Note
This article applies to Microsoft Intune features only. If you're looking for information on other features, then go to that specific documentation. For example, for Microsoft Teams devices, see Teams Rooms on Windows and Android.
The Intune U.S. government service description is an overview of the service offering in the Government Community Cloud (GCC) High and U.S. Department of Defense (DoD) environments.
This article lists the feature differences compared to the commercial offering of Microsoft Intune. To learn more about Intune for GCC customers, see EMS offers for US Government and Microsoft 365 interoperability.
Intune commercial and government instances
The Intune GCC High and DoD offerings are built on the Microsoft Azure Government Cloud. This cloud is designed to interoperate with Microsoft 365 GCC High and DoD environments.
Intune has two service instances:
- Commercial service: The commercial service is available to anyone with an Intune license and is used by most Intune customers.
- Government cloud: This service is also known as GCC High or DoD. This instance is a datacenter that's physically separate from the commercial instances. The datacenter is locked down and is only used by government customers who purchase the appropriate license.
These government instances are also known as IL4 and IL5, where IL refers to Impact Level.
In the government cloud, the Intune service instance is shared with GCC High and DoD tenants. This architecture is slightly different than other services, such as Microsoft 365 and Azure.
GCC is the same instance as Microsoft Intune in the commercial space. Other services, like Microsoft 365, have a separate GCC instance. Intune doesn't have a separate GCC instance.
So, when you see GCC in this Intune article, it refers to the commercial service. When you see GCC High or DoD, it refers to the government cloud.
GCC instances are commonly used by state and local government customers that require extra accreditation for the cloud services they use.
Enroll in government tenant
If your resources are in a commercial tenant and you want to move to the government cloud, the devices need to unenroll from the current tenant, and then re-enroll in the new tenant. There isn't a built-in way to migrate from the commercial service to the government cloud, and vice versa.
This process is similar to unenrolling from another mobile device management (MDM) service and enrolling in Intune. For more information, see Deployment guide: Setup or move to Microsoft Intune.
Administrators can get help locking down their Intune tenants using the Security Technical Implementation Guide (STIG). To get guidance from the cyber.mil website, see the STIGs Document Library (opens the public.cyber.mil website).
Compliance and certifications
Intune is Common Criteria certified and is on the National Information Assurance Partnership (NIAP) Product Compliance List (PCL). To see the certification materials, see NIAP - Product Details.
For information on the US Federal Risk and Authorization Management Program (FedRAMP) accreditation and Microsoft, see FedRAMP.
Supported Intune features in GCC High and DoD
The following features are available and supported in Microsoft GCC High and/or DoD clouds:
| Feature | Availability |
|---|---|
| Standard MDM features | You can use app policies, device configuration profiles, compliance policies, and more. |
| Mobile Threat Defense (MTD) | Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices with MTD vendors that also support the GCC High environment can be used. When you sign in to a GCC High tenant, you see the connectors that are available in these environments. |
| Microsoft Defender for Endpoint security settings management | On devices onboarded to Defender but not enrolled in Intune, you can use Intune endpoint security policies to manage Defender security settings. This support extends to the US Government Community Cloud (GCC), US Government Community High (GCC High), and Department of Defense (DoD) environments. For more information on this feature, see Defender for Endpoint security settings management. |
| Platform support | You can use the same operating systems: Android, Android Open Source Project (AOSP), iOS/iPadOS, Linux, macOS, and Windows.<br>- Android (AOSP): There are some device restrictions. For more information, see Supported operating systems and browsers in Intune - AOSP.<br>- Linux: Generally available (GA) in February 2024. |
| Windows Autopilot device preparation | Some features are available now, such as user-driven deployments, and some are still in the planning phase. For more information about Windows Autopilot solutions, see Compare Windows Autopilot device preparation and Windows Autopilot. To get started with Windows Autopilot device preparation, see Windows Autopilot Device Preparation overview. |
| Log Analytics | You can send Intune log data to Azure Storage, Event Hubs, or Log Analytics. For more information on this feature, see Send log data to storage, event hubs, or log analytics from Intune. |
| Microsoft Intune Plan 2 and Microsoft advanced capabilities | For more information on these plans, see Microsoft Intune advanced capabilities.<br>The following Plan 2 features support the GCC High and DoD environments:<br>- Microsoft Tunnel for Mobile Application Management<br>- Firmware-over-the-air update<br>- Specialty devices management<br>The following Microsoft Intune Suite features support the GCC High and DoD environments:<br>- Endpoint Privilege Management<br>- Advanced Analytics |
Intune features planned for GCC High and DoD
The following features are currently not available and aren't supported in GCC High and DoD clouds. Planning has started to support these features for GCC High and DoD environments. If ETAs are available, then they're listed.
| Feature | Feature documentation |
|---|---|
| Advanced capabilities | Cloud PKI (GCC High only) |
| | Enterprise Application Management (EAM) |
| | Remote Help |
| Autopatch and updates | Windows Autopatch |
| | Feature updates for Windows in Intune |
| | Quality updates for Windows in Intune |
| | Expedite updates for Windows in Intune |
| | Driver updates for Windows in Intune |
| | Delivery Optimization for Win32 Apps |
| BIOS and DFCI | BIOS configuration profiles for Windows in Intune |
| | Device Firmware Configuration Interface (DFCI) Management |
| Security Copilot | What is Microsoft Security Copilot? |
| Windows Device Health Attestation (DHA) | Device Health Attestation |
| Windows Autopilot device preparation | Customize out-of-box experience (OOBE) and rename devices during provisioning based on organizational structure |
| | Self-deploying and pre-provisioning mode |
| | More admin-specified configurations delivered before allowing desktop access |
| | Enhanced optional desktop onboarding experience inside the Windows Company Portal app |
| | The ability to associate a device with a tenant. Provisioning modes which require Windows Autopilot registration are not supported. |
Intune features not available in GCC High and DoD
The following features aren't available and there's currently no planning to support these features for GCC High and DoD environments: