Every IT environment has workarounds. Policies are duplicated instead of edited because there's no approval process. Apple software updates are pushed to every device because Declarative Device Management (DDM) policies couldn't filter by ownership type.
Workarounds aren't just inconvenient. They can increase risk. Duplicate policies, broad software updates, and unchecked changes expand the attack surface and undermine Zero Trust principles. This month's Microsoft Intune updates focus on eliminating those workarounds by giving admins greater control, clearer accountability, and more precise targeting, helping to ensure that security policies are enforced the way they were intended without slowing IT teams down.
Reduce policy risk with greater oversight over compliance and configuration changes
To provide an extra security measure against unauthorized or accidental changes, additional multi-administrator approval options are now available for device configuration policies created through the settings catalog and for device compliance policies (for more information, see Compliance settings and Device cleanup rules). With this control enabled, critical policy changes (creation, alteration, or deletion) need approval from a second administrator before they take effect.
This latest update expands the multi-admin approval capabilities introduced over the past year, which cover apps, scripts, device actions like wipe, retire, and delete, RBAC roles, and device categories. Adding compliance and configuration policy approvals helps organizations build a more comprehensive safety net around their most critical policies. In environments where configuration drift can lead to non-compliance and security risk, this level of oversight is not simply good practice; it is a preventive control and governance option integrated into the IT workflow.
Furthermore, because every request, approval, and business justification is recorded in the Intune audit logs, this control not only helps prevent unintended changes but also leaves an audit trail of each one.
Find and fix issues faster with updates for multiple device queries
Zero Trust decisions depend on accurate, actionable data, and IT admins need precise queries to identify compliance gaps or missing configurations across their fleet. Advanced Analytics now includes operator details in multiple device query (MDQ) results, including the new leftanti and rightsemi join types. This makes it easier to find devices that are missing specific settings and helps you run fleet-wide queries more accurately, especially when you manage thousands of devices across all OS types.
Additionally, the Advanced Analytics device join syntax in MDQ results is now clickable for faster navigation to device details, and error messaging has been improved. A good example of this improvement is a query that retrieves all devices with ARM processors, ordered alphabetically. The Device column in the results is now clickable when the Device entity is joined. In addition, admins can now join results on the Device field without using custom Device syntax.
Figure 1: Device query results showing x64 CPU data joined on Device.
For more detail, please refer to the Microsoft Learn page on device query for multiple devices.
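As an added illustration (not code from this post or from Microsoft's documentation), here is the ARM-processor query described above, written in the KQL-style syntax that multiple device query uses, followed by the complementary leftanti join that lists devices with no ARM CPU record. The entity names `Device` and `Cpu` and the column names `DeviceId`, `DeviceName`, `OperatingSystem`, and `Architecture` are assumptions about the MDQ schema; confirm them against the device query entity reference on Microsoft Learn before running either query.

```kusto
// Added example, not from the original post. Entity and column names
// (Device, Cpu, DeviceId, DeviceName, OperatingSystem, Architecture) are
// assumed; verify them against the MDQ entity reference before use.

// Query 1: every device with an ARM-based CPU, listed alphabetically.
// Joining on the Device entity makes the DeviceName column clickable in
// the results, as described above.
Cpu
| where Architecture contains "ARM"
| join kind=inner Device on DeviceId
| project DeviceName, OperatingSystem, Architecture
| order by DeviceName asc

// Query 2: the complement of the set above using the new leftanti join,
// i.e. devices that have no ARM CPU record. This is the same pattern used
// to surface a compliance gap: rows in Device with no match in the
// filtered right-hand table.
Device
| join kind=leftanti (Cpu | where Architecture contains "ARM") on DeviceId
| project DeviceName, OperatingSystem
| order by DeviceName asc
```

The leftanti pattern generalizes to any "which devices lack X" question: replace the right-hand subquery with a filter on the entity and setting you expect every compliant device to report, and the result is the list of devices that do not report it.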
Target Apple updates precisely—without overreaching
When managing Apple devices, targeting matters; not every policy needs to reach every device. But until now, Declarative Device Management (DDM) policies did not account for assignment filters. Admins couldn't target devices by OS version or differentiate between company-owned and personally owned devices.
A common challenge for admins is enforcing software updates on company-owned devices while avoiding personal devices. The enhancements included in this month’s Intune release help resolve this challenge. Now admins can use DDM-based policies with assignment filters in the same way they do for MDM-based policies. For instance, if an organization wants to target devices running iOS 17 or later with software updates, they can use an operating system version filter. To target Automated Device Enrollment (ADE) supervised devices while ignoring personal devices, they can use an enrollment profile name filter.
This capability is becoming more important as Apple has expanded Declarative Device Management across iOS, iPadOS, macOS, Vision OS, and Apple TV. Intune keeps pace with that shift by doing what it has always done: giving admins a consistent way to apply policies across every platform they manage.
Fewer workarounds, stronger Zero Trust across every platform
The capabilities rolling out in our February release all have something in common: multi-admin approval, multi-device queries, and assignment filters for Declarative Device Management each remove the need for a workaround.
I know that workarounds are part of every IT environment. However, with each workaround there may be concessions: more access, more policies created without proper scrutiny, or updates not intended for particular devices. While this month’s new capabilities will not eliminate all workarounds, they are a step toward managing devices the way Zero Trust requires: precisely, reliably, and with built-in least privilege.
Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.