Ideas
What features would you like to see?
All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Endpoint Manager Intune, though we can’t promise to reply to all posts.
Standard Disclaimer – our lawyers made us put this here ;-) We have partnered with UserVoice, a third-party service, so you can give us feedback. Please note that the Intune feedback site is moderated and is a voluntary participation-based project. Please send only feature suggestions and ideas to improve Intune. Do not send any novel or patentable ideas, copyrighted materials, samples or demos. Your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy, including the license terms.
-
Intune duplicate Compliance policies
Intune applies compliance policies to machines twice. One for the Signed in AAD user, and another for the 'System Account'. The devices in question become uncompliant due to the system account not getting logged into. When devices are marked not-compliant, and you have a conditional access policy this makes things difficult. Users will no longer be able to access company data when marked 'not-compliant'. Please have the compliance policy only apply to the signed in AAD user. Having to remote into PCs and sign into a root user just so the compliance policy hits is not good! Thanks
558 votes -
Device Compliance | Conditional Access | Firefox
Hello,
Please allow Firefox to be used with Conditional Access policy to be able to check for Device Compliance.
Many users use Firefox as primary browser, but then they are limited in SharePoint.
197 votes -
Force Application/Policy Updates
I need to be able to force application and configuration updates on devices, and not wait for the timers. Even though a "Sync" button was put in place, it still doesn't seem to invoke any immediate update to the devices.
Since all of our devices are supervised and we control apps via VPP, if for some reason they don't get an app update, I have to either set the app to uninstall for the group and then reinstall, or reset the device (and then wait for the device to reconfigure).
Optimal outcomes:
A "Install Now" button that will immediately go…
142 votes -
Device Compliance for Devices only
Device Compliance reporting for devices only. We use shared devices in our environment. Compliance policies are running for all users that sign into a device messing up our reporting. For instance, a compliance policy for minimum OS version runs for all users that sign into a device. One user sets the device non-compliant because it does not meet the requirements. Next user signs in after it updates to minimum requirements and sets the compliance only for that user. The device still shows non-compliant because of the previous user who may never login to that device again to mark it compliant.
108 votes -
noncompliant apps reports in Azure Portal
When creating rule for "Restricted Apps", the tooltip says
Device compliance can be viewed in the Restricted Apps Compliance report
However, there is no such report available in the Azure portal as confirmed by support. In the classic console, this report is called "Noncompliant Apps Reports".
Without such a report, the rule to specify noncompliant apps is actually useless. Please consider adding the feature to the new Azure portal to complete the migration.
107 votes -
Enable creation of custom compliance policies
Windows 10 CSPs are being extended in every Windows 10 release but many of these capabilities are not available in Intune. For configuration policies we have the ability to create our own custom policies so there is no roadblock to adoption.
However we cannot do this for compliance policies. I understand that compliance policy is a little more complex as it is critical to ensure the user understands the reason for non-compliance via the company portal.
This could be resolved by allowing us to specify some custom text to be displayed in the company portal if the device fails the…
78 votes -
Add firewall, AV, UAC to compliance policy
In Windows 10 1607 devicestatus.csp was extended to include support for AV, firewall and UAC status.
https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/devicestatus-csp
However none of these features can be utilised in Intune compliance policies. We would like the ability to block access to corporate resources if AV or FW are disabled etc. Whilst Windows 10 device health attestation can check for ELAM this requires TPM 2.0.
As the Windows 10 product team has added these capabilities into the OS... please add them into Intune! Unlike configuration policies we cannot create custom compliance policies in order to take advantage of these features ourselves. Allowing custom compliance…
65 votes
For the release the week of Nov 6:
Admins can now configure the Firewall settings on a device using a device configuration profile
Admins can turn on firewall for devices, and also configure various protocols for domain, private, and public networks. These firewall settings can be found in the “Endpoint protection” profile.
https://docs.microsoft.com/en-us/intune/whats-new -
Compliance details reporting
I love to use PowerBI to get data that I want. But I need to make a report which shows which compliance / configuration policy item fails and on which devices. Like report of devices that have one CI in Failed state.
63 votes -
Force device compliance check remote action
It would be great to have the possibility to force a device compliance check on one or multiple devices or even a group of devices.
It could be an additional remote action.
61 votes -
Forcing a device to become non-compliant based on one or more device configurations status
For example, if I configured a device configuration policy to block USB, and for some reason this setting couldn't execute to the device or returned with an error, the device becomes noncompliant and therefore will get blocked via "Require device to be marked as compliant" conditional access rule.
The idea is to have a check box next to each device configuration policy, which lets IT admin enable or disable this policy as a mandatory requirement for the device to be compliant. Alternatively it could be a good idea to let IT admin configure a custom compliance condition, such as…
60 votes -
Compliance policy assignment function for "all devices"
When you assign a compliance policy to a device registered with a DEM account, you must assign that policy to the device.
Therefore, when assigning a policy, "All devices" is required as an option in addition to "All users".
※I used Google Translate.
51 votes -
Expose compliance state to local processes
I'd like to be able to 'detect' if a device is compliant or not from local processes such as PowerShell scripts. I'm currently using this method to locally detect if a device is compliant or not but this is a bit 'hacky' and doesn't seem future proof.
https://www.lieben.nu/liebensraum/2020/01/ps-oneliner-to-get-local-device-compliance-state/
Please expose compliance state through the registry, a local API call or WMI.
46 votes -
Add option to block Jailbroken/Rooted devices
At my company and probably many others we have listed in our mobile device policy that jailbroken and/or rooted devices are not accepted. In Microsoft Intune's compliance policy you can also state that a device is noncompliant if it's jailbroken/rooted however it's still accepted and it gets its certificate profiles and such.
Is it possible to create an option within Microsoft Intune when a user tries to enroll a jailbroken and/or rooted device that they receive a notification that enrollment is blocked for jailbroken/rooted devices?
It would make my job as Microsoft Intune responsible a lot easier than playing policeman for…
34 votes -
Intune compliance policy based on script
Now we have only a specific set of compliance verification rules. A good solution would be to add ability to verify compliance based on the output of the PowerShell script. This will allow to create any compliance rules. For example, checking that the required software is installed.
32 votes -
Compliance Policy - An Application must be installed
It would be useful that we could prevent access to company data if an application is installed. Currently we have an app to control internet access. As there is no policy to prevent an app being uninstalled can we have conditional access or a compliance policy to prevent access if an application is not installed on a device.
29 votes -
Device Compliance policy support Windows Edition
Please support Windows edition with compliance policy. Because there is no way to eliminate the Home Edition now. I would like to have access control by dividing Home, Pro, Enterprise
26 votes -
Compliance policy only works when location services is set to Always
Currently if you want to detect jailbroken devices and make them non compliant you have to set the location services to Always. If the user disables the location services their device becomes non compliant and their access or apps will be revoked. Having location always on has privacy issues and also drains the battery. If a user turns it off by accident then they lose access to apps/resources.
Other MDMs have different solutions for this problem for instance one sends a silent Apple Push Notifications from the server/cloud service and check for jailbroken device or policy updates in a interval…
22 votes -
Intune - Device Non-Compliance Notification - End User must get the Non-Compliance alert with (Username, Device ID, Reason of non-Compliance)
End User & IT Admin must get the Non-Compliance alert & email notification with (Username, Device ID, Reason of non-compliance) and so on.
In the message option, a string option should be introduced to customize the notification template, and the end user will get the required Machine and device details in alert and email notification.
22 votes -
Real Delegation on configuration policies
Hello,
We are using Intune on more than 1000 clients and now the need arises, the configuration policies can only be edited by the creator.
At the moment every service administrator is able to edit every configuration policy.
15 votes -
Add "Last Check In Time" as a compliance policy parameter
I would like to be able to use the compliance policy feature to send an automated email to users who have a device with a "last check in" past a certain number of days. So if a user's iPad has not "checked in" with Intune for 7 days (for example), an email is sent to that user letting them know it needs to be powered on and connected.
14 votes