Intune Customer Success articles

Unpacking Endpoint Management is back - and we’ve got a lot to talk about

Intune_Support_Team — Sat, 25 Apr 2026 00:05:17 GMT

If you’ve been missing real, candid conversations about endpoint management, good news! Unpacking Endpoint Management is officially back.

This series is all about what actually works. No fluff, just practical tips, proven strategies, and honest discussions to help you optimize and simplify the way you manage and secure endpoints today (and prepare for what’s next).

We’re bringing together people from across Microsoft Intune, Security, and Customer Experience engineering and product teams, along with guest practitioners, to share what’s worked, what hasn’t, and what we’ve learned along the way. And yes…we’re absolutely here for the tough questions.

A quick update on the hosts

Danny Guillory, a familiar face to the community and a Product Manager for Intune and Configuration Manager, will continue to host the series. He’s joined this season by Rachelle Blanchard as co‑host, bringing a strong community and discovery lens to the series. Rachelle focuses on surfacing real customer questions and guiding conversations toward practical outcomes, helping ensure each episode reflects how endpoint management works in the real world.

What’s coming up

We’ve got four new episodes lined up, including our first one kicking off next week on April 30!

Stay tuned for topics, speakers, and registration details:

Device security with Microsoft Intune - Unpacking Endpoint Management
April 30 – 9:00 AM PDT
May 28 – 9:00 AM PDT
June 30 – 9:00 AM PDT
July 29 – 9:00 AM PDT

Be sure to bookmark aka.ms/UEM or follow this post for the latest schedule updates.

What’s the format?

This web series is streamed live on Tech Community, LinkedIn, YouTube, and X. In addition to open discussion, we answer your questions so sign in (or sign up for) the Tech Community and RSVP to submit questions early and throughout the live show.

How do I join?

There’s no call or meeting to join. Simply head to aka.ms/JoinUEM. Show up at start time, watch live, and jump into the discussion with us.

Help shape the series

This series is for you - so tell us what you want to hear. Drop a comment below with:

Topics you’d like us to cover
Tough questions you want answered
Speakers you’d love to hear from

We can’t wait to get started - and even more excited to hear from you along the way.

Join the Community to get early insight into what’s coming for Intune, connect with experts, and share real-world feedback that helps shape the product. 👉 aka.ms/JoinIntuneCommunity

As vulnerability discovery moves at AI speed, keeping current is foundational to reduce exposure

Intune_Support_Team — Wed, 22 Apr 2026 22:35:25 GMT

Recent advances in automation and AI are accelerating vulnerability discovery and shortening the window between disclosure and exploitation. As Microsoft outlined in our recent Security blog, this shift raises the bar for how quickly organizations need to reduce exposure across their environments.

For IT and security teams, this makes staying current on updates more critical than before. While responding to individual Common Vulnerabilities Exposures (CVE) remains essential, keeping current across devices and applications is foundational to reducing exposure as threats evolve.

This post focuses on the endpoint execution layer - how Microsoft Intune helps organizations understand their update posture, prioritize action, and reduce the time it takes for protections to land.

Introducing the security update status dashboard in Microsoft Intune

To act decisively, teams need clear visibility into where systems are current, where gaps exist, and how update deployments are progressing. Without a shared, defensible view of update status, it’s difficult to prioritize remediation or answer a basic question from leadership: “Are we patched?”

To address this, Intune is introducing the General Availability of a new security update status dashboard providing centralized visibility into update compliance across Windows Clients, Windows Servers, and Microsoft 365 Apps. The dashboard provides a clear, current view for leadership, backed by current data — without switching between multiple reports or tools.

Figure 1: Security update dashboard showing patch status for Windows clients, servers, and Microsoft 365 apps.

The dashboard surfaces:

Visibility into which devices are current on quality and feature updates, which are falling behind, and where remediation gaps exist across your Intune-managed estate
The data needed to prioritize action, track progress across deployment rings, and help demonstrate a more accurate compliance posture
Insight to where exposure is critical and needs immediate attention

Four ways to shrink your vulnerability window

The dashboard delivers visibility. The capabilities below help you act on it.

1) Windows Autopatch: deploy updates at scale with control

Windows Autopatch manages update orchestration through predefined deployment rings, releasing updates progressively across representative device groups so that quality and security updates reach broad production populations only after passing validation in pilot environments. IT teams shift from manually coordinating deployment schedules each month to focusing on policy and exception management while Windows Autopatch handles sequencing, scheduling, and rollout logic.

When critical vulnerabilities emerge, expedited update deployment allows devices to advance more quickly through the rollout process, providing security teams with an additional lever for reducing time-to-secure when AI-driven discovery shortens the window between disclosure and exploitation.

2) Hotpatch updates: Windows updates without the reboot

Even when updates deploy rapidly, protection is not realized until a device restarts, and users routinely defer reboots for hours or days. Hotpatch updates for Windows reduces this gap by applying supported security updates to in-memory processes without requiring frequent restarts. Eligible Windows 11 Enterprise devices can reach a protected state immediately after installation, helping reduce the vulnerability window.

Operationally, hotpatch updates shifts the restart requirement from monthly update to a smaller number of planned baseline updates per year, enabling organizations to deploy critical fixes without the productivity impact of forced restarts. You can enable hotpatch updates through quality update policies in Intune on supported systems.

In addition, with Autopatch update readiness, IT admins can better anticipate when planned quality or feature updates won’t reach a device, understand Autopatch and hotpatch enrollment coverage, and quickly identify blockers to bringing devices into a ready state.

3) Microsoft 365 Apps patching: keep Office and other apps current in lockstep

The Microsoft 365 Apps admin center includes Inventory and Cloud Update, giving administrators visibility into update status across connected devices by update channel so they can quickly spot systems missing the latest security updates and track progress. When an accelerated response is required, teams can tighten deadlines and move from staged rollout to immediate enforcement by removing waves, deferrals, or exclusion windows that may delay availability for specific groups, especially where channel divergence or scoped targeting leaves devices outside policy. Because expedited servicing reduces time for testing across diverse configurations, Cloud Update controls such as pausing a deployment or rolling back an update help mitigate risk while closing security gaps quickly.

4) Server updates: Configuration Manager or Azure Arc to accelerate compliance and operational workloads

For organizations managing servers, Configuration Manager helps streamline the identification, packaging, and assignment of security updates (for example, with Automatic Deployment Rules) based on classification and severity. Cloud-based sourcing through the Microsoft Update service can prevent deployment failures in distributed environments, while maintenance windows let you pre-stage updates for highly available systems and install them during defined downtime intervals - achieving compliance without unplanned service interruptions. For server estates that are Arc-enabled, you can also use Azure Arc to extend visibility and management across hybrid and multicloud infrastructure.

If you need even deeper coverage and insight, consider integrating Microsoft Defender Vulnerability Management (MDVM) to enrich update posture with vulnerability intelligence and prioritize remediation based on real exposure.

Using update currency as an enforcement signal

Deploying updates is half the job. Verifying they land - and holding the line when they don't - is the other half. Intune compliance policies let you define minimum OS build numbers, required update levels, and grace periods. Devices that fall out of compliance are flagged automatically.

Paired with Microsoft Entra ID Conditional Access, update currency can become a condition of access - checking that only current, healthy devices connect to corporate resources. This turns update posture into an enforceable control, not just a reporting metric.

Actions you can take today

The increasing use of AI in vulnerability discovery, combined with a rapidly evolving threat landscape, underscores the importance of taking proactive security measures. Here are actions you can take today:

Assess. Open the new security update status dashboard and know the baseline of your fleet. See how many Windows devices are behind on feature releases, quality updates, and Microsoft 365 Apps patches.
Automate. Configure Windows Autopatch for ring-based deployment, enable hotpatch updates on eligible devices, and set Microsoft 365 Apps servicing profiles. Enable expedited updates so you can respond to critical vulnerabilities quickly.
Enforce. Pair compliance policies with Conditional Access. Make being current a condition of access to corporate data.
Monitor. Review the dashboard weekly. Investigate deployment failures promptly and deploy proactive remediations to clear blockers.
Communicate. Share dashboard trends with security leadership and application owners. When stakeholders see the data, update compliance becomes a shared priority, not just an IT burden.
Evolve. Revisit your deployment rings, deferral windows, and compliance thresholds quarterly. Use failure patterns from the dashboard to refine your approach and evaluate Windows Autopatch for a fully managed experience that scales with your organization.

Every day a device remains out of date is potential exposure to unnecessary vulnerabilities. Intune gives you the tools, and now the visibility, to get current, stay current, and defend your organization at the speed the threat landscape demands.

Closing

Reducing exposure starts with knowing where you stand. The security update status dashboard in Intune provides a single place to understand update status across Windows devices and Microsoft 365 Apps, helping you identify lagging systems and prioritize action.

Make the dashboard part of your regular operational rhythm: review it, act on the gaps it surfaces, and track progress over time. With the right visibility and tooling, staying current becomes repeatable - not reactive.

Feature availability varies by license. Learn more about plan details and requirements here.

Read the latest Microsoft Security blog to learn how turning AI‑driven discovery into protection at scale can help secure your estate in an AI‑driven threat landscape.

Get started with Microsoft Secure Now for guidance in assessing risk and take recommended actions.

Migrating Frontline Mobile Devices: Understanding the reality of your estate

Intune_Support_Team — Wed, 15 Apr 2026 21:04:35 GMT

By: Carol Burns - Principal Product Manager | Microsoft Intune and Sucheta Gawade, Microsoft MVP (Azure & Security / Intune)

Practitioner perspective from Sucheta Gawade, Microsoft MVP (Azure & Security / Intune), with deep experience in secure frontline mobility, including regulated healthcare environments.

Frontline devices have evolved from a small set of task-specific tools into the way day-to-day work gets done. As new workflows, apps, locations, and teams get added over time, device estates expand quickly, making it harder to maintain consistency and visibility.

For many organizations, the reality of the estate isn't easy to keep track of. Devices may have been purchased locally, inherited through acquisitions, shared across teams, or left unused in lockers. They may be repurposed for new workflows or kept running far longer than originally planned.

This creates a gap between what teams think they have, how they expect devices to be used, and what happens in the field.

“Frontline estates aren’t complex because teams don’t care, they’re complex because operations evolve faster than governance.” -Sucheta Gawade, Microsoft MVP

If teams don’t close this gap early, it tends to show up during pilots and cutover: devices fail in real conditions, frontline teams revert to workarounds, and the migration slows down through rework, exceptions, and avoidable disruption.

To understand the estate, teams need to start by determining what the business needs devices to do and not just who happens to use them.

Start with what devices need to do

While some devices are assigned to individual users, many are shared across shifts, used for specific tasks, or operate without a fixed user at all.

Designing a migration around users or roles can obscure what really matters: the job the device must perform, when it must be available, and the impact if it isn’t.

Anchoring on business needs helps teams:

Focus on outcomes rather than ownership models
Simplify stakeholder conversations
Make clearer tradeoffs, when required, around user experience, productivity and security

One simple way for teams to gather this information is by mapping business tasks to what devices must reliably do.

Business Task	What the device must do	When it must work	Impact if unavailable
Take payment for goods	Run secure POS applications	Store open hours	Lost revenue
Pick inventory	Scan bar codes quickly and accurately	During shifts	Orders delayed
Document patient observations	Capture and submit clinical data	During care delivery	Delayed or incomplete care

This framing applies equally across retail, healthcare, manufacturing, transport, logistics and utilities. It creates a shared language between IT, operations, and security - one that is grounded in business impact rather than tooling.

Once business needs and intended device usage are clear, the next step is understanding how those devices support frontline work day to day.

Understand how devices are used in practice

Frontline usage patterns often diverge from what business owners and IT expect. Devices may be shared across shifts or used by alternate users. They may also be repurposed to support new workflows or kept running beyond their intended lifecycle, all without IT or executive oversight.

These gaps are best identified by partnering with operational and business owners to validate real-world usage through quick workflow walk-throughs, targeted questions, and a review of how devices are accessed and supported day-to-day. Some helpful questions:

How are devices shared?
When are they offline or unavailable?
What workarounds exist to keep critical tasks moving?

It’s also critical to confirm whether corporate-assigned devices have been used for personal activity. Personally used devices may also be treated as work devices, whether authorized or otherwise. This affects wipe and re-enroll decisions because personal use can introduce data retention, user impact, and acceptance risks.

Intended usage	Actual observed use	Notes/Workarounds
Assigned device	Shared across the shift	Shared credentials used
Always connected	Intermittent Wi-Fi	Offline workarounds
Single-app device	Multi-app usage	Local exceptions for multiple apps

This is also where identity assumptions surface, particularly in environments where devices are shared but access shouldn’t be.

“Identity reality matters: shared devices should not mean shared credentials. Migration is often the right moment to address this. Otherwise, teams simply re‑platform the same risks.” -Sucheta Gawade, Microsoft MVP

Teams often uncover important dependencies at this stage. For example, some frontline workflows rely on constant connectivity, while others must function reliably in low‑bandwidth or offline conditions. Similarly, older operating systems or unsupported device models may still be in active use because replacing them has operational or budgetary implications.

Understanding these realities early helps teams avoid designing for ideal conditions that don’t exist in the field.

Ground plans in device inventory

Inventory is most valuable when it supports planning decisions, not when it aims for completeness. For frontline migrations, teams need decision relevant information rather than a perfect asset register.

Understanding how devices are procured and funded across the organization is important. For example, whether devices are purchased centrally through IT or sourced locally by business/departments. Procurement paths often explain why inventory is fragmented and help determine who owns refresh cycles, warranties, and enrollment readiness.

At a minimum, this includes:

Device types and OEMs
OS version ranges and supportability
Whether devices are active, dormant, or missing
How devices align to business-critical tasks
Where specialist or certified devices are required such as intrinsically safe or ruggedized devices

This helps surface ecosystem considerations early:

Are required apps and services supported on the OS versions in use today?
Do OEMs still support the hardware?
Do environment constraints affect enrollment, updates, or day‑to‑day operation?

These questions are not about selecting solutions yet. They’re about understanding constraints that will shape options later.

With business needs understood, usage patterns mapped, and inventory validated, teams are ready to start designing approaches that work in frontline conditions.

Migration is also a good opportunity to plan for standardization and set a future procurement standard. Even if you migrate the current estate as-is, defining an approved OEM or model catalog for future purchases improves consistency. It can also accelerate troubleshooting and strengthen lifecycle governance as devices reach end of support.

What we’ve learned

The key lesson is simple: validate reality before designing anything.

Teams that invest time here:

Reduce rework during pilots
Avoid late‑stage surprises
Have stronger conversations with operational, security, and platform stakeholders

“We don’t declare success at enrollment. We declare success when a frontline workflow can run end-to-end with predictable support.” -Sucheta Gawade, Microsoft MVP

In future articles, we’ll look at how these insights shape design decisions. In the meantime, we’re interested in hearing what gaps you’ve uncovered between intended and actual device usage in your frontline environments. Leave a comment below or reach out on X @IntuneSupportTeam.

Create historical reports using Azure Log Analytics and Microsoft Intune diagnostic data

Intune_Support_Team — Tue, 07 Apr 2026 23:27:45 GMT

By: Janusz Gal – Sr Product Manager | Microsoft Intune

Azure Log Analytics gives Intune admins a flexible way to create custom reports from diagnostic data, especially when you need longer history or tailored calculations that go beyond what the Microsoft Intune admin center’s built-in reports provide. By using the Intune diagnostic data you’re already collecting, you can customize reporting for your organization’s unique requirements. In this post, you’ll walk through the steps to create a 30-day device compliance trend report. The resultant report can be run automatically, used in dashboards, or even further customized for a longer period or with additional data.

Before we begin, if you haven’t configured a Log Analytics workspace in your tenant, review the following detailed information on the pre-requisites and costs on Microsoft Learn: Route logs to Azure Monitor using Microsoft Intune.

In the Microsoft Intune admin center, navigate to Reports > Diagnostic settings, and add a new Diagnostic setting policy to send data to a Log Analytics workspace.

Figure 1 Reports > Diagnostic settings, used to configure new or existing diagnostic settings.

For a device compliance trend report, ensure the Devices log category is selected:

Figure 2 Reports > Diagnostic settings > Selected configuration; Devices log selected.

After configuring the setting, navigate to Reports > under Azure monitor, Log Analytics.

Figure 3 Reports > Log Analytics; used to query log Analytics workspaces.

In the New Query window, enter the following query:

IntuneDevices | where TimeGenerated > ago(30d) | summarize Total = count(), Compliant = countif(CompliantState == "Compliant"), NonCompliant = countif(CompliantState == "Noncompliant"), InGracePeriod = countif(CompliantState == "InGracePeriod"), NotEvaluated = countif(CompliantState == "Not Evaluated" or CompliantState == ""), ConfigManager = countif(CompliantState == "ConfigManager") by bin(TimeGenerated, 1d) | extend ComplianceRate = round(100.0 * Compliant / Total, 2) | order by TimeGenerated asc

This query will return daily device compliance trends over the past 30 days, from the IntuneDevice table.

Figure 4 Reports > Log Analytics; results after running query.

Select Chart > Chart type > Stacked Area to show a visual of the trending device state over time.

Figure 5 Reports > Log Analytics > Chart > Stacked Area.

If you’d like to create other reports but aren’t sure of the schema, one trick you can use is to run the following query in the above Log Analytics workspace to get all the column names:

IntuneDevices | getschema

Then to get all the values from those columns, you can modify the query to return the distinct values from a specific column such as CompliantState:

IntuneDevices | distinct CompliantState

Now that you have the query created in Log Analytics, you can save it to run anytime, pin it to a dashboard, or even create a new alert rule to let you know if compliance has gone below a certain threshold.

To pin it as a dashboard, on the Query pane select the ellipsis (…) > Pin to > Azure dashboard.

Figure 6 Reports > Log Analytics; pin query to dashboard flow.

Then select the dashboard you’d like to use.

Figure 7 Reports > Log Analytics; select dashboard to pin.

Once pinned, simply navigate to Dashboard within the Intune admin center, and you’ll see the query pinned on the selected dashboard.

Figure 8 Dashboard showing Log Analytics query.

To show more than the past 24-hours, select the Customize Tile button and select Override the dashboard time settings at the tile level, with Timespan set to Past 30 days.

Figure 9 Dashboard > Selected Query > Customize Tile button.

If you’d like to always see the data in a chart form, select the edit icon on the pinned dashboard item and append the following to the end of the query:

| render areachart with (kind=stacked)

Figure 10 Dashboard > Selected query > Edit > modified query to show chart.

After clicking Apply, the dashboard shows the following:

Figure 11 Dashboard showing updated historical device compliance query as a stacked area chart.

You’ve now seen end-to-end how to turn Intune diagnostic data into a 30-day device compliance trend report with diagnostic data and Log Analytics. From here, the next step is to operationalize it - save the query, extend the timeframe, join in additional diagnostic tables, or set an alert so you’re notified when compliance drops below your threshold. Better yet, see if you can pick one reporting gap your team is living with today and build it using this pattern. With the right tooling, Intune data can be shaped into views and insights that reflect your organization’s unique needs.

Let us know if you have any questions by leaving a comment below or reach out on X @IntuneSuppTeam!

Migrating frontline mobile devices: A frontline-first approach to moving to Microsoft Intune

Intune_Support_Team — Mon, 30 Mar 2026 17:52:54 GMT

Frontline organizations consistently tell us that unified management is the goal but the challenge is getting there without disrupting day-to-day operations. Smartphones, Android handhelds, rugged scanners, and shared tablets now sit at the center of how retail stores run, how clinicians deliver care, how supply chains move, and how field workers’ complete work. These devices are mission critical, and any disruption is immediately felt on the ground.

To strengthen security, reduce costs, and simplify operations, many IT architects and administrators are now evaluating or planning to move to Intune.

This new series, “Migrating Frontline Mobile Devices - is designed to help. We’ve worked side by side with frontline customers, observing what works, where projects stall, and how small decisions early on can dramatically improve outcomes later. The articles in this series distil those lessons into practical guidance for teams who are considering, planning, or actively migrating devices.

Frontline devices serve different needs and follow different operational rhythms than knowledge worker devices. Frontline migrations aren’t the same as standard knowledge-worker migrations and treating them as such often leads to operational problems or rollout delays.

This article explains what the difference means in practice and how it shapes planning for successful frontline migrations.

Why failures hurt more on the frontline

A failed knowledge worker enrollment is an inconvenience. A failed frontline device enrollment or non-functioning device can affect revenue, disrupt essential services, and in some industries compromise safety. When a device is unavailable, critical work halts immediately:

Pickers can’t complete scanning tasks
Cashiers can’t take payments
Health practitioners can’t document or prescribe care
Drivers can’t dispatch
Production lines stop
Workers can’t perform required safety or compliance actions

What we’ve learned: Frontline migrations must be coordinated with business and operational leaders; store managers, shift supervisors, clinical leads, and supply chain teams because they decide what is required and when devices can be taken offline.

Why mobile frontline device migrations are different

The operational impact of failure is higher on the frontline because frontline devices operate in very different environments to knowledge worker devices.

Knowledge worker devices usually run in stable, well understood environments with known device catalogues, predictable lifecycles, assigned users, and steady connectivity.

Frontline devices operate in conditions that introduce unique design and migration challenges. The environments they run in directly affect how and when a device can be enrolled or updated. Devices may run in low bandwidth or intermittent connectivity environments, making enrollment flows and policy delivery harder to complete reliably. Some operate in high-risk industrial or clinical settings where devices can only be taken offline during narrow operational windows. Others return to charging racks between shifts, meaning migrations must align with shift changes rather than user availability. Many run in kiosk or locked task modes tied to a single workflow, so even small configuration changes can disrupt critical tasks if not planned carefully.

These environmental and operational realities show up across the entire device lifecycle from provisioning to updates to support. To make the differences clearer, here’s a concise comparison of frontline and knowledge worker devices:

Category	Frontline devices	Knowledge worker devices
Devices	Smartphones, handhelds, rugged devices, scanners, wearables, tablets	Laptops, desktops, smartphones
OS and patch posture	Often older versions; inconsistent patch levels due to operational constraints	Typically, current OS or N-1; regular security patching cycles
Ownership	Shared, shift-based or individually assigned depending on role	Individually assigned
Network conditions	Variable, often constrained	Generally stable
Provisioning	Zero-touch essential	User-led viable
Updates	Highly controlled	Standard update cycles
Apps	Task-specific, time-sensitive updates	Broad, less time critical updates
Workflow impact	Operationally critical	Productivity-focused
Typical usage scenarios	Point-of-sale, healthcare, barcode scanning, delivery routing, inventory checks	Email, productivity tools, collaboration, creative workflows
Failure impact	Immediate operational issues	Localized user disruption

Standard knowledge worker migrations are designed for predictable conditions such as consistent users, steady connectivity, current OS levels, and a governed device lifecycle. Frontline fleets rarely match this baseline, so their migrations require planning and design that reflects actual device state and use.

A migration is a design moment, not just a technical step

A migration offers an opportunity to reassess business needs, tighten governance, simplify and modernize app delivery, and confirm assumptions about how devices are used. It’s also a chance to raise your frontline security, aligning devices with Zero Trust principles.

In successful frontline migrations: Teams build in time for design, evaluation, and piloting. Early alignment across stakeholders supports smoother execution and reduces the risk of disruptive rework later.

Understand your estate before designing the migration

Frontline migration projects always reveal something unexpected. Common patterns include:

Mixed iOS/Android versions and multiple original equipment manufacturers (OEM) such as Samsung, Zebra, Honeywell, Apple and more.
Devices running outdated OS versions or custom OEM images.
Devices that haven’t checked in for months, often sitting unused in cabinets.
App delivery paths reliant on sideloading or site specific packages with no update mechanism.
Multiple active mobile device management (MDM) systems inherited through acquisitions or decentralized teams.

Most migration issues that appear later in the project can be traced back to decisions made before anyone understood what existed in the field, how devices were being used, or what the business needed them to do in the future.

What we’ve learned: Migration success improves dramatically when teams validate device inventory, usage patterns, and business requirements before choosing an enrollment method and designing configuration profiles. Real-world data turns assumptions into facts and avoids costly rework.

Plan for identity – even if devices don’t use it today

Many frontline devices run with shared logins or no user at all. Intune fully supports these scenarios, but identity gaps - shared credentials, app only authentication, and managed access patterns - often emerge over years of organic growth. These gaps can show up during migrations as both user experience issues and security risks.

What we’ve learned: Even if you’re not ready to modernize frontline identity or introduce Microsoft 365 tools for workers, consider laying out the foundation. Mapping which users or roles should have identities, simplifying and securing access, and aligning devices to Microsoft Entra foundations will future proof your estate.

What’s coming next in the series

This series will explore the areas that consistently shape successful frontline mobile migrations the steps, patterns, and design decisions that matter most in real frontline environments. Over the coming weeks we’ll cover themes such as:

Understanding your frontline estate - what exists today, how devices are used, and the realities that shape migration decisions
Designing for frontline conditions - identity foundations, shared device patterns, kiosk considerations, and reliable enrolment flows
Designing for frontline device scenarios - single user, shared, rugged, kiosk, and high-risk operational models
Consolidating to a single Intune tenant - simplifying governance, policies, and operating models
Getting the ecosystem right - apps, connectivity, certificates, and the infrastructure dependencies that influence reliability
Executing the migration safely - pilots, phasing, cutover windows, and planning for 24/7 operations
Life after migration - monitoring, support readiness, and ongoing operational ownership

We’ll share practical guidance, common friction points, and patterns we’ve seen work across industries.

Future articles will include perspectives from Microsoft Product Managers and community experts with hands-on experience managing large scale frontline device estates. Look out for the next article in the series - Understanding the reality of your estate.

We’d love to include your perspective. If you have questions, scenarios, or experiences you want this series to address, share them in the comments below to help shape the upcoming articles, or reach out to us on X @IntuneSuppTeam.

Our goal is simple: To help you migrate frontline mobile fleets to Intune without disrupting the business.

Best practices for securing Microsoft Intune

Intune_Support_Team — Sat, 14 Mar 2026 22:31:16 GMT

Microsoft Intune gives IT and security teams a powerful way to manage endpoints at scale - deploying apps, enforcing security baselines, and configuring the settings that keep users productive and your organization protected. That’s why strong admin protections matter, so the right people can make the right changes, in the right scope, with the right safeguards.

In this post, we’ll walk through three practical approaches to strengthen Intune protections:

Start with least-privilege, designing roles around real admin jobs
Embrace phishing-resistant authentication and privileged access hygiene, leveraging Microsoft Entra capabilities to reduce account and token compromise
Enable Multi Admin Approval in Intune for sensitive changes

Below we outline how to put each approach into practice.

1) Start with least-privilege: design roles around real admin jobs

Least-privilege works best when it’s grounded in how your team operates. As a best practice, don’t grant more administrative access than a role truly needs. In Intune, role-based access control (RBAC) lets you tailor permissions and scopes so teams can run day-to-day operations with the minimum set of permissions required, nothing more. Microsoft Entra ID roles that have access to Intune, such as Global Administrator and Intune Administrator, are considered privileged roles with broad permissions in Intune. The use and assignment of privileged roles should be limited and not used for daily administrative tasks within Intune.

Least-privilege is about limiting both the actions an admin can take and the users/devices those actions can be applied to. In Intune RBAC, scope tags enable you to constrain an admin’s visibility and actions to a defined set of users and devices - for example, only the devices assigned to a specific region, business unit, or platform team. When implementing RBAC policies, limit both the actions and users/devices an admin has permissions over.

Call to action: Treat Intune administration as a set of job-specific roles, not a blanket entitlement.

Inventory who has Intune Administrator, Global Administrator, or other high-impact roles, then remove broad assignments that don’t map to a named job function.
Leverage Intune built-in role definitions for common personas (Help Desk Operator, Application Manager, Endpoint Security Manager, Read Only Operator) and standardize assignments. Create custom roles for ultimate least-privilege control.
Implement scoped administration (scope groups and scope tags) for business units, regions, or platform teams, and validate that admins can only affect resources within their assigned scope.
Adopt time-bound privilege elevation such as Microsoft Entra Privileged Identity Management (PIM) for admin roles and require reauthentication on elevation and sensitive operations.

2) Embrace phishing-resistant authentication and privileged access hygiene

The security objective is straightforward: privileged access should be hard to obtain and hard to reuse. Microsoft Entra ID capabilities (Conditional Access, phishing-resistant multifactor authentication (MFA), risk signals, and privileged access controls) provide the policy engine that governs who can administer Intune, from where, and under what conditions.

Call to action: Every privileged Intune action (Intune RBAC Role Management, device wipe, script deployment) should require strong, policy-verified sign-in, not just a password.

Create Conditional Access policies dedicated to privileged roles and admin portals (Intune, Microsoft Entra, and related admin endpoints): require phishing-resistant authentication only, require a compliant device, challenge high-risk users or sign-ins, and restrict access by location or trusted network where feasible. Reduce or eliminate policy exclusions.
Eliminate standing access by using Microsoft Entra Privileged Identity Management to assign time-bound roles based on conditions and approval steps, including restricting access to who can administer and assign permissions to apps.
Move privileged accounts to phishing-resistant authentication methods and disable weaker methods for those accounts and through policy (see Plan a phishing-resistant passwordless authentication deployment).
Establish privilege admin workstations with higher security baselines and use them for Intune high privilege admin accounts.
Operationalize your token theft response plan by investigating risky sign-ins and unusual admin activity in Microsoft Defender XDR with signals from Microsoft Entra, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoints.
Adopt a defense‑in‑depth strategy to reduce the risk and impact of token theft (see Protecting tokens in Microsoft Entra).

3) Multi-admin approval in Intune for sensitive changes

Multi Admin Approval introduces a practical governance control: selected Intune changes require a second authorized admin to review and approve before deployment. This is enforced for both Intune admin center actions and actions performed through Intune APIs. Multi Admin Approval reduces the risk that a single action can result in tenant-wide impact.

Call to action: Require a second approval for high-impact Intune workflows (such as Intune RBAC role management, device wipe, and script deployment) to add an additional safeguard and help contain potential tenant wide impact.

Decide which change types require approval - start with high-impact changes such as Intune RBAC role management and device wipe. Then, add access policies for changes that affect authentication, compliance, security baselines, or broad assignment scopes.
Define approver roles and coverage (who can approve, SLAs, and what happens during incidents).
Document an emergency/break-glass path with explicit post-change review, so speed doesn’t erase governance.

How these measures add up to strong administrative protections

When combined, these practices help you shift from relying on “trusted administrators” toward building a more protected administration by design: least-privilege to contain impact, Microsoft Entra-based controls to ensure users are trusted and are who they say they are, and multi-admin approval to govern the changes that matter most. These practices help organizations advance safer speed, clearer separation of duties, stronger audit readiness, and more resilient endpoint operations.

If you’re looking for a place to start, here are a few quick steps: start with a quick wins pass - inventory broad, standing Intune role assignments and replace them with least-privilege RBAC roles; enforce Conditional Access and adopt phishing-resistant multifactor authentication for all admin scenarios; and place Intune RBAC role management, device wipe, script deployment behind multi-admin approval.

Rethinking “Allow my organization to manage my device” Why opt‑in enrollment works better for Intune

RamyaSharma — Wed, 11 Mar 2026 21:18:54 GMT

By: Ramya B Sharma – Senior Software Engineer | Microsoft Intune

A new public preview feature in Microsoft Intune, we’ve introduced a toggle that allows admins to block automatic mobile device management (MDM) enrollment during the modern app sign-in flow on Windows. This enhancement directly responds to frequent customer requests for greater control over device enrollment, specifically the ability to prevent automatic MDM enrollment on Windows devices during app sign-in.

While Microsoft Entra generally recommends automatic enrollment by default, most Intune customers - especially those supporting bring your own device (BYOD), mixed ownership, or multi-tenant access scenarios - benefit from an opt-in enrollment model instead.

Recommended best practice

Keep “MDM user scope” set to All so enrollment is available when needed, but configure the new toggle “Disable MDM enrollment when adding a work or school account on Windows” to Yes so MDM enrollment is not automatically selected by default during app sign in. This ensures devices are enrolled into Intune only through intentional enrollment flows, reducing accidental enrollments, support burden, and difficult recovery scenarios. Learn more:

Automatic MDM enrollment in the Intune admin center.

Why this matters

For years, Windows users signing into work or school apps have been presented with:

“Allow my organization to manage my device.”

In most environments, this option was selected by default or clicked through without full understanding. That single action could result in:

Microsoft Entra device registration
Automatic Intune MDM enrollment
Immediate policy application to the device

For IT teams, this often led to:

Unintended device enrollments
Personal or BYOD devices becoming fully managed
Difficult unenrollment and recovery experiences

The new public preview toggle directly addresses these long‑standing issues.

How the modern app sign in enrollment flow works

When a user signs into a Microsoft work or school app on Windows, Windows may start a device registration flow. Historically, if:

Automatic enrollment was enabled, and
The user was in the MDM user scope

Then registration could immediately turn into full MDM enrollment, even though the user only intended to sign into an app.

What the new toggle changes

The new setting“Disable MDM enrollment when adding a work or school account on Windows”:

Allows account registration
Stops the flow before MDM enrollment
Removes the “Allow my organization to manage my device” screen from the app sign-in flow
Preserves intentional enrollment paths

Important: This setting applies to modern app sign in flows, not Windows settings–based enrollment.

Allowing enrollment versus forcing enrollment

This distinction is critical.

Allowing enrollment:

MDM user scope is configured to “All” or “Some”
Enrollment is available when needed
Devices enroll through deliberate flows

Forcing enrollment

Enrollment triggered implicitly
App sign in becomes an enrollment decision
Users may not realize the device is managed
Recovery is harder later

The new toggle lets organizations separate these behaviors.

Impact across common Windows enrollment scenarios

Scenario	Default behavior	Opt-in recommended behavior
BYOD / personal devices	High risk of accidental enrollment	App access without device takeover
Microsoft Office / Teams sign in	May initiate MDM enrollment	No MDM enrollment unless user chooses
Microsoft Entra hybrid join (corporate)	Microsoft Entra joined	Microsoft Entra joined
Windows settings enrollment	MDM enrollment	MDM enrollment
Windows Autopilot / provisioning	MDM enrollment	MDM enrollment

Security and governance benefits

Opt-in enrollment supports:

Least surprise
Explicit consent
Cleaner BYOD posture
Safer break glass scenarios
Reduced support escalations

It also aligns well with Conditional Access and app level protection strategies.

When to use the default behavior

Default automatic enrollment may still be appropriate for:

Fully corporate owned device fleets
Locked down environments
Dedicated provisioning scenarios

The key is that it should be a conscious decision, not an accidental one.

Summary

In conclusion, for most organizations, the modern best practice is:

Allow enrollment everywhere - require intent.

Using the new Intune toggle to make enrollment opt-in during app sign in reduces risk, improves user trust, and simplifies the device lifecycle - without sacrificing Intune’s management capabilities.

Recommended reading: For a concrete example of the end‑user experience with this model, see Step 6: Understand Microsoft Edge for Business End User Experience for Windows, which walks through how opt‑in enrollment and app‑level management are presented to users in Microsoft Edge for Business.
Understand Microsoft Edge for Business End User Experience for Windows.

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam!

How to enable HTTPS support for Microsoft Connected Cache for Enterprise and Education

Intune_Support_Team — Thu, 09 Apr 2026 02:38:29 GMT

By: Aditya Middha | Product Manager 2 - Microsoft Connected Cache

Starting on June 16^th, 2026, or soon after, Intune will enforce HTTPS content delivery for customers using Microsoft Connected Cache for Enterprise and Education. To continue using Microsoft Connected Cache to localize Intune Win32 app downloads and reduce the bandwidth impact on your network, you’ll need to configure HTTPS on Connected Cache nodes. Without this configuration, devices will still fetch the requested content, but they’ll fall back to the Content Delivery Network (CDN) and lose the performance and bandwidth savings that Microsoft Connected Cache provides.

This guide assumes you have already deployed a standalone Microsoft Connected Cache node in your environment. If not, please see the Create and configure Microsoft Connected Cache nodes page.

By the end of this walkthrough, you’ll be able to:

Prepare the TLS certificate that your Connected Cache needs
Enable HTTPS support on both Windows and Linux‑based Microsoft Connected Cache servers
Validate that HTTPS is working end‑to‑end
Diagnose the most common setup issues

This guide mirrors the workflow described in Microsoft Connected Cache’s public documentation. For further explanation of what HTTPS support changes for Microsoft Connected Cache review HTTPS Support for Microsoft Connected Cache Overview, then proceed to Configure HTTPS on Windows or Configure HTTPS on Linux.

Step-by-step: Enabling HTTPS support

To keep this walkthrough easy to follow, the screenshots and command examples use a simple, reproducible environment that matches what most admins will see during their first HTTPS configuration. In this guide, the examples are based on:

A single Connected Cache node deployment
Windows 11, using a local user runtime account
Public certificate authority (CA)-signed TLS certificate

This baseline environment is only meant to make the screenshots and file paths predictable. Your own environment may look different, and that’s completely fine. Many customers run Microsoft Connected Cache on:

Linux (Ubuntu or RHEL)
Windows Server 2022 or Windows Server 2025
Networks with outbound restrictions

Most of the workflow is identical across these variations. The folder structure, log locations, and command flow will look nearly the same on any Windows host. If you’re running Microsoft Connected Cache on Linux, the workflow is the same, but simpler—bash scripts are ran directly instead of being invoked through PowerShell.

If your environment includes proxies, make sure all required endpoints are allowed.

Before you start

Before generating a certificate signing request (CSR) or importing a certificate, there are a few quick checks to make sure your Connected Cache server can enable HTTPS successfully.

First, visit the “Cache Node Management” tab on Azure portal. Under the “Software Version” column, verify that your cache node is running on software version 2.0.0.2112 or higher. If not, you will need to reinstall Connected Cache.

Next, confirm the hostname or IP address your client devices use to reach your Connected Cache node—this value will be configured when you generate the CSR. Also, ake sure port 443 is free on the host; Microsoft Connected Cache needs to bind to it.

Finally, if your network performs TLS-inspection, ensure the required endpoints are allowed. Intercepted HTTPS traffic will cause devices to reject Microsoft Connected Cache’s TLS certificate, even if everything else is configured correctly.

Once these checks are done, your node is ready for the HTTPS workflow: generate the CSR on your Connected Cache host machine, sign it with your CA, and import the resulting certificate.

For more details, refer to the documentation: HTTPS on Windows Prerequisites.

1. Generate a CSR

The first step in enabling HTTPS support is generating a CSR directly on your Microsoft Connected Cache node. This step cannot be skipped. Microsoft Connected Cache must create the CSR itself so it can generate and retain the private key that will later be paired with your signed certificate during TLS negotiation.

When configuring the parameters for the generateCsr script, the most important values to get right are the Subject and SAN. These must match exactly how your managed client devices connect to your Connected Cache node. If the client devices use FQDN, include that FQDN; if they connect via IP, include that IP. A mismatch here won’t break CSR generation, but it’ll cause clients to bypass Microsoft Connected Cache later since they won’t trust the certificate during the TLS negotiation.

For parameter configuration guidance on your specific environment, review these documented scenario-based parameter examples.

After parameter configuration, you will need to locate the Installer scripts directory, the same as when you installed Microsoft Connected Cache originally. You can move directly to this path by running the following command in your terminal:

Push-Location (deliveryoptimization-cli Microsoft Connected Cache-get-scripts-path)

Once in the correct folder path, run the generateCsr command with your configured parameters. Running the command launches the CSR generation workflow inside the Microsoft Connected Cache-managed Windows Subsystem for Linux (WSL) distribution. The terminal output shows exactly what Connected Cache is doing: where it stores certificate files, where logs are written, which WSL distribution is being used, and the final location of the generated CSR. You’ll also see that Microsoft Connected Cache runs the CSR generation as a scheduled task inside WSL—this is expected and part of the normal flow.

For example:

This output confirms that Microsoft Connected Cache:

Validated the CSR request
Passed the Subject (Common Name) and SAN values to the internal script
Generated the private key and CSR, stored both inside the container
Wrote logs to the \Certificates\logs folder
Created the CSR file in the Certificates folder

When the process completes, you’ll see the timestamped CSR written to the Windows-side certificates folder (…\Certificates\certs). This is the file you’ll submit to your signing CA:

Troubleshooting:

Every time you run generateCsr, Microsoft Connected Cache writes a full log to a directory that ends with …\Certificates\logs. The terminal output shows you the exact path, and you can always return to this folder if you need to understand what happened during CSR generation. If you do need to troubleshoot, start by opening the most recent log file.

The generateCsr log provides a detailed trace of each step. The following lines are checkpoints (in order) that you can look for in the more extensive log output:

“Algorithm validation passed / CSR name validation passed” - Microsoft Connected Cache accepted your inputs and is ready to generate the CSR.
“Subject Components: … / SAN Components: …” - Microsoft Connected Cache will embed these values into the CSR. If these don’t match your Connected Cache server hostname or IP address, regenerate the CSR.
“Attempting to call http://localhost:5000/csr” - Microsoft Connected Cache internal controller is generating the keypair and CSR inside the WSL container.
“Key verification succeeded” - Microsoft Connected Cache successfully generated and validated the private key.
“CSR verification successful” - OpenSSL has validated the CSR structure.
“Successfully copied logs to windowsCerts location” - The logs were written to the host machine directory.
“CSR generation completed successfully” - Completed end-to-end successfully.

One thing to be aware of: during a successful run, you may still see messages like:

mkdir: cannot create directory '/keys': Permission denied chmod: cannot access '/keys': No such file or directory

These are not errors.

The script checks for required folders before creating them, and if they already exist, those checks generate harmless warnings. As long as the script finishes with a success message and you see a .csr file in the certs folder, the run is successful.

2. Sign the CSR

This step occurs outside of the scope of Microsoft Connected Cache. Signing your CSR will rely on the PKI that your organization has chosen to use. This may include an internal ADCS, other enterprise internal PKI, or an externally hosted PKI (DigiCert, Let’s Encrypt, etc.). Of note, Cloud PKI will not work with Connected Cache because it requires the CSR be generated via SCEP before signing.

Ensure that your client devices will be able to trust the CA signature. For many customers, we recommend signing using a public CA that Windows client devices automatically trust. Please reference documentation on signing the CSR for more details.

The only requirement on the Connected Cache side is that the certificate is in unencrypted .crt format. Microsoft Connected Cache cannot import password-protected certificate formats yet - including .pfx bundles - even if they contain the correct certificate. For now, make sure your signing CA gives you, or allows you to export, a plain X.509 .crt file.

After your CA signs the CSR, you’ll import the resulting certificate back to Microsoft Connected Cache. With the signed certificate in hand, place it in the same certs folder where your CSR was generated. Microsoft Connected Cache expects both files to live together so it can pair the returned certificate with the private key created earlier. A successful setup in the folder directory looks like this:

If the certificate exists in the Certificates folder in .crt format, you’re ready to continue. Note: The CSR and .crt certificate do not have to have the same name.

3. Import the certificate back to Microsoft Connected Cache

Before importing your certificate, remember that the CSR must have been generated on the same Microsoft Connected Cache node. You cannot skip directly to importing a certificate - Microsoft Connected Cache must have created the private key during CSR generation so it can pair the signed certificate with that key.

After configuring the parameters referenced in the documentation to import the signed TLS certificate, run the importCert command from the same scripts directory used during CSR generation.

When you start the import, Microsoft Connected Cache runs a full verification workflow inside its managed WSL distribution. The terminal output for this step is intentionally simple—it shows only that the certificate file passed basic validation, that the internal import script was invoked, and that the import is running as a scheduled task within the WSL distribution. You’ll also see that logging is active and that Microsoft Connected Cache has begun monitoring the process:

Although the terminal output is brief, the full workflow is visible in the import logs. A successful import means Microsoft Connected Cache:

Found your .crt file in the expected folder
Ran cryptographic verification confirming the certificate, CSR, and private key all match
Copied the certificate into the container and updated Microsoft Connected Cache internal configuration
Restarted the container with the new certificate
Enabled HTTPS for Microsoft Connected Cache’s Intune content endpoints

Once these steps are complete, Microsoft Connected Cache is fully configured to serve HTTPS content. You usually won’t see new files added to the Windows certs folder after import as the changes occur inside the Connected Cache container. The final validation that import is successful is if the script exits successfully and the logs show that Microsoft Connected Cache restarted with the new certificate in place.

Troubleshooting

Troubleshooting certificate import is similar to troubleshooting CSR generation: every run produces a detailed log in the ...\Certificates\logs folder. If import fails, these logs will show exactly which step did not complete. At this stage, SAN or hostname mismatches do not show up; those only appear later during client-side validation.

The importCert script only ensures that your certificate, CSR, and private key match (stored inside container, not visible from Certificates folder) and that Microsoft Connected Cache can load them.

To help interpret the log, below are the checkpoints you can reference (in order):

“Certificate file validation passed” - Microsoft Connected Cache found the .crt file in the certs folder and its .crt format is valid.
“Using CertName: … / CSR being used: …” - Microsoft Connected Cache matched the certificate to the CSR that generated the private key.
“SUCCESS: The CSR, certificate and private key cryptographic materials all match” - Microsoft Connected Cache verified the keypair, CSR, and certificate are a correct trio.
“Nginx restarted successfully with new certificates” - Microsoft Connected Cache is now configured to serve HTTPS on port 443 inside the container.
“Certificate import completed successfully” - The end-to-end import succeeded with no errors.

Once the importCert script succeeds, your node is ready for validation.

Validating HTTPS support end-to-end

Once your certificate is imported, the final step is validating that Microsoft Connected Cache is now serving content over HTTPS. Detailed test commands are all documented in the Validate HTTPS on Windows guide. Complete the tests first on the Microsoft Connected Cache server, then on a client device. This order matters - server-side validation confirms Microsoft Connected Cache is listening on port 443 with its new TLS certificate; client-side validation confirms that client devices can trust and use that certificate.

On your Microsoft Connected Cache server

Start validation on the Microsoft Connected Cache host server. The server side tests include HTTPS and HTTP health endpoint checks that confirm:

Microsoft Connected Cache is successfully bound to port 443
The TLS certificate loaded correctly
The TLS certificate, private key, and CSR all correspond
Microsoft Connected Cache can return its health endpoint over HTTPS

If any of the server-side validation steps fail, check the generateCsr and importCert logs in the …\Certificates\logs folder. The validation guide includes troubleshooting tests that help distinguish whether the issue is certificate-related, connectivity-related, or due to another process on the host.

Only move on to client-side validation once the Microsoft Connected Cache server passes its own tests.

On your client device

After confirming the server is configured correctly, the next stage is validating HTTPS content delivery from a client device that is pointed to use Microsoft Connected Cache. The client-side tests contain both browser-based and command line tests that help verify:

The client trusts the issuing CA
DNS resolves the Microsoft Connected Cache hostname correctly
The device can complete a full TLS handshake with Microsoft Connected Cache
The device is retrieving HTTPS content from Microsoft Connected Cache rather than falling back to CDN

Once both server-side and client side-validation steps succeed, you can be confident that your Microsoft Connected Cache node is fully configured and ready to serve Intune content securely over HTTPS.

Known issues with HTTPS Support Configuration

Most customers will complete the HTTPS workflow without any problems, but there are a few known issues we want to call out proactively.

These issues have been fully addressed with the release of the new Windows-hosted deployment application (v1.0.26.0) for Windows host machines, the new Linux-hosted deployment package (v1.10) for Linux host machines, and the latest GA container release (v2.0.0.2124_e) for all cache nodes.

ImportCert issues on Windows Server 2022/2025 using a gMSA account, and on Windows 11 using a local user runtime account

If your Microsoft Connected Cache runtime account is a Group Managed Service Account (gMSA) on a Windows Server 2022 or Windows Server 2025 host machine, you may see failures when running importCert. In the importCert logs, this can show up as unsuccessful permissions access or indefinite logging.

The same importCert issues can also appear on Windows 11 if you are using a local user as the runtime account.

Status: RESOLVED

Please download Windows-hosted deployment application v1.0.26.0 by running the following command in an elevated PowerShell window:

Add-AppxPackage https://aka.ms/do-mcc-ent-windows-x64

Then you may proceed to re-deploy your Connected Cache node, which will implement the necessary changes.

You can further verify that you are deploying with the correct application version. When run in the terminal, the copied “Cache Node deployment command” given in the Azure portal will run deploymcconwsl.ps1 out of the folder path that looks like:

C:\ProgramFiles\WindowsApps\Microsoft.DeliveryOptimization_1.0.26.0_neutral__8wekyb3d8bbwe\deliveryoptimization-cli

ImportCert hangs on software version 2119_e (buffer bug)

During the week of January 19^th, 2026, we deployed container version 2119_e to all customer cache nodes.
We discovered a bug where the container’s internal buffer is not cleared during importCert, causing the import to run indefinitely. If you see this behavior and your Azure portal shows that your cache node is on version 2119_e, this is likely the cause.

Status: RESOLVED:

On March 3^rd, 2026, we pushed container version 2124_e to all cache nodes on the “Fast Ring” update schedule.

If your cache node is on software version 2119_e today, you can change the update schedule configuration to the “Fast Ring”. Head to the 3^rd tab (“Updates”) of the Cache Node Configuration on the Azure portal and configure the update ring. Container version 2124_e will be pushed to all “Slow Ring” nodes in early April 2026.

If your cache node is still not pulling down container version 2124_e after being configured on the Fast Ring, please reach out to us.

The fixes for these issues have all been validated. Once ready for public release, the latest software version will be pushed to all cache nodes and the updated Windows installer will be available to download in Azure portal. Stay tuned to the Microsoft Connected Cache Release Notes for up-to-date information.

Enabling HTTPS support on Linux hosts

This guide walked through the setup of HTTPS using a Windows-based Microsoft Connected Cache host, since that’s what most customers deploy today. If you're running Microsoft Connected Cache on Linux, the overall steps are the same - generate a CSR on the node, sign it with your CA, and import the resulting .crt file - but a few details differ.

For a Linux-hosted Microsoft Connected Cache nodes, shell scripts handle the entire process, specifically generateCsr.sh and importCert.sh. The Enable HTTPS Support on Linux guide documents these steps in detail, including the exact script parameters, file locations, and how to interpret the Linux-specific logs. The biggest differences on Linux are:

You run the CSR and import scripts directly in bash (no WSL component).
File paths and log locations follow the Linux directory structure (/var/mcc/...).
Check port conflicts, firewall configuration, and TLS inspection using Linux tools (ss, iptables, proxy settings).
Validation steps use Linux equivalents of the server side tests documented in the Windows validation guide.

Maintaining your HTTPS configuration

Once your Microsoft Connected Cache node is serving content over HTTPS, the next thing to plan for is ongoing certificate maintenance. TLS certificates aren’t a onetime import - certificates expire, CA chains change, and your operational process needs to keep up. Microsoft Connected Cache will soon surface certificate details both through a command line script and directly in the Azure portal, but those capabilities are not available yet. Until then, verification and rotation rely on simple checks you perform on the Microsoft Connected Cache host.

Monitoring

The easiest way to monitor your deployment today is to periodically check the Key Metrics chart in the Overview blade of your Microsoft Connected Cache resource in Azure. If Intune content is flowing through Microsoft Connected Cache, that’s a strong proxy signal that HTTPS is healthy.

For the certificate itself, many admins perform a lightweight weekly or monthly review: ensuring the TLS certificate is still valid, not approaching expiration, and still matches the configuration you imported. Re-running the validation tests from our public documentation every so often is also a good way to catch any issues early.

The updated Windows installer, as mentioned in Known Issues, will also have a PowerShell script that displays the status and expiration date of existing TLS certificates.

Renewal

When planning for renewal, we recommend starting at least 60 days before the certificate expires. Renewal is typically straightforward: either reuse the existing CSR (most common) or generate a new one, then have your CA resign it, convert it into .crt format, and test the renewed certificate on a test node if you have one. If your workflow doesn’t include a test Connected Cache node, you can still safely import the renewed certificate on your production node - if import fails, Microsoft Connected Cache simply keeps using the existing certificate until a valid one is applied, so you won’t break your environment.

If your certificate management system has automation capabilities, you can script Microsoft Connected Cache’s certificate renewal workflow as well - for example, by using Secure Shell (SSH) to remotely to run the generateCSR or importCert scripts on the host machine.

For larger or distributed environments, testing the signing and import processes on a non-production node first can help confirm SAN correctness, trust behavior, and chain completeness before touching production.

We are actively working to streamline certificate monitoring and renewal inside Microsoft Connected Cache.

Summary

HTTPS support for Microsoft Connected Cache will soon become a requirement for delivering Intune Win32 apps, and every Microsoft Connected Cache node must be configured for HTTPS by June 16, 2026. After the deadline, Intune Win32 apps will only be delivered via HTTPS. However, all other content – Windows updates, Office apps, etc – will continue to be served via HTTP after the June 16^th enforcement date.

This guide walked through the essentials: generating a CSR on your Microsoft Connected Cache node, submitting it to your CA, importing the signed certificate, and validating HTTPS from both the server and client devices. Along the way, you saw how to interpret the logs, verify Connected Cache is using your certificate correctly, and ensure that Teams and/or Intune content is flowing over HTTPS instead of falling back to CDN.

As you move forward, keep your workflow consistent - regenerate or reuse CSRs the same way each cycle, validate regularly, and renew certificates well before expiration. Even though improvements are coming soon, completing this setup now ensures your environment is ready long before Intune HTTPS enforcement begins. With your certificate in place, HTTPS validated, and a simple renewal process in hand, your Microsoft Connected Cache deployment is prepared for the June 16^th, 2026 deadline and ready to deliver Intune content securely.

FAQs

Do I really need HTTPS Support, and by when?
Yes. All Microsoft Connected Cache nodes serving Intune Win32 apps must deliver over HTTPS by June 16, 2026. If HTTPS isn’t configured, devices will fall back to CDN when requesting Intune win32 apps —content delivery still works, but you’ll lose caching benefits.
Why do I have to generate the CSR on the Connected Cache node?
Since Microsoft Connected Cache must generate and retain the private key itself. Certificates signed from any other machine, keypair, or CSR cannot be imported. The CSR you generate on the node produces the only key that Microsoft Connected Cache will accept.
Can I reuse an existing certificate?
Only if it was originally issued from the CSR generated on the same Microsoft Connected Cache node. If the certificate was created elsewhere (different machine, tooling, or CSR), Microsoft Connected Cache won’t accept it.
Can I reuse my CSR when renewing the certificate?
Yes. Many customers reuse the same CSR each cycle as long as the CA resigns it. Reusing the old certificate output is not supported.
Can I “bring my own certificate”?
Not yet. Microsoft Connected Cache only supports certificates created from its own CSR. Support for bringing an external certificate is coming soon; stay up to date by viewing the latest Microsoft Connected Cache Release Notes
Can I use a wildcard certificate?
Microsoft Connected Cache does not officially support them and they’re not recommended. Wildcards often involve shared private keys across systems, which creates operational and security risks.
What certificate formats does Microsoft Connected Cache support?
Microsoft Connected Cache only supports unencrypted .crt files today. Password protected .pfx or .p12 formats cannot be imported.
What happens if I redeploy Microsoft Connected Cache or the hostname changes?
If the hostname or connection path changes, you must request a new certificate that matches the new SAN parameters. If the hostname stays the same and the certificate came from the Connected Cache-generated CSR, you can continue using it.

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam!

Post Updates:
04/08/26: Updated the “Known issues with HTTPS Support Configuration” section to reflect that previously identified issues have been fully resolved in the latest deployment application and container releases, along with updated guidance for affected cache nodes.

Support tip: Resolve device noncompliance with Mobile Threat Defense partner apps

Intune_Support_Team — Thu, 05 Feb 2026 22:16:46 GMT

Using a Mobile Threat Defense (MTD) solution, such as Microsoft Defender for Endpoint, with Microsoft Intune helps keep your organization’s resources protected and allows you to block devices that aren’t compliant with your organization’s policies.

When an MTD detects a threat or determines that a device is noncompliant the device user will see one of two types of messages indicating:

Install and activate partner app: The device needs the [MTD app] installed and activated to restore access to work or school resources. This message indicates that Intune hasn't received a signal from the [MTD app] the device, or the connection was lost.
Resolve detected threats: The [MTD app] app identified one or more threats on the device. Open the [MTD app] and follow the guidance to resolve the threats before accessing work or school resources.

In this blog, we’ll focus on troubleshooting and resolving the first scenario, where users will need to install and activate the MTD app.

Note: For help resolving threats detected by the MTD app, open the partner app directly on the device for remediation guidance.

Prerequisites

Before you begin troubleshooting, confirm that:

The user device is enrolled in Intune through the Company Portal app.
The user has access to their work or school account credentials.
The device has an active internet connection.

Restore device compliance

Have the user follow these steps to resolve the noncompliance issue and restore access to work or school resources.

Step 1: Install and activate the partner app

If the [MTD app] isn’t installed on the device:

Open the Intune Company Portal app on the device.
Go to Devices and select the device.
Install the required [MTD app] shown in the noncompliance message.
Open the [MTD app] and sign in with your work or school account.
Complete any required setup or activation steps in the app.
Wait up to 30 minutes for the device compliance status to update.

If your device remains noncompliant after 30 minutes, continue to the next step.

Step 2: Refresh the connection

If the [MTD app] is already installed and the user is signed in, the connection between the app and Intune services may need to be refreshed:

Open the [MTD app] on the device.
Sign out of the work or school account.
Sign back in with the same work or school account.
Wait up to 30 minutes for the device compliance status to update.

If the device remains noncompliant after 30 minutes, continue to the next step.

Step 3: Reinstall the MTD app

If refreshing the connection doesn't resolve the issue, reinstalling the app can restore the signal between services:

Uninstall the [MTD app] from the device.
Restart the device.
Open the Company Portal app on the device.
Reinstall the [MTD app].
Open the app and sign in with the work or school account.
Complete any required setup or activation steps.
Wait up to 30 minutes for the device compliance status to update.

Check device compliance status

Users can verify their device's compliance status at any time:

Open the Company Portal app.
Go to Devices.
Select the device to view its current status.

If the device shows as compliant, they can access work or school resources. If it shows as noncompliant and they’ve taken steps to resolve, wait a few more minutes and check again, as compliance status updates can take up to 30 minutes to appear in the Company Portal app.

iOS/iPadOS: Enable simplified remediation for users

Admins can configure a simplified remediation experience on iOS and iPadOS to help end‑users return to a compliant state more easily. This experience streamlines how users address Mobile Threat Defense (MTD)–related noncompliance and reduces the number of steps required to restore access.

To enable this experience:

Follow the guidance in Simplifying compliance remediation with Microsoft Intune and Defender on iOS/iPadOS to configure the updated remediation workflow for your organization.
Once enabled, end‑users will see clearer guidance within the Microsoft Defender app when their device is marked noncompliant.
The Defender app will direct users through the necessary remediation steps automatically - such as re‑authentication, resolving threat signals, or re‑establishing the MTD connection.
After the guided process is complete, Defender will send updated device status to Intune so the device can return to a compliant state.

This simplified flow reduces support overhead and increases user success resolving MTD‑related compliance issues on iOS/iPadOS.

Android: Refresh the MTD connection when sign‑out is blocked

If the user is on an Android device, first have them try signing out of the Mobile Threat Defense (MTD) app and signing back in. This often re‑establishes the connection and allows Intune to receive updated device status.

If the option to sign out of the MTD app is blocked by IT policy, follow these steps to reset the app’s data instead:

Long‑press the Defender app in the work profile.
Tap ⓘ App info.
Go to Storage & cache → Clear data (do not select Clear cache).
Relaunch the Defender app - it will open to the welcome screen.
Sign back in with the work or school account.

Once signed back in, Defender will update Intune with the latest device data, and the device should return to a compliant state after Intune receives the refreshed signals.

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam!

Post updates:
02/05/26: Added two new sections covering simplified user remediation on iOS/iPadOS and refreshing the MTD connection on Android when sign-out is blocked.

Intune my Macs: Accelerating macOS proof of concepts with Microsoft Intune

Intune_Support_Team — Mon, 30 Mar 2026 23:01:38 GMT

By: Neil Johnson and Chris Kunze - Principal Product Managers | Microsoft Intune

Intune provides a broad and mature set of capabilities for managing macOS devices across security, compliance, applications, and user onboarding. Many customers, however, aren’t always aware of just how much functionality is available or how to bring it all together. We've developed a starter kit to make it easy to explore and set up macOS configurations in Intune: Intune my Macs. Intune my Macs helps bridge that gap by making it easy to explore some recommended macOS configurations and quickly set up a successful proof of concept using Intune.

What is Intune my Macs?

Intune my Macs is an open-source project from the Microsoft Intune Customer Experience Engineering team that allows you to deploy a complete macOS proof of concept in minutes. This starter kit brings together over 31 enterprise-grade configurations - identified by Apple’s Mac Evaluation Utility - along with policies, scripts, and applications, all of which can be deployed using a single PowerShell script.

The project operates in dry-run mode by default, letting you preview exactly what will be created before committing any changes to your Intune tenant. When you're ready, simply add the --apply flag to the command-line to commit changes.

Important: From a support perspective, Microsoft fully supports Intune and its ability to deploy PowerShell scripts. However, Microsoft does not support the scripts themselves, even if they are on our GitHub repository. They’re provided for example only. You are responsible for anything that they may do within your environment. Always test!

See it in action

Want a quick walkthrough before you dive in? Watch the video below to see a deep-dive on Intune my Macs - from authentication to policy creation, app deployment, and beyond.

Why would you use it?

1. Jumpstart your macOS management

Instead of building macOS configurations from scratch, Intune my Macs provides a ready-to-use baseline of production quality Intune artifacts. These configurations are designed to help you quickly evaluate Microsoft Intune for macOS management while also serving as reference implementations you can adapt to your environment.

Below is an overview of what Intune my Macs deploys into your tenant, organized by category.

Category	Example configurations
Security	FileVault configuration, firewall enablement, Gatekeeper policies, Microsoft Edge policies
Compliance	Minimum macOS version (15.0), SIP enforcement, encryption requirements
Identity	Platform SSO via Secure Enclave with Microsoft Entra ID
Applications	Intune Company Portal, Microsoft 365, Remote Help, Intune Log Watch, Microsoft 365 Copilot, Windows App, and Edge
Scripts	Dock customization, FileVault key escrow (Escrow Buddy), onboarding automation
Custom Attributes	Hardware compatibility checks, Intune agent version reporting

2. Learn by example

Each configuration in the repository serves as a practical reference implementation. The naming conventions follow a consistent pattern (for example, pol-sec-001-filevault, scr-app-100-install-company-portal), and detailed documentation explains what each setting does and why it's configured that way.

3. Reduce time to value

Tasks that typically require extensive research, configuration, and testing can now be completed in just about 5 minutes, thanks to this streamlined approach. The script handles:

Microsoft Graph SDK authentication
Policy creation via Intune settings catalog and custom configuration profiles
Script deployment with proper execution settings
PKG application uploads
Optional group assignments
Optional Microsoft Defender for Endpoint integration

If you're evaluating Microsoft Defender for Endpoint on macOS, the project includes an optional --mde command-line flag that deploys the full Defender for Endpoint configuration, including system extensions, privacy preferences, network filter settings, and a script that can be used to install the client.

How it works

This starter kit is driven by XML manifest files that define each configuration artifact. The main PowerShell script reads these manifests, resolves the associated JSON/mobileconfig/script files, and creates the corresponding objects in Intune via the Microsoft Graph API.

You can scope this starter kit to specific artifact types using command-line flags like --apps, --config, --compliance, --scripts, or --custom-attributes. A custom naming prefix defined using the –prefix command-line flag) keeps your deployed objects easily identifiable, and the --remove-all command-line flag provides a clean way, based on the custom naming prefix, to delete everything created by an earlier run.

For more information on how to use this project, be sure to review the prerequisites and instruction in the readme file.

Bonus: Utility tools

The project also includes several analysis and documentation tools:

Export-MacOSConfigPolicies.ps1 - Back up existing Intune macOS policies to JSON

Find-DuplicatePayloadSettings.ps1 - Detect conflicting settings across all your Mac configuration files

Generate-ConfigurationDocumentation.py - Create Markdown or Word documentation from the manifests

Get-IntuneAgentProcessingOrder.ps1 - Understand script and app processing sequence

Get-MacOSGlobalAssignments.ps1 - List Mac policies assigned to All Devices or All Users

Summary

Intune my Macs isn't meant to be a one-size-fits-all production starter kit, but it’s a great way to get started. Use it to quickly implement a proof of concept, learn from the configuration patterns, and adapt the policies to your organization's specific requirements.

Whether you're evaluating Intune for macOS management, setting up a new tenant, or just looking for reference implementations of common security configurations, this project can save you significant time and effort.

Resources

GitHub Repository

Full Configuration Documentation

Microsoft Defender for Endpoint Setup

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam!

Post Updates
03/30/26: A video walkthrough has been added above. Watch to see Intune my Macs deploy a complete macOS proof of concept in minutes.

Debunking the myth: Cloud-native Windows devices and access to on-premises resources

Intune_Support_Team — Sat, 15 Nov 2025 00:05:54 GMT

By: Roger Southgate - Sr. Product Manager | Microsoft Intune

Myth vs reality

Myth: Cloud-native Windows devices can’t access on-premises resources such as file shares or legacy applications.

Reality: With minimal or no configuration, cloud-native devices can seamlessly access on-premises resources using NTLM or Kerberos.

Introduction

Microsoft’s vision for secure, productive workplaces is clear: adopt cloud-first services, integrate Zero Trust throughout, and deploy Windows 11 devices as cloud-native endpoints to stay agile and future-ready. If you’re yet to begin this journey, review the Set up and configure a cloud-native Windows endpoint with Microsoft Intune tutorial.

For context, a cloud-native device is a Windows device, joined to Microsoft Entra and managed by Intune. No domain join, no group policy, and no Microsoft Configuration Manager required. Leveraging complementary services such as Windows Autopilot and Windows Autopatch enables users to self-provision their devices, work remotely, and remain secure by applying the latest Windows Updates.

But what about user’s data, files, and applications that they require to be productive? Moving to the cloud is a common goal for many organizations, though practical realities can make this a gradual process. Legacy technology, operational constraints, complexity, and other challenges can hinder adoption. While the goal might be to migrate all data to cloud-friendly repositories such as SharePoint Online and OneDrive, and transition applications to SaaS solutions, these migrations don’t happen overnight. In many cases, data may remain scattered across internal servers and on-premises repositories, creating scenarios where cloud-native devices still need to connect to these resources.

Accessing on-premises resources

What happens when you take a cloud-native device and try to access an on-premises resource such as a file share? Similarly, what about access to an application that is located on-premises? While these are just two examples, they can be used interchangeably in this scenario since the process of getting access is the same, regardless of apps or files. This is a topic that is raised (and often misunderstood) when discussing the transition of Windows devices to the cloud. Cloud-native devices were designed to take this scenario into account and have seamless access to on-premises resources.

Note: This assumes you have line-of-sight to an Active Directory Domain Controller and that your on-premises resources, such as file shares and applications, use Windows authentication. Like a domain-joined device, a cloud-native device won’t have line of sight by default unless it’s physically on-site (for example, in a corporate office). If you require this functionality, you may need to use a VPN or Zero Trust Network Access (ZTNA) solution to provide this connectivity to on-premises resources. More on this later, when we touch on Microsoft Entra Global Secure Access.

Legacy applications and authentication

When people talk about legacy applications in this context, they typically mean apps that can only do legacy (NTLM or Kerberos) authentication with Active Directory.

The good news is that for users synchronized using Microsoft Entra Connect Sync, cloud-native devices can seamlessly authenticate using NTLM and Kerberos just like domain-joined devices. When an on-premises domain account is synchronized to Microsoft Entra ID via Microsoft Entra Connect Sync, Windows uses details from Microsoft Entra ID, such as the source Active Directory domain name and the user’s User Principal Name (UPN), to locate a Domain Controller the same way an Active Directory domain-joined device does.

If the user has signed into Windows using a password, Windows sends the on-premises domain information and user credentials to the Domain Controller to obtain a Kerberos Ticket-Granting Ticket (TGT) or NTLM token, based on the protocol the on-premises resource or application supports. From that point onwards, the TGT is used to get session keys that grant access to resources.

Refer to How SSO to on-premises resources works on Microsoft Entra joined devices for additional details on how this process works.

Note: Windows 11, version 24H2 and later releases have removed the NTLMv1 protocol as part of Microsoft's broader initiative to phase out NTLM. Refer to the Microsoft support article on Upcoming changes to NTLMv1 in Windows 11, version 24H2 and Windows Server 2025 for additional details.

Windows Hello for Business

Passwordless authentication mechanisms such as FIDO2 and Windows Hello for Business are a cornerstone of Microsoft’s security vision. Adopting these authentication methods delivers stronger security and better, simpler user experiences. Windows Hello for Business provides phishing-resistant credentials as required by some security guidelines such as the Australian Cyber Security Centre ‘Essential Eight’. If you’re not already doing so, deploying cloud-native devices is a great opportunity to start using Windows Hello for Business, especially since it’s enabled by default on these devices. Windows Hello for Business is also a feature which results in a win-win scenario by enhancing security for IT, while also improving the user experience.

While enabling Windows Hello for Business is a simple process, there’s some additional configuration required to enable single sign-on to on-premises Active Directory authenticated resources, and this is where we sometimes see customers running into issues. If username and password work successfully to access an on-premises resource, but Windows Hello for Business credentials don’t then ensure that you’ve setup Cloud Kerberos trust to enable single sign-on. Cloud Kerberos Trust removes much of the complexity once associated with configuring Windows Hello for Business, greatly simplifying the deployment process.

When signing in with Windows Hello for Business, the device uses a partial Kerberos TGT issued by Microsoft Entra ID to obtain a full TGT from Active Directory, which in turn is used to get session keys to access resources. Refer to Microsoft Entra join authentication to Active Directory using cloud Kerberos trust for additional details.

Zero Trust and modern connectivity

On your Zero Trust journey, if you need to provide access to on-premises applications and services, consider replacing your traditional VPN with a modern solution, enabled by Microsoft Entra Private Access. Doing so will help you ensure secure, fine-grained access to private applications and resources, without exposing your full network - aligned with Microsoft’s three Zero Trust principles: verify explicitly, enforce least privilege, and assume breach. Review Zero Trust and Cloud-Native Windows for a deeper dive into this topic.

On the subject of Zero Trust, did you know that Microsoft has developed a Zero Trust Workshop?
By adopting Zero Trust, your organization can enhance its security posture and reduce risk and complexity while improving compliance and governance. Navigating the complexities of modern security is challenging and a Zero Trust strategy is the first step in providing clarity and direction. The Zero Trust Workshop is a guided framework to help you translate your Zero Trust strategy into actionable implementation steps which track your deployment progress and align with Microsoft recommendations. We’ve had many customers leverage the workshop to supercharge their Zero Trust journey and realize the full value of their existing security investments. The workshop can be run self-guided or in collaboration with your Microsoft account team or a partner and is vendor agnostic.

Key takeaways

If you aren’t already provisioning new Windows devices as cloud-native, check out Set up and configure a cloud-native Windows endpoint with Microsoft Intune and Cloud-native Windows endpoints: Begin by beginning to get started with a cloud-native Windows proof of concept today.
Cloud-native doesn’t mean cloud only, these devices get the benefits of being cloud-first while maintaining the backward compatibility needed to access on-premises resources when necessary.
Modern identity solutions such as Microsoft Entra ID, Windows Hello for Business, and Zero Trust Network Access can simultaneously enhance security and user experience.
Be sure to check out our Zero Trust Workshop to help you plan and implement these and other technologies as part of your Zero Trust strategy.

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam!

Support tip: Aligning network policy with Microsoft Intune and Zero Trust

Intune_Support_Team — Sat, 08 Nov 2025 01:04:31 GMT

By: Jon Callahan – Sr Product Manager | Microsoft Intune

Cloud services don’t just rely on the network. They redefine it. As organizations adopt Microsoft Intune and advance their Zero Trust strategies, many discover that traditional, perimeter-based architectures no longer align with modern security expectations or the connectivity needs of a distributed workforce.

Zero Trust is built on the principle of "never trust, always verify,” where access decisions are enforced through identity, device health, and compliance signals. Microsoft Intune strengthens this model by extending security and management through the cloud. By removing dependencies on on-premises infrastructure, it strengthens network resilience and Zero Trust enforcement with policy-driven device management and secure connectivity to Microsoft endpoints.

This is where friction occurs. Traditional enterprise networks were built around a castle-and-moat model of perimeter defense: build high walls around the perimeter and trust everything inside, rather than identity-based access. Centralized egress points, VPNs, proxy servers, and deep packet or TLS inspection worked well when apps, data, and users stayed inside the moat.

Today, work and data are everywhere. Legacy network designs often force traffic into hairpinned routes (indirect paths through central gateways) that add latency, reduce performance, and increase management overhead for Intune, Microsoft 365, and other SaaS apps.

The challenge deepens when network teams try to maintain allow lists for cloud services using static IP addresses. Microsoft’s endpoint IPs can change frequently, especially with CDN-backed services like Intune and Microsoft 365, to strengthen security, improve resilience, and scale globally. This is why Microsoft recommends domain-based egress policies, frequent updates based on the published endpoint lists, and bypassing SSL inspection for Microsoft-bound traffic that doesn’t support inspection.

Enabling cloud services

The shift to hybrid work environments shows the limits of perimeter-based networks. Users expect fast and reliable access to their apps and data whether at home, in the office, or on the go.

To support this shift, organizations need to modernize their network architecture and policies. Local internet egress and optimized paths to trusted services like Intune are essential. Policies built on Zero Trust and cloud-native principles help ensure performance and security. In contrast, controls such as VPN-only access, TLS inspection, or centralized proxies often slow users down and block required endpoints.

When networks get in the way, the impact is noticed:

Device check-ins and compliance evaluations fail, leaving devices marked as non-compliant
Enrollments stall or time out
Apps download slowly, fail to update, or never install

When these failures occur, users often blame Intune or their IT admins, even when the real issue is network policies.

In a Zero Trust model, network policy works alongside identity and device-based signals to enforce access decisions. Network policy should enable cloud services, not obstruct them. Adopting cloud-native connectivity and Zero Trust enforcement protects users, devices, and data while improving reliability and user experience.

This approach aligns with Microsoft’s Secure Future Initiative (SFI) and the principle of “Secure by Design,” which extend Zero Trust principles into the foundation of how services are built and operated. As part of this effort, Intune service endpoints are moving to Azure Front Door to enhance security, reliability, and performance while simplifying firewall management across Microsoft services. For details on required IP addresses and endpoints, see Support tip: Upcoming Microsoft Intune network changes.

Outbound traffic management

Aligning network policies with Zero Trust and cloud-native architecture can require trade-offs. Outbound traffic management is critical for Intune’s performance, but organizations differ in their compliance needs and tolerance for complexity. Below are three common models we see with our customers.

Endpoint enforced access

This model eliminates perimeter bottlenecks by moving enforcement closer to the user, device, and apps, which is the core of Zero Trust. Enforcement happens at the endpoint through identity, compliance, and device health signals, while the network provides fast, direct internet access with minimal restrictive filtering.

Best for: Organizations ready to adopt a Zero Trust network architecture built on Intune and identity-driven signals, or those with minimal outbound filtering requirements.

How to implement:

Policy-based enforcement and compliance: Intune enforces and validates device health and measures device compliance and app protection policies for Microsoft Entra Conditional Access
Identity-driven enforcement: Microsoft Entra Conditional Access evaluates signals such as user identity, device compliance, and risk level before granting access to cloud resources
Threat protection: Microsoft Defender for Endpoint monitors device risk and blocks compromised endpoints from accessing cloud resources; enforce the built-in firewall on Windows and macOS devices
Bypass traffic inspection: Don’t decrypt or inspect Intune and related Microsoft traffic using technologies like proxies, TLS inspection, deep packet inspection, or data loss prevention systems
Use split-tunnel VPN and local internet egress: Route Intune and Microsoft 365 traffic locally to avoid unnecessary hairpinning

Benefits:

Establishes Zero Trust controls with identity, device, and threat-based enforcement
Local internet egress and optimized paths to Intune and Microsoft 365 avoid latency and centralized paths
No allow list or complex firewall rules to manage
Avoids VPN, proxies, and TLS inspections and reduces the risk of interfering with user experience and device management failures

This model requires strong endpoint management and identity controls to ensure Zero Trust enforcement.

Domain enforced filtering

When endpoint-only enforcement doesn’t meet your organization's requirements, Fully Qualified Domain Name (FQDN) filtering offers a middle ground by adding network controls while staying adaptable to dynamic cloud services. This approach should be paired with endpoint enforcement to maintain a Zero Trust architecture.

Best for: Organizations that need outbound restrictions for compliance, while maintaining reliability and flexibility in cloud services.

How to implement:

Use domain-based rules: Filter traffic by FQDN rules that rely on DNS to adapt to changing IP addresses and CDN-backed services.
Leverage automation: Leverage the consolidated endpoint list, Azure Firewall service tags, or vendor tools to keep rules up to date.
Bypass traffic inspection for trusted services: Avoid decrypting or inspecting Intune traffic, which can break certificate pinning and cause service failures.
Resolve locally: Use local DNS and Internet egress so devices connect to the closest Microsoft endpoint.

Benefits:

Builds on endpoint enforced Zero Trust controls
Easier maintenance than IP-based filtering
Automatically adapts to Microsoft's dynamic, cloud-hosted services
Reduces service disruptions when automated
Aligns with most regulatory and compliance frameworks

This model requires more robust network automation and may introduce additional processing overhead compared to endpoint-enforced access.

Domain and IP enforced filtering

This model combines FQDN-based rules with IP filtering for the strictest assurance. It provides maximum control but introduces the most overhead. Like domain enforced filtering, this too should be combined with endpoint enforcement to maintain a Zero Trust posture.

Best for: Organizations in highly regulated industries that require dual enforcement with domains and IPs to meet strict audit and assurance needs.

How to implement for Intune:

Combine domain with IP rules: Use FQDN alongside IP address ranges to filter traffic.
Automate aggressively: Leverage the consolidated endpoint list, Azure Firewall service tags, or vendor tools to keep rules up to date.
Bypass traffic inspection for trusted services: Exclude certificate-pinned services from TLS inspection to avoid breaking Intune functionality.
Optimize performance: Architect your network to use local DNS and internet egress so devices connect to the closest Microsoft endpoint.

Benefits:

Builds on Zero Trust with the strictest network controls
Provides dual verification for outbound traffic
Helps satisfy strict regulatory and compliance requirements

This model introduces the highest administrative overhead and complexity to maintain. It’s also the most likely to cause performance issues and service disruptions if not properly automated. However, for organizations with strict regulatory requirements, these trade-offs may be necessary to meet compliance obligations.

Extending with cloud-first controls

While traditional network models address outbound traffic at the infrastructure layer, a Zero Trust approach uses cloud-native security tools that eliminate many of these challenges. Issues like hairpinning, brittle IP allow lists, TLS inspection conflicts, and complex firewall rules stem from applying perimeter-era tools to cloud-based services. Cloud-first network and security tools reduce friction and strengthen Zero Trust.

Cloud-delivered secure web gateway (SWG): Provides secure access to internet and SaaS apps while protecting against internet threats, building on the capabilities of traditional proxies (Microsoft Entra Internet Access)
Zero Trust Network Access (ZTNA): Connects users securely from any device and any network without relying on VPNs or central tunneling (Microsoft Entra Private Access)
Data loss prevention (DLP): Protects sensitive information across endpoints, Microsoft 365 apps, SaaS services, browsers, and on-premises file shares, with classification and policy enforcement (Microsoft Purview DLP)
Cloud access security broker (CASB): Provides SaaS discovery, session control, and real-time policy enforcement (Microsoft Defender for Cloud Apps)

Managing outbound traffic for cloud services is about more than connectivity. It’s about aligning network policies so they enable cloud services and embrace Zero Trust principles like identity, device health, and compliance signals over legacy perimeter defenses. Microsoft Intune supports through policy-driven device management and security that reinforce Zero Trust and cloud-native adoption. The result is an architecture that secures your environment and delivers the reliability and user experience needed for today’s hybrid work.

Resources

As always, if you have any questions let us know in the comments or reach out to us on X @IntuneSuppTeam!

Post updates:
11/06/25: Updated URLs for Automation category (see Domain-Enforced Filtering section).

From the frontlines: Empowering call center agents with Windows 365 Frontline

Intune_Support_Team — Thu, 20 Nov 2025 00:53:25 GMT

By: Tania Lima – Sr Product Manager | Windows 365

Editor’s Note - Updated 11/19/25: The new User Experience Sync for Windows 365 Frontline in shared mode, announced at Ignite, delivers a consistent and seamless experience for users who frequently switch between shared Cloud PCs. This feature ensures that user settings and application data persist across sessions and devices within the same provisioning policy. Included with the Frontline license at no extra cost, it provides fast, transparent sign-ins and allows IT admins to monitor storage quotas and clear user storage when needed to resolve issues. Learn more here: Windows 365 Frontline updates and Cloud Apps general availability.

Call centers are dynamic environments where agents often work in shifts, handling customer inquiries around the clock. Providing these frontline employees with secure, consistent, and accessible computing environments is critical to maintaining productivity and excellent service. However, traditional desktop deployments, whether physical PCs or complex virtual desktop infrastructure (VDI), are often challenging to manage and scale for a shift-based workforce.

Microsoft Windows 365 Frontline addresses this challenge by delivering Cloud PCs optimized for shift and part-time workers. With Windows 365 Frontline, organizations give call center agents full Windows desktop experiences from the cloud, while optimizing costs through a flexible licensing model that enables multiple employees to share Cloud PC resources during their respective shifts. This article explores the two modes of Windows 365 Frontline – dedicated and shared – and offers guidance on choosing the right approach for call centers, along with best practices for Microsoft Intune configuration and provisioning in these scenarios.

Windows 365 Frontline overview

Windows 365 is Microsoft's Cloud PC service that streams a full Windows desktop to any device. Windows 365 Frontline is a specialized offering within Windows 365 designed for organizations with frontline or shift-based workers – employees who don't need a Cloud PC 24/7, but rather only during working hours or on an intermittent basis. Instead of assigning a traditional one-to-one Cloud PC license per user, Frontline licenses are shared at the tenant level, allowing multiple users to utilize the same Cloud PC resources at different times. This model can significantly reduce costs for call centers and similar environments by ensuring you only pay for the maximum number of concurrent Cloud PC sessions needed, not for every employee in the directory.

Windows 365 Frontline offers two modes of operation to accommodate different use cases: dedicated mode and shared mode. Both modes provide the same secure, high-performance Windows experience via the cloud, integrated with Microsoft Intune for management and Microsoft Entra ID for identity and security. The difference lies in how Cloud PCs are provisioned and used by multiple users.

Dedicated mode: Personalized Cloud PCs for shift workers

With Frontline Cloud PC in dedicated mode, each licensed user is provisioned their own personal Cloud PC, the same as a standard Windows 365 Enterprise scenario – with one crucial twist: a single Frontline license entitles up to three Cloud PCs, assigned to three different users, so long as only one Cloud PC is in use at any given time. In other words, one license is equivalent to 3 users (one active session at a time). This non-concurrent licensing is ideal for shift work. For example, if you have three call center agents covering morning, afternoon, and night shifts, you can assign each their own Cloud PC while consuming only one Frontline license. Each agent gets a dedicated, persistent Windows desktop with their apps, settings, and data, which remains available every time they log in.

Because Frontline Cloud PC in dedicated mode is personal to each user, the user experience is consistent and tailored. Agents can customize their desktop, set up applications (or have them deployed via Intune), and retain files or settings from session to session. We recommend this mode or scenarios where employees require a prolonged and consistent desktop experience – for instance, full-time or regular part-time call center employees who work scheduled shifts on a daily basis. It ensures that each agent always returns to their own workspace in the cloud.

To streamline shift handovers, Windows 365 Frontline Cloud PC in dedicated mode includes a built-in concurrency buffer that allows a temporary overlap of active sessions beyond the license limit. This is designed for those situations where one agent hasn't signed off yet and the next shift agent needs to sign in a few minutes early. The concurrency buffer permits exceeding the max concurrent user limit for short periods (up to 1 hour, a few times per day) to avoid blocking users during shift handovers. This means if one agent's session slightly overlaps with another's, both can be connected briefly without needing an extra license, and without being forced to log off. Once the time limit expires, users will be unable to log in until a Cloud PC is available.

Shared mode: Ephemeral Cloud PCs for occasional use

In Frontline Cloud PC in shared mode, a Cloud PC is not tied to any single user. Instead, you set up a collection of one or more Frontline Cloud PC in shared mode that a group of users can access one at a time. When someone in the group connects to a shared Cloud PC, they can receive either a persistent or a non-persistent session. Administrators can turn on the new User Experience Sync feature if they want users to enjoy a consistent experience—this ensures that applications storing user settings or app data will keep that information across sessions, including maintaining other Windows features like accessibility options. Alternatively, if preferred, a new user profile is created at each login, and once the user signs out, all session data is erased and the next user to sign in starts with a clean environment. This mode allows a Cloud PC to be truly shared among many users serially. Each Frontline license in shared mode allows you to provision one Cloud PC for the pool (thus one license = one Cloud PC accessible by many users, but still only one active user on that Cloud PC at a time).

Shared mode is well-suited for scenarios where users need only occasional or brief access to a Windows environment rather than a daily dedicated workspace. For example, consider a training workstation in a call center or a kiosk-style PC for supervisors to quickly check reports. Another use case is for temporary staff or contractors who log in infrequently. In a call center context, shared mode could be used for a “floater” Cloud PC that any agent can use when extra capacity is needed, or for machines set aside for specific short tasks such as quality assurance checks by various team members. We don’t recommend shared mode for standard call center agents who have regular shifts, because those users benefit more from a persistent environment and dedicated mode can still provide cost savings in those cases. Instead, shared mode shines for truly ad-hoc access scenarios, where personalization isn't required.

With Frontline Cloud PC in shared mode, since no user profile persists, it's important to ensure apps and configurations needed for the common tasks are pre-installed or available on demand. Users rely on cloud storage (OneDrive, SharePoint, web applications) for any data they need to save, because once they log off a shared Cloud PC, nothing is retained locally. The upside is that IT maintains a singular baseline configuration for all shared sessions and there's zero risk of one user’s data bleeding into the next session – the wipe on logoff provides a clean slate and extra security.

Dedicated vs. shared mode comparison

Feature	Frontline Cloud PC in dedicated mode	Frontline Cloud PC in shared mode
Cloud PCs per license	Up to 3 Cloud PCs per license (user-specific). Only 1 Cloud PC can be active at once (per license).	1 Cloud PC per license (pooled). Only 1 user session active at once (per Cloud PC).
User experience	Personalized persistent desktop for each user; data and settings saved between sessions.	Non-persistent, generic desktop; user profile and data are reset on sign-out.
Suitable use cases	Shift workers who need their own space and apps (ex., daily call center agents with dedicated logins).	Intermittent or short task usage (ex. shared training PC, occasional contractors or roaming supervisors).
Provisioning method	Cloud PCs are provisioned per user via Microsoft Entra ID group assignment. Each user gets their own Cloud PC instance.	Cloud PCs are provisioned as a static pool (set number of identical Cloud PCs) and assigned to a group of users to share.
Intune management	Managed like any other individually assigned device. Supports user-targeted configurations.	Managed as shared devices. Use device-targeted configs for apps/scripts (via device groups or Autopilot device prep) since users do not retain installs.
Data storage	Files and data persist on the Cloud PC (roam with user). Still recommended to use OneDrive/SharePoint for backup and mobility.	Files and data do NOT persist locally. Must use OneDrive, SharePoint, or other cloud services for any data that needs to be retained.

Intune configuration and recommendations for call centers

Successfully deploying Windows 365 Frontline in a call center scenario requires optimal configuration of Microsoft Intune and adherence to best practices that maximize security and efficiency. Below are key recommendations.

Provisioning policies

Set up separate Windows 365 provisioning policies for your call center users depending on mode. In the Intune admin center, under Devices > Windows 365 > Provisioning policies, choose License type: Frontline, then specify the mode as dedicated or shared.

For dedicated mode, assign the policy to a Microsoft Entra ID group containing your call center agents – Intune will automatically provision a Cloud PC for each user in the group (up to your license concurrency limits).

For shared mode, assign the policy to a group of users and define the number of Cloud PC instances to create for that group. Name the shared Cloud PC pool descriptively (ex. "Call Center Training PC") so users recognize it. Use the Microsoft-hosted network unless integration with on-premises networks is needed and select a region close to your users for optimal performance.

Image and applications

Choose a base Cloud PC image that includes your core call center applications to speed up deployment. Microsoft provides gallery images (including options with Microsoft 365 Apps pre-installed). For Frontline Cloud PC in dedicated mode, each user gets this baseline image and can receive additional apps via Intune app deployment or Company Portal. For Frontline Cloud PC in shared mode, it's crucial to preload critical apps since users won't persist installs. Leverage the Windows Autopilot deployment preparation (preview) feature for shared mode provisioning policies. This feature lets you specify device-targeted apps and scripts that Intune should install on each Cloud PC during provisioning, ensuring that even the first user to sign in has all the required software ready. It helps avoid managing custom images while still delivering necessary apps on a clean shared PC each time.

Microsoft Entra ID groups for access

Manage which users can access Cloud PCs by controlling Microsoft Entra ID group membership. Since Frontline licenses are not assigned to individuals but pooled, any user in the provisioning policy’s assignment group will get access. For dedicated mode, ensure the group size aligns with available licenses (3 users per license). If the group has more users than license capacity, some users may not get a Cloud PC provisioned until additional licenses are added. Use the Connected Frontline Cloud PCs report in the Intune admin center to monitor how many Cloud PCs are active and if you’re hitting your license concurrency limit. Adjust group membership or purchase more licenses as needed to meet peak demand.

Session time limits

Configure automatic session timeouts to prevent a user from inadvertently locking a Cloud PC and blocking others. Use Intune to enforce idle session time limits and disconnected session sign-off for Windows 365 Frontline. For example, for a Frontline Cloud PC in shared mode that is idle for 15 minutes, disconnect the session, and for a session that has been disconnected for more than 5 or 10 minutes, sign the user out (ending the session).This ensures a Frontline Cloud PC in shared mode isn’t held by an inactive session, making it available to the next agent. For Frontline Cloud PC in dedicated mode, an idle timeout (e.g., 30 minutes) can free up the license concurrency slot without immediately logging the user off. You configure these settings in the Intune admin center using the settings catalog: Remote Desktop Session Host > Session Time Limits settings. Tuning these values helps balance user convenience with resource availability.

OneDrive and user data

Encourage or enforce the use of OneDrive Known Folder Move for Desktop, Documents, and Pictures so that user files are redirected to cloud storage. In dedicated mode, this ensures that if a user moves to a new Cloud PC or device, their files roam with them. In shared mode, this step is even more critical: when the user logs off, anything saved only on the local profile is erased. With Known Folder Move and cloud-based productivity apps, even a non-persistent session feels seamless as users access their files from OneDrive or SharePoint. Similarly, if users use Outlook, enable cached Exchange mode with cloud mailboxes so that email data isn't lost between sessions. Alternatively, direct users to access the new Outlook or Outlook on the web to avoid local data use.

Security controls

Treat Cloud PCs as you would any corporate device: apply Microsoft Defender for Endpoint monitoring and security baselines via Intune. One big advantage of Windows 365 for call centers is enhanced security – by default, Cloud PCs keep data off the local machine that the user is connecting from. Use Intune policies or Windows 365 settings to disable clipboard and drive redirection, prevent screenshots, and add watermarking if agents handle highly sensitive information (so data on the Cloud PC can't be easily copied out). Additionally, enforce multi-factor authentication (MFA) for Cloud PC access through Microsoft Entra ID Conditional Access, and limit Cloud PC access to only trusted networks or compliant endpoint devices for an extra layer of protection.

Monitoring and scaling

Continuously monitor usage patterns. Windows 365 usage reports help identify if your call center is reaching the concurrent connection limit. If agents frequently find Cloud PCs unavailable (shared mode) or get blocked due to concurrency (dedicated mode), you likely need more Frontline licenses or an adjusted strategy. Aim to have enough Cloud PCs to cover peak usage. Thankfully, adding capacity is straightforward – purchase additional Frontline licenses and update your provisioning policies. For shared mode, increase the Cloud PC count in the pool; for dedicated, new users in the group automatically get Cloud PCs if licenses are available. Likewise, if usage is consistently below capacity, consider reducing the number of provisioned Cloud PCs to optimize costs. Windows 365 provides the flexibility to scale up or down easily as your call center staffing changes, enabling organizations to efficiently adapt to operational fluctuations and changing demands.

Endpoint devices

When call center agents operate on-site with shared physical PCs or thin clients to connect to their Cloud PCs, configure these physical endpoints appropriately for shared usage. Windows PCs can be set up in Microsoft Entra ID Shared Device Mode or as kiosk devices that only allow launching the Windows App or a web browser for Cloud PC access. This ensures the local device doesn't store data between users and is locked down to its purpose. Intune can manage these Frontline Cloud PC in shared mode with policies to clear temp files on logout, enforce idle sign-out, and automatically launch the Windows App at login. By managing both the Cloud PC and the access device in Intune, IT creates a cohesive, secure experience for rotating call center shifts.

Windows 365 Link devices in call centers

Windows 365 Link devices offer a transformative solution for call centers by simplifying endpoint management and enhancing remote operability. These devices enable seamless access to Cloud PCs with high-fidelity Microsoft Teams support and multimedia redirection, which is critical for voice and video-heavy workflows. Windows 365 Link allows secure connections even to Cloud PCs that have never been signed into before, reducing onboarding friction for third-party agents. This is especially valuable for remote call centers, where maintaining client machines is challenging. Windows 365 Link can be shipped pre-configured, minimizing setup complexity and support overhead. Using Link devices supports scalable, secure, and efficient operations without compromising user experience or enterprise security policies. Windows 365 Link devices are intended to be managed in a manner consistent with other Windows endpoints within Intune; however, they operate on a streamlined Windows Cloud PC OS. This design reduces the range of management actions available, particularly with respect to enrollment and ongoing management actions. For more information visit Windows 365 Link documentation.

Microsoft Teams

If Microsoft Teams is part of the daily workflow for call center agents, we strongly recommend deploying the Microsoft Teams-optimized Windows App to access their Cloud PCs from Windows-based clients, in place of using the standard web-client. This approach ensures better performance, enhanced audio and video quality, and full support for Teams-specific optimizations such as offloading media traffic and reducing latency.

Simple connection requirements for partners

Many large organizations will work with third party call center partners to provide agents to support their customers, either as business as usual, or to provide out of hours and coverage for high call volume events. Ensuring these partner organizations can connect to your infrastructure, and connect to your applications, can be challenging and any changes can take time for your partners to roll out. By using Windows 365, you can deliver a defined list of software and network requirements (Windows App, with access to the Windows Cloud endpoints / Teams / Call Centre software), and minimize the number of changes required as your business evolves. Providing access to a new application, service, or resource is handled within the Cloud PCs that you control with no technical changes needed by the vendor or partner.

Remote call center and BYOD scenarios

Windows 365 empowers organizations to support remote call center agents through secure, scalable Cloud PC deployments that work seamlessly across bring your own device (BYOD) environments. Whether agents use personal laptops, tablets, or mobile phones, Windows 365 ensures secure access to corporate resources via the Windows app or browser-based clients, minimizing infrastructure overhead and simplifying endpoint management. This flexibility is especially valuable for outsourced or third-party call center partners, where device diversity and network variability are common. By centralizing application access within the Cloud PC, organizations enforce consistent security policies, reduce onboarding friction, and deliver reliable user experience, regardless of the agent’s physical location or device type. This model not only enhances operational agility but also strengthens data protection by isolating corporate workloads from unmanaged endpoints.

Conclusion

Windows 365 Frontline represents a transformative approach for call centers seeking to empower their agents with secure, flexible, and cost-effective computing environments. By offering both dedicated and shared modes, organizations can tailor Cloud PC deployments to match the unique needs of shift-based and occasional workers, optimizing resource utilization and reducing operational complexity. With robust integration into Microsoft Intune and Microsoft Entra ID, IT teams can streamline provisioning, enforce security best practices, and ensure seamless user experiences, whether agents are on-site, remote, or using their own devices. Ultimately, Windows 365 Frontline enables call centers to scale efficiently, enhance data protection, and deliver consistent service quality in today’s dynamic work landscape.

This blog is part of the “From the Frontlines” series, where we explore different scenarios of how workers in field use devices and how IT admins can enable them. Check the other blog posts for more inspiration!

As always, if you have any questions let us know in the comments or reach out to us on X @IntuneSuppTeam or @MSIntune!

Post Updates:
11/19/25: Updates to the "Shared mode: Ephemeral Cloud PCs for occasional use" section highlighting new flexibility in shared Frontline Cloud PCs, including optional user experience persistence and simplified shared licensing.

Simplifying compliance remediation with Microsoft Intune and Defender on iOS/iPadOS

Intune_Support_Team — Thu, 30 Oct 2025 17:49:50 GMT

By: Harish S | Sr. Product Manager - Microsoft Defender & Rishita Sarin | Product Manager 2 - Microsoft Intune

One tap to compliance: Introducing the Resolve workflow for Compliance Remediation in Microsoft Intune and Microsoft Defender on iOS.

We’re thrilled to announce a major step forward in simplifying the compliance remediation experience for users and IT admins alike. As part of a collaboration between Microsoft Intune and Microsoft Defender, we’re introducing a new compliance remediation workflow, which uses a Resolve button to make it easier than ever for users to bring their mobile device back into compliance.

Why this matters

Traditionally, when a user’s device was marked noncompliant due to missing security apps like Microsoft Defender, they had to navigate through multiple apps, follow multi-step instructions, and often re-authenticate – often to resolve a single issue. This created friction, confusion, and delays in regaining access to corporate resources.

With the new end-to-end remediation workflow triggered by the Resolve button, we’re eliminating those extra steps.

What’s news

Starting with the latest releases in Intune and Defender, users on iOS and iPadOS will have a Resolve button directly within Microsoft 365 productivity apps (such as Microsoft Outlook or Teams) when their device is non-compliant due to Defender-related requirements. This button:

Detects the non-compliance reason.
Launches or installs Microsoft Defender if it’s missing.
Automatically re-evaluates compliance requirements once Defender is running.
Returns the user to their app – no switching, no guesswork.

This is powered by just-in-time (JIT) registration and compliance remediation which embeds the compliance flow directly into the app experience.

Microsoft Defender experience: Guided, automated, and frictionless return to compliance

The Resolve button is more than just a shortcut, it’s the entry point to a guided remediation workflow powered by Defender. Once launched:

Defender auto-triggers a guided workflow that remediates issues with minimal or no user interaction.
A checklist guides the user through necessary steps to return to compliance, ensuring clarity and confidence on common scenarios such as authentication issues, missing permissions, device registration issues, remediate active threats, and more.
Upon completion, Defender updates the compliance state of the device.
The user is automatically redirected back to the productivity app they started from with no manual navigation required.

This seamless handoff between Intune and Defender ensures that users stay focused on their work, not on troubleshooting.

Conclusion

Effortless for users, efficient for admins.

If you already use JIT registration and compliance remediation in Intune for enrolled iOS devices, the Resolve button is automatically enabled for supported scenarios. If not, consider setting up JIT now to experience the new compliance remediation experience, it’s simple to configure and significantly improves user experience and support efficiency. Refer to the following documentation for more information:

If you have any questions, leave a comment on this post or reach out on X @IntuneSuppTeam.

Microsoft Intune Settings Catalog Updated to Support New Windows 11, version 25H2 Settings

Intune_Support_Team — Fri, 24 Oct 2025 17:12:19 GMT

By Mayur Jahdav, Product Manager | Microsoft Intune

With the recent release of Windows 11, version 25H2, Microsoft Intune delivered support for 36 new 25H2 settings. IT admins can confidently manage devices running the latest Windows OS version from the moment they deploy it in their environment for testing or production use.

We continue to invest in the settings catalog infrastructure to ensure timely support for new Windows policy settings. This enables organizations to adopt new OS versions and features without delay and maintain secure, compliant, and well-managed environments.

New settings in the settings catalog

As part of our day zero support for Windows 11, version 25H2, the settings catalog includes the newly released Windows 11, version 25H2 settings. The following table lists newly added settings that are now available for configuration using the settings catalog and are ready for use in device configuration profiles to manage Windows endpoints.

Category Name	Name	Friendly Name
Administrative Templates\Windows Components\App Package Deployment	RemoveDefaultMicrosoftStorePackages	Remove Default Microsoft Store packages from the system.
Administrative Templates\Windows Components\Sync your settings	EnableWindowsBackup	Enable Windows Backup
Auditing	AccountLogonLogoff_AuditGroupMembership	Account Logon Logoff Audit Group Membership
Human Presence	ForceOnlookerDetectionAction	Force Onlooker Detection Action
Human Presence	ForceOnlookerDetection	Force Onlooker Detection
Microsoft App Store	ConfigureMSIXAuthenticationAuthorizedDomains	Configure MSIX Authentication Authorized Domains
News And Interests	DisableWidgetsBoard	Disable Widgets Board
News And Interests	DisableWidgetsOnLockScreen	Disable Widgets On Lock Screen
Power	EnableEnergySaver	Enable Energy Saver
Printers	RequireIppsPolicy	Require Ipps Policy
Privacy	LetAppsAccessSystemAIModels	Let Apps Access System AI Models
Start	TurnOffAbbreviatedDateTimeFormat	Turn Off Abbreviated Date Time Format (User)
Start	HideCategoryView	Hide Category View (User)
Start	ConfigureStartPins	Configure Start Pins (User)
Start	AlwaysShowNotificationIcon	Always Show Notification Icon (User)
Start	ConfigureStartPins	Configure Start Pins
Start	HideCategoryView	Hide Category View
System	AllowOOBEUpdates	Allow OOBE Updates
Windows AI	SetMaximumStorageSpaceForRecallSnapshots	Set Maximum Storage Space For Recall Snapshots
Windows AI	DisableSettingsAgent	Disable Settings Agent
Windows AI	AllowRecallEnablement	Allow Recall Enablement
Windows AI	SetDenyAppListForRecall	Set Deny App List For Recall (User)
Windows AI	DisableClickToDo	Disable Click To Do (User)
Windows AI	SetCopilotHardwareKey	Set Copilot Hardware Key (User)
Windows AI	SetDenyAppListForRecall	Set Deny App List For Recall
Windows AI	DisableImageCreator	Disable Image Creator
Windows AI	DisableCocreator	Disable Cocreator
Windows AI	SetMaximumStorageSpaceForRecallSnapshots	Set Maximum Storage Space For Recall Snapshots (User)
Windows AI	DisableClickToDo	Disable Click To Do
Windows AI	SetDenyUriListForRecall	Set Deny Uri List For Recall (User)
Windows AI	DisableGenerativeFill	Disable Generative Fill
Windows AI	SetDenyUriListForRecall	Set Deny Uri List For Recall
Display	ConfigureMultipleDisplayMode	Configure Multiple Display Mode (User)
Windows Backup And Restore	EnableWindowsRestore	Enable Windows Restore

As Windows evolves and releases features through future feature updates as well as continuous innovation, we’ll continue to review newly added or updated settings to includ in the Intune settings catalog. These may include new controls for security, privacy, user experience, and device management. Be sure to check What's new in Microsoft Intune regularly for additional settings as we add them and check out Create a policy using settings catalog in Microsoft Intune for guidance on how to configure and assign settings to your managed devices.

If you have questions or feedback, please leave a comment on this post or reach out to the Intune support team on X @IntuneSuppTeam.

Post updates:
10/23/25: The Settings Catalog table has been updated. Settings that were previously limited to 'Windows Insider users' are now generally available.

Microsoft Intune Advanced Analytics in action: Real-world scenarios for IT teams

Intune_Support_Team — Wed, 08 Oct 2025 18:00:31 GMT

By: Janusz Gal – Sr Product Manager | Microsoft Intune

Microsoft Intune Advanced Analytics empowers IT admins and enterprise users to gain deep insights into device health, user experience, and organizational trends. Building on the foundation of Microsoft Endpoint analytics, Advanced Analytics offers enhanced device timeline reporting, flexible query options, anomaly detection, battery health monitoring, and resource performance tracking.

IT admins can use Advanced Analytics to proactively manage their user devices, by turning raw telemetry into actionable insights, and optimizing IT support processes with near real time device information.

In this blog post, we’ll review the capabilities provided by Advanced Analytics with example scenarios for how they can be used.

Getting started

Getting started with Advanced Analytics is easy! Once your license is in place and Endpoint analytics is enabled, Advanced Analytics features will become available in your tenant. For more details on the licensing requirements, review the following: What is Microsoft Intune Advanced Analytics.

For those who haven’t enabled Endpoint analytics, now is the time. In the Intune admin center, navigate to Reports > Endpoint analytics. Select All cloud-managed devices in the dropdown (or a subset) and select Start to enable Endpoint analytics for your tenant.

Figure 1 Endpoint analytics introduction pane in the Microsoft Intune admin center (Reports > Endpoint analytics).

Some capabilities may take up to 48 hours for data to populate for Advanced Analytics analysis, such as anomaly detection, battery health monitoring, and inventory data shown in Device Query for multiple devices. Review Planning Advanced Analytics for a full list of prerequisites, a planning checklist, FAQ and more.

Let’s take a look at the new capabilities available when you enable Advanced Analytics in Microsoft Intune.

Custom device scopes

Think of a subset of the organization you’d like to better understand and compare to the rest of the tenant. Possible examples include executive devices, maybe a specific country or region with a different budget, or even Microsoft Entra hybrid joined and cloud-native devices. With custom device scopes you can recalculate the whole set of Endpoint analytics reports based on scope tags and get the comparisons you need to make informed decisions.

Let’s consider a scenario where a subset of the organization has Microsoft Entra hybrid joined Windows devices with decades of group policy being applied and you want to make the business case to invest the time in reviewing and building new policy in Intune. You can create a scope tag, for this example we’ll name it “Hybrid joined devices”, that you apply to hybrid joined devices, and then add that to the device scopes capability within Endpoint analytics. The manage device scopes setting can be accessed by selecting on the device scope selector on any filterable Endpoint analytics pane:

Figure 2. Endpoint analytics device scope selection (Reports > Endpoint analytics > Overview).

Figure 3. Manage device scopes pane for selecting and creating new device scopes (Reports > Endpoint analytics > Overview > Device scope > Manage device scopes).

Under Endpoint analytics reports, navigate to the Startup performance report which showcases Core boot time and Core sign-in time. By default, this report is scoped to All Devices but is filterable using any tag including the one you just created: “Hybrid joined devices”.

Figure 4. Startup performance report (Reports > Endpoint analytics > Startup performance).

While results will differ for each organization, in the tenant shown here when you set the scope to “Hybrid joined devices”, you’ll see that Group Policy contributes 8 seconds to your Core-sign in time, and overall devices report 9 seconds slower boot times and 30 second slower sign-ins:

Figure 5. Startup performance report, recalculated with Device scope.

Just like that, you know that users are losing time on each reboot. Depending on how large the fleet is for your organization, that could be a significant amount and worth what it would take to modernize and plan to implement new policies.

Of course, you can also use a custom device scope across the rest of the Endpoint analytics reports such as application reliability and work from anywhere. And with Advanced Analytics you also get two additional reports that can be sliced with device scopes – Resource performance and Battery health.

Resource performance

The resource performance report provides an analysis and score of CPU, memory, and storage metrics over time to identify underperforming devices. Let’s take the same scenario from before – reviewing the hybrid joined devices in your organization.

If you have existing hybrid joined devices that are expecting a future device refresh, would it make sense to schedule that sooner because of their performance?

When you review the resource performance score, you see how All devices are performing based on their CPU and RAM spike time scores – effectively, how often they are hitting their resource limits.

Figure 6. Endpoint analytics resource performance report (Reports > Endpoint analytics > Resource performance).

In Endpoint analytics, higher scores indicate that devices are providing better user experiences. For example, in the Resource performance report, a higher score indicates that devices are seeing less CPU spikes.

Figure 7. CPU spike time score details pane (Reports > Endpoint analytics > Resource performance > CPU spike time score).

You can view performance by specific models or devices using the navigation tabs at the top of the report. Periodically reviewing these results is helpful to ensure your devices are performing well within their ownership or refresh cycles. Better yet, you can use Baselines, which capture a snapshot of the scores for your tenant and allow you to track progress over time:

Figure 8. Baselines selection (Reports > Endpoint Analytics > Overview > Baseline).

You could, for example, directly see how the overall baseline scores improve a few months after a hardware refresh by checking a previous baseline against the current scores. This can help further justify hardware spending by showing quantifiable improvements to the user experience.

For this example, since you know the hybrid joined devices are older than your cloud-native ones, you can reuse your custom device scope here to filter the resource performance report and compare the scores:

Figure 9. Resource performance report recalculated via Device scope (Reports > Endpoint Analytics > Resource performance > Device scope set).

Now you can also easily identify that your hybrid joined devices are performing worse than average, as they have a significantly lower resource performance score than All devices.

Battery health monitoring

Advanced Analytics also gives us access to the Battery health report which details capacity and runtime scores across the organization.

Figure 10. Battery health report (Reports > Endpoint Analytics > Battery health).

The top level report shows a battery capacity score and a battery runtime score, both of which provide a flyout with granular details on how devices are performing:

Figure 11. Battery capacity score detail (Reports > Endpoint Analytics > Battery health > Battery capacity score).

Figure 12. Battery runtime score detail (Reports > Endpoint Analytics > Battery health > Battery runtime score).

Using these reports, you can easily identify devices that need a battery replacement, such as older devices or laptops that have been plugged in for years. These are great candidates to replace sooner – as ever-changing home or office work locations shift, you can improve user confidence in their devices by ensuring a fully charged battery lasts for hours.

On the flipside – you can use the Battery health report to assess whether existing devices can have their lifespan extended. Maybe they are five years old but the batteries are still reporting more than 5 hours of runtime on a charge and greater than 80% health. For example, in the hybrid joined device scenario, you were looking for budget to refresh those devices sooner – if you can find existing devices with healthy batteries, you could also check their resource performance results and decide to keep them an extra few years if they are performing well.

Device query for multiple devices

Suppose you have used the previous capabilities – custom device scopes, resource performance reporting, and battery health reporting – to determine a group of devices within your organization that you want to perform some action on. As mentioned before, this could be extending their lifespan, planning a refresh, or investing in a tooling migration.

If you need additional details from devices before making that decision you can use Device query for multiple devices. Device query for multiple devices provides insights about the entire fleet of devices using previously collected inventory data. And since it leverages the flexible and powerful Kusto Query Language (KQL), you can mix and match inventory attributes to get the list of devices that meet your requirements.

For Windows devices, before you can use Device query for multiple devices you’ll need to create a Properties Catalog policy. Add the properties you would like to collect and assign the profile to the intended devices. All available properties are automatically collected for Android Enterprise, iOS, iPadOS, and macOS devices, so no extra configuration is needed.

Figure 13. Configure and deploy a Properties Catalog profile.

You can view collected inventory information for a single device under the Device inventory pane. After a device syncs with Intune, it can take up to 24 hours for initial harvesting of inventory data.

Once you have the inventory information collected across the fleet, navigate to Devices > Device query to start querying.

Figure 14. Device query for multiple devices (Devices > Device query).

Expanding on the scenarios from before, consider a requirement to replace devices with high battery cycle counts. With Device query for multiple devices, you could join battery and CPU data, and better target planned replacements:

Figure 15. Running a query (Devices > Device Query).

Of course, you can use any of the inventory categories to find applicable devices including storage space, TPM details, enrollment information, and so on. For organizations with Security Copilot licensed and enabled, you can leverage Query with Copilot to generate the KQL queries for you using natural language:

Figure 16. Copilot query generation (Devices > Device query > Query with Copilot).

Once you have the results, you can export to a .csv to use elsewhere like sharing to the team handling procurement and hardware lifecycle management.

Figure 17. Export device query results (Devices > Device Query > Run query > Export).

Now that you have your list of devices, what if you need even more detailed information?

Granular details from enhanced device timeline and Device query

With the results from Figure 15, you were able to find a device with high battery cycles and a relatively old processor. At first glance this is a great candidate for replacement.

With Advanced Analytics, you can explore further by navigating to Devices > Windows select a device and leverage the enhanced device timeline and Device query capabilities.

The enhanced device timeline shows a 30-day history of events that occurred on a specific device including details on app crashes, unresponsive apps, device boots, device logons, and anomaly detected events:

Figure 18. Device timeline pane showing multiple app crashes over the past two days (Devices > Windows > select device > User experience > Device timeline).

From here, you have a much better and direct understanding of how a user’s device is performing. If a user frequently sees unresponsive apps, you are now reasonably confident that you’ve found a device worthy of further troubleshooting or replacement.

Device query for a single device, on the other hand, let’s you investigate even further and query the device for real-time data such as Windows Event Log Events, Registry configuration, or Bios details. For the full list of properties refer to Intune data platform schema.

Figure 19. Device query for a single device, returning process details (Devices > Windows > select device > Device query).

With Device query and the enhanced device timeline, you can get all of the granular information needed to make informed decisions about a device.

Find additional scenarios with anomaly detection

Don’t have a specific goal or unsure of what needs to be resolved? Want to proactively address issues before users start reporting them? Use the Anomalies tab to identify deviations from normal behavior across your environment, such as a spike in application crashes.

Figure 20. Anomalies tab showing multiple high severity detections (Reports > Endpoint Analytics > Overview > Anomalies).

With the other capabilities provided by Advanced Analytics, you can investigate anomalies in several ways. To start, each anomaly provides a list of affected devices. By clicking through each of these devices, you can use Device query or the enhanced device timeline to get detailed information needed to troubleshoot properly.

Figure 21. Anomaly detection report detailing affected devices (Reports > Endpoint Analytics > Overview > Anomalies > select affected devices).

Medium and high severity anomalies include device correlation groups based on one or more shared attributes such as app version, driver update, OS version, and device model.

Figure 22. Anomaly detection report detailing behavior and impact (Reports > Endpoint Analytics > Overview > Anomalies > select anomaly title).

To investigate further, you could create a new custom device scope to recalculate the Endpoint analytics reports for affected devices, use the Resource performance report, or even the Battery health report if that is seemingly causing issues.

While a common approach for organizations is an internal initiative that drives an investigation into analytics reports, anomaly detection is certainly a great starting point as well for improving user experience.

What’s next

Advanced Analytics is continuing to evolve with new capabilities to give you the insights you need on the user device experience. Stay tuned for further blog posts around additional Advanced Analytics and Intune reporting capabilities.

If you have any questions or want to share how you’re using Advanced Analytics in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune!

From the frontlines: Delivering critical early responder device management

Intune_Support_Team — Tue, 30 Sep 2025 16:12:21 GMT

By: Catarina Rodrigues – Product Manager 2 | Microsoft Intune

In high-stakes environments like emergency response, speed, accuracy, and security are essential. Whether it’s paramedics delivering life-saving care or police officers responding to critical incidents, frontline teams need real-time access to information—right where the action is. To meet these demands, emergency services are increasingly deploying mobile devices, paired with advanced device management solutions, to empower their teams in the field.

I’m Catarina Rodrigues, a Product Manager in the Microsoft Intune team, and in this blog of the “From the Frontlines” series, I’ll share my experience working with emergency services, exploring how to deploy and manage iPads and Android tablets using Intune. For more information refer to: Frontline worker device management overview in Microsoft Intune.

Shared iPads in ambulances

Ambulances operate around the clock, often with rotating crews. To ensure seamless and secure access to clinical apps, maps, and emergency protocols, organizations are increasingly often equipping vehicles with iPads that are prepared to be shared by personnel working shift.

There are different ways to support Apple devices for frontline scenarios depending on the requirements. Shared iPad mode is recommended for shared use of iPads; it creates multiple user partitions, making it easy for several users to log in and access their applications and data according to their preferences. Intune together with Apple's Automated Device Enrollment (ADE) makes it simple to address this scenario seamlessly, enabling zero-touch provisioning and device supervision for additional security configurations.

Below is an ADE enrollment profile configured to setup devices as Shared iPads:

User affinity: Enroll without User Affinity
Supervised: Yes
Locked enrollment: Yes
Shared iPad: Yes

You can then configure the number of maximum cached users and inactivity settings for these profiles, as needed.

Once iPads are enrolled and functional, users will be able to setup their profiles, where they’ll have access to the applications and data according to their permissions. Once their profiles are setup, users can see them in the login screen, as they will be available for them to login again in the future.

Benefits of Shared iPad with ADE for IT admins and frontline workers

Zero-touch deployment: Devices are automatically enrolled and configured via Apple’s Automated Device Enrollment (ADE), reducing manual setup and ensuring consistency across the fleet.
Targeted assignment: Enables IT admins to permanently assign an iPad to a specific ambulance, streamlining shift handovers and ensuring paramedics always have access to the right tools.
Persistent configuration: Shared iPad can cache up to 100 user profiles (24 recommended on a 32 or 64 GB iPad), ensuring device settings and apps remain consistent and reducing login friction.
Enhanced security and compliance: While these devices are shared, device-level management and app protection policies keep sensitive data secure and encrypted.
Remote actions and support: IT teams can monitor, lock, or wipe devices remotely through Intune, with supervision mode enabling deeper administrative controls, such as Lost Mode and Locate Device.

This setup gives paramedics immediate access to clinical apps, maps, and protocols and all information they might need to access or share without compromising security or adding friction to their workflow.

Fully managed Android tablets for police

For police departments, data sensitivity is paramount. Officers need access to real-time intelligence, case files, and communication tools without risking exposure of confidential information. While there are other options to enroll Android devices in Intune (you can see an overview here), setting up corporate-owned, fully-managed Android tablets with Intune can deliver the data protection and device lock-down that police departments need, while ensuring police officers remain productive. Users won’t be able to change pre-defined configurations and install applications from the public store. These devices are associated with a single user, in this case a police officer, as they aren’t intended for shared use. To ensure minimal disruption in the working day of these users, IT admins can use device staging to decrease the number of steps needed to enroll a brand-new device and get it to a functional state.

Device staging

Device staging is designed to simplify and accelerate the deployment of corporate-owned, fully managed Android devices—especially in high-stakes environments. Instead of requiring police officers to navigate a lengthy setup process, IT teams or authorized third-party vendors pre-configure the devices using a secure enrollment token generated in the Intune admin center. This token allows the device enrollment and provisioning without needing the officer’s credentials, ensuring that critical apps, such as Intune and Microsoft Authenticator, are installed and ready before the device is even handed over.

When the officer powers on the device for the first time, they simply sign in to the Intune app, and the device completes its configuration, applying all necessary policies and security settings (see image below). This approach not only saves valuable time during rollouts but also ensures that every police officer receives a consistent, secure, and fully operational device from the moment they turn it on—an essential advantage when reliability and speed are crucial.

In the picture below, you see the steps users go through to complete enrollment which requires authentication using the Intune application, so that apps and policies assigned to that user identity are applied.

Microsoft Intune and Android Enterprise corporate-owned, fully managed enrollment

To enable device staging, IT sets up an Android Enterprise enrollment profile, with a token associated that has a configurable expiry date, up to 65 years in the future. This token can be revoked any time as needed. In addition, IT can also apply a device naming template to all the devices that are enrolled under the same profile, making it easier to identify and group devices by police station, department, or region. You can check the supported strings for this device naming template here.

Below you can see an example of an enrollment profile configured with the following parameters:

Token type: Corporate-owned, fully managed, via staging
Apply device name template: Yes
Device name template: {{SERIAL}}

Benefits of corporate-owned, fully managed, via staging for IT admins and frontline workers

End-to-end control and security: IT admins retains full control over the device lifecycle—from provisioning to retirement—ensuring that only approved apps, settings, and security policies are applied and maintained throughout use.
Simplified, secure user experience with Managed Home Screen: Managed Home Screen provides a locked-down, customizable launcher that ensures users access only approved apps and settings. This minimizes distractions, enhances security, and delivers a consistent, role-based experience across all devices—ideal for high-stakes field environments.
Faster, frictionless rollouts: Device staging eliminates the need for users to complete complex setup steps. Devices arrive pre-enrolled and pre-configured, so users can simply sign in and start working immediately.
Consistent, compliant configuration: Every device is enrolled with the same baseline—apps, policies, and restrictions—ensuring compliance with organizational standards and reducing variability in the field.
Reduced IT overhead: By shifting setup responsibilities to staging teams or vendors, IT departments can scale deployments without increasing support load or requiring one-on-one onboarding.
Operational readiness from day one: Users receive devices that are mission-ready, with secure access to critical apps like dispatch systems, communication tools, and field data—right out of the box.

This setup gives officers the tools they need while maintaining operational integrity and data confidentiality.

Summary

This blog post explored how to securely manage devices used by emergency services teams. These examples are applicable to other scenarios where workers need to access confidential, sensitive information while in the field. I hope this blog inspires you to try these methods and look forward to answering questions in the comments.

Please refer to the documentation here for more guidance:

For information on how to support Apple devices in the frontline refer to: Get started with iOS/iPadOS frontline worker devices.
For information on how to set up Shared iPad refer to: Shared iPad devices.
For information on how to support Android devices in the frontline refer to: Get started with Android frontline worker devices.
For information on how to set up corporate-owned, fully managed Android devices refer to: Set up enrollment for Android Enterprise fully managed devices.
If you'd like to learn more about incorporating device staging to reduce user steps during enrollment see: Device staging overview.
To ensure your organization can navigate modern security challenges following Microsoft's Zero Trust approach see: Zero Trust security strategy.

As always, if you have any questions let us know in the comments or reach out to us on X @IntuneSuppTeam or @MSIntune!

Deep dive into Windows Autopilot device preparation: How to deploy and when to use it

Intune_Support_Team — Wed, 15 Oct 2025 20:58:29 GMT

By: Maggie Dakeva - Sr. Product Manager | Microsoft Intune

Provisioning devices at scale used to be complex and time-consuming, especially with today’s remote and hybrid work models. Windows Autopilot and Windows Autopilot device preparation simplify and secure the process, helping IT teams deliver ready-to-go devices with minimal touch. Understanding the differences between the two helps organizations choose the right approach for device lifecycle and deployment strategy.

Understanding Windows Autopilot device preparation

Windows Autopilot device preparation is a next-generation provisioning solution designed to simplify IT setup, improve reliability during device provisioning and provide better reporting and troubleshooting capabilities. While Windows Autopilot has long empowered organizations to automate device setup, Windows Autopilot device preparation introduces significant improvements in consistency, real-time visibility, and flexibility for device management.

Key benefits of Windows Autopilot device preparation

Simpler setup: Configure a single device provisioning policy that includes both Windows deployment configuration and out-of-box experience (OOBE) settings.
Consistent and reliable provisioning experience: Windows Autopilot device preparation removes most of the complexity and unpredictability from device deployments, ensuring better workload coordination.
Enrollment time grouping: Allows granular targeting of unregistered devices, reduces the complexity of dynamic group management and latency, and avoids conflicts due to group membership calculations during provisioning.
Near real-time reporting: IT admins can review detailed status of each configured app and script in addition to overall status, speeding up issue resolution and unblocking user productivity.

Windows Autopilot vs Windows Autopilot device preparation

Many customers wonder when they should use Windows Autopilot and when to use Windows Autopilot device preparation. The key difference is in their supported provisioning modes and requirements:

Windows Autopilot: Best suited for organizations needing advanced customization, multiple device type support, and hybrid join scenarios. Requires device registration and delivers configurations both during device and user phases.
Windows Autopilot device preparation: Designed for rapid, Microsoft Entra joined deployments without the need for Windows Autopilot registration. Focuses on device-based targeting during OOBE and can deliver both apps and scripts, with enhanced troubleshooting and reporting capabilities.

For a detailed comparison, review Compare Windows Autopilot solutions.

Use Windows Autopilot device preparation if:

You haven’t deployed Windows Autopilot before or are looking to simplify your deployment process.
Your organization will use a user-driven flow where each user will set up their device.
Your organization is transitioning to cloud-native (Microsoft Entra joined) devices or Windows 11.
Your organization is deploying Windows 365 Frontline devices.
You want to avoid managing Windows Autopilot registration and the complexities it brings during the device lifecycle and repairs.
Your organization needs to deploy devices in sovereign clouds (GCCH, 21Vianet in China).
You’d like better visibility into the provisioning experience with a more detailed report.

Use Windows Autopilot if:

Your organization requires pre-provisioning (device is prepared by technician) or self-deploying (shared device) flow.
Your organization requires Windows Autopilot registration or the features it provides, such as hiding OOBE pages and renaming devices before enrollment, and device firmware configuration interface (DFCI).

Device setup flow step-by-step

Understanding the device preparation flow is key to leveraging this method effectively. Here’s an overview of the typical device journey:

Overview of all steps of device preparation, described in detail below.

Intune setup: You’d need to create a new device security group (steps) and a Device preparation policy in Intune where you include the group. Devices will receive configuration from that security group and will automatically be added to it during provisioning.
Physical device setup: Windows Autopilot device preparation requires Windows 11 devices which are not registered for Windows Autopilot and supports only Microsoft Entra joined (cloud-native) deployments. You should always start with a clean image, pre-loaded with drivers.
OOBE flow: User authenticates with their Microsoft Entra credentials.
Enrollment: Device automatically Microsoft Entra-joins and enrolls in Intune.
Windows backup (optional): If Windows Backup for organizations is configured for this user, they will see a page with options to restore user settings from previous device.
Device preparation setup: Next, the Intune Management Extension is installed, then the bootstrapper agent which controls the provisioning process, and the device syncs with the mobile device management service (Intune).).
Enrollment time grouping: After the device joins Microsoft Entra and enrolls in Intune, Windows Autopilot looks up the configuration assigned to the security group set for enrollment time grouping.
Policy installation: Intune policies, line-of-business (LOB) apps, and Microsoft 365 apps are delivered to the device. If any LOB or Microsoft 365 apps are selected in the device preparation policy Windows Autopilot will ensure they deliver successfully before continuing to the next step.
Script installation: PowerShell scripts selected in the device preparation policy are delivered. If successful, provisioning continues to the next step. Remediation and custom compliance scripts are not yet available.
App installation: Win32, Microsoft Store, and Enterprise App Catalog apps selected in the device preparation policy are installed. If successful, provisioning continues. Apps must also be targeted to the device security group configured during step 1.
Reboot: If needed, a coalesced reboot will be triggered prior to moving to the desktop.
Device preparation completes: The device completes the Windows Autopilot device preparation setup, user is informed that Required setup is complete. After the device preparation setup is completed, the user may receive a cumulative Windows update at the end of OOBE (learn more) and then set up Windows Hello for Business.
Desktop: The user proceeds to the desktop where additional Intune configuration which was not selected in the device preparation policy may be applied.

Best practices for Windows Autopilot device preparation

To maximize the benefits of Windows Autopilot device preparation, organizations should follow these best practices:

Define clear security groups: Create a dedicated device security group in Microsoft Entra and assign the Intune Provisioning Client service principal as the group owner. This step is critical for profile assignment and app delivery.
Use policies strategically: Windows Autopilot device preparation policies control the configuration of devices during OOBE. Carefully curate the list of critical apps and scripts, leaving additional configuration to deploy at the desktop. This will ensure an optimal user experience during OOBE.
Use device-based apps: Assign apps to the device security group and configure them to install in the system context for successful deployment during OOBE.
Manage timeout values: Review and adjust timeout settings in the device prep policy to ensure deployments don’t fail due to time constraints.
Start troubleshooting by reviewing the report: Use the Windows Autopilot device preparation deployment report in Intune’s “Monitor” section for near real-time insights into deployment progress and to quickly spot any issues.

Common issues and troubleshooting tips

Even with the best planning, device preparation may encounter roadblocks. Here are some of the most frequently reported issues and strategies for addressing them:

Device enrollment failures

Blocked by enrollment restrictions: If corporate identifiers aren’t uploaded, devices may fail to enroll. Ensure these identifiers are added as required.
Unsupported OS Version: Devices with incompatible OS versions will not appear in the device preparation deployment report and won’t display the device preparation page in OOBE. They may get the Enrollment status page, if configured for All users and all devices, or proceed straight to the Privacy settings page.
Previously registered devices: If a device is already registered for Windows Autopilot, it can’t go through device preparation. Confirm that the registration is removed before deploying with Windows Autopilot device preparation.

Application and script deployment issues

App detection rules: Always review Win32 app detection rules and the Apps report in Intune. Inaccurate detection logic can cause apps to fail deployment. This is one of the most common issues causing deployment failures.
Network constraints: Proxy settings, VPN clients, and Wi-Fi profile configurations may cause network instability if applied during the provisioning process. In addition, Delivery Optimization failures (often caused by network issues) can impede downloading app content. Review network setup and ensure reliable connectivity during the provisioning process.
Script execution testing: Execute PowerShell scripts outside of Autopilot to ensure they work independently before inclusion in device preparation policies.
Managed installer issues: If Managed Installer policy is enabled for your tenant, Win32 and Microsoft Store apps are skipped. This will be addressed in a future release. Monitor announcements on What's new in Windows Autopilot device preparation | Microsoft Learn.
Targeting and context: Make sure apps are set to install in the system context and targeted to the device security group specified in the device preparation policy.

Deployment timeout: If a device preparation deployment fails due to timeout, compare the timeout value in the device preparation policy with the actual deployment time reported and adjust as needed.

Conclusion

Windows Autopilot device preparation marks a significant evolution in Windows device provisioning, offering IT admins a predictable, flexible, and transparent deployment framework. By following the best practices outlined above and leveraging the robust troubleshooting features built in, organizations can minimize deployment headaches and ensure users can provision their devices and become productive as quickly as possible.

FAQ

Are corporate identifiers the new registration?

Corporate identifiers aren’t a replacement for Windows Autopilot registration. They’re needed for organizations that block personal devices and to ensure only trusted devices can be enrolled in your tenant.

How do I move from Windows Autopilot to Autopilot device preparation?

You’d need to follow these steps:

Create an assigned device security group and make sure all configurations are assigned to it.
Create a new device preparation profile and assign it to your users.
Deregister all devices from Windows Autopilot.
Reset all devices.

Note that some advanced scenarios aren’t yet available for Windows Autopilot device preparation but may be available in the future.

Resources

For more details, including updates and a full list of known policies or issues, review the Microsoft documentation below:

As always, if you have any questions let us know in the comments or reach out to us on X @IntuneSuppTeam or @MSIntune!

Day zero support for iOS/iPadOS and macOS 26

Intune_Support_Team — Wed, 15 Oct 2025 21:15:08 GMT

With Apple's release of iOS/iPadOS and macOS 26 Tahoe, we’ve been working hard to ensure that Microsoft Intune provides day zero support for Apple’s latest operating systems (OS) so that existing features work as expected.

We’ll continue to upgrade our service and release new capabilities that integrate elements of the new OS versions.

New settings

With continued investments in the Intune data-driven infrastructure that powers the settings catalog, we’re able to provide day zero support for new OS settings as they’re released by Apple. The settings catalog has been updated to support newly released iOS/iPadOS and macOS settings for both declarative device management (DDM) and mobile device management (MDM) to empower your IT teams to have devices ready on day zero. New settings include:

Audio Accessory Settings

Configure temporary pairing behavior for AirPods and Beats audio accessories. Located under the Declarative Device Management (DDM) category.

Temporary Pairing Disabled
Temporary Pairing Unpairing Time
Unpairing Policy
Unpairing Hour

Safari Settings

Customize the Safari browsing experience. Located under the Declarative Device Management (DDM) category.

Accept Cookies
Allow Disabling Fraud Warning
Allow History Clearing
Allow JavaScript
Allow Private Browsing
Allow Popups
Allow Summary
Page Type
Homepage URL
Extension Identifier

Restrictions

Restrict specific features on devices. Located under the Restrictions category.

Allow Safari History Clearing
Allow Safari Private Browsing
Allowed Camera Restriction Bundle IDs
Denied ICCIDs For iMessage And FaceTime
Denied ICCIDs For RCS

Default Applications

Restrict modifications to the default calling and messaging apps. Located under the Managed Settings category.

Calling
Messaging

Web Content Filter

Configure Safari History behavior when using content filtering. Located under the Web Content Filter category.

Safari History Retention Enabled

More information on configuring these new settings using the settings catalog can be found at Create a policy using settings catalog in Microsoft Intune.

Intune Company Portal support for improved Purebred derived credentials flow

With iOS 26, Purebred (version 3) is supporting a new and improved derived credentials user experience. As part of Intune’s day zero support, the Intune Company Portal for iOS/iPadOS will support Purebred's new experience.

If your organization continues to use an older version of Purebred, there will be no changes to your Purebred and Company Portal derived credentials experience. If your organization is planning on upgrading to the new version of Purebred, be sure you have the latest Company Portal version (v5.2509.0).

Support statement for “supported” versus “allowed” versions for user-less Apple devices

As new operating system updates are released throughout the year by Apple, Intune plans to support critical functionality that comes with each new OS version. With the release of iOS/iPadOS and macOS 26, we’ll continue with our existing model for enrolling user-less devices for supported and allowed OS versions to keep enrolled devices secure and efficient.

This includes devices enrolling without user affinity (user-less devices), such as shared iPads and devices enrolling through Automated Device Enrollment (ADE) without user affinity. We highly recommend updating your organization’s devices to the most recent Apple OS version publicly available to keep your devices secure and up to date.

Supported OS versions means that user-less devices running the three most recent iOS/iPadOS versions will be fully supported by Intune. Devices running iOS/iPadOS 26.x, 18.x, and 17.x can enroll and take advantage of all Intune MDM functionality that is applicable to user-less devices, and all new eligible features will work on these devices.

Allowed OS versions means that user-less devices running a non-supported iOS/iPadOS version (within three versions of the supported versions) will be able to enroll and take advantage of Intune’s eligible features supported by the MDM protocol but doesn’t guarantee that there won’t be breaking OS features, bugs, or issues. Devices enrolled with user affinity or apps that rely on user sign-in will continue to not be supported.

User-less enrollment and feature support

	Supported	Allowed
Applicable Versions	Three most recent versions (N-2): iOS/iPadOS 17.x and later macOS 14.x and later	Up to three versions below the supported version (N-5): iOS/iPadOS 15.x and later macOS 12.x and later
Can enroll	Yes	Yes
User-less eligible Intune MDM Features	Yes	Yes. May be impacted by breaking OS features, bugs, or issues.
User affinity enrollment	Yes	No
Apps that require user sign-in	Yes	No

For more details review the blog: Support statement for supported versus allowed versions for user-less Apple devices: Support statement for supported versus allowed versions for user-less Apple devices.

If you have any questions or feedback, leave a comment on this post or reach out on X @IntuneSuppTeam. Stay tuned to What’s new in Intune for additional settings and capabilities that will soon be available.

Known Issues

We’ve received reports that devices configured using the App Lock (also known as Kiosk mode in Intune located under Device configuration > Templates > Device restrictions) may be unable to unlock from the lock screen after upgrading to iOS/iPadOS 26.

To work around this issue, you can turn the screen off and back on, then enter the passcode to get access to the home screen. We’re working with Apple on a resolution and will update this blog as soon as more information becomes available.

Post updates:
10/15/25: Added a 'Known Issues' section, and a details on a current known issue about the App Lock scenario.

Support tip: Upcoming Microsoft Intune network changes

Intune_Support_Team — Wed, 18 Mar 2026 21:50:47 GMT

3/18/2026 Update: The rollout of the Intune network changes described in this blog are in progress across each workload. Additionally, we are beginning to slowly rollout to each scale unit starting with North America 0702. You can find your scale unit location under Tenant administration > Tenant status > Tenant details. To avoid issues or failures with your device management, ensure your network infrastructure allows traffic for Azure Front Door IP addresses. See the details below to verify if your configuration requires an update and use the Azure Front Door Connectivity Diagnostics Tool to validate or troubleshoot.

We know many customers don’t always check their service change messages in the Microsoft 365 admin center or the corresponding Message Center content in the Microsoft Intune admin center, so in this blog post we’re highlighting an important upcoming change to Intune network service endpoints. Starting on or shortly after December 2, 2025, Intune will also use Azure Front Door IP addresses to improve security and simplify firewall management.

If your organization uses outbound traffic policies based on IP addresses or service tags, you’ll want to review and update your firewall rules to avoid service disruptions.

We’ll keep you updated if the timeline shifts. In the meantime, here’s the service change communication that posted to all Intune customers:

MC1147982 - Action Required: Update firewall configurations to include new Intune network endpoints

As part of Microsoft’s ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use Azure Front Door IP addresses. This improvement supports better alignment with modern security practices and over time will make it easier for organizations using multiple Microsoft products to manage and maintain their firewall configurations. As a result, customers may be required to add these network (firewall) configurations in third-party applications to enable proper function of Intune device and app management. This change will affect customers using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags.

Do not remove any existing network endpoints required for Microsoft Intune. Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below:

- - Public clouds: Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center
  - Government clouds: Download Azure IP Ranges and Service Tags – US Government Cloud from Official Microsoft Download Center

The additional ranges are those listed in the JSON files linked above and can be found by searching for “AzureFrontDoor.MicrosoftSecurity”.

How this will affect your organization

If you have configured an outbound traffic policy for Intune IP address ranges or Azure service tags for your firewalls, routers, proxy servers, client-based firewalls, VPN or network security groups, you will need to update them to include the new Azure Front Door ranges with the “AzureFrontDoor.MicrosoftSecurity” tag.

Intune requires internet access for devices under Intune management, whether for mobile device management or mobile application management. If your outbound traffic policy doesn’t include the new Azure Front Door IP address ranges, users may face login issues, devices might lose connectivity with Intune, and access to apps like the Intune Company Portal or those protected by app protection policies could be disrupted.

What you need to do to prepare

Ensure that your firewall rules are updated and added to your firewall’s allowlist with the additional IP addresses documented under Azure Front Door by December 2, 2025.

Alternatively, you may add the service tag “AzureFrontDoor.MicrosoftSecurity” to your firewall rules to allow outbound traffic on port 443 for the addresses in the tag.

If you are not the IT admin who can make this change, notify your networking team. If you are responsible for configuring internet traffic, refer to the following documentation for more details:

If you have a helpdesk, inform them about this upcoming change. If you need additional assistance, contact Microsoft Intune Support and refer to this Message Center post.

Note: The above post went to all customers in our public cloud. Customers in Microsoft Intune for US Government GCC High and DoD received the following post (the only difference is the focus on US government network endpoints):

MC1147978 - Action Required: Update firewall configurations to include additional Intune network endpoints

Note: The previously available PowerShell scripts for retrieving Microsoft Intune endpoint IP addresses and FQDNs no longer returns accurate data from the Office 365 Endpoint service. Instead, use the consolidated list provided in the Intune endpoints documentation. Using the original scripts or endpoint lists from the Office 365 Endpoint service is insufficient and may lead to incorrect configurations.

For network best practices, make sure to check out the blog: Support tip: Aligning network policy with Intune and Zero Trust.

New: Azure Front Door Connectivity Diagnostics Tool for Intune

To help you validate or troubleshoot the recent Intune network changes, we’ve published a lightweight Azure Front Door (AFD) Connectivity Diagnostics Tool. The script tests DNS resolution, outbound TCP connectivity on ports 80 and 443, and HTTPS reachability to the AFD IP ranges used by Intune, directly from an Intune-managed device. This is useful for environments that rely on IP-based firewall, proxy, or VPN rules.

Important: This script only tests Azure Front Door endpoints. It does not validate connectivity to non-AFD Intune endpoints, including existing Intune IPs, service FQDNs, or related services such as Windows Notification Service (WNS) or Windows Autopilot.

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.

Post updates:
11/13/25: Added a note to use the consolidated list of Intune endpoints.
12/18/25: We’ve published a new Azure Front Door (AFD) Connectivity Diagnostics Tool to help validate and troubleshoot Intune connectivity after updating firewall rules.

Intune Customer Success articles

Unpacking Endpoint Management is back - and we’ve got a lot to talk about

A quick update on the hosts

What’s coming up

What’s the format?

How do I join?

Help shape the series

As vulnerability discovery moves at AI speed, keeping current is foundational to reduce exposure

Introducing the security update status dashboard in Microsoft Intune

Four ways to shrink your vulnerability window

1) Windows Autopatch: deploy updates at scale with control

2) Hotpatch updates: Windows updates without the reboot

3) Microsoft 365 Apps patching: keep Office and other apps current in lockstep

4) Server updates: Configuration Manager or Azure Arc to accelerate compliance and operational workloads

Using update currency as an enforcement signal

Actions you can take today

Closing

Migrating Frontline Mobile Devices: Understanding the reality of your estate

Start with what devices need to do

Understand how devices are used in practice

Ground plans in device inventory

What we’ve learned

Create historical reports using Azure Log Analytics and Microsoft Intune diagnostic data

Migrating frontline mobile devices: A frontline-first approach to moving to Microsoft Intune

Why failures hurt more on the frontline

Why mobile frontline device migrations are different

A migration is a design moment, not just a technical step

Understand your estate before designing the migration

Plan for identity – even if devices don’t use it today

What’s coming next in the series

Best practices for securing Microsoft Intune

1) Start with least-privilege: design roles around real admin jobs

2) Embrace phishing-resistant authentication and privileged access hygiene

3) Multi-admin approval in Intune for sensitive changes

How these measures add up to strong administrative protections

Rethinking “Allow my organization to manage my device” Why opt‑in enrollment works better for Intune

Recommended best practice

Why this matters

How the modern app sign in enrollment flow works

What the new toggle changes

Allowing enrollment versus forcing enrollment

Security and governance benefits

When to use the default behavior

Summary

How to enable HTTPS support for Microsoft Connected Cache for Enterprise and Education

Step-by-step: Enabling HTTPS support

Before you start

1. Generate a CSR

2. Sign the CSR

3. Import the certificate back to Microsoft Connected Cache

Troubleshooting

Validating HTTPS support end-to-end

On your Microsoft Connected Cache server

On your client device

Known issues with HTTPS Support Configuration

Enabling HTTPS support on Linux hosts

Maintaining your HTTPS configuration

Monitoring

Renewal

Summary

FAQs

Support tip: Resolve device noncompliance with Mobile Threat Defense partner apps

Prerequisites

iOS/iPadOS: Enable simplified remediation for users

Android: Refresh the MTD connection when sign‑out is blocked

Related articles

Intune my Macs: Accelerating macOS proof of concepts with Microsoft Intune

What is Intune my Macs?

See it in action

Why would you use it?

1. Jumpstart your macOS management

2. Learn by example

3. Reduce time to value

How it works

Bonus: Utility tools

Summary

Resources

Debunking the myth: Cloud-native Windows devices and access to on-premises resources

Myth vs reality

Introduction