Microsoft Intune has been shipping updates steadily through June and early July, and several significant features arrived in service release 2605 and the weekly drops that followed the 2606 coverage we’ve already covered. If you’ve been heads-down on summer projects, here’s what you need to know about the latest changes hitting your tenant.
Let’s walk through the most impactful updates — from security posture improvements to Android management modernization and the new ability to detect and block unauthorized AI agents on Windows.
1. Multi Admin Approval Now Enforces on API Calls Made by Automation
This is arguably the most consequential change for Intune admins who rely on automation. Multi Admin Approval (MAA) now applies to Microsoft Graph API calls made by service principals, automation scripts, and DevOps pipelines — not just interactive admin actions in the portal.
If your tenant has MAA access policies configured and you use service principals, PowerShell scripts with Connect-MSGraph, or third-party tools to modify protected Intune resources, those calls are now subject to the same approval workflow as manual operations. Calls that lack the required approval headers return an HTTP 403 error.
Why this matters: Before this change, a compromised or over-permissioned service principal could perform high-impact Intune operations (app deployments, policy changes, configuration baselines) without any human check. This closes a critical security gap.
What you should do:
- Inventory all Graph-based automation touching Intune — scripts, CI/CD pipelines, integration tools
- Update scripts to include MAA approval headers in their API calls
- For applications using app-auth tokens where immediate code changes aren’t feasible, use the new Exclusions tab in the MAA access policy wizard to temporarily exclude specific apps while you remediate
- Communicate process changes to DevOps and automation teams — approvals will add latency to automated workflows
2. Android Enterprise Personally Owned Work Profile Moves to Android Management API (AMAPI)
The Android Enterprise personally owned work profile (BYOD) enrollment path is undergoing a significant modernization. Intune is moving these devices from legacy enrollment to the Android Management API (AMAPI), bringing two major improvements:
Web-based enrollment: Users no longer need to install the Intune Company Portal app to enroll. They can complete enrollment entirely through a web browser, which is tenant-wide and works seamlessly with identity portals and onboarding flows.
New policy delivery model: Intune is rolling out a modern implementation for how policies are delivered and monitored on BYOD work profile devices — aligning with the approach already used for COBO, COSU, and COPE devices. This means more consistent behavior and better long-term support across all Android enrollment types.
What you should do:
- Opt in through the Intune admin center: Devices > Device Onboarding > Enrollment > Android > Personally owned devices with a work profile
- Toggle on “Use web enrollment for all users enrolling into Android personally-owned work profile management”
- Create a new policy via Devices > Manage devices > Configuration > Create > New policy > Android Enterprise > Move to Android Management API
- Update user enrollment guides and communications
- Review compliance and configuration policy coverage in the new model
3. Windows 11 STIG SCAP Benchmark Audit Baseline (GCC High)
For government customers and defense contractors, this one is a big deal. Intune now includes a STIG audit baseline that assesses Windows devices against the Defense Information Systems Agency (DISA) Security Technical Implementation Guides.
The initial baseline audits against the Microsoft Windows 11 STIG SCAP Benchmark Version 2, Release 7 (benchmark date: January 5, 2026).
Key characteristics:
- Audit-only: Unlike other Intune security baselines, the STIG baseline doesn’t enforce or change settings. It evaluates the current device state and generates detailed reports.
- DISA compliance reporting: Audit results include documented mapping to NIST XCCDF result categories for formal compliance reporting.
- Graph API support: Enables programmatic data retrieval and cross-tenant assessment aggregation.
- Licensing: Available for GCC High tenants and requires Advanced Analytics licensing.
What you should do:
- Deploy the STIG baseline in report-only mode to a pilot group first
- Review generated audit reports and compare against existing GPO-based security configurations
- Identify remediation priorities based on gaps between current state and STIG requirements
- Document findings for audit evidence collection
4. APP Multiple Managed Accounts
App Protection Policies (APP) now support Multiple Managed Accounts, allowing users to add and manage more than one managed account within the same app. App protection policies apply separately to each account, so you can tailor protection based on the account’s organization or tenant.
The first supported app is Microsoft Teams on iOS/iPadOS (v8.10.0 or later). Support for additional apps and platforms is coming soon.
Why this matters: For consultants, MSP staff, and anyone who manages multiple tenants or organizations, this eliminates the need to constantly sign out and sign in — or run separate app instances — to access different work accounts.
What you should do:
- Verify that APP policies for each tenant are correctly scoped when multiple orgs exist in the same app
- Test data transfer restrictions — confirm “org data can’t be moved to other orgs” works as expected
- Provide guidance to multi-tenant users on how to add additional accounts
5. Detect and Block Shadow AI on Windows Devices (Public Preview)
Intune is getting proactive about Shadow AI — unauthorized local AI agents running on managed devices. With this new public preview feature, you can detect and block tools like OpenClaw on Windows devices using three complementary capabilities:
- Properties Catalog: Collect the Local AI Agent entity to identify devices where unauthorized AI agents are present or active
- Device Query: View devices with a Local AI Agent across your estate
- Local AI Agent Baseline - OpenClaw (Preview): A dedicated security baseline to block users from running OpenClaw on managed Windows devices
Why this matters: Shadow AI tools can exfiltrate sensitive data, run unapproved code, and bypass existing data loss prevention controls. As AI agents proliferate, IT and security teams need the ability to enforce policy — not just detect.
What you should do:
- Coordinate with security and legal teams to define your organization’s AI governance stance
- Deploy the Properties Catalog policy to inventory which devices have unauthorized AI agents
- Use Device Query to generate reports
- Consider deploying the OpenClaw baseline to block usage where appropriate
- Plan end-user communication about allowed vs. prohibited AI tools
6. In-Place Renewal of Cloud PKI Issuing Certification Authorities
If you’re using Intune’s Cloud PKI, this operational improvement will save you real time. In-place renewal lets you renew eligible issuing CAs without creating new CAs or updating SCEP certificate profiles.
Previously, renewing an issuing CA required creating a new CA and manually updating every dependent SCEP profile — introducing configuration risk and operational overhead. With in-place renewal, certificate issuance continues uninterrupted for Wi-Fi, VPN, and email scenarios. No changes to existing SCEP profiles or device assignments required.
7. Strict Tunnel Mode for Microsoft Tunnel on Android
Microsoft Tunnel now supports Strict Tunnel Mode on Android Enterprise devices. When enabled, all network traffic is forced through the VPN tunnel. If the VPN connection drops, all network traffic on the device is blocked until the VPN reconnects — preventing apps from accessing the public internet outside of the tunnel.
An app exclusion list lets you allow specific apps (like authentication helpers or trusted productivity tools) to bypass the tunnel and connect directly.
Strict Tunnel Mode is available when a Microsoft Tunnel VPN profile is configured with Always-on VPN. It requires devices enrolled through Android Management API, with support for MAM-enrolled devices via the Microsoft Edge app configuration policy.
8. Direct Android Line-of-Business App Management
You can now manage Android LOB apps directly in Microsoft Intune without publishing them to Managed Google Play. Simply upload APK files directly to Intune and deploy them to supported Android Enterprise enrollment types (COBO and COSU).
This is a significant simplification for organizations that:
- Develop and distribute internal Android apps
- Operate in environments where Google Play access is restricted
- Use kiosk or rugged devices without full Google Play Services
- Need rapid iteration cycles on private apps
Direct LOB apps also support app configuration policies, giving you the same configuration flexibility you’d have with Managed Google Play apps.
9. Vulnerability Remediation Agent Now Uses Microsoft Entra Agentic Identity
The Vulnerability Remediation Agent (in public preview) now uses Microsoft Entra agentic identity instead of a human user identity. When you set up a new agent instance, the setup process automatically provisions an agentic identity in your tenant’s Entra directory. The agent runs under permissions delegated to this agentic user.
Important timing note: If you already have an agent using a human user identity, your agent will continue working for now — but support expires 90 days after this release. You’ll need to transition to an agentic identity before the deadline. A banner on the agent page will notify you when agentic identity is available for transition.
10. Other Notable Updates
Managed Home Screen enhancements (June 8 week)
- Custom top bar elements: Display free-text strings (up to 63 chars) with dynamic variables like
{{SerialNumber}},{{DeviceName}}, and{{TenantName}} - Exit lock task mode password: Must now be configured via device configuration profile, not app configuration policy
- Silence apps during authentication: Prevent notifications, toasts, and ringing while MHS is locked — with configurable allowlist for critical apps
New Microsoft Edge 148 settings in Settings Catalog
A substantial batch of new Edge policies including Copilot new tab page controls, browsing with Copilot allow/block lists, M365 authentication pop-up behavior in work profiles, developer tools allow/block lists, and more. Available in the Windows settings catalog.
New Wired Networks profile for iOS/iPadOS
802.1x wired network profiles for M-series iPads using dock/monitor connections. Supports EAP-TLS, PEAP, and TTLS. Requires iOS/iPadOS 17+.
iOS/iPadOS Intune app version requirement
The Microsoft Intune app for Android now requires version 2025.11.01 or later. This change took effect May 1, 2026. Users on older versions may experience sign-in failures.
Summary and Recommended Actions
| Feature | Priority | Best For |
|---|---|---|
| MAA automation enforcement | High | All orgs with automation |
| Android AMAPI migration | High | BYOD Android orgs |
| STIG audit baseline | Medium | GCC High / DoD customers |
| APP Multiple Managed Accounts | Medium | Multi-tenant orgs |
| Shadow AI detection | Medium | Regulated industries |
| Cloud PKI in-place renewal | Low-Medium | Cloud PKI users |
| Strict Tunnel Mode | Low-Medium | Android + Tunnel orgs |
| Direct Android LOB | Low-Medium | Internal Android app devs |
The 2605 release and surrounding weekly updates continue the pattern we’ve seen throughout 2026: Intune is evolving from a device management tool into a comprehensive security operations platform. The addition of automation governance controls (MAA on API calls), formal compliance baselines (STIG), and AI agent governance (Shadow AI detection) are all signs of this trajectory.
As always, test these features in a staging environment before broad deployment, and watch for the gradual rollout pattern — some features may take several weeks to reach your tenant.
Follow Kevin on X/Twitter at https://x.com/kkaminski for more Intune and endpoint management content.