April's Intune updates focus on three areas administrators have consistently asked us to improve: fresher device data, streamlined identity foundations across platforms, and simpler management for non-traditional endpoints. This month includes advancements in Windows app inventory, Linux single sign-on (SSO), and expanded enrollment and control for Apple devices.
Higher‑frequency app inventory updates for Windows devices
IT administrators monitoring applications often rely on a feature known as Discovered apps. With the general release of enhanced app inventory capabilities in the “All Apps” tab, this function provides more detailed and more frequently refreshed inventory data. Some platforms refresh Discovered apps inventory every seven days. App inventory now updates Windows apps on a more frequent schedule, uploading only changes since the last sync, which can help limit additional network usage. App inventory data is updated across the fleet, with most active, healthy Windows devices refreshed multiple times per day.
Besides more frequent data, the range of properties collected by the inventory agent has expanded. Install paths, install dates, uninstall commands, estimated size, architecture, and per-user install scope are now included. Store-specific identifiers and supported languages, which were not part of Discovered apps before, are also included here. IT admins also benefit because inventory collection covers all users who have accessed the device, not just the logged-in user, helping reduce issues of applications coming and going as users change.
To take advantage of app inventory, a new device configuration policy should be set up based on Properties Catalog and assigned to corporate-owned Windows 11 devices enrolled in Microsoft Entra ID. Once configured, inventory data will start coming in on subsequent check-ins.
Modernized SSO for Linux endpoints
The new sign-in process offers Linux users a low-friction and phishing-resistant sign-in option similar to Windows and macOS, alongside a smaller footprint and more integrated use of Entra ID technology. It introduces advanced SSO functionality for Linux endpoints through the Microsoft Identity Broker, a modern C++ identity broker that integrates Linux devices with Microsoft Entra ID and replaces the legacy Java broker for Intune. To learn more, visit Microsoft single sign-on for Linux.
The Microsoft Identity Broker supports a more integrated trust model between the endpoint and Microsoft Entra ID by using full device join to issue device-bound authentication tokens, going beyond what basic enrollment supports. This way, admins can employ Phishing-Resistant Multi-Factor Authentication (PRMFA) to authenticate, which includes certificate-based authentication, smart cards, and Personal Identity Verification (PIV) enabled security keys. Additionally, the same SSO flow now works on iOS as it does on Windows and macOS, where Microsoft Authentication Library (MSAL) APIs can provide SSO for non-Microsoft applications. For configuration details about SSO on Linux with Entra ID, read our Device Registration Command Tool for Linux instructions. It's a win for admins and end users alike:
- End users receive a Primary Refresh Token (PRT) and see fewer credential prompts, improving the sign-in experience.
- IT admins get full Conditional Access and device compliance through Entra ID join, plus a smaller installation package and reduced background authentication tasks now that the Java runtime dependency is gone.
Expanded management capabilities for Apple devices
Microsoft Intune has worked to enhance endpoint management for iOS, iPadOS, macOS, visionOS, and tvOS devices in enterprise environments. In this section, we will look at some of the capabilities released this month to help simplify management of Apple devices at scale and set up end users for success with an identity-ready setup.
visionOS and tvOS enrollment, including government cloud
As an expansion of Intune Plan 2 specialty devices, automated device enrollment (ADE) for visionOS and tvOS is now available, including for Government Community Cloud High and all government cloud tenants, and will be included from July 1 for Microsoft 365 E3 and E5 licenses. Organizations managing large-scale Apple device deployments in unattended and shared-use scenarios can now leverage userless ADE for visionOS and tvOS. This includes devices like Apple TVs in conference rooms, patient rooms, or retail locations, and Vision Pro headsets deployed to training and design teams. These devices can now be enrolled and managed without user affinity or individual sign-in.
After enrollment, visionOS and tvOS devices can be remotely deleted, retired, restarted, renamed, or synced, individually or in bulk. Admins can send down configuration profiles via custom file upload for these devices. They can also restrict enrollment by specifying if these operating systems can enroll into their organization.
With enrollment time grouping in the new ADE enrollment policies experience, administrators will be able to group devices at enrollment time, helping ensure critically assigned policies, scripts, and apps start installation during Setup Assistant. Read our blog post about the new iOS/iPadOS and macOS ADE enrollment policies experience to learn more.
Figure 1: Example of how to create a visionOS/tvOS enrollment policy using ADE in the Intune admin center.
Tighter control over Managed Apple Accounts
Rounding out this month's Apple updates, Intune now allows organizations to choose whether Managed Apple Accounts can be used on any Apple device or only on organization-owned devices. In practice, this means corporate identities stay on corporate hardware, and personal Apple Accounts can be blocked from signing in to organization-owned devices entirely. This is especially important in regulated sectors, such as financial services, where organizations need to prevent corporate data from residing on unmanaged, non-organization-owned devices.
Intune: Myth vs. Reality (new segment)
Starting this month, the What’s New in Intune blog includes a new segment, Intune: Myth vs. Reality. This series will address common assumptions about endpoint management and how Intune works in practice.
This month’s topic: Change-based delivery speed and responsiveness
- Myth: App and policy changes take 8 hours to apply
- Reality: Intune processes 90% of device changes in less than an hour
- How: The commonly cited “8‑hour” timing reflects a routine maintenance check‑in, not how Intune delivers meaningful changes today. Most high-impact app deployments, policy updates, and device actions are delivered through prioritized, change‑based delivery paths that typically reach online devices much faster. By distinguishing these time-sensitive changes from routine maintenance activity and handling them differently, Intune helps reduce the likelihood that important changes are unnecessarily delayed.
To go deeper, read our latest blog, which explains how Intune processes updates at scale, including priority‑aware check‑ins, push‑based signaling, and platform‑specific optimizations that improve consistency and responsiveness across devices.
That’s a wrap for April. Whether you were interested in device data improvements, Apple enrollment expansions, or the Myth vs. Reality section, we'd love to hear your thoughts in the comments below.