Microsoft Intune Blog

Fortify your security posture with Microsoft Intune and Windows

LiMiller, Microsoft
Mar 24, 2025

Ensuring comprehensive endpoint management and security is crucial for safeguarding company data and achieving a Zero Trust security posture. Microsoft Intune and Windows continue to lead this effort by helping IT shift from reactive responses to a proactive approach that delivers strategic impact by embracing cloud and AI securely and efficiently.

Today we are sharing the latest updates to the Microsoft Intune Suite specifically designed to enhance the security of Windows endpoints, with multilayered security built into every component of the stack. Intune is expanding the capabilities of Microsoft Intune Endpoint Privilege Management (EPM), Microsoft Intune Enterprise Application Management, and Microsoft Intune Remote Help to exceed the highest standards for endpoint security and to address the challenges organizations face in protecting users, devices, and data from modern, sophisticated threats.

In line with the intent of the Windows Resiliency Initiative, Intune enhancements streamline security processes, making them easier to deploy and helping to ensure that protective measures are consistently applied without disrupting daily operations. Together, Intune, Windows, and the Microsoft 365 integration across our security portfolio enhance team coordination, response times, and the prompt implementation of corrective measures when facing threats. These advancements promote more efficient management, preemptive measures, and monitoring that fortify a security posture.

Reduce risk with control for more scenarios, apps, and devices with the Intune Suite

The Microsoft Intune Suite includes security solutions that are both robust and seamless, reducing administrative overhead while strengthening security measures across the board. By providing enhanced capabilities across more devices, supporting an increasing range of scenarios, and ensuring that applications remain up to date, these new capabilities enable organizations to keep their digital estates secure while minimizing disruptions to business operations.

Increased granular control in EPM improves security and productivity

Endpoint Privilege Management helps IT realize the Zero Trust principle of least privilege by enabling the removal of local administrator privileges while allowing users to elevate only what they need to stay productive. We are announcing the plan to offer more granular control over the rules that define what a user can elevate. One control rolling out soon lets IT admins create more precise rules that specify a list of allowable command parameters, so that elevation succeeds only for the allowed arguments. When an elevation rule defines one or more file arguments, EPM allows that file to run in an elevated request only if the arguments used are in the allow list, and administrators can deny elevation of the file when a command-line argument is used that the elevation rule does not define. Using file arguments in your file elevation rules helps refine how, and for what intent, different files are run in an elevated context by EPM.

As a follow-on to argument control, EPM is adding the ability to specify deny rules in the coming months. Based on customer feedback, Intune will release the ability to specify files that should be blocked for elevation regardless of the default elevation behavior policy. If a user tries to elevate a file that matches one of these deny rules, the elevation is blocked and the attempt appears in the EPM elevation reports.

The EPM page in the Intune admin center will soon be redesigned, adding new reports and visual dashboard elements to give IT teams better insight into elevations in their environment, including trends in elevations over time and top unmanaged elevations.
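To make the decision order concrete, here is an added illustrative model of how argument allow lists, deny rules, and the default elevation behavior combine; it is example code written for this post, not Intune's EPM implementation or schema. The file names, the rule field names, the case-insensitive file matching, and the choice to require every supplied argument to be in the allow list are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of EPM-style elevation rules; field names are assumptions, not Intune's schema.

@dataclass(frozen=True)
class FileRule:
    file_name: str                            # e.g. "vendorupdater.exe" (hypothetical)
    allowed_args: Optional[frozenset] = None  # None = this rule has no argument control

@dataclass(frozen=True)
class Policy:
    rules: tuple                    # FileRule entries
    deny_files: frozenset           # blocked for elevation regardless of default behavior
    default_behavior: str = "deny"  # assumption: outcome when no rule matches

def evaluate(policy: Policy, file_name: str, args: list) -> tuple:
    """Return (decision, reason). Deny rules win, then file rules, then the default."""
    name = file_name.lower()  # assumption: Windows file names compare case-insensitively
    if name in {f.lower() for f in policy.deny_files}:
        return "deny", "file matches a deny rule"
    for rule in policy.rules:
        if rule.file_name.lower() != name:
            continue
        if rule.allowed_args is None:
            return "allow", "file rule without argument control"
        bad = [a for a in args if a not in rule.allowed_args]
        if bad:
            return "deny", f"argument(s) not in allow list: {bad}"
        return "allow", "all arguments are in the allow list"
    return policy.default_behavior, "no matching rule; default elevation behavior applies"

# Constructed sample policy and elevation requests (not from a real tenant).
SAMPLE_POLICY = Policy(
    rules=(FileRule("vendorupdater.exe", frozenset({"--update", "--verbose"})),
           FileRule("printerdiag.exe")),
    deny_files=frozenset({"regedit.exe"}),
)
SAMPLE_REQUESTS = [
    ("VendorUpdater.exe", ["--update"]),     # allowed argument -> allow
    ("vendorupdater.exe", ["--uninstall"]),  # argument outside allow list -> deny
    ("printerdiag.exe", ["--fix"]),          # rule without argument control -> allow
    ("regedit.exe", []),                     # deny rule -> deny, regardless of default
    ("unknown.exe", []),                     # no rule -> default behavior
]

def elevation_report(policy: Policy, requests: list) -> dict:
    """Count outcomes per decision, the kind of summary the EPM elevation reports surface."""
    counts = {"allow": 0, "deny": 0, "default": 0}
    for f, a in requests:
        counts[evaluate(policy, f, a)[0]] += 1
    return counts

if __name__ == "__main__":
    for f, a in SAMPLE_REQUESTS:
        print(f, a, *evaluate(SAMPLE_POLICY, f, a))
    print(elevation_report(SAMPLE_POLICY, SAMPLE_REQUESTS))
```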

Additionally, EPM now offers expanded support for Windows running on Arm-based PCs, including Windows 11 Copilot+ PCs, as announced at Microsoft Ignite 2024. IT teams can assign EPM policy to these devices like any other Windows PC, and they can use filters for granular targeting. Be sure to watch our most recent technical deep dive into EPM to learn more about these and other top tips to move from admin to standard Windows users.

Expanded app deployment and Arm64 support for easy app management

Intune recently updated Enterprise Application Management to include guided update supersedence, which simplifies how administrators ensure apps stay up to date and compliant. This reduces the complexity of app lifecycle management and minimizes manual intervention, lowering operational overhead while promptly applying critical security updates. In the coming months, Enterprise App Management will support adding Arm64 to the requirements when adding a Win32 app to the Enterprise App Catalog. As the catalog nears 1,000 apps, these updates enable faster deployment of more apps across a wider range of devices, helping to ensure secure and compliant app deployments and updates.

Add apps from the Enterprise App Catalog

Remote Help improves efficiency and security in shared VM environments

Intune is also extending Remote Help support to multisession Azure Virtual Desktop environments. IT teams can now assist multiple users on a single virtual machine (VM) simultaneously, improving efficiency and security in virtualized environments. This update streamlines troubleshooting, updates, and user support in shared VM environments, optimizing resource use while reducing security risks. This feature is vital for organizations using Azure Virtual Desktop to lower costs and enhance virtualized environment efficiency while maintaining performance and security.

As the threat landscape evolves, so does Intune Suite with continuous updates to address emerging threats. Its integration with Microsoft 365 and the broader security ecosystem ensures up-to-date protection across a wider device landscape. Intune Suite offers a unified approach to endpoint management and security that scales with organizational needs, whether for traditional PCs, mobile devices, or cloud-based devices. Learn more about how Microsoft Intune Advanced Analytics is broadening functionality across device platforms.

Integrated security value of Intune

Microsoft Intune extends the power of your Microsoft 365 investment by unifying security and endpoint management into a single, integrated solution that scales with your business needs. This cohesive approach to security helps organizations fortify their security posture from all touchpoints, including endpoint management, advanced threat detection, and streamlined coordination through the workloads to swiftly mitigate risks and enhance their overall IT infrastructure—all while enabling a more agile, productive workforce. Intune integrates seamlessly with Microsoft solutions such as Windows updates with hotpatch, Windows Autopilot enrollment time grouping, Microsoft Defender for Endpoint, Edge for Business, and Windows 365 Link to unify endpoint management and enhance organizational security posture.

Windows Resiliency Initiative provides framework for stronger security posture

The Windows Resiliency Initiative, announced at Microsoft Ignite 2024, aims to bolster the security and reliability of the Windows operating system. This comprehensive effort focuses on strengthening reliability, enabling more apps and users to run without admin privileges, implementing stronger controls for app and driver permissions, and improving identity protection to prevent phishing attacks. By addressing these key areas, the initiative provides a robust framework that enhances the overall security posture of organizations. The Windows Insider Program for Business is now available to join to get early access to new Windows features and provide feedback to improve the operating system.

One example of the Windows Resiliency Initiative in action is hotpatch for Windows clients. Managing the deployment of updates in Intune with hotpatch allows for the application of security updates to devices without interrupting the device’s user. Organizations can address vulnerabilities mitigated by a Windows security update immediately, thereby reducing the window of exposure to cyberthreats. The expansion of hotpatching to Windows 11 Enterprise client devices—currently in public preview with general availability planned for spring 2025—signifies a major step forward in maintaining secure and efficient IT environments. Watch this Tackling Tech video to learn more about hotpatching Windows 11.

Enhance security using enrollment time grouping

Another example of how organizations can enhance their security measures with Intune and Windows is enrollment time grouping. Today, administrators can use this capability with Windows Autopilot device preparation in Intune to configure and help secure devices immediately upon enrollment, reducing the time devices are exposed and improving overall security. This approach helps teams apply security policies and access controls before users get access, minimizing the time devices remain unconfigured and therefore reducing the risk of unauthorized access during device setup. Intune plans to extend enrollment time grouping to Android and iOS/iPadOS devices before the end of June 2025 for general availability. This consistent approach across device platforms ensures a seamless and unified experience for endpoint management.

Expanded security setting configuration support with Microsoft Defender for Endpoint and Intune

Integration of Intune with Microsoft Defender for Endpoint allows the use of Intune endpoint security policies to manage the Defender security settings on devices that are not enrolled with Intune. In the April release, Intune will expand security setting configuration support for devices that are managed by Defender for Endpoint. The settings within the existing Windows Security Experience policy and new Linux Microsoft Defender (antivirus and endpoint detection and response) global exclusions endpoint security policies are included in this expansion. Additionally, new settings can configure a policy to exclude certain files, folders, processes, and process-opened files from Defender for Endpoint for Linux server devices. As part of this integration, security policies can be managed through the Defender for Endpoint portal to help ensure security and productivity for security administrators operating within Intune and Defender for Endpoint.

Enhanced browsing and data security with Edge for Business, Intune, and Microsoft Purview

New built-in data protection capabilities for personal and unmanaged devices will be in preview in the coming weeks in Edge for Business, a secure enterprise browser optimized for AI. The rise in the use of personal devices for work can introduce additional risks and complexities as they can lack necessary security configurations, increasing their vulnerability to malware and data breaches. This is where Edge for Business, Intune, and Microsoft Purview converge to provide a secure enterprise browser solution for personal devices. Intune performs device health checks before granting access to corporate resources, helping to ensure compliance with security standards. This is complemented by app protection policies that enforce access to all corporate resources through Edge for Business. And with new Purview data security controls in Edge for Business, organizations can create nuanced, real-time, and context-aware data security policies that allow or block access to sensitive data. This not only helps maintain compliance with regulatory requirements but also empowers businesses to implement tailored security policies that align with their specific needs.

Streamlined management with Intune and Windows 365 Link

Windows 365 Link, also announced at Ignite 2024, is the first Cloud PC device purpose-built by Microsoft to connect securely to Windows 365 in seconds. It is seamless to manage alongside other devices using Intune with minimal applicable policies given its small Windows-based OS and the familiar actions available such as restart and remote wipe. Windows 365 Link is secure by design. It does not support local data, local apps, or local users with administrative rights. Corporate data stays protected within the Microsoft Cloud. Windows 365 Link is another example of how Intune and Windows help organizations balance robust security with operational efficiency. This compact device for desk-based Windows 365 is currently in preview and will become generally available for purchase in select markets starting in April 2025.

Next steps

Intune continues to enhance Intune Suite solutions, deepen management value with Windows, and improve integration with Microsoft 365 to deliver advanced capabilities that bolster security and streamline device management. These innovations are designed to meet the ever-growing demands of modern organizations. Start your free Intune Suite 90-day trial today. If your organization is already using the Microsoft Intune Suite, you can explore and implement new EPM, Enterprise App Management, and Remote Help features as they roll out.

To learn more about how to take advantage of all Intune capabilities, visit the Microsoft Intune documentation.


Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. Being secure is the first step towards AI innovation. Learn how to harden your defenses by exploring new AI-first tools, demos, and best practices. Register now.


Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

Updated Mar 27, 2025
Version 2.0