Microsoft

Microsoft Endpoint Manager Intune Feedback

Suggestion box powered by UserVoice

Ideas

What features would you like to see?

All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Endpoint Manager Intune, though we can’t promise to reply to all posts.

Standard Disclaimer – our lawyers made us put this here ;-) We have partnered with UserVoice, a third-party service, so you can give us feedback. Please note that the Intune feedback site is moderated and is a voluntary participation-based project. Please send only feature suggestions and ideas to improve Intune. Do not send any novel or patentable ideas, copyrighted materials, samples or demos. Your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy, including the license terms.


  1. Support Multiple Sites / Locations

    We need the ability to have multiple sites or locations with different configurations from enrolment restrictions and automated enrolment, all the way through to configuration profiles and applications.

    e.g. Personas - One site for Production users and another for Developers
    e.g. Locations - One site for New Zealand and another for Australia

    This would allow companies to have greater separation of environments, locations and/or persona configurations from the ground up.

    All other MDMs support this type of segregation and it allows for a much safer, simpler operating model.

    15 votes
    0 comments  ·  Mobile Device Management (general)
  2. Extend WIP to protect Outlook mailbox data

    In this Gitlab thread it has been confirmed that at this point in time Windows Information Protection does not protect Outlook OST and PST files for remote wipe or encryption by default.

    This means if Outlook is used in Cached Exchange Mode (the default), any mailbox data downloaded by Outlook will not be removed as part of a remote device wipe, nor will it be protected by WIP encryption by default.

    This should be highlighted as a major limitation in WIP until it is no longer the case.

    https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6172

    19 votes
    1 comment
  3. Fill dynamic group with (non)compliant devices based on specific compliancy setting

    I would like the ability to create a dynamic device group that will fill with devices based on a (non)compliant setting, for example Trusted Platform Module (TPM) or Secure Boot, but it would be best to have all compliancy settings available. I want to use this group to link it to a PowerShell script or Win32 application to fix problems Intune can't fix/remediate for you.

    7 votes
    1 comment
  4. Add sync option to Intune for Android Enterprise Fully Managed Devices

    Without the sync option we cannot force devices to check in with Intune. Devices that have not checked in recently to Intune (due to being switched off during vacation or long-term leave) cannot have their passcode reset. This will mean these devices will need to be factory reset and re-enrolled. This will cause a huge knock-on effect during the holiday season for both the staff and the ICT department.

    29 votes
    0 comments  ·  Remote Assistance/Control
  5. Let us use dual sim app duplication

    Many dual SIM phones let the user create two identical apps for applications that are bound to the SIM and don't let you create multiple accounts (like, for instance, WhatsApp). For instance, on Samsung phones there is a feature for this purpose called "Dual Messaging" that relies on the underlying KNOX Secure Folder app. Sadly there is no way to enable KNOX Secure Folder on an Android Enterprise-enrolled phone (even when enabling the app there are still restrictions that make it impossible to install/run), so this is not possible. Until Android makes it natively possible to install multiple copies of an app (or magically…

    34 votes
    0 comments  ·  Android-specific
  6. Conditional Access Policy "Require app protection policy" support for Teams mobile app

    Support Microsoft Teams mobile app for use with 'require app protection policy' access control in Conditional Access policies.

    Currently only OneDrive, Outlook, Cortana, and Planner are supported.

    https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-app-protection-policy

    12 votes
    1 comment  ·  App protection policies (APP/MAM)
  7. Don't pop-up PowerShell console when running script in user context

    When a PowerShell script is deployed in user context to Windows devices, a PowerShell window will briefly pop-up for the user, which can interrupt their productivity when there are many scripts being deployed.

    The AgentExecutor (C:\Program Files (x86)\IntuneManagementExtension\AgentExecutor.exe) runs PowerShell scripts entirely silently, for example when it does detections for Win32 apps.

    Please allow us to deploy PowerShell scripts with Intune fully silent too, without briefly popping up the PowerShell window.

    17 votes
    0 comments  ·  Scripting-Graph/PowerShell
  8. Microsoft Whiteboard Client as Approved client app requirement for Conditional Access

    Please add Microsoft Whiteboard Client as Approved client app requirement for Conditional Access so that this is not blocking productivity on iOS/Android when trying to secure SharePoint/OneDrive.
    https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference#approved-client-app-requirement

    295 votes
    9 comments  ·  Conditional Access
  9. Set custom background and logos via Android Enterprise device configuration policy

    Currently, setting custom backgrounds on Android Enterprise MDM devices in Intune is only available for devices that are in a kiosk mode configuration. It would be useful to enforce a custom background and logo on managed Android Enterprise devices within Intune in a non-kiosk mode configuration.

    Is this something in the pipeline?

    36 votes
    4 comments  ·  Mobile Device Management (general)
  10. Intune MAM setup of Edge to download to user's OneDrive using a Protection Policy or Configuration Policy

    We are trying to use MAM setup of the Office products with Intune. We have run into an issue when a user gets a meeting invite through a URL link. Because the Protection Policy does not allow local download to the mobile device, they could not open it.

    It would be useful to configure the managed browser (Edge) to download (or temporarily download and share) directly to their OneDrive.

    36 votes
    1 comment
  11. Android Dedicated Device - Enforce PIN for Device Unlock

    Enable a way we can enforce a policy to set a PIN code at a device level on Corporate Owned Dedicated Devices (Kiosk mode).

    At present we are having to get our onsite IT staff to manually set a PIN on the device after enrollment, but still the users could go in and change the lock screen method from PIN code to Swipe, thus removing the security aspect.

    113 votes
    14 comments  ·  Android-specific
  12. Disable prompts that offer to save password is not working as expected.

    According to Microsoft documentation, the "Disable prompts that offer to save password" setting for the Edge browser on iOS and Android devices should be working. However, after deploying this setting to managed and unmanaged devices, the setting does not seem to work as suggested in Microsoft documentation: https://docs.microsoft.com/en-us/mem/intune/apps/manage-microsoft-edge#disable-prompts-that-offer-to-save-passwords

    18 votes
    0 comments  ·  Apps config and deployment
  13. toast

    Move toast notifications to only show AFTER application detection has run and requires installation.

    13 votes
    1 comment  ·  Apps config and deployment
  14. Need to be able to report on Multiple Sim card Numbers

    At the moment I seem to be able to report on 1 ICCID\SIM card number; however, a lot of devices these days can support multiple "eSIMs" or soft SIMs and also have physical SIM card slot(s).

    The issue I have is that some devices that I am supporting will have 1 physical SIM card and also an eSIM. The physical SIM card is their personal SIM and the eSIM is the corporate number. When I report on it at the moment I get a mix between either the physical SIM or the eSIM, but I need to report on ALL SIMs in…

    36 votes
    0 comments  ·  Intune Data Warehouse
  15. direct device / machine risk integration in CA

    Please make the device/machine risk from MDATP (and via the Mobile Threat Defense Connector) available as a condition in CA. The integration via the device compliance is too limited.
    As an example I'd like to configure the following scenario:
    - Access to App A only with Compliant Devices
    - Access to App B only with Compliant Devices and max risk level low

    15 votes
    0 comments  ·  Conditional Access
  16. Attack surface reduction rule setting names and reporting

    1) Make sure that the attack surface reduction rule setting names are the same across security baselines and device configuration baselines.

    2) Instead of just reporting all attack surface reduction rules conflict in one big bag as "AttackSurfaceReductionRules", separate each setting so we know which setting is in conflict.

    3) Put the 3 missing attack surface reduction rules from device configuration profile in security baselines so we avoid setting conflict when we have those enabled. The settings are "Process creation from PSExec and WMI commands", "Executables that don’t meet a prevalence, age, or trusted list criteria" and…

    13 votes
    1 comment
  17. Support configuring "MAC randomization"-attribute for Android 10+

    The Android 10+ default setting for new WiFi-networks seems to be "MAC-randomization = enabled" to prevent tracking across public WiFis.
    This setting should be changeable for Intune-configured networks to keep the network functional with MAC whitelisting-rules in your WiFi-configuration.

    11 votes
    0 comments  ·  Certs, Email, VPN, Wi-Fi
  18. Allow shared mailbox in app configuration profile for Outlook

    When we create an app configuration profile for Outlook and enable the option for users to add only work or school accounts, they are not allowed to add a shared work mailbox. And when we disable the option they are allowed to add a shared work mailbox but also a personal mailbox (i.e. Gmail). This is clearly not as intended. Make sure that users can add shared work/school mailboxes but not personal mailboxes!

    62 votes
    4 comments  ·  Apps config and deployment
  19. Merge Windows Defender Antivirus Exclusions from multiple policies

    If you configure multiple Device Configuration policies for Defender Antivirus, the file, folder and process exclusions are not merged like they are with Group Policies.
    Only one policy configuration will win with the settings.

    Please change the behavior that File, Folder and Process exclusions are merged from multiple policies in Intune.

    9 votes
    0 comments  ·  Device Configuration Profiles
  20. Remove DEM-account restriction of max 10 Device Owner (Fully managed) enrollments

    Intune-documentation says a Device Enrollment Manager has a restriction of 10 Work-profile enrollments, but apparently the same limit applies for Device Owner (Fully managed) -enrollments.
    https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll

    Sometimes you can enroll more than 10 Device Owner -devices, but it's not supported (according to Microsoft support) and the limit can be reached anytime.

    This makes DEM-accounts very ineffective for Android mass enrollment (since Device Admin -deprecation).

    18 votes
    1 comment  ·  Android-specific