Microsoft Intune announces device-only subscription for shared resources
Microsoft Intune is pleased to announce a new device-only subscription service that helps organizations manage devices that are not affiliated with specific users, such as digital signage, public kiosks, and phone room devices. The Intune device SKU is licensed per device per month.Windows App Management in Microsoft Intune
Audit every managed and unmanaged app per device with more metadata, including publisher, architecture, estimated size on disk, install location, uninstall commands, to help troubleshoot PCs and expose shadow IT before it spreads. Pull curated Win32 apps straight from the Enterprise App Catalog or upload PowerShell scripts to control exactly how each app installs. Stage rollouts in rings with Intune deployments, to gradually deploy, pause or cancel any deployment in flight; and auto-trust every app you push using App Control for Business with Managed Installer, which also works with Autopilot as you provision new devices, now with up to 25 apps. Keep your fleet of apps up-to-date automatically as vendors publish new versions through the Enterprise App Catalog, or trigger updates on demand from the Guided Upgrade Supersedence report. Nicole Zhao, Microsoft Intune Product Manager, shares how to put these built-in enhancements to work across every managed device. *Intune Deployments is currently in private preview. Capabilities shown are subject to change and not yet generally available. Identify shadow apps across your managed devices. Microsoft Intune’s app inventory now surfaces publisher, architecture, size on disk, install location, & uninstall command per device. See how it works. Auto-trust every app you deploy through Intune. App Control for Business with Managed Installer tags your deployments as safe and scopes trust to specific user groups. Check it out. One toggle, continuous app updates. The Enterprise App Catalog in Intune pushes vendor releases to managed devices automatically, or surfaces them in a Guided Supersedence report for manual review. Try it now. QUICK LINKS: 00:00 — Built-in app management 00:51 — App Inventory Visibility 01:42 — Enterprise Application Management (EAM) 02:28 — PowerShell Script Installer GA 03:09 — Ring-Based Deployment Plans 04:44 — Managed Installer Auto-Trust 05:39 — Enterprise App Catalog Auto-Update 06:12 — Guided supersedence 06:50 — Wrap up Link References Go to https://aka.ms/IntuneAppManagement Check out https://aka.ms/RSAC26-Intune-Blog from the RSA Conference for additional security context and guidance when managing apps with Microsoft Intune. Unfamiliar with Microsoft Mechanics? As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft. Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast Keep getting this insider knowledge, join us on social: Follow us on Twitter: https://twitter.com/MSFTMechanics Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/ Enjoy us on Instagram: https://www.instagram.com/msftmechanics/ Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics Video Transcript: -Controlling the application layer on devices, delivering the right apps, keeping them secure, up to date, and protected has always been one of the toughest challenges as you manage IT environments. This is nothing new, but what is new is how much easier Microsoft Intune now makes it. With the latest built‑in app management enhancements, you can more easily discover apps across your environment with clearer visibility into your full app inventory per device, simplify app preparation and deployment through pre-packaged apps or with scripted installs, as well as safer, gradual app roll-outs using ring-based deployments. -Ensure only trusted apps run by automatically trusting deployed apps through App Control for Business with Managed Installer, and keep devices automatically on the latest versions as vendors release updates, using the new auto-update capability with your Enterprise App Catalog. It all starts with knowing what apps people have running on their managed devices. And that’s where the latest improvements to app inventory in Intune give you the full up-to-date picture with minimal latency. -Here, for each device, you can see a comprehensive list of inventoried applications, including both managed and unmanaged apps. Importantly, we’ve added more app metadata to help you make better decisions about your apps or start troubleshooting. For each app, you can see the publisher name, architecture, and now even estimated size on disk, as well as installed location, uninstall command, and languages, as long as that information was registered in Windows. For shared devices, we’ve also improved the per user app information to include all users on the device. This gives you clear visibility into which applications exist in your environment, to help you identify unknown or shadow applications that may be running against your policy and governance controls. Next, for getting the right apps deployed, let me show you how we’ve made it easier to bring apps into your managed catalog. -Here, Enterprise App Management, or EAM, is designed to simplify app lifecycle management. I’m going to start by creating an app. Unlike the consumer-focused Microsoft Store, which uses community-driven WinGet app types for app discovery, EAM provides a curated list of enterprise-ready Win32 apps. You can find these apps by choosing the Enterprise App Catalog app type and Confirm. From there, you just need to search for the apps you want. In this case, I’ll look for Blender, and then under Configuration, you’ll find available architectures and versions. You’ll see that it pre-populates the app information. And in the Program tab, the install and uninstall command lines are pre-populated, as well as the exit codes. -Now, this used a command line installer type, but something new to give you even more control is the script installer, which is now generally available. This lets you use PowerShell script to control the installation of your Win32 apps. So, I’ll change the installer type to be a PowerShell script, and that will expose a control to upload a custom script as a PS1 file. Next, I’ll choose the Blenderinstaller script from File Explorer. It conveniently enters the name field for me and then mounts the script to give a preview of the pre-installation commands it runs. This gives you precise control over the install behavior of your apps using script-based installation. And as we progress, the rest of the steps for getting this app deployed to your managed devices should be pretty familiar. -Next, for app roll-outs, Intune’s policy-driven deployment lets you introduce application changes gradually using Deployment Plans. This helps avoid issues from misconfigured, compromised, or unintended app updates, giving you more control over the roll-out process. Let me show you how to create a deployment. You’ll start in Deployments, which you’ll find under Managed Devices. At the top, you’ll see two tabs: Deployments, which lists the app payloads targeted for existing roll-outs; and Deployment Plans, which are reusable deployment schedules that you create with ring timing, as well as assigned groups. I’ll move to the Deployments tab and select Create. Then I’ll give it a name, Global Secure Access Client, and description, East Coast rollout, Next, I’ll select a payload. I’ll choose Win32 and Add Payload, and select Global Secure Access Client. -Now I’ll configure the deployment schedule, which is the key step when setting up this deployment. Here I can either build rings manually, where you’ll add time offsets per ring, or I can load an existing deployment plan. In this case, I’ll load a plan. From here, I can choose the plan I want. I’ll pick the East Coast retail store rollout plan. I’ll choose a start date and add a time. Once the plan loads, all the rings are added with their timelines and associated groups or exclusions. For example, this one has a one-week offset between each ring. When I move to the last Review step, this dialog on top tells me that, once created, I can pause, resume, or cancel the deployment at any time. -From there, I can review my deployment and confirm by hitting Create. Now my app will roll out based on this defined schedule. Let’s look at the latest capabilities for keeping your apps trusted. First, App Control for Business with Managed Installer in Intune means that apps you deploy using this method are automatically tagged as safe apps, without manual allow-listing. It lets you upload your app control policies as XML files or leverage built-in controls to automatically trust apps from the managed installer. -There’s also a new option to target the Managed Installer to specific groups where you enable Intune Managed Extension as Managed Installer and scope the managed installer to specific users with inclusion and exclusion policies. Additionally, with Managed Installer enabled during Autopilot device preparation, you can ensure apps are trusted right from the start as you provision new devices. And using device preparation policies, Autopilot also supports an increased app limit of up to 25 apps. Of course, you can combine these capabilities with Windows Defender Application Control together with Intune to allow only trusted and approved apps to run on your managed devices. Now let’s look at new ways to keep apps on the latest version. -First, with the new auto-update capability using the Enterprise App Catalog, you can have Intune automatically keep apps up-to-date on your managed devices. When you add a new app using the Enterprise App Catalog, as part of the initial configuration in the Updates tab, you can choose between Automatically Update and Update with Supersedence. This is a one-time setting that allows Intune to automatically install updates as they are published. From there, once you confirm, you’ll see that, by design, many of the subsequent settings have been streamlined to just Scope tags, Assignments and Review + Create. -And if you want more control over app updates, our second option, Guided Upgrade Supersedence, automatically surfaces available updates of your deployed apps without you having to go look for new versions of each app manually. You’ll see that, under Apps in the Monitor blade, you’ll find a new report called Enterprise App Catalog apps with updates. By clicking into one of these apps, you’ll see that there is an update button in the upper left corner. This lets you supersede existing app versions for that app on managed devices in just a few clicks. You’ll see that all of the necessary information is pre-populated. And this is the same with the program tab and subsequent tabs in the app deployment workflow, including the supersedence relationship. -Everything you’ve seen today is about simplifying control of your application layer, making apps easier to discover, deploy, trust from day one, and keep automatically up to date, so you can deliver the right apps securely and consistently across your environment. To find out more, check out aka.ms/IntuneAppManagement Keep watching Microsoft Mechanics for the latest tech updates, and thanks for watching!
Best approach for migrating AD joined devices to Entra ID without wiping user profiles?
We’ve seen many organizations struggle with device migration when moving from traditional Active Directory (AD) or hybrid environments to Microsoft Entra ID. The biggest challenge is avoiding user disruption especially when wiping devices causes profile loss, app reconfiguration, and downtime. In large environments, wipe-and-reload becomes difficult to scale and impacts productivity significantly. Curious to know how others are handling this: Are you still using wipe/reimage methods, or are you using alternative approaches that preserve user profiles, applications, and settings? Would love to hear practical experiences from the community.
MacOS platform SSO deployment issues
Hello, We tried to deploy MacOS platform SSO but the devices are having problems with their authentication. The devices are connected through company portal but keep asking for logins and authentication, especially on reboot. Some users are prompted to sign-in to their entra account several times per hour. To Deploy it we used the configuration setting template: Authentication > Extensible Single Sign On (SSO) Settings: Extension Identifier: com.microsoft.CompanyPortalMac.ssoextension Authentication Method: Password Token To User Mapping: Account Name: preferred_username Full Name: name Use Shared Device Keys: Disabled Team Identifier: UBXXXXXX Type: Redirect Has anyone here experienced similar issues or found a fix for these constant re-authentication prompts? Thanks!
Feature Request: Extend Security Copilot inclusion (M365 E5) to M365 A5 Education tenants
Background At Ignite 2025, Microsoft announced that Security Copilot is included for all Microsoft 365 E5 customers, with a phased rollout starting November 18, 2025. This is a significant step forward for security operations. The gap Microsoft 365 A5 for Education is the academic equivalent of E5 — it includes the same core security stack: Microsoft Defender, Entra, Intune, and Purview. However, the Security Copilot inclusion explicitly covers only commercial E5 customers. There is no public roadmap or timeline for extending this benefit to A5 education tenants. Why this matters Education institutions face the same cybersecurity threats as commercial organizations — often with fewer dedicated security resources. The A5 license was positioned as the premium security offering for education. Excluding it from Security Copilot inclusion creates an inequity between commercial and education customers holding functionally equivalent license tiers. Request We would like Microsoft to: Confirm whether Security Copilot inclusion will be extended to M365 A5 Education tenants If yes, provide an indicative timeline If no, clarify the rationale and what alternative paths exist for education customers Are other EDU admins in the same situation? Would appreciate any upvotes or comments to help raise visibility with the product team.Welcome to the Microsoft Security Community!
We have moved! Registering for webinars is now easier than ever—you can add any session directly to your calendar with a single click using the link below. Please visit: https://securitycommunity.microsoft.com/VirtualEvents/ to sign up for future webinars!
A Practical Look at Device Analytics and Risk Signals with Microsoft Intune
As organizations increasingly rely on laptops, mobile devices, and cloud‑connected applications, visibility into device health, configuration, and security posture is critical. Performance degradation, outdated configurations, and elevated device risk can negatively affect productivity and increase exposure to security threats. Microsoft provides an integrated set of services—Microsoft Intune and Microsoft Defender for Endpoint—that support modern device management, evaluate device risk, and help organizations enforce consistent security controls across their environments. This guide explains how these services work together, the role of Microsoft Configuration Manager, and how built‑in analytics and compliance signals can be used to improve device reliability and security. The Role of Microsoft Configuration Manager Microsoft Configuration Manager (formerly System Center Configuration Manager, or SCCM) is an on‑premises management platform used to deploy applications, manage software updates, enforce configuration baselines, and evaluate compliance—primarily for Windows devices. When Configuration Manager is used together with Microsoft Intune through co‑management, organizations can extend their existing on‑premises management with cloud‑based capabilities. In a co‑managed environment: Configuration Manager continues to manage traditional workloads. Microsoft Intune adds cloud‑based device management and compliance evaluation. Management workloads can be moved gradually from Configuration Manager to Intune. This approach enables organizations to support both legacy infrastructure and modern cloud‑first device management strategies during transitions or hybrid deployments. Learn more: Co-management for Windows devices - Configuration Manager | Microsoft Learn How Microsoft Defender for Endpoint Contributes to Device Security Microsoft Defender for Endpoint is a unified endpoint security platform that delivers preventive protection, post‑breach detection, automated investigation, and response. It continuously evaluates device activity and assigns device risk levels based on observed threats and security signals. Core capabilities include: Threat and vulnerability management, which identifies software vulnerabilities and security misconfigurations Attack surface reduction capabilities to limit common attack vectors Endpoint detection and response (EDR) for alerting, investigation, and forensic analysis Automated investigation and remediation to reduce manual response effort Threat intelligence derived from Microsoft’s global security telemetry When Defender for Endpoint is integrated with Microsoft Intune, device risk levels can be used within compliance policies and Conditional Access to restrict access to organizational resources when risk thresholds are exceeded. Learn more: Integrate Microsoft Defender for Endpoint with Intune for Device Compliance - Microsoft Intune | Microsoft Learn What Microsoft Intune Provides Microsoft Intune is a cloud‑based unified endpoint management (UEM) service that enables organizations to manage devices, protect organizational data, and enforce security requirements across Windows, macOS, iOS, iPadOS, and Android devices. Core Intune capabilities include: Cross‑platform device enrollment and lifecycle management Configuration profiles to apply standardized device settings Compliance policies to evaluate whether devices meet security requirements App protection policies that safeguard organizational data within applications, including on personal (BYOD) devices Integration with Microsoft Entra ID Conditional Access for access decisions based on compliance and risk By integrating Intune with Defender for Endpoint and Conditional Access, organizations can adopt a risk‑based access model that takes real‑time device health and security posture into account. Learn more: What is Microsoft Intune - Microsoft Intune | Microsoft Learn Choosing How to Use Intune and Defender for Endpoint Microsoft positions these services as complementary: Microsoft Intune focuses on device and application management, configuration, and compliance. Microsoft Defender for Endpoint focuses on endpoint threat protection, detection, and response. Many organizations deploy both to combine centralized management with advanced security capabilities. Together, they allow device configuration, security monitoring, and access control to operate as a unified system rather than isolated tools. Microsoft Intune Licensing Overview Microsoft Intune Plan 1 is included with several Microsoft subscription offerings. For nonprofits and small organizations, Microsoft 365 Business Premium includes Intune Plan 1 by default. Other plans that include Intune Plan 1 (as of March 2025) include: Microsoft 365 E3 and E5 Enterprise Mobility + Security (EMS) E3 and E5 Microsoft 365 F1 and F3 Microsoft 365 Government G3 and G5 Microsoft Intune for Education Feature availability may vary by license, and organizations should always review the official service descriptions for current inclusions and limitations. Learn more: Licenses available for Microsoft Intune - Microsoft Intune | Microsoft Learn Designing an Effective Device Enrollment Strategy An effective enrollment strategy establishes consistent management and security controls from the start. Microsoft recommends that organizations: Define security and management objectives. Select appropriate enrollment methods such as Windows Autopilot, Microsoft Entra ID join, or manual enrollment. Apply standardized configuration and security policies. Use compliance policies to evaluate device posture. Plan for scalability and long‑term device lifecycle management. Provide end‑user guidance to support adoption. Enrollment is the foundation for applying policy, evaluating compliance, and maintaining ongoing visibility into managed devices. [learn.microsoft.com] Coordinating Intune and Defender During Device Onboarding Microsoft documents a layered onboarding approach that commonly includes: App protection policies Protect organizational data within supported applications, including on unenrolled BYOD devices. Device enrollment in Intune Enables configuration management, compliance assessment, and reporting. Compliance policies Define security requirements such as OS version, encryption, password policies, and update status. Conditional Access Enforces access decisions based on Intune compliance results and Defender for Endpoint device risk levels. Configuration profiles Apply standardized security and operational settings. This approach helps ensure devices meet baseline security requirements before accessing sensitive organizational resources. Using Endpoint Analytics to Improve Device Experience Endpoint Analytics, available in Microsoft Intune, provides insights into device performance, reliability, and user experience. Microsoft positions Endpoint Analytics as an operational analytics tool, not a real‑time threat detection system With Endpoint Analytics, IT teams can: View dashboards showing startup performance, application reliability, and device health Compare devices against established performance baselines to identify underperforming endpoints Use generated scores and insights to prioritize remediation Investigate issues affecting the end‑user experience, such as slow boot times or outdated configurations These insights help organizations shift from reactive troubleshooting toward proactive device optimization. Learn more: Endpoint analytics overview - Microsoft Intune | Microsoft Learn Summary By combining Microsoft Intune, Microsoft Defender for Endpoint, and Endpoint Analytics, organizations can manage devices consistently, evaluate device health and risk, and enforce access controls based on real conditions rather than assumptions. This integrated approach supports modern work by improving visibility, strengthening security posture, and enabling IT teams to make data‑driven decisions that protect users and organizational data.
