Microsoft posted its Week of June 15, 2026 What’s New update with three significant announcements that went mostly under the radar: HTTPS enforcement for Win32 app delivery, enrollment time grouping going GA for Apple ADE, and the Android personally owned work profile migration to AMAPI going live.

None of these are flashy, but each carries real operational impact for IT teams. Here’s what you need to know.


Managed Win32 Apps Now Require HTTPS Delivery — Connected Cache Deadline Has Arrived

What Changed

As of June 16, 2026, Intune enforces HTTPS delivery for all managed Win32 app content. If you run Microsoft Connected Cache (MCC) for Enterprise and Education and haven’t configured HTTPS on your cache nodes, your clients will fall back to CDN delivery for Intune Win32 apps.

Content delivery still works — but without caching, you lose the bandwidth savings, provisioning speed improvements, and localized delivery that made MCC worth deploying in the first place. For organizations running Windows Autopilot at scale, this means slower provisioning times and increased internet egress costs.

The Scope

Only Intune Win32 apps are enforced via HTTPS in this change. Other content types — Windows feature and quality updates, Microsoft 365 Apps, Office Click-to-Run, Defender definition updates — continue to serve over HTTP through MCC.

However, note that Microsoft Teams content already requires HTTPS and won’t cache on HTTP-only MCC nodes either. So there are really two affected content families.

What’s Required

Each MCC node must be configured with a valid TLS certificate. The key requirements:

  • Software version: Cache node software must be 2.0.0.2112 or higher
  • Port 443: Must be free and available on the host
  • Certificate format: Only unencrypted .crt files are supported. Password-protected .pfx or .p12 formats cannot be imported yet
  • Subject/SAN: Must match exactly how client devices reach the node (FQDN or IP)
  • TLS-inspection: Networks performing TLS inspection must exempt MCC traffic, or clients will reject the certificate

The Setup Process

  1. Generate a CSR on the MCC host using the provided scripts
  2. Sign with your internal CA or trusted certificate authority
  3. Import the .crt using the importCert script
  4. Validate — first on the MCC server itself, then from a client device
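One way to script the client-side part of step 4, as an added example that is not part of the original post or of Microsoft's MCC scripts: it checks a cache node's certificate against the Subject/SAN requirement, the CA you expect to have issued it (a different issuer on the wire points to TLS inspection), and the expiry date. The host name, IP address and CA name are hypothetical, and the sample certificate is constructed.

```python
import ipaddress
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in getpeercert() dict shape; host, IP and CA name are hypothetical.
SAMPLE = {
    "issuer": ((("commonName", "Example Internal Issuing CA"),),),
    "notAfter": "Jun 30 12:00:00 2027 GMT",
    "subjectAltName": (("DNS", "mcc01.corp.example"), ("IP Address", "10.20.30.40")),
}

def san_matches(cert, target):
    """Exact match of target (FQDN or IP) against SAN entries; wildcards are not expanded."""
    try:
        want = ("IP Address", ipaddress.ip_address(target))
    except ValueError:
        want = ("DNS", target.lower().rstrip("."))
    for kind, value in cert.get("subjectAltName", ()):
        value = ipaddress.ip_address(value.strip()) if kind == "IP Address" else value.lower().rstrip(".")
        if (kind, value) == want:
            return True
    return False

def evaluate(cert, target, expected_issuer_cn, now=None):
    """Return findings for a getpeercert()-style dict; an empty list means OK."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if not san_matches(cert, target):
        findings.append(f"SAN does not list {target}")
    issuer_cn = dict(rdn[0] for rdn in cert.get("issuer", ())).get("commonName")
    if issuer_cn != expected_issuer_cn:
        # An unexpected issuer usually means a TLS-inspection proxy re-signed the traffic.
        findings.append(f"issuer is {issuer_cn!r}, expected {expected_issuer_cn!r}")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if expires <= now:
        findings.append(f"expired {expires:%Y-%m-%d}")
    return findings

def fetch_cert(target, port=443, cafile=None):
    """Fetch the node's certificate; the chain is verified against cafile or the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name check is done by evaluate(), so a mismatch is a finding
    with socket.create_connection((target, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=target) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(evaluate(SAMPLE, "mcc01", "Example Internal Issuing CA"))  # short name: SAN mismatch
```

Against a real node, pass `fetch_cert(target, cafile=...)` to `evaluate()` using the same FQDN or IP your clients are configured with. A handshake that raises `ssl.SSLCertVerificationError` means the chain itself is not trusted from that machine.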

For SCCM-integrated MCC (Configuration Manager distribution points with Connected Cache), the February 2026 update added HTTPS support there too. The process requires enabling TLS in IIS, downloading the updated DoincInstall.exe, and toggling the MCC checkbox off and back on.

What IT Teams Should Do Now

  • Inventory: Check all MCC node software versions (must be ≥ 2.0.0.2112)
  • Prioritize: If you haven’t configured HTTPS on MCC, move this up. Every day without it means lost caching for Win32 apps and Teams content
  • Test: Validate in a non-production environment before rolling out to production nodes
  • Document: Update your MCC operational procedures and helpdesk documentation
  • Monitor: After configuration, verify cache hit rates are restored for Win32 app content

If you’ve already configured HTTPS for MCC (or you don’t use MCC at all), no action needed.


Enrollment Time Grouping for Apple ADE — Now Generally Available

What Changed

Enrollment time grouping is now generally available for Apple automated device enrollment (ADE) on iOS/iPadOS and macOS. Previously available only for Windows Autopilot and Android Enterprise, this capability lets admins tag a device’s Microsoft Entra ID security group directly in the enrollment policy.

When a device enrolls, it becomes a member of the specified security group during the enrollment process itself — not minutes or hours later after background syncs complete. This means apps, configuration policies, and compliance settings that target that group can begin deploying during Setup Assistant rather than after the user reaches the home screen.

Why This Matters

For zero-touch deployment workflows, the gap between “device enrolled” and “device fully configured” has been one of the biggest friction points. Without enrollment time grouping, policies assigned to dynamic or static groups only apply after the device syncs its membership to Entra ID — introducing a latency window that can frustrate users and delay productivity.

With this GA, Apple device deployments now benefit from the same fast provisioning that Windows Autopilot and Android Enterprise deployments have enjoyed.

Setup Requirements

  • Create a static Microsoft Entra security group
  • Add the Intune Provisioning Client service principal as an owner (AppId: f1346770-5b25-470b-88bd-d5744ab7952c)
  • Configure the group in a new Apple ADE enrollment policy (existing profiles unaffected)
  • Only one static group per enrollment profile

What IT Teams Should Do

  • Create security groups now: Pre-create the static groups you’ll assign to enrollment profiles
  • Verify service principal: Confirm the Intune Provisioning Client exists in your Entra ID tenant
  • Test on a small set: Create a new ADE enrollment policy with enrollment time grouping and validate on test devices
  • Plan for the 2606 release: Apple ADE enrollment policies are moving to a new infrastructure with the upcoming 2606 service release. Enrollment time grouping is part of this broader modernization — so getting familiar with it now will pay off

Android Personally Owned Work Profile Moves to AMAPI — Web Enrollment Goes Live

What Changed

This is the biggest operational shift of the three. Microsoft is transitioning personally owned work profile (BYOD Android) management from the legacy custom DPC / Google Play EMM API implementation to Google’s Android Management API (AMAPI).

Two things are rolling out:

1. Web-Based Enrollment — Users no longer need to install the Company Portal app to enroll their personal Android device. They start enrollment from a browser (Chrome or Edge):

  • Via a direct URL: aka.ms/enrollmyandroid
  • Via redirect from productivity apps (Teams, Outlook) when Conditional Access requires enrollment
  • Via the Company Portal app (still works as an entry point)

Once enrolled, the Intune app and Android Device Policy app (hidden) install automatically.

2. AMAPI-Based Policy Delivery — Policy management for personally owned work profile devices now uses the same modern API that corporate-owned devices (COPE, COBO, COSU) already use. This means faster release of new features, consistent behavior across Android Enterprise management options, and support for capabilities unavailable with the legacy custom DPC.

How to Enable

For new enrollments — This is opt-in (for now) at the tenant level:

  • Navigate to: Devices > Android tab > Device onboarding > Enrollment > Personally owned devices with a work profile
  • Check: Use web enrollment for all users enrolling into Android personally-owned work profile management
  • ⚠️ This change cannot be reversed

For existing enrolled devices — Create a “Move to Android Management API” device configuration profile:

  • Devices > Manage devices > Configuration > Create > New policy
  • Platform: Android Enterprise
  • Profile type: Templates > Move to Android Management API
  • Assign to device groups to migrate in phases

Timeline:

  • Now (Late Q2 2026): Opt-in available for web enrollment and migration policy
  • Later CY2026: Auto-migration for all remaining devices

Important Caveat

If your tenant uses passkeys as the only accepted authentication method, do not enable web enrollment yet. Passkey support for web enrollment is coming in a future update.

What IT Teams Should Do

  • Test first: Enable web enrollment in a test tenant before production
  • Phase the migration: Use the AMAPI configuration policy to migrate existing enrolled devices in targeted waves
  • Update documentation: The user enrollment experience is changing — update your enrollment guides and helpdesk scripts
  • Communicate to users: Inform BYOD Android users that the enrollment process is getting simpler (no app download needed)
  • Review Conditional Access: Ensure CA policies that require enrollment are compatible with the web-based flow

This is a foundational change to how Intune manages BYOD Android. It aligns with Google’s deprecation of the legacy custom DPC API and positions HCL management for the next generation of Android platform capabilities.


Summary

Change | Impact Level | Action Required
Win32 app content requires HTTPS on MCC | High (if you use MCC) | Configure HTTPS on MCC nodes
Apple ADE enrollment time grouping GA | Medium (Apple shops) | Pre-create Entra groups, update ADE policies
Android BYOD moves to AMAPI | High (Android shops) | Enable web enrollment, plan phased migration

None of these are breaking changes — but ignoring the MCC HTTPS deadline, skipping enrollment time grouping adoption, or delaying AMAPI migration will create operational friction that could have been avoided with a few hours of planning.

As always, test in non-production first, update your documentation, and brief your helpdesk. If you need help planning any of these transitions, reach out — we’ve been through these migrations multiple times across different organizations and know where the pitfalls hide.

— Kevin