Microsoft Intune August 2025 Update (Service Release 2508)

The August 2025 Microsoft Intune Service Release (2508) introduces several impactful updates, including new ADMX-backed policies for the Edge browser, managed installer support for user and device groups, a variety of day-zero settings in the Apple settings catalog, compatibility with Ubuntu 22.04 and newer versions, and more.

The updates should be automatically rolled out to all the tenants across major regions such as APAC, NASA, and EMEA. For more information on previously released updates, read the article on Intune monthly updates.

For more details, refer to Microsoft documentation on New Features in Intune August 2025 Update.

The following are the new features and enhancements included in Intune service release 2508 released in August 2025:

1. Support for Ubuntu 22.04 and later​

Microsoft Intune, along with the Microsoft Intune app for Linux, now supports Ubuntu 22.04 LTS and Ubuntu 24.04 LTS, while support for Ubuntu 20.04 LTS has been discontinued. However, devices already enrolled with Ubuntu 20.04 LTS will stay enrolled despite the version no longer being supported.

2. Managed installer support for user and device groups​

Microsoft has enhanced the Managed Installer policy to allow targeting specific groups of users and devices with multiple individual policies. Previously, the Managed Installer policy was a tenant-wide configuration that applied universally to all Windows devices. This update introduces greater flexibility by enabling separate policies to be assigned to distinct device groups.

3. Android app configuration policies support new variable values​

Android Enterprise app configuration policies in Intune now offer expanded support for variable values. Newly supported values include account name, device name, employee ID, MEID, serial number, and the last four digits of the serial number.

4. New day zero settings available in the Apple settings catalog​

You will find the following new day zero settings within the Apple settings catalog. To view these, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS​

Declarative Device Management (DDM) > Audio Accessory Settings:

• Temporary Pairing Disabled
• Temporary Pairing Unpairing Time
• Unpairing Policy
• Unpairing Hour

Declarative Device Management (DDM) > Safari Settings:

• Accept Cookies
• Allow Disabling Fraud Warning
• Allow History Clearing
• Allow JavaScript
• Allow Private Browsing
• Allow Popups
• Allow Summary
• Page Type
• Homepage URL
• Extension Identifier

Restrictions:

• Allow Safari History Clearing
• Allow Safari Private Browsing
• Denied ICCIDs For iMessage And FaceTime
• Denied ICCIDs For RCS

macOS​

Authentication > Extensible Single Sign On Kerberos:

• Allow Platform SSO Auth Fallback

Declarative Device Management (DDM) > Safari Settings:

• Allow History Clearing
• Allow Private Browsing
• Allow Summary
• Page Type
• Homepage URL
• Extension Identifier

Restrictions:

• Allow Safari History Clearing
• Allow Safari Private Browsing

5. Wipe remote action supports multiple administrative approval (MAA)​

The multiple administrative approval (MAA) feature enhances security by requiring a second administrator's approval before implementing changes. This added layer of verification is supported by the Wipe remote action. Utilizing MAA with the Wipe action helps reduce the risk of unauthorized or compromised remote actions initiated by a single administrator account.

6. Configure Windows Backup for Organizations (public preview)​

Starting in the Intune 2508 service release, administrators can configure a new feature in public preview called Windows Backup for Organizations. This feature enables you to back up your organization's Windows 10 or Windows 11 settings and restore them on a Microsoft Entra-joined device. Backup configurations can be managed through the Microsoft Intune admin center's settings catalog, while a tenant-wide option for device restoration is accessible under Enrollment in the admin center. The backup functionality is now available in public preview, with the restore feature set to enter public preview on August 26th.

7. New resolution button improves compliance remediation experience​

Microsoft has improved the Just in Time (JIT) compliance remediation experience for device users in Microsoft Intune. Intune has collaborated with Microsoft Defender to:

• Remove user clicks required to view and learn remediation steps.
• Add a Resolve button to reduce time-to-remediation.

8. Declarative software update reports for Apple devices​

Apple devices now support several new software update reports, leveraging Apple's built-in declarative reporting infrastructure. This advanced infrastructure enables Intune to provide a near real-time view of the software update status for managed devices.

The list of new reports include:

1. A per-device software update report
2. Apple software update failures
3. Apple software update report
4. Apple software update summary report

Note that the above reports support the following devices: iOS 17 and later, iPadOS 17 and later, and macOS 14 and later.

9. Multi-administrator approval support for role-based access control​

Starting with Intune service release 2508, multi-administrator approval (MAA) now supports role-based access control. When enabled, any changes to roles, including modifications to role permissions, admin groups, or member group assignments, require a second administrator to approve the change before it's applied. This dual authorization process helps protect your organization from unauthorized or accidental role-based access control changes.

10. Platform SSO is generally available (GA) and also supports custom TGT​

Platform SSO is a feature in Microsoft Entra that enables single sign-on (SSO) using a Microsoft Entra ID on macOS devices. Using the Intune settings catalog, you can configure Platform SSO and use Intune to deploy the Platform SSO configuration to your macOS devices.