What's New in Intune: Service Release 2504 Highlights

(Week of April 21, 2025)

MICROSOFT INTUNE

4/25/2025 · 6 min read


Hey Intune admins! Another month, another wave of updates rolling into Microsoft Intune. Let's dive into the key changes and new features landing with Service Release 2504, covering the week of April 21st, 2025.


Microsoft Intune Suite

Endpoint Privilege Management elevation rule support for file arguments and parameters

File elevation rules for Endpoint Privilege Manager (EPM) now support command line file arguments. When an elevation rule is configured to define one or more file arguments, EPM allows that file to run in an elevated request only when one of the defined arguments is used. EPM blocks elevation of the file should a command line argument be used that is not defined by the elevation rule. Use of file arguments in your file elevation rules can help you refine how and for what intent different files are successfully run in an elevated context by Endpoint Privilege Management.

EPM is available as an Intune Suite add-on capability.

App management

Relationship viewer available for Intune apps

The relationship viewer provides a graphical depiction of the relationships between different applications in the system, including superseding and dependent applications. Admins can find relationship viewer in Intune by selecting Apps > All apps > a Win32 app > Relationship viewer. The relationship viewer supports both Win32 apps and Enterprise App Catalog apps. For more information, see App relationship viewer.

Microsoft Intune support for Apple AI features

Intune app protection policies have new standalone settings for Apple AI features (Genmojis, Writing tools, and screen capture). These standalone settings are supported by apps that have updated to Intune App SDK and App Wrapping Tool version 19.7.12 or later for Xcode 15, and 20.4.0 or later for Xcode 16. Currently, these Apple AI features are blocked when the app protection policy setting Send Org data to other apps is configured to a value other than All apps.

For more information about these features, see Microsoft Intune support for Apple Intelligence. For more information about Intune's related app protection policies, see iOS app protection policy settings and How to manage data transfer between iOS apps in Microsoft Intune.

Apple VPP using new API v2.0

Apple recently updated the API for their volume purchase program (VPP), which is used to manage apps and books. Apple's related API is now version 2.0. Version 1.0 is deprecated. To support the Apple updates, Microsoft Intune has updated to use the new API, which is faster and more scalable than the previous version.

Applies to:

  • iOS/iPadOS

  • macOS

Additional org data storage service options for Android and iOS apps

Intune now provides additional storage services options when saving copies of org data using an app protection policy for Android or iOS. In addition to the existing org data storage options, you can also select iManage and Egnyte as storage options. You must select these services as exemptions from your block list by setting Save copies of org data to Block, then selecting the allowed storage services next to the Allow user to save copies to selected services setting. Note that this setting does not apply to all applications.

For more information about data protection using app protection policies, see iOS app protection policy settings - Data protection and Android app protection policy settings - Data protection.

Applies to:

  • Android

  • iOS

Device configuration

Updated device configuration template for Windows Delivery Optimization

We’ve updated the device configuration template for Windows Delivery Optimization. The new template uses the settings format as found in the Settings Catalog, with settings that are taken directly from the Windows Configuration Service Providers (CSPs) for Windows Delivery Optimization, as documented by Windows at Policy CSP – DeliveryOptimization.

With this change you can no longer create new versions of the old profile. However, your pre-existing instances of the old profile remain available to use.

For more information about this change, see the Intune Customer Success blog at Support tip: Windows device configuration policies migrating to unified settings platform in Intune.

Applies to:

  • Windows 10

  • Windows 11

New settings available in the Apple settings catalog

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

We've added a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > macOS for platform > Settings catalog for profile type.

macOS

Login > Login Window:

  • Show Input Menu

Android settings in the Settings Catalog

The settings catalog supports Android Enterprise and Android Open Source Project (AOSP).

Currently, to configure Android settings, you use the built-in templates. The settings from these templates are also available in the settings catalog. More settings will continue to be added.

In the Intune admin center, when you create a device configuration profile, you select the Profile Type (Devices > Manage devices > Configuration > Create > New policy > select your Platform > Profile Type). All the profile types are moved to Profile Type > Templates.

This change:

  • Is a UI change with no impact on your existing policies. Your existing policies won't change. You can continue to create, edit, and assign these policies the same way.

  • Provides the same UI experience as iOS/iPadOS, macOS, and Windows templates.

In the new settings catalog experience, the management mode associated with the setting is available in the tooltip. To get started with settings catalog, see Use the settings catalog to configure settings on your devices.

Applies to:

  • Android Enterprise

  • AOSP

Device enrollment

Custom device naming template for Android Enterprise corporate-owned devices

You can use a custom template for naming Android Enterprise corporate-owned devices when they enroll with Intune. The template is available to configure in the enrollment profile. It can contain a combination of custom text and predefined variables, such as device serial number, device type, and for user-affiliated devices, the owner's username. For more information, see:

Applies to:

  • Android

Enrollment-time grouping for Android Enterprise corporate devices

Now available for Android Enterprise corporate-owned devices, enrollment time grouping enables you to assign a static Microsoft Entra group to devices at enrollment time. When a targeted Android device enrolls, it receives all assigned policies, apps, and settings, typically by the time the user lands on the home screen. You can configure one static Microsoft Entra group per enrollment profile under the Device group tab in the Microsoft Intune admin center. For more information, see Enrollment time grouping.

Device management

Intune ending support for custom profiles for personally owned work profile devices

Starting in April 2025, Intune no longer supports custom profiles for Android Enterprise personally owned work profile devices. With this end of support:

  • Admins won’t be able to create new custom profiles for personally owned work profile devices. However, admins can still view and edit previously created custom profiles.

  • Personally owned work profile devices that currently have a custom profile assigned won't experience any immediate change of functionality. Because these profiles are no longer supported, the functionality set by these profiles might change in the future.

  • Intune technical support no longer supports custom profiles for personally owned work profile devices.

All custom policies should be replaced with other policy types. Learn more about Intune ending support for personally owned work profile custom profiles.

Device security

New settings added to the Windows security baseline version 24H2

The most recent Intune security baseline for Windows, version 24H2, is updated to include 16 new settings for managing the Windows Configuration Service Provider (CSP) for Lanman Server and Lanman Workstation, and one new setting for Defender. These settings were previously unavailable in the baseline due to missing CSP support. The addition of these settings provides better control and configuration options.

Because this is an update to an existing baseline version and not a new baseline version, the new settings aren’t visible in the baseline's properties until you edit and save the baseline:

  • Pre-existing baseline instances:
    Before the new settings are available in a pre-existing baseline instance, you must select and then Edit that baseline instance. To have the baseline deploy the new settings, you must then Save that baseline instance. When the baseline is opened for editing, each of the new settings becomes visible with its default security baseline configuration. Before saving, you can reconfigure one or more of the new settings, or make no changes other than to save the current configuration, which then uses the baseline defaults for each of the new settings.

  • New baseline instances:
    When you create a new instance of a Windows security baseline version 24H2, that instance includes the new settings along with all the previously available settings.

Following are the new settings that are added to the version 24H2 baseline, and the baseline default for each:

Lanman Server

Lanman Workstation

Defender

For more information, see Intune security baselines.

Intune apps

Newly available protected apps for Intune

The following protected apps are now available for Microsoft Intune:

  • FileOrbis for Intune by FileOrbis FZ LLC

  • PagerDuty for Intune by PagerDuty, Inc.

  • Outreach.io by Outreach Corporation

For more information about protected apps, see Microsoft Intune protected apps.

Tenant administration

Updates to Intune admin center home page

Microsoft Intune admin center's home page has been updated to include additional links to interactive demos, documentation, and training. To see these updates, navigate to the Microsoft Intune admin center.