What’s New from Microsoft Ignite 2025: Endpoint Management, Security, and More

After returning from San Francisco, I took some time to unwind, absorb everything from Microsoft Ignite, and enjoy American Thanksgiving with my family. Now, I’m excited to share a recap of the most notable announcements—especially those related to Endpoint Administration, along with a few other features that caught my attention.

This post is meant to provide a quick overview and link you to helpful resources. Over the coming months, I’ll dive deeper into many of these features and publish more detailed posts.

Security Copilot Coming to Microsoft 365 E5

Big news: Security Copilot is now included with Microsoft 365 E5 licensing. This means enterprises with E5 can leverage Copilot and its agents across multiple Microsoft platforms—including Intune.

Latency Improvements to Intune

Microsoft confirmed significant improvements:

  • 99% of Intune devices check in within 25 minutes

  • 50% check in within 5 minutes

Priority is given to scenarios like newly enrolled devices, device actions, compliance alerts, pending changes, and remediation status updates.

Inline Prompt Protections Within Edge With Purview

Organizations often block unauthorized AI tools like DeepSeek, GPT, and others via firewall or network policies. Microsoft is addressing this by introducing Purview-based DLP policies that prevent sensitive data from being entered into AI platforms via Microsoft Edge for Business, and extending protections to the network layer.

Learn more: Building layered protection: New Microsoft Purview data security controls for the browser & network | Microsoft Community Hub

Cross-Platform Policies for Edge on macOS, iOS, Android

You can now configure Edge for Business policies across macOS, iOS, and Android—on top of existing Windows configurations—using the Edge management service.

Microsoft Zero Trust Assessment Workshop

Microsoft introduced the Zero Trust Assessment Tool, which uses Microsoft Graph to connect to your tenant and perform essential checks for a strong security baseline.

Learn more: Microsoft Zero Trust Assessment | Microsoft Zero Trust Workshop

Admin Tasks Within Intune (Public Preview)

Identify and act on security and compliance priorities with Admin Tasks. This single pane shows multi-admin approvals, Endpoint Privilege Management elevation requests, and Defender for Endpoint tasks. Coming in Q1: agents and workflows will appear in Admin Tasks.

Learn more: Manage Admin Tasks - Microsoft Intune | Microsoft Learn

Windows Recovery and Backup with Intune

After last year’s CrowdStrike outage, Microsoft is making recovery easier—from single PCs to global incidents. Key updates include:

  • Windows Recovery Environment (WinRE) now supports connectivity and automatically reuses Wi-Fi profiles.

  • Quick Machine Recovery enables fast recovery for devices that fail to boot.
    Learn more: Quick Machine Recovery | Microsoft Learn

  • Point-in-Time Restore (PITR) lets you roll back a device within minutes via OS, WinRE, or Intune.
    Learn more: Point-in-time restore for Windows | Microsoft Learn

  • Cloud Rebuild, for when all else fails, allows a fresh Windows 11 install from Windows Update. After rebuilding, Autopilot reconnects to Intune, apps are reinstalled, settings are restored, and files are synced via OneDrive.

Agent 365

Agent 365 is a centralized management platform for AI agents, integrated into the Microsoft 365 Admin Center.

Learn more: Microsoft Agent 365: The Control Plane for Agents

Intune Agents

Within Intune, new Copilot agents will assist admins:

  • Policy Configuration Agent: Converts complex compliance standards into actionable Intune policies.

  • Change Review Agent: Automates approval workflows based on risk and organizational rules.

  • Device Offboarding Agent: Detects inactive devices and recommends proper offboarding steps.

  • Conditional Access Optimization Agent: Suggests CA policies to enforce app protection.

  • Vulnerability & Remediation Agent: Identifies and prioritizes vulnerabilities with step-by-step remediation guidance.

Learn more: Security Copilot Agents in Intune | Microsoft Learn

App Inventory (Announced)

Microsoft announced deeper inventory capabilities for Windows apps to support Zero Trust posture, providing visibility of installed apps across your endpoint estate and expanded app properties for better insights.

Phased Deployments

Phased deployments are coming to Intune—initially for applications and policies. These ring-based deployments enable secure, predictable rollouts at scale.

Automatically Allow Apps Deployed by a Managed Installer

With App Control for Business, you can automatically allow applications installed by a designated software distribution solution (such as Intune).

Learn more: Allow apps deployed with an App Control managed installer | Microsoft Learn

Explore Intune Data with Copilot

If you have Security Copilot, Copilot can help you create KQL device queries to analyze device data across your organization.

Learn more: Explore Intune data with natural language and take action - Microsoft Intune | Microsoft Learn

Autopilot Device Association (Preview)

If a device is not associated with a hardware hash, this feature provides an easier way to associate a device with your tenant from the OOBE screen.

Managed Windows Backup for Organizations

Windows Backup for Organizations, announced last year, is now available. It streamlines device transitions by securely preserving user settings and Microsoft Store app configurations, applying them when a user logs into a new PC.

Learn more: Windows Backup for Organizations Overview | Microsoft Learn

Unattended Sessions for Remote Help

Microsoft confirmed that Remote Help, part of the Intune Suite Bundle, will soon support unattended sessions—one of the most requested features.

Watermarking

Watermarking features help prevent users from taking screenshots of sensitive data. These can be applied via an Intune configuration profile.

Learn more: Watermarking in Windows 365 | Microsoft Learn

Hardware-Accelerated BitLocker

Hardware-accelerated BitLocker improves encryption and decryption performance.

Learn more: Windows 11 security book - Encryption and data protection | Microsoft Learn

Sysmon Functionality in Windows

Sysmon will be built into Windows by default starting in 2026. You’ll need to enable it to start system monitoring.

Windows Cloud I/O Protection

A new Windows 365 feature, in preview starting December 10th, introduces a kernel-level driver that securely routes keystrokes directly to the Cloud PC, bypassing OS layers vulnerable to malware. Devices cannot connect to a Cloud PC without this driver if policies are configured.

Learn more: Windows Cloud Input Protection | Microsoft Learn

Intune Managed Cloud Apps

Using Windows 365, you can now deliver access to line-of-business and custom apps without the full desktop experience.

Learn more: Windows 365 Cloud Apps | Microsoft Learn

Windows 365 Reserve

Windows 365 Reserve is now generally available, allowing users to connect to a temporary Cloud PC when their primary device is unavailable.

Learn more: Windows 365 Reserve Cloud PC | Microsoft

There are so many exciting new features to explore, and I’ll be doing deep dives on many of them in upcoming posts—so stay tuned! Which feature announced at Ignite is your favorite? Share your thoughts in the comments below!
