June 2026 was one of the busier months for Windows IT admins in recent memory. Kerberos RC4 enforcement reaches its final and permanent phase with the July 2026 security update - Audit mode is gone for good. The Modern Print Platform has been renamed Windows Ready Print, and its default installation behaviour changes next month. Intune Enterprise Application Management gets auto-update support. And two new Kerberos extensions are entering public preview that will finally let you reduce NTLM without the usual collateral damage. Here is what you need to know, and what you need to do before July hits your estate.
The July 2026 monthly security update removes Kerberos RC4 Audit mode on all domain controllers. If you still have RC4-dependent service accounts, applications, or network appliances, they will begin failing authentication once Enforcement mode becomes mandatory. Run the detection commands in Section 1 before you apply the July update.
1. Kerberos RC4 hardening - Enforcement is now mandatory, Audit mode removed
Microsoft has been deprecating RC4 encryption in Kerberos since 2022. The July 2026 Windows security update is the final phase: Audit mode is removed, and Enforcement mode becomes the only supported behaviour on domain controllers. If RC4 Kerberos tickets are still being issued anywhere in your domain after this update is applied, authentication for those accounts and services will fail - not log a warning, not fall back silently, fail with KRB_ERR_ETYPE_NOSUPP.
RC4 survives in enterprise environments for three common reasons: service accounts with a weak password hash type that can only generate RC4 keys, legacy applications that request RC4 explicitly in their Kerberos AS-REQ, and network appliances such as NAS boxes, older printers, and Linux hosts that cannot negotiate AES. You need to find all three categories before enforcement takes effect.
Step 1 - Detect RC4 Kerberos traffic in your domain
Run this on each domain controller. It searches the Security event log for Event ID 4769 (Kerberos Service Ticket Operations) with ticket encryption type 0x17 - that is decimal 23 - which is RC4_HMAC. Any result here is an account or service that will break after the July update.
auditpol /get /subcategory:"Kerberos Service Ticket Operations" on your DCs - it must show "Success and Failure". If it is not enabled, turn it on in Default Domain Controllers Policy and allow 24 hours of traffic to accumulate before trusting the absence of results.
Step 2 - Check the current encryption type configuration on your domain controllers
Step 3 - Disable RC4 via Group Policy
For Intune-managed hybrid-joined clients, apply the same restriction as a custom OMA-URI policy. This controls which encryption types the Kerberos client on the endpoint will negotiate when authenticating to on-premises resources:
| OMA-URI | ./Device/Vendor/MSFT/Registry/HKLM/SYSTEM/CurrentControlSet/Control/Lsa/Kerberos/Parameters/SupportedEncryptionTypes |
| Data type | Integer |
| Value | 24 (0x18 = AES128 + AES256 only, no RC4) |
msDS-SupportedEncryptionTypes attribute on the target service account principal. If that attribute is missing or includes RC4, the DC now actively rejects RC4 ticket requests rather than issuing the ticket with a warning. The client receives KRB_ERR_ETYPE_NOSUPP and authentication fails. There is no fallback.
msDS-SupportedEncryptionTypes attribute in Active Directory to tell DCs to issue only AES tickets regardless of what the requester asks for: Set-ADUser svc-legacy -KerberosEncryptionType AES128,AES256. Run this for each affected account, then re-run the Event 4769 query to confirm RC4 tickets stop appearing.
2. Windows Ready Print - Modern Print Platform renamed, July 2026 default changes
The Modern Print Platform has been renamed to Windows Ready Print. Starting July 2026, new printer installations will default to Windows Ready Print where the printer supports it - meaning IPP (Internet Printing Protocol), eSCL scanning, and Universal Print, with no third-party driver required. This is part of the same driver-light printing direction as Windows Protected Print.
For most managed estates this is a positive change - fewer drivers means a smaller attack surface and simpler update management. But if your environment has printers that only communicate via proprietary protocols, or if your print server topology relies on classic Windows print driver infrastructure, test the July change before it reaches production.
Get-Printer | Select Name, PortName, DriverName on print servers and correlate against the hardware manufacturer's IPP support documentation.
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureWindowsProtectedPrint - data type String, value <enabled/> or <disabled/>.
3. Intune Enterprise Application Management - Auto-updates now available
Intune Enterprise Application Management now supports automatic updates for managed applications in the Enterprise App Catalog. Previously, keeping an app at its latest point release required repackaging the new installer, creating a new app object in Intune, and managing the supersedence chain manually. Auto-updates handle incremental releases (such as 4.1 to 4.2) without any admin intervention after initial configuration.
This feature applies specifically to apps sourced from the Enterprise App Catalog - Microsoft-hosted, pre-packaged applications that EAM manages. It does not replace Win32 app packaging for custom or unlisted applications, and major version upgrades still require an explicit admin action.
4. IAKerb and LocalKDC - NTLM reduction is getting a proper solution
IAKerb and LocalKDC are two new Kerberos extensions now available in the Windows Insider Program, with a public preview coming for both client and server. They directly target the two scenarios where NTLM has always been the last resort despite years of Microsoft telling admins to turn it off.
LocalKDC brings a lightweight Key Distribution Center directly to the local machine. Local account authentication - workgroup scenarios, local administrator - can now use Kerberos rather than falling back to NTLM. This is the most common remaining source of NTLM in environments that have otherwise completed their Kerberos migration.
IAKerb (Initial and Pass-Through Authentication using Kerberos) allows Kerberos to flow through a proxy or intermediary when the device does not have direct DC connectivity. This solves the remote worker and DMZ host problem - VPN split tunnel scenarios, constrained network environments - where NTLM was the only option because the device could not reach a domain controller directly.
5. Point-in-time restore is generally available
Point-in-time restore for Windows 11 is now generally available across Enterprise, Pro, and Home editions. It allows a device to be rolled back to a previous state in minutes rather than hours, without a full reimaging workflow. For managed endpoints this matters most in ransomware response and accidental mass-deletion scenarios.
Before enabling this broadly in a managed estate, test it against your endpoint stack. The components most likely to show conflicts after a restore are BitLocker (verify recovery key escrow relationship survives the rollback), Intune co-management state and MDM certificate, EDR agents where rollback behaviour may trigger a tamper alert, and VPN client certificates issued after the restore target date.
6. DirectAccess is deprecated - Always On VPN is the migration path
Microsoft has formally deprecated DirectAccess and confirmed it will be removed in a future version of Windows Server. If you are still running DirectAccess infrastructure, the supported migration path is Always On VPN managed via Intune using the VPNv2 CSP.
Microsoft's official migration guidance covers side-by-side coexistence (both DA and AOVPN active simultaneously during transition), certificate migration from NPS/RRAS, and client profile deployment. The recommended approach runs DA and AOVPN in parallel until all clients have moved, then decommissions the DA infrastructure.
7. Windows 10 ESU - Personal devices get one more year, to October 2027
Microsoft is extending Windows 10 Extended Security Updates for personal-use devices by one additional year, pushing coverage to October 12, 2027. This is specifically for consumer devices purchased through the personal ESU program - it does not change the commercial ESU Year 2 and Year 3 timelines for business devices.
For enterprise environments the Windows 10 end-of-support date remains October 14, 2025. Commercial ESU continues under the existing pricing tiers. The personal extension does not change your corporate migration timeline.
8. Other June 2026 updates worth knowing
DNS over HTTPS is generally available on Windows Server 2025. Deploy encrypted client-to-resolver DNS within on-premises infrastructure without cloud dependency. Configure via DNS Manager or PowerShell: Set-DnsServerDoh. Certificates, client configuration, and split-horizon integration are all supported.
When Windows Hello face or fingerprint is set up, it is now the default sign-in method every time - even if the user last authenticated with a PIN or password. Ships with the June 2026 security update for Windows 11 25H2 and 24H2. No policy change needed; it applies automatically to devices with biometrics enrolled.
26H2 is available in the Windows Insider Program (Beta and Experimental channels). It shares the same servicing branch as 25H2 and 24H2 and can be updated via an enablement package. Note: 26H2 will default-enable Windows Backup for Organizations (renamed to "Windows settings backup and restore") on eligible devices where the policy is left Not Configured - plan your policy coverage before deployment.
Windows 365 now supports granular device and resource redirection controls based on contextual signals: device management state, compliance posture, group membership, and network conditions. In public preview. Relevant for organizations running W365 with mixed managed and unmanaged client device scenarios where clipboard and drive redirection need to be scoped differently by trust level.
Hotpatch update support for Windows Server 2022 Datacenter: Azure Edition has been extended through October 2027. If you run Azure Arc-connected WS2022 DE nodes that rely on hotpatch to minimize reboot cycles, no action is required - the support window is extended automatically with no configuration change needed.
From the July 2026 optional update preview: Widgets no longer open on hover and taskbar badges are minimized by default. Windows Search now finds files with as few as two characters typed - no minimum length. Shared Audio allows two users to listen from a single PC simultaneously. These are user experience defaults; the Widgets behavior can be managed via the Widgets CSP if needed.
Microsoft documentation references
- Windows news you can use: June 2026 - Microsoft Tech Community
- Kerberos RC4 encryption deprecation - Microsoft Learn
- Kerberos Authentication Overview - Microsoft Learn
- Enterprise app management in Microsoft Intune - Microsoft Learn
- DirectAccess to Always On VPN migration overview - Microsoft Learn
- DNS over HTTPS (DoH) support in Windows Server 2025 - Microsoft Learn
- What's new in Windows 11 - Microsoft Learn
- Windows Protected Print Mode - Microsoft Tech Community
9. Intune Compliance Policies — What they are and what changed in June 2026
If you are new to this area, here is the short version: a compliance policy in Intune is a set of rules that a device must pass before it is allowed to access company resources. Think of it as a health check that runs silently in the background. If a device fails — because BitLocker is off, the OS is out of date, or antivirus is disabled — Intune marks it as non-compliant, and your Conditional Access rules in Entra ID block that device from reaching email, SharePoint, or anything else you have protected.
The distinction between a compliance policy and a configuration policy trips up a lot of people. A configuration policy pushes a setting to a device — it turns BitLocker on. A compliance policy checks whether a setting is present — it asks whether BitLocker is on. They work together but they are separate things. You can configure BitLocker via a configuration policy and then verify it is actually running via a compliance policy.
What June 2026 changed — Ubuntu 24.04 and 26.04 LTS now supported for Linux compliance
Microsoft has added Ubuntu Desktop 24.04 LTS and 26.04 LTS to the list of supported Linux platforms for Intune device compliance. This matters if you manage Linux developer workstations or any Ubuntu endpoints. Previously only 22.04 was supported — devices running 24.04 would show as Not evaluated in your compliance dashboard, which is a different state to Non-compliant and often gets overlooked.
Here is how to create a Linux compliance policy from scratch. We will walk through each step so you know exactly what you are configuring and why.
Step 1 — Navigate to Compliance policies in the Intune admin centre
When you click Create policy, you will be asked to choose a platform. Choose Linux. You will then be taken through four tabs: Basics, Compliance settings, Actions for noncompliance, and Assignments.
Step 2 — Configure the compliance settings that actually matter for Linux
On the Compliance settings tab, you will see a list of checks Intune can run against a Linux device. Not all of these are equally important — here are the ones you should always enable and why:
| Setting | Recommended value | Why you need it |
|---|---|---|
| Microsoft Defender is running | Require | Verifies MDE is active — without this a device with Defender stopped will still pass compliance |
| Real-time protection | Require | A device with Defender installed but passive-mode enabled will not block threats — this catches that gap |
| Minimum OS version | 22.04 / 24.04 | Forces devices onto a supported LTS kernel — devices running unsupported distro versions will be blocked |
| Encryption of data storage | Require | Checks that disk encryption (LUKS or equivalent) is active — important if users take laptops home |
Step 3 — Set a grace period, not an instant block
On the Actions for noncompliance tab, the default action is to mark the device non-compliant immediately. That means the moment a check fails, access is blocked. For most settings that is too aggressive — you will flood your helpdesk with calls from users who got blocked because a scan ran at the wrong moment.
A better approach is to set a grace period of 1–3 days for most settings. This means the device is marked In grace period rather than Non-compliant immediately, and it has time to self-heal before access is cut. Only after the grace period expires does Conditional Access step in. Reserve immediate blocking for your most critical settings — things like Defender being completely off.
Verifying compliance status with PowerShell and Microsoft Graph
The Intune admin centre shows compliance status per-device, but if you want to audit across your whole estate — say, to find every non-compliant device before a security review — PowerShell against Microsoft Graph is much faster. Here is how to do it:
First, connect to Microsoft Graph with the permission scope that lets you read device compliance data:
What you are looking at when this runs:
10. Microsoft Defender for Endpoint via Intune — How the policy chain works and what changed in June 2026
A lot of IT admins manage Defender settings in two different places without realising it — the Microsoft Defender portal (security.microsoft.com) and the Intune admin centre. These two places can push conflicting settings to the same device. Understanding how they relate is one of the most practically important things you can learn for endpoint security management.
Here is the mental model: Intune is the management plane — it decides what policy gets deployed and to whom. Microsoft Defender for Endpoint (MDE) is the enforcement plane — the agent on the device that actually applies the settings and detects threats. When you create an Endpoint Security policy in Intune, Intune sends it to the MDE agent which applies it locally. Neither requires the other, but they work best together.
Controls Defender AV behaviour — real-time protection, scheduled scans, exclusions, cloud-delivered protection. This is your first line of defence configuration.
Manages BitLocker on Windows and FileVault on macOS. Separate from compliance — this actively configures encryption, not just checks for it.
Configures Windows Firewall rules and profiles (Domain, Private, Public). You can create granular allow/block rules here rather than via GPO.
The EDR profile onboards devices to MDE and controls telemetry. Every device needs this if you want threat hunting and incident response capability in the Defender portal.
ASR rules block specific attack techniques — macro execution from Office, process injection from JS, credential theft from LSASS. Each rule can be set to Audit, Block, or Off.
Covers Windows Hello for Business and Credential Guard. Controls how user credentials are protected on-device — relevant for pass-the-hash attack prevention.
New in June 2026 — Defender Antivirus gets two new Linux Server settings
Microsoft added two new settings to the existing Defender Antivirus endpoint security profile for Linux Server. These appear automatically in your existing profiles if you have Linux devices managed via Intune or via MDE security settings management — no new profile is needed. Both default to Not configured, so they are not active unless you explicitly set them.
| New setting | Default | What it controls and why you would enable it |
|---|---|---|
| Offline security intelligence update | Not configured | Controls how Defender updates its definitions when the device is not connected to the internet. Enable this if you have air-gapped or intermittently connected Linux servers — without it, definitions can go stale and real-time protection degrades silently. |
| Scheduled scan | Not configured | Manages when Defender runs full scans on Linux. By default Defender only does real-time scanning on file access. A weekly scheduled scan catches anything that slipped through. Set this to run during maintenance windows to avoid impacting server performance during business hours. |
These settings apply to two types of Linux devices: devices enrolled in Intune in the traditional sense, and devices that are managed via the MDE security settings management path — where the device is onboarded to Defender for Endpoint but not fully enrolled in Intune. The second scenario is common for Linux servers in Azure or on-premises where full MDM enrollment is not practical.
How to create your first Antivirus policy in Intune — step by step
If you have never created an Endpoint Security policy before, here is exactly what to do. We will create a basic Antivirus policy for Windows devices. The same flow applies to all other policy types — only the settings change.
Verify your Defender policies are actually applying — PowerShell check
After you assign a policy, give the device 15–20 minutes to check in and apply it. Then run this on the device to confirm the settings are in place:
11. Intune Security Baselines and Preview Policies — What updated in June 2026 and how baselines work
Security baselines in Intune are pre-built policy bundles that Microsoft has assembled based on the recommendations of the Microsoft security team and industry standards like CIS. Instead of you manually configuring 200 individual settings, a baseline gives you a tested starting point in one click.
The important thing to understand about baselines is that they are versioned. When Microsoft releases a new version, your existing baseline profiles do not update automatically. You have to actively choose to migrate to the new version. This is by design — an automatic update to a baseline could change a setting and break something in production without warning. You control when you adopt a new version.
What updated in June 2026 — two baselines changed
A new baseline version is available. This skips the previously released v2412 version. Three settings are not yet included because the Settings Catalog does not yet have the CSP nodes for them:
- Require macros to be signed by a trusted publisher
- Block certificates originating from the current user store only
- Require Extended Key Usage for code signing
These will be added in a future version when the CSP nodes are available. The VBA macro notification setting (Disable all except digitally signed macros) is still present and applied.
One new setting has been added to the existing 25H2 baseline version — this is an inline update, not a new version number:
This setting was excluded from the initial 25H2 baseline due to a known issue that has since been resolved. Enabling it prevents IE11 from being launched programmatically via COM — a technique used by some malware and legacy shortcuts to bypass Edge. The setting is now included and defaults to Enabled in the baseline.
How to migrate to a new baseline version — the safe approach
When a new baseline version appears, you have two choices: create a fresh profile from the new version, or use the built-in migration wizard. The wizard is easier — here is how to use it:
Multi Admin Approval now enforced on Graph API automation — what this means for your scripts
Multi Admin Approval (MAA) was previously only enforced on interactive admin actions in the Intune admin centre. As of June 2026, it now also applies to API calls made by automation scripts, service principals, and third-party tools. If your tenant has MAA enabled and your automation script tries to make a change without the required approval headers, it will receive an HTTP 403 response and the change will not apply.
This affects any PowerShell scripts using the Microsoft Graph SDK or direct REST calls that modify Intune resources covered by MAA (currently: Application management, Device wipe, Script assignments). If your automation started failing with 403 errors after the June 2026 service release, this is likely why.
Add the service principal or app registration used by your automation script to the Exclusions list. This exempts that application from MAA requirements while keeping the approval workflow active for interactive admin changes. Review your exclusions list quarterly — service principals tend to accumulate there and become a security debt.
12. Intune Suite features added to Microsoft 365 E3 and E5 — what you now have access to
This is probably the most impactful licensing change in June 2026 for most IT teams. Microsoft is moving several capabilities that previously required an Intune Suite add-on licence into the base Microsoft 365 E3 and E5 subscriptions at no extra cost. You may already have access to these features and not know it yet.
Rollout is gradual — eligible tenants are being provisioned automatically with 30 days advance notice appearing in the M365 admin centre. If you have not seen the notice yet, check the admin centre Message Centre for updates.
A helpdesk tool built into Intune. Support agents connect directly to a user's device from the Intune portal and can view or take over the screen. Compliant and non-compliant device state is visible to the agent during the session. Replaces the need for third-party remote support tools for Intune-managed devices.
Adds deeper insight into your Intune estate — device anomaly detection, startup performance analysis, battery health scoring across the fleet, and app reliability data. Useful for proactively identifying devices heading towards failure before users raise helpdesk tickets.
Allows standard users to run specific applications with elevated privileges without needing a full local admin account. Define which executables can be elevated, by which users, and with what approval workflow. The goal is to remove standing local admin rights while keeping users unblocked for legitimate tasks.
Pre-packaged, Microsoft-maintained application catalogue for Intune deployment. Applications are kept updated automatically (incremental versions) without repackaging. Covered earlier in this post — now included in M365 E5 at no add-on cost.
A fully cloud-hosted certificate authority managed from Intune. Issue device and user certificates for Wi-Fi, VPN, and email authentication without running your own on-premises PKI infrastructure. Particularly useful for organizations moving away from on-premises Active Directory Certificate Services.
Includes Microsoft Tunnel for MAM (mobile app VPN without device enrollment), specialty device management for ruggedized and IoT devices, and FOTA (firmware over the air) updates for frontline devices. If you manage mobile workers with unmanaged personal phones accessing corporate apps, Microsoft Tunnel for MAM is the relevant piece here.