailed information on why the
certificate request validation failed.

Security notes:

If this method throws an exception, the SCEP server must not issue a certificate to
the client.
SCEP certificate request validation failures may indicate a problem in the Intune
infrastructure. Or, they could indicate that an attacker is trying to get a certificate.

SetSslSocketFactory method

Signature:

Java

void SetSslSocketFactory(
    SSLSocketFactory factory)

Description:
Use this method to inform the client that it must use the specified SSL socket factory
(instead of the default) when communicating with Intune.

Parameters:

factory - The SSL socket factory that the client should use for HTTPS requests

Throws:

IllegalArgumentException - Thrown if called with a parameter that is not valid

Note

If required, the SSL socket factory must be set before executing the other methods
of this class.
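The following is an added example, not code from the Intune-Resource-Access library or from Microsoft, showing how a SCEP server might call the constructor, ValidateRequest, SendSuccessNotification and SendFailureNotification described above across one request lifecycle. The IntuneScepHandler class, the CertificateIssuer hook into the CA, the thumbprint and date helpers, and the choice of hex for the serial number are assumptions; the configuration values are placeholders to be loaded from protected storage.

```java
import com.microsoft.intune.scepvalidation.IntuneScepServiceClient;
import com.microsoft.intune.scepvalidation.IntuneScepServiceException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Base64;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added example: one SCEP request lifecycle wired to the Intune validation library. */
public final class IntuneScepHandler {
    private static final Logger LOG = Logger.getLogger(IntuneScepHandler.class.getName());

    // Web UTC / ISO 8601 form that SendSuccessNotification expects for certExpirationDate.
    private static final DateTimeFormatter WEB_UTC =
            DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSXXX").withZone(ZoneOffset.UTC);

    // Win32 code reported when the CA itself fails; ERROR_INTERNAL_ERROR (1359) is a
    // placeholder, pick the code from the Win32 error list that best describes the failure.
    private static final long CA_FAILURE_HRESULT = 1359L;

    /** Hypothetical hook into the SCEP server's CA; not part of the Intune library. */
    public interface CertificateIssuer { X509Certificate issue(byte[] csrDer) throws Exception; }

    // One client for the lifetime of the server: it caches tokens and service location.
    private final IntuneScepServiceClient intune;
    private final CertificateIssuer issuer;
    private final String issuingAuthority;

    public IntuneScepHandler(Properties config, CertificateIssuer issuer, String issuingAuthority) {
        // config carries AAD_APP_ID, AAD_APP_KEY, TENANT and PROVIDER_NAME_AND_VERSION, loaded
        // from ACL-protected, encrypted storage; the constructor rejects a bad Properties object.
        this.intune = new IntuneScepServiceClient(config);
        this.issuer = issuer;
        this.issuingAuthority = issuingAuthority;
    }

    // Handles a SCEP request that carries an Intune-generated challenge password. Returns
    // the certificate to deliver to the device, or null when none may be issued.
    public X509Certificate handle(String transactionId, byte[] csrDer) {
        String csrBase64 = Base64.getEncoder().encodeToString(csrDer); // DER PKCS #10, Base64

        // 1. Intune checks the blob signature, expiry, profile targeting and CSR properties.
        try {
            intune.ValidateRequest(transactionId, csrBase64);
        } catch (IntuneScepServiceException e) {
            // Rejected: log the exception (its properties say why) and do not issue.
            LOG.log(Level.WARNING, "Intune rejected SCEP transaction " + transactionId, e);
            return null;
        } catch (Exception e) {
            LOG.log(Level.SEVERE, "Unexpected error validating " + transactionId, e);
            return null;
        }

        // 2. Only a validated CSR reaches the CA.
        X509Certificate cert;
        try {
            cert = issuer.issue(csrDer);
        } catch (Exception e) {
            // CA-side errors go to SendFailureNotification (never errors from the library itself).
            notifyFailure(transactionId, csrBase64, CA_FAILURE_HRESULT, String.valueOf(e.getMessage()));
            return null;
        }

        // 3. Report the issued certificate so it appears in Intune's SCEP reporting.
        try {
            intune.SendSuccessNotification(
                    transactionId,
                    csrBase64,
                    sha1Hex(cert.getEncoded()),                     // certThumbprint
                    cert.getSerialNumber().toString(16),            // certSerialNumber (hex)
                    WEB_UTC.format(cert.getNotAfter().toInstant()), // certExpirationDate
                    issuingAuthority);                              // certIssuingAuthority
        } catch (Exception e) {
            // Per the library notes, an exception here means the server must not issue.
            LOG.log(Level.SEVERE, "Success notification failed for " + transactionId, e);
            return null;
        }
        return cert;
    }

    private void notifyFailure(String transactionId, String csrBase64, long hResult, String why) {
        try {
            intune.SendFailureNotification(transactionId, csrBase64, hResult, why);
        } catch (Exception e) {
            LOG.log(Level.SEVERE, "Failure notification failed for " + transactionId, e);
        }
    }

    // SHA-1 over the certificate's DER encoding, upper-case hex, used as the thumbprint.
    static String sha1Hex(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(der)) sb.append(String.format("%02X", b));
        return sb.toString();
    }
}
```

The handler returns null on every failure path so the SCEP front end can answer the device with a SCEP failure rather than a certificate.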

Integration testing
Validating and testing that your solution is properly integrated with Intune is a must.
The following lists an overview of the steps:

1. Set up an Intune trial account.
2. Onboard the SCEP Server in the Azure portal (in this article).
3. Configure the SCEP Server with the IDs and key created when onboarding your
SCEP server.
4. Enroll devices to test the scenarios in the scenario testing matrix.
5. Create a Trusted Root Certificate profile for your test Certificate Authority.
6. Create SCEP profiles to test the scenarios listed in the scenario testing matrix.
7. Assign the profiles to users that enrolled their devices.
8. Wait for the devices to sync with Intune. Or, manually sync the devices.
9. Confirm the Trusted Root Certificate and SCEP profiles are deployed to the devices.
10. Confirm the Trusted Root Certificate is installed on all the devices.
11. Confirm the SCEP Certificates for the assigned profiles are installed on all the
devices.
12. Confirm the properties of the installed certificates match the properties set in the
SCEP profile.
13. Confirm the issued certificates are properly listed in the Intune admin center.

See also
Add 3rd party CA overview
Setup Intune
Device enrollment
Configure SCEP certificate profiles (the Microsoft NDES Server\Connector setup
isn't used for this scenario)

Device Compliance settings for Android device administrator in Intune
Article • 02/21/2023

This article lists the compliance settings you can configure on Android device
administrator devices in Intune. As part of your mobile device management (MDM)
solution, use these settings to mark rooted devices as not compliant, set an allowed
threat level, enable Google Play Protect, and more.

This feature applies to:

Android device administrator

As an Intune administrator, use these compliance settings to help protect your
organizational resources. To learn more about compliance policies, and what they do,
see get started with device compliance.

Before you begin

Create a compliance policy. For Platform, select Android device administrator.

Microsoft Defender for Endpoint

Require the device to be at or under the machine risk score

Select the maximum allowed machine risk score for devices evaluated by Microsoft
Defender for Endpoint. Devices that exceed this score get marked as
noncompliant.
Not configured (default)
Clear
Low
Medium
High

Device Health
Devices managed with device administrator

Device administrator capabilities are superseded by Android Enterprise.

Not configured (default)
Block - Blocking device administrator will guide users to move to Android
Enterprise Personally-Owned and Corporate-Owned Work Profile management
to regain access.

Rooted devices

Prevent rooted devices from having corporate access. (This compliance check is
supported for Android 4.0 and above.)
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Block - Mark rooted devices as not compliant.

Require the device to be at or under the Device Threat Level

Use this setting to take the risk assessment from a connected Mobile Threat
Defense service as a condition for compliance.
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Secured - This option is the most secure, as the device can't have any threats. If
the device is detected with any level of threats, it's evaluated as noncompliant.
Low - The device is evaluated as compliant if only low-level threats are present.
Anything higher puts the device in a noncompliant status.
Medium - The device is evaluated as compliant if existing threats on the device
are low or medium level. If the device is detected to have high-level threats, it's
determined to be noncompliant.
High - This option is the least secure, and allows all threat levels. It may be
useful if you're using this solution only for reporting purposes.

Google Play Protect

Important

Devices operating in countries/regions where Google Mobile Services are not
available will fail Google Play Protect compliance policy setting evaluations. For
more information, see Managing Android devices where Google Mobile Services
are not available.

Google Play Services is configured

Google Play services allows security updates, and is a base-level dependency for
many security features on certified-Google devices.
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Require that the Google Play services app is installed and enabled.

Up-to-date security provider
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Require that an up-to-date security provider can protect a device
from known vulnerabilities.

Threat scan on apps

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Require that the Android Verify Apps feature is enabled.

Note

On the legacy Android platform, this feature is a compliance setting. Intune
can only check whether this setting is enabled at the device level.

SafetyNet device attestation

Enter the level of SafetyNet attestation that must be met. Your options:
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Check basic integrity
Check basic integrity & certified devices

Note

To configure Google Play Protect settings using app protection policies, see Intune
app protection policy settings on Android.

Device Properties

Operating System Version

Minimum OS version

When a device doesn't meet the minimum OS version requirement, it's reported as
noncompliant. A link with information about how to upgrade is shown. The end
user can choose to upgrade their device, and then get access to company
resources.

By default, no version is configured.

Maximum OS version

When a device is using an OS version later than the version specified in the rule,
access to company resources is blocked. The user is asked to contact their IT
admin. Until a rule is changed to allow the OS version, this device can't access
company resources.

By default, no version is configured.

System Security

Encryption
Encryption of data storage on a device

Supported on Android 4.0 and later, or KNOX 4.0 and later.

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Encrypt data storage on your devices. Devices are encrypted when
you choose the Require a password to unlock mobile devices setting.

Device Security
Block apps from unknown sources

Supported on Android 4.0 to Android 7.x. Not supported by Android 8.0 and later.
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Block - Block devices with Security > Unknown Sources enabled (supported on
Android 4.0 through Android 7.x. Not supported on Android 8.0 and later.).

To side-load apps, unknown sources must be allowed. If you're not side-loading
Android apps, then set this feature to Block to enable this compliance policy.

Important

Side-loading applications requires that the Block apps from unknown sources
setting is enabled. Enforce this compliance policy only if you're not side-
loading Android apps on devices.

Company portal app runtime integrity

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.

Require - Choose Require to confirm the Company Portal app meets all the
following requirements:
Has the default runtime environment installed
Is properly signed
Isn't in debug-mode

Block USB debugging on device

(Supported on Android 4.2 or later)

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Block - Prevent devices from using the USB debugging feature.

Minimum security patch level

(Supported on Android 8.0 or later)

Select the oldest security patch level a device can have. Devices that aren't at least
at this patch level are noncompliant. The date must be entered in the YYYY-MM-DD
format.

By default, no date is configured.

Restricted apps

Enter the App name and App bundle ID for apps that should be restricted, and
then select Add. A device with at least one restricted app installed is marked as
non-compliant.

Password
The available settings for passwords vary by the version of Android on the device.

All Android devices

The following settings are supported on Android 4.0 or later, and Knox 4.0 and later.

Maximum minutes of inactivity before password is required

This setting specifies the length of time without user input after which the mobile
device screen is locked. Options range from 1 Minute to 8 Hours. The
recommended value is 15 Minutes.
Not configured (default)

Android 10 and later

The following settings are supported on Android 10 or later, but not on Knox.

Password complexity

This setting is supported on Android 10 or later, but not on Samsung Knox. On
devices that run Android 9 and earlier or Samsung Knox, settings for the password
length and type override this setting for complexity.

Specify the required password complexity.

None (default) - No password required.
Low - The password satisfies one of the following conditions:
Pattern
Numeric PIN has a repeating (4444) or ordered (1234, 4321, 2468) sequence.
Medium - The password satisfies one of the following conditions:
Numeric PIN doesn’t have a repeating (4444) or ordered (1234, 4321, 2468)
sequence, and has minimum length of 4.
Alphabetic, with a minimum length of 4.
Alphanumeric, with a minimum length of 4.
High - The password satisfies one of the following conditions:
Numeric PIN doesn’t have a repeating (4444) or ordered (1234, 4321, 2468)
sequence, and has minimum length of 8.
Alphabetic, with a minimum length of 6.
Alphanumeric, with a minimum length of 6.
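To make the Low, Medium and High bands above concrete, the following added example (a model written for this page, not Intune or Android code) classifies a password under those rules and decides whether it meets a required level. The four-digit threshold for a repeating or ordered run is an assumption taken from the page's examples (4444, 1234, 4321, 2468); the same sequence check also models the Numeric complex password type described later in this article.

```java
/** Added example: a model of the Android 10+ password complexity bands as listed above. */
public final class AndroidPasswordComplexity {

    public enum Kind { NONE, PATTERN, NUMERIC, ALPHABETIC, ALPHANUMERIC }
    public enum Level { NONE, LOW, MEDIUM, HIGH }   // ordinal order is the strength order

    // Assumption: a run of this many digits with a constant step (0 for 4444, 1 for 1234,
    // -1 for 4321, 2 for 2468) counts as a "repeating or ordered" sequence.
    static final int SEQUENCE_LENGTH = 4;

    /** True if the PIN contains a repeating or ordered run of SEQUENCE_LENGTH digits. */
    static boolean hasRepeatingOrOrderedSequence(String pin) {
        if (pin.length() < SEQUENCE_LENGTH) return false;
        int run = 1;                   // digits in the current constant-step run
        int step = Integer.MIN_VALUE;  // step of that run
        for (int i = 1; i < pin.length(); i++) {
            int d = pin.charAt(i) - pin.charAt(i - 1);
            if (run >= 2 && d == step) {
                run++;
            } else {
                run = 2;               // pin[i-1], pin[i] start a new run
                step = d;
            }
            if (run >= SEQUENCE_LENGTH) return true;
        }
        return false;
    }

    /** Highest band the password satisfies under the page's Low/Medium/High rules. */
    static Level complexityOf(Kind kind, String password) {
        int n = password.length();
        switch (kind) {
            case NONE:
                return Level.NONE;
            case PATTERN:
                return Level.LOW;
            case NUMERIC:
                if (hasRepeatingOrOrderedSequence(password)) return Level.LOW;
                if (n >= 8) return Level.HIGH;
                if (n >= 4) return Level.MEDIUM;
                return Level.NONE;     // assumption: a shorter PIN satisfies no band above None
            default:                   // ALPHABETIC and ALPHANUMERIC share the same lengths
                if (n >= 6) return Level.HIGH;
                if (n >= 4) return Level.MEDIUM;
                return Level.NONE;
        }
    }

    /** Compliance decision: does the device's password meet the required complexity? */
    static boolean isCompliant(Level required, Kind kind, String password) {
        return complexityOf(kind, password).ordinal() >= required.ordinal();
    }

    public static void main(String[] args) {
        // Constructed sample passwords; the page's own examples are the Low cases.
        Object[][] cases = {
            {Kind.NUMERIC, "1234", Level.LOW},        // ordered
            {Kind.NUMERIC, "4444", Level.LOW},        // repeating
            {Kind.NUMERIC, "2468", Level.LOW},        // ordered, step 2
            {Kind.NUMERIC, "7391", Level.MEDIUM},     // no sequence, length 4
            {Kind.NUMERIC, "73915026", Level.HIGH},   // no sequence, length 8
            {Kind.ALPHABETIC, "abcd", Level.MEDIUM},
            {Kind.ALPHANUMERIC, "a1b2c3", Level.HIGH},
            {Kind.PATTERN, "", Level.LOW},
        };
        for (Object[] c : cases) {
            Kind kind = (Kind) c[0];
            String pw = (String) c[1];
            Level got = complexityOf(kind, pw);
            System.out.printf("%-12s %-10s -> %-6s expected %-6s compliant with Medium: %b%n",
                    kind, pw, got, c[2], isCompliant(Level.MEDIUM, kind, pw));
        }
    }
}
```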

Android 9 and earlier or Samsung Knox

The following settings are supported on Android 9.0 and earlier, and any version of
Samsung Knox.

Require a password to unlock mobile devices

This setting specifies whether to require users to enter a password before access is
granted to information on their mobile devices. Recommended value: Require
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Users must enter a password before they can access their device.

When set to Require, the following setting can be configured:

Required password type

Choose if a password should include only numeric characters, or a mix of numerals
and other characters.
Device Default - To evaluate password compliance, be sure to select a password
strength other than Device default.
Low security biometric
At least numeric
Numeric complex - Repeated or consecutive numerals, such as 1111 or 1234,
aren't allowed.
At least alphabetic
At least alphanumeric
At least alphanumeric with symbols

Based on the configuration of this setting, one or more of the following options
are available:

Minimum password length

Enter the minimum number of digits or characters that the user's password
must have.

Maximum minutes of inactivity before password is required

Enter the idle time before the user must reenter their password. When you
choose Not configured (default), this setting isn't evaluated for compliance or
non-compliance.

Number of days until password expires

Select the number of days before the password expires and the user must
create a new password.

Number of previous passwords to prevent reuse

Enter the number of recent passwords that can't be reused. Use this setting to
restrict the user from creating previously used passwords.

Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
See the compliance policy settings for Android Enterprise devices.

Device compliance settings for Android (AOSP) in Intune
Article • 02/22/2023

This article lists the compliance settings you can configure for Android (AOSP) devices in
Intune. Use these settings as part of your mobile device management (MDM) solution to
define your organization's standards for:

Device health
Device properties
System security

Devices are also governed by tenant-wide compliance policy settings. To manage the
tenant-wide compliance policy settings in your tenant, sign in to Microsoft Intune admin
center and go to Endpoint security > Device compliance > Compliance policy settings.

To learn more about compliance policies, and what they do, see get started with device
compliance.

This feature applies to:

Android (AOSP)

Before you begin

To access these settings, create an Android (AOSP) compliance policy. When prompted
to select a Platform, choose Android (AOSP).

Device health
Rooted devices

Prevent rooted devices from having corporate access.

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Block - Mark rooted devices as not compliant.

Device properties
Minimum OS version

When a device doesn't meet the minimum OS version requirement, it's reported as
noncompliant. A link with information about how to upgrade is shown. The end
user can choose to upgrade their device, and then get access to company
resources.

By default, no version is configured.

Maximum OS version

When a device is using an OS version later than the version specified in the rule,
access to company resources is blocked. The user is asked to contact their IT
admin. Until a rule is changed to allow the OS version, this device can't access
company resources.

By default, no version is configured.

Minimum security patch level

Enter the oldest security patch level a device can have. Devices that aren't at least
at this patch level are noncompliant. The date must be entered in the YYYY-MM-DD
format.

By default, no patch level is configured.

System security
If you don't configure password requirements, the use of a device password is optional
and left up to the users to configure.

Require a password to unlock mobile devices

Require users to have a password-protected lock screen on their device. Your
options:
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Yes - Users must enter a password to unlock their devices.

If you require a password, also configure:

Required password type

Require users to use a certain type of password. Your options:

Device default - To evaluate password compliance, be sure to select a password
strength other than Device default.

Numeric - Password must only be numbers, such as 123456789. Also enter:
Minimum password length: The minimum number of digits required, from 4
to 16.
Numeric complex - Repeated or consecutive numerals, such as 1111 or 1234,
aren't allowed. Also enter:
Minimum password length: The minimum number of digits required, from 4
to 16.

Note
There is a known issue that prevents Password required, no restriction
from working on Android (AOSP) devices.
The following password types are listed as options but are not supported
for Android (AOSP) devices: alphabetic, alphanumeric, and alphanumeric
with symbols.

Maximum minutes of inactivity before password is required

Enter the maximum idle time allowed, from 1 minute to 8 hours, before the user
must re-enter their password to get back into their device. When you choose Not
configured (default), this setting isn't evaluated for compliance or non-compliance.

Encryption
Encryption of data storage on a device

Your options are:

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.

Require - Encrypt data storage on your devices. Devices are encrypted when
you choose the Require a password to unlock mobile devices setting.

Device compliance reporting

Compliance reports are currently not available for Android (AOSP) devices. This section
will be updated when reporting becomes available.

Next steps
Add actions for noncompliant devices.
Set device restrictions for AOSP devices.
Device compliance settings for Android Enterprise in Intune
Article • 02/21/2023

This article lists and describes the different compliance settings you can configure on
Android Enterprise devices in Intune. As part of your mobile device management (MDM)
solution, use these settings to mark rooted devices as not compliant, set an allowed
threat level, enable Google Play Protect, and more.

This feature applies to:

Android Enterprise

As an Intune administrator, use these compliance settings to help protect your
organizational resources. To learn more about compliance policies, and what they do,
see get started with device compliance.

Important

To apply to Android Enterprise dedicated devices, compliance policy must target
devices, not users. Compliance policies will be evaluated against the device and will
appropriately reflect the compliance state in Intune. To allow users on dedicated
devices to sign in to resources protected by Conditional Access policies, consider
using Android Enterprise dedicated devices with Azure AD shared device mode.

On Android Enterprise dedicated devices that are enrolled without Azure AD shared
device mode, users of the device will be unable to sign into resources protected by
Conditional Access policies, even if the device is compliant in Intune. To learn more
about shared device mode, see Overview of shared device mode in the Azure AD
documentation.

Before you begin

When configuring compliance policies, the broad range of settings enables you to tailor
protection to your specific needs. To better understand how to implement specific
security configuration scenarios, see the security configuration framework guidance for
Android Enterprise device restriction policies.

The security configuration framework is organized into distinct configuration levels that
provide guidance for personally owned and supervised devices, with each level building
off the previous level. The available levels and settings in each level vary by enrollment
mode:

For Android Enterprise personally-owned work profile devices: Android personally-owned
work profile security settings
For Android Enterprise fully managed, dedicated, and corporate-owned work
profile devices: Android fully managed security settings

When ready to proceed, create a compliance policy. For Platform, select Android
Enterprise.

Fully Managed, Dedicated, and Corporate-Owned Work Profile

Microsoft Defender for Endpoint

Require the device to be at or under the machine risk score

Select the maximum allowed machine risk score for devices evaluated by Microsoft
Defender for Endpoint. Devices that exceed this score get marked as
noncompliant.
Not configured (default)
Clear
Low
Medium
High

Note

Microsoft Defender for Endpoint may not be supported on all Android Enterprise
enrollment types. Learn more about what scenarios are supported.

Device Health
Require the device to be at or under the Device Threat Level

Select the maximum allowed device threat level evaluated by your mobile threat
defense service. Devices that exceed this threat level are marked noncompliant. To
use this setting, choose the allowed threat level:
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Secured - This option is the most secure, and means that the device can't have
any threats. If the device is detected with any level of threats, it's evaluated as
noncompliant.
Low - The device is evaluated as compliant if only low-level threats are present.
Anything higher puts the device in a noncompliant status.
Medium - The device is evaluated as compliant if the threats that are present on
the device are low or medium level. If the device is detected to have high-level
threats, it's determined to be noncompliant.
High - This option is the least secure, as it allows all threat levels. It may be
useful if you're using this solution only for reporting purposes.

Note

All the Mobile Threat Defense (MTD) providers are supported on Android
Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile
deployments using app configuration. Check with your MTD provider for the exact
configuration needed to support Android Enterprise Fully Managed, Dedicated, and
Corporate-Owned Work Profile platforms on Intune.

Google Play Protect

Important

Devices operating in regions or countries where Google Mobile Services are not
available will fail Google Play Protect compliance policy setting evaluations. For
more information, see Managing Android devices where Google Mobile Services
are not available.

SafetyNet device attestation

Enter the level of SafetyNet attestation that must be met. Your options:
Not configured (default) - Setting isn't evaluated for compliance or non-
compliance.
Check basic integrity
Check basic integrity & certified devices

Device Properties

Operating System Version

Minimum OS version

When a device doesn't meet the minimum OS version requirement, it's reported as
non-compliant. A link with information on how to upgrade is shown. The end user
can upgrade their device, and then access organization resources.

By default, no version is configured.

Maximum OS version

When a device is using an OS version later than the version in the rule, access to
organization resources is blocked. The user is asked to contact their IT
administrator. Until a rule is changed to allow the OS version, this device can't
access organization resources.

By default, no version is configured.

Minimum security patch level

Select the oldest security patch level a device can have. Devices that aren't at least
at this patch level are noncompliant. The date must be entered in the YYYY-MM-
DD format.

By default, no date is configured.
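The following Python is an added example, not Intune's own evaluation code: it models how the Device Health threat-level ladder and the Device Properties checks above (minimum and maximum OS version, minimum security patch level), together with the rooted-device block and encryption settings described elsewhere in this article, combine into one compliance verdict, and why OS versions and patch-level dates must not be compared as raw strings. The Policy and Device field names are this example's own assumptions, not Intune identifiers.

```python
"""Model of how the Android Enterprise compliance settings combine.

Added example, not Intune's code. Setting names are this example's own.
Threat-level ladder: Secured admits no threats, High admits every level.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Options of "Require the device to be at or under the Device Threat Level".
THREAT_RANK = {"secured": 0, "low": 1, "medium": 2, "high": 3}
PATCH_LEVEL_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # the page's YYYY-MM-DD format


def parse_version(version: str) -> Tuple[int, ...]:
    """"13", "12.1", "11.0" -> numeric tuples; trailing zeros are dropped so
    "12" == "12.0". Raw string comparison would rank "9" above "13"."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_patch_level(value: str) -> date:
    """Strict YYYY-MM-DD parse; rejects forms such as 2023-1-5 or 05/01/2023."""
    if not PATCH_LEVEL_RE.match(value):
        raise ValueError(f"patch level must be YYYY-MM-DD, got {value!r}")
    return datetime.strptime(value, "%Y-%m-%d").date()


def is_valid_patch_level(value: str) -> bool:
    try:
        parse_patch_level(value)
        return True
    except ValueError:
        return False


@dataclass
class Policy:
    """Compliance policy; None/False stands for "Not configured" (not evaluated)."""
    block_rooted: bool = False
    max_threat_level: Optional[str] = None       # secured | low | medium | high
    min_os_version: Optional[str] = None
    max_os_version: Optional[str] = None
    min_security_patch_level: Optional[str] = None
    require_encryption: bool = False


@dataclass
class Device:
    """Constructed device record, as an MDM/MTD inventory would report it."""
    os_version: str
    security_patch_level: str
    rooted: bool = False
    encrypted: bool = True
    threat_level: Optional[str] = None           # None: no MTD assessment yet


def evaluate(policy: Policy, device: Device) -> List[str]:
    """Names of the settings the device fails; an empty list means compliant."""
    failures: List[str] = []
    if policy.block_rooted and device.rooted:
        failures.append("rooted_device")
    if policy.max_threat_level is not None:
        allowed = THREAT_RANK[policy.max_threat_level.lower()]
        # Assumption of this example: a device with no MTD assessment is treated
        # conservatively as exceeding any configured threat level.
        reported = THREAT_RANK.get((device.threat_level or "").lower(), 99)
        if reported > allowed:
            failures.append("device_threat_level")
    os_ver = parse_version(device.os_version)
    if policy.min_os_version and os_ver < parse_version(policy.min_os_version):
        failures.append("minimum_os_version")
    if policy.max_os_version and os_ver > parse_version(policy.max_os_version):
        failures.append("maximum_os_version")
    if policy.min_security_patch_level:
        required = parse_patch_level(policy.min_security_patch_level)
        if parse_patch_level(device.security_patch_level) < required:
            failures.append("minimum_security_patch_level")
    if policy.require_encryption and not device.encrypted:
        failures.append("storage_encryption")
    return failures


if __name__ == "__main__":
    policy = Policy(block_rooted=True, max_threat_level="low", min_os_version="11",
                    max_os_version="14", min_security_patch_level="2023-01-01",
                    require_encryption=True)
    for dev in (Device("13", "2023-02-05", threat_level="secured"),
                Device("9", "2022-12-01", rooted=True, encrypted=False,
                       threat_level="medium")):
        print(f"Android {dev.os_version}: {evaluate(policy, dev) or 'compliant'}")
```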

System Security
Require a password to unlock mobile devices
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Users must enter a password before they can access their device.

Required password type

Choose if a password should include only numeric characters, or a mix of numerals
and other characters. Your options:
Device default - To evaluate password compliance, be sure to select a password
strength other than Device default.
Password required, no restrictions
Weak biometric - Strong vs. weak biometrics (opens Android's web site)
Numeric (default): Password must only be numbers, such as 123456789. Enter
the minimum password length a user must enter, between 4 and 16 characters.
Numeric complex - Repeated or consecutive numbers, such as "1111" or
"1234", aren't allowed. Enter the minimum password length a user must enter,
between 4 and 16 characters.
Alphabetic - Letters in the alphabet are required. Numbers and symbols aren't
required. Enter the minimum password length a user must enter, between 4
and 16 characters.
Alphanumeric - Includes uppercase letters, lowercase letters, and numeric
characters. Enter the minimum password length a user must enter, between 4
and 16 characters.
Alphanumeric with symbols - Includes uppercase letters, lowercase letters,
numeric characters, punctuation marks, and symbols.

Depending on the password type you select, the following settings are available:

Minimum password length

Enter the minimum length the password must have, between 4 and 16
characters.

Number of characters required

Enter the number of characters the password must have, between 0 and 16
characters.

Number of lowercase characters required

Enter the number of lowercase characters the password must have, between 0
and 16 characters.

Number of uppercase characters required

Enter the number of uppercase characters the password must have, between 0
and 16 characters.

Number of non-letter characters required

Enter the number of non-letters (anything other than letters in the alphabet) the
password must have, between 0 and 16 characters.

Number of numeric characters required

Enter the number of numeric characters (1, 2, 3, and so on) the password must
have, between 0 and 16 characters.

Number of symbol characters required

Enter the number of symbol characters (&, #, %, and so on) the password must
have, between 0 and 16 characters.

Maximum minutes of inactivity before password is required

Enter the idle time before the user must reenter their password. Options include
the default of Not configured, and from 1 Minute to 8 hours.

Number of days until password expires

Enter the number of days, between 1-365, until the device password must be
changed. For example, to change the password after 60 days, enter 60. When
the password expires, users are prompted to create a new password.

By default, no value is configured.

Number of passwords required before user can reuse a password

Enter the number of recent passwords that can't be reused, between 1-24. Use
this setting to restrict the user from creating previously used passwords.

By default, no value is configured.

Encryption

Encryption of data storage on device

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Encrypt data storage on your devices.

You don't have to configure this setting because Android Enterprise devices
enforce encryption.

Personally-Owned Work Profile

Microsoft Defender for Endpoint - for Personally-Owned Work Profile

Require the device to be at or under the machine risk score

Select the maximum allowed machine risk score for devices evaluated by Microsoft
Defender for Endpoint. Devices that exceed this score get marked as
noncompliant.
Not configured (default)
Clear
Low
Medium
High

Device Health - for Personally-Owned Work Profile

Rooted devices
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Block - Mark rooted devices as not compliant.

Require the device to be at or under the Device Threat Level

Select the maximum allowed device threat level evaluated by your mobile threat
defense service. Devices that exceed this threat level are marked noncompliant. To
use this setting, choose the allowed threat level:
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Secured - This option is the most secure, and means that the device can't have
any threats. If the device is detected with any level of threats, it's evaluated as
noncompliant.
Low - The device is evaluated as compliant if only low-level threats are present.
Anything higher puts the device in a noncompliant status.
Medium - The device is evaluated as compliant if the threats that are present on
the device are low or medium level. If the device is detected to have high-level
threats, it's determined to be noncompliant.
High - This option is the least secure, as it allows all threat levels. It may be
useful if you're using this solution only for reporting purposes.

Google Play Protect - for Personally-Owned Work Profile

Google Play Services is configured

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Require that the Google Play services app is installed and enabled.
Google Play services allows security updates, and is a base-level dependency for
many security features on Google-certified devices.

Up-to-date security provider

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Require that an up-to-date security provider can protect a device
from known vulnerabilities.

SafetyNet device attestation

Enter the level of SafetyNet attestation that must be met. Your options:
Not configured (default) - Setting isn't evaluated for compliance or non-
compliance.
Check basic integrity
Check basic integrity & certified devices

Required SafetyNet evaluation type

This setting is only available when SafetyNet device attestation is set to either Check
basic integrity or Check basic integrity & certified devices.

Select the evaluation type you want to use to compute the SafetyNet device
attestation response.
Not configured (default) - Defaults to basic evaluation.
Hardware-backed key - Require that hardware-backed key attestation is used
for SafetyNet evaluation. Devices that don't support hardware-backed key
attestation are marked as not compliant.

For more information about SafetyNet and which devices support hardware-
backed key attestation, see Evaluation types in the SafetyNet documentation for
Android.

Note

On Android Enterprise devices, Threat scan on apps is a device configuration
policy. Using a configuration policy, administrators can enable the setting on a
device. See Android Enterprise device restriction settings.

Device Properties - for Personally-Owned Work Profile

Operating System Version - for Personally-Owned Work Profile

Minimum OS version

When a device doesn't meet the minimum OS version requirement, it's reported as
non-compliant. A link with information on how to upgrade is shown. The end user
can upgrade their device, and then access organization resources.

By default, no version is configured.

Maximum OS version

When a device is using an OS version later than the version in the rule, access to
organization resources is blocked. The user is asked to contact their IT
administrator. Until a rule is changed to allow the OS version, this device can't
access organization resources.

By default, no version is configured.

System security - for Personally-Owned Work Profile

Encryption - for Personally-Owned Work Profile
Require encryption of data storage on device
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Encrypt data storage on your devices.

You don't have to configure this setting because Android Enterprise devices
enforce encryption.

Device Security - for Personally-Owned Work Profile

Block apps from unknown sources
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Block - Block devices that have Security > Unknown Sources enabled
(supported on Android 4.0 through Android 7.x; not supported on Android 8.0 and
later).

To side-load apps, unknown sources must be allowed. If you're not side-loading
Android apps, then set this feature to Block to enable this compliance policy.

Important

Side-loading applications requires that the Block apps from unknown sources
setting is enabled. Enforce this compliance policy only if you're not side-
loading Android apps on devices.

You don't have to configure this setting as Android Enterprise devices always
restrict installation from unknown sources.

Company portal app runtime integrity

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Choose Require to confirm the Company Portal app meets all the
following requirements:
Has the default runtime environment installed
Is properly signed
Isn't in debug-mode
Is installed from a known source

Block USB debugging on device

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Block - Prevent devices from using the USB debugging feature.

You don't have to configure this setting because USB debugging is already
disabled on Android Enterprise devices.

Minimum security patch level

Select the oldest security patch level a device can have. Devices that aren't at least
at this patch level are noncompliant. The date must be entered in the YYYY-MM-
DD format.

By default, no date is configured.

Require a password to unlock mobile devices

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Users must enter a password before they can access their device.

This setting applies at the device level. If you only need to require a password at
the Personally-Owned Work Profile level, then use a configuration policy. See
Android Enterprise device configuration settings.

All Android devices - for Personally-Owned Work Profile

Number of days until password expires

Enter the number of days, between 1-365, until the device password must be
changed. For example, to change the password after 60 days, enter 60 . When the
password expires, users are prompted to create a new password.

Number of previous passwords to prevent reuse

Enter the number of recent passwords that can't be reused. Use this setting to
restrict the user from creating previously used passwords.

Maximum minutes of inactivity before password is required

Enter the idle time before the user must reenter their password. Options include
the default of Not configured, and from 1 Minute to 8 hours.

Android 12 and later - for Personally-Owned Work Profile

Password complexity

Use this setting to set the password complexity requirements. Your options:
None - This setting isn't evaluated for compliance or non-compliance.
Low - A pattern or PIN with repeating (4444) or ordered (1234, 4321, 2468)
sequences is allowed.
Medium - PINs with repeating (4444) or ordered (1234, 4321, 2468) sequences
are blocked. The length, alphabetic length, or alphanumeric length must be at
least 4 characters.
High - PINs with repeating (4444) or ordered (1234, 4321, 2468) sequences are
blocked. The length must be at least 8 characters. The alphabetic or
alphanumeric length must be at least 6 characters.

On personally owned devices with a work profile, there are two passwords affected
by this Password complexity setting:
The device password that unlocks the device
The work profile password that allows users to access the work profile

If the device password complexity is too low, then the device password is
automatically changed to require a High complexity. The end users must update
the device password to meet the complexity requirements. Then, they sign into the
work profile and are prompted to update the work profile complexity configured in
the Password complexity setting in your policy.
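The Python below is an added example, not Intune's or Android's implementation: it classifies a lock-screen credential into the None/Low/Medium/High levels of the Password complexity setting above and reuses the same sequence check for the Numeric complex required password type (repeated or consecutive numerals not allowed). Assumptions made here: a blocked "sequence" is a run of four or more characters whose consecutive character codes change by a constant step (which covers the 4444, 1234, 4321 and 2468 examples on the page), any credential that is not all digits is treated as an alphabetic or alphanumeric password, and an empty credential maps to None.

```python
"""Password complexity classifier for the levels described above.

Added example, not Intune's or Android's code. The 4-character sequence
threshold and the handling of non-numeric credentials are assumptions.
"""
from typing import Optional

LEVELS = ["none", "low", "medium", "high"]   # least to most strict
SEQUENCE_RUN = 4                              # assumption: 4444, 1234, 2468 are all 4 long


def longest_constant_step_run(s: str) -> int:
    """Length of the longest run in which every step between neighbouring
    characters is the same (step 0 = repeating, +1/-1 = ordered, 2 = 2468)."""
    if len(s) < 2:
        return len(s)
    best = run = 2
    for i in range(2, len(s)):
        if ord(s[i]) - ord(s[i - 1]) == ord(s[i - 1]) - ord(s[i - 2]):
            run += 1
        else:
            run = 2
        best = max(best, run)
    return best


def has_sequence(pin: str) -> bool:
    """True when the PIN contains a repeating or ordered run (1235 is allowed)."""
    return longest_constant_step_run(pin) >= SEQUENCE_RUN


def complexity(credential: str, kind: Optional[str] = None) -> str:
    """Highest level the credential satisfies. kind="pattern" marks pattern
    unlock; otherwise PIN versus password is inferred from the characters."""
    if not credential:
        return "none"
    if kind == "pattern":
        return "low"                          # a pattern never exceeds Low
    if credential.isdigit():                  # numeric PIN
        if has_sequence(credential):
            return "low"                      # sequences cap a PIN at Low
        if len(credential) >= 8:
            return "high"
        return "medium" if len(credential) >= 4 else "low"
    if len(credential) >= 6:                  # alphabetic or alphanumeric
        return "high"
    return "medium" if len(credential) >= 4 else "low"


def meets_complexity(credential: str, required: str, kind: Optional[str] = None) -> bool:
    """True when the credential is at or above the policy's Password complexity."""
    return LEVELS.index(complexity(credential, kind)) >= LEVELS.index(required)


def numeric_complex_ok(pin: str, minimum_length: int) -> bool:
    """Required password type = Numeric complex with the given Minimum password
    length (4 to 16 on the page): digits only, long enough, no sequences."""
    return pin.isdigit() and len(pin) >= minimum_length and not has_sequence(pin)


if __name__ == "__main__":
    for cred in ("1234", "4444", "2468", "1235", "7401", "74019253", "abcd", "p4ssw0rd"):
        print(f"{cred:10} -> {complexity(cred)}")
```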

Important

Before the Password complexity setting was available, the Required
password type and Minimum password length settings were used. These
settings are still available, but they're deprecated by Google for Android 12+
personally owned devices with a work profile. For information on these
settings, go to Android 11 and earlier (in this article).

Here's what you need to know:

If the Required password type setting is changed from the Device default
value in a policy, then:

Newly enrolled Android Enterprise 12+ devices will automatically use
the Password complexity setting with the High complexity. So if you
don't want a High password complexity, then create a new policy for
Android Enterprise 12+ devices and configure the Password complexity
setting.

Existing Android Enterprise 12+ devices will continue to use the
Required password type setting and the existing value configured.
If you change an existing policy with the Required password type
setting that's already configured, then Android Enterprise 12+ devices
will automatically use the Password complexity setting with the High
complexity.

For Android Enterprise 12+ devices, it's recommended to configure the
Password complexity setting.

If the Required password type setting isn't changed from the Device
default value in a policy, then no password policy is automatically applied
to newly enrolled Android Enterprise 12+ devices.

Android 11 and earlier - for Personally-Owned Work Profile

Important

Google is deprecating the Required password type and Minimum
password length settings for Android 12+ personally owned devices with a
work profile and replacing them with new password complexity requirements. For
more information about this change, go to Day zero support for Android
13.
On Android Enterprise 12+ devices, use the Password complexity setting.

Required password type

Choose if a password should include only numeric characters, or a mix of numerals
and other characters. Your options:
Device Default: Because the Device Default varies by device model, use one of
the other values for more control and consistency across all devices.
Low security biometric
At least numeric (default): Enter the minimum password length a user must
enter, between 4 and 16 characters.
Numeric complex: Enter the minimum password length a user must enter,
between 4 and 16 characters.
At least alphabetic: Enter the minimum password length a user must enter,
between 4 and 16 characters.
At least alphanumeric: Enter the minimum password length a user must enter,
between 4 and 16 characters.
At least alphanumeric with symbols: Enter the minimum password length a
user must enter, between 4 and 16 characters.

Depending on the Required password type you select, the following setting is available:

Minimum password length

Enter the minimum length the password must have, between 4 and 16 characters.

Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
See the compliance policy settings for Android devices.
Device Compliance settings for iOS/iPadOS in Intune
Article • 03/02/2023

This article lists and describes the different compliance settings you can configure on
iOS/iPadOS devices in Intune. As part of your mobile device management (MDM)
solution, use these settings to require an email, mark rooted (jailbroken) devices as not
compliant, set an allowed threat level, set passwords to expire, and more.

This feature applies to:

iOS
iPadOS

As an Intune administrator, use these compliance settings to help protect your
organizational resources. To learn more about compliance policies, and what they do,
see get started with device compliance.

Before you begin

When configuring compliance policies, the broad range of settings enables you to tailor
protection to your specific needs. To better understand how to implement specific
security configuration scenarios, see the security configuration framework guidance for
iOS compliance policies.

The security configuration framework is organized into distinct configuration levels that
provide guidance for personally owned and supervised devices, with each level building
off the previous level.

For details about the settings for each level:

For personally owned and for supervised devices, see iOS/iPadOS device
compliance security configurations

When you're ready to proceed, create an iOS/iPadOS device compliance policy.

Email
Unable to set up email on the device
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - A managed email account is required. If the user already has an email
account on the device, the email account must be removed so Intune can set
one up correctly. If no email account exists on the device, the user should
contact the IT administrator to configure a managed email account.

The device is considered non-compliant in the following situations:

The email profile is assigned to a different user group than the user group
targeted by the compliance policy.
The user already set up an email account on the device that matches the Intune
email profile deployed to the device. Intune can't overwrite the user-configured
profile, and Intune can't manage it. To be compliant, the end user must remove
the existing email settings. Then, Intune can install the managed email profile.

For details about email profiles, see configure access to organization email using email
profiles with Intune.

Device Health
Jailbroken devices

Supported for iOS 8.0 and later

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Block - Mark rooted (jailbroken) devices as not compliant.

Require the device to be at or under the Device Threat Level

Supported for iOS 8.0 and later

Use this setting to take the risk assessment as a condition for compliance. Choose
the allowed threat level:
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Secured - This option is the most secure, and means that the device can't have
any threats. If the device is detected with any level of threats, it's evaluated as
non-compliant.
Low - The device is evaluated as compliant if only low-level threats are present.
Anything higher puts the device in a non-compliant status.
Medium - The device is evaluated as compliant if the threats that are present on
the device are low or medium level. If the device is detected to have high-level
threats, it's determined to be non-compliant.
High - This option is the least secure, as it allows all threat levels. It may be
useful if you're using this solution only for reporting purposes.

Device Properties

Operating System Version

Minimum OS version

Supported for iOS 8.0 and later

When a device doesn't meet the minimum OS version requirement, it's reported as
non-compliant. A link with information on how to upgrade is shown. The end user
can choose to upgrade their device. After that, they can access organization
resources.

Maximum OS version

Supported for iOS 8.0 and later

When a device uses an OS version later than the version in the rule, access to
organization resources is blocked. The end user is asked to contact their IT
administrator. The device can't access organization resources until a rule changes
to allow the OS version.

Minimum OS build version

Supported for iOS 8.0 and later

When Apple publishes security updates, the build number is typically updated, not
the OS version. Use this feature to specify a minimum allowed build number on the
device. For Apple Rapid Security Response updates, enter the supplemental build
version, such as 20E772520a.

Maximum OS build version

Supported for iOS 8.0 and later

When Apple publishes security updates, the build number is typically updated, not
the OS version. Use this feature to enter a maximum allowed build number on the
device. For Apple Rapid Security Response updates, enter the supplemental build
version, such as 20E772520a.

Microsoft Defender for Endpoint

Require the device to be at or under the machine risk score

Select the maximum allowed machine risk score for devices evaluated by Microsoft
Defender for Endpoint. Devices that exceed this score get marked as
noncompliant.
Not configured (default)
Clear
Low
Medium
High

System Security

Password

Note

After a compliance or configuration policy is applied to an iOS/iPadOS device, users
are prompted to set a passcode every 15 minutes. Users are continually prompted
until a passcode is set. When a passcode is set for the iOS/iPadOS device, the
encryption process automatically starts. The device remains encrypted until the
passcode is disabled.

Require a password to unlock mobile devices

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Users must enter a password before they can access their device.
iOS/iPadOS devices that use a password are encrypted.

Simple passwords

Supported for iOS 8.0 and later

Not configured (default) - Users can create simple passwords like 1234 or 1111.
Block - Users can't create simple passwords, such as 1234 or 1111.

Minimum password length

Supported for iOS 8.0 and later

Enter the minimum number of digits or characters that the password must have.

Required password type

Supported for iOS 8.0 and later

Choose if a password should have only Numeric characters, or if there should be a
mix of numbers and other characters (Alphanumeric).

Number of non-alphanumeric characters in password

Enter the minimum number of special characters, such as &, #, %, !, and so on,
that must be in the password.

Setting a higher number requires the user to create a password that is more
complex.

Maximum minutes after screen lock before password is required

Supported for iOS 8.0 and later

Specify how soon after the screen is locked before a user must enter a password to
access the device. Options include the default of Not configured, Immediately, and
from 1 Minute to 4 hours.

Maximum minutes of inactivity until screen locks

Enter the idle time before the device locks its screen. Options include the default of
Not configured, Immediately, and from 1 Minute to 15 Minutes.

Password expiration (days)

Supported for iOS 8.0 and later

Select the number of days before the password expires, and they must create a
new one.

Number of previous passwords to prevent reuse

Supported for iOS 8.0 and later

Enter the number of previously used passwords that can't be used.

Device Security
Restricted apps

You can restrict apps by adding their bundle IDs to the policy. If a device has the
app installed, the device is marked as non-compliant.
App name - Enter a user-friendly name to help you identify the bundle ID.
App Bundle ID - Enter the unique bundle identifier assigned by the app
provider. To find the bundle ID, see Bundle IDs for native iOS and iPadOS
apps at Support.apple.com, or contact the software vendor of the app.

Note

The Restricted apps setting applies to unmanaged applications that are
installed outside of the management context.

Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
See the compliance policy settings for macOS devices.
Device compliance settings for Linux in Intune
Article • 03/15/2023

This article lists and describes the different compliance settings you can configure for
Linux devices in Intune.

For Linux, compliance settings are available from the settings catalog instead of from a
pre-determined template as seen for other platforms. Therefore, when configuring a
compliance policy for Linux you choose the settings you want to include in your policy
by browsing the catalog and selecting them.

In addition to the platform-specific compliance policy, devices are also governed by
tenant-wide compliance policy settings. To manage the tenant-wide compliance policy
settings in your tenant, sign in to Microsoft Endpoint Manager admin center and go to
Endpoint security > Device compliance > Compliance policy settings.

To learn more about compliance policies, and what they do, see get started with device
compliance.

This feature applies to:

Linux

Linux settings categories

Compliance policies for Linux can include settings from the following categories. Where
applicable, guidance on configuring the setting is provided.

Allowed Distros
Add entries that define a maximum and minimum OS version for a Linux distribution
type.

Users of devices that fail to meet the defined criteria need to install a different version or
distribution of Linux to bring the device into compliance.

Custom Compliance
Add the settings in this category when you use custom compliance settings for Linux.
For information about the available settings for custom compliance and how to use
them, see Use custom compliance policies and settings for Linux and Windows devices
with Microsoft Intune.

Device Encryption
Add settings to manage disk encryption.

Require Device Encryption – Specifies whether device-level encryption is required
for writable fixed disks on this computer.

Users of devices that aren’t encrypted receive a message that they must encrypt
the drives to bring the device into compliance.

There are several options for disk and partition encryption on Linux operating
systems. At this time, Intune recognizes any encryption system that uses the
underlying dm-crypt subsystem that has been standard on Linux systems for
some time.

The preferred method of setting up dm-crypt is to use the LUKS format with the
cryptsetup tool.

Keep the following things in mind when configuring encryption:

Encrypting Linux system volumes after installation is possible, but potentially
very time consuming. Microsoft recommends setting up disk encryption while
installing the operating system.
Not all filesystem partitions need to be encrypted to meet organizational
standards. The following are ignored:
Read-only partitions
Pseudo-filesystems like /proc or tmpfs
The /boot or /boot/efi partitions
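The following is an added example, not Intune's own check: it applies the Require Device Encryption rule and the exclusions listed above to a /proc/mounts style table, reporting every writable fixed-disk filesystem that is not backed by a dm-crypt (LUKS) device. The mount table, the set of crypt-backed devices, the list of pseudo-filesystems beyond /proc and tmpfs, and the treatment of network sources as not being fixed disks are all assumptions made for the example.

```python
# Added example, not Intune's own code: a local check that mirrors the
# "Require Device Encryption" rule. Read-only partitions, pseudo-filesystems
# and /boot or /boot/efi are ignored; every other writable filesystem on a
# /dev/ block device must be backed by a dm-crypt (LUKS) device.
# On a real host the mount table comes from /proc/mounts and the crypt-backed
# set from `lsblk -s -o NAME,TYPE` (a `crypt` ancestor marks a dm-crypt volume);
# here both are constructed sample data.
from __future__ import annotations

from dataclasses import dataclass

# Kernel-provided views that hold no persistent data on a fixed disk.
# The page names /proc and tmpfs; the rest of this list is an assumption.
PSEUDO_FS = {
    "proc", "sysfs", "tmpfs", "devtmpfs", "devpts", "cgroup", "cgroup2",
    "securityfs", "debugfs", "tracefs", "pstore", "efivarfs", "bpf",
    "configfs", "fusectl", "hugetlbfs", "mqueue", "autofs", "ramfs",
}

# Mount points the text says are ignored.
IGNORED_MOUNTPOINTS = {"/boot", "/boot/efi"}


@dataclass(frozen=True)
class Mount:
    source: str          # block device or pseudo source, e.g. /dev/sda1 or proc
    target: str          # mount point
    fstype: str          # ext4, vfat, proc, tmpfs, ...
    options: frozenset   # mount options, e.g. {"rw", "relatime"}


def parse_proc_mounts(text: str) -> list[Mount]:
    """Parse the first four fields of each /proc/mounts line."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        source, target, fstype, opts = fields[:4]
        # /proc/mounts escapes spaces in paths as \040.
        target = target.replace("\\040", " ")
        mounts.append(Mount(source, target, fstype, frozenset(opts.split(","))))
    return mounts


def is_evaluated(mount: Mount) -> bool:
    """True if the encryption rule applies to this mount (the page's exclusions)."""
    if "ro" in mount.options:
        return False          # read-only partitions are ignored
    if mount.fstype in PSEUDO_FS:
        return False          # /proc, tmpfs and similar
    if mount.target in IGNORED_MOUNTPOINTS:
        return False          # /boot and /boot/efi
    if not mount.source.startswith("/dev/"):
        return False          # network or bind sources are not fixed disks (assumption)
    return True


def evaluate_device_encryption(proc_mounts_text: str, crypt_backed: set[str]):
    """Return (compliant, list of mount points that are not dm-crypt backed)."""
    unencrypted = [
        m.target
        for m in parse_proc_mounts(proc_mounts_text)
        if is_evaluated(m) and m.source not in crypt_backed
    ]
    return (not unencrypted, unencrypted)


# Constructed sample: root on LUKS, a plain unencrypted data disk, and the
# partitions and pseudo-filesystems the rule must ignore.
SAMPLE_MOUNTS = """\
/dev/mapper/cryptroot / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sda2 /boot/efi vfat rw,relatime,fmask=0077 0 0
/dev/sr0 /media/cdrom iso9660 ro,nosuid,nodev,relatime 0 0
/dev/sdb1 /data ext4 rw,relatime 0 0
server:/export /mnt/share nfs4 rw,relatime 0 0
"""

# Constructed: the devices lsblk would show with a `crypt` ancestor.
SAMPLE_CRYPT_BACKED = {"/dev/mapper/cryptroot"}

if __name__ == "__main__":
    ok, bad = evaluate_device_encryption(SAMPLE_MOUNTS, SAMPLE_CRYPT_BACKED)
    print("compliant" if ok else f"not compliant, unencrypted: {bad}")
```

With the sample data the device is reported not compliant because /data on /dev/sdb1 is writable and not crypt-backed, while /boot, /boot/efi, the read-only CD and the pseudo-filesystems are skipped.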

Password Policy
Enforce common password requirements for Linux devices:

Minimum Lowercase - Specifies the minimum number of lowercase letters a
password must contain.
Minimum Uppercase - Specifies the minimum number of uppercase letters a
password must contain.
Minimum Symbols - Specifies the minimum number of symbols a password must
contain.
Minimum Length - Specifies the minimum number of total characters a password
must contain.
Minimum Digits - Specifies the minimum number of digits a password must
contain.

Users that fail to meet password complexity requirements can receive a message that
they must use a strong password to bring the device into compliance.

Refresh compliance status

If you must modify a device’s configuration, use one of the following methods to refresh
the device compliance status with Intune after making changes:

If the Microsoft Intune app is still running, on the app's device details page or the
compliance issues page, select the Refresh link. The device starts a new check-in.

If the Microsoft Intune app isn't running, start the app and sign in. Signing in starts
a new check-in.

By default, the Microsoft Intune app periodically uses a background task to check
in while the computer is on and logged in.

Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
Device Compliance settings for macOS settings in Intune
Article • 05/08/2023

This article lists and describes the different compliance settings you can configure on
macOS devices in Intune. As part of your mobile device management (MDM) solution,
use these settings to set a minimum or maximum OS version, set passwords to expire,
and more.

This feature applies to:

macOS

As an Intune administrator, use these compliance settings to help protect your
organizational resources. To learn more about compliance policies, and what they do,
see get started with device compliance.

Before you begin

Create a compliance policy. For Platform, select macOS.

Note

Device compliance evaluation is not supported for userless macOS devices.

Device Health
Require a system integrity protection
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Require macOS devices to have System Integrity Protection (opens
Apple's web site) enabled.

Device Properties
Minimum OS required

When a device doesn't meet the minimum OS version requirement, it's reported as
non-compliant. A link with information on how to upgrade is shown. The device
user can choose to upgrade their device. After that, they can access organization
resources.

Maximum OS version allowed

When a device uses an OS version later than the version in the rule, access to
organization resources is blocked. The device user is asked to contact their IT
administrator. The device can't access organization resources until a rule changes
to allow the OS version.

Minimum OS build version

When Apple publishes security updates, the build number is typically updated, not
the OS version. Use this feature to enter a minimum allowed build number on the
device. For Apple Rapid Security Response updates, enter the supplemental build
version, such as 22E772610a.

Maximum OS build version

When Apple publishes security updates, the build number is typically updated, not
the OS version. Use this feature to enter a maximum allowed build number on the
device. For Apple Rapid Security Response updates, enter the supplemental build
version, such as 22E772610a.

System security settings

Password
Require a password to unlock mobile devices
Not configured (default)
Require - Users must enter a password before they can access their device.

Simple passwords
Not configured (default) - Users can create simple passwords like 1234 or 1111.
Block - Users can't create simple passwords, such as 1234 or 1111.

Minimum password length

Enter the minimum number of digits or characters that the password must have.

Password type

Choose if a password should have only Numeric characters, or if there should be a
mix of numbers and other characters (Alphanumeric).

Number of non-alphanumeric characters in password

Enter the minimum number of special characters, such as &, #, %, !, and so on,
that must be in the password.

Setting a higher number requires the user to create a password that is more
complex.

Maximum minutes of inactivity before password is required

Enter the idle time before the user must reenter their password.

Password expiration (days)

Select the number of days before the password expires, and users must create a
new one.

Number of previous passwords to prevent reuse

Enter the number of previously used passwords that can't be used.

Important

When the password requirement is changed on a macOS device, it doesn't take
effect until the next time the user changes their password. For example, if you set
the password length restriction to eight digits, and the macOS device currently has
a six-digit password, then the device remains compliant until the next time the
user updates their password on the device.

Encryption
Encryption of data storage on a device
Not configured (default)
Require - Use Require to encrypt data storage on your devices.

Device Security
Firewall protects devices from unauthorized network access. You can use Firewall to
control connections on a per-application basis.

Firewall
Not configured (default) - This setting leaves the firewall turned off, and
network traffic is allowed (not blocked).
Enable - Use Enable to help protect devices from unauthorized access. Enabling
this feature allows you to handle incoming internet connections, and use stealth
mode.

Incoming connections
Not configured (default) - Allows incoming connections and sharing services.
Block - Block all incoming network connections except the connections required
for basic internet services, such as DHCP, Bonjour, and IPSec. This setting also
blocks all sharing services, including screen sharing, remote access, iTunes
music sharing, and more.

Stealth Mode
Not configured (default) - This setting leaves stealth mode turned off.
Enable - Turn on stealth mode to prevent devices from responding to probing
requests, which can be made by malicious users. When enabled, the device
continues to answer incoming requests for authorized apps.

Gatekeeper
For more information, see Gatekeeper on macOS (opens Apple's web site).

Allow apps downloaded from these locations

Allows supported applications to be installed on your devices from different
locations. Your location options:
Not configured (default) - The Gatekeeper option has no impact on compliance
or non-compliance.
Mac App Store - Only install apps from the Mac App Store. Apps can't be installed
from third parties or identified developers. If a user selects Gatekeeper to
install apps outside the Mac App Store, then the device is considered not
compliant.
Mac App Store and identified developers - Install apps from the Mac App Store
and from identified developers. macOS checks the identity of developers, and
does some other checks to verify app integrity. If a user selects Gatekeeper to
install apps outside these options, then the device is considered not compliant.
Anywhere - Apps can be installed from anywhere, and by any developer. This
option is the least secure.

Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
See the compliance policy settings for iOS devices.
Device Compliance settings for Windows 10/11 in Intune
Article • 02/21/2023

This article lists and describes the different compliance settings you can configure on
Windows devices in Intune. As part of your mobile device management (MDM) solution,
use these settings to require BitLocker, set a minimum and maximum operating system,
set a risk level using Microsoft Defender for Endpoint, and more.

This feature applies to:

Windows 10/11
Windows Holographic for Business
Surface Hub

As an Intune administrator, use these compliance settings to help protect your
organizational resources. To learn more about compliance policies, and what they do,
see get started with device compliance.

Before you begin

Create a compliance policy. For Platform, select Windows 10 and later.

Device Health

Windows Health Attestation Service evaluation rules

Require BitLocker:

Windows BitLocker Drive Encryption encrypts all data stored on the Windows
operating system volume. BitLocker uses the Trusted Platform Module (TPM) to
help protect the Windows operating system and user data. It also helps confirm
that a computer isn't tampered with, even if it's left unattended, lost, or stolen. If
the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock
the encryption keys that protect the data. As a result, the keys can't be accessed
until the TPM verifies the state of the computer.
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - The device can protect data that's stored on the drive from
unauthorized access when the system is off, or hibernates.
Device HealthAttestation CSP - BitLockerStatus

Note

If using a device compliance policy in Intune, be aware that the state of this
setting is only measured at boot time. Therefore, even though BitLocker
encryption may have completed, a reboot is required for the device to detect
this and become compliant. For more information, see the following Microsoft
support blog on Device Health Attestation.

Require Secure Boot to be enabled on the device:

Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - The system is forced to boot to a factory trusted state. The core
components that are used to boot the machine must have correct cryptographic
signatures that are trusted by the organization that manufactured the device.
The UEFI firmware verifies the signature before it lets the machine start. If any
files are tampered with, which breaks their signature, the system doesn't boot.

Note

The Require Secure Boot to be enabled on the device setting is supported on
some TPM 1.2 and 2.0 devices. For devices that don't support TPM 2.0 or later,
the policy status in Intune shows as Not Compliant. For more information on
supported versions, see Device Health Attestation.

Require code integrity:

Code integrity is a feature that validates the integrity of a driver or system file each
time it's loaded into memory.
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Require code integrity, which detects if an unsigned driver or system
file is being loaded into the kernel. It also detects if a system file is changed by
malicious software or run by a user account with administrator privileges.

More resources:

For details about how the Health Attestation service works, see Health Attestation
CSP.
Support Tip: Using Device Health Attestation Settings as Part of Your Intune
Compliance Policy.
Device Properties

Operating System Version

To discover build versions for all Windows 10/11 Feature Updates and Cumulative
Updates (to be used in some of the fields below), see Windows release information. Be
sure to include the appropriate version prefix before the build numbers, like 10.0 for
Windows 10 as the following examples illustrate.

Minimum OS version:

Enter the minimum allowed version in the major.minor.build.revision number
format. To get the correct value, open a command prompt, and type ver. The ver
command returns the version in the following format:

Microsoft Windows [Version 10.0.17134.1]

When a device has an earlier version than the OS version you enter, it's reported as
noncompliant. A link with information on how to upgrade is shown. The end user
can choose to upgrade their device. After they upgrade, they can access company
resources.

Maximum OS version:

Enter the maximum allowed version, in the major.minor.build.revision number
format. To get the correct value, open a command prompt, and type ver. The ver
command returns the version in the following format:

Microsoft Windows [Version 10.0.17134.1]

When a device is using an OS version later than the version entered, access to
organization resources is blocked. The end user is asked to contact their IT
administrator. The device can't access organization resources until the rule is
changed to allow the OS version.

Minimum OS required for mobile devices:

Enter the minimum allowed version, in the major.minor.build number format.

When a device has an earlier version than the OS version you enter, it's reported as
noncompliant. A link with information on how to upgrade is shown. The end user
can choose to upgrade their device. After they upgrade, they can access company
resources.

Maximum OS required for mobile devices:

Enter the maximum allowed version, in the major.minor.build number format.

When a device is using an OS version later than the version entered, access to
organization resources is blocked. The end user is asked to contact their IT
administrator. The device can't access organization resources until the rule is
changed to allow the OS version.

Valid operating system builds:

Specify a list of minimum and maximum operating system builds. Valid operating
system builds provides additional flexibility when compared against minimum and
maximum OS versions. Consider a scenario where minimum OS version is set to
10.0.18362.xxx (Windows 10 1903) and maximum OS version is set to
10.0.18363.xxx (Windows 10 1909). This configuration can allow a Windows 10
1903 device that doesn't have recent cumulative updates installed to be identified
as compliant. Minimum and maximum OS versions might be suitable if you have
standardized on a single Windows 10 release, but might not address your
requirements if you need to use multiple builds, each with specific patch levels. In
such a case, consider leveraging valid operating system builds instead, which
allows multiple builds to be specified as per the following example.

Example:

The following table is an example of a range for the acceptable operating systems
versions for different Windows 10 releases. In this example, three different Feature
Updates have been allowed (1809, 1909 and 2004). Specifically, only those versions
of Windows and which have applied cumulative updates from June to September
2020 will be considered to be compliant. This is sample data only. The table
includes a first column that includes any text you want to describe the entry,
followed by the minimum and maximum OS version for that entry. The second and
third columns must adhere to valid OS build versions in the
major.minor.build.revision number format. After you define one or more entries,
you can Export the list as a comma-separated values (CSV) file.

Description                   Minimum OS version   Maximum OS version
Win 10 2004 (Jun-Sept 2020)   10.0.19041.329       10.0.19041.508
Win 10 1909 (Jun-Sept 2020)   10.0.18363.900       10.0.18363.1110
Win 10 1809 (Jun-Sept 2020)   10.0.17763.1282      10.0.17763.1490
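As an added example (not Intune's own evaluation code), the following parses the `ver` output format quoted above and checks a device against the sample Valid operating system builds table, then contrasts that with a single minimum/maximum window spanning the same releases. The table rows are the page's sample data; the device versions and the window bounds are constructed for the example.

```python
# Added example, not Intune's own code: evaluate a Windows device version
# against the sample "Valid operating system builds" table and against a
# plain minimum/maximum OS version window, to show why the per-release
# table is the stricter check when several feature updates are in use.
import re

# Matches the output of `ver`: Microsoft Windows [Version 10.0.17134.1]
VER_RE = re.compile(r"\[Version (\d+)\.(\d+)\.(\d+)\.(\d+)\]")


def parse_ver_output(ver_output: str) -> tuple:
    """Extract (major, minor, build, revision) from `ver` output."""
    match = VER_RE.search(ver_output)
    if match is None:
        raise ValueError(f"unrecognised ver output: {ver_output!r}")
    return tuple(int(part) for part in match.groups())


def parse_version(text: str) -> tuple:
    """'10.0.19041.329' -> (10, 0, 19041, 329); tuples compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build.revision, got {text!r}")
    return tuple(int(p) for p in parts)


# Sample data from the page: three feature updates, each limited to the
# cumulative updates released June to September 2020.
VALID_BUILDS = [
    ("Win 10 2004 (Jun-Sept 2020)", "10.0.19041.329", "10.0.19041.508"),
    ("Win 10 1909 (Jun-Sept 2020)", "10.0.18363.900", "10.0.18363.1110"),
    ("Win 10 1809 (Jun-Sept 2020)", "10.0.17763.1282", "10.0.17763.1490"),
]


def in_window(version: tuple, minimum: str, maximum: str) -> bool:
    """A plain Minimum OS version / Maximum OS version check."""
    return parse_version(minimum) <= version <= parse_version(maximum)


def matching_valid_build(version: tuple, table=VALID_BUILDS):
    """Description of the first table row whose range covers the version, else None."""
    for description, minimum, maximum in table:
        if in_window(version, minimum, maximum):
            return description
    return None


if __name__ == "__main__":
    # Constructed device versions: a 1909 device with a mid-2020 cumulative
    # update, and a 1903 device that never received the 2020 updates.
    patched_1909 = parse_ver_output("Microsoft Windows [Version 10.0.18363.900]")
    stale_1903 = parse_ver_output("Microsoft Windows [Version 10.0.18362.30]")
    # A single window that spans the oldest and newest builds in the table.
    window = ("10.0.17763.1282", "10.0.19041.508")
    for name, version in (("patched 1909", patched_1909), ("stale 1903", stale_1903)):
        print(name,
              "| min/max window:", in_window(version, *window),
              "| valid builds:", matching_valid_build(version))
```

The stale 1903 device passes the single window because 18362 lies between 17763 and 19041, but it matches no row of the table, which is the gap the text describes.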

Configuration Manager Compliance

Applies only to co-managed devices running Windows 10/11. Intune-only devices return
a not available status.
Require device compliance from Configuration Manager:
Not configured (default) - Intune doesn't check for any of the Configuration
Manager settings for compliance.
Require - Require all settings (configuration items) in Configuration Manager to
be compliant.

System Security

Password
Require a password to unlock mobile devices:
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Users must enter a password before they can access their device.

Simple passwords:
Not configured (default) - Users can create simple passwords, such as 1234 or
1111.
Block - Users can't create simple passwords, such as 1234 or 1111.

Password type:

Choose the type of password or PIN required. Your options:
Device default (default) - Require a password, numeric PIN, or alphanumeric PIN.
Numeric - Require a password or numeric PIN.
Alphanumeric - Require a password or alphanumeric PIN.

When set to Alphanumeric, the following settings are available:

Password complexity:

Your options:
Require digits and lowercase letters (default)
Require digits, lowercase letters, and uppercase letters
Require digits, lowercase letters, uppercase letters, and special characters

 Tip

The Alphanumeric password policies can be complex. We encourage
administrators to read the CSPs for more information:
DeviceLock/AlphanumericDevicePasswordRequired CSP
DeviceLock/MinDevicePasswordComplexCharacters CSP

Minimum password length:

Enter the minimum number of digits or characters that the password must have.

Maximum minutes of inactivity before password is required:

Enter the idle time before the user must reenter their password.

Password expiration (days):

Enter the number of days before the password expires, and they must create a new
one, from 1-730.

Number of previous passwords to prevent reuse:

Enter the number of previously used passwords that can't be used.

Require password when device returns from idle state (Mobile and Holographic):
Not configured (default)
Require - Require device users to enter the password every time the device
returns from an idle state.

Important

When the password requirement is changed on a Windows desktop, users are
impacted the next time they sign in, as that's when the device goes from idle
to active. Users with passwords that meet the requirement are still prompted
to change their passwords.

Encryption
Encryption of data storage on a device:

This setting applies to all drives on a device.
Not configured (default)
Require - Use Require to encrypt data storage on your devices.

DeviceStatus CSP - DeviceStatus/Compliance/EncryptionCompliance

Note

The Encryption of data storage on a device setting generically checks for the
presence of encryption on the device, more specifically at the OS drive level.
Currently, Intune supports only the encryption check with BitLocker. For a
more robust encryption setting, consider using Require BitLocker, which
leverages Windows Device Health Attestation to validate BitLocker status at
the TPM level. However, when leveraging this setting, be aware that a reboot
may be required before the device will reflect as compliant.

Device Security
Firewall:
Not configured (default) - Intune doesn't control the Microsoft Defender
Firewall, nor change existing settings.
Require - Turn on the Microsoft Defender Firewall, and prevent users from
turning it off.

Firewall CSP

Note

If the device immediately syncs after a reboot, or immediately syncs waking
from sleep, then this setting may report as an Error. This scenario might
not affect the overall device compliance status. To re-evaluate the
compliance status, manually sync the device.

If a configuration is applied (for example, via a group policy) to a device
that configures Defender Firewall to allow all inbound traffic, or turns off
the firewall, setting Firewall to Require will return Not compliant, even if
Intune device configuration policy turns Firewall on. This is because the
group policy object overrides the Intune policy. To fix this issue, we
recommend that you remove any conflicting group policy settings, or that
you migrate your Firewall-related group policy settings to Intune device
configuration policy. In general, we recommend that you keep default
settings, including blocking inbound connections. For more information,
see Best practices for configuring Windows Defender Firewall.

Trusted Platform Module (TPM):

Not configured (default) - Intune doesn't check the device for a TPM chip
version.
Require - Intune checks the TPM chip version for compliance. The device is
compliant if the TPM chip version is greater than 0 (zero). The device isn't
compliant if there isn't a TPM version on the device.

DeviceStatus CSP - DeviceStatus/TPM/SpecificationVersion


Antivirus:
Not configured (default) - Intune doesn't check for any antivirus solutions
installed on the device.
Require - Check compliance using antivirus solutions that are registered with
Windows Security Center, such as Symantec and Microsoft Defender.

DeviceStatus CSP - DeviceStatus/Antivirus/Status

Antispyware:
Not configured (default) - Intune doesn't check for any antispyware solutions
installed on the device.
Require - Check compliance using antispyware solutions that are registered
with Windows Security Center, such as Symantec and Microsoft Defender.

DeviceStatus CSP - DeviceStatus/Antispyware/Status

Defender
The following compliance settings are supported with Windows 10/11 Desktop.

Microsoft Defender Antimalware:

Not configured (default) - Intune doesn't control the service, nor change
existing settings.
Require - Turn on the Microsoft Defender anti-malware service, and prevent
users from turning it off.

Microsoft Defender Antimalware minimum version:

Enter the minimum allowed version of Microsoft Defender anti-malware service.
For example, enter 4.11.0.0. When left blank, any version of the Microsoft
Defender anti-malware service can be used.

By default, no version is configured.

Microsoft Defender Antimalware security intelligence up-to-date:

Controls the Windows Security virus and threat protection updates on the devices.
Not configured (default) - Intune doesn't enforce any requirements.
Require - Force the Microsoft Defender security intelligence to be up to date.

Defender CSP - Defender/Health/SignatureOutOfDate CSP

For more information, see Security intelligence updates for Microsoft Defender
Antivirus and other Microsoft antimalware.

Real-time protection:
Not configured (default) - Intune doesn't control this feature, nor change
existing settings.
Require - Turn on real-time protection, which scans for malware, spyware, and
other unwanted software.

Policy CSP - Defender/AllowRealtimeMonitoring CSP

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint rules

For additional information on Microsoft Defender for Endpoint integration in conditional
access scenarios, see Configure Conditional Access in Microsoft Defender for Endpoint.

Require the device to be at or under the machine risk score:

Use this setting to take the risk assessment from your defense threat services as a
condition for compliance. Choose the maximum allowed threat level:
Not configured (default)
Clear - This option is the most secure, as the device can't have any threats. If the
device is detected as having any level of threats, it's evaluated as non-
compliant.
Low - The device is evaluated as compliant if only low-level threats are present.
Anything higher puts the device in a non-compliant status.
Medium - The device is evaluated as compliant if existing threats on the device
are low or medium level. If the device is detected to have high-level threats, it's
determined to be non-compliant.
High - This option is the least secure, and allows all threat levels. It may be
useful if you're using this solution only for reporting purposes.

To set up Microsoft Defender for Endpoint as your defense threat service, see
Enable Microsoft Defender for Endpoint with Conditional Access.

Windows Holographic for Business

Windows Holographic for Business uses the Windows 10 and later platform. Windows
Holographic for Business supports the following setting:

System Security > Encryption > Encryption of data storage on device.

To verify device encryption on the Microsoft HoloLens, see Verify device encryption.

Surface Hub
Surface Hub uses the Windows 10 and later platform. Surface Hubs are supported for
both compliance and Conditional Access. To enable these features on Surface Hubs, we
recommend you enable Windows automatic enrollment in Intune (requires Azure Active
Directory (Azure AD)), and target the Surface Hub devices as device groups. Surface
Hubs are required to be Azure AD joined for compliance and Conditional Access to
work.

For guidance, see set up enrollment for Windows devices.

Special consideration for Surface Hubs running Windows 10/11 Team OS:

Surface Hubs that run Windows 10/11 Team OS do not support the Microsoft Defender
for Endpoint and Password compliance policies at this time. Therefore, for Surface Hubs
that run Windows 10/11 Team OS set the following two settings to their default of Not
configured:

In the category Password, set Require a password to unlock mobile devices to the
default of Not configured.

In the category Microsoft Defender for Endpoint, set Require the device to be at
or under the machine risk score to the default of Not configured.

Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
See the compliance policy settings for Windows 8.1 devices.
Device Compliance settings for Windows 8.1 in Intune
Article • 02/21/2023

Important

On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.

This article lists and describes the different compliance settings you can configure on
Windows 8.1 devices in Intune. As part of your mobile device management (MDM)
solution, use these settings to block simple passwords, set a minimum and maximum OS
version, and more.

This feature applies to:

Windows 8.1 and later

As an Intune administrator, use these compliance settings to help protect your
organizational resources. To learn more about compliance policies, and what they do,
see get started with device compliance.

Before you begin

Create a compliance policy. For Platform, select Windows 8.1 and later.

Device Properties

Operating System Version

Windows 8.1 and later

Minimum OS version:

Enter the minimum allowed version. When a device doesn't meet the minimum OS
version requirement, it's reported as non-compliant. A link with information on
how to upgrade is shown. The device user can choose to upgrade their device, and
then get access to company resources.

Maximum OS version:

Enter the maximum allowed version. When a device is using an OS version later
than the version entered in the rule, access to organization resources is blocked.
The device user is asked to contact their IT administrator. The device can't access
organizational resources until a rule changes to allow the OS version.

Windows 8.1 PCs return a version of 3. If the OS version rule is set to Windows 8.1 for
Windows, then the device is reported as non-compliant even if the device has Windows
8.1.

System Security

Password
Require a password to unlock mobile devices:
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Users must enter a password before they can access their device.

Simple passwords:
Not configured (default) - Users can create simple passwords like 1234 or 1111.
Block - Users can't create simple passwords, such as 1234 or 1111.

Minimum password length:

Enter the minimum number of digits or characters that the password must have.

For devices that run Windows and are accessed with a Microsoft account, the
compliance policy fails to evaluate correctly if either of the following conditions is
met:
Minimum password length is greater than eight characters
Minimum number of character sets is more than two

Password type:

Choose if a password should have only Numeric characters, or if there should be a
mix of numbers and other characters (Alphanumeric).

When set to Alphanumeric, the following setting is available.

Number of non-alphanumeric characters in password:

When the password type is set to Alphanumeric, specify the minimum number
of character sets that the password must contain. Options include 0 to 4 sets,
with a default of 1.

The four character sets are:

Lowercase letters
Uppercase letters
Symbols
Numbers

Setting a higher number requires the user to create a password that is more
complex. For devices that are accessed with a Microsoft account, the
compliance policy fails to evaluate correctly if either of the following conditions
is met:
Minimum password length is greater than eight characters
Minimum number of character sets is more than two

Maximum minutes of inactivity before password is required:

Enter the idle time before the user must reenter their password.

Password expiration (days):

Select the number of days before the password expires, and users must create a
new one.

Number of previous passwords to prevent reuse:

Enter the number of previously used passwords that can't be used.

Encryption
Encryption of data storage on device:
Not configured (default)
Require - Use Require to encrypt data storage on your devices.

Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
See the compliance policy settings for Windows 10/11 devices.
Settings for Microsoft Defender for Endpoint for Mac in Microsoft Intune
Article • 02/21/2023

View the Antivirus profile settings you can configure for Microsoft Defender for
Endpoint for Mac in Microsoft Intune. For more information about these settings, see
Microsoft Defender for Endpoint for Mac in the Windows documentation.

Learn about using Endpoint security policies in Intune.

Microsoft Defender for Endpoint

Real-time protection

Require Defender on macOS devices to use the real-time monitoring functionality.
Real-time monitoring locates and stops malware from installing or running on your
device. You can turn off this setting for a short time before it turns back on
automatically.
Not configured (default) - The setting is restored to the system default.
Enabled - Enforce use of real-time monitoring. Device users can't change this
setting.
Disabled - The setting is disabled. Device users can't change this setting.

Cloud-delivered protection

By default, Defender sends information to Microsoft about any problems it finds.
Microsoft analyzes that information to learn more about problems affecting you
and other customers, to offer improved solutions. Protection works best when
automatic sample submission is turned on.
Not configured (default) - The setting is restored to the system default.
Enabled - Cloud-delivered protection is turned on. Device users can't change
this setting.
Disabled - The setting is disabled. Device users can't change this setting.

Automatic sample submission

Sends sample files to Microsoft to help protect device users and your organization
from potential threats.
Not configured (default) - The setting is restored to the system default.
Enabled - Cloud-delivered protection is turned on. Device users can't change
this setting.
Disabled - The setting is disabled. Device users can't change this setting.

Diagnostic data collection

Configure how diagnostic and usage data is shared with Microsoft.
Not configured (default) - The setting is restored to the system default.
Required
Optional

Folders excluded from scan

Select Add and then specify folders to ignore during a scan.

Files excluded from scan

Select Add and then specify files to ignore during a scan.

File types excluded from scan

Select Add and then specify file extensions to ignore during a scan.

Processes excluded from scan

Select Add and then specify processes to ignore during a scan.


Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices
Article • 02/22/2023

View details about the endpoint security antivirus policy settings you can configure for
the Microsoft Defender Antivirus profile for Windows 10 and later in Microsoft Intune.

Note

This article details the settings you can find in Microsoft Defender Antivirus and
Microsoft Defender Antivirus Exclusions profiles created before April 5, 2022, for
the Windows 10 and later platform for endpoint security Antivirus policy. On April 5,
2022, the Windows 10 and later platform was replaced by the Windows 10,
Windows 11, and Windows Server platform. Profiles created after that date use a
new settings format as found in the Settings Catalog. With this change you can no
longer create new versions of the old profile and they are no longer being
developed. Although you can no longer create new instances of the older profile,
you can continue to edit and use instances of it that you previously created.

For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and the explanatory text you see in the Microsoft Intune admin center are taken
directly from the setting's authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
setting's information text, you can use its Learn more link to open that content.

The following settings details for Windows profiles apply to those deprecated
profiles.

Cloud protection
Turn on cloud-delivered protection

CSP: AllowCloudProtection

By default, Defender on Windows 10/11 desktop devices sends information to
Microsoft about any problems it finds. Microsoft analyzes that information to learn
more about problems affecting you and other customers, to offer improved
solutions.
Not configured (default) - The setting is restored to the system default.
No - The setting is disabled. Device users can't change this setting.
Yes - Cloud-delivered protection is turned on. Device users can't change this
setting.

Cloud-delivered protection level

CSP: CloudBlockLevel

Configure how aggressive Defender Antivirus is in blocking and scanning
suspicious files.
Not configured (default) - Default Defender blocking level.
High - Aggressively block unknowns while optimizing client performance, which
includes a greater chance of false positives.
High plus - Aggressively block unknowns and apply additional protection
measures that might affect client performance.
Zero tolerance - Block all unknown executable files.

Defender cloud extended timeout in seconds

CSP: CloudExtendedTimeout

Defender Antivirus automatically blocks suspicious files for 10 seconds while it
scans them in the cloud to make sure they're safe. You can add up to 50 additional
seconds to this timeout.

Microsoft Defender Antivirus Exclusions

The following settings are available in the Microsoft Defender Antivirus profile:

Defender local admin merge

CSP: Configuration/DisableLocalAdminMerge

This setting controls whether exclusion list settings configured by a local
administrator merge with the managed settings from Intune policy. It applies to
lists such as threats and exclusions.
Not configured (default) - Unique items defined in preference settings that are
configured by a local administrator merge into the resulting effective policy. If
there are conflicts, management settings from Intune policy override local
preference settings.
No - Behavior is the same as Not configured.
Yes - Only items defined by management are used in the resulting effective
policy. Managed settings override preference settings that are configured by
the local administrator.

The following settings are available in the following profiles:

Microsoft Defender Antivirus
Microsoft Defender Antivirus Exclusions

For each setting in this group, you can expand the setting, select Add, and then specify
a value for the exclusion.

Defender processes to exclude

CSP: ExcludedProcesses

Specify a list of files opened by processes to ignore during a scan. The process
itself isn't excluded from the scan.

File extensions to exclude from scans and real-time protection

CSP: ExcludedExtensions

Specify a list of file type extensions to ignore during a scan.

Defender files and folders to exclude

CSP: ExcludedPaths

Specify a list of files and directory paths to ignore during a scan.
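As an added example that is not part of the Intune documentation or of Microsoft's tooling, the PowerShell below models the merge behaviour described under Defender local admin merge for exclusion lists, using constructed sample path lists, and then reads the values a device actually reports through Get-MpPreference so you can see which effective exclusions were never requested by policy. The managed list is an assumption standing in for whatever your own profile delivers.

```powershell
# Added example, not part of the Intune documentation. Sample lists are constructed.

# Exclusion paths delivered by the Intune profile (sample values).
$ManagedPaths = @('C:\ProgramData\LineOfBusinessApp\Cache', 'D:\Backups')
# Exclusion paths a local administrator added on the device (sample values).
$LocalPaths   = @('C:\Users\Public\Downloads', 'D:\Backups')

function Get-EffectiveExclusions {
    param(
        [string[]]$Managed,
        [string[]]$Local,
        [bool]$DisableLocalAdminMerge   # the "Defender local admin merge" setting: Yes = $true
    )
    if ($DisableLocalAdminMerge) {
        # Yes: only management-defined items reach the effective policy.
        $effective = @($Managed)
    } else {
        # Not configured / No: unique local items merge in; an item present in both
        # lists appears once, with the managed definition taking precedence.
        # Select-Object -Unique compares case-sensitively; normalise case first if your lists mix it.
        $effective = @($Managed + $Local | Select-Object -Unique)
    }
    foreach ($path in $effective) {
        $source = if ($Managed -contains $path) { 'Managed' } else { 'LocalAdmin' }
        [pscustomobject]@{ Path = $path; Source = $source }
    }
}

# Merge allowed: D:\Backups appears once; C:\Users\Public\Downloads is an
# exclusion that policy never asked for and that real-time protection now skips.
Get-EffectiveExclusions -Managed $ManagedPaths -Local $LocalPaths -DisableLocalAdminMerge $false

# Merge disabled: only the two managed paths remain.
Get-EffectiveExclusions -Managed $ManagedPaths -Local $LocalPaths -DisableLocalAdminMerge $true

# On a device, compare the live merge setting and effective lists against the
# profile (elevated session). Any path not in the managed list came from somewhere else.
$pref = Get-MpPreference
[pscustomobject]@{
    DisableLocalAdminMerge = $pref.DisableLocalAdminMerge
    ExclusionPath          = ($pref.ExclusionPath -join '; ')
    ExclusionExtension     = ($pref.ExclusionExtension -join '; ')
    ExclusionProcess       = ($pref.ExclusionProcess -join '; ')
}
$unexpected = @($pref.ExclusionPath | Where-Object { $ManagedPaths -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning ('Exclusions not in the managed list: ' + ($unexpected -join '; '))
}
```

The model is deliberately simple: the merge rule in the text is a set union keyed on the item itself, with management winning on conflicts. The live check at the end is the part to keep in a baseline script, because an exclusion added locally while merge is allowed is a blind spot for every protection setting that follows.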

Real-time protection
These settings are available in the following profiles:

Microsoft Defender Antivirus

Settings:

Turn on real-time protection

CSP: AllowRealtimeMonitoring

Require Defender on Windows 10/11 desktop devices to use the real-time
monitoring functionality.
Not configured (default) - The setting is restored to the system default.
No - The setting is disabled. Device users can't change this setting.
Yes - Enforce use of real-time monitoring. Device users can't change this setting.

Enable on access protection

CSP: AllowOnAccessProtection

Configure virus protection that's continuously active, as opposed to on demand.
Not Configured (default) - This policy doesn't alter the state of this setting on a
device. The existing state on the device remains unchanged.
No - Block On Access Protection on devices. Device users can't change this
setting.
Yes - On Access Protection is active on devices.

Monitoring for incoming and outgoing files

CSP: Defender/RealTimeScanDirection

Configure this setting to determine which NTFS file and program activity is
monitored.
Monitor all files (default)
Only monitor incoming files
Only monitor outgoing files

Turn on behavior monitoring

CSP: AllowBehaviorMonitoring

By default, Defender on Windows 10/11 desktop devices uses the Behavior
Monitoring functionality.
Not configured (default) - The setting is restored to the system default.
No - The setting is disabled. Device users can't change this setting.
Yes - Enforce use of real-time behavior monitoring. Device users can't change
this setting.

Turn on network protection

CSP: EnableNetworkProtection

Protect device users using any app from accessing phishing scams, exploit-hosting
sites, and malicious content on the Internet. Protection includes preventing
third-party browsers from connecting to dangerous sites.
Not configured (default) - The setting is restored to the system default.
No - The setting is disabled. Device users can't change this setting.
Yes - Network protection is turned on. Device users can't change this setting.

Scan all downloaded files and attachments

CSP: AllowIOAVProtection

Configure Defender to scan all downloaded files and attachments.
Not configured (default) - The setting is restored to the system default.
No - The setting is disabled. Device users can't change this setting.
Yes - Defender scans all downloaded files and attachments. Device users can't
change this setting.

Scan scripts that are used in Microsoft browsers

CSP: AllowScriptScanning

Configure Defender to scan scripts.
Not configured (default) - The setting is restored to the system default.
No - The setting is disabled. Device users can't change this setting.
Yes - Defender scans scripts. Device users can't change this setting.

Scan network files

CSP: AllowScanningNetworkFiles

Configure Defender to scan network files.
Not configured (default) - The setting is restored to the system default.
No - The setting is disabled. Device users can't change this setting.
Yes - Turn on scanning of network files. Device users can't change this setting.

Scan emails

CSP: AllowEmailScanning

Configure Defender to scan incoming email.
Not configured (default) - The setting is restored to the system default.
No - The setting is disabled. Device users can't change this setting.
Yes - Turn on email scanning. Device users can't change this setting.
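As an added example that is not from the Intune documentation or Microsoft's own tooling, the following PowerShell compares the Defender preferences in effect on a Windows 10/11 device with the values the cloud protection and real-time protection settings above are expected to produce, and reports drift. The $Expected table is an assumed baseline for a profile that turns every protection on with the High cloud block level; the property names are the ones Get-MpPreference reports and the numeric codes are the Defender CSP enumerations. Run it in an elevated session and adjust the baseline to your own profile.

```powershell
# Added example, not part of the Intune documentation. Audits the live Defender
# configuration against an assumed baseline using the Defender PowerShell module
# that ships with Windows (Get-MpPreference, Get-MpComputerStatus).

# Assumed baseline: what the Intune profile is expected to enforce.
# Numeric codes: CloudBlockLevel 2 = High, MAPSReporting 2 = Advanced,
# EnableNetworkProtection 1 = Enabled, RealTimeScanDirection 0 = all files.
$Expected = [ordered]@{
    MAPSReporting               = 2       # Turn on cloud-delivered protection
    CloudBlockLevel             = 2       # Cloud-delivered protection level: High
    CloudExtendedTimeout        = 50      # Defender cloud extended timeout (0-50 s)
    DisableRealtimeMonitoring   = $false  # Turn on real-time protection
    DisableBehaviorMonitoring   = $false  # Turn on behavior monitoring
    EnableNetworkProtection     = 1       # Turn on network protection
    DisableIOAVProtection       = $false  # Scan all downloaded files and attachments
    DisableScriptScanning       = $false  # Scan scripts used in Microsoft browsers
    DisableScanningNetworkFiles = $false  # Scan network files
    DisableEmailScanning        = $false  # Scan emails
    RealTimeScanDirection       = 0       # Monitor all files
}

function Get-DefenderDrift {
    param([System.Collections.IDictionary]$Baseline)

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Collect every setting whose live value differs from the baseline.
    # Values are compared as strings so that uint32 2 and int 2 match.
    $drift = @(foreach ($name in $Baseline.Keys) {
        $actual = $pref.$name
        if ("$actual" -ne "$($Baseline[$name])") {
            [pscustomobject]@{ Setting = $name; Expected = $Baseline[$name]; Actual = $actual }
        }
    })

    # Tamper protection is reported by Get-MpComputerStatus, not Get-MpPreference.
    # Without it a local administrator can undo every setting checked above.
    if (-not $status.IsTamperProtected) {
        $drift += [pscustomobject]@{ Setting = 'IsTamperProtected'; Expected = $true; Actual = $status.IsTamperProtected }
    }
    return $drift
}

$result = Get-DefenderDrift -Baseline $Expected
if ($result.Count -eq 0) {
    Write-Output 'No drift from the expected Defender baseline.'
} else {
    $result | Format-Table -AutoSize
}
```

Get-DefenderDrift returns one object per divergent setting, which makes it easy to feed into a remediation script or a compliance report; a clean run returns nothing.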

Remediation
These settings are available in the following profiles:

Microsoft Defender Antivirus

Settings:

Number of days (0-90) to keep quarantined malware

CSP: DaysToRetainCleanedMalware

Specify the number of days from zero to 90 that the system stores quarantined
items before they're automatically removed. A value of zero keeps items in
quarantine and doesn't automatically remove them.

Submit samples consent

Not configured (default)
Send safe samples automatically
Always prompt
Never send
Send all samples automatically

Action to take on potentially unwanted apps

CSP: PUAProtection

Specify the level of detection for potentially unwanted applications (PUAs).
Defender alerts users when potentially unwanted software is being downloaded or
attempts to install on a device.
Not configured (default) - The setting is restored to the system default, which is
PUA Protection OFF.
Disable
Enable - Detected items are blocked, and show in history along with other
threats.
Audit mode - Defender detects potentially unwanted applications, but takes no
action. You can review information about the applications Defender would have
taken action against by searching for events that are created by Defender in the
Event Viewer.

Actions for detected threats

CSP: ThreatSeverityDefaultAction

Specify the action that Defender takes for detected malware based on the
malware's threat level.

Defender classifies malware that it detects as one of the following severity levels:
Low severity
Moderate severity
High severity
Severe severity

For each level, specify the action to take. The default for each severity level is Not
configured.
Not configured
Clean - The service tries to recover files and disinfect them.
Quarantine - Moves files to quarantine.
Remove - Removes files from the device.
Allow - Allows the file and doesn't take other actions.
User defined - The device user makes the decision on which action to take.
Block - Blocks file execution.

Scan
These settings are available in the following profiles:

Microsoft Defender Antivirus

Settings:

Scan archive files

CSP: AllowArchiveScanning

Configure Defender to scan archive files, like ZIP or CAB files.
Not configured (default) - The setting returns to the client default, which is to
scan archived files; however, the user may disable the setting.
No - File archives aren't scanned. Device users can't change this setting.
Yes - Enable scans of archive files. Device users can't change this setting.

Use low CPU priority for scheduled scans

CSP: EnableLowCPUPriority

Configure CPU priority for scheduled scans.
Not configured (default) - The setting returns to the system default, in which no
changes to CPU priority are made.
No - The setting is disabled. Device users can't change this setting.
Yes - Low CPU priority will be used during scheduled scans. Device users can't
change this setting.

Disable catch-up full scan

CSP: DisableCatchupFullScan

Configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is
run because a regularly scheduled scan was missed. Usually these scheduled scans
are missed because the computer was turned off at the scheduled time.
Not configured (default) - The setting is returned to client default, which is to
disable catch-up scans for full scans.
No - The setting is disabled. Device users can't change this setting.
Yes - Catch-up scans for scheduled full scans are enforced and the user can't
disable them. If a computer is offline for two consecutive scheduled scans, a
catch-up scan is started the next time someone signs in to the computer. If
there's no scheduled scan configured, there will be no catch-up scan run. Device
users can't change this setting.

Disable catchup quick scan

CSP: DisableCatchupQuickScan

Configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that
is run because a regularly scheduled scan was missed. Usually these scheduled
scans are missed because the computer was turned off at the scheduled time.
Not configured (default) - The setting is returned to client default, which is to
disable catch-up scans for full scans.
No - The setting is disabled. Device users can't change this setting.
Yes - Catch-up scans for scheduled quick scans are enforced and the user can't
disable them. If a computer is offline for two consecutive scheduled scans, a
catch-up scan is started the next time someone signs in to the computer. If
there's no scheduled scan configured, there will be no catch-up scan run. Device
users can't change this setting.
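The catch-up behaviour described for full and quick scans is easiest to reason about with the numbers a device actually reports. The following PowerShell is an added example, not part of the documentation: it computes how many scheduled scans a device has missed from the ScanScheduleDay, ScanParameters and scan-age values that Get-MpPreference and Get-MpComputerStatus return, and states whether catch-up will recover it. Note that the DisableCatchupFullScan and DisableCatchupQuickScan booleans it consumes are the device-side Defender preference values, where $true means the catch-up scan is turned off; the first call uses constructed sample values.

```powershell
# Added example, not part of the Intune documentation. Uses the Defender
# PowerShell module that ships with Windows; run in an elevated session.

function Get-ScanSchedulePeriodDays {
    param([int]$ScanScheduleDay)
    # Get-MpPreference.ScanScheduleDay: 0 = every day, 1-7 = Sunday..Saturday, 8 = never.
    switch ($ScanScheduleDay) {
        0       { return 1 }
        8       { return $null }
        default { return 7 }
    }
}

function Test-MissedScheduledScan {
    param(
        [int]$ScanScheduleDay,
        [int]$ScanParameters,              # Get-MpPreference.ScanParameters: 1 = quick scan, 2 = full scan
        [uint32]$QuickScanAgeDays,         # Get-MpComputerStatus.QuickScanAge
        [uint32]$FullScanAgeDays,          # Get-MpComputerStatus.FullScanAge
        [bool]$DisableCatchupQuickScan,    # device-side preference: $true = catch-up quick scan off
        [bool]$DisableCatchupFullScan      # device-side preference: $true = catch-up full scan off
    )
    $period = Get-ScanSchedulePeriodDays -ScanScheduleDay $ScanScheduleDay
    if ($null -eq $period) {
        return [pscustomobject]@{ ScanType = 'None'; Finding = 'No scheduled scan is configured, so no catch-up scan will ever run.' }
    }
    $isFull          = ($ScanParameters -eq 2)
    $scanType        = if ($isFull) { 'Full' } else { 'Quick' }
    $age             = if ($isFull) { $FullScanAgeDays } else { $QuickScanAgeDays }
    $catchupDisabled = if ($isFull) { $DisableCatchupFullScan } else { $DisableCatchupQuickScan }

    # Defender reports the maximum uint32 value when no scan of that type has ever completed.
    if ($age -eq [uint32]::MaxValue) {
        $missed = [int]::MaxValue
    } else {
        $missed = [int][math]::Floor($age / $period)
    }

    if ($missed -ge 2 -and $catchupDisabled) {
        $finding = 'Two or more scheduled scans missed and catch-up is off: start a scan manually.'
    } elseif ($missed -ge 2) {
        $finding = 'Two or more scheduled scans missed: a catch-up scan runs at the next sign-in.'
    } else {
        $finding = 'On schedule.'
    }

    [pscustomobject]@{
        ScanType            = $scanType
        ScheduledPeriodDays = $period
        DaysSinceLastScan   = $age
        MissedScans         = $missed
        CatchupWillRun      = ($missed -ge 2 -and -not $catchupDisabled)
        Finding             = $finding
    }
}

# Constructed sample: weekly full scan on Wednesday, last full scan 16 days ago,
# catch-up full scan turned off. Two scans were missed and nothing will recover them.
Test-MissedScheduledScan -ScanScheduleDay 4 -ScanParameters 2 -QuickScanAgeDays 1 -FullScanAgeDays 16 `
    -DisableCatchupQuickScan $false -DisableCatchupFullScan $true

# Live values from the device.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
Test-MissedScheduledScan -ScanScheduleDay $pref.ScanScheduleDay -ScanParameters $pref.ScanParameters `
    -QuickScanAgeDays $status.QuickScanAge -FullScanAgeDays $status.FullScanAge `
    -DisableCatchupQuickScan $pref.DisableCatchupQuickScan -DisableCatchupFullScan $pref.DisableCatchupFullScan
```

The two-missed-scans threshold is the one the text gives for when a catch-up scan is triggered; the function reports the same threshold so that a device with catch-up turned off shows up as needing a manual scan rather than silently ageing.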

CPU usage limit per scan

CSP: AvgCPULoadFactor

Specify, as a percent from zero to 100, the average CPU load factor for the
Defender scan.

Scan mapped network drives during full scan

CSP: AllowFullScanOnMappedNetworkDrives

Configure Defender to scan mapped network drives.
Not configured (default) - The setting is restored to the system default, which
disables scanning on mapped network drives.
No - The setting is disabled. Device users can't change the setting.
Yes - Enable scans of mapped network drives. Device users can't change this
setting.

Run daily quick scan at

CSP: ScheduleQuickScanTime

Select the time of day that Defender quick scans run. This setting applies only
when a device runs a quick scan and doesn't interact with the following three
settings:
Scan type
Day of week to run a scheduled scan
Time of day to run a scheduled scan

By default, Run daily quick scan at is set to Not configured.

Scan type

CSP: ScanParameter

Select the type of scan that Defender runs. This setting interacts with the settings
Day of week to run a scheduled scan and Time of day to run a scheduled scan.
Not Configured (default)
Quick scan
Full scan

Day of week to run a scheduled scan

Not Configured (default)

Time of day to run a scheduled scan

Not Configured (default)

Check for signature updates before running scan

Not Configured (default)
No
Yes

Updates
These settings are available in the following profiles:

Microsoft Defender Antivirus

Settings:

Enter how often (0-24 hours) to check for security intelligence updates

CSP: SignatureUpdateInterval

Specify the interval from zero to 24 (in hours) that is used to check for signatures.
A value of zero results in no check for new signatures. A value of 2 will check every
two hours, and so on.

Define file shares for downloading definition updates

CSP: SignatureUpdateFallbackOrder

Manage locations, like a UNC file share, as a download source location to get
definition updates. After definition updates successfully download from a specified
source, the remaining sources in the list won't be contacted.

You can Add individual locations, or Import a list of locations as a .csv file.

Define the order of sources for downloading definition updates

CSP: SignatureUpdateFileSharesSources

Specify the order in which to contact the source locations you've specified to get
definition updates. After definition updates have successfully downloaded from
one specified source, the remaining sources in the list won't be contacted.
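As an added example that is not part of the documentation, the following PowerShell models the contact order the two settings above describe: sources are tried in the configured fallback order, the File shares entry expands to the UNC list in its configured order, and contact stops at the first source that delivers the update. The download attempts and share names are constructed. The second part reads the live signature settings through Get-MpPreference and Get-MpComputerStatus and flags an update interval of zero or signatures older than one day (the one-day threshold is an assumption for this example).

```powershell
# Added example, not part of the Intune documentation. The first part models the
# contact order; the second reads live values with the Defender PowerShell module.

function Get-UpdateSourceContactOrder {
    param(
        [string]$FallbackOrder,     # pipe-separated, as Get-MpPreference.SignatureFallbackOrder reports it
        [string[]]$FileShares,      # UNC paths, as Get-MpPreference.SignatureDefinitionUpdateFileSharesSources
        [scriptblock]$TryDownload   # called with one location; returns $true when the update was obtained
    )
    $contacted = New-Object System.Collections.Generic.List[string]
    foreach ($source in ($FallbackOrder -split '\|')) {
        # The FileShares entry stands for the whole ordered share list.
        $targets = if ($source -eq 'FileShares') { $FileShares } else { @($source) }
        foreach ($location in $targets) {
            $contacted.Add($location)
            if (& $TryDownload $location) {
                # First success wins; the remaining sources are never contacted.
                return [pscustomobject]@{ SucceededAt = $location; Contacted = $contacted.ToArray() }
            }
        }
    }
    [pscustomobject]@{ SucceededAt = $null; Contacted = $contacted.ToArray() }
}

# Constructed sample: the internal update server is down and the first share answers,
# so MMPC and the second share are never contacted.
$shares = @('\\fs01\defender\updates', '\\fs02\defender\updates')
Get-UpdateSourceContactOrder -FallbackOrder 'InternalDefinitionUpdateServer|FileShares|MMPC' `
    -FileShares $shares -TryDownload { param($location) $location -eq '\\fs01\defender\updates' }

# Live check on a device (elevated session).
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
if ($pref.SignatureUpdateInterval -eq 0) {
    $finding = 'SignatureUpdateInterval is 0: the device never checks for new signatures on a schedule.'
} elseif ($status.AntivirusSignatureAge -gt 1) {
    $finding = 'Signatures are more than a day old: verify the configured sources are reachable.'
} else {
    $finding = 'OK'
}
[pscustomobject]@{
    SignatureUpdateInterval = $pref.SignatureUpdateInterval
    FallbackOrder           = $pref.SignatureFallbackOrder
    FileShareSources        = ($pref.SignatureDefinitionUpdateFileSharesSources -join '; ')
    SignatureAgeDays        = $status.AntivirusSignatureAge
    Finding                 = $finding
}
```

The Contacted list in the model's output is the part worth checking against expectations: if an internal share is listed first and reachable, public sources should never appear in it, and if it is unreachable the device must still end up at a source that works.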

User experience
These settings are available in the following profiles:

Microsoft Defender Antivirus

Settings:

Allow user access to Microsoft Defender app

CSP: AllowUserUIAccess

Not Configured (default) - The setting returns to the client default, in which the UI and
notifications are allowed.
No - The Defender user interface (UI) is inaccessible and notifications are
suppressed.
Yes

Settings for Microsoft Defender Antivirus policy for tenant attached devices in Microsoft Intune
Article • 02/21/2023

View the Microsoft Defender Antivirus settings you can manage with the Microsoft
Defender Antivirus Policy (ConfigMgr) profile from Intune. The profile is available when
you configure Intune Endpoint security Antivirus policy, and the policy deploys to
devices you manage with Configuration Manager when you've configured the tenant
attach scenario.

Cloud protection
Turn on cloud-delivered protection

CSP: AllowCloudProtection

By default, Defender on Windows 10/11 desktop devices sends information to
Microsoft about any problems it finds. Microsoft analyzes that information to learn
more about problems affecting you and other customers, to offer improved
solutions.
Not configured (default) - The setting is restored to the system default.
Not allowed - Turns off the Microsoft Active Protection Service.
Allowed - Turns on the Microsoft Active Protection Service.

Cloud-delivered protection level

CSP: CloudBlockLevel

Configure how aggressive Defender Antivirus is in blocking and scanning
suspicious files.
Not configured (default) - Default Defender blocking level.
High - Aggressively block unknowns while optimizing client performance, which
includes a greater chance of false positives.
High plus - Aggressively block unknowns and apply extra protection measures
that might impact client performance.
Zero tolerance - Block all unknown executable files.

Defender cloud extended timeout in seconds

CSP: CloudExtendedTimeout

Defender Antivirus automatically blocks suspicious files for 10 seconds so it can
scan the files in the cloud to make sure they're safe. With this setting, you can add
up to 50 more seconds to this timeout.

Microsoft Defender Antivirus Exclusions

For each setting in this group, you can expand the setting, select Add, and then specify
a value for the exclusion.

Defender processes to exclude

CSP: ExcludedProcesses

Specify a list of files opened by processes to ignore during a scan. The process
itself isn't excluded from the scan.

File extensions to exclude from scans and real-time protection

CSP: ExcludedExtensions

Specify a list of file type extensions to ignore during a scan.

Defender files and folders to exclude

CSP: ExcludedPaths

Specify a list of files and directory paths to ignore during a scan.

Real-time protection
Turn on real-time protection

CSP: AllowRealtimeMonitoring

Require Defender on Windows 10/11 desktop devices to use the real-time
monitoring functionality.
Not configured (default) - The setting is restored to the system default.
Not allowed - Turns off the real-time monitoring service.
Allowed - Turns on and runs the real-time monitoring service.

Enable on access protection

CSP: AllowOnAccessProtection

Configure virus protection that's continuously active, as opposed to on demand.
Not Configured (default) - This policy doesn't alter the state of this setting on a
device. The existing state on the device remains unchanged.
Not allowed - Turns off the real-time monitoring service.
Allowed

Monitoring for incoming and outgoing files

CSP: Defender/RealTimeScanDirection

Configure this setting to determine which NTFS file and program activity is
monitored.
Monitor all files (bi-directional) (default)
Monitor incoming files
Monitor outgoing files

Turn on behavior monitoring

CSP: AllowBehaviorMonitoring

By default, Defender on Windows 10/11 desktop devices uses the Behavior
Monitoring functionality.
Not configured (default) - The setting is restored to the system default.
Not allowed - Turns off behavior monitoring.
Allowed - Turns on real-time behavior monitoring.

Allow Intrusion Prevention System

Configure Defender to allow or disallow Intrusion Prevention functionality.
Not configured (default) - The setting is restored to the system default.
No - Intrusion Prevention System is not allowed.
Yes - Intrusion Prevention System is allowed.

Scan all downloaded files and attachments

CSP: EnableNetworkProtection

Configure Defender to scan all downloaded files and attachments.
Not configured (default) - The setting is restored to the system default.
Not allowed
Allowed

Scan scripts that are used in Microsoft browsers

CSP: AllowScriptScanning

Configure Defender to scan scripts.
Not configured (default) - The setting is restored to the system default.
Not allowed
Allowed

Scan network files

CSP: AllowScanningNetworkFiles

Configure Defender to scan network files.
Not configured (default) - The setting is restored to the system default.
Not allowed - Turns off scanning of network files.
Allowed - Scans network files.

Scan emails

CSP: AllowEmailScanning

Configure Defender to scan incoming email.
Not configured (default) - The setting is restored to the system default.
Not allowed - Turns off email scanning.
Allowed - Turns on email scanning.

Remediation
Number of days (0-90) to keep quarantined malware

CSP: DaysToRetainCleanedMalware

Specify a number of days from zero to 90 that the system stores quarantined items
before they're automatically removed. A value of zero keeps items in quarantine
and does not automatically remove them.

Submit samples consent

Not configured (default)
Always prompt
Send safe samples automatically
Never send
Send all samples automatically

Action to take on potentially unwanted apps

CSP: PUAProtection

Specify the level of detection for potentially unwanted applications (PUAs).
Defender alerts users when potentially unwanted software is being downloaded or
attempts to install on a device.
Not configured (default) - The setting is restored to the system default, which is
PUA Protection OFF.
PUA Protection off - Windows Defender will not protect against potentially
unwanted applications.
PUA Protection on - Detected items are blocked. They will show in history
along with other threats.
Audit mode - Defender detects potentially unwanted applications, but takes no
action. You can review information about the applications Defender would have
taken action against by searching for events that are created by Defender in the
Event Viewer.

Create a system restore point before computers are cleaned

Yes (default)
No
Not Configured

Actions for detected threats

CSP: ThreatSeverityDefaultAction

Specify the action that Defender takes for detected malware based on the
malware's threat level.

Defender classifies malware that it detects as one of the following severity levels:
Low threat
Moderate threat
High threat
Severe threat

For each level, specify the action to take. The default for each severity level is Not
configured.
Not configured (default)
Clean - The service tries to recover files and disinfect them.
Quarantine - Moves files to quarantine.
Remove - Removes files from the device.
Allow - Allows the file and doesn't take other actions.
User defined - The device user makes the decision on which action to take.
Block - Blocks file execution.

Scan
Scan archive files

CSP: AllowArchiveScanning

Configure Defender to scan archive files, like ZIP or CAB files.
Not configured (default) - The setting returns to the client default, which is to
scan archived files; however, the user may disable the scan.
Not allowed - Turns off scanning on archived files.
Allowed - Scans the archive files.

Enable low CPU priority for scheduled scans

CSP: EnableLowCPUPriority

Configure CPU priority for scheduled scans.
Not configured (default) - The setting returns to the system default, in which no
changes to CPU priority are made.
Disabled
Enabled

Disable catch-up full scan

CSP: DisableCatchupFullScan

Configure catch-up scans for scheduled full scans. A catch-up scan is a scan that
starts because a regularly scheduled scan was missed. Usually these scheduled
scans are missed because the computer was turned off at the scheduled time.
Not configured (default) - The setting is returned to client default, which is to
enable catch-up scans for full scans, however the user can turn them off.
Disabled
Enabled

Disable catchup quick scan

CSP: DisableCatchupQuickScan

Configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that
starts because a regularly scheduled scan was missed. Usually these scheduled
scans are missed because the computer was turned off at the scheduled time.
Not configured (default) - The setting is returned to client default, which is to
enable catch-up quick scans, however the user can turn them off.
Disabled
Enabled

CPU usage limit (0-100 percent) per scan

CSP: AvgCPULoadFactor

Specify, as a percent from zero to 100, the average CPU load factor for the
Defender scan.

Enable mapped network drives to be scanned during a full scan

CSP: AllowFullScanOnMappedNetworkDrives

Configure Defender to scan mapped network drives.
Not configured (default) - The setting is restored to the system default, which
disables scanning on mapped network drives.
Not allowed - Disables scanning on mapped network drives.
Allowed - Scans mapped network drives.

Run daily quick scan at

CSP: ScheduleQuickScanTime

Select the time of day that Defender quick scans run.

By default, this option is Not configured.

Scan type

CSP: ScanParameter

Select the type of scan that Defender runs.
Not Configured (default)
Quick scan
Full scan

Day of week to run a scheduled scan

Not Configured (default)

Time of day to run a scheduled scan

Not Configured (default)

Check for signature updates before running scan

Not Configured (default)
Disabled
Enabled

Randomize scheduled scan and security intelligence update start times

Not Configured (default)
Yes
No

Scan removable drives during full scan

Not Configured (default)
Not allowed - Turns off scanning on removable drives.
Allowed - Scans removable drives.

Updates
Enter how often (0-24 hours) to check for security intelligence updates

CSP: SignatureUpdateInterval

Specify the interval from zero to 24 (in hours) that is used to check for signatures.
A value of zero results in no check for new signatures. A value of 2 will check every
two hours, and so on.

Signature Update Fallback Order (Device)

Signature Update File Shares Sources (Device)

Security Intelligence Location (Device)

User experience
Block user access to Microsoft Defender app

Not Configured (default)
Not allowed - Prevents users from accessing UI.
Allowed - Lets users access UI.

Show notification messages on the client computer when the user needs to run
a full scan, update security intelligence, or run Windows Defender Offline

Not Configured (default)
Yes
No

Disable the client user interface

Not Configured (default)
Yes
No

Allow users to view full History results

Note

This is a legacy setting that only applies to versions of Windows prior to
Windows 10 version 1703. Use of this setting with a current operating system
has no effect. This setting is scheduled for removal from this policy. For more
information, see -DisablePrivacyMode in Set-MpPreference in the Windows
PowerShell documentation.

Not Configured (default)
Yes
No

Settings for Windows Security experience Antivirus policy for tenant attached devices in Microsoft Intune
Article • 02/21/2023

View the Windows Security experience settings you can manage with the Windows
Security experience (preview) profile from Intune.

The profile is available when you configure Intune Endpoint security Antivirus policy.
This profile supports devices you manage with Configuration Manager after configuring
the tenant attach scenario for Intune.

Windows Security
Enable tamper protection to prevent Microsoft Defender being disabled

Prevent changes to security settings with Tamper Protection
Not configured
Enabled
Disabled

Hide the Account protection area in the Windows Security app

CSP: DisableAccountProtectionUI
Not configured (default)
(Disable) The users can see the display of the Account protection area in
Windows Defender Security Center.
(Enable) The users cannot see the display of the Account protection area in
Windows Defender Security Center.

Hide the App and browser control area in the Windows Security app

CSP: DisableAppBrowserUI
Not configured (default)
(Disable) The users can see the display of the app and browser protection area
in Windows Defender Security Center.
(Enable) The users cannot see the display of the app and browser protection
area in Windows Defender Security Center.

Disable the Clear TPM option in the Windows Security app

CSP: DisableClearTpmButton
Not configured (default)
(Disable) The security processor troubleshooting page shows a button that
initiates the process to clear the security processor (TPM).
(Enable) The security processor troubleshooting page will not show a button
that initiates the process to clear the security processor (TPM).

Hide the Family options area in the Windows Security app

CSP: DisableFamilyUI
Not configured (default)
(Disable) The users can see the display of the family options area in Windows
Defender Security Center.
(Enable) The users cannot see the display of the family options area in Windows
Defender Security Center.

Hide the Device security area in the Windows Security app

CSP: DisableDeviceSecurityUI
Not configured (default)
(Disable) The users can see the display of the Device security area in Windows
Defender Security Center.
(Enable) The users cannot see the display of the Device security area in
Windows Defender Security Center.

Hide the Device performance and health area in the Windows Security app

CSP: DisableHealthUI
Not configured (default)
(Disable) The users can see the display of the device performance and health
area in Windows Defender Security Center.
(Enable) The users cannot see the display of the device performance and health
area in Windows Defender Security Center.

Hide the Firewall and network protection area in the Windows Security app

CSP: DisableNetworkUI
Not configured (default)
(Disable) The users can see the display of the firewall and network protection
area in Windows Defender Security Center.
(Enable) The users cannot see the display of the firewall and network protection
area in Windows Defender Security Center.

Hide the Windows Security icon from the notification area

CSP: HideWindowsSecurityNotificationAreaControl
Not configured (default)
Enabled

Hide the Ransomware data recovery option in the Windows Security app

CSP: HideRansomwareDataRecovery
Not configured (default)
(Disable) The Ransomware data recovery area will be visible.
(Enable) The Ransomware data recovery area is hidden.

Hide the Virus and threat protection area in the Windows Security app

CSP: DisableVirusUI
Not configured (default)
(Disable) The users can see the display of the virus and threat protection area in
Windows Defender Security Center.
(Enable) The users cannot see the display of the virus and threat protection area
in Windows Defender Security Center.

Prompt users to update TPM firmware if vulnerability is discovered

CSP: DisableTpmFirmwareUpdateWarning
Not configured (default)
(Disabled or Not configured) A warning will be displayed if the firmware of the
security processor (TPM) should be updated for TPMs that have a vulnerability.
(Enabled) No warning will be displayed if the firmware of the security processor
(TPM) should be updated.

Organization's support email address

CSP: EnableCustomizedToasts

Organization's support phone number

CSP: EnableCustomizedToasts

Organization's support web address

CSP: EnableCustomizedToasts

Organization's support contact name

CSP: EnableCustomizedToasts

Disable Notifications

CSP: DisableNotifications
Not configured (default)
(Disable) The users can see the display of Windows Defender Security Center
notifications.
(Enable) The users cannot see the display of Windows Defender Security Center
notifications.

Disable Enhanced Notifications

CSP: DisableEnhancedNotifications
Not configured (default)
(Disable) Windows Defender Security Center will display critical and non-critical
notifications to users.
(Enable) Windows Defender Security Center only displays notifications that are
considered critical on clients.

Settings for the Windows Security
experience profile in Microsoft Intune
Article • 02/21/2023

Note

This article details the settings in the Windows Security experience profile for the
Windows 10 and later platform for endpoint security Antivirus policy. Beginning on
April 5, 2022, the Windows 10 and later platform was replaced by the Windows 10,
Windows 11, and Windows Server platform. Although you can no longer create new
instances of the original profile, you can continue to edit and use your existing
profiles.

View details about the endpoint security antivirus policy settings you can configure for
the Windows Security Experience profile for Windows 10 and later in Microsoft Intune.

Windows Security

Enable tamper protection to prevent Microsoft Defender being disabled

Prevent changes to security settings with Tamper Protection


Not configured (default) - When the Enable or Disable state exists on a client,
deploying Not configured has no impact on the setting.
Enable - Enable the Tamper Protection restriction. To change the state from
either enabled or disabled, deploy the opposite setting to have effect.
Disable - Disable the Tamper Protection restrictions. To change the state from
either enabled or disabled, deploy the opposite setting to have effect.

Hide the Virus and threat protection area in the Windows Security app

CSP: DisableVirusUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The virus and threat protection area in the Windows Security app is hidden
from end-users. Virus and threat protection-related notifications are
suppressed.
No - Behavior is the same as Not configured.

When this setting is configured as No or Not configured, the following setting is
available:
Hide the Ransomware data recovery option in the Windows Security app

CSP: HideRansomwareDataRecovery

This setting is only available when Hide the Virus and threat protection area in
the Windows Security app is set to No or Not configured.
Not configured (default) - The setting returns to the client default, which is
to allow user access and notifications.
Yes - The ransomware data recovery area in the Windows Security app is
hidden from end-users. Ransomware related notifications are suppressed.
No - Behavior is the same as Not configured.

Hide the Account protection area in the Windows Security app

CSP: DisableAccountProtectionUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The account protection area in the Windows Security app is hidden from
end-users. Account protection-related notifications are suppressed.
No - Behavior is the same as Not configured.

Hide the Firewall and network protection area in the Windows Security app

CSP: DisableNetworkUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The firewall and network protection area in the Windows Security app is
hidden from end-users. Firewall and network protection-related notifications are
suppressed.
No - Behavior is the same as Not configured.

Hide the App and browser control area in the Windows Security app

CSP: DisableAppBrowserUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The app and browser control area in the Windows Security app is hidden from
end-users. App and browser control-related notifications are suppressed.
No - Behavior is the same as Not configured.

Hide the Device security area in the Windows Security app

CSP: DisableDeviceSecurityUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The hardware protection area in the Windows Security app is hidden from
end-users. Hardware protection-related notifications will be suppressed.
No - Behavior is the same as Not configured.

Hide the Device performance and health area in the Windows Security app

CSP: DisableHealthUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The device performance and health area in the Windows Security app is
hidden from end-users. Device performance and health-related notifications
are suppressed.
No - Behavior is the same as Not configured.

Hide the Family options area in the Windows Security app

CSP: DisableFamilyUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The family options area in the Windows Security app is hidden from end-
users. Also, notifications related to family options are suppressed.
No - Behavior is the same as Not configured.

Windows Security app notifications

CSP: DisableNotifications

Use this setting to block Windows Security notifications to your users for all of the
preceding feature settings. Alternatively, you can manage the Windows Security
app notifications per feature by using the preceding settings.
Not configured (default) - This setting doesn't enforce a block of any settings
and all Windows Security app notifications that are not controlled by another
setting are allowed.
Block non-critical notification - Notifications such as scan completions are
blocked.
Block all notifications - Critical and non-critical notifications are blocked for all
Windows Security features.

Hide the Windows Security icon from the notification area

CSP: HideWindowsSecurityNotificationAreaControl

For this setting to take effect, the user needs to either sign out and back in, or
reboot the computer.
Not configured (default) - The setting returns the client to the default, which is
to show the icon.
Yes - Hide the Windows Security icon from the notification area.
No - Behavior is the same as Not configured.

Disable the Clear TPM option in the Windows Security app

CSP: DisableClearTpmButton
Not configured (default) - The setting returns to the client default, which allows
access to the button.
Yes - Disable access to the clear TPM button in the Windows Security app.
No - Behavior is the same as Not configured.

Prompt users to update TPM firmware if vulnerability is discovered

CSP: DisableTpmFirmwareUpdateWarning
Not configured (default) - The setting returns to the client default, which is to
not prompt users.
Yes - Allow Windows to prompt end-users when a potential vulnerability is
found in their TPM firmware. Users are then encouraged to run firmware
updates to resolve the vulnerability.
No - Behavior is the same as Not configured.

Organization's support contact information

CSP: EnableCustomizedToasts

Declare where you would like your IT organization information displayed in the
Windows Security app and notifications.
Not configured (default)
Display in app and in notifications
Display only in app
Display only in notifications

Disk encryption policy settings for
endpoint security in Intune
Article • 07/31/2023

View the settings you can configure in profiles for Disk Encryption policy in the Endpoint
security node of Intune as part of an Endpoint security policy.

Applies to:

macOS
Windows 10/11

Supported platforms and profiles:

macOS:
Profile: FileVault
Windows 10 and later:
Profile: BitLocker

FileVault

Encryption
Enable FileVault

Not configured (default)

Yes - Enable Full Disk Encryption using XTS-AES 128 with FileVault on devices that
run macOS 10.13 and later. FileVault is enabled when the user signs out of the
device.

When set to Yes, you can configure additional settings for FileVault.

Recovery key type - Personal recovery keys are created for devices. Configure
the following settings for the personal key:
Personal recovery key rotation
Specify how frequently the personal recovery key for a device will rotate. You
can select the default of Not configured, or a value of 1 to 12 months.
Escrow location description of personal recovery key
Specify a short message to the user that explains how they can retrieve their
personal recovery key. The user sees this message on their sign-in screen
when prompted to enter their personal recovery key if a password is
forgotten.

Number of times allowed to bypass


Set the number of times a user can ignore prompts to enable FileVault before
FileVault is required for the user to sign in.
Not configured (default) - Encryption on the device is required before the
next sign-in is allowed.
1 to 10 - Allow a user to ignore the prompt from 1 to 10 times before
requiring encryption on the device.
No limit, always prompt - The user is prompted to enable FileVault, but
encryption is never required.

Allow deferral until sign out


Not configured (default)
Yes - Defer the prompt to enable FileVault until the user signs out.

Disable prompt at sign out


Prevent the prompt to the user that requests they enable FileVault when they
sign out. When set to Yes, the prompt at sign-out is disabled and instead the
user is prompted when they sign in.
Not configured (default)
Yes - Disable the prompt to enable FileVault that appears at sign-out.

Hide recovery key


Hide the personal recovery key from the user of the macOS device during
encryption. After the disk is encrypted, a user can use any device to view their
personal recovery key through the Intune Company Portal website, or company
portal app on a supported platform.
Not configured (default)
Yes - Hide the personal recovery key during device encryption.

BitLocker

Note

This article details the settings you can find in BitLocker profiles created before
June 19, 2023, for the Windows 10 and later platform for endpoint security Disk
encryption policy. On June 19, 2023, the Windows 10 and later profile was updated
to use a new settings format as found in the Settings Catalog. With this change you
can no longer create new versions of the old profile and they are no longer being
developed. Although you can no longer create new instances of the older profile,
you can continue to edit and use instances of it that you previously created.

For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the settings authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
settings information text, you can use its Learn more link to open that content.

The following settings details for Windows profiles apply to those deprecated
profiles.

BitLocker – Base Settings


Enable full disk encryption for OS and fixed data drives
CSP: BitLocker - RequireDeviceEncryption

If the drive was encrypted before this policy applied, no extra action is taken. If the
encryption method and options match that of this policy, configuration should
return success. If an in-place BitLocker configuration option doesn't match this
policy, configuration will likely return an error.

To apply this policy to a disk already encrypted, decrypt the drive and reapply the
MDM policy. The Windows default is to not require BitLocker drive encryption.
However, on Azure AD join and Microsoft Account (MSA) registration/login,
automatic encryption can apply, enabling BitLocker with XTS-AES 128-bit encryption.
Not configured (default) - No BitLocker enforcement takes place.
Yes - Enforce use of BitLocker.

Require storage cards to be encrypted (mobile only)


CSP: BitLocker - RequireStorageCardEncryption

This setting only applies to Windows Mobile and Mobile Enterprise SKU devices.
Not configured (default) - The setting returns to the OS default, which is to not
require storage card encryption.
Yes - Encryption on storage cards is required for mobile devices.

Note

Support for Windows 10 Mobile and Windows Phone 8.1 ended in
August of 2020.

Hide prompt about third-party encryption


CSP: BitLocker - AllowWarningForOtherDiskEncryption

If BitLocker is enabled on a system that's already encrypted by a third-party
encryption product, it might render the device unusable. Data loss can occur and
you might need to reinstall Windows. It's highly suggested to never enable
BitLocker on a device that has third-party encryption installed or enabled.

By default, the BitLocker setup wizard prompts users to confirm that no third-party
encryption is in place.
Not configured (default) – The BitLocker setup wizard displays a warning and
prompts users to confirm no third-party encryption is present.
Yes - Hide the BitLocker setup wizard's prompt from users.

If BitLocker silent enable features are required, the third-party encryption warning
must be hidden as any required prompt breaks silent enablement workflows.

When set to Yes, you can then configure the following setting:

Allow standard users to enable encryption during Autopilot


CSP: BitLocker - AllowStandardUserEncryption
Not configured (default) – The setting is left as client default, which is to
require local admin access to enable BitLocker.
Yes - During Azure Active Directory Join (AADJ) silent enable scenarios, users
don't need to be local administrators to enable BitLocker.

For non-silent enablement and Autopilot scenarios, the user must be a local
admin to complete the BitLocker setup wizard.

Configure client-driven recovery password rotation


CSP: BitLocker - ConfigureRecoveryPasswordRotation

Add Work Account (AWA, formerly Workplace Joined) devices aren't supported for
key rotation.
Not configured (default) – The client won’t rotate BitLocker recovery keys.
Disabled
Azure AD-joined devices
Azure AD and Hybrid-joined devices

BitLocker - Fixed Drive Settings


BitLocker fixed drive policy
CSP: BitLocker - EncryptionMethodByDriveType

Fixed drive recovery


CSP: BitLocker - FixedDrivesRecoveryOptions

Control how BitLocker-protected fixed data-drives are recovered in the absence
of the required startup key information.
Not configured (default) - The default recovery options are supported
including the data recovery agent (DRA). The end user can specify recovery
options and recovery information isn't backed up to Azure Active Directory.
Configure – Enable access to configure various drive recovery techniques.

When set to Configure the following settings are available:

User creation of recovery key


Blocked (default)
Required
Allowed

Configure BitLocker recovery package


Password and Key (default) - Include both the BitLocker recovery
password (used by admins and users to unlock protected drives) and the
recovery key packages (used by admins for data recovery purposes) in
Active Directory.
Password only - Only the recovery password is stored; the recovery key
packages might not be accessible when needed.

Require device to back up recovery information to Azure AD


Not configured (default) - BitLocker enablement will complete even if
recovery key backup to Azure AD fails. This can result in no recovery
information being stored externally.
Yes - BitLocker won't complete enablement until recovery keys have been
successfully saved to Azure Active Directory.

User creation of recovery password


Blocked (default)
Required
Allowed

Hide recovery options during BitLocker setup


Not configured (default) - Allow the user to access extra recovery options.
Yes - Block the end user from choosing extra recovery options such as
printing recovery keys during the BitLocker setup wizard.

Enable BitLocker after recovery information to store


Not configured (default)
Yes - By setting this to Yes, BitLocker recovery information will be saved to
Active Directory Domain Services.

Block the use of certificate-based data recovery agent (DRA)


Not configured (default) - Allow the use of DRA to be set up. Setting up
DRA requires an enterprise PKI and Group Policy Objects to deploy the
DRA agent and certificates.
Yes - Block the ability to use Data Recovery Agent (DRA) to recover
BitLocker enabled drives.

Block write access to fixed data-drives not protected by BitLocker


CSP: BitLocker - FixedDrivesRequireEncryption
This setting is available when BitLocker fixed drive policy is set to Configure.
Not configured (default) - Data can be written to non-encrypted fixed drives.
Yes - Windows won't allow any data to be written to fixed drives that aren't
BitLocker protected. If a fixed drive isn't encrypted, the user will need to
complete the BitLocker setup wizard for the drive before write access is
granted.

Configure encryption method for fixed data-drives


CSP: BitLocker - EncryptionMethodByDriveType

Configure the encryption method and cipher strength for fixed data drives.
XTS-AES 128-bit is the Windows default encryption method and the
recommended value.
Not configured (default)
AES 128bit CBC
AES 256bit CBC
AES 128bit XTS
AES 256bit XTS

BitLocker - OS Drive Settings


BitLocker system drive policy
CSP: BitLocker - EncryptionMethodByDriveType
Configure (default)
Not configured
When set to Configure you can configure the following settings:

Startup authentication required


CSP: BitLocker - SystemDrivesRequireStartupAuthentication
Not configured (default)
Yes - Configure the additional authentication requirements at system startup,
including the use of Trusted Platform Module (TPM) or startup PIN
requirements.

When set to Yes you can configure the following settings:

Compatible TPM startup


CSP: BitLocker - SystemDrivesRequireStartupAuthentication

It's recommended to require a TPM for BitLocker. This setting only applies
when first enabling BitLocker and has no effect if BitLocker is already
enabled.
Blocked (default) - BitLocker doesn’t use the TPM.
Required - BitLocker enables only if a TPM is present and usable.
Allowed - BitLocker uses the TPM if it's present.

Compatible TPM startup PIN


CSP: BitLocker - SystemDrivesRequireStartupAuthentication
Blocked (default) - Block the use of a PIN.
Required - Require a PIN and TPM be present to enable BitLocker.
Allowed - BitLocker uses the TPM if it's present and allows a startup PIN
to be configured by the user.

For silent enable scenarios, you must set this to Blocked. Silent enable
scenarios (including Autopilot) won't be successful when user interaction is
required.

Compatible TPM startup key


CSP: BitLocker - SystemDrivesRequireStartupAuthentication
Blocked (default) - Block the use of startup keys.
Required - Require a startup key and TPM be present to enable BitLocker.
Allowed - BitLocker uses the TPM if it's present and allows a startup key
(such as a USB drive) be present to unlock the drives.

For silent enable scenarios, you must set this to Blocked. Silent enable
scenarios (including Autopilot) won't be successful when user interaction is
required.
Compatible TPM startup key and PIN
CSP: BitLocker - SystemDrivesRequireStartupAuthentication
Blocked (default) - Block the use of a startup key and PIN combination.
Required - Require BitLocker have a startup key and PIN present to
become enabled.
Allowed - BitLocker uses the TPM if it's present and allows a startup key
and PIN combination.

For silent enable scenarios, you must set this to Blocked. Silent enable
scenarios (including Autopilot) won't be successful when user interaction is
required.

Disable BitLocker on devices where TPM is incompatible


CSP: BitLocker - SystemDrivesRequireStartupAuthentication

If no TPM is present, BitLocker requires a password or USB drive for startup.

This setting only applies when first enabling BitLocker and has no effect if
BitLocker is already enabled.
Not configured (default)
Yes - Block BitLocker from being configured without a compatible TPM
chip.

Enable preboot recovery message and url


CSP: BitLocker - SystemDrivesRecoveryMessage
Not configured (default) – Use the default BitLocker pre-boot recovery
information.
Yes – Enable the configuration of a custom pre-boot recovery message
and URL to help your users understand how to find their recovery
password. The pre-boot message and URL are seen by users when they're
locked out of their PC in recovery mode.

When set to Yes you can configure the following settings:

Preboot recovery message


Specify a custom pre-boot recovery message.

Preboot recovery url


Specify a custom pre-boot recovery URL.

System drive recovery


CSP: BitLocker - SystemDrivesRecoveryOptions
Not configured (default)
Configure - Enable the configuration of additional settings.
When set to Configure the following settings are available:

User creation of recovery key


Blocked (default)
Required
Allowed

Configure BitLocker recovery package


Password and Key (default) - Include both the BitLocker recovery
password (used by admins and users to unlock protected drives) and
the recovery key packages (used by admins for data recovery purposes)
in Active Directory.
Password only - Only the recovery password is stored; the recovery key
packages might not be accessible when needed.

Require device to back up recovery information to Azure AD


Not configured (default) - BitLocker enablement will complete even if
recovery key backup to Azure AD fails. This can result in no recovery
information being stored externally.
Yes - BitLocker won't complete enablement until recovery keys have
been successfully saved to Azure Active Directory.

User creation of recovery password


Blocked (default)
Required
Allowed

Hide recovery options during BitLocker setup


Not configured (default) - Allow the user to access extra recovery
options.
Yes - Block the end user from choosing extra recovery options such as
printing recovery keys during the BitLocker setup wizard.

Enable BitLocker after recovery information to store


Not configured (default)
Yes - By setting this to Yes, BitLocker recovery information will be saved
to Active Directory Domain Services.

Block the use of certificate-based data recovery agent (DRA)


Not configured (default) - Allow the use of DRA to be set up. Setting
up DRA requires an enterprise PKI and Group Policy Objects to deploy
the DRA agent and certificates.
Yes - Block the ability to use Data Recovery Agent (DRA) to recover
BitLocker enabled drives.

Minimum PIN length


CSP: BitLocker - SystemDrivesMinimumPINLength

Specify the minimum startup PIN length when TPM + PIN is required during
BitLocker enablement. The PIN length must be between 4 and 20 digits.

If you don't configure this setting, users can configure a startup PIN of any
length (between 4 and 20 digits)

This setting only applies when first enabling BitLocker and has no effect if
BitLocker is already enabled.

Configure encryption method for Operating System drives


CSP: BitLocker - EncryptionMethodByDriveType

Configure the encryption method and cipher strength for OS drives. XTS-AES
128-bit is the Windows default encryption method and the recommended value.
Not configured (default)
AES 128bit CBC
AES 256bit CBC
AES 128bit XTS
AES 256bit XTS
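
To check on a device whether the OS drive settings above produced the intended result, here is an added PowerShell audit (example code, not from the Intune documentation or from the BitLocker module). It assumes the BitLocker module's Get-BitLockerVolume and BackupToAAD-BitLockerKeyProtector cmdlets are available and that a successful Azure AD escrow is recorded as event ID 845 in the Microsoft-Windows-BitLocker/BitLocker Management log; the -SilentEnable switch applies the "TPM startup PIN/key must be Blocked" condition the silent enable notes above describe.

```powershell
#Requires -RunAsAdministrator
# Added example; not code from the Intune documentation.
# Audits the OS drive against the outcome the BitLocker OS drive settings aim for:
# fully encrypted with the recommended XTS-AES 128 method, a TPM-based protector
# (no PIN or startup key when silent enablement is intended), a recovery password
# protector, and evidence that the recovery password was escrowed to Azure AD.
# Assumption: escrow success is logged as event ID 845 in the channel named below.

function Test-OsDriveBitLockerPolicy {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # XTS-AES 128 is the Windows default and the value the article recommends.
        [string]$ExpectedMethod = 'XtsAes128',
        # Silent enable (including Autopilot) needs TPM-only startup: no PIN, no key.
        [switch]$SilentEnable
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
        $findings.Add("VolumeStatus is '$($vol.VolumeStatus)', expected FullyEncrypted.")
    }
    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $findings.Add("ProtectionStatus is '$($vol.ProtectionStatus)'; protectors are not enforced.")
    }
    if ("$($vol.EncryptionMethod)" -ne $ExpectedMethod) {
        $findings.Add("EncryptionMethod is '$($vol.EncryptionMethod)', policy expects $ExpectedMethod.")
    }

    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # The recovery password protector is what gets backed up to Azure AD.
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add('No RecoveryPassword protector; nothing can be escrowed to Azure AD.')
    }

    if ($SilentEnable) {
        if ($types -notcontains 'Tpm') {
            $findings.Add('No TPM-only protector; "Compatible TPM startup" should be Required.')
        }
        $interactive = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
        if ($interactive.Count -gt 0) {
            $findings.Add("Interactive startup protector(s) present ($($interactive -join ', ')); " +
                          'set the TPM startup PIN/key settings to Blocked for silent enable.')
        }
    }

    # Evidence of escrow: event 845 is written when recovery info is saved to Azure AD.
    $escrow = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $escrow) {
        $findings.Add('No Azure AD escrow event (845) found; "Require device to back up ' +
                      'recovery information to Azure AD" is not satisfied on this device.')
    }

    [pscustomobject]@{
        MountPoint   = $MountPoint
        Compliant    = ($findings.Count -eq 0)
        Protectors   = $types
        LastEscrowAt = if ($escrow) { $escrow.TimeCreated } else { $null }
        Findings     = $findings.ToArray()
    }
}

function Backup-OsDriveRecoveryPasswordToAzureAD {
    # Remediation: re-escrow every recovery password protector on the OS drive,
    # which is what a device that enabled BitLocker before the policy applied needs.
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $vol.KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } |
        ForEach-Object {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $_.KeyProtectorId -ErrorAction Stop
            "Escrowed protector $($_.KeyProtectorId) for $MountPoint"
        }
}

# Usage: report first, then remediate only the escrow gap.
$report = Test-OsDriveBitLockerPolicy -SilentEnable
$report | Format-List
if (-not $report.LastEscrowAt -and $report.Protectors -contains 'RecoveryPassword') {
    Backup-OsDriveRecoveryPasswordToAzureAD
}
```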

BitLocker - Removable Drive Settings


BitLocker removable drive policy
CSP: BitLocker - EncryptionMethodByDriveType
Not configured (default)
Configure

When set to Configure you can configure the following settings.

Configure encryption method for removable data-drives


CSP: BitLocker - EncryptionMethodByDriveType

Select the desired encryption method for removable data drives.

Not configured (default)
AES 128bit CBC
AES 256bit CBC
AES 128bit XTS
AES 256bit XTS

Block write access to removable data-drives not protected by BitLocker

CSP: BitLocker - RemovableDrivesRequireEncryption
Not configured (default) - Data can be written to non-encrypted removable
drives.
Yes - Windows doesn't allow data to be written to removable drives that
aren't BitLocker protected. If an inserted removable drive isn't encrypted, the
user must complete the BitLocker setup wizard before write access is granted
to the drive.

Block write access to devices configured in another organization


CSP: BitLocker - RemovableDrivesRequireEncryption
Not configured (default) - Any BitLocker encrypted drive can be used.
Yes - Block write access to removable drives unless they were encrypted on a
computer owned by your organization.

Next steps
Endpoint security policy for disk encryption

Firewall policy settings for endpoint
security in Intune
Article • 02/22/2023

View the settings you can configure in profiles for Firewall policy in the endpoint
security node of Intune as part of an Endpoint security policy.

Applies to:

macOS
Windows 10
Windows 11

Note

Beginning on April 5, 2022, the Firewall profiles for the Windows 10 and later
platform were replaced by the Windows 10, Windows 11, and Windows Server
platform and new instances of those same profiles. Profiles created after that date
use a new settings format as found in the Settings Catalog. With this change you
can no longer create new versions of the old profile and they are no longer being
developed. Although you can no longer create new instances of the older profile,
you can continue to edit and use instances of it that you previously created.

For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the settings authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
settings information text, you can use its Learn more link to open that content.

The settings details for Windows profiles in this article apply to those deprecated
profiles.

Supported platforms and profiles:

macOS:
Profile: macOS firewall

Windows 10 and later:


Profile: Microsoft Defender Firewall
macOS firewall profile

Firewall
The following settings are configured as Endpoint Security policy for macOS Firewalls

Enable Firewall
Not configured (default)
Yes - Enable the firewall.

When set to Yes, you can configure the following settings.

Block all incoming connections


Not configured (default)
Yes - Block all incoming connections except connections that are required for
basic Internet services such as DHCP, Bonjour, and IPSec. This blocks all
sharing services.

Enable stealth mode


Not configured (default)
Yes - Prevent the computer from responding to probing requests. The
computer still answers incoming requests for authorized apps.

Firewall apps
Expand the dropdown and then select Add to specify apps and the
rules for incoming connections for each app.

Allow incoming connections


Not configured
Block
Allow

Bundle ID - The ID identifies the app. For example: com.apple.app

Microsoft Defender Firewall profile

Microsoft Defender Firewall


The following settings are configured as Endpoint Security policy for Windows Firewalls.

Stateful File Transfer Protocol (FTP)

CSP: MdmStore/Global/DisableStatefulFtp
Not configured (default)
Allow - The firewall performs stateful File Transfer Protocol (FTP) filtering to
allow secondary connections.
Disabled - Stateful FTP is disabled.

Number of seconds a security association can be idle before it's deleted

CSP: MdmStore/Global/SaIdleTime

Specify a time in seconds between 300 and 3600, for how long the security
associations are kept after network traffic isn't seen.

If you don't specify any value, the system deletes a security association after it's
been idle for 300 seconds.

Preshared key encoding

CSP: MdmStore/Global/PresharedKeyEncoding

If you don't require UTF-8, preshared keys are initially encoded using UTF-8. After
that, device users can choose another encoding method.
Not configured (default)
None
UTF8

No exemptions for Firewall IP sec

Not configured (default) - When not configured, you'll have access to the
following IP sec exemption settings that you can configure individually.

Yes - Turn off all Firewall IP sec exemptions. The following settings aren't
available to configure.

Firewall IP sec exemptions allow neighbor discovery

CSP: MdmStore/Global/IPsecExempt
Not configured (default)
Yes - Firewall IPsec exemptions allow neighbor discovery.

Firewall IP sec exemptions allow ICMP

CSP: MdmStore/Global/IPsecExempt
Not configured (default)
Yes - Firewall IPsec exemptions allow ICMP.

Firewall IP sec exemptions allow router discovery

CSP: MdmStore/Global/IPsecExempt
Not configured (default)
Yes - Firewall IPsec exemptions allow router discovery.

Firewall IP sec exemptions allow DHCP

CSP: MdmStore/Global/IPsecExempt
Not configured (default)
Yes - Firewall IPsec exemptions allow DHCP.

Certificate revocation list (CRL) verification

CSP: MdmStore/Global/CRLcheck

Specify how certificate revocation list (CRL) verification is enforced.


Not configured (default) - Use the client default, which is to disable CRL
verification.
None
Attempt
Require

Require keying modules to only ignore the authentication suites they don’t
support

CSP: MdmStore/Global/OpportunisticallyMatchAuthSetPerKM
Not configured (default)
Disabled
Enabled - Keying modules ignore unsupported authentication suites.

Packet queuing

CSP: MdmStore/Global/EnablePacketQueue

Specify how to enable scaling for the software on the receive side for the
encrypted receive and clear text forward for the IPsec tunnel gateway scenario.
This ensures the packet order is preserved.
Not configured (default) - Packet queuing is returned to the client default,
which is disabled.
Disabled
Queue Inbound
Queue Outbound
Queue Both

Turn on Microsoft Defender Firewall for domain networks

CSP: EnableFirewall
Not configured (default) - The client returns to its default, which is to enable the
firewall.
Yes - The Microsoft Defender Firewall for the network type of domain is turned
on and enforced. You also gain access to additional settings for this network.
No - Disable the firewall.
Additional settings for this network, when set to Yes:

Block stealth mode

CSP: DisableStealthMode

By default, stealth mode is enabled on devices. It helps prevent malicious users
from discovering information about network devices and the services they run.
Disabling stealth mode can make devices vulnerable to attack.
Not configured (default)
Yes
No

Enable shielded mode

CSP: Shielded
Not configured (default) - Use the client default, which is to disable shielded
mode.
Yes - The machine is put into shielded mode, which isolates it from the
network. All traffic is blocked.
No

Block unicast responses to multicast broadcasts

CSP: DisableUnicastResponsesToMulticastBroadcast
Not configured (default) - The setting returns to the client default, which is
to allow unicast responses.
Yes - Unicast responses to multicast broadcasts are blocked.
No - Enforce the client default, which is to allow unicast responses.

Disable inbound notifications

CSP: DisableInboundNotifications
Not configured (default) - The setting returns to the client default, which is
to allow the user notification.
Yes - User notification is suppressed when an application is blocked by an
inbound rule.
No - User notifications are allowed.

Block outbound connections

This setting applies to Windows version 1809 and later.

CSP: DefaultOutboundAction

This rule is evaluated at the very end of the rule list.

Not configured (default) - The setting returns to the client default, which is
to allow connections.
Yes - All outbound connections that don't match an outbound rule are
blocked.
No - All connections that don't match an outbound rule are allowed.

Block inbound connections

CSP: DefaultInboundAction

This default action is evaluated at the very end of the rule list, after every inbound rule.

Not configured (default) - The setting returns to the client default, which is
to block connections.
Yes - All inbound connections that don't match an inbound rule are blocked.
No - All connections that don't match an inbound rule are allowed.

Ignore authorized application firewall rules

CSP: AuthAppsAllowUserPrefMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - Authorized application firewall rules in the local store are ignored.
No - Authorized application firewall rules are honored.

Ignore global port firewall rules

CSP: GlobalPortsAllowUserPrefMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - Global port firewall rules in the local store are ignored.
No - The global port firewall rules are honored.

Ignore all local firewall rules

CSP: IPsecExempt
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - All firewall rules in the local store are ignored.
No - The firewall rules in the local store are honored.

Ignore connection security rules

CSP: AllowLocalIpsecPolicyMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - IPsec firewall rules in the local store are ignored.
No - IPsec firewall rules in the local store are honored.

Turn on Microsoft Defender Firewall for private networks

CSP: EnableFirewall
Not configured (default) - The client returns to its default, which is to enable the
firewall.
Yes - The Microsoft Defender Firewall for the network type of private is turned
on and enforced. You also gain access to additional settings for this network.
No - Disable the firewall.

Additional settings for this network, when set to Yes:

Block stealth mode

CSP: DisableStealthMode

By default, stealth mode is enabled on devices. It helps prevent malicious users
from discovering information about network devices and the services they run.
Disabling stealth mode can make devices vulnerable to attack.
Not configured (default)
Yes
No

Enable shielded mode

CSP: Shielded
Not configured (default) - Use the client default, which is to disable shielded
mode.
Yes - The machine is put into shielded mode, which isolates it from the
network. All traffic is blocked.
No

Block unicast responses to multicast broadcasts

CSP: DisableUnicastResponsesToMulticastBroadcast
Not configured (default) - The setting returns to the client default, which is
to allow unicast responses.
Yes - Unicast responses to multicast broadcasts are blocked.
No - Enforce the client default, which is to allow unicast responses.

Disable inbound notifications

CSP: DisableInboundNotifications
Not configured (default) - The setting returns to the client default, which is
to allow the user notification.
Yes - User notification is suppressed when an application is blocked by an
inbound rule.
No - User notifications are allowed.

Block outbound connections

This setting applies to Windows version 1809 and later.

CSP: DefaultOutboundAction

This default action is evaluated at the very end of the rule list, after every outbound rule.

Not configured (default) - The setting returns to the client default, which is
to allow connections.
Yes - All outbound connections that don't match an outbound rule are
blocked.
No - All connections that don't match an outbound rule are allowed.

Block inbound connections

CSP: DefaultInboundAction

This default action is evaluated at the very end of the rule list, after every inbound rule.

Not configured (default) - The setting returns to the client default, which is
to block connections.
Yes - All inbound connections that don't match an inbound rule are blocked.
No - All connections that don't match an inbound rule are allowed.

Ignore authorized application firewall rules

CSP: AuthAppsAllowUserPrefMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - Authorized application firewall rules in the local store are ignored.
No - Authorized application firewall rules are honored.

Ignore global port firewall rules

CSP: GlobalPortsAllowUserPrefMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - Global port firewall rules in the local store are ignored.
No - The global port firewall rules are honored.

Ignore all local firewall rules

CSP: IPsecExempt
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - All firewall rules in the local store are ignored.
No - The firewall rules in the local store are honored.

Ignore connection security rules

CSP: AllowLocalIpsecPolicyMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - IPsec firewall rules in the local store are ignored.
No - IPsec firewall rules in the local store are honored.

Turn on Microsoft Defender Firewall for public networks

CSP: EnableFirewall
Not configured (default) - The client returns to its default, which is to enable the
firewall.
Yes - The Microsoft Defender Firewall for the network type of public is turned
on and enforced. You also gain access to additional settings for this network.
No - Disable the firewall.

Additional settings for this network, when set to Yes:

Block stealth mode

CSP: DisableStealthMode

By default, stealth mode is enabled on devices. It helps prevent malicious users
from discovering information about network devices and the services they run.
Disabling stealth mode can make devices vulnerable to attack.
Not configured (default)
Yes
No

Enable shielded mode

CSP: Shielded
Not configured (default) - Use the client default, which is to disable shielded
mode.
Yes - The machine is put into shielded mode, which isolates it from the
network. All traffic is blocked.
No

Block unicast responses to multicast broadcasts

CSP: DisableUnicastResponsesToMulticastBroadcast
Not configured (default) - The setting returns to the client default, which is
to allow unicast responses.
Yes - Unicast responses to multicast broadcasts are blocked.
No - Enforce the client default, which is to allow unicast responses.

Disable inbound notifications

CSP: DisableInboundNotifications
Not configured (default) - The setting returns to the client default, which is
to allow the user notification.
Yes - User notification is suppressed when an application is blocked by an
inbound rule.
No - User notifications are allowed.

Block outbound connections

This setting applies to Windows version 1809 and later.

CSP: DefaultOutboundAction

This default action is evaluated at the very end of the rule list, after every outbound rule.

Not configured (default) - The setting returns to the client default, which is
to allow connections.
Yes - All outbound connections that don't match an outbound rule are
blocked.
No - All connections that don't match an outbound rule are allowed.

Block inbound connections

CSP: DefaultInboundAction

This default action is evaluated at the very end of the rule list, after every inbound rule.

Not configured (default) - The setting returns to the client default, which is
to block connections.
Yes - All inbound connections that don't match an inbound rule are blocked.
No - All connections that don't match an inbound rule are allowed.

Ignore authorized application firewall rules

CSP: AuthAppsAllowUserPrefMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - Authorized application firewall rules in the local store are ignored.
No - Authorized application firewall rules are honored.

Ignore global port firewall rules

CSP: GlobalPortsAllowUserPrefMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - Global port firewall rules in the local store are ignored.
No - The global port firewall rules are honored.

Ignore all local firewall rules

CSP: IPsecExempt
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - All firewall rules in the local store are ignored.
No - The firewall rules in the local store are honored.

Ignore connection security rules

CSP: AllowLocalIpsecPolicyMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - IPsec firewall rules in the local store are ignored.
No - IPsec firewall rules in the local store are honored.

Microsoft Defender Firewall rules

This profile is in Preview.

The following settings are configured as Endpoint Security policy for Windows Firewalls.

Windows Firewall Rule

Name

Specify a friendly name for your rule. This name will appear in the list of rules to
help you identify it.

Description

Provide a description of the rule.

Direction
Not configured (default) - This rule defaults to outbound traffic.
Out - This rule applies to outbound traffic.
In - This rule applies to inbound traffic.

Action
Not configured (default) - The rule defaults to allow traffic.
Blocked - Traffic is blocked in the Direction you've configured.
Allowed - Traffic is allowed in the Direction you've configured.

Network type

Specify the network type to which the rule belongs. You can choose one or more
of the following. If you don't select an option, the rule applies to all network types.
Domain
Private
Public
Not configured
Application settings
Applications targeted with this rule:

Package family name

Package family names can be retrieved by running the Get-AppxPackage
command from PowerShell.

File path

CSP: FirewallRules/FirewallRuleName/App/FilePath

To specify the file path of an app, enter the app's location on the client device. For
example: C:\Windows\System\Notepad.exe

Service name

CSP: FirewallRules/FirewallRuleName/App/ServiceName

Use a Windows service short name when a service, not an application, is sending or
receiving traffic. Service short names are retrieved by running the Get-Service
command from PowerShell.

Port and protocol settings

Specify the local and remote ports to which this rule applies:

Protocol

CSP: FirewallRules/FirewallRuleName/Protocol

Specify the protocol for this port rule.

Transport layer protocols like TCP (6) and UDP (17) allow you to specify ports or
port ranges.
For custom protocols, enter a number between 0 and 255 that represents the IP
protocol.
When nothing is specified, the rule defaults to Any.
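An added example (not code from the Intune documentation or from Windows Firewall itself) that applies the protocol and port constraints above: a protocol is an IP protocol number from 0 to 255, ports or port ranges are only meaningful for TCP (6) and UDP (17), and an unspecified protocol means Any. The comma-separated port syntax, the 0 to 65535 port bound, and the rule that an unspecified protocol cannot carry ports are assumptions of this example.

```python
from typing import List, Optional, Tuple

TCP, UDP = 6, 17  # IP protocol numbers whose headers carry port information


def parse_port_list(spec: str) -> List[Tuple[int, int]]:
    """Parse single ports and 'start-end' ranges into (low, high) tuples.

    The comma-separated syntax and the 0-65535 bound are assumptions of this
    example; the page only says ports or port ranges may be given.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        low_s, sep, high_s = item.partition("-")
        low = int(low_s)
        high = int(high_s) if sep else low
        if not (0 <= low <= high <= 65535):
            raise ValueError(f"port entry out of range or reversed: {item!r}")
        ranges.append((low, high))
    return ranges


def validate_port_rule(protocol: Optional[int], ports: Optional[str] = None) -> dict:
    """Return a normalized description of the protocol/port part of a rule."""
    if protocol is None:
        # Nothing specified: the rule applies to any protocol, so ports make no sense.
        if ports:
            raise ValueError("ports require a transport protocol (TCP or UDP)")
        return {"protocol": "any", "ports": None}
    if not 0 <= protocol <= 255:
        raise ValueError(f"protocol must be an IP protocol number 0-255, got {protocol}")
    if ports and protocol not in (TCP, UDP):
        raise ValueError(f"protocol {protocol} carries no ports; only TCP (6) and UDP (17) do")
    return {"protocol": protocol, "ports": parse_port_list(ports) if ports else None}


def is_valid_port_rule(protocol: Optional[int], ports: Optional[str] = None) -> bool:
    """Convenience wrapper: True when validate_port_rule accepts the input."""
    try:
        validate_port_rule(protocol, ports)
        return True
    except ValueError:
        return False
```

Calling `validate_port_rule(17, "53, 5000-5010")` yields the UDP protocol with two port ranges, while `validate_port_rule(1, "80")` is rejected because ICMP (1) carries no ports.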

Interface types

Specify the interface types to which the rule belongs. You can choose one or more
of the following. If you don't select an option, the rule applies to all interface types:
Remote access
Wireless
Local area network
Not configured

Authorized users

CSP: FirewallRules/FirewallRuleName/LocalUserAuthorizationList

Specify a list of authorized local users for this rule. A list of authorized users can't
be specified if Service name in this policy is set as a Windows service. If no
authorized user is specified, the default is all users.

IP address settings
Specifies the local and remote addresses to which this rule applies:

Any local address

Not configured (default) - Use the following setting, Local address ranges, to
configure a range of addresses to support.
Yes - Support any local address and don't configure an address range.

Local address ranges

CSP: FirewallRules/FirewallRuleName/LocalAddressRanges

Manage local address ranges for this rule. You can:

Add one or more addresses as a comma-separated list of local addresses that
are covered by the rule.
Import a .csv file that contains a list of addresses to use as local address ranges.
Export your current list of local address ranges as a .csv file.

Valid entries (tokens) include the following options:

An asterisk - An asterisk (*) indicates any local address. If present, the asterisk
must be the only token included.
A subnet - Specify subnets by using the subnet mask or network prefix
notation. If a subnet mask or network prefix isn't specified, the subnet mask
defaults to 255.255.255.255.
A valid IPv6 address
An IPv4 address range - IPv4 ranges must be in the format start address-end
address, with no spaces included, where the start address is less than the
end address.
An IPv6 address range - IPv6 ranges must be in the format start address-end
address, with no spaces included, where the start address is less than the
end address.

When no value is specified, this setting defaults to use Any address.

Any remote address

Not configured (default) - Use the following setting, Remote address ranges, to
configure a range of addresses to support.
Yes - Support any remote address and don't configure an address range.

Remote address ranges

CSP: FirewallRules/FirewallRuleName/RemoteAddressRanges

Manage remote address ranges for this rule. You can:

Add one or more addresses as a comma-separated list of remote addresses that
are covered by the rule.
Import a .csv file that contains a list of addresses to use as remote address
ranges.
Export your current list of remote address ranges as a .csv file.

Valid entries (tokens) include the following and aren't case-sensitive:

An asterisk - An asterisk (*) indicates any remote address. If present, the asterisk
must be the only token included.
Defaultgateway
DHCP
DNS
WINS
Intranet - Supported on devices that run Windows 1809 or later.
RmtIntranet - Supported on devices that run Windows 1809 or later.
Ply2Renders - Supported on devices that run Windows 1809 or later.
LocalSubnet - Indicates any local address on the local subnet.
A subnet - Specify subnets by using the subnet mask or network prefix
notation. If a subnet mask or a network prefix isn't specified, the subnet mask
defaults to 255.255.255.255.
A valid IPv6 address
An IPv4 address range - IPv4 ranges must be in the format start address-end
address, with no spaces included, where the start address is less than the
end address.
An IPv6 address range - IPv6 ranges must be in the format start address-end
address, with no spaces included, where the start address is less than the
end address.

When no value is specified, this setting defaults to use Any address.
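The local and remote address lists above share one token grammar, with the remote list adding the keyword tokens. The following Python validator is an added example covering both lists; it is not Intune's or Windows Firewall's own parser. It classifies each token, rejects a list in which the asterisk is not the only token, enforces the no-spaces and start-less-than-end rules for ranges, accepts keywords only for the remote list and case-insensitively, and treats a bare IPv4 address as a subnet with the 255.255.255.255 mask. Tolerating whitespace around tokens and host bits set in a subnet address are assumptions of this example.

```python
import ipaddress
from typing import List, Tuple

# Keywords the page lists for remote address ranges; matched case-insensitively.
# Intranet, RmtIntranet and Ply2Renders need Windows 1809 or later.
REMOTE_KEYWORDS = {
    "defaultgateway", "dhcp", "dns", "wins",
    "intranet", "rmtintranet", "ply2renders", "localsubnet",
}


def _valid_range(token: str, version: int) -> bool:
    """'start-end' with no spaces, both addresses of `version`, start < end."""
    if " " in token:
        return False
    start_s, sep, end_s = token.partition("-")
    if not sep:
        return False
    try:
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
    except ValueError:
        return False
    return start.version == end.version == version and start < end


def classify_token(raw: str, scope: str) -> str:
    """Return the token category, or raise ValueError if the token is invalid."""
    token = raw.strip()
    if not token:
        raise ValueError("empty token")
    if token == "*":
        return "any"
    if scope == "remote" and token.lower() in REMOTE_KEYWORDS:
        return "keyword"
    if "-" in token:                      # IPv6 text never contains '-'
        version = 6 if ":" in token else 4
        if _valid_range(token, version):
            return f"ipv{version}-range"
        raise ValueError(f"bad address range: {raw!r}")
    if ":" in token:
        try:
            ipaddress.IPv6Address(token)
        except ValueError:
            raise ValueError(f"bad IPv6 address: {raw!r}") from None
        return "ipv6-address"
    try:
        # Accepts 10.0.0.0/24, 10.0.0.0/255.255.255.0 and a bare host address,
        # which the page says gets the 255.255.255.255 mask (a /32).
        # strict=False tolerates host bits in the address (example assumption).
        ipaddress.IPv4Network(token, strict=False)
    except ValueError:
        raise ValueError(f"bad IPv4 subnet: {raw!r}") from None
    return "ipv4-subnet"


def validate_address_list(value: str, scope: str) -> List[Tuple[str, str]]:
    """Validate a comma-separated address list for scope 'local' or 'remote'.

    Returns (token, category) pairs; an empty list means 'Any address'.
    """
    if scope not in ("local", "remote"):
        raise ValueError("scope must be 'local' or 'remote'")
    if not value.strip():
        return []
    results = [(t.strip(), classify_token(t, scope)) for t in value.split(",")]
    if len(results) > 1 and any(cat == "any" for _, cat in results):
        raise ValueError("'*' must be the only token in the list")
    return results


def is_valid_address_list(value: str, scope: str) -> bool:
    """Convenience wrapper: True when validate_address_list accepts the input."""
    try:
        validate_address_list(value, scope)
        return True
    except ValueError:
        return False
```

Note that `LocalSubnet` is a valid remote token but fails as a local token, and `10.0.0.1 - 10.0.0.9` fails in both scopes because of the embedded spaces, which is exactly the behaviour the token rules above describe.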

Next steps
Endpoint security policy for firewalls

Firewall policy settings for tenant attached devices in Microsoft Intune
Article • 02/21/2023

View the Microsoft Windows Defender Firewall settings you can manage with the
Microsoft Defender Firewall (ConfigMgr) (preview) profile from Intune. The profile is
available when you configure Intune Firewall policy, and the policy deploys to devices
you manage with Configuration Manager when you've configured the tenant attach
scenario.

Microsoft Defender Firewall

Certificate revocation list verification (Device)

CSP: MdmStore/Global/CRLcheck

Specify how certificate revocation list (CRL) verification is enforced.

Not configured (default) - Use the client default, which is to disable CRL
verification.
None
Attempt
Require

Disable Stateful Ftp (Device)

CSP: MdmStore/Global/DisableStatefulFtp
Not configured (default)
True - Stateful FTP is disabled
False - The firewall performs stateful File Transfer Protocol (FTP) filtering to
allow secondary connections.

Enable Packet Queue (Device)

CSP: MdmStore/Global/EnablePacketQueue

Select from the following options to configure scaling for the software on the
receive side for the encrypted receive and clear text forward for the IPsec tunnel
gateway scenario. This ensures the packet order is preserved. By default, no
options are selected.
Disabled
Queue Inbound
Queue Outbound

IPsec Exceptions (Device)

CSP: MdmStore/Global/IPsecExempt

Select from the following options to configure IPsec exceptions.

Exempt neighbor discover IPv6 ICMP type-codes from IPsec
Exempt ICMP from IPsec
Exempt router discover IPv6 ICMP type-codes from IPsec
Exempt both IPv4 and IPv6 DHCP traffic from IPsec

Opportunistically Match Auth Set Per KM (Device)

CSP: OpportunisticallyMatchAuthSetPerKM
Not configured (default)
True
False

Preshared Key Encoding (Device)

CSP: MdmStore/Global/PresharedKeyEncoding
Not configured (default)
None
UTF8

Security association idle time (Device)

CSP: MdmStore/Global/SaIdleTime

Specify a time in seconds between 300 and 3600, for how long the security
associations are kept after network traffic isn't seen. If you don't specify any value,
the system deletes a security association after it's been idle for 300 seconds.

Domain Profile
Enable Domain Network Firewall (Device)

CSP: EnableFirewall
Not configured (default) - The client returns to its default, which is to enable the
firewall.
True - The Microsoft Defender Firewall for the network type of domain is turned
on and enforced.
False - Disable the firewall.

When set to True, you can then configure the following settings for this firewall
profile type:

Allow Local Ipsec Policy Merge (Device)

CSP: AllowLocalIpsecPolicyMerge
Not configured (default)
True
False - Connection security rules from the local store are ignored and not
enforced.

Allow Local Policy Merge (Device)

CSP: AllowLocalPolicyMerge
Not configured (default)
True
False - Firewall rules from the local store are ignored and not enforced.

Auth Apps Allow User Pref Merge (Device)

CSP: AuthAppsAllowUserPrefMerge
Not configured (default)
True
False

Default Inbound Action for Domain Profile (Device)

CSP: DefaultInboundAction
Not configured (default)
Allow
Block

Default Outbound Action (Device)

CSP: DefaultOutboundAction
Allow
Block

Disable Inbound Notifications (Device)

CSP: DisableInboundNotifications
Not configured (default)
True - The firewall won't display a notification to the user when an
application is blocked from listening on a port.
False - The firewall might display a notification to the user when an
application is blocked from listening on a port.

Disable Stealth Mode (Device)

CSP: DisableStealthMode
Not configured (default)
True
False - The server operates in stealth mode. The firewall rules used to enforce
stealth mode are implementation-specific.

Disable Unicast Responses To Multicast Broadcast (Device)

CSP: DisableUnicastResponsesToMulticastBroadcast
Not configured (default)
True - Unicast response to multicast broadcast traffic is blocked.
False

Global Ports Allow User Pref Merge (Device)

CSP: GlobalPortsAllowUserPrefMerge
Not configured (default)
True
False - Global port firewall rules in the local store are ignored and not
enforced.

Shielded (Device)

CSP: Shielded
Not configured (default)
True - The server blocks all incoming traffic regardless of other policy
settings.
False

Private Profile
Enable Private Network Firewall (Device)

CSP: EnableFirewall
Not configured (default) - The client returns to its default, which is to enable the
firewall.
True - The Microsoft Defender Firewall for the network type of private is turned
on and enforced.
False - Disable the firewall.

When set to True, you can then configure the following settings for this firewall
profile type:

Allow Local Ipsec Policy Merge (Device)

CSP: AllowLocalIpsecPolicyMerge
Not configured (default)
True
False - Connection security rules from the local store are ignored and not
enforced.

Allow Local Policy Merge (Device)

CSP: AllowLocalPolicyMerge
Not configured (default)
True
False - Firewall rules from the local store are ignored and not enforced.

Auth Apps Allow User Pref Merge (Device)

CSP: AuthAppsAllowUserPrefMerge
Not configured (default)
True
False

Default Inbound Action for Private Profile (Device)

CSP: DefaultInboundAction
Not configured (default)
Allow
Block

Default Outbound Action (Device)

CSP: DefaultOutboundAction
Allow
Block

Disable Inbound Notifications (Device)

CSP: DisableInboundNotifications
Not configured (default)
True - The firewall won't display a notification to the user when an
application is blocked from listening on a port.
False - The firewall might display a notification to the user when an
application is blocked from listening on a port.

Disable Stealth Mode (Device)

CSP: DisableStealthMode
Not configured (default)
True
False - The server operates in stealth mode. The firewall rules used to enforce
stealth mode are implementation-specific.

Disable Unicast Responses To Multicast Broadcast (Device)

CSP: DisableUnicastResponsesToMulticastBroadcast
Not configured (default)
True - Unicast response to multicast broadcast traffic is blocked.
False

Global Ports Allow User Pref Merge (Device)

CSP: GlobalPortsAllowUserPrefMerge
Not configured (default)
True
False - Global port firewall rules in the local store are ignored and not
enforced.

Shielded (Device)

CSP: Shielded
Not configured (default)
True - The server blocks all incoming traffic regardless of other policy
settings.
False

Public Profile
Enable Public Network Firewall (Device)

CSP: EnableFirewall
Not configured (default) - The client returns to its default, which is to enable the
firewall.
True - The Microsoft Defender Firewall for the network type of public is turned
on and enforced.
False - Disable the firewall.

When set to True, you can then configure the following settings for this firewall
profile type:

Allow Local Ipsec Policy Merge (Device)

CSP: AllowLocalIpsecPolicyMerge
Not configured (default)
True
False - Connection security rules from the local store are ignored and not
enforced.

Allow Local Policy Merge (Device)

CSP: AllowLocalPolicyMerge
Not configured (default)
True
False - Firewall rules from the local store are ignored and not enforced.

Auth Apps Allow User Pref Merge (Device)

CSP: AuthAppsAllowUserPrefMerge
Not configured (default)
True
False

Default Inbound Action for Public Profile (Device)

CSP: DefaultInboundAction
Not configured (default)
Allow
Block

Default Outbound Action (Device)

CSP: DefaultOutboundAction
Allow
Block

Disable Inbound Notifications (Device)

CSP: DisableInboundNotifications
Not configured (default)
True - The firewall won't display a notification to the user when an
application is blocked from listening on a port.
False - The firewall might display a notification to the user when an
application is blocked from listening on a port.

Disable Stealth Mode (Device)

CSP: DisableStealthMode
Not configured (default)
True
False - The server operates in stealth mode. The firewall rules used to enforce
stealth mode are implementation-specific.

Disable Unicast Responses To Multicast Broadcast (Device)

CSP: DisableUnicastResponsesToMulticastBroadcast
Not configured (default)
True - Unicast response to multicast broadcast traffic is blocked.
False

Global Ports Allow User Pref Merge (Device)

CSP: GlobalPortsAllowUserPrefMerge
Not configured (default)
True
False - Global port firewall rules in the local store are ignored and not
enforced.

Shielded (Device)

CSP: Shielded
Not configured (default)
True - The server blocks all incoming traffic regardless of other policy
settings.
False
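The per-network settings listed above (EnableFirewall, Shielded, DefaultInboundAction, DefaultOutboundAction, AllowLocalPolicyMerge) are the same ones described earlier on this page for the MDM firewall profile, and they interact: shielded mode wins over every rule, rules from the local store disappear when local policy merge is turned off, and the default action applies only when no rule matches. The following Python model is an added example, not code from Intune or from Windows Firewall; the Rule and NetworkProfile types and the evaluate function are constructed for illustration, and the precedence of an explicit block rule over an allow rule is a property of Windows Firewall that this page does not itself state.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule. Constructed for this example; not the CSP schema."""
    name: str
    direction: str                  # "in" or "out"
    action: str                     # "allow" or "block"
    protocol: Optional[int] = None  # 6 = TCP, 17 = UDP, None = any protocol
    port: Optional[int] = None      # local port; None = any port
    store: str = "policy"           # "policy" (delivered by Intune) or "local" (local store)


@dataclass
class NetworkProfile:
    """Settings for one network type (domain, private or public)."""
    enable_firewall: bool = True            # EnableFirewall (client default: enabled)
    shielded: bool = False                  # Shielded (client default: off)
    default_inbound_action: str = "block"   # DefaultInboundAction (client default: block)
    default_outbound_action: str = "allow"  # DefaultOutboundAction (client default: allow)
    allow_local_policy_merge: bool = True   # AllowLocalPolicyMerge; False ignores local-store rules
    rules: List[Rule] = field(default_factory=list)


def evaluate(profile: NetworkProfile, direction: str,
             protocol: int, port: int) -> Tuple[str, str]:
    """Decide allow/block for one connection and say which setting decided it."""
    if not profile.enable_firewall:
        return "allow", "firewall is disabled for this network type"
    if profile.shielded and direction == "in":
        return "block", "Shielded: all incoming traffic is blocked regardless of other settings"
    # Rules from the local store are only consulted while local policy merge is allowed.
    visible = [r for r in profile.rules
               if r.store == "policy" or profile.allow_local_policy_merge]
    matches = [r for r in visible if r.direction == direction
               and r.protocol in (None, protocol) and r.port in (None, port)]
    # Windows Firewall lets an explicit block rule override an allow rule
    # (a property of the firewall, not stated on this page).
    for rule in matches:
        if rule.action == "block":
            return "block", f"matched block rule {rule.name!r}"
    for rule in matches:
        if rule.action == "allow":
            return "allow", f"matched allow rule {rule.name!r}"
    # No rule matched: the default action is evaluated at the very end of the rule list.
    if direction == "in":
        return profile.default_inbound_action, "no matching rule; DefaultInboundAction applied"
    return profile.default_outbound_action, "no matching rule; DefaultOutboundAction applied"


if __name__ == "__main__":
    # Constructed sample: two policy rules plus one rule that lives only in the local store.
    domain = NetworkProfile(rules=[
        Rule("Web server", "in", "allow", 6, 80),
        Rule("Telnet", "in", "block", 6, 23),
        Rule("Remote Desktop", "in", "allow", 6, 3389, store="local"),
    ])
    for merge in (True, False):
        domain.allow_local_policy_merge = merge
        print(f"AllowLocalPolicyMerge={merge}: TCP/3389 ->", evaluate(domain, "in", 6, 3389))
```

Running the module shows the practical effect of "Ignore all local firewall rules": the locally added Remote Desktop allow rule works while merge is allowed and falls through to the block default as soon as merge is turned off.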

Next steps
Endpoint security policy for firewalls

Endpoint detection and response policy settings for endpoint security in Intune
Article • 02/21/2023

Note

This article details the settings in the Endpoint detection and response profile for
the Windows 10 and later platform for endpoint security Endpoint detection and
response policy. Beginning on April 5, 2022, the Windows 10 and later platform was
replaced by the Windows 10, Windows 11, and Windows Server platform. Although
you can no longer create new instances of the original profile, you can continue to
edit and use your existing profiles. The settings details in this article apply to those
deprecated profiles.

View the settings you can configure in profiles for Endpoint detection and response
policy in the endpoint security node of Intune.

Applies to:

Windows 10
Windows 11

Supported platforms and profiles:

Windows 10 and later: Use this platform for policy you deploy to Windows 10 and
Windows 11 devices managed with Intune.
Profile: Endpoint detection and response (MDM)

Windows 10, Windows 11, and Windows Server (ConfigMgr): Use this platform for
policy you deploy to devices managed by Configuration Manager.
Profile: Endpoint detection and response (ConfigMgr)

Endpoint detection and response (MDM)


Endpoint detection and response:

Microsoft Defender for Endpoint client configuration package type

Upload a signed configuration package that will be used to onboard the Microsoft
Defender for Endpoint client.
Not configured (default)
Onboarding blob
Offboarding blob

When set to Onboarding blob, you can configure the following settings:
Defender for Endpoint onboarding blob

Click Select onboarding file to open the Select onboarding File pane, where you
specify a .onboarding file.

When set to Offboarding blob, you can configure the following settings:
Defender for Endpoint offboarding blob

Click Select offboarding file to open the Select offboarding File pane, where you
specify a .offboarding file.

Sample sharing for all files

Returns or sets the Microsoft Defender for Endpoint Sample Sharing configuration
parameter. Sample Sharing sends a file to Microsoft for deep analysis.
Organizations can disable sample sharing on specific devices that are considered
too sensitive.
Not configured (default)
Yes

Expedite telemetry reporting frequency


Not configured (default)
Yes - Increase the Microsoft Defender for Endpoint telemetry reporting
frequency.

Endpoint detection and response (ConfigMgr)


Endpoint detection and response:

Sample sharing for all files

Returns or sets the Microsoft Defender for Endpoint Sample Sharing configuration
parameter.
Not configured (default)
Yes

Expedite telemetry reporting frequency

Not configured (default)
Yes - Increase the Microsoft Defender for Endpoint telemetry reporting
frequency.

Next steps
Endpoint security policy for EDR

Attack surface reduction policy settings for endpoint security in Intune
Article • 04/18/2023

View the settings you can configure in profiles for Attack surface reduction policy in the
endpoint security node of Intune as part of an Endpoint security policy.

Applies to:

Windows 11
Windows 10

Supported platforms and profiles:

Windows 10 and later - Use this platform for policy you deploy to devices
managed with Intune.
Profile: App and browser isolation
Profile: Application control
Profile: Attack surface reduction rules
Profile: Device control
Profile: Exploit protection
Profile: Web protection (Microsoft Edge Legacy)

Windows 10 and later (ConfigMgr): Use this platform for policy you deploy to
devices managed by Configuration Manager.
Profile: Exploit Protection (ConfigMgr) (preview)
Profile: Web Protection (ConfigMgr) (preview)

Windows 10, Windows 11, and Windows Server: Use this platform for policy you
deploy to devices managed through Security Management for Microsoft Defender
for Endpoint.
Profile: Attack Surface Reduction Rules

Attack surface reduction (MDM)

App and browser isolation profile

Note
This section details the settings in App and browser isolation profiles created
before April 18, 2023. Profiles created after that date use a new settings format as
found in the Settings Catalog. With this change you can no longer create new
versions of the old profile and they are no longer being developed. Although you
can no longer create new instances of the older profile, you can continue to edit
and use instances of it that you previously created.

For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the settings authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
settings information text, you can use its Learn more link to open that content.

App and browser isolation

Turn on Application Guard

CSP: AllowWindowsDefenderApplicationGuard
Not configured (default) - Microsoft Defender Application Guard isn't
configured for Microsoft Edge or isolated Windows environments.
Enabled for Edge - Application Guard opens unapproved sites in a Hyper-V
virtualized browsing container.
Enabled for isolated Windows environments - Application Guard is turned on
for any applications enabled for App Guard within Windows.
Enabled for Edge AND isolated Windows environments - Application Guard is
configured for both scenarios.

Note

If you are deploying Application Guard for Microsoft Edge via Intune,
Windows network isolation policy must be configured as a prerequisite.
Network isolation may be configured via various profiles, including App and
browser isolation under the Windows network isolation setting.

When set to Enabled for Edge or Enabled for Edge AND isolated Windows
environments, the following settings are available, which apply to Edge:

Clipboard behavior

CSP: ClipboardSettings
Choose what copy and paste actions are allowed from the local PC and an
Application Guard virtual browser.
Not configured (default)
Block copy and paste between PC and browser
Allow copy and paste from browser to PC only
Allow copy and paste from PC to browser only
Allow copy and paste between PC and browser

Block external content from non-enterprise approved sites

CSP: BlockNonEnterpriseContent
Not configured (default)
Yes - Block content from unapproved websites from loading.

Collect logs for events that occur within an Application Guard browsing
session

CSP: AuditApplicationGuard
Not configured (default)
Yes - Collect logs for events that occur within an Application Guard virtual
browsing session.

Allow user-generated browser data to be saved

CSP: AllowPersistence
Not configured (default)
Yes - Allow user data that is created during an Application Guard virtual
browsing session to be saved. Examples of user data include passwords,
favorites, and cookies.

Enable hardware graphics acceleration

CSP: AllowVirtualGPU
Not configured (default)
Yes - Within the Application Guard virtual browsing session, use a virtual
graphics processing unit to load graphics-intensive websites faster.

Allow users to download files onto the host

CSP: SaveFilesToHost
Not configured (default)
Yes - Allow users to download files from the virtualized browser onto the
host operating system​.

Application Guard allow camera and microphone access

CSP: AllowCameraMicrophoneRedirection
Not configured (default) - Applications inside Microsoft Defender
Application Guard can't access the camera and microphone on the user’s
device.
Yes - Applications inside Microsoft Defender Application Guard can access
the camera and microphone on the user’s device.
No - Applications inside Microsoft Defender Application Guard can't access
the camera and microphone on the user’s device. This is the same behavior
as Not configured.

Application guard allow print to local printers

Not configured (default)
Yes - Allow printing to local printers.

Application guard allow print to network printers

Not configured (default)
Yes - Allow printing to network printers.

Application guard allow print to PDF

Not configured (default)
Yes - Allow printing to PDF.

Application guard allow print to XPS

Not configured (default)
Yes - Allow printing to XPS.

Application Guard allow use of Root Certificate Authorities from the user's
device

CSP: CertificateThumbprints

Configure certificate thumbprints to automatically transfer the matching root


certificate to the Microsoft Defender Application Guard container.

To add thumbprints one at a time, select Add. You can use Import to specify a .CSV
file that contains multiple thumbprint entries that are all added to the profile at the
same time. When you use a .CSV file, each thumbprint must be separated by a
comma. For example:
b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924

All entries that are listed in the profile are active. You don't need to select a
checkbox for a thumbprint entry to make it active. Instead, use the checkboxes to
help you manage the entries that have been added to the profile. For example, you
can select the checkbox of one or more certificate thumbprint entries and then
Delete those entries from the profile with a single action.
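
As an added example that is not part of the Intune documentation, the following PowerShell builds an Import-ready .CSV in the format described above from root certificates already trusted on an administrator's workstation; the subject filter and output path are placeholders you would replace with your own.

```powershell
# Added example (not from the Intune docs): produce the one-line, comma-separated
# .CSV that the "CertificateThumbprints" Import expects, using only the enterprise
# roots that match a subject filter. Filter and output path are placeholders.
param(
    [string]$SubjectFilter = '*Contoso Root CA*',      # placeholder: your enterprise root CA name
    [string]$OutFile       = '.\appguard-root-thumbprints.csv'
)

# Entries for this setting are SHA-1 thumbprints: exactly 40 hex characters.
$thumbprintPattern = '^[0-9A-Fa-f]{40}$'

$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $SubjectFilter })

if ($roots.Count -eq 0) {
    throw "No root certificates matched '$SubjectFilter'; refusing to write an empty list."
}

$thumbprints = @(foreach ($cert in $roots) {
    $tp = $cert.Thumbprint
    if ($tp -notmatch $thumbprintPattern) {
        Write-Warning "Skipping $($cert.Subject): unexpected thumbprint format '$tp'"
        continue
    }
    # A root transferred into the container is trusted inside it, so review each
    # entry: ship only roots you deliberately operate, never the whole store.
    Write-Host ("{0}  {1}  expires {2:yyyy-MM-dd}" -f $tp, $cert.Subject, $cert.NotAfter)
    $tp
})

# One line, comma-separated, no header or quoting: the documented Import format.
($thumbprints -join ',') | Set-Content -Path $OutFile -Encoding ASCII -NoNewline
Write-Host "Wrote $($thumbprints.Count) thumbprint(s) to $OutFile"
```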

Windows network isolation policy


Not configured (default)
Yes - Configure Windows network isolation policy.

When set to Yes, you can configure the following settings:

IP ranges

Expand the dropdown, select Add, and then specify a lower address and then an
upper address.

Cloud resources

Expand the dropdown, select Add, and then specify an IP address or FQDN and
a Proxy.

Network domains
Expand the dropdown, select Add, and then specify Network domains.

Proxy servers

Expand the dropdown, select Add, and then specify Proxy servers.

Internal proxy servers

Expand the dropdown, select Add, and then specify Internal proxy servers.

Neutral resources

Expand the dropdown, select Add, and then specify Neutral resources.

Disable Auto detection of other enterprise proxy servers


Not configured (default)
Yes - Disable Auto detection of other enterprise proxy servers.

Disable Auto detection of other enterprise IP ranges


Not configured (default)
Yes - Disable Auto detection of other enterprise IP ranges.

Note

After the profile is created, any devices to which the policy should apply will have
Microsoft Defender Application Guard enabled. Users might have to restart their
devices in order for protection to be in place.

Application control profile

Microsoft Defender Application Control


App locker application control

CSP: AppLocker
Not configured (default)
Enforce Components and Store Apps
Audit Components and Store Apps
Enforce Components, Store Apps, and Smartlocker
Audit Components, Store Apps, and Smartlocker

Block users from ignoring SmartScreen warnings

CSP: SmartScreen/PreventOverrideForFilesInShell
Not configured (default) - Users can ignore SmartScreen warnings for files and
malicious apps.
Yes - SmartScreen is enabled and users can't bypass warnings for files or
malicious apps.

Turn on Windows SmartScreen

CSP: SmartScreen/EnableSmartScreenInShell
Not configured (default) - Return the setting to Windows default, which is to
enable SmartScreen, however users may change this setting. To disable
SmartScreen, use a custom URI.
Yes - Enforce the use of SmartScreen for all users.

Attack surface reduction rules profile

Attack Surface Reduction Rules

Note

This section details the settings in Attack Surface Reduction Rules profiles created
before April 5, 2022. Profiles created after that date use a new settings format as
found in the Settings Catalog. With this change you can no longer create new
versions of the old profile and they are no longer being developed. Although you
can no longer create new instances of the older profile, you can continue to edit
and use instances of it that you previously created.

For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the settings authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
settings information text, you can use its Learn more link to open that content.

Block persistence through WMI event subscription

Reduce attack surfaces with attack surface reduction rules

This attack surface reduction (ASR) rule is controlled via the following GUID:
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

This rule prevents malware from abusing WMI to attain persistence on a device.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file
system, and to gain periodic execution control. Some threats can abuse the WMI
repository and event model to stay hidden.
Not configured (default) - The setting returns to the Windows default, which is
off and persistence isn't blocked.
Block - Persistence through WMI is blocked.
Audit - Evaluate how this rule affects your organization if it's enabled (set to
Block).
Disable - Turn this rule off. Persistence is not blocked.

To learn more about this setting, see Block persistence through WMI event
subscription.

Block credential stealing from the Windows local security authority subsystem
(lsass.exe)

Protect devices from exploits

This attack surface reduction (ASR) rule is controlled via the following GUID:
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Not configured (default) - The setting returns to the Windows default, which is
off.
User defined
Enable - Attempts to steal credentials via lsass.exe are blocked.
Audit mode - Users aren't blocked from dangerous domains and Windows
events are raised instead.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.

Block Adobe Reader from creating child processes

Reduce attack surfaces with attack surface reduction rules

This ASR rule is controlled via the following GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Not configured (default) - The Windows default is restored, which is to not block
creation of child processes.
User defined
Enable - Adobe Reader is blocked from creating child processes.
Audit mode - Windows events are raised instead of blocking child processes.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.

Block Office applications from injecting code into other processes

Protect devices from exploits

This ASR rule is controlled via the following GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Not configured (default) - The setting returns to the Windows default, which is
off.
Block - Office applications are blocked from injecting code into other processes.
Audit mode - Windows events are raised instead of blocking.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.
Disable - This setting is turned off.

Block Office applications from creating executable content

Protect devices from exploits

This ASR rule is controlled via the following GUID: 3B576869-A4EC-4529-8536-B80A7769E899
Not configured (default) - The setting returns to the Windows default, which is
off.
Block - Office applications are blocked from creating executable content.
Audit mode - Windows events are raised instead of blocking.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.
Disable - This setting is turned off.

Block all Office applications from creating child processes

Protect devices from exploits

This ASR rule is controlled via the following GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Not configured (default) - The setting returns to the Windows default, which is
off.
Block - Office applications are blocked from creating child processes.
Audit mode - Windows events are raised instead of blocking.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.
Disable - This setting is turned off.

Block Win32 API calls from Office macro

Protect devices from exploits

This ASR rule is controlled via the following GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Not configured (default) - The setting returns to the Windows default, which is
off.
Block - Office macros are blocked from using Win32 API calls.
Audit mode - Windows events are raised instead of blocking.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.
Disable - This setting is turned off.

Block Office communication apps from creating child processes

Protect devices from exploits

This ASR rule is controlled via the following GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
Not configured (default) - The Windows default is restored, which is to not
block creation of child processes.
User defined
Enable - Office communication applications are blocked from creating child
processes.
Audit mode - Windows events are raised instead of blocking child processes.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.

Block execution of potentially obfuscated scripts (js/vbs/ps)

Protect devices from exploits

This ASR rule is controlled via the following GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Not configured (default) - The setting returns to the Windows default, which is
off.
Block - Defender blocks execution of obfuscated scripts.
Audit mode - Windows events are raised instead of blocking.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.
Disable - This setting is turned off.

Block JavaScript or VBScript from launching downloaded executable content

Protect devices from exploits

This ASR rule is controlled via the following GUID: D3E037E1-3EB8-44C8-A917-57927947596D
Not configured (default) - The setting returns to the Windows default, which is
off.
Block - Defender blocks JavaScript or VBScript files that have been downloaded
from the Internet from being executed.
Audit mode - Windows events are raised instead of blocking.
Disable - This setting is turned off.

Block process creations originating from PSExec and WMI commands

Protect devices from exploits

This ASR rule is controlled via the following GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
Not configured (default) - The setting returns to the Windows default, which is
off.
Block - Process creation by PSExec or WMI commands is blocked.
Audit mode - Windows events are raised instead of blocking.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.
Disable - This setting is turned off.

Block untrusted and unsigned processes that run from USB

Protect devices from exploits

This ASR rule is controlled via the following GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Not configured (default) - The setting returns to the Windows default, which is
off.
Block - Untrusted and unsigned processes that run from a USB drive are
blocked.
Audit mode - Windows events are raised instead of blocking.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.
Disable - This setting is turned off.

Block executable files from running unless they meet a prevalence, age, or
trusted list criteria

Protect devices from exploits

This ASR rule is controlled via the following GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25e
Not configured (default) - The setting returns to the Windows default, which is
off.
Block
Audit mode - Windows events are raised instead of blocking.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.
Disable - This setting is turned off.

Block executable content download from email and webmail clients

Protect devices from exploits


Not configured (default) - The setting returns to the Windows default, which is
off.
Block - Executable content downloaded from email and webmail clients is
blocked.
Audit mode - Windows events are raised instead of blocking.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.
Disable - This setting is turned off.

Use advanced protection against ransomware

Protect devices from exploits

This ASR rule is controlled via the following GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
Not configured (default) - The setting returns to the Windows default, which is
off.
User defined
Enable
Audit mode - Windows events are raised instead of blocking.
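
As an added example that is not part of the Intune documentation, this PowerShell reads a device's effective ASR configuration with Get-MpPreference and compares it with the rules above, using the GUIDs stated on this page, so you can confirm the profile actually applied in the intended mode; it then lists recent rule hits from the Defender operational log. Run it in an elevated session on a managed device.

```powershell
# Added example (not from the Intune docs): report the enforcement state of the
# ASR rules documented above and show recent rule hits. GUIDs are taken from this
# page; the rule names are abbreviated versions of the setting names above.
$asrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office apps from injecting code into other processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office apps from creating executable content'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office apps from creating child processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication apps from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript/VBScript from launching downloaded executables'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Action codes reported by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

# The two properties are parallel arrays; build a GUID -> action lookup.
$configured = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    $configured[$ids[$i].ToLower()] = [int]$actions[$i]
}

$report = foreach ($guid in $asrRules.Keys) {
    $state = 'Not configured'
    if ($configured.ContainsKey($guid)) {
        $code  = $configured[$guid]
        $state = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown ($code)" }
    }
    [pscustomobject]@{ State = $state; Rule = $asrRules[$guid]; Guid = $guid }
}
$report | Sort-Object State, Rule | Format-Table -AutoSize

# Anything not in Block is a gap relative to a profile whose intent is Block.
$gaps = @($report | Where-Object { $_.State -ne 'Block' })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) of $($asrRules.Count) rules are not enforcing (Audit, Warn, Disabled or Not configured)."
}

# Defender logs each rule hit: event 1121 = blocked, 1122 = audit-only (would have blocked).
# The message text names the rule GUID and the process that triggered it.
$hits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$hits | Select-Object TimeCreated,
    @{ Name = 'Mode'; Expression = { if ($_.Id -eq 1121) { 'Blocked' } else { 'Audit' } } },
    Message |
    Format-List
```

Hits reported as Audit for a rule whose state is Block indicate the rule was still in audit when the event fired, which is the usual picture while a new Block assignment is rolling out.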

Enable folder protection

CSP: EnableControlledFolderAccess
Not configured (default) - This setting returns to its default, which is that no
reads or writes are blocked.
Enable - For untrusted apps, Defender blocks attempts to modify or delete files
in protected folders, or write to disk sectors. Defender automatically determines
which applications can be trusted. Alternatively, you can define your own list of
trusted applications.
Audit mode - Windows events are raised when untrusted applications access
controlled folders, but no blocks are enforced.
Block disk modification - Only attempts to write to disk sectors are blocked.
Audit disk modification - Windows events are raised instead of blocking
attempts to write to disk sectors.

List of additional folders that need to be protected

CSP: ControlledFolderAccessProtectedFolders

Define a list of disk locations that will be protected from untrusted applications.

List of apps that have access to protected folders

CSP: ControlledFolderAccessAllowedApplications

Define a list of apps that have access to read/write to controlled locations.

Exclude files and paths from attack surface reduction rules

CSP: AttackSurfaceReductionOnlyExclusions

Expand the dropdown and then select Add to define a Path to a file or folder to
exclude from your attack surface reduction rules.

Device control profile

Device Control

Note

This section details the settings found in Device control profiles created before May
23, 2022. Profiles created after that date use a new settings format as found in the
Settings Catalog. Although you can no longer create new instances of the original
profile, you can continue to edit and use your existing profiles.

For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the settings authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
settings information text, you can use its Learn more link to open that content.

Allow hardware device installation by device identifiers


Not configured (default)
Yes - Windows can install or update any device whose Plug and Play hardware
ID or compatible ID appears in the list you create unless another policy setting
specifically prevents that installation. If you enable this policy setting on a
remote desktop server, the policy setting affects redirection of the specified
devices from a remote desktop client to the remote desktop server.
No

When set to Yes you can configure the following options:


Allow list - Use Add, Import, and Export to manage a list of device identifiers.

Block hardware device installation by device identifiers

CSP: AllowInstallationOfMatchingDeviceIDs
Not configured (default)
Yes - Specify a list of Plug and Play hardware IDs and compatible IDs for devices
that Windows is prevented from installing. This policy takes precedence over
any other policy setting that allows Windows to install a device. If you enable
this policy setting on a remote desktop server, the policy setting affects
redirection of the specified devices from a remote desktop client to the remote
desktop server.
No

When set to Yes you can configure the following options:

Remove matching hardware devices


Yes
Not configured (default)

Block list - Use Add, Import, and Export to manage a list of device identifiers.

Allow hardware device installation by setup class


Not configured (default)
Yes - Windows can install or update device drivers whose device setup class
GUIDs appear in the list you create unless another policy setting specifically
prevents that installation. If you enable this policy setting on a remote desktop
server, the policy setting affects redirection of the specified devices from a
remote desktop client to the remote desktop server.
No

When set to Yes you can configure the following options:


Allow list - Use Add, Import, and Export to manage a list of device identifiers.

Block hardware device installation by setup classes

CSP: AllowInstallationOfMatchingDeviceSetupClasses
Not configured (default)
Yes - Specify a list of device setup class globally unique identifiers (GUIDs) for
device drivers that Windows is prevented from installing. This policy setting
takes precedence over any other policy setting that allows Windows to install a
device. If you enable this policy setting on a remote desktop server, the policy
setting affects redirection of the specified devices from a remote desktop client
to the remote desktop server.
No

When set to Yes you can configure the following options:

Remove matching hardware devices


Yes
Not configured (default)

Block list - Use Add, Import, and Export to manage a list of device identifiers.

Allow hardware device installation by device instance identifiers


Not configured (default)
Yes - Windows is allowed to install or update any device whose Plug and Play
device instance ID appears in the list you create unless another policy setting
specifically prevents that installation. If you enable this policy setting on a
remote desktop server, the policy setting affects redirection of the specified
devices from a remote desktop client to the remote desktop server.
No

When set to Yes you can configure the following options:


Allow list - Use Add, Import, and Export to manage a list of device identifiers.

Block hardware device installation by device instance identifiers

If you enable this policy setting on a remote desktop server, the policy setting
affects redirection of the specified devices from a remote desktop client to the
remote desktop server.
Not configured (default)
Yes - Specify a list of Plug and Play hardware IDs and compatible IDs for devices
that Windows is prevented from installing. This policy takes precedence over
any other policy setting that allows Windows to install a device. If you enable
this policy setting on a remote desktop server, the policy setting affects
redirection of the specified devices from a remote desktop client to the remote
desktop server.
No

When set to Yes you can configure the following options:

Remove matching hardware devices


Yes
Not configured (default)

Block list - Use Add, Import, and Export to manage a list of device identifiers.

Block write access to removable storage

CSP: RemovableDiskDenyWriteAccess
Not configured (default)
Yes - Write access is denied to removable storage.
No - Write access is allowed.

Scan removable drives during full scan

CSP: Defender/AllowFullScanRemovableDriveScanning
Not configured (default) - The setting returns to client default, which scans
removable drives, however the user can disable this scan.
Yes - During a full scan, removable drives (like USB flash drives) are scanned.

Block direct memory access

CSP: DataProtection/AllowDirectMemoryAccess

This policy setting is only enforced when BitLocker or device encryption is enabled.
Not configured (default)
Yes - block direct memory access (DMA) for all hot pluggable PCI downstream
ports until a user logs into Windows. After a user logs in, Windows enumerates
the PCI devices connected to the host plug PCI ports. Every time the user locks
the machine, DMA is blocked on hot plug PCI ports with no children devices
until the user logs in again. Devices that were already enumerated when the
machine was unlocked will continue to function until unplugged.

Enumeration of external devices incompatible with Kernel DMA Protection

CSP: DmaGuard/DeviceEnumerationPolicy

This policy can provide additional security against external DMA capable devices. It
allows for more control over the enumeration of external DMA capable devices
incompatible with DMA Remapping/device memory isolation and sandboxing.

This policy only takes effect when Kernel DMA Protection is supported and
enabled by the system firmware. Kernel DMA Protection is a platform feature that
must be supported by the system at the time of manufacturing. To check if the
system supports Kernel DMA Protection, check the Kernel DMA Protection field in
the Summary page of MSINFO32.exe.
Not configured (default)
Block all
Allow all

Block bluetooth connections

CSP: Bluetooth/AllowDiscoverableMode
Not configured (default)
Yes - Block bluetooth connections to and from the device.

Block bluetooth discoverability

CSP: Bluetooth/AllowDiscoverableMode
Not configured (default)
Yes - Prevents the device from being discoverable by other Bluetooth-enabled
devices.

Block bluetooth pre-pairing

CSP: Bluetooth/AllowPrepairing
Not configured (default)
Yes - Prevents specific Bluetooth devices from automatically pairing with the
host device.

Block bluetooth advertising

CSP: Bluetooth/AllowAdvertising
Not configured (default)
Yes - Prevents the device from sending out Bluetooth advertisements.

Block bluetooth proximal connections

CSP: Bluetooth/AllowPromptedProximalConnections
Block users from using Swift Pair and other proximity-based scenarios.
Not configured (default)
Yes - Prevents a device user from using Swift Pair and other proximity-based
scenarios.

Bluetooth/AllowPromptedProximalConnections CSP

Bluetooth allowed services

CSP: Bluetooth/ServicesAllowedList

For more information on the service list, see ServicesAllowedList usage guide.
Add - Specify allowed Bluetooth services and profiles as hex strings, such as
{782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF} .

Import - Import a .csv file that contains a list of Bluetooth services and profiles,
as hex strings, such as {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.

Removable storage

CSP: Storage/RemovableDiskDenyWriteAccess
Block (default) - Prevent users from using external storage devices, like SD cards
with the device.
Not configured

USB connections (HoloLens only)

CSP: Connectivity/AllowUSBConnection
Block - Prevent use of a USB connection between the device and a computer to
sync files, or to use developer tools to deploy or debug applications. USB
charging isn't affected.
Not configured (default)

Exploit protection profile

Exploit protection

Note

This section details the settings you can find in Exploit protection profiles created
before April 5, 2022. Profiles created after that date use a new settings format as
found in the Settings Catalog. With this change you can no longer create new
versions of the old profile and they are no longer being developed. Although you
can no longer create new instances of the older profile, you can continue to edit
and use instances of it that you previously created.

For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the settings authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
settings information text, you can use its Learn more link to open that content.

Upload XML

CSP: ExploitProtectionSettings

Enables the IT admin to push out a configuration representing the desired system
and application mitigation options to all the devices in the organization. The
configuration is represented by an XML file. Exploit protection can help protect
devices from malware that use exploits to spread and infect. You use the Windows
Security app or PowerShell to create a set of mitigations (known as a
configuration). You can then export this configuration as an XML file and share it
with multiple machines on your network so they all have the same set of mitigation
settings. You can also convert and import an existing EMET configuration XML file
into an exploit protection configuration XML.

Choose Select XML File, specify the XML file to upload, and then click Select.
Not configured (default)
Yes

Block users from editing the Exploit Guard protection interface

CSP: DisallowExploitProtectionOverride
Not configured (default) - Local users can make changes in the exploit
protection settings area.
Yes - Prevent users from making changes to the exploit protection settings area
in the Microsoft Defender Security Center.

Web protection (Microsoft Edge Legacy) profile

Web Protection (Microsoft Edge Legacy)

Enable network protection

CSP: EnableNetworkProtection
Not configured (default) - The setting returns to the Windows default, which is
disabled.
User defined
Enable - Network protection is enabled for all users on the system.
Audit mode - Users aren't blocked from dangerous domains and Windows
events are raised instead.

Require SmartScreen for Microsoft Edge

CSP: Browser/AllowSmartScreen
Yes - Use SmartScreen to protect users from potential phishing scams and
malicious software.
Not configured (default)

Block malicious site access

CSP: Browser/PreventSmartScreenPromptOverride
Yes - Block users from ignoring the Microsoft Defender SmartScreen Filter
warnings and block them from going to the site.
Not configured (default)

Block unverified file download

CSP: Browser/PreventSmartScreenPromptOverrideForFiles
Yes - Block users from ignoring the Microsoft Defender SmartScreen Filter
warnings and block them from downloading unverified files.
Not configured (default)

Attack surface reduction (ConfigMgr)

Exploit Protection (ConfigMgr)(Preview) profile

Exploit Protection

Upload XML

CSP: ExploitProtectionSettings

Enables the IT admin to push out a configuration representing the desired system
and application mitigation options to all the devices in the organization. The
configuration is represented by an XML file. Exploit protection can help protect
devices from malware that use exploits to spread and infect. You use the Windows
Security app or PowerShell to create a set of mitigations (known as a
configuration). You can then export this configuration as an XML file and share it
with multiple machines on your network so they all have the same set of mitigation
settings. You can also convert and import an existing EMET configuration XML file
into an exploit protection configuration XML.

Choose Select XML File, specify the XML file to upload, and then click Select.
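
The authoring workflow described under both Upload XML settings (the Exploit protection profile above and this ConfigMgr profile), as an added PowerShell example that is not part of the Intune documentation: mitigations are set with the ProcessMitigations module, exported to the XML the setting consumes, and reviewed before distribution. The working directory, EMET file and executable name are placeholders.

```powershell
# Added example (not from the Intune docs): build an exploit protection
# configuration, export it to XML for the "Upload XML" setting, and inspect it.
Import-Module ProcessMitigations

$workDir = 'C:\Temp\ExploitProtection'            # placeholder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Optional: convert a legacy EMET export into the exploit protection XML format.
$emetXml = Join-Path $workDir 'emet-legacy.xml'    # placeholder; only used if present
if (Test-Path $emetXml) {
    ConvertTo-ProcessMitigationPolicy -EMETFilePath $emetXml `
        -OutputFilePath (Join-Path $workDir 'emet-converted.xml')
}

# System-wide defaults, inherited by every process unless overridden per app.
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy

# Per-application mitigations for a 32-bit document reader (placeholder name).
# EAF and the ROP checks only apply to 32-bit processes; test on a pilot group,
# because they can break plug-ins that the reader loads.
$readerMitigations = @(
    'DEP', 'SEHOP', 'CFG', 'BottomUp', 'HighEntropy',
    'DisableExtensionPoints', 'BlockRemoteImageLoads', 'BlockLowLabelImageLoads',
    'EnableExportAddressFilter', 'EnableRopStackPivot', 'EnableRopCallerCheck', 'EnableRopSimExec'
)
Set-ProcessMitigation -Name 'AcroRd32.exe' -Enable $readerMitigations

# Export the registry-backed configuration of this machine to the XML the
# Intune setting uploads.
$policyXml = Join-Path $workDir 'exploit-protection.xml'
Get-ProcessMitigation -RegistryConfigFilePath $policyXml

# Review what will ship: one AppConfig element per executable plus SystemConfig.
[xml]$doc = Get-Content -Path $policyXml
Write-Host 'Applications with per-app mitigations:'
$doc.MitigationPolicy.AppConfig | ForEach-Object { "  $($_.Executable)" }

# Pilot on a single device before assigning the profile; this applies the XML locally:
#   Set-ProcessMitigation -PolicyFilePath $policyXml
# Mitigation triggers on that device are logged here:
#   Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 20
```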

Disallow Exploit Protection Override

CSP: DisallowExploitProtectionOverride
Not configured (default)
(Disable) Local users are allowed to make changes in the exploit protection
settings area.
(Enable) Local users cannot make changes to the exploit protection settings
area.

Web Protection (ConfigMgr)(Preview) profile

Web Protection

Enable Network Protection (Device)

CSP: EnableNetworkProtection
Not configured (default)
Disabled
Enabled (block mode)
Enabled (audit mode)

Allow Smart Screen (Device)

CSP: Browser/AllowSmartScreen
Not configured (default)
Block
Allow

Prevent Smart Screen Prompt Override For Files (Device)

CSP: Browser/PreventSmartScreenPromptOverride
Not configured (default)
Disabled
Enabled

Prevent Smart Screen Prompt Override (Device)

CSP: Browser/PreventSmartScreenPromptOverrideForFiles
Not configured (default)
Disabled
Enabled

Next steps
Endpoint security policy for ASR

Account protection policy settings for endpoint security in Intune

Article • 02/23/2023

View the settings you can configure in profiles for Account protection policy in the
endpoint security node of Intune as part of an Endpoint security policy.

The settings in this article apply to:

Windows 10
Windows 11

Supported platforms and profiles:

Windows 10 and later:


Profile: Account protection (Preview)

Account protection profile

Account protection

Block Windows Hello for Business

Windows Hello for Business is an alternative method for signing into Windows by
replacing passwords, Smart Cards, and Virtual Smart Cards.
Not configured (default) - Devices provision Windows Hello for Business.
Disabled - Devices provision Windows Hello for Business.
Enabled - Devices don't provision Windows Hello for Business for any user.

Important

Due to how Intune determines the scope and applicability of Windows Hello for
Business policy, the device may log Event ID 454 as a result of applying policy. This
can be safely ignored when policy is being successfully applied (and enforced).

Enable to use security keys for sign-in

Enable Windows Hello security key as a sign-in credential for all PCs in the tenant.
Not configured (default)
Yes

Turn on credential guard

CSP: DeviceGuard

Credential Guard uses Windows Hypervisor to provide protections. Credential
Guard requires hardware support for Secure Boot and DMA protections. This
setting is only successful on devices that meet the hardware requirements.
Not configured (default) - Disable the use of Credential Guard, which is the
Windows default.
Enable with UEFI lock - Enable Credential Guard and block it from being turned
off remotely, as the UEFI persisted configuration must be manually cleared.
Enable without UEFI lock - Enable Credential Guard and allow it to be turned
off without physical access to the machine.
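
Because this setting silently has no effect on devices that lack the VBS prerequisites, a practitioner wants to confirm the result on the endpoint. The following PowerShell, an added example that is not part of the Intune documentation, reads the Win32_DeviceGuard class to report whether Credential Guard is configured and actually running and which prerequisites the platform offers, and reads the LsaCfgFlags value to distinguish the UEFI lock variants.

```powershell
# Added example (not from the Intune docs): verify Credential Guard state on a
# device after the "Turn on credential guard" setting is assigned.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Codes from the Win32_DeviceGuard class:
#   AvailableSecurityProperties / RequiredSecurityProperties:
#     1 = base VBS support, 2 = Secure Boot, 3 = DMA protection
#   SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
#   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
$vbsNames = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }

$available  = [int[]]$dg.AvailableSecurityProperties
$configured = [int[]]$dg.SecurityServicesConfigured
$running    = [int[]]$dg.SecurityServicesRunning

# LsaCfgFlags is where the Credential Guard switch lands on the device:
# 1 = enabled with UEFI lock, 2 = enabled without UEFI lock, 0/absent = disabled.
$lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
$lockNames = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without UEFI lock' }

$result = [pscustomobject]@{
    VbsStatus                 = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]
    SecureBootAvailable       = $available -contains 2
    DmaProtectionAvailable    = $available -contains 3
    CredentialGuardConfigured = $configured -contains 1
    CredentialGuardRunning    = $running -contains 1
    LsaCfgFlags               = if ($null -eq $lsaCfg) { 'not set' } else { $lockNames[[int]$lsaCfg] }
}
$result | Format-List

if ($result.CredentialGuardConfigured -and -not $result.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running: check Secure Boot, DMA protection and whether a restart is still pending.'
}
```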

Next steps
Endpoint security policy for Account protection

List of the settings in the Windows 10/11 MDM security baseline in Intune

Article • 02/23/2023

This article is a reference for the settings that are available in the different versions of
the Windows 10/11 MDM security baseline that you can deploy with Microsoft Intune.
You can use the tabs below to select and view the settings in the current baseline
version and a few older versions that might still be in use.

For each setting you'll find the baseline's default configuration, which is also the
recommended configuration for that setting provided by the relevant security team.
Because products and the security landscape evolve, the recommended defaults in one
baseline version might not match the defaults you find in later versions of the same
baseline. Different baseline types, like the MDM security and the Defender for Endpoint
baselines, could also set different defaults.

When the Intune UI includes a Learn more link for a setting, you'll find that here as well.
Use that link to view the setting's policy configuration service provider (CSP) or relevant
content that explains the setting's operation.

When a new version of a baseline becomes available, it replaces the previous version.
Profile instances that you've created prior to the availability of a new version:

Become read-only. You can continue to use those profiles but can't edit them to
change their configuration.
Can be updated to the latest version. After you update a profile to the current
baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see Use security baselines. In that article
you'll also find information about how to:

Change the baseline version for a profile to update a profile to use the latest
version of that baseline.

Security Baseline for Windows 10/11 for November 2021

Above Lock
Voice activate apps from locked screen:

Baseline default: Disabled

Learn more

Block display of toast notifications:

Baseline default: Yes

Learn more

App Runtime
Microsoft accounts optional for Microsoft store apps:

Baseline default: Enabled

Learn more

Application Management
Block app installations with elevated privileges:

Baseline default: Yes

Learn more

Block user control over installations:

Baseline default: Yes

Learn more

Block game DVR (desktop only):

Baseline default: Yes

Learn more

Audit
Audit settings configure the events that are generated for the conditions of the setting.

Account Logon Audit Credential Validation (Device):

Baseline default: Success and Failure

Account Logon Audit Kerberos Authentication Service (Device):

Baseline default: None

Account Logon Logoff Audit Account Lockout (Device):

Baseline default: Failure

Account Logon Logoff Audit Group Membership (Device):

Baseline default: Success

Account Logon Logoff Audit Logon (Device):

Baseline default: Success and Failure

Audit Other Logon Logoff Events (Device):

Baseline default: Success and Failure

Audit Special Logon (Device):

Baseline default: Success

Audit Security Group Management (Device):

Baseline default: Success

Audit User Account Management (Device):

Baseline default: Success and Failure

Detailed Tracking Audit PNP Activity (Device):

Baseline default: Success

Detailed Tracking Audit Process Creation (Device):

Baseline default: Success

Object Access Audit Detailed File Share (Device):

Baseline default: Failure

Audit File Share Access (Device):

Baseline default: Success and Failure

Object Access Audit Other Object Access Events (Device):

Baseline default: Success and Failure

Object Access Audit Removable Storage (Device):

Baseline default: Success and Failure

Audit Authentication Policy Change (Device):

Baseline default: Success

Policy Change Audit MPSSVC Rule Level Policy Change (Device):

Baseline default: Success and Failure

Policy Change Audit Other Policy Change Events (Device):

Baseline default: Failure

Audit Changes to Audit Policy (Device):

Baseline default: Success

Privilege Use Audit Sensitive Privilege Use (Device):

Baseline default: Success and Failure

System Audit Other System Events (Device):

Baseline default: Success and Failure

System Audit Security State Change (Device):

Baseline default: Success

Audit Security System Extension (Device):

Baseline default: Success

System Audit System Integrity (Device):

Baseline default: Success and Failure

Auto Play
Auto play default auto run behavior:

Baseline default: Do not execute

Learn more

Auto play mode:

Baseline default: Disabled

Learn more

Block auto play for non-volume devices:

Baseline default: Enabled

Learn more

BitLocker
BitLocker removable drive policy:

Baseline default: Configure

Learn more

Block write access to removable data-drives not protected by BitLocker:

Baseline default: Yes

Learn more

Browser
Block Password Manager:

Baseline default: Yes

Learn more

Require SmartScreen for Microsoft Edge Legacy:

Baseline default: Yes

Learn more

Block malicious site access:

Baseline default: Yes

Learn more

Block unverified file download:

Baseline default: Yes

Learn more

Prevent user from overriding certificate errors:

Baseline default: Yes

Learn more

Connectivity
Configure secure access to UNC paths:

Baseline default: Configure Windows to only allow access to the specified UNC paths
after fulfilling additional security requirements

Learn more

Hardened UNC path list:

Baseline default: Not configured by default. Manually add one or more hardened
UNC paths.

Block downloading of print drivers over HTTP:

Baseline default: Enabled

Learn more

Block Internet download for web publishing and online ordering wizards:

Baseline default: Enabled

Learn more

Credentials Delegation
Remote host delegation of non-exportable credentials:

Baseline default: Enabled

Learn more

Credentials UI
Enumerate administrators:

Baseline default: Disabled

Learn more

Data Protection
Block direct memory access:

Baseline default: Yes

Learn more

Device Guard
Virtualization based security:

Baseline default: Enable VBS with secure boot

Enable virtualization based security:

Baseline default: Yes

Learn more

Launch system guard:

Baseline default: Enabled

Turn on credential guard:

Baseline default: Enable with UEFI lock

Learn more

Device Installation
Block hardware device installation by setup classes:

Baseline default: Yes

Learn more

Remove matching hardware devices:

Baseline default: Yes

Block list:

Baseline default: Not configured by default. Manually add one or more Identifiers.

Device Lock
Require password:

Baseline default: Yes

Learn more

Required password:

Baseline default: Alphanumeric

Learn more

Password expiration (days):

Baseline default: 60

Learn more

Password minimum character set count:

Baseline default: 3

Learn more

Prevent reuse of previous passwords:

Baseline default: 24

Learn more

Minimum password length:

Baseline default: 8

Learn more

Number of sign-in failures before wiping device:

Baseline default: 10

Learn more

Block simple passwords:

Baseline default: Yes

Learn more

Password minimum age in days:

Baseline default: 1

Learn more

Prevent use of camera:

Baseline default: Enabled

Learn more

Prevent slide show:

Baseline default: Enabled

Learn more

DMA Guard
Enumeration of external devices incompatible with Kernel DMA Protection:

Baseline default: Block all

Event Log Service
Application log maximum file size in KB:

Baseline default: 32768

Learn more

System log maximum file size in KB:

Baseline default: 32768

Learn more

Security log maximum file size in KB:

Baseline default: 196608

Learn more

Experience
Block Windows Spotlight:

Baseline default: Yes

Learn more

Block third-party suggestions in Windows Spotlight:

Baseline default: Not configured

Learn more

Block consumer specific features:

Baseline default: Not configured

Learn more

File Explorer
Block data execution prevention:

Baseline default: Disabled

Learn more

Block heap termination on corruption:

Baseline default: Disabled

Learn more

Firewall
For more information, see 2.2.2 FW_PROFILE_TYPE in the Windows Protocols
documentation.

Firewall profile domain:

Baseline default: Configure

Learn more

Inbound connections blocked:

Baseline default: Yes

Learn more

Outbound connections required:

Baseline default: Yes

Learn more

Inbound notifications blocked:

Baseline default: Yes

Learn more

Firewall enabled:

Baseline default: Allowed

Learn more

Firewall profile private:

Baseline default: Configure

Learn more

Inbound connections blocked:

Baseline default: Yes

Learn more

Outbound connections required:

Baseline default: Yes

Learn more

Inbound notifications blocked:

Baseline default: Yes

Learn more

Firewall enabled:

Baseline default: Allowed

Learn more

Firewall profile public:

Baseline default: Configure

Learn more

Inbound connections blocked:

Baseline default: Yes

Learn more

Outbound connections required:

Baseline default: Yes

Learn more

Inbound notifications blocked:

Baseline default: Yes

Learn more

Firewall enabled:

Baseline default: Allowed

Learn more

Connection security rules from group policy not merged:

Baseline default: Yes

Learn more

Policy rules from group policy not merged:

Baseline default: Yes

Learn more

Internet Explorer
Internet Explorer encryption support:

Baseline default: Two items: TLS v1.1 and TLS v1.2

Learn more

Internet Explorer prevent managing smart screen filter:

Baseline default: Enable

Learn more

Internet Explorer restricted zone script Active X controls marked safe for
scripting:

Baseline default: Disable

Learn more

Internet Explorer restricted zone file downloads:

Baseline default: Disable

Learn more

Internet Explorer certificate address mismatch warning:

Baseline default: Enabled

Learn more

Internet Explorer enhanced protected mode:

Baseline default: Enabled

Learn more

Internet Explorer fallback to SSL3:

Baseline default: No sites

Learn more

Internet Explorer software when signature is invalid:

Baseline default: Disabled

Learn more

Internet Explorer check server certificate revocation:

Baseline default: Enabled

Learn more

Internet Explorer check signatures on downloaded programs:

Baseline default: Enabled

Learn more

Internet Explorer processes consistent MIME handling:

Baseline default: Enable

Learn more

Internet Explorer bypass smart screen warnings:

Baseline default: Disabled

Learn more

Internet Explorer bypass smart screen warnings about uncommon files:

Baseline default: Disable

Learn more

Internet Explorer crash detection:

Baseline default: Disabled

Learn more

Internet Explorer download enclosures:

Baseline default: Disabled

Learn more

Internet Explorer ignore certificate errors:

Baseline default: Disabled

Learn more

Internet Explorer disable processes in enhanced protected mode:

Baseline default: Enabled

Learn more

Internet Explorer security settings check:

Baseline default: Enabled

Learn more

Internet Explorer Active X controls in protected mode:

Baseline default: Disabled

Learn more

Internet Explorer users adding sites:

Baseline default: Disabled

Learn more

Internet Explorer users changing policies:

Baseline default: Disabled

Learn more

Internet Explorer block outdated Active X controls:

Baseline default: Enabled

Learn more

Internet Explorer include all network paths:

Baseline default: Disabled

Learn more

Internet Explorer internet zone access to data sources:

Baseline default: Disabled

Learn more

Internet Explorer internet zone automatic prompt for file downloads:

Baseline default: Disabled

Learn more

Internet Explorer internet zone copy and paste via script:

Baseline default: Disable

Learn more

Internet Explorer internet zone drag and drop or copy and paste files:

Baseline default: Disabled

Learn more

Internet Explorer internet zone less privileged sites:

Baseline default: Disable

Learn more

Internet Explorer internet zone loading of XAML files:

Baseline default: Disable

Learn more

Internet Explorer internet zone .NET Framework reliant components:

Baseline default: Disabled

Learn more

Internet Explorer internet zone allow only approved domains to use ActiveX
controls:

Baseline default: Enabled

Learn more

Internet Explorer internet zone allow only approved domains to use tdc ActiveX
controls:

Baseline default: Enabled

Learn more

Internet Explorer internet zone scripting of web browser controls:

Baseline default: Disabled

Learn more

Internet Explorer internet zone script initiated windows:

Baseline default: Disabled

Learn more

Internet Explorer internet zone scriptlets:

Baseline default: Disable

Learn more

Internet Explorer internet zone smart screen:

Baseline default: Enabled

Learn more

Internet Explorer internet zone updates to status bar via script:

Baseline default: Disabled

Learn more

Internet Explorer internet zone user data persistence:

Baseline default: Disabled

Learn more

Internet Explorer internet zone allow VBscript to run:

Baseline default: Disable

Learn more

Internet Explorer internet zone do not run antimalware against ActiveX controls:

Baseline default: Disabled

Learn more

Internet Explorer internet zone download signed ActiveX controls:

Baseline default: Disable

Learn more

Internet Explorer internet zone download unsigned ActiveX controls:

Baseline default: Disable

Learn more

Internet Explorer internet zone cross site scripting filter:

Baseline default: Enabled

Learn more

Internet Explorer internet zone drag content from different domains across
windows:

Baseline default: Disabled

Learn more

Internet Explorer internet zone drag content from different domains within
windows:

Baseline default: Disabled

Learn more

Internet Explorer internet zone protected mode:

Baseline default: Enable

Learn more

Internet Explorer internet zone include local path when uploading files to server:

Baseline default: Disabled

Learn more

Internet Explorer internet zone initialize and script Active X controls not marked
as safe:

Baseline default: Disable

Learn more

Internet Explorer internet zone java permissions:

Baseline default: Disable java

Learn more

Internet Explorer internet zone launch applications and files in an iframe:

Baseline default: Disable

Learn more

Internet Explorer internet zone logon options:

Baseline default: Prompt

Learn more

Internet Explorer internet zone navigate windows and frames across different
domains:

Baseline default: Disable

Learn more

Internet Explorer internet zone run .NET Framework reliant components signed
with Authenticode:

Baseline default: Disable

Learn more

Internet Explorer internet zone security warning for potentially unsafe files:

Baseline default: Prompt

Learn more

Internet Explorer internet zone popup blocker:

Baseline default: Enable

Learn more

Internet Explorer intranet zone do not run antimalware against Active X controls:

Baseline default: Disabled

Learn more

Internet Explorer intranet zone initialize and script Active X controls not marked
as safe:

Baseline default: Disable

Learn more

Internet Explorer intranet zone java permissions:

Baseline default: High safety

Learn more

Internet Explorer local machine zone do not run antimalware against Active X
controls:

Baseline default: Disabled

Learn more

Internet Explorer local machine zone java permissions:

Baseline default: Disable java

Learn more

Internet Explorer locked down internet zone smart screen:

Baseline default: Enabled

Learn more

Internet Explorer locked down intranet zone java permissions:

Baseline default: Disable java

Learn more

Internet Explorer locked down local machine zone java permissions:

Baseline default: Disable java

Learn more

Internet Explorer locked down restricted zone smart screen:

Baseline default: Enabled

Learn more

Internet Explorer locked down restricted zone java permissions:

Baseline default: Disable Java

Learn more

Internet Explorer locked down trusted zone java permissions:

Baseline default: Disable java

Learn more

Internet Explorer processes MIME sniffing safety feature:

Baseline default: Enable

Learn more

Internet Explorer processes MK protocol security restriction:

Baseline default: Enabled

Learn more

Internet Explorer processes notification bar:

Baseline default: Enabled

Learn more

Internet Explorer prevent per user installation of Active X controls:

Baseline default: Enabled

Learn more

Internet Explorer processes protection from zone elevation:

Baseline default: Enabled

Learn more

Internet Explorer remove run this time button for outdated Active X controls:

Baseline default: Enabled

Learn more

Internet Explorer processes restrict Active X install:

Baseline default: Enabled

Learn more

Internet Explorer restricted zone access to data sources:

Baseline default: Disable

Learn more

Internet Explorer restricted zone active scripting:

Baseline default: Disable

Learn more

Internet Explorer restricted zone automatic prompt for file downloads:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone binary and script behaviors:

Baseline default: Disable

Learn more

Internet Explorer restricted zone copy and paste via script:

Baseline default: Disable

Learn more

Internet Explorer restricted zone drag and drop or copy and paste files:

Baseline default: Disable

Learn more

Internet Explorer restricted zone less privileged sites:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone loading of XAML files:

Baseline default: Disable

Learn more

Internet Explorer restricted zone meta refresh:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone .NET Framework reliant components:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone allow only approved domains to use Active X
controls:

Baseline default: Enabled

Learn more

Internet Explorer restricted zone allow only approved domains to use tdc Active
X controls:

Baseline default: Enabled

Learn more

Internet Explorer restricted zone scripting of web browser controls:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone script initiated windows:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone scriptlets:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone smart screen:

Baseline default: Enabled

Learn more

Internet Explorer restricted zone updates to status bar via script:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone user data persistence:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone allow vbscript to run:

Baseline default: Disable

Learn more

Internet Explorer restricted zone do not run antimalware against Active X
controls:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone download signed Active X controls:

Baseline default: Disable

Learn more

Internet Explorer restricted zone download unsigned Active X controls:

Baseline default: Disable

Learn more

Internet Explorer restricted zone cross site scripting filter:

Baseline default: Enabled

Learn more

Internet Explorer restricted zone drag content from different domains across
windows:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone drag content from different domains within
windows:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone include local path when uploading files to
server:

Baseline default: Disabled

Learn more

Internet Explorer restricted zone initialize and script Active X controls not
marked as safe:

Baseline default: Disable

Learn more

Internet Explorer restricted zone java permissions:

Baseline default: Disable java

Learn more

Internet Explorer restricted zone launch applications and files in an iFrame:

Baseline default: Disable

Learn more

Internet Explorer restricted zone logon options:

Baseline default: Anonymous

Learn more

Internet Explorer restricted zone navigate windows and frames across different
domains:

Baseline default: Disable

Learn more

Internet Explorer restricted zone run Active X controls and plugins:

Baseline default: Disable

Learn more

Internet Explorer restricted zone run .NET Framework reliant components signed
with Authenticode:

Baseline default: Disable

Learn more

Internet Explorer restricted zone scripting of java applets:

Baseline default: Disable

Learn more

Internet Explorer restricted zone security warning for potentially unsafe files:

Baseline default: Disable

Learn more

Internet Explorer restricted zone protected mode:

Baseline default: Enable

Learn more

Internet Explorer restricted zone popup blocker:

Baseline default: Enable

Learn more

Internet Explorer processes restrict file download:

Baseline default: Enabled

Learn more

Internet Explorer processes scripted window security restrictions:

Baseline default: Enabled

Learn more

Internet Explorer security zones use only machine settings:

Baseline default: Enabled

Learn more

Internet Explorer use Active X installer service:

Baseline default: Enabled

Learn more

Internet Explorer trusted zone do not run antimalware against Active X controls:

Baseline default: Disabled

Learn more

Internet Explorer trusted zone initialize and script Active X controls not marked
as safe:

Baseline default: Disable

Learn more

Internet Explorer trusted zone java permissions:

Baseline default: High safety

Learn more

Internet Explorer auto complete:

Baseline default: Disabled

Learn more

Local Policies Security Options
Block remote logon with blank password:

Baseline default: Yes

Learn more

Minutes of lock screen inactivity until screen saver activates:

Baseline default: 15

Learn more

Smart card removal behavior:

Baseline default: Lock workstation

Learn more

Require client to always digitally sign communications:

Baseline default: Yes

Learn more

Prevent clients from sending unencrypted passwords to third party SMB servers:

Baseline default: Yes

Learn more

Require server digitally signing communications always:

Baseline default: Yes

Learn more

Prevent anonymous enumeration of SAM accounts:

Baseline default: Yes

Learn more

Block anonymous enumeration of SAM accounts and shares:

Baseline default: Yes

Learn more

Restrict anonymous access to named pipes and shares:

Baseline default: Yes

Learn more

Allow remote calls to security accounts manager:

Baseline default: O:BAG:BAD:(A;;RC;;;BA)

Learn more

Prevent storing LAN manager hash value on next password change:

Baseline default: Yes

Learn more

Authentication level:

Baseline default: Send NTLMv2 response only. Refuse LM and NTLM

Learn more

Minimum session security for NTLM SSP based clients:

Baseline default: Require NTLM V2 128 encryption

Learn more

Minimum session security for NTLM SSP based servers:

Baseline default: Require NTLM V2 and 128 bit encryption

Learn more

Administrator elevation prompt behavior:

Baseline default: Prompt for consent on the secure desktop

Learn more

Standard user elevation prompt behavior:

Baseline default: Automatically deny elevation requests

Learn more

Detect application installations and prompt for elevation:

Baseline default: Yes

Learn more

Only allow UI access applications for secure locations:

Baseline default: Yes

Learn more

Require admin approval mode for administrators:

Baseline default: Yes

Learn more

Use admin approval mode:

Baseline default: Yes

Learn more

Virtualize file and registry write failures to per user locations:

Baseline default: Yes

Learn more

Microsoft Defender
Block Adobe Reader from creating child processes:

Baseline default: Enable

Learn more

Block Office communication apps launch in a child process:

Baseline default: Enable

Learn more

Enter how often (0-24 hours) to check for security intelligence updates

Baseline default: 4

Learn more

Scan type

Baseline default: Quick scan

Learn more

Defender schedule scan day:

Baseline default: Everyday

Defender scan start time:

Baseline default: Not configured

Cloud-delivered protection level:

Baseline default: Not Configured

Learn more

Scan network files:

Baseline default: Yes

Learn more

Turn on real-time protection

Baseline default: Yes

Learn more

Scan scripts that are used in Microsoft browsers

Baseline default: Yes

Learn more

Scan archive files:

Baseline default: Yes

Learn more

Turn on behavior monitoring:

Baseline default: Yes

Learn more

Turn on cloud-delivered protection:

Baseline default: Yes

Learn more

Scan incoming mail messages:

Baseline default: Yes

Learn more

Scan removable drives during a full scan:

Baseline default: Yes

Learn more

Block Office applications from injecting code into other processes:

Baseline default: Block

Learn more

Block Office applications from creating executable content

Baseline default: Block

Learn more

Block all Office applications from creating child processes

Baseline default: Block

Learn more

Block Win32 API calls from Office macro:

Baseline default: Block

Learn more

Block execution of potentially obfuscated scripts ( js/vbs/ps):

Baseline default: Block

Learn more

Block JavaScript or VBScript from launching downloaded executable content:

Baseline default: Block

Learn more

Block executable content download from email and webmail clients:

Baseline default: Block

Learn more

Block credential stealing from the Windows local security authority subsystem
(lsass.exe):

Baseline default: Enable

Learn more

Defender potentially unwanted app action:

Baseline default: Block

Learn more

Block untrusted and unsigned processes that run from USB:

Baseline default: Block

Learn more

Enable network protection:

Baseline default: Enable

Learn more

Defender sample submission consent type:

Baseline default: Send safe samples automatically

Learn more

MS Security Guide
SMB v1 client driver start configuration:

Baseline default: Disabled driver

Learn more

Apply UAC restrictions to local accounts on network logon:

Baseline default: Enabled

Learn more

Structured exception handling overwrite protection:

Baseline default: Enabled

Learn more

SMB v1 server:

Baseline default: Disabled

Learn more

Digest authentication:

Baseline default: Disabled

Learn more

MSS Legacy
Network IPv6 source routing protection level:

Baseline default: Highest protection

Learn more

Network IP source routing protection level:

Baseline default: Highest protection

Learn more

Network ignore NetBIOS name release requests except from WINS servers:

Baseline default: Enabled

Learn more

Network ICMP redirects override OSPF generated routes:

Baseline default: Disabled

Learn more

Power
Require password on wake while on battery:

Baseline default: Enabled

Learn more

Require password on wake while plugged in:

Baseline default: Enabled

Learn more

Standby states when sleeping while on battery:

Baseline default: Disabled

Learn more

Standby states when sleeping while plugged in:

Baseline default: Disabled

Learn more

Remote Assistance
Remote Assistance solicited:

Baseline default: Disable Remote Assistance

Learn more

Remote Desktop Services
Remote desktop services client connection encryption level:

Baseline default: High

Learn more

Block drive redirection:

Baseline default: Enabled

Block password saving:

Baseline default: Enabled

Learn more

Prompt for password upon connection:

Baseline default: Enabled

Learn more

Secure RPC communication:

Baseline default: Enabled

Learn more

Remote Management
Block client digest authentication:

Baseline default: Enabled

Learn more

Block storing run as credentials:

Baseline default: Enabled

Learn more

Client basic authentication:

Baseline default: Disabled

Learn more

Basic authentication:

Baseline default: Disabled

Learn more

Client unencrypted traffic:

Baseline default: Disabled

Learn more

Unencrypted traffic:

Baseline default: Disabled

Learn more

Remote Procedure Call
RPC unauthenticated client options:

Baseline default: Authenticated

Learn more

Search
Disable indexing encrypted items:

Baseline default: Yes

Learn more

Smart Screen
Turn on Windows SmartScreen

Baseline default: Yes

Learn more

Block users from ignoring SmartScreen warnings

Baseline default: Yes

Learn more

System
System boot start driver initialization:

Baseline default: Good unknown and bad critical

Learn more

Wi-Fi
Block Automatically connecting to Wi-Fi hotspots:

Baseline default: Yes

Learn more

Block Internet sharing:

Baseline default: Yes

Learn more

Windows Connection Manager
Block connection to non-domain networks:

Baseline default: Enabled

Learn more

Windows Ink Workspace
Ink Workspace:

Baseline default: Enabled

Learn more

Windows PowerShell
PowerShell script block logging:

Baseline default: Enabled

Learn more

Next steps
Learn about security baselines
Avoid conflicts
Troubleshoot policies and profiles in Intune
List of the settings in the Microsoft Defender for Endpoint security baseline in Intune
Article • 02/23/2023

This article is a reference for the settings that are available in the different versions of
the Microsoft Defender for Endpoint security baseline that you can deploy with
Microsoft Intune. You can use the tabs below to select and view the settings in the
current baseline version and a few older versions that might still be in use.

For each setting you'll find the baseline's default configuration, which is also the
recommended configuration for that setting as provided by the relevant security team.
Because products and the security landscape evolve, the recommended defaults in one
baseline version might not match the defaults you find in later versions of the same
baseline. Different baseline types, like the MDM security and the Defender for Endpoint
baselines, could also set different defaults.

When the Intune UI includes a Learn more link for a setting, you'll find that here as well.
Use that link to view the setting's policy configuration service provider (CSP) or relevant
content that explains the setting's operation.

When a new version of a baseline becomes available, it replaces the previous version.
Profile instances that you've created prior to the availability of a new version:

Become read-only. You can continue to use those profiles but can't edit them to
change their configuration.
Can be updated to the latest version. After you update a profile to the current
baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see Use security baselines. In that article
you'll also find information about how to:

Change the baseline version for a profile to update a profile to use the latest
version of that baseline.

Microsoft Defender for Endpoint baseline for December 2020 - version 6

The Microsoft Defender for Endpoint baseline is available when your environment meets
the prerequisites for using Microsoft Defender for Endpoint.
This baseline is optimized for physical devices and isn't recommended for use on virtual
machines (VMs) or VDI endpoints. Certain baseline settings can affect remote interactive
sessions on virtualized environments. For more information, see Increase compliance to
the Microsoft Defender for Endpoint security baseline in the Windows documentation.

Attack Surface Reduction Rules

Attack surface reduction rules support a merger of settings from different policies, to
create a superset of policy for each device. Only the settings that aren't in conflict are
merged. Settings that are in conflict are not added to the superset of rules. Previously, if
two policies included conflicts for a single setting, both policies were flagged as being in
conflict, and no settings from either profile would be deployed.

Attack surface reduction rule merge behavior is as follows:

Attack surface reduction rules from the following profiles are evaluated for each
device the rules apply to:
  Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > Attack Surface Reduction
  Endpoint security > Attack surface reduction policy > Attack surface reduction rules
  Endpoint security > Security baselines > Microsoft Defender for Endpoint Baseline > Attack Surface Reduction Rules
Settings that don't have conflicts are added to a superset of policy for the device.
When two or more policies have conflicting settings, the conflicting settings aren't
added to the combined policy, while settings that don't conflict are added to the
superset policy that applies to a device.
Only the configurations for conflicting settings are held back.

To learn more, see Attack surface reduction rules in the Microsoft Defender for Endpoint
documentation.
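The merge behavior described above, worked through as an added example (not Intune's own code): three policies configure overlapping attack surface reduction rules, and the merge keeps every rule whose value agrees while holding back only the rule two policies set differently. The previous all-or-nothing behavior is included for comparison. Policy names, rule names and values are constructed sample data.

```python
"""Attack surface reduction (ASR) rule merge across several Intune policies.

Added illustration of the merge behaviour the article describes; this is not
Intune's implementation. All policy names and settings are constructed samples.
"""
from collections import defaultdict

NOT_CONFIGURED = "Not configured"


def merge_asr_rules(policies):
    """Merge ASR rule settings from several policies into one device superset.

    policies: {policy_name: {rule_name: value}} where value is e.g. "Block",
              "Enable", "Audit" or NOT_CONFIGURED.
    Returns (superset, conflicts):
      superset  - {rule_name: value} for every rule whose value agrees across
                  all policies that configure it (current merge behaviour).
      conflicts - {rule_name: {policy_name: value}} for rules that two or more
                  policies set to different values; only these are held back.
    """
    by_rule = defaultdict(dict)
    for policy_name, settings in policies.items():
        for rule, value in settings.items():
            if value in (None, NOT_CONFIGURED):
                continue  # an unconfigured rule never takes part in the merge
            by_rule[rule][policy_name] = value

    superset, conflicts = {}, {}
    for rule, sources in by_rule.items():
        if len(set(sources.values())) == 1:
            superset[rule] = next(iter(sources.values()))
        else:
            conflicts[rule] = dict(sources)
    return superset, conflicts


def legacy_merge_asr_rules(policies):
    """Previous behaviour, for comparison: one conflicting rule flagged every
    policy involved as in conflict and nothing from those policies deployed.

    Returns (deployed, flagged_policies).
    """
    superset, conflicts = merge_asr_rules(policies)
    flagged = {name for sources in conflicts.values() for name in sources}
    if not flagged:
        return superset, flagged
    # Drop every setting from a flagged policy, not just the conflicting one.
    deployed = {}
    for policy_name, settings in policies.items():
        if policy_name in flagged:
            continue
        for rule, value in settings.items():
            if value not in (None, NOT_CONFIGURED):
                deployed[rule] = value
    return deployed, flagged


# Constructed sample: the three sources the article lists, each configuring a
# few of the rules named in the baseline.
SAMPLE_POLICIES = {
    "Endpoint protection profile": {
        "Block Adobe Reader from creating child processes": "Enable",
        "Block Win32 API calls from Office macro": "Block",
        "Enable network protection": "Enable",
    },
    "Attack surface reduction policy": {
        "Block Win32 API calls from Office macro": "Audit",  # conflicts with profile
        "Block credential stealing from lsass.exe": "Enable",
        "Enable network protection": NOT_CONFIGURED,        # skipped by the merge
    },
    "Microsoft Defender for Endpoint baseline": {
        "Block Adobe Reader from creating child processes": "Enable",
        "Block credential stealing from lsass.exe": "Enable",
        "Block untrusted and unsigned processes that run from USB": "Block",
    },
}

if __name__ == "__main__":
    superset, conflicts = merge_asr_rules(SAMPLE_POLICIES)
    print("Deployed superset:")
    for rule, value in sorted(superset.items()):
        print(f"  {rule}: {value}")
    print("Held back (conflicting):")
    for rule, sources in conflicts.items():
        print(f"  {rule}: {sources}")
    deployed, flagged = legacy_merge_asr_rules(SAMPLE_POLICIES)
    print(f"Legacy behaviour would flag {sorted(flagged)} and deploy only "
          f"{len(deployed)} rule(s).")
```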

Block Office communication apps from creating child processes

Baseline default: Enable

Learn more

Block Adobe Reader from creating child processes

Baseline default: Enable

Learn more

Block Office applications from injecting code into other processes

Baseline default: Block

Learn more

Block Office applications from creating executable content

Baseline default: Block

Learn more

Block JavaScript or VBScript from launching downloaded executable content

Baseline default: Block

Learn more

Enable network protection

Baseline default: Enable

Learn more

Block untrusted and unsigned processes that run from USB

Baseline default: Block

Learn more

Block credential stealing from the Windows local security authority subsystem
(lsass.exe)

Baseline default: Enable

Learn more

Block executable content download from email and webmail clients

Baseline default: Block

Learn more

Block all Office applications from creating child processes

Baseline default: Block

Learn more

Block execution of potentially obfuscated scripts (js/vbs/ps)

Baseline default: Block

Learn more

Block Win32 API calls from Office macro

Baseline default: Block

Learn more

BitLocker
BitLocker system drive policy

Baseline default: Configure

Learn more

Startup authentication required

Baseline default: Yes

Learn more

Compatible TPM startup PIN

Baseline default: Allowed

Learn more

Compatible TPM startup key

Baseline default: Required

Learn more

Disable BitLocker on devices where TPM is incompatible

Baseline default: Yes

Learn more

Configure encryption method for Operating System drives

Baseline default: Not configured

Learn more

Standby states when sleeping while on battery

Baseline default: Disabled

Learn more

Standby states when sleeping while plugged in

Baseline default: Disabled

Learn more

Enable full disk encryption for OS and fixed data drives

Baseline default: Yes

Learn more

BitLocker fixed drive policy

Baseline default: Configure

Learn more

Block write access to fixed data-drives not protected by BitLocker

Baseline default: Yes

Learn more

This setting is available when BitLocker fixed drive policy is set to Configure.

Configure encryption method for fixed data-drives

Baseline default: AES 128bit XTS

Learn more

BitLocker removable drive policy

Baseline default: Configure

Learn more

Configure encryption method for removable data-drives

Baseline default: AES 128bit CBC

Learn more

Block write access to removable data-drives not protected by BitLocker

Baseline default: Not configured

Learn more

Device Guard
Turn on credential guard

Baseline default: Enable with UEFI lock

Learn more

Device Installation
Block hardware device installation by setup classes:

Baseline default: Yes

Learn more

Remove matching hardware devices:

Baseline default: Yes

Block list

Baseline default: Not configured by default. Manually add one or more setup class
globally unique identifiers.

DMA Guard
Enumeration of external devices incompatible with Kernel DMA Protection

Baseline default: Block all

Learn more

Firewall
Stateful File Transfer Protocol (FTP)

Baseline default: Disabled

Learn more

Number of seconds a security association can be idle before it's deleted

Baseline default: 300

Learn more

Preshared key encoding

Baseline default: UTF8

Learn more

Certificate revocation list (CRL) verification

Baseline default: Not configured

Learn more

Packet queuing

Baseline default: Not configured

Learn more

Firewall profile private

Baseline default: Configure

Learn more

Inbound connections blocked

Baseline default: Yes

Learn more

Unicast responses to multicast broadcasts required

Baseline default: Yes

Learn more

Outbound connections required

Baseline default: Yes

Learn more

Inbound notifications blocked

Baseline default: Yes

Learn more

Global port rules from group policy merged

Baseline default: Yes

Learn more

Firewall enabled

Baseline default: Allowed

Learn more

Authorized application rules from group policy not merged

Baseline default: Yes

Learn more

Connection security rules from group policy not merged

Baseline default: Yes

Learn more

Incoming traffic required

Baseline default: Yes

Learn more

Policy rules from group policy not merged

Baseline default: Yes

Learn more

Firewall profile public

Baseline default: Configure

Learn more

Inbound connections blocked

Baseline default: Yes

Learn more

Unicast responses to multicast broadcasts required

Baseline default: Yes

Learn more

Outbound connections required

Baseline default: Yes

Learn more

Authorized application rules from group policy not merged

Baseline default: Yes

Learn more

Inbound notifications blocked

Baseline default: Yes

Learn more

Global port rules from group policy merged

Baseline default: Yes

Learn more

Firewall enabled

Baseline default: Allowed

Learn more

Connection security rules from group policy not merged

Baseline default: Yes

Learn more

Incoming traffic required

Baseline default: Yes

Learn more

Policy rules from group policy not merged

Baseline default: Yes

Learn more

Firewall profile domain

Baseline default: Configure

Learn more

Unicast responses to multicast broadcasts required

Baseline default: Yes

Learn more

Authorized application rules from group policy not merged

Baseline default: Yes

Learn more

Inbound notifications blocked

Baseline default: Yes

Learn more

Global port rules from group policy merged

Baseline default: Yes

Learn more

Firewall enabled

Baseline default: Allowed

Learn more

Connection security rules from group policy not merged

Baseline default: Yes

Learn more

Policy rules from group policy not merged

Baseline default: Yes

Learn more

Microsoft Defender
Turn on real-time protection

Baseline default: Yes

Learn more

Additional amount of time (0-50 seconds) to extend cloud protection timeout

Baseline default: 0

Learn more

Scan all downloaded files and attachments

Baseline default: Yes

Learn more

Scan type

Baseline default: Quick scan

Learn more

Defender schedule scan day:

Baseline default: Everyday

Defender scan start time:

Baseline default: Not configured

Defender sample submission consent

Baseline default: Send safe samples automatically

Learn more

Cloud-delivered protection level

Baseline default: High

Learn more

Scan removable drives during full scan

Baseline default: Yes

Learn more

Defender potentially unwanted app action

Baseline default: Block

Learn more

Turn on cloud-delivered protection

Baseline default: Yes

Learn more

Smart Screen
Block users from ignoring SmartScreen warnings

Baseline default: Yes

Learn more

Turn on Windows SmartScreen

Baseline default: Yes

Learn more

Require SmartScreen for Microsoft Edge

Baseline default: Yes

Learn more

Block malicious site access

Baseline default: Yes

Learn more

Block unverified file download

Baseline default: Yes

Learn more

Configure Microsoft Defender SmartScreen

Baseline default: Enabled

Prevent bypassing Microsoft Defender SmartScreen prompts for sites

Baseline default: Enabled

Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads

Baseline default: Enabled

Configure Microsoft Defender SmartScreen to block potentially unwanted apps

Baseline default: Enabled

Next steps
Learn about security baselines
Avoid conflicts
Troubleshoot policies and profiles in Intune

Microsoft 365 Apps for Enterprise security baseline settings reference for Microsoft Intune
Article • 05/24/2023

This article is a reference for the settings that are available in the Microsoft 365 Apps for
Enterprise security baseline for Microsoft Intune and applies to versions of that baseline
that released in May 2023 or later.

About this reference article

Each security baseline is a group of preconfigured Windows settings that help you apply
and enforce granular security settings that the relevant security teams recommend. You
can also customize each baseline you deploy to enforce only those settings and values
you require. When you create a security baseline profile in Intune, you're creating a
template that consists of multiple device configuration profiles.

The details that are displayed in this article are based on the baseline version that is
selected at the top of the article. For each selection, this article displays:

A list of each setting in that baseline version.
The default configuration of each setting in that baseline version.
When available, a link to the underlying configuration service provider (CSP)
documentation, or other related content from the relevant product group that
provides context and possibly additional details for the setting's use.

When a new version of a baseline becomes available, it replaces the previous version.
Profile instances that you’ve created prior to the availability of a new version:

Become read-only. You can continue to use those profiles but can't edit them to
change their configuration.
Can be updated to the latest version. After you update a profile to the current
baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see:

Use security baselines
Manage security baselines.

Microsoft 365 Apps for Enterprise

Microsoft 365 Apps for Enterprise security baseline for May 2023

For more information about the following settings that are included in this baseline,
download the Microsoft Security Compliance Toolkit 1.0 from the Microsoft Download
Center, and review the Microsoft 365 Apps for Enterprise-2206-FINAL.zip file.

Microsoft Access 2016

Application Settings > Security > Trust Center

Block macros from running in Office files from the Internet (User)

Baseline default: Enabled

VBA Macro Notification Settings (User)

Baseline default: Enabled


Baseline default: Disable all with notification

Disable Trust Bar Notification for unsigned application add-ins and block them
(User)

Baseline default: Enabled

Application Settings > Security > Trust Center > Trusted Locations

Allow Trusted Locations on the network (User)

Baseline default: Disabled

Microsoft Excel 2016

Data Recovery

Do not show data extraction options when opening corrupt workbooks (User)

Baseline default: Enabled

Excel Options > Advanced

Ask to update automatic links (User)

Baseline default: Enabled

Excel Options > Advanced > General

Load pictures from Web pages not created in Excel (User)

Baseline default: Disabled


Excel Options > Save

Disable AutoRepublish (User)

Baseline default: Enabled

Do not show AutoRepublish warning alert (User)

Baseline default: Disabled

Excel Options > Security

Force file extension to match file type (User)

Baseline default: Enabled


Baseline default: Always match file type

Scan encrypted macros in Excel Open XML workbooks (User)

Baseline default: Enabled


Baseline default: Scan encrypted macros (default)

Turn off file validation (User)

Baseline default: Disabled

WEBSERVICE Function Notification Settings (User)

Baseline default: Enabled


Baseline default: Disable all with notification

Excel Options > Security > Trust Center

Block macros from running in Office files from the Internet (User)

Baseline default: Enabled

Prevent Excel from running XLM macros (User)

Baseline default: Enabled

Require that application add-ins are signed by Trusted Publisher (User)

Baseline default: Enabled


Disable Trust Bar Notification for unsigned application add-ins and block
them (User)

Baseline default: Enabled

VBA Macro Notification Settings (User)

Baseline default: Enabled


Baseline default: Disable all except digitally signed macros

Excel Options > Security > Trust Center > External Content
Always prevent untrusted Microsoft Query files from opening (User)

Baseline default: Enabled

Don’t allow Dynamic Data Exchange (DDE) server launch in Excel (User)

Baseline default: Enabled

Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel (User)

Baseline default: Enabled

Excel Options > Security > Trust Center > File Block Settings

dBase III / IV files (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Dif and Sylk files (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Excel 2 macrosheets and add-in files (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Excel 2 worksheets (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Excel 3 macrosheets and add-in files (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Excel 3 worksheets (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Excel 4 macrosheets and add-in files (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Excel 4 workbooks (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Excel 4 worksheets (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Excel 95 workbooks (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Excel 95-97 workbooks and templates (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Excel 97-2003 workbooks and templates (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Set default file block behavior (User)

Baseline default: Enabled


Baseline default: Blocked files are not opened

Web pages and Excel 2003 XML spreadsheets (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Excel Options > Security > Trust Center > Protected View

Always open untrusted database files in Protected View (User)

Baseline default: Enabled

Do not open files from the Internet zone in Protected View (User)

Baseline default: Disabled


Do not open files in unsafe locations in Protected View (User)

Baseline default: Disabled

Set document behavior if file validation fails (User)

Baseline default: Enabled

Checked: Allow edit. Unchecked: Do not allow edit. (User)

Baseline default: False


Baseline default: Open in Protected View

Turn off Protected View for attachments opened from Outlook (User)

Baseline default: Disabled

Excel Options > Security > Trust Center > Trusted Locations

Allow Trusted Locations on the network (User)

Baseline default: Disabled

Microsoft Lync Feature Policies

Configure SIP security mode

Baseline default: Enabled

Disable HTTP fallback for SIP connection

Baseline default: Enabled

Microsoft Office 2016

Customize

Disable UI extending from documents and templates (User)

Baseline default: Enabled

Disallow in PowerPoint (User)

Baseline default: True

Disallow in Publisher (User)

Baseline default: True

Disallow in Visio (User)

Baseline default: True

Disallow in InfoPath (User)

Baseline default: True

Disallow in Outlook (User)

Baseline default: True


Disallow in Project (User)

Baseline default: True

Disallow in Access (User)

Baseline default: True

Disallow in Word (User)

Baseline default: True

Disallow in Excel (User)

Baseline default: True

Security Settings

ActiveX Control Initialization (User)

Baseline default: Enabled

ActiveX Control Initialization: (User)

Baseline default: 6

Allow VBA to load typelib references by path from untrusted intranet locations
(User)

Baseline default: Disabled

Automation Security (User)

Baseline default: Enabled


Set the Automation Security level (User)

Baseline default: Use application macro security level

Control how Office handles form-based sign-in prompts (User)

Baseline default: Enabled


Specify hosts allowed to show form-based sign-in prompts to users: (User)

Baseline default: ;

Behavior: (User)

Baseline default: Block all prompts

Disable additional security checks on VBA library references that may refer to
unsafe locations on the local machine (User)

Baseline default: Disabled

Disable all Trust Bar notifications for security issues (User)

Baseline default: Disabled

Encryption type for password protected Office 97-2003 files (User)

Baseline default: Enabled


Encryption type: (User)

Baseline default: Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256

Encryption type for password protected Office Open XML files (User)

Baseline default: Enabled


Encryption type: (User)

Baseline default: Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256

Load Controls in Forms3 (User)

Baseline default: Enabled


Load Controls in Forms3: (User)

Baseline default: 1

Macro Runtime Scan Scope (User)

Baseline default: Enabled


Baseline default: Enable for all documents

Protect document metadata for rights managed Office Open XML Files (User)

Baseline default: Enabled

Security Settings > Trust Center

Allow mix of policy and user locations (User)

Baseline default: Disabled

Server Settings

Disable the Office client from polling the SharePoint Server for published links
(User)

Baseline default: Enabled

Smart Documents (Word, Excel)

Disable Smart Document's use of manifests (User)

Baseline default: Enabled

Microsoft Office 2016 (Machine)

Security Settings > IE Security

Add-on Management

Baseline default: Enabled


mspub.exe (Device)

Baseline default: True

mse7.exe (Device)

Baseline default: True

msaccess.exe (Device)

Baseline default: True

powerpnt.exe (Device)

Baseline default: True

visio.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

pptview.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

excel.exe (Device)

Baseline default: True

onent.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

exprwd.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

Consistent Mime Handling

Baseline default: Enabled


exprwd.exe (Device)

Baseline default: True

excel.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

mspub.exe (Device)

Baseline default: True

visio.exe (Device)

Baseline default: True

onent.exe (Device)

Baseline default: True

pptview.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

powerpnt.exe (Device)

Baseline default: True

mse7.exe (Device)

Baseline default: True

msaccess.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

Disable user name and password

Baseline default: Enabled


pptview.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

onent.exe (Device)

Baseline default: True

mse7.exe (Device)

Baseline default: True

excel.exe (Device)

Baseline default: True

visio.exe (Device)

Baseline default: True

exprwd.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

mspub.exe (Device)

Baseline default: True

msaccess.exe (Device)

Baseline default: True

powerpnt.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

Information Bar

Baseline default: Enabled


pptview.exe (Device)

Baseline default: True

excel.exe (Device)

Baseline default: True

mspub.exe (Device)

Baseline default: True

msaccess.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

onent.exe (Device)

Baseline default: True

powerpnt.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

exprwd.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

visio.exe (Device)

Baseline default: True

mse7.exe (Device)

Baseline default: True

Local Machine Zone Lockdown Security

Baseline default: Enabled


mse7.exe (Device)

Baseline default: True

powerpnt.exe (Device)

Baseline default: True

mspub.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

pptview.exe (Device)

Baseline default: True

excel.exe (Device)

Baseline default: True

exprwd.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

visio.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

msaccess.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

onent.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

Mime Sniffing Safety Feature

Baseline default: Enabled


onent.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

excel.exe (Device)

Baseline default: True

powerpnt.exe (Device)

Baseline default: True

exprwd.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

visio.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

pptview.exe (Device)

Baseline default: True

mspub.exe (Device)

Baseline default: True

mse7.exe (Device)

Baseline default: True

msaccess.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

Navigate URL

Baseline default: Enabled


powerpnt.exe (Device)

Baseline default: True

visio.exe (Device)

Baseline default: True

mse7.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

onent.exe (Device)

Baseline default: True

pptview.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

excel.exe (Device)

Baseline default: True

exprwd.exe (Device)

Baseline default: True

msaccess.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

mspub.exe (Device)

Baseline default: True

Object Caching Protection

Baseline default: Enabled


excel.exe (Device)

Baseline default: True

pptview.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

exprwd.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

mse7.exe (Device)

Baseline default: True

mspub.exe (Device)

Baseline default: True

powerpnt.exe (Device)

Baseline default: True

onent.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

msaccess.exe (Device)

Baseline default: True

visio.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

Protection From Zone Elevation

Baseline default: Enabled


msaccess.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

mspub.exe (Device)

Baseline default: True

visio.exe (Device)

Baseline default: True

powerpnt.exe (Device)

Baseline default: True

excel.exe (Device)

Baseline default: True

mse7.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

onent.exe (Device)

Baseline default: True

pptview.exe (Device)

Baseline default: True

exprwd.exe (Device)

Baseline default: True

Restrict ActiveX Install

Baseline default: Enabled


mse7.exe (Device)

Baseline default: True

powerpnt.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

onent.exe (Device)

Baseline default: True

pptview.exe (Device)

Baseline default: True

excel.exe (Device)

Baseline default: True

mspub.exe (Device)

Baseline default: True

visio.exe (Device)

Baseline default: True

exprwd.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

msaccess.exe (Device)

Baseline default: True

Restrict File Download

Baseline default: Enabled


onent.exe (Device)

Baseline default: True

mse7.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

visio.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

msaccess.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

excel.exe (Device)

Baseline default: True

powerpnt.exe (Device)

Baseline default: True

mspub.exe (Device)

Baseline default: True

exprwd.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

pptview.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

Saved from URL

Baseline default: Enabled


visio.exe (Device)

Baseline default: True

mspub.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

excel.exe (Device)

Baseline default: True

msaccess.exe (Device)

Baseline default: True

powerpnt.exe (Device)

Baseline default: True

onent.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

exprwd.exe (Device)

Baseline default: True

mse7.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

pptview.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

Scripted Window Security Restrictions

Baseline default: Enabled


visio.exe (Device)

Baseline default: True

onent.exe (Device)

Baseline default: True

winword.exe (Device)

Baseline default: True

exprwd.exe (Device)

Baseline default: True

mspub.exe (Device)

Baseline default: True

outlook.exe (Device)

Baseline default: True

powerpnt.exe (Device)

Baseline default: True

groove.exe (Device)

Baseline default: True

mse7.exe (Device)

Baseline default: True

msaccess.exe (Device)

Baseline default: True

excel.exe (Device)

Baseline default: True

spDesign.exe (Device)

Baseline default: True

pptview.exe (Device)

Baseline default: True

winproj.exe (Device)

Baseline default: True

Microsoft Outlook 2016

Security > Security Form Settings

The "Outlook Security Mode" policy controls how security settings in Outlook are
enforced. To manage any of the dependent Outlook security policies using Microsoft
Endpoint Manager, Office cloud policy service, or Group Policy, this policy must be
enabled and the Outlook Security Policy dropdown set to "Use Outlook Security Group
Policy".

Outlook Security Mode (User)

Baseline default: Enabled

Outlook Security Policy: (User)

Baseline default: Use Outlook Security Group Policy


Guard behavior: (User)

Baseline default: Automatically Deny

Configure Outlook object model prompt when accessing the Formula property of a
UserProperty object (User)

Baseline default: Enabled


Guard behavior: (User)

Baseline default: Automatically Deny

Authentication with Exchange Server (User)

Baseline default: Enabled


Select the authentication with Exchange server. (User)

Baseline default: Kerberos Password Authentication

Configure Outlook object model prompt when reading address information (User)

Baseline default: Enabled


Guard behavior: (User)

Baseline default: Automatically Deny

Enable RPC encryption (User)

Baseline default: Enabled

Allow hyperlinks in suspected phishing e-mail messages (User)

Baseline default: Disabled

Configure Outlook object model prompt when sending mail (User)

Baseline default: Enabled

Allow users to demote attachments to Level 2 (User)

Baseline default: Disabled

Allow Active X One Off Forms (User)

Baseline default: Enabled


Sets which ActiveX controls to allow.

Baseline default: Load only Outlook Controls

Allow scripts in one-off Outlook forms (User)

Baseline default: Disabled

Prevent users from customizing attachment security settings (User)

Baseline default: Enabled

Remove file extensions blocked as Level 2 (User)

Baseline default: Enabled


Removed Extensions: (User)

Baseline default: ;

Retrieving CRLs (Certificate Revocation Lists) (User)

Baseline default: Enabled


Baseline default: When online always retrieve the CRL

Configure Outlook object model prompt when accessing an address book (User)

Baseline default: Enabled


Guard behavior: (User)

Baseline default: Automatically Deny

Do not allow Outlook object model scripts to run for public folders (User)

Baseline default: Enabled

Include Internet in Safe Zones for Automatic Picture Download (User)

Baseline default: Disabled

Signature Warning (User)

Baseline default: Enabled


Signature Warning (User)

Baseline default: Always warn about invalid signatures

Use Unicode format when dragging e-mail message to file system (User)

Baseline default: Disabled

Set Outlook object model custom actions execution prompt (User)

Baseline default: Enabled


When executing a custom action: (User)

Baseline default: Automatically Deny

Security setting for macros (User)

Baseline default: Enabled


Security Level (User)

Baseline default: Warn for signed, disable unsigned

Remove file extensions blocked as Level 1 (User)

Baseline default: Enabled


Removed Extensions: (User)

Baseline default: ;

Junk E-mail protection level (User)

Baseline default: Disabled

Display Level 1 attachments (User)

Baseline default: Disabled

Minimum encryption settings (User)

Baseline default: Enabled


Minimum key size (in bits): (User)

Baseline default: 168

Do not allow Outlook object model scripts to run for shared folders (User)

Baseline default: Enabled

Configure Outlook object model prompt when executing Save As (User)

Baseline default: Enabled


Guard behavior: (User)

Baseline default: Automatically Deny

Configure Outlook object model prompt when responding to meeting and task requests
(User)

Baseline default: Enabled


Guard behavior: (User)

Baseline default: Automatically Deny

Microsoft PowerPoint 2016

PowerPoint Options > Security

Run Programs (User)

Baseline default: Enabled

Baseline default: disable (don't run any programs)

Scan encrypted macros in PowerPoint Open XML presentations (User)

Baseline default: Enabled


Baseline default: Scan encrypted macros (default)

Turn off file validation (User)

Baseline default: Disabled

PowerPoint Options > Security > Trust Center

Block macros from running in Office files from the Internet (User)

Baseline default: Enabled

Require that application add-ins are signed by Trusted Publisher (User)

Baseline default: Enabled


Disable Trust Bar Notification for unsigned application add-ins and block
them (User)

Baseline default: Enabled

VBA Macro Notification Settings (User)

Baseline default: Enabled


Baseline default: Disable all except digitally signed macros

PowerPoint Options > Security > Trust Center > File Block Settings

PowerPoint 97-2003 presentations, shows, templates and add-in files (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Set default file block behavior (User)

Baseline default: Enabled


Baseline default: Blocked files are not opened

PowerPoint Options > Security > Trust Center > Protected View

Do not open files from the Internet zone in Protected View (User)

Baseline default: Disabled

Do not open files in unsafe locations in Protected View (User)

Baseline default: Disabled

Set document behavior if file validation fails (User)

Baseline default: Enabled

Baseline default: Open in Protected View

Checked: Allow edit. Unchecked: Do not allow edit. (User)

Baseline default: False

Turn off Protected View for attachments opened from Outlook (User)

Baseline default: Disabled

PowerPoint Options > Security > Trust Center > Trusted Locations

Allow Trusted Locations on the network (User)

Baseline default: Disabled

Microsoft Project 2016

Project Options > Security > Trust Center

Allow Trusted Locations on the network (User)

Baseline default: Disabled

Require that application add-ins are signed by Trusted Publisher (User)

Baseline default: Enabled


Disable Trust Bar Notification for unsigned application add-ins and block
them (User)

Baseline default: Enabled

VBA Macro Notification Settings (User)

Baseline default: Enabled


Baseline default: Disable all except digitally signed macros

Microsoft Publisher 2016


Security

Publisher Automation Security Level (User)

Baseline default: Enabled


Baseline default: By UI (prompted)

Security > Trust Center

Require that application add-ins are signed by Trusted Publisher (User)

Baseline default: Enabled


Disable Trust Bar Notification for unsigned application add-ins (User)

Baseline default: Enabled*


VBA Macro Notification Settings (User)

Baseline default: Enabled


Baseline default: Disable all except digitally signed macros

Microsoft Visio 2016


Visio Options > Security > Trust Center

Allow Trusted Locations on the network (User)

Baseline default: Disabled

Block macros from running in Office files from the Internet (User)

Baseline default: Enabled

Require that application add-ins are signed by Trusted Publisher (User)

Baseline default: Enabled


Disable Trust Bar Notification for unsigned application add-ins and block
them (User)

Baseline default: Enabled

VBA Macro Notification Settings (User)

Baseline default: Enabled


Baseline default: Disable all except digitally signed macros

Visio Options > Security > Trust Center > File Block Settings

Visio 2000-2002 Binary Drawings, Templates and Stencils (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked

Visio 2003-2010 Binary Drawings, Templates and Stencils (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked

Visio 5.0 or earlier Binary Drawings, Templates and Stencils (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked

Microsoft Word 2016


Word Options > Security > Trust Center

Block macros from running in Office files from the Internet (User)

Baseline default: Enabled

Dynamic Data Exchange (User)

Baseline default: Disabled

Require that application add-ins are signed by Trusted Publisher (User)

Baseline default: Enabled


Disable Trust Bar Notification for unsigned application add-ins and block
them (User)

Baseline default: Enabled

Scan encrypted macros in Word Open XML documents (User)

Baseline default: Enabled


Baseline default: Scan encrypted macros (default)

VBA Macro Notification Settings (User)

Baseline default: Enabled


Baseline default: Disable all except digitally signed macros

Word Options > Security > Trust Center > File Block Settings

Set default file block behavior (User)

Baseline default: Enabled


Baseline default: Blocked files are not opened

Word 2 and earlier binary documents and templates (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Word 2000 binary documents and templates (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Word 2003 binary documents and templates (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Word 2007 and later binary documents and templates (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Word 6.0 binary documents and templates (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Word 95 binary documents and templates (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Word 97 binary documents and templates (User)

Baseline default: Enabled

File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Word XP binary documents and templates (User)

Baseline default: Enabled


File block setting: (User)

Baseline default: Open/Save blocked, use open policy

Word Options > Security > Trust Center > Protected View

Do not open files from the Internet zone in Protected View (User)

Baseline default: Disabled

Do not open files in unsafe locations in Protected View (User)

Baseline default: Disabled

Set document behavior if file validation fails (User)

Baseline default: Enabled

Baseline default: Open in Protected View

Checked: Allow edit. Unchecked: Do not allow edit. (User)

Baseline default: False

Turn off Protected View for attachments opened from Outlook (User)

Baseline default: Disabled

Word Options > Security > Trust Center > Trusted Locations

Allow Trusted Locations on the network (User)

Baseline default: Disabled


Word Options > Security

Turn off file validation (User)

Baseline default: Disabled

Administrative Templates
MS Security Guide

Block Flash activation in Office documents

Baseline default: Enabled


Block Flash player in Office (Device)

Baseline default: Block all activation*

Restrict legacy JScript execution for Office

Baseline default: Enabled

Outlook: (Device)

Baseline default: 69632

Excel: (Device)

Baseline default: 69632

PowerPoint: (Device)

Baseline default: 69632

OneNote: (Device)

Baseline default: 69632

Publisher: (Device)

Baseline default: 69632

Access: (Device)

Baseline default: 69632

Visio: (Device)

Baseline default: 69632

Project: (Device)

Baseline default: 69632

Word: (Device)

Baseline default: 69632

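The value 69632 listed for each Office application above is shown without explanation. The following added example (not part of the Intune documentation or of any Microsoft tool) decodes it as a per-zone bitmask and checks a set of reported per-application values against the baseline. The zone-to-bit mapping (one hexadecimal digit per Internet Explorer security zone: 0x1 Local Machine, 0x10 Local Intranet, 0x100 Trusted Sites, 0x1000 Internet, 0x10000 Restricted Sites) is an assumption about the underlying feature-control setting and is not stated on this page; the per-application values passed to the check are constructed sample data.

```python
"""Decode and check the "Restrict legacy JScript execution for Office" mask.

The baseline default of 69632 (0x11000) is a bitmask selecting the Internet
Explorer security zones in which the legacy JScript engine is blocked.
"""

# Assumed mapping of one hex digit per security zone (not stated on the page).
ZONE_BITS = {
    0x00001: "Local Machine",
    0x00010: "Local Intranet",
    0x00100: "Trusted Sites",
    0x01000: "Internet",
    0x10000: "Restricted Sites",
}
KNOWN_MASK = sum(ZONE_BITS)          # 0x11111: every bit the mapping defines
BASELINE_DEFAULT = 69632             # value listed for every Office app above


def decode_jscript_restriction(value: int) -> list[str]:
    """Return the zone names in which legacy JScript is blocked for `value`.

    Raises ValueError for negative values or bits outside the assumed mapping,
    so a typo such as 69623 is not silently reported as "partially restricted".
    """
    if value < 0 or value & ~KNOWN_MASK:
        raise ValueError(f"unrecognised zone bits in {value:#x}")
    return [name for bit, name in ZONE_BITS.items() if value & bit]


def encode_jscript_restriction(zones: list[str]) -> int:
    """Build the mask that blocks legacy JScript in exactly the named zones."""
    by_name = {name: bit for bit, name in ZONE_BITS.items()}
    mask = 0
    for zone in zones:
        mask |= by_name[zone]        # KeyError on an unknown zone name
    return mask


def missing_zones(reported: dict[str, int],
                  expected: int = BASELINE_DEFAULT) -> dict[str, list[str]]:
    """Compare per-application values against the baseline.

    `reported` maps an application name to the mask found on a device
    (constructed sample input in the demo below). The result lists, per
    application, the zones the baseline blocks but the device does not;
    applications that meet or exceed the baseline are omitted.
    """
    required = set(decode_jscript_restriction(expected))
    gaps: dict[str, list[str]] = {}
    for app, value in reported.items():
        blocked = set(decode_jscript_restriction(value))
        lacking = [z for z in decode_jscript_restriction(expected)
                   if z in required - blocked]
        if lacking:
            gaps[app] = lacking
    return gaps


if __name__ == "__main__":
    print(f"{BASELINE_DEFAULT} = {BASELINE_DEFAULT:#x} blocks legacy JScript in:",
          decode_jscript_restriction(BASELINE_DEFAULT))
    # Constructed sample: Word compliant, Excel only covers the Internet zone,
    # Outlook has no restriction at all.
    sample = {"Word": 69632, "Excel": 0x1000, "Outlook": 0}
    for app, zones in missing_zones(sample).items():
        print(f"{app}: baseline zones not blocked -> {zones}")
```

The check deliberately treats a mask with more zones than the baseline as compliant, since blocking JScript in additional zones is stricter, not weaker; only zones the baseline requires and the device lacks are reported.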

Next steps
Learn about security baselines
Avoid conflicts
Troubleshoot policies and profiles in Intune
Microsoft Edge security baseline settings reference for Microsoft Intune
Article • 05/24/2023

This article is a reference for the settings that are available in the Microsoft Edge security
baseline for Microsoft Intune and applies to versions of that baseline that released in
May 2023 or later.

If you use a security baseline for Edge version 85 or earlier, see List of the settings in the
Microsoft Edge security baseline in Intune.

Note

Beginning in May 2023, all new security baseline versions use a new settings format
that replaces previous versions. While the last version instance for a baseline that
uses the older setting format remains available to use, the older format will no
longer receive updates for new settings, or updated default configurations.

About this reference article


Each security baseline is a group of preconfigured Windows settings that help you apply
and enforce granular security settings that the relevant security teams recommend. You
can also customize each baseline you deploy to enforce only those settings and values
you require. When you create a security baseline profile in Intune, you're creating a
template that consists of multiple device configuration profiles.

The details that are displayed in this article are based on the baseline version that is
selected at the top of the article. For each selection, this article displays:

A list of each setting in that baseline version.

The default configuration of each setting in that baseline version.

When available, a link to the underlying configuration service provider (CSP)
documentation, or other related content from the relevant product group that
provides context and possibly additional details for the setting's use.

When a new version of a baseline becomes available, it replaces the previous version.
Profile instances that you’ve created prior to the availability of a new version:

Become read-only. You can continue to use those profiles but can't edit them to
change their configuration.

Can be updated to the latest version. After you update a profile to the current
baseline version, you can edit the profile to modify settings.

Tip

Because the new baseline versions introduced in May 2023 or later exist side-
by-side with the last baseline version from the older format, baselines for the
last available version of that older format remain accessible to use and to edit.

To learn more about using security baselines, see:

Use security baselines


Manage security baselines.

Microsoft Edge
Microsoft Edge baseline for May 2023 (Edge version 112)

For more information about the following settings that are included in this baseline,
download the Microsoft Security Compliance Toolkit 1.0 from the Microsoft Download
Center, and review the Microsoft Edge v112 Security Baseline.zip file.

Allow unconfigured sites to be reloaded in Internet Explorer mode

Baseline default: Disabled

Allow users to proceed from the HTTPS warning page

Baseline default: Disabled

Enable browser legacy extension point blocking

Baseline default: Enabled

Enable site isolation for every site

Baseline default: Enabled

Enhance images enabled

Baseline default: Disabled

Force WebSQL to be enabled

Baseline default: Disabled

Minimum TLS version enabled

Baseline default: Enabled


Minimum SSL version enabled (Device)

Baseline default: TLS 1.2

Show the Reload in Internet Explorer mode button in the toolbar

Baseline default: Disabled

Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated
context

Baseline default: Disabled

Extensions:

Control which extensions cannot be installed

Baseline default: Enabled


Extension IDs the user should be prevented from installing (or * for all)
(Device)

Baseline default: *

HTTP authentication:

Allow Basic authentication for HTTP

Baseline default: Disabled

Supported authentication schemes


Baseline default: Enabled

Learn more

Supported authentication schemes (Device)

Baseline default: ntlm,negotiate

Native Messaging:

Allow user-level native messaging hosts (installed without admin permissions)

Baseline default: Disabled

Password manager and protection:

Enable saving passwords to the password manager

Baseline default: Disabled

Learn more

Private Network Request Settings:

Specifies whether to allow insecure websites to make requests to more-private
network endpoints

Baseline default: Disabled


SmartScreen settings:

Configure Microsoft Defender SmartScreen

Baseline default: Enabled

Learn more

Configure Microsoft Defender SmartScreen to block potentially unwanted apps

Baseline default: Enabled

Prevent bypassing Microsoft Defender SmartScreen prompts for sites

Baseline default: Enabled

Learn more

Prevent bypassing of Microsoft Defender SmartScreen warnings about
downloads

Baseline default: Enabled

Learn more

Next steps
Learn about security baselines
Avoid conflicts
Troubleshoot policies and profiles in Intune
List of the settings in the Microsoft Edge security baseline in Intune
Article • 02/23/2023

This article is a reference for the settings that are available in the different versions of
the Microsoft Edge security baseline that you can deploy with Microsoft Intune. You can
use the tabs below to select and view the settings in the current baseline version and a
few older versions that might still be in use.

For each setting you’ll find the baseline's default configuration, which is also the
recommended configuration for that setting provided by the relevant security team.
Because products and the security landscape evolve, the recommended defaults in one
baseline version might not match the defaults you find in later versions of the same
baseline. Different baseline types could also set different defaults.

Although the settings in the Intune UI for this baseline omit Learn more links, this article
includes links to relevant content.

When a new version of a baseline becomes available, it replaces the previous version.
Profile instances that you’ve created prior to the availability of a new version:

Become read-only. You can continue to use those profiles but can't edit them to
change their configuration.
Can be updated to the latest version. After you update a profile to the current
baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see Use security baselines. In that article
you'll also find information about how to:

Change the baseline version for a profile to update a profile to use the latest
version of that baseline.

Microsoft Edge baseline for September 2020 (Edge version 85)

Microsoft Edge

Supported authentication schemes

Baseline default: Enabled

Learn more

Supported authentication schemes

Baseline defaults: Two items: NTLM and Negotiate

Default Adobe Flash setting

Baseline default: Enabled

Learn more

Default Adobe Flash setting

Baseline default: Block the Adobe Flash plugin

Learn more

Control which extensions cannot be installed

Baseline default: Enabled


Extension IDs the user should be prevented from installing (or * for all)

Baseline default: Not configured by default. Manually add one or more Extension
IDs

Allow user-level native messaging hosts (installed without admin permissions)

Baseline default: Disabled

Enable saving passwords to the password manager

Baseline default: Disabled

Learn more

Prevent bypassing Microsoft Defender SmartScreen prompts for sites

Baseline default: Enabled

Learn more

Prevent bypassing of Microsoft Defender SmartScreen warnings about
downloads

Baseline default: Enabled

Learn more

Enable site isolation for every site

Baseline default: Enabled

Microsoft Edge also supports IsolateOrigins policy that can isolate additional, finer-
grained origins. Intune doesn't support configuring the IsolateOrigins policy.

Configure Microsoft Defender SmartScreen

Baseline default: Enabled

Learn more

This policy is available only on Windows instances that are joined to a Microsoft
Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are
enrolled for device management.

Configure Microsoft Defender SmartScreen to block potentially unwanted apps

Baseline default: Enabled

This policy is available only on Windows instances that are joined to a Microsoft
Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are
enrolled for device management.

Allow users to proceed from the SSL warning page

Baseline default: Disabled

Learn more

Minimum SSL version enabled

Baseline default: Enabled


Minimum SSL version enabled

Baseline default: TLS 1.2

Allow certificates signed using SHA-1 when issued by local trust anchors
(deprecated)

Baseline default: Disabled

Important

This setting is deprecated. It is currently supported but will become obsolete
in a future release.

Next steps
Learn about security baselines
Avoid conflicts
Troubleshoot policies and profiles in Intune
List of the settings in the Windows 365 Cloud PC security baseline in Intune
Article • 02/23/2023

This article is a reference for the settings that are available in the Windows 365 Cloud PC
security baseline that you can deploy with Microsoft Intune.

For each setting you’ll find the baseline's default configuration, which is also the
recommended configuration for that setting provided by the relevant security team.
Because products and the security landscape evolve, the recommended defaults in one
baseline version might not match the defaults you find in later versions of the same
baseline. Different baseline types, like the MDM security and the Defender for Endpoint
baselines, could also set different defaults.

When the Intune UI includes a Learn more link for a setting, you’ll find that here as well.
Use that link to view the setting's policy configuration service provider (CSP) or relevant
content that explains the setting's operation.

When a new version of a baseline becomes available, it replaces the previous version.
Profile instances that you’ve created prior to the availability of a new version:

Become read-only. You can continue to use those profiles but can't edit them to
change their configuration.
Can be updated to the latest version. After you update a profile to the current
baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see Use security baselines. In that article
you'll also find information about how to:

Change the baseline version for a profile to update a profile to use the latest
version of that baseline.

Windows 365 Cloud PC security baseline version 2110

Above Lock

Voice activate apps from locked screen:

Baseline default: Disabled

Learn more

Block display of toast notifications:

Baseline default: Yes

Learn more

App Runtime
Microsoft accounts optional for Microsoft store apps:

Baseline default: Enabled

Learn more

Application management
Block app installations with elevated privileges:

Baseline default: Yes

Learn more

Block user control over installations:

Baseline default: Yes

Learn more

Block game DVR (desktop only):

Baseline default: Yes

Learn more

Attack Surface Reduction Rules


For general information, see Learn about attack surface reduction rules.

Block Office communication apps from creating child processes:

Baseline default: Enable

Learn more

Block Adobe Reader from creating child processes:

Baseline default: Enable

Learn more

Block Office applications from injecting code into other processes:

Baseline default: Block

Learn more

Block Office applications from creating executable content:

Baseline default: Block

Learn more

Block JavaScript or VBScript from launching downloaded executable content:

Baseline default: Block

Learn more

Enable network protection:

Baseline default: Enable

Learn more

Block untrusted and unsigned processes that run from USB:

Baseline default: Block

Learn more

Block credential stealing from the Windows local security authority subsystem
(lsass.exe):

Baseline default: Enable

Learn more

Block all Office applications from creating child processes:

Baseline default: Block

Learn more

Block execution of potentially obfuscated scripts (js/vbs/ps):

Baseline default: Block

Learn more

Block Win32 API calls from Office macro:

Baseline default: Block

Learn more

Block executable content download from email and webmail clients:

Baseline default: Block

Learn more

Audit
Audit settings configure the events that are generated for the conditions of the setting.

Account Logon Audit Credential Validation (Device):

Baseline default: Success and Failure

Account Logon Audit Kerberos Authentication Service (Device):

Baseline default: None


Account Logon Logoff Audit Account Lockout (Device):

Baseline default: Failure

Account Logon Logoff Audit Group Membership (Device):

Baseline default: Success

Account Logon Logoff Audit Logon (Device):


Baseline default: Success and Failure

Audit Other Logon Logoff Events (Device):

Baseline default: Success and Failure

Audit Special Logon (Device):

Baseline default: Success

Audit Security Group Management (Device):

Baseline default: Success

Audit User Account Management (Device):

Baseline default: Success and Failure

Detailed Tracking Audit PNP Activity (Device):

Baseline default: Success

Detailed Tracking Audit Process Creation (Device):

Baseline default: Success

Object Access Audit Detailed File Share (Device):

Baseline default: Failure

Audit File Share Access (Device):

Baseline default: Success and Failure

Object Access Audit Other Object Access Events (Device):

Baseline default: Success and Failure

Object Access Audit Removable Storage (Device):

Baseline default: Success and Failure

Audit Authentication Policy Change (Device):

Baseline default: Success

Policy Change Audit MPSSVC Rule Level Policy Change (Device):

Baseline default: Success and Failure


Policy Change Audit Other Policy Change Events (Device):

Baseline default: Failure

Audit Changes to Audit Policy (Device):

Baseline default: Success

Privilege Use Audit Sensitive Privilege Use (Device):

Baseline default: Success and Failure

System Audit Other System Events (Device):

Baseline default: Success and Failure

System Audit Security State Change (Device):

Baseline default: Success

Audit Security System Extension (Device):

Baseline default: Success

System Audit System Integrity (Device):

Baseline default: Success and Failure

Auto Play
Auto play default auto run behavior:

Baseline default: Do not execute

Learn more

Auto play mode:

Baseline default: Disabled

Learn more

Block auto play for non-volume devices:

Baseline default: Enabled

Learn more

Browser
Block Password Manager:

Baseline default: Yes

Learn more

Require SmartScreen for Microsoft Edge Legacy:

Baseline default: Yes

Learn more

Block malicious site:

Baseline default: Yes

Learn more

Block unverified file download:

Baseline default: Yes

Learn more

Prevent user from overriding certificate errors:

Baseline default: Yes

Learn more

Connectivity
Configure secure access to UNC paths:

Baseline default: Configure Windows to only allow access to the specified UNC paths
after fulfilling additional security requirements

Learn more
Hardened UNC path list:

Not configured by default. Manually add one or more hardened UNC paths.

Block downloading of print drivers over HTTP:

Baseline default: Enabled

Learn more

Block Internet download for web publishing and online ordering wizards:

Baseline default: Enabled

Learn more

Credentials Delegation
Remote host delegation of non-exportable credentials:

Baseline default: Enabled

Learn more

Credentials UI
Enumerate administrators:

Baseline default: Disabled

Learn more

Device Guard
Virtualization based security:

Baseline default: Enable VBS with secure boot

Enable virtualization based security:

Baseline default: Yes

Learn more

Launch system guard:

Baseline default: Enabled

Turn on Credential Guard:

Baseline default: Enable with UEFI lock

Learn more

Device Installation
Block hardware device installation by setup classes

Baseline default: Yes

Learn more

Remove matching hardware devices

Baseline default: Yes

Block list

Not configured by default. Manually add one or more Identifiers.

DMA Guard
Enumeration of external devices incompatible with Kernel DMA Protection

Baseline default: Block all

Event Log Service


Application log maximum file size in KB

Baseline default: 32768

Learn more
System log maximum file size in KB

Baseline default: 32768

Learn more

Security log maximum file size in KB

Baseline default: 196608

Learn more

Experience
Block Windows Spotlight

Baseline default: Yes

Learn more

File Explorer
Block data execution prevention

Baseline default: Disabled

Learn more

Block heap termination on corruption

Baseline default: Disabled

Learn more

Firewall
For more information, see 2.2.2 FW_PROFILE_TYPE in the Windows Protocols
documentation.

Firewall profile domain:

Baseline default: Configure

Learn more

Inbound connections blocked:

Baseline default: Yes

Learn more

Outbound connections required:

Baseline default: Yes

Learn more

Inbound notifications blocked:

Baseline default: Yes

Learn more

Firewall enabled:

Baseline default: Allowed

Learn more

Firewall profile private:

Baseline default: Configure

Learn more

Inbound connections blocked:

Baseline default: Yes

Learn more

Outbound connections required:

Baseline default: Yes

Learn more

Inbound notifications blocked:

Baseline default: Yes

Learn more

Firewall enabled:

Baseline default: Allowed

Learn more

Firewall profile public:

Baseline default: Configure

Learn more

Inbound connections blocked:

Baseline default: Yes

Learn more

Outbound connections required:

Baseline default: Yes

Learn more

Inbound notifications blocked:

Baseline default: Yes

Learn more

Firewall enabled:

Baseline default: Allowed

Learn more

Connection security rules from group policy not merged:

Baseline default: Yes

Learn more

Policy rules from group policy not merged:

Baseline default: Yes

Learn more

Internet Explorer
View the full list of Internet Explorer CSPs.

Internet Explorer encryption support

Baseline defaults: Two items: TLS v1.1 and TLS v1.2

Learn more

Internet Explorer prevent managing smart screen filter

Baseline default: Enable

Learn more

Internet Explorer restricted zone script Active X controls marked safe for
scripting

Baseline default: Disable

Learn more

Internet Explorer restricted zone file downloads

Baseline default: Disable

Learn more

Internet Explorer certificate address mismatch warning

Baseline default: Disable

Learn more

Internet Explorer enhanced protected mode

Baseline default: Disable

Learn more

Internet Explorer fallback to SSL3

Baseline default: No sites

Learn more

Internet Explorer software when signature is invalid

Baseline default: Disable

Learn more

Internet Explorer check server certificate revocation

Baseline default: Enable

Learn more

Internet Explorer check signatures on downloaded programs

Baseline default: Enable

Learn more

Internet Explorer processes consistent MIME handling

Baseline default: Enable

Learn more

Internet Explorer bypass smart screen warnings

Baseline default: Disable

Learn more

Internet Explorer bypass smart screen warnings about uncommon files

Baseline default: Disable

Learn more

Internet Explorer crash detection

Baseline default: Disable

Learn more

Internet Explorer download enclosures

Baseline default: Disable

Learn more

Internet Explorer ignore certificate errors

Baseline default: Disable

Learn more

Internet Explorer disable processes in enhanced protected mode

Baseline default: Enable

Learn more

Internet Explorer security settings check

Baseline default: Enabled

Learn more
Internet Explorer Active X controls in protected mode

Baseline default: Disabled

Learn more

Internet Explorer users adding sites

Baseline default: Disabled

Learn more

Internet Explorer users changing policies

Baseline default: Disabled

Learn more

Internet Explorer block outdated Active X controls

Baseline default: Enabled

Learn more

Internet Explorer include all network paths

Baseline default: Disabled

Learn more

Internet Explorer internet zone access to data sources


Baseline default: Disable

Learn more

Internet Explorer internet zone automatic prompt for file downloads

Baseline default: Disabled

Learn more

Internet Explorer internet zone copy and paste via script

Baseline default: Disable

Learn more

Internet Explorer internet zone drag and drop or copy and paste files

Baseline default: Disable

Learn more

Internet Explorer internet zone less privileged sites

Baseline default: Disable

Learn more

Internet Explorer internet zone loading of XAML files

Baseline default: Disable

Learn more
Internet Explorer internet zone .NET Framework reliant components

Baseline default: Disable

Learn more

Internet Explorer internet zone allows only approved domains to use ActiveX
controls

Baseline default: Enabled

Learn more

Internet Explorer internet zone allows only approved domains to use tdc ActiveX
controls

Baseline default: Enabled

Learn more

Internet Explorer internet zone scripting of web browser controls

Baseline default: Disabled

Learn more

Internet Explorer internet zone script initiated windows

Baseline default: Disabled

Learn more

Internet Explorer internet zone scriptlets

Baseline default: Disable

Learn more

Internet Explorer internet zone smart screen

Baseline default: Enabled

Learn more

Internet Explorer internet zone updates to status bar via script

Baseline default: Disabled

Learn more

Internet Explorer internet zone user data persistence

Baseline default: Disabled

Learn more

Internet Explorer internet zone allows VBscript to run

Baseline default: Disable

Learn more

Internet Explorer internet zone do not run antimalware against ActiveX controls

Baseline default: Disabled

Learn more

Internet Explorer internet zone download signed ActiveX controls

Baseline default: Disable

Learn more

Internet Explorer internet zone download unsigned ActiveX controls

Baseline default: Disable

Learn more

Internet Explorer internet zone cross site scripting filter

Baseline default: Enabled

Learn more

Internet Explorer internet zone drag content from different domains across
windows

Baseline default: Disabled

Learn more

Internet Explorer internet zone drag content from different domains within
windows

Baseline default: Disabled

Learn more

Internet Explorer internet zone protected mode

Baseline default: Enable

Learn more

Internet Explorer internet zone include local path when uploading files to server

Baseline default: Disabled

Learn more

Internet Explorer internet zone initialize and script Active X controls not marked
as safe

Baseline default: Disable

Learn more

Internet Explorer internet zone java permissions

Baseline default: Disable java

Learn more

Internet Explorer internet zone launch applications and files in an iframe

Baseline default: Disable

Learn more
Internet Explorer internet zone logon options

Baseline default: Prompt

Learn more

Internet Explorer internet zone navigate windows and frames across different
domains

Baseline default: Disable

Learn more

Internet Explorer internet zone run .NET Framework reliant components signed
with Authenticode

Baseline default: Disable

Learn more

Internet Explorer internet zone security warning for potentially unsafe files

Baseline default: Prompt

Learn more

Internet Explorer internet zone popup blocker

Baseline default: Enable

Learn more

Internet Explorer intranet zone do not run antimalware against Active X controls

Baseline default: Disabled

Learn more

Internet Explorer intranet zone initialize and script Active X controls not marked
as safe

Baseline default: Disable

Learn more

Internet Explorer intranet zone java permissions

Baseline default: High safety

Learn more

Internet Explorer local machine zone do not run antimalware against Active X
controls

Baseline default: Disabled

Learn more

Internet Explorer local machine zone java permissions

Baseline default: Disable java

Learn more
Internet Explorer locked down internet zone smart screen

Baseline default: Enabled

Learn more

Internet Explorer locked down intranet zone java permissions

Baseline default: Disable java

Learn more

Internet Explorer locked down local machine zone java permissions

Baseline default: Disable java

Learn more

Internet Explorer locked down restricted zone smart screen

Baseline default: Enabled

Learn more

Internet Explorer locked down restricted zone java permissions

Baseline default: Disable java

Learn more

Internet Explorer locked down trusted zone java permissions

Baseline default: Disable java

Learn more

Internet Explorer processes MIME sniffing safety feature

Baseline default: Enabled

Learn more

Internet Explorer processes MK protocol security restriction

Baseline default: Enabled

Learn more

Internet Explorer processes notification bar

Baseline default: Enabled

Learn more

Internet Explorer prevent per user installation of Active X controls

Baseline default: Enabled

Learn more

Internet Explorer processes protection from zone elevation

Baseline default: Enabled

Learn more
Internet Explorer remove run this time button for outdated Active X controls

Baseline default: Enabled

Learn more

Internet Explorer processes restrict Active X install

Baseline default: Enabled

Learn more

Internet Explorer restricted zone access to data sources

Baseline default: Disable

Learn more

Internet Explorer restricted zone active scripting

Baseline default: Disable

Learn more

Internet Explorer restricted zone automatic prompt for file downloads

Baseline default: Disabled

Learn more

Internet Explorer restricted zone binary and script behaviors

Baseline default: Disable

Learn more

Internet Explorer restricted zone copy and paste via script

Baseline default: Disable

Learn more

Internet Explorer restricted zone drag and drop or copy and paste files

Baseline default: Disable

Learn more

Internet Explorer restricted zone less privileged sites

Baseline default: Disable

Learn more

Internet Explorer restricted zone loading of XAML files

Baseline default: Disable

Learn more

Internet Explorer restricted zone meta refresh

Baseline default: Disabled

Learn more

Internet Explorer restricted zone .NET Framework reliant components

Baseline default: Disable

Learn more

Internet Explorer restricted zone allows only approved domains to use Active X controls

Baseline default: Enabled

Learn more

Internet Explorer restricted zone allows only approved domains to use tdc Active X controls

Baseline default: Enabled

Learn more

Internet Explorer restricted zone scripting of web browser controls

Baseline default: Disabled

Learn more

Internet Explorer restricted zone script initiated windows

Baseline default: Disabled

Learn more

Internet Explorer restricted zone scriptlets

Baseline default: Disabled

Learn more

Internet Explorer restricted zone smart screen

Baseline default: Enabled

Learn more

Internet Explorer restricted zone updates to status bar via script

Baseline default: Disabled

Learn more

Internet Explorer restricted zone user data persistence

Baseline default: Disabled

Learn more

Internet Explorer restricted zone allows vbscript to run

Baseline default: Disable

Learn more

Internet Explorer restricted zone do not run antimalware against Active X controls

Baseline default: Disabled

Learn more

Internet Explorer restricted zone download signed Active X controls

Baseline default: Disable

Learn more

Internet Explorer restricted zone download unsigned Active X controls

Baseline default: Disable

Learn more

Internet Explorer restricted zone cross site scripting filter

Baseline default: Enabled

Learn more

Internet Explorer restricted zone drag content from different domains across windows

Baseline default: Disabled

Learn more

Internet Explorer restricted zone drag content from different domains within windows

Baseline default: Disabled

Learn more

Internet Explorer restricted zone include local path when uploading files to server

Baseline default: Disabled

Learn more

Internet Explorer restricted zone initialize and script Active X controls not marked as safe

Baseline default: Disable

Learn more

Internet Explorer restricted zone java permissions

Baseline default: Disable java

Learn more

Internet Explorer restricted zone launch applications and files in an iFrame

Baseline default: Disable

Learn more

Internet Explorer restricted zone logon options

Baseline default: Anonymous

Learn more

Internet Explorer restricted zone navigate windows and frames across different domains

Baseline default: Disable

Learn more

Internet Explorer restricted zone run Active X controls and plugins

Baseline default: Disable

Learn more

Internet Explorer restricted zone run .NET Framework reliant components signed with Authenticode

Baseline default: Disable

Learn more

Internet Explorer restricted zone scripting of java applets

Baseline default: Disable

Learn more

Internet Explorer restricted zone security warning for potentially unsafe files

Baseline default: Disable

Learn more

Internet Explorer restricted zone protected mode

Baseline default: Enable

Learn more

Internet Explorer restricted zone popup blocker

Baseline default: Enable

Learn more

Internet Explorer processes restrict file download

Baseline default: Enabled

Learn more

Internet Explorer processes scripted window security restrictions

Baseline default: Enabled

Learn more

Internet Explorer security zones use only machine settings

Baseline default: Enabled

Learn more

Internet Explorer use Active X installer service

Baseline default: Enabled

Learn more

Internet Explorer trusted zone do not run antimalware against Active X controls

Baseline default: Disabled

Learn more

Internet Explorer trusted zone initialize and script Active X controls not marked as safe

Baseline default: Disable

Learn more

Internet Explorer trusted zone java permissions

Baseline default: High safety

Learn more

Internet Explorer auto complete

Baseline default: Disabled

Learn more

Local Policies Security Options

Block remote logon with blank password

Baseline default: Yes

Learn more

Minutes of lock screen inactivity until screen saver activates

Baseline default: 15

Learn more

Smart card removal behavior

Baseline default: Lock workstation

Learn more

Require client to always digitally sign communications

Baseline default: Yes

Learn more

Prevent clients from sending unencrypted passwords to third party SMB servers

Baseline default: Yes

Learn more

Require server digitally signing communications always

Baseline default: Yes

Learn more

Prevent anonymous enumeration of SAM accounts

Baseline default: Yes

Learn more

Block anonymous enumeration of SAM accounts and shares

Baseline default: Yes

Learn more

Restrict anonymous access to named pipes and shares

Baseline default: Yes

Learn more

Allow remote calls to security accounts manager

Baseline default: O:BAG:BAD:(A;;RC;;;BA)

Learn more

Prevent storing LAN manager hash value on next password change

Baseline default: Yes

Learn more

Authentication level

Baseline default: Send NTLMv2 response only. Refuse LM and NTLM

Learn more

Minimum session security for NTLM SSP based clients

Baseline default: Require NTLM V2 and 128 bit encryption

Learn more

Minimum session security for NTLM SSP based servers

Baseline default: Require NTLM V2 and 128 bit encryption

Learn more

Administrator elevation prompt behavior

Baseline default: Prompt for consent on the secure desktop

Learn more

Standard user elevation prompt behavior

Baseline default: Automatically deny elevation requests

Learn more

Detect application installations and prompt for elevation

Baseline default: Yes

Learn more

Only allow UI access applications for secure locations

Baseline default: Yes

Learn more

Require admin approval mode for administrators

Baseline default: Yes

Learn more

Use admin approval mode

Baseline default: Yes

Learn more

Virtualize file and registry write failures to per user locations

Baseline default: Yes

Learn more

Microsoft Defender

Turn on real-time protection

Baseline default: Yes

Learn more

Scan scripts that are used in Microsoft browsers

Baseline default: Yes

Learn more

Additional amount of time (0-50 seconds) to extend cloud protection timeout

Baseline default: 50

Learn more

Scan all downloaded files and attachments

Baseline default: Yes

Learn more

Scan type

Baseline default: Quick scan

Learn more

Defender schedule scan day

Baseline default: Everyday

Scheduled scan start time

Baseline default: Not configured

Defender sample submission consent

Baseline default: Send safe samples automatically

Learn more

Cloud-delivered protection level

Baseline default: High

Learn more

Scan removable drives during full scan

Baseline default: Yes

Learn more

Defender potentially unwanted app action

Baseline default: Block

Learn more

Turn on cloud-delivered protection

Baseline default: Yes

Learn more

Microsoft Defender Antivirus Exclusions

Defender Processes to exclude

Baseline defaults: Not configured by default. Manually add one or more entries.

File extensions to exclude from scans and real-time protection

Baseline defaults: Not configured by default. Manually add one or more entries.

Defender Files And Folders To Exclude

Baseline default: Not configured by default. Manually add one or more entries.

Microsoft Edge

Control which extensions cannot be installed

Baseline default: Enabled

Extension IDs the user should be prevented from installing (or * for all)

Baseline default: Not configured by default. Manually add one or more IDs

Allow user-level native messaging hosts (installed without admin permissions)

Baseline default: Disabled

Minimum SSL version enabled

Baseline default: Enabled

Minimum SSL version enabled

Baseline default: TLS 1.2

Allow users to proceed from the SSL warning page

Baseline default: Disabled

Configure Microsoft Defender SmartScreen

Baseline default: Enabled

Prevent bypassing Microsoft Defender SmartScreen prompts for sites

Baseline default: Enabled

Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads

Baseline default: Enabled

Configure Microsoft Defender SmartScreen to block potentially unwanted apps

Baseline default: Enabled

Default Adobe Flash setting

Baseline default: Enabled

Default Adobe Flash setting

Baseline default: Block the Adobe Flash plugin

Enable saving passwords to the password manager

Baseline default: Disabled

Enable site isolation for every site

Baseline default: Enabled

Supported authentication schemes

Baseline default: Enabled

Supported authentication schemes

Baseline default: Two items: NTLM and Negotiate

MS Security Guide

SMB v1 client driver start configuration

Baseline default: Disable driver

Learn more

Apply UAC restrictions to local accounts on network logon

Baseline default: Enabled

Learn more

Structured exception handling overwrite protection

Baseline default: Enabled

Learn more

SMB v1 server

Baseline default: Disabled

Learn more

Digest authentication

Baseline default: Disabled

Learn more

MSS Legacy

Network IPv6 source routing protection level

Baseline default: Highest protection

Learn more

Network IP source routing protection level

Baseline default: Highest protection

Learn more

Network ignore NetBIOS name release requests except from WINS servers

Baseline default: Enabled

Learn more

Network ICMP redirects override OSPF generated routes

Baseline default: Disabled

Learn more

Remote Assistance

Remote Assistance solicited

Baseline default: Disable Remote Assistance

Learn more

Remote Desktop Services

Remote desktop services client connection encryption level

Baseline default: High

Learn more

Block drive redirection

Baseline default: Enabled

Block password saving

Baseline default: Enabled

Learn more

Prompt for password upon connection

Baseline default: Enabled

Learn more

Secure RPC communication

Baseline default: Enabled

Learn more

Remote Management

Block client digest authentication

Baseline default: Enabled

Learn more

Block storing run as credentials

Baseline default: Enabled

Learn more

Client basic authentication

Baseline default: Disabled

Learn more

Basic authentication

Baseline default: Disabled

Learn more

Client unencrypted traffic

Baseline default: Disabled

Learn more

Unencrypted traffic

Baseline default: Disabled

Learn more

Remote Procedure Call

RPC unauthenticated client options

Baseline default: Authenticated

Learn more

Search

Disable indexing encrypted items

Baseline default: Yes

Learn more

Smart Screen

Turn on Windows SmartScreen

Baseline default: Yes

Learn more

Block users from ignoring SmartScreen warnings

Baseline default: Yes

Learn more

System

System boot start driver initialization

Baseline default: Good unknown and bad critical

Learn more

Windows Connection Manager

Block connection to non-domain networks

Baseline default: Enabled

Learn more

Windows Ink Workspace

Ink Workspace

Baseline default: Enabled

Learn more

Windows PowerShell

PowerShell script block logging

Baseline default: Enabled

Learn more

Windows Security

Enable tamper protection to prevent Microsoft Defender being disabled

Baseline default: Enable

Learn more

Reference for Microsoft Tunnel Gateway
Article • 02/21/2023

The information in this reference for Microsoft Tunnel Gateway is provided to support
installation and maintenance of the tunnel installation in your environment.

mst-cli command-line tool for Microsoft Tunnel Gateway

mst-cli is a command-line tool for use with Microsoft Tunnel Gateway. This tool is
available on the Linux server after the tunnel completes installation and is found at
/usr/sbin/mst-cli. Some tasks you can use this tool to complete include:

Get information about the tunnel server.
Set or update the configuration of the tunnel server.
Restart the tunnel server.
Uninstall the tunnel server.

The following are common command line uses of the tool.

Command-line interface:

mst-cli --help - Usage: mst-cli [command]

Commands:
agent - Operate on the agent component.
server - Operate on the server component.
uninstall - Uninstall the Microsoft Tunnel.
eula - Show the EULA.
import_cert - Import or update the TLS certificate.

mst-cli agent --help - Usage: mst-cli agent [command]

Commands:
logs - Show the agent logs (-h for more information).
status - Show the agent status.
start - Start the agent service.
stop - Stop the agent service.
restart - Restart the agent service.

mst-cli agent logs --help - Usage: mst-cli agent logs [flags]

Flags:
-f, --follow - Follow log output. The default is false.
--since string - Show logs since TIMESTAMP.
--tail uint - Output the specified number of LINES at the end of the logs. Defaults to zero (0), which prints all lines.
-t, --timestamps - Output the timestamps in the log.

mst-cli agent status - The following returns are examples of results you might see:
State: running
Health: healthy

mst-cli agent start - Starts the agent if it's stopped.

mst-cli agent stop - Stops the agent. Must be started manually after stopped.

mst-cli agent restart - Restarts the agent.

mst-cli server --help - Usage: mst-cli server [command]

Commands:
logs - Show the server logs. Use -h for more information.
status - Show the server status.
start - Start the server service.
stop - Stop the server service.
restart - Restart the server service.
show - Show various server stats. Use -h for more information.

mst-cli server logs --help - Usage: mst-cli server logs [flags]

Flags:
-f, --follow - Follow log output. The default is false.
--since string - Show logs since TIMESTAMP.
--tail uint - Output the specified number of LINES at the end of the logs. Defaults to zero (0), which prints all lines.
-t, --timestamps - Output the timestamps in the log.

mst-cli server status - The following returns are examples of results you might see:
State: running
Health: healthy

mst-cli server start - Starts the server if it's stopped.

mst-cli server stop - Stops the server. Must be started manually after stopped.

mst-cli server restart - Restarts the server.

mst-cli server show

show status - Prints the status and statistics of the server.
show users - Prints the connected users.
show ip bans - Prints the banned IP addresses.
show ip ban points - Prints all the known IP addresses that have points.
show iroutes - Prints the routes provided by users of the server.
show sessions all - Prints all the session IDs.
show sessions valid - Prints all the sessions that are valid for reconnection.
show session [SID] - Prints information on the specified session.
show user [NAME] - Prints information on the specified user.
show id [ID] - Prints information on the specified ID.
show events - Provides information about connecting users.
show cookies all - Alias for show sessions all.
show cookies valid - Alias for show sessions valid.

Environment variables

Following are environment variables you might want to configure when you install the
Microsoft Tunnel Gateway software on the Linux server. These variables are found in the
environment file /etc/mstunnel/env.sh:

http_proxy=[address] - The HTTP address for your proxy server.
https_proxy=[address] - The HTTPS address for your proxy server.

Data Paths

Path/File: /…/mstunnel
Description: The root directory for all configuration.
Permissions: Owner root, Group mstunnel

Path/File: /…/mstunnel/admin-settings.json
Description: Contains the settings for the server install. This file is managed by Intune and shouldn't be edited manually.

Path/File: /…/mstunnel/certs
Description: The directory where the TLS certificate is stored.
Permissions: Owner root, Group mstunnel

Path/File: /…/mstunnel/private
Description: The directory where the Intune Agent certificate and the TLS private key are stored.
Permissions: Owner root, Group mstunnel

Files added during server installation

/etc/mstunnel:

admin-settings.json:
Contains the serialized Server configuration from Intune.
Created after the server has enrolled.

agent-info.json:
Created when the enrollment is complete.
AgentId, IntuneTenantId, AADTenantId, and the agent certificate RenewalDate.
Updated on agent certificate renewal.

private/agent.p12:
PFX certificate used for agent authentication to Intune.
Automatically renewed.

version-info.json:
Contains version information for the various components.
ConfigVersion, DockerVersion, AgentImageHash, AgentCreateDate,
ServerImageHash, ServerCreateDate.

ocserv.conf:
Server configuration.

Images_configured:
The Docker images used to create the containers:
agentImageDigest
serverImageDigest

Example of admin-settings.json

JSON

{
  "PolicyName": "Auto Generated Policy for rh7vm",
  "DisplayName": "rh7vm Policy",
  "Description": "This policy was auto generated for rh7vm",
  "Network": "169.100.0.0/16",
  "DNSServers": ["168.63.129.16"],
  "DefaultDomainSuffix": "nmqjwlanybmubp4imht0k2b4qd.xx.internal.cloudapp.net",
  "RoutesInclude": ["default"],
  "RoutesExclude": [],
  "ListenPort": 443
}

Admin Setting - Description

PolicyName - The name of the settings policy. You can choose the name.
DisplayName - The short display name. You can choose the name.
Description - The description of the policy. You can choose the description.
Network - The network with mask that will be used to assign clients virtual addresses. This doesn't need to change unless you have a conflict. This setting will support 64,000 clients.
DNSServers - The list of DNS servers that the client should use. These servers can resolve the addresses of internal resources.
DefaultDomainSuffix - The domain suffix that a client appends to the host name when trying to resolve resources.
RoutesInclude - The list of routes that will be routed via the VPN. The default is all routes.
RoutesExclude - The list of routes that should bypass the VPN.
ListenPort - The port that the VPN server will receive traffic on.
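The fields described above are easy to get subtly wrong by hand (a Network prefix too small for the client population, a DNS entry that is a host name rather than an address, a port outside the valid range). The following Python is an added example, not Microsoft's code and not part of the tunnel installation: it checks an admin-settings.json document against the key set shown on this page. It treats the article's statement that the default /16 network supports 64,000 clients as a minimum capacity to enforce (an assumption of the example), and the sample document embedded inline is the page's own example.

```python
import ipaddress
import json

# Constructed sample: the admin-settings.json shown in this article, embedded
# so the check runs offline without touching /etc/mstunnel.
SAMPLE_ADMIN_SETTINGS = """{
  "PolicyName": "Auto Generated Policy for rh7vm",
  "DisplayName": "rh7vm Policy",
  "Description": "This policy was auto generated for rh7vm",
  "Network": "169.100.0.0/16",
  "DNSServers": ["168.63.129.16"],
  "DefaultDomainSuffix": "nmqjwlanybmubp4imht0k2b4qd.xx.internal.cloudapp.net",
  "RoutesInclude": ["default"],
  "RoutesExclude": [],
  "ListenPort": 443
}"""

# The article says the default /16 pool supports 64,000 clients; using that as
# the minimum acceptable pool size is this example's assumption.
MIN_CLIENT_CAPACITY = 64000

REQUIRED_KEYS = ("PolicyName", "DisplayName", "Network", "DNSServers", "ListenPort")


def client_capacity(network):
    """Usable client addresses in the pool (network and broadcast excluded)."""
    net = ipaddress.ip_network(network, strict=True)
    return max(net.num_addresses - 2, 0)


def is_route(entry):
    """A route entry is the literal 'default' or a CIDR prefix."""
    if entry == "default":
        return True
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def validate_admin_settings(text):
    """Return a list of problems found in an admin-settings.json document (empty = OK)."""
    settings = json.loads(text)
    problems = [f"missing key: {key}" for key in REQUIRED_KEYS if key not in settings]
    if problems:
        return problems

    try:
        capacity = client_capacity(settings["Network"])
        if capacity < MIN_CLIENT_CAPACITY:
            problems.append(f"Network {settings['Network']} holds only {capacity} client addresses")
    except ValueError:
        problems.append(f"Network is not a valid CIDR prefix: {settings['Network']}")

    for server in settings["DNSServers"]:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"DNSServers entry is not an IP address: {server}")

    port = settings["ListenPort"]
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"ListenPort out of range: {port}")

    for key in ("RoutesInclude", "RoutesExclude"):
        for entry in settings.get(key, []):
            if not is_route(entry):
                problems.append(f"{key} entry is not a route: {entry}")

    return problems


if __name__ == "__main__":
    for line in validate_admin_settings(SAMPLE_ADMIN_SETTINGS) or ["admin-settings.json looks consistent"]:
        print(line)
```

Because the file is managed by Intune and should not be edited by hand, the intended use is read-only: run it against a copy of the file when a client cannot obtain an address or resolve internal names, to rule out the configuration before looking at the containers.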

Docker commands
The following are common commands for Docker that can be of use if you must
investigate problems on a tunnel server.

Note

Most Linux distributions use Docker. However, some, like Red Hat Enterprise Linux
(RHEL) 8.4, don't support Docker. Instead, these distributions use Podman. See
Linux servers in the prerequisites for more details about supported distributions
and the Docker or Podman requirements of each.
The references and command lines that are written for Docker can be used with
Podman by replacing docker with podman.

Command-line interface:

docker ps -a - See all containers.
mstunnel-server - This container runs the ocserv server components, and uses inbound Port 443 (default), or a custom port configuration.
mstunnel-agent - This container runs the Intune connector and uses outbound Port 443.

To restart Docker:
systemctl restart docker

To run something in a container:
docker exec -it mstunnel-server bash
docker exec -it mstunnel-agent bash

Podman commands
The following are commands for Podman that can be of use if you must investigate
problems on a tunnel server. For additional commands you can use with Podman, see
Docker commands.

sudo podman images - List all running containers.

sudo podman stats - Display container CPU utilization, MEM usage, Network and Block IO.

sudo podman port mstunnel-server - List the port mappings from tunnel-server to the local Linux host.

Linux commands
The following are common Linux commands you might use with a tunnel server.

sudo su - : Makes you root on the box. Use this command before running the following commands, and before you run mstunnel-setup.

ls: List the contents of the directory.

ls -l: List the contents of the directory, including timestamps.

cd: Change to another directory. For example, cd /etc/test/stuff changes you from the root directory to the etc subfolder, then to the test subfolder, and then to the stuff folder.

cp <source> <destination>: Useful for copying the certs to the right location.

ln -s <source> <target>: Create a softlink.

curl <URL>: Checks access to a website. For example: curl https://microsoft.com

./<filename>: Run a script.

Manually load ip_tables

Use the following commands to check for, and manually load if necessary, ip_tables in
the Linux server kernel. Use the sudo context:

Validate the presence of ip_tables on the server: lsmod | grep ip_tables

Create a config file that loads ip_tables into the kernel when the server boots:
echo ip_tables > /etc/modules-load.d/mstunnel_iptables.conf

To load ip_tables into the kernel immediately: /sbin/modprobe ip_tables


Settings for Windows Update that you can manage through Intune policy for Update rings
Article • 08/08/2023

When you use Intune policies for Update rings, you're configuring the Windows settings
that manage how and when devices will install Windows updates. If a Windows update
setting has a Windows 10 or Windows 11 version dependency, the version dependency
is noted in the settings details.

Following are the Windows Update settings for Windows 10 and Windows 11 Updates
that you can manage with update rings with Microsoft Intune.

Update settings
Update settings control what bits a device will download, and when. For more
information about the behavior of each setting, see the Windows reference
documentation.

Microsoft product updates

Default: Allow
Windows Update CSP: Update/AllowMUUpdateService
Allow - Select Allow to scan for app updates from Microsoft Update.
Block - Select Block to prevent scanning for app updates.

Windows drivers

Default: Allow
Windows Update CSP: Update/ExcludeWUDriversInQualityUpdate
Allow - Select Allow to include Windows Update drivers during updates.
Block - Select Block to prevent scanning for drivers.

Quality update deferral period (days)

Default: 0
Windows Update CSP: Update/DeferQualityUpdatesPeriodInDays

Specify the number of days from 0 to 30 for which Quality Updates are deferred.
This period is in addition to any deferral period that is part of the service channel
you select. The deferral period begins when Microsoft releases the update.
Quality Updates are typically fixes and improvements to existing Windows
functionality.

Feature update deferral period (days)

Default: 0
Windows Update CSP: Update/PauseFeatureUpdatesPeriodInDays

Specify the number of days for which Feature Updates are deferred. This period is
in addition to any deferral period that is part of the service channel you select. The
deferral period begins when Microsoft releases the update.

Supported deferral period:

Windows version 1709 and later - 0 to 365 days

Feature Updates are typically new features for Windows.

Upgrade Windows 10 devices to Latest Windows 11 release

Default: No

When set to Yes, eligible Windows 10 devices will upgrade to the most current
Windows 11 release. For more information on eligibility, see Windows 11 Specs
and System Requirements | Microsoft .

Set feature update uninstall period (2 – 60 days)

Default: 10
Windows Update CSP: Update/ConfigureFeatureUpdateUninstallPeriod

Configure a time after which feature updates can't be uninstalled.

After this period expires, the previous update bits are removed from the device,
and it can no longer uninstall to a previous update version.

For example, consider an update ring with a feature update uninstall period of 20
days. After 25 days, you decide to roll back the latest feature update and use the
Uninstall option. Devices that installed the feature update over 20 days ago can't
uninstall it as they've removed the necessary bits as part of their maintenance.
However, devices that only installed the feature update up to 19 days ago can
uninstall the update if they successfully check in to receive the uninstall command
before exceeding the 20-day uninstall period.

Enable pre-release builds

Default: Not Configured

When configuring Update ring settings, you can choose to enable Enable pre-release
builds. Devices that receive this setting as Enabled will move to the pre-release build
you specify, and will also reboot. When enabled, specify one of the following prerelease
builds:
Windows Insider - Release Preview (default)
Beta Channel
Dev Channel

For information about pre-release builds, see Windows Insider .

User experience settings

User experience settings control the end-user experience for device restart and
reminders. For more information about the behavior of each setting, see the Windows
Update CSP documentation.

Automatic update behavior

Default: Auto install at maintenance time
Windows Update CSP: Update/AllowAutoUpdate

Choose how automatic updates are installed and, if necessary, when to restart the
device.

Supported options:

Notify download - Notify the user before downloading the update. Users
choose to download and install updates.

Important

If the user takes no action, the update will not install until the deadline you
have configured is reached.

Auto install at maintenance time - Updates download automatically and then
install during Automatic Maintenance when the device isn't in use or running on
battery power. When restart is required, users are prompted to restart for up to
seven days, and then restart is forced.

This option can restart a device automatically after the update installs. Use the
Active hours settings to define a period during which the automatic restarts are
blocked:

Active hours start - Specify a start time for suppressing restarts due to
update installations.
Default: 8 AM
Windows Update CSP: Update/ActiveHoursStart

Active hours end - Specify an end time for suppressing reboots due to
update installations.
Default: 5 PM
Windows Update CSP: Update/ActiveHoursEnd

Auto install and restart at maintenance time - Updates download automatically
and then install during Automatic Maintenance when the device isn't in use or
running on battery power. When restart is required, the device restarts when not
being used, which is the default for unmanaged devices.

This option can restart a device automatically after the update installs. The Active
hours settings aren't described in the Windows Update settings, but Intune uses them
to define a period during which the automatic restarts are blocked:

Active hours start - Specify a start time for suppressing restarts due to
update installations.
Default: 8 AM
Windows Update CSP: Update/ActiveHoursStart

Active hours end - Specify an end time for suppressing reboots due to
update installations.
Default: 5 PM
Windows Update CSP: Update/ActiveHoursEnd

Auto install and restart at scheduled time - Specify an installation day and
time. If unspecified, installation runs at 3 AM daily, followed by a 15-minute
countdown to a restart. Logged on users can delay countdown and restart.
Windows Update CSP: Update/AllowAutoUpdate

When set to Auto install and restart at scheduled time, you can configure the
following settings:

Automatic behavior frequency - Use this setting to schedule when updates
are installed, including the week, the day, and the time.
Default: Every week

Scheduled install day - Specify on which day of the week you want updates
to install.
Default: Any Day
Scheduled install time - Specify the time of day when you want updates to
install.
Default: 3 AM

Important

The device might not complete the installation at the specified time
because of power policies, user absence, and so on. In this case, it will
not attempt installation until the specified time occurs again or until a
deadline you have specified is reached.

Auto install and reboot without end-user control - Updates download
automatically and then install during Automatic Maintenance when the device
isn't in use or running on battery power. When restart is required, the device
restarts when not being used. This option sets the end user's control panel to
read-only.

Reset to default - Restore the original auto update settings on machines that
run the Windows 10 October 2018 Update or later, and that run Windows 11.
When you reset to default, Windows will automatically determine active hours
for the device. Using the active hours, Windows then schedules the best time to
install updates and restart the system after updates install.

Restart checks
Default: Allow
Windows Update CSP: Update/SetEDURestart

Allow - Perform restart checks: Battery level = 40%, User presence, Display
Needed, Presentation mode, Full screen mode, phone call state, game mode
etc.

Skip - Will restrict updates to download and install outside of Active Hours.
Updates will be allowed to start even if there is a signed-in user or the device is
on battery power, providing there is more than 70% battery capacity. Windows
will schedule the device to wake from sleep 1 hour after the Active Hours End
time with a 60-minute random delay. Devices will reboot immediately after the
updates are installed. If there are still pending updates, the device will continue
to retry every hour for 4 hours.

This option is designed for education devices that remain in carts overnight that
are left in sleep mode. It is not designed for 1:1 devices.

Option to pause Windows updates
Default: Enable
Windows Update CSP: Update/SetDisablePauseUXAccess
Enable - Allow device users to pause the installation of an update for a certain
number of days.
Disable - Prevent device users from pausing the installation of an update.

Option to check for Windows updates

Default: Enable
Windows Update CSP: Update/SetDisableUXWUAccess
Enable - Allow device users to use Windows Update scan to find updates.
Disable - Prevent device users from accessing the Windows Update scan.

Change notification Update level

Default: Use the default Windows Update notifications
Windows Update CSP: Update/UpdateNotificationLevel

Specify what level of Windows Update notifications users see. This setting doesn't
control how and when updates are downloaded and installed.

Supported options:
Not configured
Use the default Windows Update notifications
Turn off all notifications, excluding restart warnings
Turn off all notifications, including restart warnings

Use deadline settings

Default: Not configured

Allows the user to use deadline settings.

Not configured
Allow

When set to Allow, you can configure the following settings for deadlines:

Deadline for feature updates

Default: Not configured
Windows Update CSP: Update/ConfigureDeadlineForFeatureUpdates

Specifies the number of days a user has before feature updates are installed on
their devices automatically (2-30).

Deadline for quality updates

Default: Not configured
Windows Update CSP: Update/ConfigureDeadlineForQualityUpdates

Specifies the number of days a user has before quality updates are installed on
their devices automatically (2-30).

Grace period

Default: Not configured
Windows Update CSP: Update/ConfigureDeadlineGracePeriod

Specifies a minimum number of days after deadline until restarts occur
automatically (0-7).

Auto reboot before deadline

Default: Yes
Windows Update CSP: Update/ConfigureDeadlineNoAutoReboot

Specifies whether the device should auto reboot before deadline.

Yes
No

Software update agent error codes and descriptions in Microsoft Intune
Article • 02/21/2023

The following table lists the Intune Update Agent error codes. If you can't find a specific error
code in this table, see Windows Update error code list.
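Which list to consult can be read off the code itself: these values follow the HRESULT layout, where the top bit marks failure and bits 16 to 26 carry a facility number. Every Intune Update Agent code in the table below has facility 0xCF (0x00cf... and 0x80cf...), while Windows Update codes of the form 0x8024... carry facility 0x24. The following Python is an added example, not code from this article or from Intune, that applies that split when triaging log text. The facility-to-table mapping for Windows Update, the subset of symbolic names in the dictionary, and the log excerpt are this example's own assumptions and constructions.

```python
import re

# Facility numbers used to route a code to the right reference list. 0xCF is
# what all codes in this article's table share; 0x24 (the Windows Update
# facility behind 0x8024xxxx codes) is an assumption of this example.
FACILITY_INTUNE_UPDATE_AGENT = 0xCF
FACILITY_WINDOWS_UPDATE = 0x24

# Constructed subset of the rows in this article's table.
INTUNE_AGENT_CODES = {
    0x00CF0001: "OM_S_SERVICE_STOP",
    0x00CF0005: "OM_S_REBOOT_REQUIRED",
    0x80CF0001: "OM_E_NO_SERVICE",
    0x80CF0009: "OM_E_OPERATIONINPROGRESS",
    0x80CF0016: "OM_E_INSTALL_NOT_ALLOWED",
    0x80CF0017: "OM_E_NOT_APPLICABLE",
}

HRESULT_RE = re.compile(r"0x[0-9a-fA-F]{8}")


def decode_hresult(value):
    """Split a 32-bit HRESULT into its severity bit, 11-bit facility and 16-bit code."""
    return {
        "failure": bool((value >> 31) & 1),
        "facility": (value >> 16) & 0x7FF,
        "code": value & 0xFFFF,
    }


def classify(value):
    """Name the reference list a code belongs to, and its symbolic name when known."""
    fields = decode_hresult(value)
    if fields["facility"] == FACILITY_INTUNE_UPDATE_AGENT:
        table, name = "intune-update-agent", INTUNE_AGENT_CODES.get(value)
    elif fields["facility"] == FACILITY_WINDOWS_UPDATE:
        table, name = "windows-update", None
    else:
        table, name = "other", None
    return {"value": f"0x{value:08x}", "table": table, "name": name, **fields}


def triage(log_text):
    """Pull every HRESULT-looking token out of log text and return the failures."""
    results = []
    for token in HRESULT_RE.findall(log_text):
        info = classify(int(token, 16))
        if info["failure"]:
            results.append(info)
    return results


# Constructed log excerpt for demonstration; not real agent output.
SAMPLE_LOG = """\
2023-02-21T10:00:01 agent: install started
2023-02-21T10:00:02 agent: result 0x00cf0005 (reboot pending)
2023-02-21T10:05:09 agent: install failed with 0x80cf0016
2023-02-21T10:05:10 wuauclt: search failed 0x80240022
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["value"], hit["table"], hit["name"] or "(look up in that list)")
```

Success codes (top bit clear, such as 0x00cf0005) are deliberately not reported as failures, so a reboot-pending result does not get mistaken for an error during triage.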

Error code  Symbolic name  More information

0x00cf0001  OM_S_SERVICE_STOP  The agent was successfully stopped.
0x00cf0003  OM_S_UPDATE_ERROR  The operation was completed successfully, but errors occurred during the application of updates.
0x00cf0004  OM_S_MARKED_FOR_DISCONNECT  A callback was marked to be disconnected later because the request to disconnect the operation occurred while a callback was running.
0x00cf0005  OM_S_REBOOT_REQUIRED  The system must be restarted to complete the update installation.
0x00cf0006  OM_S_ALREADY_INSTALLED  The update to be installed is already installed on the system.
0x00cf0007  OM_S_ALREADY_UNINSTALLED  The update to be removed is not installed on the system.
0x00cf2015  OM_S_UH_INSTALLSTILLPENDING  The update installation is in progress.
0x80cf0001  OM_E_NO_SERVICE  The agent could not provide the service.
0x80cf0002  OM_E_MAX_CAPACITY_REACHED  The maximum capacity of the service was exceeded.
0x80cf0003  OM_E_UNKNOWN_ID  An ID cannot be found.
0x80cf0004  OM_E_NOT_INITIALIZED  The object could not be initialized.
0x80cf0007  OM_E_INVALIDINDEX  The index to a collection is not valid.
0x80cf0008  OM_E_ITEMNOTFOUND  The key for the queried item could not be found.
0x80cf0009  OM_E_OPERATIONINPROGRESS  A conflicting operation was in progress. Some operations, like multiple installations, cannot be performed simultaneously.
0x80cf000B  OM_E_CALL_CANCELLED  The operation was canceled.
0x80cf000C  OM_E_NOOP  No operation was required.
0x80cf000D  OM_E_XML_MISSINGDATA  The agent could not find required information in the update's XML data.
0x80cf000E  OM_E_XML_INVALID  The agent found information in the update's XML data that is not valid.
0x80cf000F  OM_E_CYCLE_DETECTED  Circular update relationships were detected in the metadata.
0x80cf0010  OM_E_TOO_DEEP_RELATION  The update relationships were too deeply nested to evaluate.
0x80cf0011  OM_E_INVALID_RELATIONSHIP  An update relationship was found that is not valid.
0x80cf0012  OM_E_REG_VALUE_INVALID  A registry value was read that is not valid.
0x80cf0013  OM_E_DUPLICATE_ITEM  The operation tried to add a duplicate item to a list.
0x80cf0014  OM_E_INVALID_INSTALL_REQUESTED  The caller cannot install updates that were requested for installation.
0x80cf0016  OM_E_INSTALL_NOT_ALLOWED  The operation tried to install while another installation was in progress, or the system was pending a mandatory restart.
0x80cf0017  OM_E_NOT_APPLICABLE  The operation was not performed because there are no applicable updates.
0x80cf0018  OM_E_NO_USERTOKEN  The operation failed because a required user token is missing.
0x80cf0019  OM_E_EXCLUSIVE_INSTALL_CONFLICT  An exclusive update cannot be simultaneously installed together with other updates.
0x80cf001A  OM_E_POLICY_NOT_SET  A policy value was not set.
0x80cf001D  OM_E_INVALID_UPDATE  An update contains metadata that is not valid.
0x80cf001E  OM_E_SERVICE_STOP  The operation could not be completed because the service or system was being shut down.
0x80cf001F  OM_E_NO_CONNECTION  The operation could not be completed because the network connection was not available.
0x80cf0020  OM_E_NO_INTERACTIVE_USER  The operation could not be completed because there is no logged-on interactive user.
0x80cf0021  OM_E_TIME_OUT  The operation could not be completed because it timed out.
0x80cf0022  OM_E_ALL_UPDATES_FAILED  The operation failed for all the updates.
0x80cf0024  OM_E_NO_UPDATE  There are no updates.
0x80cf0025  OM_E_USER_ACCESS_DISABLED  Group Policy settings prevented access to Windows Update.
0x80cf0026  OM_E_INVALID_UPDATE_TYPE  The update type is not valid.
0x80cf0028  OM_E_UNINSTALL_NOT_ALLOWED  The update could not be uninstalled because the request did not originate from a WSUS server.
0x80cf0029  OM_E_INVALID_PRODUCT_LICENSE  Search might have missed some updates, or there might be an unlicensed application on the system.
0x80cf002C  OM_E_BIN_SOURCE_ABSENT  A delta-compressed update could not be installed because it required the source.
0x80cf002D  OM_E_SOURCE_ABSENT  A full-file update could not be installed because it required the source.
0x80cf002E  OM_E_WU_DISABLED  Access to an unmanaged server is not allowed.
0x80cf002F  OM_E_CALL_CANCELLED_BY_POLICY  The operation could not be completed because the DisableWindowsUpdateAccess policy was set.
0x80cf0030  OM_E_INVALID_PROXY_SERVER  The proxy list format is not valid.
0x80cf0031  OM_E_INVALID_FILE  The file is in the wrong format.
0x80cf0032  OM_E_INVALID_CRITERIA  The search criteria string is not valid.
0x80cf0034  OM_E_DOWNLOAD_FAILED  The update failed to download.
0x80cf0035  OM_E_UPDATE_NOT_PROCESSED  The update was not processed.
0x80cf0036  OM_E_INVALID_OPERATION  The object's current state did not allow the operation.
0x80cf0037  OM_E_NOT_SUPPORTED  The operation is not supported.
0x80cf0038  OM_E_WINHTTP_INVALID_FILE  The downloaded file has an unexpected content type.
0x80cf0039  OM_E_TOO_MANY_RESYNC  The server asked the agent to resync too many times.
0x80cf0043  OM_E_NO_UI_SUPPORT  There is no support for WUA UI.
0x80cf0044  OM_E_PER_MACHINE_UPDATE_ACCESS_DENIED  Only administrators can perform this operation on per-computer updates.
0x80cf0045  OM_E_UNSUPPORTED_SEARCHSCOPE  A search was attempted with an unsupported scope.
0x80cf0046  OM_E_BAD_FILE_URL  The URL does not point to a file.
0x80cf0047  OM_E_NOTSUPPORTED  The requested operation is not supported.
0x80cf0049  OM_E_OUTOFRANGE  The data is out of range.
0x80cf004A  OM_E_INVALIDWUAVERSION  The data contains a version that is not valid.
0x80cf004B  OM_E_SEARCH_COMPLETED_WITH_SOME_FAILURES  The search call was completed, but failed to detect some of the updates.
0x80cf004C  OM_E_DOWNLOAD_COMPLETED_WITH_SOME_FAILURES  The download call was completed, but failed to download some of the updates.
0x80cf004D  OM_E_INSTALL_COMPLETED_WITH_SOME_FAILURES  The install call was completed, but failed to install some of the updates.
0x80cf004E  OM_E_WINUPDATE_CACHE_UNINITIALIZED  The Windows Update cache is empty because it has not been initialized.
0x80cf0436  OM_E_PT_CATALOG_SYNC_REQUIRED  The server does not support category-specific search. Full catalog search must be issued instead.
0x80cf0437  OM_E_PT_SECURITY_VERIFICATION_FAILURE  There was a problem authorizing with the service.
0x80cf0438  OM_E_PT_ENDPOINT_UNREACHABLE  There is no route or network connectivity to the endpoint.
0x80cf0439  OM_E_PT_INVALID_FORMAT  The data received does not meet the data contract expectations.
0x80cf043A  OM_E_PT_INVALID_URL  The URL is not valid.
0x80cf043B  OM_E_PT_NWS_NOT_LOADED  The NWS runtime cannot be loaded.
0x80cf043C  OM_E_PT_PROXY_AUTH_SCHEME_NOT_SUPPORTED  The proxy authentication scheme is not supported.
0x80cf043D  OM_E_SERVICEPROP_NOTAVAIL  The requested service property is not available.
0x80cf043E  OM_E_PT_ENDPOINT_REFRESH_REQUIRED  The endpoint provider plug-in requires an online refresh.
0x80cf043F  OM_E_PT_ENDPOINTURL_NOTAVAIL  A URL for the requested service endpoint is not available.
0x80cf0440  OM_E_PT_ENDPOINT_DISCONNECTED  The connection to the service endpoint terminated.
0x80cf0441  OM_E_PT_INVALID_OPERATION  The operation is not valid because the protocol talker is in an inappropriate state.
0x80cf0FFF  OM_E_UNEXPECTED  An operation failed because of reasons that are not explained by another error code.
0x80cf1001  OM_E_MSI_WRONG_VERSION  Search might have missed some updates because the Windows Installer is an earlier version than version 3.1.
0x80cf1002  OM_E_MSI_NOT_CONFIGURED  Search might have missed some updates because the Windows Installer is not configured.
0x80cf1003  OM_E_MSP_DISABLED  Search might have missed some updates because policy has disabled Windows Installer patching.
0x80cf1004  OM_E_MSI_WRONG_APP_CONTEXT  An update could not be applied because the application is installed per user.
0x80cf2000  OM_E_UH_REMOTEUNAVAILABLE  A request for a remote update handler could not be completed because no remote process is available.
0x80cf2001  OM_E_UH_LOCALONLY  A request for a remote update handler could not be completed because the handler is local only.
0x80cf2003  OM_E_UH_REMOTEALREADYACTIVE  A remote update handler could not be created because one already exists.
0x80cf2004  OM_E_UH_DOESNOTSUPPORTACTION  A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall).
0x80cf2005  OM_E_UH_WRONGHANDLER  An operation could not be completed because the wrong handler was specified.
0x80cf2006  OM_E_UH_INVALIDMETADATA  A handler operation could not be completed because the update contains metadata that is not valid.
0x80cf2007  OM_E_UH_INSTALLERHUNG  An operation could not be completed because the installer exceeded the time limit. Check whether an update that requires user interaction was approved for deployment. In this case, you must revise the update installation parameters so that it can install silently.
0x80cf2008  OM_E_UH_OPERATIONCANCELLED  An operation that was being performed by the update handler was canceled.
0x80cf2009  OM_E_UH_BADHANDLERXML  An operation could not be completed because the handler-specific metadata is not valid.
0x80cf200B  OM_E_UH_INSTALLERFAILURE  The installer failed to install (uninstall) one or more updates.
0x80cf200D  OM_E_UH_NEEDANOTHERDOWNLOAD  The update handler did not install the update because it must be downloaded again.
0x80cf200E  OM_E_UH_NOTIFYFAILURE  The update handler failed to send notification of the status of the install (uninstall) operation.
0x80cf2014  OM_E_UH_POSTREBOOTSTILLPENDING  The post-reboot operation for the update is still in progress.
0x80cf2015  OM_E_UH_POSTREBOOTRESULTUNKNOWN  The result of the post-reboot operation for the update could not be determined.
0x80cf2016  OM_E_UH_POSTREBOOTUNEXPECTEDSTATE  The state of the update after its post-reboot operation was completed is unexpected.
0x80cf2017  OM_E_UH_NEW_SERVICING_STACK_REQUIRED  The operating system servicing stack must be updated before this update is downloaded or installed.
0x80cf2018  OM_E_UH_CALLED_BACK_FAILURE  A callback installer called back with an error.
0x80cf2019  OM_E_UH_CUSTOMINSTALLER_INVALID_SIGNATURE  The custom installer signature did not match the signature that the update requires.
0x80cf201A  OM_E_UH_UNSUPPORTED_INSTALLCONTEXT  The installer does not support the installation configuration.
0x80cf201B  OM_E_UH_INVALID_TARGETSESSION  The targeted session for the installation is not valid.
0x80cf2FFF  OM_E_UH_UNEXPECTED  An update handler error is not covered by another OM_E_UH_* code.
0x80cf3FFD  OM_E_NON_UI_MODE  Cannot show UI when in non-UI mode. Windows Update client UI modules might not be installed.
0x80cf3FFE  OM_E_WUCLTUI_UNSUPPORTED_VERSION  This version of WU client UI exported functions is not supported.
0x80cf3FFF  OM_E_AUCLIENT_UNEXPECTED  A user interface error occurred that is not covered by another OM_E_AUCLIENT_* error code.
0x80cf4007  OM_E_PT_SOAPCLIENT_SOAPFAULT  Same as SOAPCLIENT_SOAPFAULT. SOAP client failed because a SOAP fault of OM_E_PT_SOAP_* error code type occurred.
0x80cf4008  OM_E_PT_SOAPCLIENT_PARSEFAULT  Same as SOAPCLIENT_PARSEFAULT_ERROR. SOAP client failed to parse a SOAP fault error.
0x80cf400A  OM_E_PT_SOAPCLIENT_PARSE  Same as SOAPCLIENT_PARSE_ERROR. SOAP client failed to parse the response from the server.
0x80cf400B  OM_E_PT_SOAP_VERSION  Same as SOAP_E_VERSION_MISMATCH. SOAP client found an unrecognizable namespace for the SOAP envelope.
0x80cf400C  OM_E_PT_SOAP_MUST_UNDERSTAND  Same as SOAP_E_MUST_UNDERSTAND. SOAP client could not interpret a header.
0x80cf400D  OM_E_PT_SOAP_CLIENT  Same as SOAP_E_CLIENT. SOAP client found the message was malformed. Correct before resending.
0x80cf400E  OM_E_PT_SOAP_SERVER  Same as SOAP_E_SERVER. The SOAP message could not be processed because of a server error. Resend later.
0x80cf4010  OM_E_PT_EXCEEDED_MAX_SERVER_TRIPS  The number of round trips to the server exceeded the maximum limit.
0x80cf4012  OM_E_PT_DOUBLE_INITIALIZATION  The initialization failed because the object was already initialized.
0x80cf4013  OM_E_PT_INVALID_COMPUTER_NAME  The computer name could not be determined.
0x80cf4015  OM_E_PT_REFRESH_CACHE_REQUIRED  The reply from the server indicates that the server was changed or the cookie was invalid. Refresh the internal cache and retry.
0x80cf4016  OM_E_PT_HTTP_STATUS_BAD_REQUEST  Same as HTTP status 400. The server could not process the request because the syntax is not valid.
0x80cf4017  OM_E_PT_HTTP_STATUS_DENIED  Same as HTTP status 401. The requested resource requires user authentication.
0x80cf4018  OM_E_PT_HTTP_STATUS_FORBIDDEN  Same as HTTP status 403. The server understood the request, but declined to fulfill it.
0x80cf4019  OM_E_PT_HTTP_STATUS_NOT_FOUND  Same as HTTP status 404. The server cannot find the requested URI (Uniform Resource Identifier).
0x80cf401A  OM_E_PT_HTTP_STATUS_BAD_METHOD  Same as HTTP status 405. The HTTP method is not allowed.
0x80cf401B  OM_E_PT_HTTP_STATUS_PROXY_AUTH_REQ  Same as HTTP status 407. Proxy authentication is required.
0x80cf401C  OM_E_PT_HTTP_STATUS_REQUEST_TIMEOUT  Same as HTTP status 408. The server timed out waiting for the request.
0x80cf401D  OM_E_PT_HTTP_STATUS_CONFLICT  Same as HTTP status 409. The request was not completed because of a conflict with the current state of the resource.
0x80cf401E  OM_E_PT_HTTP_STATUS_GONE  Same as HTTP status 410. The requested resource is no longer available at the server.
0x80cf401F  OM_E_PT_HTTP_STATUS_SERVER_ERROR  Same as HTTP status 500. An error internal to the server prevented the request from being fulfilled.
0x80cf4020  OM_E_PT_HTTP_STATUS_NOT_SUPPORTED  Same as HTTP status 500. The server does not support the functionality that is required to fulfill the request.
0x80cf4021  OM_E_PT_HTTP_STATUS_BAD_GATEWAY  Same as HTTP status 502. The server, while acting as a gateway or proxy, received an invalid response from the upstream server that it accessed while trying to fulfill the request.
0x80cf4022  OM_E_PT_HTTP_STATUS_SERVICE_UNAVAIL  Same as HTTP status 503. The service is temporarily overloaded.
0x80cf4023  OM_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT  Same as HTTP status 503. The request was timed out waiting for a gateway.
0x80cf4024  OM_E_PT_HTTP_STATUS_VERSION_NOT_SUP  Same as HTTP status 505. The server does not support the HTTP protocol version that is used for the request.
0x80cf4025  OM_E_PT_FILE_LOCATIONS_CHANGED  The operation failed because of a changed file location. Refresh the internal state and resend.
0x80cf4027  OM_E_PT_NO_AUTH_PLUGINS_REQUESTED  The server returned an empty authentication information list.
0x80cf4028  OM_E_PT_NO_AUTH_COOKIES_CREATED  The agent could not create any valid authentication cookies.
0x80cf4029  OM_E_PT_INVALID_CONFIG_PROP  A configuration property value was wrong.
0x80cf402A  OM_E_PT_CONFIG_PROP_MISSING  A configuration property value was missing.
0x80cf402B  OM_E_PT_HTTP_STATUS_NOT_MAPPED  The HTTP request could not be completed, and the reason did not correspond to any of the OM_E_PT_HTTP_* error codes.
0x80cf402C  OM_E_PT_WINHTTP_NAME_NOT_RESOLVED  Same as ERROR_WINHTTP_NAME_NOT_RESOLVED. The proxy server or destination server name cannot be resolved.
0x80cf402F  OM_E_PT_ECP_SUCCEEDED_WITH_ERRORS  The external .cab file processing was completed with some errors.
0x80cf4030  OM_E_PT_ECP_INIT_FAILED  The external .cab processor initialization was not completed.
0x80cf4031  OM_E_PT_ECP_INVALID_FILE_FORMAT  The format of a metadata file is not valid.
0x80cf4032  OM_E_PT_ECP_INVALID_METADATA  The external .cab processor found metadata that is not valid.
0x80cf4033  OM_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST  The file digest could not be extracted from an external .cab file.
0x80cf4034  OM_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE  An external .cab file could not be decompressed.
0x80cf4035  OM_E_PT_ECP_FILE_LOCATION_ERROR  The external .cab processor could not get the file locations.
0x80cf4FFF  OM_E_PT_UNEXPECTED  A communication error occurred that is not covered by another OM_E_PT_* error code.
0x80cf6001  OM_E_DM_URLNOTAVAILABLE  A download manager operation could not be completed because the requested file does not have a URL.
0x80cf6002  OM_E_DM_INCORRECTFILEHASH  A download manager operation could not be completed because the file digest was not recognized.
0x80cf6003  OM_E_DM_UNKNOWNALGORITHM  A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm.
0x80cf6005  OM_E_DM_NONETWORK  A download manager operation could not be completed because the network connection was not available.
0x80cf6007  OM_E_DM_NOTDOWNLOADED  The update has not been downloaded.
0x80cf6008  OM_E_DM_FAILTOCONNECTTOBITS  A download manager operation failed because the download manager could not connect to the Background Intelligent Transfer Service (BITS).
0x80cf6009  OM_E_DM_BITSTRANSFERERROR  A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.
0x80cf600a  OM_E_DM_DOWNLOADLOCATIONCHANGED  A download must be restarted because the download source location has changed.
0x80cf600B  OM_E_DM_CONTENTCHANGED  A download must be restarted because the update content changed in a new revision.
0x80cf6FFF  OM_E_DM_UNEXPECTED  A download manager error occurred that is not covered by another OM_E_DM_* error code.
0x80cf7003  OM_E_INVALID_EVENT_PAYLOAD  An event payload was specified that is not valid.
0x80cf7004  OM_E_INVALID_EVENT_PAYLOADSIZE  The size of the event payload submitted is not valid.
0x80cf7005  OM_E_SERVICE_NOT_REGISTERED  The service is not registered.
0x80cf8000  OM_E_DS_SHUTDOWN  An operation failed because the agent is shutting down.
0x80cf8001  OM_E_DS_INUSE  An operation failed because the data store was in use.
0x80cf8002  OM_E_DS_INVALID  The current and expected states of the data store do not match.
0x80cf8003  OM_E_DS_TABLEMISSING  The data store is missing a table.
0x80cf8004  OM_E_DS_TABLEINCORRECT  The data store contains a table that has unexpected columns.
0x80cf8005  OM_E_DS_INVALIDTABLENAME  A table could not be opened because the table is not in the data store.
0x80cf8006  OM_E_DS_BADVERSION  The current and expected versions of the data store do not match.
0x80cf8007  OM_E_DS_NODATA  The information that is requested is not in the data store.
0x80cf8008  OM_E_DS_MISSINGDATA  The data store is missing required information or has a null in a table column that requires a non-null value.
0x80cf8009  OM_E_DS_MISSINGREF  The data store is missing required information or has a reference to missing license terms, file, localized property, or linked row.
0x80cf800A  OM_E_DS_UNKNOWNHANDLER  The update was not processed because its update handler was not recognized.
0x80cf800B  OM_E_DS_CANTDELETE  The update was not deleted because it is still referenced by one or more services.
0x80cf800C  OM_E_DS_LOCKTIMEOUTEXPIRED  The data store section could not be locked within the allotted time.
0x80cf800E  OM_E_DS_ROWEXISTS  The row was not added because an existing row has the same primary key.
0x80cf800F  OM_E_DS_STOREFILELOCKED  The data store could not be initialized because it was locked by another process.
0x80cf8010  OM_E_DS_CANNOTREGISTER  The data store is not allowed to be registered with COM in the current process.
0x80cf8011  OM_E_DS_UNABLETOSTART  An operation could not create a data store object in another process.
0x80cf8013  OM_E_DS_DUPLICATEUPDATEID  The server sent the same update to the client with two different revision IDs.
0x80cf8014  OM_E_DS_UNKNOWNSERVICE  An operation could not be completed because the service is not in the data store.
0x80cf8015  OM_E_DS_SERVICEEXPIRED  An operation could not be completed because the registration of the service has expired.
0x80cf8016  OM_E_DS_DECLINENOTALLOWED  A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.
0x80cf8017  OM_E_DS_TABLESESSIONMISMATCH  A table was not closed because it is not associated with the session.
0x80cf8018  OM_E_DS_SESSIONLOCKMISMATCH  A table was not closed because it is not associated with the session.
0x80cf8019  OM_E_DS_NEEDWINDOWSSERVICE  The request to remove or unregister the service was declined because it is a built-in service or because Automatic Updates cannot fall back to another service.
0x80cf801A  OM_E_DS_INVALIDOPERATION  The request was declined because the operation is not allowed.
0x80cf801B  OM_E_DS_SCHEMAMISMATCH  The schema of the current data store and the schema of a table in a backup XML document do not match.
0x80cf801C  OM_E_DS_RESETREQUIRED  The data store requires a session reset. Release the session and retry with a new session.
0x80cf801D  OM_E_DS_IMPERSONATED  A data store operation could not be completed because it was requested with an impersonated identity.
0x80cf8FFF  OM_E_DS_UNEXPECTED  A data store error occurred that is not covered by another OM_E_DS_* code.
0x80cfA000  OM_E_AU_NOSERVICE  Automatic Updates could not service incoming requests.
0x80cfA004  OM_E_AU_PAUSED  Automatic Updates could not process incoming requests because it was paused.
0x80cfA005  OM_E_AU_NO_REGISTERED_SERVICE  No unmanaged service is registered with Automatic Updates.
0x80cfA006  OM_E_AU_DETECT_SVCID_MISMATCH  The default service registered with Automatic Updates changed during the search.
0x80cfA007  OM_E_AU_ALREADY_PROMPTING_FOR_REBOOT  Automatic Updates is already prompting the user to restart.
0x80cfAFFF  OM_E_AU_UNEXPECTED  An Automatic Updates error occurred that is not covered by another OM_E_AU_* code.
0x80cfE001  OM_E_EE_UNKNOWN_EXPRESSION  An expression evaluator operation could not be completed because an expression was not recognized.
0x80cfE002  OM_E_EE_INVALID_EXPRESSION  An expression evaluator operation could not be completed because an expression was not valid.
0x80cfE003  OM_E_EE_MISSING_METADATA  An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes.
0x80cfE004  OM_E_EE_INVALID_VERSION  An expression evaluator operation could not be completed because the version of the serialized expression data is not valid.
0x80cfE005  OM_E_EE_NOT_INITIALIZED  The expression evaluator could not be initialized.
0x80cfE006  OM_E_EE_INVALID_ATTRIBUTEDATA  An expression evaluator operation could not be completed because an attribute is not valid.
0x80cfE007  OM_E_EE_CLUSTER_ERROR  An expression evaluator operation could not be completed because the cluster state of the computer could not be determined.
0x80cfEFFF  OM_E_EE_UNEXPECTED  An expression evaluator error occurred that is not covered by another OM_E_EE_* error code.
0x80cfF001  OM_E_REPORTER_EVENTCACHECORRUPT  The event cache file was defective.
0x80cfF002  OM_E_REPORTER_EVENTNAMESPACEPARSEFAILED  The XML in the event namespace descriptor could not be parsed.
0x80cfF003  OM_E_INVALID_EVENT  The XML in the event namespace descriptor is not valid.
0x80cfF004  OM_E_SERVER_BUSY  The server rejected an event because the server was too busy.
0x80cfFFFF  OM_E_REPORTER_UNEXPECTED  A reporter error occurred that is not covered by another error code.
0x80af0005  OMC_E_INSTALL_NOT_ALLOWED_REBOOT_REQUIRED  Installation failed because there is a pending mandatory reboot.
0x80af0006  OMC_E_DOWNLOAD_CANCELLED  The download was canceled.


Certificate connectors for Microsoft Intune
Article • 02/22/2023

Important

Beginning on July 29, 2021, the Certificate Connector for Microsoft Intune replaces the
use of PFX Certificate Connector for Microsoft Intune and Microsoft Intune Connector.
The new connector includes the functionality of both previous connectors. Support for
the previous connectors that are described in this article ended on 9/22/2021 with the
release of version 6.2109.51.0 of the Certificate Connector for Microsoft Intune.

If you need to install a new certificate connector, or reinstall a connector, install the
newer Certificate Connector for Microsoft Intune. For more information, see
Certificate Connector for Microsoft Intune.

To support the use of certificates for authentication and the signing and encryption of
email using S/MIME, Intune requires the use of a certificate connector. A certificate
connector is software you install on an on-premises server. The connector enables
cloud-managed devices to provision certificates from on-premises infrastructure, like an
issuing Certificate Authority.

Available connectors

There are two certificate connectors for Intune. Each has its own uses and requirements.

PFX Certificate Connector for Microsoft Intune
The PFX Certificate Connector supports certificate deployment for PKCS #12 certificate
requests and handles requests for PFX files imported to Intune for S/MIME email
encryption for a specific user.

 Tip

Prior to the August update for this connector (version 6.2008.60.607), PKCS #12
certificate requests were handled by the Intune Certificate Connector. With the
August update, the functionality for all PKCS certificate requests was consolidated
in the PFX Certificate Connector, which supports auto-update of the connector to
new versions and requires .NET Framework version 4.7.2.

This connector also supports the following three platforms, which aren't supported
through the Microsoft Intune Connector:

- Android Enterprise – Fully Managed
- Android Enterprise – Dedicated
- Android Enterprise – Corporate-Owned Work Profile

The functionality of the Microsoft Intune Connector isn't deprecated, and you can
continue to use it with PKCS certificate profiles for some platforms. However, if you
don't use SCEP or otherwise require NDES, you can switch to the PFX Certificate
Connector and remove NDES from your servers.

The PFX Certificate Connector:

- Supports multiple instances of this connector for each Intune tenant. Each instance
  of the connector must install on a Windows Server and have access to the private
  key used to encrypt the passwords of the uploaded PFX files.

  Note

  All connectors need to have the same permissions and be able to connect with all
  the certification authorities defined later in the PKCS profiles.

  Any instance of this connector can retrieve pending PKCS requests from the Intune
  Service queue, so it's not possible to define which connector handles each request.

  The same applies to certificate revocation.

- Can install on the same server that hosts an instance of the Microsoft Intune
  Connector.

- Supports up to 100 instances of this connector per tenant, with each instance on a
  separate Windows server. When you use multiple connectors:
  - All instances of the PFX Certificate Connector in your environment should be at
    the same version.
  - Your infrastructure supports redundancy and load balancing, as any available
    connector instance can process your certificate requests.

- Supports automatic updates to new versions. To automatically install new versions,
  the computer that hosts the connector must contact autoupdate.msappproxy.net
  on port 443. If the connector fails to automatically update, you can manually
  update the connector.

- Supports certificate revocation (requires the connector to run version 6.2008.60.607
  or later).

- Has the same network requirements as managed devices. For more information, see
  Network endpoints for Microsoft Intune, and Intune network configuration
  requirements and bandwidth.

The Windows server where the connector installs:

- Must run Windows Server 2012 R2 or later.
- Must run the .NET 4.7.2 Framework.

To install the PFX Certificate Connector:

For installation guidance for this connector, see Download, install, and configure the PFX
Certificate Connector.

Microsoft Intune Connector
The Microsoft Intune Connector is sometimes referred to as the Microsoft Intune
Certificate Connector. This connector supports certificate deployment when you use
Simple Certificate Enrollment Protocol (SCEP) and have an Active Directory Certificate
Services Certification Authority (CA). This type of CA is also referred to as a Microsoft CA.

When you use SCEP with a Microsoft CA, you must also configure the Network Device
Enrollment Service (NDES). For that reason, this connector is often referred to as the
NDES Certificate Connector.

If you use a third-party Certification Authority, you don’t need to use this connector and
NDES isn’t required.

The Microsoft Intune Connector:

- Supports issuing SCEP certificates.

- Can be used to issue PKCS certificates to most device platforms, but not all. This
  connector doesn't support issuing PKCS certificates to:
  - Android Enterprise – Fully Managed
  - Android Enterprise – Dedicated
  - Android Enterprise – Corporate-Owned Work Profile

  To support those platforms, use the PFX Certificate Connector, which supports
  issuing PKCS certificates to all device platforms. If you don't use SCEP, you can
  then uninstall this connector and use only the PFX Certificate Connector.

  Note

  With PKCS, all connectors need to have the same permissions and be able to
  connect with all the certification authorities defined later in the PKCS profiles.

  Any instance of this connector can retrieve pending PKCS requests from the Intune
  Service queue, so it's not possible to define which connector handles each request.

  The same applies to certificate revocation.

- Installs on a Windows server, which can also host an instance of the PFX Certificate
  Connector.

- Supports up to 100 instances of this connector per tenant, with each instance on a
  separate Windows server. When you use multiple connectors:
  - All instances of the Microsoft Intune Connector in your environment should be at
    the same version.
  - Your infrastructure supports redundancy and load balancing, as any available
    connector instance can process your certificate requests.

- Requires a manual update to install a new version of the connector. A manual
  update requires you to uninstall the current connector and then install the new
  version of the connector. No additional actions should be required.

- Supports Federal Information Processing Standard (FIPS) mode. FIPS isn't required.
  When FIPS is enabled, you can issue and revoke certificates.

- Has the same network requirements as managed devices. For more information, see
  Network endpoints for Microsoft Intune, and Intune network configuration
  requirements and bandwidth.

The Windows server where the connector installs:

- Must run Windows Server 2012 R2 or later.
- Must run the .NET 4.5 Framework. When this connector installs on the same server as
  the PFX Certificate Connector, you must use the .NET 4.7.2 Framework, which is
  required by the PFX connector.
- Can't be the same server that hosts your issuing Certificate Authority (CA).
- When used for SCEP with a Microsoft CA, requires access to a server that runs NDES.
  NDES runs on a Windows server, and can run on the same server as this connector.

When NDES is required:

- Internet Explorer Enhanced Security Configuration must be disabled on the server
  that hosts NDES and on the server that hosts the Microsoft Intune Connector.
- The connector requires additional configuration to communicate with NDES. You'll
  find procedures for installing and configuring NDES with the procedures for
  installing the Microsoft Intune Connector.
- For more information about NDES, see Network Device Enrollment Service Guidance.

To install the Microsoft Intune Connector:

For installation guidance for this connector, see Configure infrastructure to support
SCEP with Intune.

Connector Lifecycle

Important

Beginning on July 29, 2021, the Certificate Connector for Microsoft Intune replaces the
use of PFX Certificate Connector for Microsoft Intune and Microsoft Intune Connector.
The new connector includes the functionality of both previous connectors.

Periodically, updated versions of certificate connectors are released. Announcements for


new connector releases appear in the What’s New article for Intune and in the What's
new for Connectors section near the end of this article.

When a new version releases, support for the previous version is deprecated with a
limited grace period for its continued use. After the grace period expires, support for
that deprecated version ends, and it can stop functioning at any time. The grace period
is six months.

Plan to update a connector to the latest version at the first opportunity. Each connector
has a different update path:

PFX Certificate Connector for Microsoft Intune - Supports automatic updates.
Microsoft Intune Connector - Requires manual update.

Automatic update
When supported by the connector type and your environment, Intune can automatically
update the connector to the latest version shortly after that connector version is
released.

To update automatically, the server that hosts the connector must access the Azure
update service:

Port: 443
Endpoint: autoupdate.msappproxy.net

When firewalls, infrastructure, or network configurations limit access for automatic
update, resolve the blocking issues or manually update the connector to the new
version.
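The following PowerShell script is an added example, not part of the Intune documentation, that checks a connector host against the server prerequisites listed earlier (OS version, .NET Framework, not the issuing CA, IE Enhanced Security Configuration off when NDES is used) and probes the automatic-update endpoint on TCP 443. The registry paths, the .NET "Release" thresholds, the IE ESC Active Setup GUIDs, and the use of the CertSvc service as a sign that AD CS is installed are assumptions; confirm them for your OS build before relying on the result.

```powershell
# Added example, not part of the Intune documentation: checks a connector host against the
# prerequisites above and the automatic-update endpoint. Registry paths, the .NET "Release"
# thresholds and the IE ESC component GUIDs are assumptions; confirm them for your OS build.

function Get-DotNetRelease {
    # .NET Framework 4.x publishes its build as the DWORD "Release" under this key (assumed path).
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $item = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.Release
}

function Test-IeEscDisabled {
    # IE Enhanced Security Configuration is tracked per profile class; IsInstalled = 0 means off.
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $ids = @{
        Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }
    $state = @{}
    foreach ($class in $ids.Keys) {
        $prop = Get-ItemProperty -Path (Join-Path $base $ids[$class]) -Name IsInstalled -ErrorAction SilentlyContinue
        $state[$class] = ($null -ne $prop -and $prop.IsInstalled -eq 0)
    }
    return $state
}

function Test-ConnectorPrerequisites {
    param(
        [switch]$WithPfxConnector,  # the PFX Certificate Connector shares this host (needs .NET 4.7.2)
        [switch]$UsesNdes           # SCEP with NDES: IE ESC must be off on this host
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Windows Server 2012 R2 is kernel version 6.3; anything lower is unsupported.
    $osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version
    if ($osVersion -lt [Version]'6.3') {
        $findings.Add("OS version $osVersion is older than Windows Server 2012 R2")
    }

    # .NET 4.5 is Release 378389; 4.7.2 starts at Release 461808 (assumed thresholds).
    $requiredRelease = if ($WithPfxConnector) { 461808 } else { 378389 }
    $release = Get-DotNetRelease
    if ($release -lt $requiredRelease) {
        $findings.Add(".NET Framework Release $release is below the required $requiredRelease")
    }

    # The connector must not be installed on the issuing CA; CertSvc present means AD CS is here.
    if (Get-Service -Name CertSvc -ErrorAction SilentlyContinue) {
        $findings.Add('Certificate Services is installed on this host; do not install the connector on the issuing CA')
    }

    # When NDES is in use, IE ESC must be disabled on both the NDES host and the connector host.
    if ($UsesNdes) {
        $esc = Test-IeEscDisabled
        foreach ($class in $esc.Keys) {
            if (-not $esc[$class]) {
                $findings.Add("IE Enhanced Security Configuration is still enabled for $class")
            }
        }
    }

    # Automatic update needs outbound TCP 443 to the Azure update service endpoint.
    $probe = Test-NetConnection -ComputerName 'autoupdate.msappproxy.net' -Port 443 -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        $findings.Add('TCP 443 to autoupdate.msappproxy.net is blocked; automatic update will not work')
    }

    # Return the list as one object so the caller can use .Count directly.
    return ,$findings
}

# Usage: an empty list means every check passed.
$issues = Test-ConnectorPrerequisites -WithPfxConnector -UsesNdes
if ($issues.Count -eq 0) { 'All connector prerequisites satisfied' } else { $issues }
```

Run it in an elevated PowerShell session on the server that will host the connector; when NDES runs on a different server, run it there too with -UsesNdes so the IE ESC check covers both hosts. A blocked probe to autoupdate.msappproxy.net is the cue to plan for the manual update path described in the next section.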

Manual update
The process to manually update a certificate connector is the same for reinstalling a
connector.

You can manually update a certificate connector even when it supports automatic
updates. For example, you can manually update the connector when your network
configuration blocks an automatic update.

To reinstall a certificate connector

1. On the Windows server that hosts the connector, use Windows Apps and Features
to uninstall the connector.

2. To install the new version, use the procedure to install a new version of the
connector. Be sure to check for any new or updated prerequisites when installing a
newer version of a connector:

SCEP: Configure infrastructure to support SCEP with Intune
PKCS: Download, install, and configure the PFX Certificate Connector for
Microsoft Intune

Connector status
In the Microsoft Intune admin center, you can select a certificate connector to view
information about its status:

1. Sign in to the Microsoft Intune admin center

2. Go to Tenant administration > Connectors and tokens > Certificate connectors.

3. Select a connector to view its status.

When viewing the connector status:

Deprecated connectors will show with a Warning. After the six-month grace
period, the warning changes to an Error.
Connectors that are beyond the grace period show an Error. These connectors are
no longer supported and can stop working at any time.

Logging
The following logging details are available beginning with connector version 6.2101.13.0.

Logs for the PFX Certificate Connector are available as Event logs on the server where
the connector is installed:

Event Viewer > Application and Service Logs > Microsoft > Intune > Certificate
Connectors

The following logs are available and default to 50 MB, with automatic archiving enabled:

Admin Log - This log contains one log event per request to the connector. Events
include either a success with information about the request, or an error with
information about the request and the error.
Operational Log - This log displays more information than is found in the
Admin log, and can be of use in debugging issues. This log also displays ongoing
operations for the PFX Certificate connector instead of single events.

Event IDs
All events have one of the following IDs:

0001-0999 - Not associated with any specific scenario
1000-1999 - PKCS
2000-2999 - PKCS Import
3000-3999 - Revoke

Task Categories
All events are tagged with a Task Category to aid in filtering. Task categories include,
but aren't limited to, the following:

PKCS

Admin
PkcsRequestSuccess - Successfully fulfilled and uploaded a PKCS Request to Intune.
PkcsRequestFailure - Failed to fulfill or upload a PKCS Request to Intune.

Operational
PkcsDownloadSuccess - Successfully downloaded PKCS requests from Intune
PkcsDownloadFailure - A failure occurred when downloading PKCS requests from Intune
PkcsDownloadedRequest - Details of a single downloaded request from Intune
PkcsIssuedSuccess - Issued a certificate for a request
PkcsIssuedFailedAttempt - A failure occurred while issuing a certificate for a request
PkcsIssuedFailure - Failed to issue a certificate for a request
PkcsUploadSuccess - Details of a successful request that was uploaded to Intune
PkcsUploadFailure - A failure occurred when uploading requests to Intune
PkcsUploadedRequest - Details of an uploaded request to Intune

PKCS Import

Admin
PkcsImportRequestSuccess - Successfully downloaded PKCS Import requests from Intune
PkcsImportRequestFailure - A failure occurred when downloading PKCS Import requests from Intune

Operational
PkcsImportDownloadSuccess - Successfully downloaded PKCS Import requests from Intune
PkcsImportDownloadFailure - A failure occurred when downloading PKCS Import requests from Intune
PkcsImportDownloadedRequest - Details of a single downloaded request from Intune
PkcsImportReencryptSuccess - Re-encrypted an imported certificate
PkcsImportReencryptFailedAttempt - A failure occurred while re-encrypting an imported certificate
PkcsImportReencryptFailure - Failed to re-encrypt an imported certificate
PkcsImportUploadFailure - A failure occurred when uploading requests to Intune
PkcsImportUploadedRequest - Details of an uploaded request to Intune

Revocation

Admin
RevokeRequestSuccess - Successfully downloaded Revocation requests from Intune
RevokeRequestFailure - A failure occurred when downloading Revocation requests from Intune

Operational
RevokeDownloadSuccess - Successfully downloaded Revocation requests from Intune
RevokeDownloadFailure - A failure occurred when downloading Revocation requests from Intune
RevokeDownloadedRequest - Details of a single downloaded request from Intune
RevokeSuccess - Successfully revoked certificate
RevokeFailure - A failure occurred while revoking a certificate
RevokeFailedAttempt - Failed to revoke a certificate
RevokeUploadSuccess - Details of a successful request that was uploaded to Intune
RevokeUploadFailure - A failure occurred when uploading requests to Intune
RevokeUploadedRequest - Details of an uploaded request to Intune
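As an added example that is not part of the Intune documentation, the following PowerShell pulls recent Certificate Connector events from the Admin and Operational logs, maps each Event ID to the scenario ranges listed under Event IDs, and surfaces the failure task categories for triage. The event log channel names are not stated in the article, so the script discovers them with a wildcard instead of assuming them; treating "*Failure" categories as errors and "*FailedAttempt" categories as warnings is a triage choice made for this example.

```powershell
# Added example, not part of the Intune documentation: summarize Certificate Connector
# failures by scenario. Channel names are discovered rather than assumed; run on the
# server that hosts the connector.

# Event ID ranges as documented in the Event IDs section above.
$ScenarioRanges = @(
    @{ Name = 'General';     Min = 1;    Max = 999  },
    @{ Name = 'PKCS';        Min = 1000; Max = 1999 },
    @{ Name = 'PKCS Import'; Min = 2000; Max = 2999 },
    @{ Name = 'Revoke';      Min = 3000; Max = 3999 }
)

function Get-ConnectorScenario {
    param([int]$EventId)
    foreach ($r in $ScenarioRanges) {
        if ($EventId -ge $r.Min -and $EventId -le $r.Max) { return $r.Name }
    }
    return 'Unknown'
}

function Get-ConnectorLogNames {
    # Discover the Admin and Operational channels under Microsoft > Intune > Certificate Connectors.
    Get-WinEvent -ListLog '*Intune*' -ErrorAction SilentlyContinue |
        Where-Object { $_.LogName -match 'Certificate' -and $_.LogName -match '/(Admin|Operational)$' } |
        Select-Object -ExpandProperty LogName
}

function Get-ConnectorFailures {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in Get-ConnectorLogNames) {
        # FilterHashtable lets the event log service do the time filtering server-side.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Task categories such as PkcsRequestFailure or RevokeFailure end in "Failure";
            # "FailedAttempt" categories describe a single attempt and are reported as warnings.
            $category = $e.TaskDisplayName
            $severity = if ($category -like '*Failure') { 'Error' }
                        elseif ($category -like '*FailedAttempt') { 'Warning' }
                        else { $null }
            if ($null -eq $severity) { continue }
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Log      = $log
                EventId  = $e.Id
                Scenario = Get-ConnectorScenario -EventId $e.Id
                Category = $category
                Severity = $severity
                Message  = ($e.Message -split "`n")[0]   # first line only, for a compact summary
            }
        }
    }
}

# Usage: count failures by scenario and task category over the last 24 hours.
Get-ConnectorFailures -Hours 24 |
    Sort-Object Time -Descending |
    Group-Object Scenario, Category |
    Select-Object Count, Name
```

Because the Admin log holds one event per request and the Operational log adds the intermediate download, issue and upload steps, a PKCS failure normally shows up in both; the Scenario column groups them so a spike in Revoke failures is not confused with an issuing problem.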

What's new for Connectors

Updates for the two certificate connectors are released periodically. When we update a
connector, you can read about the changes here.

) Important

Starting April 2022, certificate connectors earlier than version 6.2101.13.0 will be
deprecated and will show a status of Error. This status does not affect functionality.
Starting June 2022, such connectors will not be able to issue certificates. See the
note at the start of this article for details on moving to the new Certificate
Connector for Microsoft Intune.

PFX Certificate Connector release history

The PFX Certificate Connector for Microsoft Intune supports automatic updates.

March 10, 2021

Version 6.2101.16.0 - Changes in this release:

Improvements to the PFX Create flow to prevent duplication of Certificate
Request files on on-premises servers that host the connector.

February 24, 2021

Version 6.2101.13.0. This new connector version adds improvements for logging to the
PFX Connector:

New location for Event Logs, with logs broken down into Admin, Operational &
Debug
Admin & Operational logs default to 50 MB - with auto archiving enabled.
EventIDs for PKCS Import, PKCS Create and Revocation.

January 26, 2021

Version 6.2009.2.0 - Changes in this release:

Improves upgrade of the Connector to persist accounts that run Connector
Services.

January 15, 2021

Version 6.2009.1.9 - Changes in this release:

Improvements to the renewal of the connector certificate.

October 2, 2020

Version 6.2008.60.612 - Changes in this release:

Fixed an issue with PKCS certificate delivery to Android Enterprise Fully Managed
devices. The issue required the cryptography Key Storage Provider (KSP) be a
legacy provider. You can now use a Cryptographic Next Generation (CNG) Key
Storage Provider as well.
Changes to CA Account tab of the PFX Certificate Connector: The Username and
password (credentials) that you specify are now used to issue certificates and to
revoke certificates. Previously these credentials were used only for certificate
revocation.

Microsoft Intune Connector release history

April 2, 2019
Version 6.1904.1.0 - Changes in this release:

Fixed an issue where the connector might fail to enroll to Intune after signing in to
the connector with a global administrator account.
Includes reliability fixes to certificate revocation.
Includes performance fixes to increase how quickly PKCS certificate requests are
processed.

Next steps
Create SCEP, PKCS, or PKCS imported certificate profiles for each platform you want to
use. To continue, see the following articles:

Configure infrastructure to support SCEP certificates with Intune
Configure and manage PKCS certificates with Intune
Create a PKCS imported certificate profile
Troubleshoot issues for the Microsoft Intune Connector

Protect Microsoft 365 Exchange Online
without requiring device management
Article • 02/21/2023

If you want to give employees access to their work email without the overhead of
setting up a device management system, you can. You can give access to Microsoft 365
Exchange Online through Intune. To complete the necessary steps, confirm you have
licenses for Microsoft 365, or Azure Active Directory (premium) and Intune. Employees
need to have a supported iOS/iPadOS or Android device.

You can still set up a device management system later if you decide to. This type of app
protection works independently of device management.

Action plan
1. Learn about Conditional Access.
2. Learn about app-based Conditional Access.
3. Set up app-based Conditional Access policies for Exchange Online.
4. Block apps that can't be managed. Specifically, block apps that don't use the
Microsoft Authentication Library (MSAL).
5. (Optional) Set up app-based Conditional Access policies for SharePoint Online.
These policies block access to your company data from apps that cannot be
managed and secured. The policies also limit access through SharePoint mobile.
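As an added example that is not part of the Intune documentation, the following PowerShell creates the two Conditional Access policies from steps 3 and 4 with the Microsoft Graph PowerShell SDK: one that requires an approved (app protection capable) client app for Exchange Online on iOS/iPadOS and Android, and one that blocks clients that don't use modern authentication. Assumptions: the Microsoft.Graph.Identity.SignIns module is installed, the caller holds the Policy.ReadWrite.ConditionalAccess permission, and the well-known application ID below identifies Office 365 Exchange Online. Both policies are created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example, not part of the Intune documentation: app-based Conditional Access for
# Exchange Online via Microsoft Graph PowerShell. Policies start in report-only mode.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Well-known first-party application ID for Office 365 Exchange Online (assumed; verify in your tenant).
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

function New-ExchangeApprovedAppPolicy {
    # Step 3: mobile and desktop clients must be an approved app or an app with an
    # app protection policy, which is what enables Intune to manage the data they hold.
    $body = @{
        displayName = 'Exchange Online: require approved client app (report-only)'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeUsers = @('All') }
            applications   = @{ includeApplications = @($ExchangeOnlineAppId) }
            clientAppTypes = @('mobileAppsAndDesktopClients')
            platforms      = @{ includePlatforms = @('iOS', 'android') }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('approvedApplication', 'compliantApplication')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function New-ExchangeBlockLegacyAuthPolicy {
    # Step 4: clients that don't use MSAL sign in as Exchange ActiveSync or "other" (legacy
    # authentication) and cannot be managed, so access is blocked.
    $body = @{
        displayName = 'Exchange Online: block legacy authentication clients (report-only)'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeUsers = @('All') }
            applications   = @{ includeApplications = @($ExchangeOnlineAppId) }
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('block')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Usage: create both policies and show their IDs and state.
$approved = New-ExchangeApprovedAppPolicy
$blocked  = New-ExchangeBlockLegacyAuthPolicy
$approved, $blocked | Select-Object DisplayName, State, Id
```

Before switching state to enabled, add your emergency access accounts to excludeUsers in both policies and review the report-only sign-in log entries; the second policy in particular reveals any line-of-business tools still signing in with legacy authentication.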

What to tell employees and students

Ask your employees and students to download and install Microsoft Outlook or
Microsoft SharePoint for iOS/iPadOS from the Apple App Store or for Android from
the Google Play Store.
If you block access to apps that do not use modern authentication, let the
employees and students know of this restriction.

Next steps
You have used app-based Conditional Access to increase the security of company data.
As part of next steps, you can learn more about the other ways you can increase the
protection of your company's data, including:

Setting up Conditional Access based on device compliance, device risk, location,
and user attributes in Active Directory and Azure Active Directory.
Setting up app protection policies to help you protect your company data against
intentional or unintentional data leaks.
Leveraging Azure Information Protection to protect company data outside your
network.

Want help enabling this or other EMS or Microsoft 365 scenarios? If you have at least
150 licenses for Microsoft 365, Enterprise Mobility + Security, or Azure Active Directory
Premium, use your FastTrack benefits.

Prevent unauthorized access to
company data using Microsoft Intune
Article • 07/12/2023

You can classify, label, and protect Microsoft 365 documents and emails so only
authorized users have access to the data. The settings are managed automatically after
IT administrators or users set the rules and conditions. Alternatively, the IT team can
provide recommended settings for users to follow. Administrators and users can also
revoke access to data already shared with others without assistance from another
authority. The result of this work is to control who opens or updates protected data,
even when the data leaves the company's network.

Before you begin

Use the following action plan when you meet these requirements:

Your company is ready to transition securely to the cloud.
Your company uses Microsoft 365 Exchange Online, SharePoint Online, OneDrive
for Business, or Viva Engage.
Your company has licenses for Microsoft 365, Enterprise Mobility + Security (EMS),
or Azure Information Protection.
Your company works with devices running Windows 7 Service Pack 1 or later.
Your company uses Microsoft 365 Apps with 2016 apps or 2013 apps, Office
Professional Plus 2016, Office Professional Plus 2013 with Service Pack 1, or Office
Professional Plus 2010.

Action plan
Complete the quick start tutorial for Azure Information Protection.

What to tell employees and students

You can share details of how and when to protect documents and emails that contain
sensitive information.

Next steps
As part of next steps, you can learn more about the other ways you can increase the
protection of your company's data, including:

Learn how to use Azure Information Protection on iOS/iPadOS and Android
devices.
For Mac computers, learn about Microsoft Rights Management Sharing
Application.

Prevent data leaks on non-managed
devices using Microsoft Intune
Article • 03/02/2023

If you allow access to company data hosted by Microsoft 365, you can control how users
share and save data without risking intentional or accidental data leaks. Microsoft Intune
provides app protection policies that you set to secure your company data on user-
owned devices. The devices do not need to be enrolled in the Intune service.

App protection policies set up with Intune also work on devices managed with a non-
Microsoft device management solution. The personal data on the devices is not
touched; only company data is managed by the IT department.

You can set app protection policies for Office mobile apps on devices running Windows,
iOS/iPadOS, or Android to protect company data. These policies let you require an
app-based PIN or company data encryption, or apply more advanced settings that restrict
how cut, copy, paste, and save-as work between managed and unmanaged apps. You can
also remotely wipe company data without requiring users to enroll devices.

Intune app protection policies are independent of device management. App protection
policies let you manage Office mobile apps on both unmanaged and Intune-managed
devices, as well as devices managed by non-Microsoft MDM solutions.

Before you begin

Use the following action plan when you meet these requirements:

Your company is ready to transition securely to the cloud.
Your company uses Microsoft 365 Exchange Online, SharePoint Online, OneDrive
for Business, or Yammer.
Your company has licenses for Microsoft 365, Enterprise Mobility + Security (EMS),
or Azure Information Protection.
Your company allows users to access company data from company-owned or
personally-owned Windows, iOS/iPadOS, or Android devices.
Your company does not want to require enrollment of personally-owned devices in
a device management service.

Action plan
For iOS/iPadOS and Android devices:

1. Learn how app protection policies work.
2. Learn how to create and deploy app protection policies for Office mobile apps.
3. Monitor the app protection policies that you create and deploy.

For Windows 10/11 devices:

1. Learn how Windows Information Protection (WIP) works.
2. Get ready to configure app protection policies for Windows 10/11.
3. Create and deploy WIP app protection policies with Intune.

What to tell employees and students

As appropriate, share the following links to provide additional information:

Where to find work or school apps for iOS/iPadOS
Where to find work or school apps for Android

Next steps
Want help enabling this or other EMS or Microsoft 365 scenarios? If you have at least
150 licenses for Microsoft 365, Enterprise Mobility + Security, or Azure Active Directory
Premium, use your FastTrack benefits.

Apply features and settings on your
devices using device profiles in
Microsoft Intune
Article • 03/23/2023

Microsoft Intune includes settings and features you can enable or disable on different
devices within your organization. These settings and features are added to
"configuration profiles". You can create profiles for different devices and different
platforms, including iOS/iPadOS, Android device administrator, Android Enterprise, and
Windows. Then, use Intune to apply or "assign" the profile to the devices.

As part of your mobile device management (MDM) solution, use these configuration
profiles to complete different tasks. Intune has many templates that include groups of
settings that are specific to a feature, such as certificates, VPN, email, and more.

Some profile examples include:

Allow or prevent access to Bluetooth on the device.
Create a WiFi or VPN profile that gives different devices access to your corporate
network.
Manage software updates, including when they're installed.
Run an Android device as a dedicated kiosk device that can run one app, or run
many apps.
On iOS/iPadOS and macOS devices, allow users to use AirPrint printers in your
organization.

This article gives an overview of the different types of profiles you can create. Use these
profiles to allow or prevent some features on the devices.

Administrative templates and Group policy

Administrative templates include hundreds of settings that you can configure for
Internet Explorer, Microsoft Edge, OneDrive, remote desktop, Word, Excel, and other
Office programs. These templates give administrators a simplified view of settings
similar to group policy, and they're 100% cloud-based.

Group Policy analytics analyzes your on-premises GPOs, and shows which policy settings
are supported, deprecated, and more.

This feature supports:

Windows 11
Windows 10

Certificates
Certificates configure trusted, SCEP, and PKCS certificates that are assigned to devices.
These certificates authenticate WiFi, VPN, and email profiles.

This feature supports:

Android device administrator
Android (AOSP)
Android Enterprise
iOS/iPadOS
macOS
Windows 11
Windows 10
Windows 8.1

Custom profile
Custom settings let administrators assign device settings that aren't built in to Intune.
On Android devices, you can enter OMA-URI values. For iOS/iPadOS devices, you can
import a configuration file you created in the Apple Configurator.

This feature supports:

Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 11
Windows 10

Delivery optimization
Delivery optimization provides a better experience for delivering software updates. These
settings are replacing the Software Updates > Windows 10 update ring settings.

Use these settings to control how software updates are downloaded to devices in your
organization. For example, you can let users get their own updates, or get updates using
the delivery optimization cloud services in a device profile.

This feature supports:

Windows 11
Windows 10

Derived credential
Derived credentials are certificates on smart cards that can authenticate, sign, and
encrypt. In Intune, you can create profiles with these credentials to use in apps, email
profiles, connecting to VPN, S/MIME, and Wi-Fi.

This feature supports:

Android Enterprise
iOS/iPadOS

Device features
Device features controls features on iOS/iPadOS and macOS devices, such as AirPrint,
notifications, and lock screen messages.

This feature supports:

iOS/iPadOS
macOS

Device firmware configuration interface

Device firmware configuration interface (DFCI) allows administrators to enable or disable
UEFI (BIOS) settings using Intune. Use these settings to enhance security at the
firmware-level, which is typically more resilient to malicious attacks.

This feature supports:

Windows 11 on supported firmware
Windows 10 1809 and newer on supported firmware

Device restrictions
Device restrictions controls security, hardware, data sharing, and more settings on the
devices. For example, create a device restriction profile that prevents iOS/iPadOS device
users from using the device camera.

This feature supports:

Android device administrator
Android (AOSP)
Android Enterprise
iOS/iPadOS
macOS
Windows 11
Windows 10
Windows 10 Team

Domain join
Domain join configures on-premises Active Directory domain information. This
information is deployed to hybrid Azure AD joined devices when provisioned using
Windows Autopilot and Intune. This profile tells devices which domain and OU to join.

This feature supports:

Windows 11
Windows 10

Edition upgrade and mode switch

Windows 10/11 edition upgrades automatically upgrade devices that run some
versions of Windows client to a newer edition.

This feature supports:

Windows 11
Windows 10

Education
Education settings - Windows 10 configure options for the Windows Take a Test app.
When you configure these options, no other apps can run on the device until the test is
complete.

Education settings - iOS/iPadOS uses the iOS/iPadOS Classroom app to guide learning,
and control student devices in the classroom. You can configure iPad devices so many
students can share a single device.

Email
Email settings creates, assigns, and monitors Exchange ActiveSync email settings on the
devices. Email profiles help with consistency, reduce support calls, and let end-users
access company email on their personal devices, without any required setup on their
part.

This feature supports:

Android device administrator
Android Enterprise
iOS/iPadOS
Windows 11
Windows 10

Endpoint protection
Endpoint protection configures BitLocker and Microsoft Defender settings for Windows
client devices. On macOS devices, you can also configure the firewall, gateway, and
other resources.

To onboard Microsoft Defender for Endpoint with Microsoft Intune, see Configure
endpoints using Mobile Device Management (MDM) tools.

This feature supports:

macOS
Windows 11
Windows 10

eSIM cellular - Public preview

eSIM cellular profiles let administrators configure cellular data plans on your managed
devices for internet and data access. After getting activation codes from your mobile
operator, use Intune to import these activation codes, and then assign them to your eSIM
capable devices.

This feature supports:

Windows 11
Windows 10 Fall Creators Update and newer

Extensions
macOS system extensions and kernel extensions allow administrators to add features or
programs that extend the native capabilities of the operating system. Configure these
settings to trust all extensions from a specific developer or partner, or allow specific
extensions.

This feature supports:

macOS

Identity protection
Identity protection controls the Windows Hello for Business experience on Windows
client devices. Configure these settings to make Windows Hello for Business available to
users and devices, and to specify requirements for device PINs and gestures.

This feature supports:

Windows 11
Windows 10
Windows Holographic for Business

Kiosk
Kiosk settings profile configures a device to run one app, or run many apps. You can also
customize other features on your kiosk, including a start menu and a web browser.

This feature supports:

Windows 11 (single app kiosk only)
Windows 10

Kiosk settings are also available as device restrictions for Android, Android Enterprise, and
iOS/iPadOS.

MX profile (Zebra)
Mobility extensions (MX) expand on the built-in Intune settings to customize or add
more settings specific to Zebra devices. Zebra devices are commonly used on factory
floors, and retail environments. If you have hundreds or thousands of Zebra devices, you
can use Intune to configure and manage these devices.

This feature supports:

Android device administrator

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint integrates with Intune to monitor and help protect
devices. You set risk levels, and determine what happens if devices exceed that level.
When combined with conditional access, you can help prevent malicious activity in your
organization.

This feature supports:

Windows 11
Windows 10

Network boundary
Network boundary creates a list of sites that are trusted by your organization. This
feature is used with Microsoft Defender Application Guard and Microsoft Edge to help
protect your devices.

This feature supports:

Windows 11
Windows 10

OEMConfig
On Android Enterprise devices, OEMConfig is a standard. It allows OEMs (original
equipment manufacturers) and EMMs (enterprise mobility management) to build and
support OEM-specific features in a standardized way. With OEMConfig, an OEM creates
a schema that defines OEM-specific management features, and embeds it in an app
uploaded to Google Play. Intune reads the schema from the app, and allows Intune
administrators to configure the settings in the schema.

This feature supports:

Android Enterprise (OEMConfig)

Preference file
Preference files on macOS devices include information about apps. For example, you
can use preference files to control web browser settings, customize apps, and more.

This feature supports:

macOS

 Tip

macOS settings are continually being added to the settings catalog. Some of these
settings can replace preference files. For more information, go to Tasks you can
complete using the Settings Catalog in Intune.

Settings catalog
The settings catalog lists the settings you can configure. It's not a template, or a logical
grouping of settings.

On Windows, there are thousands of settings available, including many settings not
found in the templates. When you want a complete list of all the settings, use the
settings catalog to create your policy. If you want to use a logical grouping of settings,
then continue to use the templates.

On macOS, you can configure Microsoft Edge version 77 and newer using the settings
catalog. In your policy, you configure individual settings. It doesn't require a preference
file.

This feature supports:

iOS/iPadOS
macOS
Windows 11
Windows 10

Shared multi-user device

Windows 10/11 and Windows Holographic for Business include settings to manage
devices with multiple users. These devices are known as shared devices, or shared PCs.
When a user signs in to the device, you choose if the user can change the sleep options,
or save files on the device. In another example, to save space, you can create a profile
that deletes inactive credentials from Windows HoloLens devices.

These shared multi-user device settings allow administrators to control some of the
device features, and manage these shared devices using Intune.

This feature supports:

Windows 11
Windows 10
Windows Holographic for Business

Shell scripts
On Linux devices, you can add existing Bash scripts to customize settings and features
on these devices. This concept is similar to creating a custom device configuration
profile, and deploying the policy to your devices. With Linux, you're using existing Bash
scripts to configure features and settings that aren't built into Intune.

On macOS devices, you can add existing shell scripts, and then deploy these scripts to
your macOS devices.

On Windows devices, you can use the Intune Management Extension to upload your
PowerShell scripts in Intune, and then run these scripts on your devices. Also see what's
required to use the extension, how to add them to Intune, and other important
information.

This feature supports:

Linux
macOS
Windows 11
Windows 10

Update policies
iOS/iPadOS update policies shows you how to create and assign iOS/iPadOS policies to
install software updates on your iOS/iPadOS devices. You can also review the installation
status.
For update policies on Windows devices, see Delivery optimization.

This feature supports:

iOS/iPadOS

VPN
VPN settings assigns VPN profiles to users and devices in your organization, so they can
easily and securely connect to the network.

Virtual private networks (VPNs) give users secure remote access to your company
network. Devices use a VPN connection profile to start a connection with your VPN
server.

This feature supports:

Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 11
Windows 10
Windows 8.1

Wi-Fi
Wi-Fi settings assigns wireless network settings to users and devices. When you assign a
WiFi profile, users get access to your corporate WiFi without having to configure it
themselves.

This feature supports:

Android device administrator
Android (AOSP)
Android Enterprise
iOS/iPadOS
macOS
Windows 11
Windows 10
Windows 8.1 (import only)

Windows health monitoring
Windows health monitoring lets your data event be collected, and then analyzed by
Endpoint Analytics. You can use this data to get insights on your Windows devices,
including software updates and startup performance.

This feature supports:

Windows 11
Windows 10

Wired networks
Wired networks let you create and manage 802.1x wired connections for macOS and
Windows desktop computers and devices. In your profile, you choose the network
interface, select the accepted EAP types, and enter the server trust settings, including
PKCS and SCEP certificates.

When you assign the profile, users get access to your corporate wired network without
having to configure it themselves.

This feature supports:

macOS
Windows 11
Windows 10

Zebra Mobility Extensions (MX)

Zebra Mobility Extensions (MX) allows administrators to use and manage Zebra devices
in Intune. You create StageNow profiles with your settings, and then use Intune to assign
and deploy these profiles to your Zebra devices. The StageNow logs and common issues
article is a great resource to troubleshoot profiles, and see some potential issues when using
StageNow.

This feature supports:

Android device administrator (Mobility Extensions)

Manage and troubleshoot

Manage your profiles to check the status of devices, and the profiles assigned. Also help
resolve conflicts by seeing the settings that cause a conflict, and the profiles that include
these settings. Common issues and resolutions helps administrators work with profiles.
It describes what happens when deleting a profile, what causes notifications to be sent
to devices, and more.

Next steps
Choose a profile, and get started.
Create a device profile in Microsoft
Intune
Article • 03/02/2023

Device profiles allow you to add and configure settings, and then push these settings to
devices in your organization. You have some options when creating policies:

Administrative templates: On Windows 10/11 devices, these templates are ADMX
settings that you configure. If you're familiar with ADMX policies or group policy
objects (GPO), then using administrative templates is a natural step to Microsoft
Intune.

For more information, see Administrative Templates.

Baselines: On Windows 10/11 devices, these baselines include preconfigured
security settings. If you want to create security policy using recommendations by
Microsoft security teams, then security baselines are for you.

For more information, see Security baselines.

Settings catalog: On Windows 10/11 devices, use the settings catalog to see all the
available settings in one location. For example, you can see all the settings
that apply to BitLocker, and create a policy that just focuses on BitLocker. On
macOS devices, use the settings catalog to configure Microsoft Edge version 77
and newer.

For more information, see Settings catalog.

On macOS, continue using the preference file to:

Configure earlier versions of Microsoft Edge
Configure Edge browser settings that aren't in the settings catalog

Templates: On Android, iOS/iPadOS, macOS, and Windows devices, the templates
include a logical grouping of settings that configure a feature or concept, such as
VPN, email, kiosk devices, and more. If you're familiar with creating device
configuration policies in Microsoft Intune, then you're already using these
templates.

For more information, including the available templates, see Apply features and
settings on your devices using device profiles.

This article:
Lists the steps to create a profile.
Shows you how to add a scope tag to "filter" your policies.
Describes applicability rules on Windows client devices, and shows you how to
create a rule.
Has more information on the check-in refresh cycle times when devices receive
profiles and any profile updates.

Create the profile

Profiles are created in the Microsoft Intune admin center. In this admin center, select
Devices. You have the following options:

Overview: Lists the status of your profiles, and provides more details on the
profiles you assigned to users and devices.
Monitor: Check the status of your profiles for success or failure, and also view logs
on your profiles.
By platform: Create and view policies and profiles by your platform. This view may
also show features specific to the platform. For example, select Windows. You'll see
Windows-specific features, such as Windows Update Rings and PowerShell
scripts.
Policy: Create device profiles, upload custom PowerShell scripts to run on devices,
and add data plans to devices using eSIM.

When you create a profile (Configuration profiles > Create profile), choose your
platform:

Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 10 and later
Windows 8.1 and later

Then, choose the profile. Depending on the platform you choose, the settings you can
configure are different. The following articles describe the different profiles:

Administrative templates (Windows)
Custom
Delivery Optimization (Windows)
Derived credential (Android Enterprise, iOS, iPadOS)
Device features (macOS, iOS, iPadOS)
Device firmware (Windows)
Device restrictions
Domain join (Windows)
Edition upgrade and mode switch (Windows)
Education (iOS, iPadOS)
Email
Endpoint protection (macOS, Windows)
Extensions (macOS)
Identity protection (Windows)
Kiosk
Microsoft Defender for Endpoint (Windows)
Mobility Extensions (MX) profile (Android device administrator)
Network boundary (Windows)
OEMConfig (Android Enterprise)
PKCS certificate
PKCS imported certificate
Preference file (macOS)
SCEP certificate
Secure assessment (Education) (Windows)
Shared multi-user device (Windows)
Telecom expenses (Android device administrator, iOS, iPadOS)
Trusted certificate
VPN
Wi-Fi
Windows health monitoring
Wired networks (macOS)

For example, if you select iOS/iPadOS for the platform, your options look similar to the
following profile:

If you select Windows 10 and later for the platform, your options look similar to the
following profile:

Scope tags

After you add the settings, you can also add a scope tag to the profile. Scope tags filter
profiles to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment, and
are used in distributed IT.

For more information about scope tags, and what you can do, see Use RBAC and scope
tags for distributed IT.

Applicability rules
Applies to:

Windows 11
Windows 10

Applicability rules allow administrators to target devices in a group that meet specific
criteria. For example, you create a device restrictions profile that applies to the All
Windows 10/11 devices group. And, you only want the profile assigned to devices
running Windows Enterprise.

To do this task, create an applicability rule. These rules are great for the following
scenarios:

You use Windows 10 Education (EDU). At Bellows College, you want to target all
Windows 10 EDU devices between RS3 and RS4.
You want to target all users in Human Resources at Contoso, but only want
Windows 10 Professional or Enterprise devices.

To approach these scenarios, you:

Create a devices group that includes all devices at Bellows College. In the profile,
add an applicability rule so it applies if the OS minimum version is 16299 and the
maximum version is 17134. Assign this profile to the Bellows College devices
group.

When it's assigned, the profile applies to devices between the minimum and
maximum versions you enter. For devices that aren't between the minimum and
maximum versions you enter, their status shows as Not applicable.

Create a users group that includes all users in Human Resources (HR) at Contoso.
In the profile, add an applicability rule so it applies to devices running Windows 10
Professional or Enterprise. Assign this profile to the HR users group.
When it's assigned, the profile applies to devices running Windows 10 Professional
or Enterprise. For devices that aren't running these editions, their status shows as
Not applicable.

If there are two profiles with the exact same settings, then the profile without an
applicability rule is applied.

For example, ProfileA targets the Windows 10 devices group, enables BitLocker,
and doesn't have an applicability rule. ProfileB targets the same Windows 10
devices group, enables BitLocker, and has an applicability rule to only apply the
profile to Windows 10 Enterprise.

When both profiles are assigned, ProfileA is applied because it doesn't have an
applicability rule.

When you assign the profile to the groups, the applicability rules act as a filter, and only
target the devices that meet your criteria.

Add a rule
1. Select Applicability Rules. You can choose the Rule, and Property:

2. In Rule, choose if you want to include or exclude users or groups. Your options:

Assign profile if: Includes users or groups that meet the criteria you enter.
Don't assign profile if: Excludes users or groups that meet the criteria you
enter.

3. In Property, choose your filter. Your options:

OS edition: In the list, check the Windows client editions you want to include
(or exclude) in your rule.

OS version: Enter the min and max Windows client version numbers that you
want to include (or exclude) in your rule. Both values are required.
For example, you can enter 10.0.16299.0 (RS3 or 1709) for minimum version
and 10.0.17134.0 (RS4 or 1803) for maximum version. Or, you can be more
granular and enter 10.0.16299.001 for minimum version and 10.0.17134.319
for maximum version.

For more version numbers, see Windows client release information.

4. Select Add to save your changes.
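
The rule evaluation this section describes, as an added example written for this page and not Intune's own code: it parses the four-part version strings from step 3, applies rules to constructed device records, reports Not applicable for devices outside the criteria, and picks the profile without rules when two applicable profiles carry the same settings. The names Rule, Device, Profile and winning_profile, the sample device names and builds, and the assumption that every rule on a profile must be satisfied are all choices made here; the article does not state how several rules combine.

```python
"""Offline evaluator for Intune-style applicability rules (added example,
not Intune's own code). A rule is either an OS edition list or an OS
version range; "Don't assign profile if" rules exclude devices that match."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a four-part Windows client version such as '10.0.17134.319'.
    Components compare numerically, so '10.0.16299.001' equals
    '10.0.16299.1' and '10.0.17134.319' sorts after '10.0.17134.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {text!r}")
    return parts


@dataclass(frozen=True)
class Device:
    name: str
    edition: str     # Windows client edition, e.g. "Enterprise", "Professional"
    version: str     # OS version string as reported by the device


@dataclass(frozen=True)
class Rule:
    """One row under Applicability Rules: the Rule choice plus one Property."""
    assign: bool                        # True = "Assign profile if", False = "Don't assign profile if"
    editions: Sequence[str] = ()        # Property = OS edition
    min_version: Optional[str] = None   # Property = OS version; both bounds are required
    max_version: Optional[str] = None

    def __post_init__(self) -> None:
        uses_edition = bool(self.editions)
        uses_version = self.min_version is not None or self.max_version is not None
        if uses_edition == uses_version:
            raise ValueError("a rule uses either OS edition or OS version, not both or neither")
        if uses_version and None in (self.min_version, self.max_version):
            raise ValueError("OS version rules need both a minimum and a maximum")

    def criteria_met(self, device: Device) -> bool:
        """True when the device satisfies the property, ignoring assign/don't assign."""
        if self.editions:
            return device.edition in self.editions
        low, high = parse_version(self.min_version), parse_version(self.max_version)
        return low <= parse_version(device.version) <= high


@dataclass
class Profile:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def status_for(self, device: Device) -> str:
        """'Applicable' or 'Not applicable', as the device status would show.
        Assumption (not stated in the article): when a profile carries several
        rules, every rule must be satisfied for the profile to apply."""
        for rule in self.rules:
            met = rule.criteria_met(device)
            if rule.assign and not met:      # include rule not satisfied
                return "Not applicable"
            if not rule.assign and met:      # exclude rule triggered
                return "Not applicable"
        return "Applicable"


def winning_profile(profiles: Sequence[Profile], device: Device) -> Optional[str]:
    """Among applicable profiles with identical settings, the profile without
    applicability rules is the one applied (ProfileA over ProfileB in the
    article). Which of several rule-bearing profiles wins is not defined here."""
    applicable = [p for p in profiles if p.status_for(device) == "Applicable"]
    if not applicable:
        return None
    return min(applicable, key=lambda p: len(p.rules)).name


# The two scenarios from the article expressed as rules.
BELLOWS_RULE = Rule(assign=True, min_version="10.0.16299.0", max_version="10.0.17134.0")
HR_RULE = Rule(assign=True, editions=("Professional", "Enterprise"))

if __name__ == "__main__":
    # Constructed sample devices (names, editions and builds are invented).
    devices = [
        Device("edu-lab-01", "Education", "10.0.16299.125"),
        Device("edu-lab-02", "Education", "10.0.17763.0"),    # above the maximum
        Device("hr-laptop-07", "Enterprise", "10.0.19041.0"),
        Device("hr-tablet-03", "Home", "10.0.19041.0"),
    ]
    bellows = Profile("Bellows College RS3-RS4 restrictions", [BELLOWS_RULE])
    hr = Profile("HR Professional/Enterprise restrictions", [HR_RULE])
    for d in devices:
        print(f"{d.name:13} {bellows.status_for(d):15} {hr.status_for(d)}")
```

The version comparison is deliberately numeric per component rather than a string comparison, which is why the more granular bounds in step 3 (10.0.16299.001, 10.0.17134.319) order correctly against the plain 10.0.16299.0 and 10.0.17134.0 values.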

Policy refresh cycle times

Intune uses different refresh cycles to check for updates to configuration profiles. If the
device recently enrolled, the check-in runs more frequently. Policy and profile refresh
cycles lists the estimated refresh times.

At any time, users can open the Company Portal app, and sync the device to
immediately check for profile updates.

Recommendations
When creating profiles, consider the following recommendations:

Name your policies so you know what they are, and what they do. All compliance
policies and configuration profiles have an optional Description property. In
Description, be specific and include information so others know what the policy
does.

Some configuration profile examples include:

Profile name: Admin template - OneDrive configuration profile for all Windows 10
users

Profile description: OneDrive admin template profile that includes the minimum
and base settings for all Windows 10 users. Created by user@contoso.com to
prevent users from sharing organizational data to personal OneDrive accounts.

Profile name: VPN profile for all iOS/iPadOS users

Profile description: VPN profile that includes the minimum and base settings for
all iOS/iPadOS users to connect to Contoso VPN. Created by user@contoso.com so
users automatically authenticate to VPN, instead of prompting users for their
username and password.

Create your profile by its task, such as configure Microsoft Edge settings, enable
Microsoft Defender anti-virus settings, block iOS/iPadOS jailbroken devices, and so
on.

Create profiles that apply to specific groups, such as Marketing, Sales, IT
Administrators, or by location or school system.

Separate user policies from device policies.

For example, Administrative Templates in Intune have thousands of ADMX settings.
These templates show if a setting applies to users or devices. When creating admin
templates, assign your users settings to a users group, and assign your device
settings to a devices group.

The following image shows an example of a setting that can apply to users, apply
to devices, or apply to both:

Every time you create a restrictive policy, communicate this change to your users.
For example, if you're changing the passcode requirement from four (4) characters
to six (6) characters, let your users know before you assign the policy.

Next steps
Assign the profile and monitor its status.
Monitor device configuration profiles in
Microsoft Intune
Article • 02/22/2023

Intune includes some features to help monitor and manage your device configuration
profiles. For example, you can check the status of a profile, see which devices are
assigned, and update the properties of a profile.

View existing profiles

1. Sign in to the Microsoft Intune admin center.
2. Select Devices > Configuration profiles.

All of your profiles are shown. You also see the platform, the type of profile, and if the
profile is assigned.

Note

For additional reporting information about device configuration profiles, see Intune
reports.

View details on a profile

After you create your device profile, Intune provides graphical charts. These charts
display the status of a profile, such as it being successfully assigned to devices, or if the
profile shows a conflict.

1. In Devices > Configuration profiles, select an existing profile. For example, select a
macOS profile.

2. Select the Overview tab. In this view, the Profile assignment status includes the
following statuses:

Succeeded: Policy is applied successfully.
Error: The policy failed to apply. The message typically displays with an error
code that links to an explanation.
Conflict: Two settings are applied to the same device, and Intune can't sort
out the conflict. An administrator should review.
Pending: The device hasn't checked in with Intune to receive the policy yet.
Not applicable: The device can't receive the policy. For example, the policy
updates a setting specific to iOS 11.1, but the device is using iOS 10.

3. The top graphical chart shows the number of devices assigned to the device
profile. For example, if the configuration device profile applies to macOS devices,
the chart lists the count of the macOS devices.

When you monitor a Windows profile, the count in the Profile assignment status is
per device per user. So, if two users sign in to the same device, then that device is
counted twice.

4. Select the top graphical chart. Or, select Device status. Device status opens.

The devices assigned to the profile are listed, and it shows the deployment status.
Also note that it only lists the devices with the specific platform (for example,
macOS).

Close the Device status details.

5. Select the circle in the bottom graphical chart. Or, select User status. User status
opens.

The users assigned to the profile are listed, and it shows the deployment status.
Also note that it only lists the users with the specific platform (for example,
macOS).

Close the User status details.

6. Back in the Profiles list, select a specific profile.

Properties: Change the policy name, or update any existing configuration
settings. You can also update:
Scope tags: See any existing scope tags used in the policy. Select Edit to
add or remove a scope tag.
Assignments: See the users and groups that receive policy, and see any
existing filters in the policy. Select Edit to update the policy assignment,
and add or remove a filter.
Applicability Rules: On your Windows devices, see the applicability rules
used in the policy. Select Edit to add or remove an applicability rule.

Device and user check-in status: Shows the number of all users or devices
that checked-in with the profile. If one device has multiple users, this report
shows the status for each user. When the user or devices check-in, they
receive the settings in your profile.
Select View report to see the following information:
The devices that received the profile
The user names with devices that received the profile
The check-in status and the last time the user/device checked in with the
profile

You can also select a specific device to get more details and use the filter
column to see the assignment filter options.

Device assignment status: Shows information for the user that last checked-
in. Select Generate report to see the latest profile assignment states for the
devices that received the profile. You can also filter the assignment status to
see only errors, conflicts, and more.

It's normal for the numbers in the Device and user check-in status and
Device assignment status reports to be different.

Per setting status: Shows the individual settings in the profile, and their
status.

Tip

Intune reports is a great resource, and describes all the reporting features you can
use.

View conflicts
In Devices > All devices, you can see any settings that are causing a conflict. When
there's a conflict, you also see all the configuration profiles that contain this setting.
Administrators can use this feature to help troubleshoot, and fix any discrepancies with
the profiles.

1. In Intune, select Devices > All Devices > select an existing device in the list. An end
user can get the device name from their Company Portal app.
2. Select Device configuration. All configuration policies that apply to the device are
listed.
3. Select the policy. It shows you all the settings in that policy that apply to the
device. If a device has a Conflict state, select that row. In the new window, you see
all the profiles, and the profile names that have the setting causing the conflict.

Now that you know the conflicting setting, and the policies that include that setting, it
should be easier to resolve the conflict.

Tip

In Devices > Monitor, a list of all policies is shown. The Assignment failures
(preview) report helps troubleshoot errors and conflicts for configuration profiles
that are assigned. For more information on the available reporting data, see Intune
reports.

Device Firmware Configuration Interface profile reporting

DFCI profiles are reported on a per-setting basis, just like other device configuration
profiles. Depending on the manufacturer's support of DFCI, some settings may not
apply.

With your DFCI profile settings, you may see the following states:

Compliant: This state shows when a setting value in the profile matches the setting
on the device. This state can happen in the following scenarios:
The DFCI profile successfully configured the setting in the profile.
The device doesn't have the hardware feature controlled by the setting, and the
profile setting is Disabled.
UEFI doesn't allow DFCI to disable the feature, and the profile setting is
Enabled.
The device lacks the hardware to disable the feature, and the profile setting is
Enabled.

Not Applicable: This state shows when a setting value in the profile is Enabled or
Allowed, and the matching setting on the device isn't found. This state can happen
if the device hardware doesn't have the feature.

Noncompliant: This state shows when a setting value in the profile doesn't match
the setting on the device. This state can happen in the following scenarios:
UEFI doesn't allow DFCI to disable a setting, and the profile setting is Disabled.
The device lacks the hardware to disable the feature, and the profile setting is
Disabled.
The device doesn't have the latest DFCI firmware version.
DFCI was disabled before being enrolled in Intune using a local "opt-out"
control in the UEFI menu.
The device was enrolled to Intune outside of Autopilot enrollment.
The device wasn't registered to Autopilot by a Microsoft CSP, or registered
directly by the OEM.

Next steps
Common questions, issues, and resolutions with device profiles

Troubleshoot policies and profiles in Intune


Use the settings catalog to configure
settings on Windows, iOS/iPadOS and
macOS devices
Article • 05/01/2023

Settings catalog lists all the settings you can configure, and all in one place. This feature
simplifies how you create a policy, and how you see all the available settings. More
settings are continually being added. For a list of the settings in the settings catalog, go
to the IntunePMFiles / DeviceConfig GitHub repository.

If you prefer to configure settings at a granular level, similar to on-premises GPO, then
the settings catalog is a natural transition to cloud-based policy.

When you create the policy, you start from scratch. You add only the settings you want
to control and manage. For example, you can use the settings catalog to create a
BitLocker policy with all BitLocker settings, and all in one place in Intune.

Use the settings catalog as part of your mobile device management (MDM) solution to
manage and secure devices in your organization.

This feature applies to:

iOS/iPadOS

Includes device settings that are directly generated from Apple Profile-Specific
Payload Keys. More settings and keys are continually being added. To learn more
about profile-specific payload keys, go to Profile-Specific Payload Keys (opens
Apple's website).

Apple's declarative device management (DDM) is built into the settings catalog.
When you configure settings from the settings catalog on iOS/iPadOS 15+ devices
enrolled using User Enrollment, you're automatically using DDM. If DDM doesn't
work for any reason, then these devices use Apple's standard MDM protocol. All
other iOS/iPadOS devices continue to use Apple's standard MDM protocol.

macOS

Includes device settings that are directly generated from Apple Profile-Specific
Payload Keys. More settings and keys are continually being added. To learn more
about profile-specific payload keys, go to Profile-Specific Payload Keys (opens
Apple's website).
Windows 10/11

There are thousands of settings, including settings that haven't been available
before. These settings are directly generated from the Windows configuration
service providers (CSPs). You can also configure Administrative Templates, and
have more Administrative Template settings available. As Windows adds or
exposes more settings to MDM providers, these settings are added quicker to
Microsoft Intune for you to configure.

Tip

For a list of the settings in the settings catalog, go to the IntunePMFiles /
DeviceConfig GitHub repository.
To see the Microsoft Edge policies you have configured, open Microsoft Edge,
and go to edge://policy.

This article lists the steps to create a policy, and shows how to search and filter the
settings in Intune. When you create the policy, it creates a device configuration profile.
You can then assign or deploy this profile to devices in your organization.

For information on some features you can configure using the settings catalog, go to
Tasks you can complete using the Settings Catalog in Intune.

Create the policy

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select macOS, or select Windows 10 and later.
Profile: Select Settings catalog.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is macOS:
MSFT Edge settings or Win10: BitLocker settings for all Win10 devices.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, select Add settings. In the settings picker, select a
category to see all the available settings.

For example, select Windows 10 and later, then select Authentication to see all the
settings in this category:

For example, select macOS. The Microsoft Edge - All category lists all the settings
you can configure, including any new settings. The other categories include
settings that are obsolete, or settings that apply to older versions:

Tip

On macOS, the categories are temporarily removed. To find a specific
setting, use the Microsoft Edge - All category, or search for the setting
name. For a list of the setting names, go to Microsoft Edge - Policies.

Use the Learn more link in the tooltip to see if a setting is obsolete, and
to see the supported versions.

8. Select any setting you want to configure. Or, choose Select all these settings:
After you add your settings, close the settings picker. All the settings are shown,
and configured with a default value, such as Block or Allow. These default values
are the same default values in the OS. If you don't want to configure a setting, then
select the minus:

When you select the minus ( - ):

Intune doesn't change or update this setting. The minus is the same as Not
configured. When set to Not configured, the setting is no longer managed.
The setting is removed from the policy. The next time you open your policy,
the setting isn't shown. You can add it again.
The next time devices check in, the setting is no longer locked. It can be
changed by another policy or by the device user.

Tip

In the Windows setting tooltips, Learn more links to the CSP.

When a setting allows multiple values, it's recommended to add each
value separately.
For example, you can enter multiple values in the Bluetooth > Services
Allowed List setting. Enter each value on a separate line:

You can add multiple values in a single field, but you may experience a
character limit.

9. Select Next.

10. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use RBAC roles and scope tags for distributed IT.

Select Next.

11. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

12. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time the device checks for configuration updates, the settings you configured
are applied.

Find some settings

There are thousands of settings available in the settings catalog. To make it easier to
find specific settings, use the built-in features:

In your policy, use Add settings > Search to find specific settings. You can search
by category, such as browser, search for a keyword, such as office or google, and
search for specific settings.

For example, search for internet explorer. All the settings with internet explorer
are shown. Select a category to see the available settings:
In your policy, use Add settings > Add filter. Select the key, operator, and value.

When you filter on OS Edition, you can filter the settings that apply to specific
Windows editions:

Note

For the Edge, Office, and OneDrive settings, the OS version or edition doesn't
determine if the settings apply. So, if you filter to a specific edition, like
Windows Professional, then the Edge, Office, and OneDrive settings aren't
shown.

You can also filter the settings by device or user scope. For more information on
user scope and device scope, go to Device scope vs. user scope settings (in this
article):

Copy a profile
Select Duplicate to create a copy of an existing profile. Duplicating is useful when you
need a profile that's similar yet distinct from the original one. The copy contains the
same setting configurations and scope tags as the original profile, but doesn't have
assignments attached to it. After you give the new profile a name, you can edit the
profile to adjust the settings and add assignments.

1. Go to Devices > Configuration profiles.
2. Find the profile that you want to copy. Right-click the profile or select the ellipses
context menu (…).
3. Select Duplicate.
4. Enter a new name and description for the policy.
5. Save your changes.

Reporting and conflicts
You create the policy, and assign it to your groups. In the Intune admin center, you can
check the status of your policy. The data refreshes automatically, and operates in near
real time.

1. In the Intune admin center, select Devices > Device configuration profiles. In
the list, select the policy you created using the Settings Catalog. The Profile type
column shows Settings Catalog:

2. When you select the policy, the device status shows. It shows a summary of your
policy state and the policy properties. You can also change or update your policy in
the Configuration settings section:
3. Select View report. The report shows detailed information, including the device
name, the policy status, and more. You can also filter on the deployment status,
and Export the report to a .csv file:

4. You can also look at the states of each setting using the per-setting status. This
status shows the total number of devices affected by each setting in the policy.
You can:

See the number of devices with the setting successfully applied, in conflict, or
in error.
Select the number of devices in compliance, conflict, or error. And, see a list
of users or devices in that state.
Search, sort, filter, export, and go to the next and previous pages.

5. In the admin center, select Devices > Monitor > Assignment failures. If your
Settings Catalog policy failed to deploy because of an error or conflict, it will show
in this list. You can also Export to a .csv file.

6. Select the policy to see the devices. Then, select a specific device to see the setting
that failed, and a possible error code.

Tip

Intune reports is a great resource, and describes all the reporting features you can
use. For information on all the reporting data you can view, go to Intune reports.

Conflicts
Conflicts happen when the same setting is updated to different values. Conflicts can also
happen with policies configured using the settings catalog. For more information on
conflict resolution, see:

Monitor device profiles
Common questions and answers with device policies

Settings catalog vs. templates

When you create the policy, you have two policy types: Settings catalog and Templates:
The Templates include a logical group of settings, such as kiosk, VPN, Wi-Fi, and more.
Use this option if you want to use these groupings to configure your settings.

The Settings catalog lists all the available settings. If you want to see all the available
Firewall settings, or all the available BitLocker settings, then use this option. Also, use
this option if you're looking for specific settings.

Device scope vs. user scope settings

When you select a setting, some settings have a (User) tag or (Device) tag in the
setting name, such as Allow EAP Cert SSO (User) or Grouping (Device). When you see
these tags, the policy only affects the user scope or the device scope.

For more information on user scope and device scope, see the Policy CSP.

Device and user groups are used when you assign your policies. Device and user scopes
describe how a policy is enforced.

Scope assignment behavior

When deploying policy from Intune, you can assign user scope or device scope to any
type of target group. Behavior of the policy per user depends on the scope of the
setting:

User scoped policy writes to HKEY_CURRENT_USER (HKCU).
Device scoped policy writes to HKEY_LOCAL_MACHINE (HKLM).

When a device checks in to Intune, the device always presents a deviceID. The device
may or may not present a userID, depending on the check-in timing and if a user is
signed in.

The following list includes some possible combinations of scope, assignment, and the
expected behavior:

If a device scope policy is assigned to a device, then all users on that device have
that setting applied.
If a device scoped policy is assigned to a user, once that user signs in and an
Intune sync occurs, then the device scope settings apply to all users on the device.
If a user scope policy is assigned to a device, then all users on that device have that
setting applied. This behavior is like a loopback set to merge.
If a user scoped policy is assigned to a user, then only that user has that setting
applied.
There are some settings that are available in the user scope and the device scope.
If one of these settings is assigned to both user and device scope, then user scope
takes precedence over device scope.

If there isn't a user hive during initial check-ins, then you may see some user scope
settings marked as not applicable. This behavior happens in the early moments of a
device before a user is present.
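
How setting scope and assignment target combine at check-in, as an added example that is not Intune code: it walks the combinations listed above, including the user-scope-over-device-scope precedence and the not-applicable result when no user hive exists yet. The Assignment, CheckIn and evaluate names, the device and user IDs, and the setting values are all constructed for this example; the only thing taken from the article is the mapping of device scope to HKLM and user scope to HKCU.

```python
"""Model of how Intune setting scope (User/Device) and assignment target
(user group/device group) combine at check-in. Added example, not Intune
code; the check-in and assignment records below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HKLM = "HKEY_LOCAL_MACHINE"   # device-scoped settings are written here
HKCU = "HKEY_CURRENT_USER"    # user-scoped settings are written here, per user hive


@dataclass(frozen=True)
class Assignment:
    setting: str     # base setting name, e.g. "Grouping" for "Grouping (Device)"
    scope: str       # "Device" or "User": the tag on the setting name
    target: str      # "device" (assigned to a device group) or "user" (user group)
    member: str      # the deviceID or userID that belongs to the assigned group
    value: str


@dataclass(frozen=True)
class CheckIn:
    device_id: str               # a deviceID is always presented
    user_id: Optional[str]       # None when no user is signed in at check-in
    local_users: frozenset       # user hives that already exist on the device


@dataclass
class Outcome:
    # setting -> principal -> (registry root, value); "<device>" is the HKLM copy
    effective: Dict[str, Dict[str, Tuple[str, str]]] = field(default_factory=dict)
    not_applicable: List[str] = field(default_factory=list)


def evaluate(assignments: List[Assignment], checkin: CheckIn) -> Outcome:
    """Apply the scope/assignment combinations from the article to one check-in."""
    out = Outcome()
    device_values: Dict[str, str] = {}
    user_values: Dict[str, Dict[str, str]] = {}
    users = set(checkin.local_users)
    if checkin.user_id:
        users.add(checkin.user_id)

    for a in assignments:
        # A device-group assignment matches on deviceID; a user-group
        # assignment only matches once that user signs in and a sync occurs.
        targeted = (a.target == "device" and a.member == checkin.device_id) or (
            a.target == "user" and a.member == checkin.user_id)
        if not targeted:
            continue
        if a.scope == "Device":
            # Device scope: one HKLM value that every user on the device gets,
            # whether the policy was assigned to the device or to a signed-in user.
            device_values[a.setting] = a.value
            continue
        # User scope assigned to a user: only that user. Assigned to a
        # device: every user on the device (like loopback set to merge).
        recipients = {a.member} if a.target == "user" else users
        if not recipients:
            # Early check-in with no user hive yet: nothing to write under HKCU.
            out.not_applicable.append(a.setting)
            continue
        for u in recipients:
            user_values.setdefault(a.setting, {})[u] = a.value

    for setting, value in device_values.items():
        out.effective[setting] = {"<device>": (HKLM, value)}
        out.effective[setting].update({u: (HKLM, value) for u in users})
    for setting, per_user in user_values.items():
        # Same setting in both scopes: the user-scope value wins for that user.
        out.effective.setdefault(setting, {}).update(
            {u: (HKCU, v) for u, v in per_user.items()})
    return out


# Constructed sample: one shared device, two user hives, five assignments.
SAMPLE_ASSIGNMENTS = [
    Assignment("Grouping", "Device", "device", "dev-42", "2"),
    Assignment("AllowEAPCertSSO", "Device", "device", "dev-42", "0"),
    Assignment("AllowEAPCertSSO", "User", "user", "alice", "1"),
    Assignment("ScreenTimeout", "User", "device", "dev-42", "600"),
    Assignment("Wallpaper", "Device", "user", "bob", "corp.jpg"),
]

if __name__ == "__main__":
    signed_in = evaluate(SAMPLE_ASSIGNMENTS,
                         CheckIn("dev-42", "alice", frozenset({"alice", "bob"})))
    for setting, who in signed_in.effective.items():
        print(setting, who)
    first_boot = evaluate(SAMPLE_ASSIGNMENTS, CheckIn("dev-42", None, frozenset()))
    print("not applicable before a user exists:", first_boot.not_applicable)
```

Running the sample with alice signed in shows AllowEAPCertSSO as HKCU=1 for alice but HKLM=0 for bob, ScreenTimeout under HKCU for both users even though it was assigned to the device, and no Wallpaper at all because the user it was assigned to has not synced yet; the first-boot check-in reports ScreenTimeout as not applicable.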

Next steps
Tasks you can complete using the Settings Catalog in Intune
Create a Universal Print policy in Microsoft Intune
Be sure to assign the profile, and monitor its status.
Tasks you can complete using the
Settings Catalog in Intune
Article • 02/28/2023

Using the settings catalog in the Microsoft Intune admin center, you can access many
settings that manage apps and features on your devices.

This article lists and describes some of the features you can configure in the settings
catalog.

For more information on the settings catalog, and what it is, go to Use the settings
catalog to configure settings on Windows and macOS devices. To see all the settings
you can configure, create a settings catalog policy.

This feature applies to:

iOS/iPadOS
macOS
Windows 11
Windows 10

Configure Microsoft Edge and Google Chrome

This feature applies to:

macOS
Windows 11
Windows 10

These web browser settings are built in, and can be configured & deployed to your
managed devices. On Windows devices, you can also configure Google Chrome.
Previously, to configure Google Chrome settings on Windows devices, you created a
custom OMA-URI device configuration policy.

Add universal printers

This feature applies to:

Windows 11
Windows 10 and later

You can create a universal print policy, add printers, and then deploy this printer list to
your managed users. When the policy is deployed, it automatically installs the printers
you added. Users can see these printers, and select a printer from your list.

For more information, go to Create a Universal Print policy in Microsoft Intune.

Previously, to configure Universal Print settings, you used the Universal Print printer
provisioning tool, which requires more manual steps, and has some limitations.

Built-in macOS features replacing plist files

This feature applies to:

macOS

On macOS, you can use property list (plist) files to configure features and settings that
aren't built in to Intune. Some of these feature settings are now available in the settings
catalog:
Microsoft Edge version 77 and newer: For a list of the settings you can configure,
go to Microsoft Edge - Policies (opens another Microsoft website).

Previously, you had to use a property list (plist) file to configure Microsoft Edge
(opens another Microsoft website).

Microsoft Defender for Endpoint: For a list of the settings you can configure, go
to Set preferences for Microsoft Defender for Endpoint on macOS (opens another
Microsoft website).

Previously, you had to use a property list (plist) file to configure Microsoft
Defender for Endpoint (opens another Microsoft website).

Microsoft AutoUpdate (MAU), Microsoft Office and Microsoft Outlook: For a list
of the settings you can configure, go to:

Use preferences to manage privacy controls for Office for Mac - Deploy Office

Set preferences for Outlook for Mac - Deploy Office

Set a deadline for updates from Microsoft AutoUpdate

For a list of apps that support MAU, go to Update Microsoft applications for
Mac by using msupdate.

Previously, you had to use a property list (plist) file to configure these features for
Mac (opens another Microsoft website).

Be sure macOS is listed as a supported platform. If some settings aren't available in the
settings catalog, then it's recommended to continue using the preference file.

Learn more
Use the settings catalog to configure settings on Windows and macOS devices
Create a Universal Print policy in Microsoft Intune
Create a Universal Print policy in
Microsoft Intune
Article • 05/24/2023

Many organizations are moving their printer infrastructure to the cloud. Universal Print
is a cloud-based printing solution in Microsoft 365. It uses built-in cloud printers, built-
in legacy printers, and runs entirely in Microsoft Azure.

When Universal Print is deployed with Universal Print-compatible printers, it doesn't
require any on-premises infrastructure. For a guided simulation, go to Universal Print
guided simulation.

Using the settings catalog in Intune, you can create a printer policy, and deploy the
policy to your managed users and devices. Then, on their devices, end users select the
printer from a list of registered Universal Print printers to print.

This feature applies to:

Windows 11
Windows 10 21H2 with July 2022 update and later

This article shows you how to create a Universal Print policy in Microsoft Intune. To learn
more about Universal Print and onboarding, go to What is Universal Print and Set up
Universal Print.

Tip

The PrintProvisioning tool and the printers.csv file process is deprecated. Be sure
to use the steps in this article to install universal printers.

Before you begin


To use this feature, you need the following subscriptions:

Universal Print: For more specific information, go to License Universal Print.
Microsoft Intune: For more specific information, go to Microsoft Intune licensing.

Every printer must be registered in the Universal Print service (UP), which uses
Azure AD. To create the Intune policy, you need the device ID, printer shared ID,
and printer shared name. For more specific information, go to What is printer registration?

Admin accounts need the following roles/licenses:

Printer Administrator or Global Administrator roles: Needed to add printers.
For more information on these roles, go to Azure AD built-in roles.

Intune Administrator or Global Administrator roles: Needed to create and
assign Intune policies. For more information on these roles, go to Role-based
access control (RBAC) with Microsoft Intune.

An assigned Universal Print license.

End user accounts need the following permissions/licenses:


An assigned Universal Print license
Have access rights to the printer service and the Universal Print service

If the profile is assigned to an Azure AD user/user group that can't access the
printers because of permissions, then Intune grants the assigned user/user group
the permissions.

These settings use the UniversalPrint CSP.

Create the policy


This policy includes your printer information. When you assign the policy, the printers
are automatically installed. Then, on their devices, users select a printer that you added.

1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.


Profile: Select Settings catalog.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Win11:
Universal Print policy.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, select Add settings. In the settings picker, select Printer
Provisioning, and select the settings you want to configure.

Close the settings picker.

8. Configure the settings:

Action: Select Install to install a printer. When users receive the policy, the
printer will automatically install. Select Uninstall to uninstall a printer.
Cloud Device ID: Enter the printer ID. This ID is created when the printer is
registered in Azure AD using the Universal Print service. To get the ID, use the
Universal Print portal.
Printer Shared ID: Enter the Shared ID of the printer. To get the ID, use the
Universal Print portal.
Printer Shared Name: Enter the Shared Name of the printer. To get the name,
use the Universal Print portal.

You can add more printers using the Add button:


9. Select Next.

10. In Scope tags (optional), assign a tag to filter the profile to specific IT groups. For
more information about scope tags, see Use RBAC roles and scope tags for
distributed IT.

Select Next.

11. In Assignments, select the users that will receive your profile.

These user accounts need access rights to the printer and the Universal Print
service. If the profile is assigned to an Azure AD user/user group that can't access
the printers because of permissions, then Intune grants the assigned user/user
group the permissions.

If users don't have permissions, then the following message is shown:

log

The selected groups may not have Universal Print permissions to selected printers.
If this is the case, Intune will provide these groups with the correct permissions.

For more information on assigning profiles in Intune, go to Assign user and device
profiles. For more information on user scope vs. device scope in the settings
catalog, go to Use the settings catalog to configure settings: Device scope vs. user
scope settings.

Select Next.

12. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Failures and reporting


After you assign the profile, you can monitor its status. The Intune reports show if a
profile successfully applied, failed, has conflicts, and more. For more specific
information, go to Monitor device configuration profiles in Microsoft Intune.

For information on all the reporting data you can view, go to Intune reports.
Common issues
When you deploy the printer policy, you might get an Error 0x8007007f
(ERROR_PROC_NOT_FOUND) message.

ERROR_PROC_NOT_FOUND is a very common error, and is usually associated with
missing delay-loaded DLLs or missing APIs.

To resolve this error, make sure your Windows OS client version is supported. The
supported versions are listed at the top of this article.

If a printer is removed from the Universal Print service, unshared, or if permissions
are removed, then the Intune policy will fail to install the printer.

Make sure the printer is discoverable on the device. If users can't discover or install
the printer manually, then the Intune policy will also fail to install the printer.

For more information and possible steps, go to Unable to discover printers on the
client .

Make sure the SharedID and PrinterID are entered correctly in the Intune policy.

In some cases, the PrinterID and SharedID are reversed, which prevents the printer
from being discovered. For more information on these settings, go to Create the
policy (in this article).

The Application event log may show errors related to Universal Print.

Enable tracing
If the common issues (in this article) don't resolve your issue, you can use Fiddler
tracing, the Print-Collect script, and UPPrinterInstaller.exe to resync the Intune
installation of the universal printer. You can review these logs for possible issues. You
can also work with the Intune support team to review and analyze these logs.

For more information and specific steps, go to Universal Print troubleshooting guide -
Use PrintCollect, Fiddler, and UPPrinterInstaller.

Learn more
What is Universal Print
Use the settings catalog to configure settings on Windows and macOS devices
Create a profile with custom settings in Intune
Article • 02/22/2023

Microsoft Intune includes many built-in settings to control different features on a
device. You can also create custom profiles, which you create in much the same way as built-in profiles.
Custom profiles are great when you want to use device settings and features that aren't
built in to Intune. These profiles include features and settings for you to control on
devices in your organization. For example, you can create a custom profile that sets the
same feature for every iOS/iPadOS device.

This feature applies to:

Android device administrator
Android Enterprise personally owned devices with a work profile
iOS/iPadOS
macOS
Windows 10/11

Custom settings are configured differently for each platform. For example, to control
features on Android and Windows devices, you can enter Open Mobile Alliance Uniform
Resource Identifier (OMA-URI) values. For Apple devices, you can import a file you
created with the Apple Configurator or Apple Profile Manager .

For more information on configuration profiles, see What are Microsoft Intune device
profiles?.

This article shows you how to create a custom profile for Android device administrator,
Android Enterprise, iOS/iPadOS, macOS, and Windows. You can also see all the available
settings for the different platforms.

Create the profile


1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose the platform of your devices. Your options:

Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 10 and later

Profile: Select Custom. Or, select Templates > Custom.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is Windows 10/11:
Custom profile that enables AllowVPNOverCellular custom OMA-URI.
Description: Enter a description for the policy. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Choose your platform for detailed settings:

Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 10/11
Windows Holographic for Business

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, see Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Example
In the following example, the Connectivity/AllowVPNOverCellular setting is enabled.
This setting allows a Windows client device to open a VPN connection when on a
cellular network.

Next steps
The profile is created, but it may not be doing anything yet. Next, assign the profile and
monitor its status.
Use WDAC and Windows PowerShell to allow or block apps on HoloLens 2 devices with Microsoft Intune
Article • 05/24/2023

Microsoft HoloLens 2 devices support the Windows Defender Application Control
(WDAC) CSP, which replaces the AppLocker CSP.

Using Windows PowerShell and Microsoft Intune, you can use the WDAC CSP to allow or
block specific apps from opening on Microsoft HoloLens 2 devices. For example, you
may want to allow or prevent the Cortana app from opening on HoloLens 2 devices in
your organization.

This feature applies to:

HoloLens 2 devices running Windows Holographic for Business

The WDAC CSP is based on the Windows Defender Application Control (WDAC) feature.
You can also use multiple WDAC policies.

This article shows you how to:

1. Use Windows PowerShell to create WDAC policies.
2. Use Windows PowerShell to convert the WDAC policy rules to XML, update the
XML, and then convert the XML to a binary file.
3. In Microsoft Intune, create a custom device configuration profile, add this WDAC
policy binary file, and apply the policy to your HoloLens 2 devices.

In Intune, you must create a custom configuration profile to use the Windows Defender
Application Control (WDAC) CSP.

Use the steps in this article as a template to allow or deny specific apps from opening
on HoloLens 2 devices.

Prerequisites
Be familiar with Windows PowerShell.

Sign in to Intune as a member of:

Policy and Profile Manager or Intune Role Administrator Intune role

OR

Global Administrator or Intune Service Administrator Azure AD role

For more information on Intune roles, go to Role-based access control (RBAC) with
Intune.

Create a user group or devices group with your HoloLens 2 devices. For more
information on groups, go to User groups vs. device groups.

Example
This example uses Windows PowerShell to create a Windows Defender Application
Control (WDAC) policy. The policy prevents specific apps from opening. Then, use Intune
to deploy the policy to HoloLens 2 devices.

1. On your desktop computer, open the Windows PowerShell app.

2. Get information about the installed application package on your desktop
computer and HoloLens:

PowerShell

$package1 = Get-AppxPackage -name *<applicationname>*

For example, enter:

PowerShell

$package1 = Get-AppxPackage -name Microsoft.MicrosoftEdge

Next, confirm the package has application attributes:

PowerShell

$package1

App details similar to the following attributes are shown:

PowerShell

Name              : Microsoft.MicrosoftEdge
Publisher         : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture      : Neutral
ResourceId        :
Version           : 44.20190.1000.0
PackageFullName   : Microsoft.MicrosoftEdge_44.20190.1000.0_neutral__8wekyb3d8bbwe
InstallLocation   : C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
IsFramework       : False
PackageFamilyName : Microsoft.MicrosoftEdge_8wekyb3d8bbwe
PublisherId       : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle          : False
IsDevelopmentMode : False
NonRemovable      : True
IsPartiallyStaged : False
SignatureKind     : System
Status            : Ok

3. Create a WDAC policy, and add the app package to the DENY rule:

PowerShell

$rule = New-CIPolicyRule -Package $package1 -Deny

4. Repeat steps 2 and 3 for any other applications you want to DENY:

PowerShell

$rule += New-CIPolicyRule -Package $package<2..n> -Deny

For example, enter:

PowerShell

$package2 = Get-AppxPackage -name *windowsstore*

$rule += New-CIPolicyRule -Package $package2 -Deny

5. Convert the WDAC policy to newPolicy.xml:

Note

You can block apps that are only installed on HoloLens devices. For more
information, go to package family names for apps on HoloLens.

PowerShell

New-CIPolicy -Rules $rule -FilePath .\newPolicy.xml -UserPEs

To target all versions of an app, in newPolicy.xml, be sure
PackageVersion="65535.65535.65535.65535" is in the Deny node:

XML

<Deny ID="ID_DENY_D_1"
FriendlyName="Microsoft.WindowsStore_8wekyb3d8bbwe FileRule"
PackageFamilyName="Microsoft.WindowsStore_8wekyb3d8bbwe"
PackageVersion="65535.65535.65535.65535" />

For PackageFamilyNameRules, you can use the following versions:

Allow: Enter PackageVersion 0.0.0.0, which means "Allow this version and
above".
Deny: Enter PackageVersion 65535.65535.65535.65535, which means "Deny
this version and below".

6. If you plan to deploy and run any apps that didn't originate from the Microsoft
Store, such as line of business apps (see App Management), then explicitly allow
these apps by adding their signer to the WDAC policy.

Note

Using WDAC and LOB apps is currently only available in Windows Insiders
features for HoloLens.

For example, you plan on deploying ATestApp.msix. ATestApp.msix is signed by the
TestCert.cer certificate. Use the following Windows PowerShell script to add the
signer to the WDAC policy:

PowerShell

Add-SignerRule -FilePath .\newPolicy.xml -CertificatePath .\TestCert.cer -User

7. Merge newPolicy.xml with the default policy that's on your desktop computer. This
step creates mergedPolicy.xml. For example, allow the Windows, WHQL signed
drivers, and Store signed apps to run:

PowerShell

Merge-CIPolicy -PolicyPaths .\newPolicy.xml,C:\Windows\Schemas\codeintegrity\examplepolicies\DefaultWindows_Audit.xml -OutputFilePath mergedPolicy.xml

8. Disable the Audit mode rule in mergedPolicy.xml. When you merge, audit mode is
automatically turned on:

PowerShell

Set-RuleOption -o 3 -Delete .\mergedPolicy.xml

9. Enable the InvalidateEAs on a reboot rule in mergedPolicy.xml:

PowerShell

Set-RuleOption -o 15 .\mergedPolicy.xml

For more information on these rules, go to Understand WDAC policy rules and file
rules.

10. Convert mergedPolicy.xml to binary format. This step creates compiledPolicy.bin.
In a later step, you add this compiledPolicy.bin binary file to Intune.

PowerShell

ConvertFrom-CIPolicy .\mergedPolicy.xml .\compiledPolicy.bin

11. Create the custom device configuration profile in Intune:

a. In the Microsoft Intune admin center , create a Windows 10/11 custom device
configuration profile.

For the specific steps, go to Create a custom profile using OMA-URI in Intune.

b. When you create the profile, enter the following settings:

OMA-URI: Enter ./Vendor/MSFT/ApplicationControl/Policies/<PolicyGUID>/Policy. Replace
<PolicyGUID> with the PolicyTypeID node in the mergedPolicy.xml file you
created in step 6.

Using our example, enter
./Vendor/MSFT/ApplicationControl/Policies/A244370E-44C9-4C06-B551-F6016E563076/Policy.

The policy GUID must match the PolicyTypeID node in the mergedPolicy.xml
file (created in step 6).

The OMA-URI uses the ApplicationControl CSP. For more information on the
nodes in this CSP, go to ApplicationControl CSP.

Data type: Set to Base64 file. It automatically converts the file from bin to
base64.

Certificate file: Upload the compiledPolicy.bin binary file (created in step 10).

Your settings look similar to the following settings:

12. When the profile is assigned to your HoloLens 2 group, check the profile status.
After the profile successfully applies, reboot the HoloLens 2 devices.
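An added example, not a script from the article: steps 2 through 11 above collected into one PowerShell script that also checks the merged policy before you upload it. It assumes the ConfigCI cmdlets on a Windows desktop, the DefaultWindows_Audit.xml path used above, and the single-policy XML format the article produces; the package names, file names and optional signer certificate are placeholders you replace.

```powershell
# Added example (not from the Intune article). Builds a HoloLens 2 WDAC deny policy
# end to end and validates the artefacts that the custom profile in Intune depends on.
# Assumptions: ConfigCI module present, single-policy XML format (PolicyTypeID element),
# package names below are placeholders. Run in an elevated PowerShell session.
param(
    [string[]]$DenyPackageNames = @('Microsoft.MicrosoftEdge', 'Microsoft.WindowsStore'),
    [string]$BasePolicy = 'C:\Windows\Schemas\codeintegrity\examplepolicies\DefaultWindows_Audit.xml',
    [string]$SignerCert = '',    # e.g. .\TestCert.cer for a line-of-business app (optional)
    [string]$WorkDir = (Get-Location).Path
)

$ErrorActionPreference = 'Stop'
$newPolicy      = Join-Path $WorkDir 'newPolicy.xml'
$mergedPolicy   = Join-Path $WorkDir 'mergedPolicy.xml'
$compiledPolicy = Join-Path $WorkDir 'compiledPolicy.bin'

# Steps 2-4: one Deny rule per installed package family name.
$rules = @()
foreach ($name in $DenyPackageNames) {
    $package = Get-AppxPackage -Name $name | Select-Object -First 1
    if (-not $package) { throw "Package '$name' is not installed on this desktop; no rule could be built." }
    $rules += New-CIPolicyRule -Package $package -Deny
}

# Step 5: write the rules to newPolicy.xml.
New-CIPolicy -Rules $rules -FilePath $newPolicy -UserPEs

# Step 6 (optional): trust the signer of apps that do not come from the Store.
if ($SignerCert) {
    Add-SignerRule -FilePath $newPolicy -CertificatePath $SignerCert -User
}

# Step 7: merge with the desktop's default audit policy.
Merge-CIPolicy -PolicyPaths $newPolicy, $BasePolicy -OutputFilePath $mergedPolicy | Out-Null

# Steps 8-9: drop audit mode (option 3) and enable "invalidate EAs on reboot" (option 15).
Set-RuleOption -FilePath $mergedPolicy -Option 3 -Delete
Set-RuleOption -FilePath $mergedPolicy -Option 15

# Checks before compiling: these are the mistakes the article warns about.
[xml]$policyXml = Get-Content -Path $mergedPolicy

# (a) A policy still in audit mode logs instead of blocking; refuse to ship it.
$options = @($policyXml.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
if ($options -contains 'Enabled:Audit Mode') { throw 'mergedPolicy.xml is still in audit mode.' }

# (b) Every Deny rule should cover all versions (65535.65535.65535.65535 = "this and below").
$denyRules = @($policyXml.SiPolicy.FileRules.Deny | Where-Object { $_ })
$partial = @($denyRules | Where-Object { $_.PackageVersion -ne '65535.65535.65535.65535' })
if ($partial.Count -gt 0) {
    Write-Warning ('Deny rules that do not cover all versions: ' + ($partial.FriendlyName -join ', '))
}
if ($denyRules.Count -lt $DenyPackageNames.Count) { throw 'Fewer Deny rules than requested packages.' }

# Step 10: compile to the binary that the custom profile uploads.
ConvertFrom-CIPolicy -XmlFilePath $mergedPolicy -BinaryFilePath $compiledPolicy | Out-Null

# Step 11b: the GUID in the OMA-URI must equal PolicyTypeID, without the braces.
$policyGuid = $policyXml.SiPolicy.PolicyTypeID.Trim('{}')
$omaUri = "./Vendor/MSFT/ApplicationControl/Policies/$policyGuid/Policy"

# Summary to copy into the Intune custom profile.
[pscustomobject]@{
    DenyRules    = $denyRules.Count
    PolicyTypeID = $policyGuid
    OmaUri       = $omaUri
    BinaryFile   = $compiledPolicy
    BinarySizeKB = [math]::Round((Get-Item $compiledPolicy).Length / 1KB, 1)
}
```

The OmaUri value goes in the profile's OMA-URI field and compiledPolicy.bin in the Certificate file field; a non-matching GUID or an audit-mode policy both produce a profile that applies but blocks nothing.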

Next steps
Assign the profile, and monitor its status.

Learn more about custom profiles in Intune.


Use custom Bash scripts to configure Linux devices in Microsoft Intune
Article • 04/05/2023

Important

Custom configuration profiles shouldn't be used for sensitive information, such as
WiFi connections or authenticating apps, sites, and more.

Using Microsoft Intune, you can add or create custom configuration settings for your
Linux devices using custom Bash scripts. They're designed to add device settings and
features that aren't built in to Intune.

In Intune, you import an existing Bash script, and then assign the script policy to your
Linux users and devices. Once assigned, the settings are distributed. They also create a
baseline or standard for Linux in your organization.

This article lists the steps to add an existing script and has a GitHub repo with some
sample scripts.

Prerequisites
Linux Ubuntu Desktop: For a list of the supported versions, go to Supported
operating systems and browsers in Intune.
Linux devices are enrolled in Intune. For more information on Linux enrollment, go
to Enrollment guide: Enroll Linux desktop devices in Microsoft Intune.

Import the script


1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Scripts > Add > Linux:


3. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later.
Description: Enter a description for the policy. This setting is optional, but
recommended.

4. Select Next.

5. In Configuration settings, configure the following settings:

Execution context: Select the context the script is executed in. Your options:
User (default): When a user signs in to the device, the script runs. If a user
never signs into the device, or there isn't any user affinity, then the script
doesn't run.
Root: The script will always run (with or without users logged in) at the
device level.

Execution frequency: Select how frequently the script is executed. The default
is Every 15 minutes.

Execution retries: If the script fails, enter how many times Intune should retry
running the script. The default is No retries.

Execution Script: Select the file picker to upload an existing Bash script. Only
add .sh files.

Microsoft has some sample Bash scripts at
https://github.com/microsoft/shell-intune-samples/tree/master/Linux.

Bash Script: After you add an existing Bash script, the script text is shown.
You can edit this script.

6. Select Next.

7. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, see Use RBAC and scope tags for distributed IT.

Select Next.

8. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

9. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Next steps
You can also run shell scripts on macOS and Windows.
Configure device restriction settings in Microsoft Intune
Article • 02/22/2023

Important

On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.

Intune includes device restriction policies that help administrators control Android,
iOS/iPadOS, macOS, and Windows devices. These restrictions let you control a wide
range of settings and features to protect your organization's resources. For example,
administrators can:

Allow or block the device camera.
Control access to Google Play, app stores, viewing documents, and gaming.
Block built-in apps, or create a list of apps that are allowed or prohibited.
Allow or prevent backing up files to cloud and storage accounts.
Set a minimum password length, and block simple passwords.

These features are available in Intune, and are configurable by the administrator. Intune
uses "configuration profiles" to create and customize these settings for your
organization's needs. After you add these features in a profile, you can then push or
deploy the profile to devices in your organization.

This feature applies to:

Android device administrator
Android Open Source Project (AOSP)
Android Enterprise personally owned devices with a work profile
iOS/iPadOS
macOS
Windows 11
Windows 10
Windows 8.1

This article shows you how to create a device restrictions profile. You can also see all the
available settings for the different platforms.

Create the profile


1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose the platform of your devices. Your options:


Android device administrator
Android (AOSP)
Android Enterprise
iOS/iPadOS
macOS
Windows 10 and later
Windows 8.1 and later

Profile: Select Device restrictions. Or, select Templates > Device restrictions.

To create a device restrictions profile for Windows 10 Team devices, such as
Surface Hub, choose Device restrictions (Windows 10 Team).

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is iOS/iPadOS:
Block camera on devices.
Description: Enter a description for the policy. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Choose your platform for detailed settings:

Android device administrator
Android (AOSP)
Android Enterprise corporate-owned devices and BYOD personally owned
devices
iOS/iPadOS
macOS
Windows 8.1
Windows 10/11
Windows 10 Team
Windows Holographic for Business

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, see Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Next steps
After the profile is created, it's ready to be assigned. Be sure to assign the profile and
monitor its status.
Add email settings to devices using Intune
Article • 04/25/2023

Microsoft Intune includes different email settings you can deploy to devices in your
organization. Email device configuration profiles include the connection settings used by
your email app to access organization email.

Most platforms have a native or built-in email app on the device. Using Intune, you can
configure the built-in email app or deploy other email apps that connect to your email
system, like Microsoft Exchange. End users then connect, authenticate, and synchronize
their organizational email accounts on their devices.

By creating and deploying an email profile, you can confirm settings are standard across
many devices. And, help reduce support calls from end users who don't know the
correct email settings.

You can use email profiles to configure email settings for the following devices:

Android device administrator on Samsung Knox Standard 5.0 and newer
Android Enterprise personally owned devices with a work profile
iOS 11.0 and newer
iPadOS 13.0 and newer
Windows 11
Windows 10

This article shows you how to create an email profile in Microsoft Intune. It also includes
links to the different platforms for more specific settings.

Before you begin


Email profiles are deployed for the user who enrolled the device. To configure the
email profile, Intune uses the Azure Active Directory (Azure AD) properties in the
email profile of the user during enrollment. The email app your organization uses
must support Azure AD identities.

Email is based on identity and user settings. Email profiles are typically assigned to
user groups, not device groups. Some considerations:

If the email profile includes user certificates, then assign the email profile to
user groups. You may have multiple user certificate profiles that are assigned.
These multiple profiles create a chain of profile deployments. Deploy this profile
chain to user groups.

If one profile in this chain is deployed to a device group, users may be
continuously prompted to enter their password.

Device groups are typically used when there's not a primary user, or if you don't
know who the user will be. Email profiles targeted to device groups (not user
groups) may not be delivered to the device.

For example, your email profile targets an all iOS/iPadOS devices group. Be sure
all these devices have a user.
If any device doesn't have a user, then the email profile may not deploy. You
limit the profile, and could miss some devices.
If the device has a primary user, then deploying to device groups should
work.

For more information on possible issues with using device groups, see Common
issues with email profiles.

Step 1 - Deploy your email app


On user devices, you decide the email apps that can connect to and access organization
email. You also need to determine the email apps your organization allows, and then
deploy the email app to your users.

After the email app is deployed, then you can create and deploy an email device
configuration profile, if it's needed. Depending on the platform and email app you
choose, you can use an app configuration policy or an email device configuration profile
to preconfigure the email app with your organization settings.

This section describes some of the common email apps you can use, and the policy or
profile type you can use for each platform.

Android Enterprise
In Intune, you can use organization owned devices and personally owned devices:

Android Enterprise organization owned devices: These devices are owned by the
organization, are enrolled in Intune, and are fully managed by you.

These devices have a built-in email app that's typically hidden when the device
enrolls in Intune. This behavior also depends on the OEM, so it can be different on
your devices.

The built-in email app is also considered a system app. For more information on
system apps and Intune, go to Manage Android Enterprise system apps in
Microsoft Intune.

Android Enterprise personally owned devices with a work profile: These devices
are owned by end users. Users enroll their devices and a work profile is
automatically created. You manage the work profile, including apps and data in the
work profile.

For more information on the enrollment options for personal devices, go to
Deployment guide: Enroll Android devices - BYOD: Android Enterprise personally
owned devices with a work profile.

These personal devices have a built-in email app that isn't typically used for
organization email. Organizations that use conditional access (CA) can create CA
policies to block native mail apps, or only allow specific apps.

Email app options for Android Enterprise

On both types of Android Enterprise devices, you can add and deploy an email app.
Your options:

Outlook

The Microsoft Outlook app is available in the managed Play Store. To use Outlook
as the email app, add the Outlook app to Intune, and assign the app to your users
or user groups. The app also installs.

After the app is deployed and installed:

If you want to customize Outlook or preconfigure it with your organization
settings, then you can create an app configuration policy (opens another
Microsoft article). When the policy is ready, deploy this app configuration
policy to your users or user groups. App configuration policies are optional.

If you don't want to customize Outlook or preconfigure it for your users, you
don't have to. After Outlook is installed, users need to enter the information
that connects to their work or school account, like the email server link and
more.
For more information on app configuration policies, go to:

App configuration policies in Microsoft Intune
Add app configuration policies for managed Android Enterprise devices
Manage messaging collaboration access by using Outlook for iOS and Android
with Microsoft Intune
Deploying Outlook for iOS and Android app configuration settings in Exchange
Online

Tip

When you create an app configuration policy, you select the enrollment type:
Managed devices or Managed apps. Be sure you know what to choose.

For more information on these options, go to App configuration policies for
Microsoft Intune.

iOS/iPadOS
In Intune, you can use organization owned devices and personally owned devices:

Organization owned devices: These devices are owned by the organization, are
enrolled in Intune, and are fully managed by you.

Personally owned devices: These devices are owned by end users. Users can enroll
their entire devices in Intune to be fully managed by you. Or, they can enroll only
the apps that will access organization data.

For more information on the enrollment options for personal devices, go to
Deployment guide: Enroll iOS and iPadOS devices - BYOD User and Device
enrollment.

Depending on the enrollment method for personal devices, it's also recommended
to use app protection policies on the email app.

Email app options for iOS/iPadOS


On all iOS/iPadOS devices, you can add and deploy an email app. Your options:

Outlook
The Microsoft Outlook app is available in the App Store. To use Outlook as the
email app, add the Outlook app to Intune, and assign the app to your users or user
groups. The app also installs.

After the app is deployed and installed:

If you want to customize Outlook or preconfigure it with your organization
settings, then you can create an app configuration policy (opens another
Microsoft article). When the policy is ready, deploy this app configuration
policy to your users or user groups. App configuration policies are optional.

If you don't want to customize Outlook or preconfigure it for your users, you
don't have to. After Outlook is installed, users need to enter the information
that connects to their work or school account, like the email server link and
more.

For more information on app configuration policies, go to:

App configuration policies in Microsoft Intune
Add app configuration policies for managed iOS/iPadOS devices
Deploying Outlook for iOS and Android app configuration settings in Exchange
Online

Tip

When you create an app configuration policy, you select the enrollment type –
Managed devices or Managed apps. Be sure you know what to choose.

For more information on these options, go to App configuration policies for
Microsoft Intune.

Windows client
In Intune, you can use organization owned devices and personally owned devices:

Organization owned devices: These devices are owned by the organization, are
enrolled in Intune, and are fully managed by you.

Personally owned devices: These devices are owned by end users. Users can enroll
their entire devices in Intune to be fully managed by you.

For more information on the enrollment options for personal devices, go to
Deployment guide: Enroll Windows devices - BYOD: User enrollment.

Email app options for Windows client

On all Windows devices, you can add and deploy an email app. Your options:

Outlook

The Microsoft Outlook app is available in the Microsoft 365 Apps suite. To use
Outlook as the email app, add the Outlook app to Intune as part of Microsoft 365
Apps, and assign the app to your users or user groups. When assigned as required,
Intune installs it on the targeted devices.

After the app is deployed and installed:

If you want to customize Outlook or preconfigure it with your organization
settings, then you can create an email device configuration profile (in this
article). When the profile is ready, deploy this email device configuration
profile to your users or user groups. The profile includes the settings that
connect the Outlook app to your email system, such as Microsoft Exchange.
Email device configuration profiles are optional.

If you don't want to customize Outlook or preconfigure it for your users, you
don't have to. After Outlook is installed, users need to enter the information
that connects to their work or school account, like the email server link and
more.

Step 2 - Create the profile

After the email app is assigned to the device, this next step creates the device
configuration policy that configures the email connection. If your email app uses an app
configuration policy to configure the app, then skip this step.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select the platform of your devices. Your options:

Android device administrator (Samsung Android Knox Standard only)
Android Enterprise personally owned work profiles
iOS/iPadOS
Windows 10 and later

Profile: Select Email. Or, select Templates > Email.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is Windows 10/11:
Email settings for all Windows 10/11 devices.
Description: Enter a description for the policy. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Select your platform for detailed settings:

Android device administrator (Samsung Knox Standard)
Android Enterprise
iOS/iPadOS
Windows 10/11

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, see Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or device groups that will receive your profile. For
more information on assigning profiles, see Before you begin (in this article).
Assign user and device profiles also has some guidance.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Remove an email profile

There are different ways to remove an email profile from devices, even when there's only
one email profile on the device:

Option 1: Open the email profile (Devices > Configuration profiles > select your
profile), and select Assignments. The Include tab shows the groups that are
assigned the profile. Right-click the group > Remove. Be sure to Save your
changes.

Option 2: Wipe or retire the device. You can use these actions to selectively or fully
remove data and settings.

Secure email access

You can help secure email profiles using the following options:

Certificates: When you create the email profile, you select a SCEP or PKCS certificate
profile previously created in Intune. This certificate is known as the identity
certificate. The device presents it to the mail server to prove that the user's device
is allowed to connect, and the server validates it against the root certificate of the
CA that issued it. That root is the trusted certificate, and it must be trusted by the
computer that authenticates the email connection. Typically, this computer is the
native mail server.

If you use certificate-based authentication for your email profile, then deploy the
email profile, certificate profile, and trusted root profile to the same groups. This
deployment makes sure each device can recognize the legitimacy of your
certificate authority.

For more information about how to create and use certificate profiles in Intune, see
How to configure certificates with Intune.

User name and password: The end user authenticates to the native mail server by
entering a user name and password. The password doesn't exist in the email
profile. So, the end user enters the password when connecting to email.

How Intune handles existing email accounts

If the user already configured an email account, then the email profile is assigned
differently, depending on the platform.

Android device administrator Samsung Knox Standard: Intune detects an existing,
duplicate email profile based on the email address, and overwrites it with the
Intune profile. Android doesn't use the host name to identify the profile. Don't
create multiple email profiles using the same email address on different hosts. The
profiles overwrite each other.

Android Enterprise personally owned work profiles: Intune provides two Android
work email apps that you can configure: Gmail and Nine Work. These apps are
available in the Google Play Store, and install in the personally owned work profile.
These apps don't create duplicate profiles. To use email connectivity, deploy one of
these email apps to your user devices. Then, create and deploy the email profile.

You can also use certificate profiles on Gmail and Nine Work. Any Gmail or Nine
Work device configuration policies that you create continue to apply to the device.
It's not necessary to move them to app configuration policies. Email apps, such as
Nine Work, may not be free. Review the app's licensing details, or contact the app
company with any questions.

iOS/iPadOS: An existing, duplicate email profile is detected based on host name
and email address. The duplicate email profile blocks the assignment of an Intune
profile. In this case, the Company Portal app notifies the user that they aren't
compliant, and prompts the end user to manually remove the configured profile.
To help prevent this scenario, tell your end users to enroll before installing an email
profile, which allows Intune to set up the profile.

Windows: An existing, duplicate email profile is detected based on host name and
email address. Intune overwrites the existing email profile created by the end user.
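The platform notes above describe how Intune decides that two email accounts are "the same": by host name plus email address on iOS/iPadOS and Windows, but by email address alone on Samsung Knox Standard. The following Python script is an added example, not Intune's own code; it encodes that rule as a pre-assignment check so that the Knox overwrite problem is caught before any profile is assigned. The profile names and the on-premises host name are constructed sample data, and the email address is modelled as the Azure AD attribute Intune resolves per user, since two profiles that use the same attribute yield the same address for any given user.

```python
"""Pre-assignment collision check for Intune email profiles (added example, not Intune code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class EmailProfile:
    name: str
    platform: str          # "ios", "windows" or "knox"
    host: str              # Exchange ActiveSync host the profile points at
    email_attribute: str   # Azure AD attribute Intune resolves per user: "UPN" or "PrimarySMTP"


def identity_key(profile):
    """Return the key Intune uses to decide that two email accounts are the same account.

    The address itself is resolved per user from the chosen Azure AD attribute, so two
    profiles that use the same attribute produce the same address for any given user.
    """
    attr = profile.email_attribute.strip().lower()
    if profile.platform == "knox":
        return ("knox", attr)                                   # host name is not part of the key
    if profile.platform in ("ios", "windows"):
        return (profile.platform, profile.host.strip().lower(), attr)
    raise ValueError(f"unknown platform: {profile.platform!r}")


def find_collisions(profiles):
    """Map each identity key claimed by more than one profile to the names of those profiles."""
    by_key = defaultdict(list)
    for p in profiles:
        by_key[identity_key(p)].append(p.name)
    return {key: names for key, names in by_key.items() if len(names) > 1}


def describe(profiles):
    """One report line per collision, saying why the profiles collide."""
    lines = []
    for key, names in find_collisions(profiles).items():
        platform = key[0]
        reason = ("Knox ignores the host name, so these profiles overwrite each other"
                  if platform == "knox"
                  else "same host and address, so only one of them should be assigned")
        lines.append(f"{platform}: {', '.join(names)} -> {reason}")
    return lines


# Constructed plan: the Knox pair is exactly the pattern the platform notes warn against.
# The iOS pair with the same hosts is fine, because the host name is part of the iOS key.
PLANNED = (
    EmailProfile("Knox - Exchange Online", "knox", "outlook.office365.com", "UPN"),
    EmailProfile("Knox - On-prem Exchange", "knox", "mail.contoso.example", "UPN"),
    EmailProfile("iOS - Exchange Online", "ios", "outlook.office365.com", "UPN"),
    EmailProfile("iOS - On-prem Exchange", "ios", "mail.contoso.example", "UPN"),
)

if __name__ == "__main__":
    for line in describe(PLANNED) or ["no collisions"]:
        print(line)
```

Run it against the list of email profiles you plan to assign; a Knox line in the output means two of them will fight over the same account on the device, and one of the two should be dropped or retargeted to a different group.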

Changes to assigned email profiles

If you make changes to an email profile you previously assigned, end users may see a
message asking them to approve the reconfiguration of their email settings.

Next steps
Once the profile is created, it isn't doing anything yet. Next, assign the profile and
monitor its status.
Troubleshooting common issues with
email profiles in Microsoft Intune
Article • 05/27/2023

This article gives troubleshooting guidance for common issues with email profiles in
Microsoft Intune.

Users are repeatedly prompted to enter their password
Users are repeatedly prompted to enter their password for the email profile. If
certificates are used to authenticate and authorize the user, check the assignments of all
the certificate profiles. Typically, these certificate profiles are assigned to user groups,
not device groups. If one of the certificate profiles isn't targeted to a user, then Intune
keeps retrying to deploy the email profile.

If the email profile chain is assigned to user groups, be sure your certificate profiles are
also assigned to user groups.

Profiles deployed to device groups show errors and latency
Email profiles are typically assigned to user groups. There may be some cases when
they're assigned to device groups.

For example, you want to deploy a certificate-based email profile to only Surface
devices, not desktops. In this scenario, device groups might make sense. Know that
these devices may show as not compliant, may return errors, and may not get your
email profiles immediately.

In this example, you create the email profile, and assign the profile to device
groups. The device restarts, and there's a delay before a user signs in. During this
delay, your PKCS certificate profile, which is assigned to user groups, is deployed.
Since there's no user yet, the PKCS certificate profile causes the device to be not
compliant. The Event Viewer may also show errors on the device.

To get compliant, the user signs in to the device, and syncs with Intune to receive
the policies. Users can resync manually, or wait for the next sync.

Another example: you're using dynamic groups. If Azure AD doesn't update the
dynamic groups immediately, then these devices may show as not compliant.

In these scenarios, you decide if it's more important to use device groups, or more
important to show all policies as compliant.

Device already has an email profile installed

If users create an email profile before enrolling in Intune or Microsoft 365 MDM, the
email profile deployed by Intune may not work as expected:

iOS/iPadOS: Intune detects an existing, duplicate email profile based on hostname
and email address. The user-created email profile blocks the deployment of the
Intune-created profile. This scenario is a common problem as iOS/iPadOS users
typically create an email profile, then enroll. The Company Portal app states that
the user isn't compliant, and may prompt the user to remove the email profile.

The user should remove their email profile so the Intune profile can be deployed.
To prevent this issue, instruct your users to enroll, and allow Intune to deploy the
email profile. Then, users can create their email profile.

Windows: Intune detects an existing, duplicate email profile based on hostname
and email address. Intune overwrites the existing email profile created by the user.

Samsung Knox Standard: Intune identifies a duplicate email account based on
the email address, and overwrites it with the Intune profile. If the user reconfigures
that account, it's overwritten again by the Intune profile. This behavior may cause
some confusion to the user whose account configuration gets overwritten.

Samsung Knox doesn't use hostname to identify the profile. We recommend you don't
create multiple email profiles to deploy to the same email address on different hosts, as
they overwrite each other.

Error 0x87D1FDE8 for Knox Standard device

After creating and deploying an Exchange ActiveSync email profile for Samsung Knox
Standard for different Android devices, the 0x87D1FDE8 or remediation failed error
shows in the device's properties > policy tab.

Review the configuration of your EAS profile for Samsung KNOX and source policy. The
Samsung Notes sync option is no longer supported, and that option shouldn't be
selected in your profile. Be sure devices have enough time to process the policy, up to
24 hours.

Unable to send images from email account

Users who have email accounts automatically configured can't send pictures or images
from their devices. This scenario can happen if Allow e-mail to be sent from third-party
applications isn't enabled.

1. Sign in to the Microsoft Intune admin center.
2. Select Devices > Configuration profiles.
3. Select your email profile > Properties > Settings.
4. Set the Allow e-mail to be sent from third-party applications setting to Enable.

Create VPN profiles to connect to VPN
servers in Intune
Article • 04/25/2023

Important

On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.

Virtual private networks (VPNs) give users secure remote access to your organization
network. Devices use a VPN connection profile to start a connection with the VPN
server. VPN profiles in Microsoft Intune assign VPN settings to users and devices in your
organization. Use these settings so users can easily and securely connect to your
organizational network.

This feature applies to:

Android device administrator

Android Enterprise personally owned devices with a work profile

iOS/iPadOS

macOS

Windows 10

Windows 11

Important

For Windows 11 devices, there is an issue between the Windows 11 client and
the Windows VPNv2 CSP. A device with one or more Intune VPN profiles loses
its VPN connectivity when the device processes multiple changes to VPN
profiles for the device simultaneously. When the device checks-in with Intune
a second time, it processes the VPN profile changes, and connectivity is
restored.
The following changes can cause a loss of VPN functionality:
Changes to a VPN profile that was previously processed by the Windows
11 device. This action deletes the original profile, and applies the updated
profile.
Two new VPN profiles apply to the device at the same time.
An active VPN profile is removed at the same time a new VPN profile is
assigned.

This issue doesn't apply when:

A Windows 11 device doesn't have an existing VPN profile assigned, and it
receives one Intune VPN profile.
Windows 11 devices with a VPN profile assigned, and are assigned another
VPN profile with no other profile changes.
A Windows 10 device upgrades to Windows 11, and if there are no
changes to that device's VPN profiles. After the upgrade to Windows 11,
any changes to the devices VPN profiles or adding new VPN profiles will
trigger the issue.

This issue and warning remain until Windows updates the Windows 11 client
that resolves this issue.

Windows 8.1 and newer

For example, you want to configure all iOS/iPadOS devices with the required settings to
connect to a file share on the organization network. You create a VPN profile that
includes these settings. You assign this profile to all users who have iOS/iPadOS devices.
The users see the VPN connection in the list of available networks, and can connect with
minimal effort.

This article lists the VPN apps you can use, shows you how to create a VPN profile, and
includes guidance on securing your VPN profiles. You must deploy the VPN app before
you create the VPN profile. If you need help with deploying apps using Microsoft Intune,
see What is app management in Microsoft Intune?.

Before you begin

VPN profiles for a device tunnel are supported for Windows 10/11 Enterprise
multi-session remote desktops.
If you use certificate based authentication for your VPN profile, then deploy the
VPN profile, certificate profile, and trusted root profile to the same groups. This
step makes sure that each device can recognize the legitimacy of your certificate
authority. For more information, see How to configure certificates with Microsoft
Intune.

User enrollment for iOS/iPadOS and macOS only support per-app VPN.

You can use Intune custom configuration policies to create VPN profiles for the
following platforms:
Android 4 and later
Enrolled devices that run Windows 8.1 and later
Enrolled devices that run Windows 10/11
Windows Holographic for Business

Step 1 - Deploy your VPN app

Before you can use VPN profiles assigned to a device, you must install the VPN app. This
VPN app connects to your VPN server.

There are different VPN apps available. On user devices, you deploy the VPN app your
organization uses. After the VPN app is deployed, then you create and deploy a VPN
device configuration profile that configures the VPN server settings, including the VPN
server name (or FQDN) and authentication method.

Some platforms and VPN apps require an app configuration policy to preconfigure the
VPN app, instead of a VPN device configuration profile. This section also lists the
platforms and VPN apps that must use an app configuration policy.

To help you assign the app using Intune, see Add apps to Microsoft Intune.

VPN connection types

You can create VPN profiles using the following VPN connection types:

Automatic
Windows 10/11

Check Point Capsule VPN
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile: Use app
configuration policy
iOS/iPadOS
macOS
Windows 10/11
Windows 8.1

Cisco AnyConnect
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
macOS
Windows 10/11

Cisco (IPSec)
iOS/iPadOS

Citrix SSO
Android device administrator
Android Enterprise personally owned devices with a work profile: Use app
configuration policy
Android Enterprise fully managed and corporate-owned work profiles: Use app
configuration policy
iOS/iPadOS
Windows 10/11

Custom VPN
iOS/iPadOS
macOS

Create custom VPN profiles using URI settings in Create a profile with custom
settings.

F5 Access
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
macOS
Windows 10/11
Windows 8.1

IKEv2
iOS/iPadOS
Windows 10/11

L2TP
Windows 10/11

Microsoft Tunnel
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS

Important

As of June 14, 2021, both the standalone tunnel app and the standalone client
connection type for Android are deprecated, and they dropped from support after
October 26, 2021.

Microsoft Tunnel (standalone client)(preview)

iOS/iPadOS

Important

Plan for change. On April 29, 2022 both the Microsoft Tunnel connection type
and Microsoft Defender for Endpoint as the tunnel client app became generally
available. With this general availability, the use of the Microsoft Tunnel
(standalone client)(preview) connection type and the standalone tunnel client
app are deprecated and soon will drop from support.
On July 29, 2022, the standalone tunnel client app will no longer be
available for download. Only the generally available version of Microsoft
Defender for Endpoint will be available as the tunnel client app.
On August 1, 2022, the Microsoft Tunnel (standalone client) (preview)
connection type will cease to connect to Microsoft Tunnel.

To avoid a disruption in service for Microsoft Tunnel, plan to migrate your use
of the deprecated tunnel client app and connection type to those that are
now generally available.

NetMotion Mobility
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
macOS
Palo Alto Networks GlobalProtect
Android Enterprise personally owned devices with a work profile: Use app
configuration policy
Android Enterprise fully managed and corporate-owned work profile: Use app
configuration policy
iOS/iPadOS
Windows 10/11

PPTP
Windows 10/11

Pulse Secure
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
Windows 10/11
Windows 8.1

SonicWall Mobile Connect
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
macOS
Windows 10/11
Windows 8.1

Zscaler
Android Enterprise personally owned devices with a work profile: Use app
configuration policy
Android Enterprise fully managed and corporate-owned work profile: Use app
configuration policy
iOS/iPadOS

Step 2 - Create the profile

After the VPN app is assigned to the device, this next step creates the device
configuration policy that configures the VPN connection. If your VPN app connection
type uses an app configuration policy to configure the app, then skip this step.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose the platform of your devices. Your options:

Android device administrator
Android Enterprise > Fully Managed, Dedicated, and Corporate-Owned
Work Profile
Android Enterprise > Personally-owned work profile
iOS/iPadOS
macOS
Windows 10 and later
Windows 8.1 and later

Profile: Select VPN. Or, select Templates > VPN.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is VPN
profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Select your platform for detailed settings:

Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 10 (including Windows Holographic for Business)
Windows 8.1

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, see Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or groups that receive your profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Secure your VPN profiles

VPN profiles can use many different connection types and protocols from different
manufacturers. These connections are typically secured through the following methods.

Certificates
When you create the VPN profile, you choose a SCEP or PKCS certificate profile that you
previously created in Intune. This profile is known as the identity certificate. It's used to
authenticate against a trusted certificate profile (or root certificate) that you create to
allow the user's device to connect. The trusted certificate is assigned to the computer
that authenticates the VPN connection, typically, the VPN server.

If you use certificate-based authentication for your VPN profile, then deploy the VPN
profile, certificate profile, and trusted root profile to the same groups. This assignment
makes sure each device recognizes the legitimacy of your certificate authority.

For more information about how to create and use certificate profiles in Intune, see How
to configure certificates with Microsoft Intune.

Note

Certificates added using the PKCS imported certificate profile aren't supported for
VPN authentication. Certificates added using the PKCS certificates profile are
supported for VPN authentication.
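The same rule appears three times on this page: the email article says to deploy the email profile, certificate profile and trusted root profile to the same groups; the troubleshooting article says that when the profile chain is assigned to user groups the certificate profiles must be assigned to user groups too, otherwise Intune keeps retrying the profile and users see repeated password prompts, and that device-group assignments work but show errors and non-compliance until a user signs in; and the Certificates section above repeats the same-groups rule for VPN profiles. The Python script below is an added example, not Intune's own code, that checks a profile chain's Include assignments against those three rules before you deploy. The group and profile names are constructed sample data; in practice you would fill them from the assignments shown in the admin center.

```python
"""Assignment consistency check for certificate-authenticated VPN or email profile chains.

Added example, not Intune code. Groups, profiles and their assignments are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    kind: str          # "user" or "device": the membership type of the Azure AD group


@dataclass
class Profile:
    name: str
    role: str          # "connection" (VPN or email), "identity_cert" (SCEP/PKCS), "trusted_root"
    included: tuple    # Group objects on the profile's Include tab


def check_chain(connection, identity_cert, trusted_root):
    """Return a list of findings; an empty list means the chain is consistently assigned.

    Rule 1: every group that receives the connection profile must also receive the
            identity certificate profile and the trusted root profile.
    Rule 2: if the chain is assigned to user groups, each certificate profile must be
            assigned to user groups as well.
    Rule 3: device-group assignment is allowed but is flagged, because user-targeted
            certificate profiles cannot apply before a user signs in and syncs.
    """
    findings = []
    conn_groups = set(connection.included)
    for dep in (identity_cert, trusted_root):
        dep_groups = set(dep.included)
        for g in sorted(conn_groups - dep_groups, key=lambda x: x.name):
            findings.append(f"ERROR: '{g.name}' receives {connection.name} but not {dep.name} "
                            f"({dep.role}); members get a profile they cannot authenticate with")
        if any(g.kind == "user" for g in conn_groups) and not any(g.kind == "user" for g in dep_groups):
            findings.append(f"ERROR: {connection.name} is assigned to user groups but {dep.name} "
                            f"is not; expect repeated password prompts while Intune retries the profile")
    for g in sorted(conn_groups, key=lambda x: x.name):
        if g.kind == "device":
            findings.append(f"WARN: '{g.name}' is a device group; devices may report not compliant "
                            f"and log errors until a user signs in and syncs")
    return findings


# Constructed sample: a VPN chain where the PKCS profile was never assigned to one user group,
# and one device group is in scope. Both situations are the ones the articles describe.
SALES = Group("VPN-Users-Sales", "user")
ENG = Group("VPN-Users-Engineering", "user")
SURFACES = Group("Surface-Devices", "device")

vpn = Profile("Corp VPN (IKEv2)", "connection", (SALES, ENG, SURFACES))
pkcs = Profile("Corp VPN client cert (PKCS)", "identity_cert", (SALES, SURFACES))
root = Profile("Corp Root CA", "trusted_root", (SALES, ENG, SURFACES))

if __name__ == "__main__":
    for line in check_chain(vpn, pkcs, root) or ["OK: chain assignments are consistent"]:
        print(line)
```

An ERROR line is a configuration defect to fix before assignment; a WARN line is the documented device-group trade-off, where you decide whether device targeting matters more than every policy reporting compliant immediately.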

User name and password

The user authenticates to the VPN server by providing a user name and password, or
derived credentials.

Next steps
Assign the profile and monitor its status.
You can also create and use per-app VPNs on Android device
administrator/Android Enterprise and iOS/iPadOS devices.
Use a Microsoft Intune custom profile to
create a per-app VPN profile for
Android devices
Article • 05/24/2023

You can create a per-app VPN profile for Android 8.0 and later devices that are enrolled
in Intune. First, create a VPN profile that uses either the Pulse Secure or Citrix
connection type. Then, create a custom configuration policy that associates the VPN
profile with specific apps.

This feature applies to:

Android device administrator (DA) enrolled in Intune

To use per-app VPN on Android Enterprise devices, use an app configuration policy. App
configuration policies support more VPN client apps. On Android Enterprise devices,
you can use the steps in this article. But, it's not recommended, and you're limited to
only Pulse Secure and Citrix VPN connections.

After you assign the policy to your Android device or user groups, users should start the
Pulse Secure or Citrix VPN client. Then, the VPN client allows only traffic from the
specified apps to use the open VPN connection.

Note

Only the Pulse Secure and Citrix connection types are supported for Android device
administrator. On Android Enterprise devices, use an app configuration policy.

Step 1: Create a VPN profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Android device administrator.
Profile: Select VPN.

4. Select Create.
5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Android
DA per-app VPN profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, configure the settings you want in the profile:

VPN settings for Android device administrator devices.

Take note of the Connection Name value you enter when creating the VPN profile.
This name is needed in the next step. In this example, the connection name is
MyAppVpnProfile.

8. Select Next, and continue creating your profile. For more information, go to Create
a VPN profile.

Step 2: Create a custom configuration policy

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Android device administrator.
Profile: Select Custom.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the custom profile. Name your profiles so
you can easily identify them later. For example, a good profile name is
Custom OMA-URI Android VPN profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.
7. In Configuration settings > OMA-URI Settings, select Add. Enter the following
OMA-URI values:

Name: Enter a name for your setting.
Description: Enter a description for the setting. This setting is optional, but
recommended.
OMA-URI: Enter ./Vendor/MSFT/VPN/Profile/Name/PackageList , where
Name is the connection name you noted in Step 1. In this example, the string
is ./Vendor/MSFT/VPN/Profile/MyAppVpnProfile/PackageList .
Data type: Enter String.
Value: Enter a semicolon-separated list of packages to associate with the
profile. For example, if you want Excel and the Google Chrome browser to
use the VPN connection, enter
com.microsoft.office.excel;com.android.chrome .

Your settings look similar to the following settings:

8. Select Next, and continue creating your profile. For more information, go to Create
a VPN profile.

Set your blocked and allowed app list (optional)

Use the BLACKLIST value to enter a list of apps that cannot use the VPN connection. All
other apps connect through the VPN. Or, use the WHITELIST value to enter a list of apps
that can use the VPN connection. Apps that aren't on the list don't connect through the
VPN.

1. On the Custom OMA-URI Settings pane, choose Add.
2. Enter a setting name.
3. In OMA-URI, enter ./Vendor/MSFT/VPN/Profile/Name/Mode , where Name is the
connection name you noted in Step 1. In our example, the string is
./Vendor/MSFT/VPN/Profile/MyAppVpnProfile/Mode .
4. In Data type, enter String.
5. In Value, enter BLACKLIST or WHITELIST.

Step 3: Assign both policies


Assign both device profiles to the required users or devices.
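The custom profile in Step 2 and the optional Mode setting are only two OMA-URI strings, but they are easy to get subtly wrong: the connection name must match the VPN profile exactly, the package list is semicolon-separated with no spaces, and Mode accepts only the literal values BLACKLIST or WHITELIST. The Python script below is an added example, not Intune's own code, that builds and validates both settings from the same inputs. The package names and profile names are the ones used above; the JSON envelope uses the Microsoft Graph androidCustomConfiguration and omaSettingString type names as I understand them, and those names should be treated as an assumption rather than something the article states.

```python
"""Build and validate the OMA-URI settings for an Android device administrator per-app VPN.

Added example, not Intune code. The Graph resource type names in the envelope are assumed.
"""
import json
import re

OMA_URI_BASE = "./Vendor/MSFT/VPN/Profile"
VALID_MODES = ("BLACKLIST", "WHITELIST")   # literal values the article gives for Mode
# Android package name: two or more dot-separated segments, each starting with a letter.
_PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def validate_connection_name(name):
    """The name becomes a URI path segment, so reject anything that would alter the path."""
    if not name or "/" in name or name != name.strip():
        raise ValueError(f"invalid connection name: {name!r}")
    return name


def package_list_value(packages):
    """Return the ';'-separated PackageList value, rejecting malformed or duplicate packages."""
    seen = []
    for pkg in packages:
        if not _PACKAGE_RE.match(pkg):
            raise ValueError(f"not an Android package name: {pkg!r}")
        if pkg not in seen:
            seen.append(pkg)
    if not seen:
        raise ValueError("at least one package is required")
    return ";".join(seen)


def per_app_vpn_oma_settings(connection_name, packages, mode=None):
    """Return the omaSettings list: the PackageList setting, plus the Mode setting if given."""
    name = validate_connection_name(connection_name)
    settings = [{
        "@odata.type": "#microsoft.graph.omaSettingString",   # assumed Graph type name
        "displayName": f"{name} package list",
        "description": "Apps whose traffic uses the per-app VPN connection",
        "omaUri": f"{OMA_URI_BASE}/{name}/PackageList",
        "value": package_list_value(packages),
    }]
    if mode is not None:
        if mode not in VALID_MODES:
            raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
        settings.append({
            "@odata.type": "#microsoft.graph.omaSettingString",
            "displayName": f"{name} mode",
            "description": "BLACKLIST: listed apps bypass the VPN; WHITELIST: only listed apps use it",
            "omaUri": f"{OMA_URI_BASE}/{name}/Mode",
            "value": mode,
        })
    return settings


def custom_profile_body(profile_name, connection_name, packages, mode=None):
    """Request body for an Android device administrator custom configuration profile."""
    return {
        "@odata.type": "#microsoft.graph.androidCustomConfiguration",   # assumed Graph type name
        "displayName": profile_name,
        "description": f"Per-app VPN package list for VPN connection '{connection_name}'",
        "omaSettings": per_app_vpn_oma_settings(connection_name, packages, mode),
    }


if __name__ == "__main__":
    # Same scenario as the article: Excel and Chrome use the MyAppVpnProfile connection.
    body = custom_profile_body("Custom OMA-URI Android VPN profile for entire company",
                               "MyAppVpnProfile",
                               ["com.microsoft.office.excel", "com.android.chrome"],
                               mode="WHITELIST")
    print(json.dumps(body, indent=2))
```

The two omaUri values the script emits are exactly the strings the steps above ask you to type; the point of the validation is that a stray slash in the connection name, a space after a semicolon, or a lowercase "whitelist" produces a profile that deploys without error but never associates the apps with the VPN.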

Next steps
For a list of all the Android device administrator VPN settings, go to Android
device settings to configure VPN.
To learn more about VPN settings and Intune, go to configure VPN settings in
Microsoft Intune.
Set up per-app Virtual Private Network
(VPN) for iOS/iPadOS devices in Intune
Article • 07/31/2023

In Microsoft Intune, you can create and use Virtual Private Networks (VPNs) assigned to
an app. This feature is called "per-app VPN". You choose the managed apps that can use
your VPN on devices managed by Intune. When you use per-app VPNs, end users
automatically connect through the VPN, and get access to organizational resources,
such as documents.

This feature applies to:

iOS 9 and newer
iPadOS 13.0 and newer

Check your VPN provider's documentation to see if your VPN supports per-app VPN.

This article shows you how to create a per-app VPN profile, and assign this profile to
your apps. Use these steps to create a seamless per-app VPN experience for your end
users. For most VPNs that support per-app VPN, the user opens an app, and
automatically connects to the VPN.

Some VPNs allow username and password authentication with per-app VPN. Meaning,
users need to enter a username and password to connect to the VPN.

Important

On iOS/iPadOS, per-app VPN isn't supported for IKEv2 VPN profiles.

Per-app VPN with Microsoft Tunnel or Zscaler

Microsoft Tunnel and Zscaler Private Access (ZPA) integrate with Azure Active Directory
(Azure AD) for authentication. When using Tunnel or ZPA, you don't need the trusted
certificate or SCEP or PKCS certificate profiles (described in this article).

If you have a per-app VPN profile set up for Zscaler, then opening one of the associated
apps doesn't automatically connect to ZPA. Instead, the user needs to sign into the
Zscaler app. Then, remote access is limited to the associated apps.
Prerequisites for per-app VPN

Important

Your VPN vendor may have other requirements for per-app VPN, such as specific
hardware or licensing. Be sure to check with their documentation, and meet those
prerequisites before setting up per-app VPN in Intune.

To prove its identity, the VPN server presents a certificate that the device must accept
without prompting the user. To make the device accept that certificate automatically,
create a trusted certificate profile. This trusted certificate profile must include the
root certificate of the Certification Authority (CA) that issued the VPN server's
certificate.

Export the certificate and add the CA

1. On your VPN server, open the administration console.

2. Confirm that your VPN server uses certificate-based authentication.

3. Export the trusted root certificate file. It has a .cer extension, and you add it when
creating a trusted certificate profile.

4. Add the CA that issues the device identity certificates to the VPN server's list of
trusted CAs.

If the certificate presented by the device was issued by a CA in the Trusted CA list on
the VPN server, then the VPN server successfully authenticates the device.

Create a group for your VPN users


Create or choose an existing group in Azure Active Directory (Azure AD). This group
must include the users or devices that will use per-app VPN. For the steps to create a
new group, go to Add groups to organize users and devices.

Create a trusted certificate profile


Import the VPN server's root certificate issued by the CA into a profile created in Intune.
The trusted certificate profile instructs the iOS/iPadOS device to automatically trust the
CA that the VPN server presents.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select iOS/iPadOS.


Profile: Select Trusted certificate.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is
iOS/iPadOS trusted certificate VPN profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, select the folder icon, and browse to your VPN
certificate ( .cer file) that you exported from your VPN administration console.

8. Select Next, and continue creating your profile. For more information, go to Create
a VPN profile.

Create a SCEP or PKCS certificate profile


The trusted root certificate profile allows the device to automatically trust the VPN
Server. The SCEP or PKCS certificate provides credentials from the iOS/iPadOS VPN
client to the VPN server. The certificate allows the device to silently authenticate without
prompting for a username and password.

To configure and assign the client authentication certificate, go to one of the following
articles:

Configure infrastructure to support SCEP with Intune


Configure and manage PKCS certificates with Intune

Be sure to configure the certificate for client authentication. You can set client
authentication directly in SCEP certificate profiles (Extended key usage list > Client
authentication). For PKCS, set client authentication in the certificate template in the
certificate authority (CA).

Create a per-app VPN profile

This VPN profile includes the SCEP or PKCS certificate that has the client credentials, the
VPN connection information, and the per-app VPN flag that enables the per-app VPN
used by the iOS/iPadOS application.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select iOS/iPadOS.


Profile: Select VPN.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the custom profile. Name your profiles so
you can easily identify them later. For example, a good profile name is
iOS/iPadOS per-app VPN profile for myApp.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. In Configuration settings, configure the following settings:

Connection type: Select your VPN client app.

Base VPN: Configure your settings. iOS/iPadOS VPN settings describes all the
settings. When using per-app VPN, be sure you configure the following
properties as listed:
Authentication method: Select Certificates.
Authentication certificate: Select an existing SCEP or PKCS certificate >
OK.
Split tunneling: Select Disable to force all traffic to use the VPN tunnel
when the VPN connection is active.
For information on the other settings, go to iOS/iPadOS VPN settings.

Automatic VPN: Set Type of automatic VPN to Per-app VPN.


7. Select Next, and continue creating your profile. For more information, go to Create
a VPN profile.

Associate an app with the VPN profile


After adding your VPN profile, associate the app and Azure AD group to the profile.

1. In the Microsoft Intune admin center, select Apps > All apps.

2. Select an app from the list > Properties > Assignments > Edit.

3. Go to the Required or Available for enrolled devices section.

4. Select Add group > Select the group you created (in this article) > Select.

5. In VPNs, select the per-app VPN profile you created (in this article).

6. Select OK > Save.

When all of the following conditions exist, an association between an app and a profile
is removed during the next device check-in:

The app was targeted with required install intent.


The profile and the app are assigned to the same group.
You remove the per-app VPN configuration from the app assignment.

When all of the following conditions exist, an association between an app and a profile
remains until the user requests a reinstall from the Company Portal app:

The app was targeted with available install intent.


The profile and the app are assigned to the same group.
The end user requested the app install in the Company Portal app. This request
results in the app and profile being installed on the device.
You remove or change the per-app VPN configuration from the app assignment.

Verify the connection on the iOS/iPadOS device


With your per-app VPN set-up and associated with your app, verify the connection
works from a device.

Before you attempt to connect


Make sure you deploy all the policies described in this article to the same group.
Otherwise, the per-app VPN experience won't work.
If you're using the Pulse Secure VPN app or a custom VPN client app, then you can
choose to use app-layer or packet-layer tunneling. For app-layer tunneling, set the
ProviderType value to app-proxy. For packet-layer tunneling, set ProviderType
value to packet-tunnel. Check your VPN provider's documentation to make sure
you're using the correct value.

Connect using the per-app VPN


Verify the zero-touch experience by connecting without having to select the VPN or type
your credentials. The zero-touch experience means:

The device doesn't ask you to trust the VPN server. Meaning, the user doesn't see
the Dynamic Trust dialog box.
The user doesn't have to enter credentials.
When the user opens one of the associated apps, the user's device is connected to
the VPN.

Next steps

To review iOS/iPadOS settings, go to VPN settings for iOS/iPadOS devices in
Microsoft Intune.
To learn more about VPN settings and Intune, go to configure VPN settings in
Microsoft Intune.


Add and use Wi-Fi settings on your devices in Microsoft Intune

Article • 02/22/2023

Important

On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.

Wi-Fi is a wireless network that's used by many mobile devices to get network access.
Microsoft Intune includes built-in Wi-Fi settings that can be deployed to users and
devices in your organization. This group of settings is called a "profile", and can be
assigned to different users and groups. Once assigned, your users get access to your
organization's Wi-Fi network without configuring it themselves.

For example, you install a new Wi-Fi network named Contoso Wi-Fi. You then want to
set up all iOS/iPadOS devices to connect to this network. Here's the process:

1. Create a Wi-Fi profile that includes the settings that connect to the Contoso Wi-Fi
wireless network.
2. Assign the profile to a group that includes all users of iOS/iPadOS devices.
3. On their devices, users find the new Contoso Wi-Fi network in the list of wireless
networks. They can then connect to the network, using the authentication method
of your choosing.

This article lists the steps to create a Wi-Fi profile. It also includes links that describe the
different settings for each platform.

Supported device platforms


Wi-Fi profiles support the following device platforms:

Android 5 and newer
Android Enterprise and kiosk
Android (AOSP)
iOS 11.0 and newer
iPadOS 13.0 and newer
macOS 10.12 and newer
Windows 11
Windows 10
Windows Holographic for Business

Create the profile


1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose the platform of your devices. Your options:


Android device administrator
Android (AOSP)
Android Enterprise
iOS/iPadOS
macOS
Windows 10 and later
Windows 8.1 and later

Profile: Select Wi-Fi. Or, select Templates > Wi-Fi.

 Tip
For Android Enterprise devices running as a dedicated device (kiosk),
choose Fully Managed, Dedicated, and Corporate-Owned Work
Profile > Wi-Fi.
For Windows 8.1 and newer, you can choose Wi-Fi import. This
option lets you import Wi-Fi settings as an XML file that you
previously exported from a different device.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is WiFi
profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Select your platform for detailed settings:

Android device administrator


Android (AOSP)
Android Enterprise, including dedicated devices
iOS/iPadOS
macOS
Windows 10/11
Windows 8.1 and newer, including Windows Holographic for Business

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, see Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

 Tip

If you use certificate based authentication for your Wi-Fi profile, deploy the Wi-Fi
profile, certificate profile, and trusted root profile to the same groups to ensure that
each device can recognize the legitimacy of your certificate authority. For more
information, see How to configure certificates with Microsoft Intune.

Next steps

The profile is created, but may not be doing anything. Be sure to assign the profile, and
monitor its status.
Troubleshoot Wi-Fi profiles in Intune.


Import Wi-Fi settings for Windows devices in Intune

Article • 03/27/2023

Important

On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.

On Windows devices, you can export Wi-Fi settings to an XML file, and then import
these settings in Intune. Using these imported settings, you can create a Wi-Fi profile,
and then deploy it to your devices.

This feature applies to:

Windows 11
Windows 10
Windows Holographic for Business
Windows 8.1 and newer

This article shows you how to export Wi-Fi settings from a Windows device, and then
import these settings in to Intune.

Note

On Windows 10/11, you can create a Wi-Fi profile directly in Intune. You
don't have to import a file.
For Windows 8.1 devices, you must export and import Wi-Fi settings to create
and deploy Wi-Fi profiles.

Export Wi-Fi settings from a Windows device


Use netsh wlan to export an existing Wi-Fi profile to an XML file readable by Intune. On
a Windows computer that has the WiFi profile, use the following steps:
1. Create a local folder for the exported Wi-Fi profiles, such as c:\WiFi.
2. Open a command prompt as an administrator.
3. Run the netsh wlan show profiles command. Note the name of the profile you'd
like to export. In this example, the profile name is ContosoWiFi.
4. Run the netsh wlan export profile name="ContosoWiFi" folder=c:\Wifi command.
This command creates a Wi-Fi profile file named Wi-Fi-ContosoWiFi.xml in your
target folder.

Important

If you're exporting a Wi-Fi profile that includes a pre-shared key, you must
add key=clear to the command. The key must be exported in plain text to
successfully use the profile. For example, enter:

netsh wlan export profile name="ProfileName" key=clear folder=c:\Wifi

Using a pre-shared key with Windows 10/11 causes a remediation error to
show in Intune. When this happens, the Wi-Fi profile is properly assigned to
the device, and the profile works as expected.

If you export a Wi-Fi profile that includes a pre-shared key, be sure the file is
protected. The key is in plain text. It's your responsibility to protect the key: for
example, restrict the export folder's permissions to the administrator doing the
import, and delete the file once the profile is created in Intune.

Import the Wi-Fi settings into Intune


1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 8.1 and later.

Even though you select Windows 8.1, this feature still applies to Windows
10/11 and Windows Holographic.

Profile: Select Wi-Fi import.

4. Select Create.

5. In Basics, enter the following properties:


Name: This setting is the profile name. You must enter the same name as the
name attribute in the Wi-Fi profile xml. If you enter a different name, the
profile will fail.
Description: Enter a description for the profile. This setting is optional, but
recommended. For example, enter Imported Wi-Fi profile for Windows
Holographic devices .

6. Select Next.

7. In Configuration settings, enter the following properties:

Connection name: Enter a name for the Wi-Fi connection. This name is
shown to users when they browse available Wi-Fi networks. For example,
enter ContosoWiFi .
Profile XML: Select the browse button, and select the XML file that contains
the Wi-Fi profile settings you want to import.
File contents: Shows the XML code for the XML file you selected.

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, see Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Next steps

The profile is created, but may not be doing anything. Be sure to assign the profile, and
monitor its status.

See the Wi-Fi settings overview, including other available platforms.


Use a custom device profile to create a WiFi profile with a preshared key in Intune

Article • 05/16/2023

Pre-shared keys (PSK) are a common way to authenticate to WiFi networks, or wireless
LANs: every device presents the same shared secret. With Intune, you can create a WiFi
profile using a preshared key. To create the profile, use the Custom device profiles
feature within Intune. This article also includes an example of an EAP-based Wi-Fi profile.

This feature applies to:

Android device administrator
Android Enterprise personally owned devices with a work profile
Windows
EAP-based Wi-Fi

Important

Using a pre-shared key with Windows 10/11 causes a remediation error to
show in Intune. When this happens, the Wi-Fi profile is properly assigned to
the device, and the profile does work as expected.
If you export a Wi-Fi profile that includes a pre-shared key, be sure the file is
protected. The key is in plain text. It's your responsibility to protect the key.

Before you begin


It may be easier to copy the code from a computer that connects to that network,
as described in Create the XML file from an existing Wi-Fi connection (in this
article).
You can add multiple networks and keys by adding more OMA-URI settings.
For iOS/iPadOS, use Apple Configurator on a Mac station to set up the profile.
PSK requires a string of 64 hexadecimal digits, or a passphrase of 8 to 63 printable
ASCII characters. Some characters, such as asterisk ( * ), aren't supported.

Create a custom profile


1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose your platform.


Profile: Select Custom. Or, select Templates > Custom.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is Custom OMA-
URI Wi-Fi profile for Android DA.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, select Add. Enter a new OMA-URI setting with the
following properties:

a. Name: Enter a name for the OMA-URI setting.

b. Description: Enter a description for the OMA-URI setting. This setting is
optional, but recommended.

c. OMA-URI: Enter one of the following options:

For Android: ./Vendor/MSFT/WiFi/Profile/SSID/Settings
For Windows: ./Vendor/MSFT/WiFi/Profile/SSID/WlanXml

Note

Be sure to include the dot character at the beginning.
If the SSID has a space, replace the space with the escape sequence %20 .

SSID is the SSID for which you're creating the policy. For example, if the Wi-Fi is
named Hotspot-1 , enter ./Vendor/MSFT/WiFi/Profile/Hotspot-1/Settings . If the
Wi-Fi is named Contoso WiFi , enter
./Vendor/MSFT/WiFi/Profile/Contoso%20WiFi/Settings (with the %20 escape
sequence in place of the space).

d. Data Type: Select String.

e. Value: Paste your XML code. See the examples in this article. Update each value
to match your network settings. The comments section of the code includes
some pointers.

f. Select Add to save your changes.

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or user group that will receive your profile. For
more information on assigning profiles, go to Assign user and device profiles.

Note

This policy can only be assigned to user groups.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time each device checks in, the policy is applied, and a Wi-Fi profile is created
on the device. The device can then connect to the network automatically.

Android or Windows Wi-Fi profile example


The following example includes the XML code for an Android or Windows Wi-Fi profile.
The example is provided to show proper format and provide more details. It's only an
example, and isn't intended as a recommended configuration for your environment.

What you need to know

<protected>false</protected> must be set to false. When true, the device expects an
encrypted password and tries to decrypt it, which can result in a failed connection.
<hex>53534944</hex> should be set to the hexadecimal value of <name><SSID of
wifi profile></name> . Windows 10/11 devices may return a false 0x87D1FDE8
Remediation failed error, but the device still contains the profile.
XML has special characters, such as the & (ampersand). If the SSID or the passphrase
contains one, escape it in the XML (for example, &amp; for an ampersand); an unescaped
special character prevents the XML from working as expected.

Example

XML

<!--
<hex>53534944</hex> = The hexadecimal value of <name><SSID of wifi profile></name>

<Name of wifi profile> = Name of profile shown to users. For example, enter <name>ContosoWiFi</name>.

<SSID of wifi profile> = Plain text of SSID. Does not need to be escaped. It could be <name>Your Company's Network</name>.

<nonBroadcast><true/false></nonBroadcast>

<Type of authentication> = Type of authentication used by the network, such as WPA2PSK.

<Type of encryption> = Type of encryption used by the network, such as AES.

<protected>false</protected> do not change this value, as true could cause device to expect an encrypted password and then try to decrypt it, which may result in a failed connection.

<password> = Plain text of the password to connect to the network
-->
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name><Name of wifi profile></name>
  <SSIDConfig>
    <SSID>
      <hex>53534944</hex>
      <name><SSID of wifi profile></name>
    </SSID>
    <nonBroadcast>false</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication><Type of authentication></authentication>
        <encryption><Type of encryption></encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>password</keyMaterial>
      </sharedKey>
      <keyIndex>0</keyIndex>
    </security>
  </MSM>
</WLANProfile>
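The two values pasted into the custom profile, the OMA-URI from step 7c and the XML from the example above, have to agree with each other: the hex element must be the bytes of the SSID, a space in the SSID becomes %20 in the URI, and an ampersand in the SSID or passphrase has to be escaped in the XML. The following Python script is an added example, not part of this article or of Intune. It generates both values from one SSID and passphrase, applies the PSK length and character rules from Before you begin, and lets the XML serializer do the escaping. The distinction between a networkKey (64 hex digits) and a passPhrase is an assumption about the WLAN profile schema, not something the article states.

```python
"""Generate the OMA-URI and the WLANProfile XML for a PSK network, so the
two values pasted into the custom profile agree with each other. Added
example for this article, not Microsoft tooling: the <hex> element is
computed from the SSID, '&' and '<' are escaped by the XML serializer, and
the passphrase is checked against the rules in "Before you begin"."""
import xml.etree.ElementTree as ET

WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
# Leaf node per platform, from the article's step 7c.
OMA_LEAF = {"android": "Settings", "windows": "WlanXml"}


def oma_uri(ssid, platform):
    """./Vendor/MSFT/WiFi/Profile/<SSID>/<leaf>, with spaces escaped as %20."""
    return "./Vendor/MSFT/WiFi/Profile/%s/%s" % (ssid.replace(" ", "%20"), OMA_LEAF[platform])


def key_type(key):
    """Validate the PSK and return the WLAN schema keyType for it.
    Assumption (not from the article): a 64-digit hex key is keyType 'networkKey';
    anything else is a 'passPhrase' of 8-63 printable ASCII characters."""
    if len(key) == 64 and all(c in "0123456789abcdefABCDEF" for c in key):
        return "networkKey"
    if not 8 <= len(key) <= 63:
        raise ValueError("passphrase must be 8-63 characters, or a 64-digit hex key")
    if not all(32 <= ord(c) <= 126 for c in key):
        raise ValueError("passphrase must be printable ASCII")
    if "*" in key:
        raise ValueError("'*' is not supported in the PSK")
    return "passPhrase"


def build_psk_profile(ssid, key, auth="WPA2PSK", enc="AES", hidden=False, name=None):
    """Return the WLANProfile XML as a string. The profile name defaults to the SSID
    because the Wi-Fi import path requires the profile name to match <name>."""
    kt = key_type(key)
    ns = "{%s}" % WLAN_NS
    root = ET.Element(ns + "WLANProfile")
    ET.SubElement(root, ns + "name").text = name or ssid
    cfg = ET.SubElement(root, ns + "SSIDConfig")
    s = ET.SubElement(cfg, ns + "SSID")
    ET.SubElement(s, ns + "hex").text = ssid.encode("utf-8").hex().upper()
    ET.SubElement(s, ns + "name").text = ssid        # serializer escapes & and <
    ET.SubElement(cfg, ns + "nonBroadcast").text = "true" if hidden else "false"
    ET.SubElement(root, ns + "connectionType").text = "ESS"
    ET.SubElement(root, ns + "connectionMode").text = "auto"
    ET.SubElement(root, ns + "autoSwitch").text = "false"
    sec = ET.SubElement(ET.SubElement(root, ns + "MSM"), ns + "security")
    ae = ET.SubElement(sec, ns + "authEncryption")
    ET.SubElement(ae, ns + "authentication").text = auth
    ET.SubElement(ae, ns + "encryption").text = enc
    ET.SubElement(ae, ns + "useOneX").text = "false"
    sk = ET.SubElement(sec, ns + "sharedKey")
    ET.SubElement(sk, ns + "keyType").text = kt
    ET.SubElement(sk, ns + "protected").text = "false"   # must stay false (see above)
    ET.SubElement(sk, ns + "keyMaterial").text = key
    ET.SubElement(sec, ns + "keyIndex").text = "0"
    return ET.tostring(root, encoding="unicode", default_namespace=WLAN_NS)


if __name__ == "__main__":
    # Constructed sample network; the '&' and the space in the SSID are the point of the demo.
    print(oma_uri("R&D Lab", "windows"))
    print(build_psk_profile("R&D Lab", "correct horse battery"))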

EAP-based Wi-Fi profile example

The following example includes the XML code for an EAP-TLS (EAP type 13) Wi-Fi profile.
The example is provided to show proper format and provide more details. It's only an
example, and isn't intended as a recommended configuration for your environment. In
particular, it sets PerformServerValidation to false and leaves ServerNames empty, so the
client doesn't validate the RADIUS server's certificate. In production, enable server
validation, list your RADIUS servers in ServerNames, and add the thumbprint of the CA that
issued the RADIUS server certificate as a TrustedRootCA under ServerValidation, so that a
rogue access point advertising the same SSID can't complete the 802.1X exchange with your
devices.

XML

<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>testcert</name>
  <SSIDConfig>
    <SSID>
      <hex>7465737463657274</hex>
      <name>testcert</name>
    </SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
        <FIPSMode xmlns="http://www.microsoft.com/networking/WLAN/profile/v2">false</FIPSMode>
      </authEncryption>
      <PMKCacheMode>disabled</PMKCacheMode>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>false</cacheUserData>
        <authMode>user</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <CredentialsSource>
                    <CertificateStore>
                      <SimpleCertSelection>true</SimpleCertSelection>
                    </CertificateStore>
                  </CredentialsSource>
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames></ServerNames>
                  </ServerValidation>
                  <DifferentUsername>false</DifferentUsername>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
                  <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                    <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                      <AllPurposeEnabled>true</AllPurposeEnabled>
                      <CAHashList Enabled="true">
                        <IssuerHash>75 f5 06 9c a4 12 0e 9b db bc a1 d9 9d d0 f0 75 fa 3b b8 78</IssuerHash>
                      </CAHashList>
                      <EKUMapping>
                        <EKUMap>
                          <EKUName>Client Authentication</EKUName>
                          <EKUOID>1.3.6.1.5.5.7.3.2</EKUOID>
                        </EKUMap>
                      </EKUMapping>
                      <ClientAuthEKUList Enabled="true"/>
                      <AnyPurposeEKUList Enabled="false">
                        <EKUMapInList>
                          <EKUName>Client Authentication</EKUName>
                        </EKUMapInList>
                      </AnyPurposeEKUList>
                    </FilteringInfo>
                  </TLSExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>

Create the XML file from an existing Wi-Fi connection

You can also create an XML file from an existing Wi-Fi connection. On a Windows
computer, use the following steps:

1. Create a local folder for the exported Wi-Fi profiles, such as c:\WiFi.

2. Open up a command prompt as an administrator (right-click cmd > Run as
administrator).

3. Run netsh wlan show profiles . The names of all the profiles are listed.

4. Run netsh wlan export profile name="YourProfileName" folder=c:\Wifi . This
command creates a file named Wi-Fi-YourProfileName.xml in c:\Wifi.

If you're exporting a Wi-Fi profile that includes a preshared key, add
key=clear to the command:

netsh wlan export profile name="YourProfileName" key=clear folder=c:\Wifi

key=clear exports the key in plain text, which is required to successfully use
the profile.

If the exported Wi-Fi profile <name></name> element includes a space, then it
might return an ERROR CODE 0x87d101f4 ERROR DETAILS Syncml(500) error when
assigned. When this issue happens, the profile is listed in
\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces , and shows as a known
network. But, it doesn't successfully display as managed policy in the "Areas
managed by..." URI.

To resolve this issue, remove the space.

After you have the XML file, copy and paste the XML syntax into the OMA-URI setting's
Value field, with Data type set to String. Create a custom profile (in this article) lists
the steps.

 Tip
\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{guid} also includes all the
profiles in XML format.
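Before pasting an exported file into the OMA-URI Value, it's worth checking it for the issues this article describes (a space in the name element, a hex element that doesn't match the SSID, protected not set to false, an empty keyMaterial) and, for an EAP-TLS profile, whether the supplicant is actually told to validate the RADIUS server. The Python linter below is an added example, not Microsoft tooling. The two sample profiles it checks are constructed for the demo; the second reproduces the server-validation settings of the EAP example in this article, and the element names it looks for under ServerValidation follow the EAP-TLS schema that example uses. The server-validation warnings are general 802.1X hygiene rather than a statement from the article.

```python
"""Lint an exported WLANProfile XML before it goes into a custom OMA-URI
profile. Added example for this article, not Microsoft tooling. It encodes
the pitfalls the article lists (space in <name>, <hex> vs. SSID, <protected>,
missing cleartext key) and, for EAP-TLS, whether the supplicant is told to
validate the RADIUS server (general 802.1X hygiene, not an article claim)."""
import xml.etree.ElementTree as ET

NS = {
    "p": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "tls1": "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1",
    "tls2": "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2",
}


def _text(root, path):
    """Text of the first element matching a namespaced path, or None if absent."""
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else None


def lint_wlan_profile(xml_text):
    """Return [(severity, code, message), ...]; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    name = _text(root, "p:name")
    ssid_name = _text(root, "p:SSIDConfig/p:SSID/p:name")
    ssid_hex = _text(root, "p:SSIDConfig/p:SSID/p:hex")

    if name is None:
        findings.append(("error", "NAME_MISSING", "<name> element is missing"))
    elif " " in name:
        findings.append(("error", "NAME_SPACE",
                         "space in <name>: assignment can fail with Syncml(500) / 0x87d101f4"))
    if ssid_name is not None and ssid_hex is not None \
            and ssid_hex.lower() != ssid_name.encode("utf-8").hex():
        findings.append(("error", "HEX_MISMATCH", "<hex> is not the UTF-8 encoding of the SSID <name>"))

    if _text(root, ".//p:authEncryption/p:useOneX") != "true":
        # PSK profile: Intune needs the key in the clear (netsh ... key=clear).
        if _text(root, ".//p:sharedKey/p:protected") != "false":
            findings.append(("error", "PSK_PROTECTED",
                             "<protected> must be false; a key encrypted on another PC can't be decrypted"))
        if not _text(root, ".//p:sharedKey/p:keyMaterial"):
            findings.append(("error", "PSK_KEY_MISSING", "<keyMaterial> is empty: re-export with key=clear"))
        return findings

    # 802.1X / EAP-TLS profile: is the RADIUS server's certificate checked at all?
    if _text(root, ".//tls2:PerformServerValidation") != "true":
        findings.append(("warning", "EAP_NO_SERVER_VALIDATION",
                         "server certificate not validated; a rogue AP with this SSID can complete EAP"))
    if not _text(root, ".//tls1:ServerValidation/tls1:ServerNames"):
        findings.append(("warning", "EAP_NO_SERVER_NAMES", "<ServerNames> empty: server name not checked"))
    if not _text(root, ".//tls1:ServerValidation/tls1:TrustedRootCA"):
        findings.append(("warning", "EAP_NO_TRUSTED_ROOT",
                         "no <TrustedRootCA> thumbprint: any trusted root in the store is accepted"))
    return findings


# Constructed sample: a PSK profile with two of the article's pitfalls baked in.
PSK_SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Contoso WiFi</name>
  <SSIDConfig><SSID><hex>436f6e746f736f2057694669</hex><name>Contoso WiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>true</protected><keyMaterial>01000000D08C9D</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""

# Constructed sample: EAP-TLS profile with the server-validation settings of the article's example.
EAP_SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>testcert</name>
  <SSIDConfig><SSID><hex>7465737463657274</hex><name>testcert</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
            <ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
          </EapType>
        </Eap>
      </Config></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""


if __name__ == "__main__":
    for label, sample in (("PSK", PSK_SAMPLE), ("EAP", EAP_SAMPLE)):
        for severity, code, message in lint_wlan_profile(sample):
            print("%s: %s %s: %s" % (label, severity, code, message))
```

Running the script on the two samples prints the NAME_SPACE and PSK_PROTECTED errors for the PSK profile and the three server-validation warnings for the EAP profile; a profile that passes clean returns an empty list.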

Best practices
Before you deploy a Wi-Fi profile with PSK, confirm that the device can connect to
the endpoint directly.

When rotating keys (passwords or passphrases), expect downtime and plan your
deployments. Consider pushing new Wi-Fi profiles during non-working hours. Also,
warn users that connectivity may be affected.

For a smooth transition, be sure the end user's device has an alternate connection
to the Internet. For example, the end user can switch back to Guest WiFi (or some
other WiFi network) or have cellular connectivity to communicate with Intune. The
extra connection allows the user to receive policy updates when the corporate WiFi
Profile is updated on the device.

Next steps

Be sure to assign the profile, and monitor its status.


Troubleshooting Wi-Fi device configuration profiles in Microsoft Intune

Article • 05/27/2023

In Intune, you can create device configuration profiles that include connection settings
for your WiFi network. Use these settings to connect users' Android, iOS/iPadOS, and
Windows devices to the organization network.

This article shows what a Wi-Fi profile looks like when it successfully applies to devices.
It also includes log information, common issues, and more. Use this article to help
troubleshoot your Wi-Fi profiles.

For more information on Wi-Fi profiles in Intune, see Add and use Wi-Fi settings on your
devices.

Note

The examples in this article use SCEP certificate authentication for the Intune
profiles. It also assumes that the Trusted Root and SCEP profiles work correctly on
the device.

Troubleshoot Android Wi-Fi profiles


In this section, we step through the user experience when installing configuration
profiles on an Android device. This scenario uses a Nokia 6.1 device. Before the Wi-Fi
profile is installed on the device, install the Trusted Root and SCEP profiles.

1. Users receive a notification to install the Trusted Root certificate profile:


2. The next notification prompts to install the SCEP certificate profile:
 Tip

When using a device administrator-managed Android device, there may be
multiple certificates listed. When a certificate profile is revoked or removed,
the certificate stays on the device. In this scenario, select the newest
certificate. It's usually the last certificate shown in the list.

This situation doesn't occur on Android Enterprise and Samsung Knox devices.
For more information, see Manage Android work profile devices and
Remove SCEP and PKCS certificates.

3. Next, users receive a notification to install the Wi-Fi profile:

4. When complete, the Wi-Fi connection is shown as a saved network:


Review Company Portal app logs

On Android, the Omadmlog.log file details the activities of the Wi-Fi profile when it's
installed on the device. You might have up to five Omadmlog log files. Be sure to get
the timestamp of the last sync, as it will help you find the related log entries.

In the following example, use CMTrace to read the logs, and search for "wifimgr":

The following log shows your search results, and shows the Wi-Fi profile successfully
applied:

log

2019-08-01T19:22:46.7340000 VERB com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118 04142 Starting to parse Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:46.7490000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142 Starting to parse OneX from Wifi XML.
2019-08-01T19:22:46.8100000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142 Completed parsing OneX from Wifi XML.
2019-08-01T19:22:46.8209999 VERB com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118 04142 Completed parsing Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:46.8240000 INFO com.microsoft.omadm.utils.CertificateSelector 15118 04142 Selected ca certificate with alias: 'user:205xxxxx.0' and thumbprint '<thumbprint>'.
2019-08-01T19:22:47.0990000 VERB com.microsoft.omadm.platforms.android.certmgr.CertificateChainBuilder 15118 04142 Complete certificate chain built with Complete certs.
2019-08-01T19:22:47.1010000 VERB com.microsoft.omadm.utils.CertUtils 15118 04142 1 cert(s) matched criteria: User<ID>[i:<ID>,17CECEA1D337FAA7D167AD83A8CC7A8FCBF9xxxx;eku:1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2]
2019-08-01T19:22:47.1090000 VERB com.microsoft.omadm.utils.CertUtils 15118 04142 0 cert(s) excluded by criteria:
2019-08-01T19:22:47.1110000 INFO com.microsoft.omadm.utils.CertificateSelector 15118 04142 Selected client cert with alias 'User<ID>' and requestId 'ModelName=<ModelName>%2FLogicalName_<LogicalName>;Hash=-912418295'.
2019-08-01T19:22:47.4120000 VERB com.microsoft.omadm.Services 15118 04142 Successfully applied, enabled and saved wifi profile '<profile ID>'
2019-08-01T19:22:47.4240000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142 Starting to parse OneX from Wifi XML.
2019-08-01T19:22:47.4910000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142 Completed parsing OneX from Wifi XML.
2019-08-01T19:22:47.4970000 VERB com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118 04142 Starting to parse Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:47.5080000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142 Starting to parse OneX from Wifi XML.
2019-08-01T19:22:47.5820000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142 Completed parsing OneX from Wifi XML.
2019-08-01T19:22:47.5900000 VERB com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118 04142 Completed parsing Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:47.5910000 INFO com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 15118 04142 Applied profile <profile ID>
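When triaging a failed Wi-Fi apply, the messages that matter in the excerpt above are the CA selection, the client certificate match (with its EKU list), the client certificate selection, and the final "Successfully applied" line. The Python script below is an added example rather than a Microsoft tool. It pulls those four facts out of Omadmlog lines and checks that the matched client certificate carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2) that the SCEP or PKCS profile must provide. The line layout it assumes (timestamp, level, component, pid, tid, message) is inferred from the excerpt, and the <ID>-style placeholders in its constructed sample are the article's own redactions, kept as-is.

```python
"""Summarize a Wi-Fi profile apply from Android Company Portal Omadmlog.log
lines. Added example for this article, not a Microsoft tool. The line layout
(timestamp, level, component, pid, tid, message) is inferred from the
article's excerpt and is an assumption, not a documented format."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<component>\S+)\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

# Constructed sample, copied from the article's excerpt; <ID>-style values are its redactions.
SAMPLE_LOG = [
    "2019-08-01T19:22:46.8240000 INFO com.microsoft.omadm.utils.CertificateSelector 15118 04142 "
    "Selected ca certificate with alias: 'user:205xxxxx.0' and thumbprint '<thumbprint>'.",
    "2019-08-01T19:22:47.1010000 VERB com.microsoft.omadm.utils.CertUtils 15118 04142 "
    "1 cert(s) matched criteria: User<ID>[i:<ID>,17CECEA1D337FAA7D167AD83A8CC7A8FCBF9xxxx;"
    "eku:1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2]",
    "2019-08-01T19:22:47.1110000 INFO com.microsoft.omadm.utils.CertificateSelector 15118 04142 "
    "Selected client cert with alias 'User<ID>' and requestId "
    "'ModelName=<ModelName>%2FLogicalName_<LogicalName>;Hash=-912418295'.",
    "2019-08-01T19:22:47.4120000 VERB com.microsoft.omadm.Services 15118 04142 "
    "Successfully applied, enabled and saved wifi profile '<profile ID>'",
]


def parse_line(line):
    """Split one Omadmlog record into its fields; None if the line doesn't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_wifi_apply(lines):
    """Walk the records and report what the Wi-Fi apply selected and whether it finished."""
    summary = {"applied": False, "profile": None, "ca_alias": None,
               "client_cert_alias": None, "client_auth_eku": None}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m = re.search(r"Selected ca certificate with alias: '([^']+)'", msg)
        if m:
            summary["ca_alias"] = m.group(1)
        m = re.search(r"cert\(s\) matched criteria:.*eku:([\d.,]+)\]", msg)
        if m:
            # The client cert must carry the Client Authentication EKU the article requires.
            summary["client_auth_eku"] = CLIENT_AUTH_EKU in m.group(1).split(",")
        m = re.search(r"Selected client cert with alias '([^']+)'", msg)
        if m:
            summary["client_cert_alias"] = m.group(1)
        m = re.search(r"Successfully applied, enabled and saved wifi profile '([^']+)'", msg)
        if m:
            summary["applied"], summary["profile"] = True, m.group(1)
    return summary


if __name__ == "__main__":
    print(summarize_wifi_apply(SAMPLE_LOG))
```

Feed it the lines you get from searching Omadmlog.log for "wifimgr" and "CertificateSelector" around the last sync timestamp; an apply that never reached the "Successfully applied" line, or a match whose EKU list lacks 1.3.6.1.5.5.7.3.2, points at the certificate profiles rather than the Wi-Fi profile itself.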

Troubleshoot iOS/iPadOS Wi-Fi profiles

After the Wi-Fi profile is installed on the device, it's shown in the Management Profile:

Review the iOS/iPadOS console and device logs

On iOS/iPadOS devices, the Company Portal app log doesn't include information about
Wi-Fi profiles. To see installation details of your Wi-Fi profiles, use the Console/Device
Logs:

1. Connect the iOS/iPadOS device to Mac. Go to Applications > Utilities, and open
the Console app.

2. Under Action, select Include Info Messages and Include Debug Messages:
3. Reproduce the scenario, and save the logs to a text file:
a. Select all the messages on the current screen: Edit > Select All.
b. Copy the messages: Edit > Copy.
c. Paste the log data in a text editor, and save the file.

4. Search the saved log file to see detailed information. When the profile successfully
installs, your output looks similar to the following log:

log

Line 390870: debug 11:19:58.994815 -0400 profiled Adding dependent www.windowsintune.com.wifi.Contoso to parent Microsoft.Profiles.MDM in domain ManagingProfileToManagedProfile to system\

Line 390872: debug 11:19:58.995210 -0400 profiled Adding dependent Microsoft.Profiles.MDM to parent www.windowsintune.com.wifi.Contoso in domain ManagedProfileToManagingProfile to system\

Line 392346: default 11:19:59.360460 -0400 profiled Profile \'93www.windowsintune.com.wifi.Contoso\'94 installed.\

Troubleshoot Windows Wi-Fi profiles

After the Wi-Fi profile is installed on the device, go to Settings > Accounts > Access
work or school > Select your account > Info:

In Areas managed by Microsoft, WiFi is shown:

To see the Wi-Fi connection, go to Settings > Network & Internet > Wi-Fi:

Review event viewer logs

On Windows devices, the details about Wi-Fi profiles are logged in the Event Viewer:

1. Open the Event Viewer app.

2. On the View menu, select Show Analytic and Debug Logs.

3. Expand Applications and Services Logs > Microsoft > Windows >
DeviceManagement-Enterprise-Diagnostic-Provider > Admin.

Your output looks similar to the following log:

log

Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date: 8/7/2019 8:01:41 PM
Event ID: 1506
Task Category: (1)
Level: Information
Keywords: (2)
User: SYSTEM
Computer: <Computer Name>
Description:
WiFiConfigurationServiceProvider: Node set value, type: (0x4), Result: (The operation completed successfully.).

Common issues

This section provides troubleshooting guidance for the following scenarios:

The Wi-Fi profile isn't deployed to the device
The Wi-Fi profile is deployed to the device, but the device can't connect to the
network
Users don't get new profile after changing password on existing profile
All Wi-Fi profiles report as failing
A Wi-Fi profile reports as failing, but seems to be working

The Wi-Fi profile isn't deployed to the device

Confirm the Wi-Fi profile is assigned to the correct group:

1. In the Microsoft Intune admin center, select Devices > Configuration profiles.
2. Select your profile > Assignments. Confirm the selected groups are correct.
3. In Intune, select Troubleshooting + Support. Review the Assignments
information.

In Intune, select Troubleshooting + Support. Confirm the device can sync with
Intune by checking the Last check in time.

If the Wi-Fi profile is linked to the Trusted Root and SCEP profiles, confirm both
profiles are deployed to the device. The Wi-Fi profile has a dependency on these
profiles.

On Windows 10 and newer devices, review the MDM Diagnostic Information log:

1. Go to Settings > Accounts > Access work or school.

2. Select your work or school account > Info.

3. At the bottom of the Settings page, select Create report.

4. A window opens that shows the path to the log files. Select Export.

5. Go to the \Users\Public\Documents\MDMDiagnostics path, and view the report:

Tip

For more information, see Diagnose MDM failures in Windows 10.

On Android devices, if the Trusted Root and SCEP profiles aren't installed on the
device, you see the following entry in the Company Portal app Omadmlog file:

log

2019-08-01T19:18:13.5120000 INFO
com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager
15118 04105 Skipping Wifi profile <profile ID> because it is
pending certificates.

When the Trusted Root and SCEP profiles are on the Android device and
compliant, the Wi-Fi profile might not be on the device. This issue happens
when the CertificateSelector provider from the Company Portal app doesn't
find a certificate that matches the specified criteria. The specific criteria can be
in the Certificate Template or in the SCEP profile.

If the matching certificate isn't found, the certificates on the device aren't
installed. The Wi-Fi profile isn't applied because it doesn't have the correct
certificate. In this scenario, you see the following entry in the Company Portal
app Omadmlog file:

Skipping Wifi profile <profile ID> because it is pending certificates.


The following sample log shows certificates being excluded because the Any
Purpose Extended Key Usage (EKU) criterion was specified, but the certificates
assigned to the device don't have that EKU:

log

2018-11-27T21:10:37.6390000 VERB
com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding
cert with alias User<ID1> and requestId <requestID1> as it does not
have any purpose EKU.

2018-11-27T21:10:37.6400000 VERB
com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding
cert with alias User<ID2> and requestId <requestID2> as it does not
have any purpose EKU.

2018-11-27T21:10:37.6400000 VERB
com.microsoft.omadm.utils.CertUtils 14210 00948 0 cert(s)
matched criteria:

2018-11-27T21:10:37.6400000 VERB
com.microsoft.omadm.utils.CertUtils 14210 00948 2 cert(s)
excluded by criteria:

2018-11-27T21:10:37.6400000 INFO
com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager
14210 00948 Skipping Wifi profile <profile ID>
because it is pending certificates.

The following sample shows the Any Purpose EKU entered in the SCEP profile, but
not in the Certificate Template on the certificate authority (CA). To fix the issue,
add the Any Purpose option to the certificate template. Or, remove the Any Purpose
option from the SCEP profile.


Confirm that all required certificates in the complete certificate chain are on the
Android device. Otherwise, the Wi-Fi profile can't be installed on the device. For
more information, see Missing intermediate certificate authority (opens
Android's web site).

Filter Omadmlog with keywords to look for information, such as which
certificate is used in the Wi-Fi profile, and if the profile successfully applied.

For example, use CMTrace to read the logs. Use the search string to filter
"wifimgr":

The output looks similar to the following log:


If you see an error in the log, copy the time stamp of the error and unfilter the
log. Then, use the "find" option with the time stamp to see what happened right
before the error.
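The filter-then-unfilter triage just described, as an added PowerShell example (not from the Intune documentation or the Company Portal app): it parses Omadmlog entries in the layout shown in the samples above, filters on "wifimgr", and returns the unfiltered entries logged just before the first problem entry. The sample lines are constructed from this page's excluded-certificate sample; ConvertFrom-OmadmLog and Get-OmadmContextBeforeError are names chosen here.

```powershell
# Added example (not from the Intune documentation): parse an Omadmlog file and do the
# "filter on a keyword, then unfilter around the error time stamp" triage described above.
# ConvertFrom-OmadmLog and Get-OmadmContextBeforeError are names chosen for this example.

function ConvertFrom-OmadmLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Entry layout seen in the samples on this page:
    #   <ISO time stamp> <LEVEL> <logger class> <pid> <tid> <message>
    $pattern = '^(?<Time>\d{4}-\d{2}-\d{2}T\S+)\s+(?<Level>[A-Z]+)\s+(?<Class>\S+)\s+\d+\s+\d+\s+(?<Message>.*)$'
    $entries = New-Object System.Collections.Generic.List[object]
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $entries.Add([pscustomobject]@{
                Index   = $entries.Count          # position in the unfiltered log
                Time    = [datetime]::Parse($Matches.Time, [cultureinfo]::InvariantCulture)
                Level   = $Matches.Level
                Class   = $Matches.Class
                Message = $Matches.Message
            })
        } elseif ($entries.Count -gt 0 -and $line.Trim()) {
            # A line without a time stamp is wrapped message text of the previous entry
            $entries[$entries.Count - 1].Message += ' ' + $line.Trim()
        }
    }
    return ,$entries.ToArray()
}

function Get-OmadmContextBeforeError {
    param(
        [Parameter(Mandatory)][object[]]$Entries,
        [string]$Keyword = 'wifimgr',   # same filter string the text suggests for CMTrace
        [int]$Before = 5
    )
    # Step 1: filter, as with the CMTrace search string
    $filtered = $Entries | Where-Object { $_.Class -match $Keyword -or $_.Message -match $Keyword }
    # Step 2: pick the first entry that signals a problem. ERROR-level entries count, and so
    # does the "pending certificates" skip shown on this page, which is logged at INFO level.
    $problem = $filtered |
        Where-Object { $_.Level -eq 'ERROR' -or $_.Message -match 'Skipping Wifi profile' } |
        Select-Object -First 1
    if (-not $problem) { return $null }
    # Step 3: go back to the unfiltered log and return what was logged right before it
    $start   = [Math]::Max(0, $problem.Index - $Before)
    $context = if ($problem.Index -gt 0) { $Entries[$start..($problem.Index - 1)] } else { @() }
    [pscustomobject]@{ Problem = $problem; Context = @($context) }
}

# Constructed sample modelled on the excluded-certificate entries shown on this page
$sampleLog = @(
    '2018-11-27T21:10:37.6390000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding cert with alias User<ID1> and requestId <requestID1> as it does not have any purpose EKU.'
    '2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding cert with alias User<ID2> and requestId <requestID2> as it does not have any purpose EKU.'
    '2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 0 cert(s) matched criteria:'
    '2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 2 cert(s) excluded by criteria:'
    '2018-11-27T21:10:37.6400000 INFO com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 14210 00948 Skipping Wifi profile <profile ID>'
    'because it is pending certificates.'
)
$result = Get-OmadmContextBeforeError -Entries (ConvertFrom-OmadmLog -Lines $sampleLog)
"Problem: $($result.Problem.Time.ToString('o')) $($result.Problem.Message)"
"Logged just before it:"
$result.Context | Format-Table Time, Level, Class, Message -AutoSize
# For a real capture: Get-OmadmContextBeforeError -Entries (ConvertFrom-OmadmLog -Lines (Get-Content .\Omadmlog.log))
```

On the constructed sample the context is the four CertUtils entries, which point straight at the EKU criterion as the cause of the skipped profile.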

The Wi-Fi profile is deployed to the device, but the device can't connect to the network

Typically, this issue is caused by something outside of Intune. The following tasks may
help you understand and troubleshoot connectivity issues:

Manually connect to the network using a certificate with the same criteria that's in
the Wi-Fi profile.

If you can connect, look at the certificate properties in the manual connection.
Then, update the Intune Wi-Fi profile with the same certificate properties.

Connectivity errors are usually logged in the RADIUS server log. For example, it
should show if the device tried to connect with the Wi-Fi profile.

Users don't get new profile after changing password on existing profile

You create a corporate Wi-Fi profile, deploy the profile to a group, change the password,
and save the profile. When the profile changes, some users may not get the new profile.

To mitigate this issue, set up guest Wi-Fi. If the corporate Wi-Fi fails, users can connect
to the guest Wi-Fi. Be sure to enable any automatically connect settings. Deploy the
guest Wi-Fi profile to all users.

Some additional recommendations:

If the Wi-Fi network you're connecting to uses a password or passphrase, make
sure you can connect to the Wi-Fi router directly. You can test with an iOS/iPadOS
device.
After you successfully connect to the Wi-Fi endpoint (Wi-Fi router), note the SSID
and the credential used (this value is the password or passphrase).
Enter the SSID and credential (password or passphrase) in the Pre-Shared Key field.
Deploy to a test group that has a limited number of users, preferably only the IT
team.
Sync your iOS/iPadOS device to Intune. Enroll if you haven't already enrolled.
Test connecting to the same Wi-Fi endpoint (as mentioned in the first step) again.
Roll out to larger groups and eventually to all expected users in your organization.

All Wi-Fi profiles report as failing

For Android Enterprise fully managed, dedicated, and corporate-owned work profile
devices, you might get a report that all profiles have failed. This can occur when you
deploy more than one Wi-Fi profile. In this case, when one fails, all the profiles you
deployed will report as failing (even if they are still working).

A Wi-Fi profile reports as failing, but seems to be working

If a Wi-Fi profile is working correctly on an Android device, but reports as failing, it may
be a reporting error. To fix this, update to the Intune app version 2021.05.02 or later.

Analyze your on-premises GPOs using Group Policy analytics in Microsoft Intune
Article • 08/28/2023

Tip

Looking for on-premises GPO analysis? There are tools available in the Microsoft
Security Compliance Toolkit.

Microsoft Intune has many of the same settings as your on-premises GPOs. Group
Policy analytics is a tool in Microsoft Intune that:

Analyzes your on-premises GPOs.
Shows the settings that cloud-based MDM providers support, including Microsoft
Intune.
Shows any deprecated settings, or settings not available.
Can migrate your imported GPOs to a settings catalog policy that can be deployed
to your devices.

If your organization uses on-premises GPOs to manage Windows 10/11 devices, then
Group Policy analytics can help. With Group Policy analytics, it's possible Intune can
replace your on-premises GPOs. Windows 10/11 devices are inherently cloud native. So
depending on your configuration, these devices might not require access to an on-
premises Active Directory.

If you're ready to remove the dependency on on-premises AD, then analyzing your
GPOs with Group Policy analytics is a good first step. Some older settings aren't
supported, or don't apply to cloud native Windows devices. After you analyze your
GPOs, you'll know which settings might still be valid.

This feature applies to:

Windows 11
Windows 10

This article shows you how to export your GPOs, import the GPOs into Intune, and
review the analysis and results. To migrate or transfer your imported GPOs to an Intune
policy, go to Create a Settings Catalog policy using your imported GPOs in Microsoft
Intune.

Before you begin

In the Microsoft Intune admin center, sign in as the Intune administrator or with a role
that has the Security Baselines permission.

For example, the Endpoint Security Manager role has the Security Baselines
permission. For more information on the built-in roles, see role-based access control.

Export a GPO as an XML file

The following steps might be different on your server, depending on the GPMC version
you're using. When you export the GPO, make sure you export as an XML file.

1. On your on-premises computer, open the Group Policy Management console
(GPMC.msc).

2. In the management console, expand your domain name.

3. Expand Group Policy Objects to see all the available GPOs.

4. Right-click the GPO you want to migrate and choose Save report:

5. Select an easily accessible folder for your export. In Save as type, select XML File.
In another step, you add this file to group policy analytics in Intune.

Make sure that the file is less than 4 MB and has a proper Unicode encoding. If the
exported file is greater than 4 MB, then reduce the number of settings in the group
policy object.
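As an added PowerShell example (not from the Intune documentation), the script below exports GPO reports with Get-GPOReport and applies the two pre-import checks from the paragraph above before anything is uploaded. It assumes "proper Unicode encoding" means a file with a UTF-16 or UTF-8 byte-order mark (the page doesn't define it further); Test-GpoXmlExport and Export-GpoForAnalytics are names chosen here, and the GroupPolicy module (RSAT) is needed only for the export step.

```powershell
# Added example (not from the Intune documentation). Get-GPOReport comes from the
# GroupPolicy module (RSAT/GPMC); Test-GpoXmlExport and Export-GpoForAnalytics are
# names chosen for this example.

function Test-GpoXmlExport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [long]$MaxBytes = 4MB        # page limit: a single GPO XML must be less than 4 MB
    )
    $file = Get-Item -LiteralPath $Path
    # Identify the encoding from the byte-order mark. Assumption: "proper Unicode encoding"
    # on the page means a UTF-16 or UTF-8 file that carries a BOM.
    $head = New-Object byte[] 3
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try { $read = $stream.Read($head, 0, 3) } finally { $stream.Dispose() }
    $encoding = 'no Unicode BOM'
    if     ($read -ge 2 -and $head[0] -eq 0xFF -and $head[1] -eq 0xFE) { $encoding = 'UTF-16 LE' }
    elseif ($read -ge 2 -and $head[0] -eq 0xFE -and $head[1] -eq 0xFF) { $encoding = 'UTF-16 BE' }
    elseif ($read -ge 3 -and $head[0] -eq 0xEF -and $head[1] -eq 0xBB -and $head[2] -eq 0xBF) { $encoding = 'UTF-8' }
    # A report that is not well-formed XML cannot be analyzed either, so parse it once locally
    $parses = $true
    try { $null = [xml](Get-Content -LiteralPath $file.FullName -Raw) } catch { $parses = $false }
    $underLimit = $file.Length -lt $MaxBytes
    [pscustomobject]@{
        File          = $file.Name
        SizeMB        = [math]::Round($file.Length / 1MB, 2)
        UnderLimit    = $underLimit
        Encoding      = $encoding
        ParsesAsXml   = $parses
        ReadyToImport = $underLimit -and ($encoding -ne 'no Unicode BOM') -and $parses
    }
}

function Export-GpoForAnalytics {
    param(
        [Parameter(Mandatory)][string]$OutputFolder,
        [string[]]$Name                # omit to export every GPO in the domain
    )
    Import-Module GroupPolicy -ErrorAction Stop
    $null = New-Item -ItemType Directory -Path $OutputFolder -Force
    $gpos = if ($Name) { $Name | ForEach-Object { Get-GPO -Name $_ } } else { Get-GPO -All }
    foreach ($gpo in $gpos) {
        # Use the display name as the file name, replacing characters illegal in file names
        $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        $xmlPath  = Join-Path $OutputFolder "$safeName.xml"
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $xmlPath
        Test-GpoXmlExport -Path $xmlPath     # one result object per GPO
    }
}

# Offline demonstration on a constructed file (UTF-16 LE with BOM, assumed here to match
# what GPMC's Save report writes)
$demoPath = Join-Path $env:TEMP 'Demo GPO.xml'
[System.IO.File]::WriteAllText($demoPath,
    '<?xml version="1.0" encoding="utf-16"?><GPO><Name>Demo GPO</Name></GPO>',
    [System.Text.Encoding]::Unicode)
Test-GpoXmlExport -Path $demoPath | Format-List
# Against a real domain: Export-GpoForAnalytics -OutputFolder C:\GpoExport | Where-Object { -not $_.ReadyToImport }
```

Only files whose ReadyToImport is True are worth uploading; a False result tells you which of the two limits (size or encoding) to fix before the import fails.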

Import GPOs and run analytics

1. In the Microsoft Intune admin center, select Devices > Group Policy analytics.

2. Select Import, select your saved XML file > Next.

You can select multiple files at the same time.

Check the sizes of your individual GPO XML files. A single GPO can't be bigger
than 4 MB. If a single GPO is larger than 4 MB, then the import fails. XML files
without the appropriate Unicode encoding also fail.

3. In Scope tags, select the existing scope tag you want to apply to the imported
GPO. If you don't select an existing scope tag, then the Default scope tag is
automatically used:

Only admins included in the scope tags you select can see the imported GPO. For
more information on scope tags on your imported GPOs, go to Select a scope tag
when you import (in this article).

4. Select Next > Create.

When you select Create, Intune automatically analyzes the GPO in the XML file.

5. After the analysis runs, the GPO you imported is listed with the following
information:

Group Policy name: The name is automatically generated using information
in the GPO.

Active Directory Target: The target is automatically generated using the
organizational unit (OU) target information in the GPO.

MDM Support: Shows the percentage of group policy settings in the GPO
that have the same setting in Intune.

Note

Whenever the Microsoft Intune product team makes changes to the
mapping in Intune, the percentage under MDM Support automatically
updates to reflect those changes.

Unknown Settings: There are some CSPs that can't be analyzed. Unknown
Settings lists the GPOs that can't be analyzed.

Targeted in AD: Yes means the GPO is linked to an OU in on-premises group
policy. No means the GPO isn't linked to an on-premises OU.

Last imported: Shows the date of the last import.

You can Import more GPOs for analysis, Refresh the page, and Filter the output.
You can also Export this view to a .csv file:

6. Select the MDM Support percentage for a listed GPO. More detailed information
about the GPO is shown:

Setting Name: The name is automatically generated using information in the
GPO setting.

Group Policy Setting Category: Shows the setting category for ADMX
settings, such as Internet Explorer and Microsoft Edge. Not all settings have a
setting category.

MDM Support:
Yes means there's a matching setting available in Intune. You can
configure this setting in the Settings Catalog.
No means there isn't a matching setting available to MDM providers,
including Intune.

Value: Shows the value imported from the GPO. It shows different values,
such as true, 900, Enabled, false, and so on.

Scope: Shows if the imported GPO targets users or targets devices.

Min OS Version: Shows the minimum Windows OS version build numbers
that the GPO setting applies to. It may show 18362 (1903), 17130 (1803), and
other Windows client versions.

For example, if a policy setting shows 18362, then the setting supports build
18362 and newer builds.

CSP Name: A Configuration Service Provider (CSP) exposes device
configuration settings in Windows client. This column shows the CSP that
includes the setting. For example, you may see Policy, BitLocker,
PassportforWork, and so on.

The CSP reference lists the available CSPs, shows the supported OS editions,
and more.

CSP Mapping: Shows the OMA-URI path for the on-premises policy. You can
use the OMA-URI in a custom device configuration profile. For example, you
may see ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption.

7. For the settings that have MDM support, you can create a Settings Catalog policy
with these settings. For the specific steps, go to Create a Settings Catalog policy
using your imported GPOs in Microsoft Intune.

Select a scope tag when you import

When you import a GPO, you can select existing scope tags. If you don't select a scope
tag, then the Default scope tag is automatically used. Only admins scoped to the
Default scope tag can see the imported GPO. Admins that aren't scoped to the Default
scope tag don't see the imported GPO.

This behavior applies to any scope tag you select when you import a GPO. Admins only
see the imported GPOs if they have one of the same scope tags selected during the
import. If an admin doesn't have the scope tag, then they don't see the imported GPO in
the reporting or in the list of GPOs.

For example, admins have "Charlotte", "London", or "Boston" scope tags assigned to
their role:

An admin with the "Charlotte" scope tag imports a GPO.
During the import, they select the "Charlotte" scope tag. The "Charlotte" scope tag
is applied to the imported GPO.
All admins with the "Charlotte" scope tag can see the imported object.
Admins with only the "London" or only the "Boston" scope tags can't see the
imported object from the "Charlotte" admin.

For admins to see the analytics or migrate the imported GPO to an Intune policy, these
admins must have one of the same scope tags selected during the import.

For more information on scope tags, go to RBAC and scope tags for distributed IT.

Supported CSPs and group policies

Group Policy analytics can parse the following CSPs for MDM support:

Policy CSP
PassportForWork CSP
BitLocker CSP
Firewall CSP
AppLocker CSP
Group Policy Preferences

If your imported GPO has settings that aren't in the supported CSPs and Group Policies,
then the settings may be listed in the Unknown Settings column. This behavior means
the settings were identified in your GPO.

Even though Group Policy analytics can parse the CSPs, there are some things you
should know when migrating your imported GPOs. For more information, go to Migrate
your imported GPO to a Settings Catalog policy - What you need to know.

Group Policy migration readiness report

1. In the Microsoft Intune admin center, select Reports > Group policy analytics:
2. In the Summary tab, a summary of the GPO and its policies are shown. Use this
information to determine the status of the policies in your GPO:

Ready for migration: The policy has a matching setting in Intune, and is
ready to be migrated to Intune.

Not supported: The policy doesn't have a matching setting. Typically, policy
settings that show this status aren't exposed to MDM providers, including
Intune.

Deprecated: The policy may apply to older Windows versions, older Microsoft
Edge versions, and more policies that aren't used anymore.

Note

When the Microsoft Intune product team updates the mapping logic,
your imported GPOs are automatically updated. You don't need to
reimport your GPOs.

3. Select the Reports tab > Group policy migration readiness. In this report, you can:

See the number of settings in your GPO that can be configured in a device
configuration profile. It also shows if the settings can be in a custom profile,
aren't supported, or are deprecated.
Filter the report output using the Migration Readiness, Profile type, and CSP
Name filters.
Select Generate report or Generate again to get current data.
See the list of settings in your GPO.
Use the search bar to find specific settings.
Get a time stamp of when the report was last generated.

Note

After you add or remove your imported GPOs, it can take about 20 minutes to
update the Migration Readiness reporting data.

Known issues
Currently, the Group Policy analytics tool only supports non-ADMX settings in the
English language. If you import a GPO with settings in languages other than English,
then your MDM Support percentage is inaccurate.

Send product feedback

You can provide feedback on Group Policy Analytics. In the Microsoft Intune admin
center, select Devices > Group Policy analytics > Got feedback.

Examples of feedback areas:

You received errors during GPO import or analytics, and you need more specific
information.
How easy is it to use Group Policy analytics to find the supported group policies in
Microsoft Intune?
Will this tool help you move some workloads to Intune? If yes, what workloads are
you considering?

To get information on the customer experience, the feedback is aggregated, and sent to
Microsoft. Entering an email is optional, and may be used to get more information.

Privacy and security

Any use of customer data, such as which GPOs are used in your organization, is
aggregated. It's not sold to any third parties. This data might be used to make business
decisions within Microsoft. Your customer data is stored securely.

At any time, you can delete imported GPOs:

1. Go to Devices > Group Policy analytics.

2. Select the context menu > Delete:

Next steps

Create a Settings Catalog policy using your imported GPOs in Microsoft Intune
Use Windows 10/11 Administrative Templates to configure group policy settings in
Microsoft Intune

See also

Learn more about Configuration Service Providers (CSP).
Create a Settings Catalog policy using your imported GPOs in Microsoft Intune (public preview)
Article • 08/02/2023

You can import your on-premises Group Policy Objects (GPOs), and create an Intune
policy using these imported settings. This policy can be deployed to users and devices
managed by your organization.

With Group Policy Analytics, you import your on-premises GPOs. It analyzes your
imported GPOs, and shows the settings that are also available in Microsoft Intune. For
the settings that are available, you can create a Settings Catalog policy, and then deploy
the policy to your managed devices.

This feature applies to:

Windows 11
Windows 10

This article shows you how to create the policy from your imported GPOs. For more
information and an overview on Group Policy Analytics, go to Analyze your on-premises
group policy objects (GPO) using Group Policy analytics in Microsoft Intune.

Before you begin

In the Microsoft Intune admin center, sign in as:

The Intune administrator

OR

A role that has the Security baselines permission and the Device
configurations/Create permission

For more information about the permissions included with the built-in Intune roles,
go to built-in admin roles. For information on custom roles, go to assign
permissions to custom roles.

Import your on-premises GPOs, and review the results.

For the specific steps, go to Analyze your on-premises group policy objects (GPO)
using Group Policy analytics in Microsoft Intune.

Only admins scoped to the GPO can create a settings catalog policy from that
imported GPO. Scope tags are first applied during import of the GPO and can be
edited. If a scope tag isn't or wasn't selected during the GPO import, then the
Default scope tag is automatically used.

This feature is in public preview. For more information, go to Public preview in
Microsoft Intune.

Review and migrate your GPOs to a Settings Catalog policy

After you import your GPOs, review the settings that can be migrated. Remember, some
settings don't make sense on cloud native endpoints, like Windows 10/11 devices. After
they've been reviewed, you can migrate the settings to a Settings Catalog policy.

1. In the Microsoft Intune admin center, select Devices > Group Policy analytics.

2. In the list, your imported GPOs are shown. Next to the GPO you want in your
Settings Catalog profile, select the Migrate checkbox. You can select one GPO or
many GPOs:

3. To see all the settings in your imported GPO, select Migrate:

4. In the Settings to migrate tab, select the Migrate column for the settings you want
to include in your Settings Catalog profile:
To help you pick the settings, you can use the built-in features:

Select all on this page: Select this option if you want all settings on the
existing page to be included in your Settings Catalog profile.

Search by setting name: Enter the setting name to find the settings you want:

Sort: Sort your settings using the column names:

Tip

If you haven't already, review your Group Policy settings. It's possible some
settings don't apply to cloud-based policy management or don't apply to
cloud native endpoints, like Windows 10/11 devices. It's not recommended to
include all your Group Policy settings without reviewing them.

Select Next.

5. In Configuration, your settings and their values are shown. The values are the
same values in the on-premises Group Policy. Review these settings and their
values.

After you create the Settings Catalog policy, you can change any values.

Select Next.

6. In Profile info, enter the following settings:

Name: Enter a descriptive name for the Setting Catalog profile. Name your
profiles so you can easily identify them later. For example, a good profile
name is Windows 10/11: Imported Microsoft Edge GPOs.
Description: Enter a description for the profile. This setting is optional, but
recommended.
Select Next.

7. In Scope tags, optionally assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, go to Use RBAC roles and scope tags for distributed IT.

8. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, including advice and guidance, go to Assign user
and device profiles in Intune.

Select Next.

9. In Review + deploy, review your settings.

When you select Create, your changes are saved, and the profile is assigned. The
policy is shown in the Devices > Configuration profiles list.

The next time any device within your assigned groups checks for configuration updates,
the settings you configured are applied.

Conflicting settings are detected early


It's possible you have multiple GPOs that include the same setting, and that the setting
is set to different values. When you're creating a policy, and selecting your settings in
the Settings to migrate tab, any conflicting settings show the following error:

Conflicts are detected for the following settings: <setting name>. Select only one
version with the value you prefer in order to continue.

To resolve the conflict, uncheck a conflicting setting, and continue the migration.

What you need to know


The Migrate feature takes the parsed data from the imported Group Policy object (GPO)
and translates it to a relevant setting in the Settings Catalog, if the setting exists.

Migrate is best effort.

When you create the Settings Catalog profile, any settings that can be included in the
profile are included. There can be some differences with the imported settings and the
settings in Settings Catalog.

Some settings have a better configuration experience in Endpoint Security

If you import AppLocker settings or Firewall rule settings, then the Migrate option
is disabled and grayed out. Instead, configure these settings using the Endpoint
Security workload in the Intune admin center.

For more information, go to:

Firewall policy in Endpoint Security
Endpoint security firewall rule migration tool overview
Application control policy in Endpoint Security.

If you have GPOs that focus on endpoint security, then you should look at the
features available in Endpoint Security, including Security Baselines and mobile
threat defense.

Some settings don't migrate exactly, and may use a different setting

In some scenarios, some GPO settings don't migrate to the exact same setting in
the Settings Catalog. Intune shows an alternate setting that has a similar effect.

For example, you may see this behavior if you import GPOs that include older
Office Administrative Template settings or older Google Chrome settings.

Some settings fail to migrate

It's possible some errors can happen when the settings are migrating. When the
profile is being created, settings that return an error are shown in Notifications:

Some common reasons a setting may show an error include:

The setting value is in an unexpected format.
A child setting is missing from the imported GPO and is required to configure
the parent setting.

Next steps
Analyze your on-premises group policy objects (GPO) using Group Policy analytics
in Microsoft Intune
Use Windows 10/11 Administrative Templates to configure group policy settings in
Microsoft Intune
Use the settings catalog to configure settings on Windows and macOS devices
Use Windows 10/11 templates to configure group policy settings in Microsoft Intune
Article • 05/03/2023

Administrative Templates in Microsoft Intune include thousands of settings that control
features in Microsoft Edge version 77 and later, Internet Explorer, Google Chrome,
Microsoft Office programs, remote desktop, OneDrive, passwords, PINs, and more.
These settings allow administrators to create group policies using the cloud.

This feature applies to:

Windows 11
Windows 10

The Intune templates are 100% cloud-based, are built in to Intune (no downloading),
and don't require any customizations, including using OMA-URI. They offer a straight-
forward way to configure the settings, and find the settings you want:

The Windows settings are similar to group policy (GPO) settings in on-premises
Active Directory (AD). These settings are built in to Windows, and are ADMX-
backed settings that use XML.

The Office, Microsoft Edge, and Visual Studio settings are ADMX-ingested, and
use the same administrative template files that you would download in on-
premises environments.

You can import custom and third party ADMX and ADML files. For more
information, including the steps, go to Import custom or partner ADMX files.

When managing devices in your organization, you want to create groups of settings that
apply to different device groups. You also want a simple view of the settings you can
configure. You can complete this task using Administrative Templates in Microsoft
Intune.

As part of your mobile device management (MDM) solution, use these template settings
as a one-stop shop to manage your Windows client devices.

This article lists the steps to create a template for Windows client devices, and shows
how to filter all the available settings in Intune. When you create the template, it creates
a device configuration profile. You can then assign or deploy this profile to Windows
client devices in your organization.

Before you begin

Some of these settings are available starting with Windows 10 version 1709
(RS2/build 15063). Some settings aren't included in all the Windows editions. For
the best experience, it's suggested to use Windows 10 Enterprise version 1903
(19H1/build 18362) and newer.

The Windows settings use the Windows policy CSPs. The CSPs work on different
editions of Windows, such as Home, Professional, Enterprise, and so on. To see if a
CSP works on a specific edition, go to Windows policy CSPs.

There are two ways to create an administrative template: Using a template, or
using the Settings Catalog. This article focuses on using the Administrative
Templates template. The Settings Catalog has more Administrative Template
settings available.

For the specific steps to use the Settings Catalog, see Use the settings catalog to
configure settings.

Create the template

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.

Profile: To use a logical grouping of settings, select Templates >
Administrative Templates. To see all the settings, select Settings catalog.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is ADMX:
Windows 10/11 admin template that configures xyz settings in Microsoft
Edge.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, select All settings to see an alphabetical list of all the
settings. Or, configure settings that apply to devices (Computer configuration),
and settings that apply to users (User configuration):

Note

If you're using the Settings catalog, then select Add settings, and expand
Administrative Templates. Select any setting to see what you can configure.
For more information on creating policies using the Settings Catalog, see Use
the settings catalog to configure settings.

8. When you select All settings, every setting is listed. Scroll down to use the before
and next arrows to see more settings:

9. Select any setting. For example, filter on Office, and select Activate Restricted
Browsing. A detailed description of the setting is shown. Choose Enabled,
Disabled, or leave the setting as Not configured (default). The detailed description
also explains what happens when you choose Enabled, Disabled, or Not
configured.

Tip

The Windows settings in Intune correlate to the on-premises group policy
path you see in Local Group Policy Editor (gpedit).

10. When you select Computer configuration or User configuration, the setting
categories are shown. You can select any category to see the available settings.

For example, select Computer configuration > Windows components > Internet
Explorer to see all the device settings that apply to Internet Explorer:

11. Select OK to save your changes.

Continue to go through the list of settings, and configure the settings you want in
your environment. Here are some examples:

Use the VBA Macro Notification Settings setting to handle VBA macros in
different Microsoft Office programs, including Word and Excel.
Use the Allow file downloads setting to allow or prevent downloads from
Internet Explorer.
Use Require a password when a computer wakes (plugged in) to prompt
users for a password when devices wake from sleep mode.
Use the Download unsigned ActiveX controls setting to block users from
downloading unsigned ActiveX controls from Internet Explorer.
Use the Turn off System Restore setting to allow or prevent users from
running a system restore on the device.
Use the Allow importing of favorites setting to allow or block users from
importing favorites from another browser into Microsoft Edge.
And much more...

12. Select Next.

13. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

Select Next.

14. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles in Intune.

If the profile is assigned to user groups, then configured ADMX settings apply to
any device that the user enrolls, and signs in to. If the profile is assigned to device
groups, then configured ADMX settings apply to any user that signs into that
device. This assignment happens if the ADMX setting is a computer configuration
(HKEY_LOCAL_MACHINE), or a user configuration (HKEY_CURRENT_USER). With some
settings, a computer setting assigned to a user may also impact the experience of
other users on that device.

For more information, see User groups vs. device groups when assigning policies.

Select Next.

15. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time the device checks for configuration updates, the settings you configured
are applied.

Find some settings


There are thousands of settings available in these templates. To make it easier to find
specific settings, use the built-in features:

In your template, select the Settings, State, Setting type, or Path columns to sort
the list. For example, select the Path column, and use the next arrow to see the
settings in the Microsoft Excel path.

In your template, use the Search box to find specific settings. You can search by
setting, or path. For example, select All settings, and search for copy. All the
settings with copy are shown:

In another example, search for microsoft word. You see the settings you can set for
the Microsoft Word program. Search for explorer to see the Internet Explorer
settings you can add to your template.

You can also narrow your search by only selecting Computer configuration or User
configuration.

For example, to see all the available Internet Explorer user settings, select User
configuration, and search for Internet Explorer. Only the IE settings that apply to
users are shown:

Create a Known Issue Rollback (KIR) policy


On your enrolled devices, you can use administrative templates to create a Known Issue
Rollback (KIR) policy, and deploy this policy to your Windows devices. For the specific
steps, go to Deploy a KIR activation using Microsoft Intune ADMX policy ingestion to
managed devices.

For more information on KIR, and what it is, go to:

Known Issue Rollback: Helping you keep Windows devices protected and
productive
How to use on-premises Group Policy or Intune to deploy a Known Issue Rollback

Next steps
The template is created, but may not be doing anything yet. Be sure to assign the
template (also called a profile) and monitor the policy status.

Update Office using administrative templates.

Restrict USB devices using administrative templates.

Create Microsoft Edge policy using ADMX.

Import custom or partner ADMX files.


Tutorial: Use the cloud to configure group policy on Windows client devices with ADMX templates and Microsoft Intune

Import custom ADMX and ADML administrative templates into Microsoft Intune (public preview)
Article • 05/31/2023

You can import custom and third-party/partner ADMX and ADML templates into the
Intune admin center. Once imported, you can create a device configuration policy using
these settings, and then assign the policy to your managed devices.

This feature applies to:

Windows 11
Windows 10

This article shows you how to import custom ADMX and ADML files in the Intune admin
center. For more information on administrative templates in Intune, go to Use ADMX
templates to configure policy settings in Microsoft Intune.

Tip

The settings catalog has many settings natively built-in to Intune, including Google
Chrome. For more information, go to:

Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices
Common tasks you can complete using the Settings Catalog

What you need to know


This feature is in public preview.

There are some limits:

A maximum of 10 ADMX files can be uploaded. Each file must be 1 MB or smaller.
For each ADMX file, only one ADML file can be uploaded.
Each ADMX file supports one language.
Currently, only en-us ADML files are supported.


Some ADMX files have dependency prerequisites. Import any dependency ADMX
files first. If you upload an ADMX file without the dependency, an error message
will list the missing namespace.

For example, to import Mozilla Firefox ADMX and ADML files, you:

1. Import the mozilla.admx and mozilla.adml files. Make sure the status shows
Available.
2. Import the firefox.admx and firefox.adml files.

If you upload firefox.admx before mozilla.adml, then the import will fail.

To see if your ADMX has a dependency, open the ADMX file in a text editor and
look for using prefix in the policyNamespaces node. Any dependencies will be
listed.

In the following example, the kerberos.admx file requires the Windows.admx file:

XML

<policyNamespaces>
  <target prefix="kerberos" namespace="Microsoft.Policies.Kerberos" />
  <using prefix="windows" namespace="Microsoft.Policies.Windows" />
</policyNamespaces>

To remove a dependency prerequisite, delete the associated ADMX file first. Then, delete
the dependency prerequisite. In our Mozilla Firefox example, delete firefox.admx and
then delete mozilla.admx.

Some files may require Windows.admx as a prerequisite. This file must be uploaded
first. In a future release (no ETA), this namespace will be automatically included and
eventually not be required.
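To check a batch of files before uploading them, the following PowerShell (an added example, not part of this article or of Intune) reads the policyNamespaces node of each ADMX and orders the files so that every namespace named in a using element is imported first; the file names and XML below are constructed, and orphan.admx stands in for a file whose parent namespace is not in the set.

```powershell
# Added example (not from the Intune docs): work out the order in which a set of ADMX
# files must be uploaded so that each <using> namespace is already imported, and list
# the namespaces that nothing in the set provides (those imports would fail).

function Get-AdmxImportOrder {
    # $AdmxFiles: hashtable of file name -> ADMX XML text (for real files use Get-Content -Raw).
    param([Parameter(Mandatory)] [hashtable] $AdmxFiles)

    # Pass 1: what each file provides (<target>) and what it requires (<using>).
    $info = @{}
    foreach ($name in $AdmxFiles.Keys) {
        $pn = ([xml] $AdmxFiles[$name]).policyDefinitions.policyNamespaces
        $requires = @()
        foreach ($u in @($pn.using)) {
            if ($u) { $requires += $u.GetAttribute('namespace') }
        }
        $info[$name] = [pscustomobject]@{
            Provides = $pn.target.GetAttribute('namespace')
            Requires = $requires
        }
    }
    $provider = @{}   # namespace -> file whose <target> declares it
    foreach ($name in $info.Keys) { $provider[$info[$name].Provides] = $name }

    # Pass 2: Kahn-style ordering. A file is ready once every namespace it uses has been
    # emitted; a file that uses a namespace nobody provides can never be imported.
    $remaining = New-Object System.Collections.Generic.List[string]
    foreach ($n in ($info.Keys | Sort-Object)) { $remaining.Add($n) }
    $order    = New-Object System.Collections.Generic.List[string]
    $emitted  = @{}
    $missing  = @{}   # namespace -> files that need it but nothing in the set provides it
    $progress = $true
    while ($remaining.Count -gt 0 -and $progress) {
        $progress = $false
        foreach ($name in @($remaining)) {
            $ready = $true
            foreach ($ns in $info[$name].Requires) {
                if (-not $provider.ContainsKey($ns)) {
                    $ready = $false
                    if (-not $missing.ContainsKey($ns)) { $missing[$ns] = @() }
                    if ($missing[$ns] -notcontains $name) { $missing[$ns] += $name }
                }
                elseif (-not $emitted.ContainsKey($provider[$ns])) {
                    $ready = $false
                }
            }
            if ($ready) {
                $order.Add($name)
                $emitted[$name] = $true
                [void] $remaining.Remove($name)
                $progress = $true
            }
        }
    }
    [pscustomobject]@{
        Order   = $order.ToArray()       # upload in this sequence
        Blocked = $remaining.ToArray()   # parent namespace missing (or a dependency cycle)
        Missing = $missing
    }
}

# Builds a minimal ADMX document; only policyNamespaces matters for the import order.
function New-SampleAdmx([string] $Target, [string[]] $Uses = @()) {
    $usingXml = ($Uses | ForEach-Object { "<using prefix=""dep"" namespace=""$_"" />" }) -join ''
    @"
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policyNamespaces><target prefix="self" namespace="$Target" />$usingXml</policyNamespaces>
  <resources minRequiredRevision="1.0" />
</policyDefinitions>
"@
}

# Constructed sample set. The Windows/Kerberos and Mozilla/Firefox pairs mirror the two
# dependency examples in the article; orphan.admx is made up to show a missing parent.
$sample = @{
    'windows.admx'  = New-SampleAdmx 'Microsoft.Policies.Windows'
    'kerberos.admx' = New-SampleAdmx 'Microsoft.Policies.Kerberos' @('Microsoft.Policies.Windows')
    'mozilla.admx'  = New-SampleAdmx 'Mozilla.Policies'
    'firefox.admx'  = New-SampleAdmx 'Mozilla.Policies.Firefox' @('Mozilla.Policies')
    'orphan.admx'   = New-SampleAdmx 'Contoso.Policies.App' @('Contoso.Policies.Base')
}
$result = Get-AdmxImportOrder -AdmxFiles $sample
"Upload in this order : $($result.Order -join ' -> ')"
"Cannot be imported   : $($result.Blocked -join ', ')"
foreach ($ns in $result.Missing.Keys) {
    "Missing namespace $ns (needed by $($result.Missing[$ns] -join ', ')) - import its ADMX first"
}
```

Files reported as Blocked are the ones whose upload would fail with the namespace error described above; import (or obtain) the missing parent ADMX before retrying them.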

Currently, the combo box setting type isn't supported. ADMX files with the combo
box setting type will fail to import. All other setting types are supported.

Not all areas of the registry can be set using custom ADMX. For more information
on the registry locations that can be used, go to Win32 and Desktop Bridge app
ADMX policy Ingestion Overview.

ADMX settings that are built into Windows (located in the
C:\Windows\PolicyDefinitions folder) are enabled through configuration service
providers (CSPs).

Don't import these built-in settings if your intent is to configure them. Instead,
use the settings catalog or a custom profile.
Do import these built-in settings if they're a required parent namespace of
another file.

For a list of the ADMX backed CSP settings, go to ADMX-backed policies in Policy
CSP.

Download the ADMX templates


Download the ADMX templates you want to import. Save these files to an easily
accessible folder, like C:\ADMXTemplates. Some common ADMX template downloads
include:

Adobe Reader
Mozilla Firefox
Zoom

Add the ADMX and ADML files


1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Import ADMX > Import:

Alternatively, you can also import from Devices > Windows > Configuration
profiles > Import ADMX.

3. Upload your files:

ADMX file: Select the ADMX file you want to upload.
ADML file for the default language: Select the ADML file you want to
upload. Remember, you can add only one language file for each ADMX file
you upload. For any other limitations, go to What you need to know (in this
article).
Specify the language of the ADML file: Shows the ADML language of the file
you uploaded.

4. Select Next.

5. In Review + Create, review your changes. Select Create to import the files.

When the import completes, your ADMX templates are shown in the list. You can also:

Select Refresh to see the updated state.
See the upload Status.
Delete an imported template.

Create a profile using your imported files


1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.

Profile: Select Templates > Imported Administrative templates (Preview):


4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is ADMX:
Mozilla Firefox for Windows 10/11 devices.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, select and configure the settings you want in your
policy. When finished, select Next.

8. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

Select Next.

9. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles in Intune.

If the profile is assigned to user groups, then configured ADMX settings apply to
any device that the user enrolls, and signs in to. If the profile is assigned to device
groups, then configured ADMX settings apply to any user that signs into that
device. This assignment happens if the ADMX setting is a computer configuration
(HKEY_LOCAL_MACHINE), or a user configuration (HKEY_CURRENT_USER). With some
settings, a computer setting assigned to a user may also impact the experience of
other users on that device.

For more information, see User groups vs. device groups when assigning policies.

Select Next.

10. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Replace existing ADMX files


If you upload an ADMX file with settings that are already imported, then the upload will
fail.

For example, if you upload a different version of an ADMX file that has the same settings
as the original ADMX file, then the upload will fail with a namespace error.

To update existing ADMX files that are imported, you have the following options:

Option 1: Replace the existing ADMX file

To replace an existing ADMX file with the same settings, you can use the following
steps:

1. Delete any profiles using the existing ADMX settings.
2. Delete the original ADMX file you imported.
3. Import the new ADMX and ADML files.

Option 2: Create a new ADMX file

1. Create another version of the ADMX file with the same namespace as the
original ADMX file.
2. Add the new and different settings to this ADMX file.
3. Import the new ADMX and ADML files.

Next steps
Overview: Use ADMX templates to configure policy settings in Microsoft Intune

Use Update Channel and Target Version settings to update Microsoft 365 with Microsoft Intune Administrative Templates
Article • 05/17/2023

In Intune, you can use Windows ADMX templates to configure group policy settings.
This article shows you how to update Microsoft 365 using an administrative template in
Intune. It also gives guidance on confirming your policies apply successfully. This
information also helps when troubleshooting.

In this scenario, you create an administrative template in Intune that updates Microsoft
365 on your devices.

For more information on administrative templates, go to Windows ADMX templates to
configure group policy settings.

Applies to:

Windows 11
Windows 10
Microsoft 365

Prerequisites
Be sure to enable Microsoft 365 Apps Automatic Updates for your Office apps. You can
do this using group policy, or the Intune Office 2016 ADMX template:

Set the Update Channel in the Intune administrative template

1. In your Intune administrative template, go to the Update Channel setting, and
enter the channel you want. For example, choose Semi-Annual Channel:

Note

It's recommended to update more frequently. Semi-annually is only used as
an example.

2. Be sure to assign the policy to your Windows client devices. To test your policy
sooner, you can also sync the policy:

Sync the policy in Intune
Manually sync the policy on the device

Check the Intune registry keys


After you assign the policy and the device syncs, you can confirm the policy is applied:

1. On the device, open the Registry Editor app.

2. Go to the Intune policy path:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\<Provider ID>\default\Device\office16~Policy~L_MicrosoftOfficemachine~L_Updates.

Tip

The <Provider ID> in the registry key changes. To find the provider ID for
your device, open the Registry Editor app, and go to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled. The provider ID is shown.

When the policy is applied, you see the following registry keys:

L_UpdateBranch
L_UpdateTargetVersion

Looking at the following example, you see L_UpdateBranch has a value similar to
<enabled /><data id="L_UpdateBranchID" value="Deferred" />. This value means
it's set to Semi-Annual Channel:

Tip

Manage Microsoft 365 Apps with Configuration Manager lists the values,
and what they mean. The registry values are based on the distribution channel
selected:

Monthly Channel - value="Current"
Monthly Channel (Targeted) - value="Current"
Semi-Annual Channel - value="Current"
Semi-Annual Channel (Targeted) - value="FirstReleaseDeferred"
Insider Fast - value="InsiderFast"

At this point, the Intune policy is successfully applied to the device.

Check the Office registry keys


1. On the device, open the Registry Editor app.

2. Go to the Office policy path:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration.

You see the following registry keys:

UpdateChannel: A dynamic key that changes, depending on the configured settings.
CDNBaseUrl: Set when Microsoft 365 installs on the device.

3. Look at the UpdateChannel value. The value tells you how frequently Office is
updated. Manage Microsoft 365 Apps with Configuration Manager lists the values,
and what they're set to.

Looking at the following example, you see UpdateChannel is set to
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60, which
is monthly:

This example means the policy isn't applied yet, as it's still set to monthly, instead
of semi-annual.

This registry key is updated when the Task Scheduler > Office Automatic Updates 2.0
runs, or when a user signs into the device. To confirm, open the Office Automatic
Updates 2.0 task > Triggers. Depending on your triggers, it can take at least a day and
more before the UpdateChannel registry key is updated.
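The two registry checks above can be done in one pass with the following PowerShell, an added example that is not part of this article or of Intune; it also covers the L_UpdateTargetVersion check under Step 2 further down. It assumes the key paths quoted in this article, the two CDN URLs the article shows for UpdateChannel, and the L_UpdateBranch value names from the article's example and tip (the channel-name table is a helper written for this example).

```powershell
# Added example (not from the Intune docs): read back the two registry locations checked
# above and report whether the Intune ADMX policy has reached the device and whether
# Office has picked it up yet. Run it on the managed device from an elevated prompt.

# Intune stores an ADMX-backed setting as an XML fragment such as
# <enabled /><data id="L_UpdateBranchID" value="Deferred" />; this turns it into state + data.
function ConvertFrom-AdmxPolicyValue([string] $RawValue) {
    if ([string]::IsNullOrWhiteSpace($RawValue)) {
        return [pscustomobject]@{ State = 'NotConfigured'; Data = @{} }
    }
    $xml   = [xml] "<root>$RawValue</root>"   # wrap so the fragment is a well-formed document
    $state = 'Unknown'
    if ($xml.root.SelectSingleNode('enabled')) { $state = 'Enabled' }
    elseif ($xml.root.SelectSingleNode('disabled')) { $state = 'Disabled' }
    $data = @{}
    foreach ($d in $xml.root.SelectNodes('data')) {
        $data[$d.GetAttribute('id')] = $d.GetAttribute('value')
    }
    [pscustomobject]@{ State = $state; Data = $data }
}

function Get-MapValue([hashtable] $Table, [string] $Key) {
    if ($Key -and $Table.ContainsKey($Key)) { return $Table[$Key] }
}

# Channel names for L_UpdateBranch as given in the article (its example value "Deferred"
# is Semi-Annual Channel), and the two CDN URLs the article quotes for UpdateChannel.
$BranchNames = @{
    'Current'              = 'Monthly Channel'
    'Deferred'             = 'Semi-Annual Channel'
    'FirstReleaseDeferred' = 'Semi-Annual Channel (Targeted)'
    'InsiderFast'          = 'Insider Fast'
}
$BranchCdnUrl = @{
    'Current'  = 'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60'
    'Deferred' = 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'
}

# Intune side: the provider ID differs per device, so enumerate AdmxInstalled instead of
# hard-coding it, and look for the office16 Updates policy under each provider.
function Get-IntuneOfficeUpdatePolicy {
    $base  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'
    $found = @()
    foreach ($prov in (Get-ChildItem -Path "$base\AdmxInstalled" -ErrorAction SilentlyContinue)) {
        $id   = $prov.PSChildName
        $path = "$base\Providers\$id\default\Device\office16~Policy~L_MicrosoftOfficemachine~L_Updates"
        if (-not (Test-Path -Path $path)) { continue }
        $p       = Get-ItemProperty -Path $path
        $branch  = ConvertFrom-AdmxPolicyValue $p.L_UpdateBranch
        $version = ConvertFrom-AdmxPolicyValue $p.L_UpdateTargetVersion
        $branchValue = $branch.Data['L_UpdateBranchID']
        $found += [pscustomobject]@{
            ProviderId    = $id
            BranchState   = $branch.State
            BranchValue   = $branchValue
            BranchName    = Get-MapValue $BranchNames $branchValue
            TargetVersion = $version.Data['L_UpdateTargetVersionID']
        }
    }
    return $found
}

# Office side: this key only changes after the Office Automatic Updates 2.0 task runs.
function Get-OfficeClickToRunConfig {
    $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    [pscustomobject]@{ UpdateChannel = $cfg.UpdateChannel; CDNBaseUrl = $cfg.CDNBaseUrl }
}

function Test-OfficeUpdatePolicyApplied {
    $policy   = @(Get-IntuneOfficeUpdatePolicy) | Select-Object -First 1
    $office   = Get-OfficeClickToRunConfig
    $expected = Get-MapValue $BranchCdnUrl $policy.BranchValue
    $applied  = $null                      # unknown when the branch value has no URL in the table
    if ($expected) { $applied = ($office.UpdateChannel -eq $expected) }
    [pscustomobject]@{
        PolicyReceived = ($null -ne $policy -and $policy.BranchState -eq 'Enabled')
        PolicyChannel  = $policy.BranchName
        TargetVersion  = $policy.TargetVersion
        OfficeChannel  = $office.UpdateChannel
        ChannelApplied = $applied          # $false here usually means the task has not run yet
    }
}

Test-OfficeUpdatePolicyApplied | Format-List
```

PolicyReceived true with ChannelApplied false is the state the article describes next: Intune has delivered the setting, but Office keeps the old channel until Office Automatic Updates 2.0 runs.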

Force Office automatic updates to run


To test your policy, you can force the policy settings on the device. The following steps
update the registry. As always, be careful when updating the registry.

1. Clear the registry key:

a. Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Updates.
b. Double-select the UpdateDetectionLastRunTime key, delete the value data > OK.

2. Run the Office Automatic Updates task:

a. Open the Task Scheduler app on the device.

b. Expand Task Scheduler Library > Microsoft > Office.

c. Select Office Automatic Updates 2.0 > Run:


Wait for the task to finish, which can take several minutes.

3. In the Registry Editor app, go to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration. Check the UpdateChannel value.

It should be updated with the value set in the policy. In our example, the value
should be set to http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114.

At this point, the Office update channel is successfully changed on the device. You can
open a Microsoft 365 app for a user that receives this update to check status.
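The same three steps as a script, an added example that is not from this article or from Intune: it assumes the Updates and Configuration key paths given above and the Office Automatic Updates 2.0 task under Task Scheduler Library > Microsoft > Office, and uses the ScheduledTasks cmdlets (Start-ScheduledTask, Get-ScheduledTask, Get-ScheduledTaskInfo).

```powershell
# Added example (not from the Intune docs): script form of the "Force Office automatic
# updates to run" steps above. It clears UpdateDetectionLastRunTime, runs the
# Office Automatic Updates 2.0 scheduled task, waits for it, and reads UpdateChannel back.
# Run it elevated on the test device; it edits the registry.
function Invoke-OfficeUpdateDetection([int] $TimeoutSeconds = 600) {
    $updatesKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Updates'
    $configKey  = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $taskPath   = '\Microsoft\Office\'
    $taskName   = 'Office Automatic Updates 2.0'

    $before = (Get-ItemProperty -Path $configKey -ErrorAction SilentlyContinue).UpdateChannel

    # Step 1: clear the value data (the value itself stays), same as emptying it in regedit.
    $hasValue = Get-ItemProperty -Path $updatesKey -Name UpdateDetectionLastRunTime -ErrorAction SilentlyContinue
    if ($hasValue) { Clear-ItemProperty -Path $updatesKey -Name UpdateDetectionLastRunTime }

    # Step 2: run the task and poll until it leaves the Running state or we time out.
    Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $state = (Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName).State
    } while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

    # Step 3: read UpdateChannel again; it should now be the CDN URL for the policy channel.
    $after = (Get-ItemProperty -Path $configKey -ErrorAction SilentlyContinue).UpdateChannel
    [pscustomobject]@{
        TaskState      = $state
        LastTaskResult = (Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName $taskName).LastTaskResult
        ChannelBefore  = $before
        ChannelAfter   = $after
        ChannelChanged = ($before -ne $after)
    }
}

Invoke-OfficeUpdateDetection | Format-List
```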

Force the Office synchronization to update account information
If you want to do more, you can force Office to get the latest version update. The
following steps should only be done as a confirmation, or if you need the devices to get
the latest version update from that channel quickly. Otherwise, let Office do its job, and
update automatically.

Step 1: Force the Office version to update


1. Confirm the Office version supports the update channel you're choosing. Update
history for Microsoft 365 Apps lists the build numbers that support the different
update channels.

2. In your Intune administrative template, go to the Target Version setting, and enter
the version you want.

Your Target version setting looks similar to the following setting:

Important

Be sure to assign the policy.

If you change an existing policy, your changes affect all assigned users.
If you're testing this feature, it's recommended to create a test policy, and
assign the policy to a test group of users.

Step 2: Check the Office version


Consider using the following steps to test your policy before deploying the policy to all
users:

1. In the Registry Editor app, go to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\<Provider ID>\default\Device\office16~Policy~L_MicrosoftOfficemachine~L_Updates.

2. Look at the L_UpdateTargetVersion value. Once the policy applies, the value is set
to the version you entered, such as <enabled /><data id="L_UpdateTargetVersionID" value="16.0.10730.20344" />.

At this point, the Intune policy is successfully applied to the device.

3. Next, you can force Office to update. Open an Office app, such as Excel. Choose to
update now (possibly in the Account menu).

The update takes several minutes. You can confirm Office is trying to get the
version you enter:

a. On the device, go to C:\Program Files (x86)\Microsoft Office\Updates\Detection\Version.

b. Open the VersionDescriptor.xml file, and go to the <Version> section. The
available version should be the same version you entered in the Intune policy,
such as:

4. After the update is installed, the Office app should show the new version (for
example, on the Account menu).

Next steps
Update channel values for Microsoft 365 clients

Overview of the Office cloud policy service for Microsoft 365 Apps

Use Windows 10/11 templates to configure group policy settings (ADMX templates) in Microsoft Intune

Configure Microsoft Edge policy settings in Microsoft Intune
Article • 02/22/2023

Using Administrative Templates in Microsoft Intune, you can create and manage
Microsoft Edge policy settings on your Windows client devices. Administrative
Templates use the ADMX templates for Microsoft Edge.

You can configure specific Microsoft Edge settings, such as adding download
restrictions, using autofill, showing the favorites bar, and more. These settings are
created in an Intune policy, and then deployed to Windows client devices in your
organization.

This article applies to:

Windows 11

Windows 10

Microsoft Edge version 77 and newer

For Microsoft Edge version 45 and earlier, see Microsoft Edge Browser device
restrictions.

Note

Additional ADMX settings for Edge 96 and Edge updater have been added to
Administrative Templates. This includes support for "Target Channel override" which
allows customers to opt into the Extended Stable release cycle option at any
point using Group Policy or through Intune.

When you use Intune to manage and enforce policies, it's similar to using Active
Directory group policy, or configuring local Group Policy Object (GPO) settings on user
devices. But, Intune is 100% cloud.

This article shows you how to configure Microsoft Edge policy settings using
administrative templates in Microsoft Intune.

Tip

For information on adding the Microsoft Edge version 77+ app on Windows
client, see Add Edge app on Windows client devices.
For information on adding and configuring Microsoft Edge version 77+ app
on macOS, see Add Edge app, and Configure Edge app using plist.
For a list of the Microsoft Edge updates, including new policies, see the
Release notes for Microsoft Edge.

Prerequisites
Windows 11

Windows 10 with the following minimum system requirements:

Windows 10, version 1909
Windows 10, version 1903 with KB4512941 installed
Windows 10, version 1809 with KB4512534 installed
Windows 10, version 1803 with KB4512509 installed
Windows 10, version 1709 with KB4516071 installed

Create a policy for Microsoft Edge


1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.

Profile: Select Templates > Administrative Templates.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is ADMX:
Configure Edge on Windows 10/11 devices.
Description: Enter a description for the profile. This setting is optional, but
recommended.

Your properties look similar to the following properties:

6. Select Next.

7. In Configuration settings, the Microsoft Edge settings are available in Computer
configuration and User configuration. Microsoft Edge is shown on the right pane:

Computer configuration: Settings apply to the computer, even if no one is signed in.
User configuration: Settings apply to all users signed in to the device.

8. Select Computer Configuration > Microsoft Edge > Allow download restrictions.
The policy description and values are shown:

Note

See Microsoft Edge – Policies and Microsoft Edge – Update policies for the
list of the available settings.

9. Close the policy description. Use search to find a specific setting you want to
configure. For example, search for "home page":

10. Select Configure the home page URL > Enabled, and set its value to
https://www.bing.com:

11. Select OK. The State now shows Enabled:

12. Select Next. In Scope tags, select Next.

Scope tags are optional, and this example doesn't use them. To learn more about
scope tags, and what they do, see Use role-based access control (RBAC) and scope
tags for distributed IT.

13. In Assignments, select Next.

Assignments are optional, and this example doesn't use them. In production, select
Add groups. Select an Azure Active Directory (Azure AD) group that includes users
or devices that should receive this policy. For information and guidance on
assigning policies, see Assign user and device profiles in Intune.

14. In Review + create, see the summary of your changes. Select Create.

When you create the profile, your policy is automatically assigned to the users or
groups you chose. If you didn't choose any users or groups, then your policy is
created, but it's not deployed.

Your new Microsoft Edge policy is shown in the list:

For more information about ADMX administrative templates, see:

Use Windows 10/11 templates to configure group policy settings in Microsoft Intune.
Tutorial: Use the cloud to configure group policy on Windows client devices with
ADMX templates and Microsoft Intune

Next steps
Microsoft Edge Enterprise landing page
Manage web access by using Microsoft Edge with Microsoft Intune
Use Windows 10/11 templates to configure group policy settings in Microsoft
Intune
Deploy Microsoft Edge using Microsoft Intune

Restrict USB devices and allow specific USB devices using Administrative Templates in Microsoft Intune
Article • 02/22/2023

Many organizations want to block specific types of USB devices, such as USB flash drives
or cameras. You may also want to allow specific USB devices, such as a keyboard or
mouse.

You can use Administrative Templates (ADMX) templates to configure these settings in a
policy, and then deploy this policy to your Windows devices. For more information on
Administrative Templates, and what they are, see Use Windows 10/11 templates to
configure group policy settings in Microsoft Intune.

This article shows you how to create an ADMX policy with USB settings, and use a log
file to troubleshoot devices that shouldn't be blocked.

Applies to:

Windows 11
Windows 10

Create the profile


1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.

Profile type: Select Templates > Administrative Templates.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. For example, enter Restrict
USB devices.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, configure the following settings:

Prevent installation of devices not described by other policy settings: Select
Enabled > OK:

Allow installation of devices using drivers that match these device setup
classes: Select Enabled. Then, add the class GUID of the device classes you
want to allow.

In the following example, the Keyboard, Mouse, and Multimedia classes are
allowed:

Select OK.

Allow installation of devices that match any of these Device IDs: Select
Enabled. Then, add the device/hardware IDs for devices you want to allow:
To get the device/hardware ID, you can use Device Manager, find the device,
and look at the properties. For the specific steps, see find the hardware ID on
a Windows device.

There's also some helpful device ID information at Microsoft Defender for
Endpoint Device Control Device Installation: Deploying and managing policy
via Intune.

Select OK.

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

Select Next.

10. In Assignments, select the device groups that will receive the profile. Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved and the profile is assigned.

Verify on Windows devices


After the device configuration profile is deployed to your targeted devices, you can
confirm that it works correctly.

If a USB device is blocked from installing, then you see a message similar to the
following message:

The installation of this device is forbidden by system policy. Contact your system
administrator.

In the following example, the iPad is blocked because its device ID isn't in the allowed
device ID list:

A device is blocked but should be allowed


Some USB devices have multiple GUIDs, and it's common to miss some GUIDs in your
policy settings. As a result, a USB device that's allowed in your settings, might be
blocked on the device.

In the following example, in the Allow installation of devices using drivers that match
these device setup classes setting, the Multimedia class GUID is entered, and the
camera is blocked:

Resolution:

To find the GUID of your device, use the following steps:

1. On the device, open the %windir%\inf\setupapi.dev.log file.

2. In the file:

a. Search for Restricted installation of devices not described by policy.

b. In this section, find the Class GUID of device changed to: {GUID} text. This
{GUID} needs to be added to your policy.

In the following example, you see the Class GUID of device changed to:
{36fc9e60-c465-11cf-8056-444553540000} text:

log

>>> [Device Install (Hardware initiated) - USB\VID_046D&PID_C534\5&bd89ed7&0&2]
>>> Section start 2020/01/20 17:26:03.547
dvi: {Build Driver List} 17:26:03.597
dvi: {Build Driver List - exit(0x00000000)} 17:26:03.645
dvi: {DIF_SELECTBESTCOMPATDRV} 17:26:03.647
dvi: Default installer: Enter 17:26:03.647
dvi: {Select Best Driver}
dvi: Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}.
dvi: Selected Driver:
dvi: Description - USB Composite Device
dvi: InfFile - c:\windows\system32\driverstore\filerepository\usb.inf_amd64_9646056539e4be37\usb.inf
dvi: Section - Composite.Dev
dvi: {Select Best Driver - exit(0x00000000)}
dvi: Default installer: Exit
dvi: {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 17:26:03.664
dvi: {Core Device Install} 17:26:03.666
dvi: {Install Device - USB\VID_046D&PID_C534\5&BD89ED7&0&2} 17:26:03.667
dvi: Device Status: 0x01806400, Problem: 0x1 (0xc0000361)
dvi: Parent device: USB\ROOT_HUB30\4&278ca476&0&0
!!! pol: The device is explicitly restricted by the following policy settings:
!!! pol: [-] Restricted installation of devices not described by policy
!!! pol: {Device installation policy check [USB\VID_046D&PID_C534\5&BD89ED7&0&2] exit(0xe0000248)}
!!! dvi: Installation of device is blocked by policy!
! dvi: Queueing up error report for device install failure.
dvi: {Install Device - exit(0xe0000248)} 17:26:03.692
dvi: {Core Device Install - exit(0xe0000248)} 17:26:03.694
<<< Section end 2020/01/20 17:26:03.697
<<< [Exit status: FAILURE(0xe0000248)]

3. In the device configuration profile, go to the Allow installation of devices using
drivers that match these device setup classes setting, and add the class GUID
from the log file.

4. If the issue continues, repeat these steps to add the other class GUIDs until the
device is successfully installed.

In our example, the following class GUIDs are added to the device profile:

USB Bus devices (hubs and host controllers): {36fc9e60-c465-11cf-8056-444553540000}
Human Interface Devices (HID): {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
Camera devices: {ca3e7ab9-b4c3-4ae6-8251-579ef933890f}
Imaging devices: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
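To avoid repeating steps 1 to 4 by hand for every missed GUID, the following PowerShell (an added example, not from this article or from Intune) parses setupapi.dev.log and lists, per blocked device, every class GUID that appears in its install sections; the log text embedded below is constructed from the excerpt above plus two made-up devices.

```powershell
# Added example (not from the Intune docs): read %windir%\inf\setupapi.dev.log and, for
# every device-install section that hit "Restricted installation of devices not described
# by policy", collect the class GUIDs the device passed through, so all of them can be
# added to "Allow installation of devices using drivers that match these device setup classes".
function Get-BlockedDeviceClassGuids {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string] $PolicyText = 'Restricted installation of devices not described by policy'
    )
    $byDevice = [ordered]@{}   # device ID -> merged result across all of its sections
    $section  = $null
    foreach ($line in $LogLines) {
        # ">>>  [Device Install (Hardware initiated) - USB\VID_...]" opens a section.
        if ($line -match '^>>>\s+\[Device Install \([^)]*\) - (?<id>.+)\]\s*$') {
            $section = [pscustomobject]@{
                DeviceId   = $Matches['id']
                ClassGuids = New-Object System.Collections.Generic.List[string]
                Restricted = $false
            }
            continue
        }
        if ($null -eq $section) { continue }
        if ($line -match 'Class GUID of device changed to:\s*(\{[0-9a-fA-F-]{36}\})') {
            $g = $Matches[1].ToLowerInvariant()
            if (-not $section.ClassGuids.Contains($g)) { $section.ClassGuids.Add($g) }
        }
        elseif ($line.Contains($PolicyText)) {
            $section.Restricted = $true
        }
        elseif ($line -match '^<<<\s+\[Exit status:\s*(?<status>[^\]]+)\]') {
            # Section closed: keep it only if policy blocked the install.
            if ($section.Restricted) {
                $key = $section.DeviceId.ToUpperInvariant()
                if (-not $byDevice.Contains($key)) {
                    $byDevice[$key] = [pscustomobject]@{
                        DeviceId   = $section.DeviceId
                        ClassGuids = New-Object System.Collections.Generic.List[string]
                        ExitStatus = $Matches['status']
                    }
                }
                foreach ($g in $section.ClassGuids) {
                    if (-not $byDevice[$key].ClassGuids.Contains($g)) { $byDevice[$key].ClassGuids.Add($g) }
                }
            }
            $section = $null
        }
    }
    return @($byDevice.Values)
}

# Constructed sample: a condensed copy of the article's excerpt (USB composite device),
# plus a made-up camera that was also blocked and a made-up keyboard that installed fine.
$sampleLog = @'
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C534\5&bd89ed7&0&2]
>>>  Section start 2020/01/20 17:26:03.547
     dvi: {Build Driver List} 17:26:03.597
     dvi:                Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}.
     dvi:                     Description - USB Composite Device
!!!  pol:           The device is explicitly restricted by the following policy settings:
!!!  pol:           [-] Restricted installation of devices not described by policy
!!!  dvi:           Installation of device is blocked by policy!
<<<  Section end 2020/01/20 17:26:03.697
<<<  [Exit status: FAILURE(0xe0000248)]
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0001\CONSTRUCTED-CAMERA]
>>>  Section start 2020/01/20 17:27:10.000
     dvi:                Class GUID of device changed to: {CA3E7AB9-B4C3-4AE6-8251-579EF933890F}.
!!!  pol:           [-] Restricted installation of devices not described by policy
<<<  Section end 2020/01/20 17:27:10.250
<<<  [Exit status: FAILURE(0xe0000248)]
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0002\CONSTRUCTED-KEYBOARD]
>>>  Section start 2020/01/20 17:28:00.000
     dvi:                Class GUID of device changed to: {4d36e96b-e325-11ce-bfc1-08002be10318}.
<<<  Section end 2020/01/20 17:28:00.300
<<<  [Exit status: SUCCESS(0x00000000)]
'@

# On a device: $lines = Get-Content "$env:windir\inf\setupapi.dev.log"
$lines = $sampleLog -split "`r?`n"
foreach ($dev in Get-BlockedDeviceClassGuids -LogLines $lines) {
    "{0}  ({1})" -f $dev.DeviceId, $dev.ExitStatus
    foreach ($g in $dev.ClassGuids) { "    add class GUID $g" }
}
```

The keyboard section is ignored because its install succeeded; only GUIDs from sections that ended in a policy block are reported, which is exactly the set the profile is missing.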

Common class GUIDs to allow USB devices


Keyboard and mouse: Add the following GUIDs to the device profile:
Keyboard: {4d36e96b-e325-11ce-bfc1-08002be10318}
Mouse: {4d36e96f-e325-11ce-bfc1-08002be10318}

Cameras, headphones and microphones: Add the following GUIDs to the device
profile:
USB Bus devices (hubs and host controllers): {36fc9e60-c465-11cf-8056-444553540000}
Human Interface Devices (HID): {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
Multimedia devices: {4d36e96c-e325-11ce-bfc1-08002be10318}
Camera devices: {ca3e7ab9-b4c3-4ae6-8251-579ef933890f}
Imaging devices: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
System devices: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Biometric devices: {53d29ef7-377c-4d14-864b-eb3a85769359}
Generic software devices: {62f9c741-b25a-46ce-b54c-9bccce08b6f2}

3.5 mm headphones: Add the following GUIDs to the device profile:
Multimedia devices: {4d36e96c-e325-11ce-bfc1-08002be10318}
Audio endpoint: {c166523c-fe0c-4a94-a586-f1a80cfbbf3e}

7 Note

The actual GUIDs may be different for your specific devices.

Next steps
Learn more about ADMX templates in Microsoft Intune
Use Device Firmware Configuration Interface (DFCI) profiles on Windows devices in Microsoft Intune
Article • 03/02/2023

When you use Intune to manage Autopilot devices, you can manage UEFI (BIOS) settings after they're enrolled using the Device Firmware Configuration Interface (DFCI). For an overview of benefits, scenarios, and prerequisites, see Overview of DFCI.

DFCI enables Windows to pass management commands from Intune to UEFI (Unified Extensible Firmware Interface).

In Intune, use this feature to control BIOS settings. Settings enforced in firmware are typically more resilient to malicious tampering than settings enforced in the OS, and DFCI limits end users' control over the BIOS, which is what you want when a device is compromised.

This feature applies to:

Windows 11 on supported UEFI
Windows 10 RS5 (1809) and later on supported UEFI

For example, you use Windows client devices in a secure environment, and want to disable the camera. You can disable the camera at the firmware layer, so it doesn't matter what the end user does. Reinstalling the OS or wiping the computer won't turn the camera back on. In another example, lock down the boot options to prevent users from booting another OS, or an older version of Windows that doesn't have the same security features.

Because the settings are enforced by the firmware, reinstalling an older Windows version, installing a separate OS, or formatting the hard drive doesn't override DFCI management. Hardware that's disabled at the firmware layer isn't exposed to the OS at all, so malware can't use it, even from elevated OS processes. DFCI's trust chain uses public key cryptography, and doesn't depend on local UEFI (BIOS) password security. This layer of security blocks local users from changing managed settings from the device's UEFI (BIOS) menus.

Before you begin

The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update you install. Work with your device vendors to determine the manufacturers that support DFCI, or the firmware version needed to use DFCI.

The device must be registered for Windows Autopilot by a Microsoft Cloud Solution Provider (CSP) partner, or registered directly by the OEM.

Devices manually registered for Autopilot, such as devices imported from a csv file, aren't allowed to use DFCI. By design, DFCI management requires external attestation of the device's commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot.

Once your device is registered, its serial number is shown in the list of Windows Autopilot devices.

For more information on Autopilot, including any requirements, see Windows Autopilot registration overview.

Create your Azure AD security groups

Autopilot deployment profiles are assigned to Azure AD security groups. Be sure to create groups that include your DFCI-supported devices. For DFCI devices, most organizations create device groups instead of user groups. Consider the following scenarios:

Human Resources (HR) has different Windows devices. For security reasons, you don't want anyone in this group to use the camera on the devices. In this scenario, you can create an HR security users group so the policy applies to users in the HR group, whatever the device type.

On the manufacturing floor, you have 10 devices. On all devices, you want to prevent booting the devices from a USB device. In this scenario, you can create a security devices group, and add these 10 devices to the group.

For more information on creating groups in Intune, see Add groups to organize users and devices.

Create the profiles

To use DFCI, create the following profiles, and assign them to your group.

Step 1: Create an Autopilot deployment profile

This profile sets up and pre-configures new devices. The following article lists the steps to create the profile:

Autopilot deployment profile

Step 2: Create an Enrollment Status Page profile

This profile makes sure that devices are verified and enabled for DFCI during Windows setup. It's highly recommended to use this profile to block device use until all apps and profiles are installed.

The following article lists the steps to create the profile:

Enrollment Status Page profile

Step 3: Create the DFCI profile in Intune

This profile includes the DFCI settings you configure.

Tip

Configuring and assigning DFCI profiles can lock the device beyond repair. So, pay attention to the values you configure.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose Windows 10 and later.
Profile: Select Templates > Device Firmware Configuration Interface.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your policies so you can easily identify them later. For example, a good profile name is Windows: Configure DFCI settings on Windows devices.
Description: Enter a description for the profile. This setting is optional, but recommended.

Select Next.

6. In Configuration settings, configure the settings you want to control in the UEFI firmware layer. For a list of all the settings, and what they do, go to:

Windows DFCI settings

Select Next.

7. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.

Select Next.

8. In Assignments, select the users or user group that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.

Select Next.

9. In Review + create, review your settings and select Create. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time each device checks in, the policy is applied.

Assign the profiles, and reboot

Be sure to assign the profiles to your Azure AD security groups that include your DFCI devices. The profile can be assigned when it's created, or after.

When the device runs through Windows Autopilot, during the Enrollment Status Page, DFCI may force a reboot. This first reboot enrolls UEFI to Intune.

If you want to confirm the device is enrolled, you can reboot the device again, but it's not required. Use the device manufacturer's instructions to open the UEFI menu, and confirm UEFI is now managed.

The next time the device syncs with Intune, Windows receives the DFCI settings. Reboot the device. This third reboot is required for UEFI to receive the DFCI settings from Windows.

Update existing DFCI settings

If you want to change existing DFCI settings on devices that are in use, you can. In your existing DFCI profile, change the settings, and save your changes. Since the profile is already assigned, the new DFCI settings take effect when:

1. The device checks in with the Intune service to review profile updates. Check-ins happen at various times. For more information, see when devices get a policy, profile, or app updates.
2. The device is rebooted, remotely or locally, to enforce the new settings.

You can also signal devices to check in. After a successful sync, signal a reboot.

Note

Deleting the DFCI profile, or removing a device from the group assigned to the profile, doesn't remove DFCI settings or re-enable the UEFI (BIOS) menus. If you want to stop using DFCI, then update your existing DFCI profile. For more information on the steps, see retire the device in this article.

Conflicts

When you create the DFCI policy, you configure the Windows DFCI settings you want to manage.

Some settings are in a logical category, like Microphones and Speakers. There are also granular settings, like Microphones. If these settings conflict, then the following happens:

In the first sync attempt, the granular setting is applied (Microphones) and the category setting is non-compliant (Microphones and Speakers).

With every sync with the Intune service after the first sync, the following behavior happens in a loop:
Intune applies the category setting (Microphones and Speakers) since it's not compliant. The granular setting (Microphones) becomes non-compliant.
Intune applies the granular setting (Microphones) since it's not compliant. The category setting (Microphones and Speakers) becomes non-compliant.

To avoid this looping behavior, configure either the category setting or the granular settings, not both.

For example, you want to only allow Wi-Fi radios. In this scenario, you:

Leave the category Radios (Bluetooth, Wi-Fi, NFC, etc.) setting at Not configured.
For the Wi-Fi radio setting, set it to Enable.
Set all the other granular radio settings to Disabled.

Reuse, retire, or recover the device

Reuse

If you plan to reset Windows to repurpose the device, then wipe the device. Do not remove the Autopilot device record.

After wiping the device, move the device to the group assigned the new DFCI and Autopilot profiles. Be sure to reboot the device to rerun Windows setup.

Retire

When you're ready to retire the device and release it from management, update the DFCI profile to the UEFI (BIOS) settings you want at the exit state. Typically, you want all settings enabled. For example:

1. Open your DFCI profile (Devices > Configuration profiles).
2. Change the Allow local user to change UEFI (BIOS) settings setting to Only not configured settings.
3. Set all other settings to Not configured.
4. Save your settings.

These steps unlock the device's UEFI (BIOS) menus. The values remain the same as the profile (Enabled or Disabled), and aren't set back to any default OS values.

You're now ready to wipe the device. Once the device is wiped, delete the Autopilot record. Deleting the record prevents the device from automatically re-enrolling when it reboots.

Tip

To remove Surface devices from DFCI enrollment, see removing DFCI management.

Recover

If you wipe a device, and delete the Autopilot record before unlocking the UEFI (BIOS) menus, then the menus remain locked. Intune can't send profile updates to unlock it.

To unlock the device, open the UEFI (BIOS) menu, and refresh management from network. Recovery unlocks the menus, but leaves all UEFI (BIOS) settings set to the values in the previous Intune DFCI profile.

End user impact

When the DFCI policy is applied, local users can't change settings configured by DFCI, even if the UEFI (BIOS) menu is password protected. Depending on the settings you configure, end users may receive errors that hardware components aren't found, or can't be diagnosed. Be sure to provide documentation to end users explaining the options you've disabled.

Next steps

After the profile is assigned, monitor its status.

Configure Domain Join settings for hybrid Azure AD joined devices in Microsoft Intune
Article • 05/17/2023

Many environments use on-premises Active Directory (AD). When AD domain-joined devices are also joined to Azure AD, they're called hybrid Azure AD joined devices. Using Windows Autopilot, you can enroll hybrid Azure AD joined devices in Intune. To enroll, you also need a Domain Join configuration profile.

A Domain Join configuration profile includes on-premises Active Directory domain information. When devices are being provisioned (typically while offline), this profile delivers the AD domain details so devices know which on-premises domain to join. If you don't create a domain join profile, these devices might fail to deploy.

This feature applies to:

Windows 11
Windows 10
Hybrid Azure AD joined devices
Hybrid deployment with Autopilot + Intune

This article shows you how to create a domain join profile for a hybrid Autopilot deployment. You can also see the available settings.

Create the profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.
Profile: Select Templates > Domain Join.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is Windows 10/11: Windows Autopilot domain join.
Description: Enter a description for the policy. This setting is optional, but recommended. For example, enter Windows 10/11: Domain join profile that includes on-premises domain information to enroll hybrid AD joined devices with Windows Autopilot.

6. Select Next.

7. In Configuration settings, enter the following properties:

Computer name prefix: Enter a prefix for the device name. Computer names are limited to 15 characters in total. After the prefix, the remaining characters are randomly generated.

Domain name: Enter the Fully Qualified Domain Name (FQDN) the devices are to join. For example, enter americas.corp.contoso.com.

Organizational unit (optional): Enter the full path (distinguished name) of the organizational unit (OU) in which the computer accounts are to be created. For example, enter OU=Mine,DC=Contoso,DC=com. Don't enter quotation marks. To use the well-known computer object container (CN=Computers,DC=Contoso,DC=com), leave this property blank.

For more information and advice on this setting, go to Deploy hybrid Azure AD-joined devices.

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, go to Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the device groups that will receive your profile. For more information about assigning profiles, go to Assign user and device profiles.

If you need to join devices to different domains or OUs, create different device groups.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

It's now ready for you to deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot.
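A wrong prefix length, a NetBIOS-style domain name, or an OU that doesn't exist only surfaces as a failed deployment on the device, so it pays to validate the three values before assigning the profile. The following PowerShell function is an added example, not part of the Intune documentation or of any Microsoft tool: it applies the constraints described in step 7 (15-character computer name, FQDN, unquoted distinguished name) and, optionally, confirms from the current network that the domain's domain controller locator records resolve and that the OU exists. The directory checks assume the RSAT ActiveDirectory module is installed and a domain controller is reachable; the function name and the rule that the prefix must be shorter than 15 characters (to leave at least one random character) are this example's own.

```powershell
# Added example (not from the Intune documentation): pre-flight check of the values
# entered in a Domain Join configuration profile.

function Test-DomainJoinProfileValues {
    param(
        [Parameter(Mandatory)] [string] $ComputerNamePrefix,
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $OrganizationalUnit,
        [switch] $SkipDirectoryChecks    # syntax-only run, e.g. from a workstation without RSAT
    )
    $problems = @()

    # NetBIOS computer names are at most 15 characters and Intune fills the rest of
    # the name with random characters, so the prefix must leave room for them.
    if ($ComputerNamePrefix.Length -ge 15) {
        $problems += "Prefix is $($ComputerNamePrefix.Length) characters; it must be shorter than 15 to leave room for the random suffix."
    }
    if ($ComputerNamePrefix -notmatch '^[A-Za-z0-9-]+$') {
        $problems += "Prefix '$ComputerNamePrefix' contains characters that aren't valid in a computer name (use letters, digits and hyphens)."
    }

    # The profile wants the FQDN, not the NetBIOS domain name such as CONTOSO.
    if ($DomainName -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        $problems += "Domain name '$DomainName' isn't a fully qualified domain name."
    }

    if ($OrganizationalUnit) {
        if ($OrganizationalUnit -match '^["'']|["'']$') {
            $problems += 'Remove the quotation marks around the organizational unit.'
        }
        if ($OrganizationalUnit -notmatch '^OU=.+,DC=[^,]+(,DC=[^,]+)*$') {
            $problems += "Organizational unit '$OrganizationalUnit' isn't a distinguished name such as OU=Mine,DC=Contoso,DC=com."
        }
        else {
            # The computer account is created in the domain being joined, so the OU's
            # DC components must spell that same domain.
            $dcParts = ($OrganizationalUnit -split ',' | Where-Object { $_ -like 'DC=*' } |
                        ForEach-Object { $_.Substring(3) }) -join '.'
            if ($dcParts -ne $DomainName) {   # -ne is case-insensitive in PowerShell
                $problems += "The OU's DC components ($dcParts) don't match the domain name ($DomainName)."
            }
        }
    }

    if (-not $SkipDirectoryChecks) {
        # DC locator SRV record: if it doesn't resolve where the devices provision, the join fails.
        try   { $null = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop }
        catch { $problems += "No domain controller SRV records for $DomainName from this network: $($_.Exception.Message)" }

        if ($OrganizationalUnit) {
            # The provisioning device can't create the OU; it has to exist already.
            try   { $null = Get-ADOrganizationalUnit -Identity $OrganizationalUnit -Server $DomainName -ErrorAction Stop }
            catch { $problems += "OU '$OrganizationalUnit' wasn't found in $DomainName : $($_.Exception.Message)" }
        }
    }

    [pscustomobject]@{
        Valid       = ($problems.Count -eq 0)
        # Shape of a generated name: prefix plus random characters up to 15 in total
        ExampleName = $ComputerNamePrefix + ('X' * [Math]::Max(0, 15 - $ComputerNamePrefix.Length))
        Problems    = $problems
    }
}

# Syntax-only run with the article's example values (no domain reachable here)
Test-DomainJoinProfileValues -ComputerNamePrefix 'AMER-' -DomainName 'americas.corp.contoso.com' `
    -OrganizationalUnit 'OU=Mine,DC=Contoso,DC=com' -SkipDirectoryChecks | Format-List
```

Run with the article's two example values together, the check reports Valid = False, because OU=Mine,DC=Contoso,DC=com lives in contoso.com while the join target is americas.corp.contoso.com; an OU for that profile has to end in DC=americas,DC=corp,DC=contoso,DC=com. Drop -SkipDirectoryChecks on a domain-joined admin workstation to also confirm the SRV records and the OU before you assign the profile.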

Next steps
After the profile is assigned, monitor its status.

Deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot.
Delivery Optimization settings in Microsoft Intune
Article • 08/08/2023

Applies to:

Windows 10
Windows 11

With Intune, use Delivery Optimization settings for your Windows devices to reduce bandwidth consumption when those devices download applications and updates. Configure Delivery Optimization as part of your device configuration profiles.

This article describes how to configure Delivery Optimization settings as part of a device configuration profile. After you create a profile, you then assign or deploy that profile to your Windows devices.

To view a list of the Delivery Optimization settings that Intune supports, see Delivery Optimization settings for Intune.

To learn about Delivery Optimization on Windows 10 and Windows 11, see Delivery Optimization updates in the Windows documentation.

Create the profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.
Profile: Select Templates > Delivery optimization.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the new profile.
Description: Enter a description for the profile. This setting is optional, but recommended.

6. Select Next.

7. On the Configuration settings page, define how you want updates and apps to download. For information about available settings, see Delivery Optimization settings for Intune.

When you're done configuring settings, select Next.

8. On the Scope (Tags) page, select Select scope tags to open the Select tags pane to assign scope tags to the profile.

Select Next to continue.

9. On the Assignments page, select the groups that receive this profile. For more information on assigning profiles, see Assign user and device profiles.

Select Next.

10. On the Applicability Rules page, use the Rule, Property, and Value options to define how this profile applies within assigned groups.

11. On the Review + create page, when you're done, choose Create. The profile is created and is shown in the list.

The next time each device checks in, the policy is applied.

Next steps

After you assign the profile, monitor its status.

View the Delivery Optimization settings for Intune.


Upgrade Windows 10/11 editions or switch out of S mode on devices using Microsoft Intune
Article • 05/17/2023

As part of your mobile device management (MDM) solution, you may want to upgrade your Windows 10/11 devices. For example, you want to upgrade your Windows 10 Professional devices to Windows 10 Enterprise. Or, you want the Windows 10 device to switch out of S mode.

Windows 10 S mode (opens another Microsoft web site) is designed for security and performance. You can use Intune to switch out of S mode. Switching out of S mode is one-way: once you switch out of S mode, you can't go back to Windows 10 S mode. See some commonly asked questions about S mode.

This feature applies to:

Windows 11
Windows 10
Windows 10 1809 and newer for S mode
Windows Holographic for Business

These features are available in Intune, and are configurable by the administrator. Intune uses "configuration profiles" to create and customize these settings for your organization's needs. After you add these features in a profile, you can then push or deploy the profile to Windows client devices in your organization. When you deploy the profile, Intune automatically upgrades the devices or switches out of S mode.

This article lists the supported upgrade paths, and shows you how to create the device configuration profile. You can also see all the available upgrade and S mode settings for Windows 10.

Note

If you remove the policy assignment later, the version of Windows on the device isn't reverted. The device continues to run normally.

Prerequisites

Before you upgrade devices, be sure you have the following prerequisites:

A valid product key to install the updated Windows version on all devices that you target with the policy (for Windows client Desktop editions). You can use either Multiple Activation Keys (MAK) or Key Management Service (KMS) keys.
For Windows 10 Holographic editions, you can use a Microsoft license file. The license file includes the licensing information to install the updated edition on all devices that you target with the policy.
The Windows client devices you assign the policy to are enrolled in Microsoft Intune.

Supported upgrade paths

The following table lists the supported upgrade paths for the Windows 10 edition upgrade profile.

Upgrade from                              Upgrade to
Windows 10/11 Pro                         Windows 10/11 Education
                                          Windows 10/11 Enterprise
                                          Windows 10/11 Pro Education
Windows 10/11 Pro N edition               Windows 10/11 Education N edition
                                          Windows 10/11 Enterprise N edition
                                          Windows 10/11 Pro Education N edition
Windows 10/11 Pro Education               Windows 10/11 Education
Windows 10/11 Pro Education N edition     Windows 10/11 Education N edition
Windows 10/11 Cloud                       Windows 10/11 Education
                                          Windows 10/11 Enterprise
                                          Windows 10/11 Pro
                                          Windows 10/11 Pro Education
Windows 10/11 Cloud N edition             Windows 10/11 Education N edition
                                          Windows 10/11 Enterprise N edition
                                          Windows 10/11 Pro N edition
                                          Windows 10/11 Pro Education N edition
Windows 10/11 Enterprise                  Windows 10/11 Education
Windows 10/11 Enterprise N edition        Windows 10/11 Education N edition
Windows 10/11 Core                        Windows 10/11 Education
                                          Windows 10/11 Enterprise
                                          Windows 10/11 Pro Education
Windows 10/11 Core N edition              Windows 10/11 Education N edition
                                          Windows 10/11 Enterprise N edition
                                          Windows 10/11 Pro Education N edition
Windows 10 Holographic                    Windows 10 Holographic for Business

Create the profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.
Profile: Select Templates > Edition upgrade and mode switch.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the new profile. For example, enter something like Windows 10/11 edition upgrade profile or Windows 10 switch off S mode.
Description: Enter a description for the profile. This setting is optional, but recommended.

6. Select Next.

7. In Configuration settings, enter the settings you want to configure. For a list of all settings, and what they do, go to:

Windows 10 upgrade and S mode
Windows Holographic for Business

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, go to Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or user group that will receive your profile. For more information on assigning profiles, go to Assign user and device profiles.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time each device checks in, the policy is applied.

Next steps

After the profile is assigned, monitor its status.

See the upgrade and S mode settings for Windows 10/11 and Windows Holographic for Business devices.
Add and use wired networks settings on your macOS and Windows devices in Microsoft Intune
Article • 05/24/2023

Microsoft Intune includes built-in settings to configure wired networks for your macOS and Windows devices. You can configure the network interface, accepted EAP types, enter server trust settings, and more.

Wired networks are used by many organizations to give network access to desktop computers and devices that must use a network cable.

These built-in settings can be deployed to devices in your organization using policy. When the policy is ready, it can be assigned to different users and groups. Once assigned, your users get access to your organization's wired network without configuring it themselves.

As part of your mobile device management (MDM) solution, use this feature to create 802.1x profiles to manage wired networks. Then, deploy these wired networks to your devices.

This feature applies to:

macOS
Windows 11
Windows 10

Example scenario

You have a wired network named Contoso wired network. You want to set up all macOS desktops to connect to this network. Here's the process:

1. In Intune, create a wired network profile that includes the settings that connect to the Contoso wired network.
2. Assign the profile to a group that includes all users' macOS desktop computers. For recommendations on using group types, go to User groups vs. device groups.
3. On their desktops, users find the Contoso wired network in the list of networks. They can then connect to the network, using the authentication method of your choosing.

This article lists the steps to create a wired network profile. It also includes links that describe the different settings.

Create the profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select macOS or Windows 10 and later.
Profile: Select Templates > Wired network.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is macOS: wired network policy.
Description: Enter a description for the profile. This setting is optional, but recommended.

6. Select Next.

7. In Configuration settings, configure the settings, including the Extensible Authentication Protocol (EAP) type. For a list of all settings, and what they do, go to:

macOS
Windows

8. Select Next.

9. In Assignments, select the user groups or device groups that will receive your profile. For more information on assigning profiles, go to Assign user and device profiles.

Select Next.

10. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Tip

If you use certificate-based authentication for your wired network profile, then deploy the wired network profile, certificate profile, and trusted root profile to the same groups. This deployment makes sure that each device has a client certificate to present and can verify that the authentication server's certificate chains to your certificate authority. For more information, go to configure certificates with Microsoft Intune.
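When the three profiles in the tip don't all land on a device, 802.1x fails on the client side and the symptom looks like a switch or RADIUS problem. The following PowerShell function is an added example, not part of the Intune documentation or of any Microsoft tool: run on a Windows device that should have received the profiles, it checks the pieces the wired profile depends on, in the order they fail: the Wired AutoConfig service, the trusted root in the machine Root store, a client-authentication certificate that is currently valid, has a private key and chains to that root, and a wired profile with 802.1x enabled. It assumes EAP-TLS with a device certificate in the machine store (pass -ClientCertStore Cert:\CurrentUser\My for user certificates); the thumbprint in the usage line is a placeholder, the parse of netsh output is best-effort, and the function names are this example's own.

```powershell
# Added example (not from the Intune documentation): verify on a Windows client that
# everything an 802.1x wired profile with certificate authentication needs is present.

function Get-CertEku {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # Returns the OIDs in the Enhanced Key Usage extension (nothing if the extension is absent)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

function Test-WiredDot1xPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $RootCaThumbprint,        # SHA-1 thumbprint of the CA in your trusted root profile
        [string] $ClientCertStore = 'Cert:\LocalMachine\My'       # device cert; Cert:\CurrentUser\My for user certs
    )
    $thumb = ($RootCaThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $clientAuthEku = '1.3.6.1.5.5.7.3.2'

    # 1. Wired AutoConfig (dot3svc) is the 802.1x supplicant for Ethernet; without it no wired profile applies.
    $svc = Get-Service -Name dot3svc -ErrorAction SilentlyContinue
    $svcRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # 2. The trusted root profile must have landed in the machine Root store, otherwise
    #    the authentication server's certificate can't be validated.
    $rootPresent = $null -ne (Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb })

    # 3. A client-authentication certificate that is valid now and has its private key.
    $now = Get-Date
    $candidates = @(Get-ChildItem -Path $ClientCertStore | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ((Get-CertEku -Certificate $_) -contains $clientAuthEku)
    })

    # 4. The certificate must chain to the expected root. Revocation of the client
    #    certificate is the RADIUS server's job, so the check stays offline here.
    $chosen = $null
    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if ($chain.Build($cert)) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            if ($root.Thumbprint -eq $thumb) { $chosen = $cert; break }
        }
    }
    $subject = $null; $expires = $null
    if ($null -ne $chosen) { $subject = $chosen.Subject; $expires = $chosen.NotAfter }

    # 5. A wired profile with 802.1x enabled is present (best-effort parse of netsh output).
    $profiles = ''
    try { $profiles = (& netsh lan show profiles 2>&1) | Out-String } catch { }
    $dot1xProfile = $profiles -match '802\.1x\s*:\s*Enabled'

    [pscustomobject]@{
        WiredAutoConfigRunning = $svcRunning
        RootCaTrusted          = $rootPresent
        ClientCertSubject      = $subject
        ClientCertExpires      = $expires
        WiredProfileWith8021X  = $dot1xProfile
        Ready                  = $svcRunning -and $rootPresent -and ($null -ne $chosen) -and $dot1xProfile
    }
}

# Placeholder thumbprint: replace it with the one shown on your trusted root profile's certificate
Test-WiredDot1xPrerequisites -RootCaThumbprint '0123456789ABCDEF0123456789ABCDEF01234567' | Format-List
```

Each False in the output points at the profile that didn't apply: RootCaTrusted at the trusted root profile, an empty ClientCertSubject at the certificate profile (or at a certificate whose EKU or chain doesn't match the CA you expect), WiredProfileWith8021X at the wired network profile itself. Check ClientCertExpires as well; a certificate that is about to expire passes today and fails on renewal day.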

Next steps
The profile is created, but may not be doing anything. Be sure to assign this profile, and
monitor its status.
Add iOS, iPadOS, or macOS device feature settings in Intune
Article • 04/03/2023

Intune includes many features and settings that help administrators control iOS, iPadOS, and macOS devices. For example, administrators can:

Allow users access to AirPrint printers in your network
Add apps and folders to the home screen, including adding new pages
Choose if and how app notifications are shown
Configure the lock screen to show a message or the asset tag, especially for shared devices
Give users a secure single sign-on experience to share credentials between apps
Filter web sites that use adult language and allow or block specific web sites

Intune uses "configuration profiles" to create and customize these settings for your organization's needs. After you add these features in a profile, you then push or deploy the profile to iOS/iPadOS and macOS devices in your organization.

This feature applies to:

iOS/iPadOS
macOS

This article describes the different features you can configure, and shows you how to create a device configuration profile. You can also see all the available settings for iOS/iPadOS and macOS devices.

Create the profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose your platform:
iOS/iPadOS
macOS

Profile: Select Device features. Or, select Templates > Device features.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is macOS: Configures login screen.
Description: Enter a description for the policy. This setting is optional, but recommended.

6. Select Next.

7. In Configuration settings, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings:

iOS/iPadOS
macOS

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

AirPrint

AirPrint is an Apple feature that lets devices print to AirPrint-capable printers over a wireless network, without installing printer drivers. In Intune, you can add AirPrint printer information to devices.

For a list of the settings you can configure in Intune, see AirPrint on iOS/iPadOS and AirPrint on macOS.

For more information on AirPrint, see About AirPrint on Apple's web site.

Applies to:

iOS 7.0 and newer
iPadOS 13.0 and newer
macOS 10.10 and newer

App notifications

Choose how apps on your iOS and iPadOS devices receive notifications. For example, send app notifications so they show in the notification center, show on the lock screen, or play a sound.

For a list of the settings you can configure in Intune, see App notifications on iOS/iPadOS.

For more information on this feature, see Notifications on Apple's web site.

Applies to:

iOS 9.3 and newer
iPadOS 13.0 and newer

Associated domains

Associated domains allow you to create a relationship between your domains, such as contoso.com, and your apps. This feature allows you to:

Share data and sign-in credentials between apps and websites in your organization.
Use app features that are based on your website, such as single sign-on app extension, universal links, and password autofill.

For example, create an associated domain to allow password autofill to recommend credentials, such as a password, for websites associated with your app.

For a list of the settings you can configure in Intune, see Associated domains on macOS.

For more information on this feature, see Setting Up an App's Associated Domains on Apple's web site.

Applies to:

macOS 10.15 and newer
Home screen layout

These settings configure the app layout and folders on the home screen and dock. You can also see in real time how most apps and their icons look. Specifically:

Use the Home screen settings to add apps and folders to the home screen on devices.
Use the Dock settings to add apps or folders to the dock on the screen. For example, show Safari and the Mail app on the device dock.

For a list of the settings you can configure in Intune, see Home screen layout on iOS/iPadOS.

Applies to:

iOS 9.3 and newer
iPadOS 13.0 and newer

Lock screen message

Use these settings to show a custom message or text on the sign in window and lock screen. For example, you can enter an "If lost, return to ..." message, and show asset tag information.

For a list of the settings you can configure in Intune, see Lock screen message settings on iOS/iPadOS.

For more information on Lock Screen Message, see LockScreenMessage on Apple's web site.

Applies to:

iOS 9.3 and newer
iPadOS 13.0 and newer

Login items

Use this feature to choose the apps, custom apps, files, and folders that open when users sign in to the devices.

For a list of the settings you can configure in Intune, see Login items on macOS.

Applies to:

macOS 10.13 and newer

Login window

Control the appearance of the login screen and functions available to users before they sign in. For example, add a banner with a custom message, choose if the sleep button is shown, and more.

For a list of the settings you can configure in Intune, see Login window on macOS.

Applies to:

macOS 10.7 and newer
Single sign-on
Most Line of Business (LOB) apps require some level of user authentication to support
security. In many cases, the authentication requires users to enter the same credentials
repeatedly. To improve the user experience, developers can create apps that use single
sign-on (SSO). Using single sign-on reduces the number of times a user must enter
credentials.

The single sign-on profile is based on Kerberos. Kerberos is a network authentication
protocol that uses secret key cryptography to authenticate client-server applications.
The Intune settings define Kerberos account information when accessing servers or
specific apps, and handle Kerberos challenges for web pages and native apps. Apple
recommends you use the Kerberos SSO app extension settings (in this article) instead of
the SSO settings.

To use single sign-on, be sure you have:

An app that's coded to look for the user credential store in single sign-on on the
device.
Intune configured for iOS/iPadOS device single sign-on.

For a list of the settings you can configure in Intune, see Single sign-on on iOS/iPadOS.

Applies to:

iOS 7.0 and newer
iPadOS 13.0 and newer

Single sign-on app extension
These settings configure an app extension that enables single sign-on (SSO) for your
iOS, iPadOS, and macOS devices. Most Line of Business (LOB) apps and organization
websites require some level of secure user authentication. In many cases, authentication
requires users to enter the same credentials repeatedly. SSO gives users access to apps
and websites after entering their credentials once. SSO also provides a better
authentication experience for users, and reduces the number of repeated prompts for
credentials.

In Intune, use these settings to configure an SSO app extension created by your
organization, your identity provider, Microsoft, or Apple. The SSO app extension handles
authentication for your users. These settings configure redirect-type and credential-type
SSO app extensions.

The redirect type is designed for modern authentication protocols, such as OpenID
Connect, OAuth, and SAML2. You can choose between the Microsoft Azure AD SSO
extension (Microsoft Enterprise SSO plug-in) and a generic redirect extension.

The credential type is designed for challenge-and-response authentication flows.
You can choose between a Kerberos-specific credential extension provided by
Apple, and a generic credential extension.

The Azure AD macOS SSO app extension should work with any third-party or
partner MDM. The extension must be deployed as a Kerberos SSO extension, or
deployed as a custom configuration profile with all the required properties
configured.

For a list of the settings you can configure in Intune, see iOS/iPadOS SSO app extension
and macOS SSO app extension.

For more information on developing an SSO app extension, watch Extensible Enterprise
SSO on Apple's web site. To read Apple's description of the feature, go to single sign-on
extensions payload settings.

Note

The Single sign-on app extension feature is different than the Single sign-on
feature:

The Single sign-on app extension settings apply to iPadOS 13.0 (and newer),
iOS 13.0 (and newer), and macOS 10.15 (and newer). Single sign-on settings
apply to iPadOS 13.0 (and newer) and iOS 7.0 and newer.
The Single sign-on app extension settings define extensions for use by
identity providers or organizations to deliver a seamless enterprise sign-on
experience. The Single sign-on settings define Kerberos account information
for when users access servers or apps.

The Single sign-on app extension uses the Apple operating system to
authenticate. So, it might provide an end-user experience that's better than
Single sign-on.

From a development perspective, with Single sign-on app extension, you can
use any type of redirect SSO or credential SSO authentication. With Single
sign-on, you can only use Kerberos SSO authentication.

The Kerberos Single sign-on app extension was developed by Apple and is
built into the iOS/iPadOS 13.0+ and macOS 10.15+ platforms. The built-in
Kerberos extension can be used to log users into native apps and websites
that support Kerberos authentication. Single sign-on is not an Apple
implementation of Kerberos.

The built-in Kerberos Single sign-on app extension handles Kerberos
challenges for web pages and apps just like Single sign-on. However, the
built-in Kerberos extension supports password changes and behaves better in
enterprise networks. When deciding between the Kerberos Single sign-on
app extension and Single sign-on, we recommend using the extension due to
improved performance and capabilities.

Applies to:

iOS 13.0 and newer
iPadOS 13.0 and newer
macOS 10.15 and newer

Wallpaper
Add a custom .png, .jpg, or .jpeg image to your supervised iOS/iPadOS devices. For
example, use Intune to add a company logo to the lock screen on your devices.

For a list of the settings you can configure in Intune, see Wallpaper on iOS/iPadOS.

Applies to:
iOS
iPadOS 13.0 and newer

Web content filter
These settings use Apple's built-in AutoFilter algorithm to evaluate web pages, and
block adult content and adult language. You can also create a list of allowed web links
and restricted web links. For example, you can allow only Contoso web sites to open.

For a list of the settings you can configure in Intune, see Web content filter on
iOS/iPadOS.

Applies to:

iOS 7.0 and newer
iPadOS 13.0 and newer

Next steps
The profile is created, but it may not be doing anything yet. Next, assign the profile and
monitor its status.

View all the device feature settings for iOS/iPadOS and macOS devices.

Deploy the Microsoft Enterprise SSO plug-in for Apple Devices
Article • 05/30/2023

In Microsoft Intune, there's a Microsoft Enterprise SSO plug-in. This plug-in provides
single sign-on (SSO) to iOS/iPadOS and macOS apps and websites that use Microsoft
Azure Active Directory (Azure AD) for authentication.

This article applies to:

iOS/iPadOS
macOS

Get started with your MDM provider and platform
The Enterprise SSO plug-in can be used in Microsoft Intune, Jamf Pro, or other MDM
solutions. For more information about the plug-in, which SSO option to use, and how to
create the SSO profile, go to the following articles:

iOS/iPadOS: Deploy the Microsoft Enterprise SSO plug-in

macOS: Deploy the Microsoft Enterprise SSO plug-in

Next steps
For information about the Microsoft Enterprise SSO plug-in and Azure AD, go to
Microsoft Enterprise SSO plug-in for Apple devices.

For information from Apple on the single sign-on extension payload, go to single
sign-on extensions payload settings (opens Apple's web site).

For information on troubleshooting the Microsoft Enterprise SSO Extension, go to
Troubleshooting the Microsoft Enterprise SSO Extension plugin on Apple devices.

Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS devices
Article • 04/19/2023

The Microsoft Enterprise SSO plug-in provides single sign-on (SSO) to apps and
websites that use Microsoft Azure Active Directory (Azure AD) for authentication,
including Microsoft 365. This plug-in uses the Apple single sign-on app extension
framework. It reduces the number of authentication prompts users get when using
devices managed by Mobile Device Management (MDM), including any MDM that
supports configuring SSO profiles.

Once set up, apps that support the Microsoft Authentication Library (MSAL)
automatically take advantage of the Microsoft Enterprise SSO plug-in. Apps that don't
support MSAL can be allowed to use the extension, including browsers like Safari and
apps that use Safari web view APIs. Just add the application bundle ID or prefix to the
extension configuration.

For example, to allow a Microsoft app that doesn't support MSAL, add com.microsoft.
to the AppPrefixAllowList property. Be careful with the apps you allow: they'll be able to
bypass interactive sign-in prompts for the signed-in user.

For more information, see Microsoft Enterprise SSO plug-in for Apple devices - apps
that don't use MSAL.

This article applies to:

iOS/iPadOS

This article shows how to deploy the Microsoft Enterprise SSO plug-in for iOS/iPadOS
Apple devices with Intune, Jamf Pro, and other MDM solutions.

Prerequisites
To use the Microsoft Enterprise SSO plug-in on iOS/iPadOS devices:

Intune

The device is managed by Intune.

The device must support the plug-in:
iOS/iPadOS 13.0 and newer

The Microsoft Authenticator app must be installed on the device.

The Microsoft Authenticator app can be installed manually by users, or
deployed using Intune. For information on how to install the Microsoft
Authenticator app, go to Manage Apple volume-purchased apps.

Note

On iOS/iPadOS devices, Apple requires that the SSO app extension and the
Microsoft Authenticator app be installed. Users don't need to use or configure the
Microsoft Authenticator app; it just needs to be installed on the device.

Microsoft Enterprise SSO plug-in vs. Kerberos SSO extension
When you use the SSO app extension, you use the SSO or Kerberos Payload Type for
authentication. The SSO app extension is designed to improve the sign-in experience for
apps and websites that use these authentication methods.

The Microsoft Enterprise SSO plug-in uses the SSO Payload Type with Redirect
authentication. The SSO Redirect and Kerberos extension types can both be used on a
device at the same time. Be sure to create separate device profiles for each extension
type you plan to use on your devices.

To determine the correct SSO extension type for your scenario, use the following table:

Microsoft Enterprise SSO plug-in for Apple Devices:
- Uses the Microsoft Azure AD SSO app extension type
- Supports the following apps:
  - Microsoft 365
  - Apps, websites or services integrated with Azure AD

Single sign-on app extension with Kerberos:
- Uses the Kerberos SSO app extension type
- Supports the following apps:
  - Apps, websites or services integrated with AD

For more information on the single sign-on extension, go to Single sign-on app
extension.

Create a single sign-on app extension configuration profile
Intune

In the Microsoft Intune admin center, create a device configuration profile. This
profile includes the settings to configure the SSO app extension on devices.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select iOS/iPadOS.
Profile: Select Templates > Device features.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so
you can easily identify them later. For example, a good policy name is
iOS: Microsoft Enterprise SSO plug-in.
Description: Enter a description for the policy. This setting is optional,
but recommended.

6. Select Next.

7. In Configuration settings, select Single sign-on app extension, and configure
the following properties:

SSO app extension type: Select Microsoft Azure AD.

Enable shared device mode:

Not configured: Intune doesn't change or update this setting.
For most scenarios, including Shared iPad, personal devices, and
devices with or without user affinity, select this option.

Yes: Select this option only if the targeted devices are using Azure AD
Shared device mode. For more information, go to Shared device
mode overview.

App bundle ID: Enter a list of bundle IDs for apps that don't support
MSAL and are allowed to use SSO. For more information, go to
Applications that don't use MSAL.

Additional configuration: To customize the end user experience, you can
add the following properties. These properties are the default values
used by the Microsoft SSO Extension, but they can be customized for
your organization's needs:

Key: AppPrefixAllowList
Type: String
Description: Recommended value: com.apple.
Enter a list of prefixes for apps that don't support MSAL and are
allowed to use SSO. For example, enter com.microsoft.,com.apple.
to allow all Microsoft and Apple apps.
Be sure these apps meet the allowlist requirements.

Key: browser_sso_interaction_enabled
Type: Integer
Description: Recommended value: 1
When set to 1, users can sign in from the Safari browser, and from
apps that don't support MSAL. Enabling this setting allows users
to bootstrap the extension from Safari or other apps.

Key: disable_explicit_app_prompt
Type: Integer
Description: Recommended value: 1
Some apps might incorrectly enforce end-user prompts at the
protocol layer. If you see this problem, users are prompted to
sign in, even though the Microsoft Enterprise SSO plug-in works for
other apps. When set to 1 (one), you reduce these prompts.

Tip

For more information on these properties, and other properties you
can configure, see Microsoft Enterprise SSO plug-in for Apple
devices.

When you're done configuring the recommended settings, the settings
look similar to the following values in your Intune configuration profile:

8. Continue creating the profile, and assign the profile to the users or groups
that will receive these settings. For the specific steps, go to Create the profile.

For guidance on assigning profiles, go to Assign user and device profiles.

When the device checks in with the Intune service, it will receive this profile. For
more information, go to Policy refresh intervals.

To check that the profile deployed correctly, in the Intune admin center, go to
Devices > Configuration Profiles > select the profile you created and generate a
report.

End user experience

If you're not deploying the Microsoft Authenticator app using an app policy, then
users must install it manually. Users don't need to use the Authenticator app, it just
needs to be installed on the device.

Users sign in to any supported app or website to bootstrap the extension.
Bootstrap is the process of signing in for the first time, which sets up the extension.

After users sign in successfully, the extension is automatically used to sign in to any
other supported app or website.

You can test single sign-on by opening Safari in private mode (opens Apple's web
site) and opening the https://portal.office.com site. No username and password will
be required.

Tip

Learn more about how the SSO plug-in works and how to troubleshoot the
Microsoft Enterprise SSO Extension with the SSO troubleshooting guide for Apple
devices.

Next steps
For information about the Microsoft Enterprise SSO plug-in, go to Microsoft
Enterprise SSO plug-in for Apple devices.

For information from Apple on the single sign-on extension payload, go to single
sign-on extensions payload settings (opens Apple's web site).

For information on troubleshooting the Microsoft Enterprise SSO Extension, go to
Troubleshooting the Microsoft Enterprise SSO Extension plugin on Apple devices.

Use the Microsoft Enterprise SSO plug-in on macOS devices
Article • 03/02/2023

The Microsoft Enterprise SSO plug-in provides single sign-on (SSO) to apps and
websites that use Microsoft Azure Active Directory (Azure AD) for authentication,
including Microsoft 365. This plug-in uses the Apple single sign-on app extension
framework. It reduces the number of authentication prompts users get when using
devices managed by Mobile Device Management (MDM), including any MDM that
supports configuring SSO profiles.

Once set up, apps that support the Microsoft Authentication Library (MSAL)
automatically take advantage of the Microsoft Enterprise SSO plug-in. Apps that don't
support MSAL can be allowed to use the extension, including browsers like Safari and
apps that use Safari web view APIs. Just add the application bundle ID or prefix to the
extension configuration.

For example, to allow a Microsoft app that doesn't support MSAL, add com.microsoft.
to the AppPrefixAllowList property. Be careful with the apps you allow: they'll be able to
bypass interactive sign-in prompts for the signed-in user.

For more information, see Microsoft Enterprise SSO plug-in for Apple devices - apps
that don't use MSAL.

This article applies to:

macOS

This article shows how to deploy the Microsoft Enterprise SSO plug-in for macOS Apple
devices with Intune, Jamf Pro, and other MDM solutions.

Prerequisites
To use the Microsoft Enterprise SSO plug-in on macOS devices:

Intune

The device is managed by Intune.

The device must support the plug-in:
macOS 10.15 and newer

The Microsoft Company Portal app must be installed and configured on the
device.

Microsoft Enterprise SSO plug-in vs. Kerberos SSO extension
When you use the SSO app extension, you use the SSO or Kerberos Payload Type for
authentication. The SSO app extension is designed to improve the sign-in experience for
apps and websites that use these authentication methods.

The Microsoft Enterprise SSO plug-in uses the SSO Payload Type with Redirect
authentication. The SSO Redirect and Kerberos extension types can both be used on a
device at the same time. Be sure to create separate device profiles for each extension
type you plan to use on your devices.

To determine the correct SSO extension type for your scenario, use the following table:

Microsoft Enterprise SSO plug-in for Apple Devices:
- Uses the Microsoft Azure AD SSO app extension type
- Supports the following apps:
  - Microsoft 365
  - Apps, websites or services integrated with Azure AD

Single sign-on app extension with Kerberos:
- Uses the Kerberos SSO app extension type
- Supports the following apps:
  - Apps, websites or services integrated with AD

For more information on the single sign-on extension, go to Single sign-on app
extension.

Create a single sign-on app extension configuration profile
Intune

In the Microsoft Intune admin center, create a device configuration profile. This
profile includes the settings to configure the SSO app extension on devices.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select macOS.
Profile: Select Templates > Device features.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so
you can easily identify them later. For example, a good policy name is
macOS: Microsoft Enterprise SSO plug-in.
Description: Enter a description for the policy. This setting is optional,
but recommended.

6. Select Next.

7. In Configuration settings, select Single sign-on app extension, and configure
the following properties:

SSO app extension type: Select Microsoft Azure AD.


App bundle ID: Enter a list of bundle IDs for apps that don't support
MSAL and are allowed to use SSO. For more information, go to
Applications that don't use MSAL.

Additional configuration: To customize the end user experience, you can
add the following properties. These properties are the default values
used by the Microsoft SSO Extension, but they can be customized for
your organization's needs:

Key: AppPrefixAllowList
Type: String
Description: Recommended value: com.microsoft.,com.apple.
Enter a list of prefixes for apps that don't support MSAL and are
allowed to use SSO. For example, enter com.microsoft.,com.apple.
to allow all Microsoft and Apple apps.
Be sure these apps meet the allowlist requirements.

Key: browser_sso_interaction_enabled
Type: Integer
Description: Recommended value: 1
When set to 1, users can sign in from the Safari browser, and from
apps that don't support MSAL. Enabling this setting allows users
to bootstrap the extension from Safari or other apps.

Key: disable_explicit_app_prompt
Type: Integer
Description: Recommended value: 1
Some apps might incorrectly enforce end-user prompts at the
protocol layer. If you see this problem, users are prompted to
sign in, even though the Microsoft Enterprise SSO plug-in works for
other apps. When set to 1 (one), you reduce these prompts.

Tip

For more information on these properties, and other properties you
can configure, see Microsoft Enterprise SSO plug-in for Apple
devices.

When you're done configuring the recommended settings, the settings
look similar to the following values in your Intune configuration profile:

8. Continue creating the profile, and assign the profile to the users or groups
that will receive these settings. For the specific steps, go to Create the profile.

For guidance on assigning profiles, go to Assign user and device profiles.

When the device checks in with the Intune service, it will receive this profile. For
more information, go to Policy refresh intervals.

To check that the profile deployed correctly, in the Intune admin center, go to
Devices > Configuration Profiles > select the profile you created and generate a
report.
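The Additional configuration properties in step 7 of both the iOS/iPadOS and macOS procedures above decide which non-MSAL apps may use the extension silently, and Intune does not check what you type. The following script is an added example (not Microsoft's code) that audits those three keys and lists which installed bundle IDs a given prefix list would cover; the settings and bundle IDs are constructed samples, and the key name used for the explicit "App bundle ID" list (APP_ALLOW_KEY) is an assumption of this script.

```python
"""Audit the 'Additional configuration' of a Microsoft Enterprise SSO plug-in
profile before assigning it.

Added example, not Microsoft's code. It checks the three keys this page
recommends (AppPrefixAllowList, browser_sso_interaction_enabled,
disable_explicit_app_prompt) and reports which installed apps the extension
would sign in without an interactive prompt. The Intune "App bundle ID" list
is modelled under an assumed key name, APP_ALLOW_KEY; the settings and bundle
IDs below are constructed samples.
"""
from __future__ import annotations

APP_ALLOW_KEY = "AppAllowList"  # assumed name for the explicit bundle-ID list
INTEGER_FLAGS = ("browser_sso_interaction_enabled", "disable_explicit_app_prompt")

# Constructed sample: the recommended values from this page's table.
RECOMMENDED_SETTINGS = {
    "AppPrefixAllowList": "com.microsoft.,com.apple.",
    "browser_sso_interaction_enabled": 1,
    "disable_explicit_app_prompt": 1,
}

# Constructed sample inventory of bundle IDs on a managed device.
INSTALLED_APPS = [
    "com.apple.mobilesafari",
    "com.contoso.expenses",
    "com.microsoft.Office.Outlook",
    "com.microsoftfake.app",
]


def split_list(value: str) -> list[str]:
    """Split a comma-separated Intune string value into clean items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_sso_settings(settings: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    prefixes = settings.get("AppPrefixAllowList", "")
    if not isinstance(prefixes, str):
        findings.append("AppPrefixAllowList must be a String of comma-separated prefixes")
        prefixes = ""
    for prefix in split_list(prefixes):
        # 'com.microsoft' (no trailing dot) also matches 'com.microsoftfake.app'.
        if not prefix.endswith("."):
            findings.append(f"prefix {prefix!r} lacks a trailing dot; it also matches "
                            f"{prefix}fake.app")
        # A single label such as 'com.' grants SSO to almost every app on the device.
        if "." not in prefix.rstrip("."):
            findings.append(f"prefix {prefix!r} is broader than one vendor namespace")
    for key in INTEGER_FLAGS:
        if key not in settings:
            continue
        value = settings[key]
        # Intune types these keys as Integer; a String "1" is the wrong type.
        if isinstance(value, bool) or not isinstance(value, int):
            findings.append(f"{key} must be an Integer, got {type(value).__name__}")
        elif value not in (0, 1):
            findings.append(f"{key} must be 0 or 1, got {value}")
    return findings


def apps_with_silent_sso(settings: dict, installed: list[str]) -> list[str]:
    """Bundle IDs that can use the extension without an interactive prompt:
    anything listed explicitly or matching a prefix in AppPrefixAllowList.
    (Apps built on MSAL use the plug-in regardless of these lists.)"""
    explicit = set(split_list(str(settings.get(APP_ALLOW_KEY, ""))))
    prefixes = split_list(str(settings.get("AppPrefixAllowList", "")))
    return sorted(app for app in installed
                  if app in explicit or any(app.startswith(p) for p in prefixes))


if __name__ == "__main__":
    overly_broad = {"AppPrefixAllowList": "com.microsoft,com.",
                    "browser_sso_interaction_enabled": "1"}
    for label, cfg in (("recommended", RECOMMENDED_SETTINGS),
                       ("overly broad", overly_broad)):
        print(f"--- {label} ---")
        for finding in audit_sso_settings(cfg) or ["no findings"]:
            print(" ", finding)
        print("  silent SSO for:", ", ".join(apps_with_silent_sso(cfg, INSTALLED_APPS)))
```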

End user experience

If you're not deploying the Company Portal app using an app policy, then users
must install it manually. Users don't need to use the Company Portal app, it just
needs to be installed on the device.

Users sign in to any supported app or website to bootstrap the extension.
Bootstrap is the process of signing in for the first time, which sets up the extension.

After users sign in successfully, the extension is automatically used to sign in to any
other supported app or website.

You can test single sign-on by opening Safari in private mode (opens Apple's web
site) and opening the https://portal.office.com site. No username and password will
be required.

On macOS, when users sign in to a work or school app, they're prompted to opt in or
out of SSO. They can select Don’t ask me again to opt out of SSO and block future
requests.

Users can also manage their SSO preferences in the Company Portal app for macOS. To
edit preferences, go to the Company Portal app menu bar > Company Portal >
Settings. They can select or deselect Don’t ask me to sign in with single sign-on for
this device.

Tip

Learn more about how the SSO plug-in works and how to troubleshoot the
Microsoft Enterprise SSO Extension with the SSO troubleshooting guide for Apple
devices.

Next steps
For information about the Microsoft Enterprise SSO plug-in, go to Microsoft
Enterprise SSO plug-in for Apple devices.

For information from Apple on the single sign-on extension payload, go to single
sign-on extensions payload settings (opens Apple's web site).

For information on troubleshooting the Microsoft Enterprise SSO Extension, go to
Troubleshooting the Microsoft Enterprise SSO Extension plugin on Apple devices.

Add macOS system and kernel extensions in Intune
Article • 05/16/2023

Note

macOS kernel extensions are being replaced with system extensions. For more
information, go to Support Tip: Using system extensions instead of kernel
extensions for macOS Catalina 10.15 in Intune.

On macOS devices, you can add kernel extensions and system extensions. Both kernel
extensions and system extensions allow users to install app extensions that extend the
native capabilities of the operating system. Kernel extensions execute their code at the
kernel level. System extensions run in a tightly controlled user-space.

To add extensions that are always allowed to load on your devices, use Microsoft Intune.
Intune uses "configuration profiles" to create and customize these settings for your
organization's needs. After you add these features in a profile, you then push or deploy
the profile to macOS devices in your organization.

This article describes system extensions and kernel extensions. It also shows you how to
create a device configuration profile using extensions in Intune.

System extensions
System extensions run in the user space, and don't access the kernel. The goal is to
increase security, provide more end user control, and limit kernel level attacks. These
extensions can be:

Driver extensions, including drivers to USB, network interface cards (NIC), serial
controllers, and human interface devices (HID)
Network extensions, including content filters, DNS proxies, and VPN clients
Endpoint security extensions, including endpoint detection, endpoint response,
and antivirus

System extensions are included in an app's bundle, and installed from the app.

For more information on system extensions, go to system extensions (opens Apple's
web site).

Kernel extensions
Kernel extensions add features at the kernel-level. These features access parts of the OS
that regular programs can't access. Your organization may have specific needs or
requirements that aren't available in an app, a device feature, and so on.

For example, you have a virus scanning program that scans your device for malicious
content. You can add this virus scanning program's kernel extension as an allowed
kernel extension in Intune. Then, "assign" the extension to your macOS devices.

With this feature, administrators can allow users to override kernel extensions, add team
identifiers, and add specific kernel extensions in Intune.

For more information on kernel extensions, go to kernel extensions (opens Apple's
web site).

Important

Kernel extensions don't work on macOS devices with the M1 chip, which are macOS
devices running on Apple silicon. This behavior is a known issue, with no ETA. It's
possible you can get them to work, but it's not recommended. For more
information, go to Kernel extensions in macOS (opens Apple's web site).

For any macOS devices running 10.15 and newer, we recommend using system
extensions (in this article). If you use the kernel extensions settings, then consider
excluding macOS devices with M1 chips from receiving the kernel extensions
profile.

Prerequisites
This feature applies to:
macOS 10.13.2 and newer (kernel extensions)
macOS 10.15 and newer (system extensions)

From macOS 10.15 to 10.15.4, kernel extensions and system extensions can run
side by side.

To use this feature, devices must be:

Enrolled in Intune using Apple's Device Enrollment Program (DEP).
Automatically enroll macOS devices has more information.

OR

Enrolled in Intune with "user approved enrollment" (Apple's term). Prepare for
changes to kernel extensions in macOS High Sierra (opens Apple's web site)
has more information.

What you need to know

Unsigned legacy kernel extensions and system extensions can be added.
Be sure to enter the correct team identifier and bundle ID of the extension. Intune
doesn't validate the values you enter. If you enter wrong information, the
extension won't work on the device. A team identifier is exactly 10 alphanumeric
characters long.

Note

Apple released information regarding signing and notarization for all software. On
macOS 10.14.5 and newer, kernel extensions deployed through Intune don't have
to meet Apple's notarization policy.

For information on this notarization policy, and any updates or changes, go to the
following resources:

Notarizing your app before distribution (opens Apple's web site)
Prepare for changes to kernel extensions in macOS High Sierra (opens
Apple's web site)

Create the profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select macOS.
Profile: Select Templates > Extensions.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is macOS: Add AV
scanning to kernel extensions on devices.
Description: Enter a description for the policy. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, configure your settings:

macOS

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, go to Assign user and device profiles.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Next steps
Be sure to assign the profile and monitor its status.

Add a property list file to macOS devices using Microsoft Intune
Article • 05/16/2023

Using Microsoft Intune, you can add a property list file (.plist) for macOS devices, or
apps on macOS devices.

This feature applies to:

macOS 10.7 and newer

Property list files include information about macOS applications. For more information,
see About Information Property List Files (Apple's website) and Custom payload
settings (Apple's website).

This article describes the different property list file settings you can add to macOS
devices. As part of your mobile device management (MDM) solution, use these settings
to add the app bundle ID (com.company.application), and add the app's .plist file.

These settings are added to a device configuration profile in Intune, and then assigned
or deployed to your macOS devices.

What you need to know

These settings aren't validated. Test your changes before assigning the profile to
your devices.

If you're not sure how to enter an app key, change the setting within the app.
Then, review the app's preference file using Xcode to see how the setting is
configured. Apple recommends removing nonmanageable settings using Xcode
before importing the file.

Only some apps work with managed preferences, and might not allow you to
manage all settings.

Be sure you upload property list files that target device channel settings, not user
channel settings. Property list files target the entire device.

If you're configuring the Microsoft Edge version 77 and newer app, then use the
Settings catalog. For a list of the settings you can configure, see Microsoft Edge -
Policies (opens another Microsoft website).

Be sure macOS is listed as a supported platform. If some settings aren't available in
the settings catalog, then it's recommended to continue using the preference file.

Create the profile

Note

Intune may support more settings than the settings listed in this article. Not all
settings are documented, and won’t be documented. To see the settings you can
configure, create a device configuration profile, and select Settings Catalog. For
more information, see Settings catalog.

Tasks you can complete using the Settings Catalog in Intune is also a good
resource.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select macOS.
Profile: Select Templates > Preference file.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is macOS: Add
preference file that configures Microsoft Defender for Endpoint on devices.
Description: Enter a description for the policy. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, configure your settings:

Preference domain name: Enter the bundle ID, such as
com.company.application. For example, enter com.Contoso.applicationName,
com.Microsoft.Edge, or com.microsoft.wdav.

Property list files are typically used for web browsers (Microsoft Edge),
Microsoft Defender for Endpoint, and custom apps. When you create a
preference domain, a bundle ID is also created.

Tip

For Microsoft Edge version 77 and newer, you can use the settings
catalog. You don't have to use a preference file. For more information,
see Settings catalog.

Property list file: Select the property list file associated with your app. Be sure
it's a .plist or .xml file. For example, upload a YourApp-Manifest.plist or
YourApp-Manifest.xml file.

The key information in the property list file is shown. If you need to change
the key information, open the list file in another editor, and then reupload the
file in Intune.

Be sure your file is formatted correctly. The file should only have key/value pairs,
and shouldn't be wrapped in <dict>, <plist>, or <xml> tags. For example, your
property list file should be similar to the following file:

XML

<key>SomeKey</key>
<string>someString</string>
<key>AnotherKey</key>
<false/>
...

To see some property list file examples, go to Set preferences for Microsoft
Defender for Endpoint.

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, see Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
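A fragment that still carries the wrapper an editor adds, or that has a key with no value, is rejected at upload time, so it's worth checking the file first. The following Python script is an added example, not part of the Intune documentation: it wraps the fragment in the <plist><dict> envelope that a complete property list would have and parses it with the standard library's plistlib, so a fragment that already has its own <?xml ?>, <plist> or <dict> wrapper, or that isn't a clean list of key/value pairs, fails before you upload it. The sample fragments and their key names are constructed for the example.

```python
import plistlib
from typing import Optional
from xml.parsers.expat import ExpatError

# Constructed fragments. GOOD_FRAGMENT has the shape Intune expects: bare key/value
# pairs at the top level. Nested <dict> values are fine; a top-level wrapper is not.
GOOD_FRAGMENT = """
<key>SomeKey</key>
<string>someString</string>
<key>AnotherKey</key>
<false/>
<key>nested</key>
<dict>
  <key>level</key>
  <integer>2</integer>
</dict>
"""

# A complete plist as an editor exports it. Intune rejects this shape as a preference file.
WRAPPED_FRAGMENT = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>SomeKey</key>
  <string>someString</string>
</dict>
</plist>
"""

# Anything a valid fragment must not begin with.
FORBIDDEN_PREFIXES = ("<?xml", "<!DOCTYPE", "<plist", "<dict")


def parse_preference_fragment(fragment: str) -> dict:
    """Return the fragment's key/value pairs as a dict, or raise ValueError.

    The fragment is placed inside a <plist><dict> envelope and parsed with plistlib.
    A fragment that carries its own envelope, has a key without a value, or is not
    well-formed XML fails to parse and the reason is reported.
    """
    body = fragment.strip()
    if not body:
        raise ValueError("fragment is empty")
    if body.startswith(FORBIDDEN_PREFIXES):
        raise ValueError(
            "fragment must contain only key/value pairs; remove the <?xml?> declaration "
            "and the <plist>/<dict> wrapper"
        )
    wrapped = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0"><dict>\n'
        f"{body}\n"
        "</dict></plist>\n"
    )
    try:
        return plistlib.loads(wrapped.encode("utf-8"))
    except (ExpatError, ValueError, plistlib.InvalidFileException) as exc:
        # plistlib raises ValueError for a dangling <key> or a value with no key,
        # ExpatError for malformed or mismatched tags.
        raise ValueError(f"fragment is not a valid key/value list: {exc}") from exc


def fragment_problem(fragment: str) -> Optional[str]:
    """None when the fragment is acceptable for upload, otherwise the error text."""
    try:
        parse_preference_fragment(fragment)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(sorted(parse_preference_fragment(GOOD_FRAGMENT)))
    print(fragment_problem(WRAPPED_FRAGMENT))
```

Run it against the .plist or .xml file you intend to upload; the parsed dictionary also gives you a quick look at the key information Intune will show after upload.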

Next steps
Assign the profile and monitor its status.

For more information on preference files for Microsoft Edge, see Configure Microsoft
Edge policy settings on macOS.
Use and manage Zebra devices with Zebra Mobility Extensions in Microsoft Intune
Article • 02/22/2023

Intune includes a rich set of features, including managing apps and configuring device
settings. These built-in features and settings manage Android devices manufactured by
Zebra Technologies, also known as "Zebra devices".

On Android devices, use Zebra's Mobility Extensions (MX) profiles to customize or add
more Zebra-specific settings.

This feature applies to:

Android device administrator

For Android Enterprise devices, use OEMConfig.

Your company may use Zebra devices for retail, on the factory floor, and more. For
example, you're a retailer and your environment includes thousands of Zebra mobile
devices used by sales associates. Intune can help manage these devices as part of your
mobile device management (MDM) solution.

Using Intune, you can enroll Zebra devices to deploy your line-of-business apps to the
devices. "Device configuration" profiles let you create MX profiles to manage your
Zebra-specific settings.

This article shows you how to use Zebra Mobility Extensions (MX) on Zebra devices in
Microsoft Intune.

Note

By default, the Zebra MX APIs aren't locked down on devices, so calls to them aren't
restricted to trusted apps. Before a device enrolls in Intune, it's possible for a
malicious app on the device to use these APIs to compromise it. While the device is still
in a clean state, we suggest you lock down the MX APIs using Access Manager
(AccessMgr). For example, you can choose that only the Company Portal app and apps
you trust are allowed to call MX APIs.

For more information, see Locking down your device on Zebra's web site.
Before you begin
Be sure you have the latest version of the StageNow desktop app from Zebra
Technologies.
Be sure to check Zebra's full MX feature matrix (opens Zebra's web site). Confirm
the profiles you create are compatible with the device's MX version, OS version,
and model.
Certain devices, such as TC20/25 devices, don't support all of the available MX
features in StageNow. Be sure to check Zebra's feature matrix (opens Zebra's
web site) for updated support info.

Step 1: Install the latest Company Portal app


On the device, open the Google Play store. Download and install the Intune Company
Portal app from Microsoft. When installed from Google Play, the Company Portal app
gets updates and fixes automatically.

If Google Play isn't available, download the Microsoft Intune Company Portal for
Android (opens another Microsoft website), and sideload it (in this article). When
installed this way, the app doesn't receive updates or fixes automatically. Be sure to
regularly update and patch the app manually.

Sideload the Company Portal app


"Sideloading" is when you don't use Google Play to install an app. To sideload the
Company Portal app, use StageNow.

The following steps provide an overview. For specific details, see Zebra's documentation.
Enroll in an MDM using StageNow (opens Zebra's web site) may be a good resource.

1. In StageNow, create a profile for Enroll in an MDM.

2. In Deployment, choose to download the MDM agent file.

3. Set the Support App and Download Configuration steps to No.

4. In Download MDM, select Transfer/Copy File. Add the source and destination of
the Company Portal Android package (APK).

5. In Launch MDM, leave the default values as-is. Add the following details:

Package Name: com.microsoft.windowsintune.companyportal


Class Name:
com.microsoft.windowsintune.companyportal.views.SplashActivity

Continue to publish the profile, and consume it with the StageNow app on the device.
The Company Portal app is installed and opened on the device.

 Tip

For more information on StageNow, and what it does, see StageNow Android
device staging (opens Zebra's web site).

Step 2: Confirm the Company Portal app has device administrator role

The Company Portal app requires Device Administrator to manage Android devices. To
activate the Device Administrator role, some Zebra devices include a user interface (UI)
on the device. If the device includes a UI, the Company Portal app prompts the end user
to grant Device Administrator during enrollment (in this article).

If a UI isn't available, use the DevAdmin Manager in StageNow to create a profile that
manually grants Device Administrator to the Company Portal app.

The following steps provide an overview. For specific details, see Zebra's documentation.
Set battery swap mode as device administrator (opens Zebra's website) may be a
good resource.

1. In StageNow, create a profile and select Xpert Mode.


2. Add DevAdmin Manager to the profile.
3. Set Device Administration Action to Turn On as Device Administrator.
4. Set Device Admin Package Name to com.microsoft.windowsintune.companyportal .
5. Set Device Admin Class Name to
com.microsoft.omadm.client.PolicyManagerReceiver .

Continue to publish the profile, and consume it with the StageNow app on the device.
The Company Portal app is granted the Device Administrator role.

Step 3: Enroll the device into Intune

After completing the first two steps, the Company Portal app is installed on the device,
and the device is ready to be enrolled into Intune.

Enroll Android devices lists the steps. If you have many Zebra devices, you may want to
use a device enrollment manager (DEM) account. Using a DEM account also removes
the option to unenroll from the Company Portal app, so that users can't unenroll the
device as easily.

Step 4: Create a device management profile in StageNow

Use StageNow to create a profile that configures the settings you want to manage on
the device. For specific details, see Zebra's documentation. Profiles (opens Zebra's
website) may be a good resource.

When you create the profile in StageNow, on the last step, select Export to MDM. This
step generates an XML file. Save this file. You need it in a later step.

It's recommended to test the profile before you deploy it to devices in your
organization. To test, in the last step when creating profiles with StageNow on your
computer, use the Test options. Then, consume the StageNow-generated file with
the StageNow app on the device.

The StageNow app on the device shows logs generated when you test the profile.
Use StageNow logs on Zebra devices running Android in Intune has information
on using StageNow logs to understand errors.

If you reference apps, update packages, or update other files in your StageNow
profile, you want the device to get these updates. To get the updates, the device
must connect to the StageNow deployment server when the profile is applied.

Or, you can use built-in features in Intune to get these changes, including:
App management features to add, deploy, update, and monitor apps.
Manage system and app updates on devices running Android Enterprise

After you test the file, the next step is to deploy the profile to devices using Intune.

You can deploy one or multiple MX profiles to a device.

You can also export multiple StageNow profiles, and combine the settings into a
single XML file. Then, upload the XML file to Intune to deploy to your devices.

Warning

If multiple MX profiles are targeted to the same group, and configure the same
property, there will be conflicts on the device.
If the same property is configured multiple times in a single MX profile, the
last configuration wins.
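Before you upload several exports, or combine them into one file, check them for exactly the overlap the warning describes. The following Python script is an added example, not Zebra's or Microsoft's code: it reads StageNow "Export to MDM" XML (a wap-provisioningdoc), lists properties that one profile sets more than once (the device keeps the last value), lists properties that two or more profiles set (a conflict on the device), and merges profiles into a single document in a chosen order. The two exports are constructed; the Clock characteristic and its parms follow the example used in this documentation, while the Display characteristic and its Brightness parm are invented for the example and aren't real Zebra CSP names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed StageNow "Export to MDM" outputs. Clock/AutoTime/TimeZone follow the
# example in this documentation; "Display"/"Brightness" is invented for the example.
BASELINE_XML = """<wap-provisioningdoc>
  <characteristic type="Clock" version="6.0">
    <parm name="AutoTime" value="false"/>
    <parm name="TimeZone" value="GMT-5"/>
  </characteristic>
  <characteristic type="Clock" version="6.0">
    <parm name="TimeZone" value="GMT-6"/>
  </characteristic>
</wap-provisioningdoc>"""

STORE_XML = """<wap-provisioningdoc>
  <characteristic type="Clock" version="6.0">
    <parm name="TimeZone" value="GMT-8"/>
  </characteristic>
  <characteristic type="Display" version="1.0">
    <parm name="Brightness" value="80"/>
  </characteristic>
</wap-provisioningdoc>"""


def settings_in_profile(xml_text):
    """Map (characteristic type, parm name) -> list of values in document order.

    Nested characteristics are walked too; each parm is attributed to its nearest
    enclosing characteristic.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "wap-provisioningdoc":
        raise ValueError(f"not a StageNow export: root element is <{root.tag}>")
    seen = defaultdict(list)
    for ch in root.iter("characteristic"):
        for parm in ch.findall("parm"):
            seen[(ch.get("type"), parm.get("name"))].append(parm.get("value"))
    return dict(seen)


def repeated_within_profile(xml_text):
    """Properties set more than once inside one profile; the last value wins on the device."""
    return {k: v for k, v in settings_in_profile(xml_text).items() if len(v) > 1}


def conflicts_across_profiles(profiles):
    """profiles: {profile name: xml}. Return {(type, parm): {profile: effective value}}
    for every property that two or more profiles set. Assigning such profiles to the
    same group produces conflicts on the device, so resolve them before uploading."""
    owners = defaultdict(dict)
    for name, xml_text in profiles.items():
        for key, values in settings_in_profile(xml_text).items():
            owners[key][name] = values[-1]
    return {k: v for k, v in owners.items() if len(v) > 1}


def merge_profiles(profiles):
    """Combine several exports into one wap-provisioningdoc in the order given.
    Because the last setting wins, later profiles override earlier ones; use this only
    after conflicts_across_profiles() shows that those overrides are intended."""
    merged = ET.Element("wap-provisioningdoc")
    for xml_text in profiles.values():
        for ch in ET.fromstring(xml_text).findall("characteristic"):
            merged.append(ch)
    return ET.tostring(merged, encoding="unicode")


if __name__ == "__main__":
    profiles = {"baseline": BASELINE_XML, "store-42": STORE_XML}
    print("repeated in baseline:", repeated_within_profile(BASELINE_XML))
    print("conflicts:", conflicts_across_profiles(profiles))
    print(merge_profiles(profiles))
```

Keep the exported XML files alongside the merged result: once uploaded, Intune only shows asterisks for the profile text, so these files are your record of what each profile configures.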

Step 5: Create a profile in Intune


In Intune, create a device configuration profile:

1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Android device administrator.
Profile: Select MX profile (Zebra only).

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the new profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings > Choose a valid Zebra MX XML file, add the XML
profile file you exported from StageNow (in this article).

When done, select Next.

Tip

For security reasons, you won't see the profile XML text after you save it. The
text is encrypted, and you only see asterisks (****). For your reference, it's
recommended to save copies of the MX profiles before you add them to
Intune.

8. In Scope tags (optional) > Select scope tags, choose your scope tags to assign to
the profile. For more information, see Use RBAC and scope tags for distributed IT.

Select Next.
9. In Assignments, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

10. In Review + create, when you're done, choose Create. The profile is created, and
shown in the list.

You can also monitor its status.

The next time the device checks for configuration updates, the MX profile is deployed to
the device. Devices sync with Intune when devices enroll, and then approximately every
8 hours. You can also force a sync in Intune. Or, on the device, open the Company Portal
app > Settings > Sync.

Update a Zebra MX configuration after it's assigned

To update the MX-specific configuration of a Zebra device, you can:

Create an updated StageNow XML file, edit the existing Intune MX profile, and
upload the new StageNow XML file. This new file overwrites the previous policy in
the profile, and replaces the previous configuration.
Create a new StageNow XML file that configures different settings, create a new
Intune MX profile, upload the new StageNow XML file, and assign it to the same
group. Multiple profiles are deployed. If the new profile configures settings that
already exist in existing profiles, conflicts will occur.

Next steps
Assign the profile and monitor its status.
Use StageNow logs to troubleshoot Zebra devices.
Troubleshoot and see potential issues on Android Zebra devices in Microsoft Intune
Article • 05/17/2023

In Microsoft Intune, you can use Zebra Mobility Extensions (MX) to manage Android
Zebra devices. When using Zebra devices, you create profiles in StageNow to manage
settings, and upload them to Intune. Intune uses the StageNow app to apply the
settings on the devices. The StageNow app also creates a detailed log file on the device
that's used to troubleshoot.

This feature applies to:

Android device administrator

For example, you create a profile in StageNow to configure a device. When you create
the StageNow profile, the last step generates a file for you to test the profile. You
consume this file with the StageNow app on the device.

In another example, you create a profile in StageNow, and test it. In Intune, you add the
StageNow profile, and then assign it to your Zebra devices. When you check the status
of the assigned profile, the profile shows a high-level status.

In both these cases, you can get more details from the StageNow log file, which is saved
on the device every time a StageNow profile applies.

Some issues aren't related to the contents of the StageNow profile, and aren't reflected
in the logs.

This article shows you how to read the StageNow logs. It also lists some potential issues
with Zebra devices that may not be reflected in the logs.

Use and manage Zebra devices with Zebra Mobility Extensions has more information on
this feature.

Get the logs

Use the StageNow app on the device


You don't have to use Intune to deploy the profile. Instead, you can test a profile directly
using StageNow on your computer. The StageNow app on the device saves the logs
from the test. To get the log file, use the More (...) option in the StageNow app on the
device.

Get logs using Android Debug Bridge


To get logs after the profile is deployed with Intune, connect the device to a computer
with Android Debug Bridge (adb) (opens Android's web site).

On the device, logs are saved in
/sdcard/Android/data/com.microsoft.windowsintune.companyportal/files.

Get logs from email


To get logs after the profile is deployed with Intune, end users can email you the logs
using an email app on the device. On the Zebra device, open the Company Portal app,
and send the logs. Using the send logs feature also creates a PowerLift incident ID,
which you can reference if contacting Microsoft support.

Read the logs


When you look at the logs, there's an error whenever you see the <characteristic-error>
tag. Error details are written to the desc property of the <parm-error> tag.

Error types
Zebra devices include different error reporting levels:

The CSP isn't supported on the device. For example, the device isn't a cellular device
and doesn't have a cellular manager.
The MX or OSX (Zebra's OS extension layer) version is mismatched. Each CSP is
versioned, and the log shows the version the device actually used. For a full support
matrix, go to Zebra's documentation (opens Zebra's web site).
The device reports another issue or error.

Examples
For example, you have the following input profile:

XML

<wap-provisioningdoc>
  <characteristic type="Clock">
    <parm name="AutoTime" value="false"/>
    <parm name="TimeZone" value="GMT-5"/>
    <parm name="Date" value="2014-12-03"/>
    <parm name="Time" value="11:11:11"/>
  </characteristic>
</wap-provisioningdoc>

In the log, the XML is identical to the input. This matching output means the profile
successfully applied to the device with no errors:

XML

<wap-provisioningdoc>
  <characteristic type="Clock" version="6.0">
    <parm name="AutoTime" value="false"/>
    <parm name="TimeZone" value="GMT-5"/>
    <parm name="Date" value="2014-12-03"/>
    <parm name="Time" value="11:11:11"/>
  </characteristic>
</wap-provisioningdoc>

In another example, you have the following input:

XML

<wap-provisioningdoc>
  <characteristic type="XmlMgr" version="4.2" >
    <parm name="ProcessingMode" value="1"/>
  </characteristic>
  <characteristic type="AppMgr" version="4.2" >
    <parm name="Action" value="Install"/>
    <parm name="APK" value="/sdcard/test.apk"/>
  </characteristic>
</wap-provisioningdoc>

The log shows an error, as it contains a <characteristic-error> tag. In this scenario, the
profile tried to install an Android package (APK) that doesn't exist in the given path:

XML

<wap-provisioningdoc>
  <characteristic type="XmlMgr" version="4.2">
    <parm name="ProcessingMode" value="1"/>
  </characteristic>
  <characteristic-error type="AppMgr" version="5.1" desc="missing">
    <parm-error name="Action" value="Install" desc="apk doesnot exist in the path"/>
    <parm name="APK" value="/sdcard/test.apk"/>
  </characteristic-error>
</wap-provisioningdoc>
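Reading these logs by eye works for one device; for a fleet you want the errors pulled out mechanically. The following Python script is an added example, not part of this article or of Zebra's tooling: it extracts every <characteristic-error> from a StageNow log together with the <parm-error> entries and their desc text, and compares the CSP versions the input profile asked for with the versions the device reported back, since the log echoes the version the device actually has. The two documents in the script are copies of the input and log shown above; the adb pull command in the comment uses the log path given earlier in this article.

```python
import xml.etree.ElementTree as ET

# On the device the log is written under
#   /sdcard/Android/data/com.microsoft.windowsintune.companyportal/files
# and can be copied to a workstation with:
#   adb pull /sdcard/Android/data/com.microsoft.windowsintune.companyportal/files ./stagenow-logs
# INPUT_XML and LOG_XML below are copies of the second example in this article.
INPUT_XML = """<wap-provisioningdoc>
  <characteristic type="XmlMgr" version="4.2">
    <parm name="ProcessingMode" value="1"/>
  </characteristic>
  <characteristic type="AppMgr" version="4.2">
    <parm name="Action" value="Install"/>
    <parm name="APK" value="/sdcard/test.apk"/>
  </characteristic>
</wap-provisioningdoc>"""

LOG_XML = """<wap-provisioningdoc>
  <characteristic type="XmlMgr" version="4.2">
    <parm name="ProcessingMode" value="1"/>
  </characteristic>
  <characteristic-error type="AppMgr" version="5.1" desc="missing">
    <parm-error name="Action" value="Install" desc="apk doesnot exist in the path"/>
    <parm name="APK" value="/sdcard/test.apk"/>
  </characteristic-error>
</wap-provisioningdoc>"""


def stagenow_errors(log_xml):
    """One entry per <characteristic-error>: the CSP type, the version the device
    reported, its desc, and every <parm-error> underneath with its own desc."""
    root = ET.fromstring(log_xml)
    errors = []
    for ch in root.iter("characteristic-error"):
        errors.append({
            "type": ch.get("type"),
            "version": ch.get("version"),
            "desc": ch.get("desc"),
            "parms": [
                {"name": p.get("name"), "value": p.get("value"), "desc": p.get("desc")}
                for p in ch.findall("parm-error")
            ],
        })
    return errors


def version_mismatches(input_xml, log_xml):
    """CSPs whose requested version differs from the one the device reported.

    Returns {type: (requested, reported)}. CSPs with no version in the input are
    skipped, since the device simply fills in its own version for those."""
    requested = {
        ch.get("type"): ch.get("version")
        for ch in ET.fromstring(input_xml).iter("characteristic")
        if ch.get("version")
    }
    reported = {
        ch.get("type"): ch.get("version")
        for ch in ET.fromstring(log_xml).iter()
        if ch.tag in ("characteristic", "characteristic-error")
    }
    return {t: (v, reported.get(t)) for t, v in requested.items() if reported.get(t) != v}


def applied_cleanly(log_xml):
    """True when the log contains no <characteristic-error>, i.e. it matches the input."""
    return not stagenow_errors(log_xml)


def summarize(input_xml, log_xml):
    """Human-readable lines for a ticket or a fleet report."""
    lines = []
    for err in stagenow_errors(log_xml):
        lines.append(f"{err['type']} v{err['version']}: {err['desc']}")
        for p in err["parms"]:
            lines.append(f"  parm {p['name']}={p['value']!r}: {p['desc']}")
    for t, (want, got) in version_mismatches(input_xml, log_xml).items():
        lines.append(f"{t}: profile built for version {want}, device reports {got}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(INPUT_XML, LOG_XML)))
```

A version difference on its own isn't an error: in the example above the AppMgr failure is the missing APK, while the 4.2 versus 5.1 difference only tells you which CSP version to check against Zebra's feature matrix.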

Other potential issues with Zebra devices


This section lists other possible issues you may see when using Zebra devices with
Device Administrator. These issues aren't reported in the StageNow logs.

Android System WebView is out of date

When older devices sign in using the Company Portal app, users may see a message
that the System WebView component is out of date and needs to be upgraded:

If the device has Google Play installed, then connect the device to the internet, and
check for updates.
If the device doesn't have Google Play installed, then get the updated version of
the component, and apply it to the devices. Or, update to the latest device OS
issued by Zebra.

Management actions take a long time


If Google Play services aren't available, then some tasks take up to 8 hours to finish.
Limitations of Intune Company Portal app for Android (opens another Microsoft web
site) may be a good resource.

"Device spoofing suspected" shows in Intune


This error means that Intune suspects a non-Zebra Android device is reporting its model
and manufacturer as a Zebra device.

Company Portal app is older than minimum required version

Intune may update the minimum required version of the Company Portal app. If Google
Play isn't installed on the device, then the Company Portal app doesn't get automatically
updated. If the minimum required version is newer than the installed version, then the
Company Portal app stops working. Update to the latest Company Portal app using
sideloading on Zebra devices.
Next steps
Zebra discussion boards (opens Zebra's web site)

Use and manage Zebra devices with Zebra Mobility Extensions in Intune
Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune
Article • 06/05/2023

In Microsoft Intune, you can use OEMConfig to add, create, and customize OEM-specific
settings for Android Enterprise devices. OEMConfig is typically used to configure
settings that aren't built in to Intune. Different original equipment manufacturers (OEM)
include different settings. The available settings depend on what the OEM includes in
their OEMConfig app.

This feature applies to:

Android Enterprise

To manage Zebra Technologies devices using Android device administrator, use Zebra
Mobility Extensions (MX).

This article describes OEMConfig, lists the prerequisites, shows how to create a
configuration profile, and lists the supported OEMConfig apps in Intune.

Overview
OEMConfig policies are a special type of device configuration policy similar to app
configuration policy. OEMConfig is a standard defined by Google that uses app
configuration in Android to send device settings to apps written by OEMs (original
equipment manufacturers). This standard allows OEMs and enterprise mobility
management service providers (EMMs) to build and support OEM-specific features in a
standardized way. Learn more about OEMConfig (opens Google's web site).

Historically, OEMs created features, and then EMMs, like Intune, manually built support
for these OEM-specific features. This approach leads to duplicated effort and slow
adoption.

With OEMConfig, an OEM creates a schema that defines OEM-specific management
features. The OEM embeds the schema into an app, and then puts this app on Google
Play. The EMM service reads the schema from the app, and exposes the schema in the
EMM admin console. The console allows Intune administrators to configure the settings
in the schema.

When the OEMConfig app installs on a device, it uses the settings configured in the
EMM admin console to manage the device. The OEMConfig app executes the device
settings, instead of an MDM agent built by the EMM.

When the OEM adds and improves management features, the OEM also updates the
app in Google Play. As an administrator, you get these new features and updates
(including fixes) without waiting for EMMs to include these updates.

Tip

You can only use OEMConfig with devices that support this feature and have a
corresponding OEMConfig app. Consult your OEM for specific details.

Before you begin


When using OEMConfig, be aware of the following information:

Intune exposes the OEMConfig app's schema so you can configure it. Intune
doesn't validate or change the schema provided by the app. So if the schema is
incorrect, or has inaccurate data, then this data is still sent to devices. If you find a
problem that originates in the schema, contact the OEM for guidance.

Intune doesn't influence or control the content of the app schema. For example,
Intune doesn't have any control over strings, language, the actions allowed, and so
on. We recommend contacting the OEM for more information on managing their
devices with OEMConfig.

At any time, OEMs can update their supported features and schemas, and upload a
new app to Google Play. Intune always syncs the latest version of the OEMConfig
app from Google Play. Intune doesn't maintain older versions of the schema or the
app. If you run into version conflicts, we recommend contacting the OEM for more
information.

On Zebra devices, you can create multiple profiles, and assign them to the same
device. For more information, go to OEMConfig on Zebra devices.

The OEMConfig model on non-Zebra devices only supports a single policy per
device. If multiple profiles are assigned to the same device, you may see
inconsistent behavior.

Prerequisites
To use OEMConfig on your devices, you need the following:

An Android Enterprise device enrolled in Intune.
An OEMConfig app built by the OEM, and uploaded to Google Play. If it's not on
Google Play, contact the OEM for more information.
The Intune administrator has role-based access control (RBAC) permissions for
Mobile apps, Device Configurations, and the "read" permission under Android for
Work. These permissions are required because OEMConfig profiles use managed
app configurations to manage device configurations.

Prepare the OEMConfig app


Be sure the device supports OEMConfig, the correct OEMConfig app is added to Intune,
and the app is installed on the device. Contact the OEM for this information.

Tip

OEMConfig apps are specific to the OEM. For example, a Sony OEMConfig app
installed on a Zebra Technologies device doesn't do anything.

1. Get the OEMConfig app from the Managed Google Play Store. Add Managed
Google Play apps to Android enterprise devices lists the steps.
2. Some OEMs may ship devices with the OEMConfig app preinstalled. If the app isn't
preinstalled, use Intune to add and deploy the app to devices.

Create an OEMConfig profile


1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Android Enterprise.
Profile: Select OEMConfig.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the new profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.
OEMConfig app: Choose Select an OEMConfig app.

6. In Associated app, select an existing OEMConfig app you previously added >
Select. Be sure to choose the correct OEMConfig app for the devices you're
assigning the policy to.

If you don't see any apps listed, then set up Managed Google Play, and get apps
from the Managed Google Play store. Add Managed Google Play apps to Android
Enterprise devices lists the steps.

Important

If you added an OEMConfig app and synced it to Google Play, but it's not
listed as an Associated app, you may have to contact Intune to onboard the
app. See adding a new app (in this article).

7. Select Next.

8. In Configure settings, select the Configuration designer or JSON editor:

Tip

Read the OEM documentation to make sure you're configuring the properties
correctly. These app properties are included by the OEM, not Intune. Intune
does minimal validation of the properties, or what you enter. For example, if
you enter abcd for a port number, the profile saves as-is, and is deployed to
your devices with the values you configure. Be sure you enter the correct
information.

Configuration designer: When you select this option, the properties available
within the app schema are shown for you to configure.

Context menus in the configuration designer indicate that more options
are available. For example, the context menu might let you add, delete,
and reorder settings. The OEM makes these options available. Be sure to
read the OEM app documentation to learn how these options should be
used to create profiles.

Many settings have default values supplied by the OEM. To see if there's a
default value, hover over the info icon next to the setting. A tooltip shows
the default values for that setting (if applicable), and more details provided
by the OEM.

Clicking Clear deletes a setting from the profile. If a setting isn't in the
profile, its value on the device doesn't change when the profile is applied.

Use the Locate button to look for settings. In the side panel, type in a
keyword to see all the relevant settings and their descriptions. Select any
setting to automatically add the setting to the configuration designer tree,
if it's not there already. It also automatically opens the tree so you can see
the setting.

If you create an empty (unconfigured) bundle in the configuration
designer, it's deleted when switching to the JSON editor.

JSON editor: When you select this option, a JSON editor opens with a
template for the full configuration schema embedded in the app. In the
editor, customize the template with values for the different settings. If you
use the Configuration designer to change your values, the JSON editor
overwrites the template with values from the configuration designer.

If you're updating an existing profile, the JSON editor shows the settings
that were last saved with the profile.

OEMConfig schemas can be large and complex. If you prefer to update
these settings using a different editor, select the Download JSON
template button. Use an editor of your choice to add your configuration
values to the template. Then, copy and paste your updated JSON in to the
JSON editor property.

You can use the JSON editor to create a backup of your configuration.
After you configure your settings, use this feature to get the JSON settings
with your values. Copy and paste the JSON to a file, and save it. Now you
have a backup file.

Any changes made in the configuration designer are also made automatically in
the JSON editor. Likewise, any changes made in the JSON editor are automatically
made in the configuration designer. If your input contains invalid values, you can't
switch between the configuration designer and JSON editor until you fix the issues.

9. Select Next.

10. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.

Select Next.

11. In Assignments, select the users or groups that will receive your profile. Assign one
profile to each device: the OEMConfig model only supports one policy per device, except
on Zebra devices using the legacy Zebra OEMConfig app (see Before you begin). An
OEMConfig profile that exceeds 350 KB isn't assigned, and shows a "pending" status.

For more information on assigning profiles, go to Assign user and device profiles.

Select Next.

12. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
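Because Intune saves whatever you enter as-is (the abcd port number from the tip in step 8 is deployed unchanged) and silently leaves a profile over 350 KB in "pending", it pays to check a JSON backup before pasting it into the editor. The following Python script is an added example, not Intune's or any OEM's code: it enforces the 350 KB limit and applies value rules you write yourself from the OEM documentation, keyed by dotted path into the JSON. The sample JSON and its property names (network.enableSsh, network.sshPort, branding.wallpaper) are constructed for the example; the layout of the real template differs per OEMConfig app, so the rules and paths are an assumption you replace with your own.

```python
import json

# Intune does not assign a profile larger than this; it stays in "pending".
MAX_PROFILE_BYTES = 350 * 1024

# Constructed JSON in the shape of a saved configuration. The property names are
# invented for this example; real names and layout come from the OEM's schema.
SAMPLE_JSON = """{
  "network": {"enableSsh": true, "sshPort": "abcd"},
  "branding": {"wallpaper": "corp.png"}
}"""


def is_bool(v):
    return isinstance(v, bool)


def is_port(v):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(v, int) and not isinstance(v, bool) and 1 <= v <= 65535


def is_nonempty_str(v):
    return isinstance(v, str) and bool(v.strip())


# Assumption: rules are written from the OEM documentation, one per dotted path.
RULES = {
    "network.enableSsh": is_bool,
    "network.sshPort": is_port,
    "branding.wallpaper": is_nonempty_str,
}


def flatten(obj, prefix=""):
    """{"a": {"b": [1, 2]}} -> {"a.b.0": 1, "a.b.1": 2}; scalars keep their path."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
        return out
    if isinstance(obj, list):
        out = {}
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}{i}."))
        return out
    return {prefix[:-1]: obj}


def check_oemconfig_json(text, rules):
    """Return a list of problems; an empty list means the JSON is ready to paste."""
    problems = []
    size = len(text.encode("utf-8"))
    if size > MAX_PROFILE_BYTES:
        problems.append(f"profile is {size} bytes, over the {MAX_PROFILE_BYTES}-byte limit")
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc}"]
    values = flatten(data)
    for path, rule in rules.items():
        if path not in values:
            problems.append(f"{path}: missing")
        elif not rule(values[path]):
            problems.append(f"{path}: value {values[path]!r} fails {rule.__name__}")
    return problems


if __name__ == "__main__":
    for problem in check_oemconfig_json(SAMPLE_JSON, RULES) or ["no problems found"]:
        print(problem)
```

The flatten step means the same rules work whether the OEM's template nests settings in bundles or keeps them flat; only the dotted paths change.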

The next time the device checks for configuration updates, the OEM-specific settings
you configured are applied to the OEMConfig app.

Reporting and deployment status


After your profile is deployed, you can check its status:

1. In the Microsoft Intune admin center , select Devices > Configuration profiles. A
list of all your profiles is shown.

2. Select your OEMConfig profile. You can get more information on your profile,
including successful and failed deployments:

Overview: Shows the profile assignment statuses. For more information on


what the statuses mean, go to Monitor device profiles in Microsoft Intune.
Properties: Shows the settings you configured when you created the profile.
You can change the profile name, or update any existing settings.
Device status: The devices assigned to the profile are listed, and it shows if
the profile successfully deployed. You can select a specific device to get more
details.
User status: Lists the user names with devices affected by this profile, and if
the profile successfully deployed. You can select a specific user to get more
details.

3. You can also see if individual settings in a profile successfully applied. To see the
per-setting status of an OEMConfig profile, select Devices > All devices, and
choose a device from the list. Then, go to App configuration, and select your
OEMConfig profile. Select an individual setting status to get more information.

Note

For Zebra devices, only a single setting row is shown. Selecting the row shows
details for all settings in the policy.

Supported OEMConfig apps


Compared to standard apps, OEMConfig apps expand the managed configurations
privileges granted by Google to support more complex schemas and functions. OEMs
must register their OEMConfig apps with Google . If you don't register, these features
may not work as expected. Intune currently supports the following OEMConfig apps:

OEM                        Bundle ID                              OEM Documentation (if available)
Archos                     com.archos.oemconfig
Ascom                      com.ascom.myco.oemconfig
Bartec                     com.bartec.oemconfig
Bluebird                   com.bluebird.android.oemconfig
Cipherlab                  com.cipherlab.oemconfig.common
Crosscall                  com.hmct.crosscalloemconfig
Datalogic                  com.datalogic.settings.oemconfig
Ecom - Ex-Handy 10         com.ecom.econfig
Ecom - Smart-Ex 02         com.ecom.econfig.smart
Elo                        com.elotouch.oemconfig                 Elo OEMConfig Configurations
Getac                      com.getac.app.getacoemconfig
Honeywell                  com.honeywell.oemconfig
Honeywell - Scanpal EDA    com.honeywell.oemconfig.scanpal
HMDGlobal - 7.2            com.hmdglobal.app.oemconfig.n7_2
HMDGlobal - 4.2            com.hmdglobal.app.oemconfig.n4_2
HMDGlobal - 5.3            com.hmdglobal.app.oemconfig.n5_3
HMDGlobal - OEMConfig      com.hmdglobal.app.oemconfig
imotion                    com.iwaylink.oemconfig
Janam                      com.janam.oemconfig
Kyocera                    jp.kyocera.enterprisedeviceconfig
Lenovo                     com.lenovo.oemconfig.rel
LG                         com.lge.android.oemconfig
Motorola Solutions         com.motorolasolutions.lexoemconfig
Motorola Mobility          com.motorola.oemconfig.rel             Moto OEMConfig Guide
Panasonic                  com.panasonic.mobile.oemconfig
Point Mobile               device.apps.emkitagent
Samsung                    com.samsung.android.knox.kpu           Knox Service Plugin Admin Guide
Seuic                      com.seuic.seuicoemconfig
Social Mobile              com.rhinomobility.oemconfig
Spectralink - Barcodes     com.spectralink.barcode.service
Spectralink - Buttons      com.spectralink.buttons
Spectralink - Device       com.spectralink.slnkdevicesettings
Spectralink - Logging      com.spectralink.slnklogger
Spectralink - VQO          com.spectralink.slnkvqo
Sunmi                      com.sunmi.oemconfig.V2S
Unitech Electronics        com.unitech.oemconfig
Zebra Technologies         com.zebra.oemconfig.release            Zebra OEMConfig overview. This Zebra
                                                                  OEMConfig Powered by MX app supports
                                                                  Android 11.0 and newer.
Zebra Technologies         com.zebra.oemconfig.common             Zebra OEMConfig overview. This Legacy
                                                                  Zebra OEMConfig app supports Android
                                                                  11.0 and earlier.

If you represent an OEM, and an OEMConfig application exists for your devices, but isn't
listed in the table, then email IntuneOEMConfig@microsoft.com for onboarding help.
OEMs must also register their OEMConfig apps with Google.

Note

OEMConfig apps must be onboarded by Google and Intune before they can be
configured with OEMConfig profiles. Once an app is supported, you don't need to
contact Microsoft about setting it up in your tenant. Just follow the instructions in
this article.

If you experience settings within an OEMConfig app behaving incorrectly, then
contact the developers of the OEMConfig app. Intune isn't responsible for technical
issues with the individual OEMConfig apps.

Next steps
Monitor the profile status.
Deploy OEMConfig profiles to Zebra devices in Microsoft Intune
Article • 08/28/2023

In Microsoft Intune, use OEMConfig to customize OEM-specific settings for Android
Enterprise devices. These settings are specific to the device manufacturer, and deployed
using configuration profiles in Intune.

Depending on the OEMConfig app you're using, on Zebra devices you can deploy or
assign multiple profiles to the same device. Existing OEMConfig profiles can use this
feature the next time the devices sync with Intune.

This feature applies to:

Zebra devices running Android Enterprise

To learn more about OEMConfig, including what it does, and how to use it, go to
OEMConfig configuration profile.

This article describes how to deploy multiple OEMConfig profiles to Zebra devices, how
profile ordering works, and how to use the reporting features in Microsoft Intune.

Prerequisites
Create an OEMConfig configuration profile.

OEMConfig apps for Zebra devices

To manage Zebra devices, there are two versions of the OEMConfig app:

OEMConfig app | Supported Android versions | Multiple profile support
Zebra OEMConfig Powered by MX (new app) | Android 13 and later; Android 11 | ❌ This new app aligns closely with Google’s standards and only allows one profile on the device. Be sure to deploy one profile with all the required configuration settings. If you try to deploy multiple profiles, then the profiles conflict and no settings are configured.
Legacy Zebra OEMConfig | Android 11 and earlier | ✔️ You can split your Zebra OEMConfig settings into smaller profiles. For example, create a baseline profile that affects all devices. Then, create more profiles that configure settings specific to a device.

Note

Zebra devices don’t support Android 12.

For more information on the new Zebra OEMConfig Powered by MX app, go
to New Zebra OEMConfig app for Android.

Multiple profiles using the Legacy Zebra OEMConfig app
Zebra's OEMConfig schema also uses Actions. Actions are operations that run on the
device. They don't configure any settings. Use these actions to trigger a file download,
clear the clipboard, and more. For a full list of the supported actions, go to Zebra's
documentation (opens Zebra's web site).

For example, you create a Zebra OEMConfig profile that applies some settings to the
device. Another Zebra OEMConfig profile includes an action that clears the clipboard.
You assign the first profile to a group of Zebra devices. Later, you need to clear the
clipboard on those devices. You assign the second profile to the same device group,
without changing the first profile. The device clipboard gets cleared without resending
or affecting the configuration settings created in the first profile.

In another example, you assigned an OEMConfig profile that configured some Zebra
device settings. Recently, users are reporting issues with a specific application, and you
want to clear the app's cache. Create a new OEMConfig profile that includes only the
"clear cache" action. Assign the profile to the devices that need it.

Multiple profiles take longer to deploy than a single profile. If the speed of delivery of
policy to the device is important, you should group settings into the smallest number of
profiles possible.

Ordering
With multiple profiles on each device, the order that profiles are deployed isn't
guaranteed. This behavior is a Google Play limitation. To run operations in sequence,
you can use Zebra's Transaction Step feature (opens Zebra's web site).

To summarize, if order matters, use Zebra's Transaction Step feature (opens Zebra's
web site). If order doesn't matter, use multiple Intune profiles.

Let's look at some examples:

You want to turn on Bluetooth for all newly enrolled Zebra devices before
configuring any other setting on these devices. To run operations in sequence, use
the Steps feature in Zebra's schema.

Create one Intune profile that has two Transaction Steps. The first step includes
Bluetooth settings, and the second step configures the other setting. When Zebra's
OEMConfig app receives the profile, it runs the steps in order.

For more information, go to Zebra's transaction steps (opens Zebra's web site).

You want all Zebra devices to display time in 24-hour format. For some of these
devices, you want to turn off the camera. The time and camera settings don't
depend on each other.

Create two Intune profiles:

Profile 1: Displays the time in 24-hour format. On Monday, this profile is
assigned to the All Zebra AE devices group.
Profile 2: Turns off the camera. On Tuesday, this profile is assigned to the Zebra
AE factory devices group.

On Wednesday, you enroll 10 new Zebra devices with Intune. Profile 1 and Profile 2
are assigned. After the new devices sync with Intune, they receive the profiles. The
devices may get Profile 2 before getting Profile 1.

Enhanced reporting
You deploy a profile, and it's executed by the Zebra OEMConfig app on the device. The
Zebra OEMConfig app reports the profile status to Intune. In the Intune admin center,
you can see the status of deployed OEMConfig profiles, and any errors or warnings.

1. Sign in to the Microsoft Intune admin center.

2. Select your Zebra OEMConfig profile > Monitor > Device status. This option
shows the devices that have your OEMConfig profile assigned.
3. Select a device > Device configuration > Select your Zebra OEMConfig profile.
This option shows the profile settings that succeeded or failed.

Select a failed row. Details are shown that have more information on why it failed.

Next steps
Learn more about OEMConfig configuration profiles.
On Android device administrator, configure Mobility Extensions (MX).
Monitor the profile status.
Windows and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune
Article • 08/30/2023

On Windows devices, use Intune to run devices as a kiosk, sometimes known as a
dedicated device. A device in kiosk mode can run one app, or run many apps. You can
show and customize a start menu, add different apps, including Win32 apps, add a
specific home page to a web browser, and more.

This scenario is common for frontline workers (FLW). For more information on FLW
devices in Microsoft Intune, go to FLW device management for devices in Microsoft
Intune.

This feature applies to:

Windows 11
Windows 10
Windows Holographic for Business

To create kiosk profiles for other platforms, go to Android device administrator, Android
Enterprise, and iOS/iPadOS.

Intune supports one kiosk profile per device. If you need multiple kiosk profiles on a
single device, you can use a Custom OMA-URI.

Intune uses "configuration profiles" to create and customize these settings for your
organization's needs. After you add these features in a profile, push or deploy these
settings to groups in your organization.

This article shows you how to run one app or many apps as a Windows kiosk device
using a device configuration profile. For a list of all the settings, and what they do, go to
Windows client kiosk settings and Windows Holographic for Business kiosk settings.

Create the profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.
Profile: Select Templates > Kiosk.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the new profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings > Select a kiosk mode, choose the type of kiosk mode
supported by the policy. Options include:

Not Configured (default): Intune doesn't change or update this setting. The
policy doesn't enable kiosk mode.

Single app, full-screen kiosk: The device runs as a single user account, and
locks it to a single web browser or app. So when the user signs in, a specific
app starts. This mode also restricts users from opening new apps, or
changing the running app.

For example, you can run the Microsoft Edge browser, and only show one
site, such as Contoso.com . Or, you can run a Store app, and have the device
locked on this app.

Multi app kiosk: The device runs multiple Store apps, Win32 apps, web
browsers, or inbox Windows apps by using the Application User Model ID
(AUMID). Only the apps you add are available on the device.

The benefit of a multi-app kiosk, or fixed-purpose device, is an
easy-to-understand experience for users: they can access only the apps they need,
and the apps they don't need are removed from their view.

Note

Currently, you can use Intune to configure a multi-app kiosk on
Windows 10 devices. For more information about Windows 11 multi-app
kiosk support, go to Set up a multi-app kiosk on Windows 11 devices.

For a list of all settings, and what they do, go to:

Windows client kiosk settings
Windows Holographic for Business kiosk settings

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or user group that will receive your profile. For
more information on assigning profiles, go to Assign user and device profiles.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time each device checks in, the policy is applied.

Next steps
After the profile is assigned, monitor its status.

You can create kiosk profiles for devices that run the following platforms:

Android device administrator
Android Enterprise
Windows 10/11
Windows Holographic for Business
Control access, accounts, and power features on shared PC or multi-user Windows devices using Intune
Article • 06/07/2023

Devices that have multiple users are called shared devices, and are a common part of
mobile device management (MDM) solutions. Using Microsoft Intune, you can
customize shared devices running the following platforms:

Windows 10/11 Professional
Windows 10/11 Enterprise
Windows Holographic for Business, such as the HoloLens

Tip

For iOS/iPadOS shared devices, go to shared device solutions for iOS/iPadOS.

For example, schools have devices that are typically used by many students. With this
setting, the school Intune administrator can turn on the Shared PC feature to allow one
user at a time. Students can't switch between different signed-in accounts on the device.
When the student signs out, you can also choose to remove all user-specific settings.

End users can sign in to these shared devices with a guest account. After users sign in,
the credentials are cached. As they use the device, end users only get access to features
you allow. For example, you choose when the device goes into sleep mode, whether users can
see and save files locally, whether power management settings are enabled or disabled, and more. You
also control whether the guest account is deleted when the user signs off, and whether inactive
accounts are deleted when a threshold is reached.

This article shows you how to create a configuration profile, and includes links to the
available settings with their descriptions.

When the profile is created in Intune, you deploy or assign the profile to device groups
in your organization. You can also assign this profile to device groups with mixed device
types and operating system (OS) versions.

Create the profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.
Profile: Select Templates > Shared multi-user device.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the new profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Choose your platform for detailed settings:

Windows 10/11
Windows Holographic for Business

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the devices group that will receive your profile. For more
information on assigning profiles, go to Assign user and device profiles.

Select Next.

Note

Be sure to assign the profile to device groups in your organization.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time each device checks in, the policy is applied.

Next steps
See all the settings for Windows 10/11 and Windows Holographic for Business.
After the profile is assigned, monitor its status.

Use a network boundary to add trusted sites on Windows devices in Microsoft Intune
Article • 05/16/2023

When using Microsoft Defender Application Guard and Microsoft Edge, you can protect
your environment from sites that aren't trusted by your organization. This feature is
called a network boundary. It allows you to add network domains, IPv4 and IPv6 ranges,
proxy servers, and more to your network boundary. Items in this boundary are trusted.

In Intune, you can create a network boundary profile, and deploy this policy to your
devices.

For more information on using Microsoft Defender Application Guard in Intune, go to
Windows client settings to protect devices using Intune.

This feature applies to:

Windows 11 devices enrolled in Intune
Windows 10 devices enrolled in Intune

This article shows you how to create the profile, and add trusted sites.

Before you begin

This feature uses the NetworkIsolation CSP.

Create the profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.
Profile: Select Templates > Network boundary.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your policies so you
can easily identify them later. For example, a good profile name is Windows
devices: Network boundary profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, configure the following settings:

Boundary type: This setting creates an isolated network boundary. Sites in
this boundary are considered trusted by Microsoft Defender Application
Guard. Your options:
IPv4 range: Enter a comma-separated list of IPv4 ranges of devices in your
network. Data from these devices is considered part of your organization,
and is protected. These locations are considered a safe destination for
organization data to be shared to.
IPv6 range: Enter a comma-separated list of IPv6 ranges of devices in your
network. Data from these devices is considered part of your organization,
and is protected. These locations are considered a safe destination for
organization data to be shared to.
Cloud resources: Enter a pipe-separated list of organization resource
domains hosted in the cloud that you want protected.
Network domains: Enter a comma-separated list of domains that create
the boundaries. Data from any of these domains that is sent to a device is
considered organization data, and is protected. These locations are
considered a safe destination for organization data to be shared to. For
example, enter contoso.sharepoint.com, contoso.com.
Proxy servers: Enter a comma-separated list of proxy servers. Any proxy
server in this list is at the internet level, and not internal to the
organization. For example, enter 157.54.14.28, 157.54.11.118,
10.202.14.167, 157.53.14.163, 157.69.210.59.
Internal proxy servers: Enter a comma-separated list of internal proxy
servers. These proxies are used together with Cloud resources: they force
traffic to the matched cloud resources through these proxies. For example, enter 157.54.14.28,
157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59.
Neutral resources: Enter a list of domain names that can be used for work
resources or personal resources.

Value: Enter your list.

Auto detection of other enterprise proxy servers: Disable prevents devices
from automatically detecting proxy servers that aren't in the list. The devices
accept the configured list of proxies. When set to Not configured (default),
Intune doesn't change or update this setting.

Auto detection of other enterprise IP ranges: Disable prevents devices from
automatically detecting IP ranges that aren't in the list. The devices accept
the configured list of IP ranges. When set to Not configured (default), Intune
doesn't change or update this setting.

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or user group that will receive your profile. For
more information on assigning profiles, go to Assign user and device profiles.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time each device checks in, the policy is applied.
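As an added example, not Microsoft's code or part of this article, the following Python script checks the boundary lists in the formats the settings above describe (comma-separated ranges and domains, a pipe-separated cloud resources list) and shows which destinations a given boundary treats as trusted, so a mistyped range or a stray URL is caught before the profile is assigned. The "start-end" range syntax, the rule that subdomains of a network domain count as trusted, and the sample values are this example's assumptions, not statements from the article.

```python
"""Validate a Windows network boundary and show which destinations it trusts.

Added example, not Microsoft's code. It models the Intune network boundary
lists described above (comma-separated IP ranges, domains and proxies; a
pipe-separated cloud resources list). The "start-end" range syntax and the
rule that subdomains of a network domain count as trusted are this example's
assumptions about the NetworkIsolation CSP, not statements from the article.
"""
import ipaddress
import re
from dataclasses import dataclass

# Plain DNS name syntax: no scheme, no path, no leading or trailing hyphens.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


@dataclass
class NetworkBoundary:
    """The lists as they would be typed into the Intune profile."""
    ipv4_ranges: str = ""
    ipv6_ranges: str = ""
    cloud_resources: str = ""  # pipe-separated, unlike the other lists
    network_domains: str = ""
    proxy_servers: str = ""
    internal_proxy_servers: str = ""
    neutral_resources: str = ""


def _split(value, sep=","):
    return [item.strip() for item in value.split(sep) if item.strip()]


def parse_ranges(value, version):
    """Parse 'start-end' entries into (start, end) address pairs.
    Raises ValueError for a malformed entry, the wrong IP version, or start > end."""
    ranges = []
    for entry in _split(value):
        if "-" not in entry:
            raise ValueError(f"range must be start-end: {entry!r}")
        start_s, end_s = entry.split("-", 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start.version != version or end.version != version:
            raise ValueError(f"not an IPv{version} range: {entry!r}")
        if start > end:
            raise ValueError(f"range start is after its end: {entry!r}")
        ranges.append((start, end))
    return ranges


def validate(boundary):
    """Return a list of problems; an empty list means the lists are well formed."""
    problems = []
    for name, version in (("ipv4_ranges", 4), ("ipv6_ranges", 6)):
        try:
            parse_ranges(getattr(boundary, name), version)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    for name, sep in (("cloud_resources", "|"), ("network_domains", ","),
                      ("neutral_resources", ",")):
        for host in _split(getattr(boundary, name), sep):
            if "://" in host or "/" in host:
                problems.append(f"{name}: enter a host name, not a URL: {host!r}")
            elif not HOSTNAME_RE.match(host):
                problems.append(f"{name}: invalid domain: {host!r}")
    # Internal proxies only act on cloud resources, so one without the other is a mistake.
    if boundary.internal_proxy_servers and not boundary.cloud_resources:
        problems.append("internal_proxy_servers: no cloud_resources, so these proxies do nothing")
    # A domain listed as both a network domain and a neutral resource is ambiguous.
    trusted = {d.lower() for d in _split(boundary.network_domains)}
    for host in _split(boundary.neutral_resources):
        if host.lower() in trusted:
            problems.append(f"neutral_resources: {host!r} is also a network domain")
    return problems


def is_trusted(boundary, destination):
    """True if an IP address or host name falls inside the boundary."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        host = destination.lower().rstrip(".")
        for domain in _split(boundary.network_domains):
            domain = domain.lower()
            if host == domain or host.endswith("." + domain):
                return True
        return False
    field = boundary.ipv4_ranges if addr.version == 4 else boundary.ipv6_ranges
    return any(start <= addr <= end for start, end in parse_ranges(field, addr.version))


# Constructed sample boundary, using the article's example values where it gives them.
EXAMPLE = NetworkBoundary(
    ipv4_ranges="10.0.0.0-10.255.255.255, 192.168.1.1-192.168.1.254",
    ipv6_ranges="fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
    cloud_resources="contoso.sharepoint.com",
    network_domains="contoso.sharepoint.com, contoso.com",
    proxy_servers="157.54.14.28, 157.54.11.118",
    internal_proxy_servers="10.202.14.167",
    neutral_resources="login.microsoftonline.com",
)
```

Run `validate(EXAMPLE)` before assigning a profile; an empty list means the lists parse, and `is_trusted(EXAMPLE, "mail.contoso.com")` shows how a destination would be classified.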

Next steps
After the profile is assigned, be sure to monitor its status.

Microsoft Defender Application Guard overview

Use Windows Health Monitoring profile on Windows devices in Microsoft Intune
Article • 08/17/2023

Microsoft can collect event data, and provide recommendations to improve
performance on your Windows devices. Endpoint Analytics analyzes this data, and can
recommend software, help improve startup performance, and fix common support
issues.

In Intune, you can create a Windows Health Monitoring device configuration profile to
enable this data collection, and then deploy this profile to your devices.

Use this profile as part of your mobile device management (MDM) solution to optimize
your Windows devices.

This feature applies to:

Windows 11 devices enrolled in Intune
Windows 10 version 1903 and newer devices enrolled in Intune

This article shows you how to create the profile, and enable the monitoring.

Create the profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Choose Windows 10 and later.
Profile: Select Templates > Windows health monitoring.

Note

If you don't see Windows health monitoring in the list, then:

a. Go to Reports > Endpoint Analytics > Settings.
b. Select Intune data collection policy.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your policies so you
can easily identify them later. For example, a good profile name is Windows
devices: Windows Health Monitoring profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, configure the following settings:

Health monitoring: This setting turns on health monitoring to track Windows
updates and events. Your options:
Not configured: Intune doesn't change or update this setting.
Enable: Event information is collected from the devices, and sent to
Microsoft for analytics and insights.
Disable: Event information isn't collected from the devices.

DeviceHealthMonitoring/AllowDeviceHealthMonitoring CSP

Scope: Choose the event information you want collected and evaluated. Your
options:
Windows updates: This option configures devices to send Windows
Update data to Intune. This data is then used in a compliance policy that
reports on Windows updates.
Endpoint analytics

DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope CSP

8. Select Next.

9. In Assignments, select the devices or device groups that will receive your profile.
For more information on assigning profiles, go to Assign user and device profiles.

Select Next.

10. In Applicability Rules, use the Rule, Property, and Value options to define how this
profile applies within assigned groups. Intune applies the profile to devices that
meet the rules you enter. For more information about applicability rules, go to
Applicability rules.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time each device checks in, the policy is applied.

Related content
After the profile is assigned, be sure to monitor its status.
What is Endpoint analytics
Use the Take a Test app on Windows 10 devices in Microsoft Intune
Article • 02/22/2023

Education profiles in Intune are designed for students to take a test or exam on devices.
This feature includes the Take a Test app and settings to add a test URL, choose how
end-users sign in to the test, and more. This feature supports the following platform:

Windows 10 and newer

When the user signs in, the Take a Test app automatically opens with the test you
entered. No other apps can run on the device while the test is in progress. Take tests in
Windows 10 provides more details on the Take a Test app.

This article lists the steps to create a device configuration profile in Microsoft Intune. It
also includes information to read and learn about the available education settings for
your Windows 10 devices.

Create a device profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Windows 10 and later.
Profile: Select Templates > Secure assessment (Education).

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the new profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings, enter the settings you want to configure:

Windows 10 and newer

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, see Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or user group that will receive your profile. For
more information on assigning profiles, see Assign user and device profiles.

Select Next.

11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time each device checks in, the policy is applied.

Next steps
See a list of the Windows 10 education settings and their descriptions.

After the profile is assigned, monitor its status.


Configure eSIM download server using Microsoft Intune
Article • 05/17/2023

The identity of a cellular-enabled device, such as a Windows Connected PC, has
traditionally been encapsulated in a device called a SIM (Subscriber Identity Module), and
packaged as a discrete SIM card. Management of SIM cards for a fleet of devices can be
costly and time-consuming. Therefore, Windows 10 and Windows 11 support eSIM
(embedded Subscriber Identity Module) technology as a digital alternative to discrete
SIM cards. Windows 11 provides more capabilities for the deployment and management
of eSIM content using Mobile Device Management (MDM) such as Microsoft Intune.

About eSIM technology
eSIM technology has created a worldwide ecosystem of cellular devices and mobile
operators based upon a common specification from the GSM Association (GSMA). The
adoption of eSIM technology has been growing due to its incorporation in popular
smart phones. Windows has supported eSIM for PCs since 2017.

eSIM decouples the secure execution environment of the plastic SIM card from the SIM
credentials it contains. The secure container is called an eUICC (embedded Universal
Integrated Circuit Card). In the same way that each physical SIM card has a unique
identity, each eUICC has a unique identity called eUICC Identifier (EID).
The credentials and associated other configuration that uniquely identify a cellular
subscription are contained in a digital (software) package called an eSIM Profile.
Multiple eSIM Profiles may be installed into an eUICC. One of the installed eSIM Profiles
is enabled (and the rest are disabled). The combination of the enabled eSIM Profile and
its eUICC container behaves exactly like a traditional SIM card.

At-Scale Configuration of eSIM PCs
eSIM digitizes the delivery of SIMs to devices such as PCs, eliminating the need to
obtain and deploy physical SIM cards. The Mobile Plans application in Windows further
reduces friction by providing a user-friendly interface for a user to interact with a chosen
mobile operator and coordinate the download and installation of the corresponding
eSIM profile.

The Mobile Plans application is well suited to the needs of consumers and businesses
with a few PCs. However, it requires user interaction on each device that is provisioned,
an effort and cost that may become significant at large scale. To support larger-scale
managed environments (such as an enterprise or an educational organization), Windows
provides eSIM provisioning through mobile device management (MDM) such as
Microsoft Intune.
When an enterprise provisions an eSIM through an MDM such as Microsoft Intune, it
also configures the eSIM deployment along with other enterprise settings and policies.
When the PC is enrolled in the MDM server through the end user's work or school account,
the server pushes the configuration to the PC throughout its lifecycle. After the PC is
configured with the eSIM information, it downloads the eSIM profile from the mobile
operator's download server (SM-DP+).

Within Windows, the eUICCs Configuration Service Provider (CSP) handles eSIM
configuration. In addition, the enterprise can also configure some eSIM policies through
the CSP and each PC obtains its eSIM profile from the CSP.

Prerequisites
In addition to a Windows 11 Connected PC (eSIM-capable PC) managed through
Microsoft Intune, you need the following:

A mobile operator who can provide eSIM profiles to a set of known devices based upon
their EIDs. This, in turn, requires a way for the enterprise (or school) to provide the
EIDs of its PCs to the operator as part of its contract with the mobile operator.

One option is for the enterprise to obtain the EIDs of their PCs from PC packaging
and send it to the operator directly.

Alternatively, for bulk device purchases, the EIDs of their PCs could come in a
manifest file created by the device OEM or a reseller/distributor and delivered to
the enterprise with the devices or directly to the mobile operator.

After the mobile operator knows the EIDs of the customer's PCs, the mobile operator
will set up eSIM profiles for each PC on its download server (SM-DP+). The enterprise
needs to know the fully qualified domain name (FQDN) of the download server
(SM-DP+). For example, smdp.example.com. However, it doesn't need individual activation
codes. When each PC contacts the download server (SM-DP+), the download server
(SM-DP+) authenticates the PC's EID and provides it with the eSIM profile that is specific
to that device.

Process flow
The overall process flow is as follows:

1. To set up a managed eSIM deployment, the enterprise customer must have a
contract with a mobile operator and obtain information from the operator about
its eSIM download server (SM-DP+). The enterprise then configures the policies
and settings to be applied to all of their eSIM-capable Connected PCs, including
the fully qualified domain name of the operator's SM-DP+.

Note

The MDM administrator creates the eSIM configuration profile pointing to the
download server (SM-DP+) provided by the mobile operator and assigns the
profile to the required group(s).

2. As described earlier, the enterprise or its supplier (PC manufacturer or distributor)
provides the EIDs of the Connected PCs to the operator. For each EID, the operator
creates an eSIM profile on its download server (SM-DP+) for that device.

After the initial configuration is complete, the following process unfolds for each PC:

3. The end user unboxes the PC, powers it on, and goes through the initial Windows
out of box experience. As part of this process, the end user connects the PC to a
Wi-Fi network, and signs into their work or school account.

4. After the user has authenticated to the enterprise's (or school's) Azure Active
Directory, the work or school account is set up on the device. As part of this
process, the PC is enrolled to MDM, which then provisions it as configured by the
enterprise (in step 1). This configuration includes the FQDN of the operator's
download server (SM-DP+).

5. After configuration is complete, the PC connects to the download server (SM-DP+)
according to the standard eSIM download protocol. As part of this process, the
download server (SM-DP+) receives and authenticates the EID of the PC. The
download server (SM-DP+) looks up the eSIM profile for that EID (created in step
2) and downloads that eSIM profile to the PC.

6. The PC installs and enables the eSIM profile. Windows recognizes the mobile
operator and configures the cellular settings such as access point name (APNs),
and the PC is now connected over cellular.

Note

The process flow described focuses on the initial device setup experience. However,
eSIM provisioning can also be done anytime throughout the lifecycle of the device
for managed devices.

Intune configuration of an eSIM download server
The Intune configuration of a mobile operator's eSIM download server is done via a
Configuration Profile assigned to a Group.

This feature applies to:

Windows 11

To deploy eSIM to your devices using Intune, the following are needed:

eSIM capable devices, such as the Surface Pro 9 with 5G: See if your device
supports eSIM.
Windows 11 (version 22H2 (Build 22621) or higher) that is enrolled and MDM
managed by Intune
eSIM Download Server (SM-DP+ or SM-DS) fully qualified domain name (FQDN)
provided by your mobile operator. Contact your mobile operator for details.

eSIM capable devices

If you're unsure whether your devices support eSIM, contact your device manufacturer.
On Windows devices, you can confirm eSIM support. For more information, see
Use an eSIM to get a cellular data connection on your Windows client device.

After your mobile operator confirms that you need to create eSIM profiles on the
download server (SM-DP+), go to Microsoft Intune and create a profile for the EIDs tied
to the eSIM-capable Windows devices that you want to enable with eSIM.

Create an Azure AD device group

Create a Device group that includes the eSIM capable devices. Add groups lists the
steps.

Note

We recommend creating a static Azure AD device group that includes your eSIM
devices. Using a group confirms you target only eSIM devices.

Create a profile
1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create Profile.

3. For the Platform field, select Windows 10 and later.

4. For the Profile type field, select Settings catalog.

5. Select Create and follow the wizard to complete the steps.

6. In the Basic tab, enter the Name and Description of the profile, and select Next.

7. In the Configuration Settings tab, select + Add settings and search for eSIM in the
Settings Picker. After you select eSIM, you can select the settings that you want to
make available on your policy.

In the Download Servers area:

1 - Auto Enable: Indicates whether the discovered profile must be
automatically enabled after installation. The default value of the dropdown
list is Enable. Select Auto Enable if the eSIM profile should be
automatically enabled (independently of any other eSIM profiles stored in the
eUICC).

2 - Server Name: The fully qualified domain name of the SM-DP+
server that is used for profile discovery. For example, smdp.example.com
(do not include https://).

3 - Display Local UI: Determines whether eSIM settings can be viewed and
changed in the Settings app on the eSIM capable devices that are being
provisioned. True if available, false otherwise. If Display Local UI is set to
Disabled, Auto Enable must be checked.

Enter the Server Name, select the desired settings, and then select Next.

8. In the Scope tags tab, add the required tags, and select Next.

9. In the Assignments tab, select the user or device group(s) to assign your profile
to. Your group(s) must exist before you create the profile; for more information,
go to Add groups to organize users and devices. For more information on assigning
the profile to a user or device group, go to Assign device profiles in Microsoft
Intune.

10. In the Review + create tab, review all the details and select Create.

Best practices & troubleshooting

Create an Azure AD device group that only includes the targeted eSIM devices.
(Note: if the policy is deployed to a non-eSIM-capable device, the Assignment
Status shows an Error.)

The current implementation only supports a single Server Name. Even if more
Server Names are added, only the first one is used.

If the Local UI isn't disabled as part of the configuration profile, the user can
change the active profile, stop using it, or remove any of the eSIM profiles
stored on the device.

As with other settings in Intune, a deployment status of successful means only that
the setting is now applied, not necessarily that the eSIM profile has also been
downloaded and activated.

There's currently no method to remove an eSIM profile using Intune. The profile
must be manually removed from the device.

Intune can't distinguish between an eSIM and a non-eSIM device.

Next steps
Configure device profiles

Configure eSIM cellular profiles using imported activation codes in Intune (public preview)
Article • 05/17/2023

eSIM is an embedded SIM chip that lets you connect to the Internet over a cellular data
connection on an eSIM-capable device, such as the Surface LTE Pro. With an eSIM,
you don't need to get a SIM card from your mobile operator. As a global traveler, you
can also switch between mobile operators and data plans to always stay connected.

For example, you have a cellular data plan for work, and another data plan with a
different mobile operator for personal use. When traveling, you can get Internet access
by finding mobile operators with data plans in that area.

This feature applies to:

Windows 11
Windows 10

In Intune, you can bulk activate eSIM codes using the following options:

Option 1 - Import activation codes (this article)

In Intune, you can import one-time-use activation codes provided by your mobile
operator. To configure cellular data plans on the eSIM module, deploy those
activation codes to your eSIM-capable devices. When Intune installs the activation
code, the eSIM hardware module uses the data in the activation code to contact
the mobile operator. Once complete, the eSIM profile is downloaded to the
device and configured for cellular activation.

Option 2 - Use an eSIM download server with the Settings Catalog

For more information on this option, go to Configure eSIM download server using
Microsoft Intune.

This article describes how to import the activation codes in bulk, and then deploy these
codes to your eSIM-capable devices. This feature is in public preview.

Note

You can also create a custom OMA-URI profile using the eUICCs CSP. Be sure to
deploy one custom profile per device: each profile must include that device's
ICCID and the matching activation code from the carrier.

Prerequisites
To deploy eSIM to your devices using Intune, the following are needed:

eSIM-capable devices, such as the Surface LTE: See if your device supports eSIM.

If you're unsure whether your devices support eSIM, contact your device
manufacturer. On Windows devices, you can confirm eSIM support. For more
information, go to Use an eSIM to get a cellular data connection on your Windows
client device.

Windows 10 Fall Creators Update (version 1709) or later, enrolled and MDM
managed by Intune

Activation codes provided by your mobile operator. These one-time-use activation
codes are added to Intune and deployed to your eSIM-capable devices. Contact
your mobile operator to acquire eSIM activation codes.

Deploy eSIM to devices - overview

To deploy eSIM to devices, an administrator completes the following tasks:

1. Import activation codes provided by your mobile operator
2. Create an Azure Active Directory (Azure AD) device group that includes your eSIM
capable devices
3. Assign the Azure AD group to your imported subscription pool
4. Monitor the deployment

This article guides you through these steps.

Step 1: Add cellular activation codes

Cellular activation codes are provided by your mobile operator in a comma-separated
values (CSV) file. When you have this file, add it to Intune using the following steps:

1. Sign in to the Microsoft Intune admin center.
2. Select Devices > eSIM cellular profiles > Add.
3. Select the CSV file that has your activation codes.
4. Select OK to save your changes.

CSV file requirements
When working with the CSV file that holds the activation codes, be sure you or your
mobile operator follow these requirements:

The file must be in CSV format (filename.csv).
The file structure must adhere to a strict format; otherwise, the import fails. Intune
checks the file on import and fails it if errors are found.
Activation codes are used one time. Don't import activation codes that you
previously imported; doing so can cause problems when you deploy to the same or a
different device.
Each file should be specific to a single mobile operator, with all activation codes
belonging to the same billing plan. Intune randomly distributes the activation codes
to targeted devices. There's no guarantee which device gets a specific
activation code.
A maximum of 1000 activation codes can be imported in one CSV file.

CSV file example

1. The first row and first cell of the CSV file is the URL of the mobile operator's
eSIM activation service, which is called SM-DP+ (Subscription Manager Data
Preparation server). The URL must be a fully qualified domain name (FQDN) without
any commas.

2. The second and all later rows are unique one-time-use activation codes that
consist of two values:

a. The first column is the unique ICCID (the identifier of the SIM chip).

b. The second column is the Matching ID, with only a comma separating the two
values (no comma at the end of the row).

3. Intune names the cellular subscription pool after the first label of your mobile
operator's SM-DP+ FQDN. For example, if the first row contains
smdp.skynet.mobile, Intune names the cellular subscription pool smdp.
Important

You can't have two lists with the same provider. If you try to upload two lists with
the same provider, you may get a The request is invalid error message.

To add more devices with the same provider or carrier, you must:

Remove the current .csv.
Upload a new .csv that has all the old device/ICCID pairs plus the new
devices you want to add.
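Because Intune rejects the whole file on a format error, it's worth checking an operator CSV before uploading it. The Python below is an added example, not Microsoft's code: it applies the rules above (one FQDN in the first cell, exactly two columns per code row with no trailing comma, digits-only ICCIDs that pass the Luhn check digit ICCIDs carry under ITU-T E.118, no duplicate ICCIDs, no ICCIDs from an earlier import, at most 1000 codes) and derives the pool name the way the page describes. The sample file is constructed: only the smdp.skynet.mobile host name comes from the article; the ICCIDs and Matching IDs are invented. The Matching ID is only checked for presence, since its format belongs to the operator; the 18-22 digit bound on ICCID length is an assumption.

```python
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Iterable

MAX_CODES = 1000  # per-file limit from the article

# One DNS label: 1-63 characters, letters, digits and hyphens, no hyphen at either end.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True when `name` is a bare FQDN with no scheme, path or port."""
    if not name or len(name) > 253 or any(ch in name for ch in "/:"):
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check digit: catches mistyped or transposed ICCIDs, not forged ones."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


@dataclass
class ActivationCodeFile:
    smdp_fqdn: str
    pool_name: str                                              # first label of the FQDN
    codes: list[tuple[str, str]] = field(default_factory=list)  # (ICCID, Matching ID)
    problems: list[str] = field(default_factory=list)


def parse_activation_csv(text: str, previously_imported: Iterable[str] = ()) -> ActivationCodeFile:
    """Validate an operator CSV against the rules above; `problems` is empty when it passes."""
    seen_before = set(previously_imported)
    rows = [r for r in csv.reader(io.StringIO(text.lstrip("\ufeff"))) if any(c.strip() for c in r)]
    if not rows:
        return ActivationCodeFile("", "", problems=["file is empty"])
    header = [c.strip() for c in rows[0]]
    fqdn = header[0]
    result = ActivationCodeFile(fqdn, fqdn.split(".")[0].lower())
    if len(header) != 1 or not is_fqdn(fqdn):
        result.problems.append(f"row 1 must hold a single SM-DP+ FQDN, got {rows[0]!r}")
    seen_here: set[str] = set()
    for n, row in enumerate(rows[1:], start=2):
        cells = [c.strip() for c in row]
        if len(cells) != 2:  # a trailing comma shows up here as a third, empty cell
            result.problems.append(f"row {n}: expected ICCID,MatchingID with no trailing comma, got {row!r}")
            continue
        iccid, matching_id = cells
        # ICCIDs are 19 or 20 digits in practice; 18-22 is a loose sanity bound (assumption).
        if not (iccid.isascii() and iccid.isdigit() and 18 <= len(iccid) <= 22 and luhn_ok(iccid)):
            result.problems.append(f"row {n}: ICCID {iccid!r} is not a valid ICCID")
        if not matching_id:
            result.problems.append(f"row {n}: empty Matching ID")
        if iccid in seen_here:
            result.problems.append(f"row {n}: duplicate ICCID {iccid}")
        elif iccid in seen_before:
            result.problems.append(f"row {n}: ICCID {iccid} was imported before; codes are single-use")
        seen_here.add(iccid)
        result.codes.append((iccid, matching_id))
    if not result.codes:
        result.problems.append("no activation codes after the header row")
    if len(result.codes) > MAX_CODES:
        result.problems.append(f"{len(result.codes)} codes exceed the {MAX_CODES} per-file limit")
    return result


# Constructed sample: the host name is the article's; the Luhn-valid ICCIDs and the
# Matching IDs are invented for this example.
SAMPLE_CSV = """smdp.skynet.mobile
8901260000000000006,K2-4F7A-11C9
8901260000000000014,K2-4F7A-11CA
8901260000000000022,K2-4F7A-11CB
"""

if __name__ == "__main__":
    checked = parse_activation_csv(SAMPLE_CSV)
    print(checked.pool_name, len(checked.codes), checked.problems or "OK")
```

Keep a record of every ICCID you have uploaded and pass it as previously_imported; the page's warning about re-importing codes is otherwise easy to trip over when an operator re-sends an old file with a few new rows.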

Step 2: Create an Azure AD device group

Create a device group that includes the eSIM-capable devices. Add groups lists the
steps.

Note

Only devices are targeted; users aren't targeted.

We recommend creating a static Azure AD device group that includes only your
eSIM devices. Using such a group confirms that you target eSIM devices only.

Step 3: Assign eSIM activation codes to devices


Assign the profile to the Azure AD group that includes your eSIM devices.

1. Sign in to the Microsoft Intune admin center .

2. Select Devices > eSIM cellular profiles.


3. In the list of profiles, select the eSIM cellular subscription pool you want to assign,
and then select Assignments.

4. Choose to Include groups or Exclude groups, and then select the groups.

5. When you select your groups, you're choosing an Azure AD group. To select
multiple groups, use the Ctrl key, and select the groups.

6. When done, Save your changes.

eSIM activation codes are used once. After Intune installs an activation code on a device,
the eSIM module contacts the mobile operator to download the cellular profile. This
contact finishes registering the device with the mobile operator's network.

Step 4: Monitor deployment

Review the deployment status


After you assign the profile, you can monitor the deployment status of a subscription
pool.

1. Sign in to the Microsoft Intune admin center .


2. Select Devices > eSIM cellular profiles. All of your existing eSIM cellular
subscription pools are listed.
3. Select a subscription, and review the Deployment Status.

Check the profile status


After you create your device profile, Intune provides graphical charts. These charts
display the status of a profile, such as it being successfully assigned to devices, or if the
profile shows a conflict.

1. Select Devices > eSIM cellular profiles > Select an existing subscription.
2. In the Overview tab, the top graphical chart shows the number of devices assigned
to the specific eSIM cellular subscription pool deployment.

It also shows the number of devices for other platforms that are assigned the same
device profile.

Intune shows the delivery and installation status for the activation code targeted to
devices:

Device not synced: The targeted device hasn't contacted Intune since the
eSIM deployment policy was created.
Activation pending: A transient state while Intune is actively installing the
activation code on the device.
Active: Activation code installation succeeded.
Activation fail: Activation code installation failed. See Best practices &
troubleshooting later in this article.

View the detailed device status

You can view a detailed list of the targeted devices in Device Status.

1. Select Devices > eSIM cellular profiles > Select an existing subscription.

2. Select Device Status. Intune shows more details about the device:

Device Name: Name of the device that is targeted
User: User of the enrolled device
ICCID: Unique code provided by the mobile operator within the activation
code installed on the device
Activation Status: Intune delivery and installation status of the activation
code on the device
Cellular status: State provided by the mobile operator. Follow up with the mobile
operator to troubleshoot.
Last Check-In: Date the device last communicated with Intune

Monitor eSIM profile details on the actual device

1. On your device, open Settings > go to Network & Internet.

2. Select Cellular > Manage eSIM profiles.

3. The eSIM profiles installed on the device are listed.

Remove the eSIM profile from device
When you remove the device from the Azure AD group, the eSIM profile is also
removed. Be sure to:

1. Confirm you're using the eSIM devices Azure AD group.
2. Go to the Azure AD group, and remove the device from the group.
3. When the removed device contacts Intune, the updated policy is evaluated, and
the eSIM profile is removed.

The eSIM profile is also removed when the device is retired or unenrolled by the user, or
when the reset device remote action runs on the device.

Note

Removing the profile may not stop billing. Contact your mobile operator to check
the billing status for your device.

Best practices & troubleshooting

Be sure your .csv file is properly formatted. Confirm the file doesn't include
duplicate codes, multiple mobile operators, or different data plans. Remember,
each file must be unique to a mobile operator and cellular data plan.
Create a static Azure AD device group that only includes the eSIM devices that are
targeted.
If there's an issue with the deployment status, check the following:
File format not proper: See Step 1: Add cellular activation codes (in this article)
on how to properly format your file.
Cellular activation failure, contact mobile operator: The activation code may
not be activated within the operator's network. Or, the profile download and cellular
activation failed.

Next steps
Configure device profiles

Use custom settings for Android devices in Microsoft Intune
Article • 05/16/2023

Using Microsoft Intune, you can add or create custom settings for your Android devices
using a "custom profile". Custom profiles are a feature in Intune. They're designed to
add device settings and features that aren't built in to Intune.

This feature applies to:

Android device administrator (DA)

Android custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-
URI) settings to configure different features on Android devices. These settings are
typically used by mobile device manufacturers to control these features.

Using a custom profile, you can configure and assign the following Android settings.
The following settings aren't built in to Intune:

Create a Wi-Fi profile with a pre-shared key


Create a per-app VPN profile
Allow and block apps for Samsung Knox Standard devices
Configure web protection in Microsoft Defender for Endpoint for Android

Important

Only the settings listed can be configured in a custom profile. Android devices
don't expose a complete list of OMA-URI settings you can configure. If you'd like to
see more settings, vote for them at the Feedback for Intune site.

This article shows you how to create a custom profile for Android devices.

Create the profile


1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following settings:

Platform: Select Android device administrator.


Profile: Select Custom.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Android
DA custom profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings > OMA-URI Settings, select Add. Enter the following
settings:

Name: Enter a unique name for the OMA-URI setting so you can easily find it.

Description: Enter a description that gives an overview of the setting, and any
other important details.

OMA-URI: Enter the OMA-URI you want to use as a setting.

Data type: Select the data type for this OMA-URI setting. Your options:
String
String (XML file)
Date and time
Integer
Floating point
Boolean
Base64 (file)

Value: Enter the data value you want to associate with the OMA-URI you
entered. The value depends on the data type you selected. For example, if
you select Date and time, select the value from a date picker.

8. Select Save to save your changes. Continue to add more settings as needed. After
you add some settings, you can select Export. Export creates a list of all the values
you added in a comma-separated values (.csv) file.

Select Next.

9. In Scope tags (optional) > Select scope tags, choose your scope tags to assign to
the profile. For more information, see Use RBAC and scope tags for distributed IT.
Select Next.

10. In Assignments, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

11. In Review + create, when you're done, choose Create. The profile is created, and
shown in the list.

You can also monitor its status.

Next steps
Assign the profile and monitor its status.
Create a custom profile on Android Enterprise devices.
Use custom policies in Microsoft Intune to allow and block apps for Samsung Knox Standard devices
Article • 05/17/2023

Use the steps in this article to create a Microsoft Intune custom policy that creates one
of the following lists:

A list of apps that are blocked from running on the device. Apps in this list are
blocked from being run, even if they were already installed when the policy was
applied.
A list of apps that users of the device are allowed to install from the Google Play
store. Only the apps you list can be installed. No other apps can be installed from
the store.

This feature applies to:

Android device administrator (DA)

These settings can only be used by devices that run Samsung Knox Standard.

Create an allowed or blocked app list


1. Sign in to the Microsoft Intune admin center .

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

Platform: Select Android device administrator.


Profile: Select Custom.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Android
Samsung Knox custom profile - blocks apps.
Description: Enter a description that gives an overview of the setting, and any
other important details. This setting is optional, but recommended.
6. Select Next.

7. In Configuration settings, select Add. Enter the following custom OMA-URI
settings:

For a list of apps that are blocked from running on the device:

Name: Enter PreventStartPackages.
Description: Enter a description that gives an overview of the setting, and any
other relevant information to help you locate the profile. For example, enter
List of apps that are blocked from running.
OMA-URI (case sensitive): Enter
./Vendor/MSFT/PolicyManager/My/ApplicationManagement/PreventStartPackages
Data type: Select String.
Value: Enter a list of the app package names you want to block. You can use a
semicolon (;), colon (:), or vertical bar (|) as the delimiter. For example, enter
package1;package2;

For a list of apps that users are allowed to install from the Google Play store while
excluding all other apps:

Name: Enter AllowInstallPackages.
Description: Enter a description that gives an overview of the setting, and any
other relevant information to help you locate the profile. For example, enter
List of apps that users can install from Google Play.
OMA-URI (case sensitive): Enter
./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowInstallPackages
Data type: Select String.
Value: Enter a list of the app package names you want to allow. You can use a
semicolon (;), colon (:), or vertical bar (|) as the delimiter. For example, enter
package1;package2;

8. Save your changes > Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the users or device groups that will receive your profile. For
more information on assigning profiles, go to assign user and device profiles.

Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.

Tip

You can find the package ID of an app by browsing to the app on the Google Play
store. The package ID is the id query parameter in the URL of the app's page. For
example, the package ID of the Microsoft Word app is com.microsoft.office.word.

The next time each targeted device checks in, the app settings are applied.
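Both the generic Android device administrator custom profile procedure (Use custom settings for Android devices, above) and the Samsung Knox allow/block list just described produce the same object: a custom configuration carrying one string OMA-URI setting per list. The Python below is an added example, not Microsoft's code. It pulls package IDs out of Play Store URLs (the id query parameter the Tip refers to), validates them as Android package names so a typo doesn't silently produce a list that blocks nothing, joins them with one of the permitted delimiters, and emits the JSON body for the Microsoft Graph beta androidCustomConfiguration resource that backs these profiles. The Graph resource and property names are my reading of the beta API and should be checked against the current reference before use; com.example.* package names are made up, and the Remote Desktop URL is the one this documentation uses elsewhere.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# OMA-URIs from the article (case sensitive).
OMA_URI_BLOCK = "./Vendor/MSFT/PolicyManager/My/ApplicationManagement/PreventStartPackages"
OMA_URI_ALLOW = "./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowInstallPackages"
DELIMITERS = (";", ":", "|")

# Android package names: two or more dot-separated Java identifiers.
_PACKAGE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+$")


def package_id_from_play_url(url: str) -> str:
    """Return the id= query parameter of a Play Store app page, validated as a package name."""
    parsed = urlparse(url)
    if parsed.netloc != "play.google.com":
        raise ValueError(f"not a Play Store URL: {url}")
    ids = parse_qs(parsed.query).get("id", [])
    if len(ids) != 1 or not _PACKAGE.match(ids[0]):
        raise ValueError(f"no single valid package ID in {url}")
    return ids[0]


def package_list_value(apps, delimiter: str = ";") -> str:
    """Normalize package names and/or Play URLs into the delimited string the CSP expects.

    Invalid names raise rather than producing a list that blocks nothing; duplicates are
    dropped; order is preserved.
    """
    if delimiter not in DELIMITERS:
        raise ValueError(f"delimiter must be one of {DELIMITERS}")
    packages: list[str] = []
    for app in apps:
        app = app.strip()
        pkg = package_id_from_play_url(app) if app.startswith(("http://", "https://")) else app
        if not _PACKAGE.match(pkg):
            raise ValueError(f"{pkg!r} is not a valid Android package name")
        if pkg not in packages:
            packages.append(pkg)
    # Trailing delimiter, matching the article's example "package1;package2;".
    return delimiter.join(packages) + delimiter


def _oma_string(name: str, description: str, uri: str, value: str) -> dict:
    """One string-typed OMA-URI setting in Graph's omaSettingString shape."""
    return {
        "@odata.type": "#microsoft.graph.omaSettingString",
        "displayName": name,
        "description": description,
        "omaUri": uri,
        "value": value,
    }


def knox_app_policy(display_name: str, *, blocked=(), allowed=(), description: str = "") -> dict:
    """Build the Graph (beta) androidCustomConfiguration body for an Android DA custom profile."""
    oma_settings = []
    if blocked:
        oma_settings.append(_oma_string("PreventStartPackages",
                                        "List of apps that are blocked from running",
                                        OMA_URI_BLOCK, package_list_value(blocked)))
    if allowed:
        oma_settings.append(_oma_string("AllowInstallPackages",
                                        "List of apps that users can install from Google Play",
                                        OMA_URI_ALLOW, package_list_value(allowed)))
    if not oma_settings:
        raise ValueError("give at least one blocked or allowed package")
    return {
        "@odata.type": "#microsoft.graph.androidCustomConfiguration",
        "displayName": display_name,
        "description": description,
        "omaSettings": oma_settings,
    }


if __name__ == "__main__":
    # com.example.game is invented; the duplicate shows that URL and name forms are merged.
    body = knox_app_policy(
        "Android Samsung Knox custom profile - blocks apps",
        blocked=["com.example.game", "https://play.google.com/store/apps/details?id=com.example.game"],
        allowed=["https://play.google.com/store/apps/details?id=com.microsoft.rdc.android"],
    )
    print(json.dumps(body, indent=2))  # body for POST /beta/deviceManagement/deviceConfigurations
```

The profile this produces still needs an assignment, exactly as in step 10 of the admin center walkthrough; the Graph body only creates it. Whichever delimiter you choose, use the same one in every value, and keep a trailing delimiter as the article's example does.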

Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and
monitor its status.
Android and Samsung Knox Standard device restriction settings lists in Intune
Article • 02/22/2023

This article shows you all the Microsoft Intune device restrictions settings that you can
configure for devices running Android. As part of your mobile device management
(MDM) solution, use these settings to allow or disable features, set password
requirements, control security, and more.

This feature applies to:

Android device administrator (DA)

Tip

If the settings you want aren't available, you might be able to configure your
devices using a custom profile.

Before you begin


Create an Android device administrator device restrictions configuration profile.

General
Camera: Block prevents access to the device camera. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow access to the device camera.

Intune only manages access to the device camera. It doesn't have access to
pictures or videos.

Copy and paste (Samsung Knox only): Block prevents copy-and-paste. Not
configured allows copy and paste functions on devices.

Clipboard sharing between apps (Samsung Knox only): Block prevents using the
clipboard to copy-and-paste between apps. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow copy
and paste functions on devices.
Diagnostic data submission (Samsung Knox only): Block stops users from
submitting bug reports from devices. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to
submit the data.

Wipe (Samsung Knox only): Allows users to run a wipe action on devices. When
set to Not configured (default), Intune doesn't change or update this setting.

Geolocation (Samsung Knox only): Block disables devices from using location
information. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow devices to use the location
information.

Power off (Samsung Knox only): Block prevents users from powering off device. It
also prevents the Number of sign-in failures before wiping device setting from
being configured, and from working. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to
power off devices.

Screen capture (Samsung Knox only): Block prevents screenshots. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might let users capture the screen contents as an image.

Voice assistant (Samsung Knox only): Block disables the S Voice service. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow using the S Voice service and app on devices. This
setting doesn't apply to Bixby or the voice assistant for accessibility that reads the
screen content aloud.

YouTube (Samsung Knox only): Block prevents users from using the YouTube app.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow using the YouTube app on devices.

Shared devices (Samsung Knox only): Configure a managed Samsung Knox
Standard device as shared. Allow lets users sign in and out of devices with their
Azure AD credentials. Devices stay managed, whether they're in use or not.

When used with a SCEP certificate profile, this feature allows users to share a
device with the same apps for all users, while each user has their own SCEP user
certificate. When users sign out, all app data is cleared. This feature is limited to
LOB apps only.

When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might prevent multiple users from signing in to the
Company Portal app on devices using their Azure AD credentials.

Block date and time changes (Samsung Knox): Block prevents users from
changing the date and time settings on devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow users to change the date and time settings.

Password
Encryption: Select Require so that files on the device are encrypted. Not all devices
support encryption. When set to Not configured (default), Intune doesn't change
or update this setting. To configure this setting, and correctly report compliance,
also configure:

1. Password: Set to Require.
2. Required password type: Set to At least numeric.
3. Minimum password length: Set to at least 4.

Note

If an encryption policy is enforced, Samsung Knox devices require users to set
a 6-character complex password as the device passcode.

All Android devices


These settings apply to Android 4.0 and newer, and Knox 4.0 and newer.

Maximum minutes of inactivity until screen locks: Enter the length of time a
device must be idle before the screen is automatically locked. For example, enter 5
to lock devices after 5 minutes of being idle. When the value is blank or set to Not
configured, Intune doesn't change or update this setting.

On a device, users can't set a time value greater than the configured time in the
profile. Users can set a lower time value. For example, if the profile is set to 15
minutes, users can set the value to 5 minutes. Users can't set the value to 30
minutes.

Number of sign-in failures before wiping device: Enter the number of wrong
passwords allowed before devices are wiped, from 4-11. 0 (zero) might disable
device wipe functionality. When the value is blank, Intune doesn't change or
update this setting.
Password: Require users to enter a password to access devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to access devices without entering a password.

Note

Samsung Knox devices automatically require a 4-digit PIN during MDM
enrollment. Native Android devices may automatically require a PIN to
become compliant with Conditional Access.

Android 10 and later


Password complexity: Enter the required password complexity. Your options:
None (default): No password required.
Low: The password satisfies one of the following conditions:
Pattern
Numeric PIN has a repeating (4444) or ordered (1234, 4321, 2468) sequence.
Medium: The password satisfies one of the following conditions:
Numeric PIN doesn’t have a repeating (4444) or ordered (1234, 4321, 2468)
sequence, and has minimum length of 4.
Alphabetic, with a minimum length of 4.
Alphanumeric, with a minimum length of 4.
High: The password satisfies one of the following conditions:
Numeric PIN doesn’t have a repeating (4444) or ordered (1234, 4321, 2468)
sequence, and has minimum length of 8.
Alphabetic, with a minimum length of 6.
Alphanumeric, with a minimum length of 6.

This setting applies to:


Android 10 and newer, but not on Samsung Knox.

Important

The Password complexity setting is a work in progress. In late October 2020,
Password complexity will take effect on devices.

If you set Password complexity to something other than None, also set
the Password setting to Require, which is found under the All Android devices
section. Users with passwords that don't meet your complexity requirements
receive a warning to update their password. If you don't set the Password
setting to Require, users with weak passwords won't receive the warning.
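To make the Low, Medium and High bands concrete, the following Python classifier is an added example, not Android's or Intune's code. It implements the rules as the list above states them: a numeric PIN that is all one digit or a constant-step sequence (4444, 1234, 4321, 2468) is Low whatever its length; otherwise the band depends on character class and length. Pattern locks have no string form and aren't modelled; any non-empty credential that doesn't reach Medium is reported as Low, which is how Android's own complexity bands nest; and passwords containing symbols are treated as alphanumeric, which is an assumption of this example rather than a rule from the page.

```python
from enum import IntEnum


class Complexity(IntEnum):
    """Password complexity bands, ordered so a higher band satisfies a lower requirement."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def _is_repeating(pin: str) -> bool:
    """All digits identical, such as 4444."""
    return len(set(pin)) == 1


def _is_ordered(pin: str) -> bool:
    """Every step between neighbouring digits is the same non-zero value: 1234, 4321, 2468."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return len(steps) == 1 and 0 not in steps


def password_complexity(secret: str) -> Complexity:
    """Bucket a credential into the Android 10+ bands listed above.

    Pattern locks can't be expressed as a string and aren't modelled. Anything non-empty
    that fails to reach MEDIUM is LOW. Symbols are lumped into the alphanumeric class
    (an assumption of this example, not a rule from the page).
    """
    if not secret:
        return Complexity.NONE
    length = len(secret)
    if set(secret) <= set("0123456789"):            # numeric PIN
        if _is_repeating(secret) or _is_ordered(secret):
            return Complexity.LOW                    # weak sequence, no matter how long
        medium_len, high_len = 4, 8
    elif secret.isalpha():                           # alphabetic
        medium_len, high_len = 4, 6
    else:                                            # alphanumeric (and symbols, by assumption)
        medium_len, high_len = 4, 6
    if length >= high_len:
        return Complexity.HIGH
    if length >= medium_len:
        return Complexity.MEDIUM
    return Complexity.LOW


def meets_requirement(secret: str, required: Complexity) -> bool:
    """True when the credential is at least as strong as the profile requires."""
    return password_complexity(secret) >= required


if __name__ == "__main__":
    for sample in ("4444", "2468", "1379", "19372846", "abcd", "ab12cd"):
        print(sample, password_complexity(sample).name)
```

The same repeating-or-ordered test is what distinguishes the Numeric complex password type, described under Android 9 and earlier below, from plain At least numeric.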
Android 9 and earlier, or Samsung Knox (any version)

Minimum password length: Enter the minimum number of characters required,
from 4-16. For example, enter 6 to require at least six numbers or characters in the
password.

Password expiration (days): Enter the number of days, until the device password
must be changed, from 1-365. For example, enter 90 to expire the password after
90 days. When the password expires, users are prompted to create a new
password. When the value is blank, Intune doesn't change or update this setting.

Required password type: Enter the required password complexity level, and
whether biometric devices can be used. Your options:

Device default

Low security biometric: Strong vs. weak biometrics (opens Android's web
site)

At least numeric: Includes numeric characters, such as 123456789 .

Numeric complex: Repeated or consecutive numbers, such as "1111" or "1234",
aren't allowed. Before you assign this setting to devices, be sure to update the
Company Portal app to the latest version on those devices.

When set to Numeric complex, and you assign the setting to devices running
an Android version earlier than 5.0, the following behavior applies:
If the Company Portal app is running a version earlier than 1704, no PIN
policy applies to devices, and an error shows in the Microsoft Intune admin
center.
If the Company Portal app runs version 1704 or later, only a simple PIN
can be applied. Android versions earlier than 5.0 don't support this setting. No
error is shown in the Microsoft Intune admin center.

At least alphabetic: Includes letters in the alphabet. Numbers and symbols
aren't required.

At least alphanumeric: Includes uppercase letters, lowercase letters, and
numeric characters.

At least alphanumeric with symbols: Includes uppercase letters, lowercase
letters, numeric characters, punctuation marks, and symbols.
Prevent reuse of previous passwords: Use this setting to restrict users from
creating previously used passwords. Enter the number of previously used
passwords that can't be used, from 1-24. For example, enter 5 so users can't set a
new password to their current password or any of their previous four passwords.
When the value is blank, Intune doesn't change or update this setting.

Fingerprint unlock (Samsung Knox only): Block prevents using a fingerprint to
unlock devices. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to unlock devices using a
fingerprint.

Smart Lock and other trust agents: Block prevents Smart Lock or other trust
agents from adjusting lock screen settings. If the device is in a trusted location,
then this feature, also known as a trust agent, lets you disable or bypass the device
lock screen password. For example, use this feature when devices are connected to
a specific Bluetooth device, or when devices are close to an NFC tag. You can use
this setting to prevent users from configuring Smart Lock.

When set to Not configured (default), Intune doesn't change or update this
setting.

This setting applies to:


Samsung KNOX Standard 5.0 and newer

Google Play Store


Google Play store (Samsung Knox only): Block prevents users from using the
Google Play store. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to access the Google Play
store on devices.

Restricted apps
This feature is supported on Android and Samsung Knox Standard devices.

Type of restricted apps list: Create a list of apps to allow or block on devices. This
feature is supported on Android and Samsung Knox Standard devices. Your
options:
Not configured (default): Intune doesn't change or update this setting.
Prohibited apps: List the apps (not managed by Intune) that users aren't
allowed to install and run. If a user installs an app from this list, you're notified
by Intune.
Approved apps: List the apps that users are allowed to install. To stay compliant,
users must not install other apps. Apps that are managed by Intune are
automatically allowed, including the Company Portal app.

Apps list: Add your app:

App store URL: Enter the Google Play Store URL of the app you want. For
example, to add the Microsoft Remote Desktop app for Android, enter
https://play.google.com/store/apps/details?id=com.microsoft.rdc.android .

To find the URL of an app, open the Google Play store , and search for the app.
For example, search for Microsoft Remote Desktop Play Store or Microsoft
Planner . Select the app, and copy the URL.

App bundle ID: Enter the app bundle ID.

App name: Enter the name you want. This name is shown to users.

Publisher (optional): Enter the publisher of the app, such as Microsoft .

You can also Import a CSV file with details about the app, including the URL. Use the
<app url>, <app name>, <app publisher> format. Or, Export an existing list that
includes the restricted apps list in the same format.

Important

Device profiles that use the restricted app settings must be assigned to user
groups, not device groups.
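To make the restricted apps list concrete, here is an added example (not Intune's own code, and not the admin center import itself) that derives the App bundle ID from a Google Play Store URL, writes rows in the CSV import format described above, and then evaluates a constructed device inventory under both list types. The Microsoft Remote Desktop and Company Portal package names are real; the other package names, the managed-app set, and the inventory are constructed for the example.

```python
"""Build and evaluate an Intune 'Restricted apps' list for Android device administrator.

Added example, not Intune's own code. It derives the Android package name
(the 'App bundle ID' field) from a Play Store URL, emits the CSV rows in the
import format the profile expects (<app url>, <app name>, <app publisher>),
and evaluates a constructed device inventory the way the two list types are
described: 'Prohibited apps' reports listed packages, 'Approved apps' reports
everything not listed, with Intune-managed apps (Company Portal included)
always allowed.
"""
import csv
import io
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Java package-name grammar Android uses for application IDs:
# two or more dot-separated labels, each starting with a letter.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")

# Intune-managed apps are always allowed. The Company Portal package name is
# real; 'com.contoso.fieldapp' is a constructed line-of-business app.
MANAGED_APPS = {"com.microsoft.windowsintune.companyportal", "com.contoso.fieldapp"}


@dataclass(frozen=True)
class RestrictedApp:
    url: str
    name: str
    publisher: str = ""

    @property
    def package(self) -> str:
        return package_from_play_url(self.url)


def package_from_play_url(url: str) -> str:
    """Extract and validate the 'id' query parameter of a Play Store details URL."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.netloc != "play.google.com":
        raise ValueError(f"not a Google Play URL: {url}")
    if parsed.path != "/store/apps/details":
        raise ValueError(f"not an app details URL: {url}")
    ids = parse_qs(parsed.query).get("id", [])
    if len(ids) != 1 or not PACKAGE_RE.match(ids[0]):
        raise ValueError(f"missing or malformed package id in {url}")
    return ids[0]


def to_import_csv(apps) -> str:
    """Render rows in the '<app url>, <app name>, <app publisher>' import format."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for app in apps:
        package_from_play_url(app.url)  # reject a malformed URL before it is imported
        writer.writerow([app.url, app.name, app.publisher])
    return buf.getvalue()


def evaluate_inventory(list_type: str, apps, installed, managed=MANAGED_APPS):
    """Return the installed packages that the list reports, sorted.

    list_type is 'prohibited' (listed apps are reported) or 'approved'
    (unlisted, unmanaged apps are reported).
    """
    listed = {app.package for app in apps}
    if list_type == "prohibited":
        return sorted(pkg for pkg in installed if pkg in listed)
    if list_type == "approved":
        return sorted(pkg for pkg in installed if pkg not in listed and pkg not in managed)
    raise ValueError("list_type must be 'prohibited' or 'approved'")


SAMPLE_APPS = [
    RestrictedApp("https://play.google.com/store/apps/details?id=com.microsoft.rdc.android",
                  "Microsoft Remote Desktop", "Microsoft"),
    RestrictedApp("https://play.google.com/store/apps/details?id=com.example.cloudshare",
                  "Example Cloud Share"),  # constructed package name
]

# Constructed inventory from a hypothetical device.
SAMPLE_INVENTORY = [
    "com.microsoft.rdc.android",
    "com.microsoft.windowsintune.companyportal",
    "com.example.cloudshare",
    "com.example.game",
]

if __name__ == "__main__":
    print(to_import_csv(SAMPLE_APPS))
    print("prohibited:", evaluate_inventory("prohibited", SAMPLE_APPS, SAMPLE_INVENTORY))
    print("approved:", evaluate_inventory("approved", SAMPLE_APPS, SAMPLE_INVENTORY))
```

The URL validation matters because the import takes whatever is in the CSV: rejecting anything that is not a `play.google.com` details URL with a well-formed package name keeps typos and pasted search URLs out of the policy.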

Browser
Web browser (Samsung Knox only): Block prevents the default web browser from
being used on devices. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow the device's default
web browser to be used.
Autofill (Samsung Knox only): Block prevents the browser from automatically
filling in text. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow Autofill.
Cookies (Samsung Knox only): Choose how to handle cookies from websites on
devices. Your options:
Allow
Block all cookies
Allow cookies from visited web sites
Allow cookies from current web site
JavaScript (Samsung Knox only): Block prevents JavaScript from running in the
browser. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow these scripts.
Pop-ups (Samsung Knox only): Block turns on Pop-up Blocker to prevent pop-ups
in the web browser. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow pop-ups.

Allow or Block apps

Use these settings to allow, block, or hide specific apps on Samsung Knox Standard
devices. Apps that are hidden can't be opened or run by users.

Your options:

Apps allowed to be installed (Samsung Knox Standard only): Add apps that users
can install. Users can't install apps that aren't on the list.
Apps blocked from launching (Samsung Knox Standard only): Enter the apps that
users can't run on their device.
Apps hidden from user (Samsung Knox Standard only): Enter the apps that are
hidden on devices. Users can't discover or run these apps.

For each setting, add your apps:

Add apps by package name: Enter the app name, and the name of the app
package. Primarily used for line-of-business apps.
Add apps by URL: Enter the app name, and its URL in the Google Play store.
Add store app: Select an app from the existing list of apps you manage in Intune.

Cloud and Storage


Google backup (Samsung Knox only): Block prevents devices from syncing to
Google backup. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow using Google backup.
Google account auto sync (Samsung Knox only): Block prevents the Google
account auto sync feature on devices. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow
Google account settings to be automatically synchronized.
Removable storage (Samsung Knox only): Block prevents devices from using
removable storage. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow devices to use removable
storage, like an SD card.
Encryption on storage cards (Samsung Knox only): Require enforces that storage
cards must be encrypted. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow unencrypted storage
cards to be used. Not all devices support storage card encryption. To confirm,
check with the device manufacturer.

Cellular and Connectivity


Data roaming (Samsung Knox only): Block prevents data roaming over the cellular
network. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow data roaming.
SMS/MMS messaging (Samsung Knox only): Block prevents text messaging on
devices. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow using SMS and MMS messaging.
Voice dialing (Samsung Knox only): Block prevents users from using the voice
dialing feature on devices. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow voice dialing.
Voice roaming (Samsung Knox only): Block prevents voice roaming over the
cellular network. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow voice roaming.
Bluetooth (Samsung Knox only): Block prevents using Bluetooth on devices.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow using Bluetooth.
NFC (Samsung Knox only): Block disables operations that use near field
communication (NFC) on devices that support it. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow NFC operations.
Wi-Fi (Samsung Knox only): Block prevents using Wi-Fi on devices. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow using Wi-Fi.
Wi-Fi tethering (Samsung Knox only): Block prevents using Wi-Fi tethering on
devices. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow using Wi-Fi tethering.

Kiosk
Kiosk settings apply only to Samsung Knox Standard devices, and only to apps you
manage using Intune.
Add apps you want to run when the device is in kiosk mode. In kiosk mode, only
the apps you add run; apps not added don't run. Pre-installed browsers don't run
as an app when the device is in kiosk mode. If a browser is required, consider using
the Managed Browser.

Your app options:


Add apps by package name: Primarily used for line-of-business apps. Enter the
app name, and the name of the app package.
Add apps by URL: Enter the app name, and its URL in the Google Play store.
Add store app: Select an app from the existing list of apps you manage in
Intune.

Screen sleep button: Block prevents or hides the screen sleep button. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow the screen sleep/wake button on devices.

Volume buttons: Block prevents users from adjusting the volume by disabling the
volume buttons. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow using the volume buttons on
devices.

Next steps
Assign the profile and monitor its status.

You can also create kiosk profiles for Android Enterprise and Windows 10 devices.

Android device settings to configure email, authentication, and
synchronization in Intune
Article • 02/21/2023

This article describes the different email settings you can control on Android Samsung
Knox devices in Intune. As part of your mobile device management (MDM) solution, use
these settings to configure an Exchange email server, use SSL to encrypt emails, and
more. The email profile uses the native or built-in email app on the device, and allows
users to connect to their organization email.

This feature applies to:

Android device administrator (DA)

As an Intune administrator, you can create and assign email settings to Android
Samsung Knox Standard devices. To learn more about email profiles in Intune, see
configure email settings.

Before you begin


Create an Android device administrator Email device configuration profile.

Android (Samsung Knox)


Email server: Enter the host name of your Exchange server. For example, enter
outlook.office365.com .

Account name: Enter the display name for the email account. This name is shown
to users on their devices.

Username attribute from AAD: This name is the attribute Intune gets from Azure
Active Directory (Azure AD). Intune dynamically generates the username that's
used by this profile. Your options:
User Principal Name: Gets the name, such as user1 or user1@contoso.com .
User name: Gets only the name, such as user1 .
sAM Account Name: Requires the domain, such as domain\user1 . sAM account
name is only used with Android devices. Also enter:
User domain name source: Choose AAD (Azure Active Directory) or Custom.

When choosing to get the attributes from AAD, enter:


User domain name attribute from AAD: Choose to get the Full domain
name or the NetBIOS name attribute of the user.

When choosing to use Custom attributes, enter:


Custom domain name to use: Enter a value that Intune uses for the
domain name, such as contoso.com or contoso .

Email address attribute from AAD: This name is the email attribute Intune gets
from Azure AD. Intune dynamically generates the email address that's used by this
profile. Make sure your users have email addresses that match the attribute you
select. Your options:
User principal name: Uses the full principal name, such as user1@contoso.com or
user1 , as the email address.
Primary SMTP address: Uses the primary SMTP address, such as
user1@contoso.com , to sign in to Exchange.

Authentication method: Select either Username and Password or Certificates as
the authentication method used by the email profile.
If you select Certificate, select a client SCEP or PKCS certificate profile that you
previously created to authenticate the Exchange connection.

Security settings
SSL: Use Secure Sockets Layer (SSL) communication when sending emails,
receiving emails, and communicating with the Exchange server. The setting name
is historical; the device negotiates TLS with the Exchange server over HTTPS.
S/MIME: Send outgoing email using S/MIME encryption. S/MIME signing and
encryption need a certificate for the user on the device. If you select
Certificate, select a client SCEP or PKCS certificate profile that you
previously created to authenticate the Exchange connection.

Synchronization settings
Amount of email to synchronize: Choose the number of days of email that you
want to synchronize, or select Unlimited to synchronize all available email.
Sync schedule: Select the schedule for devices to synchronize data from the
Exchange server. You can also select As Messages arrive, which synchronizes data
when it arrives, or Manual, where the user of the device must initiate the
synchronization.
Content sync settings
Content type to sync: Select the content types that you want to synchronize on
the devices. Not configured disables this setting. When set to Not configured, if
an end user enables synchronization on the device, synchronization is disabled
again the next time the device syncs with Intune, because the policy is re-enforced.

You can sync the following content:


Contacts: Choose Enable to allow end users to sync contacts to their devices.
Calendar: Choose Enable to allow end users to sync the calendar to their
devices.
Tasks: Choose Enable to allow end users to sync any tasks to their devices.

Next steps
Assign the profile and monitor its status.

You can also create email profiles for Android Enterprise, iOS/iPadOS, and Windows 10
and later.

Android device settings to configure VPN in Intune
Article • 02/21/2023

This article describes the different VPN connection settings you can control on Android
devices. As part of your mobile device management (MDM) solution, use these settings
to create a VPN connection, choose how the VPN authenticates, select a VPN server
type, and more.

This feature applies to:

Android device administrator (DA)

As an Intune administrator, you can create and assign VPN settings to Android devices.
To learn more about VPN profiles in Intune, see VPN profiles.

Before you begin


Create an Android device administrator VPN device configuration profile.

Some Microsoft 365 services, such as Outlook, may not perform well using third
party or partner VPNs. If you're using a third party or partner VPN, and experience
a latency or performance issue, then remove the VPN.

If removing the VPN resolves the behavior, then you can:


Work with the third party or partner VPN for possible resolutions. Microsoft
doesn't provide technical support for third party or partner VPNs.
Don't use a VPN with Outlook traffic.
If you need to use a VPN, then use a split-tunnel VPN. And, allow the Outlook
traffic to bypass the VPN.

For more information, go to:


Overview: VPN split tunneling for Microsoft 365
Using third-party network devices or solutions with Microsoft 365
Alternative ways for security professionals and IT to achieve modern security
controls in today's unique remote work scenarios blog
Microsoft 365 network connectivity principles

Base VPN
Connection name: Enter a name for this connection. End users see this name when
they browse their device for the available VPN connections. For example, enter
Contoso VPN .

VPN server address: Enter the IP address or fully qualified domain name (FQDN) of
the VPN server that devices connect. For example, enter 192.168.1.1 or
vpn.contoso.com .

Authentication method: Choose how devices authenticate to the VPN server. Your
options:

Certificates: Select an existing SCEP or PKCS certificate profile to authenticate
the connection. Configure certificates lists the steps to create a certificate
profile.

Username and password: When signing into the VPN server, end users are
prompted to enter their user name and password.

Derived credential: Use a certificate that's derived from a user's smart card. If
no derived credential issuer is configured, Intune prompts you to add one.

For more information, see Use derived credentials in Intune.

Connection type: Select the VPN connection type. Your options:


Check Point Capsule VPN
Cisco AnyConnect
SonicWall Mobile Connect
F5 Access
Pulse Secure
Citrix SSO

Fingerprint (Check Point Capsule VPN only): Enter the fingerprint string given to
you by the VPN vendor, such as Contoso Fingerprint Code . This fingerprint verifies
that the VPN server can be trusted.

When authenticating, a fingerprint is sent to the client so the client knows to trust
any server that has the same fingerprint. If the device doesn't have the fingerprint,
it prompts the user to trust the VPN server while showing the fingerprint. The user
manually verifies the fingerprint, and chooses to trust to connect. That prompt is a
trust-on-first-use decision left to the user, so deploy the fingerprint in the profile
rather than relying on users to compare it by hand.

Next steps
Assign the profile and monitor its status.
You can also create VPN profiles for Android Enterprise, iOS/iPadOS, macOS, and
Windows 10 and later.

Add Wi-Fi settings for devices running Android device administrator in
Microsoft Intune
Article • 06/14/2023

You can create a profile with specific WiFi settings, and then deploy this profile to your
Android devices. Microsoft Intune offers many features, including authenticating to your
network, adding a PKCS or SCEP certificate, and more.

This feature applies to:

Android device administrator (DA)

These Wi-Fi settings are separated into two categories: Basic settings and
Enterprise-level settings. This article describes these settings.

Before you begin


Create an Android device administrator Wi-Fi device configuration profile.

Basic
Wi-Fi type: Choose Basic.
SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.
Hidden network: Choose Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcasted. Choose Disable to show this
network in the list of available networks on the device.

Enterprise
Wi-Fi type: Choose Enterprise.

SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.
Hidden network: Choose Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcasted. Choose Disable to show this
network in the list of available networks on the device.

EAP type: Choose the Extensible Authentication Protocol (EAP) type used to
authenticate secured wireless connections. Your options:

EAP-TLS: Also enter:

Server Trust - Root certificate for server validation: Select one or more
existing trusted root certificate profiles. When the client connects to the
network, these certificates are used to establish a chain of trust with the
server. If your authentication server uses a public certificate, then you don't
need to include a root certificate.

Client Authentication - Client certificate for client authentication (Identity
certificate): Choose the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the device
to the server to authenticate the connection.

Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by
the real identification sent in a secure tunnel.​

EAP-TTLS: Also enter:

Server Trust - Root certificate for server validation: Select one or more
existing trusted root certificate profiles. When the client connects to the
network, these certificates are used to establish a chain of trust with the
server. If your authentication server uses a public certificate, then you don't
need to include a root certificate.

Client Authentication: Choose an Authentication method. Your options:

Username and Password: Prompt the user for a user name and password
to authenticate the connection. Also enter:

Non-EAP method (inner identity): Choose how you authenticate the
connection. Be sure you choose the same protocol that's configured on
your Wi-Fi network. Your options:
Unencrypted password (PAP)
Challenge Handshake Authentication Protocol (CHAP)
Microsoft CHAP (MS-CHAP)
Microsoft CHAP Version 2 (MS-CHAP v2)

All four inner methods rely on the outer TLS tunnel for protection; PAP in
particular hands the password in clear to whichever server terminates that
tunnel. Server validation with the root certificate above is therefore what
keeps a rogue access point presenting its own certificate from harvesting
credentials.

Certificates: Choose the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.

Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed
by the real identification sent in a secure tunnel.

PEAP: Also enter:

Server Trust - Root certificate for server validation: Select one or more
existing trusted root certificate profiles. When the client connects to the
network, these certificates are used to establish a chain of trust with the
server. If your authentication server uses a public certificate, then you don't
need to include a root certificate.

Client Authentication: Choose an Authentication method. Your options:

Username and Password: Prompt the user for a user name and password
to authenticate the connection. Also enter:

Non-EAP method for authentication (inner identity): Choose how you
authenticate the connection. Be sure you choose the same protocol
that's configured on your Wi-Fi network. Your options:
None
Microsoft CHAP Version 2 (MS-CHAP v2)

Certificates: Choose the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.

Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed
by the real identification sent in a secure tunnel.

Next steps
The profile is created, but it's not doing anything. Next, assign this profile.

More resources
Wi-Fi settings overview, including other platforms.

Using Android Enterprise or Android Kiosk devices? If yes, then look at Wi-Fi
settings for devices running Android Enterprise and dedicated devices.

Android (AOSP) device settings to allow or restrict features using Intune
Article • 07/12/2023

This article describes the different settings you can control on Android (AOSP) devices.
You can use these restrictions to configure password requirements and access to device
features.

This feature applies to:

Android Open Source Project (AOSP) corporate-owned userless devices (shared)
Android Open Source Project (AOSP) corporate-owned user-associated devices
(single user)

Before you begin


Create an AOSP device restrictions profile. For the platform, select Android (AOSP).

Device password
Required password type: Require users to use a certain type of password. Your
options:

Device default: To evaluate password compliance, be sure to select a password
strength other than Device default. If you want to require users to set up a
passcode on their devices, configure this setting to a more secure option.

Numeric (default): Password must only be numbers, such as 123456789 . Also
enter:
Minimum password length: Enter the minimum number of digits the
password must have, from 4 to 16.

Numeric complex: Doesn't permit repeat or consecutive numbers, such as 1111
or 1234 . Also enter:
Minimum password length: Enter the minimum number of digits or
characters a password must have, from 4 to 16.

Number of sign-in failures before wiping device: Enter the number of sign-in
attempts allowed, from 4 to 11, before the device is wiped. 0 (zero) might disable
the device wipe functionality. When the value is blank, Intune doesn't change or
update this setting.

Maximum minutes of inactivity until screen locks: Enter the maximum length of
time, from 1 minute to 1 hour, that devices can be idle before the screen is
automatically locked. Users must enter their credentials to regain access. For
example, enter 5 to lock the device after 5 minutes of inactivity. When the value is
blank or set to Not configured, Intune doesn't change or update this setting.

Note

RealWear devices currently only support device default, numeric, and numeric
complex password types.
The password type Password required, no restrictions appears as an option
but doesn't currently work on devices, which is a known issue.
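The password types above are easier to reason about with a checker in hand. The following is an added example, not Intune's or Android's own code: it evaluates a PIN against the Numeric and Numeric complex types as this article describes them, with Numeric complex rejecting any run of more than three digits that repeat (1111) or step up or down by one (1234, 4321). The device itself enforces Android's own rule, so treat this as a model of the documented behaviour; the PINs in the block are constructed.

```python
"""Check a PIN against the AOSP device-password types described above.

Added example, not Intune's or Android's own code. 'numeric' requires ASCII
digits and a minimum length of 4 to 16; 'numeric_complex' additionally rejects
a run of more than three digits that repeat or step by one, which is how the
article describes the type. The sample PINs are constructed.
"""
from typing import Tuple

PASSWORD_TYPES = ("device_default", "numeric", "numeric_complex")
MAX_SEQUENCE = 3  # longest repeated or consecutive run that is still accepted


def longest_sequence(digits: str) -> int:
    """Length of the longest run whose adjacent digits differ by a constant
    step of 0 (repeat), +1 (ascending) or -1 (descending)."""
    best = run = min(len(digits), 1)
    step = None
    for prev, cur in zip(digits, digits[1:]):
        d = int(cur) - int(prev)
        if d not in (-1, 0, 1):
            run, step = 1, None   # a larger jump ends any sequence
        elif step is None or d != step:
            run, step = 2, d      # a new sequence starts at prev
        else:
            run += 1
        best = max(best, run)
    return best


def check_password(pin: str, password_type: str, minimum_length: int = 4) -> Tuple[bool, str]:
    """Return (compliant, reason) for the given password type and minimum length."""
    if password_type not in PASSWORD_TYPES:
        raise ValueError(f"unknown password type: {password_type}")
    if password_type == "device_default":
        # The article notes that Device default is not evaluated for compliance.
        return True, "device default is not evaluated for compliance"
    if not 4 <= minimum_length <= 16:
        raise ValueError("minimum length must be between 4 and 16")
    if not (pin.isascii() and pin.isdigit()):
        return False, "numeric types accept digits only"
    if len(pin) < minimum_length:
        return False, f"shorter than the minimum length of {minimum_length}"
    if password_type == "numeric_complex" and longest_sequence(pin) > MAX_SEQUENCE:
        return False, "contains a repeated or consecutive digit sequence"
    return True, "compliant"


if __name__ == "__main__":
    samples = (("123456789", "numeric"), ("1111", "numeric_complex"),
               ("1234", "numeric_complex"), ("1123", "numeric_complex"),
               ("2580", "numeric_complex"))
    for pin, kind in samples:
        print(pin, kind, check_password(pin, kind))
```

Note that a PIN such as 12321 passes: it contains two sequences of three digits but no run longer than three, which is why the minimum length setting and the sequence rule are worth choosing together.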

General
Block access to camera: Prevents access to the camera on the device. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow access to the camera.

Intune only manages access to the device camera. It doesn't have access to
pictures or videos.

Block screen capture: Prevents screenshots or screen captures on the device. It
also prevents the content from being shown on display devices that don't have a
secure video output. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might let users capture the screen
contents as an image.

Disable factory reset: Prevents users from using the factory reset option in the
device's settings. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to factory reset the device.

Block mounting of external media: Prevents users from using or connecting any
external media on the device. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to connect
external media.
Block USB file transfer: Prevents users from transferring files over USB. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to transfer files.

Block Wi-Fi setting changes: Prevents users from creating or changing any Wi-Fi
configurations. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to change the Wi-Fi
settings on the device.

Disable Bluetooth: Disables Bluetooth on the device so that users can't pair with
other devices. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might enable Bluetooth on the device.

Block Bluetooth configuration: Prevents users from configuring Bluetooth on the
device. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to configure Bluetooth.

Allow users to turn on debugging features: Permits users to access the debugging
features on the device. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might prevent users from using
the debugging features on the device.

Block users from turning on unknown sources: Prevents users from sideloading
apps. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to sideload apps from unknown
sources.

Next steps
Create an Android (AOSP) device compliance policy.
Add actions for noncompliant devices.

Add Wi-Fi settings for Android (AOSP) devices in Microsoft Intune
Article • 06/14/2023

You can create a profile with specific Wi-Fi settings, and then deploy this profile to your
Android Open Source Project (AOSP) devices. Microsoft Intune offers many features,
including authenticating to your network, using a pre-shared key, and more.

This feature applies to:

Android (AOSP)

This article describes these settings. Use Wi-Fi on your devices includes more
information about the Wi-Fi feature in Microsoft Intune.

For more information on AOSP, go to Android Open Source Project (opens Android's
website).

Before you begin


Create an Android (AOSP) device configuration profile.

Basic
Wi-Fi type: Select Basic.

Network name: Enter a name for this Wi-Fi connection. End users see this name
when they browse their device for available Wi-Fi connections. For example, enter
Contoso WiFi.

SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.

Connect automatically: Enable automatically connects to your Wi-Fi network when
devices are in range. Select Disable to prevent or block this automatic connection.

When devices are connected to another preferred Wi-Fi connection, then they
won't automatically connect to this Wi-Fi network. If devices fail to connect
automatically when this setting is enabled, then disconnect the devices from any
existing Wi-Fi connections.
Hidden network: Select Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcasted. Select Disable to show this
network in the list of available networks on the device.

Wi-Fi type: Select the security protocol to authenticate to the Wi-Fi network. Your
options:
Open (no authentication): Only use this option if the network is unsecured.
WEP-Pre-shared key: Enter the password in Pre-shared key (PSK). When your
organization's network is set up or configured, a password or network key is
also configured. Enter this password or network key for the PSK value.
WPA-Pre-shared key: Enter the password in Pre-shared key (PSK). When your
organization's network is set up or configured, a password or network key is
also configured. Enter this password or network key for the PSK value.

Enterprise
Wi-Fi type: Select Enterprise.

SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.

Connect automatically: Enable automatically connects to your Wi-Fi network when
devices are in range. Select Disable to prevent or block this automatic connection.

When devices are connected to another preferred Wi-Fi connection, then they
won't automatically connect to this Wi-Fi network. If devices fail to connect
automatically when this setting is enabled, then disconnect the devices from any
existing Wi-Fi connections.

Hidden network: Select Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcasted. Select Disable to show this
network in the list of available networks on the device.

EAP type: Select the Extensible Authentication Protocol (EAP) type used to
authenticate secured wireless connections. Your options:

EAP-TLS: To authenticate, the Extensible Authentication Protocol (EAP)
Transport Layer Security (TLS) uses a digital certificate on the server, and a
digital certificate on the client. Both certificates are signed by a certificate
authority (CA) that the server and client trust.

Also enter:
Radius server name: Enter the DNS name that's used in the certificate
presented by the Radius Server during client authentication to the Wi-Fi
access point. For example, enter Contoso.com , uk.contoso.com , or
jp.contoso.com .

If you have multiple Radius servers with the same DNS suffix in their fully
qualified domain name, then you can enter only the suffix. For example, you
can enter contoso.com .

When you enter this value, user devices can bypass the dynamic trust dialog
that's sometimes shown when connecting to the Wi-Fi network.

On Android 11 and newer, new Wi-Fi profiles may require this setting be
configured. Otherwise, the devices may not connect to your Wi-Fi network.

Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.

Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by
the real identification sent in a secure tunnel.​

EAP-TTLS: To authenticate, the Extensible Authentication Protocol (EAP)
Tunneled Transport Layer Security (TTLS) uses a digital certificate on the server.
When the client makes the authentication request, the server uses the tunnel,
which is a secure connection, to complete the authentication request.

Also enter:

Radius server name: Enter the DNS name that's used in the certificate
presented by the Radius Server during client authentication to the Wi-Fi
access point. For example, enter Contoso.com , uk.contoso.com , or
jp.contoso.com .

If you have multiple Radius servers with the same DNS suffix in their fully
qualified domain name, then you can enter only the suffix. For example, you
can enter contoso.com .

When you enter this value, user devices can bypass the dynamic trust dialog
that's sometimes shown when connecting to the Wi-Fi network.
On Android 11 and newer, new Wi-Fi profiles may require this setting be
configured. Otherwise, the devices may not connect to your Wi-Fi network.

Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.

Certificates: Select the SCEP or PKCS client certificate profile that's also
deployed to the device. This certificate is the identity presented by the device
to the server to authenticate the connection.

Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by
the real identification sent in a secure tunnel.

PEAP: Protected Extensible Authentication Protocol (PEAP) encrypts and
authenticates using a protected tunnel. Also enter:

Radius server name: Enter the DNS name that's used in the certificate
presented by the Radius Server during client authentication to the Wi-Fi
access point. For example, enter Contoso.com , uk.contoso.com , or
jp.contoso.com .

If you have multiple Radius servers with the same DNS suffix in their fully
qualified domain name, then you can enter only the suffix. For example, you
can enter contoso.com .

When you enter this value, user devices can bypass the dynamic trust dialog
that's sometimes shown when connecting to the Wi-Fi network.

On Android 11 and newer, new Wi-Fi profiles may require this setting be
configured. Otherwise, the devices may not connect to your Wi-Fi network.

Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.

Certificates: Select the SCEP or PKCS client certificate profile that's also
deployed to the device. This certificate is the identity presented by the device
to the server to authenticate the connection.

Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous. During
authentication, this anonymous identity is initially sent, and then followed by
the real identification sent in a secure tunnel.
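The Radius server name rule above (an exact name, or a shared DNS suffix such as contoso.com) is the same for EAP-TLS and PEAP. The following added example, which is not Intune or Android code, models that rule so an administrator can confirm planned values before devices see the trust dialog; the server names are constructed, and the real check is performed by the OS supplicant.

```python
"""Model the "Radius server name" matching rule: a device trusts the RADIUS
server's certificate when one of its DNS names equals the configured name,
or when the configured value is the DNS suffix shared by all RADIUS servers
(contoso.com covers uk.contoso.com and jp.contoso.com).
Added example, not Intune or Android code. Server names are constructed.
"""


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop surrounding space and a trailing dot."""
    return name.strip().rstrip(".").lower()


def name_matches(configured: str, cert_name: str) -> bool:
    """True when cert_name equals the configured name, or the configured name
    is a suffix of cert_name on a label boundary. The '.' prefix keeps a name
    such as notcontoso.com from satisfying a configured contoso.com."""
    cfg, cert = normalize(configured), normalize(cert_name)
    if not cfg or not cert:
        return False
    return cert == cfg or cert.endswith("." + cfg)


def server_accepted(configured_names: list[str], cert_dns_names: list[str]) -> bool:
    """Accept the server when any configured name matches any DNS name the
    certificate presents (its subject alternative names)."""
    return any(name_matches(cfg, san) for cfg in configured_names for san in cert_dns_names)


def evaluate(configured_names: list[str], servers: dict[str, list[str]]) -> dict[str, bool]:
    """Map each server label to whether a device with this profile would trust it."""
    return {label: server_accepted(configured_names, sans) for label, sans in servers.items()}


# Constructed data: the profile value an admin enters, and the DNS names from
# three hypothetical server certificates. The last shares letters with the
# suffix but is a different domain, so it must be rejected.
CONFIGURED = ["contoso.com"]
SERVERS = {
    "uk": ["uk.contoso.com"],
    "jp": ["radius.jp.contoso.com", "jp.contoso.com"],
    "other-domain": ["notcontoso.com", "contoso.com.example.net"],
}

if __name__ == "__main__":
    for label, ok in evaluate(CONFIGURED, SERVERS).items():
        print(f"{label}: {'trusted' if ok else 'rejected'}")
```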

Next steps
The profile is created, but might not be doing anything. Be sure to assign this profile
and monitor its status.

You can also create Wi-Fi profiles for Android Enterprise, iOS/iPadOS, macOS, and
Windows 10/11.

Troubleshoot common issues with Wi-Fi profiles.


Use custom settings for Android
Enterprise devices in Microsoft Intune
Article • 05/16/2023

Using Microsoft Intune, you can add or create custom settings for your Android
Enterprise personally owned devices with a work profile using a "custom profile".
Custom profiles are a feature in Intune. They're designed to add device settings and
features that aren't built in to Intune.

This feature applies to:

Android Enterprise personally owned devices with a work profile (BYOD)

Android Enterprise custom profiles use Open Mobile Alliance Uniform Resource
Identifier (OMA-URI) settings to control features on Android Enterprise devices. These
settings are typically used by mobile device manufacturers to control these features.

Intune supports the following limited number of Android Enterprise custom profiles:

./Vendor/MSFT/WiFi/Profile/SSID/Settings: Create a Wi-Fi profile with a pre-shared
key has some examples.
./Vendor/MSFT/VPN/Profile/Name/PackageList: Create a per-app VPN profile has
some examples.
./Vendor/MSFT/WorkProfile/DisallowCrossProfileCopyPaste: See the example in
this article. This setting is also available in the user interface. For more information,
see Android Enterprise device settings to allow or restrict features.

If you need to add more settings, then use OEMConfig for Android Enterprise.

This article shows you how to create a custom profile for Android Enterprise devices. It
also provides an example of a custom profile that blocks copy-and-paste.

Create the profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following settings:

Platform: Select Android Enterprise.

Profile: Select Personally-owned work profile > Custom.

4. Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Android
Enterprise custom profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.

6. Select Next.

7. In Configuration settings > OMA-URI Settings, select Add. Enter the following
settings:

Name: Enter a unique name for the OMA-URI setting so you can easily find it.

Description: Enter a description that gives an overview of the setting, and any
other important details.

OMA-URI: Enter the OMA-URI you want to use as a setting.

Data type: Select the data type for this OMA-URI setting. Your options:
String
String (XML file)
Date and time
Integer
Floating point
Boolean
Base64 (file)

Value: Enter the data value you want to associate with the OMA-URI you
entered. The value depends on the data type you selected. For example, if
you select Date and time, select the value from a date picker.

After you add some settings, you can select Export. Export creates a list of all the
values you added in a comma-separated values (.csv) file.

8. Select Save to save your changes. Continue to add more settings as needed.

Select Next.

9. In Scope tags (optional) > Select scope tags, choose your scope tags to assign to
the profile. For more information, see Use RBAC and scope tags for distributed IT.

Select Next.
10. In Assignments, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

11. In Review + create, when you're done, choose Create. The profile is created, and
shown in the list.

You can also monitor its status.

Example
In this example, you create a custom profile that restricts copy and paste actions
between work and personal apps on Android Enterprise devices.

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following settings:

Platform: Select Android Enterprise.

Profile: Select Personally-owned work profile > Custom.

4. In Basics, enter the following properties:

Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, enter AE block copy paste custom
profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.

5. Select Next.

6. In Configuration settings > OMA-URI Settings, select Add. Enter the following
settings:

Name: Enter something like Block copy and paste.

Description: Enter something like Blocks copy/paste between work and
personal apps.

OMA-URI: Enter ./Vendor/MSFT/WorkProfile/DisallowCrossProfileCopyPaste.

Data type: Select Boolean so the value for this OMA-URI is True or False.

Value: Select True.

Your settings look similar to the following image:


7. Select Save to save your changes. Continue to add more settings as needed. After
you add some settings, you can select Export. Export creates a list of all the values
you added in a comma-separated values (.csv) file.

After you enter the settings, your environment looks similar to the following
image:

8. Select Next.

9. In Scope tags (optional) > Select scope tags, choose your scope tags to assign to
the profile. For more information, see Use RBAC and scope tags for distributed IT.

Select Next.

10. In Assignments, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.

Select Next.

11. In Review + create, when you're done, choose Create. The profile is created and is
shown in the list.
When you assign this profile to Android Enterprise devices you manage, copy and
paste are blocked between apps in the work and personal profiles.

You can also monitor its status.

Next steps
Assign the profile and monitor its status.
Create a custom profile on Android device administrator devices.

Android Enterprise device settings list to allow or restrict features on
corporate-owned devices using Intune
Article • 07/31/2023

This article describes the different settings you can control and restrict on Android
Enterprise devices owned by your organization. As part of your mobile device
management (MDM) solution, use these settings to allow or disable features, run apps
on dedicated devices, control security, and more.

This feature applies to:

Android Enterprise corporate-owned work profile (COPE)
Android Enterprise corporate owned fully managed (COBO)
Android Enterprise corporate owned dedicated devices (COSU)

Tip

For AOSP devices, go to Android (AOSP) device settings to allow or restrict
features using Intune.
For Android Enterprise personally owned devices with a work profile (BYOD),
go to Android Enterprise device settings to allow or restrict features on
personally owned devices using Intune.

Before you begin

Create an Android device administrator device restrictions configuration profile.

When you create device restriction policies, there are many settings available. To
help determine the settings that are right for your organization, you can use the
security configuration framework guidance:
Android Enterprise fully managed, dedicated, and corporate-owned work profile
security settings

Fully managed, dedicated, and corporate-owned work profile
These settings apply to Android Enterprise enrollment types where Intune controls the
entire device, such as Android Enterprise fully managed, dedicated, and corporate-
owned work profile devices.

Some settings aren't supported by all enrollment types. To see which settings are
supported by the different enrollment types, sign into the Intune admin center . Each
setting is under a heading that indicates the enrollment types that can use the setting.

For corporate-owned devices with a work profile, some settings only apply in the work
profile. These settings have (work profile-level) in the setting name. For fully managed
and dedicated devices, these settings apply device-wide.

General

Fully managed, dedicated, and corporate-owned work profile devices
Screen capture (work profile-level): Block prevents screenshots or screen captures
on the device. It also prevents the content from being shown on display devices
that don't have a secure video output. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might let users
capture the screen contents as an image.

Camera (work profile-level): Block prevents access to the camera on the device.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow access to the camera.

Intune only manages access to the device camera. It doesn't have access to
pictures or videos.

Default permission policy (work profile-level): This setting defines the default
permission policy for requests for runtime permissions. Your options:
Device default (default): Use the device's default setting.
Prompt: Users are prompted to approve the permission.
Auto grant: Permissions are automatically granted.
Auto deny: Permissions are automatically denied.

Date and Time changes: Block prevents users from manually setting the date and
time. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to set the date and time on the
device.

Roaming data services: Block prevents data roaming over the cellular network.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow data roaming when the device is on a
cellular network.

Wi-Fi access point configuration: Block prevents users from creating or changing
any Wi-Fi configurations. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to change the
Wi-Fi settings on the device.

Bluetooth configuration: Block prevents users from configuring Bluetooth on the
device. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow using Bluetooth on the device.

Tethering and access to hotspots: Block prevents tethering and access to portable
hotspots. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow tethering and access to portable
hotspots.

USB file transfer: Block prevents transferring files over USB. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow transferring files.

External media: Block prevents using or connecting any external media on the
device. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow external media on the device.

Beam data using NFC (work-profile level): Block prevents using the Near Field
Communication (NFC) technology to beam data from apps. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow using NFC to share data between devices.

Developer settings: Choose Allow to let users access developer settings on the
device. When set to Not configured (default), Intune doesn’t change or update this
setting. By default, the OS might prevent users from accessing developer settings
on the device.

Microphone adjustment: Block prevents users from unmuting the microphone
and adjusting the microphone volume. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow users
to use and adjust the volume of the microphone on the device.

Factory reset protection emails: Choose Google account email addresses. Enter
the email addresses of device administrators that can unlock the device after it's
wiped. Be sure to separate the email addresses with a semi-colon, such as
admin1@gmail.com;admin2@gmail.com. These emails only apply when a non-user
factory reset is run, such as running a factory reset using the recovery menu.

When set to Not configured (default), Intune doesn't change or update this
setting.

System update: Choose an option to define how the device handles over-the-air
updates. Your options:

Device Default (default): Use the device's default setting. By default, if the
device is connected to Wi-Fi, is charging, and is idle, then the OS updates
automatically. For app updates, the OS also validates if the app isn't running in
the foreground.

Automatic: Updates are automatically installed without user interaction. Setting
this policy immediately installs any pending updates.

Postponed: Updates are postponed for 30 days. At the end of the 30 days,
Android prompts users to install the update. It's possible for device
manufacturers or carriers to prevent (exempt) important security updates from
being postponed. An exempted update shows a system notification to users on
the device.

Maintenance window: Installs updates automatically during a daily
maintenance window that you set in Intune. Installation tries daily for 30 days,
and can fail if there's insufficient space or battery levels. After 30 days, Android
prompts users to install.

This setting applies to operating system and Play Store app updates. Any
maintenance window takes precedence over in-progress device changes.

Use this option for dedicated devices, such as kiosks, as single-app dedicated
device foreground apps can be updated.

Freeze periods for system updates: Optional. When you set the System update
setting to Automatic, Postponed, or Maintenance window, use this setting to
create a freeze period:
Start date: Enter the start date in MM/DD format, up to 90 days long. For
example, enter 11/15 to start the freeze period on November 15.
End date: Enter the end date in MM/DD format, up to 90 days long. For example,
enter 01/15 to end the freeze period on January 15.

During this freeze period, all incoming system updates and security patches are
blocked, including manually checking for updates.

When a device's clock is outside the freeze period, the device continues to receive
updates based on your System update setting.

To set multiple annually recurring freeze periods, make sure the freeze periods are
separated by at least 60 days.

This setting applies to:

Android 9.0 and newer
Fully managed and dedicated devices
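The following added example, which is not Intune code, applies the freeze-period rules just described to a planned set of MM/DD values: each period at most 90 days long (wrapping past December 31 where the end precedes the start), recurring periods at least 60 days apart, and a check of whether a device's clock date falls inside a freeze period. It assumes day arithmetic on a fixed non-leap year; Intune's own validation happens in the admin center.

```python
"""Checks for the "Freeze periods for system updates" setting.
Added example, not Intune code. Assumption: MM/DD arithmetic is done on a
fixed non-leap year, so every MM/DD value maps to one day-of-year number.
"""
from datetime import date

YEAR_DAYS = 365       # assumption: fixed non-leap year
_BASE_YEAR = 2023     # any non-leap year maps MM/DD to a day-of-year number
MAX_PERIOD_DAYS = 90  # each freeze period may be up to 90 days long
MIN_GAP_DAYS = 60     # recurring freeze periods must be at least 60 days apart


def day_of_year(mmdd: str) -> int:
    """Parse 'MM/DD' into 1..365; raises ValueError for a malformed value."""
    month, day = (int(part) for part in mmdd.split("/"))
    return date(_BASE_YEAR, month, day).timetuple().tm_yday


def period_length(start: str, end: str) -> int:
    """Inclusive length in days; an end before the start wraps past 12/31."""
    return (day_of_year(end) - day_of_year(start)) % YEAR_DAYS + 1


def days_between(end_a: str, start_b: str) -> int:
    """Days from the end of one period forward to the start of the next."""
    return (day_of_year(start_b) - day_of_year(end_a)) % YEAR_DAYS


def in_freeze(mmdd: str, periods: list[tuple[str, str]]) -> bool:
    """True if a device clock date (MM/DD) lies inside any freeze period,
    i.e. the device blocks system updates and manual update checks."""
    d = day_of_year(mmdd)
    for start, end in periods:
        s, e = day_of_year(start), day_of_year(end)
        if s <= e:
            if s <= d <= e:
                return True
        elif d >= s or d <= e:  # period wraps past December 31
            return True
    return False


def validate(periods: list[tuple[str, str]]) -> list[str]:
    """Return the problems with a set of (start, end) periods; [] means valid."""
    problems = []
    for start, end in periods:
        n = period_length(start, end)
        if n > MAX_PERIOD_DAYS:
            problems.append(f"{start}-{end} is {n} days, longer than {MAX_PERIOD_DAYS}")
    if len(periods) > 1:
        # Walk the periods in calendar order, cyclically, so the gap from the
        # last period back around to the first is checked as well.
        ordered = sorted(periods, key=lambda p: day_of_year(p[0]))
        for (s1, e1), (s2, e2) in zip(ordered, ordered[1:] + ordered[:1]):
            if in_freeze(s2, [(s1, e1)]):
                problems.append(f"{s2}-{e2} overlaps {s1}-{e1}")
                continue
            gap = days_between(e1, s2)
            if gap < MIN_GAP_DAYS:
                problems.append(
                    f"gap between {s1}-{e1} and {s2}-{e2} is {gap} days, "
                    f"less than {MIN_GAP_DAYS}"
                )
    return problems


# Constructed sample: the article's 11/15 to 01/15 period plus a spring period.
SAMPLE_PERIODS = [("11/15", "01/15"), ("05/01", "06/30")]

if __name__ == "__main__":
    print("problems:", validate(SAMPLE_PERIODS) or "none")
    for clock in ("12/25", "02/01"):
        state = "frozen" if in_freeze(clock, SAMPLE_PERIODS) else "follows System update setting"
        print(clock, state)
```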


Volume changes: Block prevents users from changing the device's volume, and
also mutes the main volume. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow using the volume
settings on the device.

Factory reset: Block prevents users from using the factory reset option in the
device's settings. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to use this setting on the
device.

Status bar: Block prevents access to the status bar, including notifications and
quick settings. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users access to the status bar.

Wi-Fi setting changes: Block prevents users from changing Wi-Fi settings created
by the device owner. Users can create their own Wi-Fi configurations. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow users to change the Wi-Fi settings on the device.

USB storage: Choose Allow to access USB storage on the device. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might prevent access to USB storage.

Network escape hatch: Enable allows users to turn on the network escape hatch
feature. If a network connection isn't made when the device boots, then the escape
hatch asks to temporarily connect to a network and refresh the device policy. After
applying the policy, the temporary network is forgotten and the device continues
booting. This feature connects devices to a network if:
There isn't a suitable network in the last policy.
The device boots into an app in lock task mode.
Users are unable to reach the device settings.

When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might prevent users from turning on the network
escape hatch feature on the device.

Notification windows: When set to Disable, window notifications, including toasts,
incoming calls, outgoing calls, system alerts, and system errors aren't shown on the
device. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might show notifications.

Skip first use hints: Enable hides or skips suggestions from apps that step through
tutorials, or hints when the app starts. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might show these
suggestions when the app starts.

Dedicated devices
Power button menu: Block hides the power options when users hold down the
power button when in kiosk mode. Hiding these options prevents users from
accidentally or intentionally shutting down devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, when users hold
down the power button on a device, they're shown power options, such as Restart
and Power off.

This setting applies to:

Android 9.0 and newer

System error warnings: Allow shows system warnings on the screen when in kiosk
mode, including unresponsive apps and system warnings. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might hide these warnings. When one of these events occurs, the system forces
the app to close.

This setting applies to:

Android 9.0 and newer

Enabled system navigation features: Allow users to access the device home and
overview buttons when in kiosk mode. Your options:
Not configured (default): Intune doesn't change or update this setting. By
default, the OS might disable the device home and overview buttons.
Home button only: Users can see and select the home button. They can't see or
select the overview buttons.
Home and overview buttons: Users can see and select the home and overview
buttons.

This setting applies to:

Android 9.0 and newer

System notifications and information: Allow users to access the device status bar,
and receive notifications from the status bar when in kiosk mode. Your options:
Not configured (default): Intune doesn't change or update this setting. By
default, the OS might disable the status bar, and disable notifications on the
status bar.
Show system information in device's status bar: Users can see system
information on the status bar. Users can't see or receive notifications from the
status bar.
Show system notifications and information in device's status bar: Users can
see the system information, and receive notifications from the status bar. To see
notifications, enable the device home button using the Enabled system
navigation features setting.

This setting applies to:

Android 9.0 and newer

End-user access to device settings: Block prevents users from accessing the
Settings app. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to access the Settings app.

This setting applies to:

Android 9.0 and newer

Corporate-owned work profile devices

Contact sharing via Bluetooth (work profile-level): Block prevents users from
sharing their work profile contacts with devices over Bluetooth. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to share their contacts via Bluetooth.

Search work contacts and display work contact caller-id in personal profile: In
the personal profile, Block prevents users from searching work contacts, and
showing work caller ID information.

When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow searching work contacts, and show work
caller IDs.

ShowWorkContactsInPersonalProfile

Copy and paste between work and personal profiles: Allow lets users copy and
paste data between the work and personal profiles.

When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might:
Prevent users from pasting text into the personal profile that's copied from the
work profile.
Allow users to copy text from the personal profile, and paste into the work
profile.
Allow users to copy text from the work profile, and paste into the work profile.
CrossProfileCopyPaste

Data sharing between work and personal profiles: Choose if data can be shared
between work and personal profiles. Your options:
Device default: Intune doesn't change or update this setting. By default, the OS
might prevent users from sharing data in the work profile with the personal
profile. Data in the personal profile can be shared in the work profile.
Block all sharing between profiles: Prevents users from sharing data between
the work and personal profiles.
Block sharing from work to personal profile: Prevents users from sharing data
in the work profile with the personal profile. Data in the personal profile can be
shared with the work profile.
No restrictions on sharing: Data can be shared between the work and personal
profiles.

CrossProfileDataSharing

System security
Threat scan on apps: Require (default) enables Google Play Protect to scan apps
before and after they're installed. If it detects a threat, it may warn users to remove
the app from the device. When set to Not configured, Intune doesn't change or
update this setting. By default, the OS might not enable or run Google Play Protect
to scan apps.

Common Criteria mode: Require enables an elevated set of security standards that
are most often used in highly sensitive organizations, such as government
establishments. Those settings include but aren't limited to:
AES-GCM encryption of Bluetooth Long Term Keys
Wi-Fi configuration stores
Blocks bootloader download mode, the manual method for software updates
Mandates additional key zeroization on key deletion
Prevents non-authenticated Bluetooth connections
Requires that FOTA updates have 2048-bit RSA-PSS signature

When set to Not configured (default), Intune doesn't change or update this
setting.

Learn more about Common Criteria:

Common Criteria for Information Technology Security Evaluation at
commoncriteriaportal.org
CommonCriteriaMode in the Android Management API documentation.
Knox Deep Dive: Common Criteria Mode at samsungknox.com

Device experience
Use these settings to configure a kiosk-style experience on your dedicated devices, or to
customize the home screen experiences on your fully managed devices. You can
configure devices to run one app, or run many apps. When a device is set with kiosk
mode, only the apps you add are available.

Enrollment profile type: Select an enrollment profile type to start configuring Microsoft
Launcher or the Microsoft Managed Home Screen on your devices. Your options:

Not configured: Intune doesn't change or update this setting. By default, users
might see the device's default home screen experience.

Dedicated device: Configure a kiosk-style experience on your dedicated devices.

Before you configure these settings, be sure to add, and assign the apps you want
on the devices.

Kiosk mode: Choose if the device runs one app or runs multiple apps. Your
options:

Not configured: Intune doesn't change or update this setting.

Single app: Users can only access a single app on the device. When the
device starts, only the specific app starts. Users are restricted from opening
new apps or from changing the running app.
Select an app to use for kiosk mode: Select the Managed Google Play
app from the list.

Important

When using single-app kiosk mode, to use dialer/phone apps, then
enable system notifications. This feature is available on Android devices
running 9.0 and newer. To enable system notifications, see General
settings for dedicated devices (in this article).

Multi-app: Users can access a limited set of apps on the device. When the
device starts, only the apps you add start. You can also add some web links
that users can open. When the policy is applied, users see icons for the
allowed apps on the home screen.
Important

For multi-app dedicated devices, the Managed Home Screen app
from Google Play must be:
Added in Intune
Assigned to the device group created for your dedicated devices

The Managed Home Screen app isn't required to be in the
configuration profile, but it's required to be added as an app. When the
Managed Home Screen app is added, any other apps you add in the
configuration profile are shown as icons on the Managed Home Screen
app.

When using multi-app kiosk mode, to use dialer/phone apps, then
enable system notifications. This feature is available on Android devices
running 9.0 and newer. To enable system notifications, see General
settings for dedicated devices (in this article).

For more information on the Managed Home screen, see setup
Microsoft Managed Home Screen on Dedicated devices in multi-app
kiosk mode.

Custom app layout: Enable lets you put apps and folders in different
places on the Managed Home Screen. When set to Not configured,
Intune doesn't change or update this setting. By default, the apps and
folders you add are shown on the home screen in alphabetical order.

Grid size: Select the size of your home screen. An app or folder takes
one place on the grid.

Home screen: Select the add button, and select an app from the list.
Select the Folder option to create a folder, enter the Folder name, and
add apps from your list to the folder.

When you add items, select the context menu to remove items, or
move them to different positions:
Add: Select your apps from the list.

If the Managed Home Screen app isn't listed, then add it from Google
Play. Be sure to assign the app to the device group created for your
dedicated devices.

You can also add other Android apps and web apps created by your
organization to the device. Be sure to assign the app to the device group
created for your dedicated devices.

Important

When using multi-app mode, every app in the policy must be a
required app, and must be assigned to the devices. If an app isn't
required, or isn't assigned, then the devices may lock out users, and
show a Contact your IT admin. This phone will be erased.
message.

Lock home screen: Enable prevents users from moving app icons and
folders. They're locked, and can't be dragged-and-dropped to different
places on the grid. When set to Not configured, Intune doesn't change or
update this setting. By default, users can move these items.

Folder icon: Select the color and shape of the folder icon that's shown on
the Managed Home Screen. Your options:
Not configured
Dark theme rectangle
Dark theme circle
Light theme rectangle
Light theme circle

App and Folder icon size: Select the size of the folder icon that's shown
on the Managed Home Screen. Your options:
Not configured
Extra small
Small
Average
Large
Extra large

Depending on the screen size, the actual icon size may be different.

Screen orientation: Select the direction the Managed Home Screen is
shown on devices. Your options:
Not configured
Portrait
Landscape
Autorotate

App notification badges: Enable shows the number of new and unread
notifications on app icons. When set to Not configured, Intune doesn't
change or update this setting.

Virtual home button: A soft-key button that returns users to the Managed
Home Screen so users can switch between apps. Your options:
Not configured (default): A home button isn't shown. Users must use
the back button to switch between apps.
Swipe-up: A home button shows when a user swipes up on the device.
Floating: Shows a persistent, floating home button on the device.

Leave kiosk mode: Enable allows Administrators to temporarily pause
kiosk mode to update the device. To use this feature, the administrator:

1. Continues to select the back button until the Exit kiosk button
shows.
2. Selects the Exit kiosk button, and enters the Leave kiosk mode code
PIN.
3. When finished, select the Managed Home Screen app. This step
relocks the device into multi-app kiosk mode.

When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might prevent administrators from pausing
kiosk mode. If the administrator keeps selecting the back button, and
selects the Exit kiosk button, then a message states that a passcode is
required.

Leave kiosk mode code: Enter a 4-6 digit numeric PIN. The administrator
uses this PIN to temporarily pause kiosk mode.

Set custom URL background: Enter a URL to customize the background
screen on the dedicated device. For example, enter
http://contoso.com/backgroundimage.jpg.

Note

For most cases, we recommend starting with images of at least the
following sizes:
Phone: 1080x1920 px
Tablet: 1920x1080 px

For the best experience and crisp details, it's suggested that per
device image assets be created to the display specifications.

Modern displays have higher pixel densities and can display
equivalent 2K/4K definition images.

Shortcut to settings menu: Disable hides the Managed Settings shortcut
on the Managed Home Screen. Users can still swipe down to access the
settings. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the Managed Settings shortcut is shown on
devices. Users can also swipe down to access these settings.

Quick access to debug menu: This setting controls how users access the
debug menu. Your options:
Enable: Users can access the debug menu easier. Specifically, they can
swipe down, or use the Managed Settings shortcut. As always, they can
continue to select the back button 15 times.
Not configured (default): Intune doesn't change or update this setting.
By default, easy access to the debug menu is turned off. Users must
select the back button 15 times to open the debug menu.

In the debug menu, users can:

See and upload Managed Home Screen logs
Open Google's Android Device Policy Manager app
Open the Microsoft Intune app
Exit kiosk mode

Wi-Fi configuration: Enable shows the Wi-Fi control on the Managed
Home Screen, and allows users to connect the device to different Wi-Fi
networks. Enabling this feature also turns on device location. When set to
Not configured (default), Intune doesn't change or update this setting. By
default, the OS might not show the Wi-Fi control on the Managed Home
Screen. It prevents users from connecting to Wi-Fi networks while using
the Managed Home Screen.

Wi-Fi allow list: Create a list of valid wireless network names, also
known as the service set identifier (SSID). Managed Home Screen users
can only connect to the SSIDs you enter.

Wi-Fi SSIDs are case sensitive. If the SSID is valid but the capitalization
you enter doesn't match the network name, then the network isn't
shown.

When left blank, Intune doesn't change or update this setting. By default, all available Wi-Fi networks are allowed.

Import a .csv file that includes a list of valid SSIDs.

Export your current list to a .csv file.

SSID: You can also enter the Wi-Fi network names (SSID) that Managed
Home Screen users can connect to. Be sure to enter valid SSIDs.
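The following script is an added example, not part of this article or of Intune: it loads an allow list in the one-column .csv layout used here (the exact import layout is an assumption), audits a constructed list of observed network names against it, and separates exact matches from networks that differ only in letter case, which the Managed Home Screen silently hides.

```python
"""Audit a Managed Home Screen Wi-Fi allow list against observed SSIDs.

Added example, not Intune code. Assumes the import .csv carries one SSID
per row in the first column, with an optional header row named 'SSID'.
"""
import csv
import io

# Constructed sample: the allow list an admin would import into the profile.
ALLOW_LIST_CSV = """SSID
Contoso-Corp
Contoso-Guest
Warehouse-5GHz
"""

# Constructed sample: names seen in a site survey or a device log.
OBSERVED_SSIDS = [
    "Contoso-Corp",      # exact match, shown on the home screen
    "contoso-guest",     # valid network, wrong case: silently hidden
    "Warehouse-5GHz",
    "Neighbour-WiFi",    # not on the list, never shown
]


def load_allowed_ssids(csv_text: str) -> list:
    """Read SSIDs from .csv text, skipping blanks and a 'SSID' header row.
    No case folding is applied: Intune compares SSIDs case-sensitively."""
    ssids = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue
        name = row[0].strip()
        if name.upper() == "SSID":
            continue
        ssids.append(name)
    return ssids


def audit_ssids(allowed: list, observed: list) -> dict:
    """Classify observed networks the way the Managed Home Screen treats them.

    Returns {'shown': [...], 'case_mismatch': [...], 'not_listed': [...]}.
    'case_mismatch' is the trap this article warns about: the network is on
    the list in spirit but differs only in letter case, so it never appears."""
    exact = set(allowed)
    folded = {s.casefold(): s for s in allowed}
    result = {"shown": [], "case_mismatch": [], "not_listed": []}
    for name in observed:
        if name in exact:
            result["shown"].append(name)
        elif name.casefold() in folded:
            result["case_mismatch"].append((name, folded[name.casefold()]))
        else:
            result["not_listed"].append(name)
    return result


def export_allowed_ssids(allowed: list) -> str:
    """Write the list back out in the same one-column .csv layout."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["SSID"])
    for name in allowed:
        writer.writerow([name])
    return buf.getvalue()


if __name__ == "__main__":
    allowed = load_allowed_ssids(ALLOW_LIST_CSV)
    report = audit_ssids(allowed, OBSERVED_SSIDS)
    for name, listed in report["case_mismatch"]:
        print(f"hidden: '{name}' differs only in case from '{listed}'")
```

Run the audit against the SSIDs your access points actually broadcast before you assign the profile; a case-only mismatch produces no error in the admin center and no error on the device, only a network that never appears.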

) Important

In the October 2020 release, the Managed Home Screen API was
updated to be compliant with the Google Play Store requirements.
The following changes impact Wi-Fi configuration policies in the
Managed Home Screen:

Users can't enable or disable Wi-Fi connections on devices. Users can switch between Wi-Fi networks, but can't turn Wi-Fi on or off.

If a Wi-Fi network is password protected, then users must enter the password. After they enter the password, the configured network automatically connects. If they disconnect and then reconnect to the Wi-Fi network, then users may need to enter the password again.

On Android 11 devices, when users connect to a network using the Managed Home Screen, they're prompted to consent. This prompt comes from Android, and isn't specific to the Managed Home Screen.

On Android 10 devices, when users connect to a network using the Managed Home Screen, a notification prompts them to consent. So, users need access to the status bar and notifications to consent. To enable system notifications, see General settings for dedicated devices (in this article).

On Android 10 devices, when users connect to a password protected Wi-Fi network using the Managed Home Screen, they're prompted for the password. If the device is connected to an unstable network, then the Wi-Fi network changes. This behavior happens even when users enter the correct password.

Bluetooth configuration: Enable shows the Bluetooth control on the Managed Home Screen, and allows users to pair devices over Bluetooth. Enabling this feature also turns on device location. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the Bluetooth control on the Managed Home Screen, which prevents users from configuring Bluetooth and pairing devices while using the Managed Home Screen.

) Important

For devices running on Android 10+ and using Managed Home Screen,
for Bluetooth pairing to successfully work on devices that require a
pairing key, admins must enable the following Android system apps:
Android System Bluetooth
Android System Settings
Android System UI

For more information on how to enable Android system apps, go to Manage Android Enterprise system apps.

Flashlight access: Enable shows the flashlight control on the Managed Home Screen, and allows users to turn the flashlight on or off. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the flashlight control on the Managed Home Screen, which prevents users from using the flashlight while using the Managed Home Screen.

Media volume control: Enable shows the media volume control on the
Managed Home Screen, and allows users to adjust the device's media
volume using a slider. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might not show
the media volume control on Managed Home Screen. It prevents users
from adjusting the device's media volume while using the Managed Home
Screen, unless their hardware buttons support it.

Quick access to device information: Enable allows users to swipe down to see the device information on the Managed Home Screen, such as the serial number, make and model number, and SDK level. When set to Not configured (default), Intune doesn't change or update this setting. By default, the device information might not be shown.

Screen saver mode: Enable shows a screensaver on the Managed Home Screen when the device is locked or times out. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show a screensaver on the Managed Home Screen.

When enabled, also configure:

Set custom screen saver image: Enter the URL to a custom PNG, JPG, JPEG, GIF, BMP, WebP, or ICO image. If you don't enter a URL, then the device's default image is used, if there's a default image.

For example, enter:

http://www.contoso.com/image.jpg
www.contoso.com/image.bmp
https://www.contoso.com/image.webp

The device downloads the image from the URL you enter. Prefer an https URL so the image can't be swapped in transit on an untrusted network.

 Tip

Any file resource URL that can be turned into a bitmap is supported.

Number of seconds the device shows screen saver before turning off screen: Choose how long the device shows the screensaver. Enter a value between 0-9999999 seconds. Default is 0 seconds. When left blank, or set to zero ( 0 ), the screen saver is active until a user interacts with the device.

Number of seconds the device is inactive before showing screen saver: Choose how long the device is idle before showing the screensaver. Enter a value between 1-9999999 seconds. Default is 30 seconds. You must enter a number greater than zero ( 0 ).

Detect media before starting screen saver: Enable (default) doesn't show the screen saver if audio or video is playing on the device. When set to Not configured, Intune doesn't change or update this setting. By default, the OS might show the screen saver, even if audio or video is playing.

7 Note

Managed Home Screen starts the screensaver whenever the lock screen appears:
If the system's lock screen timeout is longer than the number of seconds for device to show the screensaver, then the screensaver shows until the lock screen appears.
If the system's lock screen timeout is shorter than the number of seconds the device is inactive, then the screensaver shows as soon as the device's lock screen appears.

MHS Sign-in screen: Enable shows a sign-in screen on the Managed Home Screen. When set to Not configured (default), Intune doesn't change or update this setting. This sign-in screen and related settings are intended for use on dedicated devices enrolled with Azure AD Shared device mode.

When enabled, also configure:

Set custom URL background for sign-in screen: Enter the URL of the URL background for the sign-in screen. The sign-in screen must be enabled to configure this setting.
Set custom URL branding logo for sign-in screen and session pin page: Enter the URL branding logo for the sign-in screen and session pin page.
Require user to set a PIN for sign-in session: When set to Enable, the user must set a PIN for their sign-in session. When set to Not configured (default), the user isn't required to set a PIN. This setting must be enabled to show the subsettings.

Choose complexity of PIN for sign-in session: Select the complexity of the session PIN. Your options:
Not configured: Intune doesn't change or update this setting. By default, MHS requires at least one character in the session PIN.
Simple: Requires numbers. There are no restrictions on repeating (444) or ordered (123, 321, 246) sequences.
Complex: Allows users to create a PIN with alphanumeric characters. Can't use repeating (444) or ordered (123, 321, 246) sequences.

For more information on this setting, see Complexity of session PIN at Configure the Microsoft Managed Home Screen app for Android Enterprise.

Require user to enter session PIN if screensaver has appeared: Select Enable to require the user to enter their session PIN to resume using the Managed Home Screen after the screensaver has appeared.
Automatically sign-out of MHS and Shared device mode applications
after inactivity: Select Enable to auto sign out of the Managed Home
Screen based on inactivity. This setting must be enabled to show the
subsettings.
Number of seconds device is inactive before automatically signing user out: Define the period of inactivity, in seconds, before user is automatically signed out from Managed Home Screen. By default, this value is set to 300 seconds.
Number of seconds to give user notice before automatically
signing them out: Define the amount of time, in seconds, for user to
have option to resume their session before getting automatically
signed out from Managed Home Screen. By default, this value is set
to 60 seconds.

Fully managed: Configures the Microsoft Launcher app on fully managed devices.

Make Microsoft Launcher the default launcher: Enable sets Microsoft Launcher
as the default launcher on the home screen. If you make Launcher the default,
users can't use another launcher. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the Microsoft Launcher isn't
forced as the default launcher.

Configure custom wallpaper: In the Microsoft Launcher app, Enable lets you
apply your own image as the home screen wallpaper, and choose if users can
change the image. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the device keeps its current wallpaper.
Enter URL of wallpaper image: Enter the URL of your wallpaper image. This
image shows on the device home screen. For example, enter
http://www.contoso.com/image.jpg .

Allow user to modify wallpaper: Enable allows users to change the wallpaper image. When set to Not configured (default), Intune doesn't change or update this setting. By default, users are prevented from changing the wallpaper.

Enable launcher feed: Enable turns on the launcher feed, which shows
calendars, documents, and recent activities. When set to Not configured
(default), Intune doesn't change or update this setting. By default, this feed isn't
shown.
Allow user to enable/disable feed: Enable lets users enable or disable the
launcher feed. Enable only forces this setting the first time the profile is
assigned. Any future profile assignments don't force this setting. When set to
Not configured (default), Intune doesn't change or update this setting. By
default, users are prevented from changing the launcher feed settings.

Dock presence: The dock gives users quick access to their apps and tools. Your
options:
Not configured (default): Intune doesn't change or update this setting.
Show: The dock is shown on devices.
Hide: The dock is hidden. Users must swipe up to access the dock.
Disabled: The dock isn't shown on devices, and users are prevented from
showing it.

Allow user to change dock presence: Enable allows users to show or hide the
dock. Enable only forces this setting the first time the profile is assigned. Any
future profile assignments don't force this setting. When set to Not configured
(default), Intune doesn't change or update this setting. By default, users aren't
allowed to change the device dock configuration.

Search bar replacement: Choose where to put the search bar. Your options:
Not configured (default): Intune doesn't change or update this setting.
Top: Search bar is shown at the top of devices.
Bottom: Search bar is shown at the bottom of devices.
Hide: Search bar is hidden.

Device password

Fully managed, dedicated, and corporate-owned work profile devices
Required password type: Enter the required password complexity level, and
whether biometric devices can be used. Your options:

Device default (default): Most devices don't require a password when set to
Device default. If you want to require users to set up a passcode on their
devices, configure this setting to something more secure than Device default.

Password required, no restrictions

Weak biometric: Strong vs. weak biometrics (opens Android's web site)

Numeric: Password must only be numbers, such as 123456789 . Also enter:
Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.

Numeric complex: Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed. Also enter:
Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.

Alphabetic: Letters in the alphabet are required. Numbers and symbols aren't
required. Also enter:
Minimum password length: Enter the minimum length the password must
have, between 4 and 16 characters.

Alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters. Also enter:
Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.

Alphanumeric with symbols: Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols. Also enter:
Minimum password length: Enter the minimum length the password must
have, between 4 and 16 characters.
Number of characters required: Enter the number of characters the
password must have, between 0 and 16 characters.
Number of lowercase characters required: Enter the number of lowercase
characters the password must have, between 0 and 16 characters.
Number of uppercase characters required: Enter the number of uppercase
characters the password must have, between 0 and 16 characters.
Number of non-letter characters required: Enter the number of non-letters
(anything other than letters in the alphabet) the password must have,
between 0 and 16 characters.
Number of numeric characters required: Enter the number of numeric
characters ( 1 , 2 , 3 , and so on) the password must have, between 0 and 16
characters.
Number of symbol characters required: Enter the number of symbol
characters ( & , # , % , and so on) the password must have, between 0 and 16
characters.
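The following script is an added example, not Intune or Android code. It turns the password-type rules listed above, and the Simple/Complex session PIN rules from the MHS sign-in screen section earlier in this article, into checks you can run against candidate values before rolling out a profile, so you can predict what a given configuration will reject. Assumptions, all labelled in the code: a "repeating or ordered sequence" is a run of identical or evenly stepped characters (444, 123, 321, 246), compared on code points so letter runs count too; the run length follows the article's own examples (3 for the session PIN, 4 for Numeric complex); and "Number of characters required" is treated as a minimum letter count. The type names (numeric_complex, alphanumeric_with_symbols, and so on) are this script's own spellings of the admin-center options.

```python
"""Check device-password and Managed Home Screen session-PIN candidates
against the rules this article describes. Added example, not Intune or
Android code; see the module-level ASSUMPTIONS below."""

# ASSUMPTIONS (not stated on the page):
#  - a "repeating or ordered sequence" is a run of identical or evenly stepped
#    characters, measured on code points (so "abc" counts like "123");
#  - run length follows the page's examples: 3 for the MHS session PIN
#    ("444", "123"), 4 for Numeric complex ("1111", "1234");
#  - "Number of characters required" maps to a minimum count of letters.
SESSION_PIN_RUN = 3
NUMERIC_COMPLEX_RUN = 4
CLASSES = ("letters", "lowercase", "uppercase", "non_letters", "numeric", "symbols")
MIN_LENGTH_TYPES = {"numeric", "numeric_complex", "alphabetic",
                    "alphanumeric", "alphanumeric_with_symbols"}


def has_run(value: str, run: int) -> bool:
    """True if any `run` consecutive characters are identical or form an
    arithmetic sequence of code points (1111, 1234, 4321, 2468, abc)."""
    codes = [ord(c) for c in value]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        step = window[1] - window[0]
        if all(window[j + 1] - window[j] == step for j in range(run - 1)):
            return True
    return False


def check_session_pin(pin: str, complexity: str = "not_configured") -> list:
    """MHS session PIN. complexity: 'not_configured' (at least one character),
    'simple' (digits only, sequences allowed) or 'complex' (alphanumeric,
    no repeating or ordered runs). Returns a list of violations."""
    if not pin:
        return ["PIN must contain at least one character"]
    errors = []
    if complexity == "simple" and not pin.isdigit():
        errors.append("simple PIN must contain only digits")
    elif complexity == "complex":
        if not pin.isalnum():
            errors.append("complex PIN must be alphanumeric")
        if has_run(pin, SESSION_PIN_RUN):
            errors.append("complex PIN must not contain repeating or ordered sequences")
    return errors


def check_device_password(password: str, required_type: str,
                          minimum_length: int = 4, **counts) -> list:
    """Device password under 'Required password type'. `counts` are the
    per-class minimums used by alphanumeric_with_symbols (each 0-16):
    letters, lowercase, uppercase, non_letters, numeric, symbols."""
    if required_type in MIN_LENGTH_TYPES and not 4 <= minimum_length <= 16:
        raise ValueError("minimum password length must be between 4 and 16")
    unknown = set(counts) - set(CLASSES)
    if unknown:
        raise ValueError(f"unknown character class: {sorted(unknown)}")
    if any(not 0 <= v <= 16 for v in counts.values()):
        raise ValueError("character-class counts must be between 0 and 16")
    errors = []
    if required_type == "device_default":
        return errors            # page: most devices require no password here
    if not password:
        # 'required' and 'weak_biometric' only demand that a password exists
        # (assumption for weak_biometric, which the page does not detail).
        return ["a password is required"]
    if required_type in MIN_LENGTH_TYPES and len(password) < minimum_length:
        errors.append(f"at least {minimum_length} characters required")
    letters = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    have = {
        "letters": letters,
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "non_letters": len(password) - letters,
        "numeric": digits,
        "symbols": sum(not c.isalnum() for c in password),
    }
    if required_type in ("numeric", "numeric_complex") and not password.isdigit():
        errors.append("only digits are allowed")
    if required_type == "numeric_complex" and has_run(password, NUMERIC_COMPLEX_RUN):
        errors.append("repeated or consecutive digits such as 1111 or 1234 are not allowed")
    if required_type in ("alphabetic", "alphanumeric") and letters == 0:
        errors.append("at least one letter required")
    if required_type == "alphanumeric" and digits == 0:
        errors.append("at least one digit required")
    if required_type == "alphanumeric_with_symbols":
        for name, minimum in counts.items():
            if have[name] < minimum:
                errors.append(f"at least {minimum} {name} required")
    return errors


if __name__ == "__main__":
    print(check_session_pin("1234", "complex"))
    print(check_device_password("Tr0ub4dor&3", "alphanumeric_with_symbols", 8,
                                uppercase=1, lowercase=1, numeric=1, symbols=1))
```

Keep in mind that on fully managed and corporate-owned work profile devices the user isn't prompted when these requirements change (see the note that follows), so a profile that rejects the passwords people already have simply reports as failed until each user picks a compliant one.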

Number of days until password expires: Enter the number of days, until the device
password must be changed, from 1-365. For example, enter 90 to expire the
password after 90 days. When the password expires, users are prompted to create
a new password. When the value is blank, Intune doesn't change or update this
setting.

Number of passwords required before user can reuse a password: Use this
setting to restrict users from creating previously used passwords. Enter the number
of previously used passwords that can't be used, from 1-24. For example, enter 5
so users can't set a new password to their current password or any of their
previous four passwords. When the value is blank, Intune doesn't change or
update this setting.

Number of sign-in failures before wiping device: Enter the number of wrong
passwords allowed before the device is wiped, from 4-11. When the value is blank,
Intune doesn't change or update this setting.

7 Note

Users on fully managed, and corporate-owned work profile devices are not
prompted to set a password. The settings are required, but users might not
be notified. Users need to set the password manually. The policy reports as
failed until the user sets a password that meets your requirements.
To apply the device password settings during device enrollment, assign the
device restriction profile to users, not devices. During enrollment, users are
asked to set a screen lock. Then, they must choose a device password that
meets all the requirements in this device restriction profile.

On dedicated devices, if the device is set up with single or multi-app kiosk mode, then users are prompted to set a password. Screens force and guide users to create a compliant password before they can continue using the device.

On dedicated devices that are not using kiosk mode, users are not notified
of any password requirement. Users need to set the password manually.
The policy reports as failed until the user sets a password that meets your
requirements.

Disabled lock screen features: When the device is locked, choose the features that can't be used. For example, when Secure camera is checked, the camera feature is disabled on the device while it's locked.

Any features you don't check remain available to users when the device is locked. Users won't see or access features that are checked.
On corporate-owned work profile devices, only Unredacted notifications, Trust
agents, and Fingerprint unlock can be disabled.
If users turn off the Use one lock setting on their device, then disabling
Fingerprint unlock and disabling Trust agents apply at the corporate-owned
work profile-level. If users turn on the Use one lock setting, then disabling
Fingerprint unlock and disabling Trust agents apply at the device-level.

Required unlock frequency: Strong authentication is when users unlock a device using a password, PIN, or pattern. Non-strong authentication methods are when users unlock a device using some biometric options, such as a fingerprint or face scan.

Select how long users have before they're required to unlock the device using a
strong authentication method. Your options:
Device default (default): The screen locks using the device's default time.
24 hours since last pin, password, or pattern unlock: The screen locks 24 hours
after users last used a strong authentication method to unlock the device. When
the timeout is reached, non-strong authentication methods are disabled until
the device is unlocked using strong authentication.
2.3.4 Advanced passcode management: Strong Authentication required timeout
(opens Android's web site)

Fully managed and dedicated devices
Disable lock screen: Disable blocks all Keyguard lock screen features from being
used. When set to Not configured (default), Intune doesn't change or update this
setting. By default, when the device is in lock screen, the OS might allow all the
Keyguard features, such as camera, fingerprint unlock, and more.

Power settings

Fully managed, dedicated, and corporate-owned work profile devices
Time to lock screen (work profile-level): Enter the maximum time a user can set
until the device locks. For example, if you set this setting to 10 minutes , then users
can set the time from 15 seconds up to 10 minutes. When set to Not configured
(default), Intune doesn't change or update this setting.

Fully managed and dedicated devices
Screen on while device plugged in: Choose which power sources cause the
device's screen to stay on when plugged in.

Users and Accounts

Fully managed, dedicated, and corporate-owned work profile devices
Add new users: Block prevents users from adding new users. Each user has a
personal space on the device for custom Home screens, accounts, apps, and
settings. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow users to add other users to the device.
User can configure credentials (work profile-level): Block prevents users from
configuring certificates assigned to devices, even devices that aren't associated
with a user account. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might make it possible for users to
configure or change their credentials when they access them in the keystore.

Fully managed and dedicated devices
User removal: Block prevents users from removing users. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to remove other users from the device.
Personal Google Accounts: Block prevents users from adding their personal
Google account to the device. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to add
their personal Google account.

Dedicated devices
Account changes: Block prevents users from updating or changing accounts when
in kiosk mode. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to update user accounts
on the device.

Applications

Fully managed, dedicated, and corporate-owned work profile devices
Allow installation from unknown sources: Allow lets users turn on Unknown
sources. This setting allows apps to install from unknown sources, including
sources other than the Google Play Store. It allows users to side-load apps on the
device using means other than the Google Play Store. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
prevent users from turning on Unknown sources.

App auto-updates (work profile-level): Devices check for app updates daily.
Choose when automatic updates are installed. Your options:
Not configured: Intune doesn't change or update this setting.
User choice: The OS might default to this option. Users can set their preferences
in the Managed Google Play app.
Never: Updates are never installed. This option isn't recommended.
Wi-Fi only: Updates are installed only when the device is connected to a Wi-Fi
network.
Always: Updates are installed when they're available.

Allow access to all apps in Google Play store: When set to Allow:
Users get access to all apps in the Google Play store.
Users can't use apps that are explicitly targeted with uninstall.
Users can't use apps that are added to a blocklist on the personal profile of
corporate-owned devices with a work profile.

For more information on excluding users and groups from specific apps, see
Include and exclude app assignments.

When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might:
Only show apps in the Managed Google Play store that are approved, or apps
that are required.
Uninstall apps that were installed outside of the Managed Google Play store.

If you want to enable side-loading, set the Allow installation from unknown sources
and Allow access to all apps in Google Play store settings to Allow.

Dedicated devices
Clear local data in apps not optimized for Shared device mode: Add any app not
optimized for shared device mode to the list. The app's local data will be cleared
whenever a user signs out of an app that's optimized for shared device mode.
Available for dedicated devices enrolled with Shared mode running Android 9 and
later.

When you use this setting, users can't initiate sign out from non-optimized apps
and get single sign-out.
Users will need to sign out of an app that has been optimized for Shared Device
mode. Microsoft apps that are optimized for Shared device mode on Android
include Teams and Intune’s Managed Home Screen.
For apps that haven't been optimized for Shared Device mode, deleting
application data extends to local app storage only. Data may be left in other
areas of the device. User identifying artifacts such as email address and
username may be left behind on the app and visible by others.
Non-optimized apps that provide support for multiple accounts could exhibit
indeterminate behavior and are therefore not recommended.

All non-optimized apps should be thoroughly tested before being used in multi-
user scenarios on shared devices to ensure they work as expected. For example,
validate your core scenarios in each app, verify that the app signs out properly, and
that all data is sufficiently cleared for your organization’s needs.

Connectivity

Fully managed, dedicated, and corporate-owned work profile devices
Always-on VPN (work profile-level): Enable sets the VPN client to automatically
connect and reconnect to the VPN. Always-on VPN connections stay connected.
Or, immediately connect when users lock their device, the device restarts, or the
wireless network changes.

Choose Not configured to disable always-on VPN for all VPN clients.

) Important

Be sure to deploy only one Always-on VPN policy to a single device. Deploying multiple Always-on VPN policies to a single device isn't supported.

VPN client: Choose a VPN client that supports Always On. Your options:
Cisco AnyConnect
F5 Access
Palo Alto Networks GlobalProtect
Pulse Secure
Custom
Package ID: Enter the package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is https://play.google.com/store/details?id=com.contosovpn.android.prod , then the package ID is com.contosovpn.android.prod .

) Important
The VPN client you choose must be installed on the device, and it must
support per-app VPN in corporate-owned work profiles. Otherwise, an
error occurs.
You do need to approve the VPN client app in the Managed Google Play
Store, sync the app to Intune, and deploy the app to the device. After you
do this, then the app is installed in the user's corporate-owned work
profile.
You still need to configure the VPN client with a VPN profile, or through an
app configuration profile.
There may be known issues when using per-app VPN with F5 Access for
Android 3.0.4. For more information, see F5's release notes for F5 Access
for Android 3.0.4 .

Lockdown mode: Enable forces all network traffic to use the VPN tunnel. If a
connection to the VPN isn't established, then the device won't have network
access. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow traffic to flow through the VPN tunnel or
through the mobile network.

Fully managed and dedicated devices
Recommended global proxy: Enable adds a global proxy to the devices. When
enabled, HTTP and HTTPS traffic, including some apps on the device, use the proxy
you enter. This proxy is only a recommendation. It's possible some apps won't use
the proxy. Not configured (default) doesn't add a recommended global proxy.

For more information on this feature, see setRecommendedGlobalProxy (opens an Android site).

When enabled, also enter the Type of proxy. Your options:

Direct: Manually enter the proxy server details, including:
Host: Enter the hostname or IP address of your proxy server. For example, enter proxy.contoso.com or 127.0.0.1 .
Port number: Enter the TCP port number used by the proxy server. For
example, enter 8080 .
Excluded hosts: Enter a list of host names or IP addresses that won't use the
proxy. This list can include an asterisk ( * ) wildcard and multiple hosts
separated by semicolons ( ; ) with no spaces. For example, enter
127.0.0.1;web.contoso.com;*.microsoft.com .
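The following script is an added example, not Android or Intune code. It applies the Excluded hosts syntax above (entries separated by semicolons, no spaces, `*` as a wildcard) to decide whether a given URL goes direct or through the configured proxy, and reports the answer in the `DIRECT` / `PROXY host:port` vocabulary that a PAC file's FindProxyForURL returns, so the same logic serves for reasoning about the Proxy Auto-Config option. The sample host, port, and exclusion list are constructed values; the exact wildcard semantics Android applies (here: a shell-style match against the whole host name, case-insensitive) are an assumption.

```python
"""Decide whether a request bypasses a recommended global proxy, using the
'Excluded hosts' syntax this article describes. Added example, not Android or
Intune code. ASSUMPTION: '*' is matched shell-style against the whole host
name, case-insensitively, so '*.microsoft.com' does not match 'microsoft.com'.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample values for the Direct proxy fields on this page.
PROXY_HOST = "proxy.contoso.com"
PROXY_PORT = 8080
EXCLUDED_HOSTS = "127.0.0.1;web.contoso.com;*.microsoft.com"


def parse_excluded_hosts(value: str) -> list:
    """Split the admin-center string into patterns, rejecting the spaces the
    field does not accept and dropping the empty entry a trailing ';' leaves."""
    if any(c.isspace() for c in value):
        raise ValueError("excluded hosts must be separated by ';' with no spaces")
    return [p.lower() for p in value.split(";") if p]


def host_is_excluded(host: str, patterns: list) -> bool:
    """True if `host` matches any exclusion pattern."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, p) for p in patterns)


def route_for(url: str, excluded: str = EXCLUDED_HOSTS,
              proxy_host: str = PROXY_HOST, proxy_port: int = PROXY_PORT) -> str:
    """Return 'DIRECT' or 'PROXY host:port' for a URL, as a PAC file would.
    The page says HTTP and HTTPS traffic uses the proxy; other schemes are
    treated as direct here."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "DIRECT"
    if host_is_excluded(parts.hostname, parse_excluded_hosts(excluded)):
        return "DIRECT"
    return f"PROXY {proxy_host}:{proxy_port}"


if __name__ == "__main__":
    for u in ("https://learn.microsoft.com/intune", "https://microsoft.com/",
              "http://127.0.0.1:8000/health", "https://web.contoso.com/app"):
        print(u, "->", route_for(u))
```

Because this proxy is only a recommendation (the page notes some apps won't use it), a routing decision like the one above tells you what well-behaved apps will do, not what every app will do; if outbound traffic must be forced through an inspection point, pair it with the Always-on VPN Lockdown mode setting rather than relying on the proxy alone.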

Proxy Auto-Config: Enter the PAC URL to a proxy autoconfiguration script. For
example, enter https://proxy.contoso.com/proxy.pac .

For more information on PAC files, see Proxy Auto-Configuration (PAC) file
(opens a non-Microsoft site).
For more information on this feature, see setRecommendedGlobalProxy (opens
an Android site).

Work profile password

These settings apply to corporate-owned work profiles.

Required password type: Enter the required password complexity level, and
whether biometric devices can be used. Your options:

Device default

Password required, no restrictions

Weak biometric: Strong vs. weak biometrics (opens Android's web site)

Numeric: Password must only be numbers, such as 123456789 . Also enter:
Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.

Numeric complex: Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed. Also enter:
Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.

Alphabetic: Letters in the alphabet are required. Numbers and symbols aren't
required. Also enter:
Minimum password length: Enter the minimum length the password must
have, between 4 and 16 characters.

Alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters. Also enter:
Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.

Alphanumeric with symbols: Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols. Also enter:
Minimum password length: Enter the minimum length the password must
have, between 4 and 16 characters.
Number of characters required: Enter the number of characters the
password must have, between 0 and 16 characters.
Number of lowercase characters required: Enter the number of lowercase
characters the password must have, between 0 and 16 characters.
Number of uppercase characters required: Enter the number of uppercase
characters the password must have, between 0 and 16 characters.
Number of non-letter characters required: Enter the number of non-letters
(anything other than letters in the alphabet) the password must have,
between 0 and 16 characters.
Number of numeric characters required: Enter the number of numeric
characters ( 1 , 2 , 3 , and so on) the password must have, between 0 and 16
characters.
Number of symbol characters required: Enter the number of symbol
characters ( & , # , % , and so on) the password must have, between 0 and 16
characters.

Number of days until password expires: Enter the number of days, until the device
password must be changed, from 1-365. For example, enter 90 to expire the
password after 90 days. When the password expires, users are prompted to create
a new password. When the value is blank, Intune doesn't change or update this
setting.

Number of passwords required before user can reuse a password: Use this
setting to restrict users from creating previously used passwords. Enter the number
of previously used passwords that can't be used, from 1-24. For example, enter 5
so users can't set a new password to their current password or any of their
previous four passwords. When the value is blank, Intune doesn't change or
update this setting.

Number of sign-in failures before wiping device: Enter the number of wrong
passwords allowed before the device is wiped, from 4-11. 0 (zero) might disable
the device wipe functionality. When the value is blank, Intune doesn't change or
update this setting.

7 Note

Fully managed, dedicated, and corporate-owned work profile devices are not
prompted to set a password. The settings are required, but users might not be
notified. Users need to set the password manually. The policy reports as failed
until the user sets a password that meets your requirements.

Required unlock frequency: Strong authentication is when users unlock the work
profile using a password, PIN, or pattern. Non-strong authentication methods are
when users unlock the work profile using some biometric options, such as a
fingerprint or face scan.
Select how long users have before they're required to unlock the work profile
using a strong authentication method. Your options:
Device default (default): The screen locks using the device's default time.
24 hours since last pin, password, or pattern unlock: The screen locks 24 hours
after users last used a strong authentication method to unlock the work profile.
When the timeout is reached, non-strong authentication methods are disabled
until the work profile is unlocked using strong authentication.

2.3.4 Advanced passcode management: Strong Authentication required timeout (opens Android's web site)

Personal profile
Camera: Block prevents access to the camera during personal use. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow using the camera in the personal profile.
Screen capture: Block prevents screen captures during personal use. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow users to get screen captures or screenshots in the personal
profile.
Allow users to enable app installation from unknown sources in the personal
profile: Select Allow so users can install apps from unknown sources in the
personal profile. It allows users to install apps from sources other than the Google
Play Store. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might prevent users from installing apps from
unknown sources in the personal profile.
Type of restricted apps list: Select Allow apps to create a list of Managed Google
Play apps that are allowed and approved to install and run in the personal profile
on the device. Select Blocked apps to create a list of Managed Google Play apps
that are prohibited and prevented from installing and running in the personal
profile on the device. When set to Not configured (default), Intune doesn't include
a list of apps to allow or block.

Custom support information


Using these settings, you can customize some support messages shown to users, and
show these messages in different languages.

By default, the OEM default messages are shown. When you deploy a custom message
using Intune, the Intune default message is also deployed. If you don't enter a custom
message for the device's default language, then the Intune default message is
automatically shown.

By default, the Intune default message is in English (United States).

For example, you deploy a custom message for English and French. The user changes
the device's default language to Spanish. Since you didn't deploy a custom message to
the Spanish language, then the Intune default message is shown.

The Intune default message is translated for all languages in the Endpoint Manager
admin center (Settings > Language + Region). The Language setting value
determines the default language used by Intune. By default, it's set to English.

You can configure the following settings:

Short support message: When users try to change a setting that's managed by the
organization, a short message is shown.

Using the following settings, you can customize this message and enter a different
message for different languages. By default, this message is in English (United
States).

All, except when specified: This message is the Intune default message, and is
shown for all languages. If you don't enter a custom message, then this text is
automatically shown. This text is also automatically translated to the device's
default language.

You can change this message. Any changes aren't translated. If you delete all
the text in this message and leave this setting blank, then the following original
short Intune default message is used and is translated:

You do not have permission for this action. For more information, contact
your IT admin.

Select Locale: Select the locale or region to show a different custom message
for that specific locale.

For example, to show a custom message on devices using Spanish as the
default language, select Spanish (Spain). Only devices using the Spanish (Spain)
default language will see your custom message. All other languages will see the
All, except when specified message text.

You can add multiple locales and messages.


Message: Enter the text you want shown, a max of 200 characters. The text you
enter isn't translated to the device's default language. So if you want to show a
message in Spanish, enter the text in Spanish.

Long support message: On the device, in Settings > Security > Device admin
apps > Device Policy, a long support message is shown.

Using the following settings, you can customize this message and enter a different
message for different languages. By default, this message is in English (United
States).

All, except when specified: This message is the Intune default message, and is
shown for all languages. If you don't enter a custom message, then this text is
automatically shown, and is automatically translated to the device's default
language.

You can change this message. Any changes aren't translated. If you delete all
the text in this message and leave this setting blank, then the following original
long Intune default message is used and is translated:

The organization's IT admin can monitor and manage apps and data associated
with this device, including settings, permissions, corporate access,
network activity and the device's location information.

Select Locale: Select the locale or region to show a different custom message
for that specific locale.

For example, to show a custom message on devices using Spanish as the
default language, select Spanish (Spain). Only devices using the Spanish (Spain)
default language will see your custom message. All other languages will see the
All, except when specified message text.

You can add multiple locales and messages.

Message: Enter the text you want shown, a max of 4096 characters. The text you
enter isn't translated to the device's default language. So if you want to show a
message in Spanish, enter the text in Spanish.

Lock screen message: Enter the text you want shown on the device lock screen.

Using the following settings, you can customize this message and enter a different
message for different languages. By default, this message is in English (United
States).
All, except when specified: Enter the text you want shown for all languages, a
max of 4096 characters. This text is automatically translated to the device's
default language. If you don't enter a custom message, then Intune doesn't
change or update this setting. By default, the OS might not show a lock screen
message.

Select Locale: Select the locale or region to show a different custom message
for that specific locale.

For example, to show a custom message on devices using Spanish as the
default language, select Spanish (Spain). Only devices using the Spanish (Spain)
default language will see your custom message. All other languages will see the
All, except when specified message text.

You can add multiple locales and messages.

Message: Enter the text you want shown, a max of 4096 characters. The text you
enter isn't translated to the device's default language. So if you want to show a
message in Spanish, enter the text in Spanish.

When you configure the Lock screen message, you can also use the following
device tokens to show device-specific information:
{{AADDeviceId}}: Azure AD device ID
{{AccountId}}: Intune tenant ID or account ID
{{DeviceId}}: Intune device ID
{{DeviceName}}: Intune device name
{{domain}}: Domain name
{{EASID}}: Exchange Active Sync ID
{{IMEI}}: IMEI of the device
{{mail}}: Email address of the user
{{MEID}}: MEID of the device
{{partialUPN}}: UPN prefix before the @ symbol
{{SerialNumber}}: Device serial number
{{SerialNumberLast4Digits}}: Last four digits of the device serial number
{{UserId}}: Intune user ID
{{UserName}}: User name
{{userPrincipalName}}: UPN of the user

Note
Variables aren't validated in the UI and are case sensitive. As a result, you may
see profiles saved with incorrect input. For example, if you enter
{{DeviceID}}, instead of {{deviceid}} or {{DEVICEID}}, then the literal string
is shown instead of the device's unique ID. Be sure to enter the correct
information. All lowercase or all uppercase variables are supported, but not a
mix.
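To catch the case-sensitivity mistake the note describes before a profile is saved, here is an added Python example (not Microsoft's code) that lints a lock screen message against the token list and the 4096-character limit documented above, and rewrites mis-cased tokens to their documented spelling. The token names and the limit come from this page; the check itself and the sample message are assumptions.

```python
"""Pre-flight lint for Intune Android Enterprise lock screen message text.

Added example, not Microsoft's code. It models two rules from the docs:
the message is at most 4096 characters, and a device token is substituted
only when written exactly as documented, all lowercase, or all uppercase;
any other casing is shown to the user as a literal string.
"""
import re

MAX_LOCK_SCREEN_CHARS = 4096

# Token names exactly as documented for the lock screen message.
LOCK_SCREEN_TOKENS = (
    "AADDeviceId", "AccountId", "DeviceId", "DeviceName", "domain", "EASID",
    "IMEI", "mail", "MEID", "partialUPN", "SerialNumber",
    "SerialNumberLast4Digits", "UserId", "UserName", "userPrincipalName",
)

# Case-folded name -> documented spelling, used to recognise mis-cased tokens.
_CANONICAL_BY_LOWER = {name.lower(): name for name in LOCK_SCREEN_TOKENS}

# Matches {{...}} placeholders; the inner text is whatever the admin typed.
_TOKEN_RE = re.compile(r"\{\{([^{}]+)\}\}")


def _accepted_spellings(canonical: str) -> set[str]:
    """The three spellings the docs say are substituted on the device."""
    return {canonical, canonical.lower(), canonical.upper()}


def lint_lock_screen_message(text: str) -> list[tuple[str, str]]:
    """Return (kind, detail) findings; an empty list means the text is clean.

    kinds: "too_long"   - exceeds the 4096-character limit
           "mixed_case" - a known token in a casing that is shown literally
           "unknown"    - a placeholder that is not a documented token
    """
    findings: list[tuple[str, str]] = []
    if len(text) > MAX_LOCK_SCREEN_CHARS:
        findings.append(("too_long", f"{len(text)} > {MAX_LOCK_SCREEN_CHARS}"))
    for match in _TOKEN_RE.finditer(text):
        name = match.group(1)
        canonical = _CANONICAL_BY_LOWER.get(name.lower())
        if canonical is None:
            findings.append(("unknown", name))
        elif name not in _accepted_spellings(canonical):
            findings.append(("mixed_case",
                             "{{" + name + "}} -> {{" + canonical + "}}"))
    return findings


def canonicalize_tokens(text: str) -> str:
    """Rewrite mis-cased known tokens to their documented spelling.

    Unknown placeholders are left untouched so the admin can review them.
    """
    def _fix(match: re.Match) -> str:
        name = match.group(1)
        canonical = _CANONICAL_BY_LOWER.get(name.lower())
        if canonical is None or name in _accepted_spellings(canonical):
            return match.group(0)
        return "{{" + canonical + "}}"

    return _TOKEN_RE.sub(_fix, text)


if __name__ == "__main__":
    # Constructed sample: the docs' own {{DeviceID}} mistake plus an unknown token.
    sample = "Property of Contoso. Device {{DeviceID}} used by {{mail}} ({{Dept}})"
    for kind, detail in lint_lock_screen_message(sample):
        print(f"{kind}: {detail}")
    print(canonicalize_tokens(sample))
```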

Next steps
Assign the profile and monitor its status.

You can also create dedicated device kiosk profiles for Android and Windows 10 devices.

Configure and troubleshoot Android enterprise devices in Microsoft Intune.


Android Enterprise device settings list to
allow or restrict features on personally
owned devices using Intune
Article • 05/04/2023

This article describes the different settings you can control on Android Enterprise
devices. As part of your mobile device management (MDM) solution, use these settings
to allow or disable features, control security, and more.

This feature applies to:

Android Enterprise personally owned devices with a work profile (BYOD)

Tip

For AOSP, go to Android (AOSP) device settings to allow or restrict features
using Intune.
For Android Enterprise corporate-owned work profile (COPE), fully managed
(COBO), or dedicated devices (COSU), go to Android Enterprise device
settings to allow or restrict features on corporate-owned devices using
Intune.

Before you begin


Create an Android device administrator device restrictions configuration profile.

When you create device restriction policies, there are many settings available. To
help determine the settings that are right for your organization, you can use the
security configuration framework guidance:
Android Enterprise personally owned work profile security settings

Work profile settings


These settings apply to Android Enterprise personally owned devices with a work profile
(BYOD).

General settings
Copy and paste between work and personal profiles: Block prevents copy-and-
paste between work and personal apps. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow users
to share data using copy-and-paste with apps in the personal profile.

Data sharing between work and personal profiles: Choose if apps in the work
profile can share with apps in the personal profile. For example, you can control
sharing actions within applications, such as the Share… option in the Chrome
browser app. This setting doesn't apply to copy/paste clipboard behavior. Your
options:
Device default: Sharing from the work profile to the personal profile is blocked.
Sharing from the personal profile to the work profile is allowed.
Apps in work profile can handle sharing request from personal profile:
Enables the built-in Android feature that allows sharing from the personal
profile to the work profile. When enabled, a sharing request from an app in the
personal profile can share with apps in the work profile.
No restrictions on sharing: Enables sharing across the work profile boundary in
both directions. When you select this setting, apps in the work profile can share
data with unbadged apps in the personal profile. This setting allows managed
apps in the work profile to share with apps on the unmanaged side of the
device. So, use this setting carefully.

Work profile notifications while device locked: Block prevents window
notifications, including toasts, incoming calls, outgoing calls, system alerts, and
system errors from showing on locked devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
show notifications.

Default app permissions: Sets the default permission policy for all apps in the
work profile. Starting with Android 6, users are prompted to grant certain
permissions required by apps when the app is launched. This policy setting lets
you decide if users are prompted to grant permissions for all apps in the work
profile. For example, you assign an app to the work profile that requires location
access. Normally that app prompts users to approve or deny location access to the
app. Use this policy to automatically grant permissions without a prompt,
automatically deny permissions without a prompt, or let users decide. Your
options:
Device default
Prompt
Auto grant
Auto deny
You can also use an app configuration policy to grant permissions for individual
apps (Apps > App configuration policies).

Add and remove accounts: This setting allows or prevents accounts from being
added in the work profile, including Google accounts. Your options:

Allow all account types, except Google accounts (default): Intune doesn't
change or update this setting. By default, the OS might allow adding accounts
in the work profile.

In a previous release, this setting was named Not configured.

Allow all account types: Allows all accounts, including Google accounts. These
Google accounts are blocked from installing apps from the Managed Google
Play Store.

You can also configure:

Google domain allow-list: Restricts users to add only certain Google account
domains in the work profile. You can import a list of allowed domains in the
following CSV format, one domain per line:

contoso.com
microsoft.com

Or, add the domains individually using the contoso.com format. When left
blank, by default, the OS might allow adding all Google domains in the work
profile.

This setting requires:

Google Play app version 80970100 or higher

Block all account types: Prevents users from manually adding or removing
accounts in the work profile. For example, when you deploy the Gmail app into
the work profile, you can prevent users from adding or removing accounts in
this work profile.

Note

On personally owned devices with a work profile (BYOD) and corporate owned
devices with work profile (COPE), Google accounts can't be added to the
Settings app > Accounts > Work.
Contact sharing via Bluetooth: Enable allows sharing and access to personally
owned devices with a work profile contacts from another device, including a car,
that's paired using Bluetooth. Enabling this setting may allow certain Bluetooth
devices to cache work contacts upon first connection. Disabling this policy after an
initial pairing/sync may not remove work contacts from a Bluetooth device.

When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might not share work contacts.

This setting applies to:

Android 8.0 and newer personally owned devices with a work profile

Screen capture: Block prevents screenshots or screen captures on the device in the
work profile. It also prevents the content from being shown on display devices that
don't have a secure video output. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow getting
screenshots.

Display work contact caller-id in personal profile: Block doesn't show the work
contact caller number in the personal profile. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
show work contact caller details.

This setting applies to:

Android 8.0 and newer personally owned devices with a work profile

Search work contacts from personal profile: Block prevents users from searching
for work contacts in apps in the personal profile. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow searching for work contacts in the personal profile.

Camera: Block prevents access to the camera on the device in the personally
owned work profile. The camera on the personal side isn't affected by the setting.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow access to the camera.

Allow widgets from work profile apps: Enable allows users to put widgets
exposed by apps on the home screen. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might disable this
feature.

For example, Outlook is installed on your users' work profile. When set to Enable,
users can put the agenda widget on the device home screen.
Work Profile Password
These password settings apply to the work profile password on personally owned
devices with a work profile.

All Android devices

Require Work Profile Password: Require forces a passcode policy that only applies
to apps in the work profile. By default, users can use the two separately defined
PINs. Or, users can combine the PINs into the stronger of the two PINs. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to use work apps without entering a password.

This setting applies to:

Android 8.0 and newer personally owned devices with a work profile

Maximum minutes of inactivity until work profile locks: Enter the length of time
devices must be idle before the screen is automatically locked. Users must enter
their credentials to regain access. For example, enter 5 to lock the device after 5
minutes of being idle. When the value is blank or set to Not configured, Intune
doesn't change or update this setting.

On devices, users can't set a time value greater than the configured time in the
profile. Users can set a lower time value. For example, if the profile is set to 15
minutes, users can set the value to 5 minutes. Users can't set the value to 30
minutes.

Number of sign-in failures before wiping device: Enter the number of wrong
passwords allowed before the work profile on the device is wiped, from 4-11. 0
(zero) might disable the device wipe functionality. When the value is blank, Intune
doesn't change or update this setting.

Password expiration (days): Enter the number of days until user passwords must
be changed (from 1-365).

Prevent reuse of previous passwords: Use this setting to restrict users from
creating previously used passwords. Enter the number of previously used
passwords that can't be used, from 1-24. For example, enter 5 so users can't set a
new password to their current password or any of their previous four passwords.
When the value is blank, Intune doesn't change or update this setting.

Face unlock: Block prevents users from using the device's facial recognition to
unlock the personally owned work profile. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow users
to unlock the device using facial recognition.

Fingerprint unlock: Block prevents users from using the device's fingerprint
scanner to unlock the personally owned work profile. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow users to unlock the device using a fingerprint.

Iris unlock: Block prevents users from using the device's iris scanner to unlock the
personally owned work profile. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to
unlock the device using the iris scanner.

Smart Lock and other trust agents: Block prevents Smart Lock or other trust
agents from adjusting lock screen settings on compatible devices. If devices are in
a trusted location, then this feature, also known as a trust agent, lets you disable or
bypass the device lock screen password. For example, bypass the work profile
password when devices are connected to a specific Bluetooth device, or when
devices are close to an NFC tag. Use this setting to prevent users from configuring
Smart Lock.

When set to Not configured (default), Intune doesn't change or update this
setting.

Android 12 and later

Password complexity: Use this setting to set the password complexity
requirements. Your options:
None: Intune doesn't change or update this setting. By default, the OS may not
require a password.
Low: A pattern or PIN with repeating (4444) or ordered (1234, 4321, 2468)
sequences are allowed.
Medium: PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are
blocked. The length, alphabetic length, or alphanumeric length must be at least
4 characters.
High: PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are
blocked. The length must be at least 8 characters. The alphabetic or
alphanumeric length must be at least 6 characters.

On personally owned devices with a work profile, there are two passwords affected
by this Password complexity setting:
The device password that unlocks the device
The work profile password that allows users to access the work profile

If the device password complexity is too low, then the device password is
automatically changed to require a High complexity. The end users must update
the device password to meet the complexity requirements. Then, they sign into the
work profile and are prompted to update the work profile complexity configured in
the Password complexity setting in your policy.

Important

Before the Password complexity setting was available, the Required
password type and Minimum password length settings were used. These
settings are still available, but they're deprecated by Google for Android 12+
personally owned devices with a work profile. For information on these
settings, go to Android 11 and earlier (in this article).

Here's what you need to know:

If the Required password type and Minimum password length settings are
changed from the default values in a policy, then:

Newly enrolled Android Enterprise 12+ devices will automatically use
the Password complexity setting with the High complexity. So if you
don't want a High password complexity, then create a new policy for
Android Enterprise 12+ devices and configure the Password complexity
setting.

Existing Android Enterprise 12+ devices will continue to use the
Required password type and Minimum password length settings, and
the existing values that are already configured.

If you change an existing policy with the Required password type and
Minimum password length settings that are already configured, then
Android Enterprise 12+ devices will automatically use the Password
complexity setting with the High complexity.

For Android Enterprise 12+ devices, it's recommended to configure the
Password complexity setting.

If the Required password type and Minimum password length settings
aren't changed from the default values in a policy, then no password policy
is automatically applied to newly enrolled Android Enterprise 12+ devices.

Android 11 and earlier

Important

Google is deprecating these Required password type and Minimum
password length settings for Android 12+ personally owned devices with a
work profile and replacing them with new password complexity requirements. For
more information about this change, go to Day zero support for Android
13.
On Android Enterprise 12+ devices, use the Password complexity setting.

Required password type: Enter the required password complexity level, and
whether biometric devices can be used. Your options:
Device default (default): Intune doesn't change or update this setting. By
default, the OS might not require a password.
Low security biometric: Strong vs. weak biometrics (opens Android's web
site)
Required
At least numeric: Includes numeric characters, such as 123456789.
Numeric complex: Repeated or consecutive numbers, such as 1111 or 1234,
aren't allowed.
At least alphabetic: Includes letters in the alphabet. Numbers and symbols
aren't required.
At least alphanumeric: Includes uppercase letters, lowercase letters, and
numeric characters.
At least alphanumeric with symbols: Includes uppercase letters, lowercase
letters, numeric characters, punctuation marks, and symbols.

Minimum password length: Enter the minimum length the password must have,
between 4 (default) and 16 characters.

Password
These password settings apply to the device password on personally owned devices
with a work profile.
All Android devices
Maximum minutes of inactivity until screen locks: Enter the length of time devices
must be idle before the screen is automatically locked. Users must enter their
credentials to regain access. For example, enter 5 to lock the device after 5
minutes of being idle. When the value is blank or set to Not configured, Intune
doesn't change or update this setting.

On devices, users can't set a time value greater than the configured time in the
profile. Users can set a lower time value. For example, if the profile is set to 15
minutes, users can set the value to 5 minutes. Users can't set the value to 30
minutes.

Number of sign-in failures before wiping device: Enter the number of wrong
passwords allowed before the personally owned work profile in the device is
wiped, from 4-11. 0 (zero) might disable the device wipe functionality. When the
value is blank, Intune doesn't change or update this setting.

Password expiration (days): Enter the number of days, until the device password
must be changed, from 1-365. For example, enter 90 to expire the password after
90 days. When the password expires, users are prompted to create a new
password. When the value is blank, Intune doesn't change or update this setting.

Prevent reuse of previous passwords: Use this setting to restrict users from
creating previously used passwords. Enter the number of previously used
passwords that can't be used, from 1-24. For example, enter 5 so users can't set a
new password to their current password or any of their previous four passwords.
When the value is blank, Intune doesn't change or update this setting.

Fingerprint unlock: Block prevents users from using the device's fingerprint
scanner to unlock the device. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to unlock the
device using a fingerprint.

Face unlock: Block prevents users from using the device's facial recognition to
unlock the device. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to unlock the device using
facial recognition.

Iris unlock: Block prevents users from using the device's iris scanner to unlock the
device. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to unlock the device using the iris
scanner.
Smart Lock and other trust agents: Block prevents Smart Lock or other trust
agents from adjusting lock screen settings on compatible devices. If devices are in
a trusted location, then this feature, also known as a trust agent, lets you disable or
bypass the device lock screen password. For example, bypass the personally owned
work profile password when devices are connected to a specific Bluetooth device,
or when devices are close to an NFC tag. Use this setting to prevent users from
configuring Smart Lock.

When set to Not configured (default), Intune doesn't change or update this
setting.

Android 12 and later

Password complexity: Use this setting to set the password complexity
requirements. Your options:
None: Intune doesn't change or update this setting. By default, the OS may not
require a password.
Low: A pattern or PIN with repeating (4444) or ordered (1234, 4321, 2468)
sequences are allowed.
Medium: PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are
blocked. The length, alphabetic length, or alphanumeric length must be at least
4 characters.
High: PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are
blocked. The length must be at least 8 characters. The alphabetic or
alphanumeric length must be at least 6 characters.

On personally owned devices with a work profile, there are two passwords affected
by this Password complexity setting:
The device password that unlocks the device
The work profile password that allows users to access the work profile

If the device password complexity is too low, then the device password is
automatically changed to require a High complexity. The end users must update
the device password to meet the complexity requirements. Then, they sign into the
work profile and are prompted to update the work profile complexity configured in
the Password complexity setting in your policy.

Important

Before the Password complexity setting was available, the Required
password type and Minimum password length settings were used. These
settings are still available, but they're deprecated by Google for Android 12+
personally owned devices with a work profile. For more information on these
settings, go to Android 11 and earlier (in this article).

Here's what you need to know:

If the Required password type and Minimum password length settings are
changed from the default values in a policy, then:

Newly enrolled Android Enterprise 12+ devices will automatically use
the Password complexity setting with the High complexity. So if you
don't want a High password complexity, then create a new policy for
Android Enterprise 12+ devices and configure the Password complexity
setting.

Existing Android Enterprise 12+ devices will continue to use the
Required password type and Minimum password length settings, and
the existing values that are already configured.

If you change an existing policy with the Required password type and
Minimum password length settings that are already configured, then
Android Enterprise 12+ devices will automatically use the Password
complexity setting with the High complexity.

For Android Enterprise 12+ devices, it's recommended to configure the
Password complexity setting.

If the Required password type and Minimum password length settings
aren't changed from the default values in a policy, then no password policy
is automatically applied to newly enrolled Android Enterprise 12+ devices.

Android 11 and earlier

Important

Google is deprecating these Required password type and Minimum
password length settings for Android 12+ personally owned devices with a
work profile and replacing them with new password complexity requirements. For
more information about this change, go to Day zero support for Android
13.
On Android Enterprise 12+ devices, use the Password complexity setting.

Required password type: Enter the required password complexity level, and
whether biometric devices can be used. Your options:
Device default (default): Intune doesn't change or update this setting. By
default, the OS might not require a password.
Low security biometric: Strong vs. weak biometrics (opens Android's web
site)
Required
At least numeric: Includes numeric characters, such as 123456789.
Numeric complex: Repeated or consecutive numbers, such as 1111 or 1234,
aren't allowed.
At least alphabetic: Includes letters in the alphabet. Numbers and symbols
aren't required.
At least alphanumeric: Includes uppercase letters, lowercase letters, and
numeric characters.
At least alphanumeric with symbols: Includes uppercase letters, lowercase
letters, numeric characters, punctuation marks, and symbols.

Minimum password length: Enter the minimum length the password must have,
between 4 (default) and 16 characters.
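As an added example (not Intune's or Android's code), the following Python models the Android 12+ Password complexity levels described above and the Numeric complex rule of the Android 11 and earlier settings, as this page states them, so an admin can check which level a candidate device or work profile password would satisfy. The four-digit sequence threshold and the numeric/alphabetic/alphanumeric classification are assumptions, not taken from the page.

```python
"""Model of the Password complexity levels as the Intune docs describe them.

Added example, not Intune's or Android's code. Assumptions, labelled:
a "repeating or ordered sequence" is a run of four or more digits with a
constant step (4444, 1234, 4321, 2468); a password is classed as numeric
(all digits), alphabetic (all letters) or alphanumeric (anything else).
"""

LEVELS = ("None", "Low", "Medium", "High")
_DIGITS = set("0123456789")


def longest_constant_step_run(digits: str) -> int:
    """Length of the longest run whose neighbouring digits differ by a constant.

    Repeats (step 0) and ordered sequences (step +1, -1, +2, ...) both count.
    """
    if not digits:
        return 0
    longest, run, prev_step = 1, 1, None
    for i in range(1, len(digits)):
        step = int(digits[i]) - int(digits[i - 1])
        run = run + 1 if step == prev_step else 2
        prev_step = step
        longest = max(longest, run)
    return longest


def has_repeating_or_ordered_sequence(pin: str) -> bool:
    """True for PINs such as 4444, 1234, 4321 or 2468 (assumed threshold: 4).

    This is also the check the Numeric complex password type applies.
    """
    return longest_constant_step_run(pin) >= 4


def password_complexity(password: str) -> str:
    """Highest level (None/Low/Medium/High) the password satisfies."""
    if not password:
        return "None"
    if all(c in _DIGITS for c in password):
        # Medium and High both reject repeating or ordered PIN sequences.
        if has_repeating_or_ordered_sequence(password):
            return "Low"
        if len(password) >= 8:      # High: PIN length at least 8
            return "High"
        return "Medium" if len(password) >= 4 else "Low"
    # Alphabetic or alphanumeric: High needs 6+, Medium needs 4+ characters.
    if len(password) >= 6:
        return "High"
    return "Medium" if len(password) >= 4 else "Low"


def meets_level(password: str, required: str) -> bool:
    """Does the password satisfy the level configured in the Intune policy?"""
    return LEVELS.index(password_complexity(password)) >= LEVELS.index(required)


if __name__ == "__main__":
    # Constructed samples, including the docs' own example sequences.
    for candidate in ("1234", "4444", "2468", "1359", "73195062", "abcd", "Pa55"):
        print(f"{candidate!r}: {password_complexity(candidate)}")
```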

System security
Threat scan on apps: Require enforces that the Verify Apps setting is enabled for
work and personal profiles. When set to Not configured (default), Intune doesn't
change or update this setting.

This setting applies to:

Android 8 (Oreo) and newer personally owned devices with a work profile

Prevent app installations from unknown sources in the personal profile: By
design, Android Enterprise personally owned devices with a work profile can't
install apps from sources other than the Play Store. This setting allows
administrators more control of app installations from unknown sources. Block
prevents app installations from sources other than the Google Play Store in the
personal profile. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow app installations from unknown
sources in the personal profile. By nature, personally owned devices with a work
profile are intended to be dual-profile:
A personally owned device with a work profile managed using MDM.
A personal profile that's isolated from MDM management.

Connectivity
Always-on VPN: Enable sets a VPN client to automatically connect and reconnect
to the VPN. Always-on VPN connections stay connected. Or, immediately connect
when users lock their device, the device restarts, or the wireless network changes.

When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might disable always-on VPN for all VPN clients.

Important

Be sure to deploy only one Always On VPN policy to a single device.
Deploying multiple Always On VPN policies to a single device isn't supported.

VPN client: Choose a VPN client that supports Always On. Your options:
Cisco AnyConnect
F5 Access
Palo Alto Networks GlobalProtect
Pulse Secure
Custom
Package ID: Enter the package ID of the app in the Google Play store. For
example, if the URL for the app in the Play store is
https://play.google.com/store/details?id=com.contosovpn.android.prod,
then the package ID is com.contosovpn.android.prod.

Important
The VPN client you choose must be installed on the device. It must also
support per-app VPN in personally owned devices with a work profile.
Otherwise, an error occurs.
You do need to approve the VPN client app in the Managed Google Play
Store, sync the app to Intune, and deploy the app to the device. After you
do this, then the app is installed in the user's personally owned devices
with a work profile.
There may be known issues when using per-app VPN with F5 Access for
Android 3.0.4. For more information, see F5's release notes for F5 Access
for Android 3.0.4.
Lockdown mode: Enable forces all network traffic to use the VPN tunnel. If a
connection to the VPN isn't established, then the device won't have network
access.

When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow traffic to flow through the VPN tunnel or
through the mobile network.

Next steps
Assign the profile and monitor its status.

Configure and troubleshoot Android enterprise devices in Microsoft Intune.


Android Enterprise device settings to
configure email, authentication, and
synchronization in Intune
Article • 02/21/2023

This article describes the different email settings you can control on Android Enterprise
personally owned devices with a work profile. As part of your mobile device
management (MDM) solution, use these settings to configure an Exchange email server,
use SSL to encrypt emails, and more. The email profile uses the email app on the device,
and allows users to connect to their organization email.

This feature applies to:

Android Enterprise personally owned devices with a work profile (BYOD)

On Android Enterprise fully managed, dedicated, and corporate-owned work profile
devices, use app configuration policies. For Android device administrator, see
Android device settings to configure email.

As an Intune administrator, you can create and assign email settings to Android
Enterprise personally owned devices with a work profile. To learn more about email
profiles in Intune, see configure email settings.

Before you begin

Deploy your email app. For more information, go to Configure email apps.
If your profile will use Gmail and you want to use modern authentication, then
you may have to deploy the Google Chrome app to the work profile.

Create an Android Enterprise email device configuration profile > Personally-owned
work profile.

Android Enterprise
Email app: Select Gmail or Nine Work. This app is the client app that connects to
the email server you enter.

Email server: Enter the host name of your Exchange server. For example, enter
outlook.office365.com .
Username attribute from AAD: This name is the attribute Intune gets from Azure
Active Directory (Azure AD). Intune dynamically generates the username that's
used by this profile. Make sure your users have email addresses that match the
attribute you select. Your options:
User Principal Name: Gets the name, such as user1 or user1@contoso.com .
User name: Gets only the name, such as user1 .

Email address attribute from AAD: This name is the email attribute Intune gets
from Azure AD. Intune dynamically generates the email address that's used by this
profile. Your options:
User principal name: Uses the full principal name, such as user1@contoso.com or
user1 , as the email address.

Primary SMTP address: Uses the primary SMTP address, such as
user1@contoso.com, to sign in to Exchange.

Authentication method: Select Username and Password or Certificates as the
authentication method used by the email profile.
If you select Certificates, select a client SCEP or PKCS certificate profile that you
previously created to authenticate the Exchange connection.

SSL: Choose Enable to use Secure Sockets Layer (SSL) communication, which in
practice means TLS, when sending emails, receiving emails, and communicating with
the Exchange server. Without it, credentials and mail content cross the network
unencrypted.

Amount of email to synchronize: Choose how far back in time email is synchronized
to the device. Or, select Unlimited to synchronize all available email.

Content type to sync (Nine Work only): Choose which data you want to
synchronize on the devices. Your options:
Contacts: Choose Enable to allow end users to sync contacts to their devices.
Calendar: Choose Enable to allow end users to sync the calendar to their
devices.
Tasks: Choose Enable to allow end users to sync any tasks to their devices.

Next steps
Assign the profile and monitor its status.

You can also create email profiles for Android Samsung Knox, iOS/iPadOS, and Windows
10 and later devices.
Android Enterprise device settings to
configure VPN in Intune
Article • 07/13/2023

This article describes the different VPN connection settings you can control on Android
Enterprise devices. As part of your mobile device management (MDM) solution, use
these settings to create a VPN connection, choose how the VPN authenticates, select a
VPN server type, and more.

This feature applies to:

Android Enterprise personally owned devices with a work profile (BYOD)
Android Enterprise corporate-owned work profile (COPE)
Android Enterprise corporate owned fully managed (COBO)
Android Enterprise corporate owned dedicated devices (COSU)

As an Intune administrator, you can create and assign VPN settings to Android
Enterprise devices. To learn more about VPN profiles in Intune, see VPN profiles.

Note

To configure always-on VPN, you need to create a VPN profile, and also create a
device restrictions profile with the Always-on VPN setting configured.

Before you begin

Create an Android Enterprise VPN device configuration profile:
Fully managed, dedicated, and corporate-owned work profile
Personally owned work profile

Some Microsoft 365 services, such as Outlook, may not perform well using third
party or partner VPNs. If you're using a third party or partner VPN, and experience
a latency or performance issue, then remove the VPN.

If removing the VPN resolves the behavior, then you can:

Work with the third party or partner VPN for possible resolutions. Microsoft
doesn't provide technical support for third party or partner VPNs.
Don't use a VPN with Outlook traffic.
If you need to use a VPN, then use a split-tunnel VPN. And, allow the Outlook
traffic to bypass the VPN.
For more information, go to:
Overview: VPN split tunneling for Microsoft 365
Using third-party network devices or solutions with Microsoft 365
Alternative ways for security professionals and IT to achieve modern security
controls in today's unique remote work scenarios blog
Microsoft 365 network connectivity principles

If you need these devices to access on-premises resources using modern
authentication and Conditional Access, then you can use the Microsoft Tunnel,
which supports split tunneling.

Fully Managed, Dedicated, and Corporate-Owned Work Profile

Connection type: Select the VPN connection type. Your options:

Cisco AnyConnect

SonicWall Mobile Connect

F5 Access

Pulse Secure

Microsoft Tunnel (Not supported on Android Enterprise dedicated devices.)

Important

Prior to support for using Microsoft Defender for Endpoint as the tunnel
client app, a standalone tunnel client app was available in preview and
used a connection type of Microsoft Tunnel (standalone client). As of June
14, 2021, both the standalone tunnel app and standalone client connection
type are deprecated, and they dropped from support after January 31, 2022.

The available settings depend on the VPN client you choose. Some settings are only
available for specific VPN clients.

Base VPN (fully managed, dedicated, and corporate-owned work profile)

Connection name: Enter a name for this connection. End users see this name when
they browse their device for the available VPN connections. For example, enter
Contoso VPN.

VPN server address or FQDN: Enter the IP address or fully qualified domain name
(FQDN) of the VPN server that devices connect to. For example, enter 192.168.1.1 or
vpn.contoso.com.

Authentication method: Choose how devices authenticate to the VPN server. Your
options:

Certificates: Select an existing SCEP or PKCS certificate profile to authenticate
the connection. Configure certificates lists the steps to create a certificate
profile.

Username and password: When end users sign into the VPN server, they're
prompted to enter their user name and password.

Derived credential: Use a certificate that's derived from a user's smart card. If
no derived credential issuer is configured, Intune prompts you to add one.

For more information, see Use derived credentials in Intune.

Enter key and value pairs for the NetMotion Mobility VPN attributes: Add or
import Keys and Values that customize your VPN connection. These values are
typically supplied by your VPN provider.

Microsoft Tunnel site (Microsoft Tunnel only): Select an existing site. The VPN
client connects to the public IP address or FQDN of this site.

For more information, see Microsoft Tunnel for Intune.

Per-app VPN (fully managed, dedicated, and corporate-owned work profile)
Add: Select managed apps from the list. When users start the apps you add, traffic
automatically routes through the VPN connection.

For more information, see Use a VPN and per-app VPN policy on Android Enterprise
devices.

Always-on VPN (fully managed, dedicated, and corporate-owned work profile)
Always-on VPN: Enable turns on always-on VPN so VPN clients automatically
connect and reconnect to the VPN when possible. When set to Not configured,
Intune doesn't change or update this setting. By default, always-on VPN might be
disabled for all VPN clients.

Only one VPN client can be configured for always-on VPN on a device. Be sure to
have no more than one always-on VPN policy deployed to a single device.

Proxy (fully managed, dedicated, and corporate-owned work profile)
Automatic configuration script: Use a file to configure the proxy server. Enter the
proxy server URL that includes the configuration file. For example, enter
http://proxy.contoso.com/pac .

Address: Enter the IP address or fully qualified host name of the proxy server. For
example, enter 10.0.0.3 or vpn.contoso.com .
Port number: Enter the port number associated with the proxy server. For example,
enter 8080 .

Personally owned work profile

Connection type: Select the VPN connection type. Your options:

Check Point Capsule VPN

Cisco AnyConnect

Note

With Cisco AnyConnect in the personally owned work profile, there may be
some extra steps for end users to complete the VPN connection. For more
information, go to VPN profiles - What successful VPN profiles look like.

SonicWall Mobile Connect

F5 Access

Pulse Secure

NetMotion Mobility

Microsoft Tunnel

Important

Prior to support for using Microsoft Defender for Endpoint as the tunnel
client app, a standalone tunnel client app was available in preview and
used a connection type of Microsoft Tunnel (standalone client). As of June
14, 2021, both the standalone tunnel app and standalone client connection
type are deprecated, and they dropped from support after January 31, 2022.

The available settings depend on the VPN client you choose. Some settings are only
available for specific VPN clients.

Base VPN (personally owned work profile)

Connection name: Enter a name for this connection. End users see this name when
they browse their device for the available VPN connections. For example, enter
Contoso VPN.

VPN server address: Enter the IP address or fully qualified domain name (FQDN) of
the VPN server that devices connect to. For example, enter 192.168.1.1 or
vpn.contoso.com.

Authentication method: Choose how devices authenticate to the VPN server. Your
options:

Certificates: Select an existing SCEP or PKCS certificate profile to authenticate
the connection. Configure certificates lists the steps to create a certificate
profile.

Username and password: When end users sign into the VPN server, they're
prompted to enter their user name and password.

Derived credential: Use a certificate that's derived from a user's smart card. If
no derived credential issuer is configured, Intune prompts you to add one.

For more information, see Use derived credentials in Intune.

Fingerprint (Check Point Capsule VPN only): Enter the fingerprint string given to
you by the VPN vendor, such as Contoso Fingerprint Code . This fingerprint verifies
that the VPN server can be trusted.

When authenticating, a fingerprint is sent to the client so the client knows to trust
any server that has the same fingerprint. If the device doesn't have the fingerprint,
it prompts the user to trust the VPN server while showing the fingerprint. The user
manually verifies the fingerprint, and chooses to trust to connect.

Enter key and value pairs for the NetMotion Mobility VPN attributes: Add or
import Keys and Values that customize your VPN connection. These values are
typically supplied by your VPN provider.

Microsoft Tunnel site (Microsoft Tunnel only): Select an existing site. The VPN
client connects to the public IP address or FQDN of this site.

For more information, see Microsoft Tunnel for Intune.

Per-app VPN (personally owned work profile)

Add: Select managed apps from the list. When users start the apps you add, traffic
automatically routes through the VPN connection.

For more information, see Use a VPN and per-app VPN policy on Android Enterprise
devices.

Always-on VPN (personally owned work profile)

Always-on VPN: Enable turns on always-on VPN so VPN clients automatically
connect and reconnect to the VPN when possible. When set to Not configured,
Intune doesn't change or update this setting. By default, always-on VPN might be
disabled for all VPN clients.

Only one VPN client can be configured for always-on VPN on a device. Be sure to
have no more than one always-on VPN policy deployed to a single device.
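The two checks this article and the Always-on VPN device restriction above both call out, that no device receives more than one always-on VPN policy, and that the Package ID field gets the value from the `id` parameter of the Play Store URL, can be run over an exported list of profiles before assignment. The following is an added example, not code from the Intune documentation or product. The dict keys (name, always_on, lockdown, vpn_client, assigned_groups) and the sample profiles are this example's own assumptions, not Intune's export schema.

```python
"""Added example, not code from the Intune documentation or product: offline checks
over Android Enterprise VPN settings before they're assigned.

Assumed profile shape (this example's own, not Intune's export schema): a dict with
name, always_on (bool), lockdown (bool), vpn_client (Play Store URL or package ID),
assigned_groups (set of group IDs), mirroring the settings described in this article
and in the Always-on VPN device restriction.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Android package names: two or more dot-separated segments, each starting with a letter.
PACKAGE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def package_id_from_play_url(url: str) -> str:
    """Return the package ID carried in the `id` query parameter of a Play Store URL,
    which is the value the Package ID field expects."""
    ids = parse_qs(urlparse(url).query).get("id", [])
    if len(ids) != 1 or not PACKAGE_ID_RE.match(ids[0]):
        raise ValueError(f"no valid Android package ID in {url!r}")
    return ids[0]


def normalize_client(value: str) -> str:
    """Accept a bare package ID or a Play Store URL and return the package ID."""
    if value.startswith(("http://", "https://")):
        return package_id_from_play_url(value)
    if not PACKAGE_ID_RE.match(value):
        raise ValueError(f"{value!r} is not a valid Android package ID")
    return value


def lint_profile(profile: dict) -> list[str]:
    """Per-profile findings. Lockdown without always-on does nothing: on Android,
    lockdown is a flag of DevicePolicyManager.setAlwaysOnVpnPackage()."""
    findings: list[str] = []
    try:
        normalize_client(profile["vpn_client"])
    except ValueError as exc:
        findings.append(f"{profile['name']}: {exc}")
    if profile.get("lockdown") and not profile.get("always_on"):
        findings.append(f"{profile['name']}: lockdown mode set without always-on VPN")
    return findings


def always_on_conflicts(profiles: list[dict]) -> dict[str, list[str]]:
    """Groups that are assigned more than one always-on VPN profile. A device in such a
    group receives several always-on policies, which isn't supported."""
    by_group: dict[str, list[str]] = defaultdict(list)
    for p in profiles:
        if p.get("always_on"):
            for group in p["assigned_groups"]:
                by_group[group].append(p["name"])
    return {g: sorted(names) for g, names in by_group.items() if len(names) > 1}


# Constructed sample export (not real tenant data).
SAMPLE_PROFILES = [
    {"name": "Sales always-on", "always_on": True, "lockdown": True,
     "vpn_client": "https://play.google.com/store/details?id=com.contosovpn.android.prod",
     "assigned_groups": {"grp-sales", "grp-field"}},
    {"name": "Field always-on", "always_on": True, "lockdown": False,
     "vpn_client": "com.contosovpn.android.prod",
     "assigned_groups": {"grp-field"}},
    {"name": "Legacy per-app", "always_on": False, "lockdown": True,
     "vpn_client": "Not a package",
     "assigned_groups": {"grp-eng"}},
]

if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        for finding in lint_profile(p):
            print("finding:", finding)
    for group, names in always_on_conflicts(SAMPLE_PROFILES).items():
        print(f"conflict: group {group} gets always-on VPN from {', '.join(names)}")
```

The conflict check works at the group level, which is where Intune assignment happens; a device that is a member of two groups that each receive a different always-on profile is the case the warning in this article describes, and it is easy to miss when profiles are assigned by different administrators.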

Proxy (personally owned work profile)

Automatic configuration script: Use a file to configure the proxy server. Enter the
proxy server URL that includes the configuration file. For example, enter
http://proxy.contoso.com/pac .

Address: Enter the IP address or fully qualified host name of the proxy server. For
example, enter 10.0.0.3 or vpn.contoso.com .
Port number: Enter the port number associated with the proxy server. For example,
enter 8080 .

Next steps
Assign the profile and monitor its status.

You can also create VPN profiles for Android device administrator, iOS/iPadOS, macOS,
and Windows 10 and later.

Troubleshooting VPN profile issues in Microsoft Intune


Add Wi-Fi settings for Android
Enterprise dedicated and fully managed
devices in Microsoft Intune
Article • 06/14/2023

You can create a profile with specific Wi-Fi settings, and then deploy this profile to your
Android Enterprise fully managed and dedicated devices. Microsoft Intune offers many
features, including authenticating to your network, using a pre-shared key, and more.

This feature applies to:

Android Enterprise personally owned devices with a work profile (BYOD)
Android Enterprise corporate owned work profile (COPE)
Android Enterprise corporate owned fully managed (COBO)
Android Enterprise corporate owned dedicated devices (COSU)

This article describes these settings. Use Wi-Fi on your devices includes more
information about the Wi-Fi feature in Microsoft Intune.

Before you begin

Create an Android Enterprise Wi-Fi device configuration profile:

Fully managed, dedicated, and corporate-owned work profile
Personally owned work profile

Fully Managed, Dedicated, and Corporate-Owned Work Profile

Select this option if you're deploying to an Android Enterprise dedicated,
corporate-owned work profile, or fully managed device.

Basic
Wi-Fi type: Select Basic.

Network name: Enter a name for this Wi-Fi connection. End users see this name
when they browse their device for available Wi-Fi connections. For example, enter
Contoso WiFi.
SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.

Connect automatically: Enable automatically connects to your Wi-Fi network when
devices are in range. Select Disable to prevent or block this automatic connection.

When devices are connected to another preferred Wi-Fi connection, then they
won't automatically connect to this Wi-Fi network. If devices fail to connect
automatically when this setting is enabled, then disconnect the devices from any
existing Wi-Fi connections.

Hidden network: Select Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcast. Select Disable to show this
network in the list of available networks on the device. Hiding the SSID isn't a
security control: devices configured for a hidden network actively probe for it,
which reveals the network name to anyone listening.

Wi-Fi type: Select the security protocol to authenticate to the Wi-Fi network. Your
options:
Open (no authentication): Only use this option if the network is unsecured.
WEP-Pre-shared key: Enter the password in Pre-shared key. When your
organization's network is set up or configured, a password or network key is
also configured. Enter this password or network key for the PSK value. WEP is
cryptographically broken, so don't use it for networks that carry organization data.
WPA-Pre-shared key: Enter the password in Pre-shared key. When your
organization's network is set up or configured, a password or network key is
also configured. Enter this password or network key for the PSK value.

Proxy settings: Select a proxy configuration. Your options:

None: No proxy settings are configured.

Manual: Manually configure the proxy settings:

Proxy server address: Enter the IP address of the proxy server. For example,
enter 10.0.0.22 .

Port number: Enter the port number of the proxy server. For example, enter
8080 .

Exclusion list: Enter a hostname or IP address that won't use the proxy. You
can use the * wildcard character and enter multiple host names and IP
addresses. If you enter multiple host names or IP addresses, each must be on
a separate line. For example, you can enter:
*.contoso.com
test.contoso1.com
mysite.contoso2.com
10.0.0.5
10.0.0.6

Automatic: Use a file to configure the proxy server. Enter the Proxy server URL
that contains the configuration file. For example, enter
http://proxy.contoso.com, 10.0.0.11, or http://proxy.contoso.com/proxy.pac.

For more information on PAC files, see Proxy Auto-Configuration (PAC) file
(opens a non-Microsoft site).

Enterprise
Wi-Fi type: Select Enterprise.

SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.

Connect automatically: Enable automatically connects to your Wi-Fi network when
devices are in range. Select Disable to prevent or block this automatic connection.

When devices are connected to another preferred Wi-Fi connection, then they
won't automatically connect to this Wi-Fi network. If devices fail to connect
automatically when this setting is enabled, then disconnect the devices from any
existing Wi-Fi connections.

Hidden network: Select Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcasted. Select Disable to show this
network in the list of available networks on the device.

EAP type: Select the Extensible Authentication Protocol (EAP) type used to
authenticate secured wireless connections. Your options:

EAP-TLS: To authenticate, the Extensible Authentication Protocol (EAP)
Transport Layer Security (TLS) uses a digital certificate on the server, and a
digital certificate on the client. Both certificates are signed by a certificate
authority (CA) that the server and client trust.

Also enter:

Radius server name: Enter the DNS name that's used in the certificate
presented by the Radius Server during client authentication to the Wi-Fi
access point. For example, enter Contoso.com , uk.contoso.com , or
jp.contoso.com .

If you have multiple Radius servers with the same DNS suffix in their fully
qualified domain name, then you can enter only the suffix. For example, you
can enter contoso.com .

When you enter this value, user devices can bypass the dynamic trust dialog
that's sometimes shown when connecting to the Wi-Fi network.

On Android 11 and newer, new Wi-Fi profiles may require this setting be
configured. Otherwise, the devices may not connect to your Wi-Fi network.

Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate. In that case the client relies on the system trust store, so
also enter the Radius server name; otherwise a certificate for any name issued
by any public CA would pass server validation.

Note

Depending on your Android OS version and your Wi-Fi authentication
infrastructure, the certificate requirements can vary. You may need to
add the SHA thumbprint of the certificate used by your network policy
server (NPS). Or, if your Radius or NPS server has a publicly signed
certificate, then a root certificate may not be needed for validation.

A good practice is to enter the Radius server name and add a Root
certificate for server validation.

Authentication method: Select the authentication method used by your
device clients. Your options:
Derived credential: Use a certificate that's derived from a user's smart
card. If no derived credential issuer is configured, Intune prompts you to
add one. For more information, see Use derived credentials in Microsoft
Intune.
Certificates: Select the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous. During
authentication, this anonymous identity is initially sent in the clear, and then
followed by the real identity sent in a secure tunnel.

EAP-TTLS: To authenticate, the Extensible Authentication Protocol (EAP)
Tunneled Transport Layer Security (TTLS) uses a digital certificate on the server.
When the client makes the authentication request, the server uses the tunnel,
which is a secure connection, to complete the authentication request.

Also enter:

Radius server name: Enter the DNS name that's used in the certificate
presented by the Radius Server during client authentication to the Wi-Fi
access point. For example, enter Contoso.com , uk.contoso.com , or
jp.contoso.com .

If you have multiple Radius servers with the same DNS suffix in their fully
qualified domain name, then you can enter only the suffix. For example, you
can enter contoso.com .

When you enter this value, user devices can bypass the dynamic trust dialog
that's sometimes shown when connecting to the Wi-Fi network.

On Android 11 and newer, new Wi-Fi profiles may require this setting be
configured. Otherwise, the devices may not connect to your Wi-Fi network.

Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.

Authentication method: Select the authentication method used by your
device clients. Your options:

Derived credential: Use a certificate that's derived from a user's smart
card. If no derived credential issuer is configured, Intune prompts you to
add one. For more information, see Use derived credentials in Microsoft
Intune.

Username and Password: Prompt the user for a user name and password
to authenticate the connection. Also enter:
Non-EAP method (inner identity): Choose how you authenticate the
connection. Be sure you select the same protocol that's configured on
your Wi-Fi network. Your options:
Unencrypted password (PAP)
Microsoft CHAP (MS-CHAP)
Microsoft CHAP Version 2 (MS-CHAP v2)
All three inner methods are protected only by the TLS tunnel. If server
validation (Radius server name and root certificate) isn't configured, a rogue
access point that presents its own certificate can complete the tunnel and
capture the credential: directly with PAP, or as a crackable challenge-response
with MS-CHAP and MS-CHAP v2.

Certificates: Select the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.

Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed
by the real identification sent in a secure tunnel.

PEAP: Protected Extensible Authentication Protocol (PEAP) encrypts and
authenticates using a protected tunnel. Also enter:

Radius server name: Enter the DNS name that's used in the certificate
presented by the Radius Server during client authentication to the Wi-Fi
access point. For example, enter Contoso.com , uk.contoso.com , or
jp.contoso.com .

If you have multiple Radius servers with the same DNS suffix in their fully
qualified domain name, then you can enter only the suffix. For example, you
can enter contoso.com .

When you enter this value, user devices can bypass the dynamic trust dialog
that's sometimes shown when connecting to the Wi-Fi network.

On Android 11 and newer, new Wi-Fi profiles may require this setting be
configured. Otherwise, the devices may not connect to your Wi-Fi network.

Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.

Authentication method: Select the authentication method used by your
device clients. Your options:
Derived credential: Use a certificate that's derived from a user's smart
card. If no derived credential issuer is configured, Intune prompts you to
add one. For more information, see Use derived credentials in Microsoft
Intune.

Username and Password: Prompt the user for a user name and password
to authenticate the connection. Also enter:

Non-EAP method for authentication (inner identity): Choose how you
authenticate the connection. Be sure you select the same protocol
that's configured on your Wi-Fi network. Your options:
None
Microsoft CHAP Version 2 (MS-CHAP v2)

Certificates: Select the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.

Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed
by the real identification sent in a secure tunnel.

Proxy settings: Select a proxy configuration. Your options:

None: No proxy settings are configured.

Manual: Manually configure the proxy settings:

Proxy server address: Enter the IP address of the proxy server. For example,
enter 10.0.0.22 .

Port number: Enter the port number of the proxy server. For example, enter
8080 .

Exclusion list: Enter a hostname or IP address that won't use the proxy. You
can use the * wildcard character and enter multiple host names and IP
addresses. If you enter multiple host names or IP addresses, each must be on
a separate line. For example, you can enter:
*.contoso.com
test.contoso1.com
mysite.contoso2.com
10.0.0.5
10.0.0.6

Automatic: Use a file to configure the proxy server. Enter the Proxy server URL
that contains the configuration file. For example, enter
http://proxy.contoso.com, 10.0.0.11, or http://proxy.contoso.com/proxy.pac.

For more information on PAC files, see Proxy Auto-Configuration (PAC) file
(opens a non-Microsoft site).

Note

When a device is marked as corporate during enrollment (organization-owned),
policies control device features and settings. Users can be prevented from
managing features and settings in the policy. When a Wi-Fi policy is assigned to
devices, then Wi-Fi is enabled, and users can be prevented from turning off Wi-Fi.

Personally owned work profile

Basic (personally owned work profile)

Wi-Fi type: Select Basic.
SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.
Hidden network: Select Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcasted. Select Disable to show this
network in the list of available networks on the device.

Enterprise (personally owned work profile)

Wi-Fi type: Select Enterprise.

SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.

Hidden network: Select Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcasted. Select Disable to show this
network in the list of available networks on the device.

EAP type: Select the Extensible Authentication Protocol (EAP) type used to
authenticate secured wireless connections. Your options:

EAP-TLS: Also enter:

Certificate server names: Add one or more common names used in the
certificates issued by your trusted certificate authority (CA) to your wireless
network access servers. For example, add mywirelessserver.contoso.com or
mywirelessserver. When you enter this information, you can bypass the
dynamic trust window displayed on user's devices when they connect to this
Wi-Fi network.

Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.

Certificates: Select the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the device
to the server to authenticate the connection.

Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by
the real identification sent in a secure tunnel.

EAP-TTLS: Also enter:

Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.

Authentication method: Select the authentication method used by your
device clients. Your options:

Username and Password: Prompt the user for a user name and password
to authenticate the connection. Also enter:
Non-EAP method (inner identity): Choose how you authenticate the
connection. Be sure you select the same protocol that's configured on
your Wi-Fi network. Your options:
Unencrypted password (PAP)
Microsoft CHAP (MS-CHAP)
Microsoft CHAP Version 2 (MS-CHAP v2)

Certificates: Select the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.

Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed
by the real identification sent in a secure tunnel.

PEAP: Also enter:

Root certificate for server validation: Select an existing trusted root
certificate profile. When the client connects to the network, this certificate is
used to validate the certificate the server presents, establishing a chain of
trust before the client authenticates inside the tunnel.

Authentication method: Select the authentication method used by your
device clients. Your options:

Username and Password: Prompt the user for a user name and password
to authenticate the connection. Also enter:

Non-EAP method for authentication (inner identity): Choose how you
authenticate the connection. Be sure you select the same protocol
that's configured on your Wi-Fi network. Your options:
None
Microsoft CHAP Version 2 (MS-CHAP v2)

Certificates: Select the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.

Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous. During
authentication, this anonymous identity is initially sent, and then followed
by the real identification sent in a secure tunnel.

Proxy settings: Select a proxy configuration. Your options:

None: No proxy settings are configured.

Automatic: Use a file to configure the proxy server. Enter the Proxy server URL
that contains the configuration file. For example, enter
http://proxy.contoso.com, 10.0.0.11, or http://proxy.contoso.com/proxy.pac.

For more information on PAC files, see Proxy Auto-Configuration (PAC) file
(opens a non-Microsoft site).

Next steps
The profile is created, but might not be doing anything. Be sure to assign this profile
and monitor its status.

You can also create Wi-Fi profiles for Android, iOS/iPadOS, macOS, and Windows 10.

Troubleshoot common issues with Wi-Fi profiles.


Use custom settings for iOS and iPadOS
devices in Microsoft Intune
Article • 05/16/2023

Important

Don't use custom configuration profiles for sensitive information, such as Wi-Fi
connections or authenticating apps, sites, and more. Instead, use the built-in
profiles for sensitive information, as they're designed and configured to handle
sensitive information.

For example, use the built-in Wi-Fi profile to deploy a Wi-Fi connection. Use the
built-in certificates profile for authentication.

Using Microsoft Intune, you can add or create custom settings for your iOS/iPadOS
devices using "custom profiles". Custom profiles are a feature in Intune. They're
designed to add device settings and features that aren't built in to Intune.

This feature applies to:

iOS/iPadOS

When using iOS/iPadOS devices, there are two ways to get custom settings into Intune:

Apple Configurator
Apple Profile Manager

You can use these tools to export settings to a configuration profile. In Intune, you
import this file, and then assign the profile to your iOS/iPadOS users and devices. Once
assigned, the settings are distributed. They also create a baseline or standard for
iOS/iPadOS in your organization.

This article provides some guidance on using Apple Configurator and Apple Profile
Manager, and describes the properties you can configure.

Before you begin

Create an iOS/iPadOS custom device configuration profile.

What you need to know

When using Apple Configurator to create the configuration profile, be sure the
settings you export are compatible with the iOS/iPadOS version on the devices. For
information on resolving incompatible settings, search for Configuration Profile
Reference and Mobile Device Management Protocol Reference on the Apple
Developer website.

When using Apple Profile Manager, be sure to:

Enable mobile device management in Profile Manager.

Add iOS/iPadOS devices in Profile Manager.

After you add a device in Profile Manager, go to Library > Devices >
select your device > Settings. Enter the general settings for the device.

Download and save this file. You enter this file in the Intune profile.

Be sure the settings you export from the Apple Profile Manager are compatible
with the iOS/iPadOS version on the devices. For information on resolving
incompatible settings, search for Configuration Profile Reference and Mobile
Device Management Protocol Reference on the Apple Developer website.

Custom configuration profile settings

When you configure the profile, enter the following settings:

Custom configuration profile name: Enter a name for the policy. This name is
shown on the device, and in the Intune status.

Configuration profile file: Browse to the configuration profile you created using
the Apple Configurator or Apple Profile Manager. The max file size is 1000000
bytes (just under 1 MB). The imported file is shown in the File contents area.

You can also add device tokens to your custom configuration files. Device tokens
are used to add device-specific information. For example, to show the serial
number, enter {{serialnumber}}. On the device, the text shows similar to
123456789ABC, which is unique to each device. When entering variables, be sure to
use curly brackets {{ }}. App configuration tokens includes a list of variables that
can be used. You can also use deviceid or any other device-specific value.

Note

Variables aren't validated in the UI, and are case sensitive. As a result, you may
see profiles saved with incorrect input. For example, if you enter {{DeviceID}}
instead of {{deviceid}}, then the literal string is shown instead of the device's
unique ID. Be sure to enter the correct information.

Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile.

See how to create the profile on macOS devices.


iOS and iPadOS device settings to use
common iOS/iPadOS features in Intune
Article • 04/11/2023

Note

Intune may support more settings than the settings listed in this article. Not all
settings are documented, and won’t be documented. To see the settings you can
configure, create a device configuration profile, and select Settings Catalog. For
more information, see Settings catalog.

Intune includes some built-in settings to allow iOS/iPadOS users to use different Apple
features on their devices. For example, you can control AirPrint printers, add apps and
folders to the dock and home screen pages, show app notifications, show asset tag
details on the lock screen, use single sign-on authentication, and use certificate
authentication.

This feature applies to:

iOS/iPadOS

Use these features to control iOS/iPadOS devices as part of your mobile device
management (MDM) solution.

This article lists these settings, and describes what each setting does. For more
information on these features, go to Add iOS/iPadOS or macOS device feature settings.

Before you begin

Create an iOS/iPadOS device features configuration profile.

Note

These settings apply to different enrollment types, with some settings applying to
all enrollment options. For more information on the different enrollment types, see
iOS/iPadOS enrollment.

AirPrint
Settings apply to: All enrollment types

Note

Be sure to add all printers to the same profile. Apple prevents multiple AirPrint
profiles from targeting the same device.

IP address: Enter the IPv4 or IPv6 address of the printer. If you use hostnames to
identify printers, you can get the IP address by pinging the printer in the terminal.
Get the IP address and path (in this article) provides more details.
Resource path: The path is typically ipp/print for printers on your network. Get
the IP address and path (in this article) provides more details.
Port: Enter the listening port of the AirPrint destination. If you leave this property
blank, AirPrint uses the default port. Available on iOS 11.0+, and iPadOS 13.0+.
Force TLS: Enable secures AirPrint connections with Transport Layer Security (TLS).
Available on iOS 11.0+, and iPadOS 13.0+.

To add AirPrint servers, you can:

Enter printer details to add an AirPrint destination to the list. Many AirPrint servers
can be added.
Import a comma-separated file (.csv) with this information. Or, Export to create a
list of the AirPrint servers you added.

Get server IP address, resource path, and port

To add AirPrint servers, you need the IP address of the printer, the resource path, and
the port. The following steps show you how to get this information.

1. On a Mac that's connected to the same local network (subnet) as the AirPrint
printers, open Terminal (from /Applications/Utilities).

2. In the Terminal, type ippfind, and select Enter.

Note the printer information. For example, it may return something similar to
ipp://myprinter.local.:631/ipp/port1. The first part is the name of the printer.
The last part (ipp/port1) is the resource path.

3. In the Terminal, type ping myprinter.local, and select Enter.

Note the IP address. For example, it may return something similar to PING
myprinter.local (10.50.25.21).

4. Use the IP address and resource path values. In this example, the IP address is
10.50.25.21, and the resource path is /ipp/port1.

Home screen layout

This feature applies to:

iOS 9.3 or newer
iPadOS 13.0 and newer
Automated device enrollment (supervised)

Note

Only add an app once to the dock, page, folder on a page, or folder in the
dock. Adding the same app in any two places prevents the app from showing
on devices, and may show reporting errors.

For example, if you add the camera app to a dock and a page, the camera app
isn't shown, and reporting might show an error for the policy. To add the
camera app to the home screen layout, choose only the dock or a page, not
both.

When you apply a home screen layout, it overwrites any user-defined layout.
So, it's recommended to use home screen layouts on userless devices.

You can have preexisting apps installed on the device that are not included in
the home screen layout configuration. These apps are shown in alphabetical
order after the configured apps.

Home screen
Use this feature to add apps, and to see how these apps look on pages, the dock, and
within folders. It also shows you the app icons. Volume Purchase Program (VPP) apps,
line-of-business apps, and web link apps (web app URLs) are populated from the client
apps you add.

Layout size: Choose an appropriate grid size for the device's home screen. An app
or folder takes up one place in the grid. If the target device doesn't support the
selected size, some apps may not fit and will be pushed to the next available
position on a new page. For reference:
iPhone 6 and later support 4 columns x 6 rows
iPhone 5 supports 4 columns x 5 rows
iPads support 5 columns x 6 rows

+: Select the add button to add apps.

Create folder or add apps: Add an App or a Folder:

App: Select existing apps from the list. This option adds apps to the home
screen on devices. If you don't have any apps, then Add apps to Intune.

You can also search for apps by the app name, such as authenticator or drive.
Or, search by the app publisher, such as Microsoft or Apple.

Folder: Adds a folder to the home screen. Enter the Folder name, and select
existing apps from the list to go in the folder. This folder name is shown to users
on their devices.

You can also search for apps by the app name, such as authenticator or drive.
Or, search by the app publisher, such as Microsoft or Apple.

Apps are arranged from left to right, and in the same order as shown. Apps can
be moved to other positions. You can only have one page in a folder. As a
workaround, add nine (9) or more apps to the folder. Apps are automatically moved
to the next page. You can add any combination of VPP apps, web links (web
apps), store apps, line-of-business apps, and system apps.

Dock
Add up to four (4) items for iPhones, and up to six (6) items for iPads (apps and folders
combined) to the dock on the screen. Many devices support fewer items. For example,
iPhone devices support up to four items. So, only the first four items you add are shown.

+: Select the add button to add apps or folders to the dock.

Create folder or add apps: Add an App or a Folder:

App: Select existing apps from the list. This option adds apps to the dock on the
screen. If you don't have any apps, then Add apps to Intune.

You can also search for apps by the app name, such as authenticator or drive.
Or, search by the app publisher, such as Microsoft or Apple.
Folder: Adds a folder to the dock on the screen. Enter the Folder name, and
select existing apps from the list to go in the folder. This folder name is shown
to users on their devices.

You can also search for apps by the app name, such as authenticator or drive.
Or, search by the app publisher, such as Microsoft or Apple.

Apps are arranged from left to right, and in the same order as shown. Apps can
be moved to other positions. If you add more apps than can fit on a page, then
the apps are automatically moved to another page. You can add up to 20 pages
in a folder on the dock. You can add any combination of VPP apps, web links
(web apps), store apps, line-of-business apps, and system apps.

Note

When you use the Home Screen Layout settings to add pages, or add pages and
apps to the dock, the icons on the Home Screen and pages are locked. They can't
be moved or deleted. This behavior might be by design with iOS/iPadOS and
Apple's MDM policies.

Example
In the following example, the dock screen shows the Safari, Mail, and Stocks apps. The
Stocks app is selected to show its properties:

When you assign the policy to an iPhone, the dock looks similar to the following image:

App notifications

Settings apply to: Automated device enrollment (supervised)

Add: Add notifications for apps:

App bundle ID: Enter the App Bundle ID of the app you want to add. See
Bundle IDs for built-in iOS/iPadOS apps for some examples.
App name: Enter the name of the app you want to add. This name is used for
your reference in the Microsoft Intune admin center. It isn't shown on devices.
Publisher: Enter the publisher of the app you're adding. This name is used for
your reference in the Microsoft Intune admin center. It isn't shown on devices.
Notifications: Enable or Disable the app from sending notifications to devices.

Show in notifications center: Enable allows the app to show notifications in
the device Notification Center. Disable prevents the app from showing
notifications in the Notification Center.

Show on Lock Screen: Enable shows app notifications on the device lock
screen. Disable prevents the app from showing notifications on the lock
screen.

Alert type: When devices are unlocked, choose how the notification is shown.
Your options:
None: No notification is shown.
Banner: A banner is briefly shown with the notification. This setting might
also be known as Temporary Banner.
Modal: The notification is shown and users must manually dismiss it
before continuing to use the device. This setting might also be known as
Persistent Banner.
Badge on app icon: Select Enable to add a badge to the app icon. The badge
means the app sent a notification.

Enable sounds: Select Enable to play a sound when a notification is
delivered.

Show previews: Shows a preview of recent app notifications. Select when to
show the preview. The value you choose overrides the user configured value
on the device (Settings > Notifications > Show Previews). Your options:
Not configured: Intune doesn't change or update this setting.
When unlocked: The preview only shows when the device is unlocked.
Always: The preview always shows on the lock screen.
Never: The preview never shows.

This feature applies to:

iOS/iPadOS 14.0 and newer

Lock screen message

This feature applies to:

iOS 9.3 and later
iPadOS 13.0 and newer

Settings apply to: Automated device enrollment (supervised)

"If Lost, Return to..." Message: If devices are lost or stolen, enter a note that might
help get the device returned if found. You can enter any text you want. For
example, enter something like If found, call Contoso at ....

The text you enter is shown on the sign in window and lock screen on devices.

Asset tag information: Enter information about the asset tag of the device. For
example, enter Owned by Contoso Corp or Serial Number: {{serialnumber}}.

Device tokens can also be used to add device-specific information to these fields.
For example, to show the serial number, enter Serial Number: {{serialnumber}} or
Device ID: {{DEVICEID}}. On the lock screen, the text shows similar to Serial
Number 123456789ABC. When entering variables, be sure to use curly brackets {{ }}.

The following device information variables are supported:

{{AADDeviceId}}: Azure AD device ID
{{AccountId}}: Intune tenant ID or account ID
{{AccountName}}: Intune tenant name or account name
{{AppleId}}: Apple ID of the user
{{Department}}: Department assigned during Setup Assistant
{{DeviceId}}: Intune device ID
{{DeviceName}}: Intune device name
{{domain}}: Domain name
{{EASID}}: Exchange Active Sync ID
{{EDUUserType}}: Type of user
{{IMEI}}: IMEI of the device
{{mail}}: Email address of the user
{{ManagedAppleId}}: Managed Apple ID of the user
{{MEID}}: MEID of the device
{{partialUPN}}: UPN prefix before the @ symbol
{{SearchableDeviceKey}}: NGC Key ID
{{SerialNumber}}: Device serial number
{{SerialNumberLast4Digits}}: Last 4 digits of the device serial number
{{SIGNEDDEVICEID}}: Device ID blob assigned to client during Company Portal enrollment
{{SignedDeviceIdWithUserId}}: Device ID blob assigned to client with user-affinity during Apple Setup Assistant
{{UDID}}: Device UDID
{{UDIDLast4Digits}}: Last 4 digits of the device UDID
{{UserId}}: Intune user ID
{{UserName}}: User name
{{userPrincipalName}}: UPN of the user

Note

Variables aren't validated in the UI, and are case sensitive. As a result, you may
see profiles saved with incorrect input. For example, if you enter {{DeviceID}}
instead of {{deviceid}} or {{DEVICEID}}, then the literal string is shown
instead of the device's unique ID. Be sure to enter the correct information. All
lowercase or all uppercase variables are supported, but not a mix.
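Because the admin center accepts any token text, a mistyped variable only shows up as a literal string on the device (this applies both to custom configuration profiles, described earlier, and to the lock-screen fields above). The following added Python example, which is not Intune code, emulates the substitution rules this article states (the supported names, their all-lowercase and all-uppercase spellings, anything else left literal) so a profile string can be checked before it's assigned; the device values are constructed.

```python
import re

# Variables the article lists as supported in lock-screen fields, spelled as
# the article shows them. The article's note says all-lowercase and
# all-uppercase spellings are also accepted, but a mix of cases is left literal.
SUPPORTED_VARIABLES = [
    "AADDeviceId", "AccountId", "AccountName", "AppleId", "Department",
    "DeviceId", "DeviceName", "domain", "EASID", "EDUUserType", "IMEI",
    "mail", "ManagedAppleId", "MEID", "partialUPN", "SearchableDeviceKey",
    "SerialNumber", "SerialNumberLast4Digits", "SIGNEDDEVICEID",
    "SignedDeviceIdWithUserId", "UDID", "UDIDLast4Digits", "UserId",
    "UserName", "userPrincipalName",
]
_CANONICAL_BY_LOWER = {name.lower(): name for name in SUPPORTED_VARIABLES}

# A token is anything wrapped in double curly brackets, as the article requires.
TOKEN_RE = re.compile(r"\{\{([^{}]*)\}\}")


def accepted_spellings(canonical):
    """The spellings of one variable that the article says get substituted."""
    return {canonical, canonical.lower(), canonical.upper()}


def resolve_token(name):
    """Return the canonical variable name for a token, or None when the token
    would be left as a literal string on the device (unknown or mixed case)."""
    canonical = _CANONICAL_BY_LOWER.get(name.lower())
    if canonical is None or name not in accepted_spellings(canonical):
        return None
    return canonical


def lint_tokens(text):
    """Pre-assignment check: list every token the UI would save but the device
    would not substitute. An empty list means every token resolves."""
    problems = []
    for match in TOKEN_RE.finditer(text):
        name = match.group(1)
        canonical = _CANONICAL_BY_LOWER.get(name.lower())
        if canonical is None:
            problems.append(match.group(0) + ": not a supported variable")
        elif resolve_token(name) is None:
            problems.append(match.group(0) + ": mixed case, use {{"
                            + canonical.lower() + "}} or {{" + canonical.upper() + "}}")
    return problems


def render(text, device):
    """Emulate what the device shows: accepted tokens are replaced with the
    device's value, everything else stays exactly as typed."""
    def substitute(match):
        canonical = resolve_token(match.group(1))
        if canonical is None or canonical not in device:
            return match.group(0)
        return str(device[canonical])
    return TOKEN_RE.sub(substitute, text)


# Constructed sample device record (not real device data). Keys are the
# canonical variable names; derived values are computed from the base ones.
SAMPLE_DEVICE = {
    "SerialNumber": "123456789ABC",
    "DeviceId": "11111111-2222-3333-4444-555555555555",
    "UserName": "jdoe",
    "userPrincipalName": "jdoe@contoso.com",
}
SAMPLE_DEVICE["SerialNumberLast4Digits"] = SAMPLE_DEVICE["SerialNumber"][-4:]
SAMPLE_DEVICE["partialUPN"] = SAMPLE_DEVICE["userPrincipalName"].split("@")[0]


if __name__ == "__main__":
    lock_screen = "Owned by Contoso Corp. Serial Number: {{serialnumber}}, Device ID: {{DEVICEID}}"
    print(render(lock_screen, SAMPLE_DEVICE))
    for problem in lint_tokens("Asset: {{DeviceID}} / {{SerialNo}}"):
        print("WARNING:", problem)
```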

Single sign-on

Settings apply to: Device enrollment, Automated device enrollment (supervised)

Realm: Enter the domain part of the URL. For example, enter contoso.com.

Azure AD username attribute: Intune looks for this attribute for each user in Azure
AD. Intune then populates the respective field (such as UPN) before generating the
XML that gets installed on devices. Your options:

Not configured: Intune doesn't change or update this setting. By default, the
OS will prompt users for a Kerberos principal name when the profile is deployed
to devices. A principal name is required for MDMs to install SSO profiles.

User principal name: The user principal name (UPN) is parsed in the following
way:

You can also overwrite the realm with the text you enter in the Realm text box.

For example, Contoso has several regions, including Europe, Asia, and North
America. Contoso wants their Asia users to use SSO, and the app requires the
UPN in the username@asia.contoso.com format. When you select User Principal
Name, the realm for each user is taken from Azure AD, which is contoso.com. So
for users in Asia, select User Principal Name, and enter asia.contoso.com. The
user's UPN becomes username@asia.contoso.com, instead of
username@contoso.com.

Intune device ID: Intune automatically selects the Intune Device ID.

By default, apps only need to use the device ID. But if your app uses the realm
and the device ID, you can type the realm in the Realm text box.

Note

By default, keep the realm empty if you use device ID.

Azure AD device ID

SAM account name: Intune populates the on-premises Security Accounts
Manager (SAM) account name.

Apps: Add apps on users' devices that can use single sign-on.

The AppIdentifierMatches array must include strings that match app bundle IDs.
These strings may be exact matches, such as com.contoso.myapp, or enter a prefix
match on the bundle ID using the * wildcard character. The wildcard character
must appear after a period character (.), and may appear only once, at the end of
the string, such as com.contoso.*. When a wildcard is included, any app whose
bundle ID begins with the prefix is granted access to the account.

Use App Name to enter a user-friendly name to help you identify the bundle ID.
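A wildcard entry that breaks these rules, or that is broader than intended, hands the account to more apps than planned, so it's worth checking the list before assigning the profile. The following is an added Python example, not Intune or Apple code, that validates AppIdentifierMatches entries against the rules stated above and reports which installed apps a list of entries would grant access to; apart from com.contoso.myapp and com.contoso.* from the text, the bundle IDs are constructed.

```python
def validate_bundle_pattern(pattern):
    """Check one AppIdentifierMatches entry against the article's rules: either
    an exact bundle ID, or a prefix ending in '.*' with exactly one wildcard.
    Returns 'exact' or 'prefix', or raises ValueError."""
    if not pattern or pattern.isspace():
        raise ValueError("pattern is empty")
    if "*" not in pattern:
        return "exact"
    if pattern.count("*") != 1:
        raise ValueError(f"{pattern!r}: the wildcard may appear only once")
    if not pattern.endswith("*"):
        raise ValueError(f"{pattern!r}: the wildcard must be the last character")
    if not pattern.endswith(".*"):
        raise ValueError(f"{pattern!r}: the wildcard must follow a period")
    return "prefix"


def bundle_id_matches(pattern, bundle_id):
    """True if an app with this bundle ID is granted access by the entry.
    The prefix keeps its trailing period, so 'com.contoso.*' covers
    'com.contoso.mail' but not 'com.contosopartner.app' or 'com.contoso'."""
    kind = validate_bundle_pattern(pattern)
    if kind == "exact":
        return bundle_id == pattern
    return bundle_id.startswith(pattern[:-1])


def apps_granted_sso(patterns, installed_bundle_ids):
    """Audit helper: map every installed bundle ID to the entries that grant it
    access, so an over-broad wildcard is visible before the profile is assigned."""
    for pattern in patterns:
        validate_bundle_pattern(pattern)  # fail fast on a malformed entry
    return {
        bundle_id: [p for p in patterns if bundle_id_matches(p, bundle_id)]
        for bundle_id in installed_bundle_ids
    }


# Constructed sample data (not from a real tenant).
SAMPLE_PATTERNS = ["com.contoso.myapp", "com.contoso.*"]
SAMPLE_INSTALLED = [
    "com.contoso.myapp",
    "com.contoso.mail",
    "com.contosopartner.app",
    "com.contoso",
    "com.apple.mobilesafari",
]

if __name__ == "__main__":
    for bundle_id, hits in apps_granted_sso(SAMPLE_PATTERNS, SAMPLE_INSTALLED).items():
        status = "SSO via " + ", ".join(hits) if hits else "no access"
        print(f"{bundle_id:28} {status}")
```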

URL prefixes: Add any URLs in your organization that require user single sign-on
authentication.

For example, when a user connects to any of these sites, the iOS/iPadOS device
uses the single sign-on credentials. Users don't need to enter any additional
credentials. If multi-factor authentication is enabled, then users are required to
enter the second authentication.

Note

These URLs must be properly formatted FQDN. Apple requires these to be in
the http://<yourURL.domain> format.

The URL matching patterns must begin with either http:// or https://. A simple
string match is run, so the http://www.contoso.com/ URL prefix doesn't match
http://www.contoso.com:80/. With iOS 10.0+ and iPadOS 13.0+, a single wildcard *
may be used to enter all matching values. For example, http://*.contoso.com/
matches both http://store.contoso.com/ and http://www.contoso.com.

The http://.com and https://.com patterns match all HTTP and HTTPS URLs,
respectively.

Credential renewal certificate: If using certificates for authentication (not
passwords), select the existing SCEP or PFX certificate as the authentication
certificate. Typically, this certificate is the same certificate that's deployed to users
for other profiles, such as VPN, Wi-Fi, or email.
for other profiles, such as VPN, Wi-Fi, or email.

Web content filter

Settings apply to: Automated device enrollment (supervised)

Tip

These settings use Apple's Web Content Filter settings. For more information on
these settings, see Apple's Platform Deployment site (opens Apple's web site).

Filter Type: Choose to allow specific web sites. Your options:

Configure URLs: Use Apple's built-in web filter that looks for adult terms,
including profanity and sexually explicit language. This feature evaluates each
web page as it's loaded, and identifies and blocks unsuitable content. You can
also add URLs that you don't want checked by the filter. Or, block specific URLs,
regardless of Apple's filter settings.

Permitted URLs: Add the URLs you want to allow. These URLs bypass Apple's
web filter.

Note

The URLs you enter are the URLs you don't want evaluated by the Apple
web filter. These URLs aren't a list of allowed web sites. To create a list of
allowed websites, set the Filter Type to Specific websites only.

Blocked URLs: Add the URLs you want to stop from opening, regardless of
the Apple web filter settings.

Specific websites only (for the Safari web browser only): These URLs are added
to the Safari browser's bookmarks. Users are only allowed to visit these sites; no
other sites can be opened. Use this option only if you know the exact list of
URLs that users can access.
URL: Enter the URL of the website you want to allow. For example, enter
https://www.contoso.com.
Bookmark Path: Apple changed this setting. All bookmarks go into the
Allowed Sites folder. Bookmarks don't go into the bookmark path you enter.
Title: Enter a descriptive title for the bookmark.

If you don't enter any URLs, then users can't access any websites except for
microsoft.com, microsoft.net, and apple.com. These URLs are automatically
allowed by Intune.

Single sign-on app extension

This feature applies to:

iOS 13.0 and later
iPadOS 13.0 and later

Settings apply to: All enrollment types

SSO app extension type: Choose the type of SSO app extension. Your options:

Not configured: Intune doesn't change or update this setting. By default, the
OS doesn't use app extensions. To disable an app extension, you can switch the
SSO app extension type to Not configured.

Microsoft Azure AD: Uses the Microsoft Enterprise SSO plug-in, which is a
redirect-type SSO app extension. This plug-in provides SSO for Active Directory
accounts across all applications that support Apple's Enterprise Single Sign-On
feature. Use this SSO app extension type to enable SSO on Microsoft
apps, organization apps, and websites that authenticate using Azure AD.

The SSO plug-in acts as an advanced authentication broker that offers security
and user experience improvements. All apps that use the Microsoft
Authenticator app for authentication continue to get SSO with the Microsoft
Enterprise SSO plug-in for Apple devices.

Important

To achieve SSO with the Microsoft Azure AD SSO app extension type, first
install the iOS/iPadOS Microsoft Authenticator app on devices. The
Authenticator app delivers the Microsoft Enterprise SSO plug-in to devices,
and the MDM SSO app extension settings activate the plug-in. Once
Authenticator and the SSO app extension profile are installed on devices,
users must enter their credentials to sign in, and establish a session on
their devices. This session is then used across different applications without
requiring users to authenticate again. For more information about
Authenticator, see What is the Microsoft Authenticator app.

Redirect: Use a generic, customizable redirect app extension to use SSO with
modern authentication flows. Be sure you know the extension ID for your
organization's app extension.

Credential: Use a generic, customizable credential app extension to use SSO
with challenge-and-response authentication flows. Be sure you know the
extension ID for your organization's app extension.

Kerberos: Use Apple's built-in Kerberos extension, which is included on iOS
13.0+ and iPadOS 13.0+. This option is a Kerberos-specific version of the
Credential app extension.

Tip

With the Redirect and Credential types, you add your own configuration
values to pass through the extension. If you're using Credential, consider
using built-in configuration settings provided by Apple in the Kerberos type.

After users successfully sign in to the Authenticator app, they aren't prompted to
sign in to other apps that use the SSO extension. The first time users open
managed apps that don't use the SSO extension, they're prompted to select the
account that's signed in.

Enable shared device mode (Microsoft Azure AD only): Choose Yes if you're
deploying the Microsoft Enterprise SSO plug-in to iOS/iPadOS devices configured
for Azure AD's shared device mode feature. Devices in shared mode allow many
users to globally sign in and out of applications that support shared device mode.
When set to Not configured, Intune doesn't change or update this setting. By
default, iOS/iPadOS devices aren't intended to be shared among multiple users.

For more information about shared device mode and how to enable it, see
Overview of shared device mode and Shared device mode for iOS devices.

This feature applies to:

iOS/iPadOS 13.5 and newer

Extension ID (Redirect and Credential): Enter the bundle identifier that identifies
your SSO app extension, such as com.apple.extensiblesso.
Team ID (Redirect and Credential): Enter the team identifier of your SSO app
extension. A team identifier is a 10-character alphanumerical (numbers and letters)
string generated by Apple, such as ABCDE12345. The team ID isn't required.

Locate your Team ID (opens Apple's website) has more information.

Realm (Credential and Kerberos): Enter the name of your authentication realm. The
realm name should be capitalized, such as CONTOSO.COM. Typically, your realm name
is the same as your DNS domain name, but in all uppercase.

Domains (Credential and Kerberos): Enter the domain or host names of the sites
that can authenticate through SSO. For example, if your website is
mysite.contoso.com, then mysite is the host name, and .contoso.com is the
domain name. When users connect to any of these sites, the app extension
handles the authentication challenge. This authentication allows users to use Face
ID, Touch ID, or Apple pincode/passcode to sign in.
All the domains in your single sign-on app extension Intune profiles must be
unique. You can't repeat a domain in any sign-on app extension profile, even if
you're using different types of SSO app extensions.
These domains aren't case-sensitive.
The domain must begin with a period (.).

URLs (Redirect only): Enter the URL prefixes of your identity providers on whose
behalf the redirect app extension uses SSO. When users are redirected to these
URLs, the SSO app extension intervenes and prompts SSO.
All the URLs in your Intune single sign-on app extension profiles must be
unique. You can't repeat a domain in any SSO app extension profile, even if
you're using different types of SSO app extensions.
The URLs must begin with http:// or https://.

Additional configuration (Microsoft Azure AD, Redirect, and Credential): Enter
additional extension-specific data to pass to the SSO app extension:

Key: Enter the name of the item you want to add, such as user name or
AppAllowList.

Type: Enter the type of data. Your options:
String
Boolean: In Configuration value, enter True or False.
Integer: In Configuration value, enter a number.

Value: Enter the data.

Add: Select to add your configuration keys.

Block keychain usage (Kerberos only): Yes prevents passwords from being saved
and stored in the keychain. If blocked, users aren't prompted to save their
password, and need to reenter the password when the Kerberos ticket expires.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow passwords to be saved and stored in the
keychain. Users aren't prompted to reenter their password when the ticket expires.

Require Face ID, Touch ID, or passcode (Kerberos only): Yes forces users to enter
their Face ID, Touch ID, or device passcode when the credential is needed to
refresh the Kerberos ticket. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might not require users to use
biometrics or device passcode to refresh the Kerberos ticket. If Keychain usage is
blocked, then this setting doesn't apply.

Set as default realm (Kerberos only): Yes sets the Realm value you entered as the
default realm. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might not set a default realm.

Tip

Select Yes for this setting if you're configuring multiple Kerberos SSO app
extensions in your organization.
Select Yes for this setting if you're using multiple realms. It sets the Realm
value you entered as the default realm.
If you only have one realm, leave it Not configured (default).

Block Autodiscover (Kerberos only): Yes prevents the Kerberos extension from
automatically using LDAP and DNS to determine its Active Directory site name.

Allow only managed apps (Kerberos only): When set to Yes, the Kerberos
extension allows only managed apps, and any apps entered with the app bundle
ID to access the credential. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow non-managed apps
to access the credential.

This feature applies to:

iOS/iPadOS 14 and newer

Principal name (Kerberos only): Enter the username of the Kerberos principal. You
don't need to include the realm name. For example, in user@contoso.com, user is
the principal name, and contoso.com is the realm name.

Tip

You can also use variables in the principal name by entering curly brackets
{{ }}. For example, to show the username, enter Username: {{username}}.

However, be careful with variable substitution because variables aren't
validated in the UI and they are case sensitive. Be sure to enter the correct
information.

Active Directory site code (Kerberos only): Enter the name of the Active Directory
site that the Kerberos extension should use. You may not need to change this
value, as the Kerberos extension may automatically find the Active Directory site
code.

Cache name (Kerberos only): Enter the Generic Security Services (GSS) name of the
Kerberos cache. You most likely don't need to set this value.

Sign in window text (Kerberos only): Enter the text shown to users at the Kerberos
sign in window.

This feature applies to:

iOS/iPadOS 14 and newer

App bundle IDs (Microsoft Azure AD, Kerberos): Enter the bundle IDs of the
additional apps that should get single sign-on through an extension on your
devices.

If you use the Microsoft Azure AD SSO app extension type, then:

These apps use the Microsoft Enterprise SSO plug-in to authenticate the user
without requiring a sign-in.

The app bundle IDs you enter have permission to use the Microsoft Azure AD
SSO app extension if they don't use any Microsoft libraries, such as Microsoft
Authentication Library (MSAL).

The experience for these apps may not be as seamless as for apps that use the
Microsoft libraries. Older apps that use MSAL authentication, or apps that don't
use the newest Microsoft libraries, must be added to this list to work properly
with the Microsoft Azure AD SSO app extension.

If you use the Kerberos SSO app extension type, then these apps:
Have access to the Kerberos Ticket Granting Ticket
Have access to the authentication ticket
Authenticate users to services they're authorized to access

Domain realm mapping (Kerberos only): Enter the domain DNS suffixes that
should map to your realm. Use this setting when the DNS names of the hosts don't
match the realm name. You most likely don't need to create this custom domain-
to-realm mapping.

PKINIT certificate (Kerberos only): Select the Public Key Cryptography for Initial
Authentication (PKINIT) certificate that can be used for Kerberos authentication.
You can choose from PKCS or SCEP certificates that you've added in Intune. For
more information about certificates, see Use certificates for authentication in
Microsoft Intune.

Wallpaper
You can experience unexpected behavior when a profile with no image is assigned to
devices with an existing image. For example, you create a profile without an image. This
profile is assigned to devices that already have an image. In this scenario, the image may
change to the device default, or the original image may stay on the device. This
behavior is controlled and limited by Apple's MDM platform.

Settings apply to: Automated device enrollment (supervised)
Wallpaper Display Location: Choose a location on devices to show the image. Your
options:
Not configured: Intune doesn't change or update this setting. A custom image
isn't added to devices. By default, the OS might set its own image.
Lock screen: Adds the image to the lock screen.
Home screen: Adds the image to the home screen.
Lock screen and Home screen: Uses the same image on the lock screen and
home screen.
Wallpaper Image: Upload an existing .png, .jpg, or .jpeg image you want to use. Be
sure the file size is less than 750 KB. You can also remove an image that you
added.

Tip
When configuring a wallpaper policy, Microsoft recommends enabling the
Block modification of Wallpaper setting. This setting prevents users from
changing the wallpaper.
To display different images on the lock screen and home screen, create a
profile with the lock screen image. Create another profile with the home
screen image. Assign both profiles to your iOS/iPadOS user or device groups.

Next steps
Assign the profile and monitor its status.

You can also create device feature profiles for macOS devices.
iOS and iPadOS device settings to allow
or restrict features using Intune
Article • 06/29/2023

Note

Intune may support more settings than the settings listed in this article. Not all
settings are documented, and won’t be documented. To see the settings you can
configure, create a device configuration profile, and select Settings Catalog. For
more information, see Settings catalog.

This article describes the different settings you can control on iOS and iPadOS devices.
As part of your mobile device management (MDM) solution, use these settings to allow
or disable features, set password rules, allow or restrict specific apps, and more.

This feature applies to:

iOS/iPadOS

These settings are added to a device configuration profile in Intune, and then assigned
or deployed to your iOS/iPadOS devices.

Tip

These settings use Apple's restriction settings. For more information on these
settings, see Apple's mobile device management settings site (opens Apple's
web site).

Before you begin

When configuring device restriction policies, the broad range of settings enable you to
tailor protection to your specific needs. To better understand how to implement specific
security configuration scenarios, see the security configuration framework guidance for
iOS device restriction policies.

The security configuration framework is organized into distinct configuration levels that
provide guidance for personally owned and supervised devices, with each level building
off the previous level.
The available levels and settings in each level vary by device type:

For personal devices, see iOS/iPadOS personal device security configurations

For supervised devices, see iOS/iPadOS supervised device security configurations

When you're ready to proceed, create an iOS/iPadOS device restrictions configuration
profile.

Note

These settings apply to different enrollment types, with some settings applying to
all enrollment options. For more information on the different enrollment types, see
iOS/iPadOS enrollment.

App Store, Doc Viewing, Gaming

Settings apply to: All enrollment types

Block viewing corporate documents in unmanaged apps: Yes prevents viewing
corporate documents in unmanaged apps. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow
corporate documents to be viewed in any app.

For example, you want to prevent users from saving files from the OneDrive app to
Dropbox. Configure this setting as Yes. After devices receive the policy (for
example, after a restart), it no longer allows saving.

Note

When this setting is blocked (set to Yes), third party keyboards installed from
the App Store are also blocked.

Allow unmanaged apps to read from managed contacts accounts: Yes lets
unmanaged apps, such as the built-in iOS/iPadOS Contacts app, read and
access contact information from managed apps, including the Outlook mobile
app. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might prevent reading from the built-in Contacts
app on devices.
This setting allows or prevents reading contact information. It doesn't control
syncing contacts between the apps.

To use this setting, set the Block viewing corporate documents in unmanaged
apps setting to Yes.

For more information about these two settings, and their impact on Outlook for
iOS/iPadOS contact export synchronization, see Support Tip: Use Intune custom
profile settings with the iOS/iPadOS Native Contacts App .

Treat AirDrop as an unmanaged destination: Yes forces AirDrop to be considered
an unmanaged drop target. It stops managed apps from sending data using
AirDrop. When set to Not configured (default), Intune doesn't change or update
this setting.

Block viewing non-corporate documents in corporate apps: Yes prevents viewing
non-corporate documents in corporate apps. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow any document to be viewed in corporate managed apps.

Yes also prevents contact export synchronization in Outlook for iOS/iPadOS. For
more information, see Support Tip: Enabling Outlook iOS/iPadOS Contact Sync
with iOS12 MDM Controls .

Allow copy/paste to be affected by managed open-in: Yes enforces copy/paste
restrictions based on how you configured Block viewing corporate documents in
unmanaged apps and Block viewing non-corporate documents in corporate
apps. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might not enforce any copy/paste restrictions.

Settings apply to: Device enrollment, Automated device enrollment (supervised)
Require iTunes Store password for all purchases: Yes forces users to enter the
Apple ID password for each in-app or iTunes purchase. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow purchases without prompting for a password every time.

Block in-app purchases: Yes prevents in-app purchases from the store. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow store purchases within a running app.
Block download of explicit sexual content in Apple Books: Yes prevents users
from downloading media from the iBook store that's tagged as erotica. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to download books with the "Erotica" category.

Allow managed apps to write contacts to unmanaged contacts accounts: Yes lets
managed apps, such as the Outlook mobile app, save or sync contact information,
including business and corporate contacts, to the built-in iOS/iPadOS Contacts
app. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might prevent managed apps from saving or syncing
contact information to the built-in iOS/iPadOS Contacts app on devices.

To use this setting, set the Block viewing corporate documents in unmanaged
apps setting to Yes.

Ratings region: Select the ratings region you want to use for allowed downloads.
And then select the allowed ratings for Movies, TV Shows, and Apps.

Settings apply to: Automated device enrollment (supervised)
Block App store: Yes prevents access to the app store on supervised devices. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow access.

Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Block installing apps using App Store: Yes doesn't show the app store on the
device home screen. Users can continue to use iTunes or the Apple Configurator
to install apps. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow the app store on the home
screen.
Block automatic app downloads: Yes prevents automatic downloading of apps
bought on other devices and automatic updates to new apps. It doesn't affect
updates to existing apps. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow apps bought on
other iOS/iPadOS devices to download and update on the device.

Block playback of explicit music, podcast, and iTunes U: Yes prevents explicit
iTunes music, podcast, or news content. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow the
device to access content rated as adult from the store.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Block adding Game Center friends: Yes prevents users from adding Game Center
friends. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow users to add friends in Game Center.

Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Block Game Center: Yes prevents using the Game Center app. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow using the Game Center app on devices.

Block multiplayer gaming in Game Center: Yes prevents multiplayer gaming.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to play multiplayer games on devices.

Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Block access to network drive in Files app: Using the Server Message Block (SMB)
protocol, devices can access files or other resources on a network server. Yes
prevents accessing files on a network SMB drive. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow access.

This feature applies to:

iOS 13.0 and newer
iPadOS 13.0 and newer

Autonomous single app mode (ASAM)

Use these settings to configure iOS/iPadOS devices to run specific apps in autonomous
single app mode (ASAM). When ASAM is configured, and users start one of the
configured apps, then the device is locked to that app. App/task switching is disabled
until users exit the allowed app.

For the ASAM configuration to apply, users must manually open the specific app. This
task also applies to the Company Portal app.

For example, in a school or university environment, add an app that lets users take
a test on the device. Or, lock the device into the Company Portal app until the user
authenticates. When the app's actions are completed by users, or you remove this
policy, the device returns to its normal state.
Not all apps support autonomous single app mode. To put an app in ASAM, a
bundle ID or a key value pair delivered by an app config policy are typically
required. For more information, see the
autonomousSingleAppModePermittedAppIDs restriction in Apple's MDM
documentation. For more information on the specific settings required for the app
you're configuring, see the vendor documentation.

For example, to configure Zoom Rooms in autonomous single app mode, Zoom
says to use the us.zoom.zpcontroller bundle ID. In this instance, you also make a
change in the Zoom web portal. For more information, see the Zoom help
center .

On iOS/iPadOS devices, the Company Portal app supports ASAM. When the
Company Portal app is in ASAM, users must manually open the Company Portal
app. Then the device is locked in the Company Portal app until the user
authenticates. When users sign in to the Company Portal app, they can use other
apps and the Home screen button on the device. When they sign out of the
Company Portal app, the device returns to single app mode, and locks on the
Company Portal app.

To turn the Company Portal app into a 'sign in/sign out' app (enable ASAM), enter
the Company Portal app name, such as Microsoft Intune Company Portal , and the
bundle ID ( com.microsoft.CompanyPortal ) in these settings. After this profile is
assigned, you must open the Company Portal app to lock the app so users can
sign in and sign out of it. For the ASAM configuration to apply, users must
manually open the Company Portal app.

When the device configuration profile is removed, and the user signs out, the
device isn't locked in the Company Portal app.

Settings apply to: Automated device enrollment (supervised)
App name: Enter the name of the app you want.
App Bundle ID: Enter the bundle ID of the app you want.

You can also Import a CSV file with the list of app names and their bundle IDs. Or,
Export an existing list that includes the apps.
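The App name and App Bundle ID settings above correspond to Apple's autonomousSingleAppModePermittedAppIDs restriction mentioned earlier. As an added illustration that is not Intune's own output, this is what an equivalent standalone Apple configuration profile looks like for the Company Portal app; the PayloadIdentifier, PayloadUUID and display-name strings are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- ASAM is part of the Restrictions payload (com.apple.applicationaccess) -->
      <key>PayloadType</key>
      <string>com.apple.applicationaccess</string>
      <key>PayloadDisplayName</key>
      <string>Restrictions: autonomous single app mode</string>
      <!-- Placeholder identifiers; a real profile needs unique values -->
      <key>PayloadIdentifier</key>
      <string>example.restrictions.asam</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-0000-0000-000000000001</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- Apps permitted to put the device into ASAM. The device locks to an
           app in this list only after the user opens it; each Intune App Bundle
           ID entry becomes one string in this array. -->
      <key>autonomousSingleAppModePermittedAppIDs</key>
      <array>
        <string>com.microsoft.CompanyPortal</string>
      </array>
    </dict>
  </array>
  <!-- Placeholder top-level profile metadata -->
  <key>PayloadDisplayName</key>
  <string>ASAM: Company Portal sign in/sign out</string>
  <key>PayloadIdentifier</key>
  <string>example.asam.profile</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-0000-0000-000000000002</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
```

As with the Intune setting, the restriction only takes effect on supervised devices, and removing the profile releases the lock once the user signs out of Company Portal.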

Built-in Apps
Settings apply to: All enrollment types
Block Siri: Yes prevents access to Siri. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow using the Siri
voice assistant on devices.
Block Siri while device is locked: Yes prevents access to Siri when devices are
locked. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow using the Siri voice assistant on
devices when they're locked.

Require Safari fraud warnings: Yes requires fraud warnings to be shown in the web
browser on devices. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might not show these warnings.

Block Siri for dictation: Yes prevents connections to Siri servers. Users can't use Siri
to dictate text. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow Siri to be used for dictation.
Also available for user enrollment.

This feature applies to:

iOS/iPadOS 14.5 and newer

Block Siri for translation: Yes prevents connections to Siri servers so that users
can't use Siri to translate text. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow Siri to be used for
translation. Also available for user enrollment.

This feature applies to:

iOS/iPadOS 15.0 and newer

Settings apply to: Device enrollment and Automated device enrollment (supervised)
Block internet search results from Spotlight: Yes stops Spotlight from returning
any results from an Internet search. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow Spotlight
search connect to the Internet to provide search results.

Safari cookies: By default, Apple allows all cookies, and blocks cross site tracking.
Use this setting to allow users to enable or disable these features. Your options:
Not configured (default): Intune doesn't change or update this setting. By
default, the OS allows all cookies and blocks cross site tracking, and might allow
users to enable and disable these features.
Allow all cookies, and allow cross site tracking: Cookies are allowed, and can
be disabled by users. By default, cross site tracking is blocked, and can be
enabled by users.
Block all cookies, and block cross site tracking: Cookies and cross site tracking
are both blocked. Users can't enable or disable either setting.
Allow all cookies, and block cross site tracking: Cookies are allowed, and can
be disabled by users. By default, cross site tracking is blocked, and can't be
enabled or disabled by users.

Block Safari JavaScript: Yes prevents JavaScript in the browser from running on
devices. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow JavaScript.

Block Safari Pop-ups: Yes blocks all pop-ups in the Safari web browser. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow the pop-up blocker.

Settings apply to: Automated device enrollment (supervised)
Block camera: Yes prevents access to the camera on the device. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow access to the device's camera.

Intune only manages access to the device camera. It doesn't have access to
pictures or videos.

Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Block FaceTime: Yes prevents access to the FaceTime app. When set to Not
configured (default), Intune doesn't change or update this setting. By default,
the OS might allow access to the FaceTime app on devices.

Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Require Siri profanity filter: Yes turns on the filter, and prevents Siri from dictating,
or speaking profane language. When set to Not configured (default), Intune
doesn't change or update this setting.

To use this setting, set the Block Siri setting to Not configured.

This feature applies to:

iOS 11.0 and newer
Block user-generated content in Siri: Yes prevents Siri from accessing websites to
answer questions. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow Siri to access user-generated
content from the internet.

To use this setting, set the Block Siri setting to Not configured.

Block Apple News: Yes prevents access to the Apple News app on devices. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow using the Apple News app.

Block Apple Books: Yes prevents access to the iBooks store. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to browse and buy books from the iBooks store.

Block iMessage: Yes prevents using the Messages app for iMessage. If devices
support text messaging, then users can still send and receive text messages using
SMS. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow using the Messages app to send and read
messages over the internet.

Block Podcasts: Yes prevents using the Podcasts app. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow using the Podcasts app.

Music service: Yes disables the Music Service, and reverts the Music app to classic
mode. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow using the Apple Music app.

Block iTunes Radio: Yes prevents using the iTunes Radio app. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow using the iTunes Radio app.

Block iTunes store: Yes prevents using iTunes on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow iTunes.

This feature applies to:

iOS 4.0 and newer
iPadOS 13.0 and newer

Block Find My iPhone: In the Find My app, Yes disables/hides the Devices tab. Yes
may also prevent pairing of AirTags. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow using the
Devices tab in the Find My app to get the approximate location of the device.

This feature applies to:

iOS 13.0 and newer
iPadOS 13.0 and newer

Block Find My Friends: Yes prevents this feature in the Find My app. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow using this Find My app feature to find family and friends from
an Apple device or iCloud.com.

This feature applies to:

iOS 13.0 and newer
iPadOS 13.0 and newer

Block user modification to the Find My Friends settings: Yes prevents changes to
the Find My Friends app settings. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to
change settings for the Find My Friends app.

Block removal of system apps from device: Yes prevents removing system apps
from devices. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to remove system apps.

Block Safari: Yes prevents using the Safari browser on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to use the Safari browser.

Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Block Safari Autofill: Yes disables the autofill feature in Safari on devices. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to change autocomplete settings in the web
browser.

Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Cloud and Storage

Settings apply to: All enrollment types

Force encrypted backup: Yes requires device backups be encrypted. When set to
Not configured (default), Intune doesn't change or update this setting.
Block managed apps from storing data in iCloud: Yes prevents Intune-managed
apps from syncing data to the user's iCloud account. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow this data sync to iCloud.
Block backup of enterprise books: Yes prevents backing up enterprise books.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to back up these books.
Block notes and highlights sync for enterprise books: Yes prevents syncing notes
and highlights in enterprise books. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow the syncing.

Settings apply to: Device enrollment, Automated device enrollment (supervised)
Block iCloud Photos sync: Yes prevents photo stream syncing to iCloud. Blocking
this feature may cause data loss. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might let users enable My
Photo Stream on their device to sync to iCloud, and have photos available on all
the user's devices.
Block iCloud Photo Library: Yes disables using iCloud photo library to store
photos and videos in the cloud. Any photos not fully downloaded from iCloud
Photo Library to devices are removed from the device. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow using the iCloud photo library.
Block My Photo Stream: Yes disables iCloud Photo Sharing on devices. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow shared photo streaming.
Block Handoff: Yes prevents users from starting work on an iOS/iPadOS device,
and then continuing the work on another iOS/iPadOS or macOS device. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow this handoff.

Settings apply to: Automated device enrollment (supervised)
Block iCloud backup: Yes stops users from backing up devices to iCloud. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to back up devices to iCloud.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Block iCloud document and data sync: Yes prevents iCloud from syncing
documents and data. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow document and key-value
synchronization to your iCloud storage space.

Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Block iCloud Keychain sync: Yes disables syncing credentials stored in the
Keychain to iCloud. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow users to sync these
credentials.

Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Block iCloud Private Relay: Yes disables the iCloud Private Relay. When disabled,
Apple doesn't encrypt internet traffic leaving the device. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow this feature, which prevents networks and servers from monitoring
a user's activity across the internet.

This feature applies to:

iOS/iPadOS 15 and newer

iCloud Private Relay (opens Apple's web site)

Connected Devices

Settings apply to: All enrollment types

Force Apple Watch wrist detection: Yes forces a paired Apple watch to use wrist
detection. When required, the Apple Watch won't display notifications when it's
not being worn. When set to Not configured (default), Intune doesn't change or
update this setting.

Settings apply to: Device enrollment, Automated device enrollment (supervised)
Require AirPlay outgoing requests pairing password: Yes requires a pairing
password when using AirPlay to stream content to other Apple devices. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to stream content using AirPlay without entering
a password.

Block Apple Watch auto unlock: Yes prevents users from unlocking their device
with Apple Watch when an obstruction, such as a mask, prevents Face ID from
recognizing a user's face. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow Apple Watch to auto
unlock a device if an obstruction is preventing Face ID from recognizing the user.

This feature applies to:

iOS/iPadOS 14.5 and newer

Settings apply to: Automated device enrollment (supervised)
Block AirDrop: Yes prevents using AirDrop on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow using the AirDrop feature to exchange content with nearby
devices.

Block pairing with Apple Watch: Yes prevents pairing with an Apple Watch. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow devices to pair with an Apple Watch.

Block modifying Bluetooth settings: Yes stops users from changing Bluetooth
settings on devices. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow users to change these
settings.

Block pairing with non-Configurator hosts: Yes prevents host pairing. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow host pairing to let the administrator control which devices an
iOS/iPadOS device can pair with.

Block AirPrint: Yes prevents using the AirPrint feature on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to use AirPrint.
Block storage of AirPrint credentials in Keychain: Block prevents using
Keychain storage for username and password on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default,
the OS might allow storing the AirPrint username and password in the Keychain
app.
Require AirPrint to destinations with trusted certificates: Yes forces devices to
use trusted certificates for TLS printing communication. When set to Not
configured (default), Intune doesn't change or update this setting.
Block iBeacon discovery of AirPrint printers: Yes prevents malicious AirPrint
Bluetooth beacons from phishing for network traffic. When set to Not
configured (default), Intune doesn't change or update this setting. By default,
the OS might allow advertising AirPrint printers on devices.

Block setting up new nearby devices: Yes disables the prompt to set up new
devices that are nearby. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow prompts for users to
connect to other nearby Apple devices.

This feature applies to:

iOS 11.0 and newer
iPadOS 13.0 and newer

Block access to USB drive in Files app: Devices can connect and open files on a
USB drive. Yes prevents device access to the USB drive in the Files app when a USB
is connected to the device. Blocking this feature also blocks users from transferring
files onto a USB drive connected to an iPad. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow access
to a USB drive in the Files app.

This feature applies to:

iOS 13.0 and newer
iPadOS 13.0 and newer

Disable near-field communication (NFC): Yes disables NFC, and prevents devices
from pairing with other NFC-enabled devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, users might be
allowed to use NFC, and connect to other NFC-enabled devices.

This feature applies to:

iOS 14.2 and newer
iPadOS 14.2 and newer

Allow users to boot devices into recovery mode with unpaired devices: Yes lets a
user boot a device into recovery mode with an unpaired device. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might prevent users from booting devices into recovery mode with an unpaired
device.
This feature applies to:
iOS/iPadOS 14.5 and newer

Domains

Settings apply to: Device enrollment and Automated device enrollment (supervised)
Unmarked email domains: Add one or more domain URLs to the list. When users
receive an email from a domain other than the domains you enter, the email is
marked as untrusted in the iOS/iPadOS Mail app.

Managed Safari web domains: Add one or more web domain URLs to the list.
When documents are downloaded from the domains you enter, they're considered
managed. This setting applies only to documents downloaded using the Safari
browser.

Settings apply to: Automated device enrollment (supervised)
Safari password domains: Add one or more domain URLs to the list. Users can
only save web passwords from URLs in this list. This setting applies only to the
Safari browser, and devices in supervised mode. If you don't enter any URLs, then
passwords can be saved from all web sites.

This feature applies to:

iOS 9.3 and newer
iPadOS 13.0 and newer

General

Settings apply to: All enrollment types

Block sending diagnostic and usage data to Apple: Yes prevents devices from
sending diagnostic and usage data to Apple. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow this data to be sent.

Block screenshots and screen recording: Yes prevents screenshots or screen
captures on devices. In iOS/iPadOS 9.0 and newer, it also blocks screen recordings.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might let users capture the screen contents as an image
or as a video.

Settings apply to: Device enrollment and Automated device enrollment (supervised)

Block Untrusted TLS certificates: Yes prevents untrusted Transport Layer Security
(TLS) certificates on devices. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow TLS certificates.

Block over-the-air PKI updates: Yes prevents your users from receiving software
updates unless devices are connected to a computer. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow a device to receive software updates without being connected to a
computer.

Force limited ad tracking: Yes disables the device advertising identifier. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might keep it enabled.

Block trusting new enterprise app authors: Yes removes the Trust Enterprise
Developer button in Settings > General > Profiles & Device Management on
devices. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might let users choose to trust apps that aren't
downloaded from the app store.

Block app clips: Yes blocks App Clips on managed devices. Specifically, setting to
Yes:
Prevents users from adding App Clips on devices.
Removes existing App Clips on devices.

When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow adding and removing App Clips on devices.

This feature applies to:


iOS 14.0 and newer
iPadOS 14.0 and newer

Limit Apple personalized advertising: Yes limits Apple's personalized advertising
in the App Store, Apple News, and Stocks apps. On the device, the Settings >
Privacy > Apple Advertising is toggled off. This setting only impacts personalized
ads in these apps. It doesn't impact non-personalized ads, and may not reduce
ads. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might turn on personalized ads.

For more information on Apple's policy, see Apple Advertising & Privacy (opens
Apple's web site).

This feature applies to:


iOS 14.0 and newer
iPadOS 14.0 and newer

Settings apply to: Automated device enrollment (supervised)

Block modification of diagnostics settings: Yes prevents users from changing the
diagnostic submission and app analytics settings in Diagnostics and Usage (device
Settings). When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow users to change these device settings.

To use this setting, set the Block sending diagnostic and usage data to Apple
setting to Not configured.

This feature applies to:


iOS 9.3.2 and newer
iPadOS 13.0 and newer

Block remote AirPlay, view screen by Classroom app, and screen sharing: Yes
prevents the Classroom app from remotely viewing the screen on devices. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow the Apple Classroom app to view the screen.

To use this setting, set the Block screenshots and screen recording setting to Not
configured.

This feature applies to:


iOS 9.3 - iOS 12.x: Requires supervised devices
iOS 13.0 and newer: Doesn't require supervised devices
iPadOS 13.0 and newer: Devices must be enrolled using Device Enrollment or
Automated Device Enrollment (ADE)

Allow Classroom app to perform AirPlay and view screen without prompting: Yes
lets teachers silently observe students' iOS/iPadOS screens using the Classroom
app without the students knowing. Student devices enrolled in a class using the
Classroom app automatically give permission to that course's teacher. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might prevent this feature.

To use this setting, set the Block screenshots and screen recording setting to Not
configured.

Block modification of account settings: Yes prevents users from updating device-
specific settings from the iOS/iPadOS settings app. For example, users can't create
new device accounts, or change the user name or password. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to change these settings.

This feature also applies to settings in the iOS/iPadOS settings app, such as Mail,
Contacts, Calendar, Twitter, and more. This feature doesn't apply to apps with
account settings that aren't configurable in the iOS/iPadOS settings app, such as
the Microsoft Outlook app.

Block Screen time: Yes prevents users from setting their own restrictions in Screen
Time (device settings). When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to configure
device restrictions (such as parental controls or content, and privacy restrictions)
on devices.

This setting was renamed from Enabling restrictions in the device settings. Impact
of this change:
iOS 11.4.1 and older: Yes prevents users from setting their own restrictions in
the device settings. The behavior is the same; and there are no changes for
users.
iOS 12.0 and newer: Yes prevents users from setting their own Screen Time in
the device settings (Settings > General > Screen Time), including content and
privacy restrictions. Devices upgraded to iOS 12.0 won't see the restrictions tab
in the device settings anymore (Settings > General > Device Management >
Management Profile > Restrictions). These settings are in Screen Time.

Block use of erase all content and settings: Yes prevents using the erase all
content and settings option on devices. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might give users
access to these settings.

Block modification of device name: Yes prevents changing the device name
locally. When set to Yes, you can remotely rename a device with a remote device
action. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to change the name of devices.

Block modification of notifications settings: Yes prevents changing the
notification settings. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow users to change the device
notification settings.

Block modification of Wallpaper: Yes prevents the wallpaper from being changed.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to change the wallpaper on devices.

Block configuration profile changes: Yes prevents configuration profile changes
on devices. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow users to install configuration profiles.

Allow activation Lock: Yes enables Activation Lock on supervised iOS/iPadOS
devices. Activation Lock makes it harder for a lost or stolen device to be
reactivated. When set to Not configured (default), Intune doesn't change or
update this setting.

Block removing apps: Yes prevents removing apps. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow users to remove apps from devices.

Allow USB accessories while device is locked: Yes lets USB accessories exchange
data with devices that are locked for over an hour. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
not update USB Restricted mode on devices, and USB accessories are blocked from
transferring data from devices if locked for over an hour.

This feature applies to:


iOS/iPadOS 11.4.1 and newer

Force automatic date and time: Yes forces supervised devices to set the Date &
Time automatically. The device's time zone is updated when the device has cellular
connections or has Wi-Fi with location services enabled. When set to Not
configured (default), Intune doesn't change or update this setting.

Require teacher permission to leave Classroom app unmanaged classes: Yes
forces students enrolled in an unmanaged course using the Classroom app to
request permission from the teacher to leave the course. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might not force the student to ask for permission.

This feature applies to:


iOS 11.3 and newer
iPadOS 13.0 and newer

Allow Classroom to lock to an app and lock the device without prompting: Yes
allows teacher to lock apps or lock devices using the Classroom app without
prompting the student. Locking apps means devices can only access teacher
specified apps. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might prevent teachers from locking apps or
devices using the Classroom app without prompting the student.

This feature applies to:


iOS 11.0 and newer
iPadOS 13.0 and newer

Allow students to automatically join Classroom classes without prompting: Yes
automatically allows students to join a class that's in the Classroom app without
prompting the teacher. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might prompt the teacher that
students want to join a class that's in the Classroom app.

This feature applies to:


iOS 11.0 and newer
iPadOS 13.0 and newer

Block VPN creation: Yes prevents users from creating VPN configuration settings.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might let users create VPNs on devices.

Block modification of eSIM settings: Yes prevents removing or adding a cellular
plan to the eSIM on devices. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to change
these settings.

This feature applies to:


iOS 12.1 and newer
iPadOS 13.0 and newer

Defer software updates: Enable allows you to delay when software updates are
shown on devices, from 1-90 days. This setting doesn't control when updates are
or aren't installed.

When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might show software updates on devices as Apple
releases them. For example, if an iOS/iPadOS update gets released by Apple on a
specific date, then that update naturally shows up on devices around the release
date.

Delay visibility of software updates: Enter a value from 1-90 days. When the
delay expires, users get notified to update to the earliest OS version available
when the delay is triggered. Don't set this value to zero (0) days.

For example, if iOS 12.a is available on January 1, and Delay visibility is set to 5
days, then iOS 12.a isn't shown as an available update on user devices. On the
sixth day following the release, that update is available, and users can install it.

This feature applies to:


iOS 11.3 and newer
iPadOS 13.0 and newer

Keyboard and Dictionary

Settings apply to: Automated device enrollment (supervised)

Block word definition lookup: Yes prevents highlighting a word, and then looking
up its definition. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow access to the definition lookup
feature.

Block predictive keyboards: Yes prevents using predictive keyboards to suggest
words users might want. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow this feature.

Block auto-correction: Yes prevents using autocorrection. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow devices to automatically correct misspelled words.

Block spell-check: Yes prevents spell checker. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow using spellchecker.

Block keyboard shortcuts: Yes stops users from using keyboard shortcuts. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow using keyboard shortcuts on devices.

Block dictation: Yes stops users from using voice input to enter text. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow users to use dictation input.

Block QuickPath: Yes prevents users from using QuickPath. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to use QuickPath, which allows a continuous input on the
device's keyboard. Users can type by swiping across the keys to create words.

This feature applies to:


iOS 13.0 and newer
iPadOS 13.0 and newer

Kiosk
Single App Mode (opens Apple's web site) is referred to as Kiosk mode in Intune.

Settings apply to: Automated device enrollment (supervised)

App to run in kiosk mode: Select the type of apps you want to run in kiosk mode.
Your options:
Not configured (default): Intune doesn't change or update this setting. By
default, the OS might not apply kiosk settings. The device doesn't run in kiosk-
mode.
Store App: Enter the URL to an app in the iTunes App store.
Managed App: Select an app you previously added to Intune.
Built-In App: Enter the bundle ID of the built-in app.

Require Assistive touch: Yes requires the Assistive Touch accessibility setting be on
devices. This feature helps users with on-screen gestures that might be difficult for
them. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might not run or enable this feature in kiosk mode.

Require invert colors: Yes requires the Invert Colors accessibility setting so users
with visual impairments can change the display screen. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might not run or enable this feature in kiosk mode.

Require mono audio: Yes requires the Mono audio accessibility setting be on
devices. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might not run or enable this feature in kiosk mode.

Require Voice control: Yes enables voice control on devices, and allows users to
fully control the OS using Siri commands. Users can't turn it off. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might disable voice control.

This feature applies to:


iOS 13.0 and newer
iPadOS 13.0 and newer

Tip

If you have LOB apps available for your organization, and they're not Voice
Control ready on day 0 when iOS 13.0 releases, then we recommend you
leave this setting as Not configured.

Require VoiceOver: Yes requires the VoiceOver accessibility setting to read text on
the screen out loud. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might not run or enable this feature in
kiosk mode.

Require zoom: Yes requires the zoom setting so users can touch to zoom in on the
screen. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might not run or enable this feature in kiosk mode.

Block auto lock: Yes prevents automatic locking of devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow this feature.

Block ringer switch: Yes disables the ringer (mute) switch on devices. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow this feature.

Block screen rotation: Yes prevents changing the screen orientation when users
rotate the device. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow this feature.

Block screen sleep button: Yes disables the screen sleep wake button on devices.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow this feature.

Block touch: Yes disables the touchscreen on devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow users to use the touchscreen.

Block volume buttons: Yes prevents using the volume buttons on devices. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow the volume buttons.

Allow Assistive touch control: Yes lets users use the assistive touch function. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might disable this feature.

Allow invert colors control: Yes inverts color changes to let users adjust the invert
colors function. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might disable this feature.

Speak on selected text: Yes allows the Speak Selection accessibility settings be on
devices. This feature reads text out loud that users select. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might disable this feature.

Allow Voice Control: Yes allows users to change the state of voice control on their
devices. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might block users from changing the state of voice
control on their devices.

This feature applies to:


iOS 13.0 and newer
iPadOS 13.0 and newer

Allow VoiceOver control: Yes allows voiceover changes to let users update the
VoiceOver function, such as how fast on-screen text is read out loud. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might prevent voiceover changes.

Allow zoom control: Yes allows zoom changes by users. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might prevent zoom changes.

Note

Before you can configure an iOS/iPadOS device for kiosk mode, you must use the
Apple Configurator tool or the Apple Device Enrollment Program to put devices
into supervised mode. See Apple's guide on using the Apple Configurator tool.
If the iOS/iPadOS app you enter is installed after you assign the profile, then the
device doesn't enter kiosk mode until the device is restarted.

Locked Screen Experience

Settings apply to: All enrollment types


Block Control Center access in lock screen: Yes prevents access to the Control
Center app while device is locked. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow access to the
Control Center app when devices are locked.

Block Notifications Center access in lock screen: Yes prevents access to
notifications when devices are locked. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow access
to notifications without unlocking devices.

Block Today view in lock screen: Yes prevents access to the Today view when
devices are locked. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to see the Today view
when devices are locked.

Settings apply to: Device enrollment, Automated device enrollment (supervised)

Block Wallet notifications in lock screen: Yes prevents access to the Wallet app
when devices are locked. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow access to the Wallet
app while devices are locked.

Password

Settings apply to: All enrollment types


Require password: Yes requires users to enter a password to access devices. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to access devices without entering a password.

Settings apply to: Device enrollment, Automated device enrollment (supervised)

Important

On user-enrolled devices, if you configure any password setting, then the Simple
passwords setting is automatically set to Yes, and a 6 digit PIN is enforced.

For example, you configure the Password expiration setting, and push this policy
to user-enrolled devices. On the devices, the following happens:

The Password expiration setting is ignored.
Simple passwords, such as 1111 or 1234, aren't allowed.
A 6 digit PIN is enforced.

Block simple passwords: Yes blocks simple passwords, and requires more complex
passwords. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow simple passwords, such as 0000 and
1234.

Required password type: Enter the required password complexity level your
organization requires. Your options:
Device default
Numeric: Can be alphabetic characters, such as abcdef, and numeric characters,
such as 123456789.
Alphanumeric: Includes uppercase letters, lowercase letters, and numeric
characters.

Note

Selecting alphanumeric can impact a paired Apple Watch. For more
information, see Set passcode restrictions for an Apple Watch (opens
Apple's web site).

Number of non-alphanumeric characters in password: Enter the number of
symbol characters, such as # or @, that must be included in the password, from
1-4. When set to Not configured (default), Intune doesn't change or update this
setting.

Minimum password length: Enter the minimum length the password must have,
from 4-16 characters. On user enrolled devices, enter a length between 4 and 6
characters.

Note

For devices that are user enrolled, users can set a PIN greater than 6 digits.
But, no more than 6 digits are enforced on devices. For example, an
administrator sets the minimum length to 8. On user-enrolled devices, users
are only required to set a 6 digit PIN. Intune doesn't force a PIN greater than
6 digits on user-enrolled devices.

Number of sign-in failures before wiping device: Enter the number of failed
sign-ins before the device is wiped, from 2-11. It's not recommended to set this
value to 2 or 3. It's common to enter the wrong password. Wiping the device after
two or three incorrect password attempts happens often. It's recommended to set
this value to at least 4.

iOS/iPadOS has built-in security that can impact this setting. For example,
iOS/iPadOS may delay triggering the policy depending on the number of sign-in
failures. It may also consider repeatedly entering the same passcode as one
attempt. Apple's iOS/iPadOS security guide (opens Apple's web site) is a good
resource, and provides more specific details on passcodes.

Maximum minutes after screen lock before password is required¹: Enter how
long devices stay idle before users must reenter their password. If the time you
enter is longer than what's currently set on the device, then the device ignores the
time you enter.

This feature applies to:


iOS 8.0+
iPadOS 13.0+

Maximum minutes of inactivity until screen locks¹: Enter the maximum number of
minutes of inactivity allowed on devices until the screen locks.

iOS/iPadOS options:
Not configured (Default): Intune doesn't change or update this setting.
Immediately: Screen locks after 30 seconds of inactivity.
1: Screen locks after 1 minute of inactivity.
2: Screen locks after 2 minutes of inactivity.
3: Screen locks after 3 minutes of inactivity.
4: Screen locks after 4 minutes of inactivity.
5: Screen locks after 5 minutes of inactivity.

iPadOS options:
Not configured (Default): Intune doesn't change or update this setting.
Immediately: Screen locks after 2 minutes of inactivity.
2: Screen locks after 2 minutes of inactivity.
5: Screen locks after 5 minutes of inactivity.
10: Screen locks after 10 minutes of inactivity.
15: Screen locks after 15 minutes of inactivity.

If a value doesn't apply to iOS and iPadOS, then Apple uses the closest lowest
value. For example, if you enter 4 minutes, then iPadOS devices use 2 minutes. If
you enter 10 minutes, then iOS devices use 5 minutes. This behavior is an Apple
limitation.

Note

The Intune UI for this setting doesn't separate the iOS and iPadOS supported
values. The UI might be updated in a future release.

Password expiration (days): Enter the number of days before the device password
must be changed, from 1-730.

Prevent reuse of previous passwords: Restrict users from reusing previous
passwords. Enter the number of previously used passwords that can't be used,
from 1-24. For example, enter 5 so users can't set a new password to their current
password or any of their previous four passwords. When the value is blank, Intune
doesn't change or update this setting.

Block Touch ID and Face ID unlock: Yes prevents using a fingerprint or face to
unlock devices. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to unlock devices using
biometrics.

Setting to Yes also prevents using FaceID authentication to unlock devices.

Face ID applies to:


iOS 11.0 and newer
iPadOS 13.0 and newer

Settings apply to: Automated device enrollment (supervised)

Block passcode modification: Yes stops the passcode from being changed, added,
or removed. After blocking this feature, changes to passcode restrictions are
ignored on supervised devices. This setting is ignored on Shared iPads. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow passcodes to be added, changed, or removed.

Block modification of Touch ID fingerprints and Face ID faces: Yes stops users
from changing, adding, or removing TouchID fingerprints and Face ID. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to update the TouchID fingerprints and Face
ID on devices.

Blocking this setting also stops users from changing, adding, or removing
FaceID authentication.

Face ID applies to:


iOS 11.0 and newer
iPadOS 13.0 and newer

Block password AutoFill: Yes prevents using the AutoFill Passwords feature.
Choosing Yes also has the following impact:
Users aren't prompted to use a saved password in Safari or in any apps.
Automatic Strong Passwords are disabled, and strong passwords aren't
suggested to users.

When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow these features.

Block password proximity requests: Yes prevents devices from requesting
passwords from nearby devices. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow these
password requests.

Block password sharing: Yes prevents sharing passwords between devices using
AirDrop. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow passwords to be shared.

Require Touch ID or Face ID authentication for AutoFill of password or credit
card information: Yes forces users to authenticate using TouchID or FaceID before
passwords or credit card information can be auto filled in Safari and other apps.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to control this feature in the device
settings.

This feature applies to:


iOS 11.0 and newer
iPadOS 13.0 and newer

¹ When you configure the Maximum minutes of inactivity until screen locks and
Maximum minutes after screen lock before password is required settings, they're
applied in sequence. For example, if you set the value for both settings to 5 minutes,
then the screen turns off automatically after five minutes, and devices are locked after
another five minutes. However, if users turn off the screen manually, then the second
setting is immediately applied. In the same example, after users turn off the screen, the
device locks five minutes later.
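The two lock-timing settings and Apple's rounding rule, as an added example that is not part of the original documentation: a small Python helper that computes the inactivity timeout each platform actually applies, the worst-case time until a passcode is demanded, and whether a policy meets an exposure limit on both platforms. The fallback for values below a platform's smallest option is an assumption; the page doesn't state that case.

```python
"""Work out how Intune's iOS/iPadOS screen-lock settings combine on a device.

Added example, not Microsoft's code. It encodes the option tables for
"Maximum minutes of inactivity until screen locks", Apple's "closest lowest
value" rule, the cap on "Maximum minutes after screen lock before password
is required", and the footnote on the two settings applying in sequence.
Assumption (not stated on the page): a value below a platform's smallest
option falls back to that platform's "Immediately" value.
"""
from typing import Dict, Optional, Union

IMMEDIATELY = "Immediately"
Setting = Union[int, float, str]

# Option tables from the page. "Immediately" is 30 s on iOS and 2 min on iPadOS.
INACTIVITY_OPTIONS: Dict[str, Dict[Setting, float]] = {
    "ios": {IMMEDIATELY: 0.5, 1: 1, 2: 2, 3: 3, 4: 4, 5: 5},
    "ipados": {IMMEDIATELY: 2, 2: 2, 5: 5, 10: 10, 15: 15},
}


def effective_inactivity_minutes(platform: str, configured: Setting) -> float:
    """Inactivity timeout the device applies for the value entered in Intune.

    The Intune UI takes one value for both platforms; a value a platform does
    not offer is mapped to the closest lower option (10 -> 5 on iOS, 4 -> 2 on
    iPadOS).
    """
    table = INACTIVITY_OPTIONS[platform.lower()]
    if configured == IMMEDIATELY:
        return table[IMMEDIATELY]
    if not isinstance(configured, (int, float)) or configured <= 0:
        raise ValueError("expected 'Immediately' or a positive number of minutes")
    lower = [v for k, v in table.items() if k != IMMEDIATELY and v <= configured]
    # Falling back to "Immediately" below the smallest option is an assumption.
    return max(lower) if lower else table[IMMEDIATELY]


def minutes_until_passcode_required(
    platform: str,
    inactivity: Setting,
    grace_after_lock: float,
    manual_screen_off: bool = False,
    device_current_grace: Optional[float] = None,
) -> float:
    """Worst-case minutes from the last touch until a passcode is demanded.

    The screen turns off after the inactivity timeout, and the passcode is
    required grace_after_lock minutes after that. If the user turns the screen
    off by hand, only the grace period applies. A grace period longer than the
    one already set on the device is ignored (the device keeps its own value).
    """
    grace = grace_after_lock
    if device_current_grace is not None and grace > device_current_grace:
        grace = device_current_grace
    if manual_screen_off:
        return grace
    return effective_inactivity_minutes(platform, inactivity) + grace


def meets_exposure_limit(
    inactivity: Setting, grace_after_lock: float, limit_minutes: float
) -> Dict[str, bool]:
    """Per platform: does an unattended device demand a passcode within the limit?

    Because iPadOS rounds down more aggressively, one policy can pass on
    iPadOS and fail on iOS.
    """
    return {
        p: minutes_until_passcode_required(p, inactivity, grace_after_lock) <= limit_minutes
        for p in INACTIVITY_OPTIONS
    }


if __name__ == "__main__":
    # Page example: both settings set to 5 minutes -> passcode after 10 minutes.
    print(minutes_until_passcode_required("ios", 5, 5))
    print(meets_exposure_limit(4, 2, 5))
```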

Restricted apps

Settings apply to: Device enrollment and Automated device enrollment (supervised)

Type of restricted apps list: Create a list of apps that users aren't allowed to install
or use. Your options:
Not configured (default): Intune doesn't change or update this setting. By
default, the OS might allow access to apps you assign, and built-in apps.
Prohibited apps: List the apps (not managed by Intune) that users aren't
allowed to install and run. Users aren't prevented from installing a prohibited
app. If a user installs an app from this list, then the device is reported in the
Devices with restricted apps report (Intune admin center > Devices >
Monitor > Devices with restricted apps).
Approved apps: List the apps that users are allowed to install. To stay compliant,
users must not install other apps. Apps that are managed by Intune are
automatically allowed, including the Company Portal app. Users aren't
prevented from installing an app that isn't on the approved list. But if they do,
it's reported in Intune.

Note

When there's a restricted app on the device, this setting reports as 'Not
compliant'.

To add apps to these lists, you can:

Enter the iTunes App store URL of the app you want. For example, to add the
Microsoft Work Folders app, enter https://itunes.apple.com/us/app/work-folders/id950878067?mt=8
or https://apps.apple.com/us/app/work-folders/id950878067?mt=8.
To find the URL of an app, open the iTunes App Store, and search for the app. For
example, search for Microsoft Remote Desktop or Microsoft Word. Select the app,
and copy the URL.

You can also use iTunes to find the app, and then use the Copy Link task to get the
app URL.

Import a CSV file with details about the app, including the URL. Use the <app url>,
<app name>, <app publisher> format. Or, Export an existing list that includes the
restricted apps list in the same format.

Important

Device profiles that use the restricted app settings must be assigned to user
groups, not device groups.

Shared iPad

This feature applies to:

iPadOS 13.4 and newer

Settings apply to: Automated device enrollment (supervised)

Block Shared iPad temporary sessions: Temporary sessions allow users to sign in
as Guest, and users aren't required to enter a Managed Apple ID or password.

When set to Yes:

Shared iPad users can't use temporary sessions.
Users must sign in to the device with their Managed Apple ID and password.
The Guest account option isn't shown on the lock screen on the devices.

When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS allows a Shared iPad user to sign in to the device with
the Guest account. When the user signs out, none of the user's data is saved or
synced to iCloud.

Show or hide apps

This feature applies to:

iOS 9.3 and newer
iPadOS 13.0 and newer

Settings apply to: Automated device enrollment (supervised)

Type of apps list: Create a list of apps to show or hide. You can show or hide built-
in apps and line-of-business apps. Apple's web site has a list of built-in Apple
apps. Your options:

Not configured (default): Intune doesn't change or update this setting.

Hidden apps: Enter a list of apps that are hidden from users. Users can't view, or
open these apps.

Apple prevents hiding some native apps. For example, you can't hide the
Settings app on the device. Delete built-in Apple apps lists the apps that can
be hidden.

Visible apps: Enter a list of apps that users can view and launch. No other apps
can be viewed or launched.

App URL: Enter the store app URL of the app you want to show or hide. For
example:

To add the Microsoft Work Folders app, enter
https://itunes.apple.com/us/app/work-folders/id950878067?mt=8 or
https://apps.apple.com/us/app/work-folders/id950878067?mt=8

To add the Microsoft Word app, enter
https://itunes.apple.com/de/app/microsoft-word/id586447913 or
https://apps.apple.com/de/app/microsoft-word/id586447913

To find the URL of an app, open the iTunes App Store, and search for the app. For
example, search for Microsoft Remote Desktop or Microsoft Word. Select the app,
and copy the URL.

You can also use iTunes to find the app, and then use the Copy Link task to get the
app URL.

App Bundle ID: Enter the app bundle ID of the app you want. You can show or
hide built-in apps and line-of-business apps. Apple's web site has a list of built-in
Apple apps.

App name: Enter the app name of the app you want. You can show or hide built-in
apps and line-of-business apps. Apple's web site has a list of built-in Apple apps.

Publisher: Enter the publisher of the app you want.

You can also:

Import a CSV file with details about the app, including the URL. Use the <app url>,
<app name>, <app publisher> format. Or, Export to create a list of the restricted
apps you added, in the same format.

Tip

You can import a list of preinstalled Apple apps by downloading the Apple
App BundleIDs CSV (opens a Microsoft GitHub site).
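The CSV import described here and under the restricted apps setting earlier uses the same three-column format, and both take App Store URLs in the two forms shown above. The following is an added example, not Microsoft's tooling: it validates each URL (host, path layout, numeric store id), rejects the same app listed twice under different storefronts, and writes and reads the `<app url>, <app name>, <app publisher>` list. The function names and the sample app entries are constructed for illustration; the two URLs are the ones the article gives.

```python
"""
Build and validate the <app url>, <app name>, <app publisher> CSV that the
Show or hide apps and Restricted apps settings import.

Added example, not Microsoft's tooling. The column order is the one the
article states; the accepted URL shapes are the two the article shows
(itunes.apple.com and apps.apple.com). Function names are assumptions.
"""
import csv
import io
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Both storefront hosts shown in the article are accepted; nothing else is.
STORE_HOSTS = {"itunes.apple.com", "apps.apple.com"}
# A store URL path ends in /id<digits>; the query string (?mt=8) is separate.
STORE_ID_RE = re.compile(r"/id(\d+)$")


def parse_store_url(url: str) -> Dict:
    """Return host, storefront country, slug and numeric store id.

    Raises ValueError for anything that is not an App Store URL, so a typo in
    an imported list is caught before the profile is pushed to devices.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or parts.netloc.lower() not in STORE_HOSTS:
        raise ValueError(f"not an App Store URL: {url!r}")
    match = STORE_ID_RE.search(parts.path)
    if not match:
        raise ValueError(f"no /id<number> at end of path: {url!r}")
    segments = [s for s in parts.path.split("/") if s]
    # Expected layout: /<country>/app/<slug>/id<number>
    if len(segments) != 4 or segments[1] != "app":
        raise ValueError(f"unexpected path layout: {url!r}")
    return {"host": parts.netloc.lower(), "country": segments[0],
            "slug": segments[2], "id": int(match.group(1))}


def is_store_url(url: str) -> bool:
    try:
        parse_store_url(url)
        return True
    except ValueError:
        return False


def duplicate_store_ids(entries: Iterable[Tuple[str, str, str]]) -> List[int]:
    """Store ids that appear more than once (same app via two storefronts)."""
    seen, dupes = set(), []
    for url, _name, _publisher in entries:
        store_id = parse_store_url(url)["id"]
        if store_id in seen and store_id not in dupes:
            dupes.append(store_id)
        seen.add(store_id)
    return dupes


def build_app_csv(entries: List[Tuple[str, str, str]]) -> str:
    """Return CSV text in <app url>, <app name>, <app publisher> order."""
    dupes = duplicate_store_ids(entries)
    if dupes:
        raise ValueError(f"duplicate store ids: {dupes}")
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for url, name, publisher in entries:
        parse_store_url(url)  # validate before writing
        writer.writerow([url.strip(), name.strip(), publisher.strip()])
    return out.getvalue()


def read_app_csv(text: str) -> List[Dict]:
    """Parse an exported or hand-written list, attaching the store id to each row."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != 3:
            raise ValueError(f"expected 3 columns, got {len(row)}: {row}")
        url, name, publisher = (cell.strip() for cell in row)
        rows.append({"url": url, "name": name, "publisher": publisher,
                     "id": parse_store_url(url)["id"]})
    return rows


# Constructed sample list using the two URLs the article gives as examples;
# the publisher strings are sample values.
SAMPLE_APPS = [
    ("https://apps.apple.com/us/app/work-folders/id950878067?mt=8",
     "Work Folders", "Microsoft Corporation"),
    ("https://itunes.apple.com/de/app/microsoft-word/id586447913",
     "Microsoft Word", "Microsoft Corporation"),
]

if __name__ == "__main__":
    print(build_app_csv(SAMPLE_APPS), end="")
```

Running the block prints the two-row CSV ready for import; feeding an exported list to `read_app_csv` gives you the store ids to diff against what is actually installed on devices.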

Wireless

Settings apply to: Device enrollment and Automated device enrollment (supervised)

Block data roaming: Yes prevents data roaming over the cellular network. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow data roaming when the device is on a cellular network.

Important

This setting is treated as a remote device action. So, this setting isn't shown in
the management profile on devices. Every time the data roaming status
changes on the device, Data roaming is blocked by the Intune service. In
Intune, if the reporting status shows a success, then know that it's working,
even though the setting isn't shown in the management profile on the device.

Block global background fetch while roaming: Yes prevents using the global
background fetch feature when roaming over the cellular network. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow devices to fetch data, such as email, when it's roaming on a
cellular network.
Block voice dialing while device is locked: Yes prevents using the voice dialing
feature on devices. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow voice dialing on devices.

Block voice roaming: Yes prevents voice roaming over the cellular network. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow voice roaming when devices are on a cellular network.

Block personal Hotspot: Yes turns off the personal hotspot on devices with every
device sync. This setting might not be compatible with some carriers. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might keep the personal hotspot configuration as the default set by users.

Important

This setting is treated as a remote device action. So, this setting isn't shown in
the management profile on devices. Every time the personal hotspot status
changes on the device, Personal Hotspot is blocked by the Intune service. In
Intune, if the reporting status shows a success, then know that it's working,
even though the setting isn't shown in the management profile on the device.

Cellular usage rules (managed apps only): Allow defines the data types that
managed apps can use when on cellular networks. When set to Not configured
(default), Intune doesn't change or update this setting. Your options:

Block use of cellular data: Choose the apps that can't use cellular data. Your
options:
  Not configured: Intune doesn't change or update this setting.
  All managed apps
  Choose specific apps: Add the app bundle ID, app name, and publisher.

Block use of cellular data when roaming: Choose the apps that can't use
cellular data when roaming. Your options:
  Not configured: Intune doesn't change or update this setting.
  All managed apps
  Choose specific apps: Add the app bundle ID, app name, and publisher.

Settings apply to: Automated device enrollment (supervised)
Block changes to app cellular data usage settings: Yes prevents changes to the
app cellular data usage settings. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to
control which apps are allowed to use cellular data.

Block changes to cellular plan settings: Yes prevents changing any settings in the
cellular plan. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to make changes.

This feature applies to:

iOS 11.0 and newer
iPadOS 13.0 and newer

Block modification of personal hotspot: Yes prevents changing the personal
hotspot setting. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to enable or disable their
personal hotspot.

If you set this setting and the Block personal Hotspot setting to Yes, then the
personal hotspot is turned off.

This feature applies to:

iOS 12.2 and newer
iPadOS 13.0 and newer

Require joining Wi-Fi networks only using configuration profiles: Yes forces
devices to use only Wi-Fi networks set up through Intune configuration profiles.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow devices to use other Wi-Fi networks.

This setting is available for iOS/iPadOS 14.4 and older devices. On iOS/iPadOS
14.5 and newer devices, use the Require devices to use Wi-Fi networks set up
via configuration profiles setting.

When set to Yes, be sure the device has a Wi-Fi profile. If you don't assign a Wi-
Fi profile, then this setting can prevent devices from connecting to the internet.
For example, if this device restrictions profile is assigned before a Wi-Fi profile,
then the device might be blocked from connecting to the internet.

If the device can't connect, then unenroll the device, and re-enroll with a Wi-Fi
profile. Then, set this setting to Yes in a device restrictions profile, and assign
the profile to the device.

This feature applies to:

iOS/iPadOS 14.4 and older

Require Wi-Fi always on: Yes keeps Wi-Fi on in the Settings app. It can't be turned
off in Settings or in the Control Center, even when the device is in airplane mode.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to turn on or turn off Wi-Fi.

Configuring this setting doesn't prevent users from selecting a Wi-Fi network.

This feature applies to:

iOS 13.0 and newer
iPadOS 13.0 and newer

Require devices to use Wi-Fi networks set up via configuration profiles: Yes
forces the device to use Wi-Fi networks set up through configuration profiles.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow devices to use other Wi-Fi networks.

On iOS/iPadOS 14.5 and newer devices, use this setting. Don't use the Require
joining Wi-Fi networks only using configuration profiles setting.

When set to Yes, be sure the device has a Wi-Fi profile. If you don't assign a Wi-
Fi profile, then this setting can prevent devices from connecting to the internet.
For example, if this device restrictions profile is assigned before a Wi-Fi profile,
then the device might be blocked from connecting to the internet.

If the device can't connect, then unenroll the device, and re-enroll with a Wi-Fi
profile. Then, set this setting to Yes in a device restrictions profile, and assign
the profile to the device.

This feature applies to:

iOS/iPadOS 14.5 and newer
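The two settings above share a failure mode the article calls out: if either is set to Yes for a group that has no Wi-Fi profile, devices can lose internet access and need to be unenrolled. They also split by OS version (14.4 and older versus 14.5 and newer). The check below is an added example, not Intune code, that you can run over an export of your assignments before assigning a device restrictions profile. The profile and device dictionary layout, the group names and the helper names are assumptions for illustration; the setting names are the article's.

```python
"""
Pre-assignment check for the two "Wi-Fi networks only via configuration
profiles" settings. Flags (1) a device restrictions profile that turns one
of them on for a group with no Wi-Fi profile assigned, and (2) a targeted
device that would receive the wrong one of the two settings for its OS
version (14.4 and older versus 14.5 and newer).

Added example, not Intune code: the dict layout, group names and helper
names are assumptions; the two setting names are the article's.
"""
from typing import Dict, List, Tuple

OLD_SETTING = "Require joining Wi-Fi networks only using configuration profiles"
NEW_SETTING = "Require devices to use Wi-Fi networks set up via configuration profiles"


def parse_version(version: str) -> Tuple[int, ...]:
    """'14.4.2' -> (14, 4, 2). Tuples compare numerically; strings would not."""
    return tuple(int(part) for part in version.split("."))


def required_wifi_setting(os_version: str) -> str:
    """Which of the two settings the article says to use for this OS version."""
    return NEW_SETTING if parse_version(os_version) >= (14, 5) else OLD_SETTING


def lint_wifi_lock(profiles: List[Dict], devices: List[Dict]) -> List[str]:
    """profiles: dicts with 'name', 'type' ('device_restrictions' or 'wifi'),
    'groups' and, for restrictions profiles, 'settings' mapping a setting name
    to 'Yes' or 'Not configured'. devices: dicts with 'name', 'os_version' and
    'groups'. Returns human-readable findings; an empty list means no issue."""
    findings = []
    groups_with_wifi = {g for p in profiles if p["type"] == "wifi" for g in p["groups"]}
    for prof in profiles:
        if prof["type"] != "device_restrictions":
            continue
        enabled = {s for s in (OLD_SETTING, NEW_SETTING)
                   if prof.get("settings", {}).get(s) == "Yes"}
        if not enabled:
            continue
        # (1) Lockout risk: the restriction reaches a group that has no Wi-Fi profile.
        for group in prof["groups"]:
            if group not in groups_with_wifi:
                findings.append(
                    f"{prof['name']}: group '{group}' gets config-profile-only Wi-Fi "
                    f"but has no Wi-Fi profile assigned (devices may lose internet)")
        # (2) Version split: each targeted device needs the setting for its OS.
        for dev in devices:
            if not set(dev["groups"]) & set(prof["groups"]):
                continue
            wanted = required_wifi_setting(dev["os_version"])
            if wanted not in enabled:
                findings.append(
                    f"{prof['name']}: {dev['name']} runs {dev['os_version']} and needs "
                    f"'{wanted}', which this profile does not set")
    return findings


# Constructed sample data: two groups, only one of which has a Wi-Fi profile,
# and a restrictions profile that only sets the pre-14.5 setting.
SAMPLE_PROFILES = [
    {"name": "Corp Wi-Fi", "type": "wifi", "groups": ["iPads-Warehouse"]},
    {"name": "iOS restrictions", "type": "device_restrictions",
     "groups": ["iPads-Warehouse", "iPhones-Field"],
     "settings": {OLD_SETTING: "Yes", NEW_SETTING: "Not configured"}},
]
SAMPLE_DEVICES = [
    {"name": "ipad-01", "os_version": "14.4.2", "groups": ["iPads-Warehouse"]},
    {"name": "iphone-07", "os_version": "15.1", "groups": ["iPhones-Field"]},
]

if __name__ == "__main__":
    for line in lint_wifi_lock(SAMPLE_PROFILES, SAMPLE_DEVICES):
        print(line)
```

With the sample data the check reports two findings: the iPhones-Field group has no Wi-Fi profile, and iphone-07 on 15.1 needs the 14.5-and-newer setting that the profile does not enable.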

Settings that require supervised mode

iOS/iPadOS supervised mode can only be enabled during initial device setup through
Apple's Device Enrollment Program, or by using Apple Configurator. Once supervised
mode is enabled, Intune can configure a device with the following functionality:

Kiosk Mode (Single App Mode): Referred to as "app lock" in the Apple developer
documentation.
Disable Activation Lock
Autonomous Single App Mode
Web Content Filter
Set background and lock screen
Silent App Push
Always-On VPN
Allow managed app installation exclusively
iBookstore
iMessages
Game Center
AirDrop
AirPlay
Host pairing
Cloud Sync
Spotlight search
Handoff
Erase device
Restrictions UI
Installation of configuration profiles by UI
News
Keyboard shortcuts
Passcode modifications
Device name changes
Automatic app downloads
Apple Music
Mail Drop
Pair with Apple Watch

Note

Apple confirmed that certain settings move to supervised-only in 2019. We
recommend taking this into consideration when using these settings, instead of
waiting for Apple to migrate them to supervised-only:

App installation by end users
App removal
FaceTime
Safari
iTunes
Explicit content
iCloud documents and data
Multiplayer gaming
Add Game Center friends
Siri

Next steps

Assign the profile and monitor its status.

You can also restrict device features and settings on macOS devices.
Add e-mail settings for iOS and iPadOS devices in Microsoft Intune
Article • 02/21/2023

In Microsoft Intune, you can create and configure email to connect to an Exchange
email server, choose how users authenticate, use S/MIME for encryption, and more. The
email profile uses the native or built-in email app on the device, and allows users to
connect to their organization email.

This feature applies to:

iOS/iPadOS

This article describes all the email settings available for devices running iOS/iPadOS. You
can create a device configuration profile to push or deploy these email settings to your
iOS/iPadOS devices.

Before you begin

Deploy your email app. For more information, go to Configure email apps.
Create an iOS/iPadOS e-mail device configuration profile.

Note

These settings are available for all enrollment types. For more information on the
enrollment types, see iOS/iPadOS enrollment.

These settings use the Apple ExchangeActiveSync payload (opens Apple's web
site).

Exchange ActiveSync account settings

Email server: Enter the host name of your Exchange server.

Account name: Enter the display name for the email account. This name is shown
to users on their devices.

Username attribute from AAD: This name is the attribute Intune gets from Azure
Active Directory. Intune dynamically generates the username that's used by this
profile. Your options:
  User Principal Name: Gets the name, such as user1 or user1@contoso.com
  Primary SMTP address: Gets the name in email address format, such as
  user1@contoso.com
  sAM Account Name: Requires the domain, such as domain\user1. Also enter:
    User domain name source: Choose AAD (Azure Active Directory) or Custom.
      AAD: Get the attributes from Azure AD. Also enter:
        User domain name attribute from AAD: Choose to get the Full domain
        name (contoso.com) or the NetBIOS name (contoso) attribute of the
        user.
      Custom: Get the attributes from a custom domain name. Also enter:
        Custom domain name to use: Enter a value that Intune uses for the
        domain name, such as contoso.com or contoso.

Email address attribute from AAD: Choose how the email address for the user is
generated. Make sure your users have email addresses that match the attribute
you select. Your options:
  User principal name: Use the full principal name as the email address, such as
  user1@contoso.com or user1.
  Primary SMTP address: Use the primary SMTP address to sign in to Exchange,
  such as user1@contoso.com.
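The username and email address that land in the profile are derived from directory attributes according to the choices above, and a profile whose generated identity does not match the mailbox simply prompts users for a password that never works. The following is an added example, not Intune code, that reproduces that derivation for a directory record so you can check the result before assignment, including the case the article mentions where a UPN is just `user1` with no domain part. The record field names, the function names and the sample users are assumptions; the option strings are the article's.

```python
"""
Work out the username and email address an iOS/iPadOS email profile would be
generated with for a directory user, following the option names in the
article (Username attribute from AAD, User domain name source, User domain
name attribute from AAD, Email address attribute from AAD).

Added example, not Intune code: the record field names, function names and
sample users are assumptions; the option strings are the article's.
"""
from typing import Dict, List, Optional


def profile_username(user: Dict, attribute: str, domain_source: Optional[str] = None,
                     domain_attribute: Optional[str] = None,
                     custom_domain: Optional[str] = None) -> str:
    """Username for the 'Username attribute from AAD' choice."""
    if attribute == "User Principal Name":
        return user["userPrincipalName"]
    if attribute == "Primary SMTP address":
        return user["primarySmtpAddress"]
    if attribute == "sAM Account Name":
        # sAM Account Name needs a domain prefix: domain\user1
        if domain_source == "AAD":
            if domain_attribute == "Full domain name":
                domain = user["fullDomainName"]
            elif domain_attribute == "NetBIOS name":
                domain = user["netbiosName"]
            else:
                raise ValueError("AAD domain source needs 'Full domain name' or 'NetBIOS name'")
        elif domain_source == "Custom":
            if not custom_domain:
                raise ValueError("Custom domain source needs a custom domain name")
            domain = custom_domain
        else:
            raise ValueError("sAM Account Name needs a user domain name source")
        return f"{domain}\\{user['sAMAccountName']}"
    raise ValueError(f"unknown username attribute: {attribute!r}")


def profile_email_address(user: Dict, attribute: str) -> str:
    """Address for the 'Email address attribute from AAD' choice."""
    if attribute == "User principal name":
        return user["userPrincipalName"]
    if attribute == "Primary SMTP address":
        return user["primarySmtpAddress"]
    raise ValueError(f"unknown email address attribute: {attribute!r}")


def users_needing_attention(users: List[Dict], email_attribute: str) -> List[str]:
    """The article says to make sure users' addresses match the attribute you
    select. Return the UPNs of users whose generated address is missing or is
    not in address form (for example a UPN of just 'user2')."""
    problems = []
    for user in users:
        try:
            address = profile_email_address(user, email_attribute)
        except KeyError:
            problems.append(user.get("userPrincipalName", "<no UPN>"))
            continue
        if "@" not in address:
            problems.append(user.get("userPrincipalName", address))
    return problems


# Constructed sample directory records (field names are assumptions).
SAMPLE_USERS = [
    {"userPrincipalName": "user1@contoso.com", "primarySmtpAddress": "user1@contoso.com",
     "sAMAccountName": "user1", "fullDomainName": "contoso.com", "netbiosName": "CONTOSO"},
    # A UPN with no domain part, which the article shows as a possible value.
    {"userPrincipalName": "user2", "primarySmtpAddress": "user2@contoso.com",
     "sAMAccountName": "user2", "fullDomainName": "contoso.com", "netbiosName": "CONTOSO"},
]

if __name__ == "__main__":
    first = SAMPLE_USERS[0]
    print(profile_username(first, "sAM Account Name", "AAD", "NetBIOS name"))
    print(users_needing_attention(SAMPLE_USERS, "User principal name"))
```

For the sample records, choosing User principal name as the email address attribute flags user2, whose UPN has no domain part, while Primary SMTP address flags nobody.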

Authentication method: Choose how users authenticate to the email server. Your
options:
  Certificate: Select a client SCEP or PKCS certificate profile you previously created
  to authenticate the Exchange connection. This option is the most secure and gives
  users the best experience.
  Username and Password: Users are prompted to enter their user name and
  password.
  Derived credential: Use a certificate that's derived from a user's smart card. For
  more information, see Use derived credentials in Microsoft Intune.

Note

Azure multi-factor authentication isn't supported.

SSL: Enable uses Secure Sockets Layer (SSL) communication when sending emails,
receiving emails, and communicating with the Exchange server.

OAuth: Enable uses Open Authorization (OAuth) communication when sending
emails, receiving emails, and communicating with Exchange. If your OAuth server
uses certificate authentication, choose Certificate as the Authentication method,
and include the certificate with the profile. Otherwise, choose Username and
password as the Authentication method. When using OAuth, be sure to:

Confirm your email solution supports OAuth before targeting this profile to
your users. Microsoft 365 Exchange Online supports OAuth. On-premises
Exchange and other partner or third-party solutions may not support OAuth.
On-premises Exchange can be configured for Modern Authentication. For more
information, see Hybrid modern authentication overview and prerequisites for
on-premises Skype for Business and Exchange servers.

If the email profile uses OAuth, and the email service doesn't support it, then the
Re-Enter password option appears broken. For example, nothing happens when
the user selects Re-Enter password in Apple's device settings.

When OAuth is enabled, end users have a different "Modern Authentication"
email sign-in experience that supports multifactor authentication (MFA).

Some organizations disable the end user's ability to do self-service application
access. In this scenario, the Modern Authentication sign-in may fail until an
administrator creates the "iOS Accounts" enterprise app and grants users access
to the app in Azure AD.

The default action is to add an application using the Application Access Panel
Add App feature without business approval. For more information, see assign
users to applications.

Note

When you enable OAuth, the following happens:

1. Devices that are already targeted are issued a new profile.
2. End users are prompted to enter their credentials again.

Exchange ActiveSync profile configuration

Important

Configuring these settings deploys a new profile to the device, even when an
existing email profile is updated to include these settings. Users are prompted to
enter their Exchange ActiveSync account password. These settings take effect when
the password is entered.

Exchange data to sync: When using Exchange ActiveSync, choose the Exchange
services that are synced on the device: Calendar, Contacts, Reminders, Notes, and
Email. Your options:
All data (default): Sync is enabled for all services.
Email only: Sync is enabled for Email only. Sync is disabled for the other
services.
Calendar only: Sync is enabled for Calendar only. Sync is disabled for the other
services.
Calendar and Contacts only: Sync is enabled for Calendar and Contacts only.
Sync is disabled for the other services.
Contacts only: Sync is enabled for Contacts only. Sync is disabled for the other
services.

This feature applies to:

iOS 13.0 and newer
iPadOS 13.0 and newer

Allow users to change sync settings: Choose if users can change the Exchange
ActiveSync settings for the Exchange services on the device: Calendar, Contacts,
Reminders, Notes, and Email. Your options:
Yes (default): Users can change the sync behavior of all services. Choosing Yes
allows changes to all services.
No: Users can't change the sync settings of all the services. Choosing No blocks
changes to all services.

Tip

If you configured the Exchange data to sync setting to sync only some
services, we recommend selecting No for this setting. Choosing No prevents
users from changing the Exchange service that's synced.

This feature applies to:

iOS 13.0 and newer
iPadOS 13.0 and newer

Exchange ActiveSync email settings

S/MIME: S/MIME uses email certificates that provide extra security to your email
communications by signing, encrypting, and decrypting. When you use S/MIME
with an email message, you confirm the authenticity of the sender, and the
integrity and confidentiality of the message.

Your options:

Disable S/MIME (default): Doesn't use an S/MIME email certificate to sign,
encrypt, or decrypt emails.

Enable S/MIME: Allows users to sign and/or encrypt email in the iOS/iPadOS
native mail application. Also enter:

S/MIME signing enabled: Disable (default) doesn't allow users to digitally
sign the message. Enable allows users to digitally sign outgoing email for the
account you entered. Signing helps users who receive messages be certain
that the message came from the specific sender, and not from someone
pretending to be the sender.

Allow user to change setting: Enable allows users to change the signing
options. Disable (default) prevents users from changing the signing, and
forces users to use the signing you configured.

Signing certificate type: Your options:
Not configured: Intune doesn't update or change this setting.
None: As an administrator, you don't force a specific certificate. Select
this option so users can choose their own certificate.
Derived credential: Use a certificate that's derived from a user's smart
card. For more information, see Use derived credentials in Microsoft
Intune.
Certificates: Select an existing PKCS or SCEP certificate profile that's
used for signing email messages.

Allow user to change setting: Enable allows users to change the signing
certificate. Disable (default) prevents users from changing the signing
certificate, and forces users to use the certificate you configured.

This feature applies to:

iOS 12 and newer
iPadOS 12 and newer

Encrypt by default: Enable encrypts all messages as the default behavior.
Disable (default) doesn't encrypt all messages as the default behavior.

Allow user to change setting: Enable allows users to change the default
encryption behavior. Disable prevents users from changing the encryption
default behavior, and forces users to use the encryption you configured.

This feature applies to:

iOS 12 and newer
iPadOS 12 and newer

Force per-message encryption: Per-message encryption allows users to
choose which emails are encrypted before being sent.

Enable shows the per-message encryption option when creating a new email.
Users can then choose to opt in or opt-out of per-message encryption. If the
Encrypt by default setting is also enabled, enabling per-message encryption
allows users to opt out of encryption per message.

Disable (default) prevents the per-message encryption option from showing.

If the Encrypt by default setting is also disabled, enabling per-message
encryption allows users to opt in to encryption per message.

Encryption certificate type: Your options:
Not configured: Intune doesn't update or change this setting.
None: As an administrator, you don't force a specific certificate. Select
this option so users can choose their own certificate.
Derived credential: Use a certificate that's derived from a user's smart
card. For more information, see Use derived credentials in Microsoft
Intune.
Certificates: Select an existing PKCS or SCEP certificate profile that's
used for signing email messages.

Allow user to change setting: Enable allows users to change the
encryption certificate. Disable (default) prevents users from changing the
encryption certificate, and forces users to use the certificate you
configured.

This feature applies to:

iOS 12 and newer
iPadOS 12 and newer

Amount of email to synchronize: Choose the number of days of email that you
want to synchronize. Or select Unlimited to synchronize all available email.

Allow messages to be moved to other email accounts: Enable (default) allows
users to move email messages between different accounts the users configured on
their devices.

Allow email to be sent from third-party applications: Enable (default) allows users
to select this profile as the default account for sending email. It allows third-party
applications to open email in the native email app, such as attaching files to email.

Synchronize recently used email addresses: Enable (default) allows users to
synchronize the list of email addresses that have been recently used on the device
with the server.

VPN profile for per account VPN: Starting in iOS/iPadOS 14, email traffic for the
native Mail app can be routed through a VPN based on the account the user is
using. When set to None, Intune doesn't enable per-account VPN for this e-mail
profile.

Per-app VPN connections you create are shown in this list. If you select a VPN
profile from the list, any email that's sent to and from this account in the Mail app
uses the VPN tunnel. The per-app VPN connection automatically turns on when
users use their organization account in the Mail app.

This feature applies to:

iOS 14 and newer
iPadOS 14 and newer
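The settings in this section, and the SSL and OAuth settings above, all end up in the Exchange ActiveSync payload that the article says the profile uses. When reviewing a profile it is often easier to audit that payload than to click through the portal. The following is an added example, not Intune or Apple code: it parses a constructed mobileconfig with the standard library `plistlib`, reports the choices the article describes as the weaker ones (SSL off, S/MIME off, a per-message switch combined with encrypt by default so users can opt out, mail movable to other accounts, recents synced), and builds the hardened form beside it. The key names used (Host, SSL, OAuth, SMIMEEnabled, SMIMESigningEnabled, SMIMEEncryptByDefault, SMIMEEnablePerMessageSwitch, PreventMove, disableMailRecentsSyncing) are my reading of Apple's ExchangeActiveSync payload reference and should be checked against the current reference; the finding text and the sample profile are constructed.

```python
"""
Audit the Exchange ActiveSync payload an iOS/iPadOS email profile delivers,
flagging the weaker choices the article describes, and show the hardened
payload beside it.

Added example, not Intune or Apple code. The mobileconfig below is
constructed. The payload key names are my reading of Apple's
ExchangeActiveSync payload reference (verify against the current
reference); findings wording is mine.
"""
import plistlib
from typing import Dict, List

EAS_PAYLOAD_TYPE = "com.apple.eas.account"

# Constructed profile: one EAS account with the weak choices.
WEAK_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mail.weak</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.eas.account</string>
      <key>PayloadIdentifier</key><string>com.example.mail.weak.eas</string>
      <key>Host</key><string>mail.contoso.com</string>
      <key>SSL</key><false/>
      <key>OAuth</key><false/>
      <key>SMIMEEnabled</key><false/>
      <key>PreventMove</key><false/>
      <key>disableMailRecentsSyncing</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""


def eas_payloads(profile: bytes) -> List[Dict]:
    """Return the EAS account payloads inside a mobileconfig."""
    top = plistlib.loads(profile)
    return [p for p in top.get("PayloadContent", [])
            if p.get("PayloadType") == EAS_PAYLOAD_TYPE]


def audit_eas(payload: Dict) -> List[str]:
    """Findings for one EAS payload; an empty list means no weak choice found."""
    findings = []
    if not payload.get("SSL", False):
        findings.append("SSL disabled: mail and credentials to the Exchange server "
                        "are not protected in transit")
    if not payload.get("OAuth", False):
        findings.append("OAuth disabled: sign-in will not use Modern Authentication "
                        "with MFA (acceptable only if the mail service lacks OAuth)")
    if not payload.get("SMIMEEnabled", False):
        findings.append("S/MIME disabled: messages are neither signed nor encrypted")
    else:
        if not payload.get("SMIMESigningEnabled", False):
            findings.append("S/MIME signing disabled: recipients cannot verify the sender")
        encrypt_default = payload.get("SMIMEEncryptByDefault", False)
        per_message = payload.get("SMIMEEnablePerMessageSwitch", False)
        if not encrypt_default:
            findings.append("Encrypt by default off: messages go out unencrypted "
                            "unless users opt in")
        if encrypt_default and per_message:
            findings.append("Per-message switch with encrypt by default: users can "
                            "opt out of encryption")
    if not payload.get("PreventMove", False):
        findings.append("Messages can be moved to other accounts on the device")
    if not payload.get("disableMailRecentsSyncing", False):
        findings.append("Recently used addresses are synced to the server")
    return findings


def hardened(payload: Dict) -> Dict:
    """Same payload with the settings the article presents as the stricter choice."""
    out = dict(payload)
    out.update({
        "SSL": True, "OAuth": True,
        "SMIMEEnabled": True, "SMIMESigningEnabled": True,
        "SMIMEEncryptByDefault": True, "SMIMEEnablePerMessageSwitch": False,
        "PreventMove": True, "disableMailRecentsSyncing": True,
    })
    return out


if __name__ == "__main__":
    for eas in eas_payloads(WEAK_PROFILE):
        for line in audit_eas(eas):
            print("weak:", line)
        print("hardened findings:", audit_eas(hardened(eas)))
```

The hardened form turns OAuth on, which matches the article's guidance only when the mail service supports it; for an on-premises Exchange without Modern Authentication, leave that key as it was and treat the OAuth finding as informational.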

Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and
monitor its status.

Configure email settings on Android, Android Enterprise, and Windows 10 devices.


Add VPN settings on iOS and iPadOS devices in Microsoft Intune
Article • 06/19/2023

Microsoft Intune includes many VPN settings that can be deployed to your iOS/iPadOS
devices. These settings are used to create and configure VPN connections to your
organization's network. This article describes these settings. Some settings are only
available for some VPN clients, such as Citrix, Zscaler, and more.

This feature applies to:

iOS/iPadOS

Before you begin

Create an iOS/iPadOS VPN device configuration profile.

Some Microsoft 365 services, such as Outlook, may not perform well using third
party or partner VPNs. If you're using a third party or partner VPN, and experience
a latency or performance issue, then remove the VPN.

If removing the VPN resolves the behavior, then you can:

Work with the third party or partner VPN for possible resolutions. Microsoft
doesn't provide technical support for third party or partner VPNs.
Don't use a VPN with Outlook traffic.
If you need to use a VPN, then use a split-tunnel VPN. And, allow the Outlook
traffic to bypass the VPN.

For more information, go to:

Overview: VPN split tunneling for Microsoft 365
Using third-party network devices or solutions with Microsoft 365
Alternative ways for security professionals and IT to achieve modern security
controls in today's unique remote work scenarios blog
Microsoft 365 network connectivity principles

If you need these devices to access on-premises resources using modern
authentication and Conditional Access, then you can use the Microsoft Tunnel,
which supports split tunneling.

Note

These settings are available for all enrollment types except user enrollment.
User enrollment is limited to per-app VPN. For more information on the
enrollment types, see iOS/iPadOS enrollment.

The available settings depend on the VPN client you choose. Some settings
are only available for specific VPN clients.

These settings use the Apple VPN payload (opens Apple's web site).

Connection type
Select the VPN connection type from the following list of vendors:

Check Point Capsule VPN

Cisco Legacy AnyConnect

Applies to Cisco Legacy AnyConnect app version 4.0.5x and earlier.

Cisco AnyConnect

Applies to Cisco AnyConnect app version 4.0.7x and later.

SonicWall Mobile Connect

F5 Access Legacy

Applies to F5 Access app version 2.1 and earlier.

F5 Access

Applies to F5 Access app version 3.0 and later.

Palo Alto Networks GlobalProtect (Legacy)

Applies to Palo Alto Networks GlobalProtect app version 4.1 and earlier.

Palo Alto Networks GlobalProtect

Applies to Palo Alto Networks GlobalProtect app version 5.0 and later.

Pulse Secure

Cisco (IPSec)

Citrix VPN
Citrix SSO

Zscaler

To use Conditional Access, or allow users to bypass the Zscaler sign-in screen, you
must integrate Zscaler Private Access (ZPA) with your Azure AD account. For
detailed steps, see the Zscaler documentation.

NetMotion Mobility

IKEv2

IKEv2 settings (in this article) describes the properties.

Microsoft Tunnel (standalone client)(preview)

Applies to the Microsoft Tunnel client app.

Important

Plan for change. On April 29, 2022 both the Microsoft Tunnel connection type
and Microsoft Defender for Endpoint as the tunnel client app became generally
available. With this general availability, the use of the Microsoft Tunnel
(standalone client)(preview) connection type and the standalone tunnel client
app are deprecated and soon will drop from support.
On July 29, 2022, the standalone tunnel client app will no longer be
available for download. Only the generally available version of Microsoft
Defender for Endpoint will be available as the tunnel client app.
On August 1, 2022, the Microsoft Tunnel (standalone client) (preview)
connection type will cease to connect to Microsoft Tunnel.

To avoid a disruption in service for Microsoft Tunnel, plan to migrate your use
of the deprecated tunnel client app and connection type to those that are
now generally available.

Microsoft Tunnel

Applies to the Microsoft Defender for Endpoint app that includes Tunnel client
functionality.

Important

On April 29, 2022, this connection type became generally available and
supports Microsoft Defender for Endpoint as a tunnel client app. However, the
connection type continues to reflect preview.

Custom VPN

Note

Cisco, Citrix, F5, and Palo Alto have announced that their legacy clients don't work
on iOS 12 and later. You should migrate to the new apps as soon as possible. For
more information, see the Microsoft Intune Support Team Blog.

Base VPN settings

Connection name: End users see this name when they browse their device for a list
of available VPN connections.

Custom domain name (Zscaler only): Prepopulate the Zscaler app's sign-in field
with the domain your users belong to. For example, if a username is
Joe@contoso.net, then the contoso.net domain statically appears in the field when
the app opens. If you don't enter a domain name, then the domain portion of the
UPN in Azure Active Directory (AD) is used.

VPN server address: The IP address or fully qualified domain name (FQDN) of the
VPN server that devices connect with. For example, enter 192.168.1.1 or
vpn.contoso.com.

Organization's cloud name (Zscaler only): Enter the cloud name where your
organization is provisioned. The URL you use to sign in to Zscaler has the name.

Authentication method: Choose how devices authenticate to the VPN server.

Certificates: Under Authentication certificate, select an existing SCEP or PKCS
certificate profile to authenticate the connection. Configure certificates provides
some guidance about certificate profiles.

Username and password: End users must enter a username and password to
sign in to the VPN server.

Note

If username and password are used as the authentication method for Cisco
IPsec VPN, you must deliver the SharedSecret through a custom Apple
Configurator profile.

Derived credential: Use a certificate that's derived from a user's smart card. If
no derived credential issuer is configured, Intune prompts you to add one. For
more information, see Use derived credentials in Microsoft Intune.

Excluded URLs (Zscaler only): When connected to the Zscaler VPN, the listed URLs
are accessible outside the Zscaler cloud. You can add up to 50 URLs.

Split tunneling: Enable or Disable to let devices decide which connection to use,
depending on the traffic. For example, a user in a hotel uses the VPN connection to
access work files, but uses the hotel's standard network for regular web browsing.

VPN identifier (Custom VPN, Zscaler, and Citrix): An identifier for the VPN app
you're using, and is supplied by your VPN provider.

Enter key/value pairs for your organization's custom VPN attributes (Custom
VPN, Zscaler, and Citrix): Add or import Keys and Values that customize your VPN
connection. Remember, these values are typically supplied by your VPN provider.

Enable network access control (NAC) (Cisco AnyConnect, Citrix SSO, F5 Access):
When you choose I agree, the device ID is included in the VPN profile. This ID can
be used for authentication to the VPN to allow or prevent network access.

When using Cisco AnyConnect with ISE, be sure to:

If you haven't already, integrate ISE with Intune for NAC as described at
Configure Microsoft Intune as an MDM Server in the Cisco Identity Services
Engine Administrator Guide.
Enable NAC in the VPN profile.

When using Citrix SSO with Gateway, be sure to:

Confirm you're using Citrix Gateway 12.0.59 or higher.
Confirm your users have Citrix SSO 1.1.6 or later installed on their devices.
Integrate Citrix Gateway with Intune for NAC. See the Integrating Microsoft
Intune/Enterprise Mobility Suite with NetScaler (LDAP+OTP Scenario) Citrix
deployment guide.
Enable NAC in the VPN profile.

When using F5 Access, be sure to:

Confirm you're using F5 BIG-IP 13.1.1.5 or later.
Integrate BIG-IP with Intune for NAC. See the Overview: Configuring APM for
device posture checks with endpoint management systems F5 guide.
Enable NAC in the VPN profile.

For the VPN partners that support device ID, the VPN client, such as Citrix SSO, can
get the ID. Then, it can query Intune to confirm the device is enrolled, and if the
VPN profile is compliant or not compliant.

To remove this setting, recreate the profile, and don't select I agree. Then,
reassign the profile.

Enter key and value pairs for the NetMotion Mobility VPN attributes (NetMotion
Mobility only): Enter or import key and value pairs. These values may be supplied
by your VPN provider.

Microsoft Tunnel site (Microsoft Tunnel only): Select an existing site. The VPN
client connects to the public IP address or FQDN of this site.

For more information, see Microsoft Tunnel for Intune.

IKEv2 settings
These settings apply when you choose Connection type > IKEv2.

Always-on VPN: Enable sets a VPN client to automatically connect and reconnect
to the VPN. Always-on VPN connections stay connected or immediately connect
when the user locks their device, the device restarts, or the wireless network
changes. When set to Disable (default), always-on VPN for all VPN clients is
disabled. When enabled, also configure:

Network interface: All IKEv2 settings only apply to the network interface you
choose. Your options:
Wi-Fi and Cellular (default): The IKEv2 settings apply to the Wi-Fi and cellular
interfaces on the device.
Cellular: The IKEv2 settings only apply to the cellular interface on the device.
Select this option if you're deploying to devices with the Wi-Fi interface
disabled or removed.
Wi-Fi: The IKEv2 settings only apply to the Wi-Fi interface on the device.

User to disable VPN configuration: Enable lets users turn off always-on VPN.
Disable (default) prevents users from turning it off. The default value for this
setting is the most secure option.
Voicemail: Choose what happens with voicemail traffic when always-on VPN is
enabled. Your options:
Force network traffic through VPN (default): This setting is the most secure
option.
Allow network traffic to pass outside VPN
Drop network traffic

AirPrint: Choose what happens with AirPrint traffic when always-on VPN is
enabled. Your options:
Force network traffic through VPN (default): This setting is the most secure
option.
Allow network traffic to pass outside VPN
Drop network traffic

Cellular services: On iOS 13.0+, choose what happens with cellular traffic when
always-on VPN is enabled. Your options:
Force network traffic through VPN (default): This setting is the most secure
option.
Allow network traffic to pass outside VPN
Drop network traffic

Allow traffic from non-native captive networking apps to pass outside VPN: A
captive network refers to Wi-Fi hotspots typically found in restaurants and
hotels. Your options:
No: Forces all Captive Networking (CN) app traffic through the VPN tunnel.
Yes, all apps: Allows all CN app traffic to bypass the VPN.
Yes, specific apps: Add a list of CN apps whose traffic can bypass the VPN.
Enter the bundle identifier of each CN app. For example, enter
com.contoso.app.id.package.

Traffic from Captive Websheet app to pass outside VPN: Captive WebSheet is a
built-in web browser that handles captive sign-on. Enable allows the browser
app traffic to bypass the VPN. Disable (default) forces WebSheet traffic to use
the always-on VPN. The default value is the most secure option.

Network address translation (NAT) keepalive interval (seconds): To stay
connected to the VPN, the device sends network packets to remain active. Enter
a value in seconds for how often these packets are sent, from 20-1440. For
example, enter a value of 60 to send the network packets to the VPN every 60
seconds. By default, this value is set to 110 seconds.

Offload NAT keepalive to hardware when device is asleep: When a device is
asleep, Enable (default) has NAT continuously send keep-alive packets so the
device stays connected to the VPN. Disable turns off this feature.

Remote identifier: Enter the network IP address, FQDN, UserFQDN, or ASN1DN of
the IKEv2 server. For example, enter 10.0.0.3 or vpn.contoso.com. Typically, you
enter the same value as the Connection name (in this article). But, it does depend
on your IKEv2 server settings.

Local identifier: Enter the device FQDN or subject common name of the IKEv2 VPN
client on the device. Or, you can leave this value empty (default). Typically, the local
identifier should match the user or device certificate's identity. The IKEv2 server
may require the values to match so it can validate the client's identity.

Client Authentication type: Choose how the VPN client authenticates to the VPN.
Your options:
User authentication (default): User credentials authenticate to the VPN.
Machine authentication: Device credentials authenticate to the VPN.

Authentication method: Choose the type of client credentials to send to the
server. Your options:

Certificates: Uses an existing certificate profile to authenticate to the VPN. Be
sure this certificate profile is already assigned to the user or device. Otherwise,
the VPN connection fails.
Certificate type: Select the type of encryption used by the certificate. Be sure
the VPN server is configured to accept this type of certificate. Your options:
RSA (default)
ECDSA256
ECDSA384
ECDSA521

Shared secret (Machine authentication only): Allows you to enter a shared
secret to send to the VPN server.
Shared secret: Enter the shared secret, also known as the pre-shared key
(PSK). Be sure the value matches the shared secret configured on the VPN
server.

Server certificate issuer common name: Allows the VPN server to authenticate to
the VPN client. Enter the certificate issuer common name (CN) of the VPN server
certificate that's sent to the VPN client on the device. Be sure the CN value
matches the configuration on the VPN server. Otherwise, the VPN connection fails.

Server certificate common name: Enter the CN for the certificate itself. If left
blank, the remote identifier value is used.
Dead peer detection rate: Choose how often the VPN client checks if the VPN
tunnel is active. Your options:
Not configured: Uses the iOS/iPadOS system default, which may be the same as
choosing Medium.
None: Disables dead peer detection.
Low: Sends a keepalive message every 30 minutes.
Medium (default): Sends a keepalive message every 10 minutes.
High: Sends a keepalive message every 60 seconds.

TLS version range minimum: Enter the minimum TLS version to use. Enter 1.0,
1.1, or 1.2. If left blank, the default value of 1.0 is used. When using user
authentication and certificates, you must configure this setting.

TLS version range maximum: Enter the maximum TLS version to use. Enter 1.0,
1.1, or 1.2. If left blank, the default value of 1.2 is used. When using user
authentication and certificates, you must configure this setting.

Perfect forward secrecy: Select Enable to turn on perfect forward secrecy (PFS).
PFS is an IP security feature that reduces the impact if a session key is
compromised. Disable (default) doesn't use PFS.

Certificate revocation check: Select Enable to make sure the certificates aren't
revoked before allowing the VPN connection to succeed. This check is best-effort.
If the VPN server times out before determining if the certificate is revoked, access
is granted. Disable (default) doesn't check for revoked certificates.

Use IPv4/IPv6 internal subnet attributes: Some IKEv2 servers use the
INTERNAL_IP4_SUBNET or INTERNAL_IP6_SUBNET attributes. Enable forces the VPN
connection to use these attributes. Disable (default) doesn't force the VPN
connection to use these subnet attributes.

Mobility and multihoming (MOBIKE): MOBIKE allows VPN clients to change their
IP address without recreating a security association with the VPN server. Enable
(default) turns on MOBIKE, which can improve VPN connections when traveling
between networks. Disable turns off MOBIKE.

Redirect: Enable (default) redirects the IKEv2 connection if a redirect request is
received from the VPN server. Disable prevents the IKEv2 connection from
redirecting if a redirect request is received from the VPN server.

Maximum transmission unit: Enter the maximum transmission unit (MTU) in bytes,
from 1-65536. When set to Not configured or left blank, Intune doesn't change or
update this setting. By default, Apple may set this value to 1280.
This setting applies to:
iOS/iPadOS 14 and newer

Security association parameters: Enter the parameters to use when creating
security associations with the VPN server:

Encryption algorithm: Select the algorithm you want:
DES
3DES
AES-128
AES-256 (default)
AES-128-GCM
AES-256-GCM

Note

If you set the encryption algorithm to AES-128-GCM or AES-256-GCM, then
the AES-256 default is used. This is a known issue, and will be fixed in a
future release. There is no ETA.

Integrity algorithm: Select the algorithm you want:
SHA1-96
SHA1-160
SHA2-256 (default)
SHA2-384
SHA2-512

Diffie-Hellman group: Select the group you want. Default is group 2.

Lifetime (minutes): Enter how long the security association stays active until the
keys are rotated. Enter a whole value between 10 and 1440 (1440 minutes is 24
hours). Default is 1440.

Child security association parameters: iOS/iPadOS allows you to configure
separate parameters for the IKE connection, and any child connections. Enter the
parameters used when creating child security associations with the VPN server:

Encryption algorithm: Select the algorithm you want:
DES
3DES
AES-128
AES-256 (default)
AES-128-GCM
AES-256-GCM

Note

If you set the encryption algorithm to AES-128-GCM or AES-256-GCM, then
the AES-256 default is used. This is a known issue, and will be fixed in a
future release. There is no ETA.

Integrity algorithm: Select the algorithm you want:
SHA1-96
SHA1-160
SHA2-256 (default)
SHA2-384
SHA2-512

Also configure:
Diffie-Hellman group: Select the group you want. Default is group 2.
Lifetime (minutes): Enter how long the security association stays active until the
keys are rotated. Enter a whole value between 10 and 1440 (1440 minutes is 24
hours). Default is 1440.
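Several of the IKEv2 settings above default to the weaker choice (TLS minimum 1.0, perfect forward secrecy disabled, certificate revocation check disabled, Diffie-Hellman group 2), while others default to the value the page calls the most secure option. The Python script below is an added example and is not part of the Intune documentation or product: it audits a profile expressed as a plain dictionary against those settings and reports what should be tightened. The dictionary keys, the two sample profiles and the thresholds are constructed for illustration and are not Intune API properties or Apple VPN payload keys.

```python
"""Audit the IKEv2 settings of an Intune iOS/iPadOS VPN profile for weak choices.

Constructed example: the dictionary keys mirror the setting names on this page
so the audit reads naturally; they are not Intune API property names or Apple
VPN payload keys.
"""
from __future__ import annotations

WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
GCM_ALGORITHMS = {"AES-128-GCM", "AES-256-GCM"}
FORCE_THROUGH_VPN = "Force network traffic through VPN"


def _check_sa(name: str, sa: dict, findings: list[str]) -> None:
    """Check one security-association block (IKE SA or child SA)."""
    enc = sa.get("encryption_algorithm", "AES-256")
    if enc in WEAK_ENCRYPTION:
        findings.append(f"{name}: {enc} is a legacy cipher; use AES-256.")
    elif enc in GCM_ALGORITHMS:
        # Known issue noted on this page: a GCM selection currently results in
        # the AES-256 default being applied, so confirm what the server negotiates.
        findings.append(f"{name}: {enc} selected, but the AES-256 default is applied (known issue).")
    integrity = sa.get("integrity_algorithm", "SHA2-256")
    if integrity in WEAK_INTEGRITY:
        findings.append(f"{name}: {integrity} is SHA-1 based; use SHA2-256 or stronger.")
    group = int(sa.get("diffie_hellman_group", 2))
    if group < 14:
        # Group 2 (the default) is 1024-bit MODP; group 14 is 2048-bit MODP.
        findings.append(f"{name}: Diffie-Hellman group {group} is below 2048-bit; use group 14 or higher.")
    lifetime = int(sa.get("lifetime_minutes", 1440))
    if not 10 <= lifetime <= 1440:
        findings.append(f"{name}: lifetime {lifetime} is outside the accepted range of 10-1440 minutes.")


def audit_ikev2(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing weak was found."""
    findings: list[str] = []

    if float(settings.get("tls_min", 1.0)) < 1.2:
        findings.append("TLS version range minimum is below 1.2 (default 1.0); set it to 1.2.")
    if not settings.get("perfect_forward_secrecy", False):
        findings.append("Perfect forward secrecy is disabled (default); enable it to limit the impact of a compromised session key.")
    if not settings.get("certificate_revocation_check", False):
        findings.append("Certificate revocation check is disabled (default); enable it (it is best-effort and grants access on server timeout).")
    if settings.get("authentication_method") == "Shared secret":
        findings.append("Shared secret (PSK) authentication in use; prefer certificates from an assigned certificate profile.")

    always_on = settings.get("always_on", {})
    if always_on.get("enabled", False):
        if always_on.get("user_can_disable", False):
            findings.append("Users may turn off always-on VPN; the default (Disable) is the most secure option.")
        for traffic in ("voicemail", "airprint", "cellular_services"):
            action = always_on.get(traffic, FORCE_THROUGH_VPN)
            if action != FORCE_THROUGH_VPN:
                findings.append(f"{traffic} traffic is set to '{action}'; the default forces it through the VPN.")
        if always_on.get("captive_websheet_outside_vpn", False):
            findings.append("Captive WebSheet traffic bypasses the VPN; the default (Disable) is the most secure option.")
        keepalive = int(always_on.get("nat_keepalive_seconds", 110))
        if not 20 <= keepalive <= 1440:
            findings.append(f"NAT keepalive interval {keepalive}s is outside the accepted range of 20-1440 seconds.")

    mtu = settings.get("mtu")
    if mtu is not None and not 1 <= int(mtu) <= 65536:
        findings.append(f"MTU {mtu} is outside the accepted range of 1-65536 bytes.")

    _check_sa("IKE SA", settings.get("security_association", {}), findings)
    _check_sa("Child SA", settings.get("child_security_association", {}), findings)
    return findings


# Constructed sample: always-on IKEv2 with certificate auth, everything else at this page's defaults.
DEFAULT_PROFILE = {
    "always_on": {"enabled": True},
    "authentication_method": "Certificates",
}

# Constructed sample: the same profile with the weak defaults tightened.
HARDENED_PROFILE = {
    "always_on": {"enabled": True, "user_can_disable": False},
    "authentication_method": "Certificates",
    "certificate_type": "ECDSA256",
    "tls_min": 1.2,
    "tls_max": 1.2,
    "perfect_forward_secrecy": True,
    "certificate_revocation_check": True,
    "security_association": {"encryption_algorithm": "AES-256", "integrity_algorithm": "SHA2-256",
                             "diffie_hellman_group": 14, "lifetime_minutes": 480},
    "child_security_association": {"encryption_algorithm": "AES-256", "integrity_algorithm": "SHA2-256",
                                   "diffie_hellman_group": 14, "lifetime_minutes": 60},
}

if __name__ == "__main__":
    for label, profile in (("defaults", DEFAULT_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = audit_ikev2(profile)
        print(f"== {label}: {len(result)} finding(s)")
        for finding in result:
            print(" -", finding)
```

Run as-is, the default profile yields five findings (TLS minimum, PFS, revocation check, and group 2 in both the IKE and child SA blocks) and the hardened profile yields none. The range checks mirror the bounds stated on this page; the remaining thresholds encode the reviewer's judgement rather than anything Intune enforces.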

Automatic VPN
Type of automatic VPN: Select the VPN type you want to configure: On-demand
VPN or per-app VPN:

Not configured (default): Intune doesn't change or update this setting.

On-demand VPN: On-demand VPN uses rules to automatically connect or
disconnect the VPN connection. When a device attempts to connect to the
VPN, it looks for matches in the parameters and rules you create, such as a
matching domain name. If there's a match, then the action you choose runs.

For example, you can create a condition where the VPN connection is only used
when a device isn't connected to a company Wi-Fi network. Or, if a device can't
access a DNS search domain you enter, then the VPN connection isn't started.

On-demand rules > Add: Select Add to add a rule. If there isn't an existing
VPN connection, then use these settings to create an on-demand rule. If
there's a match to your rule, then the device does the action you select.
I want to do the following: If there's a match between the device value
and your on-demand rule, then select the action you want the device to
do. Your options:

Establish VPN: If there's a match between the device value and your
on-demand rule, then the device connects to the VPN.

Disconnect VPN: If there's a match between the device value and your
on-demand rule, then the VPN connection is disconnected.

Evaluate each connection attempt: If there's a match between the
device value and your on-demand rule, then use the Choose whether
to connect setting to decide what happens for each VPN connection
attempt:

Connect if needed: If the device is on an internal network, or if
there's already an established VPN connection to the internal
network, then the on-demand VPN won't connect. These settings
aren't used.

If there isn't an existing VPN connection, then for each VPN
connection attempt, decide if users should connect using a DNS
domain name. This rule only applies to domains in the When users
try to access these domains list. All other domains are ignored.

When users try to access these domains: Enter one or more DNS
domains, like contoso.com. If users try to connect to a domain in
this list, then the device uses DNS to resolve the domains you
enter. If the domain doesn't resolve, meaning it doesn't have
access to internal resources, then it connects to the VPN on-
demand. If the domain does resolve, meaning it already has
access to internal resources, then it doesn't connect to the VPN.

Note

If the When users try to access these domains setting is
empty, then the device uses the DNS servers configured
on the network connection service (Wi-Fi/ethernet) to
resolve the domain. The idea is that these DNS servers are
public servers.
The domains in the When users try to access these
domains list are internal resources. Internal resources
aren't on public DNS servers and can't be resolved. So, the
device connects to the VPN. Now, the domain is resolved
using the VPN connection's DNS servers and the internal
resource is available.

If the device is on the internal network, then the domain
resolves, and a VPN connection isn't created because the
internal domain is already available. You don't want to
waste VPN resources on devices already on the internal
network.

If the When users try to access these domains setting is
populated, then the DNS servers on this list are used to
resolve the domains in the list.

The idea is the opposite of the first bullet (When users try
to access these domains setting is empty). For instance,
the When users try to access these domains list has
internal DNS servers. A device on an external network
can't route to the internal DNS servers. The name
resolution times out, and the device connects to the VPN
on-demand. Now the internal resources are available.

Remember this information only applies to domains in the
When users try to access these domains list. All other
domains are resolved with public DNS servers. When the
device is connected to the internal network, the DNS
servers in the list are accessible, and there's no need to
connect to the VPN.

Use the following DNS servers to resolve these domains
(optional): Enter one or more DNS server IP addresses, like
10.0.0.22. The DNS servers you enter are used to resolve the
domains in the When users try to access these domains setting.

When this URL is unreachable, force-connect the VPN: Optional.
Enter an HTTP or HTTPS probing URL that the rule uses as a test.
For example, enter https://probe.Contoso.com. This URL is
probed every time a user tries to access a domain in the When
users try to access these domains setting. The user doesn't see
the URL string probe site.

If the probe fails because the URL is unreachable or doesn't return
a 200 HTTP status code, then the device connects to the VPN.

The idea is that the URL is only accessible on the internal network.
If the URL can be accessed, then a VPN connection isn't needed. If
the URL can't be accessed, then the device is on an external
network, and it connects to the VPN on-demand. Once the VPN
connection is established
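The Connect if needed evaluation described above (the domain list, the optional DNS servers for those domains, and the optional probe URL that must answer HTTP 200) is shown below as an added Python simulation; it is not part of the Intune documentation or of Apple's on-demand VPN implementation. The rule fields, the decide function and the simulated networks are constructed assumptions, and the DNS resolver and URL probe are injected callables so the decision logic runs offline and can be traced case by case.

```python
"""Simulate how an on-demand 'Connect if needed' rule decides whether to start the VPN.

Constructed example: the rule fields and decide() are illustrative and are
not Intune setting names or Apple on-demand rule keys. The DNS resolver and
the URL probe are injected so the logic can be exercised without a network.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

Resolver = Callable[[str, list[str]], bool]   # (hostname, DNS servers) -> did it resolve?
Prober = Callable[[str], Optional[int]]       # probe URL -> HTTP status, None if unreachable


@dataclass
class ConnectIfNeededRule:
    domains: list[str]                                     # "When users try to access these domains"
    dns_servers: list[str] = field(default_factory=list)   # "Use the following DNS servers..." (optional)
    probe_url: Optional[str] = None                        # "When this URL is unreachable, force-connect the VPN"


def domain_matches(host: str, rule_domain: str) -> bool:
    """Match the listed domain itself or any subdomain of it, case-insensitively."""
    host, rule_domain = host.lower().rstrip("."), rule_domain.lower().rstrip(".")
    return host == rule_domain or host.endswith("." + rule_domain)


def decide(host: str, rule: ConnectIfNeededRule, *, vpn_connected: bool,
           on_internal_network: bool, resolve: Resolver, probe: Prober) -> str:
    """Return 'ignore', 'no-connect' or 'connect' for one connection attempt."""
    # Domains outside the list are resolved with the network's DNS and never trigger the VPN.
    if not any(domain_matches(host, d) for d in rule.domains):
        return "ignore"
    # Already on the internal network, or already tunnelled: the rule does nothing.
    if vpn_connected or on_internal_network:
        return "no-connect"
    # DNS test: the rule's own servers if given, otherwise the connection's resolvers.
    if not resolve(host, rule.dns_servers):
        return "connect"
    # Optional probe: anything but HTTP 200 (including unreachable) means we are off-site.
    if rule.probe_url is not None and probe(rule.probe_url) != 200:
        return "connect"
    return "no-connect"


# --- Constructed network simulations ---------------------------------------
PUBLIC_NAMES = {"www.contoso.com", "partner.contoso.com"}   # present in public DNS
INTERNAL_DNS = {"10.0.0.22"}                                 # only routable on-site


def make_resolver(internal_dns_reachable: bool) -> Resolver:
    """Public DNS lacks internal names; rule-specified internal resolvers time out off-site."""
    def resolve(host: str, dns_servers: list[str]) -> bool:
        if dns_servers:
            return internal_dns_reachable and any(s in INTERNAL_DNS for s in dns_servers)
        return host in PUBLIC_NAMES
    return resolve


def make_prober(on_site: bool) -> Prober:
    """The probe URL only answers 200 from inside the network."""
    return lambda url: 200 if on_site else None


RULE_DNS_ONLY = ConnectIfNeededRule(domains=["intranet.contoso.com"])
RULE_WITH_SERVERS = ConnectIfNeededRule(domains=["contoso.com"], dns_servers=["10.0.0.22"])
RULE_WITH_PROBE = ConnectIfNeededRule(domains=["contoso.com"], probe_url="https://probe.contoso.com")


def off_site(host: str, rule: ConnectIfNeededRule) -> str:
    """Device on an external network with no VPN up."""
    return decide(host, rule, vpn_connected=False, on_internal_network=False,
                  resolve=make_resolver(False), probe=make_prober(False))


def on_site(host: str, rule: ConnectIfNeededRule) -> str:
    """Device already on the internal network."""
    return decide(host, rule, vpn_connected=False, on_internal_network=True,
                  resolve=make_resolver(True), probe=make_prober(True))


if __name__ == "__main__":
    for host, rule in (("intranet.contoso.com", RULE_DNS_ONLY), ("www.example.com", RULE_DNS_ONLY),
                       ("www.contoso.com", RULE_WITH_SERVERS), ("partner.contoso.com", RULE_WITH_PROBE)):
        print(f"{host:22} off-site: {off_site(host, rule):10} on-site: {on_site(host, rule)}")
```

The three rules correspond to the three configurations the page walks through: an empty DNS server list (internal names simply fail to resolve off-site), an internal resolver list (resolution times out off-site), and a probe URL for a domain that does resolve publicly but whose probe only answers from inside. The probe is the case worth keeping in mind when designing a rule: a domain that resolves in public DNS will never trigger the VPN on the DNS test alone.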
