Last week, 14 new features were introduced in Microsoft Intune, affecting Windows, Android and Apple devices. In addition, there are 2 new features in public preview. These updates strengthen the security posture and improve the user experience in enterprises. #MicrosoftIntune #Windows #Android #AppleGeräte #PublicPreview #Geräteverwaltung #ITManagement #KaffeeUndCode
Cross-platform:
- Newly available protected apps for Intune: The following protected apps are now available for Microsoft Intune: For more information about protected apps, see Microsoft Intune protected apps.
- In-place renewal of Cloud PKI issuing certification authorities (CAs): Microsoft Intune now supports in-place renewal of eligible Cloud PKI issuing certification authorities (CAs). Previously, renewing an issuing CA required creating a new CA and manually updating dependent SCEP certificate profiles, which increased operational overhead and configuration risk.
- Vulnerability Remediation Agent now uses Microsoft Entra agentic identity (Public Preview): This feature is rolling out to tenants gradually and may take several weeks to become available in your environment. The Vulnerability Remediation Agent is now available to all customers in public preview.
Windows:
- New Microsoft Edge settings in the Windows settings catalog: There are new Microsoft Edge 148 settings in the Windows settings catalog. To see and configure these settings in Intune, create a Windows settings catalog profile (Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type).
- Detect and block Shadow AI using the properties catalog, device query, and a security baseline (Public Preview): Using Intune, you can detect and block a Local AI Agent, like OpenClaw, on Windows devices enrolled in Intune. Specifically, you can: This feature is in public preview.
Android:
- Managed Home Screen exit lock task mode password now requires a device configuration profile: You can no longer configure the Managed Home Screen exit lock task mode password by using an app configuration policy. To set or update the lock task mode password for Managed Home Screen, create or update a device configuration profile that defines the lock task mode password policy.
- New Block Bluetooth sharing setting in the Android Enterprise settings catalog: There’s a new Block Bluetooth sharing setting in the settings catalog (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Settings catalog for profile type > General). When set to True, the device can’t share content over Bluetooth.
- Silence apps on Managed Home Screen to prevent session PIN bypass: For devices using Managed Home Screen (MHS), you can now silence apps whenever MHS prompts the user for authentication, such as during sign-in or at the session PIN screen. When silenced, apps can’t start activities, display notifications, appear in recent apps, or trigger toasts, dialogs, or device ringing.
- Strict Tunnel Mode for Microsoft Tunnel on Android: Microsoft Tunnel now supports Strict Tunnel Mode on Android Enterprise devices. When Strict Tunnel Mode is enabled, all network traffic is forced through the VPN tunnel.
- Grant enhanced security permissions to a Mobile Threat Defense app on Android: A new Mobile Threat Defense role category is available on the Mobile Threat Defense connector configuration page in the Microsoft Intune admin center. The Grant MTD role permissions to on enrolled Android COBO and COPE devices toggle lets you grant enhanced security permissions to one Mobile Threat Defense partner app, such as Microsoft Defender for Endpoint or a supported third-party partner, on enrolled Android Enterprise corporate-owned fully managed (COBO) and Android Enterprise corporate-owned work profile (COPE) devices.
iOS/macOS:
- APP Multiple Managed Accounts: Microsoft Intune mobile application management now supports Multiple Managed Accounts, letting users add and manage more than one managed account within the same app. App protection policies apply separately to each account, so you can tailor protection based on the account’s organization or tenant.
- Disable MAC address randomization on macOS Wi-Fi profiles: On macOS devices, the Disable MAC address randomization setting is now available for Wi-Fi profiles. Use this setting to disable MAC address randomization on managed macOS devices.
- Use DDM to manage Apple Intelligence settings on devices running 26.4 and later: With the release of 26.4, Apple deprecated several intelligence-related settings in the MDM restrictions payload.
- New Wired Networks device configuration profile for iOS/iPadOS: There’s a new 802.1x Wired Networks device configuration profile for iOS/iPadOS devices.
Public Preview & Beta:
- Detect and block Shadow AI using the properties catalog, device query, and a security baseline (Public Preview): Using Intune, you can detect and block a Local AI Agent, like OpenClaw, on Windows devices enrolled in Intune. Specifically, you can: This feature is in public preview.
- Vulnerability Remediation Agent now uses Microsoft Entra agentic identity (Public Preview): This feature is rolling out to tenants gradually and may take several weeks to become available in your environment. The Vulnerability Remediation Agent is now available to all customers in public preview.
Conclusion:
The current Microsoft Intune updates improve the efficiency and security of device and application management, particularly for Windows, Android and Apple devices. IT administrators can now carry out their tasks more effectively and securely, which leads to an improved user experience.