The latest Microsoft Intune update brings a range of enhancements across app management, device configuration, enrollment, security, and the admin experience. It’s a lengthy release, so let’s start with some highlights.
Areas to note include the better visualization of Win32 application dependencies in the Intune console, which helps sort out some major headaches when managing application dependencies. For better or worse, the Delivery Optimization configuration is moving to a template that standardizes Delivery Optimization settings and supports configuration best practices.
Endpoint Privilege Management is more granular, with rules around command-line arguments. Non-Windows endpoints see several minor updates to refine the device management experience across different device platforms as we embrace the modern management reality of trying to manage nearly every device type.
Now, let’s dive into some details. I’ve also included links to more relevant information to help where possible. Take a look, and get used to processing these service update notifications like I do.
Endpoint Privilege Management: Fine-Tuned Elevation Rules
Endpoint Privilege Management (EPM) now supports command-line file arguments in elevation rules. Admins can specify which arguments are allowed for file elevation and block unapproved arguments. This granular control helps reduce the risk of privilege misuse and ensures only intended operations run with elevated rights, tightening endpoint security.
Configure policies to manage Endpoint Privilege Management with Microsoft Intune | Microsoft Learn
Application Management: Better Visibility and Apple AI Support
- Relationship Viewer for Apps:
A new graphical relationship viewer shows dependencies and supersedence between Win32 and Enterprise App Catalog apps. This visualization streamlines troubleshooting and planning for app updates or replacements.
How Microsoft Intune Graphical Relationship Viewer Helps Manage Win32 Applications | HTMD Blog
Win32 app management in Microsoft Intune | Microsoft Learn
- Apple AI Features in App Protection Policies:
New standalone settings let admins control Apple Intelligence features like Genmojis and writing tools. Apps must be updated to recent SDK versions to support these settings. By default, these features are blocked unless data sharing is set to “All apps,” giving admins more flexibility in managing sensitive data on iOS devices.
Microsoft Intune support for Apple Intelligence | Microsoft Community Hub
- Apple VPP API v2.0:
Intune now uses Apple’s faster, more scalable Volume Purchase Program API v2.0, ensuring continued compatibility and improved performance for app and book deployments on Apple devices.
Manage Apple volume-purchased apps – Microsoft Intune | Microsoft Learn
- Expanded Org Data Storage Options:
iManage and Egnyte are now available as exempted storage services for saving organizational data on Android and iOS, offering more choices for secure data handling.
Customize Your Cloud Storage on Egnyte – Egnyte
Device Configuration: Templates and Catalog Enhancements
- Windows Delivery Optimization Template:
The updated template adopts the Settings Catalog format, aligning with Windows CSPs. While old profiles remain usable, new configurations must use the updated template, simplifying policy management and future-proofing deployments.
Windows Delivery Optimization settings in Microsoft Intune | Microsoft Learn
- Apple macOS Settings Catalog:
A new setting (“Show Input Menu” at the login window) is available for macOS, expanding customization options for Mac environments.
- Android Settings Catalog Experience:
Android device configuration now mirrors the UI of iOS, macOS, and Windows, consolidating templates under “Profile Type.” This is a UI change only; existing policies remain unaffected, but the streamlined experience will help reduce admin errors and training time.
Create a policy using settings catalog in Microsoft Intune | Microsoft Learn
Device Enrollment: Streamlined Naming and Grouping
- Custom Device Naming for Android Enterprise:
Admins can now use templates, including variables like serial number and username, to name corporate-owned Android devices at enrollment, improving device identification and inventory management.
- Enrollment-Time Grouping:
Devices can be auto-assigned to static Microsoft Entra groups during enrollment, ensuring policies, apps, and settings are applied immediately. This reduces manual group management and accelerates device readiness.
Set up enrollment time grouping – Microsoft Intune | Microsoft Learn
Device Management: End of Custom Profiles for BYOD Android
Support for custom profiles on Android Enterprise personally owned work profile devices is ending. Admins can no longer create new custom profiles, though existing ones can still be viewed and edited. Microsoft recommends migrating to supported policy types to maintain manageability and support.
Device Security: Expanded Windows Security Baseline
The Windows security baseline (version 24H2) now includes 16 new settings for Lanman Server and Workstation CSPs, plus a new Defender setting. These additions offer enhanced auditing, encryption, and SMB protocol controls. Admins must edit and save existing baselines to access the new settings or create new baselines for immediate availability.
Learn about Intune security baselines for Windows devices | Microsoft Learn
Intune Apps: More Protected Apps
Three new apps (FileOrbis for Intune, PagerDuty for Intune, and Outreach.io) are now protected, expanding the ecosystem of secure, managed applications available to organizations.
Tenant Administration: Improved Admin Center Home Page
The Intune admin center homepage now features more links to demos, documentation, and training resources, making it easier for admins to find help and stay current with best practices.
Key Impact for Intune Administrators
- Enhanced Security: More granular controls in EPM, Android, macOS, and Windows baselines improve endpoint protection.
- Simplified Management: UI consistency and new application relationship visualization tools reduce complexity and speed up troubleshooting.
- Better Compliance: Apple and Android management updates align organizations with the latest platform requirements.
- Operational Efficiency: Automated device grouping and naming and improved app deployment APIs streamline onboarding and day-to-day management.
- Future-Proofing: Implementing Delivery Optimization templates as a new practice.
These updates empower Intune administrators to deliver more secure, efficient, and user-friendly device management across platforms. Review the changes above and work them into your operational processes to introduce features that make sense for your environment. I’ll beat it to death, but staying current isn’t optional. With the cloud, we must be on top of changes to operate the solutions we use properly.