A new month always brings a new Microsoft Intune service release. The Microsoft Intune November 2025 (2511) service release introduces a range of enhancements for Android device management, making it easier than ever for IT administrators to fine-tune policies, streamline enrollment workflows, and enhance device security. From expanded settings in the Android Enterprise settings catalog to new controls for app management, this update empowers organizations to manage Android devices with greater precision and flexibility.
In this post, we’ll explore the most impactful Android-specific changes in the Microsoft Intune November 2025 (2511) service release and how they can benefit your Microsoft Intune environment.
Before you explore the new additions in Microsoft Intune for your Android Devices, verify and make sure your tenant is on the new 2511 service release.
Go to Tenant Administration | Tenant Status and in the Tenant details tab, check if Service release is on 2511.
App Management
Managed Home Screen
For the Android Enterprise dedicated and fully managed devices, there are new volume controls in the Managed Home Screen app. As an addition to the already available media volume control, there is now the option to show or hide controls for call, ring, notifications, and alarm volumes for your end-users.
All these settings can be enabled with App configuration policies in Microsoft Intune. Therefore, you need to go to the Microsoft Intune admin center | Apps | Manage apps | Configuration.
Managed Google Play
You can now easily switch the Managed Google Play store layout from Custom back to Basic directly in the Microsoft Intune admin center by navigating to Apps | All apps | Create Managed Google Play app.
In Basic mode, all approved apps are automatically shown to users. In Custom mode, newly approved apps must be manually added to collections before they appear in the store. The new Reset to Basic mode option enables admins to quickly revert to Basic mode without needing to contact support. When selected, Microsoft Intune removes all existing collections and immediately provides a success or failure notification.
Device Configuration
Settings Catalog
In the Microsoft Intune 2511 Service Release, there are some new Settings available in the Settings Catalog that previously were only available in Templates.
To create a Configuration Policy with Settings Catalog, you go to Devices | Android | Configuration and choose Create, and New Policy. Choose Android Enterprise as the Platform and Settings Catalog as the Profile type.
Overview
Let me give you an overview of all the new settings that are available know in Settings Catalog for all Android Enterprise devices.
General
- Block Contact sharing via Bluetooth (work profile level): Prevents work profile contacts from being shared over Bluetooth connections, ensuring corporate contact data stays secure.
- Block searching of work contacts and displaying work contact caller-id in personal profile: Stops users from searching work contacts in the personal profile and hides work contact caller ID when calls are received on the personal side.
- Data sharing between work and personal profiles: Controls whether data (such as files, clipboard, or app content) can be shared between work and personal profiles, helping maintain separation of corporate and personal information.
- Skip first use hints: Disables introductory tips or setup hints shown when a work profile or managed app is first launched, streamlining the user experience.
Work profile password
- Number of days until password expires: Defines how long a password can be used before the user must change it.
- Number of passwords required before user can reuse a password: Specifies how many unique passwords must be used before an old password can be reused.
- Number of sign-in failures before wiping device: Sets the maximum failed sign-in attempts allowed before the device is automatically wiped.
- Required password type: Determines the complexity level of the password (e.g., numeric, alphanumeric, complex).
- Required unlock frequency: Defines how often the user must unlock the device (e.g., after a set time or on every wake).
New Settings
For Android Enterprise corporate-owned devices with a work profile (work profile level), Android Enterprise corporate-owned fully managed, and Android Enterprise corporate-owned dedicated devices, there is a brand new setting in the Settings Catalog.
- Block assist content sharing with privileged apps: Prevents assist features (like screen readers or voice assistants) from sharing work profile content with apps that have elevated privileges, reducing the risk of sensitive data exposure.
INFORMATION: This setting is only available in Settings Catalog and is used to block content sharing from the work profile to any privileged application with an AI feature on your Android device.
Device Enrollment
If you had to set up your Managed Google Play connection with a Managed Google Play account at the time, you now have the option to opt in to upgrade to a Microsoft Entra ID account (this option has been available since August 2024).
If you previously used a personal Gmail account, you’re eligible for an upgrade. This update simplifies onboarding by removing the need for a separate Gmail account and instead using your work account. Upgrading is optional. For more details about this change, check the Microsoft links below.
- New onboarding flow to manage Android Enterprise devices with Microsoft Intune
- Connect your Intune account to your managed Google Play account
Device Management
The Device Management Type assignment filter property now supports Android enrollment scenarios for managed devices. In Intune, assignment filters let you target policies based on custom rules. One of these properties is deviceManagementType, which you can use to define rules for specific enrollment types.
For managed Android devices, the Device Management Type property includes support for the following all Android Enterprise and AOSP enrollment options.
IMPORTANT: The deviceManagementType is only available with the Managed apps filter. More information on supported filter properties can be found here.
Go to the Microsoft Intune admin center | Devices | Android | Assignment filters | Create a Managed Apps filter
Device Security
Microsoft Tunnel
Microsoft Tunnel relies on the Microsoft Defender client app to enable Android devices to connect through the tunnel. The latest version of the Defender for Endpoint client now includes the ability to detect rooted devices. When a device is identified as rooted, Microsoft Defender:
- Sets the device’s risk level to High
- Immediately terminates any active Tunnel connections
- Blocks further Tunnel access until the device is no longer rooted
- Sends a notification to the user about the device’s status
IMPORTANT: This functionality is part of the Microsoft Defender client on Android and does not replace Microsoft Intune compliance policies for Android, which should still be used to enforce settings such as Rooted devices, Play Integrity Verdict, and Device Threat Level requirements.
So, that was an overview of all the new features in the Microsoft Intune 2025 service release for Android. Want to stay up to date? Be sure to follow me on all social media channels and stay tuned!
