security
11 Topics

Support tip: Upcoming Microsoft Intune network changes
We know many customers don’t always check their service change messages in the Microsoft 365 admin center or the corresponding Message Center content in the Microsoft Intune admin center, so in this blog post we’re highlighting an important upcoming change to Intune network service endpoints. Starting on or shortly after December 2, 2025, Intune will also use Azure Front Door IP addresses to improve security and simplify firewall management. If your organization uses outbound traffic policies based on IP addresses or service tags, you’ll want to review and update your firewall rules to avoid service disruptions. We’ll keep you updated if the timeline shifts.

In the meantime, here’s the service change communication that posted to all Intune customers:

MC1147982 - Action Required: Update firewall configurations to include new Intune network endpoints

As part of Microsoft’s ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use Azure Front Door IP addresses. This improvement supports better alignment with modern security practices and, over time, will make it easier for organizations using multiple Microsoft products to manage and maintain their firewall configurations. As a result, customers may be required to add these network (firewall) configurations in third-party applications to enable proper function of Intune device and app management. This change will affect customers using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags. Do not remove any existing network endpoints required for Microsoft Intune.
Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below:

Public clouds: Download Azure IP Ranges and Service Tags – Public Cloud from the Official Microsoft Download Center
Government clouds: Download Azure IP Ranges and Service Tags – US Government Cloud from the Official Microsoft Download Center

The additional ranges are those listed in the JSON files linked above and can be found by searching for “AzureFrontDoor.MicrosoftSecurity”. Note that these files are republished regularly and the prefixes behind a tag change over time, so an allowlist built from the literal IP ranges needs a refresh process of its own; a firewall that understands Azure service tags natively picks up those changes without manual edits.

How this will affect your organization

If you have configured an outbound traffic policy for Intune IP address ranges or Azure service tags on your firewalls, routers, proxy servers, client-based firewalls, VPN or network security groups, you will need to update them to include the new Azure Front Door ranges with the “AzureFrontDoor.MicrosoftSecurity” tag. Intune requires internet access for devices under Intune management, whether for mobile device management or mobile application management. If your outbound traffic policy doesn’t include the new Azure Front Door IP address ranges, users may face login issues, devices might lose connectivity with Intune, and access to apps like the Intune Company Portal or those protected by app protection policies could be disrupted.

What you need to do to prepare

Ensure that your firewall rules are updated and the additional IP addresses documented under Azure Front Door are added to your firewall’s allowlist by December 2, 2025. Alternatively, you may add the service tag “AzureFrontDoor.MicrosoftSecurity” to your firewall rules to allow outbound traffic on port 443 to the addresses in the tag. If you are not the IT admin who can make this change, notify your networking team.
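As an added example (not part of the original post or of any Microsoft tooling), the script below does the "search the JSON for AzureFrontDoor.MicrosoftSecurity" step programmatically: it pulls the prefixes for one service tag out of a document shaped like the downloadable ServiceTags JSON, validates and collapses them into the fewest firewall rules per address family, and diffs two snapshots so a weekly refresh only touches what changed. The two documents are constructed to match the published file layout (a top-level "values" array, each entry with "name" and "properties.addressPrefixes"); the prefixes are documentation ranges, not real Azure addresses. Python is used here rather than PowerShell so the logic can be run anywhere the JSON is downloaded.

```python
"""Extract the prefixes behind one Azure service tag and diff two snapshots.

Added example for this post; not Microsoft code. SNAPSHOT_OLD/SNAPSHOT_NEW
are constructed to mirror the layout of the ServiceTags_Public_<date>.json
download; the prefixes are RFC 5737/3849 documentation ranges, not real ones.
"""
import ipaddress
import json

SERVICE_TAG = "AzureFrontDoor.MicrosoftSecurity"


def _snapshot(change_number, tag_change, prefixes):
    # Builds a constructed document in the shape of the downloadable file.
    return json.dumps({
        "changeNumber": change_number, "cloud": "Public",
        "values": [
            {"name": SERVICE_TAG, "id": SERVICE_TAG,
             "properties": {"changeNumber": tag_change, "region": "",
                            "platform": "Azure", "systemService": "AzureFrontDoor",
                            "addressPrefixes": prefixes}},
            {"name": "AzureFrontDoor.Frontend", "id": "AzureFrontDoor.Frontend",
             "properties": {"changeNumber": 40, "region": "",
                            "platform": "Azure", "systemService": "AzureFrontDoor",
                            "addressPrefixes": ["198.51.100.0/24"]}},
        ],
    })


# Constructed "last week" and "this week" files: one IPv4 range added,
# the IPv6 range replaced. Not real Azure data.
SNAPSHOT_OLD = _snapshot(330, 12, ["203.0.113.0/25", "203.0.113.128/25",
                                   "2001:db8:10::/48"])
SNAPSHOT_NEW = _snapshot(331, 13, ["203.0.113.0/25", "203.0.113.128/25",
                                   "192.0.2.0/24", "2001:db8:20::/48"])


def parse_snapshot(text):
    """Parse the downloaded JSON text into a dict."""
    return json.loads(text)


def prefixes_for_tag(doc, tag):
    """Return the raw addressPrefixes for one service tag.

    Fails loudly if the tag is absent: a silent empty result would produce
    an allowlist with nothing in it, which is exactly the outage to avoid.
    """
    for entry in doc.get("values", []):
        if entry.get("name") == tag:
            return set(entry["properties"]["addressPrefixes"])
    raise KeyError(f"service tag {tag!r} not present in this file")


def split_and_collapse(prefixes):
    """Validate every prefix, separate IPv4 from IPv6 and merge adjacent or
    overlapping networks so the firewall receives the fewest rules."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4], [str(n) for n in v6]


def diff_tag(old_doc, new_doc, tag):
    """Prefixes to add to, and remove from, the allowlist between snapshots."""
    old, new = prefixes_for_tag(old_doc, tag), prefixes_for_tag(new_doc, tag)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    new_doc = parse_snapshot(SNAPSHOT_NEW)
    v4_rules, v6_rules = split_and_collapse(prefixes_for_tag(new_doc, SERVICE_TAG))
    print("IPv4 allow (tcp/443):", v4_rules)
    print("IPv6 allow (tcp/443):", v6_rules)
    added, removed = diff_tag(parse_snapshot(SNAPSHOT_OLD), new_doc, SERVICE_TAG)
    print("added since last snapshot:", added, "removed:", removed)
```

The diff output is what a change ticket for the firewall team should contain; collapsing the prefixes matters on appliances with rule-count limits, but keep the uncollapsed list if your platform needs rules to match the published file exactly for audit purposes.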
If you are responsible for configuring internet traffic, refer to the following documentation for more details: Azure Front Door, Azure service tags, Intune network endpoints, US government network endpoints for Intune. If you have a helpdesk, inform them about this upcoming change. If you need additional assistance, contact Microsoft Intune Support and refer to this Message Center post.

Note: The above post went to all customers in our public cloud. Customers in Microsoft Intune for US Government GCC High and DoD received the following post (the only difference is the focus on US government network endpoints): MC1147978 - Action Required: Update firewall configurations to include additional Intune network endpoints

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.

Blocking and removing apps on Intune managed devices (Windows, iOS/iPadOS, Android and macOS)
By: Michael Dineen - Sr. Product Manager | Microsoft Intune

This blog was written to provide guidance to Microsoft Intune admins that need to block or remove apps on their managed endpoints. This includes blocking the DeepSeek – AI Assistant app in accordance with government and company guidelines across the world (e.g. the Australian Government’s Department of Home Affairs Protective Security Policy Framework (PSPF) Direction 001-2025, Italy, South Korea). The guidance in this blog uses the DeepSeek – AI Assistant app and its associated website as an example, but you can use it for other apps and websites as well. It is supplemental to previously published guidance, which is more exhaustive about the steps administrators need to take to identify, report on, and block prohibited apps across their managed and unmanaged mobile devices: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices.

iOS/iPadOS devices

For ease of reference, the following information is required to block the DeepSeek – AI Assistant app:

App name: DeepSeek – AI Assistant
Bundle ID: com.deepseek.chat
Link to Apple App Store page: DeepSeek – AI Assistant
Publisher: 杭州深度求索人工智能基础技术研究有限公司 (Hangzhou DeepSeek Artificial Intelligence Basic Technology Research Co., Ltd.)

Corporate devices (supervised)

Hide and prevent the launch of the DeepSeek – AI Assistant app

The most effective way to block an app on supervised iOS/iPadOS devices is to prevent it from being shown or launched.

1. Create a new device configuration profile and select Settings Catalog for the profile type (Devices > iOS/iPadOS > Configuration profiles).
2. On the Configuration settings tab, select Add settings and search for Blocked App Bundle IDs. Select the Restrictions category and then select the checkbox next to the Blocked App Bundle IDs setting.
(Screenshot: Devices > Configuration profile settings picker showing 'Blocked App Bundle IDs')
3. Enter the Bundle ID: com.deepseek.chat
4. Assign the policy to either a device or user group.
Note: The ability to hide and prevent the launch of specific apps is only available on supervised iOS/iPadOS devices. Unsupervised devices, including personal devices, can’t use this option.

Uninstall the DeepSeek – AI Assistant app

If a user has already installed the app from the Apple App Store, it will persist on the device even though they can’t launch it once the policy above is configured. Use the steps below to automatically uninstall the app on devices that have it installed. While the policy remains assigned, it will also uninstall the app if it gets installed again at any point in the future.

1. Navigate to Apps > iOS/iPadOS apps.
2. Select + Add and choose iOS store app from the list.
3. Search for DeepSeek – AI Assistant and choose Select.
(Screenshot: Apps > iOS/iPadOS > Add App, searching for the 'DeepSeek - AI Assistant' app)
4. Accept the default settings, then select Next.
5. Modify the Scope tags as required.
6. On the Assignments tab, under the Uninstall section, select + Add group, + Add all users or + Add all devices, depending on your organization’s needs.
7. Select Create on the Review + create tab to complete the setup.

Monitor the status of the uninstall by navigating to Apps > iOS/iPadOS, selecting the app, and then selecting Device install status or User install status. The status will change to Not installed.

Personal devices – Bring your own device (BYOD)

Admins have fewer options to manage settings and apps on personal devices. Apple provides no facility on unsupervised (including personal) iOS/iPadOS devices to hide or block access to specified apps. Instead, admins have the following options:

1. Use an Intune compliance policy to prevent access to corporate data via Microsoft Entra Conditional Access (simplest and quickest to implement).
2. Use a report to identify personal devices with specific apps installed.
3. Take over the app with the user’s consent.
4. Uninstall the app.

This guide will focus on option 1.
For further guidance on the other options refer to: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices.

Identify personal devices that have DeepSeek – AI Assistant installed and prevent access to corporate resources

You can use compliance policies in Intune to mark a device as either “compliant” or “not compliant” based on several properties, such as whether a specific app is installed. Combined with Conditional Access, you can then prevent the user from accessing protected company resources from a non-compliant device.

1. Create an iOS/iPadOS compliance policy by navigating to Devices > iOS/iPadOS > Compliance policies > Create policy.
2. On the Compliance settings tab, under System Security > Restricted apps, enter the name and app Bundle ID and select Next.
   Name: DeepSeek – AI Assistant
   Bundle ID: com.deepseek.chat
3. Under Actions for noncompliance, leave the default action Mark device noncompliant configured to Immediately and then select Next.
4. Assign any Scope tags as required and select Next.
5. Assign the policy to a user or device group and select Next.
6. Review the policy and select Create.

Devices that have the DeepSeek – AI Assistant app installed are shown in the Monitor section of the compliance policy. Navigate to the compliance policy and select Device status under Monitor > View report. Devices that have the restricted app installed are shown in the report and marked as “Not compliant”. When combined with the Require device to be marked as compliant grant control, Conditional Access blocks access to protected corporate resources on devices that have the specified app installed.

Android devices

Android Enterprise corporate owned, fully managed devices

Admins can optionally choose to allow only designated apps to be installed on corporate owned fully managed devices by configuring Allow access to all apps in Google Play store in a device restrictions policy.
If this setting has been configured as Block or Not configured (the default), no additional configuration is required, as users are only able to install apps allowed by the administrator.

Uninstall DeepSeek

To uninstall the app and prevent it from being installed via the Google Play Store, perform the following steps:

1. Add a Managed Google Play app in the Microsoft Intune admin center by navigating to Apps > Android > Add, then select Managed Google Play app from the drop-down menu.
2. Enter DeepSeek – AI Assistant in the Search bar, select the app in the results, click Select and then Sync.
3. Navigate to Apps > Android and select DeepSeek – AI Assistant > Properties > Edit next to Assignments.
4. Under the Uninstall section, add a user or device group, select Review + save and then Save.

After the next sync, Google Play will uninstall the app, and the user will receive a notification on their managed device that the app was “deleted by your admin”. The Google Play Store will no longer display the app. If the user attempts to install or access the app directly via a link, an error is displayed on the user’s managed device.

Android Enterprise personally owned devices with work profile

For Android Enterprise personally owned devices with a work profile, use the same settings as described in the Android Enterprise corporate owned, fully managed devices section to uninstall and prevent the installation of restricted apps in the work profile.

Note: Apps installed outside of the work profile can’t be managed by design.

Windows devices

You can block users from accessing the DeepSeek website on Windows devices that are enrolled into Microsoft Defender for Endpoint. Blocking users’ access to the website also prevents them from adding DeepSeek as a progressive web app (PWA). This guidance assumes that devices are already enrolled into Microsoft Defender for Endpoint.
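Before moving on to the Windows steps, here is an added example (not from the post and not Intune product code) that models the iOS/iPadOS "Restricted apps" compliance rule configured above: it evaluates a bundle-ID block list against a constructed device inventory exactly the way the rule does (exact identifier match, so a look-alike bundle ID is not caught), and builds the Microsoft Graph request body for the same policy so the portal steps can be repeated across tenants. The inventory is constructed; the Graph names used (iosCompliancePolicy, restrictedApps, appListItem, scheduledActionsForRule and actionType "block") are my reading of the beta device-management schema and are an assumption to confirm against current Graph documentation. Only iOS devices appear because the post gives the iOS bundle ID, not the Android package name.

```python
"""Model the 'Restricted apps' compliance rule and build its Graph payload.

Added example for this post; not Intune code. INVENTORY is constructed.
Graph property names are assumed from the beta schema (see comments).
"""

# From the post: the single app the policy restricts.
RESTRICTED_APPS = [
    {"name": "DeepSeek – AI Assistant", "appId": "com.deepseek.chat"},
]

# Constructed inventory: ownership and installed bundle IDs per iOS device.
INVENTORY = [
    {"deviceName": "iPhone-01", "ownership": "personal",
     "apps": ["com.microsoft.CompanyPortal", "com.deepseek.chat"]},
    {"deviceName": "iPad-02", "ownership": "company",
     "apps": ["com.microsoft.CompanyPortal"]},
    # Look-alike identifier: the rule matches bundle IDs exactly, so this
    # device stays compliant unless the look-alike is added to the list.
    {"deviceName": "iPhone-03", "ownership": "personal",
     "apps": ["com.deepseek.chat.helper", "com.microsoft.Office.Outlook"]},
]


def noncompliant_devices(inventory, restricted):
    """Return {deviceName: [matching bundle IDs]} for devices the rule marks
    noncompliant. Matching is an exact, case-sensitive identifier comparison,
    which is the behaviour to expect from a bundle-ID list."""
    blocked = {app["appId"] for app in restricted}
    hits = {}
    for device in inventory:
        found = sorted(blocked.intersection(device["apps"]))
        if found:
            hits[device["deviceName"]] = found
    return hits


def build_graph_policy(display_name, restricted, description=""):
    """Request body for POST /beta/deviceManagement/deviceCompliancePolicies.

    Assumed schema: iosCompliancePolicy.restrictedApps is a collection of
    appListItem (name, appId). A compliance policy must carry at least one
    scheduled action; actionType "block" is the portal's "Mark device
    noncompliant" and gracePeriodHours 0 is "Immediately". The ruleName
    value is the one Intune's own exports use and is an assumption here.
    """
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": display_name,
        "description": description,
        "restrictedApps": [
            {"@odata.type": "#microsoft.graph.appListItem",
             "name": app["name"], "appId": app["appId"]}
            for app in restricted
        ],
        "scheduledActionsForRule": [
            {"ruleName": "PasswordRequired",
             "scheduledActionConfigurations": [
                 {"actionType": "block", "gracePeriodHours": 0,
                  "notificationTemplateId": "",
                  "notificationMessageCCList": []}
             ]}
        ],
    }


if __name__ == "__main__":
    print("would be marked noncompliant:", noncompliant_devices(INVENTORY, RESTRICTED_APPS))
    policy = build_graph_policy("Block DeepSeek – AI Assistant", RESTRICTED_APPS,
                                "Marks devices with com.deepseek.chat noncompliant")
    print("restricted app IDs in payload:",
          [a["appId"] for a in policy["restrictedApps"]])
```

Submitting the payload needs an app registration with the DeviceManagementConfiguration.ReadWrite.All permission and, as in the portal steps, an assignment to a group before it takes effect; the offline evaluation is useful for predicting how many devices a new entry in the list will push out of compliance before the Conditional Access grant control starts blocking them.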
Using Microsoft Defender for Endpoint to block access to websites in Microsoft Edge

First, Custom Network Indicators needs to be enabled.

Note: After configuring this setting, it may take up to 48 hours after a policy is created for a URL or IP address to be blocked on a device.

Access the Microsoft Defender admin center and navigate to Settings > Endpoints > Advanced features and enable Custom Network Indicators by selecting the corresponding radio button. Select Save preferences.

Next, create a Custom Network Indicator.

1. Navigate to Settings > Endpoints > Indicators, select URLs/Domains and click Add Item.
2. Enter the following, and then click Next:
   URL/Domain: https://deepseek.com
   Title: DeepSeek
   Description: Block network access to DeepSeek
   Expires on (UTC): Never
3. You can optionally generate an alert when a website is blocked by network protection by configuring the following, then click Next:
   Generate alert: Ticked
   Severity: Informational
   Category: Unwanted software
   Note: Change the above settings according to your organization’s requirements.
4. Select Block execution as the Action and click Next, review the Organizational scope and click Next.
5. Review the summary and click Submit.

Note: After configuring the Custom Network Indicator, it can take up to 48 hours for the URL to be blocked on a device. Once the Custom Network Indicator becomes active, the user sees the DeepSeek website blocked when attempting to access it via Microsoft Edge.
(Screenshot: DeepSeek website blocked in Microsoft Edge)

Using Defender for Endpoint to block websites in other browsers

After configuring the above steps to block access to DeepSeek in Microsoft Edge, admins can leverage Network Protection to block access to DeepSeek in other browsers. Create a new Settings Catalog policy by navigating to Devices > Windows > Configuration > + Create > New Policy, select the following and then click Create:
   Platform: Windows 10 and later
   Profile type: Settings Catalog
Enter a name and description and click Next.
Click + Add settings and in the search field, type Network Protection and click Search. Select the Defender category and select the checkbox next to Enable Network Protection. Close the settings picker and change the drop-down selection to Enabled (block mode) and click Next. Assign Scope Tags as required and click Next. Assign the policy to a user or device group and click Next. Review the policy and click Create.

When users attempt to access the website in other browsers, they will see an error that the content is blocked by their admin.

macOS

macOS devices that are onboarded to Defender for Endpoint and have Network Protection enabled are also unable to access the DeepSeek website in any browser, as the same Custom Network Indicator works across both Windows and macOS. Ensure that you have configured the Custom Network Indicator as described earlier in the guidance.

Enable Network Protection

Enable Network Protection on macOS devices by performing the following in the Microsoft Intune admin center:

1. Create a new configuration profile by navigating to Devices > macOS > Configuration > + Create > New Policy > Settings Catalog and select Create.
2. Enter an appropriate name and description and select Next.
3. Click + Add settings and in the search bar, enter Network Protection and select Search. Select the Microsoft Defender Network protection category, select the checkbox next to Enforcement Level and close the Settings Picker window.
4. In the dropdown menu next to Enforcement Level, select Block and select Next.
5. Add Scope Tags as required and select Next.
6. Assign the policy to a user or device group and select Next.
7. Review the policy and select Create.

A user attempting to access the website will see the following:
(Screenshot: http://www.deepseek.com showing the error "This site can't be reached")

Conclusion

This blog serves as a quick guide for admins needing to block and remove specific applications on their Intune managed endpoints in regulated organizations.
Additional guidance for other mobile device enrollment methods can be found here: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices.

Additional resources

For further control and management of user access to unapproved DeepSeek services, consider the following resources. This article provides insights into monitoring and gaining visibility into DeepSeek usage within your organization using Microsoft Defender XDR. Additionally, our Microsoft Purview guide offers information on managing AI services and ensuring compliance with organizational policies. These resources can help enhance your security posture and ensure that only approved applications are accessible to users.

Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.

Microsoft Security Copilot in Intune deep dive - Part 3: Explore and act on your Intune data with AI
By: Ravi Ashok - Sr. Product Manager & Zineb Takafi - Product Manager | Microsoft Intune

Microsoft Security Copilot in Intune advances the way IT admins can accelerate their day-to-day endpoint management tasks by embedding generative AI capabilities directly into Intune workflows, transforming how IT teams plan, troubleshoot, and optimize device configurations. Now generally available, Copilot in Intune delivers insights by summarizing policies, analyzing update deployments, and assisting IT with uncovering root causes of endpoint issues based on the organization’s Intune data.

Today, we’re thrilled to introduce an AI-first experience in the Intune admin center that allows IT admins to explore and act on Intune data with the ease of natural language. As part of our ongoing commitment to help IT teams manage endpoints more effectively, this new experience provides a new way to find the data they need about their digital estate and initiate endpoint management tasks based on the results. With a library of queries and intelligent semantic search, admins can select natural language questions across key Intune domains, including devices, apps, policies, users, compliance, app configuration, and app protection, and refine the question with customizable parameters. Within the Intune admin center, IT admins can go from insights to direct action by adding devices or users to groups for streamlined endpoint management. This release marks a significant milestone towards simplifying endpoint management and accelerating day-to-day tasks by enabling iterative, natural language query refinement and actionable insights with generative AI assistance.

Explore Intune data across your workloads

The new Explorer experience with Copilot in Intune gives admins a consistent experience viewing details about their Intune resources.
Whether they’re navigating devices (including Windows 365 Cloud PCs, physical PCs, or mobile devices), apps, users, or policies, IT admins can ask custom questions in natural language about their Intune resource data. They can see and iterate on the results of those questions, and then complete management tasks in one streamlined workflow. Admins can click into individual objects in the results view and navigate to Intune resources such as a device details page as they complete their work. This journey in Intune applies to many workflows, including:

- Troubleshooting and fixing issues: identifying and acting on a specific set of devices, users, apps, or policies to resolve an issue.
- Creating custom reports: building custom data views to answer questions that today typically require exporting and joining reports.
- Day-to-day management tasks: as part of regular admin work, navigating Intune data to find specific resources and inspecting them to ensure things are configured correctly.

Demo

In today’s cyber threat landscape, maintaining device compliance is critical to minimizing security risks and ensuring operational continuity. In this demo scenario, the Explorer experience is used to identify and act on non-compliant devices in real time. To enforce compliance, an IT admin plans to mark Windows devices as noncompliant if they haven’t installed patches in the last three months. Given the variety of Windows versions, they want to understand the impact of excluding these devices. Using Copilot, they simply ask the question in natural language and get a list of impacted devices without manually filtering the versions for each operating system release. The functionality surfaces devices and apps that haven’t received critical patches and adds them to a remediation group. This streamlined workflow reduces time-to-action and supports proactive compliance enforcement at scale.
By integrating directly with Intune policies and device groups, this capability helps organizations close vulnerability gaps swiftly.

Demo: aka.ms/Intune/CopilotJuly2025-Demo

What’s next

The addition of the new Explorer experience marks a significant step forward in how organizations can harness Copilot to interact with their Intune data. By enabling IT admins to quickly surface insights, identify compliance gaps, and take action directly from query results, Copilot streamlines endpoint management workflows and improves operational agility. To learn more about setup and capabilities, be sure to read our documentation: Explore your Intune data with natural language.

We look forward to providing further updates as part of the Copilot in Intune blog series. Make sure to check out the previous blogs if you missed them: Microsoft Security Copilot in Intune deep dive – Part 1: Features available in public preview, and Microsoft Security Copilot in Intune - Pt. 2: Vulnerability Remediation Agent in limited preview. And to learn what a few of the Microsoft MVPs think about Copilot in Intune, get perspectives from Andrew Taylor here, Ugur Koc here, and Mattias Melkers here and here.

If you have any questions or want to share how you’re using Copilot in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.

Microsoft Security Copilot in Intune - Pt. 2: Vulnerability Remediation Agent in limited preview
By: Julia Idaewor - Product Manager 2 | Microsoft Intune

The threat landscape continues to evolve rapidly, with attackers constantly advancing their techniques to exploit zero-day vulnerabilities, leaving organizations at greater risk. In 2024, more than 40,000 vulnerabilities were disclosed, a 38% increase from 2023. For IT and security teams, evaluating the impact of thousands of vulnerabilities and deciding which to address first is a complex and resource-intensive task. It often involves manual analysis, siloed tools, and competing priorities.

Microsoft Intune is bringing the power of AI directly to IT teams with the introduction of Security Copilot agents. The new Vulnerability Remediation Agent for Security Copilot is now in limited public preview. The agent helps reduce the burden of managing an ever-growing list of vulnerabilities by using rich data from Microsoft Defender Vulnerability Management to detect and prioritize vulnerabilities across managed devices. It also delivers a Copilot-assisted impact analysis and step-by-step remediation guidance directly in the Intune admin center, along with a list of exposed devices that can be exported for follow-up, enabling faster, more confident action. As part of the upcoming enhanced AI experience in Intune, the agent exemplifies how Microsoft is embedding Copilot into its workflows, turning raw data into actionable insights and empowering security teams to stay ahead of evolving risks.

Getting started

You can get the Vulnerability Remediation Agent up and running in just a few steps. To set up the agent, navigate to Endpoint security in the Intune admin center, review the setup details and start the agent. The agent uses Microsoft Defender Vulnerability Management to surface a prioritized list of top vulnerabilities based on risk and impact.
The agent delivers these insights directly to the Intune admin center, giving admins clear visibility into the most critical threats across their device estate. The Vulnerability Remediation Agent dashboard in the Intune admin center provides a comprehensive view, including an Impact score for each suggestion, the number of exposed devices, remediation status, the last applied time for tracking actions, and an agent activity log for historical context. By removing silos between IT and security teams and surfacing vulnerability data and actionable insights directly in Intune, the agent helps increase transparency, streamline workflows, and boost operational efficiency.

The Vulnerability Remediation Agent provides IT pros with actionable insights from Microsoft Defender Vulnerability Management in the form of a prioritized list of suggestions. When admins open a suggestion, they can view a comprehensive, AI-assisted vulnerability impact analysis designed to give them the most critical insights needed to assess high-impact vulnerabilities and the actionable steps to take in Intune to resolve them. Each suggestion highlights the recommended action, the most critical vulnerabilities, the presence of active exploits, step-by-step remediation steps, affected systems, and organizational exposure. To streamline next steps, the agent also surfaces a list of exposed devices, which can be added to either new or existing Microsoft Entra device groups for remediation. After reviewing and completing the recommended steps, admins can select “Mark as applied” to update the status to “Applied”. This action serves as an attestation that remediation is now completed, providing teams with traceability.
The agent does not take any action on the devices, ensuring that full control remains with your IT team.

Demo

The Vulnerability Remediation Agent empowers IT teams to proactively strengthen their endpoint security posture. By surfacing prioritized insights and delivering clear, actionable guidance within Intune, the agent helps admins quickly assess and remediate high-impact vulnerabilities. From insight to action, it’s never been easier to stay ahead of threats while bridging the traditional gap between IT and security teams. With AI-driven support, organizations can enforce best practices, respond faster, and build resilient, future-ready endpoint security strategies.

The new Vulnerability Remediation Agent with Copilot in Intune transforms how IT teams manage vulnerabilities by connecting insights from Microsoft Defender directly to action in Intune. Instead of relying on manual escalations across teams, the agent continuously scans for vulnerabilities, prioritizes them based on risk, and recommends remediations aligned with Defender guidance. IT admins can review and approve these fixes directly within Intune, streamlining the path from detection to deployment. This reduces delays, increases control, and accelerates response, empowering teams to remediate confidently and efficiently.

What’s next

The launch of the Vulnerability Remediation Agent in preview lays the foundation for our ultimate vision: end-to-end automation of the entire vulnerability remediation lifecycle, dramatically reducing risk exposure and accelerating response times. By combining Copilot-assisted guidance with device ecosystem data, this agent represents a significant step forward in streamlining operational efficiency and transforming how organizations not only focus on high-impact vulnerabilities but also understand the right actions to take to protect their endpoints.
As we continue to innovate, our commitment is to empower organizations with the tools and insights they need to build resilient, future-ready security infrastructures. The Vulnerability Remediation Agent is currently in a limited public preview and available only to a select group of customers. To learn more about setup and capabilities, be sure to explore our documentation on the Vulnerability Remediation Agent.

We look forward to providing further updates as part of the Copilot in Intune blog series. Make sure to check out the previous blog if you missed it: Microsoft Security Copilot in Intune deep dive – Part 1: Features available in public preview.

If you have any questions or want to share how you’re using Copilot in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.

disable Multicast Name Resolution (LLMNR) with Intune
I'm looking for a way to disable Multicast Name Resolution (LLMNR) using Intune. I've checked the MDM Security baseline and all Device configuration policies, but was unable to find the setting. I would rather not use PowerShell to deploy a registry setting, but I do not know another option. Is there anyone who knows how to disable Multicast Name Resolution? Thanks in advance

Windows Defender tamper protection management in Microsoft Intune
This month we’ve released Windows Defender tamper protection management in Microsoft Intune! Tamper protection is a new setting available in the Windows Security app which adds additional protection against changes to key Windows Defender security features. Enabling this feature prevents others (including malicious apps) from changing or disabling important protection features such as:

- Real-time protection, which is the core antimalware scanning feature of Microsoft Defender ATP next gen protection and should rarely, if ever, be disabled
- Cloud-delivered protection, which uses our cloud-based detection and prevention services to block never-before-seen malware within seconds
- IOAV, which handles the detection of suspicious files from the Internet
- Behavior monitoring, which works with real-time protection to analyze and determine if active processes are behaving in a suspicious or malicious way and blocks them

The feature also prevents the deletion of security intelligence updates and the disabling of the entire antimalware solution.

Enterprise management of this feature via Intune requires an E5 license (such as those with a Microsoft Defender ATP license) and the device to be MDM enrolled into Intune. The feature is available on Windows 10 1903 Enterprise devices, and we’re looking at backporting the feature to down-level Windows clients later this year.

Before you can enable the setting, you need to connect Microsoft Defender ATP to Intune. To do this, browse to https://securitycenter.windows.com and visit Settings > Advanced features. Turn the Microsoft Intune connection on and press Save.

Next, browse to the Microsoft Intune console. To enable Windows Defender tamper protection, create an Endpoint Protection policy in Intune and enable the Tamper protection feature. Assign this policy to a user or device group, and tamper protection will be enabled. To disable the feature, change the setting to Disabled and deploy the policy to the target devices.
Note: Not configured will not change the state of a previously deployed configuration. To disable tamper protection, you must deploy a Disabled policy state.

For more information on the Windows Defender tamper protection feature, visit https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection

Matt Shadbolt
Senior Program Manager
Microsoft Intune

Can't install SentinelOne with license Key
Hello, I tried many times to install the security software SentinelOne with a Site Token via Intune (Win32 App) on our devices. Nothing works. I always get an app error. Does someone have a complete script for that problem? Thanks a lot. Kind Regards

GIA - Get Intune Assignments Application
Hello Everyone, Some time ago I was struggling to get all Intune Assignments for a specific Azure AD Group. This option does not exist in the console, and we need to run a lot of queries against MS Graph and/or use PowerShell to retrieve them. So, to help the community, I started to create PowerShell scripts to help query some of the Assignments but, still, I had a lot of scripts, each one to retrieve a specific type of item (like profiles, conditional access, apps, etc.). After a while I decided to develop a C# .NET application to facilitate the process. Today I want to share with all of you my GIA App (Get Intune Assignments). It's available on my GitHub page: https://github.com/sibranda/GetIntuneAssignments I hope this app can help you the same way it is helping me and my customers. Regards

Intune iOS Jailbreak false positives (Resolved)
Recently we have witnessed a few detections of jailbroken devices marked noncompliant by the compliance policy, but after the next check-in or compliance check the devices return to a compliant state. We have not had any detections for a long period and now got a few during a brief period, which is quite worrisome regardless of the reasons. There are only a few possibilities it could be related to:

1. The user has actually jailbroken their device (not the case for my users)
2. Intune has changed their detections with errors (did not spot relevant changes)
3. Apple has changed something in their latest OS update (not likely, as it is not widespread)
4. Some sort of malicious activity from advanced threat actors (highly unlikely)

There is no commonality between the devices either: there are various models of iPhone and iPad with different operating system versions, and the users are not even in the same network or region. There are also big problems with compliance reporting across various reports: the device Overview might show a status of Compliant, but looking under the Device compliance menu for a specific device it might report the device as Not Compliant, and that status is not just lingering for a brief time after check-in and violation clear; it has stayed like that for a while now. I have contacted Microsoft Support regarding this but no word just yet, so not sure if I am the only one or if it is some sort of blunder on the detection side. Any ideas?