
Microsoft Intune Blog

What’s new in Microsoft Intune – March

ScottSawyer
Microsoft
Mar 31, 2026

In a typical week, IT admins are enrolling devices, deploying apps, enforcing policies, and making a hundred small decisions that keep their organizations running. This month’s updates focus on improving the experience around daily actions, compliance visibility, and management capabilities for Apple devices and mobile apps.

More timely notifications for Microsoft Intune

Intune sends notifications to devices when changes occur that require devices to check in. When those notifications are delayed, whether from devices being offline or in a particular state (network instability, low battery, etc.), the action can be delayed, and devices can miss the check-in. Now, on Windows devices, we're complementing the Windows Notification Service (WNS) with the same notification protocol that powers Microsoft Teams to support more timely notification delivery that gives admins the traceability they need for troubleshooting.

We're introducing this functionality with Remote Help for Windows to help reduce the likelihood of stalled session starts when devices are online and reachable. We recommend updating firewall rules to include this new endpoint: *.trouter.communications.svc.cloud.microsoft. Stay informed about our progress by bookmarking the Intune Management Extension logs documentation and the Remote Help for Windows documentation.

New controls for role assignment, device setup, and update readiness

Scope tags are used by Intune to control the resources that an administrator can act on in Microsoft Intune. When an admin holds multiple role assignments with different scope tags, those tags can be combined and grant more access than intended. A new de-union setting lets admins keep these scopes discrete and within the boundaries they define. This prevents role assignments from expanding based on how they overlap with permissions.

Before enabling the capability, admins can use the new ‘Permissions assessment report’ to review how changes to roles and permission allocation will affect their IT team’s day-to-day operations, giving them the chance to plan and adjust before implementing changes. To get started configuring permissions behaviors, read our learn page on permission behavior across role assignments.
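As an added illustration (not from the original post and not Intune's own code), the following Python sketch models combined versus discrete scope tags under a simplifying assumption: combined behavior applies every permission the admin holds to every scope tag the admin holds, while discrete behavior keeps each permission within its own assignment's tags. The role names, permission strings and scope tags are hypothetical.

```python
from itertools import product

# Constructed sample: one admin holding two role assignments.
# Role names, permission strings and scope tags are hypothetical.
ASSIGNMENTS = [
    {"role": "Helpdesk-EMEA",
     "permissions": {"device.read", "device.wipe"},
     "scope_tags": {"EMEA"}},
    {"role": "Reader-APAC",
     "permissions": {"device.read"},
     "scope_tags": {"APAC"}},
]


def effective_combined(assignments):
    """Assumed combined model: every permission applies to every scope tag."""
    perms = set().union(*(a["permissions"] for a in assignments))
    tags = set().union(*(a["scope_tags"] for a in assignments))
    return set(product(perms, tags))


def effective_discrete(assignments):
    """Assumed discrete model: a permission applies only to the scope tags
    of the assignment that granted it."""
    pairs = set()
    for a in assignments:
        pairs |= set(product(a["permissions"], a["scope_tags"]))
    return pairs


def unintended_access(assignments):
    """(permission, scope tag) pairs that exist only because scopes combine."""
    return effective_combined(assignments) - effective_discrete(assignments)


def report(assignments):
    """Sorted, human-readable list of the access that combining adds."""
    return [f"{perm} on scope '{tag}'"
            for perm, tag in sorted(unintended_access(assignments))]


if __name__ == "__main__":
    for line in report(ASSIGNMENTS):
        print("granted only by combining:", line)
```

In this constructed case the admin was given wipe rights for EMEA and read rights for APAC, yet the combined model also yields wipe rights on APAC devices; the discrete model does not.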

Turning to device setup, having to manually authorize each app before it can run can slow down deployment and create gaps that are hard to track. Managed installer policy helps address this by automatically marking apps deployed through Intune as authorized, removing the need to manually whitelist each app. This month, Managed installer policy now applies during Windows Autopilot device preparation, running during out-of-box experience (OOBE) so that Win32, Microsoft Store, and Enterprise App Catalog apps are trusted and available earlier in the setup experience, before the user reaches the desktop.

Beyond a great setup experience, the next job is keeping devices current. Windows Autopatch update readiness is now generally available to help with just that. With four additional experiences that provide visibility of the status across their tenant, device-level details into the quality update process, centralized alerts with remediation guidance, and an Update Readiness Checker, admins gain tools intended to support a more proactive approach to update management. For the full story, the Windows IT Pro Blog has the complete announcement.

Management options to further protect Apple devices and apps 

Intune's adoption of Apple's Declarative Device Management (DDM) protocol has moved quickly, from software update reporting and day zero configuration support to our most recent release of assignment filters. This month, DDM extends to line-of-business (LOB) apps on iOS and iPadOS devices. Until now, app install status was only reported once devices checked in. With DDM-based LOB apps, devices proactively report installation status back to Intune as it changes.

This change represents progress toward broader DDM support within the apps infrastructure, with additional capabilities under consideration for future releases. To dive deeper into these topics, check out the Tech Takeoff session on iOS management at scale and the iOS line-of-business app documentation.

On Mac, admins previously had no MDM-based way to set a password on the recovery OS, leaving Apple Silicon devices with a potential exposure that could be difficult to address. With macOS Recovery Lock, admins can now set that password directly, helping prevent users from booting into recovery mode to bypass security controls, with support for both on-demand and scheduled password rotation. The March 2026 Tech Takeoff session on Apple device security best practices covers this in detail. With this improvement, Recovery Lock support in Intune helps organizations progress towards compliance with security baselines such as STIG.

When I think of a month like this, I don't think about any one of those new capabilities in isolation. I think about the IT admins who have greater visibility into whether a device action reached its destination, or the help desk professionals who don't have to wonder whether a policy applied. It's not exactly headline grabbing, but it's exactly this kind of continuous improvement that makes for a strong foundation for our customers. That same idea holds whether we're talking about improvements aimed at supporting more reliable Windows device notifications, tighter permission boundaries, or Apple devices that are protected all the way down to their recovery partition. We'd love to hear what resonated most with you this month, so please leave a comment below.

 


Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.

Updated Mar 31, 2026
Version 1.0