New month, big news! For the April (2304) service release, we're excited to bring improvements to the security and user experience for three of the platforms we support for management – Windows, Android, and Mac. First, we're announcing the long-awaited Windows Local Administrator Password Solution (LAPS), which brings the popular security capabilities of on-premises LAPS to the cloud. In another important development, Intune now offers IT pros the ability to add Google accounts to Android Enterprise personally owned devices. And third, new macOS software update policy settings allow end users more choice in scheduling updates while maintaining admin oversight.
Windows Local Administrator Password Solution is finally here
Enterprises have long relied on the widely adopted Microsoft LAPS on-premises solution, which stores and manages the local admin password through Active Directory. But until now, LAPS has only worked on-prem, a major roadblock for enterprises looking to move to the cloud. The new Windows LAPS, now generally available, brings all the legacy LAPS features and functionality to the cloud as well.
It's a development that's been years in the making and anticipated by millions of Windows customers. One customer summed it up nicely: "I'm probably more excited about LAPS than any feature rolled out in the last year."
Windows LAPS provides protection against pass-the-hash and lateral-traversal attacks, improved security for remote help desk scenarios, and the ability to sign in to and recover otherwise inaccessible devices. It offers a fine-grained security model for securing passwords stored in Windows Server Active Directory and support for the Azure role-based access control model for securing passwords stored in Azure Active Directory.
The new solution is built into Windows, which enables improved servicing opportunities and support. You don't need to deploy a client for it. IT admins can use the first-class management experiences built into Microsoft Intune to configure cloud LAPS for a new set of capabilities. With Windows LAPS, admins can:
Configure a policy to choose which directory the local admin password is backed up to.
Create settings for password complexity and rotation schedule, and target them to devices in their environment.
Monitor success using Intune's native reports.
Choose to manually rotate the local admin password on a device outside the scheduled rotation.
View the password itself with the right permissions and see schedules for the last and next rotations.
Adding Google accounts to Android Enterprise personally owned devices
For organizations that use Google Workspace, IT pros can now add Google accounts to Android Enterprise personally owned devices in Intune with a work profile. You can also restrict the features and settings for these devices.
A supplementary feature enables IT pros to configure an "allow" list for the domains of Google accounts that can be added to the work profile. Previously, this was implemented through a separate Custom OMA-URI policy but was often difficult to troubleshoot and challenging to support. Follow-up features will integrate this allow list into the configuration profile creation experience.
These changes deliver on numerous customer requests for this flexibility and open the door for the many organizations using Google Workspace to take advantage of Intune's management capabilities. When released, this capability will be available in all Intune environments, including gov clouds.
Here's a look at the old vs. new user experience:
The old and new user experience for adding Google accounts
New macOS software update policy settings balance admin control and UX
You know I couldn't go long without mentioning great additions we are making to Intune's macOS management! This month we're introducing new settings for software update policies for macOS which will now allow Intune admins to configure the maximum number of user deferrals and specify the scheduling priority of updates to enhance the user experience while maintaining admin control.
The new settings enable greater flexibility for end users to choose when they update while still allowing admins to define guardrails and priority of updates. These settings can be configured for non-critical updates when the "all other updates" field is set to "install later" in the macOS update policy. These settings will be available in all Intune environments, including gov clouds at release.
Here's a screenshot of the new options:
Screenshot of the Microsoft Intune admin center showing options for update policy behavior settings, which include critical updates, firmware updates, configuration file updates, and scheduling
Let us know what you think
What do you think about our new releases? We'd love to hear from you! Please share your feedback by commenting on this post or connect with me on LinkedIn. And stay tuned for more updates next month.