The Intune May 2025 Update brings several new features and improvements, including cross-platform device inventory, multiple admin permissions for remote actions, and a new endpoint security policy for Linux servers called global exclusions. The 2505 service release is being deployed throughout May 2025. Administrators should check the Tenant Status blade to confirm when their environment has been updated.
The following are the new features and enhancements included in Intune service release 2505, released in May 2025:
1. Cross-Platform Device Inventory
The device inventory is expanded to include Android, iOS, and Mac devices. Currently, Intune gathers a standard inventory of data, which comprises 32 Android properties and 74 Apple properties.
2. Multiple Administrator Approvals for Remote Actions
With the release of Intune 2505, a new feature has been added that enables organizations to create access policies that demand authorization from a different administrator before performing remote actions such as retire, wipe, or delete. Requestors may be asked to include a business justification, and approvers may annotate their decisions during the approval process, all of which can help audits and investigations become more transparent.
3. Improved security for unattended Remote Help sessions on Android devices
Microsoft has enhanced security and user awareness for unattended Remote Help sessions on Android devices by introducing a screen-blocking feature that alerts users if they interact with the device. This functionality is specifically designed for Zebra and Samsung devices enrolled as Android Enterprise corporate-owned dedicated devices.
4. Secure Linux Servers with Global Exclusions
Global exclusions represent a new endpoint security policy introduced by Intune to help organizations enhance the protection of their Linux servers. These exclusions can also be applied to devices managed through Defender for Endpoint, even if they are not enrolled in Intune. The exclusion settings are available for both Microsoft Defender Antivirus and Defender for Endpoint detection and response (EDR), offering solutions to improve performance and reduce false positives.
5. Detect rooted corporate-owned Android Enterprise devices
Administrators using Intune can now configure compliance policies to identify if a corporate-owned Android Enterprise device is rooted. When Microsoft Intune detects a rooted device, it can automatically mark it as noncompliant. This functionality is available for devices enrolled as fully managed, dedicated, or corporate-owned with a work profile.
6. Endpoint Privilege Management rules explicitly deny elevation
Endpoint Privilege Management (EPM) elevation rules now feature a new file elevation type: Deny. This rule prevents the specified file from running in an elevated context. While we encourage using file elevation rules to grant users the ability to elevate specific files, the Deny rule is a valuable tool for blocking certain files, such as known or potentially malicious software, from being executed with elevated privileges.