This article is contributed. See the original author and article here.

As spring turns to summer, and sprouts appear in my garden, I think about all the preparation I’ve made for their environment—turning the soil, setting up the watering system, adding peat moss—and know that the yield will be greater and the harvest better. Such is the case with Microsoft Intune. As we continue to enhance the capabilities, each one an investment, the cumulative result is a richer and more robust management experience. Below, we highlight some of the newest features.


New troubleshooting tool for mobile devices


Part of diagnosing an issue is not only defining what is wrong but also what is not wrong. Our customers asked for a simple way to temporarily remove apps and configurations from a device managed in Microsoft Intune as part of the troubleshooting process. The result is a feature we call Remove apps and configuration (RAC). Before RAC, removing settings involved excluding devices from policy assignments or removing users from groups, and then waiting for devices to check in. After diagnosing the device, those assignments and group memberships would need to be restored one by one. Now, RAC affords a set of useful troubleshooting steps:



  • Real-time monitoring of which policies and apps are removed/restored

  • Selective restore of individual apps and policies

  • Temporary removal of apps and policies with an automated restore in 8 to 24 hours

  • Policy assignments and group membership remain unchanged


This initial release will be distributed in early July. It will support iOS/iPadOS and Android corporate-owned devices, and it will be available to GCC, GCC High, and DoD environments on release. For more information on this tool, follow the update on the Microsoft 365 roadmap.


Windows enrollment attestation preview is here


Last month we talked about device attestation capabilities coming to Intune. This month, the public preview of Windows enrollment attestation is starting to roll out with the new reporting and Device Attest action.


This feature builds on attestation by applying it to enrollment. Applicable Windows devices have their enrollment credentials stored in the device hardware, in this case Trusted Platform Module (TPM) 2.0, and Intune can then attest to this storage—meaning that the device enrolled securely. Successful devices show as Completed in the report. Devices that are Not Started or Failed can be retried using the new Device Attest at the top of the report. This will be available in public preview by the end of June.


Screenshot of the preview of the device attestation status report in the Intune admin center listing the name, ID, and primary UPN of a device that failed device attestation.Screenshot of the preview of the device attestation status report in the Intune admin center listing the name, ID, and primary UPN of a device that failed device attestation.


Stay up to date on the release of this capability to the public Microsoft 365 roadmap.


More granular endpoint security access controls


Role-based access control (RBAC) enhances organizations’ ability to configure access to specific workloads while maintaining a robust security posture. Our customers asked for even more granular controls to help scope security work across geographic areas, business units, or different teams to only relevant information and features. In this latest release, we are adding specific permission sets to enable more flexibility in creating custom roles for:



  • Endpoint detection and response

  • Application control

  • Attack surface reduction


We plan to have new permission sets for all endpoint security workloads in the future.


We know that many of our customers use a custom role with Security baselines permission to manage security workloads, so we are automatically adding the new permissions to this role. This way, no permissions will be lost for existing users. For new custom roles that are granted Security baselines permission, these will not include the new permissions by default but rather only those without specific permission sets.


This update also applies to customers using the Microsoft Defender console to manage security policies, and it is available in GCC, GCC High, and DoD environments. Read more about granular RBAC permissions.


So much of what we do is a direct result of customer feedback. Please join our community, visit the Microsoft Feedback portal, or leave a comment on this post. We value all your input, so please share it, especially after working with these exciting new capabilities.




Stay up to date! Bookmark the Microsoft Intune Blog and follow us @MSIntune on X and on LinkedIn to continue the conversation.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.