Our Product experts, Matthé Smit and Frederick Bendzius-Drennan, break down what's new and upcoming in the inforcer platform in Q2 2026, and how these updates will help you deliver even more value to your customers.
Matthé Smit
Hello everyone. We will give it one more minute before we get started. I can still see people joining.
Welcome, good afternoon and good morning, wherever you are, to another roadmap update for inforcer Q2. We have a lot to cover today, and thank you so much for joining. Freddy and I will be hosting today and taking you through a couple of things. First, we will cover some things you might have missed, because a lot has been going on in the inforcer world. If you are not thinking and dreaming about inforcer every day, like we do, you may have blinked and missed something. Then we will talk about what else is coming this quarter.
As always, we want to do plenty of Q&A. This is a great opportunity to interact with us. It is not just Freddy and me on the call today; Roy is also handling some of the chat questions, and both of us will answer questions throughout and at the end. Please use the Q&A box for anything you want to know, and let us know what you think about what we are presenting.
Matthé Smit
For us, it is important to emphasise that everything we do in inforcer is based on your feedback. Every roadmap decision generally comes from what people ask for in our public feature request system, Featurebase, and from everyday conversations with you.
Our engineering team is remarkable. They are working incredibly hard to innovate quickly, and that lets us be responsive to your needs. Looking back over the past year, the velocity and trajectory have been remarkable. With the exception of August, every month has been filled with major features and new policies or settings.
That matters because there is no better indication of what is to come than looking at what has already been delivered. In the last couple of months, we have fleshed out the platform in many ways. We introduced the API, the scheduling engine, the new backup engine, user management, GDAP management and PSA integrations, including Autotask and other PSA systems. We have also added new policies and settings where you need them. None of that is going to slow down.
Matthé Smit
When we look at the roadmap, we are thinking about three major themes. The first is securing all your Microsoft 365 tenants. That is the heart of inforcer: standardising tenants, making them more secure and rolling changes out quickly. That is not going away, and there is still a lot of work to do to make it the best it can be.
The second theme is daily Microsoft management. More people are using inforcer every day to handle multi-tenant management because doing it through the Microsoft portals is difficult. We are building tools for support people, and sometimes salespeople, to get information and work efficiently.
The third theme is helping you on your AI journey. The world is moving quickly into uncharted territory. AI is changing the world, and many MSPs are trying to work out what to do, how to build a business around AI or Microsoft Copilot, and how to make it more than simply reselling a licence. We will go deeper into each of these areas and show some demos.
Matthé Smit
Let’s start with securing all your tenants. A lot changed in the last quarter. First, we introduced new licences. You might ask why that is a game changer, but the reality is we have had a lot of feedback from customers saying they want to deploy inforcer everywhere and have it on every tenant. Sometimes, though, it does not make sense to deploy the full inforcer product. If a customer only has Business Standard, for example, they may not need the full product because much of what inforcer does relates to Defender, Intune and other capabilities.
Sometimes you also have customers who are not yet paying for managed services. They may be prospects, or you may simply be reselling licences to them. For these different use cases, we developed the tenant assessment licence and tenant standard licence. These are now available in self-service, so you can buy or add new licences from within inforcer. The goal is to help you with all your tenants.
Matthé Smit
Another major game changer is the new inforcer Blueprint baselines. Many customers told us they needed help building baselines, because creating them is difficult, especially when you include areas like Intune. Microsoft changes all the time, and if you do not have your own team working on this for years, it can take months to get started.
We brought the best people we have together to build Blueprint baselines. They are inspired by CIS, but CIS can be rigid and is not always best practice for MSPs. With Blueprint baselines, you can subscribe to our baselines, pick and choose what you want, and use those best practices across your tenants.
One of the best examples is packaged projects. Many of you sell mobile application management or email protection as projects, rather than as part of your core offer. We have built policies for those projects and packaged them into baselines you can subscribe to. A tenant can align to multiple baselines, which means you can easily roll out those projects. We will keep investing in and updating these baselines as more policies and settings are added to inforcer, so you can stay on top of changes.
Matthé Smit
We also released the new backup and restore engine in March. If you have not checked this out, click into a tenant and look at Backup and Restore. We call it backup and restore, but it is really the ultimate drift management solution. You can go back through the timeline from when a tenant was enrolled, see changes, new policies, updated policies and deletions, and undo things if needed.
The new system is more sophisticated than the old nightly backups. Now, every time you click into a tenant in inforcer, we create a snapshot. Whenever you go to alignment or similar areas, we look for changes, and if there is a change, we immediately capture it as part of the backup. That makes it much more granular when undoing changes.
You can also save checkpoints, which are labels for a known good state, and return to them later. You can drill into individual policies and see exactly what changed, including assignments. We copied a lot of thinking from our alignment engine into this feature, and it is available now.
Matthé Smit
Policies and settings are the core of inforcer. We help you deploy them at scale, and internally we have made a lot of progress in how we handle policies. In the last month or so, we added critical, highly requested Intune policies. In April and beyond, there is a lot more coming.
In April, you should see more around Teams, Exchange and Intune, including Windows Store apps, Android apps and iOS apps that can be aligned. There is a lot more coming because we have done significant work on how policies are added to the system.
We also built technology to monitor Microsoft. Whenever Microsoft adds something to preview, we will know about it, and our engineering team can decide whether to work on it immediately so you are ready when Microsoft makes it broadly available. Please keep telling us what else you are missing, because the things you ask for in the community are being delivered quickly.
Matthé Smit
One new feature the team is working on is Intune assignment management. For those who do a lot with Intune, this will be a big deal. When you roll out policies such as disk encryption, you may not target everything immediately. Many of you use risk management strategies, deploying first to one group of devices or users, then expanding gradually. If you have five or 10 policies, that means changing assignments repeatedly. Doing that in the Intune portals is not a great experience.
We have built technology that lets you see all your policies in one view, select them and manage assignments. You can add assignments, merge assignments or remove existing assignments in bulk. This is an important feature for anyone managing Intune day to day, and it also supports other things we are planning soon.
Matthé Smit
We are also improving tagging. Tags drive a lot of things in inforcer, particularly policy tags and tenant tags, but managing and assigning tags can be cumbersome. The team has made changes to make tags easier to edit and see, including inline editing and bringing tags back to the policy alignment page.
A major improvement is the ability to copy tags from shared baselines. This comes up often from customers deploying from our baselines. Today, when you deploy from a baseline, the tags we set do not carry across. We will make that part of the deployment journey, so you can decide whether to bring the tags along or not. That should still be delivered in April.
Matthé Smit
Looking ahead, policy alignment is also evolving. We already launched new tenant alignment in December, where you can compare one tenant at a time against your baseline. But sometimes you want to look at one policy across all tenants. That is what we are building next. You will select a policy and see across your tenants whether something similar already exists, whether something is the same under a different name and whether action is needed.
This supports alignment per policy rather than one tenant at a time. It is useful when you are deploying new functionality to customers, and it is more refined than the deploy tool because it respects what is already in place.
Matthé Smit
Another popular request is the public onboarding link. This solves multiple needs, including prospecting. Sometimes you have a customer or prospect where you want to run a tenant assessment or Copilot readiness assessment. To get that tenant into inforcer today, you need to onboard it and normally need Global Administrator access. To run an assessment, you also currently need to request more permissions than are really necessary.
The public onboarding link solves both issues. In April, you will be able to create one or more onboarding links in inforcer. These links are permanent, so you can share them with your sales or implementation teams. When someone clicks the link, they see a branded page. You can explain that clicking the button will enrol the tenant into inforcer. The user fills in their own domain name and authorises the connection.
You can decide whether the link requests read-only permission or read-write permission. You can also decide whether the installed app is temporary, such as only two days, and whether it uses a free prospecting licence or a full read-write premium licence. This is useful for MSSPs that never see customer Global Administrator credentials or do not use GDAP. You can send the link to anyone, they can self-onboard, and you do not need to know a password.
Once onboarding is complete, you receive a notification so you can run assessments and build a report for the customer. We deliberately do not immediately show the report to the customer, because we want you to review it, interpret it and provide advice before presenting it. You do not need a tenant assessment licence to use the prospecting experience, although the tenant assessment licence still gives benefits such as keeping the tenant in inforcer and scheduling reports.
Matthé Smit
That covers my first section. Freddy, I will hand over to you to talk about what we have done and what we are doing around daily management.
Frederick Bendzius-Drennan
Thanks, Matthé. I spent the last 20 minutes replying to people in the chat because, as always, we have had a lot of engagement. Let’s talk about what we have recently shipped to help streamline daily management, and what is coming next.
The first recent release is PSA integration. A PSA is the powerhouse of your business, where you run everything. People only half-joke that if something is not in a ticket, it does not exist. This was a key capability we shipped early in Q1, with support for ConnectWise, Halo, Synchro and Autotask PSA.
If you have alerts configured in inforcer, such as drift alerts, those can now go straight into a PSA ticket with the specific board, queue, status and priority that match your operational workflow. We are also investigating ServiceNow support for the future.
Frederick Bendzius-Drennan
Scheduled reporting was another major update we released recently. Reporting matters for two main use cases: operational reporting for maintaining customer environments, and customer-facing reporting to show value.
inforcer has had valuable reports for some time, but previously generating them was manual. You had to go into the interface, generate the report and go through many clicks. We recently released a new scheduling engine as part of the broader platform architecture. Reports can now be scheduled daily, weekly, monthly or quarterly and delivered to the email addresses you specify.
We also added improvements behind the scenes, including targeting by tenant tags as your business scales, improvements to PDF exports, better customer value reporting, UX improvements and HTML export. HTML makes it easier to support automation workflows or make changes to report output.
Frederick Bendzius-Drennan
User management has been in the platform for a while, supporting key technician workflows like reviewing user information, checking configuration and resetting passwords. We have listened to feedback and are adding more.
Examples include more granular MFA management, improved offboarding capabilities, scheduled offboarding, smarter user creation through templates and licence management. I will show some of this from the development environment.
For a user such as Bobby West, we have had the ability to revoke all MFA methods and reset passwords. What we are adding very soon is a new tab where you can see all authentication methods in one place, such as password, phones, passkeys, Microsoft Authenticator and software tokens. You can review and revoke individual methods.
If the user needs to be terminated, you can offboard immediately today. Soon, you will also be able to schedule offboarding for a future time, such as the user’s final day at 17:30. This fits normal ticket workflows because you can schedule the action and close the ticket without needing to remember to come back later. It also uses the same scheduling architecture we built for scheduled reporting, and we are looking at other scheduled tasks to support in the future.
Matthé Smit
We have user management in the system now, and we have also added group management and policy management. The big missing entity is the device, and that is something we have been working on. We are effectively doing for devices what we did for user management.
You will be able to see a dashboard showing issues across devices, such as non-compliant devices, enrolment issues and security issues. If devices are non-compliant, you can drill in to see why. We will look across different policies to identify the reason.
From the dashboards and new devices page, you will be able to open a device page, similar to the user page Freddy showed. From there, you can take actions such as retrieving BitLocker keys, getting LAPS credentials, running a quick Defender scan or retiring the device from Intune. Everything will be logged and will respect RBAC permissions. This will open up a lot of new capabilities. We have more screenshots in the Discord community, and we would love feedback on what you want to see.
Matthé Smit
The next big area is application management. A lot of you have asked for this, although the customer base is probably split. Some say they already have another tool and do not need inforcer to do it. Others who manage applications through Intune want more help.
There are some things we will support in the policy engine very soon, such as mobile apps, Windows Store apps, web links and Office apps. Those behave more like settings and are easier to align across tenants.
Then there are Win32 apps, which are more complex to create and update. We want to make that easier. You will be able to pick applications from a library of pre-packaged apps, or add your own apps to that library, and deploy them across multiple tenants. If an app is already under management, you can decide whether inforcer should keep it up to date automatically through regular checks. If a new version is available, inforcer can update the managed app across existing tenants. This is a significant area we are working towards.
Matthé Smit
There is a lot more we are working on for daily management and security, but today we want to talk more about AI and Copilot. Freddy, what have we been cooking?
Frederick Bendzius-Drennan
We have been cooking a few bits and pieces. First, let’s level-set on the market. When we think about the AI journey MSPs are on, there are three broad buckets: readiness, adoption and custom agents.
Readiness is the rush to get customers ready for AI. A customer calls and says they are excited about Copilot and want to use it today. You look at their environment and need to understand where to start, what is healthy, what is not, what best practice looks like and how to get them onto the right footing to use Copilot safely, securely, scalably and sustainably.
Adoption and impact come once customers start using Copilot. You need to understand whether they are using it, whether they are getting ROI, what impact it is driving on the customer’s bottom line and how you prove that.
Custom agents are the more advanced area. We can see MSPs engaging more with Copilot Studio, the Power Platform, Fabric and Microsoft Foundry to build custom autonomous agents. This is a maturity spectrum. Most of the market is still focused on readiness, but MSPs are increasingly standardising services around AI and thinking about how to help customers succeed after the initial Copilot rollout, then move into opportunities such as custom agents.
Frederick Bendzius-Drennan
Copilot readiness was a major roadmap focus at the end of last year. I often use a pyramid inspired by Maslow’s hierarchy of needs. At the bottom are use cases. People are excited about AI, but it cannot just be shiny technology; it must solve identified real-world problems.
Security is next. Is the tenant secure enough for Copilot? Copilot amplifies any problems that already exist in the environment. If a threat actor gets access, they can use Copilot to identify sensitive data and exfiltrate it, so security must be top of mind.
Then there is data governance. Over the past 10 years, unless you were in a highly regulated industry, data governance was not always top of mind. Now everyone is asking whether permissions are configured correctly and whether SharePoint is healthy for AI.
Technical readiness also matters. Are users and devices technically ready? Do they have the right licences? Are they on the right version of Windows? Finally, there is rollout planning: who gets Copilot first, and what happens after the readiness boxes are ticked?
Frederick Bendzius-Drennan
Copilot readiness, which came out in Q4 last year, is a tool you can run against tenants. It identifies opportunity by looking at Microsoft 365 adoption across a customer base. It identifies potential candidates based on data in the tenant, such as job titles and departments, and suggests potential use cases, such as how a salesperson or marketing person could use Copilot.
It then looks across tenant configuration and SharePoint for data governance, security and technical readiness, and provides recommendations based on business best practice to help start the customer’s Copilot readiness journey.
Matthé Smit
One important point is that the reporting release had a major impact on Copilot readiness as well. Reports now have better-looking PDFs and HTML output. If you looked at this a while ago and decided it was not for you, check it again because we have done a lot of work on this area.
Frederick Bendzius-Drennan
We do not want to stop at Copilot readiness. Over the past couple of months, we have been running a closed alpha and beta with a set number of customers around Copilot adoption. Once you start rolling out Copilot to customers, you do not always have effective visibility into whether it is configured correctly, whether people are using it and what value they are getting.
This starts with per-customer dashboards where you can see whether licences are provisioned correctly, whether users are actually using Copilot and how usage is trending over time. We also produce a Copilot adoption score, segment users based on how much of Copilot they use and show trends around feature usage across the customer.
This enables account management teams to have data-driven discussions about opportunities for training, consultation and helping customers get more from their Copilot investment. It also supports upsell and cross-sell discussions, for example where other users in the organisation may benefit from a Copilot licence. Right now this is a dashboard, and we want to create customer-facing PDF reports soon.
Frederick Bendzius-Drennan
A similar area is Shadow AI. Most people know Shadow AI is a problem. Industry data suggests its use is almost universal in many organisations, whether people know it or not. People are using tools they probably should not be using.
We have built an integration into Defender Cloud Discovery, which is included with Business Premium. This lets us visualise Shadow AI usage within tenants. We can show who is using generative AI apps, how many sessions are occurring, how much data is being transferred and which apps are high risk by leveraging the Defender catalogue of more than 31,000 applications.
That gives you user, department and application views to help talk customers through the real Shadow AI risks in their environment and how usage is changing. It is a strong starting point for security and compliance conversations. It can also help sales teams kick-start a Copilot project by showing that people are using AI anyway, and that they should use something secure and well-governed rather than third-party tools. The open beta will be available to everyone tomorrow, with instructions and documentation so you can enable it in your account.
Matthé Smit
That is exciting. We have looked around and there is nothing quite like this focused on MSPs to help deliver Copilot as a service. We are still calling it a beta because we want to work with you and understand what other problems we can solve.
We also think it will help you sell the broader security story. We decided to include this in the regular product rather than make it an additional licence. You can use it for any tenant you have in inforcer. You can start Shadow AI detection and Copilot adoption monitoring immediately. For Shadow AI, the main requirement is that the tenant has Business Premium.
Frederick Bendzius-Drennan
We are not stopping there. Data governance is a major part of the Copilot readiness puzzle. Every AI conversation I have eventually becomes a SharePoint conversation. It is such a bottleneck for professional services engagements.
We want to build capability for scanning a SharePoint environment, including SharePoint, OneDrive, Microsoft 365 groups and Teams, to uncover insights around oversharing, sensitive information exposure, unique permissions that may need to be corrected and overall SharePoint configuration. We want to help determine whether SharePoint configuration matches best practice, your standard operating procedures and your customers’ requirements. We will show more on this in the coming weeks.
Frederick Bendzius-Drennan
Across everything we do, including AI, we are API-first. Since the last roadmap webinar, we have tripled the number of endpoints in the REST API. Recently added endpoints include alignment details, activity logs, users and groups, and roles. We will continue adding endpoints over the coming weeks and months, not only for retrieving information but also for making changes through the API.
Matthé Smit
I want to mention Roy Kloster’s PowerShell toolkit, which is a community project using our API. Roy has built some really useful things on top of the inforcer API. If you use PowerShell and want to grab policies from inforcer, or get users and check their licences, check out that toolkit on GitHub.
Frederick Bendzius-Drennan
That is a great call-out. It is all about helping people get the information they need. We also cannot talk about the REST API without talking about the MCP server. We recently had a hackathon where we built an MCP server, and we have been experimenting with that capability. As we build out the REST API, MCP capabilities on top of it can unlock workflows such as custom reporting, extracting reports, translating reports into a different language and using natural language to interact with the platform.
Matthé Smit
MCP is the interface to large language models, and we have done some interesting things with it. It is not necessarily birthday party conversation, but it is important.
Matthé Smit
That was a whirlwind tour. We covered a lot of ground. I started by talking about what we have done recently. The team and product are growing, we are partnering actively with many of you, and many new MSPs are joining inforcer. We showed a lot of things that are coming soon, including Copilot Manager, which is available tomorrow, and more coming in April.
If you have to drop off early or think of feedback later, click Feedback and Roadmap in the product. That takes you to our roadmap, where you can vote for items, suggest ideas and see what we are building.
Matthé Smit
Freddy has been answering a lot of questions, and I have not been monitoring everything. One question asks whether inforcer will add API access for Intune and device management functionality. Our view is that we still have some catching up to do. Many top requests have been added, but in the future, when we add new functionality, it should also be available in the API at launch. Before adding more sensitive workflows, such as creating users, we are adding more authentication options. Right now it is secret-based, and we are adding OAuth-style workflows for more sensitive actions.
Matthé Smit
Another question asks about avoiding policy drift. We have alerts today and the ability to remediate, but part of the new scheduling engine and recent work prepares us to automatically correct things when they drift. This will be tag-based because not everything should be remediated automatically. You will be able to tag certain policies and say that if they change, they should immediately be flipped back to the previous state.
Matthé Smit
There is a question about application management and whether it will pull through vulnerabilities. The initial focus is keeping the Intune app library up to date with the latest versions so you do not have to do that manually. That should already help with vulnerabilities.
There are two other areas we are considering. As part of device management, we will be able to look at asset information, including which applications are installed on a device. One of the biggest gaps is that you may have 10 applications in your Intune library but 1,000 in the field. Updating the apps in your library does not necessarily close vulnerabilities on every endpoint. We are also looking at Defender vulnerability information, though it is not part of V1.
Matthé Smit
Another timely topic is RBAC. We are seeing more users in the product every day, which creates more desire for nuanced security. We have engineer, admin and read-only levels, and you can layer them by tenant, but requests for custom RBAC come in regularly. We are investigating what controls you would want and how roles should be created. It is on our radar.
Matthé Smit
Someone asked whether the tenant report will be available in scheduled reporting. Yes. We did not include it in the new reporting engine initially because the way that report is currently generated is very different. We did not want to remove it, but the team is working to bring it into the new reporting engine so it can be scheduled. We are also looking at ways to make branding easier so it does not have to be configured report by report.
Matthé Smit
A question came in about custom policies where customers can write their own code or policy. There are no current plans for that, though I am interested in hearing what you would do with it. We are focused on adding more policies and settings, and ideally we should support the policies you need natively.
Matthé Smit
There is also a common question about the assessment engine and using your own baselines. We are doing a lot of work on the assessment engine, including new CIS assessments for Intune devices, support for the latest CIS version and new assessments such as NIS2, following the work we did for Australian customers with Essential Eight.
We have not yet found a good way to let you build custom assessments based on your own baseline. The technologies are different and the checks are different. The assessment engine is very much front-end: it helps you check what is out there and paint the picture around compliance. Alignment then deploys the policies. There is overlap, but quick assessments looking for outcomes are not the same as ensuring every policy is configured exactly with the right naming and settings. Some things can only be read, which works in assessments but not in alignment.
Matthé Smit
I think we have covered a lot of ground today. Thank you all for being customers and for sharing your feedback. It makes our lives easier and makes the product better. Thank you for taking the time today. Let us know how else we can help. As you can hopefully tell, we are passionate about building a better product. There is a lot we are working on, the velocity is high, and I am excited about the rest of the year. Thank you so much, and have a great day.