Forums on Intune, SCCM, and Windows 11

What's new in Microsoft Intune: March 2026

The Microsoft Intune service update for March 2026 includes some exciting updates and enhancements, including new recovery lock features for macOS, new DDM settings for macOS and iPadOS, and support for Red Hat Enterprise Linux 9 and later. Other changes include hotpatching enabled by default in Windows Autopatch, improvements to device queries, the removal of guided scenarios from Intune, and much more.

The Intune updates for March 2026 should be automatically rolled out to all the tenants across major regions such as APAC, NASA, and EMEA. In the Intune admin center, go to Tenant Administration and select the Tenant Status tab to see the current service release of your tenant. For more information on previously released updates, read the article on Intune monthly updates.


The Intune release for March 2026 includes the following new features and enhancements.

1. Declarative Device Management for Apple line-of-business apps on iOS/iPadOS

Microsoft Intune now integrates with Apple Declarative Device Management (DDM) to support required line-of-business apps on devices running iOS/iPadOS 18 or later. By switching the management type to DDM in the App Information settings, you can leverage Apple’s policy-based model to enhance app deployment and configuration. This approach boosts delivery efficiency, provides real-time app status updates, and expands per-app capabilities, such as configuring associated domains.

2. New Recovery lock features available for macOS devices

On macOS devices, administrators can set up a recovery OS password to restrict users from booting company-owned devices into recovery mode, reinstalling macOS, or bypassing remote management. Additionally, this password can be rotated by administrators. This feature can be utilized in two distinct ways:

1. Settings catalog policy: In a settings catalog policy, you can use the Recovery Lock settings to:
  • Turn on the recovery lock feature
  • Configure a password rotation schedule
2. Remote device action: Use the Recovery Lock device action to manually rotate the recovery lock password for a specific device.

The Recovery Lock password can be viewed in the per-setting status report > Passwords and keys. To view the Recovery Lock password, the signed-in administrator needs the Remote tasks/View macOS recovery lock password permission.

3. New settings in the Windows settings catalog

In the March 2026 update of Intune, the following new settings are included in the Windows settings catalog:
  1. Connectivity > Disable Cross Device Resume.
  2. Windows AI > Remove Microsoft Copilot App.

4. New Declarative Device Management (DDM) settings for macOS and iPadOS

Microsoft has added the following new DDM settings in the Settings Catalog for macOS and iPadOS.

The table below lists all the DDM settings for iPadOS.

Declarative Device Management (DDM) Category Name | Settings
External Intelligence Settings
  • Allow Sign In
  • Allowed Workspace IDs
Intelligence Settings
  • Allow Apple Intelligence Report
  • Allow Genmoji
  • Allow Image Playground
  • Allow Image Wand
  • Allow Personalized Handwriting Results
  • Allow Visual Intelligence Summary
  • Allow Writing Tools
  • Mail > Allow Smart Replies
  • Mail > Allow Summary
  • Notes > Allow Transcription
  • Notes > Allow Transcription Summary
  • Safari > Allow Summary
  • Force On Device Only Dictation
  • Force On Device Only Translation
Keyboard Settings
  • Allow Definition Lookup
  • Allow Auto Correction
  • Allow Dictation
  • Allow Predictive Text
  • Allow Slide To Type
  • Allow Spell Check
  • Allow Text Replacement
  • Allow Math Keyboard Suggestions
Siri Settings
  • Allow User Generated Content
  • Allow While Locked
  • Force Profanity Filter

The table below lists all the DDM settings for macOS.

Declarative Device Management (DDM) Category Name | Settings
External Intelligence Settings
  • Allow Sign In
  • Allowed Workspace IDs
Intelligence Settings
  • Allow Apple Intelligence Report
  • Allow Genmoji
  • Allow Image Playground
  • Allow Writing Tools
  • Mail > Allow Smart Replies
  • Mail > Allow Summary
  • Notes > Allow Transcription
  • Notes > Allow Transcription Summary
  • Safari > Allow Summary
  • Force On Device Only Dictation
Keyboard Settings
  • Allow Definition Lookup
  • Allow Dictation
  • Allow Math Keyboard Suggestions
Siri Settings
  • Force Profanity Filter

5. Remote Help connectivity update for Windows devices

Microsoft has improved connectivity when using the Launch Remote Help capability in the Intune admin center for Windows devices. For the best experience, Microsoft recommends updating firewall rules to include this new endpoint: *.trouter.communications.svc.cloud.microsoft

6. Support for Red Hat Enterprise Linux 9 and later

Microsoft Intune now supports Red Hat Enterprise Linux (RHEL) 9 LTS and RHEL 10 LTS. While support for RHEL 8 LTS has ended, devices previously enrolled with RHEL 8 will remain enrolled. You can identify devices running RHEL 8 in the Intune admin center by going to Devices > All devices, filtering OS by Linux, and adding OS version columns.

7. Microsoft Intune for Linux now supports Microsoft Identity Broker

The Microsoft Intune app for Linux now integrates with the Microsoft Identity Broker on supported Ubuntu and Red Hat Enterprise Linux (RHEL) distributions. Starting from Broker version 2.0.2, a significant architectural shift replaces the previous Java-based design. This update introduces enhanced single sign-on (SSO) capabilities, including phish-resistant multi-factor authentication (MFA), smart card authentication, and certificate-based authentication, all powered by Microsoft Entra ID.

8. Default Hotpatching Enabled in Windows Autopatch

Starting with the May 2026 Windows security update, hotpatch updates are enabled by default for all eligible devices managed through Windows Autopatch. Hotpatch updates install faster and require fewer restarts, helping devices get secure sooner.

9. Improvements to device query for multiple devices

Device queries for multiple devices now include new capabilities to help you work with query results more efficiently. You can use a search text box to search across all resulting rows of a query, use column headers to add filters for specific values, and create Microsoft Entra security groups directly from a query's device results.

10. Guided scenarios being removed from the Intune admin center

All guided scenarios except Windows 365 Boot are removed from the Microsoft Intune admin center. You can no longer access the guided scenario wizards, but any Intune objects previously created by these wizards remain available and manageable.
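
For the Remote Help firewall change in item 5, one way to check an existing FQDN allowlist against the new endpoint (an added example, not Microsoft's or the original post's code). The allowlist entries are constructed, and the `multi_label` switch is an assumption about how your firewall or proxy expands `*`: set it to `False` if the product matches only a single label.

```python
# Added example: does an FQDN allowlist cover the Remote Help endpoint?
REQUIRED = "*.trouter.communications.svc.cloud.microsoft"  # from the release note

# Constructed allowlist entries for illustration; they are not from the page.
SAMPLE_ALLOWLIST = [
    "*.contoso.example",
    "https://trouter.communications.svc.cloud.microsoft:443/",  # apex, no wildcard
    "*.svc.cloud.microsoft",                                    # broader wildcard
]


def normalize(entry):
    """Reduce 'https://Host:443/path' or 'host.' to a bare lowercase pattern."""
    host = entry.strip().lower().split("://")[-1]
    return host.split("/")[0].split(":")[0].rstrip(".")


def covers(rule, required=REQUIRED, multi_label=True):
    """True when `rule` admits every hostname the wildcard `required` can name."""
    rule, suffix = normalize(rule), normalize(required)[2:]
    if not rule.startswith("*."):
        return False  # a single fixed host never covers a wildcard
    base = rule[2:]
    if base == suffix:
        return True   # the same wildcard
    # A broader wildcard only helps if the product lets '*' span several labels.
    return multi_label and suffix.endswith("." + base)


def audit(allowlist, required=REQUIRED, multi_label=True):
    """Sort entries into ones that cover the endpoint and narrower near-misses."""
    suffix = normalize(required)[2:]
    report = {"covered_by": [], "too_narrow": []}
    for raw in allowlist:
        host = normalize(raw)
        bare = host[2:] if host.startswith("*.") else host
        if covers(raw, required, multi_label):
            report["covered_by"].append(raw)
        elif bare == suffix or bare.endswith("." + suffix):
            report["too_narrow"].append(raw)  # inside the namespace, but partial
    report["ok"] = bool(report["covered_by"])
    return report


if __name__ == "__main__":
    for mode in (True, False):
        print("multi_label =", mode, audit(SAMPLE_ALLOWLIST, multi_label=mode))
```

Entries reported under `too_narrow` are the ones to look at first: they show someone allowed part of the namespace (the apex or a single host) without the wildcard the release note asks for.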
 
