Microsoft's February 2024 update for Microsoft Intune delivers three significant governance and operational enhancements that address long-standing requests from enterprise IT administrators. The update focuses on strengthening security postures, improving administrative oversight, and providing finer-grained control over device management—key components for organizations implementing Zero Trust architectures. These features—multi-administrator approvals for critical actions, enhanced Mobile Device Query (MDQ) capabilities, and new assignment filters for Apple Declarative Device Management (DDM)—represent Microsoft's continued investment in making Intune a more robust, secure, and manageable enterprise mobility management (EMM) platform.

Multi-Administrator Approvals: Enforcing Critical Change Governance

The cornerstone of this update is the general availability of multi-administrator approvals (MAA) for critical Intune operations. This feature introduces a crucial layer of administrative governance, often referred to as "four-eyes approval" or dual control, directly into the Intune service workflow. Before this update, a single administrator with sufficient permissions could enact significant changes—such as deploying a new compliance policy, assigning a critical application, or modifying conditional access settings—without requiring a second review. This created a potential single point of failure and increased the risk of configuration errors or malicious changes going unchecked.

Now, Intune administrators can configure specific tasks to require approval from one or more additional administrators before the action is executed. According to official Microsoft documentation, this approval workflow can be enforced for a variety of sensitive operations, including:
- Creating, assigning, or deleting compliance policies
- Creating, assigning, or deleting configuration profiles
- Deploying or removing applications (particularly line-of-business or critical security apps)
- Modifying enrollment restrictions or terms of use
- Changing settings for endpoint security policies like antivirus or firewall rules

The approval process is integrated into the Microsoft Intune admin center. When a configured action is initiated, it enters a pending state. Notifications are sent to the designated approvers (who must have appropriate Intune roles like Intune Administrator or Global Administrator). The approver can review the details of the change—who requested it, what the change entails, and the target scope—before approving or denying the request. An audit trail is maintained for all requests and decisions, enhancing compliance and forensic capabilities. This feature is a direct response to enterprise security frameworks and standards (like NIST, ISO 27001, or SOC 2) that mandate segregation of duties and controlled change management for critical IT systems.

Enhanced Mobile Device Query (MDQ) Controls for Advanced Analytics

The second major enhancement is the expansion of controls within the Mobile Device Query (MDQ) feature, which is part of Intune's advanced analytics and reporting capabilities. MDQ allows administrators to create complex, saved queries to filter and identify devices based on a wide array of properties and compliance states. This is particularly valuable for large-scale deployments where administrators need to quickly isolate devices with specific issues, such as those missing a particular security patch, running an unsupported OS version, or exhibiting non-compliant configurations.

The February update introduces deeper query controls and more powerful filtering logic. According to Microsoft's Tech Community posts and official documentation, key enhancements include:
- Support for nested query logic: Administrators can now build more sophisticated queries using AND/OR operators across multiple device properties, enabling precise targeting. For example, a query could find "All Windows 11 devices (Property A) that are NOT encrypted (Property B) OR are running a build older than 22H2 (Property C)."
- Expanded property library: The update adds more device and user properties to the queryable dataset, including richer details from endpoint security health reports and application inventory.
- Performance improvements for large datasets: Optimizations have been made to handle queries across tenants with hundreds of thousands of devices more efficiently, reducing load times in the admin console.
- Integration with proactive remediations and scripts: Query results can be more directly used to target PowerShell scripts or proactive remediation packages, allowing for automated corrective actions on precisely defined device groups.

These MDQ improvements transform raw device data into actionable intelligence. IT teams can move from reactive troubleshooting to proactive management by creating persistent queries that continuously monitor for risk conditions. For instance, a query could flag all newly enrolled devices that lack a required security baseline profile, triggering an automatic notification to the helpdesk.

Assignment Filters for Apple Declarative Device Management (DDM)

The third pillar of the update is the introduction of assignment filters specifically for Apple devices managed via Declarative Device Management. DDM is Apple's modern management framework that shifts device management from a transactional, server-driven model to a declarative, intent-based model. In DDM, the administrator declares the desired state of a device (security settings, apps, configurations), and the device itself is responsible for achieving and maintaining that state, even when offline. Intune added support for Apple DDM in 2023.

Prior to this update, applying DDM configurations in Intune was largely an all-or-nothing proposition for assigned device groups. The new assignment filters allow for much more granular targeting. Administrators can now use device properties—such as model type (iPad vs. iPhone), OS version, available storage, or even custom attributes—to create dynamic filters that determine which DDM declarations apply to which devices.

For example, a company could:
- Apply a restrictive DDM security declaration only to corporate-owned iPhones (filter: deviceOwnership -equals- Corporate), while applying a lighter-touch declaration to personally owned devices (BYOD).
- Deploy a memory-intensive DDM-managed app only to devices with more than 64GB of free storage (filter: freeStorageSpace -greaterThan- 64000).
- Roll out a new DDM configuration profile first to devices running iOS 17.4 (filter: osVersion -startsWith- "17.4") as a pilot group before broader deployment.
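The filter examples above and the MDQ AND/OR example in the earlier section both hinge on how a rule evaluates against real inventory, so here is an added dry-run evaluator written for this article; it is not Intune code and does not reproduce Intune's rule syntax. It assumes constructed device records with property names (deviceOwnership, osVersion, freeStorageMB, os, osBuild, encrypted) chosen for the example, that free storage is reported in MB, and that Windows 11 22H2 corresponds to build 22621.

```python
"""Dry-run evaluator for device-targeting rules (added example; not Intune's filter engine
or rule syntax). Checks the page's DDM filter and MDQ query examples against a constructed inventory."""
import operator
def equals(prop, value):
    return lambda d: d.get(prop) == value

def starts_with(prop, prefix):
    return lambda d: str(d.get(prop, "")).startswith(prefix)

def compare(prop, op, value):
    # A missing property never matches; it is not silently treated as 0.
    return lambda d: d.get(prop) is not None and op(d[prop], value)

def version_at_least(prop, minimum):
    # Dotted versions compared numerically, so "17.10" >= "17.4" holds here
    # although a plain string comparison would say it does not.
    parse = lambda v: tuple(int(p) for p in str(v).split("."))
    return lambda d: prop in d and parse(d[prop]) >= parse(minimum)

def all_of(*rules):
    return lambda d: all(r(d) for r in rules)
def any_of(*rules):
    return lambda d: any(r(d) for r in rules)
def negate(rule):
    return lambda d: not rule(d)

def evaluate(rule, devices):
    return sorted(d["deviceName"] for d in devices if rule(d))  # names the rule would target
# Constructed sample inventory (not tenant data); free storage assumed to be reported in MB.
INVENTORY = [
    {"deviceName": "ip-corp-01", "deviceOwnership": "Corporate", "osVersion": "17.4.1", "freeStorageMB": 90000},
    {"deviceName": "ip-byod-02", "deviceOwnership": "Personal", "osVersion": "17.4", "freeStorageMB": 12000},
    {"deviceName": "ip-corp-03", "deviceOwnership": "Corporate", "osVersion": "17.10", "freeStorageMB": 70000},
    {"deviceName": "win-04", "os": "Windows 11", "osBuild": 22000, "encrypted": True},
    {"deviceName": "win-05", "os": "Windows 11", "osBuild": 22631, "encrypted": False},
    {"deviceName": "win-06", "os": "Windows 10", "osBuild": 19045, "encrypted": False},
]

# The page's three DDM filter examples, plus a numeric version check for contrast.
CORP_ONLY = equals("deviceOwnership", "Corporate")
BIG_STORAGE = compare("freeStorageMB", operator.gt, 64000)
PILOT_17_4 = starts_with("osVersion", "17.4")     # prefix match: 17.4 and 17.4.1, not 17.10
MIN_17_4 = version_at_least("osVersion", "17.4")  # numeric: 17.4, 17.4.1 and 17.10

# The MDQ example "Windows 11 AND NOT encrypted OR build older than 22H2" has two readings
# (22H2 is build 22621, so "older" means a lower build number); make the grouping explicit.
WIN11, UNENCRYPTED = equals("os", "Windows 11"), negate(equals("encrypted", True))
OLD_BUILD = compare("osBuild", operator.lt, 22621)
STRICT = all_of(WIN11, any_of(UNENCRYPTED, OLD_BUILD))  # A AND (NOT B OR C)
LOOSE = any_of(all_of(WIN11, UNENCRYPTED), OLD_BUILD)   # (A AND NOT B) OR C, also catches Windows 10
```

Running `evaluate(STRICT, INVENTORY)` and `evaluate(LOOSE, INVENTORY)` against the same inventory shows the second reading pulling in the Windows 10 device, which is exactly the kind of mismatch a pilot-group dry run is meant to catch before assignment.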

This brings Apple DDM management in Intune to parity with the granular filtering long available for Windows and Android device policies. It enables phased rollouts, A/B testing of configurations, and tailored management based on device capabilities—a critical requirement for organizations with diverse Apple device fleets.

The Zero Trust and Operational Security Context

Collectively, these three updates significantly advance Intune's capabilities within a Zero Trust security model. Zero Trust operates on the principle of "never trust, always verify," requiring strict identity verification, least-privilege access, and assumption of breach. Multi-admin approvals enforce verification and segregation of duties for administrative actions themselves. Enhanced MDQ provides the continuous visibility and analytics needed to verify device health and compliance. Granular Apple DDM filters enable the precise application of security configurations (least-privilege) based on device context and risk.

From an operational security (OpSec) perspective, multi-admin approvals mitigate insider threats—both malicious and accidental. By requiring a second set of eyes for critical changes, organizations can prevent a compromised admin account or a simple misconfiguration from causing widespread disruption or a security incident. The audit trail also supports post-incident investigations and compliance audits.

Implementation Considerations and Best Practices

For organizations planning to adopt these new features, several best practices emerge from common enterprise deployment patterns:

For Multi-Admin Approvals:
- Start with a Pilot: Begin by enabling MAA for a single, non-critical policy type with a small group of senior admins as approvers. This allows your team to familiarize themselves with the workflow.
- Define a Clear Policy: Document which actions require approval and the hierarchy of approvers. Consider requiring approvals for all actions that affect security baselines, conditional access, or broad device groups.
- Leverage Role-Based Access Control (RBAC): Ensure approvers have the necessary Intune roles (like Intune Administrator) but not necessarily the same high-level privileges as the initiators, maintaining separation of duties.
- Monitor the Audit Logs: Regularly review the approval request logs in the Intune audit section to ensure the process is working as intended and to identify any unusual patterns.

For Enhanced MDQ:
- Build Queries for Common Scenarios: Create and save queries for frequent tasks: devices non-compliant with the latest security update, devices with low disk space, or devices that have not checked in for over 7 days.
- Combine with Groups: Use dynamic Azure AD or Microsoft Intune groups that are populated based on MDQ results to automate policy assignments or script deployments.
- Train Helpdesk Staff: Empower frontline support with saved queries to quickly diagnose common user-reported issues without needing deep admin console access.

For Apple DDM Filters:
- Inventory Your Apple Estate First: Use Intune reporting to understand the distribution of models, OS versions, and ownership types in your Apple fleet before creating filters.
- Use Filters for Gradual Rollouts: Adopt a ring-based deployment strategy for new DDM declarations. Start with a filter targeting a small pilot group (e.g., model -contains- "iPhone15"), then expand to broader filters after validation.
- Test Filter Logic Thoroughly: Create test device groups to validate that your filter logic (e.g., for storage or OS version) correctly targets the intended devices before applying to production.

Looking Ahead: The Future of Intune Governance

The February 2024 update underscores Microsoft's strategic direction for Intune: evolving from a pure mobile device management tool into a comprehensive endpoint governance platform integral to a modern security stack. The introduction of native multi-admin approvals suggests future integrations with broader Microsoft Purview compliance solutions and Azure Active Directory Privileged Identity Management (PIM) for just-in-time admin elevation. The analytics and filtering enhancements point towards more AI-driven insights and automated remediation, potentially leveraging Microsoft Copilot for Security to interpret query results and recommend actions.

For IT administrators, these features represent powerful new tools to enhance security, reduce risk, and streamline operations. By implementing multi-admin approvals, organizations can harden their change management processes. By mastering enhanced MDQ, teams can gain unprecedented visibility into their endpoint landscape. And by utilizing granular DDM filters, they can achieve more intelligent and responsive management for their growing Apple device populations. As the boundary between work and personal devices continues to blur and cyber threats grow more sophisticated, these governance-focused capabilities in Microsoft Intune are not just convenient—they are essential for securing the modern, distributed workplace.