Week of April 21, 2025 (Service release 2504)
Microsoft Intune Suite
Endpoint Privilege Management elevation rule support for file arguments and parameters
File elevation rules for Endpoint Privilege Management (EPM) now support command line file arguments. When an elevation rule defines one or more file arguments, EPM elevates that file only when it is launched with one of the defined arguments; a launch that passes an argument the rule does not define is blocked from elevation. Defining arguments in a file elevation rule therefore lets you constrain not just which file can run elevated, but the specific purpose for which it runs elevated.
EPM is available as an Intune Suite add-on capability.
App management
Relationship viewer available for Intune apps
The relationship viewer provides a graphical depiction of the relationships between different applications in the system, including superseding and dependent applications. Admins can find the relationship viewer in Intune by selecting Apps > All apps > a Win32 app > Relationship viewer. The relationship viewer supports both Win32 apps and Enterprise App Catalog apps. For more information, see App relationship viewer.
Microsoft Intune support for Apple AI features
Intune app protection policies have new standalone settings for Apple AI features (Genmoji, Writing Tools, and screen capture). These standalone settings are only honored by apps built with Intune App SDK or App Wrapping Tool version 19.7.12 or later (Xcode 15) or 20.4.0 or later (Xcode 16). Currently, these Apple AI features are blocked whenever the app protection policy setting Send Org data to other apps is configured to a value other than All apps, regardless of the standalone settings.
For more information about these features, see Microsoft Intune support for Apple Intelligence. For more information about Intune's related app protection policies, see iOS app protection policy settings and How to manage data transfer between iOS apps in Microsoft Intune.
Apple VPP using new API v2.0
Apple recently updated the API for its Volume Purchase Program (VPP), which Intune uses to manage apps and books. The current API is version 2.0, and version 1.0 is deprecated. To keep pace with Apple, Intune now uses the version 2.0 API, which is faster and more scalable than the previous version.
Applies to:
iOS/iPadOS
macOS
Additional org data storage service options for Android and iOS apps
Intune now provides additional storage service options for saving copies of org data through an app protection policy for Android or iOS. In addition to the existing org data storage options, you can now select iManage and Egnyte. These services are expressed as exemptions from a block: set Save copies of org data to Block, then select the permitted services under Allow user to save copies to selected services. This setting does not apply to all applications.
For more information about data protection using app protection policies, see iOS app protection policy settings - Data protection and Android app protection policy settings - Data protection.
Applies to:
Android
iOS
Device configuration
Updated device configuration template for Windows Delivery Optimization
We've updated the device configuration template for Windows Delivery Optimization. The new template uses the same settings format as the Settings Catalog, with settings taken directly from the Windows Configuration Service Provider (CSP) for Delivery Optimization, as documented at Policy CSP – DeliveryOptimization.
With this change you can no longer create new instances of the old profile. Your pre-existing instances of the old profile remain available to use.
For more information about this change, see the Intune Customer Success blog at Support tip: Windows device configuration policies migrating to unified settings platform in Intune.
Applies to:
Windows 10
Windows 11
New settings available in the Apple settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
We've added a new setting to the Settings Catalog. To see this setting in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type.
macOS
Login > Login Window:
Show Input Menu
Android settings in the Settings Catalog
The settings catalog supports Android Enterprise and Android Open Source Project (AOSP).
Currently, to configure Android settings, you use the built-in templates. The settings from these templates are also available in the settings catalog. More settings will continue to be added.
In the Intune admin center, when you create a device configuration profile, you select the Profile Type (Devices > Manage devices > Configuration > Create > New policy > select your Platform > Profile Type). All the existing profile types have moved under Profile Type > Templates.
This change:
Is a UI change with no impact on your existing policies. Your existing policies won't change, and you can continue to create, edit, and assign them the same way.
Provides the same UI experience as the iOS/iPadOS, macOS, and Windows templates.
In the new settings catalog experience, the management mode associated with the setting is available in the tooltip. To get started with settings catalog, see Use the settings catalog to configure settings on your devices.
Applies to:
Android Enterprise
AOSP
Device enrollment
Custom device naming template for Android Enterprise corporate-owned devices
You can use a custom template for naming Android Enterprise corporate-owned devices when they enroll with Intune. The template is available to configure in the enrollment profile. It can contain a combination of custom text and predefined variables, such as device serial number, device type, and for user-affiliated devices, the owner's username. For more information, see:
Android Enterprise corporate-owned devices with work profile
Android Enterprise dedicated devices
Android Enterprise fully managed devices
Applies to:
Android
Enrollment-time grouping for Android Enterprise corporate devices
Now available for Android Enterprise corporate-owned devices, enrollment time grouping enables you to assign a static Microsoft Entra group to devices at enrollment time. When a targeted Android device enrolls, it receives all assigned policies, apps, and settings, typically by the time the user lands on the home screen. You can configure one static Microsoft Entra group per enrollment profile under the Device group tab in the Microsoft Intune admin center. For more information, see Enrollment time grouping.
Device management
Intune ending support for custom profiles for personally owned work profile devices
Starting in April 2025, Intune no longer supports custom profiles for Android Enterprise personally owned work profile devices. With this end of support:
Admins won’t be able to create new custom profiles for personally owned work profile devices. However, admins can still view and edit previously created custom profiles.
Personally owned work profile devices that currently have a custom profile assigned won't experience any immediate change in functionality. Because these profiles are no longer supported, the behavior set by these profiles might change in the future.
Intune technical support no longer supports custom profiles for personally owned work profile devices.
All custom policies should be replaced with other policy types. Learn more about Intune ending support for personally owned work profile custom profiles
Device security
New settings added to the Windows security baseline version 24H2
The most recent Intune security baseline for Windows, version 24H2, is updated to include 16 new settings for managing the Windows Configuration Service Provider (CSP) for Lanman Server and Lanman Workstation, and one new setting for Defender. These settings were previously unavailable in the baseline due to missing CSP support. The addition of these settings provides better control and configuration options.
Because this is an update to an existing baseline version rather than a new baseline version, the new settings aren't visible in a baseline's properties until you edit and save the baseline:
- Pre-existing baseline instances:
Before the new settings are available in a pre-existing baseline instance, you must select and then Edit that baseline instance, and then Save it so that the baseline deploys the new settings. When the baseline is opened for editing, each new setting appears with its default security baseline configuration. Before saving, you can reconfigure one or more of the new settings, or simply save without changes so that the baseline uses its default for each new setting.
- New baseline instances:
When you create a new instance of the Windows security baseline version 24H2, that instance includes the new settings along with all the previously available settings.
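The page does not list the 16 Lanman settings, and whether a device actually picked up the edited baseline is only visible after the policy syncs. The script below is an added example, not part of the Intune documentation or any Intune tool: it reads the effective SMB server (Lanman Server) and client (Lanman Workstation) configuration on a Windows 11 device with the built-in SmbShare cmdlets and flags values weaker than a hardened baseline would enforce. The expected values (SMB1 disabled, signing required on both sides, server encryption on, insecure guest logons disabled) are my assumptions about a sensible baseline, not the documented defaults of the 24H2 baseline; edit the `$checks` table to mirror the settings you saved in your own instance.

```powershell
# Added example (not Intune's own code): audit the effective SMB state on a managed
# Windows device after the edited 24H2 baseline has synced. Run in an elevated
# PowerShell session. Expected values are assumptions about a hardened baseline.

function Get-SmbHardeningReport {
    [CmdletBinding()]
    param()

    # Effective (not policy-intended) configuration, as the SMB driver sees it.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # One row per check: label, observed value, value the baseline is assumed to
    # enforce. Extend or adjust to match the Lanman settings in your baseline.
    $checks = @(
        @{ Name = 'Server: SMB1 protocol enabled';         Actual = $server.EnableSMB1Protocol;        Expected = $false },
        @{ Name = 'Server: signing required';              Actual = $server.RequireSecuritySignature;  Expected = $true  },
        @{ Name = 'Server: encrypt data';                  Actual = $server.EncryptData;               Expected = $true  },
        @{ Name = 'Client: signing required';              Actual = $client.RequireSecuritySignature;  Expected = $true  },
        @{ Name = 'Client: insecure guest logons enabled'; Actual = $client.EnableInsecureGuestLogons; Expected = $false }
    )

    foreach ($c in $checks) {
        $status = if ($c.Actual -eq $c.Expected) { 'OK' } else { 'DRIFT' }
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = $c.Actual
            Expected = $c.Expected
            Status   = $status
        }
    }
}

function Test-SmbBaselineCompliance {
    # Returns $true only when no check drifted; usable as a compliance exit code.
    [CmdletBinding()]
    param()

    $report = Get-SmbHardeningReport
    $drift  = @($report | Where-Object Status -eq 'DRIFT')
    if ($drift.Count -gt 0) {
        Write-Warning ("{0} SMB setting(s) differ from the expected baseline:" -f $drift.Count)
        $drift | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    return $true
}

# Usage: print the full table, then exit non-zero on drift so the script can be
# wrapped in an Intune remediation or a scheduled audit job.
Get-SmbHardeningReport | Format-Table -AutoSize
if (-not (Test-SmbBaselineCompliance)) { exit 1 }
```

Run it before and after the baseline edit on a pilot device: a row that stays at DRIFT after a successful sync usually means the setting was not enabled in the saved baseline instance, or a conflicting policy is targeting the same CSP node and winning the conflict.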
Intune apps
Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:
- FileOrbis for Intune by FileOrbis FZ LLC
- PagerDuty for Intune by PagerDuty, Inc.
- Outreach.io by Outreach Corporation
Tenant administration
Updates to Intune admin center home page
Microsoft Intune admin center's home page has been updated to include additional links to interactive demos, documentation, and training. To see these updates, navigate to the Microsoft Intune admin center.