Download the full PDF →

Subscribe on LinkedIn → to get the next edition every Tuesday

Community shoutout

Florian Salzmann & Jannik Reinhard - CMTrace.dev - log viewer in your browser A free, zero-install log viewer for ConfigMgr, SCCM, and Intune. Open massive client logs, color-code severity, and chase down error codes - all in the browser, with files processed 100% locally so nothing leaves your machine. Read more

On the radar this week

• Kerberos RC4 Enforcement: 30-Day Remediation Deadline (Microsoft - Release Health) - July 2026 Windows security updates permanently remove Audit mode - any remaining RC4 dependencies will cause authentication failures the moment the update applies.
• KB5094126 Causing BSODs and Boot Failures on HP Devices (Reddit) - The June 2026 cumulative update is actively breaking HP ProBook/EliteBook fleets with boot failures, BitLocker recovery prompts, and EFI partition issues - admins should pause update rings for HP devices now.
• Intune Devices Blade Outage Across Multiple Regions (Reddit) - The Devices blade was confirmed unavailable on 16 June across UK, Austria, Netherlands, and Brazil - admins should monitor Service Health for an incident ID and verify console access is restored.
• Microsoft Tunnel v20260129.1 Stuck - Remediation Script Out (Blog - Customer Success) - Servers on this version are stalling mid-upgrade and need Microsoft's mstunnel-patch-2602 script or a full reinstall to restore tunnel functionality.
• Controlled Configuration for Defender Antivirus (Preview) (Microsoft - In Development) - This upcoming feature will override Group Policy, ConfigMgr, and local changes to Defender settings - co-managed environments need to review governance implications before it lands.

In this edition

Landing in your tenant soon

• Kerberos RC4 Enforcement Mode Arrives with July 2026 Windows Security Update
• Enrollment Time Grouping for Apple ADE Policies Goes GA
• Intune Data Warehouse (Beta) Power BI Connector Retirement Begins
• Scope Tags Now Respected in EPM Reports
• Device Control Policy Support Extends to MDE Security Settings Management
• Maintenance Window for Windows Update for Business Now GA

On the horizon

• Android Personally Owned Work Profile Devices Migrate to Android Management API (AMAPI)
• Controlled Configuration for Defender Antivirus Settings (Public Preview)
• Strict Tunnel Mode for Microsoft Tunnel on Android Enterprise
• Multiple Managed Accounts for App Protection Policies (iOS and Android)
• Client-Driven Compliance Evaluation for Windows Devices (Preview)
• In-Place Renewal for Cloud PKI Issuing Certification Authorities
• Agentic Identity for the Policy Configuration Agent (Public Preview)
• Custom Compliance Settings Coming to macOS
• Grant Enhanced MTD Security Permissions on Android Enterprise
• Silence Apps on Managed Home Screen During Authentication Prompts (Android)
• Block Bluetooth Sharing Setting Added to Android Enterprise Settings Catalog
• Disable MAC Address Randomization on macOS Wi-Fi Profiles
• 802.1x Wired Networks Profile Coming to iOS/iPadOS
• STIG Audit Security Baseline for GCC High Tenants

Action required

• Microsoft Tunnel Servers on Version 20260129.1 Are Stuck - Remediation Script Available
• Kerberos RC4 Enforcement Deadline: Remediate RC4 Dependencies Before July 2026 Update
• Intune Devices Blade Outage Reported Across Multiple Regions

What shipped

• June 2026 Windows Security Update (KB5094126) Now Available
• Enterprise App Management: Security Architecture Deep-Dive Published

From the field

• KB5094126 Causing Boot Failures, BSODs, BitLocker Recovery, and HP EFI Partition Issues
• HP EFI Partition (100 MB) Causing Recurring Windows Update Failures
• CanReset Value Randomly Flipping on Passwordless Cloud-Only Windows 11 Devices
• Secure Boot CA 2023 Rollout: Confidence Level Confusion and What "Under Observation" Actually Means
• Secure Boot CA 2023 Expiry Behaviour for Offline and Non-SB Devices Clarified by Community
• Browser-Based CMTrace Log Viewer (cmtrace.dev) Built for Autopilot ESP Troubleshooting
• Browser-Based Registry-to-Remediation Script Generator
• Edge Extension Inventory Script Sending Data to Azure Log Analytics
• Windows App (Remote Desktop) Update Notification Requiring User Interaction - No Silent Update Option Found
• WDAC and Adobe Acrobat Update Compatibility Causing Consistent Failures
• SCCM-to-Intune Migration: Real-World Gotchas from Admins Making the Switch
• Free Two-Part PowerShell Webinar Series for Intune/ConfigMgr Admins (June 23 and 30)

For the full story on every item, download the PDF. The PDF includes the radar, the upcoming-changes timeline, and the full body of each section.

Never miss an edition - subscribe to Intune Weekly on LinkedIn.

Download the full PDF →

Subscribe on LinkedIn → to get the next edition every Tuesday

Community shoutout

Simon Hartmann Eriksen & Roy Klooster - PPPC Builder for macOS A lightweight web-based tool that generates macOS PPPC (.mobileconfig) profiles tailored for Microsoft Intune. Select an app (or upload its Info.plist), choose the required privacy permissions (Screen Recording, Full Disk Access, Camera, Microphone, Accessibility), and download a ready-to-deploy .mobileconfig for Intune. No Jamf dependency; simple, fast, Intune-focused. Read more

On the radar this week

• WUfB Driver Policies Bypassed: 32 Drivers Force-Installed (Reddit) - A Microsoft-acknowledged service incident (MO1332784) caused declined driver policies to be ignored across multiple tenants, so admins should audit driver inventory and declined states immediately.
• ASR Rules Silently Disabled by Baseline + Policy Conflict (Reddit) - Conflicting ASR assignments between a Security Baseline and an Endpoint Security profile silently disable rules with no conflict alert, leaving endpoints potentially unprotected without any visible warning.
• Scripts & Remediations: Silent Failures and 8-Day Execution Gaps (Reddit) - A 900-upvote community thread documents widespread silent failures, missing logs, and multi-day execution delays in Scripts and Remediations, making any automation relying on these features unreliable right now.
• Secure Boot CA 2023: Manual Task Trigger Required for Update (Reddit) - BIOS updates alone do not trigger the Secure Boot CA 2023 certificate update, and the scheduled task must be manually invoked, so admins relying on passive rollout may miss the update entirely before compliance deadlines.
• MDOP End of Support: Migrate MBAM and App-V to Intune (Blog - Customer Success) - MDOP passed end of extended support on April 14, 2026, meaning any remaining MBAM or App-V workloads are now unpatched security risks and migration to Intune equivalents should be treated as urgent.

In this edition

Landing in your tenant soon

• MDE iOS In-App OS Update Notifications Retiring Mid-July 2026

On the horizon

• MDOP End of Support: Migration Path to Intune
• Windows 365 Developer-Focused Enhancements Announced at Build 2026
• macOS ADE: No Supported Method to Enforce Minimum OS Version Before Platform SSO Registration

Action required

• Secure Boot CA 2023 Certificate Update: Widespread Admin Confusion, Manual Trigger Available

From the field

• WUfB Driver Update Policies Bypassed: 32 Drivers Installed Across Multiple Tenants Simultaneously
• ASR Rules Silently Disabled When Security Baseline and Endpoint Security Profile Conflict
• Newly Created Entra Groups and App Deployments Not Reporting or Applying This Week
• Motherboard Replacement Breaks Entra/Intune Authentication Due to TPM/Hardware Hash Change
• Scripts and Remediations: Inconsistent Execution, No Logs, and 8-Day Gaps Draw Community Fury
• Intune App Inventory Graph API Returns 403 Despite GUI Access
• Autopilot v2 Device Rename Causes Unexpected OOBE Reboot Behaviour
• Remote Help Rollout: Edge Cases in Mixed Build Environments, SKU Confusion Persists
• Third-Party App Patching Tool Comparison: Robopack vs. Patch My PC vs. WAU
• Intune Naming Schemes: Community Tool nametune.vercel.app Gaining Traction
• Hybrid Joined Devices: Community Advises Against Managing via Both GPO and Intune Simultaneously

For the full story on every item, download the PDF. The PDF includes the radar, the upcoming-changes timeline, and the full body of each section.

Never miss an edition - subscribe to Intune Weekly on LinkedIn.

Download the full PDF →

Subscribe on LinkedIn → to get the next edition every Tuesday

On the radar this week

• Default Intune Settings Allow Users to Wipe Corporate Devices (Reddit) - Any enrolled user can unenroll and wipe their own corporate device via Company Portal by default - admins should hide remove/reset options in Tenant > Customization immediately.
• Autopatch Groups & Reporting Inaccessible - Multi-Region Outage (Reddit) - Admins in UK, Europe, and US lost access to Autopatch groups and update reports; validate configurations are intact now that access appears restored.
• Proactive Remediation Reporting Delayed Up to 7 Days (Reddit) - A confirmed service degradation means absence of remediation data should not be treated as success - do not make compliance or patching decisions based on reporting until resolved.
• mysignins.microsoft.com Down - New User MFA Registration Blocked (Reddit) - New users cannot register Microsoft Authenticator via the self-service portal; workaround is to manually add authentication methods in the Entra admin center.
• M365 Apps Policy Blade Leaving Intune Admin Center in June 2026 (Microsoft - Message Center) - Admins must migrate policy creation and editing workflows to the Microsoft 365 Apps admin center before the June 2026 service release removes the current blade.

In this edition

Landing in your tenant soon

• M365 Apps Policy Configuration Moves Out of Intune Admin Center

On the horizon

• Entra Device Soft Delete Now in Preview - BitLocker Keys and LAPS Preserved for 30 Days
• Secure Boot Certificate Expiry Hits in June - AMA Scheduled June 4

Action required

• Windows Autopatch Reporting and Groups Inaccessible Across Multiple Regions
• Proactive Remediation Reporting Delayed Up to 7 Days - Service Degradation Confirmed
• mysignins.microsoft.com Security Info Page Not Loading - New User MFA Setup Blocked

What shipped

• What's New in Microsoft Intune - May 2026
• Intune RBAC Roles Now Automatically Inherit Copilot in Intune Access
• Remote Help for Windows 5.2.1037.0 Released with Performance Improvements
• Windows Autopatch Hotpatch Now Default for Intune-Managed Devices; GCC Support Added
• May 2026 Windows 11 Non-Security Preview Update Now Available
• ConfigMgr 2603 Update Now Available
• Unpacking Endpoint Management Video Series Returns

From the field

• macOS WiFi Configuration Policies Returning InternalServerError via Graph - Inaccessible in Portal
• Company Portal (UWP) Showing Widespread Failure Rates Across Multiple Tenants
• Community Tool: Get-IntuneAssignments v1.0.15 Adds 7 New Policy Types
• Community Tool: IME Changelog Automation - What Changed Inside the Intune Management Extension
• Community Tool: Foundry OSD Now Supports Zero-Touch Autopilot Hardware Hash Upload
• Default Intune Settings Allow End Users to Self-Unenroll and Wipe Their Own Corporate Devices
• Edge "Sign in to sync your data" Splash Screen Persists Despite Intune Configuration Profile
• Microsoft Store App (New) Deployment Fails Reporting When Store Is Blocked by Policy
• macOS Platform SSO During ADE Failing 30–50% of the Time
• Secure Boot Enablement May Break Windows Hello When BitLocker Is Active
• On-Demand Script Execution in Intune: Remediation Scripts as the SCCM "Scripts" Replacement
• Autopilot v2 Supports Manufacturer + Model + Serial Registration Without Hardware Hash
• WinGet Auto-Update vs. Enterprise App Management vs. Patch My PC - Community Verdict

For the full story on every item, download the PDF. The PDF includes the radar, the upcoming-changes timeline, and the full body of each section.

Never miss an edition - subscribe to Intune Weekly on LinkedIn.

Download the full PDF →

Subscribe on LinkedIn → to get the next edition every Tuesday

Community shoutout

Sandy Zeng - IntuneDiff A diff/compare tool for Intune configurations that lets admins spot drift between policies, profiles, and tenants at a glance. Available as a website and now also as a PowerShell module on the PowerShell Gallery, so the same comparison logic can be scripted into reviews, audits, and CI checks. Read more

On the radar this week

• BitLocker Recovery Loop After May KB5089549 (Reddit) - Windows 11 devices are looping on the BitLocker recovery screen after every reboot post-patch - HP has a firmware workaround but admins need to act before wider deployment.
• Passkeys Not Blocking AiTM Session Token Theft (Reddit) - Confirmed compromises show phishing-resistant MFA alone doesn't stop session hijacking - admins should add token protection and Continuous Access Evaluation policies now.
• Remediation Script Reporting Still Stale Post-Outage (Reddit) - Console results are still showing May 16–17 timestamps days after recovery, so any compliance or operational decisions based on console data are unreliable until Microsoft closes the investigation.
• Low Telemetry Hides Devices from Secure Boot Report (Reddit) - Devices on 'Security' telemetry level are completely invisible to the Secure Boot certificate report, meaning admins may be miscounting compliance exposure ahead of the certificate rollout deadline.
• Remote Help & Advanced Analytics Rolling Into M365 Suites (Microsoft - Message Center) - Starting mid-June, these premium add-on features begin landing automatically in M365/EMS SKUs - admins should review licensing now to avoid surprise capacity or configuration gaps.

In this edition

Landing in your tenant soon

• Remote Help and Intune Advanced Analytics Coming to M365 / EMS Suites in Mid-June

On the horizon

• Admin Insights for Windows 365 Now in Public Preview

Action required

• Remediation and Platform Scripts Reporting Broken - Multi-Tenant Outage Now Resolved

What shipped

• Updated Secure Boot Status Report Now Live in Windows Autopatch
• Batch of In-Development Features Removed - Likely Shipped or Cancelled

From the field

• BitLocker Recovery Loop Returns After May KB5089549 - Worse Than April's KB5083769
• Telemetry Level Affects Secure Boot Certificate Report Visibility
• Passkeys Not Stopping Session Token Theft via AiTM Attacks
• Remediation Script Console Reporting Still Delayed Days After Outage Recovery
• Microsoft Store App Deployment Fails Reporting When Store Access Is Blocked by Policy
• SCCM-to-Intune Migration Framework Automates Autopilot Import - 6.5 Hours to 30 Minutes
• Driver Automation Tool v10 Seeking Community Feedback
• 94 Personal Devices Enrolled Despite BYOD Policy - Enforcement Gap Pattern
• Windows Hello for Business Cloud Kerberos Trust Fails on Hybrid-Joined Devices
• Dark Mode QR Code Bug: Enrollment Token QR Codes Won't Scan in Dark Mode
• LAPS for macOS Intermittently Failing - Username Case Sensitivity Is a Factor
• Dell BIOS/Firmware Management via Intune: DCU + Autopatch Approaches Compared

For the full story on every item, download the PDF. The PDF includes the radar, the upcoming-changes timeline, and the full body of each section.

Never miss an edition - subscribe to Intune Weekly on LinkedIn.

Download the full PDF →

Subscribe on LinkedIn → to get the next edition every Tuesday

Community shoutout

Simon Skotheimsvik - 1PhoneMirror A Windows-based screen-mirroring receiver built for Intune admins who need consistent, framed mobile screens for documentation and training. Supports iOS/macOS AirPlay (with optional PIN), Android wireless debugging via bundled adb/scrcpy, and experimental Miracast, with one-click screenshots or MP4/GIF recordings inside a device frame. Multiple devices stay paired and can be switched from a bottom bezel, with no app installs on the phones. Read more

On the radar this week

• YellowKey BitLocker Bypass - No Official Patch Yet (Microsoft - Learn) - Admins managing standalone Windows devices must evaluate disabling WinRE immediately as the only confirmed mitigation until Microsoft issues a fix; Entra-joined devices appear protected but should be verified.
• Hotpatch Silently Enabled Tenant-Wide from May 12 (Reddit) - Admins may be unaware devices are running hotpatch builds instead of the standard May CU, and those rolling out Secure Boot cert updates should expect additional unexpected reboots until the quarterly baseline CU applies.
• Intune Admin Center 'Access Denied' Outage on May 18 (Reddit) - Multiple admins lost access to the Intune admin center despite holding valid admin roles, and the Azure status page incorrectly showed all healthy - admins should know to open a support ticket rather than rely on the status page during future incidents.
• Secure Boot Certificates Expiring June 2026 - Rollout Planning Urgent (Microsoft - Release Health) - With expiry less than 13 months away and hotpatch now delaying certificate delivery to quarterly CU cycles, admins should use the updated Autopatch Secure Boot Status report now to identify unready devices and sequence rollouts.
• Intune Data Warehouse Beta Power BI Connector Retiring (Microsoft - In Development) - The gradual retirement began in late April 2026 and any Power BI reports built before November 2025 will lose data access if not migrated to connector v2 or the OData Feed connector immediately.

In this edition

Landing in your tenant soon - Platform SSO with Registration During Automated Device Enrollment Now GA for macOS - Intune Data Warehouse Beta Connector in Power BI Retiring - Transition Now - Hotpatch Now On by Default - Conflict with Secure Boot Cert Rollout - Enrollment Time Grouping for Apple ADE Policies Going GA - Updated Secure Boot Status Report in Windows Autopatch Now Available

On the horizon - Android Personally Owned Work Profile Devices Moving to Android Management API (AMAPI) - Controlled Configuration for Microsoft Defender Antivirus Settings Coming to Public Preview - Strict Tunnel Mode for Microsoft Tunnel on Android (AMAPI Devices) - Multiple Managed Accounts for App Protection Policies Coming to iOS and Android - Device Control Policy Support Extended to Defender for Endpoint Security Settings Management - Scope Tags to be Enforced on EPM Reports - In-Place Renewal for Cloud PKI Issuing Certificate Authorities - Custom Compliance Settings Coming to macOS - Client-Driven Compliance Evaluation for Windows Devices Coming to Preview - New STIG Audit Security Baseline for GCC High Tenants - New 802.1x Wired Networks Profile for iOS/iPadOS - Disable MAC Address Randomization Setting for macOS Wi-Fi Profiles - Block Bluetooth Sharing Setting Added to Android Enterprise Settings Catalog - Grant Enhanced Security Permissions to MTD App on Android Enterprise - Silence Apps on Managed Home Screen During Authentication Prompts - Agentic Identity for the Policy Configuration Agent Coming to Public Preview - Admin Insights for Windows 365 Now in Public Preview

Action required - Secure Boot Certificates Begin Expiring June 2026 - Plan Your Rollout Now - Intune Data Warehouse Beta Power BI Connector Retiring - Migrate Before Data Access Ends - YellowKey BitLocker Bypass - No Official Patch Yet, Evaluate Mitigations

What shipped - Multiple In-Development Features Removed from the List - Likely Shipped

From the field - Widespread "Access Denied" Errors Hit Intune Admin Center - Unacknowledged on Status Page - Hotpatch Silently Enabled by Default - Many Admins Unaware - YellowKey BitLocker Bypass: Field Testing Shows Entra-Joined Devices Appear Protected - Autopatch Upgrading Devices from 23H2 to 25H2 Takes 40+ Minutes - Not a Bug

For the full story on every item, download the PDF. The PDF includes the radar, the upcoming-changes timeline, and the full body of each section.

Never miss an edition - subscribe to Intune Weekly on LinkedIn.

Download the full PDF →

Subscribe on LinkedIn → to get the next edition every Tuesday

Community shoutout

Maurice Daly - Driver Automation Tool A PowerShell WPF desktop app that automates the full lifecycle of OEM driver and BIOS package management for ConfigMgr and Intune. It discovers vendor catalogs, downloads with resume-enabled curl, extracts, builds WIMs, and wraps packages as .intunewin for Win32 deployment. Multi-OEM support, BIOS update handling, hash verification, and configurable packaging (DISM/wimlib/7-Zip) collapse hours of manual driver work into a single signed workflow. Read more

On the radar this week

• Tunnel servers on v20260129.1 stuck - reinstall required (Blog - Customer Success) - Servers on the early-March Tunnel release are not functioning correctly and Microsoft has published a remediation script; admins must act now or deploy version 20260330.1 or later.
• Power BI Intune beta connector retiring - no grace period (Microsoft - In Development) - The two-week retirement window is already rolling out and once complete all data access stops, so any reports built before November 2025 must be migrated to connector v2 or OData Feed immediately.
• BYOD devices blocked from Windows 365 Cloud PC via CA (Microsoft - Message Center) - The Windows 365 Client app cannot be individually excluded in Conditional Access compliance policies, causing BYOD devices to be blocked from Cloud PC with no clean workaround yet from Microsoft.
• Enhanced App Inventory Graph API returning forbidden errors (Reddit) - Multiple admins confirm the /deviceInventories endpoint is inaccessible via Graph Explorer and PowerShell with no official workaround, blocking automation built around the newly shipped feature.
• M365 suites gaining Intune Plan 2 and Remote Help mid-June (Microsoft - Message Center) - Intune Remote Help, Advanced Analytics, and Plan 2 capabilities begin rolling into Microsoft 365, Office 365, and EMS suites from mid-June, requiring licensing and budget review before rollout completes August 1.

In this edition

Landing in your tenant soon

• Outlook for iOS/Android: Admins Can Allow Users to Override Default Compose Font
• Intune Data Warehouse Beta Connector Retiring in Power BI
• M365 2026 Packaging Update Brings Intune Remote Help, Advanced Analytics, and Plan 2 Features to More Suites

On the horizon

• Android Enterprise Personally Owned Work Profile Migrating to Android Management API (AMAPI)
• Controlled Configuration for Microsoft Defender Antivirus Settings (Public Preview)
• Strict Tunnel Mode for Microsoft Tunnel on Android Enterprise (AMAPI)
• Device Control Policy Support Extended to Defender for Endpoint Security Settings Management
• Multiple Managed Accounts for App Protection Policies (iOS/Android)
• Enrollment Time Grouping for Apple ADE Policies Going GA
• Platform SSO Registration During macOS Automated Device Enrollment
• Custom Compliance Settings Coming to macOS
• Client-Driven Compliance Evaluation for Windows (Preview)
• In-Place Renewal for Cloud PKI Issuing CAs
• STIG Audit Security Baseline for GCC High Tenants
• Scope Tags Support for Endpoint Privilege Management Reports
• Agentic Identity for the Intune Policy Configuration Agent (Public Preview)
• Grant Enhanced MTD Security Permissions on Android Enterprise
• Silence Apps on Managed Home Screen During Authentication Prompts
• New Wired Networks (802.1x) Profile for iOS/iPadOS
• Disable MAC Address Randomization on macOS Wi-Fi Profiles
• Block Bluetooth Sharing Setting Added to Android Enterprise Settings Catalog

Action required

• Microsoft Tunnel Servers on Version 20260129.1 Are Stuck - Reinstall or Run Patch Script
• Intune Data Warehouse Beta Connector in Power BI: Migrate Before Retirement Completes
• BYOD Devices Blocked from Windows 365 Cloud PC by Conditional Access - No Clean Exclusion Path

What shipped

• New Intune Device Page Now in Public Preview
• Enhanced App Inventory with Faster Data Updates Now Available
• Support Tip Published: Resolving Device Noncompliance with MTD Partner Apps
• Firewall and Proxy Configuration Guide for Windows Update Published
• Open Intune Baseline 3.8 Released

From the field

• Enhanced App Inventory Graph API Endpoint Returning Access Errors

For the full story on every item, download the PDF. The PDF includes the radar, the upcoming-changes timeline, and the full body of each section.

Never miss an edition - subscribe to Intune Weekly on LinkedIn.

Download the full PDF →

Subscribe on LinkedIn → to get the next edition every Tuesday

Community shoutout

Lewis Barry - Intune Settings Catalog Viewer Built intunesettings.app, a faster way to browse the Intune Settings Catalog with a dedicated page that tracks changes Microsoft makes to the catalog over time. Cuts the friction of digging through the admin center and surfaces silent additions or removals that would otherwise go unnoticed. Read more

On the radar this week

• Secure Boot Certs Expire June 2026 - Remediate Now (Reddit) - Unremediated devices will silently stop receiving boot manager updates and may trigger BitLocker recovery prompts - the June deadline leaves little runway for large inventories.
• Hotpatch Flipped On Tenant-Wide - May Is First Affected Month (Microsoft - Message Center) - Microsoft silently enabled Hotpatch for all tenants in April, meaning newly enrolled devices will receive hotpatch instead of a full CU starting in May - admins must configure exclusion groups now for any devices that should not receive hotpatches.
• Autopilot Pre-Provisioning Stalling at App Install Phase (Reddit) - Multiple admins are hitting this in production today with no config changes on their end, and the only unblock requires a force-reboot - active issue to watch before scheduling any provisioning runs this week.
• Conditional Access Filter Now Hitting Windows Server RDP Sessions (Blog - Discussions) - A backend CA evaluation change is causing policies that should exclude company-owned devices to incorrectly apply to Windows Server 2025 RDP sessions, forcing unexpected 8-hour reauthentication - admins with device-filter CA policies should audit scope immediately.
• April 2026 Non-Security Preview: Dynamic App Removal + Secure Boot Side-Effect (Microsoft - Release Health) - This update delivers the new dynamic MSIX/APPX removal capability but also carries the KB5082052 Secure Boot cert prompt side-effect - admins should read the known issue before pushing to pilot rings.

In this edition

Landing in your tenant soon - Hotpatch Enabled Tenant-Wide by Default - May Updates Are First Affected - April 2026 Windows Non-Security Preview Update Now Available

On the horizon - Dynamic App Removal for Managed Windows 11 Devices - Windows 365 for Agents Now in Public Preview - User-Initiated Provisioning for Windows 365 Reserve Now in Public Preview

Action required - Secure Boot Certificates Expire June 2026 - Intune-Managed Device Remediation Underway

What shipped - April 2026 Intune Service Update - Higher-Frequency App Inventory, Linux SSO, Apple Enrollment Expansion - New Windows Autopatch Overview Report Now Available for All Tenants - Multiple Features Drop Off In-Development List - Likely Shipped in April Service Update - Microsoft Confirms Intune Policy Sync Is Far Faster Than the "8-Hour" Myth - Frontline Device Migration Guidance: Stakeholder Alignment Before Testing

From the field - Conditional Access Filter Behavior Changing - Server Devices Now Getting Sign-In Policies They Shouldn't - Autopilot Pre-Provisioning Intermittently Stalling at App Install Phase - App Enforced Restrictions Not Enforcing on Chrome for BYOD macOS - Autopilot Profile Assignment Breaks When Moving from "All Devices" to Dynamic Group - Hybrid Join Producing Double Entra Entries After Device Reset - WinGet App Deployment via Intune Consistently Failing for Many Admins - Community Tool: PIM Multi-Role Activation GUI for Intune Admins - Community Tool: Central Intune Reporting Dashboard in Development - Feature Requests Wanted - Organisations Eyeing Mac Fleets as HP Laptop Prices Double - Intune Mac Management Considerations - Domain-to-Entra Migration Without Reformat - Community Shares Scalable Approaches

For the full story on every item, download the PDF. The PDF includes the radar, the upcoming-changes timeline, and the full body of each section.

Never miss an edition - subscribe to Intune Weekly on LinkedIn.

Download the full PDF →

Subscribe on LinkedIn → to get the next edition every Tuesday

Community shoutout

Janic Verboon - EAM-AutoUpdater Built EAM-AutoUpdater, a free PowerShell automation that watches the Intune Enterprise App Catalog for new app versions, deploys them, and migrates assignments, scope tags, and Enrollment Status Page references from the previous version. Turns a recurring manual chore into an Azure Automation runbook. Read more

On the radar this week

• Samsung Knox OEMConfig wipe-block bricks devices permanently (Reddit) - Deploying a KSP profile that blocks device reset enforces at firmware level with no recovery path - do not push to production without a validated recovery procedure.
• Autopatch 'Managed for quality updates' report showing zero devices (Reddit) - The report has been broken for weeks across multiple tenants, silently undermining compliance reporting - raise a support case now if affected.
• Microsoft Defender now assesses Secure Boot 2023 certificate readiness fleet-wide (Microsoft - Release Health) - New Defender capability auto-categorizes devices as exposed, compliant, or not applicable with remediation guidance attached - useful directly against the 'Under observation' pain admins are reporting.
• AI-speed CVE exploitation raises the bar for patch currency (Blog - Customer Success) - Microsoft's customer success team warns that AI-assisted exploit discovery collapses the safe response window, making proactive Autopatch ring configuration a baseline requirement now.

In this edition

Landing in your tenant soon - New IT admin policy: Remove Microsoft Copilot app

On the horizon - Keeping current is the new patching strategy as AI accelerates vulnerability discovery - Autopilot Device Preparation (v2) enterprise readiness still in question for large-scale deployments - EPM network adapter elevation support reportedly in development - "Unpacking Endpoint Management" series returns with engineering and product team involvement - Ask Microsoft Anything: Secure Boot certificate updates (April 23 and May 18)

Action required - Samsung Knox OEMConfig wipe-block policy renders devices unrecoverable - test before broad deployment

What shipped - Microsoft Defender now provides centralized Secure Boot 2023 certificate readiness assessment

From the field - Local admin removal project: EPM audit-first approach and change management are the consensus best practice - Secure Boot certificate update: "Under observation" status and UEFICA2023Status "Not started" on majority of fleet - Autopatch "Managed for quality updates" report showing zero devices for weeks - Windows Updates not applying at Device ESP phase during Autopilot pre-provisioning - Hotpatch on 24H2: ARM64 devices silently excluded without an additional config profile - Intune device list throwing "Unable to fetch any device" errors - transient but recurring - EntraMap: open-source visual relationship mapper for users, groups, apps, and Conditional Access - Logic App for proactive Apple certificate and token expiry alerting in Intune - Platform SSO on macOS requires ADE/ABM enrollment - user-driven Company Portal enrollment is not sufficient - GAL contacts not surfacing in iOS native dialer - no clean Intune-native solution exists - Autopatch UpdateDeferredVersions registry value behaviour under active investigation by community - Autopilot-only app deployment: defaultuser0 requirements script is the cleanest gate

For the full story on every item, download the PDF. The PDF includes the radar, the upcoming-changes timeline, and the full body of each section.

Never miss an edition - subscribe to Intune Weekly on LinkedIn.