Intune: Vulnerability Management and App Updates, June 2026’s New Features

On June 25, 2026, Microsoft unveiled the latest Intune updates, with AI and vulnerability reduction at the forefront. On the menu: an AI agent capable of prioritizing CVEs on Windows endpoints, automatic app updates now generally available, Endpoint Privilege Management extended to shared devices, and a licensing shift to plan for before July 1, 2026. Here’s the key information you need to know.

Microsoft Intune strengthens its fight against security vulnerabilities

The first area Microsoft tackled in June 2026 was reducing the exposure window for vulnerabilities. The automatic updates feature in Enterprise Application Management (EAM) is now generally available. It keeps managed applications on the latest available minor version (for example, automatically moving from 4.1 to 4.2), without repackaging or administrator intervention.

According to Microsoft documentation, this applies to Enterprise App Catalog applications assigned in the “Required” mode on Windows 10 and Windows 11. Even if this is still far from the approach offered by Robopack, it is a welcome first step forward.

That still leaves the risk that appears between two update cycles. This is where an AI agent called the Vulnerability Remediation Agent comes in, now available in public preview. Operating within Microsoft Security Copilot, it relies on Microsoft Defender Vulnerability Management to prioritize CVEs on Intune-managed Windows devices based on several criteria:

  • The vulnerability’s CVSS score,
  • Exposure impact,
  • The number of affected devices.

The recommendations appear in the Intune admin center, with a Copilot-assisted impact summary, exposed systems, and a remediation guide, and can then be marked as addressed. Two limitations are worth noting: in preview, the agent only covers Windows client editions (not Windows Server) and does not provide any automatic remediation. It is still up to the administrator to take action!

Another new feature in June 2026: the agent now runs under a dedicated Microsoft Entra agent identity, rather than under a user account tied to a human, which limits its scope and provides clear audit logging.

Expanded privileges, Apple enrollment, and M365 E5

The risk also comes from who gets privileges, and how. Two Endpoint Privilege Management (EPM) capabilities are now generally available for environments that do not follow the “one user per device” model (in other words, shared devices):

  • Approval requests for non-owner users, which extend elevation requests to any user on a device (useful on workstations shared by multiple teams).
  • System-level network configuration, which allows standard users to change certain network settings (IP address, gateway, DNS) without local administrator rights, where a support ticket or temporary admin rights were previously required.

“Administrators can now pre-authorize certain network changes through rules and no longer have to choose between productivity and control,” Microsoft explains.

On the Apple side, Microsoft is revisiting Automated Device Enrollment (ADE), the mechanism that enrolls corporate iPhone, iPad, and Mac devices without user intervention from the very first startup. iOS/iPadOS and macOS profiles are moving to a new infrastructure, with a redesigned experience and more granular settings.

But the real benefit for IT teams is enrollment time grouping (ETG), now generally available across all platforms. Until now, a freshly enrolled Mac or iPhone could reach the employee before all security policies and business applications had been applied: the user waited, the device remained partially exposed, and support was flooded with “where are my apps?” tickets. With ETG, the device is assigned to its group as soon as it is enrolled: compliance and required applications are already in place when the employee unlocks the screen for the first time. Apple is thus catching up with the Zero Touch provisioning model administrators know on Windows with Autopilot.

One last point to note: EPM and EAM are joining the Microsoft 365 E5 offering as of July 1, 2026, in line with the Microsoft 365 feature and pricing changes announced in December 2025. More features in a license are always good news!

Find all the details in this article published by Microsoft.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
