Microsoft Intune Updates March 2026: What Matters From the Week of March 30

Microsoft's Intune release for the week of March 30, 2026 is one of those updates that looks routine until you slow down and read it properly. On the surface it is another long weekly list. In practice, it pushes three areas forward at the same time: Apple management, Windows operations, and RBAC governance.

The Apple side is probably the headline for me. Microsoft added Declarative Device Management for required iOS and iPadOS line-of-business apps, expanded Apple settings catalog coverage in a big way, and finally brought Recovery Lock controls to macOS devices. If you spend any time managing corporate Apple fleets, that is not background noise.

Windows admins were not ignored either. Hotpatching becomes the default for eligible Windows Autopatch devices with the May 2026 security update, Remote Help picked up a new network endpoint requirement plus a new Intune Management Extension (IME) log, and the Windows settings catalog added a targeted way to remove the Microsoft Copilot app. Then there is the governance piece. Scoped permissions for Intune RBAC is only in public preview for now, but it could end up being the most important long-term change in the whole batch.

One quick note before we get into it: I verified this against the live Microsoft Learn page on April 2, 2026. That matters because the live page currently includes a Support Assistant item that did not show up in the raw markdown mirror I use for change tracking. It is a small reminder that automation is helpful, but source verification still wins.

TL;DR

  • Apple management got the strongest set of updates this week, especially DDM for required iOS and iPadOS LOB apps and Recovery Lock for macOS.
  • Windows Autopatch hotpatching goes default-on for eligible devices with the May 2026 security update, so this is the right week to validate readiness.
  • Linux support keeps maturing with RHEL 9 and 10 support and a new Microsoft Identity Broker path for stronger SSO and phishing-resistant MFA (PRMFA) scenarios.
  • Scoped permissions for Intune RBAC is the governance story to watch because it fixes a real permission-merging problem and ships with a Permissions Assessment Report.
  • There are also several practical smaller changes around analytics telemetry, Support Assistant access, protected apps, and device query results.

Area         Main takeaway
Apple        DDM app management, Recovery Lock, and Apple Intelligence controls make this the strongest Apple-focused Intune week in a while.
Windows      Hotpatch default enablement is the big operational change, with smaller but useful additions around Remote Help and settings catalog controls.
Linux        RHEL 9 and 10 support plus the new broker path show Microsoft is still investing in Linux management and authentication.
Governance   Scoped permissions is the RBAC fix many tenants probably need, but it deserves careful review before anyone enables it.

Apple Management Changes

DDM for in-house iPhone and iPad apps is a real step forward

The most interesting Apple app management change is that Intune now supports Apple Declarative Device Management for required line-of-business apps on iOS and iPadOS 18 and later. In the app record, admins can now choose Management type: DDM instead of sticking with classic MDM.

That is more than a label change. Microsoft says the DDM path gives more efficient app delivery, real-time app status reporting, and expanded app attribute options such as associated domains. If you have ever waited on stale app state and then had to guess whether an internal app actually landed on a device, that part alone should get your attention.

There is a practical catch, and it matters. Microsoft also notes that MAM-enabled apps stay on MDM, and app configuration policies still work only for MDM-based apps. So this is not a blanket move-everything-to-DDM story. If your internal app strategy depends on Intune app configuration policies, you need to test carefully before making the switch.

Recovery Lock gives Mac admins something they have been missing

Recovery Lock for macOS might be the most operationally useful Apple change in the release. Intune can now set a recoveryOS password on supervised Apple silicon Macs, so a user cannot boot into recovery without it, which blocks the usual routes to reinstalling macOS or bypassing remote management on company-owned machines. Admins enable it through the settings catalog, set a password rotation schedule, and can rotate the password on demand through a remote device action.

That matters because this is not just another compliance flag. It is closer to a guardrail around device control. If a Mac can be taken into recovery and stepped outside your management posture, the rest of your controls start to look thinner than you want.

Microsoft also filled in the details that security and operations teams will care about. The Recovery Lock password can be viewed in Passwords and keys, and the signed-in admin needs the specific permissions to view or rotate that password. On top of that, Microsoft says the feature is rolling out gradually and expects full availability by late April 2026.

Apple Intelligence controls keep getting more concrete

The Apple settings catalog additions are broad, but they point in one clear direction: Microsoft is trying to give admins much better control over Apple Intelligence-era behavior on managed devices.

On iOS and iPadOS, Microsoft added DDM settings for things like Allow Apple Intelligence Report, Allow Genmoji, Allow Image Playground, Allow Writing Tools, Mail > Allow Smart Replies, Mail > Allow Summary, and multiple dictation and transcription controls. macOS picked up a similar pattern, plus new File Provider controls and Allow Rosetta Usage Awareness.

I do not think the story here is just that AI showed up again. The real story is that these user-facing features are turning into admin decisions. Summaries, smart replies, transcription, and on-device-only controls all touch productivity, privacy, and data handling at the same time.

Windows Management And Security

The Windows settings catalog keeps getting more precise

Microsoft called out two new Windows settings catalog items this week, and one of them is more important than it might sound at first.

The first is Connectivity > Disable Cross Device Resume. This lets admins turn off the experience where Windows suggests picking up activity from another linked device. That is useful if you want managed corporate machines to feel more like work endpoints and less like consumer continuity hubs.

The second is Windows AI > Remove Microsoft Copilot App, and this is the one I expect more teams to care about. Microsoft says the policy can uninstall the Microsoft Copilot app in targeted cases where both Microsoft 365 Copilot and Microsoft Copilot are installed, the user did not install the Microsoft Copilot app themselves, and it has not been opened in the last 14 days.

That sounds narrow, but I like the direction. It is a cleanup policy, not a blunt hammer. For organizations trying to keep a clean Microsoft 365 Copilot rollout without every possible Copilot surface hanging around, that is a useful distinction.

Remote Help picked up a small change that could save a support call

Microsoft also improved connectivity for launching Remote Help from the Intune admin center on Windows devices. The practical action item is to allow the endpoint *.trouter.communications.svc.cloud.microsoft.

This is exactly the kind of change that gets missed until the help desk starts hearing “it worked yesterday” stories. If your network team tightly controls outbound access, this should go on the review list now, not after someone loses an hour troubleshooting it live.

Microsoft also added NotificationInfra.log to the Intune Management Extension (IME) logs. That is a small quality-of-life improvement for support teams because it gives one more concrete place to look when notification-driven behavior feels inconsistent.

Hotpatching is moving from optional idea to default behavior

The big Windows story is still hotpatching. Starting with the May 2026 Windows security update, hotpatch updates will be enabled by default for eligible devices managed through Windows Autopatch. Microsoft made the tenant-level opt-out available on April 1, 2026, and quality update policies can override behavior for specific device groups.

This is the moment where hotpatch stops being a feature you admire from a distance. It is about to become the default path for eligible devices unless you decide otherwise.

That does not mean it is risky by definition. The value proposition is obvious: faster security updates and fewer restarts. But I would still treat this as a test-and-decide change, not a “we will look at it later” change. Microsoft's own eligibility list is specific. Devices need Windows 11 version 24H2, the current baseline, an x64 CPU, VBS enabled, and a hotpatch-enabled Windows quality update policy managed through Intune.
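As an added readiness check, not Microsoft's own tooling: the PowerShell below reads the prerequisites the page lists from the local device. It assumes build 26100 as the 24H2 floor, Win32_DeviceGuard status code 2 as "VBS running", and the "MS DM Server" ProviderID under HKLM:\SOFTWARE\Microsoft\Enrollments as the marker of an Intune MDM enrollment; it reports the edition for reference because licensing requirements apply. It cannot see whether a hotpatch-enabled quality update policy is assigned to the device, which you confirm in the admin center.

```powershell
# Added example (not Microsoft's code): local hotpatch prerequisite check.
# Run in an elevated PowerShell on the Windows 11 device you want to assess.

function Test-HotpatchReadiness {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    # Assumption: 24H2 ships as build 26100, so treat that as the floor.
    # Whether the device is on the *current* baseline (UBR) is compared
    # against your own release tracking, not here.
    $is24H2 = ($cv.DisplayVersion -eq '24H2') -or ($build -ge 26100)

    # Hotpatch is x64 only; Arm64 and x86 fail this check.
    $isX64 = [System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture -eq 'X64'

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running,
    # 2 = running (assumption documented with the Win32_DeviceGuard class).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Assumption: an Intune MDM enrollment leaves an Enrollments subkey whose
    # ProviderID is 'MS DM Server'. Non-enrollment subkeys have no ProviderID
    # and are filtered out.
    $enrolled = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Edition        = $cv.EditionID          # informational: licensing applies
        Build          = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        Windows24H2    = $is24H2
        X64            = $isX64
        VbsRunning     = $vbsRunning
        IntuneEnrolled = [bool]$enrolled
        # Policy assignment is not visible locally; check the admin center.
        LocalPrereqsOk = $is24H2 -and $isX64 -and $vbsRunning -and [bool]$enrolled
    }
}

Test-HotpatchReadiness | Format-List
```

Run it through your existing remediation or Proactive Remediations pipeline if you want fleet-wide numbers; the object it returns is flat on purpose so the columns can be aggregated without further parsing.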

Linux Platform Changes

Linux support in Intune still does not get the same attention as Windows or Apple, but the March 30 release is a good reminder that Microsoft is continuing to invest in it.

First, Intune now supports RHEL 9 LTS and RHEL 10 LTS. At the same time, Microsoft set an end date for RHEL 8 LTS support in July 2026. Existing RHEL 8 devices stay enrolled, which makes this a manageable transition rather than an emergency. Still, it puts a date on the calendar, and that matters.

Second, the Microsoft Intune app for Linux now supports Microsoft Identity Broker. According to Microsoft, broker version 2.0.2 introduces a major architectural change from the previous Java-based broker and enables stronger SSO experiences, including phishing-resistant MFA, smart card authentication, and certificate-based authentication with Microsoft Entra ID.

I think that second point is the more strategic one. Linux in enterprise identity often gets stuck at the uncomfortable edge of the platform story. Strong auth, consistent broker behavior, and supportable SSO patterns are where a lot of the friction lives. Microsoft is clearly trying to close that gap.

If your Linux footprint is real, not experimental, there are two immediate follow-ups from this release. First, find your RHEL 8 devices and decide on an upgrade path before July 2026 becomes somebody else's crisis. Second, review whether the new broker path changes how you want to approach Linux authentication and phishing-resistant MFA pilots.
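One way to do the first follow-up, as an added example rather than anything Microsoft ships: pull the Linux devices from Intune and bucket them by reported major version. The device objects below are constructed sample data; the commented Graph call shows where real ones come from. It assumes Intune reports the RHEL major version at the start of the osVersion string, which you should confirm against one known device before trusting the counts.

```powershell
# Added example (not Microsoft's code): RHEL major-version inventory from
# Intune managed-device records.

function Get-LinuxMajorVersionSummary {
    param([Parameter(Mandatory)] [object[]]$Devices)
    # Assumption: OSVersion starts with the major version, e.g. "8.10".
    $Devices |
        Where-Object { $_.OperatingSystem -eq 'Linux' } |
        Group-Object { ($_.OSVersion -split '\.')[0] } |
        Select-Object @{ n = 'Major'; e = { $_.Name } }, Count |
        Sort-Object Major
}

function Select-LinuxDevicesByMajorVersion {
    param(
        [Parameter(Mandatory)] [object[]]$Devices,
        [string]$MajorVersion = '8'
    )
    $pattern = "^$([regex]::Escape($MajorVersion))(\.|$)"
    $Devices |
        Where-Object { $_.OperatingSystem -eq 'Linux' -and $_.OSVersion -match $pattern } |
        Select-Object DeviceName, OSVersion, UserPrincipalName, LastSyncDateTime
}

# Real tenant: after Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
# $devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Linux'" -All

# Constructed sample data standing in for the Graph result.
$devices = @(
    [pscustomobject]@{ DeviceName = 'rhel8-build01'; OperatingSystem = 'Linux'; OSVersion = '8.10';
                       UserPrincipalName = 'carol@contoso.example';  LastSyncDateTime = (Get-Date).AddDays(-1) }
    [pscustomobject]@{ DeviceName = 'rhel8-ci02';    OperatingSystem = 'Linux'; OSVersion = '8.9';
                       UserPrincipalName = 'dave@contoso.example';   LastSyncDateTime = (Get-Date).AddDays(-12) }
    [pscustomobject]@{ DeviceName = 'rhel9-dev03';   OperatingSystem = 'Linux'; OSVersion = '9.5';
                       UserPrincipalName = 'erin@contoso.example';   LastSyncDateTime = (Get-Date).AddHours(-3) }
    [pscustomobject]@{ DeviceName = 'win-lt-04';     OperatingSystem = 'Windows'; OSVersion = '10.0.26100.3476';
                       UserPrincipalName = 'frank@contoso.example';  LastSyncDateTime = (Get-Date) }
)

Get-LinuxMajorVersionSummary -Devices $devices | Format-Table -AutoSize
Select-LinuxDevicesByMajorVersion -Devices $devices -MajorVersion '8' | Format-Table -AutoSize
```

The Windows record is there deliberately: a "10.0.x" version string would otherwise land in a bogus "10" bucket, which is why the summary filters on OperatingSystem first rather than on version alone.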

RBAC And Governance

Scoped permissions for Intune RBAC is only in public preview, but I would not dismiss it as a future problem. This one has teeth.

Microsoft updated the scope tag documentation to spell out a behavior that has probably caused more confusion than many teams realized: when an admin belongs to multiple role assignments with different scope tags but the same permission category, Intune can merge permissions across those assignments, so the effective permission set is the union rather than each assignment's permissions confined to its own scope tags. In plain language, that can give someone broader access than you intended.

Scoped permissions changes that behavior. Instead of merging permissions across role assignments, each assignment keeps its permissions inside its own scope tag context. Microsoft also added a Permissions Assessment Report so you can see the current state and preview what changes before you opt in.

That report is the difference between a scary governance feature and a usable one. It gives teams a way to inspect impact, clean up role assignments, and communicate the change before they flip the switch.

There is one catch you should not gloss over: enabling Scoped permissions is a one-way action. Microsoft says it cannot be undone. So the right posture here is not fear, but it definitely is caution.
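The Permissions Assessment Report is the authoritative view, but the overlap it looks for is easy to reason about on your own data before you open it. The PowerShell below is an added example, not Microsoft's report or code: it takes role assignments (members, scope tags, allowed resource actions) plus a map of which admins sit in which groups, and flags every admin who holds the same permission category through assignments with different scope tag sets, printing the merged action set they could end up with. The assignments, group names, and scope tag meanings are constructed, the resource action strings are illustrative, and it assumes the permission category is the middle segment of a Microsoft.Intune_Category_Action style name. In a real tenant you would build the same objects from /beta/deviceManagement/roleAssignments and Get-MgGroupMember.

```powershell
# Added example (not Microsoft's code): find admins whose Intune role
# assignments overlap on a permission category under different scope tags.

function Get-PermissionCategory {
    param([Parameter(Mandatory)] [string]$ResourceAction)
    # Assumption: actions look like Microsoft.Intune_ManagedDevices_Read and
    # the middle underscore-separated segment is the permission category.
    ($ResourceAction -split '_')[1]
}

function Find-MergedPermissionRisk {
    param(
        [Parameter(Mandatory)] [object[]]$Assignments,
        [Parameter(Mandatory)] [hashtable]$AdminGroups   # UPN -> array of group ids
    )
    $findings = @()
    foreach ($upn in $AdminGroups.Keys) {
        # Assignments that reach this admin through any of their groups.
        $mine = @($Assignments | Where-Object {
            $a = $_
            @($a.Members | Where-Object { $AdminGroups[$upn] -contains $_ }).Count -gt 0
        })

        # Permission category -> assignments that grant something in it.
        $byCategory = @{}
        foreach ($a in $mine) {
            $cats = $a.AllowedResourceActions | ForEach-Object { Get-PermissionCategory $_ } | Sort-Object -Unique
            foreach ($cat in $cats) {
                if (-not $byCategory.ContainsKey($cat)) { $byCategory[$cat] = @() }
                $byCategory[$cat] += $a
            }
        }

        foreach ($cat in $byCategory.Keys) {
            $hits    = @($byCategory[$cat])
            $tagSets = @($hits | ForEach-Object { (@($_.RoleScopeTagIds) | Sort-Object) -join ',' } | Sort-Object -Unique)
            # Risk = same category granted by more than one assignment whose
            # scope tag sets differ; today those permissions can merge.
            if ($hits.Count -gt 1 -and $tagSets.Count -gt 1) {
                $merged = $hits.AllowedResourceActions |
                    Where-Object { (Get-PermissionCategory $_) -eq $cat } | Sort-Object -Unique
                $findings += [pscustomobject]@{
                    Admin         = $upn
                    Category      = $cat
                    Assignments   = ($hits.DisplayName -join '; ')
                    ScopeTagSets  = ($tagSets -join ' | ')
                    MergedActions = ($merged -join ', ')
                }
            }
        }
    }
    $findings
}

# Constructed sample data. In a real tenant: Invoke-MgGraphRequest -Method GET
# -Uri 'https://graph.microsoft.com/beta/deviceManagement/roleAssignments' plus
# each assignment's roleDefinition for its allowed resource actions.
$assignments = @(
    [pscustomobject]@{
        DisplayName            = 'Helpdesk EMEA'
        Members                = @('grp-helpdesk-emea')
        RoleScopeTagIds        = @('1')   # tag 1 = EMEA devices (constructed)
        AllowedResourceActions = @('Microsoft.Intune_ManagedDevices_Read', 'Microsoft.Intune_ManagedDevices_Update')
    }
    [pscustomobject]@{
        DisplayName            = 'Device retirement APAC'
        Members                = @('grp-retire-apac')
        RoleScopeTagIds        = @('2')   # tag 2 = APAC devices (constructed)
        AllowedResourceActions = @('Microsoft.Intune_ManagedDevices_Read', 'Microsoft.Intune_ManagedDevices_Delete')
    }
)
$adminGroups = @{
    'alice@contoso.example' = @('grp-helpdesk-emea', 'grp-retire-apac')   # in both: flagged
    'bob@contoso.example'   = @('grp-helpdesk-emea')                      # one assignment: clean
}

Find-MergedPermissionRisk -Assignments $assignments -AdminGroups $adminGroups | Format-Table -AutoSize
```

On the sample data only alice is reported, for the ManagedDevices category across scope tag sets 1 and 2, with Delete, Read and Update as the merged action list. That is exactly the shape of finding to clean up, by splitting groups or trimming role definitions, before Scoped permissions is switched on, since after the switch each assignment's actions apply only within its own tags and an admin relying on the merged set will lose access you may not have noticed they had.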

Also Worth Noting

  • Support Assistant is now available to all authenticated users in the Intune admin center for finding solutions and troubleshooting guidance. Creating or managing support tickets still requires the right Microsoft Entra permission.
  • Devices behind system-level WinHTTP proxy settings can now send telemetry to endpoint analytics and Advanced Analytics. That should help close reporting gaps in more locked-down network environments.
  • Device query for multiple devices got more usable with result searching, column filters, and the ability to create Microsoft Entra security groups directly from query results.
  • Intune added new protected apps including DeepL for Intune and Foxit PDF Editor, which is more relevant than it sounds if your app protection strategy leans heavily on mobile productivity.
  • Android Enterprise also picked up support for the Inventus OEMConfig app. That is a niche change for some teams, but it matters a lot if you use that hardware.

What I'd Test First This Week

  • Review any iOS or iPadOS line-of-business apps and decide which ones are good candidates for DDM versus which ones still need MDM because of app configuration or MAM dependencies.
  • Pilot Recovery Lock on a small supervised Apple silicon Mac group and verify both password rotation and role-based visibility.
  • Check whether your Apple settings catalog baselines need an opinion on Apple Intelligence, summaries, dictation, transcription, and related user-facing features.
  • Validate whether your Windows Autopatch devices actually meet the hotpatch prerequisites before May 2026 arrives.
  • Add the new Remote Help endpoint to firewall reviews and update support runbooks to include NotificationInfra.log.
  • Identify enrolled RHEL 8 devices and put an upgrade plan in place before July 2026.
  • Run the Permissions Assessment Report before anyone gets excited and turns on Scoped permissions in production.

Closing Thoughts

If I had to summarize the week in one sentence, it would be this: Microsoft is making Intune more opinionated about modern platform management, and that is mostly a good thing.

Apple management is moving deeper into DDM. Windows update behavior is getting more automated and more operationally important. Linux is slowly becoming less of an awkward side path. RBAC is finally getting a cleaner model for scoped permissions. None of that is flashy. All of it matters.

The release also had one useful little lesson baked into it. The live Microsoft Learn page included one March 30 item that the raw markdown mirror did not. That does not make the automation useless. I am still going to use it. But it does mean I would not publish a weekly roundup without one last pass against the live page.


Official Microsoft Sources Used