Showing posts with label Microsoft Intune. Show all posts

Wednesday, 30 April 2025

What's new in Microsoft Intune: April 2025

Microsoft Intune's April 2025 release introduces several enhancements aimed at improving device management and security:

Custom Naming for Android Enterprise Devices - Administrators can now create custom naming templates during Android Enterprise device enrollment. This feature allows the inclusion of fixed text and device-specific variables (like serial numbers), promoting consistency and reducing post-enrollment renaming efforts.




Enhanced Controls for Apple Devices - Intune expands its Mobile Application Management (MAM) capabilities for unmanaged iOS devices. New Application Protection Policies (APP) now allow administrators to:
  • Block screen captures within the Apple Intelligence app.
  • Control access to AI-driven tools like Writing Tools and Genmojis.

These controls help balance user productivity with data security.

Tuesday, 29 April 2025

Microsoft Intune: Customization of app installs with Enterprise Application Management (Sep 2025 Rollout Update)

The script installer gives you more control and customization over Win32 app installations (including apps from the EAM catalog). You now have the option to use a PowerShell script in place of command-line configuration to install your app.



Tuesday, 8 April 2025

Troubleshooting Windows Feature updates in Microsoft Intune


Managing Windows feature updates through Microsoft Intune is crucial for maintaining device security and performance. However, administrators may encounter challenges during deployment. This guide outlines essential troubleshooting steps to address common issues with feature update policies in Intune.

Prerequisites for Feature Update Deployment

Before deploying feature updates, ensure the following prerequisites are met:

  • Licensing Requirements: Devices must have appropriate licenses that include access to the Windows Update for Business deployment service, such as:

    • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)

    • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)

    • Windows Virtual Desktop Access E3 or E5

    • Microsoft 365 Business Premium

    These licenses enable features like gradual rollout and optional feature updates.

  • Telemetry Configuration: Deploy a device restriction policy to all targeted devices, setting the "Share usage data" option to "Required." This ensures accurate reporting and telemetry.

  • Diagnostic Data Collection: Configure diagnostic data collection tenant-wide in the Intune admin center under Tenant administration > Connectors and tokens > Windows data. Proper configuration is vital for accurate feature update reporting.

  • Service Status:

    • Microsoft Account Sign-in Assistant: Ensure this service is not disabled; it should be set to "Manual" by default.

    • Connected User Experiences and Telemetry: Confirm this service is set to "Automatic" and is running.

  • Supported Windows Versions: Devices should be running supported editions such as Professional, Enterprise, or Education.

  • Network Connectivity: Verify that devices can access necessary Intune and Windows Update endpoints.

Configuring Update Rings with Feature Update Policies

When deploying update rings alongside feature update policies, consider the following:

  • Feature Update Deferral Period: Set this to '0' days to avoid delaying feature updates.

  • Upgrade to Latest Windows 11 Release: If enabled, eligible Windows 10 devices will upgrade to the latest Windows 11 feature update, potentially overriding specific feature update policies.

Common Troubleshooting Steps

If devices are not receiving or installing feature updates as expected:

  1. Policy Assignment Verification: Ensure that the feature update policy is correctly assigned to the intended device groups.

  2. Update Compliance Monitoring: Utilize Intune's reporting features to monitor update compliance and identify devices that are not updating.

  3. Windows Update Service Checks: Confirm that the Windows Update service is running and not disabled on the devices.

  4. Registry Configuration: Verify that registry settings align with the deployed policies.

  5. Safeguard Holds: Be aware of any safeguard holds that might prevent the update from being offered to certain devices due to known compatibility issues.

  6. Manual Update Attempts: Attempt to manually initiate the update on a device to determine if the issue is with policy deployment or the update process itself.

By systematically verifying prerequisites, configuring policies correctly, and utilizing Intune's monitoring tools, administrators can effectively troubleshoot and resolve issues related to Windows feature updates in Microsoft Intune.
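A local check of the prerequisites and troubleshooting points above, written as an added example (not code from the original post). Service names are the real Windows service names; the telemetry and safeguard-hold registry paths follow Microsoft's documentation but should be treated as assumptions to confirm on your build.

```powershell
# Prerequisite check for Windows feature updates. Run elevated on the affected device.
# Added example, not from the original post; registry paths are assumptions to verify.
$report = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $report.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# 1. Service status. wlidsvc must not be Disabled (Manual is the default); DiagTrack must be
#    Automatic and Running; wuauserv is trigger-started, so only "not Disabled" is required.
$svc = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
Add-Check 'Microsoft Account Sign-in Assistant' ($null -ne $svc -and $svc.StartType -ne 'Disabled') "$($svc.Status) / $($svc.StartType)"
$svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
Add-Check 'Connected User Experiences and Telemetry' ($null -ne $svc -and $svc.StartType -eq 'Automatic' -and $svc.Status -eq 'Running') "$($svc.Status) / $($svc.StartType)"
$svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
Add-Check 'Windows Update' ($null -ne $svc -and $svc.StartType -ne 'Disabled') "$($svc.Status) / $($svc.StartType)"

# 2. Telemetry level. "Share usage data = Required" arrives as AllowTelemetry >= 1
#    (1 = Required, 3 = Optional); the MDM-written value under PolicyManager is checked first.
$level = $null
foreach ($p in 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System',
               'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection') {
    $v = Get-ItemProperty -Path $p -Name AllowTelemetry -ErrorAction SilentlyContinue
    if ($v) { $level = [int]$v.AllowTelemetry; break }
}
Add-Check 'Telemetry (AllowTelemetry)' ($null -ne $level -and $level -ge 1) "value = $level"

# 3. Supported edition: Professional, Enterprise or Education.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Add-Check 'Windows edition' ($ver.EditionID -match '^(Professional|Enterprise|Education)') "$($ver.ProductName) ($($ver.EditionID)) build $($ver.CurrentBuild).$($ver.UBR)"

# 4. Safeguard holds. Windows records a GatedBlockId under the compatibility-indicator key
#    for each target version it is currently refusing to offer.
$holdRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators'
$holds = Get-ChildItem -Path $holdRoot -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.GatedBlockId -and $_.GatedBlockId -ne 'None' } |
    ForEach-Object { "$($_.PSChildName): $($_.GatedBlockId)" }
Add-Check 'No safeguard hold' (-not $holds) $(if ($holds) { $holds -join '; ' } else { 'none recorded' })

# Print the table and call out anything that failed.
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.OK } | ForEach-Object { Write-Warning "Failed: $($_.Check) ($($_.Detail))" }
```

Policy assignment and update compliance (steps 1 and 2) are checked from the Intune admin center, not from the device, so they are not covered here.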

The future of Mac device management is with Microsoft Intune

Managing Mac devices in the enterprise has traditionally been a complex task, often requiring multiple tools and platforms. However, Microsoft Intune is transforming this landscape by offering a unified, efficient, and secure solution for macOS management.

Key Advantages of Using Microsoft Intune for Mac Management:

  • Unified Device Management: Intune allows organizations to manage all devices—Windows, macOS, iOS, and Android—through a single platform, simplifying administration and ensuring consistent policies across different operating systems.

  • Enhanced Security and Compliance: With robust security features like encryption enforcement, password requirements, and remote wipe capabilities, Intune helps protect corporate data on Mac devices. Administrators can enforce compliance policies to ensure devices adhere to organizational standards.

  • Seamless Application Deployment: Intune simplifies the deployment and management of applications on Mac devices, supporting both DMG and PKG app package types. This ensures users have access to necessary software without complex procedures. 

  • Declarative Device Management (DDM): Intune supports Apple's DDM protocol, enhancing policy delivery performance and enabling more robust device compliance and app inventory capabilities.

  • Integration with Microsoft Ecosystem: Intune integrates seamlessly with Microsoft Entra ID (formerly Azure Active Directory) and other Microsoft services, providing a cohesive and secure environment for device management.

By leveraging Microsoft Intune, organizations can streamline their Mac management processes, enhance security, and provide a better experience for both IT administrators and end-users.

For a more in-depth look at how Intune is revolutionizing macOS management, check out this Microsoft Mechanics podcast:

Note: This post is inspired by insights from the Microsoft Tech Community blog on macOS management with Intune.

Thursday, 1 September 2022

Create Configuration Manager Collection based on Heartbeat DDR

We'll look at how to create a device collection that shows clients which haven't reported back to Configuration Manager in 14 days, based on the Heartbeat Discovery (DDR) agent date.

To find Configuration Manager clients whose last heartbeat DDR is older than 14 days, copy the query below into a new device collection. You can change the 14-day threshold to any number of days that suits your environment.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId not in (select ResourceID from SMS_R_System where AgentName in ("Heartbeat Discovery") and DATEDIFF(day,AgentTime,GetDate())<14)

Wednesday, 24 August 2022

Clear CCMCache remotely using the Configuration Manager Console & a PowerShell Script

Have you ever needed to remotely clean the ccmcache folder on a computer? This blog article will explain how:

Step 1 - Add following PowerShell script in Software Library > Scripts:

## Initialize the CCM resource manager COM object
[__comobject]$CCMComObject = New-Object -ComObject 'UIResource.UIResourceMgr'
## Get the cache elements to delete
$CacheInfo = $CCMComObject.GetCacheInfo().GetCacheElements()
## Remove each cache item by its CacheElementID
ForEach ($CacheItem in $CacheInfo) {
    $null = $CCMComObject.GetCacheInfo().DeleteCacheElement([string]$($CacheItem.CacheElementID))
}

Step 2 - In the Configuration Manager (SCCM/MECM) console, locate the computer. 
Step 3 - Click it with the right mouse button and select Run Script > Select the Script you added > Next. 
Step 4 - Wait for the process to complete, and monitor Script Status Monitoring for output.

Friday, 5 August 2022

Feature Update to Windows 10 Version 21H2 x64-based systems 2021-11 via Enablement Package

Here are the download links for the update mentioned in the title.

System requirements from Microsoft:

KB5003791: Update to Windows 10, version 21H2 by using an enablement package

Windows Build number: 19041/19042/19043.1237 or higher.

Download the package and install it with a double click on the file.

x64: http://b1.download.windowsupdate.com/d/upgr/2021/11/windows10.0-kb5003791-x64_14e7547b08f1b29cae6e41c9f7da5f1347d9955c.msu

Name: windows10.0-kb5003791-x64_14e7547b08f1b29cae6e41c9f7da5f1347d9955c.msu
Size: 168099 bytes (164 KiB)
CRC32: A83F3B3A
CRC64: 72F8B925467B2CD8
SHA256: A51288BDE7C8228C3244FEA5AA7BC7DB1A014E48EAAF7DC1DC04A16A2E45C0DF
SHA1: 14E7547B08F1B29CAE6E41C9F7DA5F1347D9955C
BLAKE2sp: 85D747995B03CEC0A18D2E23649FE05C7D2D64D277ECC0FFE7AC0A00117A3DE5

x86: http://b1.download.windowsupdate.com/d/upgr/2021/11/windows10.0-kb5003791-x86_ac1fc53b104c6ce0ffa50b70af754b81e56829ce.msu

Name: windows10.0-kb5003791-x86_ac1fc53b104c6ce0ffa50b70af754b81e56829ce.msu
Size: 168642 bytes (164 KiB)
CRC32: F0C57E17
CRC64: 304DC7C229403463
SHA256: 4C7F1F715FC335AA046E4BF6667B69B6B0512426F03792BBCA3262B486D128CE
SHA1: AC1FC53B104C6CE0FFA50B70AF754B81E56829CE
BLAKE2sp: 84A45BC25ABE3C9271F6FDD89DFE79CEA0D886D81E88E845AF5CE52F347063AD

arm64: http://b1.download.windowsupdate.com/d/upgr/2021/11/windows10.0-kb5003791-arm64_047071577e1aa33883b851a8b2c749b1e723e369.msu

Name: windows10.0-kb5003791-arm64_047071577e1aa33883b851a8b2c749b1e723e369.msu
Size: 168718 bytes (164 KiB)
CRC32: 85C4ACF6
CRC64: 1050BF8A799234A2
SHA256: 79689953E8B3E542B08C788E760BD9BDFBBCB3AF7D9E29ECEB9AC3FDBDF1DA79
SHA1: 047071577E1AA33883B851A8B2C749B1E723E369
BLAKE2sp: B5192D05461BEBAA91B2482ADEAA12727B4FB63A22FBFABD069FBACD9D4F292E
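A script that checks the build prerequisite, downloads the package from the link above and verifies it against the published SHA256 (and the SHA1 embedded in the file name) and its Authenticode signature before running wusa.exe, written as an added example (not code from the original post). The hashes and URLs are the ones listed above; the download folder and the $Architecture choice are assumptions.

```powershell
# Verify and install the 21H2 enablement package. Added example, not from the post;
# hashes/URLs are transcribed from the listing above. Run elevated.
$Expected = @{
    x64   = @{ File = 'windows10.0-kb5003791-x64_14e7547b08f1b29cae6e41c9f7da5f1347d9955c.msu'
               Sha256 = 'A51288BDE7C8228C3244FEA5AA7BC7DB1A014E48EAAF7DC1DC04A16A2E45C0DF' }
    x86   = @{ File = 'windows10.0-kb5003791-x86_ac1fc53b104c6ce0ffa50b70af754b81e56829ce.msu'
               Sha256 = '4C7F1F715FC335AA046E4BF6667B69B6B0512426F03792BBCA3262B486D128CE' }
    arm64 = @{ File = 'windows10.0-kb5003791-arm64_047071577e1aa33883b851a8b2c749b1e723e369.msu'
               Sha256 = '79689953E8B3E542B08C788E760BD9BDFBBCB3AF7D9E29ECEB9AC3FDBDF1DA79' }
}
$Architecture = 'x64'                                   # or 'x86' / 'arm64' (assumption)
$Pkg  = $Expected[$Architecture]
$Url  = "http://b1.download.windowsupdate.com/d/upgr/2021/11/$($Pkg.File)"
$Path = Join-Path $env:TEMP $Pkg.File                   # download folder is an assumption

# 1. Build prerequisite from the post: 19041/19042/19043 with UBR 1237 or higher.
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$ver.CurrentBuild; $ubr = [int]$ver.UBR
if ($build -ge 19044) { "Already on build $build.$ubr; nothing to do."; return }
if ($build -lt 19041 -or $ubr -lt 1237) { throw "Build $build.$ubr does not meet the 19041/19042/19043.1237 prerequisite." }

# 2. Download from the published link.
Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing

# 3. Integrity: SHA256 must equal the published value, and the SHA1 embedded in the file
#    name must equal the file's actual SHA1. Delete the file on any mismatch.
$sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($sha256 -ne $Pkg.Sha256) { Remove-Item $Path; throw "SHA256 mismatch: got $sha256" }
$sha1     = (Get-FileHash -Path $Path -Algorithm SHA1).Hash
$nameSha1 = ([IO.Path]::GetFileNameWithoutExtension($Pkg.File) -split '_')[-1].ToUpper()
if ($sha1 -ne $nameSha1) { Remove-Item $Path; throw "SHA1 $sha1 does not match the file name ($nameSha1)" }

# 4. Authenticode: the MSU must carry a valid Microsoft signature.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Remove-Item $Path; throw "Signature check failed: $($sig.Status) / $($sig.SignerCertificate.Subject)"
}

# 5. Install silently; wusa.exe returns 3010 when a restart is pending.
$proc = Start-Process -FilePath wusa.exe -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
switch ($proc.ExitCode) {
    0       { 'Installed.' }
    3010    { 'Installed; restart required to finish.' }
    2359302 { 'Already installed.' }   # WU_S_ALREADY_INSTALLED (0x240006)
    default { throw "wusa.exe exited with $($proc.ExitCode)" }
}
```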

Introducing the next feature update to Windows 10: 21H2 | Windows Experience Blog


More information can be found in the following post:

https://www.reddit.com/r/Windows10/comments/qvenhp/windows_10_21h2_19044_launch_megathread/

Rev. 3 - Link to megathread added.

Tuesday, 28 June 2022

Register a Service Principal Name (SPN) for MBAM Web Application

While building the MBAM infrastructure, during the MBAM web server setup I got the following warnings/errors in the MBAM web and setup event logs:

MBAM Event logs:
 
Log Name: Microsoft-Windows-MBAM-Setup/Admin
Task Category: WebProviderWarning
Event ID: 502
Keywords: Configurator,Cmdlet,WebApplication
Web application provider warning.
Description:
Cannot register the Service Principal Name (SPN) "HTTP/MBAMWEB.pj360i.co.uk" on the AppPool account "pj360i\MBAMAppPool". You may not have the required permissions to create the SPN. The SPN must be created for MBAM to function properly. Configure the SPN manually. http://go.microsoft.com/fwlink/?LinkId=390155
Could not set Service Principal Name (SPN) "HTTP/MBAMWEB.pj360i.co.uk". Error 0x21C7.
Could not set Service Principal Name (SPN) "HTTP/recoverykey.pj360i.co.uk". Error 0x2098.

Log Name: Microsoft-Windows-MBAM-Web/Admin
Task Category: WebAppSpnError
Event ID: 1
Keywords: Spn,WebApplication
Application: Microsoft BitLocker Administration and Monitoring/ServiceDesk is missing the following Service Principal Names (SPNs): http/HTTP/MBAMWEB.pj360i.co.uk
Application: Microsoft BitLocker Administration and Monitoring/SelfService is missing the following Service Principal Names (SPNs):
http/HTTP/MBAMWEB.pj360i.co.uk
Register the required SPNs on the account: MBAMAppPool.
For more information go to: http://go.microsoft.com/fwlink/?LinkId=526511

Register a Service Principal Name (SPN) for MBAM Web Application

When using the setspn command to add SPNs, the SPN must be specified correctly. The format of an HTTP SPN is http/host. The following is the command syntax for using the SetSPN tool to create an SPN for the service/server:

Syntax: Setspn -s http/<computer-name>.<domain-name> <domain-user-account>

Steps to register SPN:

1. Log in as domain administrator to the domain controller.
2. Launch the Command Prompt window.
3. Copy the following command, substituting placeholder values with actual data:
        Setspn -s http/<computer-name>.<domain-name> <domain-user-account>

    In my case: Setspn -s http/MBAMWEB.pj360i.co.uk pj360i\MBAMAppPool
4. Execute the command.
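The same registration with a duplicate check before and a verification after, written as an added example (not code from the original post). The SPN and account values are the ones from the event logs above; setspn.exe -L, -Q and -S are its real switches. Run as a domain administrator, or as an account with Validated write to SPN rights on the target account.

```powershell
# Register the MBAM SPNs safely. Added example, not from the post.
$Account = 'pj360i\MBAMAppPool'
$Spns    = 'http/MBAMWEB.pj360i.co.uk', 'http/recoverykey.pj360i.co.uk'   # from the MBAM event logs above

function Register-SpnChecked([string]$Spn, [string]$Account) {
    # Already present on the intended account? (-L lists that account's SPNs)
    if ((setspn -L $Account 2>&1) -match [regex]::Escape($Spn)) { return "$Spn already on $Account" }

    # -Q searches the whole forest: the same SPN on another account breaks Kerberos for this site.
    $found = setspn -Q $Spn 2>&1
    if ($found -match 'Existing SPN found') {
        throw "$Spn is registered on another account, fix that first:`n$($found -join "`n")"
    }

    # -S adds the SPN only if no duplicate exists (the older -A switch does not check).
    $out = setspn -S $Spn $Account 2>&1
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed (exit $LASTEXITCODE):`n$($out -join "`n")" }

    # Confirm the account now lists it.
    if (-not ((setspn -L $Account 2>&1) -match [regex]::Escape($Spn))) {
        throw "$Spn not listed on $Account after registration"
    }
    "Registered $Spn on $Account"
}

foreach ($spn in $Spns) { Register-SpnChecked -Spn $spn -Account $Account }
```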

Tuesday, 21 June 2022

Managed Apple IDs: This Apple ID cannot be used to make purchases

Managed Apple IDs cannot be used to download apps; instead, Device-Based Assignment must be used.

Managed Apple IDs are not permitted to be used in any commercial transaction. This implies that IAPs, storage or service purchases, as well as app purchases, are no longer available. Apps may be distributed via Device Based Assignment. To compensate for the inability to purchase more, Apple has increased iCloud storage restrictions. There is presently no workaround for IAPs; you will need to contact the app creator for alternatives. To deal with this scenario, several apps provide a full-featured version.

Monday, 20 June 2022

Migrating ADE iOS Devices to Intune

The following article helps IT Pros and mobile device administrators understand some of the finer details regarding iOS device migration from an existing MDM platform to Intune when using Apple’s Automated Device Enrolment program (ADE), formerly known as the Device Enrolment Program (DEP). We receive a lot of questions on how best to approach the issue of factory resets and how to handle the Apple Business Manager (ABM) side of things. We hope this article helps with some of the decisions you will face when deciding the best path forward for your organization.

 

As you migrate your mobile device management to Microsoft Intune, arguably one of the most important parts of the transition will be the impact to your users. Before considering how you will migrate your devices to Intune, it is important to understand your device landscape and how your employees are using their devices. This information will largely drive your migration path.

 

Based on our experience working with customers, the following are the most common points that will help you decide how you will migrate, and what the user experience will be during the migration:

  • You currently have iOS Apple Business Manager devices enrolled in another MDM platform.
    • In this scenario, the devices will need to be moved to a new (Intune) MDM server in Apple Business Manager to be able to pick up an Intune ADE profile.

    • Devices must be factory reset to properly enrol in Intune and remain in a fully supported state with Microsoft and Apple.

  • Users store personal data on these devices.
    • Devices with personal data on them will need to be backed up by the user to their iCloud account if they wish to retain it; however, this does require you to back up corporate data to a consumer cloud service that is not controlled by your organization.

    • Devices must be unenrolled from the current MDM platform before the final backup is taken.

    • If users decide to use the restore option in the Apple Setup Assistant, once the restore is complete they will have to visit the App Store to install the Intune Company Portal.

  • Users back up the device to personal iCloud.
    • Backing up a device while it is still enrolled in your current MDM will mean the management profile will also be backed up, and, subsequently, re-applied to the device at the point of restore.
  • You are/are not willing to factory reset the devices.
    • The only supported way to enrol an ADE device is from the out-of-box experience, which requires a factory reset of the device. While it is technically possible to unenroll from one MDM platform and enrol into Intune manually via the App Store version of Company Portal, this is not recommended for several reasons:
      • It is not possible to “lock” a management profile to a device enrolled in this manner (however, the device does retain its “supervised” state).

      • The device will not show as being enrolled against an ADE profile in Intune, which means any configuration applied based on that logic will not be applied to the device.

      • Devices will not get automatically marked as “Corporate”.

 

NOTE: If you ever need to re-enrol your ADE device, you must first add the IMEI number of that device as a corporate identifier. You might need to re-enrol your ADE device if you are troubleshooting an issue, like the device not receiving policy. In this case, you would:

  1. Retire the device from the Intune console.
  2. Add the device's serial number as a corporate device identifier.
  3. Re-enrol the device by downloading the Company Portal and going through device enrolment.

Failing to do this will mean the device will be marked as “Personal” and not “Corporate”.

 

Now let us look at an example scenario that we commonly see when working with our customers.

 

Example iOS scenario

Contoso has iOS ADE devices currently enrolled in an MDM platform. They allow their staff to use their personal Apple IDs on their devices and store personal data on them. Most of their users do this, and back-up their content to iCloud. Staff understand that devices may, from time to time, need to be factory reset and may be wiped if lost or stolen. Contoso IT wants the migration to Intune to be done as quickly as possible, so they are only managing two MDM platforms for a short time. They want minimal IT interaction when it comes to users enrolling their devices. Contoso has users in regions where ADE is not supported by Apple.

 

In this example, the migration flow for ADE devices could look like this:

  1. IT Pro Action: In Apple Business Manager, move the user’s device to the new Intune MDM Server and sync devices in Intune.
  2. IT Pro Action: Unenroll the device from the current MDM.
  3. User Action: Backup the device to iCloud.
  4. User Action: Factory reset the device.
  5. User Action: Enrol device through ADE flow (do not select restore option as this will break the enrolment flow).
  6. User Action: Once enrolled, add Apple ID and let the data resync to the device.

 

This procedure ensures that the data on the device is backed up without the old management profile and the device has been enrolled correctly with the new Intune-based ADE profile. Many of our customers add the user to a Conditional Access group after step #3, which blocks access to corporate resources until the user enrols and their device is compliant.

 

In the same example, the migration flow for non-ADE devices would look like this:

  1. IT Pro Action: Unenroll the device from the current MDM.

  2. User Action: Backup the device to iCloud.

  3. User Action: Download Company Portal from the App Store.

  4. User Action: Enrol device through Company Portal app.

  5. User Action: Once enrolled, add Apple ID and restore any required data.

 

NOTE: The Intune service synchronizes with Apple at the following frequencies*:

*It is possible to run a manual synchronization, or use a synchronization script to increase the frequency, which can be found here (ADE) and here (VPP).

 

Conclusion

As you can see from the examples, the migration path will largely be determined by the way the devices are being used by your employees, so it is important to do some analysis before deciding the best path forward for your organization.

 

More info and feedback

For further resources on this subject, please see the links below.

 

Supported operating systems and browsers in Intune

Automatically enroll iOS/iPadOS devices with Apple's Automated Device Enrolment

Enroll iOS/iPadOS devices in Intune

Backup and restore scenarios for iOS/iPadOS

Troubleshoot iOS/iPadOS device enrolment problems in Microsoft Intune

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community Page, or leave a comment below.

 

Follow @MSIntune and @IntuneSuppTeam on Twitter.

Tuesday, 8 February 2022

Microsoft Intune Policy Refresh Intervals

What are the policy refresh intervals for the various device platforms in Microsoft Intune?

  1. iOS - Every 8hrs
  2. Android - Every 8hrs
  3. Windows Phone - Every 8hrs
  4. Windows PCs - Every 24hrs

In addition to the above-mentioned policy update intervals, if the device was recently enrolled in Microsoft Intune, there are a few other intervals worth mentioning:

  1. iOS - Every 15 minutes for 6 hours and then every 6 hours
  2. Android - Every 3 minutes for 15 minutes then every 15 minutes for 2 hours, and then every 8 hours
  3. Windows Phone - Every 5 minutes for 15 minutes then every 15 minutes for 2 hours, and then every 8 hours
  4. Windows PCs enrolled as devices - Every 3 minutes for 30 minutes, and then every 24 hours

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned
