Microsoft Intune Blog

What's new in Microsoft Intune October 2024

ScottSawyer (Microsoft)
Oct 18, 2024

The changing leaves and lengthening shadows on my side of the globe are harbingers of the winter to come and of ghosts, goblins, and other frights that are part of the Halloween celebration. Foremost among the things that scare me—and other IT professionals I know—are security breaches. We are almost a year into our Secure Future Initiative (read more about it in this article by Charlie Bell, Executive Vice President, Microsoft Security), and new Microsoft Intune features are oriented toward improving security. Below are some of the features on offer to help thwart hackers’ “tricks” and a “treat” to help keep the focus on fun when the work day is done.

Anti-spoofing updates for on-premises devices

Spoofing, the act of forging digital credentials to assume a false identity, has long been a strategy for bad actors trying to infiltrate systems. As part of the effort to combat certificate spoofing in on-premises environments, the May 10, 2022, security update KB5014754 made changes to the Active Directory Kerberos Key Distribution Center (KDC), requiring “strong mapping” for all certificates. This required all Simple Certificate Enrollment Protocol (SCEP) certificates delivered through Intune and used for certificate-based authentication against KDCs to have additional security identifier (SID) information embedded in the certificate that associates it with a device or user. Enforcement of this change is scheduled to begin February 2025. In an earlier post, we detailed how Intune might address these new strong mapping requirements for co-managed devices. As a result of customer feedback, we elected to explore an alternate solution.

That solution arrives this month, in the form of support for an SID variable in SCEP profiles as part of the subject alternative name (SAN) value. This initial release supports Windows, iOS/iPadOS, and macOS devices, and we expect Android support to follow next month.

New SID variables are shown as Uniform Resource Identifier (URI) values in the Subject alternative name field of a SCEP certificate configuration policy in Intune.

There is a lot of nuance and detail to this operation, and we recommend testing thoroughly before implementing broadly. 
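As an added example (not code from this post or from Intune), the following Python check shows one way to test, during a pilot, whether issued certificates actually carry a usable SID in a SAN URI entry. The URI prefix `tag:microsoft.com,2022-09-14:sid:` comes from Microsoft's KB5014754 guidance rather than from this post; the function names, the domain SID and the sample inventory are constructed for illustration.

```python
import re

# SAN URI prefix that carries the SID for strong mapping, as documented in
# Microsoft's KB5014754 guidance (assumption: the post does not quote it).
SID_TAG_PREFIX = "tag:microsoft.com,2022-09-14:sid:"
# Textual SID: S-1-<authority> followed by 1 to 15 sub-authorities.
SID_RE = re.compile(r"S-1-\d{1,14}(?:-\d{1,10}){1,15}")

def check_strong_mapping(san_uris, domain_sid=None):
    """Classify one certificate by its SAN URI entries.

    Returns (status, sid); status is "ok", "missing" (no SID tag URI),
    "malformed" (tag present, value is not a SID) or "wrong-domain"
    (valid SID that does not belong to domain_sid).
    """
    tagged = [u for u in san_uris if u.lower().startswith(SID_TAG_PREFIX)]
    if not tagged:
        return ("missing", None)
    sid = tagged[0][len(SID_TAG_PREFIX):].strip()
    if not SID_RE.fullmatch(sid):
        return ("malformed", sid)
    if domain_sid and not sid.startswith(domain_sid + "-"):
        return ("wrong-domain", sid)
    return ("ok", sid)

def audit(inventory, domain_sid=None):
    """Map certificate name -> status for a {name: [san_uri, ...]} inventory."""
    return {name: check_strong_mapping(uris, domain_sid)[0]
            for name, uris in inventory.items()}

# Constructed sample data: the domain SID and certificate names are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = {
    "laptop-01": [SID_TAG_PREFIX + DOMAIN_SID + "-1105"],
    "legacy-profile": ["urn:example:device:42"],   # no SID tag URI at all
    "empty-sid": [SID_TAG_PREFIX],                 # tag present, no SID value
    "other-forest": [SID_TAG_PREFIX + "S-1-5-21-9-8-7-2001"],
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE, DOMAIN_SID).items():
        print(f"{name:15} {status}")
```

Feed it the URI entries exported from each issued certificate's SAN extension; any result other than `ok` marks a certificate that should be reissued before enforcement begins.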

Working time

With this month’s release, IT administrators can now configure notification muting and block access to the Microsoft Teams app for shift workers based on their working time status. This guards valuable time “off the clock” needed to rest and recharge, and it helps employers reduce their liability for notifications outside of working time. Note that the Working Time API must be integrated with your tenant before configuring this capability (or some users could lose access). Read more in the documentation.

Quiet time

When notifications are muted via Intune, which is indicated on the conversation, users will not get pop-up windows or notification badges on app icons. However, they will still be able to see sent messages if they open the app.

Messages can be viewed when notifications are muted, but the conversation icon shows that notifications are “snoozed.”

Blocking access

When access is blocked outside of working time, a user trying to open the app will get the message shown below when the app checks to see if they are clocked in.

Message showing check for working time.

Windows Autopilot device preparation ready for China

In China, Microsoft services including Intune are operated by 21Vianet, an independent data service provider. 21Vianet meets local requirements for secure, reliable, and scalable cloud services, which results in some feature differences for Intune. This month we’re introducing Windows Autopilot device preparation to this market. Prior to this release, devices had to be manually provisioned by IT departments. Now, with this release, the time required to get a new device prepared for end users will be reduced significantly, which will also improve user experience.

Let us know how Intune can help allay your fears as an IT pro. Add your comments, too, if you’re excited to implement these capabilities.


Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

  • mbelik

    Intune is missing a lot of Edge browser policies in Administrative Templates and also in the Settings Catalog.

    If you would like to move users from GPO to cloud, you need to offer the same minimal features as on-premises and add more.

    But many years after Intune was born, there are still basic settings that are not updated and that admins cannot manage as with historical GPOs.

    Please add Edge policies to correct strate

    This is missing, for example:

    https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#control-access-to-page-content-for-entra-id-profiles-accessing-microsoft-copilot-with-enterprise-data-protection-edp-from-the-microsoft-edge-sidebar

    I would not like to hear why this is not in Intune. I would like to hear how fast you will correct all policies and when this will be available in Intune, as on day zero when the browser accepts these policies.

    Thank you


  • I agree with mbelik. The Microsoft Edge GPO team needs to talk to the Intune Settings Catalogue team when they push changes. Sometimes we have to wait multiple months to see the same settings appear in Intune that we had on day one with GPOs. How can we take the move to cloud seriously when Microsoft clearly doesn't have a procedure in place to do this already?

  • JoeH45

    Anthonymelwhrhs This has been going on with multiple products since the Settings Catalog was released. There are also new settings from Windows 11 24H2 that are missing from the Settings Catalog. With Edge, I suspect it's because they are trying to force people into using that Edge configuration policy tool in the O365 Admin Center.

  • AaronMHall

    Like others, I would love to see a better consistency between GPO Administrative Templates with their on-prem templates and Settings Catalog. These should be updated ahead of every major release cycle. This is intern and contractor level work, Microsoft... fix these basic things!

     

    How is anyone supposed to take your AI and Copilot initiatives seriously when the basic things don't work properly?

  • Thanks for the updates, ScottSawyer!

     

    Are you able to share when we can expect Windows 11, version 24H2 to be added as a Target OS in the "Windows Feature Update Device Readiness Report" and "Windows Feature Update Compatibility Risks Report" reports in Intune?

    Also, I've just taken a look at the article you linked to about implementing strong mapping for Intune certificates, and it looks like there is an implementation for PKCS certificates too, not just SCEP. You might want to add that to your post!