Microsoft Intune Blog articles

Microsoft Intune announces Android Enterprise management support for Android XR

Priya_Ravichandran — Tue, 07 Apr 2026 17:29:21 GMT

Microsoft Intune now supports the Android XR platform, including management of the Samsung Galaxy XR headset, which is built on Android XR platform. This means that IT admins can begin evaluating and deploying Android XR devices using familiar Intune management capabilities, building on the Android Enterprise security foundation they already have.

With the April Android XR release, Intune will support core Android Enterprise management scenarios on Android XR devices. This means IT admins can start evaluating and deploying XR devices using existing enrollment, policy, and app management workflows, while planning ahead for more advanced scenarios as the platform matures. This release reflects close collaboration between Microsoft, Google, and Samsung, and extends familiar Intune and Android Enterprise enrollment, policy, and app management capabilities to Android XR, starting with a strong foundational set of features.

Android XR devices will be managed in Intune as specialty devices, consistent with other immersive and purpose-built form factors. This is currently tied to the Intune Plan 2 SKU. Availability within Windows 365 E3 and E5 licenses is planned for later in 2026. You can check the Intune licensing documentation for current details.

What is supported in Intune

With this release, IT admins can now manage their Android XR based devices in Intune with the following capabilities:

Android Enterprise enrollment and baseline management
Devices can enroll using supported Android Enterprise flows for Fully Managed and Dedicated devices and receive policies as expected.
App deployment with Managed Google Play
Admins can distribute and manage approved applications through Managed Google Play.
Security and compliance policies
Core Android Enterprise security and compliance settings will be supported, subject to Android XR platform constraints.
Visibility in the Intune admin center
Android XR devices appear in the Intune console and can be monitored and managed alongside other Android endpoints.

These capabilities enable organizations to begin testing and deploying Android XR for user-assigned and managed scenarios where foundational device and app management are required.

What is not supported

The following capabilities are not supported with this platform release:

Lock task (kiosk) mode
Lock task mode—whether for 2D or 3D apps—will not be supported in Intune with the initial Android XR release. This means kiosk scenarios will not be supported at this time, even though assigning policy is not blocked.
Custom launchers and Managed Home Screen
Custom launcher experiences, including Managed Home Screen, will not be supported.
OEMConfig and OEM‑specific extensions
Android XR devices do not have support for OEMConfig. As a result, OEM-specific management extensions (including Knox‑based APIs) are unavailable.
Intune Remote Help
Intune Remote Help capabilities will not be available for Android XR with this latest release. On Samsung devices, Remote Help relies on Knox APIs, which are not present in Android XR at launch. These exclusions reflect the current state of the Android XR platform. As the platform matures and new capabilities become available, we anticipate opportunities to expand Intune's management coverage accordingly.

Next steps

Android XR is a new platform with an evolving management and validation model. As Android XR matures, Microsoft Intune intends to align with new platform management capabilities as they become available. Updates will be communicated through Intune release notes, documentation, and future blog posts.

For now, you can begin testing enrollment, policy application, and app deployment with Intune, while planning for kiosk, launcher, and remote support scenarios as future platform updates roll out.

We look forward to supporting customers as Android XR evolves and becomes part of the modern endpoint landscape.

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.

Windows 365 + Intune Advanced Endpoint Management Capabilities: Better Together

tanialima — Thu, 02 Apr 2026 16:00:00 GMT

Overview

Windows 365 and Microsoft Intune form a tightly integrated solution for modern endpoint management. With Windows 365 delivering secure Cloud PCs (full Windows desktops hosted in the Microsoft cloud) and Intune’s recently extended advanced endpoint management capabilities, organizations can manage Cloud PCs and physical devices side-by-side in a single view. This “better together” approach helps IT teams enforce consistent security and compliance policies across all endpoints following Zero Trust principles while improving the user experience.

Key technical integration highlights

Before exploring the specific advantages that Intune features bring to Windows 365 Cloud PCs, let’s first outline some of the key overall advantages of the native integration between Windows 365 and Intune.

Unified Endpoint Management: Windows 365 Cloud PCs are managed directly through Microsoft Intune, appearing alongside standard Windows devices in the same cloud-based admin portal. This unified approach eliminates the need for separate Virtual Desktop Infrastructure (VDI) tools or infrastructure; instead, Microsoft hosts and manages the Cloud PC platform so that IT admins can easily provision, configure, and monitor both Cloud and physical PCs in one interface by simply assigning licenses and policies. As a result, device management is streamlined and complexity is reduced.

“Both the allocation and deletion of Windows 365 can be completed in just a few minutes using Microsoft Entra ID and Intune. It was exactly the same when we switched the environment to Windows 365 for employees participating in overseas projects. I did it while sitting in my seat at the office.” Shunsuke Hanano, Assistant Manager, IT Planning Group, Group IT Promotion Department, Avant Group Corporation

Identity & Zero Trust Security: Cloud PCs use Microsoft Entra ID (formerly Azure Active Directory) for authentication, allowing organizations to enforce Intune and Conditional Access policies, including multi-factor authentication and device compliance checks, before granting access to Cloud PCs. This ensures that only verified users on compliant devices can sign-in, supporting a Zero Trust security model. Integration with Microsoft Defender provides Cloud PCs with consistent security baselines, antivirus, and threat monitoring, just like physical endpoints.
Security & Compliance Policies: Intune treats Cloud PCs as equal to physical devices, applying security baselines, compliance policies, and updates consistently. It enforces requirements like up-to-date OS and antivirus, and monitors compliance—restricting access or prompting remediation if standards are not met. Cloud PCs send threat data to Microsoft Defender, integrating with company-wide security monitoring. Device compliance policies, configuration profiles, Windows Update rings, and application deployments are all uniformly managed through Intune, ensuring Cloud PCs meet the same security and update standards as other corporate devices.
Monitoring & Analytics: Through Endpoint Analytics in Intune, admins get deep visibility into Cloud PC performance and reliability. Intune reports can highlight whether a Cloud PC is under-resourced (e.g., frequent CPU or memory spikes) and recommend resizing that Cloud PC for better performance.

Now, let’s focus on each Intune advanced capability and how it can benefit Windows 365 users and admins. Intune Suite add-ons will soon be natively available within the E3/E5 Microsoft 365 offerings. Those add-ons are designed to work natively with Windows 365 too, using the same workflow as for physical devices

Coming to enterprise mobility and security E3 (Included in Microsoft 365 E3)

Remote Help (secure remote support): Allows IT to assist remote Cloud PC users in real time with secure, authenticated screen sharing/control. Both helper and user use corporate Entra ID accounts, preventing impersonation and non-compliant Cloud PCs trigger warnings so that issues are resolved safely. This also expedites troubleshooting and reduces downtime for distributed teams.
Advanced Endpoint Analytics: Provides deep insight into Cloud PC performance and user experience. Advanced Analytics through Intune identifies patterns like high CPU/RAM usage or slow boot times on Cloud PCs and offers recommendations to fix issues (such as resizing a Cloud PC’s resources). Anomaly detection proactively surfaces device health issues like app crashes, hangs, and Stop Error restarts early, preventing user impact and allowing IT admins to spot and proactively resolve problems, as well as compare Cloud PC health across models or against industry benchmarks, resulting in better reliability and happier users.

And coming into Microsoft 365 E5

Endpoint Privilege Management (EPM): Enables Cloud PC users to run with standard user rights (no local admin), improving security by minimizing privileges. Through EPM, specific tasks or apps can be elevated on demand via policy when needed, helping users stay productive (e.g., installing approved software) without permanent admin rights. Admins get full control and auditing of these elevations.

“With the introduction of Windows 365, we will eliminate administrative privileges as part of our security enhancements, and to do so, we are testing Microsoft Intune Endpoint Privilege Management. It will allow us to temporarily grant administrative privileges and install only specific applications.” Masahiro Kimura, Head of the OA and Communication Infrastructure Office, Network and OA Technology Department, Hino Motors

Cloud PKI: Enables an enterprise scale PKI to be deployed fully in the cloud, allowing for secure deployment of certificates to end user devices without the need for an on-premises network connection VPN or a traditional PKI infrastructure. This enables a move to modern management, both for Cloud PC’s and physical enterprise devices.
Enterprise App Management: Streamlines the entire application lifecycle for Windows 365 Cloud PCs. IT admins can use the Microsoft-hosted Enterprise App Catalog to easily deploy, update, and maintain essential Microsoft and third-party Win32 apps—removing the need for manual packaging and updates. This ensures Cloud PCs are provisioned with the necessary applications from the start and remain up to date without extra effort.

Conclusion and administrative benefits

For IT administrators, the “better together” solution of Windows 365 and Intune means simpler operations and more streamlined management. All endpoints, whether physical or Cloud PC, are handled with a common set of tools and processes, reducing the need for specialized expertise. Admins can provision or deprovision Cloud PCs quickly (no need to image devices or to maintain a complex VDI environment), and the unified policies in Intune ensure configuration drift is minimized. This integrated approach also means fewer vendors and agents to deal with: endpoint security, management, and virtualization all come from Microsoft, which improves reliability and support.

Many organizations are seeking to consolidate their security and endpoint tools to eliminate inefficiencies—and the Windows 365 + Intune combination is well-positioned to meet this need. In summary, Windows 365 and Intune provide a competitive edge: they simplify IT administration, strengthen security across all devices, and empower users—all within one holistic, cloud-first solution.

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.

What’s new in Microsoft Intune – March

ScottSawyer — Tue, 31 Mar 2026 18:00:00 GMT

In a typical week, IT admins are enrolling devices, deploying apps, enforcing policies, and making a hundred small decisions that keep their organizations running. This month’s updates focus on improving the experience around daily actions, compliance visibility, and management capabilities for Apple devices and mobile apps.

More timely notifications for Microsoft Intune

Intune sends notifications to devices when changes occur that require devices to check in. When those notifications are delayed, whether from devices being offline or in a particular state (network instability, low battery, etc.), the action can be delayed, and devices can miss the check in. Now, on Windows devices, we're complementing the Windows Notification Service (WNS) with the same notification protocol that powers Microsoft Teams to support more timely notification delivery that gives admins the traceability they need for troubleshooting.

We're introducing this functionality with Remote Help for Windows to help reduce the likelihood of stalled session starts when devices are online and reachable. We recommend updating firewall rules to include this new endpoint: *.trouter.communications.svc.cloud.microsoft. Stay informed about our progress by bookmarking the Intune Management Extension logs documentation and the Remote Help for Windows documentation.

New controls for role assignment, device setup, and update readiness

Scope tags are used by Intune to control resources that an administrator can act on in Microsoft Intune. When an admin holds multiple role assignments with different scope tags, those tags can be combined and grant more access than intended. A new de-union setting lets admins keep these scopes discrete and within the boundaries they define. This prevents a role assignment from expanding based on how they overlap with permissions.

Before enabling the capability, admins can use the new ‘Permissions assessment report’ to review how changes to roles and permission allocation will affect their IT team’s day-to-day operations, giving them the chance to plan and adjust before implementing changes. To get started configuring permissions behaviors, read our learn page on permission behavior across role assignments.

Turning to device setup, having to manually authorize each app before it can run can slow down deployment and create gaps that are hard to track. Managed installer policy helps address this by automatically marking apps deployed through Intune as authorized, removing the need to manually whitelist each app. This month, Managed installer policy now applies during Windows Autopilot device preparation, running during out-of-box experience (OOBE) so that Win32, Microsoft Store, and Enterprise App Catalog apps are trusted and available earlier in the setup experience, before the user reaches the desktop.

Beyond a great setup experience, the next job is keeping devices current. Windows Autopatch update readiness is now generally available to help just that. With four additional experiences that provide visibility of the status across their tenant, device-level details into the quality update process, centralized alerts with remediation guidance, and an Update Readiness Checker, admins gain tools intended to support a more proactive approach to update management. For the full story, the Windows IT Pro Blog has the complete announcement.

Management options to further protect Apple devices and apps

Intune's adoption of Apple's Declarative Device Management (DDM) protocol has moved quickly, from software update reporting and day zero configuration support to our most recent release of assignment filters. This month, DDM extends to line-of-business (LOB) apps on iOS and iPadOS devices. Until now, app install status was only reported once devices check in. With DDM-based LOB apps, devices proactively report installation status back to Intune as it changes.

This change represents progress toward broader DDM support within the apps infrastructure, with additional capabilities under consideration for future releases. To dive deeper into these topics, check out the Tech Takeoff session on iOS management at scale and the iOS line-of-business app documentation.

On Mac, admins previously had no MDM-based way to set a password on the recovery OS, leaving Apple Silicon devices with a potential exposure that could be difficult to address. With macOS Recovery lock, admins can now set that password directly, helping prevent users from booting into recovery mode to bypass security controls, and support both on-demand and scheduled password rotation. The March 2026 Tech Takeoff session on Apple device security best practices covers this in detail. With this improvement, Recovery Lock support in Intune helps organizations progress towards compliance with security baselines such as STIG, preventing users from booting into recovery mode to bypass security controls.

When I think of a month like this, I don't think about any one of those new capabilities in isolation. I think about the IT admins who have greater visibility into whether a device action reached its destination, or the help desk professionals who don't have to wonder whether a policy applied. It's not exactly headline grabbing, but it's exactly this kind of continuous improvement that makes for a strong foundation for our customers. That same idea holds whether we're talking about improvements aimed at supporting more reliable Windows device notifications, tighter permission boundaries, or Apple devices that are protected all the way down to its recovery partition. We'd love to hear what resonated most with you this month, so please leave a comment below.

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.

Secure apps: Where people, data, and AI intersect

Talal_Alqinawi — Fri, 20 Mar 2026 16:00:00 GMT

At RSAC, Microsoft is highlighting a foundational truth: more and more AI interactions—whether through Copilot, an agent, or an automated workflow—ultimately run through an application on a device. As organizations adopt more AI-driven workflows, the application layer is becoming an increasingly important enforcement point in modern security architecture.

Security teams are working to maintain visibility and control as new categories of software are introduced into the environment. When applications are unknown, outdated, over-privileged, or allowed to run without control, organizations may face increased risk of unauthorized access to sensitive data or systems. Maintaining visibility into the application estate and helping ensure that users primarily interact with approved and trusted applications has therefore become an important part of reducing risk.

Moving application management into cloud-native workflows can support cross-platform visibility and help organizations streamline how they manage their application estate. This strategy supports organization's ability to respond to vulnerabilities more quickly and apply security policies more consistently across their environment.

Microsoft Intune’s upcoming releases and recent updates strengthen how organizations secure the application layer across discovery, version control, privilege management, execution control, and data protection.

Upcoming releases include Intune enhanced app inventory, designed to gain visibility into your app estate across devices. Intune Enterprise Application Management auto-updates are designed to help reduce the time between new releases and deployment of business-critical apps. Expanded Endpoint Privilege Management capabilities help to further support least-privilege enforcement with improved approvals and reporting.

Recent releases strengthen both execution control and data protection through App Control for Business with managed installer and expanded app-level protection with Intune Application Protection Policies and Microsoft Edge for Business work profiles. Managed installer support now extends to Windows Autopilot device preparation, helping ensure applications deployed through trusted provisioning workflows are recognized by execution policies. Additionally, application migration partner motions also help organizations modernize and standardize their app estate.

Together, these capabilities help IT and security teams address application-based attack paths and support AI-driven work in a more controlled way, without disrupting productivity. Securing the application layer can benefit from a clearer risk-to-control chain that improves visibility into what’s installed and reduces the time older app versions remain in use. This approach also helps organizations limit unnecessary privileges, support trusted execution, and apply app-level data protection in scenarios when device management isn’t feasible.

The following scenarios demonstrate how Intune can help strengthen application security.

1. Reduce blind spots across the app estate installed on devices

A secure application strategy starts with understanding what is running across their device environment. Without reliable application intelligence, it is difficult to accurately assess exposure, prioritize remediation, or enforce policy consistently. Cloud-native endpoint management with Intune enables organizations to view their app estate across Windows, macOS, iOS, and Android devices, helping teams understand their broader application footprint.

Intune enhanced app inventory, generally available starting in May, is designed to provide richer and more current data for managed and user-installed Windows applications on Intune-enrolled devices. As Intune continues to expand app inventory, additional platforms and capabilities are expected to follow.

The improved app inventory experience is intended to help admins:

Help detect unexpected or risky applications more quickly through improved latency
Target investigations and remediation using added application attributes
Use fine-grained controls to choose which devices and app attributes are included in inventory
Access richer and more actionable reporting directly in the device blade

With clearer visibility into application presence and state, IT and SecOps teams can better target remediation of unauthorized, unmanaged, or unexpected applications—and in turn, scope policies more precisely, investigate incidents faster, and reduce application-based attack paths.

Figure 1 View from Intune app installer showing a list of installed applications, including version and date.

2. Keep applications current and reduce vulnerability exposure

Keeping applications up to date across devices is an important part of managing application risk. Manual packaging processes often lead to version drift and inconsistent application states, making it harder to remediate vulnerabilities and maintain a predictable security posture. Intune Enterprise Application Management (EAM) helps organizations move away from fragmented workflows to a more unified, cloud-native application lifecycle management approach—bringing deployments, updates, and policy enforcement together.

EAM auto-updates, generally available starting in July, streamline app packaging and keep applications up to date. EAM auto-updates help organizations deploy new application versions faster and shorten the time between updates and deployment. This approach can help reduce version drift and exposure to known vulnerabilities.

Figure 2 View of the Intune admin center showing how to apply auto‑updates for application management.

While auto-updates help shrink the vulnerability window and attack surface, vulnerability-driven remediation is still required to identify new risks. The Vulnerability Remediation Agent (part of Microsoft Security Copilot), in limited public preview, helps connect vulnerability intelligence with remediation actions. When vulnerable application versions are identified through Common Vulnerabilities and Exposures (CVEs), remediation suggestions can be surfaced in Intune and used to drive targeted remediations, helping IT admins respond more quickly when new vulnerabilities are discovered.

Script installer support for Enterprise Application Management and Win32 provides IT admins with greater customization and control over application installs and uninstalls, without relying solely on command-line logic or repackaging apps. By using script installer, admins can more effectively manage deployment complexities such as dependencies, configuration steps, and cleanup actions, while keeping installation logic easy to update as requirements change.

3. Replace standing admin rights with just-in-time elevation

Some applications and support tasks require elevated permissions to complete. When elevation is handled through broad local administrator rights, those permissions can extend beyond the intended task, creating opportunities for unwanted or untrusted processes to run with elevated privileges. These capabilities are intended to help admins manage elevation in complex environments while maintaining least-privilege access.

By June, a set of expanded Endpoint Privilege Management (EPM) capabilities are expected to be available in Intune, helping organizations move from standing administrator rights toward just-in-time elevation with more controlled and auditable workflows.

Recent EPM enhancements help improve how elevations are requested, approved, and reviewed:

Support approvals for non-primary users allows elevation requests on shared devices and helpdesk-managed scenarios without permanently expanding administrator access. Generally available starting in April.
Scope tag support for EPM reporting data allows elevation activity to be segmented across teams and administrative scopes. Generally available starting in June.

4. Enforce trusted application execution

Trusted applications can still be weaponized. Even widely deployed software can be exploited to launch unauthorized tools or run malicious code—which is why controlling what’s allowed to run is as important as controlling what gets installed. Deployment and update controls help standardize the application estate, but execution policies determine which applications can run on managed devices.

App Control for Business in Intune helps enforce trusted application execution on Windows devices by specifying which applications are allowed to run. Applications not permitted by these policies can be blocked, helping maintain a more controlled application environment.

Managed installer support in Intune helps simplify policy management by automatically identifying trusted applications deployed through Intune. Applications installed by Intune are allowed to run without requiring individual rules, helping admins maintain execution policies as the application estate evolves.

The managed installer policy is now also applied during Windows Autopilot device preparation before apps are installed, generally available starting in April. This update helps ensure that apps delivered during Autopilot device preparation are marked as trusted during provisioning. By aligning trusted deployment workflows with execution policy, organizations can support controlled application environments without introducing friction during device onboarding.

Figure 3 Intune's admin center via App Control for Business to begin configuring a policy from the managed installer.

Read moreabout App Control for Business and managed installer to help maintain a more predictable and policy-aligned application environment.

5. Protect corporate data at the app level

Work increasingly takes place on devices that an organization cannot enroll—agency-managed PCs, partner devices, and personal endpoints. In these scenarios, secure access to corporate resources is still required even when device-level controls cannot be applied.

Intune Application Protection Policies (APP) enable organizations to protect corporate data at the application layer without requiring device enrollment. APP helps enforce data protection controls—such as restricting copy and paste—to help maintain data boundaries between corporate and personal work.

New support for Microsoft Edge for Business work profiles on Windows PCs managed by another organization extends APP protection to browser-based work without creating tenant management conflicts. Recent Microsoft Entra sign-in improvements further help guide users into the intended app-protection experience and help prevent unintended device enrollment.

Read moreabout these enhancements and how Intune applies Zero Trust-aligned principles to the browser on externally managed Windows PCs.

Securing the application layer across the full lifecycle

The application layer has long been the center of work, and with the rise of AI, it’s rapidly becoming the center of decision-making as well. As organizations adopt Copilot and agents, it becomes an increasingly important enforcement point—and the place where the next wave of security investments need to land. Securing this layer requires applying consistent controls across visibility, updates, controlled privilege, trusted execution, and app-level data protection.

Intune is designed to help organizations secure the application layer end-to-end, across discovery, deployment, updates, privilege, execution, and data protection. As organizations modernize their app estates, moving them into cloud-native management can provide a foundation for more consistent visibility, streamlined remediation, and stronger security controls across the environment. By applying Zero Trust-aligned principles consistently throughout the application lifecycle, organizations can work to minimize application-related risks while enabling safer and more flexible ways of working.

To support these modernization efforts, application migration partners can work to transition existing applications into cloud-native Intune management by automating assessment, packaging conversion, and remediation. Bringing applications into Intune-managed workflows helps organizations identify potential Shadow IT, help strengthen their security posture, manage updates, apply privilege controls and enforce policies more consistently across the environment.

Here are the next steps to take toward securing the application layer:

Connect with Intune experts at the Microsoft Booth #5744 at RSA Conference, Moscone Center, March 23–26.
Move Windows app packaging and updates into cloud-native management
Learn how to apply Zero Trust principles to data within the applications
Migrate app management to Intune with partner assistance
Learn which Intune advanced solutions will be coming to the M365 E3 and E5 suites

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.

Announcing three new partners for multi-tenant management with Microsoft Intune

Lior_Bela — Tue, 17 Mar 2026 16:18:31 GMT

The challenge: Scaling Intune across customer environments

Managed service providers (MSPs) of all sizes are under pressure to manage an expanding portfolio of customer environments efficiently, securely, and profitably. Historically, MSPs have had to choose between building custom multi-tenant tooling or relying on third-party platforms that lack deep Microsoft integration. As client expectations rise and competitive pricing pressures intensify, MSPs need solutions that help them deliver more value from the Microsoft 365 investments their customers already have—investments that already include Microsoft Intune—without fragmenting data or security outside Microsoft's ecosystem.

Managing multiple tenants often means duplicating routine processes, reconciling policy inconsistencies, and navigating separate management portals. MSPs need centralized oversight across all tenants without sacrificing security, compliance, or operational efficiency. Microsoft Intune is the answer—and the right partner solutions make it scale.

The solution: Microsoft Intune, extended by validated partners

In September, we announced our collaboration with two leading multi-tenant management providers—inforcer and Nerdio—and the response was remarkable. The program, which we call #IntuneForMSPs, has exceeded our expectations. We heard strong positive feedback from MSPs and enterprises at events around the world and across social media, from organizations that have long needed a better way to manage multiple tenants at scale.

Today, we're excited to announce three additional validated partners joining the #IntuneForMSPs ecosystem. Each has been validated against Microsoft's product and business requirements, enabling MSPs to scale efficiently, standardize operations, and deliver more secure, Intune-aligned experiences to their customers.

Momentum in the MSP market

Over the past year, we've seen strong momentum across the MSP market—through global events, partner sessions, and #IntuneForMSPs meetups. One message has been consistent across all of these conversations:

MSPs want Intune-aligned solutions that respect Microsoft's security model, tenant boundaries, and licensing investments.

At recent in-person and virtual events, the energy around this shift has been clear. MSPs are actively moving away from traditional RMM-centric approaches toward models where Microsoft Intune serves as the control plane for device management, security, and compliance. That shift is what makes today's announcement particularly meaningful.

Welcoming three new #IntuneForMSPs partners

We're pleased to welcome three new validated partners to the #IntuneForMSPs ecosystem. Each offers independent, complementary capabilities built on top of and alongside the Microsoft Intune platform—preserving their unique workflows and features while extending what Intune can do for MSPs at scale. Partners are presented in alphabetical order; the descriptions below were provided by each partner.

We encourage you to learn more about all validated partners at https://aka.ms/IntuneForMSPs.

AvePoint Confidence Platform: Elements Edition

AvePoint is the global leader in data protection, unifying data security, governance, and resilience to provide a trusted foundation for AI. More than 28,000 customers rely on the AvePoint Confidence Platform to secure, govern, and rapidly recover data across multi‑cloud environments.

Through AvePoint Confidence Platform: Elements Edition, AvePoint extends Microsoft Intune with secured multi‑tenant automation, lifecycle management, and centralized visibility—enabling partners to scale Intune delivery profitably and consistently across customers. With a single platform for governance, lifecycle control, and recovery, partners reduce operational overhead, prevent sprawl, and accelerate Copilot readiness.

AvePoint supports a global partner ecosystem of 6,000 MSPs, VARs, and SIs, with solutions available in over 100 cloud marketplaces.

Learn more at: avpt.is/intune

CyberDrain CIPP

CyberDrain CIPP provides MSPs with a centralized, multi-tenant management platform for Microsoft 365. It enables partners to securely manage tenants at scale, automate common administrative tasks, enforce standards across environments, and gain deep visibility into tenant security and configuration.

With built-in automation, governance controls, and extensibility, CIPP reduces reliance on custom scripts and manual processes. MSPs can standardize operations, streamline user and tenant management, monitor security posture, and respond quickly to issues across all customers from a single interface.

CIPP is supported by one of the largest and most active MSP communities in the Microsoft ecosystem, with thousands of partners contributing feedback, automation ideas, and best practices. As one of the most widely adopted platforms for Microsoft 365 multi-tenant management, CyberDrain CIPP continues to evolve rapidly to meet the needs of modern MSPs.

Learn more at: cyberdrain.com/intuneformsps

SoftwareCentral Tenant Manager

SoftwareCentral Tenant Manager helps MSPs run Microsoft Intune across multiple customer tenants with consistency and control. MSP teams can standardize policies, manage applications and devices across environments, monitor configuration drift, and maintain visibility into changes across tenants from a single platform. The platform runs entirely on Microsoft Azure with region-selectable deployment for your data protection requirements. It includes CIS certified security baselines, helping MSPs deliver secure, repeatable Intune services as their customer portfolios grow, even without in-depth Intune knowledge.

Learn more at: tenantmanager.com/intuneformsps/

What’s next for #IntuneForMSPs

Today's announcement reflects our continued and reinvigorated commitment to the MSP market. Going forward, you can expect:

More news about the #IntuneForMSPs ecosystem
Continued monthly meetups and technical sessions for MSPs—open to any MSP interested in learning how Intune can help scale their business
MSP-specific guidance and resources to help MSPs grow with Microsoft

Microsoft Intune MVP Jonathan Edwards (also known as the Bearded365Guy) created a video1 reviewing three of our partner solutions. Watch the video and explore all our validated partners at https://aka.ms/IntuneForMSPs.

Jonathan Edwards reviews Nerdio, inforcer, and CIPP in one video.

If you're an MSP modernizing your management approach—or a partner building on Intune—we invite you to explore these new solutions and stay engaged with the #IntuneForMSPs partner program at our resource page aka.ms/IntuneForMSPs and monthly meetups.

"Jonathan Edwards is a Microsoft Intune MVP. Microsoft's MVP program is an independent recognition program; Jonathan was not compensated by Microsoft for this video."

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.

What's New in Microsoft Intune – February

ScottSawyer — Thu, 26 Feb 2026 19:00:00 GMT

Every IT environment has workarounds. Policies are duplicated instead of edited because there's no approval process. Apple software updates are pushed to every device because Declarative Device Management (DDM) policies couldn't filter by ownership type.

Workarounds aren't just inconvenient. They can increase risk. Duplicate policies, broad software updates, and unchecked changes expand the attack surface and undermine Zero Trust principles. This month’s Microsoft Intune updates focus on eliminating those workarounds by giving admins greater control, clearer accountability, and more precise targeting. Helping to ensure security policies are enforced the way they were intended, without slowing IT teams down.

Reduce policy risk with greater oversight over compliance and configuration changes

To provide an extra security measure against any unauthorized or accidental changes, additional multi-administrator approval options are now available for device configuration policies created through the settings catalog and device compliance policies (for more information see Compliance settings, and Device cleanup rules). With this control enabled, critical policy changes (creation, alteration, or deletion) will need approval from a second administrator before they can be implemented.

This latest update expands the multi-admin approval capabilities introduced over the past year, which include apps, scripts, device actions like wipe, retire, and delete, RBAC roles, and device categories. The addition of compliance and configuration policies approvals help enable organizations to offer a more comprehensive safety net for their most critical policies. In environments where configuration drift can lead to non-compliance and security risks, this level of oversight is not simply a good practice, but rather a preventive control and governance option integrated into the IT workflow.

Furthermore, since every request, approval, and business justification is documented in the Intune audit logs, this control not only helps prevent potential problems but also documents them.

Find and fix issues faster with updates for multiple device queries

Zero Trust decisions depend on accurate, actionable data, and IT admins need precise queries to identify compliance gaps or missing configurations across their fleet. Advanced Analytics now includes the operator details in multiple device query (MDQ) results, (including join types such as new leftanti and rightsemi operators). This assists in finding the specific settings of missing devices and helps you run fleet-wide queries more accurately, especially if you are managing thousands of devices of all OS types.

Additionally, Advanced Analytics device join syntax in MDQ results are now clickable for faster navigation to device details and improved error messaging. A good example to illustrate this improvement is a query to retrieve all devices with ARM processors, ordered alphabetically. The column for the Device field in the results is now clickable when the Device entity is joined. In addition, admins can now join the results on the Device field without using custom Device syntax.

Figure 1: Device query results showing x64 CPU data joined on Device.

For more detail, please refer to the Microsoft Learn page on device query for multiple devices.

Target Apple updates precisely—without overreaching

When managing Apple devices, targeting matters; not every policy needs to reach every device. But until now, Declarative Device Management (DDM) policies did not account for assignment filters. Admins couldn't target devices by OS version or differentiate between company-owned and personally owned devices.

A common challenge for admins is enforcing software updates on company-owned devices while avoiding personal devices. The enhancements included in this month’s Intune release help resolve this challenge. Now admins can use DDM-based policies with assignment filters in the same way they do for MDM-based policies. For instance, if an organization wants to target devices running iOS 17 or later with software updates, they can use an operating system version filter. To target Automated Device Enrollment (ADE) supervised devices while ignoring personal devices, they can use an enrollment profile name filter.

This capability is becoming more important as Apple has expanded Declarative Device Management across iOS, iPadOS, macOS, Vision OS, and Apple TV. Intune keeps pace with that shift by doing what it has always done: giving admins a consistent way to apply policies across every platform they manage.

Fewer workarounds, stronger Zero Trust across every platform

The capabilities rolling out in our February release all have something in common: multi-admin approval, multi-device queries, and assignment filters for Declarative Device Management collectively eliminate the need for workarounds.

I know that workarounds are part of every IT environment. However, with each workaround there may be concessions: more access, more policies created without proper scrutiny, or updates not intended for particular devices. While this month’s new capabilities will not eliminate all workarounds, they are a step toward managing devices the way Zero Trust requires: precisely, reliably, and with built-in least privilege.

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.

Protect browser-based work on agency-managed Windows PCs

LiMiller — Tue, 24 Feb 2026 19:41:58 GMT

From SaaS apps and internal web portals to AI-powered tools, the browser is now a major workspace for many employees and contractors alike. This shift has introduced new opportunities for organizations to enable an extended workforce. At the same time, it creates new data protection complexities for IT administrators.

Securing corporate data has traditionally relied on full device management. However, when work occurs on a Windows PC that your organization doesn't own—such as a device already enrolled and managed by a contractor’s home agency—full device enrollment isn't a viable option. Organizations need a flexible way to reduce these data blind spots without taking over the device itself.

To address this, Microsoft continues to expand data protection capabilities across Microsoft Edge for Business, Microsoft Entra, Microsoft Intune, and Microsoft Purview. Recent profile and sign-in updates with Edge for Business and Entra now help organizations to secure browser-based work on Windows PCs managed by another organization. And these updates work alongside inline data loss prevention with Purview and prescriptive deployment guidance from Intune to help administrators apply protections consistently rather than configuring policies in isolation.

Support and protection for agency-managed Windows PCs

Edge for Business now extends Intune app protection policies (APP) to the Edge for Business work profile on Windows PCs managed by another organization. This new capability, currently in public preview, helps organizations to protect work contractors do in the browser, while respecting existing device ownership and management boundaries. This protects corporate data without requiring full device enrollment or creating conflicts with another tenant’s management.

Figure 1 Demo showing Intune app protection policies in action within an Edge for Business work profile on a Windows PC managed by another organization.

Key capabilities include:

Browser-level protection through the Edge work profile: Intune APP policies can be applied directly to Edge for Business user profiles, helping to create a protected boundary for work data. Contractors can securely access corporate resources in an Edge for Business profile without enrolling the device or altering existing management.
Tenant-scoped controls within Edge for Business: Organizations can help protect corporate data within the browser by redirecting downloads to OneDrive for Business, restricting copy and paste, and enforcing data boundaries inside the managed Edge for Business profile.

Learn more: How to get started with agency-managed device support in Edge for Business and apply APP.

Simplified onboarding for APP policies on Windows

Recent Entra improvements to the Edge on Windows sign-in flow enable admins to configure the enrollment screen to create a more predictable setup and enrollment experience. These new sign-in updates help route users into Intune application protection polices, while reducing accidental full device enrollment.

Figure 2 Microsoft Entra updated sign-in experience pop-up window.

These Entra updates include:

Modernized Entra registration page for the user: An updated account registration flow provides clearer guidance during sign-in, helping users understand when they are registering an account versus enrolling a device.
Prevention of unintended device enrollment: Administrators can enable the “Disable MDM enrollment when adding work or school account” setting to block the prompt for devince enrollment during the account registration flow. Users are directed into the intended app-protection experience without unnecessary prompts or management conflicts.

Learn more: Read more about how to apply the updated Entra sign-in flow.

Apply data security across browser-based work

Microsoft Purview Data Loss Prevention (DLP) helps protect sensitive corporate data during browser-based work on Windows PCs that are managed by another organization or not enrolled at all. Purview DLP is built directly into Edge for Business and applies to the user’s work profile, so organizations can detect and control sensitive actions without requiring device onboarding into Purview or taking ownership of the device.

Figure 3 Purview DLP: Displays a pop-up message to indicate organizational protection for a file download.

With Purview DLP in Edge for Business, organizations can:

Apply inline DLP protection in the browser: Support detection and control for sensitive actions, such as uploads, downloads, copy/paste, printing, and across cloud apps accessed in the browser.
Extend coverage to unmanaged cloud apps: Apply DLP policies to enrolled apps and extend protection to unenrolled cloud apps, helping prevent oversharing or unintended data movement during browser activity.
Reduce data leakage without limiting productivity: Detect and prevent risky actions involving sensitive data without blocking site access or disrupting normal workflows.

Learn more: Apply Purview Data Loss Prevention in Edge for Business to protect sensitive data during browser-based work.

Guidance to help secure corporate data in the browser

Microsoft published “Secure Your Corporate Data in Intune with Microsoft Edge for Business” to provide guidance on how administrators can operationalize browser-based protections across platforms. This guidance provides step-by-step configuration paths that align identity, app protection, browser configuration, and device controls into a single, structured deployment model rather than isolated policy setup.

The guide covers:

Three-level security framework: Basic, Enhanced, and High protection tiers mapped to common industry standards such as NIST and DISA STIG, enabling organizations to align browser security posture with risk tolerance and user roles.
Cross-platform policy mapping: Clear guidance on when to use app protection policies, app configuration policies, settings catalog controls, and conditional access across Windows, macOS, iOS, and Android without creating policy conflicts or double-applying browser policies.
Sequenced configuration paths: Ordered implementation steps that show how identity enforcement, app protection, browser configuration, and device-level controls work together to form a cohesive secure enterprise browser strategy.

Learn more: Read more on how to get started with Intune’s configuration guidance to protect browser-based work and align identity, app protection, and browser controls.

Apply additional protections for a more consistent sign-in flow today

Organizations do not need to treat browser-based work as an exception to endpoint protection. By combining identity routing in Entra, app-level boundaries through Intune, workspace separation in Edge for Business, and inline data governance with Purview, organizations can apply consistent controls even on Windows PCs they don’t own or manage.

With this approach, protection moves from the device to the work context itself. Administrators can secure corporate data where work happens, while preserving productivity and respecting existing device ownership and management boundaries.

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.

What's New in Microsoft Intune – January 2026

ScottSawyer — Thu, 05 Feb 2026 17:00:00 GMT

When trees lose their leaves, you see the structure beneath. The branches you couldn’t see. The shape that was always there.

January is like that for IT admins. You get a fresh view of your endpoint management landscape, such as where elevation can get sharper, where application deployment process can be improved, and where admin tasks could be made more efficient.

The same is true for Intune. January isn’t just about celebrating what we’ve accomplished in the past year, but it’s also about looking forward to what new challenges we will face and new ways we can help IT admins be more productive. In this blog post, I’ll highlight the recent capabilities that I’m personally excited about.

Accelerate deployment with PowerShell script installers for Win32 apps

Today, many organizations customize app deployments outside Intune using PowerShell scripts to handle prerequisite checks, post-install steps, dependencies, and registry updates. Previously, each time the script changed, the entire app binary needed to be repackaged and re-uploaded. That friction often can add hours to deployment cycles and kept critical work outside the admin center.

This month, that changes that. When creating a Win32 app in Intune, admins can now upload a PowerShell script that acts as the app installer, rather than specifying a command line. The script runs natively. Intune packages it with app content and runs it in the same context as the installer. Installation results show in the admin center as 'success' or 'failure' based on return codes, providing visibility into what happened.

So, what does this mean? It means app deployment gets faster, customization gets easier, and teams in highly regulated industries like finance and healthcare can use the script to enforce compliance steps as part of the app installation process. It means system requirements can be checked before anything else runs, and app-specific settings can be configured after the app is installed. It means admins gain even more control.

Endpoint Privilege Management gets sharper

When users need elevated privilege, we are introducing a new Endpoint Privilege Management (EPM) capability to elevate users in a way that preserves their current profile. For example, profile paths, environment variables, and personalized settings.
This matters for installers and tools that depend on the active user’s profile. Before,
EPM isolated virtual accounts. Now, the user’s identity is maintained throughout elevation, meaning your audit trails stay cleaner and compliance records are more accurate.

In addition, the ability to enforce scope tags for elevation scenarios safeguards admins can only view elevation requests for which they have permission. This is critical for compartmentalizing data in regulated environments. Together with 'Elevate as current user,' this enables organizations to easily oversee who is allowed to perform elevated actions, while avoiding the disclosure of excessive context. These two capabilities integrate seamlessly out of the box, with no configuration required.

Admin tasks capability brings your work together

The new year brings clarity. Admins manage privilege elevation, device offboarding, security alerts, and policy approvals. Admin tasks, now generally available (GA) in Microsoft Intune, brings that work into a single, prioritized queue.

Admin tasks centralizes these workflows to help admins focus on high-impact actions that need their attention now. It is under Tenant Administration, where admins can search, filter, and sort across requests, tasks, and approvals. Currently, admin tasks includes Endpoint Privilege Management (EPM) requests, Multi Admin Approval (MAA) tasks, Microsoft Defender for Endpoint (MDE) security tasks, and the Device Offboarding Agent (part of Microsoft Security Copilot) for tasks.

EPM elevation requests help admins quickly approve or deny elevation needs and create reusable rules. Microsoft Defender for Endpoint security tasks enables admins to review recommended remediation actions, take corrective action on security issues, and monitor task status through a consistent Intune workflow. The Device Offboarding Agent helps detect unused or outdated devices that may no longer be needed or may pose a security risk, surfacing these findings as actionable tasks within admin tasks. Multi Admin Approval requests, such as scripts, device wipes, and role changes, are reviewed and approved with this same view. Each approval or rejection is recorded to support audit and compliance requirements. Learn more by taking a deeper dive in this blog on admin tasks in the Intune.

Apple enrollment keeps evolving with new certificate support

The technical foundation for enrollment of Apple devices just got stronger. We're rolling out support for the Automated Certificate Management Environment (ACME) protocol for new iOS, iPadOS, and macOS enrollments.

So, what’s the difference? ACME provides better protection than the previous SCEP approach against unauthorized certificate issuance. It includes improved validation mechanisms and automated processes that reduce errors in certificate management. Now, when new Apple devices enroll, they receive an ACME certificate instead of a SCEP certificate.

There's no change to your enrollment experience or Intune admin center doesn’t change. Its infrastructure works better in the background. This applies to Apple Device Enrollment, Apple Configurator enrollment, and automated device enrollment (ADE) methods. We also added 12 new Setup Assistant screens you can control during ADE. Want to skip the App Store screen? Hide camera settings? Now you can. This gives you more flexibility in how your end-users experience onboarding.

What's ahead

January always feels like a restart. New year, fresh roadmap, the engineering teams recharged and looking at what's next. When I talk with the team building these capabilities, the energy is real. They're already thinking about solving more challenges
IT admins face. The momentum is here with the team at Microsoft Intune.

Stay up to date with Intune, please bookmark the Microsoft Intune Blog, and follow us on LinkedIn or @MSIntune on X.

Admin tasks in Microsoft Intune: Centralized control today, AI-ready for tomorrow

LiMiller — Tue, 03 Feb 2026 17:00:00 GMT

IT admins make daily, quiet decisions that determine whether an organization stays secure, compliant, and productive. They review privilege requests, security remediation actions, and high-impact configuration changes across multiple consoles. Given the growing breadth of their daily responsibilities, scattered decision points could lead to slower response times, increased risks, and make audit readiness harder to maintain.

Microsoft Intune already consolidates endpoint management into one place. And now with the general availability (GA) of admin tasks it aggregates high-impact approvals and remediation workflows, into a single, prioritized queue, giving admins a unified view of what needs action right now. Introduced at Microsoft Ignite, admin tasks brings together three essential decision points: Endpoint Privilege Management (EPM) elevation requests, Microsoft Defender for Endpoint (MDE) security tasks, and Multi Admin Approval (MAA) requests. And now, admin tasks also incorporates actions from the Device Offboarding Agent (part of Microsoft Security Copilot), currently in public preview, extending centralized decision-making to device lifecycle cleanup.

As organizations adopt Zero Trust principles and prepare for AI-assisted operations, IT teams need more automation without sacrificing oversight. As Intune expands automated and AI-assisted capabilities, admin tasks adds an oversight layer that helps ensure AI-driven recommendations remain under administrator control. Over time, additional task types will continually be integrated, consolidating even more high-impact operational decision points into a single experience.

“Admin tasks in Intune is a centralized, prioritized task view that cuts through the noise. The simplified processes boost our team’s ability to respond quickly and confidently to critical requests.” –Michael Meier, IT Workplace Design, Krones AG

Admin tasks is available in the Intune admin center under Tenant administration. The following sections outline what admins can access today.

Four ways to streamline IT operations with admin tasks

Endpoint Privilege Management elevation requests

EPM enables standard users to run approved applications with elevated privileges without granting permanent local admin rights. In admin tasks, elevation requests appear in the same prioritized queue as other high-impact actions, so admins can review and approve requests from a single view.

Key actions to take in admin tasks: Approve or deny elevation requests, create reusable rules based on file details, or add files to reusable settings.

What EPM enables:

Flexible elevation models: Supports automatic, user-confirmed, and support-approved workflows.
Granular controls: Defines elevation rules based on publisher, file hash, or command-line arguments.
Audit and compliance: Logs elevation activity for visibility, reporting, and compliance.
Improved user experience: Helps standard users stay productive, while reducing help desk tickets and security exposure.
Contextual risk analysis*: With EPM and Security Copilot, it enables admin tasks to surface contextual risk signals to help inform elevation approval decisions.

*Note: This capability requires Microsoft Security Copilot, get started here. Security Copilot will be included for Microsoft 365 E5 customers, roll out began for existing Security Copilot users and is continuing in the upcoming months, learn more here. EPM is also coming to M365 E5; learn more about the Intune capabilities coming to both the E3 and E5 bundle here.

Figure 1: View of granular controls for elevation requests in Intune Endpoint Privilege Management within admin tasks.

Defender for Endpoint security tasks

MDE requests for remediation generate security tasks that surface in the Intune admin center, when threats or configuration issues are detected on devices. Admins can track and complete security remediation work from the same queue used for other critical IT decisions.

Key actions to take in admin tasks: Mark tasks as complete or reject them, and review impacted device lists.

What MDE security task in Intune enables:

Unified task management: View and act on security tasks from Defender in a single queue.
Recommended endpoint security profiles: Supports new configurations for Endpoint Detection and Response (EDR) and Antivirus exclusions on Linux devices.
Audit and compliance: Logs all task activities for visibility, reporting, and compliance.
Integrated security settings management: Manage antivirus and EDR settings directly through Defender for Endpoint security settings management in Intune using security tasks recommendations.

Figure 2: View of Microsoft Defender for Endpoint with security tasks surfaced in admin tasks.

The Device Offboarding Agent

Admin tasks now incorporates the Device Offboarding Agent tasks. Admins can review and act on the cleanup of stale devices using the same flow used for other high-impact tasks. The preview supports Intune managed devices running Windows, iOS/iPadOS, macOS, Android, and Linux, and allows admins to disable Microsoft Entra ID objects with guided remediation.

Key actions to take in admin tasks: Download a CSV list of affected devices.

What the Device Offboarding Agent enables*:

Routine reviews: Pre-packaged tasks reduce manual investigation and help make cleanup repeatable.
Automated identification: Detects unused or outdated devices using automated signals across Intune and Microsoft Entra to help reduce the attack surface.
Offboarding insights: Provides actionable recommendations and details requiring approval before offboarding.

*Note The Device Offboarding Agent requires Microsoft Security Copilot, get started here. Security Copilot will be included for all Microsoft 365 E5 customers, roll out began for existing Security Copilot users and is continuing in the upcoming months, learn more here.

Figure 3: View of potential devices identified for removal by the Device Offboarding Agent within admin tasks.

Multi Admin Approval requests

Multi Admin Approval requires a second administrator to approve high-impact actions, such as scripts, remote actions, role changes, and device wipes before they are executed. MAA requests now appear in admin tasks, ensuring sensitive configuration changes follow a consistent, centralized review process.

Key actions to take in admin tasks: Approve or reject a request, complete a change, and add requester and approver notes for audit and compliance.

What MAA enables

Alignment with access policies: Applies to protected configurations that require approvals, such as scripts, roles, settings, and remote actions.
Audit and compliance: Logs all approval, rejection, and completion of activity for visibility, reporting, and compliance.
Protection against compromised accounts: Helps ensure sensitive changes—such as script executions, device wipes, or role permission updates—cannot be performed by a single administrator.
Contextual risk analysis*: The Change Review Agent (part of Microsoft Security Copilot) analyzes MAA script requests in context providing detailed insights on potential impact and clear recommendations.

*Note: The Change Review Agent requires Microsoft Security Copilot, get started here. Security Copilot will be included for all Microsoft 365 E5 customers, roll out began for existing Security Copilot users and is continuing in the upcoming months, learn more here.

Figure 4: View of Multi Admin Approval script requests displayed within admin tasks.

Simplify decisions and prepare for AI-assisted workflows today

Admin tasks in Intune offers a single, prioritized view to act quickly on what matters most—while building the secure foundation organizations need for agentic automation. As Intune continues to expand its AI-driven capabilities, this centralized model gives IT more control and deeper insights across the platform.

Explore admin tasks in Microsoft Intune today and see how the expanded Microsoft 365 E3 and E5 value helps organizations scale securely and confidently.

What's in store for Intune at Microsoft Technical Takeoff 2026

Rachelle_Blanchard — Mon, 02 Feb 2026 17:00:00 GMT

It’s almost time for Microsoft Technical Takeoff, our month‑long digital skilling event designed to help IT admins and technical decision-makers go deeper with Windows, Microsoft Intune, and Windows 365. Every Monday in March, you’ll get fresh technical content, hands‑on guidance, and direct engagement with the engineering teams who build the products you use every day.

This year’s event brings together technical deep dives, Ask Microsoft Anything (AMA) sessions, and feedback‑gathering sessions—all streamed live on the Microsoft Tech Community. Expect deep, scenario‑driven guidance spanning security, automation, cloud management, and cross‑platform device administration. You’ll also be able to engage directly with the product engineering teams with live Q&A during the sessions.

Start your Technical Takeoff experience right

As you explore the full agenda, make sure you tune in to our annual kickoff panel, Let’s Talk Windows & Intune, Monday, March 2 at 7:00 AM PT. Engineering leaders Sangeetha Visweswaran, John Cable, and Bhavya Chopra will share what they’re learning from IT admins around the world, as well as what’s shaping the future of device management, security, and cloud‑powered productivity.

Explore Intune sessions at Technical Takeoff

You can bookmark and watch the full event at https://aka.ms/TechnicalTakeoff. All the sessions are also listed day-by-day below. From each session page, you can:

“Add to Calendar” to save the date.
Click “Attend” to hold your spot and receive reminders.
Post your Q&A questions early for the engineering team. (Of course, you can also post questions live as you learn!)
Tune in live or watch on demand afterward.

See you on Mondays in March!

Whether you’re modernizing your endpoint estate, strengthening security, or looking for practical configuration guidance, Microsoft Technical Takeoff is your chance to get actionable insights straight from engineering.

Can’t attend live? No problem. All sessions are recorded and available on demand shortly after they air. You can also post your Q&A questions in advance or anytime during the week of the session. In addition, although sessions will feature AI-generated captions during the live broadcast, we will update those with human-generated, human-verified captions (and transcripts) by the end of each week.

We hope to see you at Microsoft Technical Takeoff! Grab your seat, customize your agenda, and get answers directly from the experts behind Windows and Intune. Visit https://aka.ms/TechnicalTakeoff to get started and see our sister guide to Windows and Windows 365 at Tech Takeoff.

Save the date: Intune Tech Community Live – January 26

Rachelle_Blanchard — Fri, 30 Jan 2026 17:35:10 GMT

Level up your endpoint management skills at Tech Community Live: Intune Edition.

IT professionals: mark your calendars for Monday, January 26, 2026. If you manage endpoints with Microsoft Intune, this is your chance to connect directly with the experts and get answers to your toughest questions.

This isn’t your typical webinar. It’s an interactive event packed with four Ask Microsoft Anything (AMA) sessions, where you can bring your toughest questions and get real answers from the experts. Here’s what’s on the agenda (all times in PST):

8:00 AM – Secure your endpoints with policy and Microsoft Defender
9:00 AM – Manage apps like a pro with Microsoft Intune
10:00 AM – Best practices for applying Zero Trust using Intune
10:30 AM – Copilot and agentic-centered endpoint management

Why Tech Community Live?

Endpoint management is evolving fast—and so are the challenges. This event gives you direct access to the Microsoft engineering teams creating new features and capabilities in Intune. It’s your chance to:

Get answers to real-world questions straight from the experts.
Learn best practices you can apply immediately.
Influence the future by sharing your feedback with the people who build the product.

Whether you’re looking to strengthen compliance, streamline app deployment, or embrace Zero Trust strategies, you’ll walk away with actionable insights to keep your organization secure and efficient.

How to join the fun

Browse the session topics above.
Hit Add to calendar on the session pages to save them, well, to your calendar.
Sign in to the Tech Community (top right corner of the site) then click Attend to receive event reminders.

Post your questions in the Comments section at the bottom of each session page early and often. We’ll be ready to tackle them live! Don’t miss this opportunity to learn from Microsoft experts and elevate your Intune skills. See you there!

Community matters. Let your network know they get the Intune answers and insights they need on January 26 on the Microsoft Tech Community.

What's new in Microsoft Intune: December 2025

ScottSawyer — Thu, 11 Dec 2025 19:00:00 GMT

Following Microsoft Ignite 2025, I caught up with colleagues and Intune MVPs who made the trip to San Francisco. There was a lot to talk about, but one conversation stood out: When I asked what surprised them most about this year for Microsoft Intune, the answer wasn't a single capability. It was witnessing busy IT admin work disappear by automating work that used to consume hours of admin time.

Microsoft Security Copilot agents in Intune exemplify that shift, but the introduction of additional agents doesn’t address other IT challenges. Throughout 2025, the Intune engineering team has shipped capabilities for cross-platform support, security, and more that has helped to remove many areas of friction from day-to-day operations. For a more complete story about what was delivered and what’s coming soon, watch the on-demand Microsoft Ignite presentation or read the What’s new in Microsoft Intune at Ignite blog.

Today, I'll focus on several recent capabilities worth examining in detail from November and December.

Empowering IT by automating and enhancing workflows

For many of the customers I spoke with this year, context-switching drains productivity. Switching between multiple console nodes to manage security tasks, elevation requests, and admin approvals increases friction and the chance of missing something.

The new Admin tasks node under Tenant Administration in the Intune admin center consolidates this workflow into a single view. Now in public preview, this centralized location surfaces Endpoint Privilege Management (EPM) file elevation requests, Defender for Endpoint security tasks, and
Multi-Admin Approval requests in one place. Administrators can search, filter, and sort across all task types without jumping between console areas. The centralized view reduces time spent hunting for what needs attention and creates a more reliable review process.

This helps centralize admin tasks, but visibility without boundaries can create noise. Until now, administrators with permission to review Endpoint Privilege Management elevation requests could see every request across the organization, regardless of their assigned scope. Scope tag enforcement adds role-based access control to this highly valued capability, aligning EPM with Zero Trust by ensuring admins only access the elevation requests required for their role. This reduces unnecessary visibility into devices and users outside their remit and lowers the risk of accidental or inappropriate actions.

Enhancing visibility and control across platforms

November's updates deliver improvements across three areas: app management, privacy controls, and policy targeting. These areas give IT administrators even more granular control for diverse device fleets running iOS, macOS, and Android.

Android: User experience and app management options

Intune has introduced new capabilities to Managed Home Screen for IT to enhance the end user experience on frontline Android devices: Offline mode and App access without sign-in offers users greater flexibility to access critical applications, while improved volume controls now allow more granular adjustments for call, ring, notifications, alarms, and media.

Additionally, if customizing your managed Google Play app catalog becomes too time consuming, you can use the new “Reset to Basic” mode. This reverts to the default "all approved apps visible" experience instantly, without support tickets or manual collection rebuilds. Taken together, these changes move Android app management away from low-level device plumbing and toward intentional experience design.

Android: Data protection and privacy controls

Beneath the user-facing improvements, the November Intune release tightens Android data protection. This is critical for AI features that may not have been part of the original security model. The Intune Settings Catalog now provides access to Android controls, which include:

“Block assist content sharing with privileged apps", a setting that helps mitigate the emerging risk of AI assistants and screen readers from capturing work profile screenshots and app details. This stops AI services like Circle to Search from ingesting corporate context into external learning datasets while still allowing personal AI features to function.

Work-profile privacy settings that block Bluetooth contact sharing and prevent work contacts from appearing in personal caller ID Control data flows.

New work profile password options (expiration, reuse history, and device wipe on failure).

Android: Policy targeting and security enforcement

To help ensure your most sensitive controls reach only the devices that need them, IT can now use Device Management Type as an assignment filter property in Intune for precision policy targeting. Instead of over-applying rules to all Android devices, you can now differentiate between corporate and personal devices across Android Enterprise and AOSP.

This precision extends into real-time security enforcement. When Microsoft Defender for Endpoint detects a rooted Android device, Microsoft Tunnel immediately blocks VPN access, dropping active connections until the device is remediated. Because Defender's detection works natively within Intune, your existing compliance policies are automatically enforced through Tunnel (across both MDM-managed and MAM scenarios) without manual reconfiguration. Learn more in the following blog on native root detection support for Microsoft Defender on Android.

iOS and macOS: Enrollment experience design

First impressions during enrollment shape user expectations and IT confidence alike.

When an employee unboxes a new device enrolled through your organization, those initial screens become an opportunity to empower users and position IT as an enabler. Finding the right balance has sometimes meant accepting trade-offs. IT admins could streamline the flow, or show every configuration option, but rarely both.

Setup Assistant customization for iOS/iPadOS and macOS automated device enrollment, now generally available, delivers both of these benefits. Administrators can now hide or show specific Setup Assistant screens, enabling fine-grained control over the enrollment experience while preserving flexibility. Want to show App Store and camera configuration on some devices but hide privacy settings on others based on policy? You can do that now. The result is enrollment tailored to your actual requirements, not constrained by platform defaults. For detailed configuration guidance, see Set up automated device enrollment for iOS/iPadOS and Set up automated device enrollment for macOS.

In summary, whether Android users require precise privacy controls or iOS users benefit from a customized enrollment experience, the November Intune release emphasizes that effective, cross-platform management involves respecting each device platform's uniqueness and working to optimize for them.

Improving end-user onboarding experiences

Providing employees with immediate access to devices equipped with necessary applications can enhance employee satisfaction, optimize security measures, and increase overall productivity. Upon logging into a Cloud PC environment, end-users encounter pre-installed applications, enabling them to begin working efficiently without delay.

Windows Autopilot device preparation in automatic mode is now available in public preview for Windows 365 Enterprise, Windows 365 Frontline dedicated mode, and Windows 365 Cloud Apps. IT administrators now can include device preparation policies as part of their Cloud PC provisioning process.

This capability streamlines the Cloud PC provisioning process, improves the end-user experience, and eliminates the need for custom images, while providing visibility into installation progress with both the CPC report and the Autopilot device prep deployment report. This ensures the device is set up with critical apps and scripts when the end-user logs in on day one.

Looking forward to 2026

Cloud-native endpoint management on a trusted platform is the foundation for how organizations will support AI safely across endpoints. The investments throughout 2025 focused on reducing friction at critical points, rather than painting with a broad brush, across every aspect of endpoint management, and showed what's possible when management infrastructure is built for modern threats and modern work.

Whether it's automating tedious admin tasks, respecting platform-specific security needs, or accelerating device readiness, a cloud-powered, AI-driven approach helps move IT from firefighting to strategy. In 2026, we will continue to innovate with this focus and share more updates on Intune's advanced capabilities coming to Microsoft 365 E3 and Microsoft 365 E5, which will expand access to the solutions of the Microsoft Intune Suite to more customers. See you in 2026!

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

Microsoft 365 adds advanced Microsoft Intune solutions at scale

Talal_Alqinawi — Tue, 16 Dec 2025 23:05:27 GMT

Note: New capabilities will begin to roll out CY26 Q3. Customers will receive a 30‑day notice in Message Center before the update becomes available in their tenant.

In the last three years, Microsoft launched multiple endpoint management solutions with advanced capabilities that enable IT professionals to unify mission critical endpoint management functionality in one cost-effective plan with the Microsoft Intune Suite. These capabilities are essential to accelerate every organization’s journey towards Zero Trust security, improving end user productivity, and empowering IT and security professionals to improve total cost of ownership (TCO).

Today, IT teams face new challenges, as device inventories grow larger, more diverse, and are much more widely distributed and dynamic than just a few years ago. At the same time, they are still expected to keep systems protected, compliant, and operational with limited budgets. To meet evolving security needs and growing demands, organizations need more advanced security and management tools capable of transforming IT operations in ways that can safeguard against AI-enhanced attack vectors and new risks while preserving productivity on every endpoint.

To help organizations make this transition, Microsoft is bringing powerful capabilities of the Microsoft Intune Suite to Microsoft 365 E3 and Microsoft 365 E5. By expanding these offerings, more customers can confidently embrace transformation and stay secure in the age of AI.

“Intune Suite makes managing 10,000 or 40,000 devices effortless through automation and unification. The capacity to scale effortlessly while simplifying processes has led to more efficient updates and quicker incorporation of new assets.” –Roman Kleyn, Head of Workplace Design, Krones AGⁱ

Unifying Endpoint Management: Key capabilities driving customer choice

Microsoft Intune empowers IT to solve issues faster, get proactive with data and secure diverse devices with Intune Remote Help, Intune Advanced Analytics, Microsoft Tunnel for Mobile Application Management, specialty device management and firmware updates. These capabilities will be added to Microsoft Enterprise Mobility and Security E3 (EMS E3) which also extends this value to Microsoft 365 E3. Furthermore, to unify advanced security and device management, Intune Endpoint Privilege Management, Intune Enterprise Application Management and Microsoft Cloud PKI will be added to Microsoft 365 E5.

These changes, alongside the Microsoft Security Copilot and Microsoft 365 updates, will fundamentally expand the availability of Intune integrated, cloud powered capabilities. This expansion will provide seamless access to advanced management and security features as well as agentic, automated workflow capabilities within Microsoft’s most comprehensive commercial products. It will empower IT to help safeguard productivity and strengthen their Zero Trust posture by minimizing risk, maintaining compliance, and ensuring seamless, secure digital employee experiences. Ultimately, this change will enable proactive issue prevention, more secure work, and efficient ways to scale operations.

With the rollout of Microsoft Security Copilot in Intune, we’ve helped organizations enter a new era where AI is increasingly incorporated into their IT operations. Last month at Microsoft Ignite 2025, we announced a significant step that goes even further, putting AI at the core of endpoint management. With the launch of a new wave of Security Copilot agents in Intune and more ways to explore Intune data, IT can ask important questions, take action on the answers, and simplify complex tasks with intelligence and automation.

Here’s a closer look at why organizations are choosing Intune and Security Copilot as their endpoint management solution.

Enhanced security simplifies implementation of Zero Trust principles

In 2025, 79% of ransomware attacks involved remote management tools on endpoints, highlighting the critical need for Zero Trust controls and least-privilege access on every device.ⁱⁱ

Endpoint Privilege Management enables organizations to adopt a least privilege approach, mitigating systemic risks of local admin privileges by providing elevated access only to approved apps or services. Just-in-time elevation helps to maintain productivity without compromising security.
- Copilot in Intune offers assistance by providing valuable insights based on Microsoft Defender threat intelligence that assesses an app’s risk before IT approves an elevation.
Microsoft Tunnel for Mobile Application Management supports Zero Trust principles by providing secure per-app VPN connectivity access to company resources without requiring enrollment, protects corporate data and respects employee privacy.

AI-powered insights and remote assistance powers productivity

“Remote Help closed the gap that we had for remote management. Now we have an enterprise-compatible solution with audit logs, allowing us to see what’s happened, who is connected to whom, etc. These are true benefits from an enterprise solution,” – Michael Meier, Senior System Administrator, Krones AGⁱⁱⁱ

Advanced Analytics offers AI-powered anomaly detection to proactively identify device health and other forms of digital friction and gives IT visibility into areas of focus to keep operations running smoothly and ensure device compliance.
- Copilot in Intune assists admins of all experience levels in performing complex tasks such as writing KQL queries through the simple use of natural language.
Remote Help allows IT teams to safely and remotely support and fix issues more quickly. All interactions are fully auditable and use strong authentication, trusted connections, role-based access control, and device compliance checks.

Streamlined app deployment and automated certificate lifecycle management helps maintain compliance and protection at scale

“Cloud PKI within the Intune Suite allows you to go cloud native in terms of certificate deployment, which means you can provision PKIs with just a few clicks — that’s a blessing for all the IT administrators. With this built-in service, Microsoft hosts everything for you to manage certificates.” Niklas Tinner, Founder/Solution Architect, Oceanleaf GmbH^iv

Enterprise Application Management streamlines app deployment and updates, reduces IT overhead, and improves the digital user experience with a curated catalog of 1000+ of prepackaged applications.
- The Vulnerability Remediation Agent helps reduce the effort of discovering and prioritizing breach or work disruption risks, giving IT insight on what patches to prioritize.
Microsoft Cloud PKI allows IT to streamline the management of the complete certificate lifecycle and reduce the dependency on on-premises infrastructure. It also helps prevent phishing and mitigate other risks with certificate based authentication to Wi-Fi and VPN services.

A unified IT ecosystem for long term value

Including Intune’s advanced capabilities directly into Microsoft 365 is the latest step in our larger vision to create a unified, strategic foundation that enables companies to manage and secure their endpoints. Intune and Security Copilot are built to work seamlessly within Microsoft 365, Windows 11, Windows 365, Entra, Purview and Defender.

“One New Zealand saved $800K by modernizing with Windows 365 and Microsoft Intune, cutting provisioning-related tickets by 80%. Devices that once took four to six hours to provision are now ready in 30 minutes. User assignments take less than 15 seconds, and onboarding time for call center staff dropped almost 95%.^v

In addition to Intune’s upcoming changes within Microsoft 365, the recently announced Windows resiliency and security capabilities will be added to Windows Enterprise E3:

Windows Resiliency Initiative recovery tools now include quick machine recovery (QMR) with enterprise-level controls, point-in-time restore, and cloud rebuild for Windows 11. Through Intune, QMR enables fast restoration of apps, settings, and files, as well as Windows Backup and OneDrive.
Windows Autopatch now includes update readiness, in preview, giving IT teams real-time visibility into device compliance and risks through a pre-built Intune dashboard. Administrators can quickly identify, diagnose, and remediate updates, telemetry and policy issues directly within Autopatch.

What does this mean for your organization?

Microsoft is committed to delivering a unified management and security foundation on a trusted, cloud platform that elevates how organizations operate and defend at scale. Aligning this with AI-powered and agentic automation enables stronger Zero Trust controls to help safeguard productivity, minimizes risks, and improves agility for IT teams and end users.

When you’re ready to learn more, connect with your Microsoft account team to discuss adoption roadmaps and discover how a comprehensive, AI-ready portfolio can help you solve even the most complex IT challenges.

FAQ

1. Which Intune related capabilities are included in each plan?

Here is a summary of the Microsoft 365 plan changes related to Microsoft Intune:

Microsoft 365 plans	Included capabilities
Microsoft Enterprise Mobility and Security E3 (EMS E3) (included in Microsoft 365 E3)	· Intune Remote Help · Intune Advanced Analytics · Intune Plan 2
Microsoft 365 E5	All Microsoft 365 E3 features plus: · Intune Endpoint Privilege Management · Microsoft Cloud PKI · Intune Enterprise App Management
Microsoft 365 E5	· Microsoft Security Copilot
Windows Enterprise E3 (included in Microsoft 365 E3)	· Quick Machine Recovery (QMR) · Cloud rebuild for Windows 11 · Point-in-time restore for desktop · Post-quantum security APIs · Autopatch update readiness
Windows Enterprise per-device license	· Basic resiliency features (QMR, point in time restore) · Software Assurance

2. What is included in Intune Plan 2?

Intune Plan 2 capabilities planned to be included in Microsoft Enterprise Mobility and Security E3 include: Tunnel for Mobile Application Management (MAM) for secure per-app VPN connectivity access to company resources without requiring full device enrollment. Specialty device management covers the protection for devices such as AR/VR headsets, smart screens, and certain meeting room systems for specialized business needs. Firmware over the air (FOTA) updates for supported Zebra devices.

3. When do these changes take effect?

For the 2026 planned product additions to Microsoft 365, a Microsoft 365 admin center notification will be posted for administrators of eligible organizations 30 days in advance of the effective change.

4. Do I need to change my plan to use the Intune Suite capabilities or any of its add-ons?

No action is necessary. All eligible tenants with Microsoft Enterprise Mobility and Security E3 and Microsoft 365 E5 will automatically be provisioned with the Intune Suite capabilities based on the table above. 

^{i Success with Intune Suite streamlines Krones AG global operations | Microsoft Customer Stories}^{ii Microsoft Digital Defense Report 2025 – Safeguarding Trust in the AI Era}^{iii Success with Intune Suite streamlines Krones AG global operations | Microsoft Customer Stories}^{iv Microsoft Cloud PKI—Certificate Management | Microsoft Security}^{v One New Zealand saves $800,000 by modernizing with Windows 365 and Microsoft Intune | Microsoft Customer Stories}

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

Essential Intune reading list: MVP community content for 2025

Lior_Bela — Thu, 04 Dec 2025 20:04:15 GMT

As we head into the holiday season, I wanted to take a moment to celebrate something truly special: the incredible contributions from our Microsoft Intune MVP community this year. Last year, I released our first Holiday Reading post, which got a lot of traction, and I was asked to do it again this year — so I guess we are starting a new tradition!

Whether you're a security-focused admin exploring Zero Trust architecture, a Windows specialist diving into the latest policy enforcement mechanisms, a Mac admin navigating the evolving Apple ecosystem, or an automation advocate building the next great community tool, there's something here for you.

This collection represents the spirit of our community, packed with real-world lessons, practical insights, and suggested solutions from experts in the field. While this is a select set of collected content, I strongly recommend checking out all of the content created by our MVPs — you can find a list of our active Intune MVPs here (make sure to set the filter for Microsoft Intune under Technology).

Introduction to Intune

Know someone who needs to get up to speed on Intune quickly? Share these resources:

Getting started with Intune – Important hints and tips for Intune beginners — settings you won't want to overlook (Andrew Taylor)

12 reasons why Intune – A comprehensive podcast covering Zero Trust-ready, BYOD-friendly endpoint management (Sucheta Gawade)

Security & compliance

A stronger security posture is at the top of almost every organization’s wish list. Read and watch what MVPs are recommending:

Cloud PKI essentials – A deep dive into what Cloud PKI is, deployment approaches, and where organizations stand today with certificate distribution (Shady Khorshed)

Device-centric Zero Trust with Intune + Defender – Learn how to implement a complete Zero Trust strategy using Intune and Microsoft Defender for Endpoint (Sucheta Gawade)

Windows patching best practices – Common mistakes Intune admins make and how to patch Windows correctly (Pavel Mirochnitchenko)

Advanced conditional access scenarios – Real-world field experience and best practices for complex conditional access setups (Niklas Tinner)

Edge password sync security – How to manage Edge password sync on unmanaged devices when using Microsoft Password Manager (Kenneth van Surksum)

AppLocker automation – Automate your AppLocker configuration directly in Intune with scripts (Niels Kok)

NIS2 compliance with Microsoft 365 – Comprehensive guide to reaching NIS2 compliance using Intune and Azure (Jeroen Burgerhout)

Mobile Application Management (MAM) – Step-by-step setup for iOS and Android MAM with automation scripts (Gannon Novak)

Windows & Windows 365

Master the latest Windows capabilities with this guidance from our top experts:

Windows 11 kiosk multi-app mode – Tackle the XML struggle and get your kiosk devices working with Edge and the Windows App (Joery Van den Bosch)

Multi-admin approval in Intune – Set up Intune's multi-admin approval feature with ease, plus insights on the end-user experience (Joery Van den Bosch)

Windows Backup for Organizations – Introducing Windows Backup with Intune for smooth device upgrades and refreshes (Joery Van den Bosch)

Windows 11 hotpatching – A comprehensive deep-dive into applying critical security updates without reboots using Intune (Sucheta Gawade)

OMA-DM and policy enforcement – Understanding how Intune uses the OMA-DM protocol to manage and enforce policies (Joost Gelijsteen)

Declared configuration – The evolution of Windows policy enforcement with MMP-C and declared configuration (Joost Gelijsteen)

Device query for multiple devices – Extract device data across your fleet using endpoint analytics (Joost Gelijsteen)

Windows shared PCs configuration – Master Windows shared PCs with Intune and understand how it differs from kiosk mode (Jeroen Burgerhout)

Administrator protection in Windows 11 25H2 – Explore the new isolated privilege model replacing traditional admin elevation (Rudy Ooms)

Entra group SID translation – Finally! Translate Entra group SIDs into readable names on your devices (Rudy Ooms)

Intune policy delivery – Debunking the 8-hour sync myth and understanding how policy delivery really works (Rudy Ooms)

Windows 365 Link experience – Best practice configurations and everything you need to know about Windows 365 Link (Niklas Tinner)

Entra ID joined kiosk devices – Deploy fully functional, self-deploying kiosk devices on modern Windows endpoints (Joey Verlinden)

App Control for Business – Solving unsigned WIX .dll issues with App Control for Business (Jörgen Nilsson)

macOS & Apple ecosystem

Apple device management is evolving fast. The Intune community helps keep you up to date:

macOS LAPS configuration – Complete guide to setting up Local Administrator Password Solution for macOS with Intune (Joery Van den Bosch)

JUMP-IN: macOS MDM migration tool – Discover this all-in-one macOS MDM migration tool and learn how it's revolutionizing transitions (Shady Khorshed)

macOS 26 & iOS 26 for enterprises – Apple's biggest shift in enterprise device management in years — key changes and deadlines for IT admins (Somesh Pathak)

macOS migration glow-up – Step-by-step process for switching macOS MDM using the new ABM update (Somesh Pathak)

Introduction to macOS management – Beginner-friendly guide to managing macOS with Intune (Jeroen Burgerhout)

iOS app protection policy features – New features in app protection policies for iOS and what they mean for your setup (Arno Van Dijk)

Updates, patching & device management

Get tips to keep your devices running smoothly and securely:

Driver management in Intune – Compare script-based driver updates vs. Intune's Driver Update Management solution (Pavel Mirochnitchenko)

Enterprise App Management – Explore the Intune Suite's features for simplified app deployment and maintenance (Arno Van Dijk)

Remove Default Windows Store packages – Control Windows 11 built-in apps using the Settings Catalog without scripts (Arno Van Dijk)

IntuneBrew – Application and patch management for macOS apps made easy (Ugur Koc)

Community tools & automation

Supercharge your Intune management with these community-created solutions:

Intune Assistant – Empower yourself with unparalleled efficiency in Intune management through advanced visualization and analysis (Sander Rozemuller)

IntuneStack – Manage Intune policy as code with GitHub Actions, OIDC authentication, and ring-based deployments (Hailey Phillips)

Intune Log Reader for Windows – Real-time analysis and monitoring of Microsoft Intune Management Extension logs on Windows (Somesh Pathak)

Intune Log Reader for macOS – Real-time analysis and monitoring of Microsoft Intune MDM logs on macOS (Somesh Pathak)

ABM API Client – Native macOS client for Apple Business Manager and Apple School Manager APIs with an intuitive GUI (Somesh Pathak)

Fleetly – iOS app for IT administrators to manage and monitor Intune-enrolled devices on the go (Somesh Pathak)

TenuVault – Backup and restore for Intune with full automation (Ugur Koc)

Intune Documentation Generator – Generate PDF reports of all your Intune configurations in minutes (Ugur Koc)

Envoy Lightweight UEM – PowerShell-based User Environment Manager designed for Intune-managed Windows machines (Joey Verlinden)

OpenIntuneBaseline – Community-supported security baseline for Intune with real-world best practices (James Robinson)

IntuneQLinks – Comprehensive catalog of community articles, blogs, videos, and diagrams — your go-to resource library (Andy Jones)

Azure Virtual Desktop PowerShell module – Streamline Azure Virtual Desktop management with this powerful community tool (Sander Rozemuller)

Daily Checks – Get a daily digest of what's happening in your tenant via email with this free service (Andrew Taylor)

Community groups & resources

Microsoft Intune - Android and iOS Admins LinkedIn Group – A focused community for mobile device management with Intune (Andy Jones)

Community Events

Participate in the Intune community in person at these upcoming events

Workplace Ninjas US 2025 – Dallas, Texas, USA – Dec 9–10, 2025
Event page: https://workplaceninjas.us

Experts Live Denmark 2026 – Copenhagen, Denmark – February 24–25, 2026
Event page: https://cloudway.com/calendar-event/experts-live-denmark/

Modern Endpoint Management Summit 2026 EMEA Edition (MEM Summit Paris) – Paris, France – April 22–24, 2026
Event page: https://sessionize.com/MEMSummit2026/

Workplace Ninjas Norway 2026 – Oslo, Norway-May 27, 2026
Event page: https://wpninjas.no/

Workplace Ninja Summit 2026 – Baden, Switzerland – TBD
Event page: https://summit.wpninjas.global/

Intune Community Resources

Get trusted Intune tips and strategies from these blogs, videos, and podcasts from industry experts.

Andrew Taylor Newsletter and blogs - https://andrewstaylor.com/

Lewis Barry - https://conditionalaccess.uk/

MsEndpointmgr- (33) MSEndpointMgr - Jungling the Cloud - YouTube

Peter van der Woude – All about Microsoft Intune - https://petervanderwoude.nl/

Simon Skotheimsvik - https://skotheimsvik.no/

Niklas Tinner - https://www.oceanleaf.ch/

Adam Gross Intune Training - https://www.youtube.com/@IntuneTraining

Jonathan Edwards M365 Training - https://www.youtube.com/@bearded365guy

Steven Weiner - https://www.getrubix.com/

Workplace Ninjas Netherlands Podcast - https://creators.spotify.com/pod/show/wpninjasnl

Workplace Ninja User Group Netherlands Video - https://www.youtube.com/@wpninjasnl

Workplace Ninja User Group India - https://www.meetup.com/workplace-ninja-user-group-india/events/

Microsoft Cloud and Client Management Community Belgium - https://www.linkedin.com/company/mc2mcbe/

A special thanks to our contributors

A heartfelt thank you to all the MVPs who contributed to this year's roundup:

Your expertise, generosity, and passion for sharing knowledge continue to elevate the entire Intune community. Thank you for everything you do. Wishing you a wonderful holiday season and a successful 2026! Stay secure, stay innovative, and be well.

Disclaimer: This content has been created and curated by the community. Readers are encouraged to independently verify technical details and evaluate resources for their specific environments.

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

What's new in Microsoft Intune at Ignite

Jason_Roszak — Wed, 26 Nov 2025 19:43:34 GMT

Welcome to Microsoft Ignite, where the future of IT is being reimagined. Today we’re unveiling how Microsoft Intune is transforming endpoint management by putting AI at its core, with assistive chat-based and agentic experiences to help you streamline operations, unify cross-service insights, and enable scalable action, tailored to your organization's needs. With Security Copilot chat embedded across Intune, you gain expert assistance to help guide you through daily operations while new AI agents help scale your team to tackle your most time-consuming tasks.

These AI experiences will be available for even more IT professionals with the announcement that Security Copilot is being included in Microsoft 365 E5. We're entering a new era in how IT teams manage, secure, and scale operations for their organizations.

Alongside these AI-powered innovations, we're also announcing foundational platform improvements that help IT teams act with confidence — centralizing critical tasks, reducing rollout risk, and strengthening recovery and update control for a more resilient environment.

Streamline operations with agentic AI

A new wave of Security Copilot agents in Intune is here to help make complex tasks easier and security stronger. From transforming requirements into policies, to identifying devices for removal, to assessing changes before they impact productivity — these agents help deliver smarter decisions, better compliance, and reduced risk through intelligence and automation.

Every change that IT admins make matters. From app deployments to policy updates, even small adjustments can ripple across your environment impacting productivity or security. The new Change Review Agent uses advanced AI to analyze each change in context, checking for risks, conflicts, and compliance. It provides detailed insights and clear recommendations, so you can move forward with confidence knowing your decision is informed. Initially the Change Review Agent will handle Multi-Admin Approval script requests, and we will continue to add more types of change requests over time.

The Change Review Agent provides detailed insights into the request, its purpose, history, and potential impacts.

Configuring Intune policies is a job where every choice can shape your organization's security, productivity, and compliance. The Policy Configuration Agent is here to help. By using natural language input, it translates your organization’s requirements into clear, actionable configurations and provides guidance on settings. IT admins can now create and validate policies easily — making security and productivity goals easier to achieve.

For organizations operating under strict compliance frameworks such as PCI, HIPAA, DISA STIG, or other industry-specific mandates, regulatory compliance is critical. The Policy Configuration Agent is designed to complement your existing compliance efforts. It checks for alignment with these standards and continuously audits your environment to support ongoing monitoring. The agent adds expertise and efficiency — helping flag deviations before they become risks so IT teams can continue to maintain a secure, compliant posture with greater agility and scalability. 

The Policy Configuration Agent reviews a document and recommends steps to fulfill unmatched requirements in Intune.

Unused or outdated devices aren’t just clutter — they’re a security risk. Every unmanaged endpoint increases the chance of vulnerabilities and compliance gaps. The Device Offboarding Agent takes the guesswork out of cleanup by scanning your entire digital estate to identify devices that no longer belong. It offers an efficient, straightforward way to offboard those devices from your organization, helping maintain the hygiene of the digital estate and helping reduce the attack surface.

The Device Offboarding Agent provides a summary including reasoning for removing devices and recommended actions to offboard them.

All three agents are currently rolling out to preview and can be found under “Agents” on the left side of the Intune portal once rolled out.

To make the agents easily accessible and teams get started more quickly, we are excited to announce that Security Copilot will be available to all Microsoft 365 E5 customers.

Rollout starts today for existing Security Copilot customers with Microsoft 365 E5 and will continue in the upcoming months for all Microsoft 365 E5 customers. Customers will receive 30 day advanced notice before activation. Learn more: https://aka.ms/SCP-Ignite25

Explore data with assistive AI

Copilot is there to assist you in your daily IT work — delivering guidance when and where you need it. You can use everyday language with Copilot chat to gain deep insights and get actionable recommendations, making it even easier to manage your environments. Copilot chat enables you to quickly access and manage all your endpoints including Windows 365 Cloud PCs.

When you need to dive deeper into your data and take action on it, Copilot is there to help. The explorer experience allows you to interact with data using natural language queries and view customized data sets. There's even more flexibility in the data queries you can explore, and we are consistently broadening the range of data available for Copilot to reason over, which now includes your Autopilot, Endpoint Privilege Management (EPM), and Advanced Analytics data.

Build the foundation for secure AI deployments

Every action and rollout must be secure, compliant, and predictable. Intune is building that foundation with two capabilities that keep IT in control today and prepare for agentic workflows tomorrow.

IT admins face a flood of requests across multiple portals. Soon, those requests won’t just come from people — they’ll come from agents recommending actions. That’s why we’re introducing admin tasks, a centralized view for high-priority items, so admins can act quickly on what matters most. Today, that includes critical approvals like elevation requests, multi-admin approvals, and security tasks. Expected in the first quarter of calendar year 2026, agent-driven approval needs will appear here too, keeping control firmly in IT’s hands.

Admin tasks is a consolidated list helping IT admins focus on what matters most from a centralized place.

Changes to the environment should start small, validate stability and impact, and then scale with confidence. Intune introduces deployments, a controlled, phased approach to rollouts. This capability brings ring-based deployments — already proven in Windows Autopatch — into application workloads, helping IT apply changes safely across the fleet. Looking ahead, deployments will play a critical role in rolling out AI-driven experiences, ensuring every change is rolled out in phases, minimizing risks and downtime. Deployments is now in limited private preview.

Discover improved operational recovery and resilience

Recovering a Windows device boot failure used to mean hands-on, one-at-a-time fixes. Intune introduces a new feature, recovery, for remote management of the Windows Recovery Environment (WinRE) at scale. IT admins can respond to mass outages or tailor recovery with custom scripts, all without being physically present. IT admins gain fleet-wide visibility into which devices are in WinRE and their recovery readiness, making it possible to act quickly and confidently. Security is included, with actions authenticated and authorized using hardware-bound recovery certificates. Recovery is in limited, private preview.

Keeping devices secure and up to date often means balancing update schedules with the end user experience and mission-critical operations. Intune introduces maintenance windows for cloud-managed devices, giving IT precise control over when updates — including OS, drivers, and firmware — can run. This capability helps minimize disruption and improve patch compliance while delivering the agility and security of a cloud-based management platform, without the complexity and cost of on-prem infrastructure. Maintenance windows is expected to roll out to preview in the first quarter of calendar year 2026.

Windows Autopatch introduces proactive update readiness capabilities that help IT teams identify blockers before deployment begins. With tenant-wide inventory views, admins can see their Windows fleet update posture across OS, drivers, and firmware. Readiness checkups surface “at risk” devices early, highlighting issues like connectivity gaps, safeguard holds, or hotpatch prerequisites. These capabilities reduce surprises and accelerate compliance. Update readiness is now available in preview as part of Windows Autopatch. Read the blog for more information.

Endpoint Privilege Management empowers IT administrators to enable users to run elevated applications under the current user's identity, improving the user experience by preserving personal data and settings. Support for elevation requests from non-primary device users has been added, ensuring users utilizing shared devices can leverage the value of EPM and elevate critical applications. The new EPM readiness dashboard offers comprehensive oversight of rollouts and provides rule recommendations. Additionally, expected to roll out in the first quarter of calendar year 2026, IT administrators will be able to create elevation rules that allow users to change certain network configuration settings, supporting productivity without compromising security.

We’re also excited to announce several previewed capabilities are now generally available. Installer script support for Enterprise App Catalog apps gives IT admins the flexibility to include PowerShell scripts when deploying apps through Intune — ideal for handling prerequisites, custom parameters, or post-install steps at scale. Support for Win32 apps is expected in the first quarter of calendar year 2026. App Control for Business with Managed Installer allows IT admins to designate the Intune Management Extension as a managed installer so apps deployed through Intune are recognized as trusted when your policy allows managed installers — helping reduce the risk of unapproved or malicious code. Finally, Windows Backup for Organizations, configurable through Intune, enables IT to back up and restore user settings and Microsoft Store app lists during enrollment or recovery, helping minimize downtime and helping users return to a known-good state fast.

Learn how Intune is driving impact for customers

Intune delivers impact at enterprise scale: at PepsiCo, unified endpoint management helped cut device build time by 50% and drove a 99% drop in sign-in time for shift workers, reducing costs while boosting reliability across a global fleet. Read the full story.

As organizations modernize on Intune, they’re also positioned to harness emerging AI-powered capabilities like Copilot in Intune to surface risk insights faster, guide troubleshooting, and automate routine work. LTI Mindtree integrated Microsoft Security Copilot with Microsoft Intune, Defender XDR, Threat Intelligence, and Sentinel to automate and enhance threat detection and response. Chandan Pani, Chief Information Security Officer says “Microsoft Security Copilot is our true AI partner in cyber defense. It provides AI-enabled automated incident response, integrated threat intelligence, and advanced threat analysis. With adaptive detection engineering, it improves future responses and generates more accurate detection rules.” Read the full story to learn more.

Join us at Ignite

Whether you’re in person or online, there are great sessions you can attend:

Online and in-person:

Hands-on lab (in-person only):

LAB 542 Microsoft Zero Trust Workshop Lab: Securing Identities and Devices with Intune & Entra

Additional sessions

That’s not all — check out these hybrid sessions covering Security, Copilot, Windows, and more!

For more information on announcements, read the blogs:

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

What’s New in Microsoft Intune: October 2025

ScottSawyer — Thu, 30 Oct 2025 18:00:00 GMT

Last week, someone asked me what keeps me up at night when it comes to endpoint management. The answer surprised them; it was not the sophisticated threats or latest vulnerabilities we read about in headlines. What concerns me most is the friction between security and productivity, that invisible tax we've all paid for years when security can get in the way of getting work done. October marks Cybersecurity Awareness Month, and this year's theme, "Security Starts with You," resonates deeply with the work our team has been doing. The features landing in Microsoft Intune this month reflect a fundamental shift in how we think about security — not as a barrier, but as an enabler. From enrollment-time grouping that helps IT teams surface issues faster to new Endpoint Privilege Management (EPM) capabilities that make IT professionals' lives easier.

Faster reporting with new enrollment time grouping reports

There's no single reason why a device might not end up in the right group during provisioning — and that's exactly what makes it so hard to troubleshoot. For teams managing hundreds or thousands of devices, these blind spots add up fast. That’s why I’m glad the enrollment time grouping failures report is now generally available in the Microsoft Intune admin center. This helps eliminate blind spots and gives IT teams visibility to address issues proactively. The new capability surfaces failures across Windows Autopilot device preparation provisioning, Android Enterprise fully managed devices, Android corporate-owned work profile devices, and Android Enterprise dedicated devices.

Administrators can now navigate enrollment time grouping failures in the admin center to gain more visibility of devices that didn't become members of their specified static device groups during enrollment. The enrollment time grouping failures report is available in the admin center under **Devices** > **Monitor** > **Enrollment time grouping failures**. Now updated information is displayed within 20 minutes, helping device configuration removal when a device is not part of the required group.

Identity-aware privilege management

The new elevate as current user capability in EPM gives IT admins finer control over how elevation works. When creating rules, you can now specify whether an elevated process runs under the user’s own account or the EPM default virtual account.

Why does this matter? Because some applications, especially during runtime, fail when they lose awareness of the user’s profile, environment variables, or registry settings. Processes such as user customization, accessing profile information, or obtaining a server license require that the system maintains the context of the user with elevated privileges. With this new mode, those processes keep the user’s identity, so they work as expected, while still maintaining full audit trails.

Zero Trust principles favor virtual account elevation, which strips user context from tokens entirely. When applications need user profile paths or settings to function correctly, the elevate as current user capability gives you that flexibility while maintaining control through scoped rules and audit trails. Configure these elevation options based on your specific application requirements — learn more in the elevation settings documentation.

Improving security posture visibility with new EPM Overview dashboard

Greenfield organizations moving to standard user accounts for the first time needed a better way to identify deployment targets, gauge health, and measure impact. The new EPM Overview Dashboard provides a centralized view in Intune showing readiness for migrating local admin accounts to standard users, including managed versus unmanaged elevation activity and trends.

Figure 1: Screenshot of the new EPM Overview Dashboard

This new dashboard (shown above) answers three critical questions. It identifies which users are experiencing friction, shows what changes improve user experience based on actual elevation patterns, and enables adjustments without manual data entry. Enterprise IT security teams gain faster policy refinement, improved security posture through removal of persistent admin rights, and reduced helpdesk load by identifying candidates for auto-approval rules.

Updated network endpoints for Azure Front Door

Behind every feature you use in Microsoft Intune runs an infrastructure designed for security, reliability, and performance. As part of Microsoft's ongoing Secure Future Initiative, network service endpoints for Microsoft Intune are adopting new IP addresses defined by Azure Front Door. This change affects customers using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags.

This improvement supports better alignment with modern security practices and makes it easier over time for organizations using multiple Microsoft products to manage and maintain their firewall configurations. It's the kind of behind-the-scenes work that doesn't make headlines but reinforces the secure foundation upon which everything else depends. If you're managing third-party firewalls or proxy configurations, now is the time to review your allowlists and ensure these endpoints are included. Detailed information about all IP addresses that should be allowed for use by Intune client and host services is available in the Network endpoints for Microsoft Intune documentation under Intune core service here.

Windows Autopilot delivers secure-by-default device provisioning

A quick update on an item we shared in August: the ability for the Enrollment Status Page to install Windows security updates during out-of-box experience (OOBE) is now scheduled for January 2026. While the setting is visible in your profiles, updates to Windows are not yet available during OOBE. This extra time allows the team to ensure a reliable, seamless experience for every device.

Administrators continue to have complete authority over when updates are installed, using the enrollment status page (ESP) to manage configurations. This applies to both Intune-managed devices and Windows Autopilot scenarios, ensuring the core benefit remains consistent. Please read the Intune documentation for more details, requirements, and limitations.

This aligns with the "Security starts with you" theme Microsoft has been emphasizing for Cybersecurity month. Devices that are patched from the moment users first ‘sign in’ reduce the window of vulnerability that comes with delayed updates.

Looking ahead

In summary, October's updates reflect what IT teams have been working toward — security that empowers rather than restricts. When the tools supporting security work this seamlessly, "Security starts with you" becomes more than a theme, it becomes the foundation every device is built on. I encourage you to explore these capabilities in your own environment and share your experiences. The Microsoft Intune community thrives on feedback from IT professionals solving real-world challenges, and your insights help shape where we invest next.

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

Your guide to Intune at Microsoft Ignite 2025

Talal_Alqinawi — Fri, 07 Nov 2025 17:30:16 GMT

The Microsoft Intune team is gearing up for Microsoft Ignite, happening November 17-21 in San Francisco! Whether you'll be joining in person or online, this guide is the best place to learn all about the sessions and experiences where you can connect with the Intune team, learn about the latest innovations, and boost your skills. Don't forget to register today.

Attendees will have opportunities to learn about a range of product innovations and scenarios, from streamlining endpoint management to simplifying operations and improving security. Discover how Security Copilot can help safeguard your organization and streamline productivity — ensuring you stay informed and prepared for the future of secure endpoint solutions.

We’ll continue to add times and dates here as soon as the schedule is released and the session builder tool is up and running for you to personalize your agenda.

Don’t forget to bookmark this post at https://aka.ms/IntuneAtIgnite for quick and easy reference!

Featured sessions

What's new in Intune: empower IT, protect endpoints & optimize with AI

Wednesday November 19th, 2:45pm-3:30pm PST

Discover what’s new in Microsoft Intune — from exploring deeper data with Copilot, simplifying workflows and cloud native deployments, to scaling with agents. Learn about the latest innovation across platforms to build resilient, secure, and productive environments, to stay ahead of rapidly evolving threats, app updates and device compliance. Empower IT, protect endpoints, and optimize with AI to get there.

Demystify Zero Trust with Intune: cloud-connected, secure, and AI-ready endpoints

Thursday November 20th, 11:00am-11:45am PST

Managing endpoints in the cloud is a fundamental piece of the Zero Trust puzzle and of delivering the optimal AI experience for business. In this session, we’ll demystify what that means in practice. See how Microsoft Intune brings Zero Trust to life by connecting device and app management, compliance, and threat protection. We’ll show how cloud-native management establishes a stronger security foundation and enables safe, scalable adoption of AI. Strengthen endpoint protection across Windows, macOS, iOS, and Android—helping IT teams stay ahead of threats while empowering employees to work productively and securely from anywhere.

Microsoft Intune sessions at a glance

What's new in Intune: empower IT, protect endpoints & optimize with AI

Demystify Zero Trust with Intune: cloud-connected, secure, and AI-ready endpoints

Zero Trust Lab: Securing Identities and Devices with Intune & Entra

Related sessions

Transform security and IT with Security Copilot agents

Top Essentials for an Integrated, AI-Ready Security Foundation

Security Copilot: Protect at the speed and scale of AI

Inside Windows Security, from client to cloud

Agents at Work: Windows Powers the Era of Intelligent Productivity

Resilient by design: How Windows has evolved with new recovery tools

Secure & Manage the Most Productive, Intelligent OS: Windows 11

Dive deep into latest product updates

Last year, our Intune sessions at Ignite generated incredible buzz. One breakout alone drew several thousand attendees — earning a spot as one of the top attended sessions of the entire week!

Last year, thousands of attendees learned how Intune and AI could help analyze large volumes of data to optimize endpoint performance and take action to mitigate risks.

Join this year’s in-depth breakout sessions to find out how Intune is evolving to help you tackle complex endpoint management challenges and use innovative solutions to protect against threats at the speed and scale of AI.

What's new in Intune: empower IT, protect endpoints & optimize with AI

Wednesday November 19th, 2:45pm-3:30pm PST

Discover what’s new in Microsoft Intune — from exploring deeper data with Copilot, simplifying workflows and cloud native deployments, to scaling with agents. Learn about the latest innovations across platforms to build resilient, secure, and productive environments, to stay ahead of rapidly evolving threats, app updates, and device compliance. Empower IT, protect endpoints, optimize with AI to get there.

Speakers: Jason Roszak, Eugenie Burrage

Demystify Zero Trust with Intune: cloud-connected, secure, and AI-ready endpoints

Thursday November 20th, 11:00am-11:45am PST

Managing endpoints in the cloud is a fundamental piece of the Zero Trust puzzle and of delivering the optimal AI experience for business. In this session, we’ll demystify what that means in practice. See how Microsoft Intune brings Zero Trust to life by connecting device and app management, compliance, and threat protection. We’ll show how cloud-native management establishes a stronger security foundation and enables safe, scalable adoption of AI. Strengthen endpoint protection across Windows, macOS, iOS, and Android — helping IT teams stay ahead of threats while empowering employees to work productively and securely from anywhere.

Speaker: Lior Bela, Sangeetha Visweswaren

Agents at Work: Windows Powers the Era of Intelligent Productivity

Tuesday November 18th, 2:30pm-3:15pm PST

The future of work is here. See how Windows combines security, adaptability, cloud, and AI to empower organizations and people to create, decide, and grow.

Speakers: Stefan Kinnestrand, Navjot Virk

Inside Windows Security, from client to cloud

Thursday November 20th, 8:30am-9:15am PST

The latest innovations across Windows — from client to cloud — are designed to improve your security posture and protect users, devices and data. Join this session to learn about the newest security releases and capabilities across Windows 11 and Windows 365, including features like administrator protection, token protection, protecting against malware, hotpatching, and more. We will also discuss how Cloud PC devices like Windows 365 Link are changing the game in Windows endpoints.

Speakers: Katharine Holdsworth, Pratik Shah

Transform security and IT with Security Copilot agents

Thursday November 20th, 8:30am-9:15am PST

Automate tasks, strengthen defense, and accelerate response with Security Copilot agents — built by Microsoft, partners, or tailored by you for the unique challenges of your environment.

Speakers: Sarat Subramaniam, Lizzie Heinze

Top Essentials for an Integrated, AI-Ready Security Foundation

Thursday November 20th, 4:45pm-5:30pm PST

To stay ahead, organizations need a secure, identity-based foundation for your digital landscape. Learn what Microsoft Entra and Intune bring across the M365 stack to help you reach a Zero Trust security posture with more compliance and control in the era of AI. We’ll dive into top scenarios that bring to life what you need to maximize your Microsoft investment.

Speakers: Joseph Dadzie, Mayaan Bar-Niv

Security Copilot: Protect at the speed and scale of AI

Wednesday November 19th, 1:30pm-2:15pm PST

Security teams face relentless pressure, complexity, and fewer resources. With generative AI, we have the opportunity to change the game. Join Microsoft product leaders to see what’s new in Security Copilot and how it’s transforming security and IT work.

Speaker: Dorothy Li, Dilip Radhakrishnan

Upskill with hands-on experiences

Demos and hands-on labs are exclusively available to in-person attendees, offering a direct experience with the newest endpoint management and security features from Intune.

Zero Trust Lab: Securing Identities and Devices with Intune & Entra

Wednesday November 19th, 2:00pm-3:15pm PST

Repeat: Thursday November 20th, 2:45pm-4:00pm PST

Discover the enhanced Microsoft Zero Trust Workshop — now covering all six technical pillars. Explore how Intune and Entra secure identities and devices, with new implementation indicators and cross-pillar guidance. Build a tailored roadmap, track progress, and leverage the latest integrations to accelerate adoption and boost your security posture.

Instructors: John Callaghan, Terrell Headen

And so much more!

Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, to learn why endpoint security and management are critical in today’s hybrid environments. At Ignite, endpoint management sessions and labs will help you secure devices, automate management, and integrate with AI-powered security tools.

Security Forum — Make day 0 count (November 17)
Kick off with an immersive, in person pre-day focused on strategic security discussions and real-world guidance from Microsoft leaders and industry experts. If you’ll be there in person, make sure to select Security Forum during registration: Microsoft Ignite.

Join an Intune Product Roundtable at Ignite!

Don’t miss your chance to connect directly with the Intune product team and peers at our customer roundtables! These small-group sessions are your opportunity to:

Share feedback and real-world experiences with the Intune team

Dive deep into topics like AI-powered endpoint management, integrated security, Windows and Mac management, and more

Influence the future direction of Intune by engaging with Product managers, engineers, and fellow IT leaders

Ready to join?

Space is limited, if interested complete please this form. We look forward to hearing your insights and partnering to shape the future of endpoint management.

Windows Ignite Reception at the Levi's flagship store

Join us to celebrate 40 years of Windows at the Levi's® corporate headquarters in San Francisco. Wednesday, November 19th; 6:30-8:30 pm PST.

Get a head start

Got questions that can’t wait until Ignite? Watch our latest Tech Community Live on demand to learn more about Microsoft Intune Suite, Copilot in Intune, Security, and cross-platform management.

And be sure to bookmark the Microsoft Intune blog for news and announcements starting day one of Microsoft Ignite. We can’t wait to connect with you before, during, and after this year’s big event!

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

10 ways Microsoft Intune supports a smooth upgrade to Windows 11

LiMiller — Wed, 22 Oct 2025 20:46:49 GMT

Upgrade to Windows 11 with confidence — 10 Intune tips from Microsoft engineers, MVPs, and guides.

Windows 10 reached end of support on October 14, 2025 for most editions. After this date, devices no longer receive new features, quality updates, security fixes, or support.

Organizations that need more time can enroll eligible devices in the Windows 10 Extended Security Updates (ESU) program, which provides critical security updates — but no new features or non-security fixes — for up to three additional years (through October 2028).

For organizations planning or completing their migration to Windows 11, Intune plays a key role in managing upgrades smoothly. The following ten tips — drawn from Microsoft engineers and MVPs — offer practical guidance to help IT teams align stakeholders, validate readiness, and structure upgrade strategies.

From readiness to rollout:

Check out these 10 tips with Intune to streamline your Windows 11 migration

Tip 1: Get leadership buy-in with a clear business case for Windows 11

Modernization starts with alignment at the top. MVP James Robinson, with over 20 years of IT experience, explains why moving to Windows 11 can deliver benefits such as smoother device management, stronger security, and simplified hardware procurement. It’s also an opportunity to shift from legacy tools to cloud-native endpoint management with Intune.

Explore James’s full perspective on framing your business case.

Tip 2: Prepare your foundation — verify hardware, policy, and enrollment readiness

Begin your Windows 11 migration by checking that every device is enrolled in Intune. Once enrolled, use Endpoint analytics to validate that devices meet Windows 11 requirements. Key considerations include licensing, hardware compatibility, and enrollment — all critical for reducing risk and supporting a smoother upgrade.

Microsoft engineer Steven Hosking outlines five steps to migrate Windows 10 domain-joined and co-managed devices to Windows 11.

Tip 3: Free up disk space with Intune Remediations and Storage Sense

Low free disk space is a common cause of upgrade failures, especially on devices with smaller SSDs. Use Remediations in Intune to deploy PowerShell scripts that check available storage, clean up locations like Recycle Bin and Downloads, and proactively notify users.

For ongoing maintenance, pair this with Storage Sense, a built-in Windows feature that automatically clears temporary and Recycle Bin files. While Storage Sense handles routine cleanup, custom Intune Remediations address additional scenarios — such as large user folders or legacy files — that Storage Sense doesn’t cover. Together, they provide a proactive, centrally managed way to keep devices upgrade ready.

Follow MVP Florian Salzmann’s step-by-step guide to create and deploy Remediation scripts in Intune.

Tip 4: Manage OS updates automatically with Windows Autopatch

Simplify your Windows 11 rollout with Windows Autopatch. Start by reviewing Windows 11 readiness reports in Intune to confirm which devices meet upgrade requirements. Next, use Autopatch Groups to organize pilot and production rings. Autopatch supports multi-phase feature update deployments for these groups to stagger rollout timing and reduce risk. Throughout deployment, track progress and resolve upgrade blocks leveraging the feature update reports in Autopatch. This structured approach provides clear visibility and helps upgrades progress smoothly at scale.

Check out the 4 steps to success in the playbook from Microsoft engineer, Akash Malhotra.

Tip 5: Run targeted, version-specific rollouts with feature update policies

When you need to manage Windows 11 upgrades outside of Autopatch—such as in highly customized environments—use feature update policies in Intune for direct control. These policies let you to deploy a specific Windows 11 version to selected device groups, keeping those devices on that current version until you decide to upgrade. This approach aligns to honor Microsoft safeguard holds to help prevent known issues.

Learn how to configure feature update policies for Windows devices in Intune.

Tip 6. Modernize provisioning with Intune and Windows Autopilot

Upgrading to Windows 11 is an ideal time to rethink your approach to provisioning. MVP Andrew Taylor recommends using hardware refresh cycles to switch from Microsoft Configuration Manager or on-premises methods to cloud-based provisioning with Intune and Windows Autopilot. This helps build a solid foundation for modern provisioning, enabling phased deployment and streamlining lifecycle management.

Read Andrew’s post on planning an Intune Autopilot migration.

Tip 7: Preserve user settings and app lists with Windows Backup for Organizations

Use Windows Backup for Organizations to capture user settings, personalization, and a list of installed Microsoft Store apps from Windows 10 before migration. These preferences can be restored during device enrollment when the user signs in to Windows 11 with the same Entra ID. This helps employees return to familiar configurations and quickly reinstall apps from their list — helping to reduce post-upgrade friction and improving user satisfaction.

Learn how to configure Windows Backup for Organizations in Intune and explore best practices.

Tip 8: Bridge hardware delays with Windows 365 Reserve

When hardware refresh cycles don’t align with your timeline, Windows 365 Reserve — now in limited public preview — can enhance business continuity. By provisioning secure temporary Cloud PCs, you can keep your workforce productive while you plan upgrade waves at your own pace. Because these Cloud PCs are managed with Intune, you apply more consistent security policies and app deployment across physical and virtual endpoints during the transition.

Explore more about the limited public preview and get practical guidance to plan upgrade waves.

Tip 9: Treat your upgrade as a security milestone

A Windows 11 migration is an opportunity to strengthen and modernize endpoint security. MVP Simon Hartmann shares practical insights from enterprise deployments with Intune, illustrating how aligning upgrades with stronger security measures and future-ready policies can help reduce risk, streamline management, and improve compliance readiness.

Use this stage to apply security baselines and enable features such as App Control for Business. This baseline helps to ensure only trusted applications run and reviews device-level protections such as BitLocker, Microsoft Defender for Endpoint, and Secure Boot.

Explore Simon’s tips to set the stage for a more secure, future-ready upgrade with Intune.

Tip 10: Maintain your new Windows 11 security posture with faster patching

After upgrading, keeping devices secure means minimizing the window between patch release and protection. Hotpatch updates — available for Windows 11 Enterprise, version 24H2 — apply Monthly B release security updates without waiting for a reboot. This helps organizations reduce exposure gaps and maintain compliance with minimal disruption. In the Intune admin center, you can configure Hotpatch as part of a Windows quality update policy for eligible devices, so updates take effect promptly.

Learn how to configure Hotpatch and apply quality-update policies in Intune.

What’s new Intune: What's new in Microsoft Intune - Microsoft Intune | Microsoft Learn

__________________________________________________________________________________________________________________________________________________________________

Stay up to date! Bookmark the Microsoft Intune Blog | Microsoft Community Hub and follow us on LinkedIn or @MSIntune on X to continue the conversation.
_________________________________________________________________________________________________________________________________________________________________________________________

Intune partner portal adds Intel vPro integration

Lior_Bela — Wed, 15 Oct 2025 21:35:08 GMT

Hardware-level management meets cloud-native simplicity: Intel vPro now in Intune Partner portal

IT pros regularly tell us about the challenges of managing devices that go offline, crash, or become unresponsive. In a world where company devices are spread across work sites, you can’t always send a technician to help, or wait for a device to be shipped, fixed, and returned.

We're excited to announce the arrival of Intel vPro® Fleet Services to the Microsoft Intune Partner portal, bringing hardware-level remote management to your Intune workflows.

A brief history

Last year, we welcomed the Dell Management Portal to this growing ecosystem of OEM integrations, joining the HP Connect Portal announced in spring of 2023 and the Surface Management Portal.

Announcing Intel vPro integration in the Intune admin center

Intel vPro® Fleet Services can be accessed through the Intune admin center, streamlining access to these hardware-level device management capabilities for Intel vPro®-enabled devices (8th Gen Intel Core processors and newer):

Hardware-level access. Manage devices even when they're powered off or the operating system has crashed — capabilities that traditional software-only management can't deliver.

Secure authentication. Leverage your existing Microsoft Entra ID credentials and conditional access policies for all hardware management operations.

Out-of-band management. Perform critical operations including:
- Remote power-on for maintenance and updates
- BIOS-level diagnostics and troubleshooting
- System recovery and re-imaging operations
- Security compliance monitoring for offline devices

Get started with Intel vPro Fleet services

IT admins can access these enterprise-grade capabilities with existing Intune licensing — no extra fees or infrastructure are required.

Intel vPro® Fleet Services will appear in the Partner portals tab in the Devices blade of the Intune admin center.

The Microsoft Intune Partner portals screen

Selecting Intel vPro® Fleet Services will authenticate using your Microsoft Entra tenant credentials and connect you directly to the Intel vPro® Fleet Services management portal.

The Intel vPro Fleet Services home screen

We look forward to sharing more updates on our OEM collaborations in the future.

Let us know what you think

We read the comments on posts like this and consolidate your feedback from the Microsoft Intune feedback portal. Your questions and comments inform and shape our product roadmap, so please continue to share your feedback. Subscribe to this blog for the latest official news, and follow me on LinkedIn to get the latest updates as soon as I do.

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

What’s New in Microsoft Intune: September 2025

ScottSawyer — Mon, 29 Sep 2025 18:00:00 GMT

The most resilient IT environments aren't just reactive, they're built with hardware-level contingencies, flexible deployment methods, and automation that works asynchronously. Behind every new capability is our team of Microsoft Intune engineers, who think about the real-world problems IT admins face every day.

They're the ones building solutions that address questions like, 'What if a device goes offline and you can't reach it?' or 'How can we make a complex app installation less likely to fail?' This month’s updates are the result of that ongoing work — updates that give you early access to offline Intel vPro devices, PowerShell scripts for those fragile app deployments, and day-zero compatibility for Apple’s new operating systems. We’re also excited to share new AI enhancements that can optimize Cloud PC experiences and reduce costs.

These aren't just new capabilities; they're our way of getting ahead of and solving challenges that impact customers’ business every day.

Hardware-level management adds business resilience

When a device won't boot, traditional remote management fails. Companies with Intel vPro devices now have a better option. Microsoft has worked with Intel vPro Fleet Services, bringing hardware-level management directly into the Intune admin center. IT admins can recover and troubleshoot devices even when they're powered off. With Microsoft Entra ID single sign-on, IT teams gain authenticated access without requiring additional infrastructure or licensing.

After gaining access, IT teams can use Intel Active Management Technology (AMT) to get out-of-band management independent of the primary operating system. Teams can perform BIOS and OS recovery of Intel vPro devices from 2018 or later. This capability can help to build resilience for an Intel-powered fleet of devices. When standard remote access fails, hardware-level management ensures IT teams can still reach and recover critical business devices, helping to restore availability and maximize user productivity.

Comprehensive Apple device management on day zero

Apple's iOS/iPadOS and macOS 26 releases bring new capabilities that organizations want to use immediately, but they can sometimes introduce configuration requirements that can't wait. Our Intune team has extensively evaluated existing Intune endpoint management functionality against the changes introduced with Apple’s new operating systems to ensure compatibility. We added new settings introduced in the latest Intune releases and updated our OS version support statement to align with Apple's recommendations, ensuring end users can safely use new capabilities from Apple on day zero. The settings catalog now supports new iOS/iPadOS and macOS settings, including audio accessory configuration, Safari controls, security restrictions, app defaults, and web filtering. For more information on these settings, read our recent blog on day zero support for iOS/iPadOS and macOS 26.

Updated Purebred derived credentials experience

Companies using Purebred-derived credentials for personal user affinity devices will benefit from Intune Company Portal support for the improved Purebred 3.0 experience available with iOS 26.^* For devices without user affinity, we're maintaining our established support model: the three most recent OS versions receive full support, while older versions within range remain allowed with baseline functionality.

This approach helps to ensure that Apple device management doesn't create deployment delays. IT admins can confidently update to the latest Apple operating systems knowing that Intune capabilities will work as expected from day one.

Installer script support that delivers control for application deployment

Application deployment has traditionally been limited to command-line configurations, which can restrict customization and preparation work that complex installations often require. IT admins need the flexibility to configure environments, validate prerequisites, and perform post-installation tasks within a single deployment workflow.

Intune now supports PowerShell installer scripts for Enterprise Application Management (EAM) catalog apps, giving IT admins the option to use the command-line approach with flexible scripting capabilities.^** Admins can upload PowerShell scripts for installation and uninstallation processes, with Intune executing these scripts using the same privileges and context specified by the app installer.

This capability enables IT teams to configure user environments before installation, validate that installation requirements are met, prepare the operating system for specific applications, and perform cleanup or configuration tasks after installation completes. These scripts can report success and failure through standard exit codes while maintaining the same deployment reporting that administrators expect.

With installer script support, administrators can build sophisticated deployment workflows and ensure applications are installed correctly across diverse environments. If you are not yet managing applications in Intune, read our blog on this exciting app packaging partner offer.

AI-powered insights optimize Cloud PC experiences

Copilot in Intune now can reason over data about Windows 365 Cloud PCs, enabling administrators to gain insights into connectivity trends, optimize license usage, identify and resolve performance issues, and detect deployment gaps in Cloud PCs through AI-powered analysis and recommendations.

This represents an evolution of endpoint management cloud-first scenarios where traditional device metrics sometimes can’t tell the complete story. By bringing AI-powered insights to Cloud PC management, organizations can ensure their virtual desktop investments deliver maximum value while maintaining optimal user experiences. For a deep dive into the specific Copilot in Intune capabilities, check out this blog.

From hardware-level recovery capabilities to cloud-based AI insights, this month's updates are all about making endpoint management more resilient, easier to update and deploy, and empowering IT admins to make more informed decisions more quickly and cost-effectively. And as always, we look forward to your feedback—let us know what you think in the comments below.

^*If your company is planning to upgrade to the latest version of Purebred, the IT admin should update to Company Portal version 5.2509.0 to ensure compatibility.

^**EAM catalog app script support is not yet available in Government Community Cloud High (GCCH) environments.

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

Microsoft Intune Blog articles

Microsoft Intune announces Android Enterprise management support for Android XR

What is supported in Intune

What is not supported

Next steps

Windows 365 + Intune Advanced Endpoint Management Capabilities: Better Together

Overview

Key technical integration highlights

Coming to enterprise mobility and security E3 (Included in Microsoft 365 E3)

And coming into Microsoft 365 E5

Conclusion and administrative benefits

What’s new in Microsoft Intune – March

More timely notifications for Microsoft Intune

New controls for role assignment, device setup, and update readiness

Management options to further protect Apple devices and apps

Secure apps: Where people, data, and AI intersect

1. Reduce blind spots across the app estate installed on devices

2. Keep applications current and reduce vulnerability exposure

3. Replace standing admin rights with just-in-time elevation

4. Enforce trusted application execution

5. Protect corporate data at the app level

Securing the application layer across the full lifecycle

Announcing three new partners for multi-tenant management with Microsoft Intune

The challenge: Scaling Intune across customer environments

The solution: Microsoft Intune, extended by validated partners

Momentum in the MSP market

Welcoming three new #IntuneForMSPs partners

What’s next for #IntuneForMSPs

What's New in Microsoft Intune – February

Reduce policy risk with greater oversight over compliance and configuration changes

Find and fix issues faster with updates for multiple device queries

Target Apple updates precisely—without overreaching

Fewer workarounds, stronger Zero Trust across every platform

Protect browser-based work on agency-managed Windows PCs

Support and protection for agency-managed Windows PCs

Simplified onboarding for APP policies on Windows

Apply data security across browser-based work

Guidance to help secure corporate data in the browser

Apply additional protections for a more consistent sign-in flow today

What's New in Microsoft Intune – January 2026

Accelerate deployment with PowerShell script installers for Win32 apps

Endpoint Privilege Management gets sharper

Admin tasks capability brings your work together

Apple enrollment keeps evolving with new certificate support

What's ahead

Admin tasks in Microsoft Intune: Centralized control today, AI-ready for tomorrow

Four ways to streamline IT operations with admin tasks

Simplify decisions and prepare for AI-assisted workflows today

What's in store for Intune at Microsoft Technical Takeoff 2026

Start your Technical Takeoff experience right

Explore Intune sessions at Technical Takeoff

🔐 Zero Trust and security

📦 Provisioning and device management

🤖 Automation and AI

📊 Apps, data, and reporting

🎥 All things endpoint management

See you on Mondays in March!

Save the date: Intune Tech Community Live – January 26

Why Tech Community Live?

How to join the fun

What's new in Microsoft Intune: December 2025

Empowering IT by automating and enhancing workflows

Enhancing visibility and control across platforms

Improving end-user onboarding experiences

Looking forward to 2026

Microsoft 365 adds advanced Microsoft Intune solutions at scale

Unifying Endpoint Management: Key capabilities driving customer choice

A unified IT ecosystem for long term value

What does this mean for your organization?

FAQ

Essential Intune reading list: MVP community content for 2025

Introduction to Intune

Security & compliance

Windows & Windows 365

macOS & Apple ecosystem

Updates, patching & device management

Community tools & automation

Community groups & resources

Community Events

Intune Community Resources