New features and updates are paramount to improving the functionality of the various devices and applications that businesses use. This is necessary, especially if companies expect high levels of performance. It’s also essential as the tasks that we deal with grow more complex.
Not only do companies want to maintain performance but they also need tech companies to address any existing issues. As a result, organizations like Microsoft will offer many new features. These updates are for services like Microsoft Intune and Windows 365.
Because of the updates, released in 2024, overall user experiences will greatly improve. Let’s discuss the recent additions and explore how they might help elevate, simplify, and improve your business operations.
Improvements to Microsoft Intune
2024 has been a year with a lot of innovation from Microsoft across its various products and services. Plenty of this effort prioritizes Microsoft Intune improvements, bringing us features such as:
New capabilities for Windows Autopilot
Windows Autopilot is a service that makes the device deployment process faster and less complex. Companies benefit immensely from Autopilot’s ability to do away with the labor-intensive process previously necessary to provision new devices. And, Microsoft has additional service improvements to share.
Earlier this year, an announcement introduced an exciting new release – device preparation. This brilliant new innovation will enable the accommodation of more devices and delivery of more efficient results. Moreover, it will allow for the provisioning of cloud instances such as Windows 365.
Still, Microsoft ensures customers that the original, existing Windows Autopilot architecture is still in place. Because of this, you still have access to all your favorite features. IT admins can now enjoy a faster and simpler addition of groups to devices. This is due to enrollment time grouping, which replaces dynamic grouping. This creates a process that assigns app policies and scripts to devices more efficiently.
NEW SECURITY BASELINE
A key reason for updating devices and applications is to strengthen security and address vulnerabilities. Companies want to make sure that their security measures can stay ahead of the methods being employed by cybercriminals.
Hence the introduction of an update to the Microsoft Defender for Endpoint security baseline. These one-click collections of policies can be applied to devices (and device groups) in Intune. They also provide you with a way to configure all your organization’s devices with the same security policies.
Setting up your security measures in this way makes it’s easier to maintain the same security levels across the entire enterprise. This particular update offers a much better way of implementing the configuration recommendations made by the Microsoft Defender for Endpoint team. Furthermore, because it’s based on the Windows unified settings platform, you also get:
- Quicker turnaround for updates.
- Improved reporting, including per-setting status reports.
- Assignment filter support.
- Improved UI.
- Consistent names across Intune.
Platform single sign-on (SSO) has arrived for macOS device enrollment
Signing in to multiple applications and websites using different credentials can be a tedious task. It can also be difficult for many people to keep up with all their sign-in information and passwords. This is why Platform Single Sign On (SSO) is a wonderful solution for streamlining the authentication process.
Because of how local account credentials synchronize with an individual’s IdP, one will only need to log in once. Platform SSO can help your company improve its security posture and enhance productivity.
Owing to the integration of SSI with Apple’s Secure Enclave technology, your organization can enable phishing-resistant, hardware-bound, passwordless authentication on Mac through Intune. In addition to better security, end-users can enjoy a less complex and faster out-of-the-box experience. This is possible because all they’ll need to set up their devices are their Entra ID passwords.
End-users also get to work more efficiently. This SSO experience, unique to Intune, enables them to sign in to their Outlook, Teams, and other Microsoft 365 apps simultaneously.
Installation of macOS apps on demand via Intune
Microsoft has done plenty of work to develop systems that can provide more capable Mac management. Intune has made providing IT admins and end-users a better, more efficient platform one of its key objectives. And one of the main reasons they’ve been able to achieve that is by leveraging feedback from customers.
Of note among the latest developments, are options that admins can provide to users for downloading unmanaged applications. These specifically apply in PKG and DMG format via the Intune Company Portal app.
Furthermore, to reduce the reliance on line-of-business app workflow or third-party tools to deploy optional applications, Intune added the “available” assignment type to the well-known “required” type. As one of the most requested features by Mac device administrators, this should be a well-received development as it will help both end-users and admins save time.
Expanded support for Microsoft Managed Home Screen
Microsoft Managed Home Screen (MHS) is an enterprise launcher application that enables IT admins to customize their devices and restrict the capabilities that a user can access. If you configure in multi-kiosk mode in Intune, MHS launches automatically as the default home screen on the device. This customizable launcher serves as a key tool for IT admins to better manage devices. It also ensures that users are performing at the expected levels.
As organizations provide users with increasingly more powerful devices, they need to make sure that business operations improve accordingly. The availability of Managed Home Screen is expanding from just user-less kiosks or shared devices to corporate-owned, fully managed devices associated with a specific user as well. As a result, this means capabilities are will extend to a wider range of use cases and applications.
BitLocker RECOVERY KEY
Having access to a BitLocker recovery key allows you to unlock an Intune-enrolled PC if you have the misfortune of forgetting your sign-in password and getting locked out. The stored recovery key is accessible from the Intune Company Portal website. It’s also accessible in the Intune Company Portal app.
Without this key, users would typically need to contact the Help Desk for assistance. As one can imagine, it’s easy to see why this option is better. It offers greater support to users while lightening the load on IT professionals.
Going forward, this update will enable end-users to access their BitLocker recovery key directly from the Company Portal website. Because of this, your organization can expect to benefit from a more intuitive and streamlined path to recovery.
This should also help improve productivity because end-users won’t need to wait for the delays that sometimes occur while waiting for IT support to assist them. And with IT having this task taken care of for them, they will have more time to dedicate to more productive endeavors.
CORPORATE IDENTIFIERS
This feature aims to verify that corporate devices are labeled as corporate-owned as soon as they enroll. It does so by adding their corporate identifiers ahead of time in the Microsoft Intune admin center.
For businesses, corporate device management provides you with more capabilities than that for personal devices. This new change will help organizations restrict the application of the corporate-owned devices label only to authorized devices.
Adding corporate identifiers to Intune requires you to upload a file of corporate identifiers in the admin center or enter each identifier separately. Also important to note is the fact that you don’t need to add corporate identifiers for all deployments. During enrollment, Intune automatically assigns corporate-owned status to devices that join to Microsoft Entra via:
- Device enrollment manager account (all platforms)
- An Apple device enrollment program such as Apple School Manager, Apple Business Manager, or Apple Configurator (iOS/iPadOS only)
- Windows Autopilot
- Co-management with Microsoft Intune and group policy (GPO)
- Azure Virtual Desktop
- Automatic mobile device management (MDM) enrollment via provisioning package
- Knox Mobile Enrollment
- Android Enterprise management:
- Corporate-owned devices with work profile.
- Fully managed devices.
- Dedicated devices.
- Android Open Source Project (AOSP) management:
- Corporate-owned user-associated devices
- Corporate-owned userless devices
- Google Zero Touch
Windows 365 Cloud PC security baseline updates
From the new, additional features and updates to Microsoft Intune, it’s clear to see that increasing efficiency matters. Strengthening security is also of utmost importance. And the same applies here.
Configuring security settings can often be a complex, time-consuming task that few will enjoy especially if you are still a novice. These deployed policy templates with Intune aim to establish Microsoft Security–recommended settings are central to the security strategies employed by Intune.
To ensure that you get the most from these measures, Intune has set it up such that these baselines can be tailored to your unique needs. Additionally, this particular update requires you to manually update your customizations, if any, from the previous baseline. This baseline, which comes highly recommended, will also give you:
- Faster deployment of baseline version updates
- Improved user interface and reporting experience (such as per-setting status reports)
- More consistent naming across the Intune portal
- Elimination of setting “tattooing”
- Ability to use assignment filters for profiles
New updates and features for Windows 365
Similar to Microsoft Intune, Windows 365 has also introduced several updates to the Cloud PC service. Some of these include:
ADDITIONS TO DEVICE MANAGEMENT CAPABILITIES
| Update | What it offers |
| Windows 11 Cloud PCs now support EN-NZ | As of September 2024, Windows 11 Cloud PCs now support EN-NZ. |
| Support for symmetric NAT with RDP Shortpath | The goal is to develop an RDP Short path in Windows 365 such that it can support setting up an indirect UDP connection using Traversal Using Relays around NAT (TURN) for symmetric NAT. Most are probably aware that TURN is a widely accepted standard for device-to-device networking for low latency, high-throughput data transmission. |
| Uni-directional clipboard support is now generally available | With service release 2407 in July 2024, came the release of uni-directional clipboard support into general availability. |
| Closing port 3389 by default for newly provisioned and reprovisioned Cloud PCs | Going forward, expect to find the inbound port 3389 closed by default. This update has come about as a means to further safeguard your Windows 365 environment. |
| Chroma subsampling default change to 4:2:0 | This change has been made to help reduce monitor support issues. The Windows 365 service will now default to the chroma subsampling at 4:2:0. instead of the previous 4:4:4. |
| Windows 365 Boot and Windows 365 Switch now support battery status redirection | In a move that should be welcomed by users, Windows 365 Boot and Windows 365 Switch will now offer support for battery status redirection. Therefore, you can now view your local PCs battery status on a Cloud PC. |
| Upgrade Windows 365 licenses in Microsoft admin center | All clients with Modern Microsoft Cloud Agreements can now upgrade their existing Windows 365 licenses in the Microsoft Admin Center. |
| New Windows 365 Cloud PC images available in the gallery | As of May 2024, you can now access new Cloud PC gallery images for Windows 10 and Windows 11. These improved images have harmonized optimizations with Windows 365 apps images for better policy management: Win 10 Enterprise Cloud PC: 21H2, 22H2,Win 11 Enterprise Cloud PC: 21H2, 22H2, 23H2 |
| Manage redirections for Cloud PCs on iOS/iPadOS devices | The Intune admin center can now be used to handle redirections for iOS/iPadOS users who access their Cloud PCs using Microsoft Remote Desktop and Windows App. |
DEVICE SECURITY UPDATES
| Update | What it offers |
| Session lock experience configuration for single sign-on | This new update offers clients the ability to configure the remote session lock experience when single sign-on (SSO) is enabled between the default disconnect behavior and showing the remote lock screen. Enabling SSO allows you to use passwordless authentication and third-party Identity Providers that federate with Microsoft Entra ID to sign in to your Cloud PC. This tool offers an SSO experience when authenticating to the Cloud PC and inside the session when accessing Microsoft Entra ID-based apps and websites. |
| Windows 365 support for Microsoft Purview Customer Key | Windows 365 clients are also being given a feature that supports the encryption of Cloud PCs by setting up Microsoft Purview Customer Key. |
| Customer Lockbox | With service release 2407 is new Windows 365 Government support for Microsoft Purview Customer Lockbox. The Customer Lockbox prevents Microsoft from accessing your content without explicit approval. This feature gets you integrated into the approval workflow process that Microsoft uses thereby restricting access to your content only to authorized requests. |
| Single sign-on Windows 365 clients authentication change | Single sign-on for Windows 365 is switching to the use of the Windows Cloud Login Entra ID cloud app for Windows authentication. This change will begin with the Windows and Web clients. |
| FQDNs removed from requirement list | Several of the required FQDNs have in the past been moved to the *.infra.windows365.microsoft.com wildcard FQDN. This move reduces the initial configuration requirements and the change rate of connectivity requirements. As of May 2024, the old FQDNs have been removed from the requirement list. |
| Microsoft Purview Data Loss Prevention | In March 2024 (service release 2403), it was announced that Microsoft Purview Data Loss Prevention (DLP) will now support Windows 365 Enterprise. Getting access to DLP means that you can now monitor the actions that are being taken on items you’ve determined to be sensitive. Moreover, this also helps you block unintentional sharing of these items. As soon as you onboard devices into the Microsoft Purview solutions, data concerning what users are doing with sensitive items becomes available in activity explorer. |
| Windows 365 Boot shared mode supports FIDO | This change can help your business strengthen the security of your Windows 365 environment. Because Windows 365 Boot shared mode now supports FIDO, enterprises can leverage hardened authentication measures that minimize the risk of successful attacks. |
MONITOR AND TROUBLESHOOT
| Update | What it offers |
| New Intune report and device action for Windows enrollment attestation (public preview) | The device status attestation report gives you information about devices that have either Completed, Failed, or Not started enrollment attestation. With the new device attestation status report in Microsoft Intune, you can find out if a device has attested and enrolled securely while being hardware-backed. |
| Cloud PC utilization report for Windows 365 Government | The Cloud PC utilization report offers you a useful tool for monitoring and optimizing Cloud PC usage in your organization. You can glean from it information such as how much time users are spending on their Cloud PCs or when they last connected. As of June 2024, support for this feature is now available to Windows 365 Government. |
| Cloud PC size recommendations report | This Cloud PC recommendations report is now out of preview and generally available. The report is an AI-powered feature that enables administrators to determine the correct size for Cloud PCs. By assessing data such as end-user Cloud PC usage patterns, platform level resource utilization data, and performance needs, you can work out the best Cloud PC configuration for your users. |
| Cloud PCs that aren’t available report | Generally available as of May 2024 (service release 2404). Simplifies the task for admins by helping them identify Cloud PCs that may be currently unavailable. The report will give you information concerning conditions up to 5 to 15 minutes ago. As a result, you could potentially find Cloud PCs in the report that have already recovered. |
| Improvements to Cloud PC connection quality report | Several upgrades to the Cloud PC connection quality report became generally available in March. The improvements that you can look forward to include: A more comprehensive view of the overall performance of your Cloud PCs.A more detailed view of devices when they are in a state of poor performance due to high round trip times.Tenant level visibility to most recent/current for:Round Trip Time.Bandwidth.Connection Time.UDP Utilization.Connection specific detail on client IP and associated CPC Gateway.Filters for all columns. |
| Alerts for Windows 365 Frontline maximum concurrent Cloud PCs | Windows 365 administrators will be getting even more information to help them better manage their Cloud PC environments. With this update, admins receive alerts notifying them when the maximum concurrent Cloud PCs are active for Windows 365 Frontline subscriptions. |
| Device action data kept for 90 days | You get to view actions performed within the last 90 days. To access this information, navigate to the Overview page for individual Cloud PCs. |
UPDATES TO WINDOWS 365 BOOT
| Update | What it offers |
| Shared and dedicated Windows 365 Boot device | Using Windows 365 Boot, admins can configure Windows 11 physical devices so that users can: Avoid signing in to their physical device.Sign in directly to their Windows 365 Cloud PC on their physical device. To add to the flexibility, Windows 365 Boot now supports both dedicated and shared PC scenarios. |
| Windows 365 Boot sign-in page customization | Another update for Windows 365 Boot is the availability of sign-in page customization. Previously in preview, this feature became generally available in February. |
| Windows 365 Boot fail fast notifications | Adding to the previous new updates is fail fast notifications. Beginning in February as well, Windows 365 Boot detection and notification of network or application setup issues transitioned to general availability. |
| Management of local PC settings | The last update for February allowed for changes regarding the management of local PC settings. Going forward, users will be able to manage local PC settings through their Windows 365 Boot Cloud PC. |
Wrap up
Ensuring that your IT environment is operating at peak efficiency is a goal that every company should have. Optimizing the functions of applications and devices is integral to maintaining elevated productivity levels. This is why one cannot overstate the importance of the new features and updates. It’s why we regularly see them from Microsoft Intune and Windows 365.
Not only do they keep your business running smoothly. They constantly address any issues that may arise. As a business, your needs change as the operating environment evolves. Therefore, there is a need for services like Intune and the Cloud PC that can keep up with those changes.
