Microsoft has confirmed the next annual feature update, Windows 11, version 26H2, and the headline for IT is a familiar one: this is an enablement package (eKB), not a full OS swap. If you have been through the 24H2 to 25H2 cycle, the playbook is almost identical – but there are a couple of new wrinkles worth planning around. This post walks through the supported upgrade paths, how you drive it with Windows Autopatch and Intune, and how to actually track the rollout from pilot to production.
What 26H2 actually is
26H2 shares the same servicing branch as 24H2 and 25H2. That means for devices already on those versions, the upgrade is delivered as a tiny enablement package – around 174 KB – that simply flips the version and build number (build 26300) after a single restart. No multi-gigabyte download, no long offline phase, no feature-update reboot marathon. The new capabilities ship continuously through monthly cumulative updates and are switched on by the eKB.
Microsoft frames it as “a predictable, low-disruption update experience for organizations and IT professionals,” and from a deployment standpoint that is exactly what it is – an update ring approval rather than a migration project. Expect general availability in the fall of 2026, in line with previous H2 releases.
Upgrade paths – know your starting point
The delivery method depends entirely on the version a device is sitting on today:
Windows 11 24H2 / 25H2 – direct eKB upgrade. ~174 KB, one restart. This is the easy 95% for most managed fleets.
Windows 11 23H2 and older – different servicing branch, so no eKB. These need the full feature-update media path (~6.5 GB download and the full upgrade experience).
The 26H1 caveat – 26H1 sits on a separate Windows core branch and does not roll forward to 26H2 via the standard enablement path. If you have any 26H1 (specialized/insider) devices, plan a different route for them.
Windows 10 – no shortcut here. These are full upgrades (or, frankly, replacements) and should already be on your end-of-support migration plan.
Upgrade paths to 26H2 depend on the version a device sits on today.
Action before fall: run an inventory split by OS version now. Anything not already on 24H2/25H2 is your long-tail – get those onto a current branch first so 26H2 becomes a one-restart eKB rather than a 6.5 GB project.
Driving it with Windows Autopatch
If you are on Autopatch, 26H2 is close to trivial to approve – it appears in the feature update flow like any other release, and because the payload is tiny, distribution can complete in a day rather than weeks.
The mechanics you already rely on still apply. Autopatch groups split your estate into deployment rings – Test, First, Fast, and Last. If you do not define extra rings, Test acts as your pilot and Last as production. Releases flow sequentially through the rings, and Autopatch monitors device telemetry the whole way – if failure or compatibility signals spike, it can automatically pause progression to the next ring.
Pilot: keep Test/First small but representative – mix hardware models, key line-of-business apps, and a few power users who will actually report friction.
Soak time: because the eKB is so small, the temptation is to rush. Resist it – the value of a pilot is the soak window, not the download time. Give each ring a real bake period to surface app and driver issues.
Safety net: you retain Pause, Resume, and Rollback for feature updates directly from Intune if a ring goes sideways.
Not on Autopatch? The same model is available with Intune Feature Update profiles plus Update Rings – you target 26H2 as the feature update version and stagger deferrals/rings manually. You lose the automatic ring progression and telemetry-driven pause, but the staged approach is the same.
Autopatch rings, the telemetry safety net, and what to watch as you promote from pilot to production.
Tracking pilot to production
This is where most rollouts get loose. “We deployed it” is not the same as “we can prove the estate moved.” Here is the reporting stack I lean on:
Reports > Windows Autopatch – the two Autopatch reports give you ring-level rollout status and quality/feature update health. This is your primary “where is each ring” view.
Reports > Device management > Windows Updates – the feature update report and readiness reporting validate which devices are eligible and which are blocked, before and during the push.
Email notifications – make sure your Autopatch admin contacts are current so you actually receive the proactive alerts rather than discovering issues in a dashboard.
A simple version-count KQL/report – track devices reporting build 26300 over time as your single “percentage on 26H2” number for management. Watch the curve per ring, not just the total.
Define your exit criteria before you start: e.g. pilot ring at >95% success with zero unresolved Sev-1 app issues for X days before releasing the next ring. Let the telemetry and your soak window – not the trivial download size – gate each promotion.
Support lifecycle
The usual split applies: Enterprise, Education, IoT Enterprise and Enterprise multi-session get 36 months of support, while Home, Pro, Pro Education and Pro for Workstations get 24 months (support running to roughly October 2028). Factor that into whether 26H2 is a “move now” or a “this fall” decision for each ring.
A short pre-flight checklist
Inventory by OS version – identify anything not on 24H2/25H2.
Get the long-tail (23H2 and older, Windows 10) onto a current branch first.
Flag any 26H1 devices for a separate path.
Confirm Autopatch groups / Intune feature update profiles and rings are sane.
Verify Autopatch admin contacts and reporting access.
Write down your per-ring exit criteria and soak windows.
Bottom line: 26H2 is an approval, not a migration – for the devices that are on a current branch. Spend your effort on the long-tail and on a disciplined pilot-to-production cadence, and the eKB itself will be the least interesting part of the project.
You manage a fleet of corporate iPhones through Microsoft Intune. Enrollment is automated through Apple Business Manager (ABM), apps deploy silently through the Volume Purchase Program (VPP), and users never see an App Store login. Then one day, your service desk starts getting tickets:
“Sign in to iTunes Store. Sign in to allow Contoso A/S to manage and install apps.”
A handful of devices show the prompt at first. A few days later, dozens. Users tap Cancel, the dialog disappears, and a few hours later it reappears. Some users sign in with personal Apple IDs to make it go away, which is exactly what you do not want on a corporate device.
This is one of those issues that looks like an Apple ID, ABM, or enrollment problem – but almost never is. In every case I have worked, the root cause was the same: somewhere in the tenant, an app was added as an iOS Store App when it should have been added as an iOS Volume Purchase Program app. This post walks through why those two app types behave so differently, how to confirm which one is causing the prompt, and how to fix the issue across a large device estate without disrupting users.
Why iOS Devices Ask for an Apple ID in the First Place
Intune offers several iOS app types in the admin center. Two of them install the same app from the same App Store listing, but they have completely different licensing and installation behavior:
iOS Store App – A direct link to a public App Store listing. The app installs into the user’s iCloud account. The device must be signed in to the App Store with a personal or managed Apple ID for the install to complete. There is no concept of device-based licensing.
iOS Volume Purchase Program app (VPP) – An app license that your organization owns through Apple Business Manager. With Device licensing, the license is assigned to the device itself – no Apple ID is required on the device for the install. The app simply appears.
The two app types look almost identical in the admin center. Both can point to the same App Store URL. Both can be assigned as Required, Available, or Uninstall. The difference is invisible until a device tries to install the app and discovers it has no Apple ID signed in.
When an iOS Store App is assigned as Required to a supervised device with no Apple ID, iOS does what it is told – it prompts the user to sign in so the install can proceed. That is the prompt your users are seeing.
Why You May Not Have Seen This Before
A fresh ABM enrollment with VPP apps assigned through Device licensing never triggers an Apple ID prompt because no app on the device needs one. The issue surfaces when somebody adds the same app a second time – as an iOS Store App – usually because they pasted the App Store URL into the wrong “Add app” wizard. The VPP version may still be present, but the iOS Store App duplicate is now competing for the same slot on the device, and only one of them can win.
How to Confirm This Is Your Issue
Before you start changing assignments, confirm the diagnosis. Three quick checks usually settle it.
Check 1: List All iOS Apps with Required Assignments
In the Intune admin center, go to Apps > iOS/iPadOS and filter the list. Look at every app where the App type column shows iOS store app. For each one, open the app and check Properties > Assignments.
Any iOS Store App with a Required assignment is a candidate for the prompt. iOS Store Apps assigned only as Available or Uninstall do not trigger the prompt – they sit quietly in the company portal or only act when the user actively removes the app.
Check 2: Cross-Reference with VPP
For each suspect iOS Store App, search for a VPP version of the same app. The naming will be similar but not identical – the VPP version typically shows the publisher and a different icon variant. If both versions exist, the iOS Store App is almost certainly redundant.
Check 3: Look at the Audit Log
Intune’s audit log will tell you exactly when each app was added and by which admin account. Go to Tenant administration > Audit logs and filter on the Mobile App category. Search for the app name and check the Create entries. In one recent case, an admin had bulk-added a dozen iOS Store App duplicates within a 20-minute window – clearly someone working through a list using the wrong wizard.
If checks 1 and 2 confirm the duplication and check 3 confirms when it happened, you have your root cause.
Why You Cannot Just Delete the iOS Store App
The natural reaction is to delete the iOS Store App duplicate and be done with it. Resist that urge until you have a rollout plan, because three things can go wrong:
Users still see the prompt until iOS finishes its install queue. iOS does not automatically discard a pending install when its source is removed. The user has to Cancel the prompt at least once – sometimes more than once – before the MDM channel processes the change.
Required and available install intent on a managed device is sticky. If the VPP version is not already assigned and licensed at the device level, removing the iOS Store App leaves users with no app at all.
Filters and groups can overlap in non-obvious ways. If the iOS Store App is assigned to a broad group and the VPP version is assigned to a different broad group, deleting one may pull the app from devices that should still have it.
The safe sequence is: assign the VPP version with Device licensing first, validate on a single device, then remove the iOS Store App.
The Pilot Approach: Validate on One Device Using Assignment Filters
Before you touch a production assignment, prove the fix on one device. Intune’s Assignment Filters make this clean.
Step 1: Create a Single-Device Filter
In the Intune admin center, go to Tenant administration > Filters > Create.
Platform: iOS/iPadOS
Name: Something obvious like Pilot-iPhone-XYZ123-only
Rule syntax:
(device.deviceName -eq "XYZ123")
Replace XYZ123 with the actual device name from Devices > iOS/iPadOS devices. Use Edit in advanced mode if you prefer to write the rule directly.
Step 2: Exclude the Pilot Device from the iOS Store App Assignment
Open the problematic iOS Store App in Intune. Go to Properties > Assignments > Edit. On the existing Required assignment, click Filter and set:
Filter mode: Exclude
Filter:Pilot-iPhone-XYZ123-only
This tells Intune to apply the iOS Store App’s Required assignment to everyone except the pilot device. The pilot device is now isolated from the prompt – existing prompts may still need to be dismissed once, but no new ones will queue.
Step 3: Assign the VPP Version with Device Licensing to the Pilot Device
Open the VPP version of the same app. If it does not yet have a Required assignment to the same target group, create one:
Assignment type: Required
Group: The same group the iOS Store App was assigned to
License type: Device
Filter:Pilot-iPhone-XYZ123-only
Filter mode: Include
This is the inverse of Step 2 – the VPP assignment now applies only to the pilot device. The rest of your estate still gets the (about to be removed) iOS Store App version; the pilot device gets the VPP version with a device-bound license.
Step 4: Have the Pilot User Dismiss the Prompt and Sync
Walk the pilot user through these exact steps:
When the iTunes sign-in prompt appears, tap Cancel.
Open Settings > General > VPN & Device Management > the MDM profile.
Tap Sync to force a check-in.
Within a minute or two, the VPP version of the app installs silently. No Apple ID prompt. The app shows the small organisation marker indicating it was installed by MDM.
If the install fails or the prompt comes back, stop and investigate before going further – usually the cause is a missing VPP license assignment or an expired VPP token (more on tokens below).
Rolling Out the Fix to the Rest of the Estate
Once the pilot is green, the rollout is mechanical. For each affected app:
On the VPP version, remove the Pilot-XYZ123-only filter so the Required + Device-licensing assignment applies to the full target group.
On the iOS Store App version, remove the existing Required assignment entirely. Do this before deleting the app to avoid an Intune sync that might re-prompt users.
Delete the iOS Store App entirely once no devices reference it. This also makes sure nobody re-uses it accidentally later.
If you have several apps to fix, work through them one at a time. iOS handles MDM commands serially, so a batch change can produce more prompts than you would expect.
What Users Should Expect
Communicate clearly to end users before you flip the assignment. A short email along these lines works well:
Over the next 24 hours, you may see a sign-in prompt on your work iPhone asking you to log in to iTunes or the App Store. Please tap Cancel. Do not enter any Apple ID. The app you are missing will install automatically within a few minutes after you cancel the prompt.
The behaviour is non-obvious: iOS only processes the next MDM command after the current prompt is dismissed. Until the user taps Cancel, the device is effectively stuck waiting for the user.
Cleanup: Filters, Duplicates, and Audit Trail
After the rollout is complete, do not leave the scaffolding in place:
Delete the pilot assignment filter (Pilot-iPhone-XYZ123-only) so it does not get reused accidentally.
Confirm both iOS Store App duplicates are deleted – keeping them around “just in case” invites the same mistake again next quarter.
Document what happened in your change log so future admins know the difference between iOS Store App and VPP and which to use.
Run a tenant-wide review of remaining iOS Store Apps. Any iOS Store App with only Uninstall or Available (without enrollment) assignments is safe. Any iOS Store App with a Required assignment to a device group should be evaluated.
A Quick Reference: iOS Store App vs VPP at a Glance
Aspect
iOS Store App
iOS VPP App (Device licensing)
Source
Public App Store URL
Apple Business Manager (purchased)
Requires Apple ID on device
Yes
No
Required-install on supervised devices
Triggers iTunes sign-in prompt
Installs silently
License consumed
None tracked by MDM
One per device
Revoke license
Not possible
Yes, from Intune
Update behavior
Same as App Store
Same as App Store
Cost
Free apps only (in practice)
Free and paid apps
Recommended for managed iOS
No
Yes
The short version: on a corporate-owned iOS device managed through Apple Business Manager, VPP with Device licensing is the only app type that should appear as Required for first-party and approved third-party apps.
How to Prevent This from Happening Again
The root cause is almost always procedural – an admin selected the wrong app type from the Intune wizard. A few controls reduce the chance of recurrence:
Document the standard. Add a one-line rule to your Intune operations doc: “All Required iOS apps must be added as iOS Volume Purchase Program apps. iOS Store Apps may only be used for Available or Uninstall assignments.”
Restrict app creation with RBAC. Use scope tags and Intune’s role-based access control to limit app creation to a small group of admins who know the difference. The principle of least privilege applies to MDM tenants too.
Use audit log alerts. Microsoft Graph + a small Logic App can email you whenever a new iOS Store App is created. Quick to set up, quick to react.
Check the VPP token expiry. A frequent secondary cause is an expired VPP token. When a token expires, Intune cannot create or renew Device licenses, and admins reach for “iOS Store App” as a workaround that turns into a permanent footgun. Renew the token annually and set a calendar reminder a month in advance.
Healthy VPP Token Practices
A VPP token has a 12-month validity. When it is close to expiry, Intune shows a banner in the Tenant administration > Connectors and tokens > Apple VPP Tokens view. After expiry:
Existing licensed apps continue to function.
New licenses cannot be assigned.
Token renewal requires a new .vpptoken file from Apple Business Manager.
If your token has just been renewed and apps are stuck in Failed state, revoke and re-assign licenses one app at a time. Bulk re-assignment occasionally fails for individual apps, and the only way to clear the failed state is a manual revoke + reassign cycle.
Troubleshooting: When the Prompt Will Not Go Away
If you have applied the fix and a specific device is still prompting, work through these in order:
Has the user tapped Cancel at least once? iOS sometimes queues multiple install commands – the user may need to dismiss two or three prompts before the queue drains.
Force a sync. From the device: Settings > General > VPN & Device Management > MDM profile > Sync. From Intune: Devices > select device > Sync.
Confirm the device is licensed for the VPP version. Open the VPP app in Intune > Device install status. The device should be listed with Installed or Pending. If it is Not applicable, the assignment is not reaching the device – check group membership and filters.
Check the VPP token health.Tenant administration > Connectors and tokens > Apple VPP Tokens. If the token shows any warning, address that first.
Reboot the device. Last resort, but occasionally clears a stuck MDM channel.
If you have exhausted these, look at the device’s Managed Apps report. An app that should be VPP-licensed but appears under iOS Store App lineage indicates the old assignment is still active somewhere – usually a forgotten filter or a duplicate group assignment.
FAQ
Will users lose any data when I switch from iOS Store App to VPP?
No. The App Store install and the VPP install are the same app binary from the same listing. Local data and settings are preserved across the transition because iOS treats them as the same bundle ID.
Do I need a managed Apple ID for VPP with Device licensing?
No. Device licensing is the entire point – the license is bound to the device hardware identity, not to any Apple ID. The device can have no Apple ID signed in at all, and VPP apps will still install.
Can I keep using iOS Store Apps for some apps?
For apps you want to make optionally available to users through the Company Portal, yes – assign them as Available. For Required deployment to corporate-owned devices, no. Switch them to VPP.
What about iPadOS devices?
The same rules apply. iPadOS uses the same MDM commands and the same VPP licensing model as iOS. If you have iPads in the same affected group, they will exhibit the same prompt behaviour and be fixed by the same approach.
My VPP token was renewed by someone else and now apps are failing – is this related?
It can be. A token renewal sometimes leaves individual app licenses in a Failed state until they are re-assigned. This is a separate issue from the iOS Store App vs VPP problem, but you may encounter both at once if the same admin tried to “work around” the failed VPP state by adding iOS Store App versions. Treat the VPP licensing failures as a separate workstream once the prompt is gone.
Summary
If iOS devices managed by Microsoft Intune are showing an iTunes or App Store sign-in prompt, do not start with Apple ID configuration, ABM enrollment, or DEP profiles. Start with your app inventory. Look for iOS Store Apps with Required assignments that overlap with VPP versions of the same app. Fix one device first using assignment filters, then roll the change out to the rest of the estate, and finish by deleting the iOS Store App duplicates entirely.
The technical fix is simple. The harder part is preventing the next admin from making the same selection in the same wizard – so document the standard, restrict who can add apps, and keep your VPP token healthy. Your users will never see another iTunes prompt, and your service desk will get its mornings back.
