498899 – Microsoft Intune: Additional granular RBAC controls to manage Antivirus, Firewall, BitLocker, and Endpoint Detection and Response endpoint security workloads

Product:

Intune

Platform:

Android, iOS, Mac, US Instances, Windows Desktop, World tenant

Status:

In development

Change type:

Links:

Details:

Expanded granular RBAC controls to manage Endpoint Security workloads. The ‘Security baselines’ permission previously included all security policies and now all security workloads have their own permission set

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:
General Availability

Created:
2025-08-19

updated:
2025-10-02

Docu to Check

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

Granular RBAC Controls Implementation
Without proper preparation, the implementation of granular RBAC controls may lead to misconfigurations, resulting in unauthorized access to sensitive security settings, which can compromise endpoint security.
   - roles: IT Security Manager, System Administrator
   - references: https://techcommunity.microsoft.com/t5/intune-customer-success/announcing-granular-role-based-access-control-for-endpoint/ba-p/3651230, https://www.microsoft.com/en-us/microsoft-365/blog/2021/06/24/introducing-granular-role-based-access-control-for-endpoint-security-in-intune/

User Experience Disruption
Changes in RBAC permissions without user training or communication can lead to confusion and frustration among users, as they may lose access to previously available security features or experience delays in security updates.
   - roles: End User, Help Desk Support
   - references: https://www.cio.com/article/243198/how-to-manage-user-experience-during-it-changes.html, https://www.forbes.com/sites/bernardmarr/2020/01/20/the-importance-of-user-experience-in-it-change-management/?sh=5c1c1e1e4b5e

Configutation Options**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

Imagine managing a large office building. Previously, you had one master key that opened every door, from the janitor's closet to the CEO's office. This master key was convenient but risky because anyone with it could access areas they shouldn't.

Now, think of Microsoft Intune's new changes as replacing that master key with a set of keys, each tailored to specific rooms. This is what expanded granular Role-Based Access Control (RBAC) does for managing security features like Antivirus, Firewall, BitLocker, and Endpoint Detection and Response. Instead of having one broad permission that covers all security policies, each security workload now has its own specific set of permissions.

For instance, if you only need to manage the Antivirus settings, you get a key just for that, without the ability to alter Firewall or BitLocker settings. This approach minimizes risks by ensuring that only authorized personnel can access and modify specific security features. It’s like giving the janitor a key only to the cleaning supplies room, while the IT manager gets access to the server room.

This change is beneficial because it enhances security by limiting access to sensitive areas, ensuring that only the right people can make changes. It also makes managing these security features more efficient, as each person can focus on their specific responsibilities without being overwhelmed by unnecessary access.

Overall, these granular controls in Microsoft Intune help organizations better protect their digital assets, much like how a set of specific keys helps maintain order and security in a large office building.