Intune Customer Success

Support tip: Changes to Google Play strong integrity for Android 13 or above

Intune_Support_Team
Jul 21, 2025

By: Wayne Bennett – Sr. Product Manager | Microsoft Intune

 

In May 2025, Google implemented changes which require devices running Android 13 or above to provide hardware-backed security signals and to have a security patch released in the past 12 months in order to meet the strong integrity verdict.

 

To minimise the impact of the changes, app protection and compliance policies in Microsoft Intune have been adjusted in alignment with Google’s recommended backward compatibility guidance. However, Microsoft Intune will also enforce the strong integrity requirements by September 30, 2025. You’ll have received a notice in your Message center (MC1085670) if you have devices that won’t meet the new strong integrity standard after this change. Content from the Message center post is also available here: Plan for Change: Google Play strong integrity definition update for Android 13 or above.

 

Prior to this change, identify devices that don’t meet the new strong integrity verdict requirements. Configure APP or device compliance policy settings to either warn or block users that don’t meet the requirements:

Configure device compliance policy

For Intune enrolled Android devices, the Minimum security patch level setting can be configured within the Device properties section of compliance policies. You can either update an existing policy or create a new one:

    1. Navigate to the Microsoft Intune admin center.
    2. Select Devices > Compliance > Create policy. From the Platform list, select Android Enterprise. From the Profile type list, select either Fully managed, dedicated, and corporate-owned work profile or Personally-owned work profile, then select Create.
    3. Enter a suitable name for the compliance policy and select Next.
    4. On the Compliance settings page, depending on the profile type you selected, ‘Minimum security patch level’ is found under either the Device Health or System Security section. To ensure devices meet the Strong Integrity verdict, configure ‘Minimum security patch level’ to a date less than 12 months old. The date must be entered in the format YYYY-MM-DD.
    5. On the Actions for noncompliance page, the default action is to mark the device non-compliant immediately. Update this by setting Schedule (days after noncompliance) to 90, or another value which will allow you time to monitor the devices which don’t meet the patch level requirements. Note: You may wish to configure additional settings such as sending an email to the user; for more details refer to Available actions for noncompliance.
    6. On the Assignments page, target the policy to the required group of users or devices.
    7. On the Review and create page, save the policy by selecting Create.

      By configuring the setting Schedule (days after noncompliance), also known as a ‘grace period’, devices which don’t meet the minimum patch level won’t be blocked immediately. This gives you an opportunity to inform users they should update their devices before they’re blocked at a future date. To review the in-grace period devices within the Intune admin center, under Devices > Compliance > Policies, select the newly created security patch level compliance policy and select Per-setting status.

      Selecting the numerical value in the Noncompliant devices column shows a list of devices which are in the ‘Minimum security patch level’ grace period.  You can then reach out to the individual users, asking them to upgrade.

Configure APP conditional launch

You can also use the conditional launch settings within APP to require a minimum operating system and patch versions. Either update an existing policy or create a new one:

    1. Navigate to the Microsoft Intune admin center.
    2. Select Apps > Protection > Create, and choose Android as the platform you want to target with APP.
    3. On the Basics page, enter a name for the policy which makes it easily identifiable.
    4. Complete the Apps, Data protection and Access requirements pages with the Android app protection policy settings which meet your organization’s requirements. Within the Device conditions section on the Conditional launch page, configure ‘Min OS version’ with a minimum required value, such as 13.0, and configure Action to Block access, Wipe data, or Warn, as per the action required for your organization. Configure ‘Min patch version’ to a date less than 12 months old. The date must be entered in the format YYYY-MM-DD.
    5. On the Assignments page, target the policy to the required group of users or devices.
    6. On the Review and create page, save the policy by selecting Create.

      With the configuration shown, when users launch a targeted app they are blocked if the device does not meet the Android 13.0 or above operating system requirements but will only receive a warning if their device doesn’t meet the minimum patch version requirements.

 

Monitoring

You can use the Platform version and Android security patch version columns within the App protection status report to view the current OS version and security patch level deployed to each device. The app protection status report is accessed from the Intune admin center by selecting Apps > Monitor > App Protection Status. Within the report, you can search and filter for specific Android security patch versions.

 

For user-less Intune enrolled Android devices, use the devices view to check the OS version and security patch version level. From the Intune admin center, select Devices > By platform > Android. The OS version column is displayed by default; you will need to select Columns > Security patch level to view the security patch level.
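
As an added example (not from the original post and not Microsoft tooling), the following Python applies the Android 13+ / 12-month patch rule to an exported copy of the report columns above, and checks whether a fixed 'Minimum security patch level' date has itself aged past 12 months. The CSV layout, the `Device name` column, the status labels and the strict "newer than the cutoff" boundary are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export; "Device name" and the CSV layout are assumptions.
SAMPLE_EXPORT = """Device name,Platform version,Android security patch version
pixel-7-a,14.0,2025-06-05
galaxy-a52,13.0,2024-05-01
moto-g,12.0,2023-01-05
kiosk-01,13,
"""

def twelve_months_before(today: date) -> date:
    """Same calendar day one year earlier (29 Feb falls back to 28 Feb)."""
    try:
        return today.replace(year=today.year - 1)
    except ValueError:
        return today.replace(year=today.year - 1, day=28)

def classify(os_version: str, patch_level: str, today: date) -> str:
    """Classify one device against the Android 13+ / 12-month patch rule."""
    try:
        major = int(os_version.strip().split(".")[0])
        patch = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"  # missing or malformed value: review by hand
    if major < 13:
        return "not-in-scope"  # the new definition covers Android 13 or above
    # Assumption: "past 12 months" means strictly newer than the cutoff date.
    return "ok" if patch > twelve_months_before(today) else "stale-patch"

def triage(csv_text: str, today: date) -> dict:
    """Map each device name in the export to its classification."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["Device name"]: classify(r["Platform version"],
                                       r["Android security patch version"],
                                       today)
            for r in rows}

def minimum_still_valid(configured: str, today: date) -> bool:
    """True while a fixed YYYY-MM-DD policy value is less than 12 months old."""
    return date.fromisoformat(configured) > twelve_months_before(today)

if __name__ == "__main__":
    for name, status in triage(SAMPLE_EXPORT, date.today()).items():
        print(f"{name}: {status}")
```
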

 

Conclusion

Using the examples in this blog post, you can update or implement new policies to identify devices which don’t meet the Play Integrity strong integrity verdict and inform your users prior to the changes which will be enforced at the end of September 2025.

 

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.

Updated Jul 28, 2025
Version 3.0

4 Comments

  • Toubi

    Hi,

    When you say enforce by end of September, that means every Android 13+ with patch level older than 1 year is impacted and tagged noncompliant? Even if we don't target the settings in compliance policy or conditional launch?

    • Wayne Bennett
      Microsoft

      Hi Toubi, this blog post provides information on how to identify devices which have a security patch greater than 12 months old, by using the warn and 'grace period' values. To meet the Android Strong Integrity requirements, Android 13+ devices must have a security patch released in the past 12 months. However, only devices/users which are targeted with a policy and configured with the 'block' value will be impacted at the end of September; more details can be found in:

      Plan for Change: Google Play strong integrity definition update for Android 13 or above

  • carlosbh

    How do we choose the right date value? Do we have to update it with every new version released, monthly? 🙃

    • Wayne Bennett
      Microsoft

      Hi carlosbh, we are aware of the fixed date limitation. Unfortunately, at this time you will need to periodically edit the date within the App Protection Policy; there is no "rolling timeframe" setting.