rss.livelink.threads-in-node

App Enforced Restrictions not working on Chrome

StuartK73 — Thu, 30 Apr 2026 18:14:53 GMT

Hi All

I hope you are well.

Anyway, a strange one here.

We have implemented App Enforced Restrictions on unmanaged / BYOD macOS devices.

This seems to have taken effect on Edge and Safari browsers but not Chrome.

Is there anything we can do to resolve this or force BYOD macOS to use Edge?

Info appreciated.

What’s new in Microsoft Intune – April

ScottSawyer — Thu, 30 Apr 2026 19:21:31 GMT

April's Intune updates focus on three areas administrators have consistently asked us to improve: fresher device data, streamlined identity foundations across platforms, and simpler management for non-traditional endpoints. This month includes advancements in Windows app inventory, Linux single sign-on (SSO), and expanded enrollment and control for Apple devices.

Higher‑frequency app inventory updates for Windows devices

IT administrators monitoring applications often rely on a feature known as Discovered apps. With the general release of enhanced app inventory capabilities in the “All Apps” tab, this function provides more detailed and more frequently refreshed inventory data. Some platforms refresh Discovered apps inventory every seven days. App inventory now updates Windows apps on a more frequent schedule, uploading only changes since the last sync, which can help limit additional network usage. App inventory data is updated across the fleet, with most active, healthy Windows devices refreshed multiple times per day.

Besides more frequent data, the range of properties collected by the inventory agent has expanded. Install paths, install dates, uninstall commands, estimated size, architecture, and per-user install scope are now included. Store-specific identifiers and supported languages, which were not part of the Discovered apps before, are also included here. IT admins also benefit with how inventory collection takes place across all users who have accessed the device and not just the logged-in user, helping reduce issues of applications coming and going as users change.

To take advantage of app inventory, a new device configuration policy should be set up based on Properties Catalog and assigned to corporate-owned Windows 11 devices enrolled in Microsoft Entra ID. Once configured, inventory data will start coming in on subsequent check-ins.

Modernized SSO for Linux endpoints

The new sign-in process offers Linux users a low-friction and phishing-resistant sign-in option similar to Windows and macOS, alongside a smaller footprint and more integrated use of Entra ID technology. This introduces advanced SSO functionality for Linux endpoints, utilizing the Microsoft Identity Broker. This is a modern C++ identity broker that integrates Linux devices with Microsoft Entra ID and replaces the legacy Java broker for Intune. To learn more visit Microsoft single sign-on for Linux.

The Microsoft Identity Broker supports a more integrated trust model between the endpoint and Microsoft Entra ID by using full device join to issue device-bound authentication tokens, going beyond what basic enrollment supports. This way, admins can employ Phishing-Resistant Multi-Factor Authentication (PRMFA ) to authenticate, which includes certificate-based authentication, smart cards, and Personal Identity Verification (PIV) enabled security keys. Additionally, the same SSO flow now works on iOS as it does on Windows and macOS, where Microsoft Authentication Library (MSAL) APIs can provide SSO for non-Microsoft applications. For configuration details about SSO on Linux with Entra ID, read our Device Registration Command Tool for Linux instructions. It's a win for admins and end users alike:

End users receive a Primary Refresh Token (PRT) and see fewer credential prompts, improving the sign-in experience.
IT admins get full Conditional Access and device compliance through Entra ID join, plus a smaller installation package and reduced background authentication tasks now that the Java runtime dependency is gone.

Expanded management capabilities for Apple devices

Microsoft Intune has worked to enhance endpoint management for iOS, iPadOS, macOS, visionOS, and tvOS devices in enterprise environments. In this section, we will look at some of the capabilities released this month to help simplify management of Apple devices at scale and set up end users for success with an identity-ready setup.

visionOS and tvOS enrollment, including government cloud

Expanding Intune Plan 2 specialty devices, automated device enrollment (ADE) for visionOS and tvOS is now available, including Government Community Cloud High, all government cloud tenants, and will be included from July 1 for Microsoft 365 E3 and E5 licenses. Organizations managing large-scale Apple device deployments in unattended and shared-use scenarios can now leverage userless ADE for visionOS and tvOS. This includes devices like Apple TVs in conference rooms, patient rooms, or retail locations, and Vision Pro headsets deployed to training and design teams. These devices can now be enrolled and managed without user affinity or individual sign-in.

After enrollment, visionOS and tvOS devices can be remotely deleted, retired, restarted, renamed, or synced, individually or in bulk. Admins can send down configuration profiles via custom file upload for these devices. They can also restrict enrollment by specifying if these operating systems can enroll into their organization.

With enrollment time grouping within the ADE enrollment policy, administrators will have the ability to group devices at enrollment time within the new ADE enrollment policies experience, helping ensure critically assigned policies, scripts, and apps start installation during Setup Assistant. Read our blog post about the new iOS/iPadOS and macOS ADE enrollment policies experience to learn more.

Figure1Example of how to createvisionOS/tvOS enrollment policy using ADE in the Intune admin center.

Tighter control over Managed Apple Accounts

Rounding out this month's Apple updates, Intune now allows organizations to choose whether Managed Apple Accounts can be used on any Apple device or only on organization-owned devices. In practice, this means corporate identities stay on corporate hardware, and personal Apple Accounts can be blocked from signing in to organization-owned devices entirely. This is especially important in regulated sectors, such as financial services, where organizations need to prevent corporate data from residing on unmanaged, non-organization-owned devices.

Intune: Myth vs. Reality (new segment)

Starting this month, the What’s New in Intune blog includes a new segment, Intune: Myth vs. Reality. This series will address common assumptions about endpoint management and how Intune works in practice.

This month’s topic: Change-based delivery speed and responsiveness

Myth: App and policy changes take 8-hours to apply

Reality: Intune processes 90% of device changes in less than an hour

How: The commonly cited “8‑hour” timing reflects a routine maintenance check‑in — not how Intune delivers meaningful changes today. Most high-impact app deployments, policy updates, and device actions are delivered through prioritized, change‑based delivery paths that typically reach online devices much faster. By distinguishing these time-sensitive changes from routine maintenance activity and handling them differently, Intune helps reduce the likelihood that important changes aren’t unnecessarily delayed.

To go deeper, read our latest blog, which explains how Intune processes updates at scale, including priority‑aware check‑ins, push‑based signaling, and platform‑specific optimizations that improve consistency and responsiveness across devices.

That’s a wrap for April. Whether you were interested in device data improvements, Apple enrollment expansions, or the Myth vs. Reality section, we'd love to hear your thoughts in the comments below.

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.

Speed where it matters: How Microsoft Intune helps IT prioritize time-sensitive actions

Intune_Support_Team — Thu, 30 Apr 2026 15:47:22 GMT

By: Albert Cabello Serrano | Principal Product Manager - Microsoft Intune

A closer look at how Intune delivers updates to devices and the investments we’re making to help important changes move faster and more predictably.

A common concern we hear from IT admins is, “How quickly will this change actually reach my device?” In many cases, the answer is much faster than expected. Today, 90% of policy updates, app deployments, and device actions in Intune are completed in under an hour.

So where does the idea of “8-hour latency” come from? That number reflects a routine maintenance check-in used when devices are idle - not how Intune processes meaningful changes. Intune uses notification-based, priority-driven processing so that high-impact actions, like security policy changes or remediation steps, are handled promptly and reliably as possible.

In this context, latency isn’t about making every action instant - it’s about providing predictable, prioritized delivery at global scale. The sections below break down how Intune prioritizes different types of updates and recent investments that are helping time-sensitive changes complete more consistently.

How Intune delivers changes to devices

Cloud-based device management is designed for real-world conditions; devices are not always online, fully charged, or on stable networks. Intune uses an eventual consistency model so devices can continue to be productive while converging to the desired state over time, without management actions unnecessarily disrupting users or workflows.

Because devices operate in different conditions, not all device activity is handled the same way. To manage change reliably at scale, Intune uses different types of device check-ins depending on what needs to happen.

Types of device check-ins in Intune

Device check-ins generally fall into several categories, each triggered by a different type of action:

Single‑device check‑ins: Occurs when an admin or user initiates an action on a specific device, such as starting a device action or installing an app from the Intune Company Portal.
Change‑based check‑ins: Push‑triggered check‑ins used to deliver meaningful changes to devices as soon as possible.
Client‑initiated check‑ins: Background activity that helps keep devices healthy, such as when a user signs in to a device or when malware status changes.
Maintenance check-ins: Scheduled syncs that occur at predetermined intervals and can be client or service-initiated, depending on the platform. These typically occur approximately every 8 hours.

Regardless of what triggers a check-in, any pending changes will be applied to the device when it occurs.

What happens when an admin makes a change

When an admin makes a change in Intune, such as updating a device compliance policy, deploying an app, or setting a configuration, Intune identifies the devices impacted by that change and initiates a change‑based check‑in for affected devices.

For online devices, Intune sends a push notification prompting the device to establish a management session with the service, apply the change, and report enforcement status back to Intune. If a device is offline or unreachable, the change is applied when the device next checks in through available mechanisms.

Four investments that help critical updates move forward faster

The following product changes focus on reducing device‑change latency by shortening the time between an admin action in Intune and enforcement on the device, especially during peak or constrained conditions.

1. Check-in prioritization focused on what matters most

Not all device activity carries the same urgency. Routine background check-ins can compete for service resources with devices that have important pending changes, such as compliance updates, remediation actions, or administrator-initiated configuration changes.

Intune evaluates the potential impact of delaying a device check-in on security posture, compliance state or user productivity, and dynamically prioritizes processing accordingly. This real-time prioritization model ensures that high-impact actions move forward without being delayed by lower‑impact background activity. Prioritization adapts as conditions change, helping important updates reach devices more quickly and predictably without being delayed by lower-impact background activity.

2. Built-in resilience when multiple changes occur in quick succession

Change activity often happens in bursts, with several related updates occurring in rapid succession. These periods of activity may be driven by operational needs or background processes, and can involve adjusting assignments, updating multiple policies, or rolling out configuration changes across the same set of devices.

Intune dynamically coordinates notifications, so that each change requiring action triggers a corresponding device notification, even during high-activity periods. This helps improve consistency when applying multiple updates and reduces delays across consecutive changes on devices.

Over the next several months, these improvements will extend to additional payloads delivered through the Intune Management Extension (IME), including scripts, Win32 apps, and custom compliance across both Windows and macOS platforms.

3. More timely notifications on Windows

Intune notifies devices to check-in when changes require action. If the device is offline, on an unstable network, or low on battery, notifications may be delayed. This can cause missed check-ins or delayed actions.

When notification services are delayed, blocked, or unavailable, devices may fall back to scheduled maintenance check‑ins to apply changes. For timely delivery, required notification service endpoints need to remain accessible so devices can receive management signals when updates occur.

On Windows devices, Intune complements the Windows Notification Service (WNS) with the same notification protocol that powers Microsoft Teams via the Intune Management Extension. This helps increase the likelihood that devices receive management notifications when they’re online and reachable, improving visibility into whether policy updates or device actions have reached their destination.

For more information, see the network endpoints for Intune documentation.

4. Optimized maintenance check-ins for iOS devices

Background check-ins are still important to keep devices healthy when nothing else is going on. Unlike Windows devices, iOS devices don’t have client scheduled check‑ins and depend on service‑initiated maintenance check‑ins to ensure device health and compliance.

During peak usage periods, these maintenance check‑ins can account for a significant portion of overall traffic, which can compete with devices that require immediate updates.

Intune considers device activity in the scheduling of maintenance check‑ins during peak activity, making room for higher‑impact updates, while continuing to ensure devices check in regularly. This helps manage traffic and improves responsiveness when applying policies or remediation actions.

What this means for you

For IT admins: No additional configuration or workflow changes are required to benefit from Intune’s built-in notification system. When bidirectional communication with notification service endpoints is open, devices can receive and act on updates as they become available.

For security teams: Faster delivery of device changes helps shorten the time between a policy update, a tightened Conditional Access rule, an updated compliance baseline, and a remediation action. For Zero Trust frameworks, where posture signals drive access decisions, this helps narrow the window during which a device could be out of compliance or vulnerable.

Together, these improvements reflect how Intune is evolving into a more intelligent, priority-aware system. Rather than making every action instant, the focus is on prioritizing high-impact updates so they are delivered without unnecessary delays. This approach is expanding across a number of scenarios to provide a more consistent and predictable experience, helping reduce delays for key updates.

Resources to learn more

For another perspective on this topic, read an MVP’s take on demystifying the “8-hour” timing myth in this LinkedIn post.

You can also watch the recent Tech Takeoff about this same topic to learn more about these improvements.

Also, in the April edition of the What's New in Intune blog, we introduced a new segment called Myth vs. Reality. This post is part of that series. To stay current on new capabilities and updates as they ship, follow the What's New in Microsoft Intune blog.

What myth should we debunk next? Leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune.

Reporting on Device CPU and Memory

StuartW — Wed, 29 Apr 2026 07:31:50 GMT

I have a requirement to produce a monthly report on all our Intune managed Windows devices and the applications they have installed. I have written a script that is able to report on UPN, Device Name, Manufacturer, Model, Serial Number, OS, Total HHD and Free space along with all the applications installed. I am however unable to output the devices CPU and Memory details.

I have tried using the Get-MgBetaDeviceManagementManagedDevices with the ProcessorArchitecture and PhysicalMemoryInBytes parameters but these just report 0 or NULL.

What is the best way to report on the CPU and Memory from Intune?

SCCM PXE Boot Deep Dive – Backend Flow & DP Migration

UdayKumarDevarapalli — Tue, 28 Apr 2026 01:14:25 GMT

SCCM PXE Boot Deep Dive – Backend Flow & DP Migration

I recently worked on a Distribution Point migration and noticed PXE requests were still routing to the old DP due to DHCP/IP helper configuration.

I put together a deep dive explaining:

PXE flow (DHCP and TFTP sequence)

Role of Distribution Points

What changes during DP migration

Common failure points

One key takeaway:

PXE issues are almost always network and routing related, not SCCM itself.

Curious how others are handling PXE in large environments.

Are you standardizing on IP helpers or still using DHCP options?

Full article:

https://medium.com/@ureddy.techno/sccm-pxe-boot-distribution-point-backend-flow-e7adcc6119c4

Protect org data on BYOD Windows / macOS devices

StuartK73 — Mon, 27 Apr 2026 07:38:28 GMT

Hi All

I hope you are well.

Anyway, I have a need to protect org data on:

Window personal / BYOD devices
MacOS personal / BYOD devices

What's the best way to achieve this?

My thinking is:

1 X Conditional Access policy that blocks
1 X Conditional Access policy that allows via Edge, no persistent session, no downloads etc
Device filter on both policies that target unmanaged devices

Any other suggestions?

Unpacking Endpoint Management is back - and we’ve got a lot to talk about

Intune_Support_Team — Thu, 30 Apr 2026 21:37:19 GMT

If you've been missing real, candid conversations about endpoint management, good news! Unpacking Endpoint Management is officially back.

This series is all about what actually works. No fluff, just practical tips, proven strategies, and honest discussions to help you optimize and simplify the way you manage and secure endpoints today (and prepare for what's next).

We're bringing together people from across Microsoft Intune, Security, and Customer Experience engineering and product teams, along with guest practitioners, to share what's worked, what hasn't, and what we've learned along the way. And yes…we're absolutely here for the tough questions.

A quick update on the hosts

Danny Guillory, a familiar face to the community and a Product Manager for Intune and Configuration Manager, will continue to host the series. He's joined this season by Rachelle Blanchard as co‑host, bringing a strong community and discovery lens to the series. Rachelle focuses on surfacing real customer questions and guiding conversations toward practical outcomes, helping ensure each episode reflects how endpoint management works in the real world.

Up next

Policy: from hybrid to cloud-native
May 28, 2026 - 9:00 a.m. PDT
June 2026 episode (topic TBD)
June 30, 2026 – 9:00 a.m. PDT
July 2026 episode (topic TBD)
July 29, 2026 – 9:00 a.m. PDT

Catch up on demand

Curious what it takes to secure endpoints in today’s Zero Trust world?
Watch our most recent episode on Device security with Microsoft Intune, now on demand!

What's the format?

This web series is streamed live on Tech Community, LinkedIn, YouTube, and X. In addition to open discussion, we answer your questions so sign in (or sign up for) the Tech Community and RSVP to submit questions early and throughout the live show.

How do I join?

There's no call or meeting to join. Simply head to aka.ms/JoinUEM. Show up at start time, watch live, and jump into the discussion with us.

Help shape the series

This series is for you - so tell us what you want to hear. Drop a comment below with:

Topics you'd like us to cover
Tough questions you want answered
Speakers you'd love to hear from

We can't wait to get started - and even more excited to hear from you along the way.

Join the Community to get early insight into what's coming for Intune, connect with experts, and share real-world feedback that helps shape the product. 👉 aka.ms/JoinIntuneCommunity

Best approach for migrating AD joined devices to Entra ID without wiping user profiles?

Pranavsethuraman10 — Fri, 24 Apr 2026 08:12:47 GMT

We’ve seen many organizations struggle with device migration when moving from traditional Active Directory (AD) or hybrid environments to Microsoft Entra ID.

The biggest challenge is avoiding user disruption especially when wiping devices causes profile loss, app reconfiguration, and downtime.

In large environments, wipe-and-reload becomes difficult to scale and impacts productivity significantly.

Curious to know how others are handling this:

Are you still using wipe/reimage methods, or are you using alternative approaches that preserve user profiles, applications, and settings?

Would love to hear practical experiences from the community.

Autopilot V1 vs “Device Preparation” (V2): Great direction — but is it enterprise-ready yet?

christiandominguezjp — Fri, 24 Apr 2026 06:39:18 GMT

We evaluated Autopilot v2 but decided to stay on Autopilot v1 for large‑enterprise scale.

Group Tags + dynamic groups are still essential for our device naming, segmentation, and governance model.

We intentionally limit apps in EAS to speed up provisioning, so EAS‑based app deployment in v2 isn’t a compelling advantage for us.

v2 looks promising, but until there’s stronger parity for enterprise‑scale targeting and naming, v1 remains the better fit.

Curious how others at scale are balancing provisioning speed vs. segmentation without Group Tags.

Unpacking Endpoint Management - July 2026

Heather_Poulsen — Fri, 24 Apr 2026 01:02:13 GMT

Let's talk about what actually works. Each month, Unpacking Endpoint Management brings you practical tips, proven strategies, and honest discussions. Our goal? To help you optimize and simplify the way you manage and secure endpoints today (and prepare for what’s next). Topics change monthly and are informed by your feedback so visit https://aka.ms/UEM and leave a comment to let us know you want to hear about.

How do I participate?

Registration is not required. Simply add this event to your calendar and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.

Unpacking Endpoint Management - June 2026

Heather_Poulsen — Fri, 24 Apr 2026 01:00:12 GMT

Let's talk about what actually works. Each month, Unpacking Endpoint Management brings you practical tips, proven strategies, and honest discussions. Our goal? To help you optimize and simplify the way you manage and secure endpoints today, and prepare for what’s nex). Topics change monthly and are informed by your feedback so visit https://aka.ms/UEM and leave a comment to let us know you want to hear about.

How do I participate?

Registration is not required. Simply add this event to your calendar and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.

Policy: From hybrid to cloud-native

Heather_Poulsen — Thu, 30 Apr 2026 21:27:52 GMT

Policy management has evolved fast: from on‑prem Group Policy/ADMX and domain‑joined assumptions to hybrid realities and truly cloud‑native configuration at scale. Tune in as we unpack what changes (and what should change) as you modernize policy in Microsoft Intune—including how to take inventory of what you have today, map it to modern equivalents, and decide what to migrate, redesign, or retire. We’ll share practical tips for creating cloud policies, talk about when to use templates vs. the settings catalog, and discuss how to avoid overlapping policy assignments during hybrid transition. Bring your edge cases! This is designed to be interactive, with plenty of time for your questions.

How do I participate?

Registration is not required. Simply add this event to your calendar and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.

Let's talk about what actually works. Each month, Unpacking Endpoint Management brings you practical tips, proven strategies, and honest discussions. Our goal? To help you optimize and simplify the way you manage and secure endpoints today, and prepare for what’s next). Topics change monthly and are informed by your feedback so visit https://aka.ms/UEM and leave a comment to let us know you want to hear about.

Device security with Microsoft Intune

Heather_Poulsen — Wed, 29 Apr 2026 22:42:04 GMT

For tips and best practices to help you stay ahead of evolving threats and modern device management challenges with Microsoft Intune, tune in to this month's episode of Unpacking Endpoint Management.

We'll break down what it really takes to secure endpoints in today’s Zero Trust world—from implementing compliance policies and Conditional Access to enforcing least privilege with Endpoint Privilege Management. Bring your questions and leave with actionable insights you can apply today.

How do I participate?

Registration is not required. Simply add this event to your calendar and select Attend to receive reminders. Post your questions and thoughts in advance, or any time during the live broadcast.

If you're looking for practical tips, proven strategies, and honest discussions to help you optimize and simplify the way you manage and secure endpoints today (and prepare for what’s next), save the date for future episodes of Unpacking Endpoint Management!

Autopatch - Microsoft 365 Apps Update Rings

PaulJebastin — Thu, 23 Apr 2026 10:49:32 GMT

I’m trying to understand how the UpdateDeferredVersions registry value is updated in an Intune Autopatch scenario, specifically the version and FileTime values.

Registry path:

HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Updates

Example value:

UpdateDeferredVersions = 16.0.19725.20170:13420719560293 | 16.0.19822.20180:13421142577563

I’ve observed the following and would appreciate any clarification:

When I modify deadline or deferral settings via Autopatch (policy changes), the FileTime value does not update.
Is there a delay or specific trigger (e.g., policy refresh, scheduled task, CDN sync) that updates this FileTime?
How exactly is this FileTime calculated? Is it tied to when the build was released, assigned, or when the policy was applied?
Is there any supported way to force or influence this FileTime update?
Or is this value simply tracking when the build cap was issued, with deferral logic calculated relative to that timestamp?

Additionally, I’ve noticed that updates only seem to apply when the FileTime is approximately 4 days behind the current date, is this expected behavior with Autopatch deferral logic? I was able to successfully test this updating FileTime 4 days behind ((Get-Date).AddDays(-4)).ToFileTime().

Any insights into how this mechanism works under the hood (especially with Click-to-Run + Autopatch interaction) would be really helpful.

Below is Autopatch group settings for Microsoft 365 update rings that we set in our environment:

Test - Deferral 0 - Deadline 0

Ring 1 - Deferral 1 - Deadline 0

Ring 2 - Deferral 2 - Deadline 0

Last - Deferral 4 - Deadline 1

Thanks in advance!

As vulnerability discovery moves at AI speed, keeping current is foundational to reduce exposure

Intune_Support_Team — Wed, 22 Apr 2026 22:35:25 GMT

Recent advances in automation and AI are accelerating vulnerability discovery and shortening the window between disclosure and exploitation. As Microsoft outlined in our recent Security blog, this shift raises the bar for how quickly organizations need to reduce exposure across their environments.

For IT and security teams, this makes staying current on updates more critical than before. While responding to individual Common Vulnerabilities Exposures (CVE) remains essential, keeping current across devices and applications is foundational to reducing exposure as threats evolve.

This post focuses on the endpoint execution layer - how Microsoft Intune helps organizations understand their update posture, prioritize action, and reduce the time it takes for protections to land.

Introducing the security update status dashboard in Microsoft Intune

To act decisively, teams need clear visibility into where systems are current, where gaps exist, and how update deployments are progressing. Without a shared, defensible view of update status, it’s difficult to prioritize remediation or answer a basic question from leadership: “Are we patched?”

To address this, Intune is introducing the General Availability of a new security update status dashboard providing centralized visibility into update compliance across Windows Clients, Windows Servers, and Microsoft 365 Apps. The dashboard provides a clear, current view for leadership, backed by current data — without switching between multiple reports or tools.

Figure 1: Security update dashboard showing patch status for Windows clients, servers, and Microsoft 365 apps.

The dashboard surfaces:

Visibility into which devices are current on quality and feature updates, which are falling behind, and where remediation gaps exist across your Intune-managed estate
The data needed to prioritize action, track progress across deployment rings, and help demonstrate a more accurate compliance posture
Insight to where exposure is critical and needs immediate attention

Four ways to shrink your vulnerability window

The dashboard delivers visibility. The capabilities below help you act on it.

1) Windows Autopatch: deploy updates at scale with control

Windows Autopatch manages update orchestration through predefined deployment rings, releasing updates progressively across representative device groups so that quality and security updates reach broad production populations only after passing validation in pilot environments. IT teams shift from manually coordinating deployment schedules each month to focusing on policy and exception management while Windows Autopatch handles sequencing, scheduling, and rollout logic.

When critical vulnerabilities emerge, expedited update deployment allows devices to advance more quickly through the rollout process, providing security teams with an additional lever for reducing time-to-secure when AI-driven discovery shortens the window between disclosure and exploitation.

2) Hotpatch updates: Windows updates without the reboot

Even when updates deploy rapidly, protection is not realized until a device restarts, and users routinely defer reboots for hours or days. Hotpatch updates for Windows reduces this gap by applying supported security updates to in-memory processes without requiring frequent restarts. Eligible Windows 11 Enterprise devices can reach a protected state immediately after installation, helping reduce the vulnerability window.

Operationally, hotpatch updates shifts the restart requirement from monthly update to a smaller number of planned baseline updates per year, enabling organizations to deploy critical fixes without the productivity impact of forced restarts. You can enable hotpatch updates through quality update policies in Intune on supported systems.

In addition, with Autopatch update readiness, IT admins can better anticipate when planned quality or feature updates won’t reach a device, understand Autopatch and hotpatch enrollment coverage, and quickly identify blockers to bringing devices into a ready state.

3) Microsoft 365 Apps patching: keep Office and other apps current in lockstep

The Microsoft 365 Apps admin center includes Inventory and Cloud Update, giving administrators visibility into update status across connected devices by update channel so they can quickly spot systems missing the latest security updates and track progress. When an accelerated response is required, teams can tighten deadlines and move from staged rollout to immediate enforcement by removing waves, deferrals, or exclusion windows that may delay availability for specific groups, especially where channel divergence or scoped targeting leaves devices outside policy. Because expedited servicing reduces time for testing across diverse configurations, Cloud Update controls such as pausing a deployment or rolling back an update help mitigate risk while closing security gaps quickly.

4) Server updates: Configuration Manager or Azure Arc to accelerate compliance and operational workloads

For organizations managing servers, Configuration Manager helps streamline the identification, packaging, and assignment of security updates (for example, with Automatic Deployment Rules) based on classification and severity. Cloud-based sourcing through the Microsoft Update service can prevent deployment failures in distributed environments, while maintenance windows let you pre-stage updates for highly available systems and install them during defined downtime intervals - achieving compliance without unplanned service interruptions. For server estates that are Arc-enabled, you can also use Azure Arc to extend visibility and management across hybrid and multicloud infrastructure.

If you need even deeper coverage and insight, consider integrating Microsoft Defender Vulnerability Management (MDVM) to enrich update posture with vulnerability intelligence and prioritize remediation based on real exposure.

Using update currency as an enforcement signal

Deploying updates is half the job. Verifying they land - and holding the line when they don't - is the other half. Intune compliance policies let you define minimum OS build numbers, required update levels, and grace periods. Devices that fall out of compliance are flagged automatically.

Paired with Microsoft Entra ID Conditional Access, update currency can become a condition of access - checking that only current, healthy devices connect to corporate resources. This turns update posture into an enforceable control, not just a reporting metric.

Actions you can take today

The increasing use of AI in vulnerability discovery, combined with a rapidly evolving threat landscape, underscores the importance of taking proactive security measures. Here are actions you can take today:

Assess. Open the new security update status dashboard and know the baseline of your fleet. See how many Windows devices are behind on feature releases, quality updates, and Microsoft 365 Apps patches.
Automate. Configure Windows Autopatch for ring-based deployment, enable hotpatch updates on eligible devices, and set Microsoft 365 Apps servicing profiles. Enable expedited updates so you can respond to critical vulnerabilities quickly.
Enforce. Pair compliance policies with Conditional Access. Make being current a condition of access to corporate data.
Monitor. Review the dashboard weekly. Investigate deployment failures promptly and deploy proactive remediations to clear blockers.
Communicate. Share dashboard trends with security leadership and application owners. When stakeholders see the data, update compliance becomes a shared priority, not just an IT burden.
Evolve. Revisit your deployment rings, deferral windows, and compliance thresholds quarterly. Use failure patterns from the dashboard to refine your approach and evaluate Windows Autopatch for a fully managed experience that scales with your organization.

Every day a device remains out of date is potential exposure to unnecessary vulnerabilities. Intune gives you the tools, and now the visibility, to get current, stay current, and defend your organization at the speed the threat landscape demands.

Closing

Reducing exposure starts with knowing where you stand. The security update status dashboard in Intune provides a single place to understand update status across Windows devices and Microsoft 365 Apps, helping you identify lagging systems and prioritize action.

Make the dashboard part of your regular operational rhythm: review it, act on the gaps it surfaces, and track progress over time. With the right visibility and tooling, staying current becomes repeatable - not reactive.

Feature availability varies by license. Learn more about plan details and requirements here.

Read the latest Microsoft Security blog to learn how turning AI‑driven discovery into protection at scale can help secure your estate in an AI‑driven threat landscape.

Get started with Microsoft Secure Now for guidance in assessing risk and take recommended actions.

Intune application migration & app management

Lior_Bela — Tue, 21 Apr 2026 15:50:59 GMT

Migrating applications from Configuration Manager and other on-prem solutions to Microsoft Intune cloud native remains a challenging and time consuming undertaking, especially when dealing with complex line-of-business, legacy, and custom home-grown applications. Some organizations pursuing a full cloud-native management vision are encountering blockers related to application compatibility, re-packaging, and the scale of existing app estates - all while trying to maintain business continuity, device compliance, and preparing for the AI and Copilot era.

Start here

Read Face the future today by moving your application to cloud native
Bookmark the Microsoft Intune planning guide

Navigate to:
Why app migration matters | Application packaging partners | Frequently asked questions

Why app packaging matters

Centralizing application management in Intune can deliver operational benefits such as unified enforcement and improved security posture—while supporting broader modernization goals.

Common blockers that slow cloud-native adoption include:

App compatibility and dependency complexity
Manual repackaging effort at scale
Risk of disruption during cutover

Application packaging partners

To address the complex realities of app migration, the Microsoft partner ecosystem has stepped up with specialized offers designed to reduce risk and accelerate cloud adoption. As part of this initiative our Microsoft partners Rimo3 and Robopack are offering no-cost, time-limited app migration service to all Intune customers who are looking to move from Configuration Manager to Intune. These services can help IT teams automate assessment, package conversion, and remediation for various app types, helping organizations realize the full value of Intune faster and with less disruption.

Note: The app migration services listed on this page are offered directly by partners and are subject to their terms. Microsoft makes no guarantees or commitments regarding availability or outcome.

Rimo3 helps IT professionals modernize, migrate, and manage applications at enterprise scale. The platform eliminates manual effort by automating packaging, validation, and patch testing. With patented IP, Rimo3 ensures every app is compatible, secure, and visible for dependencies and update readiness before deployment. Automated, unattended workflows reduce migration timelines from months to days, while contextual patch validation minimizes production risk. Rimo3 keeps environments evergreen with zero-touch app management and enhances Microsoft Intune with bulk operations, advanced controls, and unified reporting.

Robopack is a cloud-native Intune app lifecycle platform that lets you package, deploy, and keep third-party apps updated, across one or many tenants, with phased control and PowerShell App Deployment Toolkit (PSADT)-based customization. Start with a self-service migration readiness report, mapped to the library of 41,000 pre-packaged, fully documented apps ready to go, or upload your own apps to be analysed and converted. Robopack Radar discovers apps installed across your estate, allowing you to quickly migrate to Intune and uncover Shadow IT.

Frequently asked questions

Q: Is this a Microsoft-managed service?
A: No. Partner offers are provided directly by partners and subject to partner terms; Microsoft makes no guarantees regarding availability or outcomes.

Q: What kinds of apps can these paths help with?
A: The published focus is on helping migrations from Conifguration Manager to Intune, including complex legacy and line-of-business apps.

Q: Where do I start if I’m early in planning?
A: Start with the Intune Planning Guide and Migration Guide.

Adobe reader update deployment via Intune

KarthickJokirathinam — Mon, 20 Apr 2026 06:28:32 GMT

Hi Team, can we integrate and deploy Adobe reader update automatically via Intune or we need to create package and deploy latest version every month.

Edge update deployment via Intune

KarthickJokirathinam — Mon, 20 Apr 2026 06:25:02 GMT

Hi Team, I am planning to deploy edge stable channel update from intune every month. Can anyone share the process & configuration settings in intune

Which Entra account are you supposed to use to connect to a managed Google Play account?

RyanSteele-CoV — Fri, 17 Apr 2026 20:47:42 GMT

At Connect Intune account to managed Google Play account - Microsoft Intune | Microsoft Learn, it says:

We recommend using the Microsoft Entra account you're signed into to create the Google Admin account.

So I used my Entra account to set it up. Now, though, when I look at the Managed Google Play item in Intune under Devices > Android > Enrollment, it has my email address under "Linked account".

Was I supposed to create a shared Entra account to make this connection? What happens when I leave the org?

How to repair an application deployed via Intune with no admin rights

sylsimp1 — Fri, 17 Apr 2026 15:42:40 GMT

Hi,

I would like to know how to repair an applcation deployed by Intune. User has no admin rights , so via control panel is not an option. User is not set as primary user on device.

Thks for all comments