Microsoft has released the Intune Service Release 2606 (late June 2026), bringing significant quality-of-life improvements that materially reduce administrative overhead and strengthen endpoint security postures. From Enterprise App Management reaching regulated clouds to new levels of Apple platform automation, here’s a breakdown of the critical updates and what they mean for IT admins.
1. Enterprise App Management Hits GCC High / DoD and Gets Auto-Updates
Enterprise App Management (EAM) is now officially supported in GCC High and DoD Intune environments.
For defense contractors and government entities, this closes a huge functionality gap. EAM provides curated packaging, patching, and lifecycle management for third-party apps. Previously, regulated tenants lacked this advanced capability and were forced to rely on complex, custom packaging workflows. With EAM in GCC High, organizations subject to CMMC, NIST 800-171, and DFARS can now automate third-party app updates natively within Azure Government, reducing the risk of non-compliance due to outdated software.
Additionally, Auto-Update for EAM apps is now a reality. Intune will detect when a newer version of a deployed application is available in the EAM catalog and automatically update it on targeted Windows devices, eliminating the manual supersedence grunt work.
2. macOS PKG Apps Update Automatically
Managing apps on macOS gets a major win in 2606. Intune now supports automatic updating of managed macOS PKG apps when you upload a newer version of the same app.
Instead of configuring manual version targeting, smart groups, or relying on complex bash scripts, the Intune service recognizes the updated package and orchestrates in-place upgrades on targeted macOS endpoints. This reduces configuration drift across Mac fleets and brings macOS closer to the zero-touch management experience that Windows admins have long enjoyed.
Admin Tip: Ensure your PKG identifiers and bundle IDs are stable across releases, and always use ring-based deployment (Pilot -> Broad Rollout) to catch any app regressions before they hit the whole company.
3. WPA3-Personal Support for iOS/iPadOS
Wi-Fi security takes a step forward with Intune now supporting WPA3-Personal in iOS/iPadOS Wi-Fi device configuration profiles.
This closes a legacy gap by bringing Apple mobile devices into alignment with modern secure campus networking. WPA3-Personal vastly improves resistance to offline dictionary attacks compared to WPA2. For organizations executing a Zero Trust architecture—or those in highly regulated industries—WPA3 ensures that devices handling sensitive or CUI data are protected by the strongest available wireless encryption.
Make sure your APs and wireless controllers are configured for WPA3 (or WPA2/WPA3 transition mode) before mass-deploying the new profiles!
4. Microsoft 365 Apps for Enterprise Security Baseline (v2512)
Intune has rolled out an updated security baseline for Microsoft 365 Apps for Enterprise (v2512).
As Office applications evolve with new AI integrations, collaboration tools, and macro security capabilities, the attack surface shifts. The v2512 baseline brings Office configurations up to speed with the current threat landscape and Microsoft’s latest hardening guidance. Using baselines rather than manual GPOs simplifies policy deployment and provides an auditable, standardized profile that maps to CIS and NIST frameworks.
Note: Applying the new baseline can override conflicting custom settings. Be sure to compare the v2512 settings with any specific macro allowances your finance or engineering departments require before moving to production.
Summary The 2606 Service Release is all about reducing friction for administrators while raising the security floor. By automating app lifecycles (EAM and macOS) and introducing stronger default protections (WPA3 and new M365 baselines), IT teams can spend less time packaging and more time engineering secure environments.