Week of July 21, 2025 (Service release 2507)

Microsoft Intune Suite
Endpoint Privilege Management support for wildcards in elevation rules
You can now use wildcards in the file name and file path of elevation rules you define for Endpoint Privilege Management (EPM). Wildcards allow for more flexible rule creation with broader matching capabilities, enabling file elevations for trusted files that have names that might change with subsequent revisions.
For file names, use of wildcards is supported only in the file name and not for the file extension. You can use a question mark (?) to replace a single character at any point in the file name and an asterisk (*) to replace a string of characters at the end of the file name.
The following are a few examples of wildcard use for a Visual Studio setup file called VSCodeUserSetup-arm64-1.99.2.exe found in C:\Users\<username>\Downloads\:

File name:

  • VSCodeUserSetup*.exe
  • VSCodeUserSetup-arm64-*.exe
  • VSCodeUserSetup-?????-1.??.?.exe

File path:

  • C:\Users\*\Downloads\
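The matcher below is an added example, not Intune's own code: it models the documented wildcard rules (? = one character anywhere in the name, * = any suffix only at the end of the name, no wildcards in the extension) and checks the page's sample rules against the sample file. Assumptions are labelled in the comments: matching is case-insensitive, a * path segment stands for one directory name, and the "overbroad" lint is a defensive check added here, not an Intune restriction.

```python
import re

# Added example modelling the documented EPM wildcard semantics (not Intune's code).
# Assumptions: names compare case-insensitively like NTFS; in a file path a '*'
# segment stands for exactly one directory name (the page only shows C:\Users\*\Downloads\).

def validate_file_name_rule(pattern: str) -> tuple[str, str]:
    """Split a rule into (stem, ext) and reject patterns the documentation disallows."""
    stem, dot, ext = pattern.rpartition(".")
    if not dot or not stem or not ext:
        raise ValueError(f"{pattern!r}: file name must be <stem>.<extension>")
    if "*" in ext or "?" in ext:
        raise ValueError(f"{pattern!r}: wildcards are not supported in the extension")
    star = stem.find("*")
    if star != -1 and star != len(stem) - 1:
        raise ValueError(f"{pattern!r}: '*' is only supported at the end of the file name")
    return stem, ext

def file_name_matches(pattern: str, file_name: str) -> bool:
    """True when file_name satisfies the rule: '?' = one char, trailing '*' = any suffix."""
    stem, ext = validate_file_name_rule(pattern)
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in stem)
    return re.fullmatch(body + re.escape("." + ext), file_name, re.IGNORECASE) is not None

def file_path_matches(pattern: str, path: str) -> bool:
    """Compare directory paths segment by segment; a '*' segment matches any one folder."""
    want = [s for s in pattern.split("\\") if s]
    have = [s for s in path.split("\\") if s]
    return len(want) == len(have) and all(
        w == "*" or w.lower() == h.lower() for w, h in zip(want, have))

def rule_is_overbroad(pattern: str) -> bool:
    """Defensive lint (added here, not an Intune restriction): a stem made only of
    wildcards, such as '*.exe', would elevate every file with that extension."""
    stem, _ = validate_file_name_rule(pattern)
    return all(c in "*?" for c in stem)

TARGET = "VSCodeUserSetup-arm64-1.99.2.exe"      # file name from the page's example
TARGET_DIR = "C:\\Users\\alice\\Downloads"       # constructed path for the example
EXAMPLES = ["VSCodeUserSetup*.exe", "VSCodeUserSetup-arm64-*.exe",
            "VSCodeUserSetup-?????-1.??.?.exe"]  # the page's three sample rules

if __name__ == "__main__":
    for rule in EXAMPLES:
        print(f"{rule:36} -> {file_name_matches(rule, TARGET)}")
    print(file_path_matches("C:\\Users\\*\\Downloads\\", TARGET_DIR))
    print(rule_is_overbroad("*.exe"))
```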

App management
Newly available OEMConfig apps in Intune
The following OEMConfig app is now available in Intune for Android Enterprise:

  • RugGear

Device configuration
New settings available in the Apple settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
iOS/iPadOS
Cellular Private Network:

  • Cellular Data Preferred
  • CSG Network Identifier
  • Data Set Name
  • Enable NR Standalone
  • Geofences
  • Network Identifier
  • Version Number

macOS
Microsoft Edge:

  • The Microsoft Edge category is updated with new settings. Learn more about available macOS settings for Microsoft Edge at Microsoft Edge - Policies.

Device management
Platform support for Device Cleanup rules
Using cleanup rules, you can configure Intune to automatically clean up devices that appear to be inactive, stale, or unresponsive.

With this feature, you can:

  • Configure individual device cleanup rules per platform, like Windows, iOS/iPadOS, macOS, and Android.
  • Use the Audit logs to see the devices that the device cleanup rules conceal from the Intune reports.
  • Use role-based access control (RBAC) to customize the user roles that can create device cleanup rules.

Device security
macOS support for local administrator account configuration with LAPS (password solution) - GA
We’ve added support to the macOS automated device enrollment (ADE) profiles to configure newly enrolled macOS devices that run macOS 12 or later, with both a local administrator and local user account, along with support for the Microsoft Local Admin Password Solution (LAPS).

With this support:

  • You can use macOS automated device enrollment (ADE) profiles to configure the local administrator and user accounts for a device. When configured, this capability applies to all new macOS device enrollments and device re-enrollments assigned to that enrollment profile.
  • Intune creates a randomized, unique, and secure password for the device’s admin account. It's 15 alphanumeric characters.
  • Intune automatically rotates the password every six months by default.
  • Previously enrolled devices aren’t affected unless they re-enroll with Intune through an applicable ADE profile.

For account creation, the following variables are supported by the profile:

Admin account username:

  • {{serialNumber}} - for example, F4KN99ZUG5V2
  • {{partialupn}} - for example, John
  • {{managedDeviceName}} - for example, F2AL10ZUG4W2_14_4/15/2025_12:45PM
  • {{onPremisesSamAccountName}} - for example, contoso\John

Admin account full name:

  • {{username}} - for example, John@contoso.com
  • {{serialNumber}} - for example, F4KN99ZUG5V2
  • {{onPremisesSamAccountName}} - for example, contoso\John

To support LAPS:

  • We’ve added two new role-based access control permissions for Enrollment program that can grant an administrative account permission to view a managed device's password, and to rotate that password.
  • By default, these permissions aren't part of any built-in Intune RBAC role, and must be explicitly assigned to admins through custom roles.

To learn about all the details for this new capability, see Configure support for macOS ADE local account configuration with LAPS in Microsoft Intune.

Intune apps
Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:

  • Vault CRM by Veeva Systems Inc. (iOS)
  • Workvivo by Workvivo