What's new in Microsoft Intune

Learn what's new each week in Microsoft Intune.

You can also read:

• Important notices
• Past releases in the What's new archive
• Information about how Intune service updates are released

You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

Week of June 8, 2026 (Service release 2605)

App management

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

• Caju AI by Caju AI
• eYACHO for Biz 7 Intune by MetaMoJi Corporation (iOS)
• eYACHO Viewer 7 Intune by MetaMoJi Corporation (iOS)
• Harvey AI by Harvey AI (Android)
• Notta for Intune by Notta
• SwiftConnect Mobile by SwiftConnect

For more information about protected apps, see Microsoft Intune protected apps.

APP Multiple Managed Accounts

Microsoft Intune mobile application management now supports Multiple Managed Accounts, letting users add and manage more than one managed account within the same app. App protection policies apply separately to each account, so you can tailor protection based on the account's organization or tenant. This capability helps consultants, acquisition teams, or users with multiple mailboxes stay productive without switching devices.

Currently we support Multiple Managed Accounts in Microsoft Teams on iOS/iPadOS (v8.10.0 or later). Support for additional apps and platforms is coming soon.

To learn more, see Multiple managed accounts for app protection policies.

Device configuration

Custom top bar elements on Managed Home Screen

You have the option to display custom text in the top bar of the Managed Home Screen (MHS). In addition to the existing choices (serial number, device name, tenant name), you can now select Custom and enter a free-text string of up to 63 characters. Custom strings support dynamic variables: {{SerialNumber}}, {{DeviceName}}, and {{TenantName}}. This is useful for kiosk scenarios such as checkout devices, departmental tagging, or any case where staff need a quick visual identifier.

Disable MAC address randomization on macOS Wi-Fi profiles

On macOS devices, the Disable MAC address randomization setting is now available for Wi-Fi profiles. Use this setting to disable MAC address randomization on managed macOS devices.

When connecting to a network, devices can present a randomized MAC address instead of the physical MAC address. Using randomized MAC addresses is recommended for privacy, as it's harder to track a device by its MAC address. However, randomized MAC addresses break functionality that relies on a static MAC address, including network access control (NAC).

For more information, see:

• Wi-Fi profile settings for Apple devices
• Add and use Wi-Fi settings on your devices in Microsoft Intune

Managed Home Screen exit lock task mode password now requires a device configuration profile

You can no longer configure the Managed Home Screen exit lock task mode password by using an app configuration policy. To set or update the lock task mode password for Managed Home Screen, create or update a device configuration profile that defines the lock task mode password policy.

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

New Block Bluetooth sharing setting in the Android Enterprise settings catalog

There's a new Block Bluetooth sharing setting in the settings catalog (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Settings catalog for profile type > General). When set to True, the device can't share content over Bluetooth. When set to False, Intune doesn't change or update this setting. By default, the OS has the following behavior:

• Fully managed and dedicated devices allow Bluetooth sharing.
• Corporate-owned devices with a work profile block Bluetooth sharing.

For a list of existing settings you can configure in the settings catalog, see Android Enterprise device settings list in the Intune settings catalog.

Use DDM to manage Apple Intelligence settings on devices running 26.4 and later

With the release of 26.4, Apple deprecated several intelligence-related settings in the MDM restrictions payload. To manage these settings, use the DDM configurations released in March 2026 instead.

In the settings catalog, the following Restrictions are now deprecated:

• Allow Apple Intelligence Report
• Allow Assistant
• Allow Assistant User Generated Content
• Allow Assistant While Locked
• Allow Auto Correction
• Allow Continuous Path Keyboard
• Allow Definition Lookup
• Allow Dictation
• Allowed External Intelligence Workspace IDs
• Allow External Intelligence Integrations
• Allow External Intelligence Integrations Sign In
• Allow Genmoji
• Allow Image Playground
• Allow Image Wand
• Allow Keyboard Shortcuts
• Allow Mail Smart Replies
• Allow Mail Summary
• Allow Notes Transcription
• Allow Notes Transcription Summary
• Allow Personalized Handwriting Results
• Allow Predictive Keyboard
• Allow Safari Summary
• Allow Spell Check
• Allow Visual Intelligence Summary
• Allow Writing Tools
• Force Assistant Profanity Filter
• Force On Device Only Dictation
• Force On Device Only Translation

In the device restrictions template, the following settings are deprecated.

Built-in apps:

• Block Siri
• Block Siri while device is locked
• Block Siri for dictation
• Block Siri for translation
• Require Siri profanity filters
• Block user-generated content in Siri

Keyboard and dictionary:

• Block word definition lookup
• Block predictive keyboards
• Block auto-correction
• Block spell check
• Block keyboard shortcuts
• Block dictation

Silence apps on Managed Home Screen to prevent session PIN bypass

For devices using Managed Home Screen (MHS), you can now silence apps whenever MHS prompts the user for authentication, such as during sign-in or at the session PIN screen. When silenced, apps can't start activities, display notifications, appear in recent apps, or trigger toasts, dialogs, or device ringing. You can configure an allowlist of apps that remain unsilenced during the locked state, ensuring that critical communications like calls aren't interrupted. This feature is opt-in and configurable, allowing your organization to tailor the experience to its operational needs. Once the device is unlocked, all apps automatically return to their normal state.

For more information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.

New Microsoft Edge settings in the Windows settings catalog

There are new Microsoft Edge 148 settings in the Windows settings catalog. To see and configure these settings in Intune, create a Windows settings catalog profile (Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type).

The new policies include:

• Microsoft Edge > Startup, home page and new tab page > Configure whether the Discover or Work feed tabs are shown on the New Tab Page

  This policy configures whether the Discover or Work feed tabs are shown on the New Tab Page. By default, both Work and Discover tabs are enabled. Your options:

  • EnableBothWorkDiscover: If you set this value or don't configure this policy, Microsoft Edge shows both the Work and Discover feed tabs on the new tab page.
  • EnableOnlyWork: Microsoft Edge shows only the Work feed tab on the new tab page.
  • EnableOnlyDiscover: Microsoft Edge shows only the Discover feed tab on the new tab page.

  This policy works with the Set the default New Tab Page feed tab to Work or Discover policy, which controls which feed tab is selected by default when both tabs are available.

  ConfigureNTPFeedTabVisibility

• Microsoft Edge - Default Settings (users can override) > Set the default New Tab Page feed tab to Work or Discover

  This policy sets the default feed tab on the New Tab Page to Work or Discover. Your options:

  • Work: If you set this value or don't configure this policy, Microsoft Edge sets the default feed tab to Work.
  • Discover: Microsoft Edge sets the default feed tab to Discover.

  This policy only takes effect when Configure whether the Discover or Work feed tabs are shown on the New Tab Page is set to EnableBothWorkDiscover or is not configured. If only one tab is visible, this policy has no effect.

  SetNTPDefaultFeedTab

• Microsoft Edge > Identity and sign-in > Allow M365 authentication popups in work profiles

  This policy controls whether Microsoft Edge allows Microsoft 365 authentication pop-ups to bypass the pop-up blocker in work profiles. When users are signed in with a work account, some Microsoft 365 sites, like microsoft.com, cloud.microsoft.com, and visualstudio.com, might open authentication pop-ups to login.microsoftonline.com, login.live.com, or login.microsoft.com. These pop-ups are required to complete sign-in.

  Your options:

  • If you enable this policy or don't configure it, Microsoft 365 authentication pop-ups are allowed in work profiles.
  • If you disable this policy, Microsoft 365 authentication pop-ups follow the default settings like other pop-ups. Users can choose to allow or block them, but they aren't automatically allowed.

  This policy only applies to work profiles. In personal profiles, Microsoft 365 authentication pop-ups are always allowed regardless of this policy's configuration.

  M365AuthPopupsInWorkEnabled

• Microsoft Edge > Automatically open Copilot side pane with contextual insights for links opened from Outlook

  This policy controls whether Microsoft Edge automatically opens the Microsoft Copilot side pane when users open web links from Outlook emails sent from the same tenant. Starting in Microsoft Edge version 148, when users open eligible links from Outlook emails sent from the same tenant, Microsoft Edge automatically opens the Copilot side pane with contextual insights. Copilot can use the originating Outlook email as context to surface relevant insights and suggested next steps alongside the web content.

  Your options:

  • If you enable this policy or don't configure it, the Copilot side pane opens automatically when users open links from Outlook emails sent from the same tenant.
  • If you disable this policy, the Copilot side pane doesn't open automatically when users open links from Outlook emails sent from the same tenant.

  This feature applies only to links opened from Outlook emails sent from the same tenant and requires Microsoft Copilot to be available for the user in Microsoft Edge. This feature is disabled if the Control Copilot access to page context for Microsoft Entra ID profiles policy or the Control Copilot access to Microsoft Edge page content for Entra account user profiles when using Copilot in the Microsoft Edge sidepane policy is disabled, regardless of this policy's configuration. Copilot requires access to page content to provide contextual insights.

  M365LinksAutoOpenCopilotEnabled

• Microsoft Edge > Enable the extended lifetime option for SharedWorkers

  Controls whether Microsoft Edge keeps a SharedWorker running briefly after all tabs using it are closed, allowing background tasks to finish.

  Your options:

  • If you enable or don't configure this policy, SharedWorkers can use the extended lifetime option.
  • If you disable this policy, the extended lifetime option is ignored, even if it is requested by the page.

  This policy is temporary and will be removed in a future release.

  SharedWorkerExtendedLifetimeEnabled

• Microsoft Edge > List of URL patterns for which developer tools are allowed to be opened

  This policy controls where developer tools can be used in Microsoft Edge by specifying an allowlist of URL patterns. URL patterns are matched against the URL of every frame on the page being inspected.

  Your options:

  • If you configure this policy and don't configure the List of URL patterns for which developer tools are blocked policy, developer tools are available only when every frame on the page matches a pattern in this allowlist. If any frame doesn't match, developer tools are blocked for the entire page. For information on the URL format, see Filter formats for URL list-based policies.
  • If you configure both this policy and the List of URL patterns for which developer tools are blocked policy, this allowlist takes precedence. URLs that match this allowlist are allowed even if they also match the blocklist. URLs that match the blocklist but not this allowlist are blocked. URLs that match neither are governed by the Control where developer tools can be used policy.
  • If you disable or don't configure this policy, developer tools availability is determined by the List of URL patterns for which developer tools are blocked and Control where developer tools can be used policies.

  This policy applies to developer tools opened for websites, extensions, and web applications. It supports up to 1,000 entries. Example value:

  contoso.com
  https://ssl.server.com
  contoso.com/good_path
  https://server.contoso.com:8080/path
  .exact.hostname.com
  file://*
  

  DeveloperToolsAvailabilityAllowlist

• Microsoft Edge > List of URL patterns for which developer tools are blocked

  This policy specifies URL patterns where developer tools are blocked. For information on the URL format, see Filter formats for URL list-based policies. URL patterns are evaluated against the URL of every frame on the page being inspected. If any frame matches a pattern in this policy, developer tools are blocked for the entire page.

  Your options:

  • If you configure this policy and don't configure the List of URL patterns for which developer tools are allowed to be opened policy, developer tools are blocked when any frame matches a pattern in this policy. If no frames match, availability is determined by the Control where developer tools can be used policy.
  • If you configure both this policy and the List of URL patterns for which developer tools are allowed to be opened policy, the allowlist takes precedence. URLs that match the allowlist are allowed, even if they also match this policy. URLs that match this policy (but not the allowlist) are blocked. If a URL matches neither, the Control where developer tools can be used policy determines availability.
  • If you disable or don't configure this policy, developer tools availability is determined by the List of URL patterns for which developer tools are allowed to be opened and Control where developer tools can be used policies.

  This policy supports up to 1,000 entries. Example value:

  https://contoso.com
  contoso.com
  https://ssl.server.com
  contoso.com/bad_path
  https://server.contoso.com:8080/path
  .exact.hostname.com
  *
  file://*
  

  DeveloperToolsAvailabilityBlocklist

• Microsoft Edge > Maximum number of concurrent connections to the proxy server for WebSocket requests

  Specifies the maximum number of simultaneous connections to a proxy server for WebSocket requests. To configure limits for non-WebSocket requests, see the MaxConnectionsPerProxy policy.

  If you don't configure this policy, the default value of 32 is used. Some web applications maintain multiple concurrent connections, like long-lived or hanging requests. Setting a value lower than the default may cause networking delays when many such applications are open. Some proxy servers can't handle a high number of concurrent connections per client. In these cases, reducing the value of this policy might improve reliability. The supported range is 6 to 256:

  • Values less than 6 are treated as 6.
  • Values greater than 256 are treated as 256.

  Modify this value only if required by your proxy server configuration or network environment.

  MaxConnectionsPerProxyForWebSocket

• Microsoft Edge > Controls the availability of browsing with Copilot in Microsoft Edge

  When browsing with Copilot is enabled, users can explicitly invoke it for a query. It isn't invoked automatically. Browsing with Copilot is available only on domains specified in the Browsing with Copilot Allowed URLs policy and is blocked on domains specified in the Browsing with Copilot Blocked URLs policy. If no domains are configured in the allow list, browsing with Copilot is effectively disabled.

  This feature is available only to users with an active Microsoft 365 Copilot subscription. For more information about configuring browsing with Copilot, see Configure browsing with Copilot.

  Your options:

  • If you enable this policy, browsing with Copilot is turned on for all users who receive the policy, and users can't turn it off.
  • If you disable this policy, browsing with Copilot is turned off for all users who receive the policy, and users can't turn it on.
  • If you don't configure this policy, browsing with Copilot is off by default, and users can turn it on.

  AllowBrowsingWithCopilot policy

• Microsoft Edge > Browsing with Copilot Allowed URLs

  Allows you to define a list of URLs where browsing with Copilot is available. Users can't modify this list.

  Your options:

  • If you enable this policy, browsing with Copilot is available only on the sites specified in the list. To allow a broader set of sites while blocking specific exceptions, configure this policy together with the Browsing with Copilot Blocked URLs policy. For example, you can include * to allow all sites, and then use the block list to restrict access to specific URLs. You can define exceptions based on schemes, subdomains, ports, or origins. When multiple filters apply, the most specific match determines whether a URL is allowed or blocked. The block list takes precedence over the allow list.
  • If you disable or don't configure this policy, browsing with Copilot is unavailable on all sites, even if the Controls the availability of browsing with Copilot in Microsoft Edge policy is enabled.

  Browsing with Copilot supports only HTTP and HTTPS protocols. Wildcards (*) are supported, and subdomains are matched even without wildcards. This policy applies only to the site origin; any path specified in the URL pattern is ignored. For guidance on formatting URL patterns, see Filter formats for URL list-based policies. Example value:

  https://www.contoso.com
  [*.]contoso.edu
  contoso.net
  login.contoso.us
  

  BrowsingWithCopilotAllowList

• Microsoft Edge > Browsing with Copilot Blocked URLs

  Controls the list of URLs where browsing with Copilot is blocked. Users can't modify this list. Use this policy to define exceptions to broader allowlists. For example, you can set Browsing with Copilot Allowed URLs to * to allow all sites, and then use this policy to block access to specific URLs. This policy supports blocking by scheme, subdomain, or port. When multiple URL patterns apply, the most specific match determines whether access is allowed or blocked. Blocklist entries take precedence over allowlist entries.

  If you don't configure this policy, no exceptions are applied to Browsing with Copilot Allowed URLs. Browsing with Copilot supports only HTTP and HTTPS protocols. Wildcards (*) are supported, and subdomains are matched even without wildcards. URL matching is based on the site origin only; any path specified in the pattern is ignored. For information about URL pattern format, see Filter formats for URL list-based policies. Example value:

  https://www.contoso.com
  [*.]contoso.edu
  contoso.net
  login.contoso.us
  

  BrowsingWithCopilotBlockList

• Microsoft Edge > Enable the Copilot new tab page

  This policy configures the availability of the Copilot new tab page in Microsoft Edge for Business. The Copilot new tab page combines search and chat into a single input box and includes personalized cards that provide quick access to relevant files, calendar events, and suggested Copilot prompts. Users who don't have a Microsoft 365 Copilot license might experience limited relevance in Copilot prompt card content.

  Most policies that customize the New Tab Page are supported on the Copilot new tab page. For a complete list of supported and unsupported policies, see Configure the Copilot new tab page. This policy applies only to Microsoft Entra ID profiles and controls the Copilot new tab page experience in Microsoft Edge for Business. This policy doesn't apply to the Copilot new tab page on personal Microsoft account profiles.

  Your options:

  • If you enable this policy, the Copilot new tab page is turned on.
  • If you disable or don't configure this policy, the Copilot new tab page is turned off. When the policy isn't configured, users can turn it on via user settings.

  CopilotNewTabPageEnabled

• Microsoft Edge > Manageability > Allow MAM enrollment when managed device has Purview DLP policy configured

  Controls whether Microsoft Edge allows Mobile Application Management (MAM) enrollment on managed devices when Microsoft Purview Data Loss Prevention (DLP) is configured.

  Your options:

  • If you enable this policy, MAM enrollment is allowed even when Purview DLP is detected on the device.
  • If you disable or don't configure this policy, MAM enrollment is blocked when Purview DLP is detected on the device.

  MAMWithDeviceDLPEnabled

To learn more about the settings catalog, see Use the Intune settings catalog to configure settings.

New Wired Networks device configuration profile for iOS/iPadOS

There's a new 802.1x Wired Networks device configuration profile for iOS/iPadOS devices. The feature supports 802.1x Ethernet access controls, which is ideal for M-series iPads that support native resolution screen extension. It allows iPads to securely connect to hot desk docks and monitors using wired access.

This profile:

• Supports EAP protocols, like TLS, PEAP, and TTLS
• Is similar to the macOS wired network profile experience

This feature helps with secure enterprise deployments for iPads in education, finance, and other regulated industries.

To learn more about wired networks, see Add and use wired networks settings on your devices.

Device management

Detect and block Shadow AI using the properties catalog, device query, and a security baseline (public preview)

Using Intune, you can detect and block a Local AI Agent, like OpenClaw, on Windows devices enrolled in Intune. Specifically, you can:

• Use a Properties catalog policy to collect the Local AI Agent entity. Admins can use this information to identify devices where OpenClaw is present or active.
• Use Device Query to view devices with a Local AI Agent, like OpenClaw.
• Use the Local AI Agent Baseline - OpenClaw (Preview) to block users from using OpenClaw.

This feature is in public preview.

Device security

In-place renewal of Cloud PKI issuing certification authorities (CAs)

Microsoft Intune now supports in-place renewal of eligible Cloud PKI issuing certification authorities (CAs). Previously, renewing an issuing CA required creating a new CA and manually updating dependent SCEP certificate profiles, which increased operational overhead and configuration risk. With in-place renewal, certificate issuance continues uninterrupted for scenarios such as Wi-Fi, VPN, and email, without changes to existing SCEP profiles or device assignments.

For more information, see Renew a certification authority in Cloud PKI.

Strict Tunnel Mode for Microsoft Tunnel on Android

Microsoft Tunnel now supports Strict Tunnel Mode on Android Enterprise devices. When Strict Tunnel Mode is enabled, all network traffic is forced through the VPN tunnel. If the VPN connection is unavailable or drops, all network traffic on the device is blocked until the VPN reconnects, preventing apps from accessing the public internet outside of the tunnel.

Strict Tunnel Mode is available when a Microsoft Tunnel VPN profile is configured with Always-on VPN. Admins can configure an app exclusion list to allow specific apps to bypass the tunnel and connect directly to the network, regardless of VPN connection status.

Strict Tunnel Mode requires devices enrolled through Android Management API (AM API). For unenrolled devices using Microsoft Tunnel for Mobile Application Management (MAM), Strict Tunnel Mode is available through the Microsoft Edge app configuration policy.

For more information about Microsoft Tunnel capabilities, see Overview of Microsoft Tunnel.

Grant enhanced security permissions to a Mobile Threat Defense app on Android

A new Mobile Threat Defense role category is available on the Mobile Threat Defense connector configuration page in the Microsoft Intune admin center. The Grant MTD role permissions to <MTD partner name> on enrolled Android COBO and COPE devices toggle lets you grant enhanced security permissions to one Mobile Threat Defense partner app, such as Microsoft Defender for Endpoint or a supported third-party partner, on enrolled Android Enterprise corporate-owned fully managed (COBO) and Android Enterprise corporate-owned work profile (COPE) devices.

When you turn on this toggle, the selected MTD app receives the following exemptions on targeted devices:

• Suspension — The app is prevented from being suspended.
• Hibernation — The app is prevented from entering hibernation.
• Power restrictions — The app is exempt from power-related restrictions such as app standby, and can start foreground services from the background.
• User controls — Users can't clear app data or force-stop the app.

These exemptions help the MTD app maintain continuous threat protection without interruption from system or user actions. Only one MTD partner can hold these permissions per tenant.

For Microsoft Defender for Endpoint, a second toggle is also available: Automatically launch Microsoft Defender for Endpoint during setup on Android COBO and COPE devices. When enabled, the Defender for Endpoint app automatically launches during device setup, allowing it to complete its initial configuration without requiring the user to manually open it.

For more information, see Mobile Threat Defense role.

Vulnerability Remediation Agent now uses Microsoft Entra agentic identity (public preview)

This feature is rolling out to tenants gradually and may take several weeks to become available in your environment.

The Vulnerability Remediation Agent is now available to all customers in public preview. Previously, the agent was available only to a select group of customers in a limited preview.

The Vulnerability Remediation Agent now uses Microsoft Entra agentic identity instead of a human user identity. When you set up a new agent instance, the setup process automatically provisions an agentic identity in your tenant's Entra directory. The agent runs under the permissions delegated to this agentic user, providing a more secure and scalable identity model.

What this means for existing agents: If you already have a Vulnerability Remediation Agent instance that uses a human user identity, your agent continues to work as-is for now. Human user identity support expires 90 days after this release, after which you must transition to an agentic identity. A banner on the agent page notifies you when agentic identity is available for your agent. For transition steps and details, see Transition existing agents to agentic identity.

What's new for agentic identity:

• New agent instances are provisioned with an agentic identity during setup.
• After setup, you must delegate the required permissions to the agentic user in the Microsoft Entra and Microsoft Defender admin centers.
• Use the Run Readiness Check button to verify that all required permissions are in place before running the agent.

For more information, see Agent identity.

Week of June 1, 2026

Device management

Remote Help for Windows updated with performance improvements

The latest version of Remote Help for Windows (version 5.2.1037.0) includes general bug fixes and performance improvements to enhance reliability.

Week of May 26, 2026

Role-based access control

Intune RBAC roles have access to Copilot in Intune

When Microsoft Intune is enabled as a data source in Security Copilot, by default:

• The Microsoft Entra ID Intune Administrator role automatically inherits Security Copilot owner access to Copilot in Intune.
• All the other built-in and custom Intune role-based access (RBAC) roles automatically inherit Security Copilot contributor access to Copilot in Intune.

Intune admins can use Security Copilot capabilities in Intune without requiring more role assignments.

Previously, access to Copilot in Intune required a separate role assignment in Security Copilot or a Microsoft Entra ID role, like the Intune Administrator role.

This update reduces access friction and simplifies Copilot onboarding for organizations.

To learn more, see:

• Microsoft Copilot in Intune
• Roles and authentication in Microsoft Security Copilot

Week of May 18, 2026

Device security

Guidance for device-reported values in compliance reports

We updated documentation to clarify how to interpret device-reported values in compliance reports. Some compliance reports include a Setting column with values reported directly by the device, providing additional context for noncompliance in scenarios such as custom compliance and Android app configuration reporting. This update adds guidance on treating these values as informational only and highlights security considerations for reviewing device-reported data. For more information, see Device-reported values in compliance reports.

Week of May 11, 2026

Device enrollment

Complete Platform SSO registration during macOS Automated Device Enrollment

On macOS devices enrolled with Automated Device Enrollment (ADE), you can run Platform SSO during device registration. Before you enroll, you:

1. Create an Intune settings catalog policy and configure the Enable Registration During Setup setting.
2. Deploy the Company Portal (5.2604.0 and newer) as a line-of-business app.
3. Configure the Automated Device Enrollment policy to use Setup Assistant with modern authentication and enable await final configuration.

When this feature is enabled, users have access to Microsoft Entra ID resources immediately when they arrive at desktop.

To learn more, see Configure Platform Single Sign-On (PSSO) during Automated Device Enrollment for macOS devices.

Week of May 4, 2026

Monitor and troubleshoot

Enhanced app inventory with faster data updates

Intune enhanced app inventory brings faster, more detailed visibility into the apps in your environment to support identification of outdated or risky software. Improved data freshness and richer app metadata provide clearer insight into installed applications, while new controls let you specify which devices are included in inventory collection.

This feature is initially available for Windows, with additional platforms to follow.

Week of April 27, 2026 (Service release 2604)

Advanced capabilities

Expanded support for Endpoint Privilege Management support approved elevation requests

Intune's Endpoint Privilege Management (EPM) now supports support approved elevation requests from all users of a device. This update expands the utility of support approved file elevations and helps to improve scenarios that involve shared devices.

Previously, file elevation requests that require support approval were supported from only a device's primary user or the user who enrolled the device.

For more information about this type of elevation request, see Support approved file elevations for Endpoint Privilege Management.

Device configuration

Configure credential manager permissions for Android Enterprise devices

You can now control which applications act as system-level credential providers on managed Android Enterprise devices running Android 14 and higher. Credential providers are responsible for password autofill and passkey storage.

To configure credential manager permissions, go to Apps > Android > Configuration > Managed Devices and choose Android Enterprise as the platform type.

By default, Android blocks third-party credential providers on managed devices. This configuration setting lets you:

• Allow specific apps (such as Microsoft Authenticator or a third-party password manager) to act as credential providers
• Enable passkey-based sign-in across managed Android Enterprise devices
• Maintain control over which credential sources are trusted on corporate devices

A known limitation is that Google Password Manager can't act as a credential provider on corporate-owned work profile or personally owned work profile devices. It is blocked on the end user's device. Use a different credential app as a workaround.

For more information, see Add app configuration policies for managed Android Enterprise devices.

Block location setting for Android Enterprise can keep Location services enabled

On Android Enterprise devices, you can use the General > Block location in the settings catalog to disable the location services on the device and prevent users from turning it on.

This setting is now called Location and has three options you can configure:

• Device default - Intune doesn't change or update this setting. By default, the OS allows end users to turn location services on or off.
• Location enabled - Requires location services to be on and prevents end users from turning them off.
• Location disabled - Requires location services to be off and prevents end users from turning them on.

For a list of all the settings you can configure, see Android Intune settings catalog settings list.

Device enrollment

Access management for Apple services

You can now use Apple access management settings in Apple Business Manager and Apple School Manager to configure service access for Apple accounts on organization-owned devices. These controls let you choose what devices users can sign in to and which apps and services are available to them. For more information, see Configure service access for Apple accounts.

Microsoft Intune supports userless ADE for visionOS and tvOS devices

Microsoft Intune has added support for userless Apple automated device enrollment (ADE) for visionOS and tvOS devices, enabling you to enroll and manage Apple Vision Pro and Apple TV through Apple Business Manager or Apple School Manager. This capability supports ADE without user affinity and includes custom configuration uploads for settings, default enrollment restrictions, and device actions. The feature is available with Microsoft Intune Plan 2 as part of the Microsoft 365 Suite.

Enrolled visionOS and tvOS devices appear alongside iOS and iPadOS devices in the Intune admin center within Apple mobile and can be filtered. Support requires tvOS 26 and later or visionOS 26 and later. We recommend that you keep these devices up to date to receive the latest security fixes.

For more information, see:

• Overview of Apple ADE for Apple mobile
• Use the Intune settings catalog to configure settings
• Device actions

Device management

Support for Ubuntu 26.04 LTS

Microsoft Intune now supports Ubuntu 26.04 LTS. Support for Ubuntu 22.04 LTS ends in August 2026. Devices already enrolled on Ubuntu 22.04 remain enrolled, but you should notify users to upgrade to a supported Ubuntu version. You can identify devices running Ubuntu 22.04 in the Intune admin center by going to Devices > All devices, filtering by Linux, and adding the OS version column. For more information, see Enroll Linux desktop devices in Microsoft Intune.

Preview the new device page in the Intune admin center (public preview)

In the Intune admin center, when you go to Devices > All Devices and select a device, you can see device-specific info, like device properties.

This page is redesigned and is available for you to preview. To enable the new experience:

1. In the Intune admin center, go to Devices > All Devices.
2. Move the Preview new device view toggle to On.

The new experience is only available when you go to Devices > All Devices and select a device. If you open a device page from a different part of the Intune admin center, like from a report, the original page view is shown, even with the toggle enabled.

When turned on, you see the new full page layout that gives you a single view of the device. Use this view to:

• Track device activity
• Access tools and reports
• Manage device information

The single device page has the following tabs:

• Device action status: Shows requested, in‑progress, and recently completed device actions. You can search, sort, and filter this list. You can quickly see what actions are running or have completed without leaving the device view.
• Tools and reports: This tab was previously called Overview. It shows monitoring reports, like compliance and device configuration status, tools, like remediations. These features were previously accessed in other parts of the Intune admin center.
• Properties: Contains admin‑modifiable device properties with visible scope tags and a dedicated editing view.
• Device details: This tab was previously called Hardware. It provides physical device information and key Intune and Microsoft Entra management details.

Other features:

• Device actions are grouped, ordered, and labeled consistently across platforms and device types, and only shows relevant and permitted actions. Destructive actions are separated and require confirmation, reducing unintentional actions.

• The updated layout uses a standard structure across device types and platforms, while adapting to platform‑specific capabilities.

• Improved labeling, hierarchy, and formatting make device information easier to scan and understand. The Essentials section elevates important device information and is accessible from any tab.

All existing device management capabilities remain available. This update focuses on making them easier to find and use.

New remote actions to suspend and restore Managed Home Screen on Android devices

Intune has two new remote actions that allow admins to temporarily suspend and restore Managed Home Screen (MHS) on Android devices. These actions let users exit MHS and access the device's default launcher for a defined period, without removing policies or requiring a PIN.

When the specified duration expires, or when the restore managed home screen action is triggered, MHS automatically re-locks the device into the kiosk experience. This helps maintain security while reducing disruption during troubleshooting or short-term use outside of MHS.

To learn more, see:

• Suspend Managed Home Screen
• Restore Managed Home Screen

Updated minimum version for Intune Management Extension on Windows

Windows devices managed by Intune need to run Intune Management Extension version 1.58.103.0 or later. Devices on earlier versions no longer receive configurations or updates that depend on the Intune Management Extension, including Win32 app deployments, PowerShell scripts, remediations, and platform scripts.

The Intune Management Extension updates automatically, so most managed devices should already have a compatible version. Verify that your devices can sync with Intune to receive updates.

Device security

Autopatch update risk visibility report

The Autopatch update risk visibility report extends the security update status dashboard with granular insight into patch compliance and risk across your managed devices. It classifies devices as Current, Exposed, or Critical and highlights policies contributing to risk, so you can identify and remediate issues faster.

For more information, see Protect your estate: Reassess your Windows update policies.

Updated security baseline for Microsoft Edge v139

Microsoft Edge version 139 security baseline is now available in Microsoft Intune. This baseline reflects current Microsoft security recommendations for the Microsoft Edge browser and is the latest available Edge security baseline in Intune.

The Edge v139 security baseline includes new settings, updated default values, and retired settings.

Existing security baseline profiles don't automatically update to the new version. To use this baseline, Intune admins can create a new baseline profile or update an existing profile to the latest version.

We recommend carefully reviewing the settings in the new baseline before moving from a previous baseline version, especially if existing profiles include customizations.

For a detailed breakdown of setting changes, see the blog post Security baseline for Microsoft Edge version 139.

To view the default configuration of settings in the updated baseline, see Microsoft Edge security baseline settings reference.

Intune apps

Direct Android line-of-business app management

You can now manage Android line-of-business (LOB) apps directly in Microsoft Intune without publishing them to Managed Google Play on Android Enterprise corporate-owned fully managed (COBO) and dedicated (COSU) devices.

With direct LOB app management, admins can upload APK files directly to Intune and deploy required apps to supported Android Enterprise enrollment types using a native Intune workflow.

Direct LOB app management enables you to:

• Deploy in-house LOB APKs to fully managed and dedicated devices without publishing them to Managed Google Play
• Manage the app lifecycle directly from Intune
• Create app configuration policies for directly deployed LOB apps, giving you the same configuration flexibility you have for Managed Google Play apps

For more information, see Add an Android line-of-business app to Microsoft Intune.

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

• Harvey AI by Harvey AI Corporation (iOS)
• Continia Expense App by Continia Software A/S

For more information about protected apps, see Microsoft Intune protected apps.

Tenant administration

Change Review Agent suggestions available inline in Multi Admin Approval (public preview)

The Change Review Agent now provides risk-based recommendations directly in the Multi Admin Approval experience for Windows PowerShell scripts. On the My requests and All requests tabs, a new Agent Response column displays when a suggestion is available. You can then select the suggestion to open and complete the Change Review Agent's approval workflow for that request without leaving the Multi Admin Approval node.

Change Review Agent suggestions continue to be available in the agent's primary experience as well.

For more information, see Change Review Agent suggestions in Multi Admin Approval.

Week of April 20, 2026

Device security

New reporting considerations for compliance policies

New guidance has been added to the Microsoft Intune compliance policy reporting documentation to help explain how device compliance results appear in Intune reports. This update clarifies expected reporting behavior related to device check-in timing and user association, helping you better interpret compliance policy reports. For more information, see Known reporting behaviors.

Monitor and troubleshoot

Intune Data Warehouse (beta) connector retirement in Power BI

The Intune Data Warehouse (beta) connector v1 in Power BI is retired. If you use Power BI reports that rely on this connector, you need to transition to Intune connector v2 or the OData Feed connector before the transition completes. Power BI reports created after November 2025 already use connector v2, while reports created before that date may still use the beta connector and need updating. This change improves the long-term reliability and supportability of Intune data access.

Customer impact: This change does not introduce new user interface experiences. Customers who still rely on the Intune Data Warehouse (beta) connector in Power BI may be affected if they have not transitioned to supported alternatives. Customers already using supported and documented data access options do not experience disruption.

Required customer action: Review the published guidance and transition away from the Intune Data Warehouse (beta) connector in Power BI before the transition completes. Customers who do not take action lose access to data through the beta connector after it is retired.

Timing and rollout: Customer communications begin in late April 2026. The transition occurs gradually over two weeks starting April 20, 2026.

For more information, see Use the Microsoft Intune Data Warehouse.

Week of April 6, 2026

Device enrollment

Support for Android XR devices

Microsoft Intune now supports management of Android XR devices using Android Enterprise dedicated and fully managed enrollment modes. You can enroll Android XR devices, deploy apps through managed Google Play, and apply core security and compliance policies. Android XR devices appear and are managed alongside other Android devices in the Intune admin center. For more information about supported scenarios and current limitations, see Microsoft Intune announces Android Enterprise management support for Android XR.

Tenant administration

New TeamViewer connector experience in Microsoft Intune

There is a new TeamViewer integration in Microsoft Intune that simplifies onboarding and improves reliability for remote assistance workflows. The new connector replaces the existing TeamViewer connector experience and provides a more streamlined experience in the Intune admin center. If you're using the previous TeamViewer connector, you must migrate to the new connector within 12 months to maintain functionality. For more information about the new connector, see Use the TeamViewer integration in Microsoft Intune.

Week of March 30, 2026 (Service release 2603)

App management

Declarative Device Management for Apple line-of-business apps on iOS/iPadOS

Microsoft Intune now supports Apple Declarative Device Management (DDM) for required line-of-business apps on devices running iOS/iPadOS 18 and later. By changing the management type to DDM in App information, you can deploy and configure apps using Apple's policy-based model, which improves delivery efficiency, provides real-time app status, and expands per-app options such as associated domains.

Device configuration

Recovery lock features available for macOS devices

On macOS devices, you can configure a recovery OS password that prevents users from booting company-owned devices into recovery mode, reinstalling macOS, and bypassing remote management. Admins can also rotate this password.

There are two ways to use this feature:

• Settings catalog policy - In a settings catalog policy, you can use the Recovery Lock settings to:

  • Turn on the recovery lock feature
  • Configure a password rotation schedule

• Remote device action - Use the Recovery Lock device action to manually rotate the recovery lock password for a specific device.

The Recovery Lock password can be viewed in the per-setting status report > Passwords and keys. To view the Recovery Lock password, the signed-in administrator needs the Remote tasks/View macOS recovery lock password permission.

New supported OEMConfig app for Android Enterprise

The following OEMConfig app is available in Intune for Android Enterprise:

• Inventus | com.inventus.oemconfig.gen

For more information about OEMConfig, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

New settings in the Windows settings catalog

There are new settings in the Windows settings catalog. To see and configure these settings in Intune, create a Windows settings catalog profile (Devices > Configuration profiles > Create profile > Windows 10 and later > Settings catalog).

The new policies include:

• Connectivity > Disable Cross Device Resume: This feature lets Windows suggest continuing an activity users start on a device, like a phone, to a PC. IT admins can use this policy to turn off this feature and prevent users from continuing tasks, like browsing files or continuing to use supported apps that require linking between a phone and PC.

  When set to CrossDeviceResume is Disabled, the Windows device doesn't receive any CrossDeviceResume notification. Users won't see any "resume from your phone" prompts. When you select CrossDeviceResume is Enabled, the Windows device does receive notification to resume activity from linked devices. If you don't configure this policy setting, the default behavior is that the CrossDeviceResume feature is turned on, which means users see the notification. Changes to this policy take effect on reboot.

  This policy:

  • Is available to Windows Insiders.
  • Uses the DisableCrossDeviceResume CSP.

• Windows AI > Remove Microsoft Copilot App: This policy setting allows you to uninstall the Microsoft Copilot app from devices. It applies to devices and users that meet the following conditions:

  • The Microsoft 365 Copilot and Microsoft Copilot apps are both installed.
  • The Microsoft Copilot app was not installed by the user.
  • The Microsoft Copilot app was not opened in the last 14 days.

  If this policy is enabled, the Microsoft Copilot app is uninstalled. Users can still re-install if they choose to.

  RemoveMicrosoftCopilotApp CSP

To learn more about the settings catalog, see Use the Intune settings catalog to configure settings.

New updates to the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

Declarative Device Management (DDM) > External Intelligence Settings:

• Allow Sign In
• Allowed Workspace IDs

Declarative Device Management (DDM) > Intelligence Settings:

• Allow Apple Intelligence Report
• Allow Genmoji
• Allow Image Playground
• Allow Image Wand
• Allow Personalized Handwriting Results
• Allow Visual Intelligence Summary
• Allow Writing Tools
• Mail > Allow Smart Replies
• Mail > Allow Summary
• Notes > Allow Transcription
• Notes > Allow Transcription Summary
• Safari > Allow Summary
• Force On Device Only Dictation
• Force On Device Only Translation

Declarative Device Management (DDM) > Keyboard Settings:

• Allow Definition Lookup
• Allow Auto Correction
• Allow Dictation
• Allow Predictive Text
• Allow Slide To Type
• Allow Spell Check
• Allow Text Replacement
• Allow Math Keyboard Suggestions

Declarative Device Management (DDM) > Siri Settings:

• Allow User Generated Content
• Allow While Locked
• Force Profanity Filter

macOS

Declarative Device Management (DDM) > External Intelligence Settings:

• Allow Sign In
• Allowed Workspace IDs

Declarative Device Management (DDM) > Intelligence Settings:

• Allow Apple Intelligence Report
• Allow Genmoji
• Allow Image Playground
• Allow Writing Tools
• Mail > Allow Smart Replies
• Mail > Allow Summary
• Notes > Allow Transcription
• Notes > Allow Transcription Summary
• Safari > Allow Summary
• Force On Device Only Dictation

Declarative Device Management (DDM) > Keyboard Settings:

• Allow Definition Lookup
• Allow Dictation
• Allow Math Keyboard Suggestions

Declarative Device Management (DDM) > Siri Settings:

• Force Profanity Filter

System Configuration > File Provider:

• Management Allows Remote Syncing
• Management Remote Syncing Allow List
• Management Allows External Volume Syncing
• Management External Volume Syncing Allow List
• Management Domain Auto Enablement List

Restrictions:

• Allow Rosetta Usage Awareness

Device management

Remote Help connectivity update for Windows devices

We've improved connectivity when using the Launch Remote Help capability in the Intune admin center for Windows devices. For the best experience, we recommend updating firewall rules to include this new endpoint:

• *.trouter.communications.svc.cloud.microsoft

For the current list of required network endpoints, see Network requirements for PowerShell scripts and Win32 apps and Remote Help in the Intune endpoints documentation.

With this endpoint addition, we've also added a new Intune Management Extension log, NotificationInfra.log, which tracks notifications sent through the Microsoft real-time communication channel.

Support for Red Hat Enterprise Linux 9 and later

Microsoft Intune supports Red Hat Enterprise Linux (RHEL) 9 LTS and RHEL 10 LTS. Support for RHEL 8 LTS will end in July 2026. Devices already enrolled on RHEL 8 will remain enrolled. You can identify devices running RHEL 8 in the Intune admin center by going to Devices > All devices, filtering OS by Linux, and adding OS version columns. Notify users to upgrade their devices to a supported RHEL version. For more information about enrolling Linux devices, see Enrollment guide: Enroll Linux desktop devices in Microsoft Intune.

Microsoft Intune app for Linux now supports the Microsoft Identity Broker

The Microsoft Intune app for Linux now uses the Microsoft Identity Broker on supported Ubuntu and Red Hat Enterprise Linux (RHEL) distributions. Broker version 2.0.2 and later introduces a major architectural change from the previous Java-based broker. This update enables new single sign-on (SSO) experiences using phish-resistant MFA, smart card authentication, and certificate-based authentication with Microsoft Entra ID. For more information, see Enabling Phish-Resistant MFA (PRMFA) on Linux devices.

Device security

Intune security baseline for Windows 11, version 25H2

The Windows security baseline for Windows 11, version 25H2 is now available in Microsoft Intune. This baseline reflects current Microsoft security recommendations for supported Windows devices and is the latest available Windows security baseline in Intune.

The Windows 11, version 25H2 security baseline includes new settings, updated default values, retired settings, and revised security guidance. Existing security baseline profiles don't automatically update to the new version.

To use the Windows 11, version 25H2 security baseline, Intune admins can create a new baseline profile or update an existing profile to the latest version.

The following two settings aren't included in this baseline release and will be added in a future baseline update. Each change will be communicated to customers when available:

• Disable Internet Explorer 11 launch via COM automation – This setting isn't included at release due to a known issue. The Windows client team is addressing the issue, and the setting will be added in a future baseline update.
• Configure NetBIOS settings – This setting is pending availability in the Settings Catalog and will be added to the baseline in a future update.

We recommend carefully reviewing the settings in the new baseline before moving from a previous baseline version, especially if existing profiles include customizations.

For a detailed breakdown of setting changes, see the Windows blog post Windows 11, version 25H2 security baseline.

To view the default configuration of the Intune baseline for Windows 11, version 25H2, see Windows MDM baseline settings.

Hotpatching default enablement in Windows Autopatch

Starting with the May 2026 Windows security update, hotpatch updates are enabled by default for all eligible devices managed through Windows Autopatch. Hotpatch updates install faster and require fewer restarts, helping devices get secure sooner.

If your organization isn't ready for this change, you can opt out using either of the following options:

• Tenant-level setting: Opt out of hotpatch updates across all eligible devices in your tenant. This option becomes available April 1, 2026 in the Intune admin center.
• Quality update policy: Control hotpatch behavior for a specific group of devices. Hotpatch settings configured in a quality update policy override the tenant-level setting for devices assigned to that policy.

Key dates:

• April 1, 2026: Tenant-level opt-out setting available in the Intune admin center.
• May 2026 security update: Hotpatch updates enabled by default.

For more information, see the Windows IT Pro Blog (https://aka.ms/HotpatchByDefault).

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

• PerfectServe Clinical Collab by PerfectServe
• Synigo Pulse by Synigo B.V.
• DeepL for Intune by DeepL SE
• Foxit PDF Editor by Foxit Software Inc.
• EasyPlant QC Inspections by Technip Energies (Android)

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshooting

Support Assistant access expanded to all authenticated users

All authenticated users can now access Support Assistant in the Intune admin center to find solutions and troubleshooting guidance. Creating and managing support tickets still requires a Microsoft Entra role that includes the microsoft.office365.supportTickets permission. For more information, see How to get support in the Microsoft Intune admin center.

Support for system proxy settings in endpoint analytics and Advanced Analytics

Devices configured with system-level (WinHTTP) proxy settings can now send telemetry to endpoint analytics and Advanced Analytics, enabling more comprehensive reporting. Endpoint Privilege Management (EPM) will also include elevation usage data from these devices.

No admin action is required. If endpoint analytics or EPM is enabled for a device, telemetry and events will automatically appear in the User Experience (Device blade), endpoint Analytics reports, and EPM.

For more details about displaying advanced proxy settings, see Netsh.exe commands.

Improvements to device query for multiple devices

Device query for multiple devices now includes new capabilities to help you work with query results more efficiently.

You can use a search text box to search across all resulting rows of a query, use column headers to add filters for specific values, and create Microsoft Entra security groups directly from a query's device results.

For more information, see Device query for multiple devices.

Role-based access control

Scoped permissions for Role-based access control (public preview)

Intune now includes an opt-in public preview to enable Scoped permissions, making your role-based access control (RBAC) configuration more precise. Enabling Scoped permissions is a one-time choice that can't be undone. In the future, this will become the default behavior for all tenants.

Previously, when an admin had multiple role assignments using different scope tags for the same permission category, Intune merged permissions across those assignments, which could unintentionally grant broader access than intended. With Scoped permissions enabled, each role assignment's permissions apply only within its own scope tag context, so admins receive exactly the access you intended.

To help you prepare before enabling this change, Intune includes a new Permissions Assessment Report. The report details your tenant's current permissions and shows how they will change after enabling Scoped permissions. You can rerun the report as often as needed, adjust role assignments, and communicate any changes to affected admins before opting in.

For more information about the current default behavior, the Scoped permissions opt-in public preview, and the new report, see Permission behavior across role assignments.

Week of March 24, 2026

Tenant administration

Guided scenarios being removed from the Intune admin center

All guided scenarios except Windows 365 Boot are removed from the Microsoft Intune admin center. You can no longer access the guided scenario wizards, but any Intune objects previously created by these wizards remain available and manageable. The Windows 365 Boot guided scenario remains available from the Windows 365 overview page in the Intune admin center. No action is required.

For alternative step-by-step guidance, see the following resources:

• Microsoft Intune documentation
• Intune prescriptive guides
• Intune administration guides: https://m365accelerator.microsoft.com/intune
  • Securing apps for mobile | Android
  • Securing apps for mobile | iOS
  • Configuring Intune and Configuration Manager to co-manage devices
  • Manage and secure devices for Windows
• Microsoft Copilot in Intune

Week of March 16, 2026

Device management

Improved Remote Help update reporting on macOS

We've improved the update and reporting experience for Remote Help on macOS to make version management more reliable and transparent for IT admins.

After you deploy the latest Remote Help client (version 1.0.26012221) through Microsoft Intune, you can now view the full client version in your device inventory and during app upgrades. This improvement makes it easier to verify deployments. Remote Help installations deployed through Intune are also registered with Microsoft AutoUpdate (MAU), allowing Intune-managed macOS devices to automatically receive future Remote Help updates. For more information, see Deploy Remote Help with Microsoft Intune.

Week of March 2, 2026 (Service release 2602)

App management

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

• Jump by Accio Inc.
• Mijn InPlanning by Intus Workforce Solutions (Android)

For more information about protected apps, see Microsoft Intune protected apps.

Device configuration

Apple declarative device management (DDM) supports assignment filters

You can use assignment filters in policy assignments for DDM-based configurations, like software updates.

To learn more about filters, see Use assignment filters to assign your apps, policies, and profiles in Microsoft Intune.

New settings in the Windows settings catalog

There are new settings in the Windows settings catalog. To see and configure these settings in Intune, create a Windows settings catalog profile (Devices > Configuration profiles > Create profile > Windows 10 and later > Settings catalog).

The new policies include:

Microsoft Edge:

• Control whether an informational webpage for Edge for Business is shown in the new tab after major browser updates: When Enabled or not configured, users with Microsoft Entra ID profiles see an informational page about new Edge for Business features after major browser updates. When Disabled, the informational page isn't shown to users.

  This policy:

  • Applies only to Microsoft Entra ID profiles. It doesn't apply to Microsoft account (MSA) profiles.
  • Is available starting in Microsoft Edge version 144, which allows you to configure the setting before any version 145 changes.

• Enable Silent Printing: When Enabled, Microsoft Edge automatically closes the print preview window and prints to the default printer using its default settings. If the default printer is Save as PDF, the file is saved to the user's Downloads folder. When Disabled or not configured, silent printing is disabled. The print preview window stays open, and the user must choose the print settings as usual.

Microsoft Edge > Content settings:

• Allow precise geolocation on these sites: When Enabled, enter a list of URL patterns for sites that are allowed to access the user's high-accuracy geolocation without prompting for permission. When Disabled or not configured, the default geolocation setting applies to all sites (if configured) or the user's personal setting is used.

  For information about valid URL patterns and examples, see Filter formats for URL list-based policies. Wildcards (*) are supported.

• Block geolocation on these sites: When Enabled, enter a list of URL patterns for sites that are blocked from requesting or accessing the user's geolocation. These sites can't prompt the user for location permissions. When Disabled or not configured, the default geolocation setting applies to all sites (if configured) or the user's personal browser setting is used.

  For information about valid URL patterns and examples, see Filter formats for URL list-based policies. Wildcards (*) are supported.

Windows Backup and Restore:

• Enable Windows Restore: Choose to enable Windows Restore. When enabled, the restore process for a device can be initiated:

  • At the time of device enrollment during the out-of-box experience (OOBE), or
  • The first time a user signs in with their Microsoft Entra ID account after the device finishes enrolling.

  It allows a user to restore their backed‑up Windows settings and Microsoft Store apps from the cloud to a new or reset device. It restores the user experience settings and configuration preferences. It's not a full system image. To learn more, see Windows Backup for Organizations overview.

  Your options:

  • Windows Restore Not Configured
  • Windows Restore Enabled

  This policy:

  • Was previously for Windows Insiders and is now generally available (GA).
  • Uses the WindowsBackupAndRestore CSP.

To learn more about the settings catalog, see Use the Intune settings catalog to configure settings.

New updates to the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS

AirPlay:

• Device Name

macOS

AirPlay:

• Device Name

Microsoft Defender:

• The Microsoft Defender category is updated with new settings. Learn more about available macOS Defender settings at Microsoft Defender - Policies.

Device enrollment

New setting controls MDM enrollment during account registration on Windows (public preview)

A new setting that affects the Microsoft Entra account registration experience on Windows is available in the Microsoft Intune admin center. The setting, Disable MDM enrollment when adding work or school account on Windows, controls whether devices enroll in MDM during the account registration flow. The default setting is set to No, which allows MDM enrollment. No action is required unless you want to change the default enrollment behavior. This Microsoft Entra setting is in public preview. For more information, see Enable MDM automatic enrollment for Windows.

Device management

Multi-administrator approval support for device compliance and device configuration policies

Multi-administrator approval now supports device configuration policies created through the settings catalog and device compliance policies. When you turn on this feature, any changes you make, including creating, editing, or deleting a policy, must be approved by a second administrator before they take effect. This dual-authorization process helps protect your organization from unauthorized or accidental changes to role-based access control.

For more information, see Use Access policies to require Multi Admin Approval.

Device security

Intune ending support for legacy Apple MDM software update policies

With the release of iOS 26, iPadOS 26, and macOS 26, Apple has deprecated legacy mobile device management (MDM) software update commands and payloads. As a result, Microsoft Intune will soon end support for creating legacy iOS/iPadOS and macOS software update policies. To continue managing Apple software updates in Intune, configure update policies using Apple's declarative device management (DDM) model. DDM provides a more modern and reliable approach to managing software updates, with improved device autonomy and reporting.

For guidance on moving to DDM‑based software updates, see the Intune Customer Success blog: Move to declarative device management for Apple software updates.

Autopatch update readiness

Autopatch update readiness provides a unified experience for tracking and remediating Windows update issues across Intune-enrolled devices and Windows Autopatch group-enrolled devices. With a single dashboard, admins can view all managed devices, including enrollment status and policy assignments, to better understand update readiness across their environment.

Key capabilities include:

• Device update journey: View granular update states for each device to quickly identify where updates are blocked and why.
• Centralized alerting: See actionable alerts for update failures, policy conflicts, and readiness gaps in one place, with integrated remediation guidance.
• Update readiness checker: Proactively evaluate devices for deployment risks and flag devices as At Risk based on signals such as disk space, appraiser data, and setup conditions.
• Repair devices with OS reinstall: Remediate upgrade‑blocked devices by triggering an OS reinstall for common issues like insufficient disk space or app compatibility problems, with supporting alerts and reporting.

For more information, see Autopatch update readiness.

Monitor and troubleshoot

Updates to operators in device query for multiple devices

Device query for multiple devices now includes expanded operator support, clearer query validation, and improved results to make building and interpreting queries easier.

• New join types supported
  You can now use the following join types when querying across entities:
  • leftsemi
  • rightsemi
  • leftanti
  • rightanti
• Updated join behavior
  Joins that use on Device.DeviceId are no longer supported. Queries should instead:
  • Use on Device, or
  • Omit the on clause entirely when joining on the device entity.
• Updated device references in operators
  Using Device by itself is no longer supported in operators such as distinct, summarize, or order by. Queries must reference a specific device property.
• Improved query results
  Queries that involve a device—either by querying a device directly or by joining a device with another entity—now return the device as a clickable link in the results, allowing you to quickly navigate to device details.
• Clearer error messages
  Some query error messages have been updated to provide clearer, more descriptive guidance when queries are invalid.

Week of February 9, 2026 (Service release 2601)

Advanced capabilities

Endpoint Privilege Management support on Azure Virtual Desktop

Endpoint Privilege Management (EPM) elevation policies now support deployment to users on Azure Virtual Desktop (AVD) single-session virtual machines.

For information about using EPM, see Plan and Prepare for Endpoint Privilege Management Deployment.

App management

Lenovo Device Orchestration (LDO) link in the Intune admin center

Microsoft Intune now includes a direct link to Lenovo Device Orchestration (LDO) in the Intune admin center. This integration expands the Partner portals experience by giving IT admins a single, secure entry point to manage supported Lenovo devices.

From the Intune admin center, IT admins can open the Lenovo Device Orchestration portal directly to access Lenovo-specific device management capabilities.

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

• Clarity Express for Intune by Rego Consulting Corporation
• Datadog by Datadog Inc.
• Qlik Analytics by Qlik
• Tier1 for Intune by SS&C Technologies, Inc. (iOS)

For more information about protected apps, see Microsoft Intune protected apps.

Device configuration

New settings in the Windows settings catalog

There are new settings in the Windows settings catalog. To see and configure these settings in Intune, create a Windows settings catalog profile (Devices > Configuration profiles > Create profile > Windows 10 and later > Settings catalog).

The new policies include:

• Microsoft Edge - Includes the latest Microsoft Edge browser policies, up to version 143.0.3650.23, including:

  • Allow sharing tenant-approved browsing history with Microsoft 365 Copilot Search
  • Enable RAM (memory) resource controls
  • Specifies whether to opt out of Local Network access restrictions

  Due to differences in release cadences between Microsoft Edge and Intune, there can be a one-to-two-week delay in the settings catalog.

• Experience > Disable Share App Promotions - This policy setting allows IT admins to control if promotional apps are shown in the Windows Share Sheet. If you enable this policy, Windows doesn't show promotional apps in the Share Sheet.

• Licensing > Enable ESU Subscription Check: This policy is deprecated and only works on Windows 10. Setting this policy has no effect on other supported Windows versions. This policy enables or disables subscription check for Windows 10 Extended Security Updates. If enabled, the device check for the ESU subscription status of the signed-in Microsoft Entra ID user account.

• Windows AI - Includes the following new settings that are available to Windows Insiders:

  • Disable Agent Workspaces - Enables or disables Agent Workspaces.
  • Disable Agent Connectors - Enables or disables Agent Connectors.
  • Disable Remote Agent Connectors - Enables or disables remote Agent Connectors.
  • Agent Connector Minimum Policy - Configures the minimum policy value that controls how agent connectors run on the machine.

• Google Chrome - Includes the Google Chrome ADMX browser policies, up to version 141.0.7390.108.

  Due to differences in release cadences between Chrome and Intune, Intune can be one to two versions behind the latest released Chrome version.

• Firewall > Enable Audit Mode - If enabled, the target machine goes into Firewall audit mode.

• Microsoft Visual Studio > Copilot settings > Disable agent mode - This existing Copilot setting is updated to include localization. This setting prevents users from using GitHub Copilot agent mode.

• Windows Components > Internet Explorer > Internet Control Panel > Security Page:

  • Turn on automatic detection of intranet - This policy setting enables intranet mapping rules to be applied automatically if the computer belongs to a domain. If you enable this policy setting, automatic detection of the intranet is turned on, and intranet mapping rules are applied automatically if the computer belongs to a domain.

  • Intranet Sites: Include all sites that bypass the proxy server - This policy setting controls whether sites which bypass the proxy server are mapped into the local Intranet security zone. If you enable this policy setting, sites which bypass the proxy server are mapped into the Intranet Zone.

To learn more about the settings catalog, see Use the Intune settings catalog to configure settings.

New supported OEMConfig apps for Android Enterprise

The following OEMConfig apps are available in Intune for Android Enterprise:

• FCNT - Senior Care | com.fcnt.mobile_phone.seniorcareconfig
• FCNT - Schema | com.fcnt.mobile_phone.schematest
• Sonim | com.sonim.oemappconfig

For more information about OEMConfig, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Filter by Android management mode in the settings catalog

The settings catalog includes hundreds of settings that you can configure. There are built-in features that help filter the available settings.

When you create an Android settings catalog policy, there's a management mode filter option that filters the available settings by their enrollment type, including:

• Fully managed
• Corporate-owned work profile
• Dedicated

To learn more about the settings catalog, see:

• Use the Intune settings catalog to configure settings
• Android Intune settings catalog settings list

New updates to the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There is a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS for platform > Settings catalog for profile type.

iOS/iPadOS

Restrictions:

• Rating Apps Exempted Bundle IDs: This setting lets admins specify apps that can bypass the 17 and older restriction.

  For example, a device can have its content restricted to ages 9 and below. With this restriction, apps with an age-based rating of 17 and older are automatically blocked. Admins can use this setting to allow specific apps to bypass this restriction.

Apple rebranded Rapid Security Responses to Background Security Improvements. This change is updated in the settings catalog. For more information on Background Security Improvements, see Background Security Improvements on Apple devices (opens Apple's web site).

Device management

More options for assignment filters > Device Management Type property for managed apps on Android and iOS/iPadOS

When you create policies for your managed apps, you can use assignment filters to assign policies based on rules you create. In these rules, you can use different device and app properties, including the Device Management Type property on Android and iOS/iPadOS.

For Android, the Device Management Type property for managed apps is:

• Adding the following options:

  • Corporate-owned with work profile
  • Corporate-owned fully managed
  • Corporate-owned dedicated devices with Entra ID Shared mode
  • Corporate-owned dedicated devices without Entra ID Shared mode
  • Personally owned work profile

• To replace the following option:

  • Android Enterprise

For iOS/iPadOS, the Device Management Type property for managed apps is:

• Adding the following options:

  • Automated Device Enrollment user-associated devices
  • Automated Device Enrollment userless devices
  • Account Driven User Enrollment
  • Device Enrollment with Company Portal and Web Enrollment

• To replace the following option:

  • Managed

What you need to know

• If you're using the legacy values in your filters, the values are automatically mapped to the new available values for that platform.
• For the automatic mapping to work correctly, devices must be registered with Microsoft Entra and have a Microsoft Entra Device ID. If the devices don't meet these requirements, the app assignment filters won't match to the more granular management types. You can use an Intune app configuration policy to force Microsoft Entra device registration with the com.microsoft.intune.mam.IntuneMAMOnly.RequireAADRegistration=Enabled key.
• If the device is MDM-managed by a third-party or partner service, the managed app assignment filters won't match to the more granular management types.

To learn more about filters, see:

• Use assignment filters to assign your apps, policies, and profiles in Microsoft Intune
• App and device properties, operators, and rule editing when creating assignment filters in Microsoft Intune

Intune certificate inventory integration with Zimperium mobile threat defense

You can now configure the Zimperium Mobile Threat Defense (MTD) connector to synchronize certificate inventory from your managed iOS devices. This enhancement helps you identify when a device threat level is elevated due to approved but potentially malicious certificates on the device. The following settings are now available when configuring the connector:

• Enable Certificate Sync for iOS/iPadOS devices - Allows this Mobile Threat Defense partner to request a list of installed certificates on iOS/iPadOS devices from Intune to use for threat analysis purposes.
• Send full certificate inventory data on personally owned iOS/iPadOS devices - This setting controls the certificate inventory data that Intune shares with this Mobile Threat Defense partner for personally owned devices. Data is shared when the partner syncs certificate data and requests the certificate inventory list.

When certificate sync is enabled, the following data is shared:

• Account ID
• Entra ID Device ID
• Device Owner
• Certificate List
  • Common Name
  • Data
  • Is Identity

For more information, see Mobile Threat Defense toggle options.

Device security

Update firewall configurations for new Intune network endpoints

As part of Microsoft's ongoing Secure Future Initiative (SFI), Microsoft Intune began using Azure Front Door (AFD) IP addresses in addition to the existing Intune service IPs in December 2025.

Customers that use IP-based allowlist, Azure service tags, or have strict outbound filtering in their firewall, VPN, proxy, or other network infrastructure may block this new traffic, causing degraded or failed device connectivity. This can affect core Intune functions including device and app management.

• If your organization uses Fully Qualified Domain Name (FQDN)-based rules or does not restrict outbound traffic, no changes are typically required. However, you should verify that the appropriate wildcard rules are configured, specifically *.manage.microsoft.com, to ensure all Intune services remain reachable. Microsoft continues to recommend using FQDN-based wildcard rules whenever possible to reduce administrative overhead for organizations that require outbound filtering.
• If your organization uses IP-based allowlists in your firewall, proxy, or VPN rules, you must add the Azure Front Door IP ranges below or use Azure service tag AzureFrontDoor.MicrosoftSecurity to avoid potential connectivity issues for managed devices.

Required IP addresses for commercial endpoints:

• 13.107.219.0/24
• 13.107.227.0/24
• 13.107.228.0/23
• 150.171.97.0/24
• 2620:1ec:40::/48
• 2620:1ec:49::/48
• 2620:1ec:4a::/47

Required IP addresses for US government endpoints:

• 51.54.53.136/29
• 51.54.114.160/29
• 62.11.173.176/29

For the authoritative and up-to-date list of network endpoints required by Intune client and host services, see Intune core service in Network endpoints for Microsoft Intune, and Ports and IP addresses list in US government endpoints for Microsoft Intune.

For additional context on this change, see Support Tip: Upcoming Microsoft Intune Network Changes.

Monitor and troubleshoot

Windows feature update reports support Windows 11, version 25H2

The Windows feature update compatibility risks report and Windows feature update device readiness report support Windows 11, version 25H2 as a selectable target OS. When you choose this version under Select target OS, the reports provide updated insights to help you assess device readiness and identify potential compatibility risks before deploying the feature update.

Tenant administration

Admin tasks in Microsoft Intune are now generally available

Admin tasks in the Intune admin center are out of preview and now generally available. Admin tasks provide a centralized view where admins can discover, organize, and act on common tasks that are otherwise spread throughout the Intune admin center. Located under Tenant Administration, this unified experience supports search, filtering, and sorting to help you focus on what needs attention, without navigating across multiple nodes.

The following task types are supported:

• Endpoint Privilege Management file elevation requests
• Microsoft Defender security tasks
• Multi Admin Approval requests

Intune only shows tasks you have permission to manage. When you select a task, Intune opens the same interface and workflow you'd use if managing the task from its original location. This ensures a consistent experience whether you're working from the admin tasks node or directly within the source capability.

To learn more, see:

• Admin tasks

Week of January 12, 2026

App management

PowerShell script installer for Win32 apps

When adding a Win32 app, you can upload a PowerShell script to serve as the installer instead of specifying a command line. Intune packages the script with the app content and runs it in the same context as the app installer, enabling richer setup workflows like prerequisite checks, configuration changes, and post-install actions. Installation results appear in the Intune admin center based on the script's return code.

For more information, see Win32 app management in Microsoft Intune.

Week of December 8, 2025

Device enrollment

ACME protocol support for iOS/iPadOS and macOS enrollment

As we prepare to support managed device attestation in Intune, we are starting a phased rollout of an infrastructure change for new enrollments that includes support for the Automated Certificate Management Environment (ACME) protocol. Now when new Apple devices enroll, the management profile from Intune receives an ACME certificate instead of a SCEP certificate. ACME provides better protection than SCEP against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management.

Existing OS and hardware eligible devices do not get the ACME certificate unless they re-enroll. There is no change to the end user's enrollment experience, and no changes to the Microsoft Intune admin center. This change only impacts enrollment certificates and has no impact on any device configuration policies.

ACME is supported for Apple Device Enrollment (BYOD), Apple Configurator enrollment, and automated device enrollment (ADE) methods. Eligible OS versions include:

• iOS 16.0 or later

• iPadOS 16.1 or later

• macOS 13.1 or later

New Setup Assistant screens now generally available for iOS/iPadOS and macOS automated device enrollment profiles

You can hide or show 12 new Setup Assistant screens during automated device enrollment (ADE). The default is to show these screens in Setup Assistant.

The screens you can skip during iOS/iPadOS enrollment, and the applicable versions, include:

• App Store (iOS/iPadOS 14.3+)
• Camera button (iOS/iPadOS 18+)
• Web content filtering (iOS/iPadOS 18.2+)
• Safety and handling (iOS/iPadOS 18.4+)
• Multitasking (iOS/iPadOS 26+)
• OS Showcase (iOS/iPadOS 26+)

The screens you can skip during macOS enrollment include:

• App Store (macOS 11.1+)
  • Get Started (macOS 15+)
  • Software update (macOS 15.4+)
  • Additional privacy settings (macOS 26+)
  • OS Showcase (macOS 26.1+)
  • Update completed (macOS 26.1+)

For more information about available Setup Assistant skipkeys, see:

• Set up automated device enrollment for iOS/iPadOS
• Set up automated device enrollment for macOS

For previous months, see the What's new archive.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Update to the latest Intune Company Portal for Android, Intune App SDK for iOS, and Intune App Wrapper for iOS

Starting January 19, 2026, or soon after, we're making updates to improve the Intune mobile application management (MAM) service. To stay secure and run smoothly, this update will require iOS wrapped apps, iOS SDK integrated apps, and the Intune Company Portal for Android to be updated to the latest versions.

The way Android updates, once one Microsoft application with the updated SDK is on the device and the Company Portal is updated to the latest version, Android apps will update, so this message is focused on iOS SDK/app wrapper updates. We recommend to always update your Android and iOS apps to the latest SDK or app wrapper to ensure that your app continues to run smoothly. Review the following GitHub announcements for more details on the specific effect:

• SDK for iOS: Action Required: Update the MAM SDK in your application to avoid end user impact - microsoftconnect/ms-intune-app-sdk-ios Discussion #598 | GitHub
• Wrapper for iOS: Action Required: Wrap your application with version 20.8.1+ to avoid end user impact - microsoftconnect/intune-app-wrapping-tool-ios Discussion #143 | GitHub

If you have questions, leave a comment on the applicable GitHub announcement.

How does this change affect you or your users?

If your users haven't updated to the latest Microsoft or third-party app protection supported apps, they'll be blocked from launching their apps. If you have iOS line-of-business (LOB) applications that are using the Intune wrapper or Intune SDK, you must be on Wrapper/SDK version 20.8.0 or later for apps compiled with Xcode 16 and version 21.1.0 or later for apps compiled with Xcode 26 to avoid your users being blocked.

How can you prepare?

Plan to make the following changes before January 19, 2026:

• For apps using the Intune App SDK, you must update to the new version of the Intune App SDK for iOS:

  • For apps built with XCode 16 use v20.8.0 - Release 20.8.0 - microsoftconnect/ms-intune-app-sdk-ios | GitHub
  • For apps built with XCode 26 use v21.1.0 - Release 21.1.0 - microsoftconnect/ms-intune-app-sdk-ios | GitHub

• For apps using the wrapper, you must update to the new version of the Intune App Wrapping Tool for iOS:

  • For apps built with XCode 16 use v20.8.1 - Release 20.8.1 - microsoftconnect/intune-app-wrapping-tool-ios | GitHub
  • For apps built with XCode 26 use v21.1.0 - Release 21.1.0 - microsoftconnect/intune-app-wrapping-tool-ios | GitHub

• For tenants with policies targeted to iOS apps:

  • Notify your users that they need to upgrade to the latest version of the Microsoft apps. You can find the latest version of the apps in the App store. For example, you can find the latest version of Microsoft Teams here and Microsoft Outlook here.
  • Additionally, you can enable the following Conditional Launch settings:
    • The Min SDK version setting to block users if the app is using Intune SDK for iOS older than 20.8.0.
    • The Min app version setting to warn users on older Microsoft apps. Note, this setting must be in a policy targeted to only the targeted app.

• For tenants with policies targeted to Android apps:

  • Notify your users that they need to upgrade to the latest version (v5.0.6726.0) of the Intune Company Portal app.

  • Additionally, you can enable the following Conditional Launch device condition setting:

    • The Min Company Portal version setting to warn users using a Company Portal app version older than 5.0.6726.0.

Update firewall configurations to include new Intune network endpoints

As part of Microsoft's ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use the Azure Front Door IP addresses. This improvement supports better alignment with modern security practices and over time will make it easier for organizations using multiple Microsoft products to manage and maintain their firewall configurations. As a result, customers might be required to add these network (firewall) configurations in third-party applications to enable proper function of Intune device and app management. This change will affect customers using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags.

Don't remove any existing network endpoints required for Microsoft Intune. More network endpoints are documented as part of the Azure Front Door and service tags information referenced in the following files:

• Public clouds: Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center
• Government clouds: Download Azure IP Ranges and Service Tags – US Government Cloud from Official Microsoft Download Center

The other ranges are in the JSON files linked above and can be found by searching for "AzureFrontDoor.MicrosoftSecurity".

How does this change affect you or your users?

If you've configured an outbound traffic policy for Intune IP address ranges or Azure service tags for your firewalls, routers, proxy servers, client-based firewalls, VPN, or network security groups, you'll need to update them to include the new Azure Front Door ranges with the "AzureFrontDoor.MicrosoftSecurity" tag.

Intune requires internet access for devices under Intune management, whether for mobile device management or mobile application management. If your outbound traffic policy doesn't include the new Azure Front Door IP address ranges, users can face sign-in issues, devices might lose connectivity with Intune, and access to apps like the Intune Company Portal or the apps protected by app protection policies could be disrupted.

How can you prepare?

Ensure that your firewall rules are updated and added to your firewall's allowlist with the other IP addresses documented under Azure Front Door by December 2, 2025.

Alternatively, you can add the AzureFrontDoor.MicrosoftSecurity service tag to your firewall rules to allow outbound traffic on port 443 for the addresses in the tag.

If you aren't the IT admin who can make this change, notify your networking team. If you're responsible for configuring internet traffic, see the following documentation for more details:

• Azure Front Door
• Azure service tags
• Intune network endpoints
• US government network endpoints for Intune

If you have a helpdesk, inform them about this upcoming change.

Update to support statement for Windows 10 in Intune

Windows 10 has reached end of support on October 14, 2025. Windows 10 no longer receives quality or feature updates. Security updates are only available to commercial customers who have enrolled devices into the Extended Security Updates (ESU) program. For more details, review the following additional information.

How does this change affect you or your users?

Microsoft Intune continues to maintain core management functionality for Windows 10, including:

• Continuity of device management.
• Support for updates and migration workflows to Windows 11.
• Ability for ESU customers to deploy Windows security updates and maintain secure patch levels.

The final release of Windows 10 (version 22H2) is designated as an "allowed" version in Intune. While updates and new features are not available, devices running this version can still enroll in Intune and use eligible features, but functionality is not guaranteed and can vary.

How can you prepare?

Use the All devices report in the Intune admin center to identify devices still running Windows 10 and upgrade eligible devices to Windows 11.

If devices cannot be upgraded in time, consider enrolling eligible devices in the Windows 10 ESU program to continue receiving critical security updates.

Additional information

• Stay secure with Windows 11, Copilot+ PCs, and Windows 365 before support ends for Windows 10
• Windows 10 reaching end of support
• Enable Extended Security Updates (ESU)
• Windows 10 release information
• Windows 11 release information
• Lifecycle FAQ - Windows 

Plan for Change: Intune is moving to support iOS/iPadOS 17 and later

Later in calendar year 2025, we expect iOS 26 and iPadOS 26 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), requires iOS 17/iPadOS 17 and higher shortly after the iOS/iPadOS 26 release.

How does this change affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS 17/iPadOS 17).

Given that Microsoft 365 mobile apps are supported on iOS 17/iPadOS 17 and higher, this change might not affect you. You likely already upgraded your OS or devices.

To check which devices support iOS 17 or iPadOS 17 (if applicable), see the following Apple documentation:

• Supported iPhone models
• Supported iPad models

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.

To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.

Plan for change: Intune is moving to support macOS 14 and higher later this year

Later in calendar year 2025, we expect macOS Tahoe 26 to be released by Apple. Microsoft Intune, the Company Portal app, and the Intune mobile device management agent support macOS 14 and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of macOS 26. This change doesn't affect existing enrolled devices.

How does this change affect you or your users?

This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. If your users have likely already upgraded their macOS devices, then this change might not affect you. For a list of supported devices, refer to macOS Sonoma is compatible with these computers.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 13.x or earlier. Ask your users to upgrade their devices to a supported OS version.

Plan for Change: Google Play strong integrity definition update for Android 13 or above

Google recently updated the definition of "Strong Integrity" for devices running Android 13 or above, requiring hardware-backed security signals and recent security updates. For more information, see the Android Developers Blog: Making the Play Integrity API faster, more resilient, and more private. Microsoft Intune will enforce this change by October 31, 2026. Until then, we've adjusted app protection policy and compliance policy behavior to align with Google's recommended backward compatibility guidance to minimize disruption as detailed in Improved verdicts in Android 13 and later devices | Google Play | Android Developers.

How does this change affect you or your users?

If you have targeted users with app protection policies and/or compliance policies that are using devices running Android 13 or above without a security update in the past 12 months, these devices will no longer meet the "Strong Integrity" standard.

User impact - For users running devices on Android 13 or above after this change:

• Devices without the latest security updates might be downgraded from "Strong Integrity" to "Device Integrity", which could result in conditional launch blocks for affected devices.
• Devices without the latest security updates might see their devices become noncompliant in the Intune Company Portal app and could lose access to company resources based on your organization's Conditional Access policies.

Devices running Android versions 12 or below aren't affected by this change.

How can you prepare?

Review and update your policies as needed. Ensure users with devices running Android 13 or above are receiving timely security updates. You can use the app protection status report to monitor the date of the last Android Security Patch received by the device and notify users to update as needed. The following admin options are available to help warn or block users:

• For app protection policies, configure the Min OS version and Min patch version conditional launch settings. For more details, review Android app protection policy settings in Microsoft Intune | Microsoft Learn
• For compliance policies, configure the Minimum security patch level compliance setting. For more details, review: Device compliance settings for Android Enterprise in Intune

Plan for Change: New Intune connector for deploying Microsoft Entra hybrid joined devices using Windows Autopilot

As part of Microsoft's Secure Future Initiative, we recently released an update to the Intune Connector for Active Directory to use a Managed Service Account instead of a local SYSTEM account for deploying Microsoft Entra hybrid joined devices with Windows Autopilot. The new connector aims to enhance security by reducing unnecessary privileges and permissions associated with the local SYSTEM account.

How does this change affect you or your users?

If you have Microsoft Entra hybrid joined devices using Windows Autopilot, you need to transition to the new connector to continue deploying and managing devices effectively. If you don't update to the new connector, you won't be able to enroll new devices using the old connector.

How can you prepare?

Update your environment to the new connector by following these steps:

1. Download and install the new connector in the Intune admin center.
2. Sign in to set up the Managed Service Account (MSA).
3. Update the ODJConnectorEnrollmentWizard.exe.config file to include the required Organizational Units (OUs) for domain join.

For more detailed instructions, review: Microsoft Intune Connector for Active Directory security update and Deploy Microsoft Entra hybrid joined devices by using Intune and Windows Autopilot.

Plan for Change: New settings for Apple AI features; Genmojis, Writing tools, Screen capture

Today, the Apple AI features for Genmojis, Writing tools, and screen capture are blocked when the app protection policy (APP) "Send Org data to other apps" setting is configured to a value other than "All apps". For more details on the current configuration, app requirements, and the list of current Apple AI controls review the blog: Microsoft Intune support for Apple Intelligence

In an upcoming release, Intune app protection policies have new standalone settings for blocking screen capture, Genmojis, and Writing tools. These standalone settings are supported by apps that have updated to version 19.7.12 or later for Xcode 15 and 20.4.0 or later for Xcode 16 of the Intune App SDK and App Wrapping Tool.

How does this change affect you or your users?

If you configured the APP "Send Org data to other apps" setting to a value other than "All apps", then the new "Genmoji", "Writing Tools" and "Screen capture" settings are set to Block in your app protection policy to prevent changes to your current user experience.

How can you prepare?

Review and update your app protection policies if you'd like more granular controls for blocking or allowing specific AI features. (Apps > Protection > select a policy > Properties > Basics > Apps > Data protection)

Plan for change: User alerts on iOS for when screen capture actions are blocked

In an upcoming version (20.3.0) of the Intune App SDK and Intune App Wrapping Tool for iOS, support is added to alert users when a screen capture action (including recording and mirroring) is detected in a managed app. The alert is only visible to users if you have configured an app protection policy (APP) to block screen capture.

How does this change affect you or your users?

If APP has been configured to block screen capturing, users see an alert indicating that screen capture actions are blocked by their organization when they attempt to screenshot, screen record, or screen mirror.

For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions, screen capture is blocked if you configured "Send Org data to other apps" to a value other than "All apps". To allow screen capture for your iOS/iPadOS devices, configure the Managed apps app configuration policy setting "com.microsoft.intune.mam.screencapturecontrol" to Disabled.

How can you prepare?

Update your IT admin documentation and notify your helpdesk or users as needed. You can learn more about blocking screen capture in the blog: New block screen capture for iOS/iPadOS MAM protected apps

Plan for Change: Blocking screen capture in the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS

We recently released updated versions of the Intune App SDK and the Intune App Wrapping Tool. Included in these releases (v19.7.5+ for Xcode 15 and v20.2.0+ for Xcode 16) is the support for blocking screen capture, Genmojis, and writing tools in response to the new AI features in iOS/iPadOS 18.2.

How does this change affect you or your users?

For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions screen capture will be blocked if you configured "Send Org data to other apps" to a value other than "All apps". To allow screen capture for your iOS/iPadOS devices, configure the Managed apps app configuration policy setting "com.microsoft.intune.mam.screencapturecontrol" to Disabled.

How can you prepare?

Review your app protection policies and if needed, create a Managed apps app configuration policy to allow screen capture by configuring the above setting (Apps > App configuration policies > Create > Managed apps > Step 3 'Settings' under General configuration). For more information review, iOS app protection policy settings – Data protection and App configuration policies - Managed apps.

Plan for Change: Implement strong mapping for SCEP and PKCS certificates

With the May 10, 2022, Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution (KDC) behavior in Windows Server 2008 and later versions to mitigate elevation of privilege vulnerabilities associated with certificate spoofing. Windows enforces these changes on February 11, 2025.

To prepare for this change, Intune has released the ability to include the security identifier to strongly map SCEP and PKCS certificates. For more information, review the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates.

How does this change affect you or your users?

These changes will affect SCEP and PKCS certificates delivered by Intune for Microsoft Entra hybrid joined users or devices. If a certificate can't be strongly mapped, authentication will be denied. To enable strong mapping:

• SCEP certificates: Add the security identifier to your SCEP profile. We strongly recommend testing with a small group of devices and then slowly rollout updated certificates to minimize disruptions to your users.
• PKCS certificates: Update to the latest version of the Certificate Connector, change the registry key to enable the security identifier, and then restart the connector service. Important: Before you modify the registry key, review how to change the registry key and how to back up and restore the registry.

For detailed steps and more guidance, review the Support tip: Implementing strong mapping in Microsoft Intune certificates blog.

How can you prepare?

If you use SCEP or PKCS certificates for Microsoft Entra Hybrid joined users or devices, you'll need to take action before February 11, 2025 to either:

• (Recommended) Enable strong mapping by reviewing the steps described in the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates
• Alternatively, if all certificates can't be renewed before February 11, 2025, with the SID included, enable Compatibility mode by adjusting the registry settings as described in KB5014754. Compatibility mode is valid until September 2025.

Update to the latest Intune App SDK and Intune App Wrapper for Android 15 support

We've recently released new versions of the Intune App SDK and Intune App Wrapping Tool for Android to support Android 15. We recommend upgrading your app to the latest SDK or wrapper versions to ensure applications stay secure and run smoothly.

How does this change affect you or your users?

If you have applications using the Intune App SDK or Intune App Wrapping Tool for Android, it's recommended that you update your app to the latest version to support Android 15.

How can you prepare?

If you choose to build apps targeting Android API 35, you need to adopt the new version of the Intune App SDK for Android (v11.0.0). If you wrapped your app and are targeting API 35, you need to use the new version of the App wrapper (v1.0.4549.6).

You should also plan to update your documentation or developer guidance if applicable to include this change in support for the SDK.

Here are the public repositories:

• Intune App SDK for Android
• Intune App Wrapping Tool for Android

Intune moving to support Android 10 and later for user-based management methods in October 2024

In October 2024, Intune supports Android 10 and later for user-based management methods, which includes:

• Android Enterprise personally owned work profile
• Android Enterprise corporate owned work profile
• Android Enterprise fully managed
• Android Open Source Project (AOSP) user-based
• Android device administrator
• App protection policies
• App configuration policies (ACP) for managed apps

Moving forward, we'll end support for one or two versions annually in October until we only support the latest four major versions of Android. You can learn more about this change by reading the blog: Intune moving to support Android 10 and later for user-based management methods in October 2024.

How does this change affect you or your users?

For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:

• Intune technical support won't be provided.
• Intune won't make changes to address bugs or issues.
• New and existing features aren't guaranteed to work.

While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:

• Configure a conditional launch setting for APP with a minimum OS version requirement to warn and/or block users.
• Use a device compliance policy and set the action for noncompliance to send a message to users before marking them as noncompliant.
• Set enrollment restrictions to prevent enrollment on devices running older versions.

For more information, review: Manage operating system versions with Microsoft Intune.