Intune’s June 2026 service release (2606) didn’t get a flashy announcement, but if you’re working on removing local admin rights, it’s one of the most useful releases in a while. Three features that address classic “we had to give them admin” scenarios reached general availability — and with Endpoint Privilege Management now included in M365 E5 as of July 1, more teams than ever can actually use two of them. If you’ve been maintaining a list of reasons your least-privilege project is stuck, it’s time to cross a few off.
1. Enterprise App Management auto-updates: the updater problem, addressed at the platform layer
The single most common reason teams quietly hand admin rights back to users isn’t the application — it’s the updater. Third-party apps that self-update from user context break the moment you remove admin, and IT ends up choosing between manual repackaging every few weeks or giving the rights back.
The June release moves Enterprise App Management auto-updates to general availability. Apps deployed from the EAM catalog can now be kept current automatically by Intune, in system context, with no user privilege involved. The user never sees an updater prompt; the app never has a reason to demand elevation.
What to check before you rely on it
- EAM requires the Intune Suite or standalone EAM licensing — confirm what your July 1 licensing change actually gave you before planning around it.
- Coverage is catalog-dependent. Audit which of your top 20 third-party apps are in the EAM catalog; for those that aren’t, you still need your existing packaging pipeline.
- Auto-update is opt-in per app. Decide your update ring behaviour (immediate vs. deferred) app by app — browsers and security tools first, line-of-business apps with more caution.
2. EPM approval requests for any signed-in user: shared devices stop being the exception
Until now, Endpoint Privilege Management’s user-driven approval flow had an awkward gap: elevation requests only worked properly for a device’s primary user. On shared devices — warehouse floors, labs, front-of-house PCs, shift-work environments — that gap was exactly where local admin accounts tended to survive, because “the approval flow doesn’t work there” was true.
As of June, approval requests work for any signed-in user. Whoever is at the keyboard can request elevation, the request routes through the same auditable approval workflow, and the approval is scoped to that user and that action. If shared devices were carved out of your EPM rollout scope last year, that carve-out is no longer justified.
3. Rules-based elevation for network settings: the field-worker exception closes
Changing network adapter settings has always been an admin-rights operation on Windows, and it’s the canonical justification for giving laptops to travelling staff with admin: “they need to fix Wi-Fi and VPN settings on the road.” The June release adds EPM support for system-level network configuration through rules-based policies — standard users can make defined network adjustments without holding local admin, and without a helpdesk call at 11pm from a hotel lobby.
Write the rule narrowly: scope it to the specific settings your mobile users legitimately touch, and leave everything else behind the approval workflow.
Also worth watching: the Vulnerability Remediation Agent (preview)
The same release puts the Vulnerability Remediation Agent into public preview — a Security Copilot agent that ranks CVEs across your Intune-managed estate by severity, exposure, and affected device count, and proposes remediations. It’s preview, so treat it as a read-only advisor for now rather than wiring it into change control. But given the pace of exploited-vulnerability disclosures this year, automated prioritisation across your fleet is a capability worth evaluating early.
What to do now
- Confirm your licensing position. Post-July 1, check whether your E3/E5 agreements now include EPM and EAM, and for how many users.
- Run the EAM catalog audit. List your most-deployed third-party apps, check catalog coverage, and enable auto-updates for the low-risk, high-churn ones (browsers, readers, media tools) first.
- Re-scope your EPM rollout to include shared devices. Pick one shared-device population, enable the non-primary-user approval flow, and run it for two weeks before widening.
- Draft one narrow network-settings elevation rule for your mobile users, pilot it with a travelling team, and use the audit logs to verify it’s used for what you expected.
- Revisit your local admin exception list. Any exception that cites self-updating apps, shared devices, or network settings on the road now has a supported alternative. Set a review date for each one — exceptions without review dates are just permanent admin rights with better paperwork.

