How Microsoft Intune secures the application layer, from discovery to data protection.
At RSAC, Microsoft is highlighting a foundational truth: more and more AI interactions—whether through Copilot, an agent, or an automated workflow—ultimately run through an application on a device. As organizations adopt more AI-driven workflows, the application layer is becoming an increasingly important enforcement point in modern security architecture.
Security teams are working to maintain visibility and control as new categories of software are introduced into the environment. When applications are unknown, outdated, over-privileged, or allowed to run without control, organizations may face increased risk of unauthorized access to sensitive data or systems. Maintaining visibility into the application estate and helping ensure that users primarily interact with approved and trusted applications has therefore become an important part of reducing risk.
Moving application management into cloud-native workflows can support cross-platform visibility and help organizations streamline how they manage their application estate. This strategy supports organizations' ability to respond to vulnerabilities more quickly and apply security policies more consistently across their environment.
Microsoft Intune’s upcoming releases and recent updates strengthen how organizations secure the application layer across discovery, version control, privilege management, execution control, and data protection.
Upcoming releases include Intune enhanced app inventory, designed to gain visibility into your app estate across devices. Intune Enterprise Application Management auto-updates are designed to help reduce the time between new releases and deployment of business-critical apps. Expanded Endpoint Privilege Management capabilities help to further support least-privilege enforcement with improved approvals and reporting.
Recent releases strengthen both execution control and data protection through App Control for Business with managed installer and expanded app-level protection with Intune Application Protection Policies and Microsoft Edge for Business work profiles. Managed installer support now extends to Windows Autopilot device preparation, helping ensure applications deployed through trusted provisioning workflows are recognized by execution policies. Additionally, application migration partner motions help organizations modernize and standardize their app estate.
Together, these capabilities help IT and security teams address application-based attack paths and support AI-driven work in a more controlled way, without disrupting productivity. Securing the application layer can benefit from a clearer risk-to-control chain that improves visibility into what’s installed and reduces the time older app versions remain in use. This approach also helps organizations limit unnecessary privileges, support trusted execution, and apply app-level data protection in scenarios when device management isn’t feasible.
The following scenarios demonstrate how Intune can help strengthen application security.
1. Reduce blind spots across the app estate installed on devices
A secure application strategy starts with understanding what is running across the device environment. Without reliable application intelligence, it is difficult to accurately assess exposure, prioritize remediation, or enforce policy consistently. Cloud-native endpoint management with Intune enables organizations to view their app estate across Windows, macOS, iOS, and Android devices, helping teams understand their broader application footprint.
Intune enhanced app inventory, generally available starting in May, is designed to provide richer and more current data for managed and user-installed Windows applications on Intune-enrolled devices. As Intune continues to expand app inventory, additional platforms and capabilities are expected to follow.
The improved app inventory experience is intended to help admins:
- Detect unexpected or risky applications more quickly through lower inventory latency
- Target investigations and remediation using added application attributes
- Use fine-grained controls to choose which devices and app attributes are included in inventory
- Access richer and more actionable reporting directly in the device blade
With clearer visibility into application presence and state, IT and SecOps teams can better target remediation of unauthorized, unmanaged, or unexpected applications—and in turn, scope policies more precisely, investigate incidents faster, and reduce application-based attack paths.
Figure 1 View from Intune app installer showing a list of installed applications, including version and date.
2. Keep applications current and reduce vulnerability exposure
Keeping applications up to date across devices is an important part of managing application risk. Manual packaging processes often lead to version drift and inconsistent application states, making it harder to remediate vulnerabilities and maintain a predictable security posture. Intune Enterprise Application Management (EAM) helps organizations move away from fragmented workflows to a more unified, cloud-native application lifecycle management approach—bringing deployments, updates, and policy enforcement together.
EAM auto-updates, generally available starting in July, streamline app packaging and keep applications up to date. They help organizations deploy new application versions faster, shortening the time between a new release and its deployment. This approach can help reduce version drift and exposure to known vulnerabilities.
Figure 2 View of the Intune admin center showing how to apply auto‑updates for application management.
While auto-updates help shrink the vulnerability window and attack surface, vulnerability-driven remediation is still required to identify new risks. The Vulnerability Remediation Agent (part of Microsoft Security Copilot), in limited public preview, helps connect vulnerability intelligence with remediation actions. When vulnerable application versions are identified through Common Vulnerabilities and Exposures (CVEs), remediation suggestions can be surfaced in Intune and used to drive targeted remediations, helping IT admins respond more quickly when new vulnerabilities are discovered.
Script installer support for Enterprise Application Management and Win32 provides IT admins with greater customization and control over application installs and uninstalls, without relying solely on command-line logic or repackaging apps. By using script installer, admins can more effectively manage deployment complexities such as dependencies, configuration steps, and cleanup actions, while keeping installation logic easy to update as requirements change.
3. Replace standing admin rights with just-in-time elevation
Some applications and support tasks require elevated permissions to complete. When elevation is handled through broad local administrator rights, those permissions can extend beyond the intended task, creating opportunities for unwanted or untrusted processes to run with elevated privileges.
By June, a set of expanded Endpoint Privilege Management (EPM) capabilities are expected to be available in Intune, helping organizations move from standing administrator rights toward just-in-time elevation with more controlled and auditable workflows. These capabilities are intended to help admins manage elevation in complex environments while maintaining least-privilege access.
Recent EPM enhancements help improve how elevations are requested, approved, and reviewed:
- Support for approvals by non-primary users allows elevation requests on shared devices and in helpdesk-managed scenarios without permanently expanding administrator access. Generally available starting in April.
- Scope tag support for EPM reporting data allows elevation activity to be segmented across teams and administrative scopes. Generally available starting in June.
4. Enforce trusted application execution
Trusted applications can still be weaponized. Even widely deployed software can be exploited to launch unauthorized tools or run malicious code—which is why controlling what’s allowed to run is as important as controlling what gets installed. Deployment and update controls help standardize the application estate, but execution policies determine which applications can run on managed devices.
App Control for Business in Intune helps enforce trusted application execution on Windows devices by specifying which applications are allowed to run. Applications not permitted by these policies can be blocked, helping maintain a more controlled application environment.
Managed installer support in Intune helps simplify policy management by automatically identifying trusted applications deployed through Intune. Applications installed by Intune are allowed to run without requiring individual rules, helping admins maintain execution policies as the application estate evolves.
The managed installer policy is now also applied during Windows Autopilot device preparation before apps are installed, generally available starting in April. This update helps ensure that apps delivered during Autopilot device preparation are marked as trusted during provisioning. By aligning trusted deployment workflows with execution policy, organizations can support controlled application environments without introducing friction during device onboarding.
Figure 3 Intune's admin center via App Control for Business to begin configuring a policy from the managed installer.
Read more about App Control for Business and managed installer to help maintain a more predictable and policy-aligned application environment.
5. Protect corporate data at the app level
Work increasingly takes place on devices that an organization cannot enroll—agency-managed PCs, partner devices, and personal endpoints. In these scenarios, secure access to corporate resources is still required even when device-level controls cannot be applied.
Intune Application Protection Policies (APP) enable organizations to protect corporate data at the application layer without requiring device enrollment. APP helps enforce data protection controls—such as restricting copy and paste—to help maintain data boundaries between corporate and personal work.
New support for Microsoft Edge for Business work profiles on Windows PCs managed by another organization extends APP protection to browser-based work without creating tenant management conflicts. Recent Microsoft Entra sign-in improvements further help guide users into the intended app-protection experience and help prevent unintended device enrollment.
Read more about these enhancements and how Intune applies Zero Trust-aligned principles to the browser on externally managed Windows PCs.
Securing the application layer across the full lifecycle
The application layer has long been the center of work, and with the rise of AI, it’s rapidly becoming the center of decision-making as well. As organizations adopt Copilot and agents, it becomes an increasingly important enforcement point—and the place where the next wave of security investments needs to land. Securing this layer requires applying consistent controls across visibility, updates, controlled privilege, trusted execution, and app-level data protection.
Intune is designed to help organizations secure the application layer end-to-end, across discovery, deployment, updates, privilege, execution, and data protection. As organizations modernize their app estates, moving them into cloud-native management can provide a foundation for more consistent visibility, streamlined remediation, and stronger security controls across the environment. By applying Zero Trust-aligned principles consistently throughout the application lifecycle, organizations can work to minimize application-related risks while enabling safer and more flexible ways of working.
To support these modernization efforts, application migration partners can work to transition existing applications into cloud-native Intune management by automating assessment, packaging conversion, and remediation. Bringing applications into Intune-managed workflows helps organizations identify potential shadow IT, strengthen their security posture, manage updates, apply privilege controls, and enforce policies more consistently across the environment.
Here are the next steps to take toward securing the application layer:
- Connect with Intune experts at the Microsoft Booth #5744 at RSA Conference, Moscone Center, March 23–26.
- Move Windows app packaging and updates into cloud-native management
- Learn how to apply Zero Trust principles to data within the applications
- Migrate app management to Intune with partner assistance
- Learn which Intune advanced solutions will be coming to the M365 E3 and E5 suites
Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.