Microsoft is rolling out a significant update to its Intune endpoint management platform, with June 2026 bringing general availability for automated application patching, expanded privilege management capabilities, and a smoother Apple device enrollment experience. The release, designated as the June 2026 service release, underscores the company’s aggressive push to unify device management across Windows, macOS, iOS, and Android under a single, cloud-first console. For IT administrators, the changes mean fewer manual workflows and tighter security postures without sacrificing end-user productivity.

Enterprise Application Management auto-updates reach general availability

The centerpiece of this release is the general availability of auto-update functionality within Enterprise Application Management (EAM), a feature first introduced in public preview last year. EAM allows organizations to discover, deploy, and now automatically update a curated catalog of third-party applications—such as Adobe Acrobat, Google Chrome, Zoom, and Notepad++—directly through the Intune admin center. Microsoft has partnered with a growing list of independent software vendors (ISVs) to provide these packaged apps, which are maintained and tested by the vendor or Microsoft itself.

Auto-updating marks a departure from traditional software distribution models where IT teams had to manually repackage and push new versions of applications via Win32 app deployments. With the GA release, administrators can set update rings and maintenance windows akin to Windows Update for Business, dictating how quickly apps receive the latest patches. The engine respects existing deployment rings, allowing a phased rollout: pilot devices can get updates immediately, while broad deployment lags by a configurable number of days. If an update introduces a critical issue, administrators can pause or roll back to the previous version from the Intune console.

Under the hood, EAM leverages the Intune Management Extension (IME) on Windows devices and a native agent on macOS to detect installed applications and orchestrate updates. Microsoft’s cloud service evaluates the installed version against the latest available package in the repository and triggers a silent installation during the next maintenance window. For apps running at the time, a user notification prompts for a save and restart, similar to how Windows Update handles feature updates. Early adopters in the preview program reported a 40% reduction in time spent on patch management, according to internal Microsoft telemetry shared in a technical community blog post.

The update also introduces compliance integration: if a critical security update for an EAM-managed app is available and not installed, the device can be marked non-compliant, triggering conditional access blocks. This closes a gap that previously left third-party apps as a blind spot in many zero-trust architectures. Microsoft has published a guidance document detailing how to migrate existing Win32 app deployments to EAM-managed apps, emphasizing that the transition can be done incrementally without disrupting current assignments.
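To make the ring and compliance behaviour described above concrete, here is a small model of how deferral rings, pause, no-downgrade and the compliance gate for critical updates fit together. It is an added illustration, not Intune or EAM code: the ring names, deferral days, catalog entries, version numbers and device records are constructed, and the "no downgrade" branch also covers the newer-than-catalog case the article mentions for macOS upgrades.

```python
"""Ring-based auto-update scheduling and compliance for a third-party app
catalog. Added illustration only: this is not Intune or EAM code, and the
ring names, deferral days, catalog entries and devices below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class CatalogEntry:
    app: str
    version: Version
    released: date          # when the vendor package landed in the catalog
    critical: bool = False  # security-critical update gates compliance
    paused: bool = False    # admin paused the rollout from the console


@dataclass(frozen=True)
class Ring:
    name: str
    deferral_days: int      # delay after release before this ring installs


@dataclass
class Device:
    name: str
    ring: str
    installed: Dict[str, Version]


def parse_version(text: str) -> Version:
    """'125.0.1' -> (125, 0, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def update_due(entry: CatalogEntry, ring: Ring, today: date) -> bool:
    """An update is due for a ring once its deferral window has elapsed."""
    if entry.paused:
        return False
    return today >= entry.released + timedelta(days=ring.deferral_days)


def plan_device(device: Device, catalog: List[CatalogEntry],
                rings: Dict[str, Ring], today: date) -> Dict[str, str]:
    """Decide, per catalog app, what the agent would do on this device."""
    ring = rings[device.ring]
    plan = {}
    for entry in catalog:
        current = device.installed.get(entry.app)
        if current is None:
            plan[entry.app] = "not-installed"
        elif current > entry.version:
            plan[entry.app] = "newer"        # never downgrade
        elif current == entry.version:
            plan[entry.app] = "current"
        elif entry.paused:
            plan[entry.app] = "paused"
        elif update_due(entry, ring, today):
            plan[entry.app] = "install"      # runs in next maintenance window
        else:
            plan[entry.app] = "deferred"
    return plan


def is_compliant(device: Device, catalog: List[CatalogEntry],
                 rings: Dict[str, Ring], today: date) -> bool:
    """Non-compliant only when a critical update is due for the ring and
    still missing; deferred or paused updates do not fail the device."""
    plan = plan_device(device, catalog, rings, today)
    return not any(entry.critical and plan[entry.app] == "install"
                   for entry in catalog)


# Constructed sample data
RINGS = {"pilot": Ring("pilot", 0), "broad": Ring("broad", 7)}
CATALOG = [
    CatalogEntry("chrome", parse_version("125.0.1"), date(2026, 6, 1), critical=True),
    CatalogEntry("zoom", parse_version("6.1.0"), date(2026, 6, 5)),
]
PAUSED_CATALOG = [
    CatalogEntry("chrome", parse_version("125.0.1"), date(2026, 6, 1),
                 critical=True, paused=True),
]
PILOT_PC = Device("lab-01", "pilot", {"chrome": (124, 0, 0), "zoom": (6, 1, 0)})
BROAD_PC = Device("fin-17", "broad", {"chrome": (124, 0, 0), "zoom": (6, 0, 0)})
NEWER_PC = Device("dev-02", "pilot", {"chrome": (126, 0, 0)})
DAY_EARLY = date(2026, 6, 4)   # broad ring still inside its 7-day deferral
DAY_LATE = date(2026, 6, 10)   # broad ring past deferral for chrome, not zoom

if __name__ == "__main__":
    for day in (DAY_EARLY, DAY_LATE):
        for dev in (PILOT_PC, BROAD_PC):
            state = "compliant" if is_compliant(dev, CATALOG, RINGS, day) else "NON-COMPLIANT"
            print(day, dev.name, plan_device(dev, CATALOG, RINGS, day), state)
```

The compliance rule deliberately keys on "due for this ring and missing" rather than "any newer version exists", so a broad-ring device is not flagged during its deferral window and a paused rollout does not push a fleet into conditional-access blocks.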

Endpoint Privilege Management gains custom approval workflows and JIT elevation

Endpoint Privilege Management (EPM), which has been rapidly evolving since its initial release, receives a significant boost in this release. The headline addition is support for custom approval workflows when standard users request elevated privileges. Previously, EPM allowed elevation based solely on predefined rules—such as file hash or publisher certificate—with an option for automatic approval or denial. Now, organizations can route elevation requests to a manager or a designated IT security team via Microsoft Teams, email, or a web-based approval portal.

This workflow is powered by a new connector that integrates with Microsoft Power Automate, allowing organizations to design multi-step approvals. For example, a request to run a PowerShell script with administrative rights could automatically trigger a notification to the user’s direct manager and require a second approver from the security team for certain high-risk commands. The entire process is logged in the Intune audit log, providing a clear chain of custody for compliance purposes. Microsoft has also added the ability to set time-bound elevations: an approval can be granted for 15 minutes, 1 hour, or a custom duration, after which the elevated token is revoked.

Another key enhancement is just-in-time (JIT) elevation for specific Windows tasks, such as adding a printer or modifying network settings. Instead of granting blanket local admin rights, EPM can now elevate individual actions within the Windows Settings app or Control Panel. This granularity reduces the attack surface dramatically. In a demonstration at the Microsoft Management Summit, a support engineer showed how a user could add a Bluetooth device without ever entering admin credentials, while attempting to open an elevated command prompt from the same session would still trigger an elevation request.

Microsoft has also deepened integration with Defender for Endpoint. EPM events are now enriched with threat intelligence, so if an elevation request is associated with a known malicious binary or behavior, it can be automatically blocked regardless of policy. This aligns with the broader Copilot for Security initiative, where AI-driven insights surface high-risk elevation patterns across the estate. The June release also supports elevation policies on Windows 365 Cloud PCs and Azure Virtual Desktop, extending the benefits to virtualized environments.
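The approval chain, time-bound grant and audit trail described for EPM can be modelled in a few dozen lines. The following is an added illustration rather than EPM, Power Automate or Intune code: the list of executables that require a second approver, the approver roles, the action names and the timestamps are all constructed assumptions.

```python
"""Time-bound, approval-gated privilege elevation with an audit trail.
Added illustration only: not EPM, Power Automate or Intune code. The
high-risk executable list, approver roles, action names and timestamps
are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumption: these executables need a second approver from the security team.
HIGH_RISK = {"powershell.exe", "cmd.exe"}

MINUTE = timedelta(minutes=1)
START = datetime(2026, 6, 15, 9, 0)   # constructed reference time


def required_approvers(executable: str) -> List[str]:
    """Manager always approves; high-risk commands also need security."""
    roles = ["manager"]
    if executable.lower() in HIGH_RISK:
        roles.append("security")
    return roles


@dataclass
class ElevationRequest:
    request_id: int
    user: str
    executable: str
    duration: timedelta
    approvals: Dict[str, str] = field(default_factory=dict)  # role -> approver
    granted_at: Optional[datetime] = None
    revoked: bool = False

    @property
    def required(self) -> List[str]:
        return required_approvers(self.executable)

    def expires_at(self) -> Optional[datetime]:
        return None if self.granted_at is None else self.granted_at + self.duration


class ElevationBroker:
    """Routes requests through the approval chain and revokes on expiry."""

    def __init__(self) -> None:
        self.audit: List[dict] = []
        self._next_id = 1

    def _log(self, event: str, req: ElevationRequest, when: datetime, **details):
        self.audit.append({"when": when.isoformat(), "event": event,
                           "request": req.request_id, "user": req.user,
                           "executable": req.executable, **details})

    def request(self, user: str, executable: str, duration: timedelta,
                now: datetime) -> ElevationRequest:
        req = ElevationRequest(self._next_id, user, executable, duration)
        self._next_id += 1
        self._log("requested", req, now, approvers=req.required)
        return req

    def approve(self, req: ElevationRequest, role: str, approver: str,
                now: datetime) -> bool:
        """Record one approval; returns True once the grant becomes active."""
        if role not in req.required:
            raise ValueError(f"role {role!r} is not in the approval chain")
        if req.granted_at is not None:
            return not req.revoked          # already decided
        req.approvals[role] = approver
        self._log("approved", req, now, role=role, approver=approver)
        if all(r in req.approvals for r in req.required):
            req.granted_at = now            # clock starts at final approval
            self._log("granted", req, now, expires=req.expires_at().isoformat())
            return True
        return False

    def revoke_expired(self, req: ElevationRequest, now: datetime) -> bool:
        """Revoke once the window has passed; True only on the transition."""
        if req.granted_at is None or req.revoked or now < req.expires_at():
            return False
        req.revoked = True
        self._log("revoked", req, now, reason="expired")
        return True

    def is_elevated(self, req: ElevationRequest, now: datetime) -> bool:
        """Check the grant, revoking it first if the window has closed."""
        self.revoke_expired(req, now)
        return req.granted_at is not None and not req.revoked


if __name__ == "__main__":
    broker = ElevationBroker()
    req = broker.request("alice", "powershell.exe", 15 * MINUTE, START)
    broker.approve(req, "manager", "bob", START + 1 * MINUTE)
    broker.approve(req, "security", "carol", START + 3 * MINUTE)
    print("elevated at +10 min:", broker.is_elevated(req, START + 10 * MINUTE))
    print("elevated at +18 min:", broker.is_elevated(req, START + 18 * MINUTE))
    for entry in broker.audit:
        print(entry)
```

Two design points carry over to any real implementation: the elevation clock starts at the final approval, not at the request, so a slow approver cannot silently shorten the usable window; and every state transition is written to the audit list before the function returns, which is what gives the "chain of custody" the article refers to.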

Apple enrollment gets a streamlined, modern makeover

Apple device management has been a growing priority for Intune, and this release brings the most substantial enrollment improvements since the introduction of platform SSO. The headline change is support for the new “Account-Driven Device Enrollment” for iOS and iPadOS, which Apple introduced in its latest OS updates to simplify the BYOD experience. Users can now enroll a personal device by simply signing in with their managed Apple ID at the initial setup screen, without needing to navigate to a web portal or download a management profile manually. For organizations using federated Apple IDs, the experience mirrors the seamless sign-in of corporate Windows devices.

On macOS, the Automated Device Enrollment (ADE) flow now supports the configuration of Platform Single Sign-On (SSO) during the Setup Assistant phase, eliminating the extra steps previously required post-enrollment. When a user powers on a new Mac for the first time, the device connects to Apple’s activation servers, identifies the MDM server, and immediately configures SSO for local account login. This means users can authenticate with Azure AD credentials from the first moment, gaining immediate access to corporate resources without setting up a local password. Microsoft has worked closely with Apple to ensure that the Secure Enclave-backed tokens are provisioned correctly, a technical hurdle that delayed this feature in earlier Intune previews.

Also notable is the expansion of macOS software update management capabilities. Intune can now enforce a specific major macOS upgrade version—such as macOS 26—by a deadline, much like Windows feature update policies. If a Mac doesn’t update by the enforcement date, it can be marked non-compliant and restricted from corporate resources. The update rings feature, previously limited to minor updates, now covers major upgrades, giving IT full control over the upgrade cadence. For devices that are already on a newer version, Intune will detect and report compliance without forcing a downgrade.

Apple Watch management also graduates from preview for organizations deploying watchOS devices used for productivity or health monitoring. Administrators can now enforce compliance policies, push apps, and remotely wipe corporate data from managed Apple Watches paired with supervised iPhones. This is particularly relevant for frontline workers who use wearables for communication or safety applications.

Additional updates: Windows images, Linux support, and reporting

Beyond the flagship features, the June 2026 release includes several smaller but impactful enhancements. Windows Autopilot now supports pre-provisioned Windows 11 25H2 images directly from the cloud, reducing the need for on-premises imaging infrastructure. IT can choose from a library of Microsoft-maintained base images that include the latest cumulative updates, .NET Framework, and runtime libraries. This cuts deployment time by up to 30%, according to Microsoft’s internal testing, as the device no longer needs to download updates during the out-of-box experience.

Linux management also receives a notable update with the addition of full disk encryption policy enforcement across Ubuntu, Red Hat Enterprise Linux, and Debian distributions. Using the native dm-crypt and LUKS tools, Intune can now mandate encryption and escrow recovery keys to Azure AD, providing a unified recovery experience across Windows, macOS, and Linux. This closes a long-standing gap for organizations running mixed-OS environments.

On the reporting front, Microsoft has introduced a new “Endpoint Analytics: Application Reliability” report that correlates application crashes and hangs with update deployments. If an EAM auto-update rollout causes a spike in crashes for a specific app, IT can immediately pause the update and investigate. The report leverages the Windows Error Reporting data stream and the Intune data platform, offering near real-time insights.
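The "crash spike after rollout" correlation is simple enough to show end to end. The block below is an added illustration, not the Endpoint Analytics report or its data model: the daily crash-count log lines, the rollout date and the spike thresholds are constructed, and the decision it produces is the pause/continue call an operator would make in the console.

```python
"""Spot a crash spike that follows an auto-update rollout, from daily crash
counts. Added illustration only: not the Endpoint Analytics report or its
data model. The log lines, rollout date and thresholds are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Tuple

# Constructed daily crash counts, one line per app per day.
SAMPLE_LOG = """\
2026-06-01 app=chrome crashes=10
2026-06-01 app=zoom crashes=5
2026-06-02 app=chrome crashes=12
2026-06-02 app=zoom crashes=4
2026-06-03 app=chrome crashes=11
2026-06-03 app=zoom crashes=6
2026-06-04 app=chrome crashes=9
2026-06-04 app=zoom crashes=5
2026-06-05 app=chrome crashes=10
2026-06-05 app=zoom crashes=5
2026-06-06 app=chrome crashes=12
2026-06-06 app=zoom crashes=4
2026-06-07 app=chrome crashes=13
2026-06-07 app=zoom crashes=5
2026-06-08 app=chrome crashes=30
2026-06-08 app=zoom crashes=5
2026-06-09 app=chrome crashes=34
2026-06-09 app=zoom crashes=6
2026-06-10 app=chrome crashes=31
2026-06-10 app=zoom crashes=4
"""

ROLLOUT_DAY = date(2026, 6, 8)   # constructed: both apps were updated this day


def parse_crash_log(text: str) -> Dict[str, List[Tuple[date, int]]]:
    """Group 'YYYY-MM-DD app=<name> crashes=<n>' lines by app."""
    records: Dict[str, List[Tuple[date, int]]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        day_text, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        records.setdefault(kv["app"], []).append(
            (date.fromisoformat(day_text), int(kv["crashes"])))
    return records


@dataclass
class Assessment:
    app: str
    baseline: float   # mean crashes/day before the rollout
    post: float       # mean crashes/day in the window after it
    flagged: bool
    reason: str


def assess_rollout(records: Dict[str, List[Tuple[date, int]]], app: str,
                   rollout: date, window_days: int = 3, factor: float = 2.0,
                   min_crashes: int = 10) -> Assessment:
    """Flag when the post-rollout rate is both above a noise floor and more
    than `factor` times the pre-rollout baseline."""
    series = records.get(app, [])
    before = [n for d, n in series if d < rollout]
    after = [n for d, n in series
             if rollout <= d < rollout + timedelta(days=window_days)]
    if not before or not after:
        return Assessment(app, 0.0, 0.0, False, "insufficient data")
    base, post = mean(before), mean(after)
    if post >= min_crashes and post > factor * base:
        return Assessment(app, base, post, True,
                          f"{post:.1f}/day vs baseline {base:.1f}/day")
    return Assessment(app, base, post, False, "within baseline")


def rollout_actions(records: Dict[str, List[Tuple[date, int]]],
                    rollouts: Dict[str, date]) -> Dict[str, str]:
    """Map each app to 'pause' or 'continue' for the console operator."""
    return {app: ("pause" if assess_rollout(records, app, day).flagged else "continue")
            for app, day in rollouts.items()}


if __name__ == "__main__":
    recs = parse_crash_log(SAMPLE_LOG)
    for app in sorted(recs):
        a = assess_rollout(recs, app, ROLLOUT_DAY)
        print(f"{app}: flagged={a.flagged} ({a.reason})")
    print(rollout_actions(recs, {"chrome": ROLLOUT_DAY, "zoom": ROLLOUT_DAY}))
```

The `min_crashes` floor matters in practice: an app that goes from one crash a day to three has tripled, but pausing a security update over that would be the wrong trade, so the rate multiplier and the absolute floor are checked together.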

Strategic implications and what’s next

The June 2026 update solidifies Intune’s position as a unifying layer across diverse endpoint ecosystems. By hardening application patch automation and privilege controls, Microsoft is directly addressing two of the most exploited vectors in ransomware attacks: unpatched software and excessive administrative privileges. The Apple enrollment improvements reflect the reality of hybrid workplaces where user choice often tilts toward Mac and iPhone devices. Microsoft’s willingness to invest in native Apple management tooling—rather than forcing users onto Windows—shows a pragmatic understanding of enterprise diversity.

For IT decision-makers, the immediate action items are clear: evaluate migrating existing third-party application deployments to EAM to leverage auto-updating, pilot the custom approval workflows for privilege management to reduce help desk tickets, and test the new Apple enrollment flows before the next hardware refresh cycle. Microsoft has stated that the previous Intune release’s features (June 2025) will remain supported for 12 months, so organizations have a comfortable transition window.

Looking ahead, the Intune roadmap teases deeper integration with Microsoft’s Copilot for Security, which will soon be able to generate elevation policies based on observed usage patterns and recommend application deployment rings using machine learning. While some of these capabilities are still in private preview, the June 2026 release lays the governance and automation foundation needed for AI-driven endpoint management. As one Microsoft program manager noted in a Tech Community AMA, “We’re not just closing the gap with competitors; we’re redefining what it means to manage endpoints in a zero-trust world.”