Endpoint Privilege Management support on Azure Virtual Desktop
Week of February 9, 2026 (Service release 2601)
Microsoft Intune Suite
Endpoint Privilege Management support on Azure Virtual Desktop
Endpoint Privilege Management (EPM) elevation policies now support deployment to users on Azure Virtual Desktop (AVD) single-session virtual machines.
For information about using EPM, which is available as an Intune Suite add-on capability, see Plan and Prepare for Endpoint Privilege Management Deployment.
App management
Lenovo Device Orchestration (LDO) link in the Intune admin center
Microsoft Intune now includes a direct link to Lenovo Device Orchestration (LDO) in the Intune admin center. This integration expands the Partner portals experience by giving IT admins a single, secure entry point to manage supported Lenovo devices.
From the Intune admin center, IT admins can open the Lenovo Device Orchestration portal directly to access Lenovo-specific device management capabilities.
Applies to:
- Windows 11
Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:
- Clarity Express for Intune by Rego Consulting Corporation
- Datadog by Datadog Inc.
- Qlik Analytics by Qlik
- Tier1 for Intune by SS&C Technologies, Inc. (iOS)
Device configuration
New settings in the Windows settings catalog
There are new settings in the Windows settings catalog. To see and configure these settings in Intune, create a Windows settings catalog profile (Devices > Configuration profiles > Create profile > Windows 10 and later > Settings catalog).
The new policies include:
- Microsoft Edge - Includes the latest Microsoft Edge browser policies, up to version 143.0.3650.23, including:
- Allow sharing tenant-approved browsing history with Microsoft 365 Copilot Search
- Enable RAM (memory) resource controls
- Specifies whether to opt out of Local Network access restrictions
Due to differences in release cadences between Microsoft Edge and Intune, there can be a one-to-two-week delay in the settings catalog.
- Experience > Disable Share App Promotions - This policy setting lets IT admins control whether promotional apps are shown in the Windows Share Sheet. If you enable this policy, Windows doesn't show promotional apps in the Share Sheet.
- Licensing > Enable ESU Subscription Check: This policy is deprecated and only works on Windows 10; setting it has no effect on other supported Windows versions. The policy enables or disables the subscription check for Windows 10 Extended Security Updates (ESU). If enabled, the device checks the ESU subscription status of the signed-in Microsoft Entra ID user account.
- Windows AI - Includes the following new settings that are available to Windows Insiders:
- Disable Agent Workspaces - Enables or disables Agent Workspaces.
- Disable Agent Connectors - Enables or disables Agent Connectors.
- Disable Remote Agent Connectors - Enables or disables remote Agent Connectors.
- Agent Connector Minimum Policy - Configures the minimum policy value that controls how agent connectors run on the machine.
- Google Chrome - Includes the Google Chrome ADMX browser policies, up to version 141.0.7390.108.
- Due to differences in release cadences between Chrome and Intune, Intune can be one to two versions behind the latest released Chrome version.
- Firewall > Enable Audit Mode - If enabled, the target machine goes into Firewall audit mode.
- Microsoft Visual Studio > Copilot settings > Disable agent mode - This existing Copilot setting is updated to include localization. This setting prevents users from using GitHub Copilot agent mode.
- Windows Components > Internet Explorer > Internet Control Panel > Security Page:
- Turn on automatic detection of intranet - This policy setting enables intranet mapping rules to be applied automatically if the computer belongs to a domain. If you enable this policy setting, automatic detection of the intranet is turned on and intranet mapping rules are applied automatically when the computer belongs to a domain.
- Intranet Sites: Include all sites that bypass the proxy server - This policy setting controls whether sites that bypass the proxy server are mapped into the local Intranet security zone. If you enable this policy setting, sites that bypass the proxy server are mapped into the Intranet Zone.
Applies to:
- Windows
New supported OEMConfig apps for Android Enterprise
The following OEMConfig apps are available in Intune for Android Enterprise:
- FCNT - Senior Care | com.fcnt.mobile_phone.seniorcareconfig
- FCNT - Schema | com.fcnt.mobile_phone.schematest
- Sonim | com.sonim.oemappconfig
Filter by Android management mode in the settings catalog
The settings catalog includes hundreds of settings that you can configure. There are built-in features that help filter the available settings.
When you create an Android settings catalog policy, there's a management mode filter option that filters the available settings by their enrollment type, including:
- Fully managed
- Corporate-owned work profile
- Dedicated
New updates to the Apple settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
There is a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS for platform > Settings catalog for profile type.
iOS/iPadOS
Restrictions:
- Rating Apps Exempted Bundle IDs: This setting lets admins specify apps that can bypass the 17 and older restriction.
For example, a device can have its content restricted to ages 9 and below. With this restriction, apps with an age-based rating of 17 and older are automatically blocked. Admins can use this setting to allow specific apps to bypass this restriction.
Apple rebranded Rapid Security Responses to Background Security Improvements, and the settings catalog is updated to reflect this change. For more information on Background Security Improvements, see Background Security Improvements on Apple devices (opens Apple's website).
Device management
More options for assignment filters > Device Management Type property for managed apps on Android and iOS/iPadOS
When you create policies for your managed apps, you can use assignment filters to assign policies based on rules you create. In these rules, you can use different device and app properties, including the Device Management Type property on Android and iOS/iPadOS.
For Android, the Device Management Type property for managed apps now includes the following options:
- Corporate-owned with work profile
- Corporate-owned fully managed
- Corporate-owned dedicated devices without Entra ID Shared mode
For iOS/iPadOS, the Device Management Type property for managed apps now includes the following options:
- Automated Device Enrollment user-associated devices
- Automated Device Enrollment userless devices
- Account Driven User Enrollment
- Device Enrollment with Company Portal and Web Enrollment
Applies to:
- Android
- iOS/iPadOS
Intune certificate inventory integration with Zimperium mobile threat defense
You can now configure the Zimperium Mobile Threat Defense (MTD) connector to synchronize certificate inventory from your managed iOS devices. This enhancement helps you identify when a device threat level is elevated due to approved but potentially malicious certificates on the device. The following settings are now available when configuring the connector:
- Enable Certificate Sync for iOS/iPadOS devices - Allows this Mobile Threat Defense partner to request a list of installed certificates on iOS/iPadOS devices from Intune to use for threat analysis purposes.
- Send full certificate inventory data on personally-owned iOS/iPadOS devices - This setting controls the certificate inventory data that Intune shares with this Mobile Threat Defense partner for personally-owned devices. Data is shared when the partner syncs certificate data and requests the certificate inventory list.
When certificate sync is enabled, the following data is shared:
- Account ID
- Entra ID Device ID
- Device Owner
- Certificate List
- Common Name
- Data
- Is Identity
Applies to:
- iOS/iPadOS
Device security
Update firewall configurations for new Intune network endpoints
As part of Microsoft’s ongoing Secure Future Initiative (SFI), Microsoft Intune began using Azure Front Door (AFD) IP addresses in addition to the existing Intune service IPs in December 2025.
Customers that use IP-based allowlists, Azure service tags, or strict outbound filtering in their firewall, VPN, proxy, or other network infrastructure may block this new traffic, causing degraded or failed device connectivity. This can affect core Intune functions, including device and app management.
- If your organization uses Fully Qualified Domain Name (FQDN)-based rules or does not restrict outbound traffic, no changes are typically required. However, you should verify that the appropriate wildcard rules are configured, specifically *.manage.microsoft.com, to ensure all Intune services remain reachable. Microsoft continues to recommend using FQDN-based wildcard rules whenever possible to reduce administrative overhead for organizations that require outbound filtering.
- If your organization uses IP-based allowlists in your firewall, proxy, or VPN rules, you must add the Azure Front Door IP ranges below or use Azure service tag AzureFrontDoor.MicrosoftSecurity to avoid potential connectivity issues for managed devices.
Required IP addresses for commercial endpoints:
- 13.107.219.0/24
- 13.107.227.0/24
- 13.107.228.0/23
- 150.171.97.0/24
- 2620:1ec:40::/48
- 2620:1ec:49::/48
- 2620:1ec:4a::/47
Required IP addresses for US government endpoints:
- 51.54.53.136/29
- 51.54.114.160/29
- 62.11.173.176/29
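The two checks described above (every required Azure Front Door range fully covered by an IP allowlist, and a wildcard rule at least as broad as *.manage.microsoft.com in an FQDN rule set) can be audited from an exported rule list before the change lands. The Python script below is an added example, not Microsoft's code: the CIDR lists are the ranges from this page, while the allowlist and FQDN rules it audits are constructed sample input that an admin would replace with their own export. It also reports partial coverage, for example when only one /24 of the required 13.107.228.0/23 is allowed.

```python
"""Audit an outbound allowlist against the Intune Azure Front Door ranges.

Added example (not Microsoft's code). The CIDR lists are the ranges given on
the page; SAMPLE_ALLOWLIST and SAMPLE_FQDN_RULES are constructed input.
"""
import ipaddress

# Ranges from the page: Azure Front Door IPs used by Intune since December 2025.
REQUIRED_COMMERCIAL = [
    "13.107.219.0/24", "13.107.227.0/24", "13.107.228.0/23", "150.171.97.0/24",
    "2620:1ec:40::/48", "2620:1ec:49::/48", "2620:1ec:4a::/47",
]
REQUIRED_USGOV = ["51.54.53.136/29", "51.54.114.160/29", "62.11.173.176/29"]

# The wildcard the page says FQDN-based rule sets must contain.
INTUNE_WILDCARD = "*.manage.microsoft.com"


def uncovered(required_cidr, allowlist):
    """Return the parts of required_cidr (as CIDR strings) that no allowlist
    entry covers. Handles partial coverage (one /24 out of a /23) and skips
    allowlist entries of the other IP version."""
    net = ipaddress.ip_network(required_cidr)
    remaining = [net]
    for entry in allowlist:
        allowed = ipaddress.ip_network(entry, strict=False)
        if allowed.version != net.version:
            continue
        next_remaining = []
        for part in remaining:
            if part.subnet_of(allowed):
                continue                      # fully covered, drop it
            if part.overlaps(allowed):
                # CIDR blocks nest, so here 'allowed' is a strict subnet of 'part'
                next_remaining.extend(part.address_exclude(allowed))
            else:
                next_remaining.append(part)
        remaining = next_remaining
    return [str(r) for r in remaining]


def missing_ranges(allowlist, required):
    """Map each required range that is not fully covered to its uncovered parts."""
    gaps = {}
    for cidr in required:
        parts = uncovered(cidr, allowlist)
        if parts:
            gaps[cidr] = parts
    return gaps


def wildcard_rule_covers(fqdn_rules, required=INTUNE_WILDCARD):
    """True if some rule is at least as broad as the required wildcard.

    '*.manage.microsoft.com' and '*.microsoft.com' both qualify; the bare host
    'manage.microsoft.com' or a single named host does not."""
    suffix = required[2:].lower()
    for rule in fqdn_rules:
        rule = rule.strip().lower()
        if rule == "*":
            return True
        if rule.startswith("*."):
            rule_suffix = rule[2:]
            if suffix == rule_suffix or suffix.endswith("." + rule_suffix):
                return True
    return False


# Constructed sample allowlist: one exact, one partial, one broader, one missing.
SAMPLE_ALLOWLIST = [
    "13.107.219.0/24",      # exact match
    "13.107.228.0/24",      # only half of the required /23
    "150.171.0.0/16",       # broader than required, still fine
    "2620:1ec::/32",        # covers all three IPv6 ranges
]
# Constructed FQDN rules: no wildcard, so the Intune check should fail.
SAMPLE_FQDN_RULES = ["login.microsoftonline.com", "manage.microsoft.com"]

if __name__ == "__main__":
    for name, required in (("commercial", REQUIRED_COMMERCIAL),
                           ("US government", REQUIRED_USGOV)):
        for cidr, parts in missing_ranges(SAMPLE_ALLOWLIST, required).items():
            print(f"{name}: {cidr} not fully allowed; add {', '.join(parts)}")
    if not wildcard_rule_covers(SAMPLE_FQDN_RULES):
        print(f"FQDN rules lack a wildcard covering {INTUNE_WILDCARD}")
```

Run it against your own exported allowlist in place of SAMPLE_ALLOWLIST; a tenant that uses only commercial endpoints can ignore the US government gaps, and an organization that relies on the AzureFrontDoor.MicrosoftSecurity service tag instead of explicit ranges does not need the IP check at all.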
Monitor and troubleshoot
Windows feature update reports support Windows 11, version 25H2
The Windows feature update compatibility risks report and Windows feature update device readiness report support Windows 11, version 25H2 as a selectable target OS. When you choose this version under Select target OS, the reports provide updated insights to help you assess device readiness and identify potential compatibility risks before deploying the feature update.
Applies to:
- Windows
Tenant administration
Admin tasks in Microsoft Intune are now generally available
Admin tasks in the Intune admin center are out of public preview and now generally available. Admin tasks provide a centralized view where admins can discover, organize, and act on common tasks that are otherwise spread throughout the Intune admin center. Located under Tenant Administration, this unified experience supports search, filtering, and sorting to help you focus on what needs attention, without navigating across multiple nodes.
The following task types are supported:
- Endpoint Privilege Management file elevation requests
- Microsoft Defender security tasks
- Multi Admin Approval requests
Intune only shows tasks you have permission to manage. When you select a task, Intune opens the same interface and workflow you'd use if managing the task from its original location. This ensures a consistent experience whether you're working from the admin tasks node or directly within the source capability.