
Microsoft Intune Blog

What's new in Microsoft Intune: December 2025

ScottSawyer
Dec 11, 2025

Following Microsoft Ignite 2025, I caught up with colleagues and Intune MVPs who made the trip to San Francisco. There was a lot to talk about, but one conversation stood out: When I asked what surprised them most about this year for Microsoft Intune, the answer wasn't a single capability. It was witnessing busy IT admin work disappear by automating work that used to consume hours of admin time.

Microsoft Security Copilot agents in Intune exemplify that shift, but the introduction of additional agents doesn’t address other IT challenges. Throughout 2025, the Intune engineering team has shipped capabilities for cross-platform support, security, and more that have helped to remove many areas of friction from day-to-day operations. For a more complete story about what was delivered and what’s coming soon, watch the on-demand Microsoft Ignite presentation or read the What’s new in Microsoft Intune at Ignite blog.

Today, I'll focus on several recent capabilities worth examining in detail from November and December.

Empowering IT by automating and enhancing workflows

For many of the customers I spoke with this year, context-switching drains productivity. Switching between multiple console nodes to manage security tasks, elevation requests, and admin approvals increases friction and the chance of missing something.

The new Admin tasks node under Tenant Administration in the Intune admin center consolidates this workflow into a single view. Now in public preview, this centralized location surfaces Endpoint Privilege Management (EPM) file elevation requests, Defender for Endpoint security tasks, and Multi-Admin Approval requests in one place. Administrators can search, filter, and sort across all task types without jumping between console areas. The centralized view reduces time spent hunting for what needs attention and creates a more reliable review process.

This helps centralize admin tasks, but visibility without boundaries can create noise. Until now, administrators with permission to review Endpoint Privilege Management elevation requests could see every request across the organization, regardless of their assigned scope. Scope tag enforcement adds role-based access control to this highly valued capability, aligning EPM with Zero Trust by ensuring admins only access the elevation requests required for their role. This reduces unnecessary visibility into devices and users outside their remit and lowers the risk of accidental or inappropriate actions.

Enhancing visibility and control across platforms

November's updates deliver improvements across three areas: app management, privacy controls, and policy targeting. These areas give IT administrators even more granular control for diverse device fleets running iOS, macOS, and Android.

Android: User experience and app management options

Intune has introduced new capabilities to Managed Home Screen for IT to enhance the end user experience on frontline Android devices: Offline mode and App access without sign-in offer users greater flexibility to access critical applications, while improved volume controls now allow more granular adjustments for call, ring, notifications, alarms, and media.

Additionally, if customizing your managed Google Play app catalog becomes too time-consuming, you can use the new "Reset to Basic" mode. This reverts to the default "all approved apps visible" experience instantly, without support tickets or manual collection rebuilds. Taken together, these changes move Android app management away from low-level device plumbing and toward intentional experience design.

Android: Data protection and privacy controls

Beneath the user-facing improvements, the November Intune release tightens Android data protection. This is critical for AI features that may not have been part of the original security model. The Intune Settings Catalog now provides access to Android controls, which include:

  • "Block assist content sharing with privileged apps", a setting that helps mitigate the emerging risk of AI assistants and screen readers capturing work profile screenshots and app details. This stops AI services like Circle to Search from ingesting corporate context into external learning datasets while still allowing personal AI features to function.
  • Work-profile privacy settings that block Bluetooth contact sharing and prevent work contacts from appearing in personal caller ID control data flows.
  • New work profile password options (expiration, reuse history, and device wipe on failure).

Android: Policy targeting and security enforcement

To help ensure your most sensitive controls reach only the devices that need them, IT can now use Device Management Type as an assignment filter property in Intune for precision policy targeting. Instead of over-applying rules to all Android devices, you can now differentiate between corporate and personal devices across Android Enterprise and AOSP.

This precision extends into real-time security enforcement. When Microsoft Defender for Endpoint detects a rooted Android device, Microsoft Tunnel immediately blocks VPN access, dropping active connections until the device is remediated. Because Defender's detection works natively within Intune, your existing compliance policies are automatically enforced through Tunnel (across both MDM-managed and MAM scenarios) without manual reconfiguration. Learn more in the following blog on native root detection support for Microsoft Defender on Android.

iOS and macOS: Enrollment experience design

First impressions during enrollment shape user expectations and IT confidence alike.

When an employee unboxes a new device enrolled through your organization, those initial screens become an opportunity to empower users and position IT as an enabler. Finding the right balance has sometimes meant accepting trade-offs. IT admins could streamline the flow, or show every configuration option, but rarely both.

Setup Assistant customization for iOS/iPadOS and macOS automated device enrollment, now generally available, delivers both of these benefits. Administrators can now hide or show specific Setup Assistant screens, enabling fine-grained control over the enrollment experience while preserving flexibility. Want to show App Store and camera configuration on some devices but hide privacy settings on others based on policy? You can do that now. The result is enrollment tailored to your actual requirements, not constrained by platform defaults. For detailed configuration guidance, see Set up automated device enrollment for iOS/iPadOS and Set up automated device enrollment for macOS.

In summary, whether Android users require precise privacy controls or iOS users benefit from a customized enrollment experience, the November Intune release emphasizes that effective, cross-platform management involves respecting each device platform's uniqueness and working to optimize for them.

Improving end-user onboarding experiences

Providing employees with immediate access to devices equipped with necessary applications can enhance employee satisfaction, optimize security measures, and increase overall productivity. Upon logging into a Cloud PC environment, end-users encounter pre-installed applications, enabling them to begin working efficiently without delay.

Windows Autopilot device preparation in automatic mode is now available in public preview for Windows 365 Enterprise, Windows 365 Frontline dedicated mode, and Windows 365 Cloud Apps. IT administrators now can include device preparation policies as part of their Cloud PC provisioning process.

This capability streamlines the Cloud PC provisioning process, improves the end-user experience, and eliminates the need for custom images, while providing visibility into installation progress with both the CPC report and the Autopilot device prep deployment report. This ensures the device is set up with critical apps and scripts when the end-user logs in on day one.

Looking forward to 2026

Cloud-native endpoint management on a trusted platform is the foundation for how organizations will support AI safely across endpoints. The investments throughout 2025 focused on reducing friction at critical points, rather than painting with a broad brush, across every aspect of endpoint management, and showed what's possible when management infrastructure is built for modern threats and modern work.

Whether it's automating tedious admin tasks, respecting platform-specific security needs, or accelerating device readiness, a cloud-powered, AI-driven approach helps move IT from firefighting to strategy. In 2026, we will continue to innovate with this focus and share more updates on Intune's advanced capabilities coming to Microsoft 365 E3 and Microsoft 365 E5, which will expand access to the solutions of the Microsoft Intune Suite to more customers. See you in 2026!

 


Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

Updated Dec 10, 2025
Version 1.0