Scope tag enforcement for Endpoint Privilege Management elevation requests
Week of November 10, 2025 (Service release 2511)
Microsoft Intune Suite
When viewing Endpoint Privilege Management elevation requests, applicable scope tags are now enforced. This means administrators can view and manage only the requests for devices and users that fall within their assigned scope. This change helps maintain administrative boundaries and strengthen security. Previously, admins with permissions to manage elevation requests could view all elevation requests, regardless of scope.
App management
PowerShell script installer support for Win32 apps
When adding a Win32 app, you can upload a PowerShell script to serve as the installer instead of specifying a command line. Intune packages the script with the app content and runs it in the same context as the app installer, enabling richer setup workflows like prerequisite checks, configuration changes, and post-install actions. Installation results appear in the Intune admin center based on the script's return code.
Applies to:
- Windows
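An added example (not from the Intune documentation) of the kind of installer script this feature accepts, showing the prerequisite check, install and post-install steps the text describes, with the result reported through the exit code. The MSI name, log-free registry key and minimum OS build are placeholders; it assumes the script is launched from the unpacked app content so `$PSScriptRoot` resolves to that folder, and that the app keeps Intune's default Win32 return-code mapping (0 success, 3010 soft reboot, anything else failure).

```powershell
# Added example of a Win32 app PowerShell installer script; not from the Intune docs.
# Assumptions: 'Contoso.msi' (placeholder) is in the packaged content, $PSScriptRoot
# points at the unpacked content folder, and the app's return-code table keeps
# Intune's default mapping (0 = success, 3010 = soft reboot, other = failure).
$ErrorActionPreference = 'Stop'

function Test-Prerequisites {
    # The script runs in the app installer's context; a system-context app
    # therefore runs as SYSTEM. Refuse to continue without elevation.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Not running elevated; cannot install.'
        return $false
    }
    # Minimum Windows build the app supports (placeholder value).
    if ([Environment]::OSVersion.Version.Build -lt 19045) {
        Write-Warning 'Windows build is below the supported minimum.'
        return $false
    }
    return $true
}

function Install-App {
    # Returns the exit code that Intune evaluates against the app's return-code table.
    if (-not (Test-Prerequisites)) { return 1 }

    $msi  = Join-Path $PSScriptRoot 'Contoso.msi'
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/i `"$msi`" /qn /norestart" -Wait -PassThru
    if ($proc.ExitCode -notin @(0, 3010)) {
        Write-Warning "msiexec failed with exit code $($proc.ExitCode)."
        return $proc.ExitCode
    }

    # Post-install configuration change (placeholder key and value).
    $key = 'HKLM:\SOFTWARE\Contoso\App'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Telemetry' -Value 0 -Type DWord

    # Pass 3010 through unchanged so Intune reports a pending soft reboot, not a failure.
    return $proc.ExitCode
}

try {
    $code = Install-App
}
catch {
    Write-Warning "Unhandled error: $_"
    $code = 1
}
exit $code
```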
More volume options available in Managed Home Screen
Admins can now enable more volume controls in the Managed Home Screen (MHS) app for Android Enterprise dedicated and fully managed devices. In addition to the existing media volume control, this update introduces configuration settings to show or hide sliders for call, ring and notification, and alarm volumes.
Each new option can be independently enabled through app configuration policies. When turned on, users can adjust these specific volume levels directly from the Managed Settings page within MHS, without leaving kiosk mode. This enhancement provides task workers greater flexibility to manage sound levels for different environments while keeping the device securely locked down.
Applies to:
- Android Enterprise (dedicated and fully managed devices)
Reset Managed Google Play store mode to Basic
You can now reset the Managed Google Play store layout from Custom back to Basic in the Intune admin center (Apps > All apps > Create Managed Google Play app).
In Basic mode, all approved apps are automatically visible to users. In Custom mode, newly approved apps must be manually added to collections before they appear in the store. The new Reset to Basic button lets admins quickly revert to Basic mode without needing to contact support. When selected, Intune deletes all existing collections and immediately displays a success or failure message.
For more information about Managed Google Play store layout options, see Approve and deploy Android Enterprise apps in Intune.
Applies to:
- Android
Updated Service Level Objectives for Enterprise App Management
Service Level Objectives (SLOs) are now available in Enterprise App Management (EAM) to provide clearer expectations for when app updates become available in the Enterprise App Catalog. SLO processing timelines begin when Intune first receives the updated app package.
Most app updates complete automated validation within 24 hours. Updates that require manual vendor testing or approval typically complete within seven days.
Device configuration
Settings available in both Templates and Settings Catalog for Android Enterprise
Some settings that were only available in Templates are now also supported in the settings catalog.
The settings catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring settings catalog profiles in Intune, see Create a policy using settings catalog.
To create a new settings catalog policy, go to Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Settings catalog for profile type.
The following settings are available in the settings catalog:
General:
- Block Contact sharing via Bluetooth (work profile level)
- Block searching of work contacts and displaying work contact caller-id in personal profile
- Data sharing between work and personal profiles
- Skip first use hints
Work profile password:
- Number of days until password expires
- Number of passwords required before user can reuse a password
- Number of sign-in failures before wiping device
- Required password type
- Minimum password length
- Number of characters required
- Number of lowercase characters required
- Number of non-letter characters required
- Number of numeric characters required
- Number of symbol characters required
- Number of uppercase characters required
- Required unlock frequency
Applies to:
- Android Enterprise
New Assist Content Sharing setting in the Android Enterprise settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
There are new settings (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Settings catalog for profile type):
- Block assist content sharing with privileged apps: If True, this setting blocks assist content, like screenshots and app details, from being sent to a privileged app, like an assistant app. The setting can be used to block the Circle to Search AI feature.
Applies to:
- Android Enterprise corporate-owned devices with a work profile (COPE) > Work profile level
- Android Enterprise corporate owned fully managed (COBO)
- Android Enterprise corporate owned dedicated devices (COSU)
Device enrollment
New opt-in upgrade allows existing customers to move from managed Google Play accounts to Microsoft Entra ID accounts
Microsoft Intune offers a new opt-in upgrade that allows existing Android Enterprise customers to move from using managed Google Play accounts to using Microsoft Entra ID accounts for Android device management. You are eligible for upgrade if you previously used a consumer Gmail account. This change streamlines the onboarding process by eliminating the need for a separate Gmail account and by leveraging your work account. This change is not required. To learn more about this change, see:
- New onboarding flow to managing Android Enterprise devices with Microsoft Intune
- Connect your Intune account to your managed Google Play account
Incomplete user enrollment report removed
The incomplete user enrollments report has been removed and is no longer functional in the Microsoft Intune admin center. The following corresponding APIs have also been removed from Microsoft Intune:
- getEnrollmentAbandonmentDetailsReport
- getEnrollmentAbandonmentSummaryReport
- getEnrollmentFailureDetailsReport
Scripts or automation using these Graph APIs will stop working now that the report has been removed. In place of this report, we recommend using the enrollment failures report. For more information, see View enrollment reports.
New Setup Assistant screens now generally available for iOS/iPadOS and macOS automated device enrollment profiles
You can hide or show 12 new Setup Assistant screens during automated device enrollment (ADE). The default is to show these screens in Setup Assistant.
The screens you can skip during iOS/iPadOS enrollment, and the applicable versions, include:
- App Store (iOS/iPadOS 14.3+)
- Camera button (iOS/iPadOS 18+)
- Web content filtering (iOS/iPadOS 18.2+)
- Safety and handling (iOS/iPadOS 18.4+)
- Multitasking (iOS/iPadOS 26+)
- OS Showcase (iOS/iPadOS 26+)
The screens you can skip during macOS enrollment include:
- App Store (macOS 11.1+)
- Get Started (macOS 15+)
- Software update (macOS 15.4+)
- Additional privacy settings (macOS 26+)
- OS Showcase (macOS 26.1+)
- Update completed (macOS 26.1+)
Device management
Device Management Type assignment filter property supports Android enrollment options for Managed Devices
When you create a policy in Intune, you can use assignment filters to assign a policy based on rules you create. You can create a rule using different properties, like deviceManagementType.
For managed devices, the Device Management Type property supports the following Android enrollment options:
- Corporate-owned dedicated devices with Entra ID Shared mode
- Corporate-owned dedicated devices without Entra ID Shared mode
- Corporate-owned with work profile
- Corporate-owned fully managed
- Personally-owned device with a work profile
- AOSP user-associated devices
- AOSP userless devices
Applies to:
- Android
New prompts available to explore your Intune data
You can use Security Copilot in Intune to explore new prompts related to your data using natural language. Use these new prompts to view data on:
- Users and groups
- Role based access control (RBAC)
- Audit logs
When you start typing your request, a list of the prompts that best match it is shown. You can also continue typing for more suggestions.
Each query returns a Copilot summary to help you understand the results and offers suggestions. With this information, you can also:
- Add devices or users from the results to a group so you can target apps and policies to this group.
- Filter example queries to find or build requests that match your needs.
Device security
Microsoft Tunnel access by rooted Android devices is blocked by the Microsoft Defender client
Microsoft Tunnel uses the Microsoft Defender client app to provide Android devices access to tunnel. The latest version of the Defender for Endpoint client can now detect when a device is rooted. If a device is determined to be rooted, Defender:
- Marks the device's risk category as High
- Immediately drops active Tunnel connections
- Prevents further use of Tunnel until the device is determined to no longer be rooted
- Sends a notification to the device user about the device status
This capability is a feature of the Defender client on Android and doesn’t replace the use of Intune compliance policies for Android to manage the settings like Rooted devices, Play Integrity Verdict, and Require the device to be at or under the Device Threat Level.
Tenant administration
Soft-deleted Microsoft Entra groups now visible in Intune
This feature is in public preview. For more information, see Public preview in Microsoft Intune.
Microsoft Intune now displays soft-deleted Microsoft Entra groups in the Intune admin center. When a group is soft-deleted, its assignments no longer apply. However, if the group is restored, its previous assignments are automatically reinstated.