When trees lose their leaves, you see the structure beneath. The branches you couldn’t see. The shape that was always there.
January is like that for IT admins. You get a fresh view of your endpoint management landscape, such as where elevation can get sharper, where the application deployment process can be improved, and where admin tasks could be made more efficient.
The same is true for Intune. January isn’t just about celebrating what we’ve accomplished in the past year; it’s also about looking forward to the new challenges we will face and the new ways we can help IT admins be more productive. In this blog post, I’ll highlight the recent capabilities that I’m personally excited about.
Accelerate deployment with PowerShell script installers for Win32 apps
Today, many organizations customize app deployments outside Intune using PowerShell scripts to handle prerequisite checks, post-install steps, dependencies, and registry updates. Previously, each time the script changed, the entire app binary needed to be repackaged and re-uploaded. That friction often added hours to deployment cycles and kept critical work outside the admin center.
This month, that changes. When creating a Win32 app in Intune, admins can now upload a PowerShell script that acts as the app installer, rather than specifying a command line. The script runs natively. Intune packages it with app content and runs it in the same context as the installer. Installation results show in the admin center as 'success' or 'failure' based on return codes, providing visibility into what happened.
So, what does this mean? It means app deployment gets faster, customization gets easier, and teams in highly regulated industries like finance and healthcare can use the script to enforce compliance steps as part of the app installation process. It means system requirements can be checked before anything else runs, and app-specific settings can be configured after the app is installed. It means admins gain even more control.
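As an added illustration (not code from Microsoft or from this post), an installer script of this kind might check a system requirement, verify the packaged installer's hash before running it, install, apply a post-install setting, and report the outcome through its exit code. The file name, minimum build, registry key, value name and hash below are hypothetical placeholders.

```powershell
# Added example: hypothetical installer script packaged alongside the app content.
# ContosoApp.msi, the build number, the registry key and the hash are placeholders.
$ErrorActionPreference = 'Stop'
$Installer    = Join-Path $PSScriptRoot 'ContosoApp.msi'
$ExpectedHash = '<SHA256-OF-APPROVED-INSTALLER>'   # placeholder, pinned at packaging time
$MinBuild     = 19045                              # assumed minimum Windows build
$LogDir       = Join-Path $env:ProgramData 'ContosoApp'
$LogFile      = Join-Path $LogDir 'install.log'

function Write-Log([string]$Message) {
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir -Force | Out-Null }
    Add-Content -Path $LogFile -Value "$(Get-Date -Format o) $Message"
}

try {
    # 1. System requirement check runs before anything else.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    if ($build -lt $MinBuild) {
        Write-Log "Prerequisite failed: build $build is below $MinBuild"
        exit 1
    }

    # 2. Integrity check: refuse to run a payload that differs from the approved one.
    $hash = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedHash) {
        Write-Log "Hash mismatch for $Installer (got $hash)"
        exit 1
    }

    # 3. Silent install; msiexec's exit code becomes the script's return code.
    $msiLog = Join-Path $LogDir 'msi.log'
    $msiArgs = "/i `"$Installer`" /qn /norestart /l*v `"$msiLog`""
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 3010 is Windows Installer's ERROR_SUCCESS_REBOOT_REQUIRED.
    if ($proc.ExitCode -notin 0, 3010) {
        Write-Log "msiexec failed with exit code $($proc.ExitCode)"
        exit $proc.ExitCode
    }

    # 4. Post-install, app-specific setting (hypothetical key and value).
    $key = 'HKLM:\SOFTWARE\Contoso\ContosoApp'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'TelemetryEnabled' -Value 0 -PropertyType DWord -Force | Out-Null

    Write-Log "Install completed with exit code $($proc.ExitCode)"
    exit $proc.ExitCode
}
catch {
    Write-Log "Unhandled error: $($_.Exception.Message)"
    exit 1
}
```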
Endpoint Privilege Management gets sharper
When users need elevated privilege, we are introducing a new Endpoint Privilege Management (EPM) capability to elevate users in a way that preserves their current profile, for example profile paths, environment variables, and personalized settings.
This matters for installers and tools that depend on the active user’s profile. Before, EPM used isolated virtual accounts. Now, the user’s identity is maintained throughout elevation, meaning your audit trails stay cleaner and compliance records are more accurate.
In addition, the ability to enforce scope tags for elevation scenarios ensures admins can only view elevation requests for which they have permission. This is critical for compartmentalizing data in regulated environments. Together with 'Elevate as current user,' this enables organizations to easily oversee who is allowed to perform elevated actions, while avoiding the disclosure of excessive context. These two capabilities integrate seamlessly out of the box, with no configuration required.
Admin tasks capability brings your work together
The new year brings clarity. Admins manage privilege elevation, device offboarding, security alerts, and policy approvals. Admin tasks, now generally available (GA) in Microsoft Intune, brings that work into a single, prioritized queue.
Admin tasks centralizes these workflows to help admins focus on high-impact actions that need their attention now. It is under Tenant Administration, where admins can search, filter, and sort across requests, tasks, and approvals. Currently, admin tasks includes Endpoint Privilege Management (EPM) requests, Multi Admin Approval (MAA) tasks, Microsoft Defender for Endpoint (MDE) security tasks, and tasks from the Device Offboarding Agent (part of Microsoft Security Copilot).
EPM elevation requests help admins quickly approve or deny elevation needs and create reusable rules. Microsoft Defender for Endpoint security tasks enable admins to review recommended remediation actions, take corrective action on security issues, and monitor task status through a consistent Intune workflow. The Device Offboarding Agent helps detect unused or outdated devices that may no longer be needed or may pose a security risk, surfacing these findings as actionable tasks within admin tasks. Multi Admin Approval requests, such as scripts, device wipes, and role changes, are reviewed and approved in this same view. Each approval or rejection is recorded to support audit and compliance requirements. Learn more by taking a deeper dive in this blog on admin tasks in Intune.
Apple enrollment keeps evolving with new certificate support
The technical foundation for enrollment of Apple devices just got stronger. We're rolling out support for the Automated Certificate Management Environment (ACME) protocol for new iOS, iPadOS, and macOS enrollments.
So, what’s the difference? ACME provides better protection than the previous SCEP approach against unauthorized certificate issuance. It includes improved validation mechanisms and automated processes that reduce errors in certificate management. Now, when new Apple devices enroll, they receive an ACME certificate instead of a SCEP certificate.
There's no change to your enrollment experience or to the Intune admin center. The infrastructure simply works better in the background. This applies to Apple Device Enrollment, Apple Configurator enrollment, and automated device enrollment (ADE) methods. We also added 12 new Setup Assistant screens you can control during ADE. Want to skip the App Store screen? Hide camera settings? Now you can. This gives you more flexibility in how your end users experience onboarding.
What's ahead
January always feels like a restart. New year, fresh roadmap, the engineering teams recharged and looking at what's next. When I talk with the team building these capabilities, the energy is real. They're already thinking about solving more challenges IT admins face. The momentum is here with the team at Microsoft Intune.
To stay up to date with Intune, please bookmark the Microsoft Intune Blog, and follow us on LinkedIn or @MSIntune on X.