The strongest IT strategies anticipate challenges and build systems that protect what matters most: users, data, and productivity. Application control means controlled deployments, not environment-wide complexity. Devices arrive work-ready, not waiting for configuration. Apple updates get proactive management, not reactive guesswork.
This month's new capabilities tackle these everyday challenges with four key improvements: smarter application control, devices that manage their own patching, multi-admin approval for critical workflows, and better visibility into Apple updates.
App Control with new targeting capabilities across every Windows device
App Control for Business is now generally available with new targeting capabilities that make Managed Installer enterprise-ready. In the earlier preview, Managed Installer settings applied tenant-wide; organizations can now assign App Control policies with granular targeting to specific groups instead of applying them across the entire organization. Test with a pilot group first and roll out to departments gradually. This isn't just an update – it's what makes App Control enterprise-ready. With these targeting capabilities, organizations can implement Zero Trust application control with more precision.
This new capability also includes a UX wizard (see Figure 1) that walks administrators through scoping, assignments, and review steps without the guesswork. Apps installed through trusted sources are automatically approved under the Intune controls for Windows Defender Application Control (WDAC), keeping security tight without impacting the user's productivity.
Figure 1: Screenshot of the App Control for Business UX wizard capability
Windows Autopilot now patches devices during setup
That sinking feeling when handing over a fresh device to an employee, only to have them call three days later because Windows is demanding a restart for security patches, is about to become a thing of the past. Windows is changing how device setup works: patches are installed automatically during the out-of-box experience (OOBE), and Intune is introducing an admin control over this new behavior, so you decide whether devices get critical updates before they reach users.
When enabled, devices automatically download and install critical Windows updates during the initial setup process. This means employees receive devices that are already current with security patches, eliminating restart interruptions during their first week. If your organization needs to wait before applying the latest updates, you can disable this feature, and the latest quality updates will not be pushed during setup. Microsoft Entra-joined Windows 11 devices now receive quality updates automatically during the out-of-box experience.
Think about what this means for end users' first impressions. While security patches remain essential, IT teams can now create a much smoother experience. Instead of the usual setup delays, new devices arrive already updated and ready for immediate use. The update process takes about 30 minutes on average, though it will vary depending on network and device hardware. This approach also respects IT admins' existing update strategies: current quality update settings are synchronized directly with the device, including deferral options and pause policies.
Real-time visibility comes to Apple device updates
Mac update management has come a long way, but IT teams still faced a visibility gap. IT teams would push an update policy and then just...wait. Perhaps they got a call from a user whose device failed somewhere in the process, leaving administrators to piece together what went wrong.
This month, we are launching enhanced reporting for Apple software updates built on declarative device management (DDM), and it is exactly what IT teams have been asking for: near real-time progress tracking, detailed failure visibility, and insights into how end users interact with these updates.
Devices now report back proactively through each stage, such as downloading and installing, without the need for manual check-ins. This timing couldn't be better, since Apple announced at WWDC that they're deprecating MDM software updates with the Apple OS 26 releases coming in 2025. Without a transition to DDM, IT teams will lose control over critical security patches and OS updates on newer Apple devices, leaving update decisions entirely to users. Read this blog for details.
Multiple administrator approval prevents accidental device management mistakes
We've all heard the horror stories. A single click wipes a critical device, or a role permission change affects an entire team. These single-administrator workflows create unnecessary risk when dealing with changes that can disrupt business operations. Multiple administrator approval now covers Intune RBAC roles and critical device actions. Organizations can now require approval from a second administrator for updates to roles, assignments, scope tags, and critical device actions (e.g., wipe, retire, delete).
For organizations with multiple people managing Intune, this creates a safety net without slowing down day-to-day operations. IT teams can lower the likelihood of unintended changes, limit potential disruptions to employee devices, and implement safeguards to prevent unauthorized changes.
Together, this month's updates put IT teams in greater control of the user experience without compromising security. Organizations can now deploy application control policies with confidence, deliver devices that are productive from the start, and add approval workflows that strengthen security without creating bottlenecks.
Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.