1. Home
  2. NHSmail Intune
  3. Whats New?
  4. NHSmail Intune Service | What’s New?

NHSmail Intune Service | What’s New?

This article provides an overview of new features which have been added to NHSmail Intune recently in order to enhance user experience and / or the security of the platform. This article will be updated periodically as and when additional new features are added.

Microsoft Tunnel


Microsoft Tunnel is a VPN gateway solution for Microsoft Intune that runs in a container on Linux and allows access to on-premises resources from iOS/iPadOS and Android Enterprise devices using modern authentication and Conditional Access.


  • An Azure subscription.
  • An Intune subscription e.g. EMS E3/E5
  • A Linux server that runs containers. This server can be on-premises or in the cloud:
    • Podman (RHEL)
    • Docker (Ubuntu/Debian)

Please note the following Linux distributions and corresponding container engines are supported:

Linux Distribution  Container Engine 
CentOS 7.4+(CentOS 8+ isn’t supported)  Docker-CE
Red Hat (RHEL) 7.4+ thru RHEL 8.3  Docker-CE
Red Hat (RHEL) 8.4+  Podman v3.0 minimum supported version
Ubuntu 18.04  Docker-CE
Ubuntu 20.04  Docker-CE

NOTE: RedHat does not supply support for Docker-CE. Docker community support is available for Docker-CE.

  • A Transport Layer Security (TLS) certificate for the Linux server to secure connections from devices to the Tunnel Gateway server.
  • Public DNS for the Linux instance that supports the on-premises tunnel
  • Devices that run Android or iOS/iPadOS.
  • To complete the Microsoft Tunnel configuration, organisations should raise a Service Request with the Intune Live Support Team only when Linux OnPremises Tunnel prerequisites are met.

More details on Microsoft Tunnel pre-requisites and configuration can be found here.

For more information and guidance on how you can use this feature, please take a look at the Ops Guide here.

Scoped Group Policy Analytics


Group Policy Analytics is a tool that shows which settings are supported in Intune. The tool helps to identify the deprecated GPO settings or GPO settings that are not available. It also provides options to migrate GPOs to Intune Settings Catalog policy. This works only for policies applicable to Windows 10/11 devices.

If your organisation uses on-premises GPOs to manage Windows 10/11 devices, then Group Policy Analytics is a good option to use.

Group Policy Analytics can be scoped now which presents a good option to allow organisations to manage their own GPOs analytics settings in the Intune NHSmail Tenant.

If you’re ready to remove the dependencies with on-premises AD, then analyzing your GPOs with Group Policy analytics is a good first step.

Note: It is not recommended to import all the Group policies from on-premises Active Directory to Intune. It is possible some settings don’t apply to cloud-based policy management or don’t apply to cloud native endpoints. Intune Local Admininstrators should assess each GPO’s requirement, then migrate it to Intune. 


  • Intune Admin access to Intune NHSMail
  • GPOs exported from their Domain Controllers and saved as XML file type.
  • The maximum size allowed for a single GPO XML file is 4 MB. The import will fail if a single GPO is larger than 4 MB. Also, the GPO file must be Unicode-encoded.

For more information and guidance on how you can use this feature, please take a look at the Ops Guide here.

 Autopilot Manufacturer Provisioning:


Autopilot Manufacturer Provisioning is now available to organisations on the Intune platform, that use Dell and Insight devices.
This means that organisations can import new devices that have been procured from the OEM (original equipment manufacturer).

Desktops and Laptops can be provisioned for:

  • Microsoft Surface
  • HP
  • DELL
  • ACER

Note: In up-coming releases, further vendors/manufacturers will become supported by the Autopilot provisioning process.
To request a new OEM/VAR vendor to be added to support your organisation, please raise a service request to the NHSmail Intune team.

Key Changes for organisations 

Autopilot Pre-Provisioning, formerly known as ‘white glove’, is a process that helps organisations provision devices by using a custom preinstalled OEM Image. The provisioning process is split between the OEM and the end user. The end user completes a few necessary settings and policies and can begin using their device. The time-consuming tasks can be actioned by IT, partners, or OEMs.

From the Local Admin perspective, the only interaction required from the end user is to connect to a network and verify their credentials. Everything beyond that is automated.
From the user’s perspective, it only takes a few simple operations to make their device ready for use.

What is the process for pre-provisioning a device?

When you purchase devices from an OEM, that OEM can automatically register the devices with the Windows Autopilot. Reference information to provide to your OEM for Autopilot registration, can be found here

Device Requirements:
  1. The Device Hardware OEM or VAR must be registered on the NHSmail Intune tenant. Please check with the NHSmail Intune team to validate that your manufacturer or VAR is supported.
  2. A supported version of Windows 11 or Windows 10 semi-annual channel is required to use Windows Autopilot.


Azure-AD Join deployment profiles are supported (Hybrid Join via Autopilot is not supported on the NHSmail Intune instance).

Note: Existing devices can also quickly prepare a new user with Windows Autopilot Reset. The Reset capability is also useful in break/fix scenarios to bring a device back to a readiness state quickly.
Supporting guidance is available in the NHSmail Intune LA Operations Guide, here.

Google zero-touch



Zero-touch enrolment is a streamlined process for Android devices to be provisioned for enterprise management. On the first boot, devices check to see if they’ve been assigned an enterprise configuration. If so, the device starts the fully managed device provisioning method and downloads the correct device policy controller app, which then completes the setup of the managed device.

Google zero-touch is supported in Intune for corporate-owned, fully managed user devices and corporate-owned dedicated devices.


To use zero-touch enrolment, the following requirements must be met:

  • A device running Android Pie (9.0) or later, a compatible device running Android Oreo (8.0), or a Pixel phone with Android Nougat (7.0) purchase from a reseller partner.
  • A zero-touch account created by an authorized zero-touch reseller partner
Important Note:

Devices eligible for zero-touch enrolment need to be purchased directly from an enterprise reseller or Google partner and not through a consumer store.

What if my device reseller is not an authorised zero-touch reseller?

You can request your device reseller to register for the Android Enterprise Partner Program where they can then apply to become a zero-touch reseller.

Take a look at the LA ops guide for more details on Google zero-touch, here.

Last Reviewed Date 27/07/2023
Updated on 27/07/2023
Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top