June 2026 brings one of the most feature-dense Intune releases in recent memory. From agentic AI that autonomously remediates vulnerabilities to long-awaited GA milestones for Enterprise Application Management and Endpoint Privilege Management, there is a lot for endpoint admins to unpack. This post walks through every significant change, what it means operationally, and what action — if any — you need to take before the end of the month.
Vulnerability Remediation Agent — Public Preview
The headline feature for June is the Vulnerability Remediation Agent, a Security Copilot-powered agentic workflow that can autonomously discover, prioritise, and remediate software vulnerabilities across your managed fleet — without a human clicking through each remediation task individually.
Detailed coverage of the public preview is available in the Intune Customer Success blog post and the agent documentation on learn.microsoft.com.
How it works
The agent uses an Entra agentic identity — a new class of non-human identity distinct from service principals and managed identities — to authenticate against Intune and Microsoft Defender Vulnerability Management (MDVM). It ingests the MDVM vulnerability feed, applies CVSS v3 scoring and exploitability metadata, groups CVEs by affected software and device scope, then issues remediation tasks (software updates, configuration changes, or application removals) through Intune's existing remediation pipeline.
Prioritisation logic considers: CVSS base score, EPSS (Exploit Prediction Scoring System) probability, active exploitation status in the wild, and asset criticality tags you've applied in Defender for Endpoint. The agent presents a ranked remediation plan to an approving admin before any changes are deployed — it is not fully autonomous by default in preview.
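As an added illustration of the ranking step described above (this is not the agent's code, and Microsoft's actual weighting is not published here): a PowerShell prioritiser that takes the same four inputs, scores constructed findings, groups them by affected software the way the plan groups remediation tasks, and stops at an approval prompt. The weights, field names, CVE IDs and device names are all assumptions or constructed data.

```powershell
# Added example: a simplified version of the agent's ranking step. The weights and the
# field names are assumptions for illustration; CVE IDs and device names are constructed.
function Get-RemediationPlan {
    param([Parameter(Mandatory)][object[]]$Findings)

    # Asset criticality tags (as applied in Defender for Endpoint) scale the score
    $critWeight = @{ High = 1.5; Medium = 1.0; Low = 0.7 }

    $scored = foreach ($f in $Findings) {
        # CVSS says how bad, EPSS says how likely: multiply rather than add so a
        # 9.8 with a 2% EPSS does not outrank a 7.8 that is being exploited
        $score = $f.CvssBase * (0.25 + $f.Epss) * $critWeight[$f.AssetCriticality]
        if ($f.ExploitedInWild) { $score += 5 }   # in-the-wild exploitation trumps the arithmetic
        [pscustomobject]@{
            Cve      = $f.Cve
            Software = $f.Software
            Device   = $f.Device
            Priority = [math]::Round($score, 2)
        }
    }

    # Group by affected software: one update task closes every CVE it fixes on every device
    $scored | Group-Object Software | ForEach-Object {
        [pscustomobject]@{
            Software    = $_.Name
            Cves        = @($_.Group.Cve | Sort-Object -Unique)
            Devices     = @($_.Group.Device | Sort-Object -Unique)
            TopPriority = ($_.Group.Priority | Measure-Object -Maximum).Maximum
            Action      = 'Update'   # the pipeline also supports config changes and app removal
        }
    } | Sort-Object TopPriority -Descending
}

# Constructed findings (placeholder CVE IDs, not real advisories)
$findings = @(
    [pscustomobject]@{ Cve='CVE-0000-0001'; Software='ExampleBrowser'; Device='WKS-001'; CvssBase=9.8; Epss=0.02; ExploitedInWild=$false; AssetCriticality='Low' }
    [pscustomobject]@{ Cve='CVE-0000-0002'; Software='ExamplePDF';     Device='WKS-001'; CvssBase=7.8; Epss=0.89; ExploitedInWild=$true;  AssetCriticality='High' }
    [pscustomobject]@{ Cve='CVE-0000-0002'; Software='ExamplePDF';     Device='WKS-002'; CvssBase=7.8; Epss=0.89; ExploitedInWild=$true;  AssetCriticality='Medium' }
    [pscustomobject]@{ Cve='CVE-0000-0003'; Software='ExamplePDF';     Device='WKS-002'; CvssBase=5.4; Epss=0.01; ExploitedInWild=$false; AssetCriticality='Medium' }
)

$plan = Get-RemediationPlan -Findings $findings
$cols = 'Software', 'TopPriority', 'Action',
        @{ n='CVEs';    e={ $_.Cves -join ', ' } },
        @{ n='Devices'; e={ $_.Devices -join ', ' } }
$plan | Format-Table -Property $cols -AutoSize

# Approval gate: nothing is deployed until an admin confirms, mirroring the preview default
if ((Read-Host "Submit $($plan.Count) remediation task(s)? [y/N]") -eq 'y') {
    Write-Host "Approved: hand the plan to your remediation pipeline here."
}
```

With these inputs the ExamplePDF task ranks first (its actively exploited CVE on a High-criticality asset scores about 18) while the CVSS 9.8 browser finding with negligible EPSS on a Low-criticality asset scores under 2, which is the behaviour you want an approving admin to see before anything is pushed.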
Licensing and prerequisites
| Requirement | Detail |
|---|---|
| Security Copilot | Security Compute Units (SCU) provisioned in your tenant |
| Defender Vulnerability Management | Add-on or included via Microsoft 365 E5 / Defender for Endpoint P2 |
| Intune Plan 1 or higher | Devices must be Intune-enrolled for remediation task delivery |
| Entra agentic identity | Provisioned automatically when agent is enabled; review permissions granted |
MVP Rudy Ooms (Call4Cloud) has been closely tracking agentic identity patterns in Intune — watch his blog for deep dives on the permission model once the preview widens.
Enterprise Application Management Auto-Updates — Generally Available
Enterprise Application Management (EAM) exits preview and reaches GA this month, with auto-updates for the Microsoft-managed app catalogue now fully supported in production tenants. EAM solves one of the most persistent operational headaches in enterprise endpoint management: keeping third-party applications current without packaging overhead.
When auto-updates are enabled for a catalogued app, Intune monitors the Microsoft-maintained package feed and automatically delivers incremental updates to enrolled devices as new versions are published. This is not a "check for updates" instruction sent to the client — it is a server-side version bump that results in a new Win32 app assignment revision reaching the device silently.
Licensing change — July 1 2026
EAM is moving from its current standalone add-on SKU into Microsoft 365 E5 as of July 1, 2026. If your organisation is already on M365 E5, EAM auto-updates will be included at no additional cost from that date. Organisations on lower SKUs will continue to need the EAM add-on. Review your licensing before July 1 to understand whether you gain access automatically or need a separate entitlement conversation with your Microsoft account team.
MVP Peter van der Woude has published extensive guidance on configuring EAM catalogues and update rings — his blog at petervanderwoude.nl is an essential reference for production deployment patterns.
Endpoint Privilege Management — New GA Features
EPM continues to mature with three notable additions in June, two reaching GA and one adding a new control type.
Non-primary user approval requests (GA)
Previously, EPM support-approved elevation requests only worked cleanly when the requesting user was the primary user of the device. Shared devices — common in healthcare, manufacturing, and education — effectively excluded secondary users from the approval workflow. This gap is now closed. Any enrolled user on a multi-user device can submit an elevation request, and the approval workflow routes correctly regardless of primary user assignment.
System-level network configuration (GA)
EPM elevation rules can now target system-level network configuration operations — specifically, tasks that previously required local administrator rights to complete, such as configuring VPN adapters, modifying network adapter properties, and managing static IP assignments. This is particularly relevant for organisations that need field technicians to reconfigure network settings on-site without granting standing admin rights. The elevation runs in a constrained context and is fully audited in the EPM report.
New Deny elevation type
EPM now supports an explicit Deny elevation type in policy rules. Previously, EPM rules were allow-list oriented — if no rule matched, the elevation request was handled by the default elevation policy. The new Deny type lets you create explicit block rules for specific executables or file paths, ensuring that even if a user attempts to elevate a known-bad or out-of-scope binary, EPM actively rejects the request and logs the attempt. This is useful for blocking elevation of known LOB apps that have been flagged by security, while keeping the default policy permissive for unmatched requests.
Scope tag fix for EPM reports
A bug in EPM reporting caused elevation events to appear in reports for admins whose scope tags should have excluded those devices. This is resolved in the June service update. If you operate a multi-tenant admin model with delegated scope tags, revalidate your EPM report views after the update rolls to your tenant.
STIG Audit Baseline — Windows 11 SCAP Benchmark v2 r7
Intune now ships a built-in STIG Audit Baseline for Windows 11, based on the Windows 11 STIG SCAP Benchmark v2 r7 published January 5, 2026. This is an audit-only baseline — it reports compliance against STIG controls without enforcing them, which is intentional: STIG enforcement without careful staged rollout is a reliable way to break production workloads.
The baseline uses NIST XCCDF (Extensible Configuration Checklist Description Format) mapping, meaning each control maps to its STIG rule ID, NIST SP 800-53 control identifier, and CCE (Common Configuration Enumeration) reference. This makes it straightforward to produce compliance artefacts for FedRAMP, CMMC, and DoD authorisation packages.
Graph API support
STIG baseline compliance data is exposed via the Microsoft Graph API, enabling automated compliance reporting pipelines. The following PowerShell snippet demonstrates pulling STIG audit results for all devices in a tenant:
```powershell
# Requires: Microsoft.Graph.Authentication (provides Invoke-MgGraphRequest)
#           + the DeviceManagementConfiguration.Read.All permission
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"

# Retrieve per-device status for the STIG audit baseline policy
$baselineId = "<your-stig-baseline-policy-id>"
$uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$baselineId/deviceStatuses"

# Follow @odata.nextLink so large tenants are not truncated to the first page
$results = @()
do {
    $page = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject
    $results += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Filter non-compliant devices and export
$nonCompliant = $results | Where-Object { $_.status -ne "compliant" }
$nonCompliant | Select-Object deviceDisplayName, status, lastReportedDateTime |
    Export-Csv -Path ".\STIG_NonCompliant_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Non-compliant device count: $(@($nonCompliant).Count)"
```
MVP Jan Ketil Skanke (co-founder of MSEndpointMgr) has been a strong advocate for STIG-aligned baselines in Intune — his work on security benchmarks and compliance reporting is worth following as the feature matures toward enforcement capability.
Multi Admin Approval via Graph API
Multi Admin Approval (MAA) — Intune's four-eyes control for high-impact policy changes — now exposes its workflow via the Microsoft Graph API. Previously, all MAA interactions required the Intune admin centre UI, which made it impossible to integrate approval gates into existing ITSM pipelines or DevOps workflows.
With Graph API support, you can now programmatically submit change requests for approval, query pending approvals, and approve or reject requests from service accounts with appropriate RBAC roles. This unlocks scenarios such as ServiceNow change tickets that automatically trigger an MAA approval request in Intune, or GitOps pipelines where a pull request merge initiates a policy change pending dual approval.
Approvers need the Intune Administrator role or a custom role with the Approve permission on the relevant resource type. Service accounts used for programmatic approval must not be the same identity that submitted the request; the MAA dual-control requirement still applies.
Ubuntu 26.04 LTS Support
Intune now officially supports Ubuntu 26.04 LTS (Noble Numbat's successor) for Linux device management. This covers MDM enrolment via the Intune agent for Linux, compliance policy evaluation, and custom script deployment.
Connected Cache — HTTPS Enforcement (June 16, 2026)
Microsoft Connected Cache (MCC) nodes configured in Intune will enforce HTTPS-only communication from June 16, 2026. Any MCC node still configured for HTTP-only content delivery will fail to serve cached content to clients after this date.
Action items before June 16:
- Verify TLS certificates on all MCC nodes are valid and not self-signed (or that self-signed certs are trusted by your client devices).
- Check MCC node configuration in the Intune admin centre under Tenant administration > Connectors and tokens > Microsoft Connected Cache.
- Review client Delivery Optimisation policy to ensure DOCacheHostSource is set appropriately and clients will fall back gracefully to the CDN if MCC is unreachable.
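The following is an added example (not Microsoft's MCC tooling) that checks the first and third action items from an admin workstation: it performs a TLS handshake against each MCC node and reports chain errors, self-signed status and expiry, then reads the local Delivery Optimisation cache-host policy. The node host names are constructed placeholders; the PolicyManager registry path is where MDM-applied policy normally lands and is noted as an assumption in the code.

```powershell
# Added example, not part of Microsoft's MCC tooling. Checks (1) the TLS certificate each
# MCC node presents and (2) the local Delivery Optimisation cache-host policy.

function Test-MccNodeTls {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    # The validation callback records what the OS chain build says about the certificate;
    # it returns $true so the handshake completes and we can inspect the cert ourselves.
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = { param($sender, $cert, $chain, $errors)
        $state.Errors = $errors; $true }.GetNewClosure()

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName    = $HostName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
            ChainErrors = $state.Errors
            Protocol    = $ssl.SslProtocol
            # Healthy means: chain validates from THIS machine's trust store and cert is unexpired
            Healthy     = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None) -and
                          ($cert.NotAfter -gt (Get-Date))
        }
    }
    catch {
        [pscustomobject]@{ HostName = $HostName; Healthy = $false; ChainErrors = $_.Exception.Message }
    }
    finally { $client.Dispose() }
}

function Get-DoCacheHostConfig {
    # GPO-delivered DO policy lives under Policies. The PolicyManager path is where Intune
    # CSP-applied policy is normally written; treat that path as an assumption and verify.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization',
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($v) {
            [pscustomobject]@{
                Source                               = $p
                DOCacheHost                          = $v.DOCacheHost
                DOCacheHostSource                    = $v.DOCacheHostSource   # 1 or 2 = host name from DHCP option 235
                DODelayCacheServerFallbackForeground = $v.DODelayCacheServerFallbackForeground   # seconds before CDN fallback
                DODelayCacheServerFallbackBackground = $v.DODelayCacheServerFallbackBackground
            }
        }
    }
}

# Constructed node names; replace with the host names registered under
# Tenant administration > Connectors and tokens > Microsoft Connected Cache.
$nodes = 'mcc-node-01.corp.example', 'mcc-node-02.corp.example'
$nodes | ForEach-Object { Test-MccNodeTls -HostName $_ } |
    Format-Table HostName, Healthy, SelfSigned, NotAfter, ChainErrors, Protocol -AutoSize

Get-DoCacheHostConfig | Format-List
```

Note that Healthy reflects the trust store of the machine running the script. A self-signed node certificate will show ChainErrors of RemoteCertificateChainErrors here and will fail on clients too unless that certificate (or its issuing CA) has been pushed to the client trusted root store, which is exactly the case the first action item warns about.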
Apple ADE — New Infrastructure and Enrollment Time Grouping
Apple's Automated Device Enrolment (ADE, formerly DEP) backend infrastructure is being updated by Apple, and Intune has updated its integration layer accordingly. No admin action is required for existing ADE tokens, but you should verify that your MDM server certificate and token in Apple Business Manager / Apple School Manager are current (tokens expire annually).
Enrollment Time Grouping is now available for ADE profiles. This allows you to assign a device to an Entra ID group at enrolment time — before the user signs in — based on metadata available in the ADE payload (such as device model, serial number prefix, or MDM server assignment). This is particularly useful for organisations that need to differentiate kiosk devices, shared iPads, or corporate-liable vs BYOD streams from the moment the device first contacts Intune.
It pairs with dynamic group rules keyed on the enrollmentProfileName device attribute, giving you a two-layer targeting model: profile-based group assignment at enrolment, then dynamic group refinement post-enrolment once device attributes are populated.
Android XR Device Management
Intune now supports management of Android XR devices — the platform underpinning Samsung's Project Moohan and other enterprise mixed-reality hardware. This initial release covers:
- Device enrolment via Android Enterprise fully managed device mode
- Compliance policy evaluation (OS version, encryption, device health attestation)
- Application deployment for Android XR-compatible apps via Managed Google Play
- Remote wipe and lock
Configuration profile support for XR-specific settings (spatial input, display calibration, gaze-tracking controls) is expected in a future release. For now, treat Android XR devices as fully managed Android Enterprise endpoints with the caveat that some hardware-specific MDM capabilities are not yet surfaced in the Intune policy engine.
iOS MAM SDK Warning — Late June (Non-Blocking)
Starting in late June 2026, users on iOS devices may see a non-blocking warning dialog from apps built on older versions of the Intune App Protection (MAM) SDK. Affected apps include Microsoft Teams, Outlook for iOS, Microsoft Edge, and OneDrive for iOS — all of which ship with the MAM SDK embedded.
The warning is informational and does not block app functionality or data access. It is a signal that the app binary has not yet been updated to the latest MAM SDK version, which includes improvements to the conditional launch evaluation pipeline.
Policy Configuration Agent — STIG Reasoning
The Policy Configuration Agent — Intune's Security Copilot-powered assistant for building configuration profiles — has been updated to reason over STIG benchmarks. When you describe a compliance objective in natural language (e.g., "configure Windows 11 to meet STIG V-253264"), the agent can now map your request to the relevant STIG rule, identify the corresponding Intune CSP or Settings Catalog setting, suggest the correct value, and provide the rationale drawn from the XCCDF benchmark text.
This significantly lowers the barrier for organisations pursuing STIG compliance who lack dedicated ISSO staff fluent in both DISA STIG language and Intune's policy model. As with all Copilot-generated policy suggestions, treat the output as a starting point and validate against the authoritative STIG benchmark before deploying to production.
MVP Michael Niehaus has written about the trajectory of AI-assisted policy configuration — his perspective on where agentic policy authoring is heading is worth reading alongside the official documentation.
Change Review Agent
Rounding out the June AI feature set is the Change Review Agent, which provides automated impact analysis before you save or deploy a configuration policy change. When you edit a policy in the Intune admin centre, the agent analyses the delta between the current and proposed configuration, identifies devices that would be affected, checks for conflicts with other policies in scope, and flags any settings that are known to cause restart or disruption events.
The Change Review Agent surfaces its findings inline in the policy editor — you do not need to navigate to a separate Copilot pane. The analysis is logged to the Intune audit log with the agent identity, giving you a reviewable record of the pre-change assessment alongside the change itself.
Summary — Action Items for June 2026
| Feature | Status | Action Required |
|---|---|---|
| Vulnerability Remediation Agent | Public Preview | Enable with an approving admin in the loop; review the permissions granted to the auto-provisioned agentic identity |
| EAM Auto-Updates | GA | Review licensing; M365 E5 includes from July 1 |
| EPM non-primary user + network config | GA | Review EPM policies; validate scope tag report fix |
| STIG Audit Baseline | GA | Deploy in audit-only mode; review Graph API reporting |
| Connected Cache HTTPS | Enforced June 16 | Verify TLS certs on all MCC nodes before June 16 |
| Ubuntu 22.04 EOS | August 2026 | Plan Linux fleet upgrade to 24.04 or 26.04 LTS |
| iOS MAM SDK warning | Late June (non-blocking) | No action; ensure first-party app updates are not blocked |
| Android XR, ADE, MAA Graph API, Agents | GA / Preview | Evaluate for your environment; no forced migration |
Sources: Intune June 2026 What's New (Tech Community) · What's New in Intune (learn.microsoft.com) · Vulnerability Remediation Agent docs · Vulnerability Remediation Agent preview announcement