
Contents

Configure device settings


Overview
Device configuration overview
Quickstarts
Create an email device profile
Tutorials
Create an administrative template
How-to guides
Profiles - Get started
Settings catalog
Custom settings
Create custom profiles
HoloLens 2 example
Restrict device settings and features
Email
Configure email
Issues and resolutions
VPN
Configure VPN
Per-app VPN for Android
Per-App VPN for iOS/iPadOS
Wi-Fi
Configure Wi-Fi
Import Wi-Fi settings
Wi-Fi with a pre-shared key
Troubleshoot Wi-Fi
Group policy and Administrative templates
Group Policy analytics
Create administrative templates
Update Office using administrative templates
Create Microsoft Edge policy
BIOS settings on Windows
Domain Join on Windows
Update Windows
Upgrade Windows and S mode
Device features on iOS/iPadOS and macOS
Device features
Use Enterprise SSO plug-in
Extensions on macOS
Preference file on macOS
Wired networks on macOS
Mobility Extensions on Zebra devices
Configure MX on Android device administrator
StageNow logs and common issues
OEMConfig on Android Enterprise
Get started
Profiles on Zebra devices
Kiosks and dedicated devices
Shared multi-user devices
Network boundary on Windows
Windows health monitoring
Education Take a Test app
eSIM cellular on Windows
Telecom expenses on Android, iOS/iPadOS
Deploy and monitor
Assign profiles
Monitor profiles
Troubleshoot
Troubleshoot policies and profiles
Common questions and answers
Reference
Configuration profile settings
Configuration profile settings
Android device administrator
Custom
Custom settings
Allow/block apps for Samsung Knox Standard
Device restrictions
Email
VPN
Wi-Fi
Android Enterprise
Custom
Device restrictions
Email
VPN
Wi-Fi
iOS/iPadOS
Custom
Device features
Device restrictions
Email
VPN
Wi-Fi
Bundle IDs for built-in apps
macOS
Custom
Device features
Device restrictions
Endpoint protection
Extensions
VPN
Wi-Fi
Wired networks
Windows 10 and later
Custom
Delivery optimization
Device restrictions
Device restrictions (Windows 10 Team)
Edition upgrade and mode switch
Email
Endpoint protection
Identity protection
Kiosk
Secure assessment
Shared multi-user device
VPN
Wi-Fi
Windows Holographic for Business
Custom
Device restrictions
Edition upgrade and mode switch
Kiosk
Shared multi-user device
Windows 8.1
Device restrictions
VPN
Windows Phone 8.1
Custom
Device restrictions
Email
VPN
Apply features and settings on your devices using
device profiles in Microsoft Intune
4/15/2021 • 9 minutes to read

Microsoft Intune includes settings and features you can enable or disable on different devices within your
organization. These settings and features are added to "configuration profiles". You can create profiles for
different devices and different platforms, including iOS/iPadOS, Android device administrator, Android
Enterprise, and Windows. Then, use Intune to apply or "assign" the profile to the devices.
As part of your mobile device management (MDM) solution, use these configuration profiles to complete
different tasks. Intune has many templates that include groups of settings that are specific to a feature, such as
certificates, VPN, email, and more.
Some profile examples include:
On Windows 10 devices, use a profile template that blocks ActiveX controls in Internet Explorer.
On iOS/iPadOS and macOS devices, allow users to use AirPrint printers in your organization.
Allow or prevent access to Bluetooth on the device.
Create a WiFi or VPN profile that gives different devices access to your corporate network.
Manage software updates, including when they're installed.
Run an Android device as dedicated kiosk device that can run one app, or run many apps.
This article gives an overview of the different types of profiles you can create. Use these profiles to allow or
prevent some features on the devices.

Administrative templates and Group policy


Administrative templates include hundreds of settings that you can configure for Internet Explorer, Microsoft
Edge, OneDrive, remote desktop, Word, Excel, and other Office programs. These templates give administrators a
simplified view of settings similar to group policy, and they're 100% cloud-based.
Group Policy analytics analyzes your on-premises GPOs, and shows which policy settings are supported,
deprecated, and more.
This feature supports:
Windows 10 and newer

Certificates
Certificate profiles deploy trusted root certificates, and SCEP or PKCS certificates that are issued to devices or
users. The trusted root certificates let devices verify your servers; the SCEP or PKCS certificates authenticate the
device or user in Wi-Fi, VPN, and email profiles.
This feature supports:
Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 8.1
Windows 10 and newer
Custom profile
Custom settings let administrators assign device settings that aren't built in to Intune. On Android and Windows
devices, you enter OMA-URI values, with a data type and value for each setting. Intune passes these values to the
device as entered, so a wrong path or data type shows as an error in the profile's per-device status after
assignment, not when you save the profile. For iOS/iPadOS and macOS devices, you import a configuration file
(.mobileconfig) you created in Apple Configurator.
This feature supports:
Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 10 and later
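The custom profile described above, as an added example that is not part of the Intune documentation: it creates a Windows 10 custom profile with one OMA-URI setting through Microsoft Graph and then reads back the per-device status, which is where an invalid OMA-URI first shows up. It assumes the Microsoft.Graph PowerShell SDK, a caller holding DeviceManagementConfiguration.ReadWrite.All, and, as the illustrative setting, the Policy CSP node Connectivity/AllowBluetooth (0 = not allowed).

```powershell
# Added example, not from the Intune documentation. Creates a Windows 10 custom
# profile with one OMA-URI setting via Microsoft Graph, then lists per-device status.
# Intune does not validate the OMA-URI when the profile is saved; a wrong path or
# value type only surfaces as status 'error' on each device after assignment.
# Assumes the Microsoft.Graph PowerShell SDK and DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
$base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'

# CSP path assumed for this example: Policy CSP, Connectivity/AllowBluetooth, 0 = not allowed.
# './Device/...' nodes apply to the device; './User/...' nodes apply per signed-in user.
$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Custom - block Bluetooth'
    description   = 'Policy CSP: Connectivity/AllowBluetooth = 0'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Block Bluetooth'
            description   = 'Device-scoped Policy CSP node'
            omaUri        = './Device/Vendor/MSFT/Policy/Config/Connectivity/AllowBluetooth'
            value         = 0
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Created profile $($created.id)"

# After the profile is assigned and devices have checked in, a device that rejected the
# setting reports status 'error'; 'compliant' means the CSP accepted the value.
$status = Invoke-MgGraphRequest -Method GET -Uri "$base/$($created.id)/deviceStatuses"
$status.value | ForEach-Object { '{0,-30} {1}' -f $_.deviceDisplayName, $_.status }
```

The status check is the part worth keeping in a deployment script: because the portal accepts any string as an OMA-URI, a typo in the path is silent until you look at the per-device status of the assigned profile.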

Delivery optimization
Delivery optimization provides a better experience for delivering software updates. These settings are replacing
the Software Updates > Windows 10 update ring settings.
Use these settings to control how software updates are downloaded to devices in your organization. For
example, you can let users get their own updates, or get updates using the delivery optimization cloud services
in a device profile.
This feature supports:
Windows 10 and newer

Derived credential
Derived credentials are certificates that are derived from a user's smart card (such as a PIV or CAC card) and
stored on the mobile device, where they can authenticate, sign, and encrypt without the physical card. In Intune,
you can create profiles that use these credentials in apps, email profiles, VPN connections, S/MIME, and Wi-Fi.
This feature supports:
Android Enterprise
iOS/iPadOS

Device features
Device features control features on iOS/iPadOS and macOS devices, such as AirPrint, notifications, and lock
screen messages.
This feature supports:
iOS/iPadOS
macOS

Device firmware configuration interface


Device firmware configuration interface (DFCI) allows administrators to enable or disable UEFI (BIOS) settings,
such as booting from external media or the built-in cameras and radios, using Intune. Because these settings are
enforced by the firmware and can't be changed locally, not even by a local administrator, they resist tampering
that would defeat an OS-level policy.
This feature supports:
Windows 10 1809 and newer on supported firmware
Device restrictions
Device restrictions control security, hardware, data sharing, and other settings on devices. For example, create
a device restriction profile that prevents iOS/iPadOS device users from using the device camera.
This feature supports:
Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 10 and newer
Windows 10 Team

Domain join
Domain join configures on-premises Active Directory domain information. This information is deployed to
hybrid Azure AD joined devices when provisioned using Windows Autopilot and Intune. This profile tells devices
which domain and OU to join.
This feature supports:
Windows 10 and newer

Edition upgrade and mode switch


Edition upgrade profiles automatically upgrade devices that run some versions of Windows 10 to a newer
edition. The same profile type can also switch devices out of S mode.
This feature supports:
Windows 10 and newer

Education
Education settings for Windows 10 configure options for the Windows Take a Test app. When you configure these
options, no other apps can run on the device until the test is complete.
Education settings for iOS/iPadOS use the iOS/iPadOS Classroom app to guide learning and control student
devices in the classroom. You can also configure iPad devices so many students can share a single device.

Email
Email profiles create, assign, and monitor Exchange ActiveSync email settings on devices. Email profiles
help with consistency, reduce support calls, and let end users access company email on their personal devices
without any required setup on their part.
This feature supports:
Android device administrator
Android Enterprise
iOS/iPadOS
Windows 10 and newer

Endpoint protection
Endpoint protection configures BitLocker and Microsoft Defender settings for Windows 10 devices. On macOS
devices, you can configure FileVault, the firewall, Gatekeeper, and other settings.
To onboard Microsoft Defender for Endpoint with Microsoft Intune, see Configure endpoints using Mobile
Device Management (MDM) tools.
This feature supports:
macOS
Windows 10 and newer

eSIM cellular - Public preview


eSIM cellular profiles lets administrators configure cellular data plans on your managed devices for internet and
data access. After getting activation codes from your mobile operator, use Intune to import these activation
codes, and then assign to your eSIM capable devices.
This feature supports:
Windows 10 Fall Creators Update and newer

Extensions
macOS system extensions and kernel extensions let administrators add features or programs that extend the
native capabilities of the operating system. Configure these settings to trust all extensions from a specific
developer or partner (by team identifier), or to allow specific extensions.
This feature supports:
macOS

Identity protection
Identity protection controls the Windows Hello for Business experience on Windows 10 devices. Configure these
settings to make Windows Hello for Business available to users and devices, and to specify requirements for
device PINs and gestures.
This feature supports:
Windows 10 and newer
Windows Holographic for Business

Kiosk
Kiosk settings profile configures a device to run one app, or run many apps. You can also customize other
features on your kiosk, including a start menu and a web browser.
This feature supports:
Windows 10 and newer
Kiosk settings are also available as device restrictions for Android, Android Enterprise, and iOS/iPadOS.

MX profile (Zebra)
Mobility extensions (MX) expand on the built-in Intune settings to customize or add more settings specific to
Zebra devices. Zebra devices are commonly used on factory floors, and retail environments. If you have
hundreds or thousands of Zebra devices, you can use Intune to configure and manage these devices.
This feature supports:
Android device administrator

Microsoft Defender for Endpoint


Microsoft Defender for Endpoint integrates with Intune to monitor and help protect devices. You set risk levels,
and determine what happens if devices exceed that level. When combined with conditional access, you can help
prevent malicious activity in your organization.
This feature supports:
Windows 10 and newer

Network boundary
Network boundary creates a list of sites that are trusted by your organization. This feature is used with
Microsoft Defender Application Guard and Microsoft Edge to help protect your devices.
This feature supports:
Windows 10 and newer

OEMConfig
On Android Enterprise devices, OEMConfig is a standard. It allows OEMs (original equipment manufacturers)
and EMMs (enterprise mobility management) to build and support OEM-specific features in a standardized way.
With OEMConfig, an OEM creates a schema that defines OEM-specific management features, and embeds it in
an app uploaded to Google Play. Intune reads the schema from the app, and allows Intune administrators to
configure the settings in the schema.
This feature supports:
Android Enterprise (OEMConfig)

PowerShell scripts
PowerShell scripts use the Intune Management Extension to upload your PowerShell scripts in Intune, and then
run these scripts on your devices. Also see what's required to use the extension, how to add them to Intune, and
other important information.
This feature supports:
Windows 10 and later

Preference file
Preference files on macOS devices include information about apps. For example, you can use preference files to
control web browser settings, customize apps, and more.
This feature supports:
macOS

Settings catalog
The settings catalog lists the settings you can configure. It's not a template, or a logical grouping of settings.
On Windows, there are thousands of settings available, including many settings not found in the templates.
When you want a complete list of all the settings, use the settings catalog to create your policy. If you want to
use a logical grouping of settings, then continue to use the templates.
On macOS, you can configure Microsoft Edge version 77 and newer using the settings catalog. In your policy,
you configure individual settings. It doesn't require a preference file.
This feature supports:
macOS
Windows 10 and newer

Shared multi-user device


Windows 10 and Windows Holographic for Business include settings to manage devices with multiple users.
These devices are known as shared devices, or shared PCs. When a user signs in to the device, you choose if the
user can change the sleep options, or save files on the device. In another example, to save space, you can create
a profile that deletes inactive credentials from Windows HoloLens devices.
These shared multi-user device settings allow administrators to control some of the device features, and
manage these shared devices using Intune.
This feature supports:
Windows 10 and newer
Windows Holographic for Business

Update policies
iOS/iPadOS update policies let you create and assign policies that install software updates on your iOS/iPadOS
devices. You can also review the installation status.
For update policies on Windows devices, see Delivery optimization.
This feature supports:
iOS/iPadOS

VPN
VPN profiles assign VPN settings to users and devices in your organization, so they can easily and securely
connect to the network.
Virtual private networks (VPNs) give users secure remote access to your company network. Devices use a VPN
connection profile to start a connection with your VPN server.
This feature supports:
Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 8.1
Windows 10 and newer

Wi-Fi
Wi-Fi profiles assign wireless network settings to users and devices. When you assign a Wi-Fi profile, users get
access to your corporate Wi-Fi without having to configure it themselves.
This feature supports:
Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 8.1 (import only)
Windows 10 and newer

Windows health monitoring


Windows health monitoring lets event data be collected from your devices, and then analyzed by Endpoint Analytics. You can
use this data to get insights on your Windows devices, including software updates and startup performance.
This feature supports:
Windows 10 and newer

Wired networks
Wired networks let you create and manage 802.1x wired connections for macOS desktop computers. In your
profile, you choose the network interface, select the accepted EAP types, and enter the server trust settings,
including PKCS and SCEP certificates.
When you assign the profile, macOS desktop users get access to your corporate wired network without having
to configure it themselves.
This feature supports:
macOS

Zebra Mobility Extensions (MX)


Zebra Mobility Extensions (MX) allows administrators to use and manage Zebra devices in Intune. You create
StageNow profiles with your settings, and then use Intune to assign and deploy these profiles to your Zebra
devices. The StageNow logs and common issues article is a good resource for troubleshooting profiles, and for
seeing some potential issues when using StageNow.
This feature supports:
Android device administrator (Mobility Extensions)

Manage and troubleshoot


Manage your profiles to check the status of devices, and the profiles assigned. Also help resolve conflicts by
seeing the settings that cause a conflict, and the profiles that include these settings. Common issues and
resolutions helps administrators work with profiles. It describes what happens when deleting a profile, what
causes notifications to be sent to devices, and more.

Next steps
Choose a profile, and get started.
Quickstart: Create an email device profile for
iOS/iPadOS
3/26/2020 • 2 minutes to read

In this quickstart, you'll see how to create an email device profile for iOS/iPadOS devices. This profile specifies
the settings that are required for the built-in email app on the iOS/iPadOS device to connect to company email.
Email device profiles help standardize settings across devices, and they let end users access company email on
their personal devices without any required setup on their part. To further safeguard your email, you can use an
email profile to determine if devices are compliant, and then set up Conditional Access to allow only compliant
devices to access email. For details about email profiles, see How to configure email settings in Microsoft Intune.
If you don't have an Intune subscription, sign up for a free trial account.

Sign in to Intune
Sign in to the Microsoft Endpoint Manager admin center as a Global Administrator or an Intune Service
Administrator. If you have created an Intune Trial subscription, the account you created the subscription with is
the Global administrator.

Create an iOS/iPadOS email profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile.
3. Enter the following properties:
Platform: Select iOS/iPadOS.
Profile: Select Email.
4. Select Create.
5. In Basics, enter the following properties:
Name: Enter a descriptive name for the new profile. For this example, enter iOS require work email.
Description: Enter Require iOS/iPadOS devices to use work email.
6. Select Next.
7. In Configuration settings, enter the following settings (leave the defaults for other settings):
Email server: For this quickstart, enter outlook.office365.com. This setting is the host name of the Exchange
server that the iOS/iPadOS mail app connects to.
Account name: Enter Company Email.
Username attribute from AAD: This name is the attribute Intune gets from Azure Active Directory (Azure AD).
Intune dynamically generates the username for this profile using this attribute. For this quickstart, we'll
assume that we want the User Principal Name to be used as the username for the profile (for example,
user1@contoso.com).
Email address attribute from AAD: This setting is the email address from Azure AD that will be used to sign
in to Exchange. For this quickstart, select User Principal Name.
Authentication method: For this quickstart, select Username and password. You can also choose Certificate
if you've already deployed a certificate profile through Intune. With certificate authentication, users never
type their password into the mail app, which makes it the better choice outside of a test.
8. Select Next.
9. In Scope tags (optional), select Next. We won't use a scope tag for this profile.
10. In Assignments, use the drop-down for Assign to and select All users and all devices. Then, select Next.
11. In Review + create, review your settings. When you select Create, your changes are saved, and the
profile is assigned.
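The same profile created and assigned through Microsoft Graph, as an added example that is not part of the quickstart. It assumes the Microsoft.Graph PowerShell SDK and a caller holding DeviceManagementConfiguration.ReadWrite.All; the property names follow the iosEasEmailProfileConfiguration resource, and any setting not listed keeps its default, as in the steps above.

```powershell
# Added example, not from the quickstart. Creates the iOS/iPadOS email profile from the
# steps above through Microsoft Graph and assigns it to all users and all devices.
# Assumes the Microsoft.Graph PowerShell SDK and DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
$base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'

$profileBody = @{
    '@odata.type'        = '#microsoft.graph.iosEasEmailProfileConfiguration'
    displayName          = 'iOS require work email'
    description          = 'Require iOS/iPadOS devices to use work email'
    hostName             = 'outlook.office365.com'   # Email server: a host name, not a URL
    accountName          = 'Company Email'
    usernameSource       = 'userPrincipalName'       # Username attribute from AAD
    emailAddressSource   = 'userPrincipalName'       # Email address attribute from AAD
    authenticationMethod = 'usernameAndPassword'     # 'certificate' once a SCEP/PKCS profile exists
}
$created = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Created profile $($created.id)"

# Assignment. The quickstart targets "All users and all devices". In production, start with
# a pilot group instead: replace both targets with
#   @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = '<group id>' }
$assignBody = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } },
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# The "Clean up resources" step below, as an API call:
# Invoke-MgGraphRequest -Method DELETE -Uri "$base/$($created.id)"
```

Keeping the profile definition in code makes the two security-relevant choices explicit and reviewable: the authentication method (password versus certificate) and the assignment scope, which the portal's "All users and all devices" default hides inside a drop-down.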

Clean up resources
If you don't intend to use the profile you created for additional tutorials or testing, you can delete it now.
1. In the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles.
2. Select the test profile you created, iOS require work email, and then select Delete.

Next steps
In this quickstart, you created an email profile for iOS/iPadOS devices. Now you can use this profile to
determine whether an iOS/iPadOS device is compliant by creating a compliance policy that marks as
noncompliant any iOS/iPadOS devices that don't match the profile. For further protection, you can create a
Conditional Access policy that blocks noncompliant iOS/iPadOS devices from accessing email. For more
information about device compliance policies, see Get started with device compliance policies in Intune.
Tutorial: Protect Exchange Online email on managed devices
Tutorial: Use the cloud to configure group policy on
Windows 10 devices with ADMX templates and
Microsoft Intune
3/5/2021 • 17 minutes to read

NOTE
This tutorial was created as a technical workshop for Microsoft Ignite. It has more prerequisites than typical tutorials, as it
compares using and configuring ADMX policies in Intune and on-premises.

Group policy administrative templates, also known as ADMX templates, include settings you can configure on
Windows 10 devices, including PCs. ADMX templates are provided by different products and services, and the
settings they define are used by Mobile Device Management (MDM) providers, including Microsoft Intune. For
example, you can turn on Design Ideas in PowerPoint, set a home page in Microsoft Edge, block ActiveX controls
in Internet Explorer, and more.
ADMX templates are available for the following services:
Microsoft Edge : Download at Microsoft Edge policy file.
Office : Download at Microsoft 365 Apps, Office 2019, and Office 2016.
Windows : Built in to the Windows 10 OS.
For more information on ADMX policies, see Understanding ADMX-backed policies.
These templates are built in to Microsoft Intune, and are available as Administrative templates profiles. In this
profile, you configure the settings you want to include, and then "assign" this profile to your devices.
In this tutorial, you will:
Get introduced to the Microsoft Endpoint Manager admin center.
Create user groups and create device groups.
Compare the settings in Intune with on-premises ADMX settings.
Create different administrative templates, and configure the settings that target the different groups.
By the end of this lab, you'll have the skills to start using Intune and Microsoft 365 to manage your users, and
deploy administrative templates.
This feature applies to:
Windows 10 version 1709 and newer

TIP
There are two ways to create an administrative template: Using a template, or using the Settings Catalog. This article
focuses on using the Administrative Templates template. The Settings Catalog has more Administrative Template
settings available. For the specific steps to use the Settings Catalog, see Use the settings catalog to configure settings.

Prerequisites
A Microsoft 365 E3 or E5 subscription, which includes Intune and Azure Active Directory (AD) premium. If
you don't have an E3 or E5 subscription, try it for free.
For more information on what you get with the different Microsoft 365 licenses, see Transform your
Enterprise with Microsoft 365.
Microsoft Intune is configured as the Intune MDM Authority . For more information, see Set the mobile
device management authority.

On an on-premises Active Directory domain controller (DC):


1. Copy the following Office and Microsoft Edge templates to the Central Store (the PolicyDefinitions folder in
SYSVOL):
Office administrative templates
Microsoft Edge administrative templates > Policy file
2. Create a group policy object (GPO) that uses these templates, and link it so it applies to a Windows 10
Enterprise administrator computer in the same domain as the DC. In this tutorial:
The GPO we created with these templates is called OfficeandEdge. You'll see this name in the images.
The Windows 10 Enterprise administrator computer we use is called the Admin computer.
In some organizations, a domain administrator has two accounts:
A typical domain work account
A different domain administrator account used only for domain administrator tasks, such as
group policy
The purpose of this Admin computer is for administrators to sign in with their domain
administrator account, and access tools designed for managing group policy.
On this Admin computer :
Sign in with a Domain Administrator account.
Install the RSAT: Group Policy Management Tools :
1. Open the Settings app > Apps > Optional features > Add feature .
2. Select RSAT: Group Policy Management Tools > Install .
Wait while Windows installs the feature. When complete, it eventually shows in the
Windows Administrative Tools app.
Be sure you have internet access and administrator rights to the Microsoft 365 subscription, which
includes the Endpoint Manager admin center.
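The on-premises prerequisites above, scripted as an added example that is not part of the tutorial. It is meant to run on the Admin computer as a Domain Administrator (SYSVOL is a share, so the central store can be populated from there rather than on the DC). The template folder paths and the OU distinguished name are placeholders you must replace.

```powershell
# Added example, not part of the tutorial. Run on the Admin computer as a Domain Administrator.
# Installs the GPMC from RSAT, publishes the downloaded Office and Microsoft Edge ADMX/ADML
# files to the central store, and creates the OfficeandEdge GPO linked to the Admin computer's OU.
# Placeholders (assumptions): the unpacked template folders and the OU path.
$templateRoots = 'C:\Templates\Office', 'C:\Templates\Edge'
$adminOu       = 'OU=Admin Computers,DC=contoso,DC=net'

Add-WindowsCapability -Online -Name 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0' | Out-Null
Import-Module GroupPolicy

# Central store: every GPMC in the domain reads its ADMX files from here, and it replicates
# to all domain controllers. Keep write access limited to Domain Admins and copy only the
# vendor-published files, since a tampered ADMX changes what every admin sees in the editor.
$domain = $env:USERDNSDOMAIN.ToLower()
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
New-Item -ItemType Directory -Path (Join-Path $store 'en-US') -Force | Out-Null

foreach ($root in $templateRoots) {
    Get-ChildItem -Path $root -Recurse -Filter *.admx |
        Copy-Item -Destination $store -Force
    Get-ChildItem -Path $root -Recurse -Filter *.adml |
        Where-Object { $_.Directory.Name -eq 'en-US' } |
        Copy-Item -Destination (Join-Path $store 'en-US') -Force
}

# The GPO that carries the Office and Edge settings, linked to the OU holding the Admin computer.
$gpo = Get-GPO -Name 'OfficeandEdge' -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name 'OfficeandEdge' -Comment 'Office and Microsoft Edge ADMX settings'
}
$linked = (Get-GPInheritance -Target $adminOu).GpoLinks.Where({ $_.DisplayName -eq 'OfficeandEdge' })
if (-not $linked) {
    New-GPLink -Name 'OfficeandEdge' -Target $adminOu -LinkEnabled Yes | Out-Null
}

# One setting compared later in the tutorial, written as the registry value that backs it
# (Computer Configuration > Control Panel > Personalization > Prevent enabling lock screen camera).
Set-GPRegistryValue -Name 'OfficeandEdge' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\Personalization' `
    -ValueName 'NoLockScreenCamera' -Type DWord -Value 1 | Out-Null

# Verify what the central store now offers and what the GPO contains.
"ADMX files in central store: $((Get-ChildItem $store -Filter *.admx).Count)"
Get-GPOReport -Name 'OfficeandEdge' -ReportType Html -Path (Join-Path $env:TEMP 'OfficeandEdge.html')
```

The report written to %TEMP% is the same HTML that GPMC shows on the Settings tab; it is a convenient artifact to keep next to the Intune template you build later, so the two can be compared line by line.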

Open the Endpoint Manager admin center


1. Open a Chromium-based web browser, such as Microsoft Edge version 77 and later.
2. Go to the Microsoft Endpoint Manager admin center. Sign in with the following account:
User : Enter the administrator account of your Microsoft 365 tenant subscription.
Password : Enter its password.
This admin center is focused on device management, and includes Azure services, such as Azure AD and Intune.
You might not see the Azure Active Directory and Intune branding, but you're using them.
You can also open the Endpoint Manager admin center from the Microsoft 365 admin center:
1. Go to https://admin.microsoft.com.
2. Sign in with the administrator account of your Microsoft 365 tenant subscription.
3. Select Show all > All admin centers > Endpoint management . The Endpoint Manager admin center
opens.

Create groups, and add users


On-premises policies are applied in the LSDOU order - local, site, domain, and organizational unit (OU). In this
hierarchy, OU policies overwrite local policies, domain policies overwrite site policies, and so on.
In Intune, policies are applied to users and groups you create. There isn't a hierarchy. For example:
If two policies update the same setting, then the setting shows as a conflict.
If two compliance policies are in conflict, then the most restrictive policy applies.
If two configuration profiles are in conflict, then the setting isn't applied.
For more information, see Common questions, issues, and resolutions with device policies and profiles.
In these next steps, you create security groups, and add users to these groups. You can add a user to multiple
groups. For example, it's normal for a user to have multiple devices, such as a Surface Pro for work, and an
Android mobile device for personal. And, it's normal for a person to access organizational resources from these
multiple devices.
1. In the Endpoint Manager admin center, select Groups > New group .
2. Enter the following settings:
Group type : Select Security .
Group name : Enter All Windows 10 student devices .
Membership type : Select Assigned .
3. Select Members , and add some devices.
Adding devices is optional. The goal is to practice creating groups, and knowing how to add devices. If
you're using this tutorial in a production environment, then be aware of what you're doing.
4. Select Create to save your changes.
Don't see your group? Select Refresh .
5. Select New group , and enter the following settings:
Group type : Select Security .
Group name : Enter All Windows devices .
Membership type : Select Dynamic Device .
Dynamic device members: Select Add dynamic query, and configure your query:
Property: Select deviceOSType.
Operator: Select Equals.
Value: Enter Windows.
a. Select Add expression . Your expression is shown in the Rule syntax :

When users or devices meet the criteria you enter, they're automatically added to the
dynamic groups. In this example, devices are automatically added to this group when the
operating system is Windows. If you're using this tutorial in a production environment, then
be careful. The goal is to practice creating dynamic groups.
b. Save > Create to save your changes.
6. Create the All Teachers group with the following settings:
Group type : Select Security .
Group name : Enter All Teachers .
Membership type : Select Dynamic User .
Dynamic user members: Select Add dynamic query, and configure your query:
Property: Select department.
Operator: Select Equals.
Value: Enter Teachers.
a. Select Add expression . Your expression is shown in the Rule syntax .
When users or devices meet the criteria you enter, they're automatically added to the
dynamic groups. In this example, users are automatically added to this group when
their department is Teachers. You can enter the department and other properties
when users are added to your organization. If you're using this tutorial in a
production environment, then be careful. The goal is to practice creating dynamic
groups.
b. Save > Create to save your changes.
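The three groups from the steps above, created through Microsoft Graph as an added example that is not part of the tutorial. The membership rules are the same strings the portal shows under Rule syntax. It assumes the Microsoft.Graph PowerShell SDK, a caller holding Group.ReadWrite.All, and an Azure AD Premium licence, which dynamic groups require.

```powershell
# Added example, not part of the tutorial. Creates one assigned and two dynamic security
# groups via Microsoft Graph. Assumes the Microsoft.Graph PowerShell SDK, Group.ReadWrite.All,
# and Azure AD Premium (needed for dynamic membership).
Connect-MgGraph -Scopes 'Group.ReadWrite.All' | Out-Null
$groupsUri = 'https://graph.microsoft.com/v1.0/groups'

function New-SecurityGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $MembershipRule          # omit for an assigned group
    )
    $body = @{
        displayName     = $DisplayName
        mailEnabled     = $false
        mailNickname    = ($DisplayName -replace '[^A-Za-z0-9]', '')
        securityEnabled = $true
    }
    if ($MembershipRule) {
        $body.groupTypes                    = @('DynamicMembership')
        $body.membershipRule                = $MembershipRule
        # 'Paused' stores the rule without evaluating it; useful to review a rule in
        # production before it starts moving devices in and out of policy scope.
        $body.membershipRuleProcessingState = 'On'
    }
    Invoke-MgGraphRequest -Method POST -Uri $groupsUri `
        -Body ($body | ConvertTo-Json) -ContentType 'application/json'
}

$students = New-SecurityGroup -DisplayName 'All Windows 10 student devices'
$windows  = New-SecurityGroup -DisplayName 'All Windows devices' `
    -MembershipRule '(device.deviceOSType -eq "Windows")'
$teachers = New-SecurityGroup -DisplayName 'All Teachers' `
    -MembershipRule '(user.department -eq "Teachers")'

# Dynamic membership is evaluated asynchronously; re-run this after a few minutes.
foreach ($g in $windows, $teachers) {
    $page = Invoke-MgGraphRequest -Method GET `
        -Uri "$groupsUri/$($g.id)/members?`$select=id&`$top=999"
    '{0,-32} {1,5} members (first page)' -f $g.displayName, $page.value.Count
}
```

One caveat the tutorial's "be careful" warning is hinting at: a rule on user.department means that whoever can write that attribute (a User Administrator, the HR directory sync) decides who lands in All Teachers and therefore which profiles apply to them. Base rules on attributes that come from an authoritative source, and review who can edit them.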
Talking points
Dynamic groups are a feature in Azure AD Premium. If you don't have Azure AD Premium, then you're
licensed to only create assigned groups. For more information on dynamic groups, see:
Dynamic Group Membership in Azure Active Directory (Part 1)
Dynamic Group Membership in Azure Active Directory (Part 2)
Azure AD Premium includes other services that are commonly used when managing apps and devices,
including multi-factor authentication (MFA) and conditional access.
Many administrators ask when to use user groups and when to use device groups. For some guidance,
see User groups vs. device groups.
Remember, a user can belong to multiple groups. Consider some of the other dynamic user and device
groups you can create, such as:
All Students
All Android devices
All iOS/iPadOS devices
Marketing
Human Resources
All Charlotte employees
All Redmond employees
West coast IT administrators
East coast IT administrators
The users and groups created are also seen in the Microsoft 365 admin center, Azure AD in the Azure portal, and
Microsoft Intune in the Azure portal. You can create and manage groups in all these areas for your tenant
subscription. If your goal is device management, use the Microsoft Endpoint Manager admin center .
Review group membership
1. In the Endpoint Manager admin center, select Users > select the name of any existing user.
2. Review some of the information you can add or change. For example, look at the properties you can
configure, such as Job Title, Department, City, Office location, and more. You can use these properties in
your dynamic queries when creating dynamic groups.
3. Select Groups to see the membership of this user. You can also remove the user from a group.
4. Select some of the other options to see more information, and what you can do. For example, look at the
assigned license, the user's devices, and more.
What did I just do?
In the Endpoint Manager admin center, you created new security groups, and added existing users and devices
to these groups. We'll use these groups in later steps in this tutorial.

Create a template in Intune


In this section, we create an administrative template in Intune, look at some settings in Group Policy
Management , and compare the same setting in Intune. The goal is to show a setting in group policy, and show
the same setting in Intune.
1. In the Endpoint Manager admin center, select Devices > Configuration profiles > Create profile .
2. Enter the following properties:
Platform : Select Windows 10 and later .
Profile : Select Administrative Templates .
3. Select Create .
4. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, enter Admin template - Windows 10 student devices .
Description : Enter a description for the profile. This setting is optional, but recommended.
5. Select Next .
6. In Configuration settings , All settings show an alphabetical list of all the settings. You can also filter
settings that apply to devices (Computer configuration ), and settings that apply to users (User
configuration ):

7. Expand Computer configuration > Microsoft Edge > select SmartScreen settings. Notice the path
to the policy, and all the available settings:

8. In search, enter download . Notice the policy settings are filtered:

Open Group Policy Management


In this section, we show a policy in Intune and its matching policy in Group Policy Management Editor.
Compare a device policy
1. On the Admin computer , open the Group Policy Management app.
This app gets installed with RSAT: Group Policy Management Tools , which is an optional feature you
install on Windows. Prerequisites (in this article) lists the steps to install it.
2. Expand Domains > select your domain. For example, select contoso.net .
3. Right-click the OfficeandEdge policy > Edit . The Group Policy Management Editor app opens.
OfficeandEdge is a group policy that includes the Office and Microsoft Edge ADMX templates. This
policy is described in prerequisites (in this article).
4. Expand Computer configuration > Policies > Administrative Templates > Control Panel >
Personalization . Notice the available settings.

Double-click Prevent enabling lock screen camera , and see the available options:
5. In the Endpoint Manager admin center, go to your Admin template - Windows 10 student devices
template.
6. Select Computer configuration > Control Panel > Personalization . Notice the available settings:

The setting type is Device , and the path is /Control Panel/Personalization . This path is similar to what
you just saw in Group Policy Management Editor. If you open the Prevent enabling lock screen
camera setting, you see the same Not configured , Enabled , and Disabled options you see in Group
Policy Management Editor.
Compare a user policy
1. In your admin template, select Computer configuration > All settings , and search for inprivate
browsing . Notice the path.
Do the same for User configuration . Select All settings , and search for inprivate browsing .
2. In Group Policy Management Editor , find the matching user and device settings:
Device: Expand Computer configuration > Policies > Administrative Templates > Windows
components > Internet Explorer > Privacy > Turn off InPrivate Browsing .
User: Expand User configuration > Policies > Administrative Templates > Windows
components > Internet Explorer > Privacy > Turn off InPrivate Browsing .

TIP
To see the built-in Windows policies, you can also use GPEdit (Edit group policy app).

Compare a Microsoft Edge policy
1. In the Endpoint Manager admin center, go to your Admin template - Windows 10 student devices template.
2. Expand Computer configuration > Microsoft Edge > Startup, homepage and new tab page. Notice the available settings.
Do the same for User configuration.
3. In Group Policy Management Editor, find these settings:
Device: Expand Computer configuration > Policies > Administrative Templates > Microsoft Edge > Startup, homepage and new tab page.
User: Expand User configuration > Policies > Administrative Templates > Microsoft Edge > Startup, homepage and new tab page.
What did I just do?
You created an administrative template in Intune. In this template, we looked at some ADMX settings, and looked
at the same ADMX settings in Group Policy Management.

Add settings to the Students admin template


In this template, we configure some Internet Explorer settings to lock down devices shared by multiple students.
1. In your Admin template - Windows 10 student devices , expand Computer configuration , select
All settings , and search for Turn off InPrivate Browsing :
2. Select the Turn off InPrivate Browsing setting. In this window, notice the description and values you
can set. These options are similar to what you see in group policy.
3. Select Enabled > OK to save your changes.
4. Also configure the following Internet Explorer settings. Be sure to select OK to save your changes.
Allow drag and drop or copy and paste files
Type : Device
Path : \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet
Zone
Value : Disabled
Prevent ignoring certificate errors
Type : Device
Path : \Windows Components\Internet Explorer\Internet Control Panel
Value : Enabled
Disable changing home page settings
Type : User
Path : \Windows Components\Internet Explorer
Value : Enabled
Home page : Enter a URL, such as contoso.com .
5. Clear your search filter. Notice the settings you configured are listed at the top:

Assign your template


1. In your template, select Next until you get to Assignments . Choose Select groups to include :
2. A list of existing users and groups is shown. Select the All Windows 10 student devices group you
created earlier > Select .
If you're using this tutorial in a production environment, then consider adding groups that are empty. The
goal is to practice assigning your template.
3. Select Next . In Review + create , select Create to save your changes.
As soon as the profile is saved, it applies to the devices when they check in with Intune. If the devices are
connected to the internet, it can happen immediately. For more information on policy refresh times, see How
long does it take for devices to get a policy, profile, or app.
When assigning strict or restrictive policies and profiles, don't lock yourself out. Consider creating a group that's
excluded from your policies and profiles. The idea is to have access to troubleshoot. Monitor this group to
confirm it's being used as intended.
What did I just do?
In the Endpoint Manager admin center, you created an administrative template device configuration profile, and
assigned this profile to a group you created.

Create a OneDrive template


In this section, you create a OneDrive admin template in Intune to control some settings. These specific settings
are chosen because they're commonly used by organizations.
1. Create another profile (Devices > Configuration profiles > Create profile ).
2. Enter the following properties:
Platform : Select Windows 10 and later .
Profile : Select Administrative templates .
3. Select Create .
4. In Basics , enter the following properties:
Name : Enter Admin template - OneDrive policies that apply to all Windows 10 users .
Description : Enter a description for the profile. This setting is optional, but recommended.
5. Select Next .
6. In Configuration settings , configure the following settings. Be sure to select OK to save your changes:
Computer configuration :
Silently sign in users to the OneDrive sync client with their Windows credentials
Type : Device
Value : Enabled
Use OneDrive Files On-Demand
Type : Device
Value : Enabled
User configuration :
Prevent users from syncing personal OneDrive accounts
Type : User
Value : Enabled
Your settings look similar to the following settings:

For more information on OneDrive client settings, see Use Group Policy to control OneDrive sync client settings.
Assign your template
1. In your template, select Next until you get to Assignments . Choose Select groups to include :
2. A list of existing users and groups is shown. Select the All Windows devices group you created earlier
> Select .
If you're using this tutorial in a production environment, then consider adding groups that are empty. The
goal is to practice assigning your template.
3. Select Next . In Review + create , select Create to save your changes.
At this point, you created some administrative templates, and assigned them to groups you created. The next
step is to create an administrative template using Windows PowerShell and the Microsoft Graph API for Intune.

Optional: Create a policy using PowerShell and Graph API


This section uses the following resources, which the steps below install:
Intune PowerShell SDK
Microsoft Graph API for Intune
1. On the Admin computer , open Windows PowerShell as administrator:
a. In your search bar, enter powershell .
b. Right-click Windows PowerShell > Run as administrator .
2. Get and set the execution policy.
a. Enter: Get-ExecutionPolicy
Write down what it's set to, which may be Restricted. When finished with the tutorial, set it back to its original value.
b. Enter: Set-ExecutionPolicy -ExecutionPolicy Unrestricted
c. Enter Y to change it.
PowerShell's execution policy helps prevent executing malicious scripts. For more information, see About Execution Policies.
3. Enter: Install-Module -Name Microsoft.Graph.Intune
Enter Y if:
Asked to install the NuGet provider
Asked to install the modules from an untrusted repo
It can take several minutes to complete. When finished, a prompt similar to the following is shown:
4. In your web browser, go to https://github.com/Microsoft/Intune-PowerShell-SDK/releases, and select the Intune-PowerShell-SDK_v6.1907.00921.0001.zip file.
a. Select Save as, and select a folder you'll remember. c:\psscripts is a good choice.
b. Open your folder, right-click the .zip file > Extract all > Extract. Your folder structure looks similar to the following folder:

5. On the View tab, check File name extensions :


6. In your folder, go to c:\psscripts\Intune-PowerShell-SDK_v6.1907.00921.0001\drop\outputs\build\Release\net471. Right-click every .dll > Properties > Unblock.

7. In your Windows PowerShell app, enter:
Import-Module c:\psscripts\Intune-PowerShell-SDK_v6.1907.00921.0001\drop\outputs\build\Release\net471\Microsoft.Graph.Intune.psd1
Enter R if prompted to run from the untrusted publisher.
8. Intune administrative templates use the beta version of Graph:
a. Enter: Update-MSGraphEnvironment -SchemaVersion 'beta'

b. Enter: Connect-MSGraph -AdminConsent

c. When prompted, sign in with the same Microsoft 365 administrator account. These cmdlets create
the policy in your tenant organization.
User : Enter the administrator account of your Microsoft 365 tenant subscription.
Password : Enter its password.
d. Select Accept .
9. Create the Test Configuration configuration profile. Enter:
$configuration = Invoke-MSGraphRequest -Url https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations -Content '{"displayName":"Test Configuration","description":"A test configuration created through PS"}' -HttpMethod POST
When these cmdlets succeed, the profile is created. To confirm, go to the Endpoint Manager admin center > Configuration Profiles. Your Test Configuration profile should be listed.
10. Get all the SettingDefinitions. Enter:
$settingDefinitions = Invoke-MSGraphRequest -Url https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions -HttpMethod GET
11. Find the definition ID using the setting display name. Enter:
$desiredSettingDefinition = $settingDefinitions.value | ? {$_.DisplayName -Match "Silently sign in users to the OneDrive sync client with their Windows credentials"}
12. Configure a setting. Enter:
$configuredSetting = Invoke-MSGraphRequest -Url "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$($configuration.id)')/definitionValues" -Content ("{""enabled"":""true"",""configurationType"":""policy"",""definition@odata.bind"":""https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('$($desiredSettingDefinition.id)')""}") -HttpMethod POST
Invoke-MSGraphRequest -Url "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$($configuration.id)')/definitionValues('$($configuredSetting.id)')" -Content ("{""enabled"":""false""}") -HttpMethod PATCH
$configuredSetting = Invoke-MSGraphRequest -Url "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$($configuration.id)')/definitionValues('$($configuredSetting.id)')" -HttpMethod GET
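The Graph calls in steps 9 to 12, as an added PowerShell example that is not from this article or the Intune PowerShell SDK: it pages the definition list, requires the display-name lookup to match exactly one definition of the intended class (many ADMX settings exist once for Computer configuration and once for User configuration, so the -Match filter above can return two objects and an ID that is an array), and reads the configured values back so you can verify what the profile actually contains. It assumes Microsoft.Graph.Intune is imported and Connect-MSGraph has succeeded, and that the classType values machine and user and the $expand=definition query are as in the beta schema.

```powershell
# Added example, not code from the Microsoft docs page or the Intune SDK.
# Assumes Microsoft.Graph.Intune is imported and Connect-MSGraph succeeded.
$GraphBase = 'https://graph.microsoft.com/beta/deviceManagement'

function Get-AllGraphValues {
    # Follow @odata.nextLink until every page of a collection has been read;
    # a single GET returns only the first page of groupPolicyDefinitions.
    param([Parameter(Mandatory)][string]$Url)
    $items = @()
    while ($Url) {
        $page = Invoke-MSGraphRequest -Url $Url -HttpMethod GET
        $items += $page.value
        $Url = $page.'@odata.nextLink'
    }
    return $items
}

function New-AdminTemplateProfile {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$Description = ''
    )
    # ConvertTo-Json builds the body, so quoting in the name or description is safe.
    $body = @{ displayName = $DisplayName; description = $Description } | ConvertTo-Json -Compress
    return Invoke-MSGraphRequest -Url "$GraphBase/groupPolicyConfigurations" -HttpMethod POST -Content $body
}

function Get-AdminTemplateDefinition {
    # classType values 'machine' and 'user' are assumed from the beta schema;
    # they correspond to Computer configuration and User configuration.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateSet('machine', 'user')][string]$ClassType
    )
    # Exact match on name and class instead of -Match, then insist on one hit.
    $hits = @(Get-AllGraphValues -Url "$GraphBase/groupPolicyDefinitions" |
        Where-Object { $_.displayName -eq $DisplayName -and $_.classType -eq $ClassType })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one '$ClassType' definition named '$DisplayName', found $($hits.Count)."
    }
    return $hits[0]
}

function Set-AdminTemplateSetting {
    # Create a definitionValue on the profile that enables or disables one setting.
    param(
        [Parameter(Mandatory)]$Configuration,
        [Parameter(Mandatory)]$Definition,
        [bool]$Enabled = $true
    )
    $body = @{
        enabled                 = $Enabled
        configurationType       = 'policy'
        'definition@odata.bind' = "$GraphBase/groupPolicyDefinitions('$($Definition.id)')"
    } | ConvertTo-Json -Compress
    $url = "$GraphBase/groupPolicyConfigurations('$($Configuration.id)')/definitionValues"
    return Invoke-MSGraphRequest -Url $url -HttpMethod POST -Content $body
}

function Get-AdminTemplateValues {
    # Read back what is configured on the profile, with each definition expanded
    # ($expand assumed supported), so the result can be compared with the intent.
    param([Parameter(Mandatory)]$Configuration)
    $url = "$GraphBase/groupPolicyConfigurations('$($Configuration.id)')/definitionValues?`$expand=definition"
    return Get-AllGraphValues -Url $url
}

# Usage: the OneDrive device setting from step 11 plus the user-scoped
# InPrivate Browsing setting from the Students template (both named in this article).
Update-MSGraphEnvironment -SchemaVersion 'beta'
$config = New-AdminTemplateProfile -DisplayName 'Test Configuration' `
    -Description 'A test configuration created through PS'
$oneDrive = Get-AdminTemplateDefinition -ClassType machine `
    -DisplayName 'Silently sign in users to the OneDrive sync client with their Windows credentials'
$inPrivate = Get-AdminTemplateDefinition -ClassType user -DisplayName 'Turn off InPrivate Browsing'
Set-AdminTemplateSetting -Configuration $config -Definition $oneDrive -Enabled $true | Out-Null
Set-AdminTemplateSetting -Configuration $config -Definition $inPrivate -Enabled $true | Out-Null
Get-AdminTemplateValues -Configuration $config |
    Select-Object @{ n = 'Setting'; e = { $_.definition.displayName } },
                  @{ n = 'Scope';   e = { $_.definition.classType } },
                  enabled
```

The final table should show both settings with enabled set to True; a thrown "Expected exactly one" error means the name matched zero or several definitions and nothing was written for that setting.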

See your policy


1. In the Endpoint Manager admin center > Configuration Profiles > Refresh .
2. Select your Test Configuration profile > Settings .
3. In the drop-down list, select All products .
You see the Silently sign in users to the OneDrive sync client with their Windows credentials setting
is configured.

Policy best practices


When creating policies and profiles in Intune, there are some recommendations and best practices to consider.
For more information, see policy and profile best practices.

Clean up resources
When no longer needed, you can:
Delete the groups you created:
All Windows 10 student devices
All Windows devices
All Teachers
Delete the admin templates you created:
Admin template - Windows 10 student devices
Admin template - OneDrive policies that apply to all Windows 10 users
Test Configuration
Set the Windows PowerShell execution policy back to its original value. The following example sets the
execution policy to Restricted:

Set-ExecutionPolicy -ExecutionPolicy Restricted

Next steps
In this tutorial, you got more familiar with the Microsoft Endpoint Manager admin center, used the query builder
to create dynamic groups, and created administrative templates in Intune to configure ADMX settings. You also
compared using ADMX templates on-premises and in the cloud with Intune. As a bonus, you used PowerShell
cmdlets to create an administrative template.
For more information on administrative templates in Intune, see:
Use Windows 10 templates to configure group policy settings in Intune
Create a device profile in Microsoft Intune
3/5/2021 • 7 minutes to read

Device profiles allow you to add and configure settings, and then push these settings to devices in your
organization. You have some options when creating policies:
Administrative templates : On Windows 10 and newer devices, these templates are ADMX settings that
you configure. If you're familiar with ADMX policies or group policy objects (GPO), then using
administrative templates is a natural step to Microsoft Intune and Endpoint Manager.
For more information, see Administrative Templates
Baselines : On Windows 10 and newer devices, these baselines include preconfigured security settings. If
you want to create security policy using recommendations by Microsoft security teams, then security
baselines are for you.
For more information, see Security baselines.
Settings catalog : On Windows 10 and newer devices, use the settings catalog to see all the available
settings, and in one location. For example, you can see all the settings that apply to BitLocker, and create a
policy that just focuses on BitLocker. On macOS devices, use the settings catalog to configure Microsoft
Edge version 77 and newer settings.
For more information, see Settings catalog.
On macOS, continue using the preference file to:
Configure earlier versions of Microsoft Edge
Configure Edge browser settings that aren't in settings catalog
Templates : On Android, iOS/iPadOS, macOS, and Windows devices, the templates include a logical
grouping of settings that configure a feature or concept, such as VPN, email, kiosk devices, and more. If
you're familiar with creating device configuration policies in Microsoft Intune, then you're already using
these templates.
For more information, including the available templates, see Apply features and settings on your devices
using device profiles.
This article:
Lists the steps to create a profile.
Shows you how to add a scope tag to "filter" your policies.
Describes applicability rules on Windows 10 devices, and shows you how to create a rule.
Lists the check-in refresh cycle times when devices receive profiles and any profile updates.

Create the profile


Profiles are created in the Microsoft Endpoint Manager admin center. In this admin center, select Devices . You
have the following options:
Overview: Lists the status of your profiles, and provides more details on the profiles you assigned to users and devices.
Monitor : Check the status of your profiles for success or failure, and also view logs on your profiles.
By platform : Create and view policies and profiles by your platform. This view may also show features
specific to the platform. For example, select Windows . You'll see Windows-specific features, such as
Windows 10 Update Rings and PowerShell scripts .
Policy : Create device profiles, upload custom PowerShell scripts to run on devices, and add data plans to
devices using eSIM.
When you create a profile (Configuration profiles > Create profile ), choose your platform:
Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 10 and later
Windows 8.1 and later
Then, choose the profile. Depending on the platform you choose, the settings you can configure are different.
The following articles describe the different profiles:
Administrative templates (Windows)
Custom
Delivery Optimization (Windows)
Derived credential (Android Enterprise, iOS, iPadOS)
Device features (macOS, iOS, iPadOS)
Device firmware (Windows)
Device restrictions
Domain join (Windows)
Edition upgrade and mode switch (Windows)
Education (iOS, iPadOS)
Email
Endpoint protection (macOS, Windows)
Extensions (macOS)
Identity protection (Windows)
Kiosk
Microsoft Defender for Endpoint (Windows)
Mobility Extensions (MX) profile (Android device administrator)
Network boundary (Windows)
OEMConfig (Android Enterprise)
PKCS certificate
PKCS imported certificate
Preference file (macOS)
SCEP certificate
Secure assessment (Education) (Windows)
Shared multi-user device (Windows)
Telecom expenses (Android device administrator, iOS, iPadOS)
Trusted certificate
VPN
Wi-Fi
Windows health monitoring
Wired networks (macOS)
For example, if you select iOS/iPadOS for the platform, your options look similar to the following profile:

If you select Windows 10 and later for the platform, your options look similar to the following profile:
Scope tags
After you add the settings, you can also add a scope tag to the profile. Scope tags filter profiles to specific IT
groups, such as US-NC IT Team or JohnGlenn_ITDepartment . And, are used in distributed IT.
For more information about scope tags, and what you can do, see Use RBAC and scope tags for distributed IT.

Applicability rules
Applies to:
Windows 10 and later
Applicability rules allow administrators to target devices in a group that meet specific criteria. For example, you
create a device restrictions profile that applies to the All Windows 10 devices group. And, you only want the
profile assigned to devices running Windows 10 Enterprise.
To do this task, create an applicability rule . These rules are great for the following scenarios:
You use Windows 10 Education (EDU). At Bellows College, you want to target all Windows 10 EDU devices
between RS3 and RS4.
You want to target all users in Human Resources at Contoso, but only want Windows 10 Professional or
Enterprise devices.
To approach these scenarios, you:
Create a devices group that includes all devices at Bellows College. In the profile, add an applicability rule
so it applies if the OS minimum version is 16299 and the maximum version is 17134 . Assign this profile
to the Bellows College devices group.
When it's assigned, the profile applies to devices between the minimum and maximum versions you
enter. For devices that aren't between the minimum and maximum versions you enter, their status shows
as Not applicable .
Create a users group that includes all users in Human Resources (HR) at Contoso. In the profile, add an
applicability rule so it applies to devices running Windows 10 Professional or Enterprise. Assign this
profile to the HR users group.
When it's assigned, the profile applies to devices running Windows 10 Professional or Enterprise. For
devices that aren't running these editions, their status shows as Not applicable .
If there are two profiles with the exact same settings, then the profile without an applicability rule is
applied.
For example, ProfileA targets the Windows 10 devices group, enables BitLocker, and doesn't have an
applicability rule. ProfileB targets the same Windows 10 devices group, enables BitLocker, and has an
applicability rule to only apply the profile to Windows 10 Enterprise.
When both profiles are assigned, ProfileA is applied because it doesn't have an applicability rule.
When you assign the profile to the groups, the applicability rules act as a filter, and only target the devices that
meet your criteria.
Add a rule
1. Select Applicability Rules. You can choose the Rule, and Property:
2. In Rule, choose if you want to include or exclude users or groups. Your options:
Assign profile if: Includes users or groups that meet the criteria you enter.
Don't assign profile if: Excludes users or groups that meet the criteria you enter.
3. In Property, choose your filter. Your options:
OS edition: In the list, check the Windows 10 editions you want to include (or exclude) in your rule.
OS version: Enter the min and max Windows 10 version numbers you want to include (or exclude) in your rule. Both values are required.
For example, you can enter 10.0.16299.0 (RS3 or 1709) for minimum version and 10.0.17134.0 (RS4 or 1803) for maximum version. Or, you can be more granular and enter 10.0.16299.001 for minimum version and 10.0.17134.319 for maximum version.
For more version numbers, see Windows 10 release information.
4. Select Add to save your changes.

Refresh cycle times


Intune uses different refresh cycles to check for updates to configuration profiles. If the device recently enrolled,
the check-in runs more frequently. Policy and profile refresh cycles lists the estimated refresh times.
At any time, users can open the Company Portal app, and sync the device to immediately check for profile
updates.

Recommendations
When creating profiles, consider the following recommendations:
Name your policies so you know what they are, and what they do. All compliance policies and
configuration profiles have an optional Description property. In Description , be specific and include
information so others know what the policy does.
Some configuration profile examples include:
Profile name : Admin template - OneDrive configuration profile for all Windows 10 users
Profile description : OneDrive admin template profile that includes the minimum and base settings for
all Windows 10 users. Created by user@contoso.com to prevent users from sharing organizational data
to personal OneDrive accounts.
Profile name : VPN profile for all iOS/iPadOS users
Profile description : VPN profile that includes the minimum and base settings for all iOS/iPadOS users
to connect to Contoso VPN. Created by user@contoso.com so users automatically authenticate to VPN,
instead of prompting users for their username and password.
Create your profile by its task, such as configure Microsoft Edge settings, enable Microsoft Defender anti-
virus settings, block iOS/iPadOS jailbroken devices, and so on.
Create profiles that apply to specific groups, such as Marketing, Sales, IT Administrators, or by location or
school system.
Separate user policies from device policies.
For example, Administrative Templates in Intune have thousands of ADMX settings. These templates show
if a setting applies to users or devices. When creating admin templates, assign your users settings to a
users group, and assign your device settings to a devices group.
The following image shows an example of a setting that can apply to users, apply to devices, or apply to
both:

Every time you create a restrictive policy, communicate this change to your users. For example, if you're changing the passcode requirement from four (4) characters to six (6) characters, let your users know before you assign the policy.

Next steps
Assign the profile and monitor its status.
Use the settings catalog to configure settings on Windows and macOS devices - preview
5/24/2021 • 6 minutes to read

Settings catalog lists all the settings you can configure, and all in one place. This feature simplifies how you
create a policy, and how you see all the available settings. More settings are continually being added.
When you create the policy, you start from scratch. You add only the settings you want to control and manage.
For example, you can use the settings catalog to create a BitLocker policy with all BitLocker settings, and all in
one place in Intune.
Use the settings catalog as part of your mobile device management (MDM) solution to manage and secure
devices in your organization.
This feature applies to:
macOS
Configure Microsoft Edge version 77 and newer. Previously, you had to use a property list (plist) file
(opens another Microsoft website). For a list of the settings you can configure, see Microsoft Edge -
Policies (opens another Microsoft website). Be sure macOS is listed as a supported platform. If some
settings aren't available in the settings catalog, then it's recommended to continue using the preference
file.
Windows 10 and newer
There are thousands of settings to choose, including settings that haven't been available before. These
settings are directly generated from the Windows configuration service providers (CSPs). You can also
configure Administrative Templates, and have more Administrative Template settings available. As
Windows adds or exposes more settings to MDM providers, these settings are added quicker to Microsoft
Intune for you to configure.

TIP
To see the Microsoft Edge policies you have configured, open Microsoft Edge, and go to edge://policy .

This article lists the steps to create a policy, and shows how to search and filter the settings in Intune. When you
create the policy, it creates a device configuration profile. You can then assign or deploy this profile to devices in
your organization.

Create the policy


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select macOS , or select Windows 10 and later .
Profile : Select Settings catalog (preview) .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, a good profile name is macOS: MSFT Edge v77 settings or Win10: BitLocker
settings for all Win10 devices .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , select Add settings . In the settings picker, select a category to see all the
available settings.
For example, choose Windows 10 and later , then select Authentication to see all the settings in this
category:

For example, choose macOS . The Microsoft Edge - All category lists all the settings you can configure,
including any new settings. The other categories include settings that are obsolete, or settings that apply
to older versions:
TIP
On macOS, the categories are temporarily removed. To find a specific setting, use the Microsoft Edge -
All category, or search for the setting name. For a list of the setting names, go to Microsoft Edge - Policies.
Use the Learn more link in the tooltip to see if a setting is obsolete, and to see the supported versions.

8. Select any setting you want to configure. Or, choose Select all these settings :

After you add your settings, close the settings picker. All the settings are shown, and configured with a default value, such as Block or Allow. These default values are the same as the default values in the OS. If you don't want to configure a setting, then select the minus:

When you select the minus:


Intune doesn't change or update this setting. The minus is the same as Not configured . When set to
Not configured , the setting is no longer managed.
The setting is removed from the policy. The next time you open your policy, the setting isn't shown.
You can add it again.
The next time devices check in, the setting is no longer locked. It can be changed by another policy or
by the device user.

TIP
In the Windows setting tooltips, Learn more links to the CSP.

9. Select Next .
10. In Assignments , select the users or groups that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
12. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
The next time the device checks for configuration updates, the settings you configured are applied.

Find some settings


There are thousands of settings available in the settings catalog. To make it easier to find specific settings, use
the built-in features:
In your policy, use Add settings > Search to find specific settings. You can search by category, such as
browser , search for a keyword, such as office , and search for specific settings.

For example, search for internet explorer . All the settings with internet explorer are shown. Select a
category to see the available settings:
In your policy, use Add settings > Add filter . Select the key, operator, and value. In value , you can filter
to only show the settings that apply to Holographic for Business, Windows Enterprise, and other editions:

Reporting and conflicts


You create the policy, and assign it to your groups. In the Endpoint Manager admin center, you can check the
status of your policy. The data refreshes automatically, and operates in near real time.
1. In the Endpoint Manager admin center, select Devices > Device configuration profiles . In the list,
select the policy you created using the Settings Catalog. The Profile type column shows Settings
Catalog :
2. When you select the policy, the device status shows. It shows a summary of your policy state and the
policy properties. You can also change or update your policy in the Configuration settings section:

3. Select View report. The report shows detailed information, including the device name, the policy status, and more. You can also filter on the deployment status, and Export the report to a .csv file:
4. You can also look at the states of each setting using the per-setting status . This status shows the total
number of devices affected by each setting in the policy.
You can:
See the number of devices with the setting successfully applied, in conflict, or in error.
Select the number of devices in compliance, conflict, or error. And, see a list of users or devices in that
state.
Search, sort, filter, export, and go to the next and previous pages.
5. In the admin center, select Devices > Monitor > Assignment failures. If your Settings Catalog policy failed to deploy because of an error or conflict, it will show in this list. You can also Export to a .csv file.
6. Select the policy to see the devices. Then, select a specific device to see the setting that failed, and a
possible error code.

TIP
Intune reports is a great resource, and describes all the reporting features you can use.

Conflicts
Conflicts happen when the same setting is updated to different values. Conflicts can also happen with policies
configured using the settings catalog. For more information on conflict resolution, see:
Monitor device profiles
Common questions and answers with device policies

Settings catalog vs. templates


When you create the policy, you have two policy types: Settings catalog and Templates :

The Templates include a logical group of settings, such as device restrictions, kiosk, and more. Use this option if
you want to use these groupings to configure your settings.
For Windows, the Settings catalog lists all the available settings. If you want to see all the available Firewall
settings, or all the available BitLocker settings, then use this option. Also, use this option if you're looking for
specific settings.

Next steps
Be sure to assign the profile, and monitor its status.
For more information on device configuration policies, see Device configuration overview and Create a
device profile.
For information on all the reporting data you can view, go to Intune reports.
Create a profile with custom settings in Intune
3/5/2021 • 2 minutes to read

Microsoft Intune includes many built-in settings to control different features on a device. You can also create
custom profiles, which are created similar to built-in profiles. Custom profiles are great when you want to use
device settings and features that aren't built in to Intune. These profiles include features and settings for you to
control on devices in your organization. For example, you can create a custom profile that sets the same feature
for every iOS/iPadOS device.
This feature applies to:
Android device administrator
Android Enterprise personally-owned devices with a work profile
iOS/iPadOS
macOS
Windows 10 and newer
Custom settings are configured differently for each platform. For example, to control features on Android and
Windows devices, you can enter Open Mobile Alliance Uniform Resource Identifier (OMA-URI) values. For Apple
devices, you can import a file you created with the Apple Configurator or Apple Profile Manager.
For more information on configuration profiles, see What are Microsoft Intune device profiles?.
This article shows you how to create a custom profile for Android device administrator, Android Enterprise,
iOS/iPadOS, macOS, and Windows. You can also see all the available settings for the different platforms.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Choose the platform of your devices. Your options:
Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 10 and later
Profile : Select Custom . Or, select Templates > Custom .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the policy. Name your policies so you can easily identify them
later. For example, a good policy name is Windows 10: Custom profile that enables
AllowVPNOverCellular custom OMA-URI .
Description : Enter a description for the policy. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , depending on the platform you chose, the settings you can configure are
different. Choose your platform for detailed settings:
Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 10
Windows Holographic for Business
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or groups that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.

Example
In the following example, the Connectivity/AllowVPNOverCellular policy is enabled. The OMA-URI is
./Vendor/MSFT/Policy/Config/Connectivity/AllowVPNOverCellular , the data type is Integer, and the value is 1 . This
setting allows a Windows 10 device to open a VPN connection when on a cellular network.

Next steps
The profile is created, but it may not be doing anything yet. Next, assign the profile and monitor its status.
Use WDAC and Windows PowerShell to allow or block apps on HoloLens 2 devices with Microsoft Intune
3/5/2021

Microsoft HoloLens 2 devices support the Windows Defender Application Control (WDAC) CSP, which replaces
the AppLocker CSP.
Using Windows PowerShell and Microsoft Intune, you can use the WDAC CSP to allow or block specific apps
from opening on Microsoft HoloLens 2 devices. For example, you may want to allow or prevent the Cortana app
from opening on HoloLens 2 devices in your organization.
This feature applies to:
HoloLens 2 devices running Windows Holographic for Business
The WDAC CSP is based on the Windows Defender Application Control (WDAC) feature. You can also use
multiple WDAC policies.
This article shows you how to:
1. Use Windows PowerShell to create WDAC policies.
2. Use Windows PowerShell to convert the WDAC policy rules to XML, update the XML, and then convert the
XML to a binary file.
3. In Microsoft Intune, create a custom device configuration profile, add this WDAC policy binary file, and apply
the policy to your HoloLens 2 devices.
In Intune, you must create a custom configuration profile to use the Windows Defender Application Control
(WDAC) CSP.
Use the steps in this article as a template to allow or deny specific apps from opening on HoloLens 2 devices.

Prerequisites
Be familiar with Windows PowerShell.
Sign in to Intune as a member of:
Policy and Profile Manager or Intune Role Administrator Intune role
OR
Global Administrator or Intune Service Administrator Azure AD role
Role-based access control (RBAC) with Intune has more information.
Create a user group or device group that contains your HoloLens 2 devices. For more information, see User
groups vs. device groups.

Example
This example uses Windows PowerShell to create a Windows Defender Application Control (WDAC) policy. The
policy prevents specific apps from opening. Then, use Intune to deploy the policy to HoloLens 2 devices.
1. On your desktop computer, open the Windows PowerShell app.
2. On your desktop computer, get the package information for an app that is also installed on the HoloLens:

$package1 = Get-AppxPackage -name *<applicationname>*

For example, enter:

$package1 = Get-AppxPackage -name Microsoft.MicrosoftEdge

Next, confirm the package has application attributes:

$package1

You'll see attributes similar to the following app details:

Name : Microsoft.MicrosoftEdge
Publisher : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture : Neutral
ResourceId :
Version : 44.20190.1000.0
PackageFullName : Microsoft.MicrosoftEdge_44.20190.1000.0_neutral__8wekyb3d8bbwe
InstallLocation : C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
IsFramework : False
PackageFamilyName : Microsoft.MicrosoftEdge_8wekyb3d8bbwe
PublisherId : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle : False
IsDevelopmentMode : False
NonRemovable : True
IsPartiallyStaged : False
SignatureKind : System
Status : Ok

3. Create a DENY file rule for the app package. These rules become the WDAC policy in step 5:

$rule = New-CIPolicyRule -Package $package1 -Deny

4. Repeat steps 2 and 3 for any other applications you want to DENY, adding each rule to $rule :

$rule += New-CIPolicyRule -Package $package<2..n> -Deny

For example, enter:

$package2 = Get-AppxPackage -name *windowsstore*
$rule += New-CIPolicyRule -Package $package2 -Deny

5. Convert the WDAC policy rules to newPolicy.xml :

New-CIPolicy -Rules $rule -FilePath .\newPolicy.xml -UserPEs

NOTE
You can also block apps that are installed only on HoloLens devices, and not on your desktop computer. For the
package family names to use, see package family names for apps on HoloLens.

To target all versions of an app, in newPolicy.xml, be sure PackageVersion="65535.65535.65535.65535" is in the
Deny node:

<Deny ID="ID_DENY_D_1" FriendlyName="Microsoft.WindowsStore_8wekyb3d8bbwe FileRule" PackageFamilyName="Microsoft.WindowsStore_8wekyb3d8bbwe" PackageVersion="65535.65535.65535.65535" />

For PackageFamilyName rules, the PackageVersion sets the direction of the version match:

Allow : Enter PackageVersion 0.0.0.0 , which means "Allow this version and above".
Deny : Enter PackageVersion 65535.65535.65535.65535 , which means "Deny this version and below".
6. Merge newPolicy.xml with a default policy that's on your desktop computer. This step creates
mergedPolicy.xml . For example, the DefaultWindows_Audit.xml base policy allows Windows components, WHQL
signed drivers, and Store signed apps to run:

Merge-CIPolicy -PolicyPaths .\newPolicy.xml,C:\Windows\Schemas\codeintegrity\examplepolicies\DefaultWindows_Audit.xml -OutputFilePath .\mergedPolicy.xml

7. Disable the Audit Mode rule in mergedPolicy.xml . The DefaultWindows_Audit.xml base policy has audit mode
turned on, so the merged policy inherits it. In audit mode, the device only logs the apps the policy would block; it
doesn't stop them from opening. Delete option 3 (Enabled:Audit Mode) so the deny rules are enforced:

Set-RuleOption -FilePath .\mergedPolicy.xml -Option 3 -Delete

8. Enable the Invalidate EAs on Reboot rule (option 15) in mergedPolicy.xml . With this option, the device discards
the file validation results it cached in extended attributes, so files are re-evaluated against the new policy after
the reboot:

Set-RuleOption -FilePath .\mergedPolicy.xml -Option 15

For more information on these rules, see Understand WDAC policy rules and file rules.
9. Convert mergedPolicy.xml to binary format. This step creates compiledPolicy.bin . You'll add this
compiledPolicy.bin binary file to Intune.

ConvertFrom-CIPolicy .\mergedPolicy.xml .\compiledPolicy.bin

10. Create the custom device configuration profile in Intune:

a. In the Microsoft Endpoint Manager admin center, create a Windows 10 custom device configuration
profile. For the specific steps, see Create a custom profile using OMA-URI in Intune.
b. When you create the profile, enter the following settings:
OMA-URI : Enter ./Vendor/MSFT/ApplicationControl/Policies/<PolicyGUID>/Policy . Replace
<PolicyGUID> with the value of the PolicyTypeID node in the mergedPolicy.xml file you created in
step 6. In the XML, the GUID is wrapped in braces; leave the braces out of the OMA-URI. Using our
example, enter ./Vendor/MSFT/ApplicationControl/Policies/A244370E-44C9-4C06-B551-F6016E563076/Policy .
The OMA-URI uses the ApplicationControl CSP. For more information on the nodes in this CSP, go
to ApplicationControl CSP.
Data type : Set to Base64 file . Intune automatically converts the file from bin to base64.
Certificate file : Upload the compiledPolicy.bin binary file (created in step 9).
11. When the profile is assigned to your HoloLens 2 group, check the profile status. After the profile
successfully applies, reboot the HoloLens 2 devices.
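Before uploading compiledPolicy.bin, it is worth checking the merged XML for the mistakes that silently turn this
procedure into a no-op: audit mode left on (the denies are only logged), option 15 missing, a deny rule that covers one
version instead of all, or a GUID copied into the OMA-URI with its braces. The following Python script is an added
example, not part of this article or of the ConfigCI PowerShell module. The sample XML is a constructed, stripped-down
SiPolicy document standing in for mergedPolicy.xml after steps 6 to 8; the function names check_policy,
policy_guid, oma_uri_for_policy and base64_policy_value are this example's own.

```python
"""Pre-flight checks on a merged WDAC policy before it goes into an Intune custom profile.
Added example; not part of the article or of the ConfigCI PowerShell module."""
import base64
import re
import xml.etree.ElementTree as ET

SIPOLICY_NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
AUDIT_MODE = "Enabled:Audit Mode"                    # Set-RuleOption option 3
INVALIDATE_EAS = "Enabled:Invalidate EAs on Reboot"  # Set-RuleOption option 15
DENY_ALL_VERSIONS = "65535.65535.65535.65535"        # "this version and below" for a Deny rule
GUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.IGNORECASE)

# Constructed, stripped-down stand-in for mergedPolicy.xml (not a real merged policy).
SAMPLE_MERGED_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Invalidate EAs on Reboot</Option></Rule>
  </Rules>
  <FileRules>
    <Deny ID="ID_DENY_D_1" FriendlyName="Microsoft.WindowsStore_8wekyb3d8bbwe FileRule"
          PackageFamilyName="Microsoft.WindowsStore_8wekyb3d8bbwe"
          PackageVersion="65535.65535.65535.65535" />
  </FileRules>
</SiPolicy>
"""


def policy_options(root):
    """Set of policy rule options (the names that Set-RuleOption toggles by number)."""
    return {o.text.strip() for o in root.iterfind("si:Rules/si:Rule/si:Option", SIPOLICY_NS) if o.text}


def policy_guid(xml_text):
    """PolicyTypeID without the braces the XML wraps around it; the OMA-URI wants the bare GUID."""
    root = ET.fromstring(xml_text)
    node = root.find("si:PolicyTypeID", SIPOLICY_NS)
    if node is None or not node.text:
        raise ValueError("policy has no PolicyTypeID node")
    guid = node.text.strip().strip("{}")
    if not GUID_RE.match(guid):
        raise ValueError(f"PolicyTypeID is not a GUID: {node.text!r}")
    return guid.upper()


def oma_uri_for_policy(xml_text):
    """The ApplicationControl CSP node the policy is written to."""
    return f"./Vendor/MSFT/ApplicationControl/Policies/{policy_guid(xml_text)}/Policy"


def check_policy(xml_text):
    """Return a list of problems; an empty list means the policy is ready to compile and upload."""
    root = ET.fromstring(xml_text)
    problems = []
    options = policy_options(root)
    if AUDIT_MODE in options:
        problems.append("audit mode is still on: denies are only logged (Set-RuleOption -Option 3 -Delete)")
    if INVALIDATE_EAS not in options:
        problems.append("Invalidate EAs on Reboot is missing (Set-RuleOption -Option 15)")
    for deny in root.iterfind("si:FileRules/si:Deny", SIPOLICY_NS):
        pfn = deny.get("PackageFamilyName")
        if pfn and deny.get("PackageVersion") != DENY_ALL_VERSIONS:
            problems.append(f"deny rule {deny.get('ID')} for {pfn} does not cover all versions")
    try:
        policy_guid(xml_text)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def base64_policy_value(binary_policy):
    """What Intune's 'Base64 file' data type sends for compiledPolicy.bin."""
    return base64.b64encode(binary_policy).decode("ascii")


if __name__ == "__main__":
    print(check_policy(SAMPLE_MERGED_POLICY))
    print(oma_uri_for_policy(SAMPLE_MERGED_POLICY))
```

Run it against the real mergedPolicy.xml by passing the file contents to check_policy; anything it returns maps back to
one of steps 5 to 8 above, and oma_uri_for_policy gives the exact string for the OMA-URI field in step 10.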

Next steps
Assign the profile, and monitor its status.
Learn more about custom profiles in Intune.
Configure device restriction settings in Microsoft
Intune
4/15/2021

Intune includes device restriction policies that help administrators control Android, iOS/iPadOS, macOS, and
Windows devices. These restrictions let you control a wide range of settings and features to protect your
organization's resources. For example, administrators can:
Allow or block the device camera.
Control access to Google Play, app stores, viewing documents, and gaming.
Block built-in apps, or create a list of apps that are allowed or prohibited.
Allow or prevent backing up files to cloud and storage accounts.
Set a minimum password length, and block simple passwords.
These features are available in Intune, and are configurable by the administrator. Intune uses "configuration
profiles" to create and customize these settings for your organization's needs. After you add these features in a
profile, you can then push or deploy the profile to devices in your organization.
This feature applies to:
Android device administrator
Android Enterprise personally-owned devices with a work profile
iOS/iPadOS
macOS
Windows 10 and newer
Windows 8.1 and newer
This article shows you how to create a device restrictions profile. You can also see all the available settings for
the different platforms.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Choose the platform of your devices. Your options:
Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 10 and later
Windows 8.1 and later
Profile : Select Device restrictions . Or, select Templates > Device restrictions .
To create a device restrictions profile for Windows 10 Team devices, such as Surface Hub, choose
Device restrictions (Windows 10 Team) .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the policy. Name your policies so you can easily identify them
later. For example, a good policy name is iOS/iPadOS: Block camera on devices .
Description : Enter a description for the policy. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , depending on the platform you chose, the settings you can configure are
different. Choose your platform for detailed settings:
Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 8.1
Windows 10 and newer
Windows 10 Team
Windows Holographic for Business
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or groups that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.

Next steps
After the profile is created, it's ready to be assigned. Be sure to assign the profile and monitor its status.
Add email settings to devices using Intune
4/15/2021

Microsoft Intune includes different email settings you can deploy to devices in your organization. An IT
administrator creates email profiles with specific settings to connect to a mail server, such as Microsoft 365 and
Gmail. End users then connect, authenticate, and synchronize their organizational email accounts on their
mobile devices. By creating and deploying an email profile, you can confirm settings are standard across many
devices. And, help reduce support calls from end users who don't know the correct email settings.
You can use email profiles to configure the built-in email settings for the following devices:
Android device administrator on Samsung Knox Standard 5.0 and newer
Android Enterprise personally-owned devices with a work profile
iOS 11.0 and newer
iPadOS 13.0 and newer
Windows 10 (desktop)
This article shows you how to create an email profile in Microsoft Intune. It also includes links to the different
platforms for more specific settings.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Choose the platform of your devices. Your options:
Android device administrator (Samsung Android Knox Standard only)
Android Enterprise personally owned work profiles
iOS/iPadOS
Windows 10 and later
Profile : Select Email . Or, select Templates > Email .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the policy. Name your policies so you can easily identify them
later. For example, a good policy name is Windows 10: Email settings for all Windows 10
devices .
Description : Enter a description for the policy. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , depending on the platform you chose, the settings you can configure are
different. Choose your platform for detailed settings:
Android device administrator (Samsung Knox Standard)
Android Enterprise
iOS/iPadOS
Windows 10
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or device groups that will receive your profile. For more information on
assigning profiles, see What you need to know (in this article). Assign user and device profiles also has some
guidance.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.

What you need to know


Email profiles are deployed for the user who enrolled the device. To fill in the email profile, Intune uses the
Azure Active Directory (Azure AD) properties of the user who enrolled the device.
Microsoft Outlook for iOS/iPadOS and Android devices don't support email profiles. Instead, deploy an
app configuration policy. For more information, see Outlook Configuration setting.
On Android Enterprise devices, deploy Gmail or Nine for Work using the managed Google Play Store.
Add Managed Google Play apps lists the steps.
Email is based on identity and user settings. Email profiles are typically assigned to user groups, not
device groups. Some considerations:
If the email profile includes user certificates, then assign the email profile to user groups. You may
have multiple user certificate profiles that are assigned. These multiple profiles create a chain of
profile deployments. Deploy this profile chain to user groups.
If one profile in this chain is deployed to a device group, users may be continuously prompted to
enter their password.
Device groups are typically used when there's not a primary user, or if you don't know who the
user will be. Email profiles targeted to device groups (not user groups) may not be delivered to the
device.
For example, your email profile targets an all iOS/iPadOS devices group. Be sure all these devices
have a user.
If any device doesn't have a user, then the email profile may not deploy to it. The profile is limited
to devices that have a user, so you could miss some devices.
If the device has a primary user, then deploying to device groups should work.
For more information on possible issues with using device groups, see Common issues with email
profiles.

Remove an email profile


There are different ways to remove an email profile from devices, even when there's only one email profile on
the device:
Option 1 : Open the email profile (Devices > Configuration profiles > select your profile), and choose
Assignments . The Include tab shows the groups that are assigned the profile. Right-click the group >
Remove . Be sure to Save your changes.
Option 2 : Wipe or retire the device. You can use these actions to selectively or fully remove data and
settings.

Secure email access


You can help secure email profiles using the following options:
Certificates : When you create the email profile, you choose a certificate profile previously created in
Intune. This certificate is known as the identity certificate. It authenticates against a trusted certificate
profile or a root certificate to confirm a user's device is allowed to connect. The trusted certificate is
assigned to the computer that authenticates the email connection. Typically, this computer is the native
mail server.
If you use certificate-based authentication for your email profile, then deploy the email profile, certificate
profile, and trusted root profile to the same groups. This deployment makes sure each device can
recognize the legitimacy of your certificate authority.
For more information about how to create and use certificate profiles in Intune, see How to configure
certificates with Intune.
User name and password : The end user authenticates to the native mail server by entering a user
name and password. The password doesn't exist in the email profile. So, the end user enters the password
when connecting to email.

How Intune handles existing email accounts


If the user already configured an email account, then the email profile is assigned differently, depending on the
platform.
Android device administrator Samsung Knox Standard : Intune detects an existing, duplicate email profile
based on the email address, and overwrites it with the Intune profile. Android doesn't use the host name to
identify the profile. Don't create multiple email profiles using the same email address on different hosts.
The profiles overwrite each other.
Android Enterprise personally owned work profiles : Intune provides two Android work email
profiles: Gmail app and Nine Work app. These apps are available in the Google Play Store, and install in
the personally owned work profile. These apps don't create duplicate profiles. Both apps support
connections to Exchange. To use email connectivity, deploy one of these email apps to your user devices.
Then, create and deploy the email profile.
You can also use certificate profiles on Gmail and Nine Work. Any Gmail or Nine Work device
configuration policies that you create continue to apply to the device. It's not necessary to move them to
app configuration policies. Email apps, such as Nine Work, may not be free. Review the app's licensing
details, or contact the app company with any questions.
On Android Enterprise Fully Managed, Dedicated, and Corporate-owned Work Profiles, use app
configuration policies. You can use email apps that support app configuration policies, including Gmail
and Nine Work.
iOS/iPadOS : An existing, duplicate email profile is detected based on host name and email address. The
duplicate email profile blocks the assignment of an Intune profile. In this case, the Company Portal app
notifies the user that they aren't compliant, and prompts the end user to manually remove the configured
profile. To help prevent this scenario, tell your end users to enroll before installing an email profile, which
allows Intune to set up the profile.
Windows: An existing, duplicate email profile is detected based on host name and email address. Intune
overwrites the existing email profile created by the end user.

Changes to assigned email profiles


If you make changes to an email profile you previously assigned, end users may see a message asking them to
approve the reconfiguration of their email settings.

Next steps
Once the profile is created, it isn't doing anything yet. Next, assign the profile and monitor its status.
Create VPN profiles to connect to VPN servers in
Intune
6/30/2021

Virtual private networks (VPNs) give users secure remote access to your organization network. Devices use a
VPN connection profile to start a connection with the VPN server. VPN profiles in Microsoft Intune assign VPN
settings to users and devices in your organization. Use these settings so users can easily and securely connect to
your organizational network.
This feature applies to:
Android device administrator
Android Enterprise personally-owned devices with a work profile
iOS/iPadOS
macOS
Windows 10 and newer
Windows 8.1 and newer
For example, you want to configure all iOS/iPadOS devices with the required settings to connect to a file share
on the organization network. You create a VPN profile that includes these settings. You assign this profile to all
users who have iOS/iPadOS devices. The users see the VPN connection in the list of available networks, and can
connect with minimal effort.
This article lists the VPN apps you can use, shows you how to create a VPN profile, and includes guidance on
securing your VPN profiles. You must deploy the VPN app before you create the VPN profile. If you need help
deploying apps using Microsoft Intune, see What is app management in Microsoft Intune?.

Before you begin


VPN profiles for a device tunnel are supported for Windows 10 Enterprise multi-session remote
desktops.
If you use certificate based authentication for your VPN profile, then deploy the VPN profile, certificate
profile, and trusted root profile to the same groups. This step makes sure that each device can recognize
the legitimacy of your certificate authority. For more information, see How to configure certificates with
Microsoft Intune.
User enrollment for iOS/iPadOS and macOS only supports per-app VPN.
You can use Intune custom configuration policies to create VPN profiles for the following platforms:
Android 4 and later
Enrolled devices that run Windows 8.1 and later
Enrolled devices that run Windows 10 desktop
Windows Holographic for Business

VPN connection types


IMPORTANT
Before you can use VPN profiles assigned to a device, you must install the VPN app for the profile. To help you assign the
app using Intune, see Add apps to Microsoft Intune.

You can create VPN profiles using the following connection types:
Automatic
Windows 10
Check Point Capsule VPN
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile: Use app configuration policy
iOS/iPadOS
macOS
Windows 10
Windows 8.1
Cisco AnyConnect
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
macOS
Windows 10
Cisco (IPSec)
iOS/iPadOS
Citrix SSO
Android device administrator
Android Enterprise personally owned devices with a work profile: Use app configuration policy
Android Enterprise fully managed and corporate-owned work profiles: Use app configuration policy
iOS/iPadOS
Windows 10
Custom VPN
iOS/iPadOS
macOS
Create custom VPN profiles using URI settings in Create a profile with custom settings.
F5 Access
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
macOS
Windows 10
Windows 8.1
IKEv2
iOS/iPadOS
Windows 10
L2TP
Windows 10
Microsoft Tunnel (standalone client)
iOS/iPadOS
Microsoft Tunnel
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile

IMPORTANT
Before Microsoft Defender for Endpoint was supported as the tunnel client app, a standalone tunnel client app was
available in preview and used the Microsoft Tunnel (standalone client) connection type. As of June 14, 2021, both
the standalone tunnel app and the standalone client connection type are deprecated, and they drop out of support 60
days later, after August 14, 2021.

NetMotion Mobility
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
macOS
Palo Alto Networks GlobalProtect
Android Enterprise personally owned devices with a work profile: Use app configuration policy
Android Enterprise fully managed and corporate-owned work profile: Use app configuration policy
iOS/iPadOS
Windows 10
PPTP
Windows 10
Pulse Secure
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
Windows 10
Windows 8.1
SonicWall Mobile Connect
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
macOS
Windows 10
Windows 8.1
Zscaler
Android Enterprise personally owned devices with a work profile: Use app configuration policy
Android Enterprise fully managed and corporate-owned work profile: Use app configuration policy
iOS/iPadOS

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Choose the platform of your devices. Your options:
Android device administrator
Android Enterprise > Fully Managed, Dedicated, and Corporate-Owned Work Profile
Android Enterprise > Personally-owned work profile
iOS/iPadOS
macOS
Windows 10 and later
Windows 8.1 and later
Profile : Select VPN . Or, select Templates > VPN .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, a good profile name is VPN profile for entire company .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , depending on the platform you chose, the settings you can configure are
different. Select your platform for detailed settings:
Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 10 (including Windows Holographic for Business)
Windows 8.1
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the user or groups that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.

Secure your VPN profiles


VPN profiles can use many different connection types and protocols from different manufacturers. These
connections are typically secured through the following methods.
Certificates
When you create the VPN profile, you choose a SCEP or PKCS certificate profile that you previously created in
Intune. This profile is known as the identity certificate. It's used to authenticate against a trusted certificate
profile (or root certificate) that you create to allow the user's device to connect. The trusted certificate is
assigned to the computer that authenticates the VPN connection, typically, the VPN server.
If you use certificate-based authentication for your VPN profile, then deploy the VPN profile, certificate profile,
and trusted root profile to the same groups. This assignment makes sure each device recognizes the legitimacy
of your certificate authority.
For more information about how to create and use certificate profiles in Intune, see How to configure
certificates with Microsoft Intune.

NOTE
Certificates added using the PKCS imported certificate profile aren't supported for VPN authentication. Certificates
added using the PKCS certificates profile are supported for VPN authentication.

User name and password


The user authenticates to the VPN server by providing a user name and password, or derived credentials.

Next steps
Assign the profile and monitor its status.
You can also create and use per-app VPNs on Android device administrator/Android Enterprise and
iOS/iPadOS devices.
Use a Microsoft Intune custom profile to create a
per-app VPN profile for Android devices
3/5/2021

You can create a per-app VPN profile for Android 6.0 and later devices that are managed by Intune. First, create a
VPN profile that uses either the Pulse Secure or Citrix connection type. Then, create a custom configuration
policy that associates the VPN profile with specific apps.
This feature applies to:
Android device administrator
To use per-app VPN on Android Enterprise devices, use an app configuration policy. App configuration policies
support more VPN client apps. On Android Enterprise devices, you can use the steps in this article. But, it's not
recommended, and you're limited to only Pulse Secure and Citrix VPN connections.
After you assign the policy to your Android device or user groups, users should start the Pulse Secure or Citrix
VPN client. Then, the VPN client allows only traffic from the specified apps to use the open VPN connection.

NOTE
Only the Pulse Secure and Citrix connection types are supported for Android device administrator. On Android Enterprise
devices, use an app configuration policy.

Step 1: Create a VPN profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Android device administrator .
Profile : Select VPN .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, a good profile name is Android DA per-app VPN profile for entire company .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , configure the settings you want in the profile:
VPN settings for Android device administrator devices.
Take note of the Connection Name value you enter when creating the VPN profile. This name is needed
in the next step. In this example, the connection name is MyAppVpnProfile .
8. Select Next , and continue creating your profile. For more information, see Create a VPN profile.
Step 2: Create a custom configuration policy
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Android device administrator .
Profile : Select Custom .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the custom profile. Name your profiles so you can easily identify
them later. For example, a good profile name is Custom OMA-URI Android VPN profile for
entire company .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings > OMA-URI Settings , select Add . Enter the following OMA-URI values:
Name : Enter a name for your setting.
Description : Enter a description for the profile. This setting is optional, but recommended.
OMA-URI : Enter ./Vendor/MSFT/VPN/Profile/<Name>/PackageList , where <Name> is the connection name
you noted in Step 1. In this example, the string is
./Vendor/MSFT/VPN/Profile/MyAppVpnProfile/PackageList .
Data type : Enter String .
Value : Enter a semicolon-separated list of packages to associate with the profile. For example, if you
want Excel and the Google Chrome browser to use the VPN connection, enter
com.microsoft.office.excel;com.android.chrome .

Your settings look similar to the following settings:


8. Select Next , and continue creating your profile. For more information, see Create a VPN profile.
Set your blocked and allowed app list (optional)
Use the BLACKLIST value to enter a list of apps that cannot use the VPN connection. All other apps connect
through the VPN. Or, use the WHITELIST value to enter a list of apps that can use the VPN connection. Apps
that aren't on the list don't connect through the VPN.
1. On the Custom OMA-URI Settings pane, choose Add .
2. Enter a setting name.
3. In OMA-URI , enter ./Vendor/MSFT/VPN/Profile/*Name*/Mode , where Name is the VPN profile name you noted
in Step 1. In our example, the string is ./Vendor/MSFT/VPN/Profile/MyAppVpnProfile/Mode .
4. In Data type , enter String .
5. In Value , enter BLACKLIST or WHITELIST .

Step 3: Assign both policies


Assign both device profiles to the required users or devices.

Next steps
For a list of all the Android device administrator VPN settings, see Android device settings to configure VPN.
To learn more about VPN settings and Intune, see configure VPN settings in Microsoft Intune.
Set up per-app Virtual Private Network (VPN) for
iOS/iPadOS devices in Intune
4/15/2021 • 7 minutes to read

In Microsoft Intune, you can create and use Virtual Private Networks (VPNs) assigned to an app. This feature is
called "per-app VPN". You choose the managed apps that can use your VPN on devices managed by Intune.
When using per-app VPNs, end users automatically connect through the VPN, and get access to organizational
resources, such as documents.
This feature applies to:
iOS 9 and newer
iPadOS 13.0 and newer
Check your VPN provider's documentation to see if your VPN supports per-app VPN.
This article shows you how to create a per-app VPN profile, and assign this profile to your apps. Use these steps
to create a seamless per-app VPN experience for your end users. For most VPNs that support per-app VPN, the
user opens an app, and automatically connects to the VPN.
Some VPNs allow username and password authentication with per-app VPN. Meaning, users need to enter a
username and password to connect to the VPN.

IMPORTANT
There's a known issue in iOS/iPadOS 13. The issue prevents per-app VPN profiles from connecting in user enrollment
environments that use certificate-based authentication. Apple plans to fix this in a future release of iOS.
On iOS/iPadOS, per-app VPN isn't supported for IKEv2 VPN profiles.

Per-app VPN with Microsoft Tunnel or Zscaler


Microsoft Tunnel and Zscaler Private Access (ZPA) integrate with Azure Active Directory (Azure AD) for
authentication. When using Tunnel or ZPA, you don't need the trusted certificate or SCEP or PKCS certificate
profiles (described in this article).
If you have a per-app VPN profile set up for Zscaler, then opening one of the associated apps doesn't
automatically connect to ZPA. Instead, the user needs to sign into the Zscaler app. Then, remote access is limited
to the associated apps.

Prerequisites for per-app VPN


IMPORTANT
Your VPN vendor may have other requirements for per-app VPN, such as specific hardware or licensing. Be sure to check
with their documentation, and meet those prerequisites before setting up per-app VPN in Intune.

To prove its identity, the VPN server presents the certificate that must be accepted without a prompt by the
device. To confirm the automatic approval of the certificate, create a trusted certificate profile. This trusted
certificate profile must include the VPN server's root certificate issued by the Certification Authority (CA).
Export the certificate and add the CA
1. On your VPN server, open the administration console.
2. Confirm that your VPN server uses certificate-based authentication.
3. Export the trusted root certificate file. It has a .cer extension, and you add it when creating a trusted
certificate profile.
4. Add the name of the CA that issued the certificate for authentication to the VPN server.
If the CA presented by the device matches a CA in the Trusted CA list on the VPN server, then the VPN
server successfully authenticates the device.

Create a group for your VPN users


Create or choose an existing group in Azure Active Directory (Azure AD). This group must include the users or
devices that will use per-app VPN. To create a new group, see Add groups to organize users and devices.

Create a trusted certificate profile


Import the VPN server's root certificate issued by the CA into a profile created in Intune. The trusted certificate
profile instructs the iOS/iPadOS device to automatically trust the CA that the VPN server presents.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select iOS/iPadOS .
Profile : Select Trusted certificate .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, a good profile name is iOS/iPadOS trusted certificate VPN profile for entire
company .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , select the folder icon, and browse to your VPN certificate ( .cer file) that
you exported from your VPN administration console.
8. Select Next , and continue creating your profile. For more information, see Create a VPN profile.
Create a SCEP or PKCS certificate profile
The trusted root certificate profile allows the device to automatically trust the VPN Server. The SCEP or PKCS
certificate provides credentials from the iOS/iPadOS VPN client to the VPN server. The certificate allows the
device to silently authenticate without prompting for a username and password.
To configure and assign the client authentication certificate, see one of the following articles:
Configure infrastructure to support SCEP with Intune
Configure and manage PKCS certificates with Intune
Be sure to configure the certificate for client authentication. You can set client authentication directly in SCEP
certificate profiles (Extended key usage list > Client authentication ). For PKCS, set client authentication in
the certificate template in the certificate authority (CA).
Create a per-app VPN profile
This VPN profile includes the SCEP or PKCS certificate that has the client credentials, the VPN connection
information, and the per-app VPN flag that enables the per-app VPN used by the iOS/iPadOS application.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select iOS/iPadOS .
Profile : Select VPN .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the custom profile. Name your profiles so you can easily identify
them later. For example, a good profile name is iOS/iPadOS per-app VPN profile for myApp .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. In Configuration settings , configure the following settings:
Connection type : Select your VPN client app.
Base VPN : Configure your settings. iOS/iPadOS VPN settings describes all the settings. When
using per-app VPN, be sure you configure the following properties as listed:
Authentication method : Select Certificates .
Authentication certificate : Select an existing SCEP or PKCS certificate > OK .
Split tunneling : Select Disable to force all traffic to use the VPN tunnel when the VPN
connection is active.
For information on the other settings, see iOS/iPadOS VPN settings.
Automatic VPN > Type of automatic VPN > Per-app VPN
7. Select Next , and continue creating your profile. For more information, see Create a VPN profile.

Associate an app with the VPN profile


After adding your VPN profile, associate the app and Azure AD group to the profile.
1. In the Microsoft Endpoint Manager admin center, select Apps > All apps .
2. Select an app from the list > Properties > Assignments > Edit .
3. Go to the Required or Available for enrolled devices section.
4. Select Add group > Select the group you created (in this article) > Select .
5. In VPNs , select the per-app VPN profile you created (in this article).
6. Select OK > Save .
When all of the following conditions exist, an association between an app and a profile is removed during the
next device check-in:
The app was targeted with required install intent.
The profile and the app are assigned to the same group.
You remove the per-app VPN configuration from the app assignment.
When all of the following conditions exist, an association between an app and a profile remains until the user
requests a reinstall from the Company Portal app:
The app was targeted with available install intent.
The profile and the app are assigned to the same group.
The end user requested the app install in the Company Portal app. This request results in the app and profile
being installed on the device.
You remove or change the per-app VPN configuration from the app assignment.

Verify the connection on the iOS/iPadOS device


With your per-app VPN set-up and associated with your app, verify the connection works from a device.
Before you attempt to connect
Make sure you deploy all the policies described in this article to the same group. Otherwise, the per-app VPN
experience won't work.
If you're using the Pulse Secure VPN app or a custom VPN client app, then you can choose to use app-layer
or packet-layer tunneling. For app-layer tunneling, set the ProviderType value to app-proxy . For packet-
layer tunneling, set ProviderType value to packet-tunnel . Check your VPN provider's documentation to
make sure you're using the correct value.
Connect using the per-app VPN
Verify the zero-touch experience by connecting without having to select the VPN or type your credentials. The
zero-touch experience means:
The device doesn't ask you to trust the VPN server. Meaning, the user doesn't see the Dynamic Trust dialog
box.
The user doesn't have to enter credentials.
When the user opens one of the associated apps, the user's device is connected to the VPN.

Next steps
To review iOS/iPadOS settings, see VPN settings for iOS/iPadOS devices in Microsoft Intune.
To learn more about VPN settings and Intune, see configure VPN settings in Microsoft Intune.
Add and use Wi-Fi settings on your devices in
Microsoft Intune
3/5/2021 • 3 minutes to read

Wi-Fi is a wireless network that's used by many mobile devices to get network access. Microsoft Intune includes
built-in Wi-Fi settings that can be deployed to users and devices in your organization. This group of settings is
called a "profile", and can be assigned to different users and groups. Once assigned, your users get access to your
organization's Wi-Fi network without configuring it themselves.
For example, you install a new Wi-Fi network named Contoso Wi-Fi. You then want to set up all iOS/iPadOS
devices to connect to this network. Here's the process:
1. Create a Wi-Fi profile that includes the settings that connect to the Contoso Wi-Fi wireless network.
2. Assign the profile to a group that includes all users of iOS/iPadOS devices.
3. On their devices, users find the new Contoso Wi-Fi network in the list of wireless networks. They can then
connect to the network, using the authentication method of your choosing.
This article lists the steps to create a Wi-Fi profile. It also includes links that describe the different settings for
each platform.

Supported device platforms


Wi-Fi profiles support the following device platforms:
Android 5 and newer
Android Enterprise and kiosk
iOS 11.0 and newer
iPadOS 13.0 and newer
macOS X 10.12 and newer
Windows 10 and newer, and Windows Holographic for Business

NOTE
For devices running Windows 8.1, you can import a Wi-Fi configuration that was previously exported from another
device. For more information, see Import Wi-Fi settings for Windows devices.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Choose the platform of your devices. Your options:
Android device administrator
Android Enterprise
iOS/iPadOS
macOS
Windows 10 and later
Windows 8.1 and later
Profile : Select Wi-Fi . Or, select Templates > Wi-Fi .

TIP
For Android Enterprise devices running as a dedicated device (kiosk), choose Fully Managed,
Dedicated, and Corporate-Owned Work Profile > Wi-Fi.
For Windows 8.1 and newer , you can choose Wi-Fi import . This option lets you import Wi-Fi
settings as an XML file that you previously exported from a different device.

4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, a good profile name is WiFi profile for entire company .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , depending on the platform you chose, the settings you can configure are
different. Select your platform for detailed settings:
Android device administrator
Android Enterprise, including dedicated devices
iOS/iPadOS
macOS
Windows 10 and newer
Windows 8.1 and newer, including Windows Holographic for Business
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the user or groups that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.

TIP
If you use certificate based authentication for your Wi-Fi profile, deploy the Wi-Fi profile, certificate profile, and trusted
root profile to the same groups to ensure that each device can recognize the legitimacy of your certificate authority. For
more information, see How to configure certificates with Microsoft Intune.

Next steps
The profile is created, but may not be doing anything. Be sure to assign the profile, and monitor its status.
Troubleshoot Wi-Fi profiles in Intune.
Import Wi-Fi settings for Windows devices in Intune
4/15/2021 • 3 minutes to read

On Windows devices, you can export Wi-Fi settings to an XML file, and then import these settings in Intune.
Using these imported settings, you can create a Wi-Fi profile, and then deploy it to your devices.
This feature applies to:
Windows 10 and newer
Windows 10 desktop or mobile
Windows Holographic for Business
Windows 8.1 and newer
This article shows you how to export Wi-Fi settings from a Windows device, and then import these settings in to
Intune.

NOTE
On Windows 10 and newer, you can create a Wi-Fi profile directly in Intune. You don't have to import a file.
For Windows 8.1 devices, you must export and import Wi-Fi settings to create and deploy Wi-Fi profiles.

Export Wi-Fi settings from a Windows device


Use netsh wlan to export an existing Wi-Fi profile to an XML file readable by Intune. On a Windows computer
that has the WiFi profile, use the following steps:
1. Create a local folder for the exported Wi-Fi profiles, such as c:\WiFi .
2. Open a command prompt as an administrator.
3. Run the netsh wlan show profiles command. Note the name of the profile you'd like to export. In this
example, the profile name is ContosoWiFi .
4. Run the netsh wlan export profile name="ProfileName" folder=c:\Wifi command. This command creates a
Wi-Fi profile file named Wi-Fi-ProfileName.xml in your target folder. In our example, the file name is
Wi-Fi-ContosoWiFi.xml .

IMPORTANT
If you're exporting a Wi-Fi profile that includes a pre-shared key, you must add key=clear to the command. The
key must be exported in plain text to successfully use the profile. For example, enter:
netsh wlan export profile name="ProfileName" key=clear folder=c:\Wifi

Using a pre-shared key with Windows 10 causes a remediation error to show in Intune. When this happens, the
Wi-Fi profile is properly assigned to the device, and the profile works as expected.
If you export a Wi-Fi profile that includes a pre-shared key, be sure the file is protected. The key is in plain text. It's
your responsibility to protect the key.

Import the Wi-Fi settings into Intune


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Windows 8.1 and later .
Even though you select Windows 8.1, this feature still applies to Windows 10 and Windows
Holographic.
Profile : Select Wi-Fi import .
4. Select Create .
5. In Basics , enter the following properties:
Name : This setting is the profile name. You must enter the same name as the name attribute in the
Wi-Fi profile xml. If you enter a different name, the profile will fail.
Description : Enter a description for the profile. This setting is optional, but recommended. For
example, enter Imported Wi-Fi profile for Windows 10 Holographic devices .
6. Select Next .
7. In Configuration settings , enter the following properties:
Connection name : Enter a name for the Wi-Fi connection. This name is shown to users when they
browse available Wi-Fi networks. For example, enter ContosoWiFi .
Profile XML : Select the browse button, and select the XML file that contains the Wi-Fi profile settings
you want to import.
File contents : Shows the XML code for the XML file you selected.
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the user or groups that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.

Next steps
The profile is created, but may not be doing anything. Be sure to assign the profile, and monitor its status.
See the Wi-Fi settings overview, including other available platforms.
Use a custom device profile to create a WiFi profile
with a pre-shared key in Intune
5/7/2021 • 6 minutes to read

Pre-shared keys (PSK) are typically used to authenticate users in WiFi networks, or wireless LANs. With Intune,
you can create a WiFi profile using a pre-shared key. To create the profile, use the Custom device profiles
feature within Intune. This article also includes some examples of how to create an EAP-based Wi-Fi profile.
This feature applies to:
Android device administrator
Android Enterprise personally owned devices with a work profile
Windows
EAP-based Wi-Fi

IMPORTANT
Using a pre-shared key with Windows 10 causes a remediation error to show in Intune. When this happens, the Wi-Fi
profile is properly assigned to the device, and the profile works as expected.
If you export a Wi-Fi profile that includes a pre-shared key, be sure the file is protected. The key is in plain text, so it's
your responsibility to protect the key.

Before you begin


It may be easier to copy the code from a computer that connects to that network, as described later in this
article.
You can add multiple networks and keys by adding more OMA-URI settings.
For iOS/iPadOS, use Apple Configurator on a Mac station to set up the profile.
PSK requires a string of 64 hexadecimal digits, or a passphrase of 8 to 63 printable ASCII characters. Some
characters, such as asterisk ( * ), aren't supported.

Create a custom profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Choose your platform.
Profile : Select Custom . Or, select Templates > Custom .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the policy. Name your policies so you can easily identify them
later. For example, a good policy name is Custom OMA-URI Wi-Fi profile for Android DA .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , select Add . Enter a new OMA-URI setting with the following properties:
a. Name : Enter a name for the OMA-URI setting.
b. Description : Enter a description for the OMA-URI setting. This setting is optional, but
recommended.
c. OMA-URI : Enter one of the following options:
For Android : ./Vendor/MSFT/WiFi/Profile/SSID/Settings
For Windows : ./Vendor/MSFT/WiFi/Profile/SSID/WlanXml

NOTE
Be sure to include the dot character at the beginning.

SSID is the SSID for which you're creating the policy. For example, if the Wi-Fi is named Hotspot-1 ,
enter ./Vendor/MSFT/WiFi/Profile/Hotspot-1/Settings .
d. Data Type : Select String .
e. Value : Paste your XML code. See the examples in this article. Update each value to match your
network settings. The comments section of the code includes some pointers.
f. Select Add to save your changes.
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or user group that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.

NOTE
This policy can only be assigned to user groups.

Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied, and a Wi-Fi profile is created on the device. The device
can then connect to the network automatically.

Android or Windows Wi-Fi profile example


The following example includes the XML code for an Android or Windows Wi-Fi profile. The example is provided
to show proper format and provide more details. It's only an example, and isn't intended as a recommended
configuration for your environment.
What you need to know
<protected>false</protected> must be set to false . When true , it could cause the device to expect an
encrypted password, and then try to decrypt it, which may result in a failed connection.
<hex>53534944</hex>should be set to the hexadecimal value of <name><SSID of wifi profile></name> .
Windows 10 devices may return a false x87D1FDE8 Remediation failed error, but the device still contains
the profile.
XML has special characters, such as the & (ampersand). Using special characters may prevent the XML
from working as expected.
Example

<!--
<hex>53534944</hex> = The hexadecimal value of <name><SSID of wifi profile></name>
<Name of wifi profile> = Name of profile shown to users. For example, enter <name>ContosoWiFi</name>.
<SSID of wifi profile> = Plain text of SSID. Does not need to be escaped. It could be <name>Your Company's
Network</name>.
<nonBroadcast><true/false></nonBroadcast>
<Type of authentication> = Type of authentication used by the network, such as WPA2PSK.
<Type of encryption> = Type of encryption used by the network, such as AES.
<protected>false</protected> do not change this value, as true could cause device to expect an encrypted
password and then try to decrypt it, which may result in a failed connection.
<password> = Plain text of the password to connect to the network
-->

<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name><Name of wifi profile></name>
<SSIDConfig>
<SSID>
<hex>53534944</hex>
<name><SSID of wifi profile></name>
</SSID>
<nonBroadcast>false</nonBroadcast>
</SSIDConfig>
<connectionType>ESS</connectionType>
<connectionMode>auto</connectionMode>
<autoSwitch>false</autoSwitch>
<MSM>
<security>
<authEncryption>
<authentication><Type of authentication></authentication>
<encryption><Type of encryption></encryption>
<useOneX>false</useOneX>
</authEncryption>
<sharedKey>
<keyType>passPhrase</keyType>
<protected>false</protected>
<keyMaterial>password</keyMaterial>
</sharedKey>
<keyIndex>0</keyIndex>
</security>
</MSM>
</WLANProfile>

EAP-based Wi-Fi profile example


The following example includes the XML code for an EAP-based Wi-Fi profile: The example is provided to show
proper format and provide more details. It's only an example, and isn't intended as a recommended
configuration for your environment.

<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>testcert</name>
<SSIDConfig>
<SSID>
<hex>7465737463657274</hex>
<name>testcert</name>
</SSID>
<nonBroadcast>true</nonBroadcast>
</SSIDConfig>
<connectionType>ESS</connectionType>
<connectionMode>auto</connectionMode>
<autoSwitch>false</autoSwitch>
<MSM>
<security>
<authEncryption>
<authentication>WPA2</authentication>
<encryption>AES</encryption>
<useOneX>true</useOneX>
<FIPSMode xmlns="http://www.microsoft.com/networking/WLAN/profile/v2">false</FIPSMode>
</authEncryption>
<PMKCacheMode>disabled</PMKCacheMode>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
<cacheUserData>false</cacheUserData>
<authMode>user</authMode>
<EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
</EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames></ServerNames>
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
<TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
<FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
<AllPurposeEnabled>true</AllPurposeEnabled>
<CAHashList Enabled="true">
<IssuerHash>75 f5 06 9c a4 12 0e 9b db bc a1 d9 9d d0 f0 75 fa 3b b8 78
</IssuerHash>
</CAHashList>
<EKUMapping>
<EKUMap>
<EKUName>Client Authentication</EKUName>
<EKUOID>1.3.6.1.5.5.7.3.2</EKUOID>
</EKUMap>
</EKUMapping>
<ClientAuthEKUList Enabled="true"/>
<AnyPurposeEKUList Enabled="false">
<EKUMapInList>
<EKUName>Client Authentication</EKUName>
</EKUMapInList>
</AnyPurposeEKUList>
</FilteringInfo>
</TLSExtensions>
</EapType>
</Eap>
</Config>
</EapHostConfig>
</EAPConfig>
</OneX>
</security>
</MSM>
</WLANProfile>
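The EAP-TLS example above is, as the article says, a format illustration rather than a recommended configuration: it sets PerformServerValidation to false, leaves ServerNames empty and lets the user be prompted about an unrecognised server, so the client would complete EAP-TLS against any authentication server. The Python below is an added example, not code from the article or from Windows; it reads just those server-validation elements, using the namespaces that appear in the example, and reports each setting that should be tightened before the profile is deployed. The names eap_tls_findings and eap_tls_sample, the placeholder thumbprint and the server name radius.contoso.example are constructed for the example.

```python
"""Lint the server-validation settings of an EAP-TLS (EAP type 13) WLAN profile.
Added example; eap_tls_findings and eap_tls_sample are assumed names, not
Windows or Intune APIs."""
import xml.etree.ElementTree as ET

# Namespaces exactly as they appear in the article's EAP-TLS profile.
NS = {
    "w": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "tls1": "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1",
    "tls2": "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2",
    "tls3": "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3",
}


def eap_tls_findings(xml_text: str) -> list:
    """Return one finding per setting that lets the client finish EAP-TLS against an
    authentication server it has not verified; [] means the server is pinned."""
    root = ET.fromstring(xml_text)
    eap = root.find(".//tls1:EapType", NS)
    if eap is None:
        return ["no EAP-TLS <EapType> element found"]
    findings = []
    perform = eap.findtext("tls2:PerformServerValidation", "false", NS)
    if perform.strip().lower() != "true":
        findings.append("PerformServerValidation is false: the server certificate is not validated")
    names = eap.findtext("tls1:ServerValidation/tls1:ServerNames", "", NS)
    if not names.strip():
        findings.append("ServerNames is empty: no expected server name is pinned")
    prompt = eap.findtext("tls1:ServerValidation/tls1:DisableUserPromptForServerValidation", "false", NS)
    if prompt.strip().lower() != "true":
        findings.append("DisableUserPromptForServerValidation is false: the user may be asked to accept an unverified server")
    ca_list = eap.find(".//tls3:CAHashList", NS)
    if ca_list is None or ca_list.get("Enabled") != "true" or ca_list.find("tls3:IssuerHash", NS) is None:
        findings.append("no enabled CAHashList with an IssuerHash: the issuing CA is not restricted")
    return findings


def eap_tls_sample(perform: str, server_names: str, disable_prompt: str, issuer_hash: str = "") -> str:
    """Constructed minimal profile carrying only the elements the linter reads."""
    ca_block = (f'<CAHashList Enabled="true"><IssuerHash>{issuer_hash}</IssuerHash></CAHashList>'
                if issuer_hash else '<CAHashList Enabled="false"/>')
    return f"""<WLANProfile xmlns="{NS['w']}">
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type>
        <EapType xmlns="{NS['tls1']}">
          <ServerValidation>
            <DisableUserPromptForServerValidation>{disable_prompt}</DisableUserPromptForServerValidation>
            <ServerNames>{server_names}</ServerNames>
          </ServerValidation>
          <PerformServerValidation xmlns="{NS['tls2']}">{perform}</PerformServerValidation>
          <TLSExtensions xmlns="{NS['tls2']}"><FilteringInfo xmlns="{NS['tls3']}">{ca_block}</FilteringInfo></TLSExtensions>
        </EapType>
      </Eap></Config></EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>"""


if __name__ == "__main__":
    # The weak sample mirrors the article's values; the strong one pins the server.
    for label, xml_text in (
        ("article-like", eap_tls_sample("false", "", "false")),
        ("pinned", eap_tls_sample("true", "radius.contoso.example", "true", "ROOT-CA-SHA1-THUMBPRINT-PLACEHOLDER")),
    ):
        print(label, eap_tls_findings(xml_text) or "OK")
```

Only the four elements read here are linted; the rest of the EAP-TLS profile (client certificate selection, EKU mapping) is passed through unchanged, so run the check on the full exported profile rather than on a fragment.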

Create the XML file from an existing Wi-Fi connection


You can also create an XML file from an existing Wi-Fi connection. On a Windows computer, use the following
steps:
1. Create a local folder for the exported Wi-Fi profiles, such as c:\WiFi.
2. Open up a command prompt as an administrator (right-click cmd > Run as administrator ).
3. Run netsh wlan show profiles . The names of all the profiles are listed.
4. Run netsh wlan export profile name="YourProfileName" folder=c:\Wifi . This command creates a file
named Wi-Fi-YourProfileName.xml in c:\Wifi.
If you're exporting a Wi-Fi profile that includes a pre-shared key, add key=clear to the command:
netsh wlan export profile name="YourProfileName" key=clear folder=c:\Wifi

key=clear exports the key in plain text, which is required to successfully use the profile.
If the exported Wi-Fi profile <name></name> element includes a space, then it might return an
ERROR CODE 0x87d101f4 ERROR DETAILS Syncml(500) error when assigned. When this issue happens,
the profile is listed in \ProgramData\Microsoft\Wlansvc\Profiles\Interfaces , and shows as a known
network. But, it doesn't successfully display as managed policy in the "Areas managed by..." URI.
To resolve this issue, remove the space.
After you have the XML file, copy and paste the XML syntax into OMA-URI settings > Data type . Create a
custom profile (in this article) lists the steps.

TIP
\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{guid} also includes all the profiles in XML format.

Best practices
Before you deploy a Wi-Fi profile with PSK, confirm that the device can connect to the endpoint directly.
When rotating keys (passwords or passphrases), expect downtime and plan your deployments. Consider
pushing new Wi-Fi profiles during non-working hours. Also, warn users that connectivity may be
affected.
For a smooth transition, be sure the end user's device has an alternate connection to the Internet. For
example, the end user can switch back to Guest WiFi (or some other WiFi network) or have cellular
connectivity to communicate with Intune. The extra connection allows the user to receive policy updates
when the corporate WiFi Profile is updated on the device.

Next steps
Be sure to assign the profile, and monitor its status.
Analyze your on-premises group policy objects
(GPO) using Group Policy analytics in Microsoft
Endpoint Manager - Preview
5/18/2021 • 6 minutes to read

Group policy objects (GPOs) are used on-premises to configure settings on personal computers, and other on-
premises devices. In device management, GPOs help control security and features in the Windows OS, Internet
Explorer, Office apps, and more.
Many organizations are looking at cloud solutions to support the growing remote workforce. Group Policy
analytics is a tool and feature in Microsoft Endpoint Manager that analyzes your on-premises GPOs. It helps
you determine how your GPOs translate in the cloud. The output shows which settings are supported in MDM
providers, including Microsoft Intune. It also shows any deprecated settings, or settings not available to MDM
providers.
If your organization uses GPOs, and you want to move some workloads to Microsoft Endpoint Manager and
Intune, then Group Policy analytics will help.
This feature applies to:
Windows 10 and newer
This article shows you how to export your GPOs, import the GPOs into Endpoint Manager, and review the analysis
and results.

Prerequisites
Sign in as the Intune administrator with a role that has the Security Baselines permission. For example, the
Endpoint Security Manager role has the Security Baselines permission. For more information on the built-
in roles, see role-based access control.

Export GPOs as an XML file


1. On your on-premises computer, open the Group Policy Management app (GPMC.msc).
2. Expand your domain to see all the GPOs.
3. Right-click any GPO > Save report :
4. Save the file to an easily accessible folder, and save it as an XML file. You'll add this file in Endpoint
Manager.
Be sure the file is less than 750 kB and has a proper unicode encoding. If the exported file is greater than 750 kB,
then include fewer GPOs when you save your report from the GPMC.msc tool.
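The export steps above are done by hand in GPMC. As an added example (not part of the Intune documentation or the GPMC tooling), the following Windows PowerShell script exports every GPO in the domain to its own XML report with the GroupPolicy RSAT module, then checks each file against the two constraints the article states before you import into Endpoint Manager: the file must be under 750 kB and must be Unicode text. The output folder name, and the decision to treat any file without a UTF-16 or UTF-8 byte-order mark as "needs review", are assumptions of this example.

```powershell
# Added example: export each GPO to XML and pre-check it for Group Policy analytics import.
# Assumes the GroupPolicy module (RSAT) is installed and the caller can read all GPOs.
Import-Module GroupPolicy

$OutDir   = Join-Path $env:USERPROFILE 'GpoExports'   # assumed output folder
$MaxBytes = 750KB                                      # import limit stated in the article
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$results = foreach ($gpo in Get-GPO -All) {
    # Name the file by GUID so two GPOs with the same display name never overwrite each other
    $path = Join-Path $OutDir ("{0}.xml" -f $gpo.Id)
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $path

    $size  = (Get-Item $path).Length
    $bytes = [System.IO.File]::ReadAllBytes($path)

    # Inspect the byte-order mark to confirm the report was written as Unicode text
    $encoding = if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        'UTF-16 LE'
    } elseif ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        'UTF-8 (BOM)'
    } else {
        'no Unicode BOM'
    }

    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        Path        = $path
        SizeKB      = [math]::Round($size / 1KB, 1)
        Encoding    = $encoding
        ImportReady = ($size -lt $MaxBytes) -and ($encoding -ne 'no Unicode BOM')
    }
}

$results | Sort-Object SizeKB -Descending | Format-Table -AutoSize

# Flag the reports that will fail the 750 kB limit or the encoding check so the
# admin can re-export those GPOs individually before importing.
$results | Where-Object { -not $_.ImportReady } | ForEach-Object {
    Write-Warning ("{0}: {1} kB, {2} - will not import as-is" -f $_.DisplayName, $_.SizeKB, $_.Encoding)
}
```

Exporting one file per GPO keeps every report well under the per-GPO limit in most environments; a single oversized GPO shows up in the warning list, and that is the GPO whose report you would trim in GPMC rather than the whole domain export.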

Use Group Policy analytics


1. In the Microsoft Endpoint Manager admin center, select Devices > Group Policy analytics (preview) .
2. Select Import , and then select your saved XML file. When you select the XML file, Intune automatically
analyzes the GPO in the XML file.
Check the sizes of your individual GPO XML files. A single GPO can't be bigger than 750 kB. If a single
GPO is larger than 750 kB, then the import will fail. XML files without the appropriate unicode encoding will
also fail.
3. After the analysis runs, the GPO you imported is listed with the following information:
Group Policy name : The name is automatically generated using information in the GPO.
Active Directory Target : The target is automatically generated using the organizational unit (OU)
target information in the GPO.
MDM Support : Shows the percentage of group policy settings in the GPO that have the same setting
in Intune.
Targeted in AD : Yes means the GPO is linked to an OU in on-premises group policy. No means the
GPO isn't linked to an on-premises OU.
Last imported : Shows the date of the last import.
You can Import more GPOs for analysis, Refresh the page, and Filter the output. You can also Export
this view to a .csv file:

4. Select the MDM Support percentage for a listed GPO. More detailed information about the GPO is
shown:
Setting Name : The name is automatically generated using information in the GPO setting.
Group Policy Setting Category : Shows the setting category for ADMX settings, such as Internet
Explorer and Microsoft Edge. Not all settings have a setting category.
ADMX Support : Yes means there's an ADMX template for this setting. No means there isn't an
ADMX template for the specific setting.
For more information on ADMX templates, see Administrative Templates in Microsoft Intune.
MDM Support : Yes means there's a matching setting available in Endpoint Manager. You can
configure this setting in a device configuration profile. Settings in device configuration profiles are
mapped to Windows CSPs.
No means there isn't a matching setting available to MDM providers, including Intune.
For more information on device configuration profiles, see Apply features and settings on your
devices using device profiles.
Value : Shows the value imported from the GPO. It shows different values, such as true , 900 ,
Enabled , false , and so on.
Scope : Shows if the imported GPO targets users or targets devices.
Min OS Version : Shows the minimum Windows OS version build number that the GPO setting
applies to. It may show 18362 (1903), 17130 (1803), and other Windows 10 versions.
For example, if a policy setting shows 18362 , then the setting supports build 18362 and newer
builds.
CSP Name : A Configuration Service Provider (CSP) exposes device configuration settings in
Windows 10. This column shows the CSP that includes the setting. For example, you may see
Policy, BitLocker, PassportforWork, and so on.
For more information on CSPs, see the CSP reference.
CSP Mapping : Shows the OMA-URI path for the on-premises policy. You can use the OMA-URI in
a custom device configuration profile. For example, you may see
./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption .

Supported CSPs
Group Policy analytics can parse the following CSPs:
Policy CSP
PassportForWork CSP
BitLocker CSP
Firewall CSP
AppLocker CSP

Group Policy migration readiness report


1. In the Microsoft Endpoint Manager admin center, select Reports > Group policy analytics (preview) :
2. In the Summary tab, a summary of the GPO and its policies is shown. Use this information to
determine the status of the policies in your GPO:
Ready for migration : The policy has a matching setting in Intune, and is ready to be migrated to
Intune.
Not supported : The policy doesn't have a matching setting. Typically, policy settings that show this
status aren't exposed to MDM providers, including Intune.
Deprecated : The policy may apply to older Windows versions, and is no longer used in Windows 10
and newer.
3. Select the Reports tab > Group policy migration readiness . In this report, you can:
See the number of settings in your GPO that are available in a device configuration profile, can
be in a custom profile, aren't supported, or are deprecated.
Filter the report output using the Migration Readiness , Profile type , and CSP Name filters.
Select Generate report or Generate again to get current data.
See the list of settings in your GPO.
Use the search bar to find specific settings.
Get a time stamp of when the report was last generated.

NOTE
After you add or remove your imported GPOs, it can take about 20 minutes to update the Migration Readiness
reporting data.

Send product feedback


You can provide feedback on Group Policy Analytics when you select Got feedback . Examples of feedback
areas:
You received errors during GPO import or analytics, and you need more specific information.
How easy is it to use Group Policy analytics to find the supported group policies in Microsoft Intune?
Will this tool help you move some workloads to Endpoint Manager? If yes, what workloads are you
considering?
To get information on the customer experience, the feedback is aggregated, and sent to Microsoft. Entering an
email is optional, and may be used to get more information.

Privacy and security


Any use of customer data, such as which GPOs are used in your organization, is aggregated. It's not sold to any
third parties. This data might be used to make business decisions within Microsoft. Your customer data is stored
securely.
At any time, you can delete imported GPOs:
1. Go to Devices > Group Policy analytics (preview) .
2. Select the context menu > Delete :

Next steps
Use Windows 10 Administrative Templates to configure group policy settings in Microsoft Endpoint
Manager
Add endpoint protection settings in Microsoft Endpoint Manager

See also
Learn more about Configuration Service Providers (CSP).
Use Windows 10 templates to configure group policy settings in Microsoft Intune
3/5/2021 • 6 minutes to read

When managing devices in your organization, you want to create groups of settings that apply to different
device groups. For example, you have several device groups. For GroupA, you want to assign a specific set of
settings. For GroupB, you want to assign a different set of settings. You also want a simple view of the settings
you can configure.
You can complete this task using Administrative Templates in Microsoft Intune. The administrative templates
include thousands of settings that control features in Microsoft Edge version 77 and later, Internet Explorer,
Microsoft Office programs, remote desktop, OneDrive, passwords, PINs, and more. These settings allow group
administrators to manage group policies using the cloud.
This feature applies to:
Windows 10 and newer
The Windows settings are similar to group policy (GPO) settings in Active Directory (AD). These settings are built
in to Windows, and are ADMX-backed settings that use XML. The Office and Microsoft Edge settings are ADMX-
ingested, and use the ADMX settings in Office administrative template files and Microsoft Edge administrative
template files. And, the Intune templates are 100% cloud-based. They offer a simple and straight-forward way to
configure the settings, and find the settings you want.
Administrative Templates are built in to Intune, and don't require any customizations, including using OMA-
URI. As part of your mobile device management (MDM) solution, use these template settings as a one-stop shop
to manage your Windows 10 devices.
This article lists the steps to create a template for Windows 10 devices, and shows how to filter all the available
settings in Intune. When you create the template, it creates a device configuration profile. You can then assign or
deploy this profile to Windows 10 devices in your organization.

Before you begin


Some of these settings are available starting with Windows 10 version 1709 (RS2/build 15063). Some
settings aren't included in all the Windows editions. For the best experience, it's suggested to use
Windows 10 Enterprise version 1903 (19H1/build 18362) and newer.
The Windows settings use Windows policy CSPs. The CSPs work on different editions of Windows, such
as Home, Professional, Enterprise, and so on. To see if a CSP works on a specific edition, go to Windows
policy CSPs.
There are two ways to create an administrative template: Using a template, or using the Settings Catalog.
This article focuses on using the Administrative Templates template. The Settings Catalog has more
Administrative Template settings available. For the specific steps to use the Settings Catalog, see Use the
settings catalog to configure settings.

Create the template


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Windows 10 and later .
Profile : To use a logical grouping of settings, select Templates > Administrative Templates . To see
all the settings, select Settings catalog .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, a good profile name is ADMX: Windows 10 admin template that configures
xyz settings in Microsoft Edge .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , select All settings to see an alphabetical list of all the settings. Or, configure
settings that apply to devices (Computer configuration ), and settings that apply to users (User
configuration ):
NOTE
If you're using the Settings catalog , then select Add settings , and expand Administrative Templates . Select
any setting to see what you can configure.

For more information on creating policies using the Settings Catalog, see Use the settings catalog to configure
settings.

8. When you select All settings , every setting is listed. Scroll down and use the previous and next arrows to
see more settings:

9. Select any setting. For example, filter on Office , and select Activate Restricted Browsing . A detailed
description of the setting is shown. Choose Enabled , Disabled , or leave the setting as Not configured
(default). The detailed description also explains what happens when you choose Enabled , Disabled , or
Not configured .

TIP
The Windows settings in Intune correlate to the on-premises group policy path you see in Local Group Policy
Editor (gpedit).

10. When you select Computer configuration or User configuration , the setting categories are shown.
You can select any category to see the available settings.
For example, select Computer configuration > Windows components > Internet Explorer to see
all the device settings that apply to Internet Explorer:

11. Select OK to save your changes.


Continue to go through the list of settings, and configure the settings you want in your environment.
Here are some examples:
Use the VBA Macro Notification Settings setting to handle VBA macros in different Microsoft
Office programs, including Word and Excel.
Use the Allow file downloads setting to allow or prevent downloads from Internet Explorer.
Use Require a password when a computer wakes (plugged in) to prompt users for a password
when devices wake from sleep mode.
Use the Download unsigned ActiveX controls setting to block users from downloading unsigned
ActiveX controls from Internet Explorer.
Use the Turn off System Restore setting to allow or prevent users from running a system restore
on the device.
Use the Allow importing of favorites setting to allow or block users from importing favorites from
another browser into Microsoft Edge.
And much more...
12. Select Next .
13. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
14. In Assignments , select the user or groups that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
If the profile is assigned to user groups, then configured ADMX settings apply to any device that the user
enrolls, and signs in to. If the profile is assigned to device groups, then configured ADMX settings apply to
any user that signs into that device. This assignment happens if the ADMX setting is a computer
configuration ( HKEY_LOCAL_MACHINE ), or a user configuration ( HKEY_CURRENT_USER ). With some settings, a
computer setting assigned to a user may also impact the experience of other users on that device.
For more information, see User groups vs. device groups.
Select Next .
15. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
The next time the device checks for configuration updates, the settings you configured are applied.

Find some settings


There are thousands of settings available in these templates. To make it easier to find specific settings, use the
built-in features:
In your template, select the Settings , State , Setting type , or Path columns to sort the list. For example,
select the Path column, and use the next arrow to see the settings in the Microsoft Excel path.
In your template, use the Search box to find specific settings. You can search by setting, or path. For
example, select All settings , and search for copy . All the settings with copy are shown:

In another example, search for microsoft word . You see the settings you can set for the Microsoft Word
program. Search for explorer to see the Internet Explorer settings you can add to your template.
You can also narrow your search by only selecting Computer configuration or User configuration .
For example, to see all the available Internet Explorer user settings, select User configuration , and
search for Internet Explorer . Only the IE settings that apply to users are shown:

Next steps
The template is created, but may not be doing anything yet. Be sure to assign the template (also called a profile)
and monitor its status.
Update Microsoft 365 using administrative templates.
Tutorial: Use the cloud to configure group policy on Windows 10 devices with ADMX templates and Microsoft
Intune
Use Update Channel and Target Version settings to update Microsoft 365 with Microsoft Intune Administrative Templates
4/15/2021 • 5 minutes to read

In Intune, you can use Windows 10 templates to configure group policy settings. This article shows you how to
update Microsoft 365 using an administrative template in Intune. It also gives guidance on confirming your
policies apply successfully. This information also helps when troubleshooting.
In this scenario, you create an administrative template in Intune that updates Microsoft 365 on your devices.
For more information on administrative templates, see Windows 10 templates to configure group policy
settings.
Applies to:
Windows 10 and later
Microsoft 365

Prerequisites
Be sure to enable Microsoft 365 Apps Automatic Updates for your Office apps. You can do this using group
policy, or the Intune Office 2016 ADMX template:

Set the Update Channel in the Intune administrative template


1. In your Intune administrative template, go to the Update Channel setting, and enter the channel you
want. For example, choose Semi-Annual Channel :
NOTE
It's recommended to update more frequently. Semi-annually is only used as an example.

2. Be sure to assign the policy to your Windows 10 devices. To test your policy sooner, you can also sync the
policy:
Sync the policy in Intune
Manually sync the policy on the device

Check the Intune registry keys


After you assign the policy and the device syncs, you can confirm the policy is applied:
1. On the device, open the Registry Editor app.
2. Go to the Intune policy path:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\<Provider ID>\default\Device\office16~Policy~L_MicrosoftOfficemachine~L_Updates .

TIP
The <Provider ID> in the registry key changes. To find the provider ID for your device, open the Registry
Editor app, and go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled .
The provider ID is shown.

When the policy is applied, you see the following registry keys:
L_UpdateBranch
L_UpdateTargetVersion

Looking at the following example, you see L_UpdateBranch has a value similar to
<enabled /><data id="L_UpdateBranchID" value="Deferred" /> . This value means it's set to Semi-Annual
Channel:

TIP
Manage Microsoft 365 Apps with Configuration Manager lists the values, and what they mean. The registry
values are based on the distribution channel selected:
Monthly Channel - value="Current"
Monthly Channel (Targeted) - value="Current"
Semi-Annual Channel - value="Current"
Semi-Annual Channel (Targeted) - value="FirstReleaseDeferred"
Insider Fast - value="InsiderFast"

At this point, the Intune policy is successfully applied to the device.

Check the Office registry keys


1. On the device, open the Registry Editor app.
2. Go to the Office policy path:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration .
You see the following registry keys:
UpdateChannel : A dynamic key that changes, depending on the configured settings.
CDNBaseUrl : Set when Microsoft 365 installs on the device.
3. Look at the UpdateChannel value. The value tells you how frequently Office is updated. Manage Microsoft
365 Apps with Configuration Manager lists the values, and what they're set to.
Looking at the following example, you see UpdateChannel is set to
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 , which is monthly :

This example means the policy isn't applied yet, as it's still set to monthly , instead of semi-annual .
This registry key is updated when the Task Scheduler > Office Automatic Updates 2.0 runs, or when a user
signs into the device. To confirm, open the Office Automatic Updates 2.0 task > Triggers . Depending on
your triggers, it can take at least a day and more before the UpdateChannel registry key is updated.
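The two registry checks above (the Intune PolicyManager key, then the Click-to-Run Configuration key) are what you would repeat on every device you are troubleshooting. As an added example, not part of the Intune documentation, the following Windows PowerShell script performs both checks: it discovers the <Provider ID> from the AdmxInstalled key, parses the ADMX-style value data of L_UpdateBranch and L_UpdateTargetVersion, and then reports which channel Click-to-Run is actually using. The mapping of the two CDN URLs to channel names is taken from the examples in this article only; it is not a complete channel list, and the script treats any other URL as unrecognised.

```powershell
# Added example: confirm the Intune Office update policy reached the device and whether
# Click-to-Run has picked it up yet. Run in an elevated Windows PowerShell session.

$AdmxInstalled = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled'
$OfficeConfig  = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

# CDN URLs shown in this article; the channel names are the article's own examples.
$ChannelByUrl = @{
    'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Monthly'
    'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual'
}

# 1. Discover the <Provider ID>, which the article notes differs per device
$providerIds = Get-ChildItem $AdmxInstalled -ErrorAction Stop | Select-Object -ExpandProperty PSChildName

$policyValues = foreach ($id in $providerIds) {
    $key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$id\default\Device\office16~Policy~L_MicrosoftOfficemachine~L_Updates"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($name in 'L_UpdateBranch', 'L_UpdateTargetVersion') {
        if ($props.PSObject.Properties[$name]) {
            # Value data is ADMX XML, e.g. <enabled /><data id="L_UpdateBranchID" value="Deferred" />
            $xml = [xml]"<root>$($props.$name)</root>"
            [pscustomobject]@{
                ProviderId = $id
                Setting    = $name
                Enabled    = ($null -ne $xml.root.enabled)
                Value      = $xml.root.data.value
            }
        }
    }
}

if (-not $policyValues) {
    Write-Warning 'No Office update policy under PolicyManager: the Intune policy has not applied yet (check assignment and sync).'
} else {
    Write-Host 'Intune policy as delivered to the device:'
    $policyValues | Format-Table -AutoSize
}

# 2. Compare with the channel Click-to-Run is actually using
$c2r = Get-ItemProperty $OfficeConfig -ErrorAction SilentlyContinue
if ($c2r -and $c2r.UpdateChannel) {
    $channel = if ($ChannelByUrl.ContainsKey($c2r.UpdateChannel)) { $ChannelByUrl[$c2r.UpdateChannel] } else { 'unrecognised' }
    Write-Host ("Click-to-Run UpdateChannel: {0} ({1})" -f $c2r.UpdateChannel, $channel)
    Write-Host ("CDNBaseUrl set at install:  {0}" -f $c2r.CDNBaseUrl)
} else {
    Write-Warning 'ClickToRun\Configuration has no UpdateChannel value; Microsoft 365 Apps may not be installed.'
}
```

A policy row with Enabled = True and Value = Deferred alongside an UpdateChannel still reporting Monthly is the exact state the article describes: Intune has delivered the setting, but the Office Automatic Updates 2.0 task has not yet rewritten the Click-to-Run key.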

Force Office automatic updates to run


To test your policy, you can force the policy settings on the device. The following steps update the registry. As
always, be careful when updating the registry.
1. Clear the registry key:
a. Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Updates .
b. Double-select the UpdateDetectionLastRunTime key, delete the value data > OK .
2. Run the Office Automatic Updates task:
a. Open the Task Scheduler app on the device.
b. Expand Task Scheduler Library > Microsoft > Office .
c. Select Office Automatic Updates 2.0 > Run :

Wait for the task to finish, which can take several minutes.
3. In the Registry Editor app, go to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration . Check the
UpdateChannel value.
It should be updated with the value set in the policy. In our example, the value should be set to
http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 .

At this point, the Office update channel is successfully changed on the device. You can open a Microsoft 365 app
for a user that receives this update to check status.
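For a lab device, the three steps above (clear the detection timestamp, run the scheduled task, re-read UpdateChannel) can be scripted. The following Windows PowerShell script is an added example and not part of the Intune documentation; it edits HKLM and starts the Office update task, so it is meant for a test device. It assumes UpdateDetectionLastRunTime is a string value (the article only says to delete its data, which leaves an empty string), assumes a ten-minute wait is enough for the task, and uses the Semi-Annual CDN URL from this article's example as the expected result.

```powershell
# Added example: force the Office Automatic Updates 2.0 task and verify UpdateChannel.
# Run in an elevated Windows PowerShell session on a test device.

$UpdatesKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Updates'
$ConfigKey  = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$TaskPath   = '\Microsoft\Office\'
$TaskName   = 'Office Automatic Updates 2.0'
$Expected   = 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'  # Semi-Annual example from the article

$before = (Get-ItemProperty $ConfigKey -ErrorAction Stop).UpdateChannel
Write-Host "UpdateChannel before: $before"

# Step 1: clear the last-run timestamp so update detection runs again immediately
# (assumption: the value is REG_SZ; clearing its data is equivalent to an empty string)
Set-ItemProperty -Path $UpdatesKey -Name UpdateDetectionLastRunTime -Value ''

# Step 2: run the scheduled task and wait for it to leave the Running state
Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop
$deadline = (Get-Date).AddMinutes(10)   # assumed upper bound; the article says "several minutes"
do {
    Start-Sleep -Seconds 15
    $state = (Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName).State
} while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

$info = Get-ScheduledTaskInfo -TaskPath $TaskPath -TaskName $TaskName
Write-Host ("Task state: {0}; last run: {1}; last result: 0x{2:X}" -f $state, $info.LastRunTime, $info.LastTaskResult)

# Step 3: re-read the channel and compare with the value the policy should have set
$after = (Get-ItemProperty $ConfigKey).UpdateChannel
Write-Host "UpdateChannel after:  $after"
if ($after -eq $Expected) {
    Write-Host 'Office update channel now matches the Intune policy.'
} else {
    Write-Warning 'UpdateChannel still differs from the policy value; confirm the PolicyManager key shows the policy applied before forcing again.'
}
```

If the task finishes but UpdateChannel is unchanged, the cause is almost always that the Intune policy itself has not reached the device yet, which is why the article checks the PolicyManager key first.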

Force the Office synchronization to update account information


If you want to do more, you can force Office to get the latest version update. The following steps should only be
done as a confirmation, or if you need the devices to get the latest version update from that channel quickly.
Otherwise, let Office do its job, and update automatically.
Step 1: Force the Office version to update
1. Confirm the Office version supports the update channel you're choosing. Update history for Microsoft
365 Apps lists the build numbers that support the different update channels.
2. In your Intune administrative template, go to the Target Version setting, and enter the version you want.
Your Target version setting looks similar to the following setting:

IMPORTANT
Be sure to assign the policy.
If you change an existing policy, your changes affect all assigned users.
If you're testing this feature, it's recommended to create a test policy, and assign the policy to a test group of users.

Step 2: Check the Office version


Consider using the following steps to test your policy before deploying the policy to all users:
1. In the Registry Editor app, go to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\<Provider ID>\default\Device\office16~Policy~L_MicrosoftOfficemachine~L_Updates .
2. Look at the L_UpdateTargetVersion value. Once the policy applies, the value is set to the version you
entered, such as <enabled /><data id="L_UpdateTargetVersionID" value="16.0.10730.20344" /> .
At this point, the Intune policy is successfully applied to the device.
3. Next, you can force Office to update. Open an Office app, such as Excel. Choose to update now (possibly
in the Account menu).
The update takes several minutes. You can confirm Office is trying to get the version you enter:
a. On the device, go to C:\Program Files (x86)\Microsoft Office\Updates\Detection\Version .
b. Open the VersionDescriptor.xml file, and go to the <Version> section. The available version
should be the same version you entered in the Intune policy, such as:

4. After the update is installed, the Office app should show the new version (for example, on the Account
menu).

Next steps
Update channel values for Microsoft 365 clients
Overview of the Office cloud policy service for Microsoft 365 Apps
Use Windows 10 templates to configure group policy settings (ADMX templates) in Microsoft Intune
Configure Microsoft Edge policy settings in Microsoft Intune
3/5/2021 • 3 minutes to read

Using Administrative Templates in Microsoft Intune, you can create and manage Microsoft Edge policy settings
on your Windows 10 devices. Administrative Templates use the ADMX templates for Microsoft Edge.
You can configure specific Microsoft Edge settings, such as adding download restrictions, using autofill, showing
the favorites bar, and more. These settings are created in an Intune policy, and then deployed to Windows 10
devices in your organization.
This article applies to:
Windows 10 and newer
Microsoft Edge version 77 and newer
For Microsoft Edge version 45 and earlier, see Microsoft Edge Browser device restrictions.
When you use Intune to manage and enforce policies, it's similar to using Active Directory group policy, or
configuring local Group Policy Object (GPO) settings on user devices. But, Intune is 100% cloud.
This article shows you how to configure Microsoft Edge policy settings using administrative templates in
Microsoft Intune.

TIP
For information on adding the Microsoft Edge version 77+ app on Windows 10, see Add Edge app on Windows 10
devices.
For information on adding and configuring Microsoft Edge version 77+ app on macOS, see Add Edge app, and
Configure Edge app using plist.
For a list of the Microsoft Edge updates, including new policies, see the Release notes for Microsoft Edge.

Prerequisites
Windows 10 with the following minimum system requirements:
Windows 10, version 1909
Windows 10, version 1903 with KB4512941 installed
Windows 10, version 1809 with KB4512534 installed
Windows 10, version 1803 with KB4512509 installed
Windows 10, version 1709 with KB4516071 installed

Create a policy for Microsoft Edge


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Windows 10 and later .
Profile : Select Templates > Administrative Templates .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, a good profile name is ADMX: Configure Edge on Windows 10 devices .
Description : Enter a description for the profile. This setting is optional, but recommended.
Your properties look similar to the following properties:

6. Select Next .
7. In Configuration settings , the Microsoft Edge settings are available in Computer configuration and
User configuration . Microsoft Edge is shown on the right pane:
Computer configuration : Settings apply to the computer, even if no one is signed in.
User configuration : Settings apply to all users signed in to the device.

8. Select Computer Configuration > Microsoft Edge > Allow download restrictions . The policy
description and values are shown:
NOTE
See Microsoft Edge – Policies and Microsoft Edge – Update policies for the list of the available settings.

9. Close the policy description. Use search to find a specific setting you want to configure. For example,
search for "home page":

10. Select Configure the home page URL > Enabled , and set its value to https://www.bing.com :
11. Select OK . The State now shows Enabled :
12. Select Next . In Scope tags , select Next .
Scope tags are optional, and this example doesn't use them. To learn more about scope tags, and what
they do, see Use role-based access control (RBAC) and scope tags for distributed IT.
13. In Assignments , select Next .
Assignments are optional, and this example doesn't use them. In production, select Add groups . Select
an Azure Active Directory (Azure AD) group that includes users or devices that should receive this policy.
For information and guidance on assigning policies, see Assign user and device profiles in Intune.

14. In Review + create , see the summary of your changes. Select Create .
When you create the profile, your policy is automatically assigned to the users or groups you chose. If
you didn't choose any users or groups, then your policy is created, but it's not deployed.
Your new Microsoft Edge policy is shown in the list:
For more information about ADMX administrative templates, see:
Use Windows 10 templates to configure group policy settings in Microsoft Intune.
Tutorial: Use the cloud to configure group policy on Windows 10 devices with ADMX templates and Microsoft
Intune

Next steps
Microsoft Edge Enterprise landing page
Manage web access by using Microsoft Edge with Microsoft Intune
Use Windows 10 templates to configure group policy settings in Microsoft Intune
Deploy Microsoft Edge using Microsoft Intune
Use Device Firmware Configuration Interface profiles on Windows devices in Microsoft Intune
3/5/2021 • 8 minutes to read

When you use Intune to manage Autopilot devices, you can manage UEFI (BIOS) settings after they're enrolled,
using the Device Firmware Configuration Interface (DFCI). For an overview of benefits, scenarios, and
prerequisites, see Overview of DFCI.
DFCI enables Windows to pass management commands from Intune to UEFI (Unified Extensible Firmware
Interface).
In Intune, use this feature to control BIOS settings. Typically, firmware is more resilient to malicious attacks. It
limits end users' control over the BIOS, which is valuable when a device is compromised.
This feature applies to:
Windows 10 RS5 (1809) and later on supported UEFI
For example, you use Windows 10 devices in a secure environment, and want to disable the camera. You can
disable the camera at the firmware-layer, so it doesn't matter what the end user does. Reinstalling the OS or
wiping the computer won't turn the camera back on. In another example, lock down the boot options to prevent
users from booting up another OS, or an older version of Windows that doesn't have the same security features.
When you reinstall an older Windows version, install a separate OS, or format the hard drive, you can't override
DFCI management. This feature can prevent malware from communicating with OS processes, including
elevated OS processes. DFCI's trust chain uses public key cryptography, and doesn't depend on local UEFI (BIOS)
password security. This layer of security blocks local users from accessing managed settings from the device's
UEFI (BIOS) menus.

Before you begin


The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or
as a firmware update you install. Work with your device vendors to determine the manufacturers that
support DFCI, or the firmware version needed to use DFCI.
The device must be registered for Windows Autopilot by a Microsoft Cloud Solution Provider (CSP)
partner, or registered directly by the OEM.
Devices manually registered for Autopilot, such as imported from a csv file, aren't allowed to use DFCI. By
design, DFCI management requires external attestation of the device's commercial acquisition through an
OEM or a Microsoft CSP partner registration to Windows Autopilot.
Once your device is registered, its serial number is shown in the list of Windows Autopilot devices.
For more information on Autopilot, including any requirements, see Windows Autopilot registration
overview.

Create your Azure AD security groups


Autopilot deployment profiles are assigned to Azure AD security groups. Be sure to create groups that include
your DFCI-supported devices. For DFCI devices, most organizations create device groups, instead of user
groups. Consider the following scenarios:
Human Resources (HR) has different Windows devices. For security reasons, you don't want anyone in this
group to use the camera on the devices. In this scenario, you can create an HR security users group so the
policy applies to users in the HR group, whatever the device type.
On the manufacturing floor, you have 10 devices. On all devices, you want to prevent booting the devices
from a USB device. In this scenario, you can create a security devices group, and add these 10 devices to the
group.
For more information on creating groups in Intune, see Add groups to organize users and devices.

Create the profiles


To use DFCI, create the following profiles, and assign them to your group.
Create an Autopilot deployment profile
This profile sets up and pre-configures new devices. Autopilot deployment profile lists the steps to create the
profile.
Create an Enrollment State Page profile
This profile makes sure that devices are verified and enabled for DFCI during the Windows setup. It's highly
recommended to use this profile to block device use until all apps and profiles are installed. Enrollment State
Page profile lists the steps to create the profile.
Create the DFCI profile
This profile includes the DFCI settings you configure.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Choose Windows 10 and later .
Profile : Select Templates > Device Firmware Configuration Interface .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your policies so you can easily identify them
later. For example, a good profile name is Windows: Configure DFCI settings on Windows
devices .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , configure the following settings:
Allow local user to change UEFI (BIOS) settings : Your options:
Only not configured settings : The local user may change any setting except those settings
explicitly set to Enable or Disable by Intune.
None : The local user may not change any UEFI (BIOS) settings, including settings not shown in
the DFCI profile.
CPU and IO virtualization : Your options:
Not configured : Intune doesn't change or update this setting.
Enabled : The BIOS enables the platform's CPU and IO virtualization capabilities for use by the
OS. It turns on Windows Virtualization Based Security and Device Guard technologies.
Cameras : Your options:
Not configured : Intune doesn't change or update this setting.
Enabled : All built-in cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like
USB cameras, aren't affected.
Disabled : All built-in cameras directly managed by UEFI (BIOS) are disabled. Peripherals, like
USB cameras, aren't affected.
Microphones and speakers : Your options:
Not configured : Intune doesn't change or update this setting.
Enabled : All built-in microphones and speakers directly managed by UEFI (BIOS) are enabled.
Peripherals, like USB devices, aren't affected.
Disabled : All built-in microphones and speakers directly managed by UEFI (BIOS) are disabled.
Peripherals, like USB devices, aren't affected.
Radios (Bluetooth, Wi-Fi, NFC, etc.) : Your options:
Not configured : Intune doesn't change or update this setting.
Enabled : All built-in radios directly managed by UEFI (BIOS) are enabled. Peripherals, like USB
devices, aren't affected.
Disabled : All built-in radios directly managed by UEFI (BIOS) are disabled. Peripherals, like USB
devices, aren't affected.

WARNING
If you disable the Radios setting, the device requires a wired network connection. Otherwise, the device
may be unmanageable.

Boot from external media (USB, SD) : Your options:
Not configured : Intune doesn't change or update this setting.
Enabled : UEFI (BIOS) allows booting from non-hard drive storage.
Disabled : UEFI (BIOS) doesn't allow booting from non-hard drive storage.
Boot from network adapters : Your options:
Not configured : Intune doesn't change or update this setting.
Enabled : UEFI (BIOS) allows booting from built-in network interfaces.
Disabled : UEFI (BIOS) doesn't allow booting from built-in network interfaces.
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or user group that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.
Assign the profiles, and reboot
Be sure to assign the profiles to your Azure AD security groups that include your DFCI devices. The profile can
be assigned when it's created, or after.
When the device runs the Windows Autopilot, during the Enrollment Status page, DFCI may force a reboot. This
first reboot enrolls UEFI to Intune.
If you want to confirm the device is enrolled, you can reboot the device again, but it's not required. Use the
device manufacturer's instructions to open the UEFI menu, and confirm UEFI is now managed.
The next time the device syncs with Intune, Windows receives the DFCI settings. Reboot the device. This third
reboot is required for UEFI to receive the DFCI settings from Windows.

Update existing DFCI settings


If you want to change existing DFCI settings on devices that are in use, you can. In your existing DFCI profile,
change the settings, and save your changes. Since the profile is already assigned, the new DFCI settings take
effect when:
1. The device checks in with the Intune service to review profile updates. Check-ins happen at various times.
For more information, see when devices get a policy, profile, or app updates.
2. To enforce the new settings, reboot the device remotely or locally.
You can also signal devices to check in. After a successful sync, signal to reboot.

NOTE
Deleting the DFCI profile, or removing a device from the group assigned to the profile doesn't remove DFCI settings or
re-enable the UEFI (BIOS) menus. If you want to stop using DFCI, then update your existing DFCI profile. For more
information on the steps, see retire the device in this article.

Reuse, retire, or recover the device


Reuse
If you plan to reset Windows to repurpose the device, then wipe the device. Do not remove the Autopilot device
record.
After wiping the device, move the device to the group assigned the new DFCI and Autopilot profiles. Be sure to
reboot the device to rerun Windows setup.
Retire
When you're ready to retire the device and release it from management, update the DFCI profile to the UEFI
(BIOS) settings you want at the exit state. Typically, you want all settings enabled. For example:
1. Open your DFCI profile (Devices > Configuration profiles ).
2. Change the Allow local user to change UEFI (BIOS) settings to Only not configured settings .
3. Set all other settings to Not configured .
4. Save your settings.
These steps unlock the device's UEFI (BIOS) menus. The values remain the same as the profile (Enabled or
Disabled ), and aren't set back to any default OS values.
You're now ready to wipe the device. Once the device is wiped, delete the Autopilot record. Deleting the record
prevents the device from automatically re-enrolling when it reboots.
TIP
To remove Surface devices from DFCI enrollment, see removing DFCI management.
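The create-profile steps above and the retire steps in this section are the two states a DFCI profile moves between: a lockdown body that pins settings and blocks local UEFI changes, and an exit-state body that sets everything back to Not configured and unlocks the menus. The following added example (not Microsoft's code, and not from this article) builds both from the portal option labels and lints them for the two points the text warns about: disabling Radios, and a None permission that also locks settings the profile never mentions. It assumes the Microsoft Graph beta resource type windows10DeviceFirmwareConfigurationInterface and the property names in SETTING_PROPS; verify them against the Graph reference before sending the body to deviceManagement/deviceConfigurations.

```python
"""Build, lint and retire an Intune DFCI profile body (added example, not Microsoft's code).

Assumption: the Microsoft Graph beta resource type
windows10DeviceFirmwareConfigurationInterface and the property names below.
Check the Graph reference before POSTing to /beta/deviceManagement/deviceConfigurations.
"""
from typing import Dict, List

# Portal option label -> Graph enum value (assumed names).
ENABLEMENT = {"Not configured": "notConfigured", "Enabled": "enabled", "Disabled": "disabled"}
UEFI_PERMISSION = {"Only not configured settings": "notConfiguredOnly", "None": "none"}

# Portal setting label -> Graph property (assumed names), in the order the portal shows them.
SETTING_PROPS = {
    "CPU and IO virtualization": "virtualizationOfCpuAndIO",
    "Cameras": "cameras",
    "Microphones and speakers": "microphonesAndSpeakers",
    "Radios (Bluetooth, Wi-Fi, NFC, etc.)": "radios",
    "Boot from external media (USB, SD)": "bootFromExternalMedia",
    "Boot from network adapters": "bootFromBuiltInNetworkAdapters",
}


def build_dfci_profile(name: str, allow_local_change: str,
                       settings: Dict[str, str], description: str = "") -> Dict[str, str]:
    """Translate the portal choices into a Graph request body.

    Settings not named in `settings` stay "Not configured", exactly like a
    dropdown left untouched in the portal.
    """
    if allow_local_change not in UEFI_PERMISSION:
        raise ValueError(f"unknown UEFI permission option: {allow_local_change!r}")
    body = {
        "@odata.type": "#microsoft.graph.windows10DeviceFirmwareConfigurationInterface",
        "displayName": name,
        "description": description,
        "changeUefiSettingsPermission": UEFI_PERMISSION[allow_local_change],
    }
    for label, prop in SETTING_PROPS.items():
        choice = settings.get(label, "Not configured")
        if choice not in ENABLEMENT:
            raise ValueError(f"{label}: unknown option {choice!r}")
        # The portal offers only Not configured / Enabled for virtualization.
        if label == "CPU and IO virtualization" and choice == "Disabled":
            raise ValueError(f"{label} cannot be set to Disabled")
        body[prop] = ENABLEMENT[choice]
    return body


def lint_dfci_profile(body: Dict[str, str]) -> List[str]:
    """Warnings a reviewer should raise before the profile is assigned."""
    warnings: List[str] = []
    if body["radios"] == "disabled":
        warnings.append("Radios disabled: devices need a wired network connection, "
                        "otherwise they may become unmanageable.")
    if body["changeUefiSettingsPermission"] == "none":
        warnings.append("Local UEFI changes blocked for every setting, including "
                        "settings not shown in this profile.")
    managed = [p for p in SETTING_PROPS.values() if body[p] != "notConfigured"]
    if not managed and body["changeUefiSettingsPermission"] == "notConfiguredOnly":
        warnings.append("Profile manages no setting and unlocks all menus: this is an "
                        "exit-state (retire) profile, not a lockdown profile.")
    return warnings


def retire_profile(body: Dict[str, str]) -> Dict[str, str]:
    """Exit-state version of a profile: unlock the UEFI menus and stop managing
    every setting. Values already on the device keep their last Enabled/Disabled
    state; DFCI does not reset them to any default."""
    exit_body = dict(body)
    exit_body["changeUefiSettingsPermission"] = "notConfiguredOnly"
    for prop in SETTING_PROPS.values():
        exit_body[prop] = "notConfigured"
    return exit_body


if __name__ == "__main__":
    lockdown = build_dfci_profile(
        "Windows: Configure DFCI settings on Windows devices", "None",
        {"Boot from external media (USB, SD)": "Disabled", "Cameras": "Disabled"},
    )
    print(lockdown)
    print(lint_dfci_profile(lockdown))
    print(lint_dfci_profile(retire_profile(lockdown)))
```

Run the lint on the exit-state body as well as the lockdown body: the retire profile is supposed to manage nothing, and the third warning makes that intent visible in a change review, so nobody mistakes an unlock profile for a hardening profile.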

Recover
If you wipe a device, and delete the Autopilot record before unlocking the UEFI (BIOS) menus, then the menus
remain locked. Intune can't send profile updates to unlock them.
To unlock the device, open the UEFI (BIOS) menu, and refresh management from network. Recovery unlocks the
menus, but leaves all UEFI (BIOS) settings set to the values in the previous Intune DFCI profile.

End user impact


When the DFCI policy is applied, local users can't change settings configured by DFCI, even if the UEFI (BIOS)
menu is password protected. Depending on the settings you configure, end users may receive errors that
hardware components aren't found, or can't be diagnosed. Be sure to provide documentation to end users
explaining the options you've disabled.

Next steps
After the profile is assigned, monitor its status.
Configure Domain Join settings for hybrid Azure AD joined devices in Microsoft Intune
3/5/2021 • 2 minutes to read

Many environments use on-premises Active Directory (AD). When AD domain-joined devices are also joined to
Azure AD, they're called hybrid Azure AD joined devices. Using Windows Autopilot, you can enroll hybrid Azure
AD joined devices in Intune. To enroll, you also need a Domain Join configuration profile.
A Domain Join configuration profile includes on-premises Active Directory domain information. While devices
are being provisioned (typically offline), this profile deploys the AD domain details so devices know which on-
premises domain to join. If you don't create a domain join profile, these devices might fail to deploy.
This feature applies to:
Windows 10 and newer
Hybrid Azure AD joined devices
Hybrid deployment with Autopilot + Intune
This article shows you how to create a domain join profile for a hybrid Autopilot deployment. You can also see
the available settings.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Windows 10 and later .
Profile : Select Templates > Domain Join .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the policy. Name your policies so you can easily identify them
later. For example, a good policy name is Windows 10: Windows Autopilot domain join .
Description : Enter a description for the policy. This setting is optional, but recommended. For
example, enter Windows 10: Domain join profile that includes on-premises domain
information to enroll hybrid AD joined devices with Windows Autopilot .
6. Select Next .
7. In Configuration settings , enter the following properties:
Computer name prefix : Enter a prefix for the device name. Computer names are 15 characters
long. After the prefix, the remaining 15 characters are randomly generated.
Domain name : Enter the Fully Qualified Domain Name (FQDN) the devices are to join. For
example, enter americas.corp.contoso.com.
Organizational unit (optional): Enter the full path (distinguished name) of the organizational unit
(OU) in which the computer accounts are to be created. For example, enter OU=Mine,DC=Contoso,DC=com .
Don't enter quotation marks. To use the well-known computer object container (CN=Computers,
DC=Contoso, DC=Com), leave this property blank.
For more information and advice on this setting, see Deploy hybrid Azure AD-joined devices.
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the device groups that will receive your profile. For more information about
assigning profiles, see Assign user and device profiles.
If you need to join devices to different domains or OUs, create different device groups.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
It's now ready for you to deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot.
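The three Configuration settings above each carry a constraint worth checking before the profile is saved: the prefix has to leave room inside the 15-character computer name, the domain must be a fully qualified name, and the OU is a distinguished name entered without quotation marks (blank meaning the well-known Computers container). The following added example (not Intune's code) validates those fields in one pass; it assumes the OU must live in the domain being joined, which is why it compares the DC= components with the domain name (the two sample values on the page above, americas.corp.contoso.com and OU=Mine,DC=Contoso,DC=com, are independent illustrations and would not pass that check together).

```python
"""Validate the Domain Join profile fields before creating the profile.

Added example, not Intune code. The limits are the ones the page states:
computer names are 15 characters, the OU is a distinguished name without
quotation marks, and a blank OU means the well-known Computers container.
Assumption: the OU must be inside the domain the device joins.
"""
import re
from typing import Dict, List

MAX_COMPUTER_NAME = 15  # total length stated on the page (NetBIOS limit)
DEFAULT_CONTAINER_RDN = "CN=Computers"  # well-known container used when OU is blank

FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
RDN_RE = re.compile(r"^(OU|CN|DC)=[^,=]+$", re.I)


def _domain_to_dc(domain: str) -> str:
    """americas.corp.contoso.com -> DC=americas,DC=corp,DC=contoso,DC=com"""
    return ",".join(f"DC={label}" for label in domain.lower().split("."))


def validate_domain_join(prefix: str, domain: str, ou: str = "") -> Dict[str, object]:
    problems: List[str] = []

    # Computer name prefix: whatever the prefix leaves of the 15 characters is random.
    if not prefix:
        problems.append("prefix is empty")
    elif not re.fullmatch(r"[A-Za-z0-9-]+", prefix):
        problems.append("prefix must contain only letters, digits or hyphens")
    if len(prefix) >= MAX_COMPUTER_NAME:
        problems.append(f"prefix must be shorter than {MAX_COMPUTER_NAME} characters "
                        "to leave room for the random suffix")

    # Domain name: a fully qualified DNS name, e.g. americas.corp.contoso.com.
    if not FQDN_RE.match(domain):
        problems.append(f"domain {domain!r} is not a fully qualified domain name")

    # Organizational unit: optional distinguished name, entered without quotation marks.
    ou = ou.strip()
    if not ou:
        container = f"{DEFAULT_CONTAINER_RDN},{_domain_to_dc(domain)}"
    else:
        container = ou
        if '"' in ou or "'" in ou:
            problems.append("do not enter quotation marks around the OU")
        rdns = [part.strip() for part in ou.split(",")]
        if not all(RDN_RE.match(r) for r in rdns):
            problems.append("OU must be a distinguished name such as OU=Mine,DC=Contoso,DC=com")
        else:
            if not rdns[0].upper().startswith("OU="):
                problems.append("first component of the OU path must be an OU=")
            dc_part = ".".join(r.split("=", 1)[1] for r in rdns if r.upper().startswith("DC="))
            if dc_part.lower() != domain.lower():
                problems.append(f"OU lives in {dc_part!r}, not in the target domain {domain!r}")

    return {
        "ok": not problems,
        "problems": problems,
        "container": container,
        "random_suffix_length": max(MAX_COMPUTER_NAME - len(prefix), 0),
    }


if __name__ == "__main__":
    print(validate_domain_join("CONTOSO-", "americas.corp.contoso.com",
                               "OU=Autopilot,DC=americas,DC=corp,DC=contoso,DC=com"))
    print(validate_domain_join("PC-", "contoso.com"))
```

A short prefix gives the random part more characters to work with; a prefix of 14 characters leaves a single random character, so name collisions within a large OU become likely. Keep the prefix to the few characters you need to recognise the deployment.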

Next steps
After the profile is assigned, monitor its status.
Deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot.
Delivery Optimization settings in Microsoft Intune
3/5/2021 • 3 minutes to read

With Intune, use Delivery Optimization settings for your Windows 10 devices to reduce bandwidth consumption
when those devices download applications and updates. Configure Delivery Optimization as part of your device
configuration profiles.
This article describes how to configure Delivery Optimization settings as part of a device configuration profile.
After you create a profile, you then assign or deploy that profile to your Windows 10 devices.
To view a list of the Delivery Optimization settings that Intune supports, see Delivery Optimization settings for
Intune.
To learn about Delivery Optimization on Windows 10, see Delivery Optimization updates in the Windows
documentation.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Windows 10 and later .
Profile : Select Templates > Delivery Optimization .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the new profile.
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. On the Configuration settings page, define how you want updates and apps to download. For
information about available settings, see Delivery Optimization settings for Intune.
When you're done configuring settings, select Next .
8. On the Scope (Tags) page, select Select scope tags to open the Select tags pane to assign scope tags
to the profile.
Select Next to continue.
9. On the Assignments page, select the groups that will receive this profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
10. On the Applicability Rules page, use the Rule , Property , and Value options to define how this profile
applies within assigned groups.
11. On the Review + create page, when you're done, choose Create . The profile is created and is shown in
the list.
The next time each device checks in, the policy is applied.

Remove Delivery Optimization from Windows 10 Update Rings


Delivery Optimization was previously configured as part of Software Update Rings. Beginning in February of
2019, Delivery Optimization settings are configured as part of a Delivery Optimization device configuration
profile, which includes additional settings that affect more than Software Update delivery to devices. If you
haven't already, remove the Delivery Optimization setting from your Update Rings by setting it to Not
configured, and then use a Delivery Optimization profile to manage the larger range of available options.
1. Create a Delivery Optimization device configuration profile:
a. In the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles >
Create profile .
b. Enter the following properties:
Platform : Select Windows 10 and later .
Profile : Select Templates > Delivery Optimization .
c. Select Create .
d. In Basics , enter the following properties:
Name : Enter a descriptive name for the new profile.
Description : Enter a description for the profile. This setting is optional, but recommended.
e. Select Next .
f. In Configuration settings > Download mode , choose the same mode that's used by the
existing software update ring unless you want to change the settings you apply to your devices.
Your options:
Not configured
HTTP only, no peering
HTTP blended with peering behind the same NAT
HTTP blended with peering across a private group
HTTP blended with Internet peering
Simple download mode with no peering
Bypass mode
g. Configure any additional settings you want to manage, and continue creating the profile.
In Assignments , assign this new profile to the same devices and users as the existing software
update ring. For more information, see assign the profile.
2. Unconfigure the existing software ring:
a. In the Microsoft Endpoint Manager admin center, go to Software updates > Windows 10 Update
Rings.
b. In the list, select your update ring.
c. In the settings, set Delivery Optimization download mode to Not configured .
d. OK > Save your changes.
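The two steps above leave a window in which both the update ring and the new profile set the download mode, and a mismatch between them is the usual cause of devices ending up in an unexpected mode. The following added example (not Intune's code) is a small pre-change check for that migration: it maps the Download mode labels the page lists to the DODownloadMode values Windows actually stores (the value you see when verifying a device with Get-DeliveryOptimizationStatus or under the DeliveryOptimization policy keys), reports which source wins, and flags the conflicts a reviewer should clear before assigning the profile.

```python
"""Plan the move of Delivery Optimization from an Update Ring to a DO profile.

Added example, not Intune code. The mode labels are the ones the page lists;
the numeric values are the Windows DODownloadMode policy values that the
Delivery Optimization CSP and Group Policy write on the device.
"""
from typing import Dict, List, Optional

NOT_CONFIGURED = "Not configured"

# Intune Download mode label -> DODownloadMode value on the device.
DOWNLOAD_MODES: Dict[str, int] = {
    "HTTP only, no peering": 0,
    "HTTP blended with peering behind the same NAT": 1,
    "HTTP blended with peering across a private group": 2,
    "HTTP blended with Internet peering": 3,
    "Simple download mode with no peering": 99,
    "Bypass mode": 100,
}
PEERING_MODES = {1, 2, 3}  # modes that exchange content with other devices
INTERNET_PEERING = 3       # peers with devices outside your own network


def plan_migration(ring_mode: str, profile_mode: str) -> Dict[str, object]:
    """Compare the Update Ring's DO setting with the new DO profile.

    Returns the DODownloadMode value devices end up with (None when nothing
    sets it, so the Windows default applies) plus the findings a reviewer
    should resolve before assigning the profile.
    """
    for label in (ring_mode, profile_mode):
        if label != NOT_CONFIGURED and label not in DOWNLOAD_MODES:
            raise ValueError(f"unknown download mode: {label!r}")

    findings: List[str] = []
    if ring_mode != NOT_CONFIGURED:
        findings.append("Update Ring still sets Delivery Optimization; set it to "
                        "Not configured so only the DO profile manages the devices.")
        if profile_mode != NOT_CONFIGURED and ring_mode != profile_mode:
            findings.append(f"Ring mode {ring_mode!r} differs from profile mode "
                            f"{profile_mode!r}; two sources now disagree on one setting.")
    if profile_mode == NOT_CONFIGURED and ring_mode == NOT_CONFIGURED:
        findings.append("Neither the ring nor the profile sets a download mode; "
                        "devices fall back to the Windows default.")

    # The profile is the intended source of truth; the ring only matters until it is cleared.
    source = profile_mode if profile_mode != NOT_CONFIGURED else ring_mode
    value: Optional[int] = DOWNLOAD_MODES.get(source)
    if value == INTERNET_PEERING:
        findings.append("Internet peering exchanges content with devices outside your "
                        "network; confirm that is intended.")
    return {"dodownloadmode": value, "peering": value in PEERING_MODES, "findings": findings}


if __name__ == "__main__":
    same = "HTTP blended with peering behind the same NAT"
    print(plan_migration(same, same))            # ring not yet cleared
    print(plan_migration(NOT_CONFIGURED, same))  # migration complete
```

Once the ring is set to Not configured, the second call returns no findings and the value 1; that is the number to expect on a device that has synced the new profile.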

Next steps
After you assign the profile, monitor its status.
View the Delivery Optimization settings for Intune.
Upgrade Windows 10 editions or switch out of S mode on devices using Microsoft Intune
3/5/2021 • 3 minutes to read

As part of your mobile device management (MDM) solution, you may want to upgrade your Windows 10
devices. For example, you want to upgrade your Windows 10 Professional devices to Windows 10 Enterprise. Or,
you want the device to switch out of S mode.
Windows 10 S mode (opens another Microsoft web site) is designed for security and performance. You can use
Intune to switch out of S mode. Switching out of S mode is one-way: once you switch out of S mode, you
can't go back to Windows 10 S mode.
See some commonly-asked questions about S mode.
This feature applies to:
Windows 10 and newer
Windows 10 1809 and newer for S mode
Windows Holographic for Business
These features are available in Intune, and are configurable by the administrator. Intune uses "configuration
profiles" to create and customize these settings for your organization's needs. After you add these features in a
profile, you can then push or deploy the profile to Windows 10 devices in your organization. When you deploy
the profile, Intune automatically upgrades the devices or switches out of S mode.
This article lists the supported upgrade paths, and shows you how to create the device configuration profile. You
can also see all the available upgrade and S mode settings for Windows 10.

NOTE
If you remove the policy assignment later, the version of Windows on the device isn't reverted. The device continues to
run normally.

Prerequisites
Before you upgrade devices, be sure you have the following prerequisites:
A valid product key to install the updated Windows version on all devices that you target with the policy (for
Windows 10 Desktop editions). You can use either Multiple Activation Keys (MAK) or Key Management
Server (KMS) keys.
For Windows 10 Holographic editions, you can use a Microsoft license file. The license file includes the
licensing information to install the updated edition on all devices that you target with the policy.
The Windows 10 devices you assign the policy are enrolled in Microsoft Intune.

Supported upgrade paths


The following table lists the supported upgrade paths for the Windows 10 edition upgrade profile.
UPGRADE FROM                          UPGRADE TO
Windows 10 Pro                        Windows 10 Education; Windows 10 Enterprise; Windows 10 Pro Education
Windows 10 Pro N edition              Windows 10 Education N edition; Windows 10 Enterprise N edition; Windows 10 Pro Education N edition
Windows 10 Pro Education              Windows 10 Education
Windows 10 Pro Education N edition    Windows 10 Education N edition
Windows 10 Cloud                      Windows 10 Education; Windows 10 Enterprise; Windows 10 Pro; Windows 10 Pro Education
Windows 10 Cloud N edition            Windows 10 Education N edition; Windows 10 Enterprise N edition; Windows 10 Pro N edition; Windows 10 Pro Education N edition
Windows 10 Enterprise                 Windows 10 Education
Windows 10 Enterprise N edition       Windows 10 Education N edition
Windows 10 Core                       Windows 10 Education; Windows 10 Enterprise; Windows 10 Pro Education
Windows 10 Core N edition             Windows 10 Education N edition; Windows 10 Enterprise N edition; Windows 10 Pro Education N edition
Windows 10 Holographic                Windows 10 Holographic for Business

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Windows 10 and later .
Profile : Select Templates > Edition upgrade and mode switch .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the new profile. For example, enter something like
Windows 10 edition upgrade profile or Windows 10 switch off S mode .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , enter the settings you want to configure. For a list of all settings, and what
they do, see:
Windows 10 upgrade and S mode
Windows Holographic for Business
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or user group that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.

Next steps
After the profile is assigned, monitor its status.
See the upgrade and S mode settings for Windows 10 and Windows Holographic for Business devices.
Add iOS, iPadOS, or macOS device feature settings in Intune
3/5/2021 • 9 minutes to read

Intune includes many features and settings that help administrators control iOS, iPadOS, and macOS devices.
For example, administrators can:
Allow users access to AirPrint printers in your network
Add apps and folders to the home screen, including adding new pages
Choose if and how app notifications are shown
Configure the lock screen to show a message or the asset tag, especially for shared devices
Give users a secure single sign-on experience to share credentials between apps
Filter web sites that use adult language and allow or block specific web sites
Intune uses "configuration profiles" to create and customize these settings for your organization's needs. After
you add these features in a profile, you then push or deploy the profile to iOS/iPadOS and macOS devices in
your organization.
This feature applies to:
iOS/iPadOS
macOS
This article describes the different features you can configure, and shows you how to create a device
configuration profile. You can also see all the available settings for iOS/iPadOS and macOS devices.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Choose your platform:
iOS/iPadOS
macOS
Profile : Select Device features . Or, select Templates > Device features .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the policy. Name your policies so you can easily identify them
later. For example, a good policy name is macOS: Configures login screen .
Description : Enter a description for the policy. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , depending on the platform you chose, the settings you can configure are
different. Choose your platform for detailed settings:
iOS/iPadOS
macOS
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or groups that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.

AirPrint
AirPrint is an Apple feature that allows devices to print to files over a wireless network. In Intune, you can add
AirPrint information to devices.
For a list of the settings you can configure in Intune, see AirPrint on iOS/iPadOS and AirPrint on macOS.
For more information on AirPrint, see About AirPrint on Apple's web site.
Applies to:
iOS 7.0 and newer
iPadOS 13.0 and newer
macOS 10.10 and newer

App notifications
Choose how apps on your iOS and iPadOS devices receive notifications. For example, send app notifications so
they show in the notification center, show on the lock screen, or play a sound.
For a list of the settings you can configure in Intune, see App notifications on iOS/iPadOS.
For more information on this feature, see Notifications on Apple's web site.
Applies to:
iOS 9.3 and newer
iPadOS 13.0 and newer

Associated domains
Associated domains allow you to create a relationship between your domains, such as contoso.com , and your
apps. This feature allows you to:
Share data and sign in credentials between apps and websites in your organization.
Use app features that are based on your website, such as single sign-on app extension, universal links,
and password autofill.
For example, create an associated domain to allow password autofill to recommend credentials, such as a
password, for websites associated with your app.
For a list of the settings you can configure in Intune, see Associated domains on macOS.
For more information on this feature, see Setting Up an App's Associated Domains on Apple's web site.
Applies to:
macOS 10.15 and newer

Home screen layout


These settings configure the app layout and folders on the home screen and dock. You can also see in real time
how most apps and their icons look. Specifically:
Use the Home screen settings to add apps and folders to the home screen on devices.
Use the Dock settings to add apps or folders to the dock on the screen. For example, show Safari and the
Mail app on the device dock.
For a list of the settings you can configure in Intune, see Home screen layout on iOS/iPadOS.
Applies to:
iOS 9.3 and newer
iPadOS 13.0 and newer

Lock screen message


Use these settings to show a custom message or text on the sign in window and lock screen. For example, you
can enter an "If lost, return to ..." message, and show asset tag information.
For a list of the settings you can configure in Intune, see Lock screen message settings on iOS/iPadOS.
For more information on Lock Screen Message, see LockScreenMessage on Apple's web site.
Applies to:
iOS 9.3 and newer
iPadOS 13.0 and newer

Login items
Use this feature to choose the apps, custom apps, files, and folders that open when users sign in to the devices.
For a list of the settings you can configure in Intune, see Login items on macOS.
Applies to:
macOS 10.13 and newer

Login window
Control the appearance of the login screen and functions available to users before they sign in. For example, add
a banner with a custom message, choose if the sleep button is shown, and more.
For a list of the settings you can configure in Intune, see Login window on macOS.
Applies to:
macOS 10.7 and newer
Single sign-on
Most Line of Business (LOB) apps require some level of user authentication to support security. In many cases,
the authentication requires users to enter the same credentials repeatedly. To improve the user experience,
developers can create apps that use single sign-on (SSO). Using single sign-on reduces the number of times a
user must enter credentials.
The single sign-on profile is based on Kerberos. Kerberos is a network authentication protocol that uses secret
key cryptography to authenticate client-server applications. The Intune settings define Kerberos account
information when accessing servers or specific apps, and handle Kerberos challenges for web pages and native
apps. Apple recommends you use the Kerberos SSO app extension (in this article) settings instead of the SSO
settings.
To use single sign-on, be sure you have:
An app that's coded to look for the user credential store in single sign-on on the device.
Intune configured for iOS/iPadOS device single sign-on.
For a list of the settings you can configure in Intune, see Single sign-on on iOS/iPadOS.
Applies to:
iOS 7.0 and newer
iPadOS 13.0 and newer

Single sign-on app extension


These settings configure an app extension that enables single sign-on (SSO) for your iOS, iPadOS, and macOS
devices. Most Line of Business (LOB) apps and organization websites require some level of secure user
authentication. In many cases, authentication requires users to enter the same credentials repeatedly. SSO gives
users access to apps and websites after entering their credentials once. SSO also provides a better
authentication experience for users, and reduces the number of repeated prompts for credentials.
In Intune, use these settings to configure an SSO app extension created by your organization, your identity
provider, Microsoft, or Apple. The SSO app extension handles authentication for your users. These settings
configure redirect-type and credential-type SSO app extensions.
The redirect type is designed for modern authentication protocols, such as OpenID Connect, OAuth, and
SAML2. You can choose between the Microsoft Azure AD SSO extension (Microsoft Enterprise SSO plug-
in) and a generic redirect extension.

IMPORTANT
The Microsoft Azure AD SSO extension is in public preview. This preview version is provided without a service level
agreement (SLA). It's not recommended to use in production. Certain features might not be supported, or might
have restricted behavior. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

The credential type is designed for challenge-and-response authentication flows. You can choose between
a Kerberos-specific credential extension provided by Apple, and a generic credential extension.
The Azure AD macOS SSO app extension should work with any third party or partner MDM. The
extension must be deployed as a Kerberos SSO extension, or deployed as a custom configuration profile
with all the required properties configured.
For a list of the settings you can configure in Intune, see iOS/iPadOS SSO app extension and macOS SSO app
extension.
For more information on developing an SSO app extension, watch Extensible Enterprise SSO on Apple's web
site. To read Apple's description of the feature, visit Single Sign-On Extensions payload settings.

NOTE
The Single sign-on app extension feature is different than the Single sign-on feature:
The Single sign-on app extension settings apply to iPadOS 13.0 (and newer), iOS 13.0 (and newer), and
macOS 10.15 (and newer). Single sign-on settings apply to iPadOS 13.0 (and newer) and iOS 7.0 and newer.
The Single sign-on app extension settings define extensions for use by identity providers or organizations to
deliver a seamless enterprise sign-on experience. The Single sign-on settings define Kerberos account
information for when users access servers or apps.
The Single sign-on app extension uses the Apple operating system to authenticate. So, it might provide an
end-user experience that's better than Single sign-on .
From a development perspective, with Single sign-on app extension , you can use any type of redirect SSO or
credential SSO authentication. With Single sign-on , you can only use Kerberos SSO authentication.
The Kerberos Single sign-on app extension was developed by Apple and is built into the iOS/iPadOS 13.0+
and macOS 10.15+ platforms. The built-in Kerberos extension can be used to log users into native apps and
websites that support Kerberos authentication. Single sign-on is not an Apple implementation of Kerberos.
The built-in Kerberos Single sign-on app extension handles Kerberos challenges for web pages and apps just
like Single sign-on . However, the built-in Kerberos extension supports password changes and behaves better in
enterprise networks. When deciding between the Kerberos Single sign-on app extension and Single sign-on ,
we recommend using the extension due to improved performance and capabilities.

Applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
macOS 10.15 and newer

Wallpaper
Add a custom .png, .jpg, or .jpeg image to your supervised iOS/iPadOS devices. For example, use Intune to add a
company logo to the lock screen on your devices.
For a list of the settings you can configure in Intune, see Wallpaper on iOS/iPadOS.
Applies to:
iOS
iPadOS 13.0 and newer

Web content filter


These settings use Apple's built-in AutoFilter algorithm to evaluate web pages, and block adult content and adult
language. You can also create a list of allowed web links and restricted web links. For example, you can allow
only contoso web sites to open.
For a list of the settings you can configure in Intune, see Web content filter on iOS/iPadOS.
Applies to:
iOS 7.0 and newer
iPadOS 13.0 and newer
Next steps
The profile is created, but it may not be doing anything yet. Next, assign the profile and monitor its status.
View all the device feature settings for iOS/iPadOS and macOS devices.
Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS and macOS devices in Microsoft Intune
5/28/2021 • 6 minutes to read

The Microsoft Enterprise SSO plug-in (preview) provides a single sign-on (SSO) to apps and websites that use
Microsoft Azure Active Directory (AD) for authentication, including Microsoft 365. This plug-in uses the Apple
single sign on app extension. It reduces the number of authentication prompts users get when using devices
managed by Mobile Device Management (MDM), including Microsoft Intune.
Once set up, apps that support the Microsoft Authentication Library (MSAL) automatically take advantage of the
Microsoft Enterprise SSO plug-in (preview). Apps that don't support MSAL can be allowed to use the extension.
Just add the application bundle ID or prefix to the extension configuration.
For example, to allow a Microsoft app that doesn't support MSAL, add com.microsoft. to the
AppPrefixAllowList property. Be careful with the apps you allow. They automatically use the user's credentials
to authenticate.
For more information, see Microsoft Enterprise SSO plug-in for Apple devices - apps that don't use MSAL.
This feature applies to:
iOS/iPadOS
macOS
This article shows how to deploy the Microsoft Enterprise SSO plug-in (preview) for Apple Devices with Intune.

IMPORTANT
The Microsoft Enterprise SSO plug-in for Apple Devices is in public preview. This preview version is provided without a
service level agreement (SLA). It's not recommended to use in production. Certain features might not be supported or
might have restricted behavior. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Prerequisites
To use the Microsoft Enterprise SSO plug-in for Apple devices:
The device must support the plug-in:
iOS/iPadOS 13.0 and newer
macOS 10.15 and newer
On iOS/iPadOS 13.0 and newer devices, install the Microsoft Authenticator app.
The Microsoft Authenticator app can be installed manually by users, or by deploying an app policy in
Intune. For information on how to install the Microsoft Authenticator app, see Manage Apple volume-purchased apps.
On macOS 10.15 and newer devices, install the Company Portal app.
The Company Portal app can be installed manually by users, or by deploying an app policy in Intune. For
a list of options on how to install the Company Portal app, see Add the Company Portal for macOS app.
NOTE
On Apple devices, Apple requires that the SSO app extension and the app (Authenticator or Company Portal) be installed.
Users don't need to use the Authenticator or Company Portal apps; they just need to be installed on the device.

Microsoft Enterprise SSO plug-in vs. Kerberos SSO extension


In Intune, when you use the SSO app extension, you use Microsoft Azure AD or Kerberos for authentication.
The SSO app extension is designed to improve the sign-in experience for apps and websites that use these
authentication methods.
The Microsoft Enterprise SSO plug-in uses the SSO app extension with Microsoft Azure AD authentication.
The Microsoft Azure AD and Kerberos extension types can both be used on a device. Be sure to create separate
device profiles.
To determine the correct SSO extension type for your scenario, use the following table:

Microsoft Enterprise SSO plug-in for Apple devices:
- Uses the Microsoft Azure AD SSO app extension type
- Supports Microsoft 365, and apps, websites or services integrated with Azure AD

Single sign-on app extension with Kerberos:
- Uses the Kerberos SSO app extension type
- Supports apps, websites or services integrated with AD

For more information on the single sign-on extension, see Single sign-on app extension.

Create a single sign-on app extension configuration profile


In the Microsoft Endpoint Manager admin center, you create a device configuration profile. This profile includes
the settings to configure the SSO app extension on devices.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Choose your platform:
iOS/iPadOS
macOS
Profile : Select Device features . Or, select Templates > Device features .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the policy. Name your policies so you can easily identify them
later. For example, a good policy name is iOS: Microsoft Enterprise SSO plug-in or macOS:
Microsoft Enterprise SSO plug-in .
Description : Enter a description for the policy. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , select Single sign-on app extension , and configure the following
properties:
SSO app extension type : Select Microsoft Azure AD .
Enable shared device mode :
Not configured : Intune doesn't change or update this setting. For most scenarios, including
Shared iPad, personal devices, and devices with or without user affinity, select this option.
Yes : Select this option if the targeted devices are using Azure AD Shared device mode. For
more information, see Shared device mode overview.
App bundle ID : Enter a list of bundle IDs for apps that don't support MSAL and are allowed to
use SSO. For more information, see Applications that don't use MSAL.
Additional configuration : To customize the end user experience, you can add the following
properties.

Key: AppPrefixAllowList
Type: String
Value: Enter a list of prefixes for apps that don't support MSAL and are allowed to use SSO. For example,
enter com.microsoft. to allow all Microsoft apps. Be sure these apps meet the allowlist requirements.

Key: browser_sso_interaction_enabled
Type: Integer
Value: When set to 1, users can sign in from the Safari browser, and from apps that don't support MSAL.
Enabling this setting allows users to bootstrap the extension from Safari or other apps.

Key: browser_sso_disable_mfa
Type: Integer
Value: Set to 0 (default) to require the Microsoft Enterprise SSO plug-in to use multi-factor authentication
(MFA) during bootstrap. Requiring MFA during bootstrap reduces prompts for MFA in apps that are protected by
conditional access and require MFA. Microsoft recommends MFA be enabled to increase security and improve the
user experience. Set to 1 to disable MFA in bootstrap. Users are then prompted by each individual app that
requires MFA.

Key: disable_explicit_app_prompt
Type: Integer
Value: Some apps might incorrectly enforce end-user prompts at the protocol layer. If you see this problem,
users are prompted to sign in, even though the Microsoft Enterprise SSO plug-in works for other apps. When set
to 1 (one), you reduce these prompts.

TIP
For more information on these properties, and other properties you can configure, see Microsoft
Enterprise SSO plug-in for Apple devices (preview).

8. Continue creating the profile, and assign the profile to the users or groups that will receive these settings.
For the specific steps, see Create the profile.
For guidance on assigning profiles, see Assign user and device profiles.
When the device checks in with the Intune service, it will receive this profile. For more information, see How
long does it take for devices to get a policy.
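The following Python script is an added example and is not code from this page, from Intune, or from Microsoft. It builds the Apple extensible single sign-on payload that the Single sign-on app extension template in step 7 produces for the Microsoft Enterprise SSO plug-in, validates the Additional configuration keys from the table above, and models which apps the App bundle ID and AppPrefixAllowList settings let use the extension. The extension identifiers, team identifiers, sign-in URLs, and the AppAllowList key are assumptions taken from Microsoft's Enterprise SSO plug-in documentation rather than from this page; the payload identifier is hypothetical.

```python
"""Added example, not Microsoft's or Intune's code. Builds the Apple
extensible single sign-on payload that the template in step 7 produces for
the Microsoft Enterprise SSO plug-in, checks the Additional configuration
keys from the table above, and models which apps the allow lists admit."""
import plistlib
import uuid

# ASSUMPTION: extension and team identifiers as published in Microsoft's
# Enterprise SSO plug-in documentation. They are not on this page; verify
# them against the current documentation before deploying.
PLUGIN_IDS = {
    "ios": ("com.microsoft.azureauthenticator.ssoextension", "SGGM6D27TK"),
    "macos": ("com.microsoft.CompanyPortalMac.ssoextension", "UBF8T346G9"),
}
# ASSUMPTION (same source): sign-in URLs the redirect extension intercepts.
AAD_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
]
# Integer keys from the table above; the text gives each a 0/1 range.
INTEGER_KEYS = (
    "browser_sso_interaction_enabled",
    "browser_sso_disable_mfa",
    "disable_explicit_app_prompt",
)


def validate_extension_data(data):
    """Return (errors, warnings) for an ExtensionData dictionary."""
    errors, warnings = [], []
    for key in INTEGER_KEYS:
        if key in data and data[key] not in (0, 1):
            errors.append(f"{key} must be 0 or 1, got {data[key]!r}")
    if data.get("browser_sso_disable_mfa") == 1:
        warnings.append("browser_sso_disable_mfa=1 skips MFA at bootstrap; "
                        "the default of 0 is recommended")
    for prefix in data.get("AppPrefixAllowList", "").split(","):
        if prefix and not prefix.endswith("."):
            warnings.append(f"prefix {prefix!r} has no trailing dot, so it also "
                            f"matches look-alike IDs such as {prefix}x.app")
    return errors, warnings


def build_extension_data(bundle_ids=(), prefixes=(), **options):
    """ExtensionData as Intune sends it: comma-separated allow lists plus
    the integer options. ASSUMPTION: AppAllowList is the key behind the
    "App bundle ID" setting, per Microsoft's plug-in documentation."""
    data = {}
    if bundle_ids:
        data["AppAllowList"] = ",".join(bundle_ids)
    if prefixes:
        data["AppPrefixAllowList"] = ",".join(prefixes)
    data.update(options)
    errors, _ = validate_extension_data(data)
    if errors:
        raise ValueError("; ".join(errors))
    return data


def app_can_use_sso(bundle_id, data, uses_msal=False):
    """Documented allow-list semantics: MSAL apps always use the plug-in;
    any other app only if listed by exact bundle ID or by prefix."""
    if uses_msal:
        return True
    allowed = [b for b in data.get("AppAllowList", "").split(",") if b]
    prefixes = [p for p in data.get("AppPrefixAllowList", "").split(",") if p]
    return bundle_id in allowed or any(bundle_id.startswith(p) for p in prefixes)


def build_sso_payload(platform, data):
    """Apple com.apple.extensiblesso payload (Redirect type) for the plug-in."""
    ext_id, team_id = PLUGIN_IDS[platform]
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.contoso.sso.{platform}",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Microsoft Enterprise SSO plug-in",
        "ExtensionIdentifier": ext_id,
        "TeamIdentifier": team_id,
        "Type": "Redirect",
        "URLs": AAD_URLS,
        "ExtensionData": data,
    }


def serialize(payload):
    """XML plist bytes, as they would appear inside a .mobileconfig."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    cfg = build_extension_data(prefixes=["com.microsoft."],
                               browser_sso_interaction_enabled=1)
    print(serialize(build_sso_payload("macos", cfg)).decode())
    print(validate_extension_data({"browser_sso_disable_mfa": 1}))
```

The prefix check is the point of the "Be careful with the apps you allow" warning: every app that matches an allowed prefix gets the signed-in user's credentials silently, so a prefix such as com.microsoft (no trailing dot) is wider than it looks.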

End user experience

If you're not deploying the Microsoft Authenticator or Company Portal app using an app policy, then
users must install these apps manually. Remember:
On iOS/iPadOS devices, users install the Microsoft Authenticator app.
On macOS devices, users install the Company Portal app.
On Apple devices, Apple requires the SSO app extension and the app (Authenticator or Company Portal)
be installed. Users don't need to use the Authenticator or Company Portal apps; they just need to be
installed on the device.
Users sign in to any supported app or website to bootstrap the extension. Bootstrap is the process of
signing in for the first time, which sets up the extension.
After users sign in successfully, the extension is automatically used to sign in to any other supported app
or website.

Next steps
For information about the Microsoft Enterprise SSO plug-in, see Microsoft Enterprise SSO plug-in for
Apple devices (preview).
For information from Apple on the single sign-on extension payload, see Single Sign-On Extensions
payload settings (opens Apple's web site).
Add macOS system and kernel extensions in Intune
5/19/2021 • 4 minutes to read

NOTE
macOS kernel extensions are being replaced with system extensions. For more information, see Support Tip: Using system
extensions instead of kernel extensions for macOS Catalina 10.15 in Intune.

On macOS devices, you can add kernel extensions and system extensions. Both kernel extensions and system
extensions allow users to install app extensions that extend the native capabilities of the operating system.
Kernel extensions execute their code at the kernel level. System extensions run in a tightly controlled user-space.
To add extensions that are always allowed to load on your devices, use Microsoft Intune. Intune uses
"configuration profiles" to create and customize these settings for your organization's needs. After you add these
features in a profile, you then push or deploy the profile to macOS devices in your organization.
This article describes system extensions and kernel extensions. It also shows you how to create a device
configuration profile using extensions in Intune.

System extensions
System extensions run in the user space, and don’t access the kernel. The goal is to increase security, provide
more end user control, and limit kernel level attacks. These extensions can be:
Driver extensions, including drivers to USB, network interface cards (NIC), serial controllers, and human
interface devices (HID)
Network extensions, including content filters, DNS proxies, and VPN clients
Endpoint security extensions, including endpoint detection, endpoint response, and antivirus
System extensions are included in an app's bundle, and installed from the app.
For more information on system extensions, see system extensions (opens Apple's web site).

Kernel extensions
Kernel extensions add features at the kernel-level. These features access parts of the OS that regular programs
can't access. Your organization may have specific needs or requirements that aren't available in an app, a device
feature, and so on.
For example, you have a virus scanning program that scans your device for malicious content. You can add this
virus scanning program's kernel extension as an allowed kernel extension in Intune. Then, "assign" the extension
to your macOS devices.
With this feature, administrators can allow users to override kernel extensions, add team identifiers, and add
specific kernel extensions in Intune.
For more information on kernel extensions, see kernel extensions (opens Apple's web site).
IMPORTANT
Kernel extensions don't work on macOS devices with the M1 chip, which are macOS devices running on Apple silicon. This
behavior is a known issue, with no ETA. It's possible you can get them to work, but it's not recommended. For more
information, see Kernel extensions in macOS (opens Apple's web site).
For any macOS devices running 10.15 and newer, we recommend using system extensions (in this article). If you use the
kernel extensions settings, then consider excluding macOS devices with M1 chips from receiving the kernel extensions
profile.

Prerequisites
This feature applies to:
macOS 10.13.2 and newer (kernel extensions)
macOS 10.15 and newer (system extensions)
From macOS 10.15 to 10.15.4, kernel extensions and system extensions can run side by side.
To use this feature, devices must be:
Enrolled in Intune using Apple's Device Enrollment Program (DEP). Automatically enroll macOS
devices has more information.
OR
Enrolled in Intune with "user approved enrollment" (Apple's term). Prepare for changes to kernel
extensions in macOS High Sierra (opens Apple's web site) has more information.

What you need to know


Unsigned legacy kernel extensions and system extensions can be added.
Be sure to enter the correct team identifier and bundle ID of the extension. Intune doesn't validate the values
you enter. If you enter wrong information, the extension won't work on the device. A team identifier is exactly
10 alphanumeric characters long.

NOTE
Apple released information regarding signing and notarization for all software. On macOS 10.14.5 and newer, kernel
extensions deployed through Intune don't have to meet Apple's notarization policy.
For information on this notarization policy, and any updates or changes, see the following resources:
Notarizing your app before distribution (opens Apple's web site)
Prepare for changes to kernel extensions in macOS High Sierra (opens Apple's web site)

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select macOS
Profile : Select Templates > Extensions .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the policy. Name your policies so you can easily identify them
later. For example, a good policy name is macOS: Add AV scanning to kernel extensions on
devices .
Description : Enter a description for the policy. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , configure your settings:
macOS
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or groups that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
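The following Python script is an added example and is not code from this page, from Intune, or from Apple. Because Intune doesn't validate the team identifier or bundle ID you enter, it checks those values first (a team identifier must be exactly 10 alphanumeric characters, a bundle ID a reverse-DNS name), then builds the Apple kernel-extension and system-extension policy payloads that the Extensions template corresponds to. The payload keys are from Apple's configuration profile reference; that the Intune template maps its settings onto these keys is an assumption, since the page doesn't show the payload it emits. The team identifier, bundle IDs and payload identifiers are constructed for the example.

```python
"""Added example, not Intune's or Apple's code. Checks team identifier and
bundle ID pairs before they're entered in the Extensions template (Intune
doesn't validate them), and builds the Apple policy payloads the profile
corresponds to. Payload keys are from Apple's configuration profile
reference; ASSUMPTION: the Intune template maps its settings onto these
keys, since the page doesn't show the payload it emits."""
import plistlib
import re
import uuid

TEAM_ID_RE = re.compile(r"^[A-Za-z0-9]{10}$")                    # exactly 10 alphanumerics
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")  # reverse-DNS name
SYSEXT_TYPES = {"DriverExtension", "NetworkExtension", "EndpointSecurityExtension"}

# Constructed identifiers for a fictitious AV vendor, not a real product.
CONTOSO_TEAM = "ABCDE12345"
CONTOSO_KEXT = "com.contoso.av.kext"
CONTOSO_SYSEXT = "com.contoso.av.endpoint"


def validate_entries(entries):
    """entries: iterable of (team_id, bundle_id). Returns problem strings."""
    problems = []
    for team_id, bundle_id in entries:
        if not TEAM_ID_RE.match(team_id):
            problems.append(f"team identifier {team_id!r} is not 10 alphanumeric characters")
        if not BUNDLE_ID_RE.match(bundle_id):
            problems.append(f"bundle ID {bundle_id!r} is not a reverse-DNS identifier")
    return problems


def _by_team(entries):
    """{team_id: [bundle_id, ...]} as the Allowed* dictionaries expect."""
    grouped = {}
    for team_id, bundle_id in entries:
        grouped.setdefault(team_id, []).append(bundle_id)
    return grouped


def _payload(payload_type, name, body):
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.contoso.{name}",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        **body,
    }


def kernel_extension_policy(entries, team_ids=(), allow_user_overrides=False):
    """Allowed kernel extensions. Listing (team, bundle ID) pairs is narrower
    than allowing every kext a team signs, so prefer entries over team_ids."""
    problems = validate_entries(entries)
    problems += [f"team identifier {t!r} is not 10 alphanumeric characters"
                 for t in team_ids if not TEAM_ID_RE.match(t)]
    if problems:
        raise ValueError("; ".join(problems))
    return _payload("com.apple.syspolicy.kernel-extension-policy", "kext-policy", {
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": list(team_ids),
        "AllowedKernelExtensions": _by_team(entries),
    })


def system_extension_policy(entries, types_by_team=None, allow_user_overrides=False):
    """Allowed system extensions, optionally limited to extension types."""
    types_by_team = types_by_team or {}
    problems = validate_entries(entries)
    for team_id, types in types_by_team.items():
        problems += [f"unknown system extension type {t!r}" for t in types if t not in SYSEXT_TYPES]
    if problems:
        raise ValueError("; ".join(problems))
    return _payload("com.apple.system-extension-policy", "sysext-policy", {
        "AllowUserOverrides": allow_user_overrides,
        "AllowedSystemExtensions": _by_team(entries),
        "AllowedSystemExtensionTypes": types_by_team,
    })


def build_profile(payloads):
    """Device-scoped .mobileconfig bytes wrapping the payloads."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.contoso.extensions",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "macOS: allowed kernel and system extensions",
        "PayloadScope": "System",
        "PayloadContent": list(payloads),
    })


if __name__ == "__main__":
    kext = kernel_extension_policy([(CONTOSO_TEAM, CONTOSO_KEXT)])
    sysext = system_extension_policy([(CONTOSO_TEAM, CONTOSO_SYSEXT)],
                                     {CONTOSO_TEAM: ["EndpointSecurityExtension"]})
    print(build_profile([kext, sysext]).decode())
```

To get real values for a vendor's extension, read them off a signed copy on a test Mac with codesign -dv --verbose=4 (prints TeamIdentifier) and, for a loaded system extension, systemextensionsctl list; keep AllowUserOverrides at false and list specific bundle IDs rather than whole team identifiers unless you genuinely want every extension that team signs.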

Next steps
Be sure to assign the profile and monitor its status.
Add a property list file to macOS devices using Microsoft Intune
3/5/2021 • 3 minutes to read

Using Microsoft Intune, you can add a property list file (.plist) for macOS devices, or apps on macOS devices.
This feature applies to:
macOS 10.7 and newer
Property list files include information about macOS applications. For more information, see About Information
Property List Files (Apple's website) and Custom payload settings.
This article describes the different property list file settings you can add to macOS devices. As part of your
mobile device management (MDM) solution, use these settings to add the app bundle ID (
com.company.application ), and add the app's .plist file.

These settings are added to a device configuration profile in Intune, and then assigned or deployed to your
macOS devices.

What you need to know


These settings aren't validated. Be sure to test your changes before assigning the profile to your devices.
If you're not sure how to enter an app key, change the setting within the app. Then, review the app's
preference file using Xcode to see how the setting is configured. Apple recommends removing non-manageable
settings using Xcode before importing the file.
Only some apps work with managed preferences, and might not allow you to manage all settings.
Be sure you upload property list files that target device channel settings, not user channel settings.
Property list files target the entire device.
If you're configuring the Microsoft Edge version 77 and newer app, then use the Settings catalog. For a
list of the settings you can configure, see Microsoft Edge - Policies (opens another Microsoft website).
Be sure macOS is listed as a supported platform. If some settings aren't available in the settings catalog,
then it's recommended to continue using the preference file.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select macOS
Profile : Select Templates > Preference file .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the policy. Name your policies so you can easily identify them
later. For example, a good policy name is macOS: Add preference file that configures Microsoft
Defender for Endpoint on devices .
Description : Enter a description for the policy. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , configure your settings:
Preference domain name : Enter the bundle ID, such as com.company.application . For example,
enter com.Contoso.applicationName , com.Microsoft.Edge , or com.microsoft.wdav .
Property list files are typically used for web browsers (Microsoft Edge), Microsoft Defender for
Endpoint, and custom apps. When you create a preference domain, a bundle ID is also created.

TIP
For Microsoft Edge version 77 and newer, you can use the settings catalog. You don't have to use a
preference file. For more information, see Settings catalog.

Property list file : Select the property list file associated with your app. Be sure it's a .plist or
.xml file. For example, upload a YourApp-Manifest.plist or YourApp-Manifest.xml file.

The key information in the property list file is shown. If you need to change the key information,
open the list file in another editor, and then reupload the file in Intune.
Be sure your file is formatted correctly. The file should only have key value pairs, and shouldn't be
wrapped in <dict> , <plist> , or <xml> tags. For example, your property list file should be similar to the
following file:

<key>SomeKey</key>
<string>someString</string>
<key>AnotherKey</key>
<false/>
...

To see some property list file examples, go to Set preferences for Microsoft Defender for Endpoint.
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or groups that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
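The following Python script is an added example and is not code from this page, from Intune, or from Apple. It turns a full preference plist (the kind you get by exporting an app's preferences from a test Mac) into the bare key/value fragment that the Property list file setting expects, drops keys you don't want to manage, and checks a fragment before upload, since Intune doesn't validate it. The sample export and its keys are constructed for the example; they are not real Microsoft Defender for Endpoint or Microsoft Edge settings.

```python
"""Added example, not Intune's or Apple's code. Converts a full preference
plist into the bare key/value fragment Intune expects, and checks a
fragment before it's uploaded. The sample plist below is constructed."""
import plistlib
import textwrap

# Constructed export of a fictitious app's preferences. The window frame
# is the kind of non-manageable, per-user state Apple says to strip first.
SAMPLE_EXPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>SomeKey</key>
    <string>someString</string>
    <key>AnotherKey</key>
    <false/>
    <key>NSWindow Frame Main</key>
    <string>0 0 800 600</string>
</dict>
</plist>
"""


def to_intune_fragment(full_plist, drop_keys=()):
    """Bare <key>/<value> pairs for Intune, without the <plist>/<dict> wrapper."""
    prefs = plistlib.loads(full_plist)
    if not isinstance(prefs, dict):
        raise ValueError("top level of a preference file must be a dictionary")
    prefs = {k: v for k, v in prefs.items() if k not in set(drop_keys)}
    if not prefs:
        raise ValueError("no keys left to manage")
    xml = plistlib.dumps(prefs, sort_keys=False).decode()
    body = xml[xml.index("<dict>") + len("<dict>"):xml.rindex("</dict>")]
    return textwrap.dedent(body).strip("\n") + "\n"


def parse_fragment(fragment):
    """Re-wrap a fragment the way the device will and parse it; raises if
    it's not well-formed key/value pairs (e.g. a key with no value)."""
    wrapped = f'<plist version="1.0"><dict>{fragment}</dict></plist>'.encode()
    return plistlib.loads(wrapped)


def check_fragment(fragment):
    """Return problems that would make Intune deploy a file the app ignores."""
    problems = []
    head = fragment.lstrip()
    for wrapper in ("<?xml", "<!DOCTYPE", "<plist", "<dict>"):
        if head.startswith(wrapper):
            problems.append(f"fragment must not start with {wrapper}; upload key/value pairs only")
    try:
        parsed = parse_fragment(fragment)
    except Exception as exc:  # plistlib raises ValueError or an XML parse error
        problems.append(f"not well-formed key/value pairs: {exc}")
        return problems
    if not parsed:
        problems.append("fragment contains no keys")
    return problems


if __name__ == "__main__":
    fragment = to_intune_fragment(SAMPLE_EXPORT, drop_keys=["NSWindow Frame Main"])
    print(fragment)
    print("problems:", check_fragment(fragment))
```

Run the check on every fragment before assigning the profile: a stray <plist> wrapper or a key with no value is accepted by the portal but never applied on the device, and the only symptom is that the app keeps its old settings.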

Next steps
Assign the profile and monitor its status.
For more information on preference files for Microsoft Edge, see Configure Microsoft Edge policy settings on
macOS.
Add and use wired networks settings on your macOS devices in Microsoft Intune
3/5/2021 • 2 minutes to read

Wired networks are used by many organizations to give network access to desktop computers. Microsoft Intune
includes built-in settings that can be deployed to macOS users and devices in your organization. This group of
settings is called a "profile". In your profile, you can include common settings, such as the network interface,
accepted EAP types, and server trust settings.
When the profile is ready, it can be assigned to different users and groups. Once assigned, your users get access to
your organization's wired network without configuring it themselves.
As part of your mobile device management (MDM) solution, use this feature to create 802.1x profiles to manage
wired networks. Then, deploy these wired networks to your macOS devices.
This feature applies to:
macOS
For example, you have a wired network named Contoso wired network . You want to set up all macOS
desktops to connect to this network. Here's the process:
1. Create a wired network profile that includes the settings that connect to the Contoso wired network .
2. Assign the profile to a group that includes all users' macOS desktop computers. For recommendations on
using group types, see User groups vs. device groups.
3. On their desktops, users find the Contoso wired network in the list of networks. They can then connect to
the network, using the authentication method of your choosing.
This article lists the steps to create a wired network profile. It also includes a link that describes the different
settings.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select macOS .
Profile : Select Templates > Wired Network .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, a good profile name is macOS: Wired network for entire company .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , select the network interface of the network, and choose the Extensible
Authentication Protocol (EAP) type. For a list of all settings, and what they do, see:
macOS
8. Select Next .
9. In Assignments , select the user groups or device groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next .
10. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.

TIP
If you use certificate based authentication for your wired network profile, then deploy the wired network profile, certificate
profile, and trusted root profile to the same groups. This deployment makes sure that each device can recognize the
legitimacy of your certificate authority. For more information, see configure certificates with Microsoft Intune.
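The following Python script is an added example and is not code from this page or from Intune. It builds the Apple Ethernet 802.1X payload equivalent to an EAP-TLS wired network profile and audits its server trust settings, which is what the EAP type and server trust settings in step 7, and the certificate TIP above, protect: without a trusted root and expected server names, a rogue switch or RADIUS server can complete the handshake as your network. Payload keys are from Apple's configuration profile reference (that Intune's template emits the equivalent is an assumption); the UUIDs are constructed stand-ins for the trusted root and identity certificate profiles the TIP says to deploy to the same groups.

```python
"""Added example, not Intune's or Apple's code. Builds an EAP-TLS Ethernet
802.1X payload and audits its server-trust settings. Keys are from Apple's
configuration profile reference; the UUIDs are constructed placeholders."""
import plistlib
import uuid

EAP_TLS = 13  # IANA EAP method number, as used by AcceptEAPTypes
# Constructed UUIDs standing in for the trusted-root and identity
# certificate payloads that must be deployed alongside this profile.
ROOT_CA_UUID = "11111111-2222-3333-4444-555555555555"
IDENTITY_UUID = "66666666-7777-8888-9999-000000000000"


def wired_eap_tls_payload(trusted_server_names, root_ca_uuid, identity_uuid,
                          allow_trust_exceptions=False):
    """Ethernet 802.1X payload: EAP-TLS with the client identity certificate,
    pinned to the given RADIUS server names and the given root CA."""
    return {
        "PayloadType": "com.apple.firstactiveethernet.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.contoso.wired",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Contoso wired network",
        "Interface": "FirstActiveEthernet",
        "AutoJoin": True,
        "SetupModes": ["System"],                 # authenticate before login
        "PayloadCertificateUUID": identity_uuid,  # client identity for EAP-TLS
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            "TLSTrustedServerNames": list(trusted_server_names),
            "PayloadCertificateAnchorUUID": [root_ca_uuid] if root_ca_uuid else [],
            "TLSAllowTrustExceptions": allow_trust_exceptions,
            "TLSMinimumVersion": "1.2",
        },
    }


def audit_server_trust(payload):
    """Findings that let a rogue switch or RADIUS server pass as the real
    network, or harvest credentials, during the 802.1X handshake."""
    eap = payload["EAPClientConfiguration"]
    findings = []
    if not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("no trusted root: any CA the device trusts can issue the server certificate")
    if not eap.get("TLSTrustedServerNames"):
        findings.append("no TLSTrustedServerNames: any certificate from the anchor CA is accepted")
    if eap.get("TLSAllowTrustExceptions"):
        findings.append("TLSAllowTrustExceptions: users can click through a server-trust failure")
    if any(t != EAP_TLS for t in eap.get("AcceptEAPTypes", [])):
        findings.append("non-certificate EAP type accepted: credential safety rests entirely on server trust")
    return findings


def serialize(payload):
    """XML plist bytes for the payload."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    good = wired_eap_tls_payload(["radius.contoso.com"], ROOT_CA_UUID, IDENTITY_UUID)
    weak = wired_eap_tls_payload([], "", IDENTITY_UUID, allow_trust_exceptions=True)
    print("good:", audit_server_trust(good))
    print("weak:", audit_server_trust(weak))
```

The weak variant is what you get when the trusted root and server names are left blank and users are allowed to accept trust exceptions; the profile still "works", because the device will authenticate to whatever answers on the wire.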

Next steps
The profile is created, but may not be doing anything. Be sure to assign this profile, and monitor its status.
Use and manage Zebra devices with Zebra Mobility Extensions in Microsoft Intune
4/15/2021 • 7 minutes to read

Intune includes a rich set of features, including managing apps and configuring device settings. These built-in
features and settings manage Android devices manufactured by Zebra Technologies, also known as "Zebra
devices".
On Android devices, use Zebra's Mobility Extensions (MX) profiles to customize or add more Zebra-specific
settings.
This feature applies to:
Android device administrator
For Android Enterprise devices, use OEMConfig.
Your company may use Zebra devices for retail, on the factory floor, and more. For example, you're a retailer and
your environment includes thousands of Zebra mobile devices used by sales associates. Intune can help manage
these devices as part of your mobile device management (MDM) solution.
Using Intune, you can enroll Zebra devices to deploy your line-of-business apps to the devices. "Device
configuration" profiles let you create MX profiles to manage your Zebra-specific settings.
This article shows you how to use Zebra Mobility Extensions (MX) on Zebra devices in Microsoft Intune.

NOTE
By default, the Zebra MX APIs aren't locked down on devices, so until they are, any app on the device can call them.
Before a device enrolls in Intune, it's possible the device can be reconfigured in a malicious manner. When the device
is in a clean state, we suggest you lock down MX APIs using Access Manager (AccessMgr). For example, you can choose
that only the Company Portal app and apps you trust are allowed to call MX APIs.
For more information, see Locking down your device on Zebra's web site.

Before you begin


Be sure you have the latest version of the StageNow desktop app from Zebra Technologies.
Be sure to check Zebra's full MX feature matrix (opens Zebra's web site). Confirm the profiles you create are
compatible with the device's MX version, OS version, and model.
Certain devices, such as TC20/25 devices, don't support all of the available MX features in StageNow. Be sure
to check Zebra's feature matrix (opens Zebra's web site) for updated support info.

Step 1: Install the latest Company Portal app


On the device, open the Google Play store. Download and install the Intune Company Portal app from Microsoft.
When installed from Google Play, the Company Portal app gets updates and fixes automatically.
If Google Play isn't available, download the Microsoft Intune Company Portal for Android (opens another
Microsoft website), and sideload it (in this article). When installed this way, the app doesn't receive updates or
fixes automatically. Be sure to regularly update and patch the app manually.
Sideload the Company Portal app
"Sideloading" is when you don't use Google Play to install an app. To sideload the Company Portal app, use
StageNow.
The following steps provide an overview. For specific details, see Zebra's documentation. Enroll in an MDM
using StageNow (opens Zebra's web site) may be a good resource.
1. In StageNow, create a profile for Enroll in an MDM .
2. In Deployment , choose to download the MDM agent file.
3. Set the Support App and Download Configuration steps to No .
4. In Download MDM , select Transfer/Copy File . Add the source and destination of the Company Portal
Android package (APK).
5. In Launch MDM , leave the default values as-is. Add the following details:
Package Name : com.microsoft.windowsintune.companyportal
Class Name : com.microsoft.windowsintune.companyportal.views.SplashActivity
Continue to publish the profile, and consume it with the StageNow app on the device. The Company Portal app
is installed and opened on the device.

TIP
For more information on StageNow, and what it does, see StageNow Android device staging (opens Zebra's web site).

Step 2: Confirm the Company Portal app has device administrator role
The Company Portal app requires Device Administrator to manage Android devices. To activate the Device
Administrator role, some Zebra devices include a user interface (UI) on the device. If the device includes a UI, the
Company Portal app prompts the end user to grant Device Administrator during enrollment (in this article).
If a UI isn't available, use the DevAdmin Manager in StageNow to create a profile that manually grants Device
Administrator to the Company Portal app.
The following steps provide an overview. For specific details, see Zebra's documentation. Set battery swap mode
as device administrator (opens Zebra's website) may be a good resource.
1. In StageNow, create a profile and select Expert Mode .
2. Add DevAdmin Manager to the profile.
3. Set Device Administration Action to Turn On as Device Administrator .
4. Set Device Admin Package Name to com.microsoft.windowsintune.companyportal .
5. Set Device Admin Class Name to com.microsoft.omadm.client.PolicyManagerReceiver .

Continue to publish the profile, and consume it with the StageNow app on the device. The Company Portal app
is granted the Device Administrator role.

Step 3: Enroll the device in to Intune


After completing the first two steps, the Company Portal app is installed on the device. The device is ready to be
enrolled in to Intune.
Enroll Android devices lists the steps. If you have many Zebra devices, you may want to use a device enrollment
manager (DEM) account. Using a DEM account also removes the option to unenroll from the Company Portal
app, so that users can't unenroll the device as easily.
Step 4: Create a device management profile in StageNow
Use StageNow to create a profile that configures the settings you want to manage on the device. For specific
details, see Zebra's documentation. Profiles (opens Zebra's website) may be a good resource.
When you create the profile in StageNow, on the last step, select Export to MDM . This step generates an XML
file. Save this file. You need it in a later step.
It's recommended to test the profile before you deploy it to devices in your organization. To test, in the
last step when creating profiles with StageNow on your computer, use the Test options. Then, consume
the StageNow-generated file with the StageNow app on the device.
The StageNow app on the device shows logs generated when you test the profile. Use StageNow logs on
Zebra devices running Android in Intune has information on using StageNow logs to understand errors.
If you reference apps, update packages, or update other files in your StageNow profile, you want the
device to get these updates. To get the updates, the device must connect to the StageNow deployment
server when the profile is applied.
Or, you can use built-in features in Intune to get these changes, including:
App management features to add, deploy, update, and monitor apps.
Manage system and app updates on devices running Android Enterprise
After you test the file, the next step is to deploy the profile to devices using Intune.
You can deploy one or multiple MX profiles to a device.
You can also export multiple StageNow profiles, and combine the settings into a single XML file. Then,
upload the XML file to Intune to deploy to your devices.

WARNING
If multiple MX profiles are targeted to the same group, and configure the same property, there will be conflicts
on the device.
If the same property is configured multiple times in a single MX profile, the last configuration wins.

Step 5: Create a profile in Intune


In Intune, create a device configuration profile:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Android device administrator .
Profile : Select MX profile (Zebra only) .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the new profile.
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings > Choose a valid Zebra MX XML file , add the XML profile file you
exported from StageNow (in this article).
When done, select Next .

TIP
For security reasons, you won't see the profile XML text after you save it. The text is encrypted, and you only see
asterisks ( **** ). For your reference, it's recommended to save copies of the MX profiles before you add them to
Intune.

8. In Scope tags (optional) > Select scope tags , choose your scope tags to assign to the profile. For more
information, see Use RBAC and scope tags for distributed IT.
Select Next .
9. In Assignments , select the groups that will receive this profile. For more information on assigning
profiles, see Assign user and device profiles.
Select Next .
10. In Review + create , when you're done, choose Create . The profile is created, and shown in the list.
You can also monitor its status.
The next time the device checks for configuration updates, the MX profile is deployed to the device. Devices sync
with Intune when devices enroll, and then approximately every 8 hours. You can also force a sync in Intune. Or,
on the device, open the Company Portal app > Settings > Sync .

Update a Zebra MX configuration after it's assigned


To update the MX-specific configuration of a Zebra device, you can:
Create an updated StageNow XML file, edit the existing Intune MX profile, and upload the new StageNow
XML file. This new file overwrites the previous policy in the profile, and replaces the previous configuration.
Create a new StageNow XML file that configures different settings, create a new Intune MX profile, upload the
new StageNow XML file, and assign it to the same group. Multiple profiles are deployed. If the new profile
configures settings that already exist in existing profiles, conflicts will occur.

Next steps
Assign the profile and monitor its status.
Use StageNow logs to troubleshoot Zebra devices.
Troubleshoot and see potential issues on Android Zebra devices in Microsoft Intune
4/15/2021 • 4 minutes to read

In Microsoft Intune, you can use Zebra Mobility Extensions (MX) to manage Android Zebra devices. When using
Zebra devices, you create profiles in StageNow to manage settings, and upload them to Intune. Intune uses the
StageNow app to apply the settings on the devices. The StageNow app also creates a detailed log file on the
device that's used to troubleshoot.
This feature applies to:
Android device administrator
For example, you create a profile in StageNow to configure a device. When you create the StageNow profile, the
last step generates a file for you to test the profile. You consume this file with the StageNow app on the device.
In another example, you create a profile in StageNow, and test it. In Intune, you add the StageNow profile, and
then assign it to your Zebra devices. When checking the status of the assigned profile, the profile shows a high-
level status.
In both these cases, you can get more details from the StageNow log file, which is saved on the device every
time a StageNow profile applies.
Some issues aren't related to the contents of the StageNow profile, and aren't reflected in the logs.
This article shows you how to read the StageNow logs. It also lists some potential issues with Zebra devices that
may not be reflected in the logs.
Use and manage Zebra devices with Zebra Mobility Extensions has more information on this feature.

Get the logs


Use the StageNow app on the device
You don't have to use Intune to deploy the profile. Instead, you can test a profile directly using StageNow on
your computer. The StageNow app on the device saves the logs from the test. To get the log file, use the More
(...) option in the StageNow app on the device.
Get logs using Android Debug Bridge
To get logs after the profile is deployed with Intune, connect the device to a computer with Android Debug
Bridge (adb) (opens Android's web site).
On the device, logs are saved in /sdcard/Android/data/com.microsoft.windowsintune.companyportal/files .
Get logs from email
To get logs after the profile is deployed with Intune, end users can email you the logs using an email app on the
device. On the Zebra device, open the Company Portal app, and send the logs. Using the send logs feature also
creates a PowerLift incident ID, which you can reference if contacting Microsoft support.

Read the logs


When looking at the logs, there's an error whenever you see the <characteristic-error> tag. Error details are
written to the desc attribute of the <parm-error> tag.
Error types
Zebra devices include different error reporting levels:
The CSP isn't supported on device. For example, the device isn't a cellular device and doesn't have a cellular
manager.
The MX or OSX version is mismatched. Each CSP is versioned. For a full support matrix, see Zebra's
documentation (opens Zebra's web site).
The device reports another issue or error.

Examples
For example, you have the following input profile:

<wap-provisioningdoc>
<characteristic type="Clock">
<parm name="AutoTime" value="false"/>
<parm name="TimeZone" value="GMT-5"/>
<parm name="Date" value="2014-12-03"/>
<parm name="Time" value="11:11:11"/>
</characteristic>
</wap-provisioningdoc>

In the log, the XML is identical to the input. This matching output means the profile successfully applied to the
device with no errors:

<wap-provisioningdoc>
<characteristic type="Clock" version="6.0">
<parm name="AutoTime" value="false"/>
<parm name="TimeZone" value="GMT-5"/>
<parm name="Date" value="2014-12-03"/>
<parm name="Time" value="11:11:11"/>
</characteristic>
</wap-provisioningdoc>

In another example, you have the following input:

<wap-provisioningdoc>
<characteristic type="XmlMgr" version="4.2" >
<parm name="ProcessingMode" value="1"/>
</characteristic>
<characteristic type="AppMgr" version="4.2" >
<parm name="Action" value="Install"/>
<parm name="APK" value="/sdcard/test.apk"/>
</characteristic>
</wap-provisioningdoc>

The log shows an error, as it contains a <characteristic-error> tag. In this scenario, the profile tried to install an
Android package (APK) that doesn't exist in the given path:
<wap-provisioningdoc>
<characteristic type="XmlMgr" version="4.2">
<parm name="ProcessingMode" value="1"/>
</characteristic>
<characteristic-error type="AppMgr" version="5.1" desc="missing">
<parm-error name="Action" value="Install" desc="apk doesnot exist in the path"/>
<parm name="APK" value="/sdcard/test.apk"/>
</characteristic-error>
</wap-provisioningdoc>
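Both checks described in this section and in "Update a Zebra MX configuration after it's assigned" above lend themselves to a small script: finding settings that two MX profiles both configure before assigning the second one to the same group (the conflict case), and pulling every <characteristic-error> with its <parm-error> details out of a StageNow log. The Python below is an added example, not Intune's or Zebra's code. It assumes only the XML shapes shown in this article, uses the article's own profile and log samples as input, and adds one constructed profile (TIMEZONE_PROFILE) that overlaps the Clock example. The log file itself can be copied from the device path given under "Get logs using Android Debug Bridge".

```python
"""Helpers for Zebra MX (StageNow) XML: spot overlapping settings between two
profiles, and read the errors a device writes to its StageNow log.
Added example; relies only on the <characteristic>/<parm> and
<characteristic-error>/<parm-error> shapes shown in the article."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (characteristic type, parm name), e.g. ("Clock", "TimeZone")


def settings(profile_xml: str) -> Dict[Key, str]:
    """Map every (CSP, parm) pair in a profile or log to its value.
    Only <characteristic> elements are read, so parms nested inside a
    <characteristic-error> block of a log are deliberately skipped."""
    root = ET.fromstring(profile_xml)
    return {
        (c.get("type", ""), p.get("name", "")): p.get("value", "")
        for c in root.iter("characteristic")
        for p in c.findall("parm")
    }


def find_conflicts(profile_a: str, profile_b: str) -> List[Key]:
    """Settings configured by both profiles. Assigning both to one group leaves
    the device's final value dependent on apply order (the article's 'conflict')."""
    a, b = settings(profile_a), settings(profile_b)
    return sorted(k for k in a if k in b)


@dataclass
class CspError:
    csp: str          # characteristic type, e.g. "AppMgr"
    version: str      # MX CSP version the device applied
    desc: str         # summary from the characteristic-error element
    parms: List[str]  # "name: desc" for each parm-error underneath


def find_errors(log_xml: str) -> List[CspError]:
    """Every <characteristic-error> in a StageNow log, with its parm-error details."""
    root = ET.fromstring(log_xml)
    return [
        CspError(
            csp=ce.get("type", ""),
            version=ce.get("version", ""),
            desc=ce.get("desc", ""),
            parms=[f"{pe.get('name')}: {pe.get('desc')}" for pe in ce.findall("parm-error")],
        )
        for ce in root.iter("characteristic-error")
    ]


def applied_cleanly(input_xml: str, log_xml: str) -> bool:
    """True when the log reports no errors and echoes every input setting with the
    same value. The version attribute the device adds is ignored, which matches the
    article's note that a clean log is otherwise identical to the input."""
    return not find_errors(log_xml) and settings(input_xml) == settings(log_xml)


# Samples copied from the examples in this article.
CLOCK_PROFILE = """<wap-provisioningdoc>
<characteristic type="Clock">
<parm name="AutoTime" value="false"/>
<parm name="TimeZone" value="GMT-5"/>
<parm name="Date" value="2014-12-03"/>
<parm name="Time" value="11:11:11"/>
</characteristic>
</wap-provisioningdoc>"""

CLOCK_LOG = """<wap-provisioningdoc>
<characteristic type="Clock" version="6.0">
<parm name="AutoTime" value="false"/>
<parm name="TimeZone" value="GMT-5"/>
<parm name="Date" value="2014-12-03"/>
<parm name="Time" value="11:11:11"/>
</characteristic>
</wap-provisioningdoc>"""

APPMGR_LOG = """<wap-provisioningdoc>
<characteristic type="XmlMgr" version="4.2">
<parm name="ProcessingMode" value="1"/>
</characteristic>
<characteristic-error type="AppMgr" version="5.1" desc="missing">
<parm-error name="Action" value="Install" desc="apk doesnot exist in the path"/>
<parm name="APK" value="/sdcard/test.apk"/>
</characteristic-error>
</wap-provisioningdoc>"""

# Constructed second profile that also sets the Clock time zone, to show a conflict.
TIMEZONE_PROFILE = """<wap-provisioningdoc>
<characteristic type="Clock">
<parm name="TimeZone" value="GMT+1"/>
</characteristic>
</wap-provisioningdoc>"""

if __name__ == "__main__":
    print("conflicts:", find_conflicts(CLOCK_PROFILE, TIMEZONE_PROFILE))
    print("clock applied cleanly:", applied_cleanly(CLOCK_PROFILE, CLOCK_LOG))
    for err in find_errors(APPMGR_LOG):
        print(f"{err.csp} v{err.version}: {err.desc} -> {err.parms}")
```

Run find_conflicts over the current profile and the candidate before uploading the candidate to a second Intune MX profile assigned to the same group; an empty list means the two can coexist. Run find_errors over each log pulled from the device after a deployment, and treat any non-empty result as a failed apply even when Intune only shows a high-level status.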

Other potential issues with Zebra devices


This section lists other possible issues you may see when using Zebra devices with Device Administrator. These
issues aren't reported in the StageNow logs.
Android System WebView is out of date
When older devices sign in using the Company Portal app, users may see a message that the System WebView
component is out of date, and needs to be upgraded:
If the device has Google Play installed, then connect the device to the internet, and check for updates.
If the device doesn't have Google Play installed, then get the updated version of the component, and apply it
to the devices. Or, update to the latest device OS issued by Zebra.
Management actions take a long time
If Google Play services aren't available, then some tasks take up to 8 hours to finish. Limitations of Intune
Company Portal app for Android (opens another Microsoft web site) may be a good resource.
"Device spoofing suspected" shows in Intune
This error means that Intune suspects a non-Zebra Android device is reporting its model and manufacturer as a
Zebra device.
Company Portal app is older than minimum required version
Intune may update the minimum required version of the Company Portal app. If Google Play isn't installed on
the device, then the Company Portal app doesn't get automatically updated. If the minimum required version is
newer than the installed version, then the Company Portal app stops working. Update to the latest Company
Portal app using sideloading on Zebra devices.

Next steps
Zebra discussion boards (opens Zebra's web site)
Use and manage Zebra devices with Zebra Mobility Extensions in Intune
Use and manage Android Enterprise devices with
OEMConfig in Microsoft Intune
6/7/2021 • 10 minutes to read

In Microsoft Intune, you can use OEMConfig to add, create, and customize OEM-specific settings for Android
Enterprise devices. OEMConfig is typically used to configure settings that aren't built in to Intune. Different
original equipment manufacturers (OEM) include different settings. The available settings depend on what the
OEM includes in their OEMConfig app.
This feature applies to:
Android Enterprise
To manage Zebra Technologies devices using Android device administrator, use Zebra Mobile Extensions (MX).
This article describes OEMConfig, lists the prerequisites, shows how to create a configuration profile, and lists
the supported OEMConfig apps in Intune.

Overview
OEMConfig policies are a special type of device configuration policy similar to app configuration policy.
OEMConfig is a standard defined by Google that uses app configuration in Android to send device settings to
apps written by OEMs (original equipment manufacturers). This standard allows OEMs and EMMs (enterprise
mobility management) to build and support OEM-specific features in a standardized way. Learn more about
OEMConfig (opens Google's web site).
Historically, EMMs, such as Intune, manually build support for OEM-specific features after they're introduced by
the OEM. This approach leads to duplicated efforts and slow adoption.
With OEMConfig, an OEM creates a schema that defines OEM-specific management features. The OEM embeds
the schema into an app, and then puts this app on Google Play. The EMM reads the schema from the app, and
exposes the schema in the EMM administrator console. The console allows Intune administrators to configure
the settings in the schema.
When the OEMConfig app installs on a device, it uses the settings configured in the EMM administrator console
to manage the device. Device settings are executed by the OEMConfig app, instead of an MDM agent built by the
EMM.
When the OEM adds and improves management features, the OEM also updates the app in Google Play. As an
administrator, you get these new features and updates (including fixes) without waiting for EMMs to include
these updates.

TIP
You can only use OEMConfig with devices that support this feature and have a corresponding OEMConfig app. Consult
your OEM for specific details.

Before you begin


When using OEMConfig, be aware of the following information:
Intune exposes the OEMConfig app's schema so you can configure it. Intune doesn't validate or change
the schema provided by the app. So if the schema is incorrect, or has inaccurate data, then this data is still
sent to devices. If you find a problem that originates in the schema, contact the OEM for guidance.
Intune doesn't influence or control the content of the app schema. For example, Intune doesn't have any
control over strings, language, the actions allowed, and so on. We recommend contacting the OEM for
more information on managing their devices with OEMConfig.
At any time, OEMs can update their supported features and schemas, and upload a new app to Google
Play. Intune always syncs the latest version of the OEMConfig app from Google Play. Intune doesn't
maintain older versions of the schema or the app. If you run into version conflicts, we recommend
contacting the OEM for more information.
On Zebra devices, you can create multiple profiles, and assign them to the same device. For more
information, see OEMConfig on Zebra devices.
The OEMConfig model on non-Zebra devices only supports a single policy per device. If multiple profiles
are assigned to the same device, you may see inconsistent behavior.

Prerequisites
To use OEMConfig on your devices, you need the following requirements:
An Android Enterprise device enrolled in Intune.
An OEMConfig app built by the OEM, and uploaded to Google Play. If it's not on Google Play, contact the
OEM for more information.
The Intune administrator has role-based access control (RBAC) permissions for Mobile apps, Device
Configurations, and the "read" permission under Android for Work. These permissions are required
because OEMConfig profiles use managed app configurations to manage device configurations.

Prepare the OEMConfig app


Be sure the device supports OEMConfig, the correct OEMConfig app is added to Intune, and the app is installed
on the device. Contact the OEM for this information.

TIP
OEMConfig apps are specific to the OEM. For example, a Sony OEMConfig app installed on a Zebra Technologies device
doesn't do anything.

1. Get the OEMConfig app from the Managed Google Play Store. Add Managed Google Play apps to Android
enterprise devices lists the steps.
2. Some OEMs may ship devices with the OEMConfig app pre-installed. If the app isn't preinstalled, use Intune
to add and deploy the app to devices.

Create an OEMConfig profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Android Enterprise .
Profile : Select OEMConfig .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the new profile.
Description : Enter a description for the profile. This setting is optional, but recommended.
OEMConfig app : Choose Select an OEMConfig app .
6. In Associated app , select an existing OEMConfig app you previously added > Select . Be sure to choose
the correct OEMConfig app for the devices you're assigning the policy to.
If you don't see any apps listed, then set up Managed Google Play, and get apps from the Managed
Google Play store. Add Managed Google Play apps to Android Enterprise devices lists the steps.

IMPORTANT
If you added an OEMConfig app and synced it to Google Play, but it's not listed as an Associated app , you may
have to contact Intune to onboard the app. See adding a new app (in this article).

7. Select Next .
8. In Configure settings , select the Configuration designer or JSON editor :

TIP
Read the OEM documentation to make sure you're configuring the properties correctly. These app properties are
included by the OEM, not Intune. Intune does minimal validation of the properties, or what you enter. For
example, if you enter abcd for a port number, the profile saves as-is, and is deployed to your devices with the
values you configure. Be sure you enter the correct information.

Configuration designer : When you select this option, the properties available within the app
schema are shown for you to configure.
Context menus in the configuration designer indicate that more options are available. For
example, the context menu might let you add, delete, and reorder settings. These options
are included by the OEM. Be sure to read the OEM app documentation to learn how these
options should be used to create profiles.
Many settings have default values supplied by the OEM. To see if there's a default value,
hover over the info icon next to the setting. A tooltip shows the default values for that
setting (if applicable), and more details provided by the OEM.
Clicking Clear deletes a setting from the profile. If a setting isn't in the profile, its value on
the device won't change when the profile is applied.
Use the Locate button to look for settings. In the side panel, type in a keyword to see all the
relevant settings and their descriptions. Select any setting to automatically add the setting
to the configuration designer tree, if it's not there already. It also automatically opens the
tree so you can see the setting.
If you create an empty (unconfigured) bundle in the configuration designer, it's deleted
when switching to the JSON editor.
JSON editor : When you select this option, a JSON editor opens with a template for the full
configuration schema embedded in the app. In the editor, customize the template with values for
the different settings. If you use the Configuration designer to change your values, the JSON
editor overwrites the template with values from the configuration designer.
If you're updating an existing profile, the JSON editor shows the settings that were last
saved with the profile.
OEMConfig schemas can be large and complex. If you prefer to update these settings using
a different editor, select the Download JSON template button. Use an editor of your
choice to add your configuration values to the template. Then, copy and paste your updated
JSON in to the JSON editor property.
You can use the JSON editor to create a backup of your configuration. After you configure
your settings, use this feature to get the JSON settings with your values. Copy and paste the
JSON to a file, and save it. Now you have a backup file.
Any changes made in the configuration designer are also made automatically in the JSON editor.
Likewise, any changes made in the JSON editor are automatically made in the configuration designer. If
your input contains invalid values, you can't switch between the configuration designer and JSON editor
until you fix the issues.
9. Select Next .
10. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
11. In Assignments , select the users or groups that will receive your profile. Assign one profile to each
device. The OEMConfig model only supports one policy per device.
For more information on assigning profiles, see Assign user and device profiles.
Select Next .
12. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
The next time the device checks for configuration updates, the OEM-specific settings you configured are applied
to the OEMConfig app.

Reporting and deployment status


After your profile is deployed, you can check its status:
1. In the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles . A list of all
your profiles is shown.
2. Select your OEMConfig profile. You can get more information on your profile, including successful and
failed deployments:
Overview: Shows the profile assignment statuses. For more information on what the statuses mean,
see Monitor device profiles in Microsoft Intune.
Properties: Shows the settings you configured when you created the profile. You can change the
profile name, or update any existing settings.
Device status : The devices assigned to the profile are listed, and it shows if the profile successfully
deployed. You can select a specific device to get more details.
User status : Lists the user names with devices affected by this profile, and if the profile successfully
deployed. You can select a specific user to get more details.
3. You can also see if individual settings in a profile successfully applied. To see the per-setting status of an
OEMConfig profile, select Devices > All devices , and choose a device from the list. Then, go to App
configuration , and select your OEMConfig profile. Select an individual setting status to get more
information.

NOTE
For Zebra devices, only a single setting row is shown. Selecting the row shows details for all settings in the policy.

Supported OEMConfig apps


Compared to standard apps, OEMConfig apps expand the managed configurations privileges granted by Google
to support more complex schemas and functions. OEMs must register their OEMConfig apps with Google. If you
don't register, these features may not work as expected. Intune currently supports the following OEMConfig
apps:

OEM                        Bundle ID                               Documentation (if available)
Archos                     com.archos.oemconfig
Ascom                      com.ascom.myco.oemconfig
Bartec                     com.bartec.oemconfig
Bluebird                   com.bluebird.android.oemconfig
Cipherlab                  com.cipherlab.oemconfig.common
Datalogic                  com.datalogic.settings.oemconfig
Ecom - Ex-Handy 10         com.ecom.econfig
Ecom - Smart-Ex 02         com.ecom.econfig.smart
Honeywell                  com.honeywell.oemconfig
Honeywell - Scanpal EDA    com.honeywell.oemconfig.scanpal
HMDGlobal - 7.2            com.hmdglobal.app.oemconfig.n7_2
HMDGlobal - 4.2            com.hmdglobal.app.oemconfig.n4_2
HMDGlobal - 5.3            com.hmdglobal.app.oemconfig.n5_3
imotion                    com.iwaylink.oemconfig
Janam                      com.janam.oemconfig
Kyocera                    jp.kyocera.enterprisedeviceconfig
Lenovo                     com.lenovo.oemconfig.rel
LG                         com.lge.android.oemconfig
Motorola                   com.motorolasolutions.lexoemconfig
Panasonic                  com.panasonic.mobile.oemconfig
Point Mobile               device.apps.emkitagent
Samsung                    com.samsung.android.knox.kpu            Knox Service Plugin Admin Guide
Seuic                      com.seuic.seuicoemconfig
Social Mobile              com.rhinomobility.oemconfig
Spectralink - Barcodes     com.spectralink.barcode.service
Spectralink - Buttons      com.spectralink.buttons
Spectralink - Device       com.spectralink.slnkdevicesettings
Spectralink - Logging      com.spectralink.slnklogger
Spectralink - VQO          com.spectralink.slnkvqo
Unitech Electronics        com.unitech.oemconfig
Zebra Technologies         com.zebra.oemconfig.common              Zebra OEMConfig overview

If you represent an OEM, and an OEMConfig application exists for your devices, but isn't in the table above,
email IntuneOEMConfig@microsoft.com for onboarding help. OEMs must also register their OEMConfig apps with
Google.

NOTE
OEMConfig apps must be onboarded by Google and Intune before they can be configured with OEMConfig profiles. Once
an app is supported, you don't need to contact Microsoft about setting it up in your tenant. Just follow the instructions in
this article.
If you experience settings within an OEMConfig app behaving incorrectly, then contact the developers of the OEMConfig
app. Intune isn't responsible for technical issues with the individual OEMConfig apps.

Next steps
Monitor the profile status.
Deploy multiple OEMConfig profiles to Zebra
devices in Microsoft Intune
5/24/2021 • 3 minutes to read

In Microsoft Intune, use OEMConfig to customize OEM-specific settings for Android Enterprise devices. These
settings are specific to the device manufacturer, and deployed using configuration profiles in Intune.
On Zebra devices, you can deploy or assign multiple profiles to the same device. Existing OEMConfig profiles
can use this feature the next time the devices sync with Intune.
This feature applies to:
Zebra devices running Android Enterprise
To learn more about OEMConfig, including what it does, and how to use it, see OEMConfig configuration profile.
This article describes how to deploy multiple OEMConfig profiles to Zebra devices, explains profile ordering, and
shows how to use the reporting features in Microsoft Intune.

Prerequisites
Create an OEMConfig configuration profile.

Use multiple profiles


On Zebra devices, you can have many profiles on each device simultaneously. This feature allows you to split
your Zebra OEMConfig settings into smaller profiles. For example, create a baseline profile that affects all
devices. Then, create more profiles that configure settings specific to a device.
Zebra’s OEMConfig schema also uses Actions . Actions are operations that run on the device. They don’t
configure any settings. Use these actions to trigger a file download, clear the clipboard, and more. For a full list
of the supported actions, see Zebra’s documentation (opens Zebra's web site).
For example, you create a Zebra OEMConfig profile that applies some settings to the device. Another Zebra
OEMConfig profile includes an action that clears the clipboard. You assign the first profile to a group of Zebra
devices. Later, you need to clear the clipboard on those devices. You assign the second profile to the same device
group, without changing the first profile. The device clipboard gets cleared without resending or affecting the
configuration settings created in the first profile.
In another example, you assigned an OEMConfig profile that configured some Zebra device settings. Recently,
users are reporting issues with a specific application, and you want to clear the app's cache. Create a new
OEMConfig profile that includes only the “clear cache” action. Assign the profile to the devices that need it.

Ordering
With multiple profiles on each device, the order that profiles are deployed isn’t guaranteed. This behavior is a
Google Play limitation. To run operations in sequence, you can use Zebra's Transaction Step feature (opens
Zebra's web site).
To summarize, if order matters, use Zebra's Transaction Step feature (opens Zebra's web site). If order doesn't
matter, use multiple Intune profiles.
Let's look at some examples:
You want to turn on Bluetooth for all newly-enrolled Zebra devices before configuring any other setting
on these devices. To run operations in sequence, use the Steps feature in Zebra’s schema.
Create one Intune profile that has two Transaction Steps. The first step includes Bluetooth settings, and
the second step configures the other setting. When Zebra’s OEMConfig app receives the profile, it runs
the steps in order.
For more information, see Zebra's transaction steps (opens Zebra's web site).
You want all Zebra devices to display time in 24-hour format. For some of these devices, you want to turn
the camera off. The time and camera settings don't depend on each other.
Create two Intune profiles:
Profile 1: Displays the time in 24-hour format. On Monday, this profile is assigned to the All Zebra
AE devices group.
Profile 2: Turns off the camera. On Tuesday, this profile is assigned to the Zebra AE factory devices
group.
On Wednesday, you enroll 10 new Zebra devices with Intune. Profile 1 and Profile 2 are assigned. After
the new devices sync with Intune, they receive the profiles. The devices may get Profile 2 before getting
Profile 1.

Enhanced reporting
You deploy a profile, and it’s executed by the Zebra OEMConfig app on the device. The Zebra OEMConfig app
reports the profile status to Intune. In the Endpoint Manager admin center, you can see the status of deployed
OEMConfig profiles, and any errors or warnings.
1. Open the Microsoft Endpoint Manager admin center.
2. Select your Zebra OEMConfig profile > Monitor > Device status . This option shows the devices that
have your OEMConfig profile assigned.
3. Select a device > Device configuration > Select your Zebra OEMConfig profile. This option shows the
profile settings that succeeded or failed.
Select a failed row. Details are shown that have more information on why it failed.

Next steps
Learn more about OEMConfig configuration profiles.
On Android device administrator, configure Mobility Extensions (MX).
Monitor the profile status.
Windows 10 and Windows Holographic for Business
device settings to run as a dedicated kiosk using
Intune
3/5/2021 • 2 minutes to read

On Windows 10 devices, use Intune to run devices as a kiosk, sometimes known as a dedicated device. A device
in kiosk mode can run one app, or run many apps. You can show and customize a start menu, add different
apps, including Win32 apps, add a specific home page to a web browser, and more.
This feature applies to:
Windows 10 and newer
Windows Holographic for Business
To create kiosk profiles for other platforms, see Android device administrator, Android Enterprise, and
iOS/iPadOS.
Intune supports one kiosk profile per device. If you need multiple kiosk profiles on a single device, you can use a
Custom OMA-URI.
Intune uses "configuration profiles" to create and customize these settings for your organization's needs. After
you add these features in a profile, push or deploy these settings to groups in your organization.
This article shows you how to create a device configuration profile. For a list of all the settings, and what they do,
see Windows 10 kiosk settings and Windows Holographic for Business kiosk settings.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Windows 10 and later .
Profile : Select Templates > Kiosk .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the new profile.
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings > Select a kiosk mode , choose the type of kiosk mode supported by the
policy. Options include:
Not Configured (default): Intune doesn't change or update this setting. The policy doesn't enable
kiosk mode.
Single app, full-screen kiosk : The device runs as a single user account, and locks it to a single
web browser or app. So when the user signs in, a specific app starts. This mode also restricts users
from opening new apps, or changing the running app.
For example, you can run the Microsoft Edge browser, and only show one site, such as
Contoso.com . Or, you can run a Store app, and have the device locked on this app.

Multi app kiosk : The device runs multiple Store apps, Win32 apps, web browsers, or inbox
Windows apps by using the Application User Model ID (AUMID). Only the apps you add are
available on the device.
The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand
experience for users by only accessing apps they need. And, also removing from their view the
apps they don't need.
For a list of all settings, and what they do, see:
Windows 10 kiosk settings
Windows Holographic for Business kiosk settings
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or user group that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.

Next steps
After the profile is assigned, monitor its status.
You can also create kiosk profiles for devices that run the following platforms:
Android device administrator
Android Enterprise
Windows 10 and later
Windows Holographic for Business
Control access, accounts, and power features on
shared PC or multi-user devices using Intune
3/5/2021 • 2 minutes to read

Devices that have multiple users are called shared devices, and are a common part of mobile device
management (MDM) solutions. Using Microsoft Intune, you can customize shared devices running the following
platforms:
Windows 10 Professional and newer
Windows 10 Enterprise and newer
Windows Holographic for Business, such as the HoloLens
For example, schools have devices that are typically used by many students. With this setting, the school Intune
administrator can turn on the Shared PC feature to allow one user at a time. Students can't switch between
different signed-in accounts on the device. When the student signs out, you can also choose to remove all user-
specific settings.
End users can sign in to these shared devices with a guest account. After users sign in, the credentials are
cached. As they use the device, end users only get access to features you allow. For example, you choose when
the device goes into sleep mode, whether users can see and save files locally, whether power management
settings are enabled or disabled, and more. You also control whether the guest account is deleted when the user
signs off, and whether inactive accounts are deleted when a threshold is reached.
This article shows you how to create a configuration profile, and includes links to the available settings with
their descriptions.
When the profile is created in Intune, you deploy or assign the profile to device groups in your organization. You
can also assign this profile to device groups with mixed device types and operating system (OS) versions.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Windows 10 and later .
Profile : Select Templates > Shared multi-user device .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the new profile.
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , depending on the platform you chose, the settings you can configure are
different. Choose your platform for detailed settings:
Windows 10 and newer
Windows Holographic for Business
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments, select the device groups that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .

NOTE
Be sure to assign the profile to device groups in your organization.

11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.

Next steps
See all the settings for Windows 10 and newer and Windows Holographic for Business.
After the profile is assigned, monitor its status.
Use a network boundary to add trusted sites on
Windows devices in Microsoft Intune
3/5/2021 • 3 minutes to read

When using Microsoft Defender Application Guard and Microsoft Edge, you can protect your environment from
sites that aren't trusted by your organization. This feature is called a network boundary. It allows you to add
network domains, IPv4 and IPv6 ranges, proxy servers, and more to your network boundary. Items in this
boundary are trusted.
In Intune, you can create a network boundary profile, and deploy the profile to your devices.
For more information on using Microsoft Defender Application Guard in Intune, see Windows 10 settings to
protect devices using Intune.
This feature applies to:
Windows 10 and newer devices enrolled in Intune
This article shows you how to create the profile, and add trusted sites.

Before you begin


This feature uses the NetworkIsolation CSP.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Windows 10 and later .
Profile: Select Templates > Network boundary.
4. Select Create .
5. In Basics , enter the following properties:
Name: Enter a descriptive name for the profile. Name your policies so you can easily identify them
later. For example, a good profile name is Windows devices: Network boundary profile.
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , configure the following settings:
Boundary type : This setting creates an isolated network boundary. Sites in this boundary are
considered trusted by Microsoft Defender Application Guard. Your options:
IPv4 range : Enter a comma-separated list of IPv4 ranges of devices in your network. Data
from these devices is considered part of your organization, and is protected. These locations
are considered a safe destination for organization data to be shared to.
IPv6 range : Enter a comma-separated list of IPv6 ranges of devices in your network. Data
from these devices is considered part of your organization, and is protected. These locations
are considered a safe destination for organization data to be shared to.
Cloud resources : Enter a pipe-separated list of organization resource domains hosted in the
cloud that you want protected.
Network domains : Enter a comma-separated list of domains that create the boundaries. Data
sent to a device from any of these domains is considered organization data, and is protected.
These locations are considered a safe destination for organization data to be shared to. For
example, enter contoso.sharepoint.com, contoso.com .
Proxy servers : Enter a comma-separated list of proxy servers. Any proxy server in this list is at
the internet level, and not internal to the organization. For example, enter
157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59 .
Internal proxy servers : Enter a comma-separated list of internal proxy servers. These proxies
are used together with Cloud resources : traffic to the matched cloud resources is routed through
them. For example, enter 157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59 .
Neutral resources : Enter a list of domain names that can be used for work resources or
personal resources.
Value : Enter your list.
Auto detection of other enterprise proxy servers : Disable prevents devices from
automatically detecting proxy servers that aren't in the list. The devices accept only the configured
list of proxies. When set to Not configured (default), Intune doesn't change or update this setting.
Auto detection of other enterprise IP ranges : Disable prevents devices from automatically
detecting IP ranges that aren't in the list. The devices accept only the configured list of IP ranges.
When set to Not configured (default), Intune doesn't change or update this setting.
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or user group that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.
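The fields in step 7 are written into nodes of the NetworkIsolation CSP, and the separators matter: a pipe pasted into a comma field, or a reversed IP range, is accepted by the text box but produces a boundary that doesn't match what you intended. The following Python is an added example, not part of this article and not Intune's code. It validates each field with the separator the template expects (comma everywhere except the pipe-separated Cloud resources), builds the CSP node values, and then classifies a destination as inside the boundary, neutral, or untrusted. The CSP node names, the 'start-end' form of an IP range, suffix matching of subdomains, and the sample addresses and domains are assumptions, not taken from the page.

```python
"""Build and check the values the Intune Network boundary template writes into the
NetworkIsolation CSP, then classify destinations against the result (added example)."""
import ipaddress
import re

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")  # RFC 1123 hostname syntax


def _split(value, sep, field):
    """Split one admin-center field on its separator and drop blanks; reject an empty list."""
    items = [item.strip() for item in value.split(sep) if item.strip()]
    if not items:
        raise ValueError(f"{field}: the list is empty")
    return items


def _parse_ip_range(text, version, field):
    """Parse 'start-end' (assumed CSP form) into two addresses of the expected version."""
    if text.count("-") != 1:
        raise ValueError(f"{field}: expected 'start-end', got {text!r}")
    start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    if start.version != version or end.version != version:
        raise ValueError(f"{field}: {text!r} is not an IPv{version} range")
    if start > end:
        raise ValueError(f"{field}: range start is after its end in {text!r}")
    return start, end


def _check_domains(value, sep, field):
    """Every entry must be a bare FQDN; a wrong separator shows up here as a bad name."""
    for host in _split(value, sep, field):
        if not _FQDN_RE.match(host):
            raise ValueError(f"{field}: {host!r} is not a valid domain name")


def _check_proxies(value, sep, field):
    """Proxy entries are an IP address or hostname, optionally followed by ':port'."""
    for entry in _split(value, sep, field):
        host, port = entry.split(":") if entry.count(":") == 1 else (entry, None)
        if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"{field}: bad port in {entry!r}")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            if not _FQDN_RE.match(host):
                raise ValueError(f"{field}: {entry!r} is neither an IP address nor a domain name")


def build_network_boundary(*, ipv4_ranges="", ipv6_ranges="", cloud_resources="",
                           network_domains="", proxy_servers="", internal_proxy_servers="",
                           neutral_resources="", ranges_authoritative=False,
                           proxies_authoritative=False):
    """Validate each non-empty field with the separator the page specifies (comma
    everywhere except the pipe-separated Cloud resources); return {CSP node: value}."""
    nodes, ranges = {}, []
    for field, value, version in (("IPv4 range", ipv4_ranges, 4), ("IPv6 range", ipv6_ranges, 6)):
        for text in (_split(value, ",", field) if value else []):
            _parse_ip_range(text, version, field)
            ranges.append(text.replace(" ", ""))
    if ranges:
        nodes["EnterpriseIPRange"] = ",".join(ranges)  # v4 and v6 ranges share one node (assumed)
    fields = (("Cloud resources", cloud_resources, "|", "EnterpriseCloudResources", _check_domains),
              ("Network domains", network_domains, ",", "EnterpriseNetworkDomainNames", _check_domains),
              ("Neutral resources", neutral_resources, ",", "NeutralResources", _check_domains),
              ("Proxy servers", proxy_servers, ",", "EnterpriseProxyServers", _check_proxies),
              ("Internal proxy servers", internal_proxy_servers, ",", "EnterpriseInternalProxyServers", _check_proxies))
    for field, value, sep, node, check in fields:
        if value:
            check(value, sep, field)
            nodes[node] = sep.join(_split(value, sep, field))
    # "Auto detection of other enterprise ... : Disable" makes the configured lists authoritative.
    if ranges_authoritative:
        nodes["EnterpriseIPRangesAreAuthoritative"] = "1"
    if proxies_authoritative:
        nodes["EnterpriseProxyServersAreAuthoritative"] = "1"
    return nodes


def classify_destination(target, nodes):
    """'enterprise' inside the boundary, 'neutral' if listed as neutral, else 'untrusted'.
    Assumption: a domain entry matches that host and its subdomains."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for text in filter(None, nodes.get("EnterpriseIPRange", "").split(",")):
            start, end = (ipaddress.ip_address(p) for p in text.split("-"))
            if start.version == ip.version and start <= ip <= end:
                return "enterprise"
        return "untrusted"
    host = target.lower().rstrip(".")
    def listed(node, sep):
        entries = (e.lower() for e in nodes.get(node, "").split(sep) if e)
        return any(host == e or host.endswith("." + e) for e in entries)
    if listed("EnterpriseCloudResources", "|") or listed("EnterpriseNetworkDomainNames", ","):
        return "enterprise"
    return "neutral" if listed("NeutralResources", ",") else "untrusted"
```

Run build_network_boundary with the strings you intend to paste into the template; a ValueError names the field and the offending entry. Keep the proxy and internal proxy lists distinct in practice, since the template treats the first as internet-level and the second as the path to your cloud resources.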

Next steps
After the profile is assigned, be sure to monitor its status.
Microsoft Defender Application Guard overview
Use Windows Health Monitoring profile on Windows devices in Microsoft Intune
4/26/2021 • 2 minutes to read

Microsoft can collect event data, and provide recommendations to improve performance on your Windows
devices. Endpoint Analytics analyzes this data, and can recommend software, help improve startup performance,
and fix common support issues.
In Intune, you can create a Windows Health Monitoring device configuration profile to enable this data
collection, and then deploy this profile to your devices.
Use this profile as part of your mobile device management (MDM) solution to optimize your Windows devices.
This feature applies to:
Windows 10 version 1903 and newer devices enrolled in Intune
This article shows you how to create the profile, and enable the monitoring.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Choose Windows 10 and later .
Profile : Select Templates > Windows health monitoring .

NOTE
If you don't see Windows health monitoring in the list, then:
1. Go to Reports > Endpoint Analytics > Settings .
2. Select Intune data collection policy .

4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your policies so you can easily identify them
later. For example, a good profile name is Windows devices: Windows Health Monitoring
profile .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , configure the following settings:
Health monitoring : This setting turns on health monitoring to track Windows updates and
events. Your options:
Not configured : Intune doesn't change or update this setting.
Enable : Event information is collected from the devices, and sent to Microsoft for analytics and
insights.
Disable : Event information isn't collected from the devices.
DeviceHealthMonitoring/AllowDeviceHealthMonitoring CSP
Scope : Choose the event information you want collected and evaluated. Your options:
Windows updates : This option configures devices to send Windows Update data to Intune.
This data is then used in a compliance policy that reports on Windows updates.
Endpoint analytics
DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope CSP
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or user group that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Applicability Rules , use the Rule , Property , and Value options to define how this profile applies
within assigned groups. Intune applies the profile to devices that meet the rules you enter. For more
information about applicability rules, see Applicability rules.
Select Next .
12. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.

Next steps
After the profile is assigned, be sure to monitor its status.
What is Endpoint analytics
Use the Take a Test app on Windows 10 devices in Microsoft Intune
3/5/2021 • 2 minutes to read

Education profiles in Intune are designed for students to take a test or exam on devices. This feature includes the
Take a Test app and settings to add a test URL, choose how end-users sign in to the test, and more. This feature
supports the following platform:
Windows 10 and newer
When the user signs in, the Take a Test app automatically opens with the test you entered. No other apps can run
on the device while the test is in progress. Take tests in Windows 10 provides more details on the Take a Test
app.
This article lists the steps to create a device configuration profile in Microsoft Intune. It also includes information
to read and learn about the available education settings for your Windows 10 devices.

Create a device profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Windows 10 and later .
Profile : Select Templates > Secure assessment (Education) .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the new profile.
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , enter the settings you want to configure:
Windows 10 and newer
8. Select Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or user group that will receive your profile. For more information on
assigning profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.

Next steps
See a list of the Windows 10 education settings and their descriptions.
After the profile is assigned, monitor its status.
Configure eSIM cellular profiles in Intune (public preview)
4/5/2021 • 7 minutes to read

eSIM is an embedded SIM chip, and lets you connect to the Internet over a cellular data connection on an eSIM-
capable device, such as the Surface LTE Pro. With an eSIM, you don't need to get a SIM card from your mobile
operator. As a global traveler, you can also switch between mobile operators and data plans to always stay
connected.
For example, you have a cellular data plan for work, and another data plan with a different mobile operator for
personal use. When traveling, you can get Internet access by finding mobile operators with data plans in that
area.
This feature applies to:
Windows 10 and newer
In Intune, you can import one-time-use activation codes provided by your mobile operator. To configure cellular
data plans on the eSIM module, deploy those activation codes to your eSIM-capable devices. When Intune
installs the activation code, the eSIM hardware module uses the data in the activation code to contact the mobile
operator. Once complete, the eSIM profile is downloaded on the device, and configured for cellular activation.
To deploy eSIM to your devices using Intune, the following are needed:
eSIM capable devices , such as the Surface LTE: See if your device supports eSIM. Or, see a list of some of
the known eSIM capable devices (in this article).
A Windows 10 PC running the Fall Creators Update (version 1709) or later that's enrolled in Intune and MDM managed
Activation codes provided by your mobile operator. These one-time-use activation codes are added to
Intune, and deployed to your eSIM capable devices. Contact your mobile operator to acquire eSIM activation
codes.

NOTE
You can create a custom OMA-URI profile using the eUICCs CSP. Be sure to deploy one custom profile for each device.
The profile must include the device ICCID and matching activation code from the carrier for each device.

Deploy eSIM to devices - overview


To deploy eSIM to devices, an Administrator completes the following tasks:
1. Import activation codes provided by your mobile operator
2. Create an Azure Active Directory (Azure AD) device group that includes your eSIM capable devices
3. Assign the Azure AD group to your imported subscription pool
4. Monitor the deployment
This article guides you through these steps.

eSIM capable devices


If you're unsure whether your devices support eSIM, contact your device manufacturer. On Windows devices, you
can confirm whether eSIM is supported. For more information, see Use an eSIM to get a cellular data connection on
your Windows 10 PC.

Step 1: Add cellular activation codes


Cellular activation codes are provided by your mobile operator in a comma-separated file (csv). When you have
this file, add it to Intune using the following steps:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > eSIM cellular profiles > Add .
3. Select the CSV file that has your activation codes.
4. Select OK to save your changes.
CSV file requirements
When working with the csv file that has the activation codes, be sure you or your mobile operator follow these
requirements:
The file must be in csv format (filename.csv).
The file structure must adhere to a strict format. Otherwise, the import fails. Intune checks the file on import,
and rejects it if errors are found.
Activation codes are used one time. Don't import activation codes that you previously imported; reusing them
can cause problems when you deploy to the same or a different device.
Each file should be specific to a single mobile operator, and all activation codes specific to the same billing
plan. Intune randomly distributes the activation codes to targeted devices. There isn't any guarantee which
device gets a specific activation code.
A maximum of 1000 activation codes can be imported in one csv file.
CSV file example
1. The first row and first cell of the csv is the URL of the mobile operator eSIM activation service, which is
called SM-DP+ (Subscription Manager Data Preparation server). The URL should be a fully qualified
domain name (FQDN) without any commas.
2. The second and all later rows are unique one-time use activation codes that include two values:
a. First column is the unique ICCID (the identifier of the SIM chip)
b. Second column is the Matching ID with only a comma separating them (no comma at the end).
For example, a file named UnlimitedDataSkynet.csv has the SM-DP+ URL on the first row, and one
ICCID,MatchingID pair on each following row.
3. The csv file name becomes the cellular subscription pool name in the Endpoint Manager admin center. In
this example, the file name is UnlimitedDataSkynet.csv . So, Intune names the subscription pool
UnlimitedDataSkynet.csv .
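Because Intune rejects the whole file on any formatting error, and because a re-imported or mistyped code burns a one-time activation, it's worth checking the csv locally before uploading it. The following Python is an added example, not Intune's import code, that implements the requirements above: an FQDN with no commas on the first row, exactly ICCID,MatchingID on every later row with no trailing comma, no duplicate or previously imported ICCIDs, and at most 1000 codes. It also verifies the Luhn check digit that ICCIDs carry (ITU-T E.118), which catches transcription errors. The 18-20 digit ICCID length, the sample operator name and the sample ICCIDs are constructed assumptions, not values from the page.

```python
"""Validate an eSIM activation-code csv before importing it into Intune.
Added example that implements the checks the page lists; not Intune's import code."""
import csv
import io
import re

MAX_CODES = 1000  # per-file limit stated on the page
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_ICCID_RE = re.compile(r"^\d{18,20}$")  # assumption: 18-20 digits (ITU-T E.118 allows up to 20)


def _luhn_ok(digits):
    """ICCIDs end in a Luhn check digit; a typo in the ICCID fails here before import."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_activation_csv(text, already_imported=frozenset()):
    """Return {'smdp': fqdn, 'codes': [(iccid, matching_id), ...]}, or raise ValueError
    naming the first bad line, the way Intune rejects the whole file on any error."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or len(rows[0]) != 1 or not _FQDN_RE.match(rows[0][0].strip()):
        raise ValueError("line 1 must be the SM-DP+ server FQDN with no commas")
    smdp = rows[0][0].strip().lower()
    codes, seen = [], set()
    for lineno, row in enumerate(rows[1:], start=2):
        if not row:
            continue  # tolerate blank lines
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected 'ICCID,MatchingID' with no trailing comma")
        iccid, matching_id = (cell.strip() for cell in row)
        if not _ICCID_RE.match(iccid) or not _luhn_ok(iccid):
            raise ValueError(f"line {lineno}: ICCID {iccid!r} is malformed or fails its check digit")
        if not matching_id:
            raise ValueError(f"line {lineno}: empty matching ID")
        if iccid in seen:
            raise ValueError(f"line {lineno}: duplicate ICCID {iccid}")
        if iccid in already_imported:
            raise ValueError(f"line {lineno}: ICCID {iccid} was imported before; codes are one-time use")
        seen.add(iccid)
        codes.append((iccid, matching_id))
    if not codes:
        raise ValueError("no activation codes found after the SM-DP+ row")
    if len(codes) > MAX_CODES:
        raise ValueError(f"{len(codes)} codes exceed the {MAX_CODES} per-file limit")
    return {"smdp": smdp, "codes": codes}


# Constructed sample: a fictitious operator and two Luhn-valid but made-up ICCIDs.
SAMPLE_CSV = """smdp.operator.example
8901260000000000006,MATCH-0001
8901260000000000014,MATCH-0002
"""

if __name__ == "__main__":
    result = parse_activation_csv(SAMPLE_CSV)
    print(result["smdp"], len(result["codes"]), "codes")
```

Pass the ICCIDs from earlier imports as already_imported to enforce the one-time rule across files; the function stops at the first problem and reports the line number so the operator can correct the file.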
Step 2: Create an Azure AD device group
Create a Device group that includes the eSIM capable devices. Add groups lists the steps.

NOTE
Only devices are targeted, users aren't targeted.
We recommend creating a static Azure AD device group that includes your eSIM devices. Using a group confirms you
target only eSIM devices.

Step 3: Assign eSIM activation codes to devices


Assign the profile to the Azure AD group that includes your eSIM devices.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > eSIM cellular profiles .
3. In the list of profiles, select the eSIM cellular subscription pool you want to assign, and then select
Assignments .
4. Choose to Include groups or Exclude groups, and then select the groups.

5. When you select your groups, you're choosing an Azure AD group. To select multiple groups, use the Ctrl
key, and select the groups.
6. When done, Save your changes.
eSIM activation codes are used once. After Intune installs an activation code on a device, the eSIM module
contacts the mobile operator to download the cellular profile. This contact finishes registering the device with
mobile operator network.

Step 4: Monitor deployment


Review the deployment status
After you assign the profile, you can monitor the deployment status of a subscription pool.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > eSIM cellular profiles . All of your existing eSIM cellular subscription pools are listed.
3. Select a subscription, and review the Deployment Status .
Check the profile status
After you create your device profile, Intune provides graphical charts. These charts display the status of a profile,
such as it being successfully assigned to devices, or if the profile shows a conflict.
1. Select Devices > eSIM cellular profiles > Select an existing subscription.
2. In the Overview tab, the top graphical chart shows the number of devices assigned to the specific eSIM
cellular subscription pool deployment.
It also shows the number of devices for other platforms that are assigned the same device profile.
Intune shows the delivery and installation status for the activation code targeted to devices.
Device not synced : The targeted device hasn't contacted Intune since the eSIM deployment policy
was created
Activation pending : A transient state when Intune is actively installing the activation code on the
device
Active : Activation code installation successful
Activation fail : Activation code installation failed – see troubleshooting guide.
View the detailed device status
You can view a detailed list of the targeted devices in Device Status .
1. Select Devices > eSIM cellular profiles > Select an existing subscription.
2. Select Device Status . Intune shows additional details about the device:
Device Name : Name of the device that is targeted
User : User of the enrolled device
ICCID : Unique code provided by the mobile operator within the activation code installed on the device
Activation Status : Intune delivery and installation status of the activation code on the device
Cellular status : State provided by the mobile operator. Follow up with the mobile operator to
troubleshoot.
Last Check-In : Date the device last communicated with Intune
Monitor eSIM profile details on the actual device
1. On your device, open Settings > go to Network & Internet .
2. Select Cellular > Manage eSIM profiles
3. The eSIM profiles are listed:

Remove the eSIM profile from device


When you remove the device from the Azure AD group, the eSIM profile is also removed. Be sure to:
1. Confirm you're using the eSIM devices Azure AD group.
2. Go to the Azure AD group, and remove the device from the group.
3. When the removed device contacts Intune, the updated policy is evaluated, and the eSIM profile removed.
The eSIM profile is also removed when the device is retired or unenrolled by the user, or when the reset device
remote action runs on the device.

NOTE
Removing the profile may not stop billing. Contact your mobile operator to check the billing status for your device.

Best practices & troubleshooting


Be sure your csv file is properly formatted. Confirm the file doesn't include duplicate codes, doesn't include
multiple mobile operators, or doesn't include different data plans. Remember, each file must be unique to a
mobile operator and cellular data plan.
Create a static device Azure AD group that only includes the eSIM devices that are targeted.
If there's an issue with the deployment status, check the following:
File format not proper : See Step 1: Add cellular activation codes (in this article) on how to
properly format your file.
Cellular activation failure, contact mobile operator : The activation code may not be activated
within their network. Or, the profile download and cellular activation failed.

Next steps
Configure device profiles
Set up a telecom expense management service in Intune
3/5/2021 • 6 minutes to read

Using Intune, you can manage telecom expenses from data usage on organization-owned mobile devices.
Intune integrates with Saaswedo's Datalert telecom expense management. Datalert is a real-time telecom
expense management solution that manages telecom data usage. It can help avoid unexpected data and
roaming charges for your Intune-managed devices.
The integration with Datalert can set, monitor, and enforce roaming and domestic data usage limits. When
usage exceeds your thresholds, alerts are automatically triggered. You can also configure the service to apply
different actions to users or groups, such as disabling roaming data on devices that exceed a threshold. The
Datalert management console includes reports that show data usage and monitoring information.
The following image shows how Intune integrates with Datalert:

To use the Datalert service with Intune, there are some configuration settings in Datalert and Intune. This article
shows you how to:
Configure settings in the Datalert console to connect the Datalert service to Intune.
Confirm this connection is active and enabled in Intune.
Use Intune to add the Datalert app to your devices.
Turn off the Datalert service for Intune (optional).

Supported platforms
Android device administrator 4.4 and newer devices that are Knox capable (Samsung)
iOS 8.0 and newer
iPadOS 13.0 and newer

Prerequisites
A subscription to Microsoft Intune, and access to the Microsoft Endpoint Manager admin center
A subscription to Datalert (opens Datalert's web site)

Telecom expense management providers


Intune integrates with the following telecom expense management provider:
Saaswedo Datalert telecom expense management service (opens Datalert's web site)

Deploy the Intune and Datalert solution


Step 1: Connect the Datalert service to Intune
1. Sign in to the Datalert management console with administrator credentials.
2. In the console, go to the Settings tab > MDM configuration .
3. Select Unblock . Unblock allows you to change or update the settings on the page.
4. In Intune / Datalert Connection > Server MDM , select Microsoft Intune .
5. For Azure AD domain , enter your Azure tenant ID. Select Connection .
When you select Connection , the Datalert service checks in with Intune. It confirms there aren't any
existing Datalert connections. After a few moments, a Microsoft sign in page appears, followed by the
Datalert Azure authentication.
6. On the Microsoft authentication page, select Accept .
You're redirected to a Datalert thank you page that closes after a few moments. Datalert validates the
connection, and shows green check marks next to the items that validated. If validation fails, you see a
message in red. Contact Datalert support for help.
The following image shows the green check marks when the connection succeeds:

7. In Datalert App / ADAL Consent , set the switch to On . On the Microsoft authentication page, select
Accept .
You're redirected to a Datalert thank you page that closes after a few moments. Datalert validates the
connection, and shows green check marks next to the items that validated. If validation fails, you see a
message in red. Contact Datalert support for help.
The following image shows the green check marks when the connection succeeds:

8. In MDM Profiles management (optional) , set the switch to On . This setting allows Datalert to read
the available profiles in Intune to help you set up policies.
On the Microsoft authentication page, select Accept .
You're redirected to a Datalert thank you page that closes after a few moments. Datalert validates the
connection, and shows green check marks next to the items that validated. If validation fails, you see a
message in red. Contact Datalert support for help.
The following image shows the green check marks when the connection succeeds:

Step 2: Confirm telecom expense management is active in Intune


After you complete Step 1, your connection is automatically enabled. In Intune, the connection status shows
Active . To confirm the status is active, use the following steps:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Tenant administration > Connectors and tokens > Telecom Expense Management . Look
for the Active connection status:

Step 3: Deploy the Datalert app to devices


To confirm that data usage from only organization-owned lines is collected, be sure to:
Create device categories in Intune.
Target the Datalert app to only organizational phones.
This section lists these steps.
Create device categories and device groups mapped to your categories
Depending on your organizational needs, create at least two device categories, such as Corporate and Personal.
Then, create dynamic device groups for each category. You can create more categories for your organization, as
needed.
To create device categories in Intune, see map devices to groups.
These categories are shown to users during enrollment (enroll Android devices). Depending on the category
users choose, the enrolled device is moved to the corresponding device group.

Add the Datalert app to Intune


The following steps add the Datalert app. As an example, iOS/iPadOS is used. Add apps and use scope tags have
more specific information on these steps.
1. In the Microsoft Endpoint Manager admin center, select Apps > All apps > Add .
2. Select your App type . For example, for iOS/iPadOS, select Store App - iOS/iPadOS .
3. In Search the App Store , type Datalert to find the Datalert app.
4. Choose the Datalert app > Select :

5. Enter any additional properties, such as app information and scope tags:
6. Select OK > Add to save your changes. The Datalert app is shown in the list.
Assign the Datalert app to the corporate device group
1. In Apps > All apps , select the Datalert app you added in the previous step.
2. Select Assignments > Add group . Choose how the app is assigned. Assign apps to groups in Intune
has more details on these settings.
In these steps, you'll choose to make the app installation required or optional for the group. The following
example shows the installation as required. When required, users must install the Datalert app after
enrolling their device.

Step 4: Add organization phone lines to the Datalert console


Intune and Datalert services are now configured to communicate with each other. Next, add your organization
paid phone lines to the Datalert console. Enter thresholds and actions for any cellular or roaming usage
violations. You can manually add corporate paid phone lines to the Datalert console, or automatically add them
after the device is enrolled in Intune.
To set these items, go to the Datalert setup for Microsoft Intune (opens Datalert's web site). Under the Settings
tab, follow the steps in the setup wizard.
The Datalert service is now active. It starts monitoring data usage, and disabling cellular and roaming data on
devices that exceed the configured usage limits.

End user enrollment


For the end-user experience, the following articles may help:
Enroll your iOS/iPadOS device in telecom expense management
Enroll your Android device in telecom expense management

Turn off the Datalert service


1. In the Microsoft Endpoint Manager admin center, select Tenant administration > Connectors and
tokens > Telecom Expense Management .
2. Set Enable Telecom Expense Management and block cellular or roaming data on devices that
exceed usage quotas you configure to Disable .
3. Save your changes.

IMPORTANT
If you disable the Datalert service in Intune:
All the actions that are applied to devices due to past violations of the usage limits, are undone.
Users are no longer blocked from data access and roaming.
Intune still receives the signals coming from the service, but Intune ignores the signals.

Next steps
Data usage reporting is available in Saaswedo's Datalert management console.
Assign user and device profiles in Microsoft Intune
5/20/2021 • 6 minutes to read

You create a profile, and it includes all the settings you entered. The next step is to deploy or "assign" the profile
to your user or device groups. When it's assigned, the users and devices receive your profile, and the settings
you entered are applied.
This article shows you how to assign a profile, and includes some information on using scope tags on your
profiles.

NOTE
When a profile is removed or no longer assigned to a device, different things can happen, depending on the settings in
the profile. The settings are based on CSPs, and each CSP can handle the profile removal differently. For example, a setting
might keep the existing value, and not revert back to a default value. The behavior is controlled by each CSP in the
operating system. For a list of Windows CSPs, see configuration service provider (CSP) reference.
To change a setting to a different value, create a new profile, configure the setting to Not configured , and assign the
profile. Once applied to the device, users should have control to change the setting to their preferred value.
When configuring these settings, we suggest deploying to a pilot group. For more Intune rollout advice, see create a
rollout plan.

Before you begin


Be sure you have the correct role to assign profiles. For more information, see Role-based access control (RBAC)
with Microsoft Intune.

Assign a device profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles . All the profiles are listed.
3. Select the profile you want to assign > Properties > Assignments > Edit :
4. Select Included groups or Excluded groups , and then choose Select groups to include . When you
select your groups, you're choosing an Azure AD group. To select multiple groups, hold down the Ctrl
key, and select your groups.

5. Select Review + Save . This step doesn't assign your profile.


6. Select Save . When you save, your profile is assigned. Your groups will receive your profile settings when
the devices check in with the Intune service.

Use scope tags or applicability rules


When you create or update a profile, you can also add scope tags and applicability rules to the profile.
Scope tags are a great way to filter profiles to specific groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . Use RBAC and scope tags for distributed IT has more information.
On Windows 10 devices, you can add applicability rules so the profile only applies to a specific OS version or
a specific Windows edition. Applicability rules has more information.

User groups vs. device groups


Many users ask when to use user groups and when to use device groups. The answer depends on your goal.
Here's some guidance to get you started.
Device groups
If you want to apply settings on a device, regardless of who's signed in, then assign your profiles to a devices
group. Settings applied to device groups always go with the device, not the user.
For example:
Device groups are useful for managing devices that don't have a dedicated user. For example, you have
devices that print tickets, scan inventory, are shared by shift workers, are assigned to a specific
warehouse, and so on. Put these devices in a devices group, and assign your profiles to this devices
group.
You create a Device Firmware Configuration Interface (DFCI) Intune profile that updates settings in the
BIOS. For example, you configure this profile to disable the device camera, or lock down the boot options
to prevent users from booting up another OS. This profile is a good scenario to assign to a devices group.
On some specific Windows devices, you always want to control some Microsoft Edge settings, regardless
of who's using the device. For example, you want to block all downloads, limit all cookies to the current
browsing session, and delete the browsing history. For this scenario, put these specific Windows devices
in a devices group. Then, create an Administrative Template in Intune, add these device settings, and then
assign this profile to the devices group.
To summarize, use device groups when you don't care who's signed in on the device, or if anyone signs in. You
want your settings to always be on the device.
User groups
Profile settings applied to user groups always go with the user, and go with the user when signed in to their
many devices. It's normal for users to have many devices, such as a Surface Pro for work, and a personal
iOS/iPadOS device. And, it's normal for a person to access email and other organization resources from these
devices.
Follow this general rule: If a feature belongs to a user, such as email or user certificates, then assign to user
groups.
For example:
You want to put a Help Desk icon for all users on all their devices. In this scenario, put these users in a
users group, and assign your Help Desk icon profile to this users group.
A user receives a new organization-owned device. The user signs in to the device with their domain
account. The device is automatically registered in Azure AD, and automatically managed by Intune. This
profile is a good scenario to assign to a users group.
Whenever a user signs in to a device, you want to control features in apps, such as OneDrive or Office. In
this scenario, assign your OneDrive or Office profile settings to a users group.
For example, you want to block untrusted ActiveX controls in your Office apps. You can create an
Administrative Template in Intune, configure this setting, and then assign this profile to a users group.
To summarize, use user groups when you want your settings and rules to always go with the user, whatever
device they use.

Exclude groups from a profile assignment


Intune device configuration profiles let you include and exclude groups from profile assignment.
As a best practice, create and assign profiles specifically for your user groups. And, create and assign different
profiles specifically for your device groups. For more information on groups, see Add groups to organize users
and devices.
When you assign your profiles, use the following table when including and excluding groups. A checkmark
means that assignment is supported:

What you should know


Exclusion takes precedence over inclusion in the following same-group-type scenarios:
Including user groups and excluding user groups
Including device groups and excluding device groups
For example, you assign a device profile to the All corporate users user group, but exclude members in
the Senior Management Staff user group. Since both groups are user groups, All corporate users
except the Senior Management staff get the profile.
Intune doesn't evaluate user-to-device group relationships. If you assign profiles to mixed groups, the
results may not be what you want or expect.
For example, you assign a device profile to the All Users user group, but exclude an All personal
devices device group. In this mixed group profile assignment, All users get the profile. The exclusion
does not apply.
As a result, it's not recommended to assign profiles to mixed groups.
NOTE
Use caution when excluding dynamic device groups from any policy assignment. Consider the latency associated with an
Azure AD dynamic device group calculation.
For example, you have a device policy that's assigned to All devices . Later, you have a requirement that new marketing
devices don't receive this policy. So, you create a dynamic device group called Marketing devices based on the
enrollmentProfileName property (device.enrollmentProfileName -eq "Marketing_devices"). In the policy, you add
the Marketing devices dynamic group as an excluded group.
A new marketing device enrolls in Intune for the first time, and a new Azure AD device object is created. The dynamic
grouping process puts the device into the Marketing devices group, possibly after a delayed calculation. In parallel, the
device enrolls into Intune, and starts receiving all applicable policies. The Intune policy may be deployed before the device
is put in the exclusion group. This behavior results in an unwanted policy (or app) being deployed to the Marketing
devices group.
As a result, it's not recommended to use dynamic device groups for exclusions in latency-sensitive scenarios.
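The include/exclude rules above, modelled as a small pre-check an administrator can run over a planned assignment. This is an added example, not Microsoft's code; the group names and members are constructed, and the rules it encodes are only the two stated above (same-type exclusions win, mixed-type exclusions are not evaluated).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    kind: str             # "user" or "device"
    members: frozenset    # constructed user names or device names


@dataclass
class Assignment:
    included: list        # groups the profile is assigned to
    excluded: list        # groups excluded from the assignment


def resolve_assignment(assignment):
    """Return ({"user": set, "device": set}, warnings).

    Rules modelled from the text above:
    - an exclusion only removes members when an included group of the same
      type (user or device) exists; Intune doesn't evaluate user-to-device
      relationships, so a mixed include/exclude pair leaves the exclusion unapplied;
    - assigning one profile to both user and device groups is flagged, because
      the result may not be what the administrator expects.
    """
    targets = {"user": set(), "device": set()}
    warnings = []
    included_kinds = {g.kind for g in assignment.included}
    if included_kinds == {"user", "device"}:
        warnings.append("profile is assigned to both user and device groups; results may be unexpected")
    for g in assignment.included:
        targets[g.kind] |= set(g.members)
    for g in assignment.excluded:
        if g.kind in included_kinds:
            targets[g.kind] -= set(g.members)   # same group type: exclusion takes precedence
        else:
            warnings.append(
                f"exclusion of {g.kind} group '{g.name}' is ignored: "
                f"no included {g.kind} group to exclude from (mixed assignment)")
    return targets, warnings


# Constructed sample groups mirroring the two scenarios described above.
ALL_CORPORATE_USERS = Group("All corporate users", "user", frozenset({"alice", "bob", "carol"}))
SENIOR_MANAGEMENT = Group("Senior Management Staff", "user", frozenset({"carol"}))
ALL_PERSONAL_DEVICES = Group("All personal devices", "device", frozenset({"carol-iphone", "bob-pixel"}))


def same_type_scenario():
    """Include All corporate users, exclude Senior Management Staff (both user groups)."""
    return resolve_assignment(Assignment([ALL_CORPORATE_USERS], [SENIOR_MANAGEMENT]))


def mixed_type_scenario():
    """Include a user group, exclude a device group: the exclusion does not apply."""
    return resolve_assignment(Assignment([ALL_CORPORATE_USERS], [ALL_PERSONAL_DEVICES]))


if __name__ == "__main__":
    for label, scenario in (("same type", same_type_scenario), ("mixed", mixed_type_scenario)):
        targets, warnings = scenario()
        print(label, "->", sorted(targets["user"]), warnings)
```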

Next steps
See monitor device profiles for guidance on monitoring your profiles, and the devices running your profiles.
Monitor device profiles in Microsoft Intune
3/18/2021 • 5 minutes to read

Intune includes some features to help monitor and manage your device configuration profiles. For example, you
can check the status of a profile, see which devices are assigned, and update the properties of a profile.

View existing profiles


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles .
All of your profiles are shown. You also see the platform, the type of profile, and if the profile is assigned.

View details on a profile


After you create your device profile, Intune provides graphical charts. These charts display the status of a profile,
such as it being successfully assigned to devices, or if the profile shows a conflict.
1. Select an existing profile. For example, select a macOS profile.
2. Select the Overview tab. In this view, the policy assignment includes the following statuses:
Succeeded : Policy is applied
Error : The policy failed to apply. The message typically displays with an error code that links to an
explanation.
Conflict : Two settings are applied to the same device, and Intune can't sort out the conflict. An
administrator should review.
Pending : The device hasn't checked in with Intune to receive the policy yet.
Not applicable : The device can't receive the policy. For example, the policy updates a setting specific
to iOS 11.1, but the device is using iOS 10.
3. The top graphical chart shows the number of devices assigned to the device profile. For example, if the
configuration device profile applies to macOS devices, the chart lists the count of the macOS devices.
It also shows the number of devices for other platforms that are assigned the same device profile. For
example, it shows the count of the non-macOS devices.
The bottom graphical chart shows the number of users assigned to the device profile. For example, if the
configuration device profile applies to macOS users, the chart lists the count of the macOS users.
4. Select the top graphical chart. Device status opens.
The devices assigned to the profile are listed, and it shows if the profile is successfully deployed. Also note
that it only lists the devices with the specific platform (for example, macOS).
Close the Device status details.
5. Select the circle in the bottom graphical chart. User status opens.
The users assigned to the profile are listed, and it shows if the profile is successfully deployed. Also note
that it only lists the users with the specific platform (for example, macOS).
Close the User status details.
6. Back in the Profiles list, select a specific profile.
Properties : Change the name, or update any existing settings.
Assignments : Include or exclude the devices that the policy should apply to. Choose Selected Groups to
choose specific groups.
Device status : The devices assigned to the profile are listed, and it shows if the profile is successfully
deployed. You can select a specific device to get even more details, including the installed apps.
User status : Lists the user names with devices affected by this profile, and if the profile successfully
deployed. You can select a specific user to get even more details.
Per-setting status : Filters the output by showing the individual settings within the profile, and shows
if the setting is successfully applied.
TIP
Intune reports is a great resource, and describes all the reporting features you can use.

View conflicts
In Devices > All devices , you can see any settings that are causing a conflict. When there's a conflict, you also
see all the configuration profiles that contain this setting. Administrators can use this feature to help
troubleshoot, and fix any discrepancies with the profiles.
1. In Intune, select Devices > All Devices > select an existing device in the list. An end user can get the device
name from their Company Portal app.
2. Select Device configuration . All configuration policies that apply to the device are listed.
3. Select the policy. It shows you all the settings in that policy that apply to the device. If a device has a Conflict
state, select that row. In the new window, you see all the profiles, and the profile names that have the setting
causing the conflict.
Now that you know the conflicting setting, and the policies that include that setting, it should be easier to
resolve the conflict.

TIP
In Devices > Monitor , a list of all policies is shown, along with how many devices have errors, conflicts, and more. For
more information on the available reporting data, see Intune reports.

Device Firmware Configuration Interface profile reporting


WARNING
Monitoring for DFCI profiles is still being developed. While DFCI is in public preview, monitoring data may be missing or
incomplete.

DFCI profiles are reported on a per-setting basis, just like other device configuration profiles. Depending on the
manufacturer's support of DFCI, some settings may not apply.
With your DFCI profile settings, you may see the following states:
Compliant : This state shows when a setting value in the profile matches the setting on the device. This
state can happen in the following scenarios:
The DFCI profile successfully configured the setting in the profile.
The device doesn't have the hardware feature controlled by the setting, and the profile setting is
Disabled .
UEFI doesn't allow DFCI to disable the feature, and the profile setting is Enabled .
The device lacks the hardware to disable the feature, and the profile setting is Enabled .
Not Applicable : This state shows when a setting value in the profile is Enabled or Allowed , and the
matching setting on the device isn't found. This state can happen if the device hardware doesn't have the
feature.
Noncompliant : This state shows when a setting value in the profile doesn't match the setting on the
device. This state can happen in the following scenarios:
UEFI doesn't allow DFCI to disable a setting, and the profile setting is Disabled .
The device lacks the hardware to disable the feature, and the profile setting is Disabled .
The device doesn't have the latest DFCI firmware version.
DFCI was disabled before being enrolled in Intune using a local "opt-out" control in the UEFI menu.
The device was enrolled to Intune outside of Autopilot enrollment.
The device wasn't registered to Autopilot by a Microsoft CSP, or registered directly by the OEM.

Next steps
Common questions, issues, and resolutions with device profiles
Troubleshoot policies and profiles in Intune
Common questions and answers with device
policies and profiles in Microsoft Intune
4/15/2021 • 5 minutes to read

Get answers to common questions when working with device profiles and policies in Intune. This article also
lists the check-in time intervals, provides more details on conflicts, and more.

How long does it take for devices to get a policy, profile, or app after
they are assigned?
Intune notifies the device to check in with the Intune service. The notification times vary, including immediately
up to a few hours. These notification times also vary between platforms.
If a device doesn't check in to get the policy or profile after the first notification, Intune makes three more
attempts. An offline device, such as turned off, or not connected to a network, may not receive the notifications.
In this case, the device gets the policy or profile on its next scheduled check-in with the Intune service. The same
applies to checks for non-compliance, including devices that move from a compliant to a non-compliant state.
Estimated frequencies:

Platform                              Refresh cycle
iOS/iPadOS                            About every 8 hours
macOS                                 About every 8 hours
Android                               About every 8 hours
Windows 10 PCs enrolled as devices    About every 8 hours
Windows Phone                         About every 8 hours
Windows 8.1                           About every 8 hours

If devices recently enroll, then the compliance, non-compliance, and configuration check-in runs more
frequently. The check-ins are estimated at:

Platform                              Frequency
iOS/iPadOS                            Every 15 minutes for 1 hour, and then around every 8 hours
macOS                                 Every 15 minutes for 1 hour, and then around every 8 hours
Android                               Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours
Windows 10 PCs enrolled as devices    Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours
Windows Phone                         Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours
Windows 8.1                           Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours

At any time, users can open the Company Portal app, Settings > Sync to immediately check for policy or
profile updates.

What actions cause Intune to immediately send a notification to a device?
There are different actions that trigger a notification. For example, when a policy, profile, or app is assigned (or
unassigned), updated, deleted, and so on. These action times vary between platforms.
Devices check in with Intune when they receive a notification to check in, or during the scheduled check-in.
When you target a device or user with an action, then Intune immediately notifies the device to check in to
receive these updates. For example, when a lock, passcode reset, app, or policy assignment action runs.
Other changes, such as revising the contact information in the Company Portal app, don't cause an immediate
notification to devices.
The settings in the policy or profile are applied at every check-in. A Windows 10 MDM policy refresh customer
blog post may be a good resource.

If multiple policies are assigned to the same user or device, how do I know which settings get applied?
When two or more policies are assigned to the same user or device, precedence is decided at the individual
setting level:
Compliance policy settings always have precedence over configuration profile settings.
If a compliance policy evaluates against the same setting in another compliance policy, then the most
restrictive compliance policy setting applies.
If a configuration policy setting conflicts with a setting in another configuration policy, this conflict is
shown in Intune. Manually resolve these conflicts.

What happens when app protection policies conflict with each other?
Which one is applied to the app?
Conflict values are the most restrictive settings available in an app protection policy except for the number entry
fields, such as PIN attempts before reset. The number entry fields are set the same as the values, as if you
created a MAM policy using the recommended settings option.
Conflicts happen when two profile settings are the same. For example, you configured two MAM policies that
are identical except for the copy/paste setting. In this scenario, the copy/paste setting is set to the most
restrictive value, but the rest of the settings are applied as configured.
A policy is deployed to the app and takes effect. A second policy is deployed. In this scenario, the first policy
takes precedence, and stays applied. The second policy shows a conflict. If both are applied at the same time,
meaning that there isn't a preceding policy, then both are in conflict. Any conflicting settings are set to the most
restrictive values.

What happens when iOS/iPadOS custom policies conflict?


Intune doesn't evaluate the payload of Apple Configuration files or a custom Open Mobile Alliance Uniform
Resource Identifier (OMA-URI) policy. It merely serves as the delivery mechanism.
When you assign a custom policy, confirm that the configured settings don't conflict with compliance,
configuration, or other custom policies. If a custom policy and its settings conflict, then the settings are applied
randomly.

What happens when a profile is deleted or no longer applicable?


When you delete a profile, or remove a device from a group that's assigned the profile, then the profile and
settings are removed from the device as described:
Wi-Fi, VPN, certificate, and email profiles: These profiles are removed from all supported enrolled
devices.
All other profile types:
Android devices : Settings aren't removed from the device
iOS/iPadOS : All settings are removed, except:
Allow voice roaming
Allow data roaming
Allow automatic synchronization while roaming
Windows devices : Intune settings are based on the Windows configuration service providers
(CSPs). The behavior depends on the CSP. Some CSPs remove the setting, and some CSPs keep the
setting, also called tattooing.
A profile applies to a user group. Later, a user is removed from the group. For the settings to be removed
from that user, it can take up to 7 hours + the platform-specific policy refresh cycle (in this article).

I changed a device restriction profile, but the changes haven't taken effect
To apply a less restrictive profile, some devices, such as Android, iOS/iPadOS, and Windows 10, may need to be
retired and re-enrolled in to Intune.

Some settings in a Windows 10 profile return "Not Applicable"


Some settings on Windows 10 devices may show as "Not Applicable". When this situation happens, that specific
setting isn't supported on the Windows version or edition running on the device. This message can occur for the
following reasons:
The setting is only available for newer versions of Windows, and not the current operating system (OS)
version on the device.
The setting is only available for specific Windows editions or specific SKUs, such as Home, Professional,
Enterprise, and Education.
To learn more about the version and SKU requirements for the different settings, see the Configuration Service
Provider (CSP) reference.
Next steps
Need extra help? See How to get support in Microsoft Endpoint Manager.
Use custom settings for Android devices in
Microsoft Intune
3/5/2021 • 2 minutes to read

Using Microsoft Intune, you can add or create custom settings for your Android devices using a "custom profile".
Custom profiles are a feature in Intune. They are designed to add device settings and features that aren't built in
to Intune.
This feature applies to:
Android device administrator (DA)
Android custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings to configure
different features on Android devices. These settings are typically used by mobile device manufacturers to
control these features.
Using a custom profile, you can configure and assign the following Android settings, which aren't built in to
Intune:
Create a Wi-Fi profile with a pre-shared key
Create a per-app VPN profile
Allow and block apps for Samsung Knox Standard devices
Configure web protection in Microsoft Defender for Endpoint for Android

IMPORTANT
Only the settings listed can be configured in a custom profile. Android devices don't expose a complete list of
OMA-URI settings you can configure. If you'd like to see more settings, then vote for more settings at the Intune Uservoice site.

This article shows you how to create a custom profile for Android devices.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following settings:
Platform : Select Android device administrator .
Profile : Select Custom .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, a good profile name is Android DA custom profile .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings > OMA-URI Settings , select Add . Enter the following settings:
Name : Enter a unique name for the OMA-URI setting so you can easily find it.
Description : Enter a description that gives an overview of the setting, and any other important
details.
OMA-URI : Enter the OMA-URI you want to use as a setting.
Data type : Select the data type you'll use for this OMA-URI setting. Your options:
String
String (XML file)
Date and time
Integer
Floating point
Boolean
Base64 (file)
Value : Enter the data value you want to associate with the OMA-URI you entered. The value
depends on the data type you selected. For example, if you select Date and time , select the value
from a date picker.
8. Select Save to save your changes. Continue to add more settings as needed. After you add some settings,
you can select Export . Export creates a list of all the values you added in a comma-separated values
(.csv) file.
Select Next .
9. In Scope tags (optional) > Select scope tags , choose your scope tags to assign to the profile. For more
information, see Use RBAC and scope tags for distributed IT.
Select Next .
10. In Assignments , select the groups that will receive this profile. For more information on assigning
profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , when you're done, choose Create . The profile is created, and shown in the list.
You can also monitor its status.

Next steps
Assign the profile and monitor its status.
Create a custom profile on Android Enterprise devices.
Use custom policies in Microsoft Intune to allow and
block apps for Samsung Knox Standard devices
3/5/2021 • 2 minutes to read

Use the steps in this article to create a Microsoft Intune custom policy that creates one of the following lists:
A list of apps that are blocked from running on the device. Apps in this list are blocked from being run, even
if they were already installed when the policy was applied.
A list of apps that users of the device are allowed to install from the Google Play store. Only the apps you list
can be installed. No other apps can be installed from the store.
This feature applies to:
Android device administrator (DA)
These settings can only be used by devices that run Samsung Knox Standard.

Create an allowed or blocked app list


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following properties:
Platform : Select Android device administrator .
Profile : Select Custom .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, a good profile name is Android Samsung Knox custom profile - blocks apps .
Description : Enter a description that gives an overview of the setting, and any other important
details. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings , select Add . Enter the following custom OMA-URI settings:
For a list of apps that are blocked from running on the device:
Name : Enter PreventStartPackages .
Description : Enter a description that gives an overview of the setting, and any other relevant
information to help you locate the profile. For example, enter List of apps that are blocked from
running .
OMA-URI (case sensitive): Enter
./Vendor/MSFT/PolicyManager/My/ApplicationManagement/PreventStartPackages .
Data type : Select String .
Value : Enter a list of the app package names you want to block. You can use ; , : , or | as a
delimiter. For example, enter package1;package2; .
For a list of apps that users are allowed to install from the Google Play store while excluding all other
apps:
Name : Enter AllowInstallPackages .
Description : Enter a description that gives an overview of the setting, and any other relevant
information to help you locate the profile. For example, enter List of apps that users can install
from Google Play .
OMA-URI (case sensitive): Enter
./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowInstallPackages .
Data type : Select String .
Value : Enter a list of the app package names you want to allow. You can use ; , : , or | as a
delimiter. For example, enter package1;package2; .
8. Save your changes > Next .
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next .
10. In Assignments , select the users or device groups that will receive your profile. For more information on
assigning profiles, see assign user and device profiles.
Select Next .
11. In Review + create , review your settings. When you select Create , your changes are saved, and the
profile is assigned. The policy is also shown in the profiles list.

TIP
You can find the package ID of an app by browsing to the app on the Google Play store. The package ID is contained in
the URL of the app's page. For example, the package ID of the Microsoft Word app is com.microsoft.office.word .

The next time each targeted device checks in, the app settings are applied.
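The two custom OMA-URI settings from step 7 above, built programmatically: the value list is validated and joined with the ';' delimiter the setting accepts, an existing value is split on any of the three accepted delimiters, and the package ID is read from a Google Play URL as the tip describes. This is an added example, not Microsoft's code; the package-name pattern (at least two dot-separated identifiers) and the sample package com.example.approved are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Base path of the two Knox Standard OMA-URI settings described above (case sensitive).
OMA_URI_BASE = "./Vendor/MSFT/PolicyManager/My/ApplicationManagement/"
SETTINGS = {
    "block": ("PreventStartPackages", "List of apps that are blocked from running"),
    "allow": ("AllowInstallPackages", "List of apps that users can install from Google Play"),
}
# The setting value accepts ';', ':' or '|' between package names.
DELIMITERS = re.compile(r"[;:|]")
# Assumption: a real Android package name is at least two dot-separated Java identifiers.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def package_id_from_play_url(url):
    """Return the package ID from a Google Play app page URL (its 'id' query parameter), or None."""
    parsed = urlparse(url)
    if parsed.netloc != "play.google.com":
        return None
    ids = parse_qs(parsed.query).get("id")
    return ids[0] if ids else None


def parse_package_list(value):
    """Split an existing setting value on any accepted delimiter, dropping empty entries."""
    return [p for p in DELIMITERS.split(value) if p]


def build_package_value(packages):
    """Validate, de-duplicate (order preserved) and join package names with ';'."""
    invalid = [p for p in packages if not PACKAGE_RE.match(p)]
    if invalid:
        raise ValueError(f"invalid Android package names: {invalid}")
    unique = list(dict.fromkeys(packages))
    return ";".join(unique) + ";"


def knox_app_list_setting(mode, packages):
    """Return the custom OMA-URI setting fields entered in step 7 above, for mode 'block' or 'allow'."""
    if mode not in SETTINGS:
        raise ValueError("mode must be 'block' or 'allow'")
    name, description = SETTINGS[mode]
    return {
        "Name": name,
        "Description": description,
        "OMA-URI": OMA_URI_BASE + name,
        "Data type": "String",
        "Value": build_package_value(packages),
    }


if __name__ == "__main__":
    # Constructed sample input: the page's Word package ID taken from a Play URL, plus a constructed name.
    word = package_id_from_play_url("https://play.google.com/store/apps/details?id=com.microsoft.office.word")
    for field, value in knox_app_list_setting("allow", [word, "com.example.approved"]).items():
        print(f"{field}: {value}")
```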

Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Android and Samsung Knox Standard device
restriction settings lists in Intune
3/5/2021 • 14 minutes to read

This article shows you all the Microsoft Intune device restrictions settings that you can configure for devices
running Android. As part of your mobile device management (MDM) solution, use these settings to allow or
disable features, set password requirements, control security, and more.
This feature applies to:
Android device administrator (DA)

TIP
If the settings you want are not available, you might be able to configure your devices using a custom profile.

Before you begin


Create an Android device administrator device restrictions configuration profile.

General
Camera : Block prevents access to the device camera. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow access to the device camera.
Intune only manages access to the device camera. It doesn't have access to pictures or videos.
Copy and paste (Samsung Knox only) : Block prevents copy-and-paste. Not configured allows copy
and paste functions on devices.
Clipboard sharing between apps (Samsung Knox only) : Block prevents using the clipboard to
copy-and-paste between apps. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow copy and paste functions on devices.
Diagnostic data submission (Samsung Knox only) : Block stops users from submitting bug reports
from devices. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to submit the data.
Wipe (Samsung Knox only) : Allows users to run a wipe action on devices. When set to Not
configured (default), Intune doesn't change or update this setting.
Geolocation (Samsung Knox only) : Block disables devices from using location information. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
devices to use the location information.
Power off (Samsung Knox only) : Block prevents users from powering off device. It also prevents the
Number of sign-in failures before wiping device setting from being configured, and from working.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow users to power off devices.
Screen capture (Samsung Knox only) : Block prevents screenshots. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might let users capture the
screen contents as an image.
Voice assistant (Samsung Knox only) : Block disables the S Voice service. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow using
the S Voice service and app on devices. This setting doesn't apply to Bixby or the voice assistant for
accessibility that reads the screen content aloud.
YouTube (Samsung Knox only) : Block prevents users from using the YouTube app. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow using
the YouTube app on devices.
Shared devices (Samsung Knox only) : Configure a managed Samsung Knox Standard device as
shared. Allow lets users sign in and out of devices with their Azure AD credentials. Devices stay
managed, whether they're in use or not.
When used with a SCEP certificate profile, this feature allows users to share a device with the same
apps for all users. But, each user has their own SCEP user certificate. When users sign out, all app data is
cleared. This feature is limited to LOB apps only.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might prevent multiple users from signing in to the Company Portal app on devices using their Azure AD
credentials.
Block date and time changes (Samsung Knox) : Block prevents users from changing the date and
time settings on devices. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to change the date and time settings.

Password
Encryption : Select Require so that files on the device are encrypted. Not all devices support encryption.
When set to Not configured (default), Intune doesn't change or update this setting. To configure this
setting, and correctly report compliance, also configure:
1. Password : Set to Require .
2. Required password type : Set to At least numeric .
3. Minimum password length : Set to at least 4 .

NOTE
If an encryption policy is enforced, Samsung Knox devices require users to set a 6-character complex password as
the device passcode.

All Android devices


These settings apply to Android 4.0 and newer, and Knox 4.0 and newer.
Maximum minutes of inactivity until screen locks : Enter the length of time a device must be idle
before the screen is automatically locked. For example, enter 5 to lock devices after 5 minutes of being
idle. When the value is blank or set to Not configured , Intune doesn't change or update this setting.
On a device, users can't set a time value greater than the configured time in the profile. Users can set a
lower time value. For example, if the profile is set to 15 minutes, users can set the value to 5 minutes.
Users can't set the value to 30 minutes.
Number of sign-in failures before wiping device : Enter the number of wrong passwords allowed
before devices are wiped, from 4-11. 0 (zero) might disable device wipe functionality. When the value is
blank, Intune doesn't change or update this setting.
Password : Require users to enter a password to access devices. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow users to access devices
without entering a password.

NOTE
Samsung Knox devices automatically require a 4-digit PIN during MDM enrollment. Native Android devices may
automatically require a PIN to become compliant with Conditional Access.

Android 10 and later


Password complexity : Enter the required password complexity. Your options:
None (default): No password required.
Low : The password satisfies one of the following conditions:
Pattern
Numeric PIN has a repeating (4444) or ordered (1234, 4321, 2468) sequence.
Medium : The password satisfies one of the following conditions:
Numeric PIN doesn’t have a repeating (4444) or ordered (1234, 4321, 2468) sequence, and has
minimum length of 4.
Alphabetic, with a minimum length of 4.
Alphanumeric, with a minimum length of 4.
High : The password satisfies one of the following conditions:
Numeric PIN doesn’t have a repeating (4444) or ordered (1234, 4321, 2468) sequence, and has
minimum length of 8.
Alphabetic, with a minimum length of 6.
Alphanumeric, with a minimum length of 6.
This setting applies to:
Android 10 and newer, but not on Samsung Knox.

IMPORTANT
The Password complexity setting is a work in progress. In late October 2020, Password complexity will take
effect on devices.
If you set Password complexity to something other than None , then also set the Password setting to
Require , which is found under the All Android devices section. Users with passwords that don't meet your
complexity requirements receive a warning to update their password. If you don’t set the Password setting to
Require , users with weak passwords won’t receive the warning.
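A classifier for the None/Low/Medium/High levels listed above, which also serves the Numeric complex required password type in the next section (no repeated or consecutive digits), since both rest on the same sequence check. This is an added example, not Microsoft's or Android's code. Assumptions: a "repeating or ordered" PIN is one containing a run of more than three digits with a constant step (step 0 gives 4444; steps of 1, -1 and 2 give 1234, 4321 and 2468), modelled on the sequence check in Android's PasswordMetrics; a screen-lock pattern has no text form and is passed as the is_pattern flag; a password shorter than the Medium minimum is treated as Low.

```python
# Assumption (modelled on Android's PasswordMetrics): a run of more than three digits with
# a constant step is an "ordered" (1234, 4321, 2468) or "repeating" (4444, step 0) sequence.
MAX_ALLOWED_SEQUENCE = 3
LEVELS = ("None", "Low", "Medium", "High")


def longest_constant_step_run(pin):
    """Length of the longest run of digits in which every neighbour differs by the same amount."""
    if len(pin) < 2:
        return len(pin)
    best = run = 1
    step = None
    for a, b in zip(pin, pin[1:]):
        diff = int(b) - int(a)
        if diff == step:
            run += 1
        else:
            step, run = diff, 2      # this pair starts a new run
        best = max(best, run)
    return best


def has_ordered_or_repeating_sequence(pin):
    return longest_constant_step_run(pin) > MAX_ALLOWED_SEQUENCE


def password_complexity(password, is_pattern=False):
    """Return (kind, level); level is one of the page's None/Low/Medium/High values."""
    if is_pattern:
        return ("pattern", "Low")            # a screen-lock pattern is always Low
    if not password:
        return ("none", "None")
    n = len(password)
    if password.isdigit():
        if has_ordered_or_repeating_sequence(password) or n < 4:
            return ("pin", "Low")
        return ("pin", "High" if n >= 8 else "Medium")
    kind = "alphanumeric" if any(c.isdigit() for c in password) else "alphabetic"
    if n < 4:
        return (kind, "Low")                 # assumption: below the Medium minimum counts as Low
    return (kind, "High" if n >= 6 else "Medium")


def meets_required_complexity(required, password, is_pattern=False):
    """True when the password reaches the configured Password complexity level."""
    _, level = password_complexity(password, is_pattern)
    return LEVELS.index(level) >= LEVELS.index(required)


def satisfies_numeric_complex(pin):
    """The 'Numeric complex' required password type: a PIN with no repeated or consecutive digits."""
    return pin.isdigit() and not has_ordered_or_repeating_sequence(pin)


if __name__ == "__main__":
    # Constructed sample inputs: the page's examples plus a few that pass.
    for candidate in ("4444", "1234", "2468", "1235", "29471835", "abcd", "ab12cd"):
        print(candidate, password_complexity(candidate), "numeric complex:", satisfies_numeric_complex(candidate))
```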

Android 9 and earlier, or Samsung Knox (any version)


Minimum password length : Enter the minimum number of characters required, from 4-16. For
example, enter 6 to require at least six numbers or characters in the password.
Password expiration (days) : Enter the number of days until the device password must be changed,
from 1-365. For example, enter 90 to expire the password after 90 days. When the password expires,
users are prompted to create a new password. When the value is blank, Intune doesn't change or update
this setting.
Required password type : Enter the required password complexity level, and whether biometric devices
can be used. Your options:
Device default
Low security biometric : Allows a low-security (weak) biometric as the unlock method. For the distinction, see Android's documentation on strong vs. weak biometrics.
At least numeric : Includes numeric characters, such as 123456789 .
Numeric complex : Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed.
Before you assign this setting to devices, be sure to update the Company Portal app to the latest
version on those devices.
When set to Numeric complex , and you assign the setting to devices running an Android version
earlier than 5.0, the following behavior applies:
If the Company Portal app is running a version earlier than 1704, no PIN policy applies to
devices, and an error shows in the Microsoft Endpoint Manager admin center.
If the Company Portal app runs the 1704 version or later, only a simple PIN can be applied.
Android versions earlier than 5.0 don't support this setting. No error is shown in the Microsoft
Endpoint Manager admin center.
At least alphabetic : Includes letters in the alphabet. Numbers and symbols aren't required.
At least alphanumeric : Includes uppercase letters, lowercase letters, and numeric characters.
At least alphanumeric with symbols : Includes uppercase letters, lowercase letters, numeric
characters, punctuation marks, and symbols.
Prevent reuse of previous passwords : Use this setting to restrict users from creating previously used
passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example,
enter 5 so users can't set a new password to their current password or any of their previous four
passwords. When the value is blank, Intune doesn't change or update this setting.
Fingerprint unlock (Samsung Knox only) : Block prevents using a fingerprint to unlock devices.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow users to unlock devices using a fingerprint.
Smart Lock and other trust agents : Block prevents Smart Lock or other trust agents from adjusting
lock screen settings. A trust agent lets the device skip or relax the lock screen password while a trust
condition holds, for example while the device is connected to a specific Bluetooth device, is close to an
NFC tag, or is in a trusted location. Use Block to prevent users from configuring Smart Lock, so the lock
screen can't be bypassed by proximity alone.
When set to Not configured (default), Intune doesn't change or update this setting.
This setting applies to:
Samsung KNOX Standard 5.0 and newer

Google Play Store


Google Play store (Samsung Knox only) : Block prevents users from using the Google Play store. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
users to access the Google Play store on devices.

Restricted apps
This feature is supported on Android and Samsung Knox Standard devices.
Type of restricted apps list : Create a list of apps to allow or block on devices. This feature is supported
on Android and Samsung Knox Standard devices. Your options:
Not configured (default): Intune doesn't change or update this setting.
Prohibited apps : List the apps (not managed by Intune) that users aren't allowed to install and run. If
a user installs an app from this list, you're notified by Intune.
Approved apps : List the apps that users are allowed to install. To stay compliant, users must not
install other apps. Apps that are managed by Intune are automatically allowed, including the Company
Portal app.
Apps list : Add your app:
App store URL : Enter the Google Play Store URL of the app you want. For example, to add the
Microsoft Remote Desktop app for Android, enter
https://play.google.com/store/apps/details?id=com.microsoft.rdc.android .

To find the URL of an app, open the Google Play store, and search for the app. For example, search
for Microsoft Remote Desktop Play Store or Microsoft Planner . Select the app, and copy the URL.
App bundle ID : Enter the app bundle ID.
App name : Enter the name you want. This name is shown to users.
Publisher (optional): Enter the publisher of the app, such as Microsoft .

You can also Import a CSV file with details about the app, including the URL. Use the <app url>, <app name>,
<app publisher> format. Or, Export an existing list that includes the restricted apps list in the same format.

IMPORTANT
Device profiles that use the restricted app settings must be assigned to user groups, not device groups.
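The import/export format above is simple enough to generate and check by script. The following is an added example, not Intune code: it builds a list in the `<app url>, <app name>, <app publisher>` shape, parses an exported one back, and normalises every row to the Play Store package id (the `id` query parameter of the details URL, as in the Remote Desktop example). It assumes the file has no header row, which the text does not say either way. Comparing package ids instead of raw URLs matters because the same app can be listed through URLs that differ only in extra parameters such as `&hl=en`.

```python
"""Build and parse the restricted-apps list described above and normalise rows to package ids.

Added example for this page, not Intune code. Assumes no header row and that every URL is a
https://play.google.com/store/apps/details?id=... URL.
"""
import csv
import io
from urllib.parse import parse_qs, urlparse

PLAY_HOST = "play.google.com"
PLAY_DETAILS_PATH = "/store/apps/details"


def package_id_from_play_url(url: str) -> str:
    """Return the package id of a Play Store details URL, or raise ValueError.

    Insisting on https and the exact host and path keeps look-alike hosts and bare
    package names (those belong under 'Add apps by package name') out of the list.
    """
    parts = urlparse(url.strip())
    if parts.scheme != "https" or parts.netloc != PLAY_HOST or parts.path != PLAY_DETAILS_PATH:
        raise ValueError(f"not a Play Store details URL: {url!r}")
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1 or not ids[0]:
        raise ValueError(f"no single package id in {url!r}")
    return ids[0]


def is_play_url(url: str) -> bool:
    """True when package_id_from_play_url would accept the URL."""
    try:
        package_id_from_play_url(url)
        return True
    except ValueError:
        return False


def play_url(package_id: str) -> str:
    """Canonical Play Store URL for a package id."""
    return f"https://{PLAY_HOST}{PLAY_DETAILS_PATH}?id={package_id}"


def to_csv(entries) -> str:
    """entries: iterable of (package_id, app_name, publisher) -> text in the import format."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for package_id, name, publisher in entries:
        writer.writerow([play_url(package_id), name, publisher])
    return buf.getvalue()


def from_csv(text: str) -> dict[str, tuple[str, str]]:
    """Parse an exported list into {package_id: (app_name, publisher)}.

    Blank lines are skipped; a missing publisher (optional in the UI) becomes ''.
    Duplicate ids and non-Play URLs raise so a bad row is not silently dropped from a list.
    """
    apps: dict[str, tuple[str, str]] = {}
    for row in csv.reader(io.StringIO(text)):
        if not any(cell.strip() for cell in row):
            continue
        if len(row) < 2:
            raise ValueError(f"row needs at least a URL and a name: {row!r}")
        package_id = package_id_from_play_url(row[0])
        if package_id in apps:
            raise ValueError(f"duplicate entry for {package_id}")
        publisher = row[2].strip() if len(row) > 2 else ""
        apps[package_id] = (row[1].strip(), publisher)
    return apps


def prohibited_installed(prohibited: dict, installed_packages) -> set[str]:
    """Package ids from a 'Prohibited apps' list that appear in a device's installed set."""
    return set(prohibited) & set(installed_packages)


# Constructed sample list, not a real export; the second app is made up.
SAMPLE_EXPORT = to_csv([
    ("com.microsoft.rdc.android", "Microsoft Remote Desktop", "Microsoft"),
    ("com.example.sideloadhelper", "Sideload Helper", ""),
])

if __name__ == "__main__":
    print(SAMPLE_EXPORT)
    print(from_csv(SAMPLE_EXPORT))
```

`prohibited_installed` is the check behind the notification the text describes: given a parsed Prohibited apps list and the package names a device reports, it returns the overlap.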

Browser
Web browser (Samsung Knox only) : Block prevents the default web browser from being used on
devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the
OS might allow the device's default web browser to be used.
Autofill (Samsung Knox only) : Block prevents the browser from automatically filling in text. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
Autofill.
Cookies (Samsung Knox only) : Choose how to handle cookies from websites on devices. Your options:
Allow
Block all cookies
Allow cookies from visited web sites
Allow cookies from current web site
JavaScript (Samsung Knox only) : Block prevents JavaScript from running in the browser. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow these
scripts.
Pop-ups (Samsung Knox only) : Block turns on Pop-up Blocker to prevent pop-ups in the web browser.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow pop-ups.

Allow or Block apps


Use these settings to allow, block, or hide specific apps on Samsung Knox Standard devices. Apps that are
hidden can't be opened or run by users.
Your options:
Apps allowed to be installed (Samsung Knox Standard only) : Add apps that users can install. Users
can't install apps that aren't on the list.
Apps blocked from launching (Samsung Knox Standard only) : Enter the apps that users can't run on
their device.
Apps hidden from user (Samsung Knox Standard only) : Enter the apps that are hidden on devices.
Users can't discover or run these apps.
For each setting, add your apps:
Add apps by package name : Enter the app name, and the name of the app package. Primarily used for
line-of-business apps.
Add apps by URL : Enter the app name, and its URL in the Google Play store.
Add store app : Select an app from the existing list of apps you manage in Intune.

Cloud and Storage


Google backup (Samsung Knox only) : Block prevents devices from syncing to Google backup. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
using Google backup.
Google account auto sync (Samsung Knox only) : Block prevents the Google account auto sync feature
on devices. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow Google account settings to be automatically synchronized.
Removable storage (Samsung Knox only) : Block prevents devices from using removable storage. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
devices to use removable storage, like an SD card.
Encryption on storage cards (Samsung Knox only) : Require enforces that storage cards must be
encrypted. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow unencrypted storage cards to be used. Not all devices support storage card encryption.
To confirm, check with the device manufacturer.

Cellular and Connectivity


Data roaming (Samsung Knox only) : Block prevents data roaming over the cellular network. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
data roaming.
SMS/MMS messaging (Samsung Knox only) : Block prevents text messaging on devices. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using
SMS and MMS messaging.
Voice dialing (Samsung Knox only) : Block prevents users from using the voice dialing feature on
devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the
OS might allow voice dialing.
Voice roaming (Samsung Knox only) : Block prevents voice roaming over the cellular network. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
voice roaming.
Bluetooth (Samsung Knox only) : Block prevents using Bluetooth on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow using
Bluetooth.
NFC (Samsung Knox only) : Block disables operations that use near field communication (NFC) on devices
that support it. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow NFC operations.
Wi-Fi (Samsung Knox only) : Block prevents using Wi-Fi on devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow using Wi-Fi.
Wi-Fi tethering (Samsung Knox only) : Block prevents using Wi-Fi tethering on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow using
Wi-Fi tethering.

Kiosk
Kiosk settings apply only to Samsung Knox Standard devices, and only to apps you manage using Intune.
Add apps you want to run when the device is in kiosk mode. In kiosk mode, only the apps you add run;
apps not added don't run. Pre-installed browsers don't run as an app when the device is in kiosk mode. If
a browser is required, consider using the Managed Browser.
Your app options:
Add apps by package name : Primarily used for line-of-business apps. Enter the app name, and the
name of the app package.
Add apps by URL : Enter the app name, and its URL in the Google Play store.
Add store app : Select an app from the existing list of apps you manage in Intune.
Screen sleep button : Block prevents or hides the screen sleep button. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow the screen sleep
wake button on devices.
Volume buttons : Block prevents users from adjusting the volume by disabling the volume buttons.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow using the volume buttons on devices.

Next steps
Assign the profile and monitor its status.
You can also create kiosk profiles for Android Enterprise and Windows 10 devices.
Android device settings to configure email,
authentication, and synchronization in Intune
3/5/2021

This article describes the different email settings you can control on Android Samsung Knox devices in Intune.
As part of your mobile device management (MDM) solution, use these settings to configure an email server, use
SSL to encrypt emails, and more.
This feature applies to:
Android device administrator (DA)
As an Intune administrator, you can create and assign email settings to Android Samsung Knox Standard
devices. To learn more about email profiles in Intune, see configure email settings.

Before you begin


Create an Android device administrator Email device configuration profile.

Android (Samsung Knox)


Email server : Enter the host name of your Exchange server. For example, enter outlook.office365.com .
Account name : Enter the display name for the email account. This name is shown to users on their
devices.
Username attribute from AAD : This name is the attribute Intune gets from Azure Active Directory
(Azure AD). Intune dynamically generates the username that's used by this profile. Your options:
User Principal Name : Gets the name, such as user1 or user1@contoso.com .
User name : Gets only the name, such as user1 .
sAM Account Name : Requires the domain, such as domain\user1 . sAM account name is only used
with Android devices. Also enter:
User domain name source : Choose AAD (Azure Active Directory) or Custom .
When choosing to get the attributes from AAD , enter:
User domain name attribute from AAD : Choose to get the Full domain name or
the NetBIOS name attribute of the user.
When choosing to use Custom attributes, enter:
Custom domain name to use : Enter a value that Intune uses for the domain name,
such as contoso.com or contoso .
Email address attribute from AAD : This name is the email attribute Intune gets from Azure AD. Intune
dynamically generates the email address that's used by this profile. Your options:
User principal name : Uses the full principal name, such as user1@contoso.com or user1 , as the
email address.
Primary SMTP address : Uses the primary SMTP address, such as user1@contoso.com , to sign in to
Exchange.
Authentication method : Select either Username and Password or Certificates as the
authentication method used by the email profile.
If you select Certificate , select a client SCEP or PKCS certificate profile that you previously created to
authenticate the Exchange connection.
Security settings
SSL : Use Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server. Leave this enabled: without it, the connection to the Exchange
server, including the user's sign-in credentials, travels unencrypted. The name is historical; the device
and server negotiate whatever TLS version both support.
S/MIME : Send outgoing email using S/MIME encryption.
Synchronization settings
Amount of email to synchronize : Choose the number of days of email that you want to synchronize, or
select Unlimited to synchronize all available email.
Sync schedule : Select the schedule for devices to synchronize data from the Exchange server. You can also
select As Messages arrive , which synchronizes data when it arrives, or Manual , where the user of the
device must initiate the synchronization.
Content sync settings
Content type to sync : Select the content types that you want to synchronize on the devices. Not
configured disables this setting. When set to Not configured , if an end user enables synchronization
on the device, synchronization is disabled again the next time the device syncs with Intune, because
the policy is reapplied.
You can sync the following content:
Contacts : Choose Enable to allow end users to sync contacts to their devices.
Calendar : Choose Enable to allow end users to sync the calendar to their devices.
Tasks : Choose Enable to allow end users to sync any tasks to their devices.

Next steps
Assign the profile and monitor its status.
You can also create email profiles for Android Enterprise, iOS/iPadOS, and Windows 10 and later.
Android device settings to configure VPN in Intune
3/5/2021

This article describes the different VPN connection settings you can control on Android devices. As part of your
mobile device management (MDM) solution, use these settings to create a VPN connection, choose how the
VPN authenticates, select a VPN server type, and more.
This feature applies to:
Android device administrator (DA)
As an Intune administrator, you can create and assign VPN settings to Android devices. To learn more about VPN
profiles in Intune, see VPN profiles.

Before you begin


Create an Android device administrator VPN device configuration profile.

Base VPN
Connection name : Enter a name for this connection. End users see this name when they browse their
device for the available VPN connections. For example, enter Contoso VPN .
VPN server address : Enter the IP address or fully qualified domain name (FQDN) of the VPN server
that devices connect to. For example, enter 192.168.1.1 or vpn.contoso.com .
Authentication method : Choose how devices authenticate to the VPN server. Your options:
Certificates : Select an existing SCEP or PKCS certificate profile to authenticate the connection.
Configure certificates lists the steps to create a certificate profile.
Username and password : When signing into the VPN server, end users are prompted to enter
their user name and password.
Derived credential : Use a certificate that's derived from a user's smart card. If no derived
credential issuer is configured, Intune prompts you to add one.
For more information, see Use derived credentials in Intune.
Connection type : Select the VPN connection type. Your options:
Check Point Capsule VPN
Cisco AnyConnect
SonicWall Mobile Connect
F5 Access
Pulse Secure
Citrix SSO
Fingerprint (Check Point Capsule VPN only): Enter the fingerprint string given to you by the VPN vendor,
such as Contoso Fingerprint Code . The client uses this fingerprint to verify that it's talking to the genuine
VPN server. When the profile carries the fingerprint, the client trusts any server that presents the same
fingerprint without involving the user. If the device doesn't have the fingerprint, the client shows the
server's fingerprint and asks the user whether to trust it; the connection then depends on the user verifying
it correctly, so supplying the fingerprint in the profile is the safer choice.
Next steps
Assign the profile and monitor its status.
You can also create VPN profiles for Android Enterprise, iOS/iPadOS, macOS, Windows 10 and later, and
Windows 8.1 devices.
Add Wi-Fi settings for devices running Android
device administrator in Microsoft Intune
4/22/2021

You can create a profile with specific Wi-Fi settings, and then deploy this profile to your Android devices.
Microsoft Intune offers many features, including authenticating to your network, adding a PKCS or SCEP
certificate, and more.
This feature applies to:
Android device administrator (DA)
These Wi-Fi settings are separated into two categories: Basic settings and Enterprise-level settings. This article
describes these settings.

Before you begin


Create an Android device administrator Wi-Fi device configuration profile.

Basic
Wi-Fi type : Choose Basic .
SSID : Enter the service set identifier , which is the real name of the wireless network that devices connect
to. However, users only see the network name you configured when they choose the connection.
Hidden network : Choose Enable to hide this network from the list of available networks on the device. The
SSID isn't broadcast. Choose Disable to show this network in the list of available networks on the device.
Hiding the SSID isn't a security control: devices configured for a hidden network probe for it by name, so
the name is still visible to anyone listening nearby.

Enterprise
Wi-Fi type : Choose Enterprise .
SSID : Enter the service set identifier , which is the real name of the wireless network that devices
connect to. However, users only see the network name you configured when they choose the
connection.
Hidden network : Choose Enable to hide this network from the list of available networks on the device.
The SSID isn't broadcast. Choose Disable to show this network in the list of available networks on the
device. As with a Basic profile, hiding the SSID isn't a security control; devices probe for it by name.
EAP type : Choose the Extensible Authentication Protocol (EAP) type used to authenticate secured
wireless connections. With every EAP type, the device validates the authentication server's certificate
against the root certificate you choose before it sends any credential; a profile without server
validation lets an access point that merely broadcasts the same SSID collect those credentials. Your
options:
EAP-TLS : Also enter:
Server Trust - Root certificate for server validation : Choose an existing trusted root
certificate profile. The device uses this root certificate to verify the certificate the
authentication server presents during the handshake; it isn't sent to the server.
Client Authentication - Client certificate for client authentication (Identity
certificate) : Choose the SCEP or PKCS client certificate profile that is also deployed to the
device. This certificate is the identity the device presents to the server to authenticate
the connection.
Identity privacy (outer identity) : Enter the text sent in the response to the initial EAP
identity request, which travels in clear text before the TLS tunnel exists. This text can be
any value, such as anonymous . The real identity is sent afterwards, inside the secure tunnel.
EAP-TTLS : Also enter:
Server Trust - Root certificate for server validation : Choose an existing trusted root
certificate profile. The device uses it to verify the authentication server's certificate, as
described for EAP-TLS.
Client Authentication : Choose an Authentication method . Your options:
Username and Password : Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method (inner identity) : Choose how the user's credentials are sent inside
the TTLS tunnel. Be sure you choose the same protocol that's configured on your
Wi-Fi network. Your options:
Unencrypted password (PAP)
Challenge Handshake Authentication Protocol (CHAP)
Microsoft CHAP (MS-CHAP)
Microsoft CHAP Version 2 (MS-CHAP v2)
These inner methods are only protected by the TLS tunnel around them (PAP, for
example, sends the password as is), so the server validation above is what keeps
them from being handed to a rogue server.
Certificates : Choose the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity the device presents to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in the response to the initial EAP
identity request, before the tunnel exists. This text can be any value, such as
anonymous . The real identity is sent afterwards, inside the secure tunnel.
PEAP : Also enter:
Server Trust - Root certificate for server validation : Choose an existing trusted root
certificate profile. The device uses it to verify the authentication server's certificate, as
described for EAP-TLS.
Client Authentication : Choose an Authentication method . Your options:
Username and Password : Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method for authentication (inner identity) : Choose how the user's
credentials are sent inside the PEAP tunnel. Be sure you choose the same protocol
that's configured on your Wi-Fi network. Your options:
None
Microsoft CHAP Version 2 (MS-CHAP v2)
Certificates : Choose the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity the device presents to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in the response to the initial EAP
identity request, before the tunnel exists. This text can be any value, such as
anonymous . The real identity is sent afterwards, inside the secure tunnel.

Next steps
The profile is created, but it's not doing anything. Next, assign this profile.

More resources
Wi-Fi settings overview, including other platforms.
Using Android Enterprise or Android Kiosk devices? If yes, then look at Wi-Fi settings for devices running
Android Enterprise and dedicated devices.
Use custom settings for Android Enterprise devices
in Microsoft Intune
3/5/2021

Using Microsoft Intune, you can add or create custom settings for your Android Enterprise personally owned
devices with a work profile using a "custom profile". Custom profiles are a feature in Intune. They are designed
to add device settings and features that aren't built in to Intune.
This feature applies to:
Android Enterprise personally owned devices with a work profile (BYOD)
Android Enterprise custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings to
control features on Android Enterprise devices. These settings are typically used by mobile device manufacturers
to control these features.
Intune supports the following limited number of Android Enterprise custom profiles:
./Vendor/MSFT/WiFi/Profile/SSID/Settings: Create a Wi-Fi profile with a pre-shared key has some examples.
./Vendor/MSFT/VPN/Profile/Name/PackageList: Create a per-app VPN profile has some examples.
./Vendor/MSFT/WorkProfile/DisallowCrossProfileCopyPaste: See the example in this article. This setting is
also available in the user interface. For more information, see Android Enterprise device settings to allow or
restrict features.
If you need additional settings, see OEMConfig for Android Enterprise.
This article shows you how to create a custom profile for Android Enterprise devices. It also provides an example
of a custom profile that blocks copy-and-paste.

Create the profile


1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following settings:
Platform : Select Android Enterprise .
Profile : Select Personally-owned work profile > Custom .
4. Select Create .
5. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, a good profile name is Android Enterprise custom profile .
Description : Enter a description for the profile. This setting is optional, but recommended.
6. Select Next .
7. In Configuration settings > OMA-URI Settings , select Add . Enter the following settings:
Name : Enter a unique name for the OMA-URI setting so you can easily find it.
Description : Enter a description that gives an overview of the setting, and any other important
details.
OMA-URI : Enter the OMA-URI you want to use as a setting.
Data type : Select the data type you'll use for this OMA-URI setting. Your options:
String
String (XML file)
Date and time
Integer
Floating point
Boolean
Base64 (file)
Value : Enter the data value you want to associate with the OMA-URI you entered. The value
depends on the data type you selected. For example, if you select Date and time , select the value
from a date picker.
After you add some settings, you can select Export . Export creates a list of all the values you added in a
comma-separated values (.csv) file.
8. Select Save to save your changes. Continue to add more settings as needed.
Select Next .
9. In Scope tags (optional) > Select scope tags , choose your scope tags to assign to the profile. For more
information, see Use RBAC and scope tags for distributed IT.
Select Next .
10. In Assignments , select the groups that will receive this profile. For more information on assigning
profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , when you're done, choose Create . The profile is created, and shown in the list.
You can also monitor its status.

Example
In this example, you create a custom profile that restricts copy and paste actions between work and personal
apps on Android Enterprise devices.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile .
3. Enter the following settings:
Platform : Select Android Enterprise .
Profile : Select Personally-owned work profile > Custom .
4. In Basics , enter the following properties:
Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them
later. For example, enter AE block copy paste custom profile .
Description : Enter a description for the profile. This setting is optional, but recommended.
5. Select Next .
6. In Configuration settings > OMA-URI Settings , select Add . Enter the following settings:
Name : Enter something like Block copy and paste .
Description : Enter something like Blocks copy/paste between work and personal apps .
OMA-URI : Enter ./Vendor/MSFT/WorkProfile/DisallowCrossProfileCopyPaste .
Data type : Select Boolean so the value for this OMA-URI is True or False .
Value : Select True .
Your settings look similar to the following image:

7. Select Save to save your changes. Continue to add more settings as needed. After you add some settings,
you can select Export . Export creates a list of all the values you added in a comma-separated values
(.csv) file.
After you enter the settings, your environment looks similar to the following image:

8. Select Next .
9. In Scope tags (optional) > Select scope tags , choose your scope tags to assign to the profile. For more
information, see Use RBAC and scope tags for distributed IT.
Select Next .
10. In Assignments , select the groups that will receive this profile. For more information on assigning
profiles, see Assign user and device profiles.
Select Next .
11. In Review + create , when you're done, choose Create . The profile is created and is shown in the list.
When you assign this profile to Android Enterprise devices you manage, copy and paste is blocked
between apps in the work and personal profiles.
You can also monitor its status.
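The wizard steps above, and the copy-and-paste example in particular, can be reproduced by script. The following is an added example, not Intune's code: it assembles the Microsoft Graph request body that creates the same custom profile, applying the same checks the wizard applies (the OMA-URI must be one of the three supported paths, and the value must match the chosen data type). Sending the body is a POST to https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations with an Intune-scoped token, which is left out so the code runs offline. Two assumptions are this example's own and are marked in the code: the `@odata.type` names (`androidWorkProfileCustomConfiguration` and the `omaSetting*` types) are written from memory of the Graph deviceConfiguration schema and should be confirmed against the Graph reference, and `SSID` and `Name` in the two network OMA-URIs are treated as placeholders for the real SSID and connection name.

```python
"""Build the Graph request body for the Android Enterprise custom profile above.

Added example for this page, not Intune's code. No network call is made.
"""
import json
import re
from datetime import datetime

# The three OMA-URIs the page lists as supported. Assumption: SSID and Name are
# placeholders for the real SSID / connection name, so any single path segment is accepted.
SUPPORTED_OMA_URI = [
    re.compile(r"^\./Vendor/MSFT/WiFi/Profile/[^/]+/Settings$"),
    re.compile(r"^\./Vendor/MSFT/VPN/Profile/[^/]+/PackageList$"),
    re.compile(r"^\./Vendor/MSFT/WorkProfile/DisallowCrossProfileCopyPaste$"),
]

# Wizard data type -> (Graph omaSetting type written from memory, required Python type).
DATA_TYPES = {
    "String": ("#microsoft.graph.omaSettingString", str),
    "String (XML file)": ("#microsoft.graph.omaSettingStringXml", str),
    "Date and time": ("#microsoft.graph.omaSettingDateTime", str),   # ISO 8601 text
    "Integer": ("#microsoft.graph.omaSettingInteger", int),
    "Floating point": ("#microsoft.graph.omaSettingFloatingPoint", float),  # pass 1.0, not 1
    "Boolean": ("#microsoft.graph.omaSettingBoolean", bool),
    "Base64 (file)": ("#microsoft.graph.omaSettingBase64", str),
}


def is_supported_oma_uri(oma_uri: str) -> bool:
    """True when the OMA-URI is one of the paths Intune supports for work profiles."""
    return any(pattern.match(oma_uri) for pattern in SUPPORTED_OMA_URI)


def oma_setting(name: str, description: str, oma_uri: str, data_type: str, value) -> dict:
    """One row of the OMA-URI Settings table, typed and checked the way the wizard does."""
    if not is_supported_oma_uri(oma_uri):
        raise ValueError(f"{oma_uri} is not a supported Android Enterprise OMA-URI")
    if data_type not in DATA_TYPES:
        raise ValueError(f"unknown data type {data_type!r}")
    odata_type, py_type = DATA_TYPES[data_type]
    # bool is a subclass of int, so an Integer setting must reject True/False explicitly.
    if not isinstance(value, py_type) or (py_type is int and isinstance(value, bool)):
        raise TypeError(f"{name}: {data_type} needs a {py_type.__name__}, got {value!r}")
    if data_type == "Date and time":
        datetime.fromisoformat(value)  # raises ValueError for a malformed picker value
    return {"@odata.type": odata_type, "displayName": name,
            "description": description, "omaUri": oma_uri, "value": value}


def custom_profile(name: str, description: str, settings) -> dict:
    """Body for a personally-owned work profile custom configuration."""
    settings = list(settings)
    if not settings:
        raise ValueError("a custom profile needs at least one OMA-URI setting")
    return {"@odata.type": "#microsoft.graph.androidWorkProfileCustomConfiguration",
            "displayName": name, "description": description, "omaSettings": settings}


def block_copy_paste_profile() -> dict:
    """The page's example: block copy/paste between work and personal apps."""
    setting = oma_setting(
        "Block copy and paste",
        "Blocks copy/paste between work and personal apps",
        "./Vendor/MSFT/WorkProfile/DisallowCrossProfileCopyPaste",
        "Boolean", True)
    return custom_profile("AE block copy paste custom profile",
                          "Work profile custom settings", [setting])


if __name__ == "__main__":
    print(json.dumps(block_copy_paste_profile(), indent=2))
```

Because `oma_setting` rejects any path outside the three supported ones, a Windows-style policy path pasted into an Android Enterprise profile fails before anything is sent, instead of being created and then silently ignored by the device.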

Next steps
Assign the profile and monitor its status.
Create a custom profile on Android device administrator devices.
Android Enterprise device settings to allow or
restrict features using Intune
3/26/2021

This article describes the different settings you can control on Android Enterprise devices. As part of your
mobile device management (MDM) solution, use these settings to allow or disable features, run apps on
dedicated devices, control security, and more.
This feature applies to:
Android Enterprise personally owned devices with a work profile (BYOD)
Android Enterprise corporate-owned work profile (COPE)
Android Enterprise corporate owned fully managed (COBO)
Android Enterprise corporate owned dedicated devices (COSU)
For Android device administrator, see Android and Samsung Knox Standard device restrictions.

Before you begin


Create an Android Enterprise device restrictions profile:
Fully managed, dedicated, and corporate-owned work profile
Personally owned devices with a work profile

Fully Managed, Dedicated, and Corporate-Owned Work Profile


These settings apply to Android Enterprise enrollment types where Intune controls the entire device, such as
Android Enterprise fully managed, dedicated, and corporate-owned work profile devices.
Some settings are not supported by all enrollment types. To see which settings are supported by which
enrollment types, see the user interface. Each setting is under a heading that indicates the enrollment types that
can use the setting.
For corporate-owned devices with a work profile, some settings only apply in the work profile. These settings
have (work profile-level) in the setting name. For fully managed and dedicated devices, these settings apply
device-wide.

General
Fully managed, dedicated, and corporate-owned work profile devices
Screen capture (work profile-level) : Block prevents screenshots or screen captures on the device. It
also prevents the content from being shown on display devices that don't have a secure video output.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might let users capture the screen contents as an image.
Camera (work profile-level) : Block prevents access to the camera on the device. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow access
to the camera.
Intune only manages access to the device camera. It doesn't have access to pictures or videos.
Default permission policy (work profile-level) : This setting defines the default permission policy for
requests for runtime permissions. Your options:
Device default (default): Use the device's default setting.
Prompt : Users are prompted to approve the permission.
Auto grant : Permissions are automatically granted.
Auto deny : Permissions are automatically denied.
Date and Time changes : Block prevents users from manually setting the date and time. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
users to the set date and time on the device.
Safe boot : Block prevents users from rebooting the device into safe mode. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow users
to reboot the device in safe mode.
Roaming data ser vices : Block prevents data roaming over the cellular network. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow data
roaming when the device is on a cellular network.
Wi-Fi access point configuration : Block prevents users from creating or changing any Wi-Fi
configurations. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to change the Wi-Fi settings on the device.
Bluetooth configuration : Block prevents users from configuring Bluetooth on the device. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
using Bluetooth on the device.
Tethering and access to hotspots : Block prevents tethering and access to portable hotspots. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow tethering and access to portable hotspots.
USB file transfer : Block prevents transferring files over USB. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow transferring files.
External media : Block prevents using or connecting any external media on the device. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow
external media on the device.
Beam data using NFC (work-profile level) : Block prevents using the Near Field Communication
(NFC) technology to beam data from apps. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow using NFC to share data between devices.
Debugging features : Choose Allow to let users use debugging features on the device. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might prevent
users from using the debugging features on the device.
Microphone adjustment : Block prevents users from unmuting the microphone and adjusting the
microphone volume. When set to Not configured (default), Intune doesn't change or update this setting.
By default, the OS might allow users to use and adjust the volume of the microphone on the device.
Factory reset protection emails : Choose Google account email addresses. Enter the email
addresses of device administrators that can unlock the device after it's wiped. Be sure to separate the
email addresses with a semi-colon, such as admin1@gmail.com;admin2@gmail.com. If an email isn't entered,
anyone can unlock the device after it's restored to the factory settings. These emails only apply when a
non-user factory reset is run, such as running a factory reset using the recovery menu.
When set to Not configured (default), Intune doesn't change or update this setting.
System update : Choose an option to define how the device handles over-the-air updates. Your options:
Device Default (default): Use the device's default setting.
Automatic : Updates are automatically installed without user interaction. Setting this policy
immediately installs any pending updates.
Postponed : Updates are postponed for 30 days. At the end of the 30 days, Android prompts users to
install the update. It's possible for device manufacturers or carriers to prevent (exempt) important
security updates from being postponed. An exempted update shows a system notification to users on
the device.
Maintenance window : Installs updates automatically during a daily maintenance window that you
set in Intune. Installation tries daily for 30 days, and can fail if there's insufficient space or battery
levels. After 30 days, Android prompts users to install. This window is also used to install updates for
Play apps. Use this option for dedicated devices, such as kiosks, as single-app dedicated device
foreground apps can be updated.
Fully managed and dedicated devices
Volume changes : Block prevents users from changing the device's volume, and also mutes the main
volume. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow using the volume settings on the device.
Factory reset : Block prevents users from using the factory reset option in the device's settings. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow users to use this setting on the device.
Status bar : Block prevents access to the status bar, including notifications and quick settings. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
users access to the status bar.
Wi-Fi setting changes : Block prevents users from changing Wi-Fi settings created by the device owner.
Users can create their own Wi-Fi configurations. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to change the Wi-Fi settings on the
device.
USB storage : Choose Allow to access USB storage on the device. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might prevent access to USB
storage.
Network escape hatch : Enable allows users to turn on the network escape hatch feature. If a network
connection isn't made when the device boots, then the escape hatch asks to temporarily connect to a
network and refresh the device policy. After applying the policy, the temporary network is forgotten and
the device continues booting. This feature connects devices to a network if:
There isn't a suitable network in the last policy.
The device boots into an app in lock task mode.
Users are unable to reach the device settings.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might prevent users from turning on the network escape hatch feature on the device.
Notification windows : When set to Disable , window notifications, including toasts, incoming calls,
outgoing calls, system alerts, and system errors aren't shown on the device. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might show
notifications.
Skip first use hints : Enable hides or skips suggestions from apps that step through tutorials, or hints
when the app starts. When set to Not configured (default), Intune doesn't change or update this setting.
By default, the OS might show these suggestions when the app starts.
Dedicated devices
Power button menu : Block hides the power options when users hold down the power button when in
kiosk mode. Hiding these options prevents users from accidentally or intentionally shutting down
devices. When set to Not configured (default), Intune doesn't change or update this setting. By default,
when users hold down the power button on a device, they're shown power options, such as Restart and
Power off.
This setting applies to:
Android 9.0 and newer
System error warnings : Allow shows system warnings on the screen when in kiosk mode, including
unresponsive apps and system warnings. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might hide these warnings. When one of these events occurs,
the system forces the app to close.
This setting applies to:
Android 9.0 and newer
Enabled system navigation features : Allow users to access the device home and overview buttons
when in kiosk mode. Your options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS might
disable the device home and overview buttons.
Home button only : Users can see and select the home button. They can't see or select the overview
buttons.
Home and overview buttons : Users can see and select the home and overview buttons.
This setting applies to:
Android 9.0 and newer
System notifications and information : Allow users to access the device status bar, and receive
notifications from the status bar when in kiosk mode. Your options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS might
disable the status bar, and disable notifications on the status bar.
Show system information in device's status bar : Users can see system information on the status
bar. Users can't see or receive notifications from the status bar.
Show system notifications and information in device's status bar : Users can see the system
information, and receive notifications from the status bar. To see notifications, enable the device home
button using the Enabled system navigation features setting.
This setting applies to:
Android 9.0 and newer
End-user access to device settings : Block prevents users from accessing the Settings app. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
users to access the Settings app.
This setting applies to:
Android 9.0 and newer
System security
Threat scan on apps : Require (default) enables Google Play Protect to scan apps before and after they're
installed. If it detects a threat, it may warn users to remove the app from the device. When set to Not
configured , Intune doesn't change or update this setting. By default, the OS might not enable or run Google
Play Protect to scan apps.
Device experience
Use these settings to configure a kiosk-style experience on your dedicated devices, or to customize the home
screen experiences on your fully managed devices. You can configure devices to run one app, or run many apps.
When a device is set with kiosk mode, only the apps you add are available.
Enrollment profile type : Select an enrollment profile type to start configuring Microsoft Launcher or the
Microsoft Managed Home Screen on your devices. Your options:
Not configured : Intune doesn't change or update this setting. By default, users might see the device's
default home screen experience.
Dedicated device : Configure a kiosk-style experience on your dedicated devices. Before you configure
these settings, be sure to add and assign the apps you want on the devices.
Kiosk mode : Choose if the device runs one app or runs multiple apps. Your options:
Not configured : Intune doesn't change or update this setting.
Single app : Users can only access a single app on the device. When the device starts, only
the specific app starts. Users are restricted from opening new apps or from changing the
running app.
Select an app to use for kiosk mode : Select the managed Google Play app from the
list.

IMPORTANT
When using single-app kiosk mode, enable system notifications if you want to use dialer/phone apps.
This feature is available on Android devices running 9.0 and newer. To enable system notifications,
see General settings for dedicated devices (in this article).

Multi-app : Users can access a limited set of apps on the device. When the device starts,
only the apps you add start. You can also add some web links that users can open. When
the policy is applied, users see icons for the allowed apps on the home screen.

IMPORTANT
For multi-app dedicated devices, the Managed Home Screen app from Google Play must be:
Added in Intune
Assigned to the device group created for your dedicated devices
The Managed Home Screen app isn't required to be in the configuration profile, but it's required
to be added as an app. When the Managed Home Screen app is added, any other apps you
add in the configuration profile are shown as icons on the Managed Home Screen app.
When using multi-app kiosk mode, enable system notifications if you want to use dialer/phone apps.
This feature is available on Android devices running 9.0 and newer. To enable system notifications,
see General settings for dedicated devices (in this article).
For more information on the Managed Home Screen, see Set up Microsoft Managed Home Screen
on dedicated devices in multi-app kiosk mode.

Custom app layout : Enable lets you put apps and folders in different places on the
Managed Home Screen. When set to Not configured , Intune doesn't change or
update this setting. By default, the apps and folders you add are shown on the home
screen in alphabetical order.
Grid size : Select the size of your home screen. An app or folder takes one
place on the grid.
Home screen : Select the add button, and select an app from the list. Select
the Folder option to create a folder, enter the Folder name , and add apps
from your list to the folder.
When you add items, select the context menu to remove items, or move them
to different positions:
Add : Select your apps from the list.
If the Managed Home Screen app isn't listed, then add it from Google Play. Be sure
to assign the app to the device group created for your dedicated devices.
You can also add other Android apps and web apps created by your organization to
the device. Be sure to assign the app to the device group created for your dedicated
devices.

IMPORTANT
When using multi-app mode, every app in the policy must be a required app, and must be
assigned to the devices. If an app isn't required, or isn't assigned, then the devices may lock
out users, and show a "Contact your IT admin. This phone will be erased." message.

Lock home screen : Enable prevents users from moving app icons and folders.
They're locked, and can't be dragged-and-dropped to different places on the grid.
When set to Not configured , Intune doesn't change or update this setting. By
default, users can move these items.
Folder icon : Select the color and shape of the folder icon that's shown on the
Managed Home Screen. Your options:
Not configured
Dark theme rectangle
Dark theme circle
Light theme rectangle
Light theme circle
App and Folder icon size : Select the size of the folder icon that's shown on the
Managed Home Screen. Your options:
Not configured
Extra small
Small
Average
Large
Extra large
Depending on the screen size, the actual icon size may be different.
Screen orientation : Select the direction the Managed Home Screen is shown on
devices. Your options:
Not configured
Portrait
Landscape
Autorotate
App notification badges : Enable shows the number of new and unread
notifications on app icons. When set to Not configured , Intune doesn't change or
update this setting.
Virtual home button : A soft-key button that returns users to the Managed Home
Screen so users can switch between apps. Your options:
Not configured (default): A home button isn't shown. Users must use the back
button to switch between apps.
Swipe-up : A home button shows when a user swipes up on the device.
Floating : Shows a persistent, floating home button on the device.
Leave kiosk mode : Enable allows Administrators to temporarily pause kiosk mode
to update the device. To use this feature, the administrator:
1. Continues to select the back button until the Exit kiosk button shows.
2. Selects the Exit kiosk button, and enters the Leave kiosk mode code PIN.
3. When finished, select the Managed Home Screen app. This step relocks the
device into multi-app kiosk mode.
When set to Not configured (default), Intune doesn't change or update this setting.
By default, the OS might prevent administrators from pausing kiosk mode. If the
administrator keeps selecting the back button, and selects the Exit kiosk button,
then a message states that a passcode is required.
Leave kiosk mode code : Enter a 4-6 digit numeric PIN. The administrator uses this
PIN to temporarily pause kiosk mode.
Set custom URL background : Enter a URL to customize the background screen on
the dedicated device. For example, enter http://contoso.com/backgroundimage.jpg .

NOTE
For most cases, we recommend starting with images of at least the following sizes:
Phone: 1080x1920 px
Tablet: 1920x1080 px
For the best experience and crisp details, it's suggested that per device image assets be
created to the display specifications.
Modern displays have higher pixel densities and can display equivalent 2K/4K definition
images.

Shortcut to settings menu : Disable hides the Managed Settings shortcut on the
Managed Home Screen. Users can still swipe down to access the settings. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the Managed Settings shortcut is shown on devices. Users can also swipe
down to access these settings.
Quick access to debug menu : This setting controls how users access the debug
menu. Your options:
Enable : Users can access the debug menu easier. Specifically, they can swipe
down, or use the Managed Settings shortcut. As always, they can continue to
select the back button 15 times.
Not configured (default): Intune doesn't change or update this setting. By
default, easy access to the debug menu is turned off. Users must select the back
button 15 times to open the debug menu.
Using the debug menu, users can:
See and upload Managed Home Screen logs
Open Google's Android Device Policy Manager app
Open the Microsoft Intune app
Exit kiosk mode
Wi-Fi configuration : Enable shows the Wi-Fi control on the Managed Home
Screen, and allows users to connect the device to different Wi-Fi networks. Enabling
this feature also turns on device location. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might not show the
Wi-Fi control on the Managed Home Screen. It prevents users from connecting to
Wi-Fi networks while using the Managed Home Screen.
Wi-Fi allow list : Create a list of valid wireless network names, also known as
the service set identifier (SSID). Managed Home Screen users can only
connect to the SSIDs you enter.
When left blank, Intune doesn't change or update this setting. By default, all
available Wi-Fi networks are allowed.
Import a .csv file that includes a list of valid SSIDs.
Export your current list to a .csv file.
SSID : You can also enter the Wi-Fi network names (SSID) that Managed Home
Screen users can connect to. Be sure to enter valid SSIDs.
IMPORTANT
In the October 2020 release, the Managed Home Screen API was updated to be compliant
with the Google Play Store requirements. The following changes impact Wi-Fi configuration
policies in the Managed Home Screen:
Users can't enable or disable Wi-Fi connections on devices. Users can switch
between Wi-Fi networks, but can't turn Wi-Fi on or off.
If a Wi-Fi network is password protected, then users must enter the password. After
they enter the password, the configured network automatically connects. If they
disconnect and then reconnect to the Wi-Fi network, then users may need to enter
the password again.
On Android 11 devices, when users connect to a network using the Managed
Home Screen, they're prompted to consent. This prompt comes from Android, and
isn't specific to the Managed Home Screen.
On Android 10 devices, when users connect to a network using the Managed
Home Screen, a notification prompts them to consent. So, users need access to the
status bar and notifications to consent. To enable system notifications, see General
settings for dedicated devices (in this article).
On Android 10 devices, when users connect to a password protected Wi-Fi network
using the Managed Home Screen, they're prompted for the password. If the device
is connected to an unstable network, then the Wi-Fi network changes. This
behavior happens even when users enter the correct password.

Bluetooth configuration : Enable shows the Bluetooth control on the Managed
Home Screen, and allows users to pair devices over Bluetooth. Enabling this feature
also turns on device location. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might not show the Bluetooth
control on the Managed Home Screen. It prevents users from configuring Bluetooth
and pairing devices while using the Managed Home Screen.
Flashlight access : Enable shows the flashlight control on the Managed Home
Screen, and allows users to turn the flashlight on or off. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS
might not show the flashlight control on Managed Home Screen. It prevents users
from using the flashlight while using the Managed Home Screen.
Media volume control : Enable shows the media volume control on the Managed
Home Screen, and allows users to adjust the device's media volume using a slider.
When set to Not configured (default), Intune doesn't change or update this setting.
By default, the OS might not show the media volume control on Managed Home
Screen. It prevents users from adjusting the device's media volume while using the
Managed Home Screen, unless their hardware buttons support it.
Quick access to device information : Enable allows users to swipe down to see
the device information on the Managed Home Screen, such as the serial number,
make and model number, and SDK level. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the device information might
not be shown.
Screen saver mode : Enable shows a screensaver on the Managed Home Screen
when the device is locked or times out. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might not show a
screensaver on the Managed Home Screen.
When enabled, also configure:
Set custom screen saver image : Enter the URL to a custom PNG, JPG,
JPEG, GIF, BMP, WebP, or ICO image. If you don't enter a URL, then the device's
default image is used, if there's a default image.
For example, enter:
http://www.contoso.com/image.jpg
www.contoso.com/image.bmp
https://www.contoso.com/image.webp

TIP
Any file resource URL that can be turned into a bitmap is supported.

Number of seconds the device shows screen saver before turning
off screen : Choose how long the device shows the screensaver. Enter a value
between 0-9999999 seconds. Default is 0 seconds. When left blank, or set to
zero ( 0 ), the screen saver is active until a user interacts with the device.
Number of seconds the device is inactive before showing screen
saver : Choose how long the device is idle before showing the screensaver.
Enter a value between 1-9999999 seconds. Default is 30 seconds. You must
enter a number greater than zero ( 0 ).
Detect media before starting screen saver : Enable (default) doesn't
show the screen saver if audio or video is playing on the device. When set to
Not configured (default), Intune doesn't change or update this setting. By
default, the OS might show the screen saver, even if audio or video is playing.
Fully managed : Configures the Microsoft Launcher app on fully managed devices.
Make Microsoft Launcher the default launcher : Enable sets Microsoft Launcher as the
default launcher on the home screen. If you make Launcher the default, users can't use another
launcher. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the Microsoft Launcher isn't forced as the default launcher.
Configure custom wallpaper : In the Microsoft Launcher app, Enable lets you apply your own
image as the home screen wallpaper, and choose if users can change the image. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the device keeps its
current wallpaper.
Enter URL of wallpaper image : Enter the URL of your wallpaper image. This image shows
on the device home screen. For example, enter http://www.contoso.com/image.jpg .
Allow user to modify wallpaper : Enable allows users to change the wallpaper image. When
set to Not configured (default), Intune doesn't change or update this setting. By default, users
are prevented from changing the wallpaper.
Enable launcher feed : Enable turns on the launcher feed, which shows calendars, documents,
and recent activities. When set to Not configured (default), Intune doesn't change or update this
setting. By default, this feed isn't shown.
Allow user to enable/disable feed : Enable lets users enable or disable the launcher feed.
Enable only forces this setting the first time the profile is assigned. Any future profile
assignments don't force this setting. When set to Not configured (default), Intune doesn't
change or update this setting. By default, users are prevented from changing the launcher feed
settings.
Dock presence : The dock gives users quick access to their apps and tools. Your options:
Not configured (default): Intune doesn't change or update this setting.
Show : The dock is shown on devices.
Hide : The dock is hidden. Users must swipe up to access the dock.
Disabled : The dock isn't shown on devices, and users are prevented from showing it.
Allow user to change dock presence : Enable allows users to show or hide the dock. Enable
only forces this setting the first time the profile is assigned. Any future profile assignments don't
force this setting. When set to Not configured (default), Intune doesn't change or update this
setting. By default, users aren't allowed to change the device dock configuration.
Search bar replacement : Choose where to put the search bar. Your options:
Not configured (default): Intune doesn't change or update this setting.
Top : Search bar is shown at the top of devices.
Bottom : Search bar is shown at the bottom of devices.
Hide : Search bar is hidden.
Device password
Fully managed, dedicated, and corporate-owned work profile devices
Required password type : Enter the required password complexity level, and whether biometric devices
can be used. Your options:
Device default (default): Most devices don't require a password when set to Device default. If
you want to require users to set up a passcode on their devices, configure this setting to
something more secure than Device default.
Password required, no restrictions
Weak biometric : See Strong vs. weak biometrics on Android's web site.
Numeric : Password must only be numbers, such as 123456789. Also enter:
Minimum password length : Enter the minimum length the password must have, between 4
and 16 characters.
Numeric complex : Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed.
Also enter:
Minimum password length : Enter the minimum length the password must have, between 4
and 16 characters.
Alphabetic : Letters in the alphabet are required. Numbers and symbols aren't required. Also
enter:
Minimum password length : Enter the minimum length the password must have, between 4
and 16 characters.
Alphanumeric : Includes uppercase letters, lowercase letters, and numeric characters. Also enter:
Minimum password length : Enter the minimum length the password must have, between 4
and 16 characters.
Alphanumeric with symbols : Includes uppercase letters, lowercase letters, numeric characters,
punctuation marks, and symbols. Also enter:
Minimum password length : Enter the minimum length the password must have, between 4
and 16 characters.
Number of characters required : Enter the number of characters the password must have,
between 0 and 16 characters.
Number of lowercase characters required : Enter the number of lowercase characters the
password must have, between 0 and 16 characters.
Number of uppercase characters required : Enter the number of uppercase characters the
password must have, between 0 and 16 characters.
Number of non-letter characters required : Enter the number of non-letters (anything
other than letters in the alphabet) the password must have, between 0 and 16 characters.
Number of numeric characters required : Enter the number of numeric characters ( 1 , 2 ,
3 , and so on) the password must have, between 0 and 16 characters.
Number of symbol characters required : Enter the number of symbol characters ( & , # ,
% , and so on) the password must have, between 0 and 16 characters.
Number of days until password expires : Enter the number of days, until the device password must
be changed, from 1-365. For example, enter 90 to expire the password after 90 days. When the
password expires, users are prompted to create a new password. When the value is blank, Intune doesn't
change or update this setting.
Number of passwords required before user can reuse a password : Use this setting to restrict
users from creating previously used passwords. Enter the number of previously used passwords that
can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current
password or any of their previous four passwords. When the value is blank, Intune doesn't change or
update this setting.
Number of sign-in failures before wiping device : Enter the number of wrong passwords allowed
before the device is wiped, from 4-11. When the value is blank, Intune doesn't change or update this
setting.

NOTE
Users on fully managed and corporate-owned work profile devices are not prompted to set a password. The
settings are required, but users might not be notified. Users need to set the password manually. The policy
reports as failed until the user sets a password that meets your requirements.
On dedicated devices running OS 9 and newer, users are prompted to set a password if the device is set up with
single or multi-app kiosk mode. Screens force and guide users to create a compliant password before they can
continue using the device.
On dedicated devices running OS 8 and older, or dedicated devices that are not using kiosk mode, users are not
notified of any password requirement. Users need to set the password manually. The policy reports as failed until
the user sets a password that meets your requirements.
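
The password settings above (required password type, minimum length, the per-class character counts, and the reuse history) can be checked locally with the following Python. This is an added example, not Intune's or Android's code: the option names used in PasswordPolicy, the constant MAX_SEQUENCE, and the rule that a run of more than three repeated or consecutive digits fails "Numeric complex" are this example's own assumptions, modelled on the descriptions on this page.

```python
"""Evaluate a candidate device password against the Android Enterprise
password settings described on this page. Added example, not Intune or Android
code; the policy field names and the sequence threshold are this example's own."""
from dataclasses import dataclass
from typing import List, Sequence

# Longest allowed run of repeated or consecutive digits for "Numeric complex".
# A threshold of 3 rejects "1111", "1234" and "4321" (assumption of this example).
MAX_SEQUENCE = 3


@dataclass
class PasswordPolicy:
    # One of: device_default, password_required_no_restrictions, weak_biometric,
    # numeric, numeric_complex, alphabetic, alphanumeric, alphanumeric_with_symbols
    required_type: str = "device_default"
    min_length: int = 4          # page: 4-16 characters
    # Character-class minimums, page: 0-16 (used by "Alphanumeric with symbols")
    min_letters: int = 0
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_nonletter: int = 0
    min_numeric: int = 0
    min_symbols: int = 0
    # "Number of passwords required before user can reuse a password", 1-24
    history: int = 0


def longest_sequence(s: str) -> int:
    """Length of the longest run whose neighbouring characters differ by a
    constant of -1, 0 or +1 (so '1111', '1234' and '4321' each score 4)."""
    best = run = 1 if s else 0
    diff = None
    for a, b in zip(s, s[1:]):
        d = ord(b) - ord(a)
        if d in (-1, 0, 1) and d == diff:
            run += 1
        elif d in (-1, 0, 1):
            diff, run = d, 2
        else:
            diff, run = None, 1
        best = max(best, run)
    return best


def check_password(pw: str, policy: PasswordPolicy,
                   history: Sequence[str] = ()) -> List[str]:
    """Return the list of violations; an empty list means the password
    satisfies the policy. `history` holds previous passwords, newest first."""
    t = policy.required_type
    problems: List[str] = []
    if t == "device_default":
        return problems                      # page: most devices require nothing
    if not pw:
        return ["a password is required"]
    if t in ("password_required_no_restrictions", "weak_biometric"):
        pass                                 # any non-empty password is accepted
    else:
        if len(pw) < policy.min_length:
            problems.append(f"shorter than {policy.min_length} characters")
        letters = sum(c.isalpha() for c in pw)
        digits = sum(c.isdigit() for c in pw)
        symbols = sum(not c.isalnum() for c in pw)
        if t in ("numeric", "numeric_complex"):
            if not pw.isdigit():
                problems.append("must contain only numbers")
            elif t == "numeric_complex" and longest_sequence(pw) > MAX_SEQUENCE:
                problems.append("contains a repeated or consecutive digit run")
        elif t == "alphabetic":
            if letters == 0:
                problems.append("must contain letters")
        elif t == "alphanumeric":
            if letters == 0 or digits == 0:
                problems.append("must contain both letters and numbers")
        elif t == "alphanumeric_with_symbols":
            counts = {
                "letter": (letters, policy.min_letters),
                "lowercase": (sum(c.islower() for c in pw), policy.min_lowercase),
                "uppercase": (sum(c.isupper() for c in pw), policy.min_uppercase),
                "non-letter": (len(pw) - letters, policy.min_nonletter),
                "numeric": (digits, policy.min_numeric),
                "symbol": (symbols, policy.min_symbols),
            }
            for name, (have, need) in counts.items():
                if have < need:
                    problems.append(f"needs {need} {name} character(s), has {have}")
        else:
            raise ValueError(f"unknown required password type: {t}")
    # Reuse check: "enter 5 so users can't set ... their previous four passwords"
    if policy.history and pw in history[:policy.history]:
        problems.append(f"matches one of the last {policy.history} passwords")
    return problems


if __name__ == "__main__":
    pin_policy = PasswordPolicy("numeric_complex", min_length=6)
    print(check_password("123456", pin_policy))   # rejected: consecutive run
    print(check_password("205817", pin_policy))   # accepted
```

The checker returns every violation rather than stopping at the first one, which is what an administrator needs when deciding why a device reports the policy as failed; the history argument is the list of previous passwords with the most recent first, matching the page's "enter 5" explanation.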

Disabled lock screen features : When the device is locked, choose the features that can't be used. For
example, when Secure camera is checked, the camera feature is disabled on the device. Any features not
checked are enabled on the device.
These features are available to users when the device is locked. Users won't see or access features that
are checked.
On corporate-owned work profile devices, only Unredacted notifications , Trust agents , and
Fingerprint unlock can be disabled.
If users turn off the Use one lock setting on their device, then disabling Fingerprint unlock and
disabling Trust agents apply at the corporate-owned work profile-level. If users turn on the Use one
lock setting, then disabling Fingerprint unlock and disabling Trust agents apply at the device-
level.
Fully managed and dedicated devices
Disable lock screen : Disable blocks all Keyguard lock screen features from being used. When set to Not
configured (default), Intune doesn't change or update this setting. By default, when the device is in lock
screen, the OS might allow all the Keyguard features, such as camera, fingerprint unlock, and more.
Power settings
Fully managed, dedicated, and corporate-owned work profile devices
Time to lock screen (work profile-level) : Enter the maximum time a user can set until the device locks.
For example, if you set this value to 10 minutes, then users can set the time from 15 seconds up to 10
minutes. When set to Not configured (default), Intune doesn't change or update this setting.
Fully managed and dedicated devices
Screen on while device plugged in : Choose which power sources cause the device's screen to stay on
when plugged in.
Users and Accounts
Fully managed, dedicated, and corporate-owned work profile devices
Add new users : Block prevents users from adding new users. Each user has a personal space on the device
for custom Home screens, accounts, apps, and settings. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to add other users to the device.
Fully managed and dedicated devices
User removal : Block prevents users from removing users. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to remove other users from the
device.
Personal Google Accounts : Block prevents users from adding their personal Google account to the
device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to add their personal Google account.
User can configure credentials : Block prevents users from configuring certificates assigned to devices,
even devices that aren't associated with a user account. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might make it possible for users to configure or
change their credentials when they access them in the keystore.
Dedicated devices
Account changes : Block prevents users from updating or changing accounts when in kiosk mode. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
users to update user accounts on the device.
Applications
Allow installation from unknown sources : Allow lets users turn on Unknown sources . This setting
allows apps to install from unknown sources, including sources other than the Google Play Store. It
allows users to side-load apps on the device using means other than the Google Play Store. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent
users from turning on Unknown sources .
App auto-updates (work profile-level) : Devices check for app updates daily. Choose when automatic
updates are installed. Your options:
Not configured : Intune doesn't change or update this setting.
User choice : The OS might default to this option. Users can set their preferences in the managed
Google Play app.
Never : Updates are never installed. This option isn't recommended.
Wi-Fi only : Updates are installed only when the device is connected to a Wi-Fi network.
Always : Updates are installed when they're available.
Allow access to all apps in Google Play store : When set to Allow , users get access to all apps in
Google Play store. They can't access client apps that aren't assigned to them. For more information on
excluding users and groups from specific apps, see Include and exclude app assignments.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might:
Only show apps in the managed Google Play store that are approved, or apps that are required.
Uninstall apps that were installed outside of the managed Google Play store.
If you want to enable side-loading, set the Allow installation from unknown sources and Allow access to
all apps in Google Play store settings to Allow .
Connectivity
Fully managed, dedicated, and corporate-owned work profile devices
Always-on VPN (work profile-level) : Enable sets the VPN client to automatically connect and
reconnect to the VPN. Always-on VPN connections stay connected, and reconnect immediately when users
lock their device, the device restarts, or the wireless network changes.
Choose Not configured to disable always-on VPN for all VPN clients.

IMPORTANT
Be sure to deploy only one Always-on VPN policy to a single device. Deploying multiple Always-on VPN policies to
a single device isn't supported.

VPN client : Choose a VPN client that supports Always On. Your options:
Cisco AnyConnect
F5 Access
Palo Alto Networks GlobalProtect
Pulse Secure
Custom
Package ID : Enter the package ID of the app in the Google Play store. For example, if the URL
for the app in the Play store is
https://play.google.com/store/details?id=com.contosovpn.android.prod , then the package ID is
com.contosovpn.android.prod .

IMPORTANT
The VPN client you choose must be installed on the device, and it must support per-app VPN in corporate-
owned work profiles. Otherwise, an error occurs.
You do need to approve the VPN client app in the Managed Google Play Store , sync the app to Intune,
and deploy the app to the device. After you do this, then the app is installed in the user's corporate-owned
work profile.
You still need to configure the VPN client with a VPN profile, or through an app configuration profile.
There may be known issues when using per-app VPN with F5 Access for Android 3.0.4. For more information,
see F5's release notes for F5 Access for Android 3.0.4.

Lockdown mode : Enable forces all network traffic to use the VPN tunnel. If a connection to the VPN
isn't established, then the device won't have network access. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow traffic to flow through the
VPN tunnel or through the mobile network.
Fully managed and dedicated devices
Recommended global proxy : Enable adds a global proxy to the devices. When enabled, HTTP and
HTTPS traffic, including some apps on the device, use the proxy you enter. This proxy is only a
recommendation. It's possible some apps won't use the proxy. Not configured (default) doesn't add a
recommended global proxy.
For more information on this feature, see setRecommendedGlobalProxy (opens an Android site).
When enabled, also enter the Type of proxy. Your options:
Direct : Manually enter the proxy server details, including:
Host : Enter the hostname or IP address of your proxy server. For example, enter
proxy.contoso.com or 127.0.0.1 .
Port number : Enter the TCP port number used by the proxy server. For example, enter 8080 .
Excluded hosts : Enter a list of host names or IP addresses that won't use the proxy. This list
can include an asterisk ( * ) wildcard and multiple hosts separated by semicolons ( ; ) with no
spaces. For example, enter 127.0.0.1;web.contoso.com;*.microsoft.com .
Proxy Auto-Config : Enter the PAC URL to a proxy autoconfiguration script. For example, enter
https://proxy.contoso.com/proxy.pac .

For more information on PAC files, see Proxy Auto-Configuration (PAC) file (opens a non-Microsoft
site).
For more information on this feature, see setRecommendedGlobalProxy (opens an Android site).
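The Direct settings (host, port, and the semicolon-separated Excluded hosts list) and the Proxy Auto-Config option describe the same decision: which requests go through the proxy and which bypass it. The script below is an added example, not Intune's or Android's code. It expresses the example values from this page (proxy.contoso.com, port 8080, excluded hosts 127.0.0.1;web.contoso.com;*.microsoft.com) as a PAC file and parses the exclusion list in the same format the Excluded hosts field uses. How Android itself matches the * wildcard is an assumption; here it matches any run of characters within the hostname, so *.microsoft.com covers subdomains but not the bare microsoft.com.

```javascript
// Added example: a proxy auto-configuration (PAC) script that mirrors the
// "Direct" recommended global proxy settings described on this page. This is
// not Intune's or Android's own code. A PAC file is plain JavaScript and the
// runtime only needs FindProxyForURL(url, host) to be defined, so the same
// script can be exercised in Node without a device.

// Example values taken from this page.
var PROXY_HOST = "proxy.contoso.com";
var PROXY_PORT = 8080;
// Same format as the "Excluded hosts" field: semicolon-separated, no spaces,
// "*" wildcard. Treating "*" as "any run of characters" is an assumption about
// the OS's matching; everything else in an entry is matched literally.
var EXCLUDED_HOSTS = "127.0.0.1;web.contoso.com;*.microsoft.com";

// Turn one exclusion entry into an anchored, case-insensitive regular
// expression. Anchoring matters: "*.microsoft.com" must not bypass the proxy
// for a host that merely ends in "microsoft.com".
function patternToRegExp(pattern) {
  var escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

// Parse the Excluded hosts string. Empty entries (for example from a trailing
// ";") are dropped so they cannot become a match-anything rule.
function parseExclusionList(list) {
  return list
    .split(";")
    .filter(function (entry) { return entry.length > 0; })
    .map(patternToRegExp);
}

var EXCLUSIONS = parseExclusionList(EXCLUDED_HOSTS);

// True when the host is on the bypass list and should not use the proxy.
function hostIsExcluded(host) {
  for (var i = 0; i < EXCLUSIONS.length; i++) {
    if (EXCLUSIONS[i].test(host)) { return true; }
  }
  return false;
}

// Entry point the PAC runtime calls for every request.
function FindProxyForURL(url, host) {
  if (hostIsExcluded(host)) { return "DIRECT"; }
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

Because the exclusion patterns are anchored, 127.0.0.1, web.contoso.com and any subdomain of microsoft.com return DIRECT, while every other host is sent to proxy.contoso.com:8080. When reviewing a bypass list, check the entries the same way: an entry that is broader than intended takes traffic out of the proxy's view.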
Work profile password
These settings apply to corporate-owned work profiles.
Required password type : Enter the required password complexity level, and whether biometric devices
can be used. Your options:
Device default
Password required, no restrictions
Weak biometric : Strong vs. weak biometrics (opens Android's web site)
Numeric : Password must only be numbers, such as 123456789 . Also enter:
Minimum password length : Enter the minimum length the password must have, between 4
and 16 characters.
Numeric complex : Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed.
Also enter:
Minimum password length : Enter the minimum length the password must have, between 4
and 16 characters.
Alphabetic : Letters in the alphabet are required. Numbers and symbols aren't required. Also
enter:
Minimum password length : Enter the minimum length the password must have, between 4
and 16 characters.
Alphanumeric : Includes uppercase letters, lowercase letters, and numeric characters. Also enter:
Minimum password length : Enter the minimum length the password must have, between 4
and 16 characters.
Alphanumeric with symbols : Includes uppercase letters, lowercase letters, numeric characters,
punctuation marks, and symbols. Also enter:
Minimum password length : Enter the minimum length the password must have, between 4
and 16 characters.
Number of characters required : Enter the number of characters the password must have,
between 0 and 16 characters.
Number of lowercase characters required : Enter the number of lowercase characters the
password must have, between 0 and 16 characters.
Number of uppercase characters required : Enter the number of uppercase characters the
password must have, between 0 and 16 characters.
Number of non-letter characters required : Enter the number of non-letters (anything
other than letters in the alphabet) the password must have, between 0 and 16 characters.
Number of numeric characters required : Enter the number of numeric characters ( 1 , 2 ,
3 , and so on) the password must have, between 0 and 16 characters.
Number of symbol characters required : Enter the number of symbol characters ( & , # ,
% , and so on) the password must have, between 0 and 16 characters.
Number of days until password expires : Enter the number of days until the device password must
be changed, from 1-365. For example, enter 90 to expire the password after 90 days. When the
password expires, users are prompted to create a new password. When the value is blank, Intune doesn't
change or update this setting.
Number of passwords required before user can reuse a password : Use this setting to restrict
users from creating previously used passwords. Enter the number of previously used passwords that
can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current
password or any of their previous four passwords. When the value is blank, Intune doesn't change or
update this setting.
Number of sign-in failures before wiping device : Enter the number of wrong passwords allowed
before the device is wiped, from 4-11. 0 (zero) might disable the device wipe functionality. When the
value is blank, Intune doesn't change or update this setting.

NOTE
Fully managed, dedicated, and corporate-owned work profile devices are not prompted to set a password. The
settings are required, but users might not be notified. Users need to set the password manually. The policy
reports as failed until the user sets a password that meets your requirements.

Personal profile
Camera : Block prevents access to the camera during personal use. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow using the camera in the personal
profile.
Screen capture : Block prevents screen captures during personal use. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow users to get screen
captures or screenshots in the personal profile.
Allow users to enable app installation from unknown sources in the personal profile : Select
Allow so users can install apps from unknown sources in the personal profile. It allows users to install apps
from sources other than the Google Play Store. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might prevent users from installing apps from unknown
sources in the personal profile.

Personally owned devices with a work profile


These settings apply to Android Enterprise personally owned devices with a work profile (BYOD).
Personally owned devices with a work profile settings
Copy and paste between work and personal profiles : Block prevents copy-and-paste between
work and personal apps. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to share data using copy-and-paste with apps in the
personal profile.
Data sharing between work and personal profiles : Choose if apps in the personally owned work
profile can share with apps in the personal profile. For example, you can control sharing actions within
applications, such as the Share… option in the Chrome browser app. This setting doesn't apply to
copy/paste clipboard behavior. Your options:
Device default : The default sharing behavior of the device varies depending on the Android version:
On devices running Android 6.0 and newer, sharing from the personally owned work profile to
the personal profile is blocked. Sharing from the personal profile to the personally owned work
profile is allowed.
On devices running Android 6.0 and older, sharing between the personally owned work profile
and the personal profile is blocked in both directions.
Apps in work profile can handle sharing request from personal profile : Enables the built-in
Android feature that allows sharing from the personal to the personally owned work profile. When
enabled, a sharing request from an app in the personal profile can share with apps in the personally
owned work profile. This setting is the default behavior for Android devices running versions earlier
than 6.0.
No restrictions on sharing : Enables sharing across the personally owned work profile boundary in
both directions. When you select this setting, apps in the personally owned work profile can share
data with unbadged apps in the personal profile. This setting allows managed apps in the personally
owned work profile to share with apps on the unmanaged side of the device. So, use this setting
carefully.
Work profile notifications while device locked : Block prevents window notifications, including
toasts, incoming calls, outgoing calls, system alerts, and system errors from showing on locked devices.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might show notifications.
Default app permissions : Sets the default permission policy for all apps in the personally owned work
profile. Starting with Android 6, users are prompted to grant certain permissions required by apps when
the app is launched. This policy setting lets you decide if users are prompted to grant permissions for all
apps in the personally owned work profile. For example, you assign an app to the personally owned work
profile that requires location access. Normally that app prompts users to approve or deny location access
to the app. Use this policy to automatically grant permissions without a prompt, automatically deny
permissions without a prompt, or let users decide. Your options:
Device default
Prompt
Auto grant
Auto deny
You can also use an app configuration policy to grant permissions for individual apps (Apps > App
configuration policies ).
Add and remove accounts : Block prevents users from manually adding or removing accounts in the
personally owned work profile. For example, when you deploy the Gmail app into an Android personally
owned work profile, you can prevent users from adding or removing accounts in this personally owned
work profile. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow adding accounts in the personally owned work profile.
NOTE
Google accounts can't be added to personally owned devices with a work profile.

Contact sharing via Bluetooth : Enable allows sharing and access to work profile contacts from
another device, including a car, that's paired using Bluetooth. Enabling this setting may allow certain
Bluetooth devices to cache work contacts upon first connection. Disabling this policy after an initial
pairing/sync may not remove work contacts from a Bluetooth device.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might not share work contacts.
This setting applies to:
Android 6.0 and newer personally owned devices with a work profile
Screen capture : Block prevents screenshots or screen captures on the device in the personally owned
work profile. It also prevents the content from being shown on display devices that don't have a secure
video output. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow getting screenshots.
Display work contact caller-id in personal profile : Block doesn't show the work contact caller
number in the personal profile. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might show work contact caller details.
This setting applies to:
Android 6.0 and newer personally owned devices with a work profile
Search work contacts from personal profile : Block prevents users from searching for work contacts
in apps in the personal profile. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow searching for work contacts in the personal profile.
Camera : Block prevents access to the camera on the device in the personally owned work profile. The
camera on the personal side is not affected by the setting. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow access to the camera.
Allow widgets from work profile apps : Enable allows users to put widgets exposed by apps on the
home screen. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might disable this feature.
For example, Outlook is installed on your users' personally owned work profiles. When set to Enable ,
users can put the agenda widget on the device home screen.
Require Work Profile Password : Require forces a passcode policy that only applies to apps in the
personally owned work profile. By default, users can either use the two separately defined PINs, or
combine them into a single PIN that satisfies the stronger of the two. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to use work apps without
entering a password.
This setting applies to:
Android 7.0 and newer personally owned devices with a work profile
Also configure:
Minimum password length : Enter the minimum length the password must have, between 4 and
16 characters.
Maximum minutes of inactivity until work profile locks : Enter the length of time devices
must be idle before the screen is automatically locked. Users must enter their credentials to regain
access. For example, enter 5 to lock the device after 5 minutes of being idle. When the value is
blank or set to Not configured , Intune doesn't change or update this setting.
On devices, users can't set a time value greater than the configured time in the profile. Users can
set a lower time value. For example, if the profile is set to 15 minutes, users can set the value to 5
minutes. Users can't set the value to 30 minutes.
Number of sign-in failures before wiping device : Enter the number of wrong passwords
allowed before the personally owned work profile in the device is wiped, from 4-11. 0 (zero)
might disable the device wipe functionality. When the value is blank, Intune doesn't change or
update this setting.
Password expiration (days) : Enter the number of days until user passwords must be changed
(from 1-365).
Required password type : Enter the required password complexity level, and whether biometric
devices can be used. Your options:
Device default
Low security biometric : Strong vs. weak biometrics (opens Android's web site)
Required
At least numeric : Includes numeric characters, such as 123456789 .
Numeric complex : Repeated or consecutive numbers, such as 1111 or 1234 , aren't allowed.
At least alphabetic : Includes letters in the alphabet. Numbers and symbols aren't required.
At least alphanumeric : Includes uppercase letters, lowercase letters, and numeric characters.
At least alphanumeric with symbols : Includes uppercase letters, lowercase letters, numeric
characters, punctuation marks, and symbols.
Prevent reuse of previous passwords : Use this setting to restrict users from creating
previously used passwords. Enter the number of previously used passwords that can't be used,
from 1-24. For example, enter 5 so users can't set a new password to their current password or
any of their previous four passwords. When the value is blank, Intune doesn't change or update
this setting.
Face unlock : Block prevents users from using the device's facial recognition to unlock the
personally owned work profile. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to unlock the device using facial
recognition.
Fingerprint unlock : Block prevents users from using the device's fingerprint scanner to unlock
the personally owned work profile. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow users to unlock the device using a fingerprint.
Iris unlock : Block prevents users from using the device's iris scanner to unlock the personally
owned work profile. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to unlock the device using the iris scanner.
Smart Lock and other trust agents : Block prevents Smart Lock or other trust agents from
adjusting lock screen settings on compatible devices. If devices are in a trusted location, then this
feature, also known as a trust agent, lets you disable or bypass the device lock screen password.
For example, bypass the personally owned work profile password when devices are connected to a
specific Bluetooth device, or when devices are close to an NFC tag. Use this setting to prevent
users from configuring Smart Lock.
When set to Not configured (default), Intune doesn't change or update this setting.
Password
These password settings apply to personally owned devices with a work profile.
Minimum password length : Enter the minimum length the password must have, between 4 and 16
characters.
Maximum minutes of inactivity until screen locks : Enter the length of time devices must be idle
before the screen is automatically locked. Users must enter their credentials to regain access. For
example, enter 5 to lock the device after 5 minutes of being idle. When the value is blank or set to Not
configured , Intune doesn't change or update this setting.
On devices, users can't set a time value greater than the configured time in the profile. Users can set a
lower time value. For example, if the profile is set to 15 minutes, users can set the value to 5 minutes.
Users can't set the value to 30 minutes.
Number of sign-in failures before wiping device : Enter the number of wrong passwords allowed
before the personally owned work profile in the device is wiped, from 4-11. 0 (zero) might disable the
device wipe functionality. When the value is blank, Intune doesn't change or update this setting.
Password expiration (days) : Enter the number of days, until the device password must be changed,
from 1-365. For example, enter 90 to expire the password after 90 days. When the password expires,
users are prompted to create a new password. When the value is blank, Intune doesn't change or update
this setting.
Required password type : Enter the required password complexity level, and whether biometric devices
can be used. Your options:
Device default
Low security biometric : Strong vs. weak biometrics (opens Android's web site)
Required
At least numeric : Includes numeric characters, such as 123456789 .
Numeric complex : Repeated or consecutive numbers, such as 1111 or 1234 , aren't allowed.
At least alphabetic : Includes letters in the alphabet. Numbers and symbols aren't required.
At least alphanumeric : Includes uppercase letters, lowercase letters, and numeric characters.
At least alphanumeric with symbols : Includes uppercase letters, lowercase letters, numeric
characters, punctuation marks, and symbols.
Prevent reuse of previous passwords : Use this setting to restrict users from creating previously used
passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example,
enter 5 so users can't set a new password to their current password or any of their previous four
passwords. When the value is blank, Intune doesn't change or update this setting.
Fingerprint unlock : Block prevents users from using the device's fingerprint scanner to unlock the
device. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow users to unlock the device using a fingerprint.
Face unlock : Block prevents users from using the device's facial recognition to unlock the device. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow users to unlock the device using facial recognition.
Iris unlock : Block prevents users from using the device's iris scanner to unlock the device. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
users to unlock the device using the iris scanner.
Smart Lock and other trust agents : Block prevents Smart Lock or other trust agents from adjusting
lock screen settings on compatible devices. If devices are in a trusted location, then this feature, also
known as a trust agent, lets you disable or bypass the device lock screen password. For example, bypass
the personally owned work profile password when devices are connected to a specific Bluetooth device,
or when devices are close to an NFC tag. Use this setting to prevent users from configuring Smart Lock.
When set to Not configured (default), Intune doesn't change or update this setting.
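The complexity settings above (Required password type, Minimum password length, the per-class "Number of ... characters required" counts, and the password reuse limit) apply both to the corporate-owned work profile password and to the personally owned work profile password. The checker below is an added example, not Intune's or Android's code; it evaluates a candidate password against a policy built from those settings so an admin can see which passwords a given profile would accept before assigning it. The policy field names, the sample policies, and the exact "Numeric complex" rule (a run of four or more repeated or consecutive digits fails) are assumptions modelled on the descriptions on this page, not the OS's implementation.

```javascript
// Added example, not Intune's or Android's code: check a candidate password
// against the work profile password settings described on this page.
// Policy field names and sample values are constructed for this example.

// Count the character classes the "Number of ... characters required"
// settings refer to. Anything that is not a letter or digit is a symbol.
function countClasses(password) {
  const c = { letter: 0, lower: 0, upper: 0, numeric: 0, symbol: 0, nonLetter: 0 };
  for (const ch of password) {
    if (ch >= "a" && ch <= "z") { c.lower++; c.letter++; }
    else if (ch >= "A" && ch <= "Z") { c.upper++; c.letter++; }
    else if (ch >= "0" && ch <= "9") { c.numeric++; c.nonLetter++; }
    else { c.symbol++; c.nonLetter++; }
  }
  return c;
}

// Length of the longest run of digits that repeats (1111) or steps by exactly
// one in either direction (1234, 4321). Used for "Numeric complex".
function longestRepeatedOrConsecutiveRun(digits) {
  let best = Math.min(digits.length, 1), run = 1, prevStep = null;
  for (let i = 1; i < digits.length; i++) {
    const step = digits.charCodeAt(i) - digits.charCodeAt(i - 1);
    if (Math.abs(step) > 1) { run = 1; prevStep = null; }
    else if (step === prevStep) { run++; }
    else { run = 2; prevStep = step; }
    if (run > best) { best = run; }
  }
  return best;
}

// Returns the reasons the password is rejected; an empty array means it meets
// the policy. `history` lists earlier passwords, most recent first.
function checkPassword(policy, password, history) {
  const reasons = [];
  const c = countClasses(password);
  const allDigits = password.length > 0 && c.numeric === password.length;

  if (password.length < (policy.minLength || 0)) {
    reasons.push("shorter than minimum length " + policy.minLength);
  }

  switch (policy.requiredType) {
    case "numeric":
      if (!allDigits) { reasons.push("must contain only numbers"); }
      break;
    case "numericComplex":
      if (!allDigits) { reasons.push("must contain only numbers"); }
      // Assumption: four or more repeated or consecutive digits is the cut-off.
      else if (longestRepeatedOrConsecutiveRun(password) >= 4) {
        reasons.push("contains a repeated or consecutive digit sequence");
      }
      break;
    case "alphabetic":
      if (c.letter === 0) { reasons.push("must contain at least one letter"); }
      break;
    case "alphanumeric":
      if (c.letter === 0 || c.numeric === 0) { reasons.push("must contain letters and numbers"); }
      break;
    case "alphanumericWithSymbols": {
      // Per-class minimums from the "Number of ... characters required" settings.
      const minimums = {
        lowercase: [policy.minLowercase, c.lower],
        uppercase: [policy.minUppercase, c.upper],
        numeric: [policy.minNumeric, c.numeric],
        symbol: [policy.minSymbol, c.symbol],
        "non-letter": [policy.minNonLetter, c.nonLetter],
      };
      for (const name of Object.keys(minimums)) {
        const need = minimums[name][0] || 0, have = minimums[name][1];
        if (have < need) { reasons.push("needs at least " + need + " " + name + " character(s)"); }
      }
      break;
    }
    // "deviceDefault" and "passwordRequired" add no complexity rule here.
  }

  // Reuse limit: a value of 5 blocks the current password and the previous four.
  const blocked = (history || []).slice(0, policy.historyLength || 0);
  if (blocked.indexOf(password) !== -1) {
    reasons.push("matches one of the last " + policy.historyLength + " passwords");
  }
  return reasons;
}

// Constructed policies (values within the ranges this page gives).
const WORK_PROFILE_POLICY = {
  requiredType: "alphanumericWithSymbols", minLength: 8,
  minLowercase: 1, minUppercase: 1, minNumeric: 1, minSymbol: 1, minNonLetter: 0,
  historyLength: 5,
};
const PIN_POLICY = { requiredType: "numericComplex", minLength: 6, historyLength: 0 };
```

Run `checkPassword(WORK_PROFILE_POLICY, "Contoso#2021", [])` to get an empty array, and `checkPassword(PIN_POLICY, "123456", [])` to get the consecutive-digit rejection; the returned reasons are what a user would have to fix, which is useful when deciding how strict a profile to assign, since the note above says the policy reports as failed until the user sets a compliant password.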
System security
Threat scan on apps : Require enforces that the Verify Apps setting is enabled for work and personal
profiles. When set to Not configured (default), Intune doesn't change or update this setting.
This setting applies to:
Android 8 (Oreo) and newer personally owned devices with a work profile
Prevent app installations from unknown sources in the personal profile : By design, Android
Enterprise personally owned devices with a work profile can't install apps from sources other than the
Play Store. This setting allows administrators more control of app installations from unknown sources.
Block prevents app installations from sources other than the Google Play Store in the personal profile.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow app installations from unknown sources in the personal profile. By nature, personally owned
devices with a work profile are intended to be dual-profile:
A work profile that's managed using MDM.
A personal profile that's isolated from MDM management.
Connectivity
Always-on VPN : Enable sets a VPN client to automatically connect and reconnect to the VPN. Always-
on VPN connections stay connected, and reconnect immediately when users lock their device, the device
restarts, or the wireless network changes.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might disable always-on VPN for all VPN clients.

IMPORTANT
Be sure to deploy only one Always-on VPN policy to a single device. Deploying multiple Always-on VPN policies to a
single device isn't supported.

VPN client : Choose a VPN client that supports Always On. Your options:
Cisco AnyConnect
F5 Access
Palo Alto Networks GlobalProtect
Pulse Secure
Custom
Package ID : Enter the package ID of the app in the Google Play store. For example, if the URL
for the app in the Play store is
https://play.google.com/store/details?id=com.contosovpn.android.prod , then the package ID is
com.contosovpn.android.prod .
IMPORTANT
The VPN client you choose must be installed on the device. It must also support per-app VPN in personally
owned devices with a work profile. Otherwise, an error occurs.
You do need to approve the VPN client app in the Managed Google Play Store , sync the app to Intune,
and deploy the app to the device. After you do this, the app is installed in the work profile on the user's
personally owned device.
There may be known issues when using per-app VPN with F5 Access for Android 3.0.4. For more information,
see F5's release notes for F5 Access for Android 3.0.4.

Lockdown mode : Enable forces all network traffic to use the VPN tunnel. If a connection to the VPN
isn't established, then the device won't have network access.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow traffic to flow through the VPN tunnel or through the mobile network.

Next steps
Assign the profile and monitor its status.
You can also create dedicated device kiosk profiles for Android and Windows 10 devices.
Configure and troubleshoot Android enterprise devices in Microsoft Intune.
Android Enterprise device settings to configure email, authentication, and synchronization in Intune
3/5/2021 • 2 minutes to read

This article describes the different email settings you can control on Android Enterprise personally owned
devices with a work profile. As part of your mobile device management (MDM) solution, use these settings to
configure an email server, use SSL to encrypt emails, and more.
This feature applies to:
Android Enterprise personally owned devices with a work profile (BYOD)
On Android Enterprise Fully Managed, Dedicated, and Corporate-owned Work Profiles, use app configuration
policies. For Android device administrator, see Android device settings to configure email.
As an Intune administrator, you can create and assign email settings to Android Enterprise personally owned
devices with a work profile. To learn more about email profiles in Intune, see configure email settings.

Before you begin


Create an Android Enterprise email device configuration profile > Personally-owned work profile .
Or, create an app configuration policy.

Android Enterprise
Email app : Select Gmail or Nine Work .
Email server : Enter the host name of your Exchange server. For example, enter outlook.office365.com .
Username attribute from AAD : This name is the attribute Intune gets from Azure Active Directory
(Azure AD). Intune dynamically generates the username that's used by this profile. Your options:
User Principal Name : Gets the name, such as user1 or user1@contoso.com .
User name : Gets only the name, such as user1 .
Email address attribute from AAD : This name is the email attribute Intune gets from Azure AD. Intune
dynamically generates the email address that's used by this profile. Your options:
User principal name : Uses the full principal name, such as user1@contoso.com or user1 , as the
email address.
Primary SMTP address : Uses the primary SMTP address, such as user1@contoso.com , to sign in to
Exchange.
Authentication method : Select Username and Password or Certificates as the authentication
method used by the email profile.
If you select Certificate , select a client SCEP or PKCS certificate profile that you previously created to
authenticate the Exchange connection.
SSL : Choose Enable to use Secure Sockets Layer (SSL) communication when sending emails, receiving
emails, and communicating with the Exchange server.
Amount of email to synchronize : Choose the amount of time of email you want to synchronize. Or,
select Unlimited to synchronize all available email.
Content type to sync (Nine Work only): Choose which data you want to synchronize on the devices.
Your options:
Contacts : Choose Enable to allow end users to sync contacts to their devices.
Calendar : Choose Enable to allow end users to sync the calendar to their devices.
Tasks : Choose Enable to allow end users to sync any tasks to their devices.

Next steps
Assign the profile and monitor its status.
You can also create email profiles for Android Samsung Knox, iOS/iPadOS, and Windows 10 and later devices.
Android Enterprise device settings to configure VPN in Intune
6/15/2021 • 6 minutes to read

This article describes the different VPN connection settings you can control on Android Enterprise devices. As
part of your mobile device management (MDM) solution, use these settings to create a VPN connection, choose
how the VPN authenticates, select a VPN server type, and more.
This feature applies to:
Android Enterprise personally owned devices with a work profile (BYOD)
Android Enterprise corporate-owned work profile (COPE)
Android Enterprise corporate owned fully managed (COBO)
Android Enterprise corporate owned dedicated devices (COSU)
As an Intune administrator, you can create and assign VPN settings to Android Enterprise devices. To learn more
about VPN profiles in Intune, see VPN profiles.

NOTE
To configure always-on VPN, you need to create a VPN profile, and also create a device restrictions profile with the
Always-on VPN setting configured.

Before you begin


Create an Android Enterprise VPN device configuration profile:
Fully managed, dedicated, and corporate-owned work profile
Personally-owned work profile

Fully Managed, Dedicated, and Corporate-Owned Work Profile


Connection type : Select the VPN connection type. Your options:
Cisco AnyConnect
SonicWall Mobile Connect
F5 Access
Pulse Secure
Microsoft Tunnel (Not supported on Android Enterprise dedicated devices.)

IMPORTANT
Prior to support for using Microsoft Defender for Endpoint as the tunnel client app, a standalone tunnel
client app was available in preview and used a connection type of Microsoft Tunnel (standalone
client). As of June 14, 2021, both the standalone tunnel app and the standalone client connection type are
deprecated, and are dropped from support 60 days later, after August 14, 2021.
The available settings depend on the VPN client you choose. Some settings are only available for specific VPN
clients.
Base VPN
Connection name : Enter a name for this connection. End users see this name when they browse their
device for the available VPN connections. For example, enter Contoso VPN .
VPN server address or FQDN : Enter the IP address or fully qualified domain name (FQDN) of the VPN
server that devices connect to. For example, enter 192.168.1.1 or vpn.contoso.com .
Authentication method : Choose how devices authenticate to the VPN server. Your options:
Certificates : Select an existing SCEP or PKCS certificate profile to authenticate the connection.
Configure certificates lists the steps to create a certificate profile.
Username and password : When signing into the VPN server, end users are prompted to enter
their user name and password.
Derived credential : Use a certificate that's derived from a user's smart card. If no derived
credential issuer is configured, Intune prompts you to add one.
For more information, see Use derived credentials in Intune.
Enter key and value pairs for the NetMotion Mobility VPN attributes : Add or import Keys and
Values that customize your VPN connection. These values are typically supplied by your VPN provider.
Microsoft Tunnel site (Microsoft Tunnel only): Select an existing site. The VPN client connects to the
public IP address or FQDN of this site.
For more information, see Microsoft Tunnel for Intune.
Per-app VPN
Add : Select managed apps from the list. When users start the apps you add, traffic automatically routes
through the VPN connection.
For more information, see Use a VPN and per-app VPN policy on Android Enterprise devices.
Always-on VPN
Always-on VPN : Enable turns on always-on VPN so VPN clients automatically connect and reconnect
to the VPN when possible. When set to Not configured , Intune doesn't change or update this setting. By
default, always-on VPN might be disabled for all VPN clients.
Only one VPN client can be configured for always-on VPN on a device. Be sure to have no more than one
always-on VPN policy deployed to a single device.
Proxy
Automatic configuration script : Use a file to configure the proxy server. Enter the proxy server URL that
includes the configuration file. For example, enter http://proxy.contoso.com/pac .
Address : Enter the IP address or fully qualified host name of the proxy server. For example, enter 10.0.0.3
or vpn.contoso.com .
Port number : Enter the port number associated with the proxy server. For example, enter 8080 .

Personally-owned work profile


Connection type : Select the VPN connection type. Your options:
Check Point Capsule VPN
Cisco AnyConnect
SonicWall Mobile Connect
F5 Access
Pulse Secure
NetMotion Mobility
Microsoft Tunnel

IMPORTANT
Prior to support for using Microsoft Defender for Endpoint as the tunnel client app, a standalone tunnel
client app was available in preview and used a connection type of Microsoft Tunnel (standalone
client). As of June 14, 2021, both the standalone tunnel app and the standalone client connection type are
deprecated, and are dropped from support 60 days later, after August 14, 2021.

The available settings depend on the VPN client you choose. Some settings are only available for specific VPN
clients.
Base VPN
Connection name : Enter a name for this connection. End users see this name when they browse their
device for the available VPN connections. For example, enter Contoso VPN .
VPN server address : Enter the IP address or fully qualified domain name (FQDN) of the VPN server
that devices connect to. For example, enter 192.168.1.1 or vpn.contoso.com .
Authentication method : Choose how devices authenticate to the VPN server. Your options:
Certificates : Select an existing SCEP or PKCS certificate profile to authenticate the connection.
Configure certificates lists the steps to create a certificate profile.
Username and password : When signing into the VPN server, end users are prompted to enter
their user name and password.
Derived credential : Use a certificate that's derived from a user's smart card. If no derived
credential issuer is configured, Intune prompts you to add one.
For more information, see Use derived credentials in Intune.
Fingerprint (Check Point Capsule VPN only): Enter the fingerprint string given to you by the VPN vendor,
such as Contoso Fingerprint Code . This fingerprint verifies that the VPN server can be trusted.
When authenticating, a fingerprint is sent to the client so the client knows to trust any server that has the
same fingerprint. If the device doesn't have the fingerprint, it prompts the user to trust the VPN server
while showing the fingerprint. The user manually verifies the fingerprint, and chooses to trust to connect.
Enter key and value pairs for the NetMotion Mobility VPN attributes : Add or import Keys and
Values that customize your VPN connection. These values are typically supplied by your VPN provider.
Microsoft Tunnel site (Microsoft Tunnel only): Select an existing site. The VPN client connects to the
public IP address or FQDN of this site.
For more information, see Microsoft Tunnel for Intune.
Per-app VPN
Add : Select managed apps from the list. When users start the apps you add, traffic automatically routes
through the VPN connection.
For more information, see Use a VPN and per-app VPN policy on Android Enterprise devices.
Always-on VPN
Always-on VPN : Enable turns on always-on VPN so VPN clients automatically connect and reconnect
to the VPN when possible. When set to Not configured , Intune doesn't change or update this setting. By
default, always-on VPN might be disabled for all VPN clients.
Only one VPN client can be configured for always-on VPN on a device. Be sure to have no more than one
always-on VPN policy deployed to a single device.
Proxy
Automatic configuration script : Use a file to configure the proxy server. Enter the proxy server URL that
includes the configuration file. For example, enter http://proxy.contoso.com/pac .
Address : Enter the IP address or fully qualified host name of the proxy server. For example, enter 10.0.0.3
or vpn.contoso.com .
Port number : Enter the port number associated with the proxy server. For example, enter 8080 .

Next steps
Assign the profile and monitor its status.
You can also create VPN profiles for Android device administrator, iOS/iPadOS, macOS, Windows 10 and later,
and Windows 8.1.
Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune
6/21/2021 • 9 minutes to read

You can create a profile with specific Wi-Fi settings, and then deploy this profile to your Android Enterprise fully
managed and dedicated devices. Microsoft Intune offers many features, including authenticating to your
network, using a pre-shared key, and more.
This feature applies to:
Android Enterprise personally owned devices with a work profile (BYOD)
Android Enterprise corporate-owned work profile (COPE)
Android Enterprise corporate owned fully managed (COBO)
Android Enterprise corporate owned dedicated devices (COSU)
This article describes these settings. Use Wi-Fi on your devices includes more information about the Wi-Fi
feature in Microsoft Intune.

Before you begin


Create an Android Enterprise Wi-Fi device configuration profile:
Fully managed, dedicated, and corporate-owned work profile
Personally-owned work profile

Fully Managed, Dedicated, and Corporate-Owned Work Profile


Select this option if you're deploying to an Android Enterprise dedicated, corporate-owned work profile, or fully
managed device.
Basic
Wi-Fi type : Select Basic .
Network name : Enter a name for this Wi-Fi connection. End users see this name when they browse their
device for available Wi-Fi connections. For example, enter Contoso WiFi .
SSID : Enter the service set identifier , which is the real name of the wireless network that devices
connect to. However, users only see the network name you configured when they choose the
connection.
Connect automatically : Enable automatically connects to your Wi-Fi network when devices are in
range. Select Disable to prevent or block this automatic connection.
When devices are connected to another preferred Wi-Fi connection, then they won't automatically
connect to this Wi-Fi network. If devices fail to connect automatically when this setting is enabled, then
disconnect the devices from any existing Wi-Fi connections.
Hidden network : Select Enable to hide this network from the list of available networks on the device.
The SSID isn't broadcasted. Select Disable to show this network in the list of available networks on the
device.
Wi-Fi type : Select the security protocol to authenticate to the Wi-Fi network. Your options:
Open (no authentication) : Only use this option if the network is unsecured.
WEP-Pre-shared key : Enter the password in Pre-shared key . When your organization's network is
set up or configured, a password or network key is also configured. Enter this password or network
key for the PSK value.
WPA-Pre-shared key : Enter the password in Pre-shared key . When your organization's network is
set up or configured, a password or network key is also configured. Enter this password or network
key for the PSK value.
Enterprise
Wi-Fi type : Select Enterprise .
SSID : Enter the service set identifier , which is the real name of the wireless network that devices
connect to. However, users only see the network name you configured when they choose the
connection.
Hidden network : Select Enable to hide this network from the list of available networks on the device.
The SSID isn't broadcasted. Select Disable to show this network in the list of available networks on the
device.
EAP type : Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless
connections. Your options:
EAP-TLS : To authenticate, the Extensible Authentication Protocol (EAP) Transport Layer Security
(TLS) uses a digital certificate on the server, and a digital certificate on the client. Both certificates
are signed by a certificate authority (CA) that the server and client trust.
Also enter:
Root certificate for server validation : Select an existing trusted root certificate profile.
When the client connects to the network, this certificate is presented to the server, and
authenticates the connection.
Authentication method : Select the authentication method used by your device clients.
Your options:
Derived credential : Use a certificate that's derived from a user's smart card. If no
derived credential issuer is configured, Intune prompts you to add one. For more
information, see Use derived credentials in Microsoft Intune.
Certificates : Select the SCEP or PKCS client certificate profile that is also deployed to
the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP identity
request. This text can be any value, such as anonymous . During authentication, this
anonymous identity is initially sent, and then followed by the real identification sent in a
secure tunnel.
EAP-TTLS : To authenticate, the Extensible Authentication Protocol (EAP) Tunneled Transport Layer
Security (TTLS) uses a digital certificate on the server. When the client makes the authentication
request, the server uses the tunnel, which is a secure connection, to complete the authentication
request.
Also enter:
Root certificate for server validation : Select an existing trusted root certificate profile.
When the client connects to the network, this certificate is presented to the server, and
authenticates the connection.
Authentication method : Select the authentication method used by your device clients.
Your options:
Derived credential : Use a certificate that's derived from a user's smart card. If no
derived credential issuer is configured, Intune prompts you to add one. For more
information, see Use derived credentials in Microsoft Intune.
Username and Password : Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method (inner identity) : Choose how you authenticate the
connection. Be sure you select the same protocol that's configured on your
Wi-Fi network. Your options:
Unencrypted password (PAP)
Microsoft CHAP (MS-CHAP)
Microsoft CHAP Version 2 (MS-CHAP v2)
Certificates : Select the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by the real
identification sent in a secure tunnel.
PEAP : Protected Extensible Authentication Protocol (PEAP) encrypts and authenticates using a
protected tunnel. Also enter:
Root certificate for server validation : Select an existing trusted root certificate profile.
When the client connects to the network, this certificate is presented to the server, and
authenticates the connection.
Authentication method : Select the authentication method used by your device clients.
Your options:
Derived credential : Use a certificate that's derived from a user's smart card. If no
derived credential issuer is configured, Intune prompts you to add one. For more
information, see Use derived credentials in Microsoft Intune.
Username and Password : Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method for authentication (inner identity) : Choose how you
authenticate the connection. Be sure you select the same protocol that's
configured on your Wi-Fi network. Your options:
None
Microsoft CHAP Version 2 (MS-CHAP v2)
Certificates : Select the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by the real
identification sent in a secure tunnel.
Personally-owned work profile
Basic
Wi-Fi type : Select Basic .
SSID : Enter the service set identifier , which is the real name of the wireless network that devices connect
to. However, users only see the network name you configured when they choose the connection.
Hidden network : Select Enable to hide this network from the list of available networks on the device. The
SSID isn't broadcasted. Select Disable to show this network in the list of available networks on the device.
Enterprise
Wi-Fi type : Select Enterprise .
SSID : Enter the service set identifier , which is the real name of the wireless network that devices
connect to. However, users only see the network name you configured when they choose the
connection.
Hidden network : Select Enable to hide this network from the list of available networks on the device.
The SSID isn't broadcasted. Select Disable to show this network in the list of available networks on the
device.
EAP type : Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless
connections. Your options:
EAP-TLS : Also enter:
Root certificate for server validation : Select an existing trusted root certificate profile.
When the client connects to the network, this certificate is presented to the server, and
authenticates the connection.
Certificates : Select the SCEP or PKCS client certificate profile that is also deployed to the
device. This certificate is the identity presented by the device to the server to authenticate
the connection.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP identity
request. This text can be any value, such as anonymous . During authentication, this
anonymous identity is initially sent, and then followed by the real identification sent in a
secure tunnel.
EAP-TTLS : Also enter:
Root certificate for server validation : Select an existing trusted root certificate profile.
When the client connects to the network, this certificate is presented to the server, and
authenticates the connection.
Authentication method : Select the authentication method used by your device clients.
Your options:
Username and Password : Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method (inner identity) : Choose how you authenticate the
connection. Be sure you select the same protocol that's configured on your
Wi-Fi network. Your options:
Unencrypted password (PAP)
Microsoft CHAP (MS-CHAP)
Microsoft CHAP Version 2 (MS-CHAP v2)
Certificates : Select the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by the real
identification sent in a secure tunnel.
PEAP : Also enter:
Root certificate for server validation : Select an existing trusted root certificate profile.
When the client connects to the network, this certificate is presented to the server, and
authenticates the connection.
Authentication method : Select the authentication method used by your device clients.
Your options:
Username and Password : Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method for authentication (inner identity) : Choose how you
authenticate the connection. Be sure you select the same protocol that's
configured on your Wi-Fi network. Your options:
None
Microsoft CHAP Version 2 (MS-CHAP v2)
Certificates : Select the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by the real
identification sent in a secure tunnel.
Proxy settings : Select a proxy configuration. Your options:
None : No proxy settings are configured.
Automatic : Use a file to configure the proxy server. Enter the Proxy server URL that contains the
configuration file. For example, enter http://proxy.contoso.com , 10.0.0.11 , or
http://proxy.contoso.com/proxy.pac .

For more information on PAC files, see Proxy Auto-Configuration (PAC) file (opens a non-Microsoft
site).
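A pre-deployment check for the Wi-Fi settings above, as an added example that is not Intune code or an Intune API: it transcribes the option combinations listed for the fully managed, dedicated, and corporate-owned work profile (Wi-Fi type, EAP type, authentication method, non-EAP inner method) into data, rejects combinations the portal does not offer, and flags the settings a defender would want called out (Open, WEP, PAP, no root certificate for server validation, no outer identity). The profile dictionary keys and the sample profiles are this example's own construction.

```python
"""Consistency and weakness check for an Android Enterprise Wi-Fi profile.

Added example, not Intune code or an Intune API. The option tables below
are transcribed from the fully managed/dedicated settings above; the
profile dictionary keys are this example's own naming.
"""
from dataclasses import dataclass

# Authentication methods listed per EAP type.
AUTH_METHODS = {
    "EAP-TLS": {"Derived credential", "Certificates"},
    "EAP-TTLS": {"Derived credential", "Username and Password", "Certificates"},
    "PEAP": {"Derived credential", "Username and Password", "Certificates"},
}
# Non-EAP (inner) methods listed for Username and Password, per EAP type.
INNER_METHODS = {
    "EAP-TTLS": {"PAP", "MS-CHAP", "MS-CHAP v2"},
    "PEAP": {"None", "MS-CHAP v2"},
}
BASIC_SECURITY = {"Open", "WEP-Pre-shared key", "WPA-Pre-shared key"}


@dataclass
class Finding:
    level: str    # "error": cannot be deployed as described; "warning": valid but weak
    message: str


def check_wifi_profile(profile: dict) -> list:
    """Return a list of Finding for one profile; an empty list means clean."""
    findings = []
    if not profile.get("ssid"):
        findings.append(Finding("error", "SSID is required"))
    wifi_type = profile.get("wifi_type")
    if wifi_type == "Basic":
        findings += _check_basic(profile)
    elif wifi_type == "Enterprise":
        findings += _check_enterprise(profile)
    else:
        findings.append(Finding("error", f"unknown Wi-Fi type {wifi_type!r}"))
    return findings


def _check_basic(profile: dict) -> list:
    findings = []
    sec = profile.get("security")
    if sec not in BASIC_SECURITY:
        return [Finding("error", f"unknown Basic security type {sec!r}")]
    if sec == "Open":
        findings.append(Finding("warning", "Open network: no authentication and no link encryption"))
    elif sec == "WEP-Pre-shared key":
        findings.append(Finding("warning", "WEP is broken; use WPA-Pre-shared key or Enterprise"))
    if sec != "Open" and not profile.get("pre_shared_key"):
        findings.append(Finding("error", "a pre-shared key type is selected but no key is set"))
    return findings


def _check_enterprise(profile: dict) -> list:
    findings = []
    eap = profile.get("eap_type")
    if eap not in AUTH_METHODS:
        return [Finding("error", f"unknown EAP type {eap!r}")]
    if not profile.get("root_certificate"):
        # Without it the client cannot tell the corporate RADIUS server from an impostor.
        findings.append(Finding("error", "no root certificate for server validation"))
    auth = profile.get("auth_method")
    if auth not in AUTH_METHODS[eap]:
        findings.append(Finding("error", f"{auth!r} is not an authentication method for {eap}"))
    elif auth == "Username and Password":
        inner = profile.get("inner_method")
        if inner not in INNER_METHODS[eap]:
            findings.append(Finding("error", f"{inner!r} is not a non-EAP (inner) method for {eap}"))
        elif inner == "PAP":
            findings.append(Finding("warning", "PAP: the password is protected only by the outer TLS tunnel"))
    elif auth == "Certificates" and not profile.get("client_certificate"):
        findings.append(Finding("error", "Certificates selected but no SCEP/PKCS client certificate profile"))
    if not profile.get("outer_identity"):
        # The EAP identity response goes out before the tunnel exists.
        findings.append(Finding("warning", "no outer identity: the real identity is sent before the tunnel is up"))
    return findings


# Constructed sample profiles (not real Contoso data).
SAMPLE_PROFILES = {
    "good-tls": {"wifi_type": "Enterprise", "ssid": "ContosoCorp", "eap_type": "EAP-TLS",
                 "auth_method": "Certificates", "client_certificate": "Contoso PKCS",
                 "root_certificate": "Contoso Root CA", "outer_identity": "anonymous"},
    "peap-pap": {"wifi_type": "Enterprise", "ssid": "ContosoCorp", "eap_type": "PEAP",
                 "auth_method": "Username and Password", "inner_method": "PAP",
                 "root_certificate": "Contoso Root CA", "outer_identity": "anonymous"},
    "guest-wep": {"wifi_type": "Basic", "ssid": "ContosoGuest",
                  "security": "WEP-Pre-shared key", "pre_shared_key": "example-key"},
}

if __name__ == "__main__":
    for name, prof in SAMPLE_PROFILES.items():
        print(name, [(f.level, f.message) for f in check_wifi_profile(prof)] or "clean")
```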

Next steps
The profile is created, but might not be doing anything. Be sure to assign this profile and monitor its status.
You can also create Wi-Fi profiles for Android, iOS/iPadOS, macOS, Windows 10, and Windows 8.1 devices.
Troubleshoot common issues with Wi-Fi profiles.
Use custom settings for iOS and iPadOS devices in Microsoft Intune
3/31/2021 • 2 minutes to read

IMPORTANT
Custom configuration profiles shouldn't be used for sensitive information, such as WiFi connections or authenticating
apps, sites, and more. Instead, use the built-in profiles for sensitive information, as they're designed and configured to
handle sensitive information.
For example, use the built-in Wi-Fi profile to deploy a Wi-Fi connection. Use the built-in certificates profile for
authentication.

Using Microsoft Intune, you can add or create custom settings for your iOS/iPadOS devices using "custom
profiles". Custom profiles are a feature in Intune. They're designed to add device settings and features that aren't
built in to Intune.
When using iOS/iPadOS devices, there are two ways to get custom settings into Intune:
Apple Configurator
Apple Profile Manager
You can use these tools to export settings to a configuration profile. In Intune, you import this file, and then
assign the profile to your iOS/iPadOS users and devices. Once assigned, the settings are distributed. They also
create a baseline or standard for iOS/iPadOS in your organization.
This article provides some guidance on using Apple Configurator and Apple Profile Manager, and describes the
properties you can configure.

Before you begin


Create an iOS/iPadOS custom device configuration profile.

What you need to know


When using Apple Configurator to create the configuration profile, be sure the settings you export are
compatible with the iOS/iPadOS version on the devices. For information on resolving incompatible
settings, search for Configuration Profile Reference and Mobile Device Management Protocol
Reference on the Apple Developer website.
When using Apple Profile Manager , be sure to:
Enable mobile device management in Profile Manager.
Add iOS/iPadOS devices in Profile Manager.
After you add a device in Profile Manager, go to Library > Devices > select your
device > Settings . Enter the general settings for the device.
Download and save this file. You'll enter this file in the Intune profile.
Be sure the settings you export from the Apple Profile Manager are compatible with the
iOS/iPadOS version on the devices. For information on resolving incompatible settings, search for
Configuration Profile Reference and Mobile Device Management Protocol Reference on
the Apple Developer website.

Custom configuration profile settings


Custom configuration profile name : Enter a name for the policy. This name is shown on the device,
and in the Intune status.
Configuration profile file : Browse to the configuration profile you created using the Apple
Configurator or Apple Profile Manager. The max file size is 1000000 bytes ( just under 1MB). The file you
imported is shown in the File contents area.
You can also add device tokens to your custom configuration files. Device tokens are used to add device-
specific information. For example, to show the serial number, enter {{serialnumber}} . On the device, the
text shows similar to 123456789ABC , which is unique to each device. When entering variables, be sure to
use curly brackets {{ }} . App configuration tokens includes a list of variables that can be used. You can
also use deviceid or any other device-specific value.

NOTE
Variables aren't validated in the UI, and are case sensitive. As a result, you may see profiles saved with incorrect
input. For example, if you enter {{DeviceID}} instead of {{deviceid}} , then the literal string is shown instead
of the device's unique ID. Be sure to enter the correct information.

Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile.
See how to create the profile on macOS devices.
iOS and iPadOS device settings to use common iOS/iPadOS features in Intune
6/29/2021 • 21 minutes to read

Intune includes some built-in settings to allow iOS/iPadOS users to use different Apple features on their devices.
For example, you can control AirPrint printers, add apps and folders to the dock and home screen pages, show
app notifications, show asset tag details on the lock screen, use single sign-on authentication, and use certificate
authentication.
Use these features to control iOS/iPadOS devices as part of your mobile device management (MDM) solution.
This article lists these settings, and describes what each setting does. For more information on these features, go
to Add iOS/iPadOS or macOS device feature settings.

Before you begin


Create an iOS/iPadOS device features configuration profile.

NOTE
These settings apply to different enrollment types, with some settings applying to all enrollment options. For more
information on the different enrollment types, see iOS/iPadOS enrollment.

AirPrint
Settings apply to: All enrollment types

NOTE
Be sure to add all printers to the same profile. Apple prevents multiple AirPrint profiles from targeting the same device.

IP address : Enter the IPv4 or IPv6 address of the printer. If you use hostnames to identify printers, you can
get the IP address by pinging the printer in the terminal. Get the IP address and path (in this article) provides
more details.
Path : The path is typically ipp/print for printers on your network. Get the IP address and path (in this
article) provides more details.
Port : Enter the listening port of the AirPrint destination. If you leave this property blank, AirPrint uses the
default port. Available on iOS 11.0+, and iPadOS 13.0+.
TLS : Enable secures AirPrint connections with Transport Layer Security (TLS). Available on iOS 11.0+, and
iPadOS 13.0+.
To add AirPrint servers, you can:
Add adds the AirPrint server to the list. Many AirPrint servers can be added.
Import a comma-separated file (.csv) with this information. Or, Export to create a list of the AirPrint servers
you added.
Get server IP address, resource path, and port
To add AirPrint servers, you need the IP address of the printer, the resource path, and the port. The following
steps show you how to get this information.
1. On a Mac that's connected to the same local network (subnet) as the AirPrint printers, open Terminal
(from /Applications/Utilities ).
2. In the Terminal, type ippfind , and select enter.
Note the printer information. For example, it may return something similar to
ipp://myprinter.local.:631/ipp/port1 . The first part is the name of the printer. The last part ( ipp/port1 )
is the resource path.
3. In the Terminal, type ping myprinter.local , and select enter.
Note the IP address. For example, it may return something similar to PING myprinter.local (10.50.25.21) .
4. Use the IP address and resource path values. In this example, the IP address is 10.50.25.21 , and the
resource path is /ipp/port1 .
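The steps above done in code, as an added example that is not Intune's own tooling: it parses the ipp:// URIs that ippfind prints in step 2 into hostname, port and resource path, and resolves the hostname the way step 3 does. Name resolution is passed in as a function so the constructed sample (the page's myprinter.local plus an invented second printer) runs offline; pass socket.gethostbyname for live use. The 631 default port is the registered IPP port, an assumption the page does not state.

```python
"""Turn ippfind output into the IP address, resource path and port that an
Intune AirPrint entry needs.

Added example, not Intune's own tooling. It parses lines such as
ipp://myprinter.local.:631/ipp/port1 from step 2 above and resolves the
hostname as step 3 does. Name resolution is passed in as a function so the
constructed sample below runs offline; pass socket.gethostbyname for live use.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

IPP_DEFAULT_PORT = 631  # the registered IPP port, used when the URI has none


@dataclass
class AirPrintEntry:
    hostname: str
    ip_address: Optional[str]   # None when the name could not be resolved
    port: int
    path: str                   # resource path, e.g. /ipp/port1
    tls: bool                   # True when the printer advertised ipps://


def parse_ipp_uri(uri: str) -> AirPrintEntry:
    """Split one ippfind URI into its parts; ip_address is filled in later."""
    parts = urlsplit(uri.strip())
    if parts.scheme not in ("ipp", "ipps"):
        raise ValueError(f"not an IPP URI: {uri!r}")
    # mDNS names come back with a trailing dot (myprinter.local.); drop it.
    hostname = (parts.hostname or "").rstrip(".")
    if not hostname:
        raise ValueError(f"no host in URI: {uri!r}")
    return AirPrintEntry(
        hostname=hostname,
        ip_address=None,
        port=parts.port or IPP_DEFAULT_PORT,
        path=parts.path or "/",
        tls=parts.scheme == "ipps",
    )


def build_entries(ippfind_output: str,
                  resolve: Callable[[str], str] = socket.gethostbyname) -> list:
    """Parse every URI line of ippfind output and resolve its host to an IP."""
    entries = []
    for line in ippfind_output.splitlines():
        line = line.strip()
        if not line.startswith(("ipp://", "ipps://")):
            continue  # ippfind may print other text; only URIs matter here
        entry = parse_ipp_uri(line)
        try:
            # A URI may already carry an IP literal; keep it without a lookup.
            entry.ip_address = str(ipaddress.ip_address(entry.hostname))
        except ValueError:
            try:
                entry.ip_address = resolve(entry.hostname)
            except OSError:
                entry.ip_address = None  # leave blank so the gap is visible
        entries.append(entry)
    return entries


# Constructed sample: the first line matches the example in the steps above,
# the second is an invented printer that advertises TLS.
SAMPLE_IPPFIND = """\
ipp://myprinter.local.:631/ipp/port1
ipps://lobby-printer.local.:631/ipp/print
"""
SAMPLE_DNS = {"myprinter.local": "10.50.25.21", "lobby-printer.local": "10.50.25.22"}


def sample_lookup(hostname: str) -> str:
    """Offline stand-in for ping/gethostbyname on the constructed sample network."""
    try:
        return SAMPLE_DNS[hostname]
    except KeyError:
        raise socket.gaierror(f"cannot resolve {hostname}")


if __name__ == "__main__":
    for e in build_entries(SAMPLE_IPPFIND, sample_lookup):
        print(f"{e.ip_address or '<unresolved>'}  port={e.port}  path={e.path}  tls={e.tls}")
```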

Home screen layout


This feature applies to:
iOS 9.3 or newer
iPadOS 13.0 and newer
Automated device enrollment (supervised)

NOTE
Only add an app once to the dock, page, folder on a page, or folder in the dock. Adding the same app in any two
places prevents the app from showing on devices, and may show reporting errors.
For example, if you add the camera app to a dock and a page, the camera app isn't shown, and reporting might
show an error for the policy. To add the camera app to the home screen layout, choose only the dock or a page,
not both.
When you apply a home screen layout, it overwrites any user-defined layout. So, it's recommended to use home
screen layouts on userless devices.

Home screen
Use this feature to add apps. And, see how these apps look on pages, the dock, and within folders. It also shows
you the app icons. Volume Purchase Program (VPP) apps, line-of-business apps, and web link apps (web app
URLs) are populated from the client apps you add.
+ : Select the add button to add apps.
Create folder or add apps : Add an App or a Folder :
App : Select existing apps from the list. This option adds apps to the home screen on devices. If you
don't have any apps, then Add apps to Intune.
You can also search for apps by the app name, such as authenticator or drive . Or, search by the
app publisher, such as Microsoft or Apple .
Folder : Adds a folder to the home screen. Enter the Folder name , and select existing apps from
the list to go in the folder. This folder name is shown to users on their devices.
You can also search for apps by the app name, such as authenticator or drive . Or, search by the
app publisher, such as Microsoft or Apple .
Apps are arranged from left to right, and in the same order as shown. Apps can be moved to other
positions. You can only have one page in a folder. As a workaround, add nine (9) or more apps to
the folder. Apps are automatically moved to the next page. You can add any combination of VPP
apps, web links (web apps), store apps, line-of-business apps, and system apps.
Dock
Add up to four (4) items for iPhones, and up to six (6) items for iPads (apps and folders combined) to the dock
on the screen. Many devices support fewer items. For example, iPhone devices support up to four items. So,
only the first four items you add are shown.
+ : Select the add button to add apps or folders to the dock.
Create folder or add apps : Add an App or a Folder :
App : Select existing apps from the list. This option adds apps to the dock on the screen. If you
don't have any apps, then Add apps to Intune.
You can also search for apps by the app name, such as authenticator or drive . Or, search by the
app publisher, such as Microsoft or Apple .
Folder : Adds a folder to the dock on the screen. Enter the Folder name , and select existing apps
from the list to go in the folder. This folder name is shown to users on their devices.
You can also search for apps by the app name, such as authenticator or drive . Or, search by the
app publisher, such as Microsoft or Apple .
Apps are arranged from left to right, and in the same order as shown. Apps can be moved to other
positions. If you add more apps than can fit on a page, then the apps are automatically moved to
another page. You can add up to 20 pages in a folder on the dock. You can add any combination of
VPP apps, web links (web apps), store apps, line-of-business apps, and system apps.

NOTE
When you use the Home Screen Layout settings to add pages, or add pages and apps to the dock, the icons on the
Home Screen and pages are locked. They can't be moved or deleted. This behavior might be by design with iOS/iPadOS
and Apple's MDM policies.

Example
In the following example, the dock screen shows the Safari, Mail, and Stocks apps. The Stocks app is selected to
show its properties:

When you assign the policy to an iPhone, the dock looks similar to the following image:
App notifications
Settings apply to: Automated device enrollment (supervised)
Add : Add notifications for apps:

App bundle ID : Enter the App Bundle ID of the app you want to add. See Bundle IDs for built-in
iOS/iPadOS apps for some examples.
App name : Enter the name of the app you want to add. This name is used for your reference in the
Microsoft Endpoint Manager admin center. It isn't shown on devices.
Publisher : Enter the publisher of the app you're adding. This name is used for your reference in the
Microsoft Endpoint Manager admin center. It isn't shown on devices.
Notifications : Enable or Disable the app from sending notifications to devices.
Show in Notification Center : Enable allows the app to show notifications in the device
Notification Center. Disable prevents the app from showing notifications in the Notification
Center.
Show in Lock Screen : Enable shows app notifications on the device lock screen. Disable
prevents the app from showing notifications on the lock screen.
Alert type : When devices are unlocked, choose how the notification is shown. Your options:
None : No notification is shown.
Banner : A banner is briefly shown with the notification.
Modal : The notification is shown and users must manually dismiss it before continuing
to use the device.
Badge on app icon : Select Enable to add a badge to the app icon. The badge means the
app sent a notification.
Sounds : Select Enable to play a sound when a notification is delivered.
Show previews : Shows a preview of recent app notifications. Select when to show the
preview. The value you choose overrides the user configured value on the device (Settings
> Notifications > Show Previews). Your options:
Not configured : Intune doesn't change or update this setting.
When unlocked : The preview only shows when the device is unlocked.
Always : The preview always shows on the lock screen.
Never : The preview never shows.
This feature applies to:
iOS/iPadOS 14.0 and newer

Lock screen message


This feature applies to:
iOS 9.3 and later
iPadOS 13.0 and newer
Settings apply to: Automated device enrollment (supervised)
Asset tag information : Enter information about the asset tag of the device. For example, enter
Owned by Contoso Corp or Serial Number: {{serialnumber}} .

The text you enter is shown on the sign-in window and lock screen on devices.
Lock screen footnote : If devices are lost or stolen, enter a note that might help get the device returned.
You can enter any text you want. For example, enter something like If found, call Contoso at ... .
Device tokens can also be used to add device-specific information to these fields. For example, to show
the serial number, enter Serial Number: {{serialnumber}} or Device ID: {{DEVICEID}} . On the lock
screen, the text appears similar to Serial Number 123456789ABC . When entering variables, be sure to use
curly brackets {{ }} . App configuration tokens includes a list of variables that can be used. You can also
use DEVICENAME or any other device-specific value.

NOTE
Variables aren't validated in the UI, and are case sensitive. As a result, you may see profiles saved with incorrect
input. For example, if you enter {{DeviceID}} instead of {{deviceid}} or '{{DEVICEID}}', then the literal string
is shown instead of the device's unique ID. Be sure to enter the correct information. All lowercase or all uppercase
variables are supported, but not a mix.
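Because the admin center doesn't validate these variables, a pre-save check catches the mixed-case mistake the note describes before a profile with a literal {{DeviceID}} reaches devices. The following Python is an added example, not Intune code: KNOWN_TOKENS is a constructed subset of the token names this page mentions (the full list is in App configuration tokens), and render_preview substitutes only the all-lowercase or all-uppercase names, mirroring what the device does with the rest.

```python
import re

# Token names named on this page (constructed subset; Intune's full list is in
# "App configuration tokens"). Stored lowercase; case handling is done below.
KNOWN_TOKENS = {"serialnumber", "deviceid", "devicename", "username"}

# A {{name}} placeholder with no nested braces inside.
TOKEN_RE = re.compile(r"\{\{([^{}]*)\}\}")


def check_device_tokens(text):
    """Pre-save validation of the {{ }} variables in a lock screen string.
    Returns a list of problem descriptions; [] means the text is clean.
    Rule from the page: all-lowercase or all-uppercase names are substituted
    on the device, a mixed-case name is shown as a literal string."""
    problems = []
    if text.count("{{") != text.count("}}"):
        problems.append("unbalanced {{ }} braces")
    for match in TOKEN_RE.finditer(text):
        name = match.group(1).strip()
        token = "{{" + name + "}}"
        if not name:
            problems.append("empty variable " + token)
        elif not (name.islower() or name.isupper()):
            problems.append("mixed-case variable " + token
                            + " (use all lowercase or all uppercase)")
        elif name.lower() not in KNOWN_TOKENS:
            problems.append("unknown variable " + token)
    return problems


def render_preview(text, values):
    """Show what the device would display. `values` maps lowercase token names
    to device-specific values (constructed for the example). Tokens that fail
    the case rule are deliberately left as literals, as the device leaves them."""
    def substitute(match):
        name = match.group(1).strip()
        if (name.islower() or name.isupper()) and name.lower() in values:
            return values[name.lower()]
        return match.group(0)
    return TOKEN_RE.sub(substitute, text)


if __name__ == "__main__":
    # Constructed device values, not read from any real device.
    sample = {"serialnumber": "123456789ABC", "deviceid": "0000-EXAMPLE-ID"}
    for candidate in ("Serial Number: {{serialnumber}}",
                      "Device ID: {{DEVICEID}}",
                      "Device ID: {{DeviceID}}"):
        print(candidate, "->", check_device_tokens(candidate) or "ok",
              "| shows as:", render_preview(candidate, sample))
```

Run the check over the asset tag and footnote text before saving the profile; the third candidate above is the failure mode from the note, and its preview keeps the literal braces instead of the device ID.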

Single sign-on
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Realm : Enter the domain part of the URL. For example, enter contoso.com .
Kerberos principal name : Intune looks for this attribute for each user in Azure AD. Intune then
populates the respective field (such as UPN) before generating the XML that gets installed on devices.
Your options:
Not configured : Intune doesn't change or update this setting. By default, the OS will prompt
users for a Kerberos principal name when the profile is deployed to devices. A principal name is
required for MDMs to install SSO profiles.
User principal name : The user principal name (UPN) is parsed in the following way:
You can also overwrite the realm with the text you enter in the Realm text box.
For example, Contoso has several regions, including Europe, Asia, and North America. Contoso
wants their Asia users to use SSO, and the app requires the UPN in the username@asia.contoso.com
format. When you select User Principal Name , the realm for each user is taken from Azure AD,
which is contoso.com . So for users in Asia, select User Principal Name , and enter
asia.contoso.com . The user's UPN becomes username@asia.contoso.com , instead of
username@contoso.com .

Intune device ID : Intune automatically selects the Intune Device ID.


By default, apps only need to use the device ID. But if your app uses the realm and the device ID,
you can type the realm in the Realm text box.

NOTE
By default, keep the realm empty if you use device ID.

Azure AD device ID
SAM account name : Intune populates the on-premises Security Accounts Manager (SAM)
account name.
Apps : Add apps on users' devices that can use single sign-on.
The AppIdentifierMatches array must include strings that match app bundle IDs. These strings may be
exact matches, such as com.contoso.myapp , or enter a prefix match on the bundle ID using the * wildcard
character. The wildcard character must appear after a period character (.), and may appear only once, at
the end of the string, such as com.contoso.* . When a wildcard is included, any app whose bundle ID
begins with the prefix is granted access to the account.
Use App Name to enter a user-friendly name to help you identify the bundle ID.
URL prefixes : Add any URLs in your organization that require user single sign-on authentication.
For example, when a user connects to any of these sites, the iOS/iPadOS device uses the single sign-on
credentials. Users don't need to enter any additional credentials. If multi-factor authentication is enabled,
then users are required to enter the second authentication.

NOTE
These URLs must be properly formatted FQDNs. Apple requires them to be in the http://<yourURL.domain>
format.

The URL matching patterns must begin with either http:// or https:// . A simple string match is run, so
the http://www.contoso.com/ URL prefix doesn't match http://www.contoso.com:80/ . With iOS 10.0+ and
iPadOS 13.0+, a single wildcard * may be used to enter all matching values. For example,
http://*.contoso.com/ matches both http://store.contoso.com/ and http://www.contoso.com .

The http://.com and https://.com patterns match all HTTP and HTTPS URLs, respectively.
Renewal certificate : If using certificates for authentication (not passwords), select the existing SCEP or
PFX certificate as the authentication certificate. Typically, this certificate is the same certificate that's
deployed to users for other profiles, such as VPN, Wi-Fi, or email.
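The AppIdentifierMatches and URL prefix rules above decide which apps and sites receive the Kerberos credential, so it is worth checking a pattern before deploying it. The Python below is an added example, not Intune's or Apple's code: it implements the matching rules exactly as the text states them (single trailing '*' after a period for bundle IDs; plain string-prefix comparison for URLs, so a port suffix defeats a match) and adds two labelled assumptions about the URL wildcard: '*' matches any characters that contain no '/', and a bare origin with no path is treated as ending in '/', which is what makes the page's own http://www.contoso.com example match. EXAMPLE_PROFILE is constructed.

```python
import re

SCHEMES = ("http://", "https://")


def validate_bundle_pattern(pattern):
    """An AppIdentifierMatches entry is an exact bundle ID, or a prefix whose
    single '*' sits at the very end, directly after a period."""
    if not pattern:
        return False
    if "*" not in pattern:
        return True
    return pattern.count("*") == 1 and pattern.endswith(".*")


def bundle_id_matches(pattern, bundle_id):
    """Exact match, or prefix match when the pattern ends in '.*'. The prefix
    keeps its trailing period, so com.contoso.* does not match com.contosoapp.x."""
    if not validate_bundle_pattern(pattern):
        return False
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])
    return pattern == bundle_id


def validate_url_prefix(prefix):
    """A URL prefix must start with http:// or https:// and may hold one '*'."""
    return prefix.startswith(SCHEMES) and prefix.count("*") <= 1


def url_prefix_matches(prefix, url):
    """Plain string-prefix comparison, so ':80' in the URL defeats a match.
    Assumptions (not stated by the page): '*' stands for any run of characters
    without a '/', and a bare origin with no path is treated as ending in '/'."""
    if not validate_url_prefix(prefix) or not url.startswith(SCHEMES):
        return False
    scheme_end = url.index("://") + 3
    if "/" not in url[scheme_end:]:
        url += "/"
    head, star, tail = prefix.partition("*")
    if not star:
        return url.startswith(prefix)
    pattern = re.escape(head) + r"[^/]*" + re.escape(tail)
    return re.match(pattern, url) is not None


def app_gets_sso(profile, bundle_id):
    """Would this SSO payload hand its Kerberos account to `bundle_id`?"""
    return any(bundle_id_matches(p, bundle_id) for p in profile["AppIdentifierMatches"])


def url_gets_sso(profile, url):
    """Would a request to `url` be answered with the single sign-on credential?"""
    return any(url_prefix_matches(p, url) for p in profile["URLPrefixMatches"])


# Constructed example values, not a real deployed profile.
EXAMPLE_PROFILE = {
    "AppIdentifierMatches": ["com.contoso.myapp", "com.contoso.hr.*"],
    "URLPrefixMatches": ["https://*.contoso.com/", "http://www.contoso.com/"],
}

if __name__ == "__main__":
    for app in ("com.contoso.hr.payroll", "com.contosoapp.hr", "com.fabrikam.app"):
        print(app, "->", app_gets_sso(EXAMPLE_PROFILE, app))
    for site in ("https://mail.contoso.com/owa", "http://www.contoso.com:80/"):
        print(site, "->", url_gets_sso(EXAMPLE_PROFILE, site))
```

The two validators are the useful part when reviewing a profile: a wildcard in the middle of a bundle ID or a prefix without a scheme is rejected outright rather than silently matching nothing, and the port example from the text shows why a prefix list should be tested against the exact URLs users actually open.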

Web content filter


Settings apply to: Automated device enrollment (supervised)
Filter Type : Choose to allow specific web sites. Your options:
Configure URLs : Use Apple's built-in web filter that looks for adult terms, including profanity and
sexually explicit language. This feature evaluates each web page as it's loaded, and identifies and
blocks unsuitable content. You can also add URLs that you don't want checked by the filter. Or,
block specific URLs, regardless of Apple's filter settings.
Permitted URLs : Add the URLs you want to allow. These URLs bypass Apple's web filter.

NOTE
The URLs you enter are the URLs you don't want evaluated by the Apple web filter. These URLs
aren't a list of allowed web sites. To create a list of allowed websites, set the Filter Type to
Specific websites only .

Blocked URLs : Add the URLs you want to stop from opening, regardless of the Apple web
filter settings.
Specific websites only (for the Safari web browser only): These URLs are added to the Safari
browser's bookmarks. Users are only allowed to visit these sites; no other sites can be opened.
Use this option only if you know the exact list of URLs that users can access.
URL : Enter the URL of the website you want to allow. For example, enter
https://www.contoso.com .
Bookmark Path : Apple changed this setting. All bookmarks go into the Approved Sites
folder. Bookmarks don't go into the bookmark path you enter.
Title : Enter a descriptive title for the bookmark.
If you don't enter any URLs, then users can't access any websites except for microsoft.com ,
microsoft.net , and apple.com . These URLs are automatically allowed by Intune.

Single sign-on app extension


This feature applies to:
iOS 13.0 and later
iPadOS 13.0 and later
Settings apply to: All enrollment types
SSO app extension type : Choose the type of SSO app extension. Your options:
Not configured : Intune doesn't change or update this setting. By default, the OS doesn't use app
extensions. To disable an app extension, you can switch the SSO app extension type to Not
configured .
Microsoft Azure AD : Uses the Microsoft Enterprise SSO plug-in, which is a redirect-type SSO
app extension. This plug-in provides SSO for Active Directory accounts across all applications that
support Apple's Enterprise Single Sign-On feature. Use this SSO app extension type to enable SSO
on Microsoft apps, organization apps, and websites that authenticate using Azure AD.

IMPORTANT
The Microsoft Azure AD SSO extension is in public preview. This preview version is provided without a
service level agreement (SLA). It's not recommended to use in production. Certain features might not be
supported, or might have restricted behavior. For more information, see Supplemental Terms of Use for
Microsoft Azure Previews.

The SSO plug-in acts as an advanced authentication broker that offers security and user
experience improvements. All apps that use the Microsoft Authenticator app for authentication
continue to get SSO with the Microsoft Enterprise SSO plug-in for Apple devices.

IMPORTANT
To achieve SSO with the Microsoft Azure AD SSO app extension type, first install the iOS/iPadOS Microsoft
Authenticator app on devices. The Authenticator app delivers the Microsoft Enterprise SSO plug-in to
devices, and the MDM SSO app extension settings activate the plug-in. Once Authenticator and the SSO
app extension profile are installed on devices, users must enter their credentials to sign in, and establish a
session on their devices. This session is then used across different applications without requiring users to
authenticate again. For more information about Authenticator, see What is the Microsoft Authenticator
app.

Redirect : Use a generic, customizable redirect app extension to use SSO with modern
authentication flows. Be sure you know the extension ID for your organization's app extension.
Credential : Use a generic, customizable credential app extension to use SSO with challenge-and-
response authentication flows. Be sure you know the extension ID for your organization's app
extension.
Kerberos : Use Apple's built-in Kerberos extension, which is included on iOS 13.0+ and iPadOS
13.0+. This option is a Kerberos-specific version of the Credential app extension.

TIP
With the Redirect and Credential types, you add your own configuration values to pass through the extension.
If you're using Credential, consider using built-in configuration settings provided by Apple in the Kerberos type.

After users successfully sign in to the Authenticator app, they aren't prompted to sign in to other apps
that use the SSO extension. The first time users open managed apps that don't use the SSO extension,
they're prompted to select the account that's signed in.
Shared device mode (Microsoft Azure AD only): Choose Enable if you're deploying the Microsoft
Enterprise SSO plug-in to iOS/iPadOS devices configured for Azure AD's shared device mode feature.
Devices in shared mode allow many users to globally sign in and out of applications that support shared
device mode. When set to Not configured , Intune doesn't change or update this setting. By default,
iOS/iPadOS devices aren't intended to be shared among multiple users.
For more information about shared device mode and how to enable it, see Overview of shared device
mode and Shared device mode for iOS devices.
This feature applies to:
iOS/iPadOS 13.5 and newer
Extension ID (Redirect and Credential): Enter the bundle identifier that identifies your SSO app
extension, such as com.apple.extensiblesso .
Team ID (Redirect and Credential): Enter the team identifier of your SSO app extension. A team identifier
is a 10-character alphanumeric (numbers and letters) string generated by Apple, such as ABCDE12345 .
The team ID isn't required.
Locate your Team ID (opens Apple's website) has more information.
Realm (Credential and Kerberos): Enter the name of your authentication realm. The realm name should
be capitalized, such as CONTOSO.COM . Typically, your realm name is the same as your DNS domain name,
but in all uppercase.
Domains (Credential and Kerberos): Enter the domain or host names of the sites that can authenticate
through SSO. For example, if your website is mysite.contoso.com , then mysite is the host name, and
.contoso.com is the domain name. When users connect to any of these sites, the app extension handles
the authentication challenge. This authentication allows users to use Face ID, Touch ID, or Apple
pincode/passcode to sign in.
All the domains in your single sign-on app extension Intune profiles must be unique. You can't repeat
a domain in any sign-on app extension profile, even if you're using different types of SSO app
extensions.
These domains aren't case-sensitive.
The domain must begin with a period ( . ).
URLs (Redirect only): Enter the URL prefixes of your identity providers on whose behalf the redirect app
extension uses SSO. When users are redirected to these URLs, the SSO app extension intervenes and
prompts SSO.
All the URLs in your Intune single sign-on app extension profiles must be unique. You can't repeat a
domain in any SSO app extension profile, even if you're using different types of SSO app extensions.
The URLs must begin with http:// or https:// .
Additional configuration (Microsoft Azure AD, Redirect, and Credential): Enter additional extension-
specific data to pass to the SSO app extension:
Key : Enter the name of the item you want to add, such as user name or 'AppAllowList'.
Type : Enter the type of data. Your options:
String
Boolean: In Configuration value , enter True or False .
Integer: In Configuration value , enter a number.
Value : Enter the data.
Add : Select to add your configuration keys.
Keychain usage (Kerberos only): Block prevents passwords from being saved and stored in the
keychain. If blocked, users aren't prompted to save their password, and need to reenter the password
when the Kerberos ticket expires. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow passwords to be saved and stored in the keychain.
Users aren't prompted to reenter their password when the ticket expires.
Face ID, Touch ID, or passcode (Kerberos only): Require forces users to enter their Face ID, Touch ID,
or device passcode when the credential is needed to refresh the Kerberos ticket. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might not require
users to use biometrics or device passcode to refresh the Kerberos ticket. If Keychain usage is blocked,
then this setting doesn't apply.
Default realm (Kerberos only): Enable sets the Realm value you entered as the default realm. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not
set a default realm.

TIP
Enable this setting if you're configuring multiple Kerberos SSO app extensions in your organization.
Enable this setting if you're using multiple realms. It sets the Realm value you entered as the default realm.
If you only have one realm, leave it Not configured (default).

Principal name (Kerberos only): Enter the username of the Kerberos principal. You don't need to include
the realm name. For example, in user@contoso.com , user is the principal name, and contoso.com is the
realm name.

TIP
You can also use variables in the principal name by entering curly brackets {{ }} . For example, to show the
username, enter Username: {{username}} .
However, be careful with variable substitution because variables aren't validated in the UI and they are case
sensitive. Be sure to enter the correct information.

Active Directory site code (Kerberos only): Enter the name of the Active Directory site that the
Kerberos extension should use. You may not need to change this value, as the Kerberos extension may
automatically find the Active Directory site code.
Cache name (Kerberos only): Enter the Generic Security Services (GSS) name of the Kerberos cache. You
most likely don't need to set this value.
App bundle IDs (Microsoft Azure AD, Kerberos): Enter the bundle IDs of the additional apps that should
get single sign-on through an extension on your devices.
If you use the Microsoft Azure AD SSO app extension type, then:
These apps use the Microsoft Enterprise SSO plug-in to authenticate the user without requiring a
sign-in.
The app bundle IDs you enter have permission to use the Microsoft Azure AD SSO app extension if
they don't use any Microsoft libraries, such as Microsoft Authentication Library (MSAL).
The experience for these apps may not be as seamless compared to the Microsoft libraries. Older
apps that use MSAL authentication, or apps that don't use the newest Microsoft libraries, must be
added to this list to work properly with the Microsoft Azure SSO app extension.
If you use the Kerberos SSO app extension type, then these apps:
Have access to the Kerberos Ticket Granting Ticket
Have access to the authentication ticket
Authenticate users to services they’re authorized to access
Domain realm mapping (Kerberos only): Add the domain DNS suffixes that should map to your realm.
Use this setting when the DNS names of the hosts don't match the realm name. You most likely don't
need to create this custom domain-to-realm mapping.
PKINIT certificate (Kerberos only): Select the Public Key Cryptography for Initial Authentication
(PKINIT) certificate that can be used for Kerberos authentication. You can choose from PKCS or SCEP
certificates that you've added in Intune. For more information about certificates, see Use certificates for
authentication in Microsoft Intune.
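The Single sign-on app extension settings above carry several cross-profile rules that the admin center leaves to you: domains must begin with a period and be unique (case-insensitively) across every SSO app extension profile, Redirect URLs must begin with http:// or https:// and also be unique, the Kerberos realm should be uppercase, and {{ }} variables in the principal name follow the same all-lowercase-or-all-uppercase rule as the lock screen tokens. The Python below is an added example, not Intune code: SsoExtensionProfile is a constructed model of just those fields, and validate_sso_profiles checks a whole set of profiles that will coexist in one tenant.

```python
import re
from dataclasses import dataclass, field

SCHEMES = ("http://", "https://")


@dataclass
class SsoExtensionProfile:
    """Constructed model of the SSO app extension fields the page gives rules for."""
    name: str
    extension_type: str        # "Kerberos", "Credential", "Redirect" or "Microsoft Azure AD"
    realm: str = ""
    domains: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    principal_name: str = ""


def _mixed_case_tokens(text):
    # Same rule as the lock screen note: a {{name}} is all lower or all upper.
    names = re.findall(r"\{\{([^{}]*)\}\}", text)
    return [n for n in names if not (n.islower() or n.isupper())]


def validate_sso_profiles(profiles):
    """Check a set of SSO app extension profiles that will be assigned in the
    same tenant. Returns a list of problem strings; [] means the set is clean."""
    problems = []
    seen_domains = {}   # lowercase domain -> first profile that used it
    seen_urls = {}      # URL prefix -> first profile that used it
    for p in profiles:
        uses_domains = p.extension_type in ("Kerberos", "Credential")
        if uses_domains and p.realm and p.realm != p.realm.upper():
            problems.append(f"{p.name}: realm '{p.realm}' should be all uppercase")
        if p.domains and not uses_domains:
            problems.append(f"{p.name}: domains apply only to Credential and Kerberos types")
        if p.urls and p.extension_type != "Redirect":
            problems.append(f"{p.name}: URLs apply only to the Redirect type")
        for d in p.domains:
            if not d.startswith("."):
                problems.append(f"{p.name}: domain '{d}' must begin with a period")
            key = d.lower()            # domains are not case-sensitive
            if key in seen_domains:
                problems.append(f"{p.name}: duplicate domain '{d}' (also in {seen_domains[key]})")
            else:
                seen_domains[key] = p.name
        for u in p.urls:
            if not u.startswith(SCHEMES):
                problems.append(f"{p.name}: URL '{u}' must begin with http:// or https://")
            if u in seen_urls:
                problems.append(f"{p.name}: duplicate URL '{u}' (also in {seen_urls[u]})")
            else:
                seen_urls[u] = p.name
        for n in _mixed_case_tokens(p.principal_name):
            problems.append(f"{p.name}: principal name variable '" + "{{" + n + "}}"
                            + "' is mixed case")
    return problems


if __name__ == "__main__":
    # Constructed profiles; the realm, domains and URLs are placeholders.
    planned = [
        SsoExtensionProfile("krb-corp", "Kerberos", realm="contoso.com",
                            domains=[".contoso.com", "contoso.net"],
                            principal_name="{{UserName}}"),
        SsoExtensionProfile("cred-hr", "Credential", realm="CONTOSO.COM",
                            domains=[".CONTOSO.COM"]),
        SsoExtensionProfile("redirect-idp", "Redirect",
                            urls=["https://login.example.test/"]),
    ]
    for problem in validate_sso_profiles(planned) or ["no problems found"]:
        print(problem)
```

The duplicate-domain check deliberately spans profiles of different extension types, because the page states that a domain can't be repeated in any SSO app extension profile even when the types differ; run it over every profile you plan to assign, not just the one you are editing.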

Wallpaper
You can experience unexpected behavior when a profile with no image is assigned to devices with an existing
image. For example, you create a profile without an image. This profile is assigned to devices that already have
an image. In this scenario, the image may change to the device default, or the original image may stay on the
device. This behavior is controlled and limited by Apple's MDM platform.
Settings apply to: Automated device enrollment (supervised)
Wallpaper Display Location : Choose a location on devices to show the image. Your options:
Not configured : Intune doesn't change or update this setting. A custom image isn't added to devices.
By default, the OS might set its own image.
Lock screen : Adds the image to the lock screen.
Home screen : Adds the image to the home screen.
Lock screen and Home screen : Uses the same image on the lock screen and home screen.
Wallpaper Image : Upload an existing .png, .jpg, or .jpeg image you want to use. Be sure the file size is less
than 750 KB. You can also remove an image that you added.

TIP
When configuring a wallpaper policy, Microsoft recommends enabling the Block modification of Wallpaper setting. This
setting prevents users from changing the wallpaper.
To display different images on the lock screen and home screen, create a profile with the lock screen image. Create
another profile with the home screen image. Assign both profiles to your iOS/iPadOS user or device groups.

Next steps
Assign the profile and monitor its status.
You can also create device feature profiles for macOS devices.
iOS and iPadOS device settings to allow or restrict features using Intune
6/21/2021 • 53 minutes to read

This article describes the different settings you can control on iOS and iPadOS devices. As part of your mobile
device management (MDM) solution, use these settings to allow or disable features, set password rules, allow or
restrict specific apps, and more.
These settings are added to a device configuration profile in Intune, and then assigned or deployed to your
iOS/iPadOS devices.

TIP
These settings use Apple's MDM settings. For more information on these settings, see Apple's mobile device management
settings (opens Apple's web site).

Before you begin


Create an iOS/iPadOS device restrictions configuration profile.

NOTE
These settings apply to different enrollment types, with some settings applying to all enrollment options. For more
information on the different enrollment types, see iOS/iPadOS enrollment.

App Store, Doc Viewing, Gaming


Settings apply to: All enrollment types
Block viewing corporate documents in unmanaged apps : Yes prevents viewing corporate
documents in unmanaged apps. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow corporate documents to be viewed in any app.
For example, you want to prevent users from saving files from the OneDrive app to Dropbox. Configure
this setting as Yes . After devices receive the policy (for example, after a restart), it no longer allows saving.

NOTE
When this setting is blocked (set to Yes ), third-party keyboards installed from the App Store are also blocked.

Allow unmanaged apps to read from managed contacts accounts : Yes lets unmanaged
apps, such as the built-in iOS/iPadOS Contacts app, read and access contact information from
managed apps, including the Outlook mobile app. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might prevent reading from the built-in
Contacts app on devices.
This setting allows or prevents reading contact information. It doesn't control syncing contacts
between the apps.
To use this setting, set the Block viewing corporate documents in unmanaged apps setting
to Yes .
For more information about these two settings, and their impact on Outlook for iOS/iPadOS contact
export synchronization, see Support Tip: Use Intune custom profile settings with the iOS/iPadOS Native
Contacts App.
Treat AirDrop as an unmanaged destination : Yes forces AirDrop to be considered an unmanaged
drop target. It stops managed apps from sending data using Airdrop. When set to Not configured
(default), Intune doesn't change or update this setting.
Block viewing non-corporate documents in corporate apps : Yes prevents viewing non-corporate
documents in corporate apps. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow any document to be viewed in corporate managed apps.
Yes also prevents contact export synchronization in Outlook for iOS/iPadOS. For more information, see
Support Tip: Enabling Outlook iOS/iPadOS Contact Sync with iOS12 MDM Controls.
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Require iTunes Store password for all purchases : Yes forces users to enter the Apple ID password
for each in-app or iTunes purchase. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow purchases without prompting for a password every
time.
Block in-app purchases : Yes prevents in-app purchases from the store. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow store purchases
within a running app.
Block download of explicit sexual content in Apple Books : Yes prevents users from downloading
media from the iBook store that's tagged as erotica. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to download books with the
"Erotica" category.
Allow managed apps to write contacts to unmanaged contacts accounts : Yes lets managed
apps, such as the Outlook mobile app, save or sync contact information, including business and corporate
contacts, to the built-in iOS/iPadOS Contacts app. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might prevent managed apps from saving or syncing
contact information to the built-in iOS/iPadOS Contacts app on devices.
To use this setting, set the Block viewing corporate documents in unmanaged apps setting to Yes .
Ratings region : Select the ratings region you want to use for allowed downloads. And then select the
allowed ratings for Movies , TV Shows , and Apps .
Settings apply to: Automated device enrollment (supervised)
Block App store : Yes prevents access to the app store on supervised devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow access.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Block installing apps using App Store : Yes doesn't show the app store on the device home screen.
Users can continue to use iTunes or the Apple Configurator to install apps. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow the
app store on the home screen.
Block automatic app downloads : Yes prevents automatic downloading of apps bought on other
devices and automatic updates to new apps. It doesn't affect updates to existing apps. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow apps bought on other iOS/iPadOS devices to download and update on the device.
Block playback of explicit music, podcast, and iTunes U : Yes prevents explicit iTunes music,
podcast, or news content. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow the device to access content rated as adult from the store.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Block adding Game Center friends : Yes prevents users from adding Game Center friends. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
users to add friends in Game Center.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Block Game Center : Yes prevents using the Game Center app. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow using the Game Center app
on devices.
Block multiplayer gaming : Yes prevents multiplayer gaming. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow users to play multiplayer
games on devices.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Block access to network drive in Files app : Using the Server Message Block (SMB) protocol, devices
can access files or other resources on a network server. Yes prevents accessing files on a network SMB
drive. When set to Not configured (default), Intune doesn't change or update this setting. By default, the
OS might allow access.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer

Autonomous single app mode (ASAM)


Use these settings to configure iOS/iPadOS devices to run specific apps in autonomous single app mode
(ASAM). When ASAM is configured, and users start one of the configured apps, then the device is locked to that
app. App/task switching is disabled until users exit the allowed app.
For the ASAM configuration to apply, users must manually open the specific app. This task also applies to the
Company Portal app.
For example, in a school or university environment, add an app that lets users take a test on the device.
Or, lock the device into the Company Portal app until the user authenticates. When users complete the
app's actions, or you remove this policy, the device returns to its normal state.
Not all apps support autonomous single app mode. To put an app in ASAM, a bundle ID or a key value
pair delivered by an app config policy are typically required. For more information, see the
autonomousSingleAppModePermittedAppIDs restriction in Apple's MDM documentation. For more
information on the specific settings required for the app you're configuring, see the vendor
documentation.
For example, to configure Zoom Rooms in autonomous single app mode, Zoom says to use the
us.zoom.zpcontroller bundle ID. In this instance, you also make a change in the Zoom web portal. For
more information, see the Zoom help center.
On iOS/iPadOS devices, the Company Portal app supports ASAM. When the Company Portal app is in
ASAM, users must manually open the Company Portal app. Then the device is locked in the Company
Portal app until the user authenticates. When users sign in to the Company Portal app, they can use other
apps and the Home screen button on the device. When they sign out of the Company Portal app, the
device returns to single app mode, and locks on the Company Portal app.
To turn the Company Portal app into a 'sign in/sign out' app (enable ASAM), enter the Company Portal
app name, such as Microsoft Intune Company Portal , and the bundle ID ( com.microsoft.CompanyPortal ) in
these settings. After this profile is assigned, you must open the Company Portal app to lock the app so
users can sign in and sign out of it. For the ASAM configuration to apply, users must manually open the
Company Portal app.
When the device configuration profile is removed, and the user signs out, the device isn't locked in the
Company Portal app.
Settings apply to: Automated device enrollment (supervised)
App name : Enter the name of the app you want.
App Bundle ID : Enter the bundle ID of the app you want.
You can also Import a CSV file with the list of app names and their bundle IDs. Or, Export an existing list that
includes the apps.

Built-in Apps
Settings apply to: All enrollment types
Block Siri : Yes prevents access to Siri. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow using the Siri voice assistant on devices.
Block Siri while device is locked : Yes prevents access to Siri when devices are locked. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow using the Siri voice assistant on devices when they're locked.
Require Safari fraud warnings : Yes requires fraud warnings to be shown in the web browser on
devices. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might not show these warnings.
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Block internet search results from Spotlight : Yes stops Spotlight from returning any results from an
Internet search. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow Spotlight search to connect to the Internet to provide search results.
Safari cookies : By default, Apple allows all cookies, and blocks cross site tracking. Use this setting to
allow users to enable or disable these features. Your options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS allows all
cookies and blocks cross site tracking, and might allow users to enable and disable these features.
Allow all cookies, and allow cross site tracking : Cookies are allowed, and can be disabled by
users. By default, cross site tracking is blocked, and can be enabled by users.
Block all cookies, and block cross site tracking : Cookies and cross site tracking are both blocked.
Users can't enable or disable either setting.
Allow all cookies, and block cross site tracking : Cookies are allowed, and can be disabled by
users. By default, cross site tracking is blocked, and can't be enabled or disabled by users.
Block Safari JavaScript : Yes prevents JavaScript in the browser from running on devices. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
JavaScript.
Block Safari Pop-ups : Yes blocks all pop-ups in the Safari web browser. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow the pop-up blocker.
Block Siri for dictation : Yes prevents connections to Siri servers. Users can't use Siri to dictate text.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow Siri to be used for dictation.
This feature applies to:
iOS/iPadOS 14.5 and newer
Settings apply to: Automated device enrollment (supervised)
Block camera : Yes prevents access to the camera on the device. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow access to the device's camera.
Intune only manages access to the device camera. It doesn't have access to pictures or videos.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Block FaceTime : Yes prevents access to the FaceTime app. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow access to the
FaceTime app on devices.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Require Siri profanity filter : Yes turns on the filter, and prevents Siri from dictating, or speaking
profane language. When set to Not configured (default), Intune doesn't change or update this setting.
To use this setting, set the Block Siri setting to Not configured .
This feature applies to:
iOS 11.0 and newer
Block user-generated content in Siri : Yes prevents Siri from accessing websites to answer questions.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow Siri to access user-generated content from the internet.
To use this setting, set the Block Siri setting to Not configured .
Block Apple News : Yes prevents access to the Apple News app on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow using
the Apple News app.
Block Apple Books : Yes prevents access to the iBooks store. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow users to browse and buy
books from the iBooks store.
Block iMessage : Yes prevents using the Messages app for iMessage. If devices support text messaging,
then users can still send and receive text messages using SMS. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow using the Messages app to
send and read messages over the internet.
Block Podcasts : Yes prevents using the Podcasts app. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow using the Podcasts app.
Music service : Yes disables the Music Service, and reverts the Music app to classic mode. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
using the Apple Music app.
Block iTunes Radio : Yes prevents using the iTunes Radio app. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow using the iTunes Radio app.
Block iTunes store : Yes prevents using iTunes on devices. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow iTunes.
This feature applies to:
iOS 4.0 and newer
iPadOS 13.0 and newer
Block Find My iPhone : Yes prevents this feature in the Find My app. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow using this Find My
app feature to get the approximate location of the device.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Block Find My Friends : Yes prevents this feature in the Find My app. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow using this Find My
app feature to find family and friends from an Apple device or iCloud.com.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Block user modification to the Find My Friends settings : Yes prevents changes to the Find My
Friends app settings. When set to Not configured (default), Intune doesn't change or update this setting.
By default, the OS might allow users to change settings for the Find My Friends app.
Block removal of system apps from device : Yes prevents removing system apps from devices.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow users to remove system apps.
Block Safari : Yes prevents using the Safari browser on devices. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow users to use the Safari
browser.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Block Safari Autofill : Yes disables the autofill feature in Safari on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow users
to change autocomplete settings in the web browser.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Cloud and Storage
Settings apply to: All enrollment types
Force encrypted backup : Yes requires device backups to be encrypted. When set to Not configured
(default), Intune doesn't change or update this setting.
Block managed apps from storing data in iCloud : Yes prevents Intune-managed apps from syncing data to
the user's iCloud account. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow this data sync to iCloud.
Block backup of enterprise books : Yes prevents backing up enterprise books. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to
back up these books.
Block notes and highlights sync for enterprise books : Yes prevents syncing notes and highlights in
enterprise books. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow the syncing.
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Block iCloud Photos sync : Yes prevents photo stream syncing to iCloud. Blocking this feature may cause
data loss. When set to Not configured (default), Intune doesn't change or update this setting. By default, the
OS might let users enable My Photo Stream on their device to sync to iCloud, and have photos available on
all the user's devices.
Block iCloud Photo Library : Yes disables using iCloud photo library to store photos and videos in the
cloud. Any photos not fully downloaded from iCloud Photo Library to devices are removed from the device.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow using the iCloud photo library.
Block My Photo Stream : Yes disables iCloud Photo Sharing on devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow shared photo
streaming.
Block Handoff : Yes prevents users from starting work on an iOS/iPadOS device, and then continuing the
work on another iOS/iPadOS or macOS device. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow this handoff.
Settings apply to: Automated device enrollment (supervised)
Block iCloud backup : Yes stops users from backing up devices to iCloud. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow users to back up
devices to iCloud.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Block iCloud document and data sync : Yes prevents iCloud from syncing documents and data. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow document and key-value synchronization to your iCloud storage space.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Block iCloud Keychain sync : Yes disables syncing credentials stored in the Keychain to iCloud. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow users to sync these credentials.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

Connected Devices
Settings apply to: All enrollment types
Force Apple Watch wrist detection : Yes forces a paired Apple watch to use wrist detection. When
required, the Apple Watch won't display notifications when it's not being worn. When set to Not configured
(default), Intune doesn't change or update this setting.
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Require AirPlay outgoing requests pairing password : Yes requires a pairing password when using
AirPlay to stream content to other Apple devices. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to stream content using AirPlay
without entering a password.
Block Apple Watch auto unlock : Yes prevents users from unlocking their device with Apple Watch.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow Apple Watch to auto unlock a device.
This feature applies to:
iOS/iPadOS 14.5 and newer
Settings apply to: Automated device enrollment (supervised)
Block AirDrop : Yes prevents using AirDrop on devices. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow using the AirDrop feature to
exchange content with nearby devices.
Block pairing with Apple Watch : Yes prevents pairing with an Apple Watch. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow devices
to pair with an Apple Watch.
Block modifying Bluetooth settings : Yes stops users from changing Bluetooth settings on devices.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow users to change these settings.
Block pairing with non-Configurator hosts : Yes prevents host pairing. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow host pairing to let
the administrator control which devices an iOS/iPadOS device can pair with.
Block AirPrint : Yes prevents using the AirPrint feature on devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow users to use
AirPrint.
Block storage of AirPrint credentials in Keychain : Block prevents using Keychain storage for
username and password on devices. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow storing the AirPrint username and password in the
Keychain app.
Require AirPrint to destinations with trusted certificates : Yes forces devices to use trusted
certificates for TLS printing communication. When set to Not configured (default), Intune doesn't
change or update this setting.
Block iBeacon discovery of AirPrint printers : Yes prevents malicious AirPrint Bluetooth beacons
from phishing for network traffic. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow advertising AirPrint printers on devices.
Block setting up new nearby devices : Yes disables the prompt to set up new devices that are nearby.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow prompts for users to connect to other nearby Apple devices.
This feature applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
Block access to USB drive in Files app : Devices can connect and open files on a USB drive. Yes
prevents device access to the USB drive in the Files app when a USB is connected to the device. Blocking
this feature also blocks users from transferring files onto a USB drive connected to an iPad. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
access to a USB drive in the Files app.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Disable near-field communication (NFC) : Yes disables NFC, and prevents devices from pairing with
other NFC-enabled devices. When set to Not configured (default), Intune doesn't change or update this
setting. By default, users might be allowed to use NFC, and connect to other NFC-enabled devices.
This feature applies to:
iOS 14.2 and newer
iPadOS 14.2 and newer
Allow users to boot devices into recovery mode with unpaired devices : Yes lets a user boot a
device into recovery mode with an unpaired device. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might prevent users from booting devices into
recovery mode with an unpaired device.
This feature applies to:
iOS/iPadOS 14.5 and newer

Domains
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Unmarked email domains : Add one or more domain URLs to the list. When users receive an email
from a domain other than the domains you enter, the email is marked as untrusted in the iOS/iPadOS
Mail app.
Managed Safari web domains : Add one or more web domain URLs to the list. When documents are
downloaded from the domains you enter, they're considered managed. This setting applies only to
documents downloaded using the Safari browser.
Settings apply to: Automated device enrollment (supervised)
Safari password domains : Add one or more domain URLs to the list. Users can only save web
passwords from URLs in this list. This setting applies only to the Safari browser, and devices in supervised
mode. If you don't enter any URLs, then passwords can be saved from all web sites.
This feature applies to:
iOS 9.3 and newer
iPadOS 13.0 and newer

General
Settings apply to: All enrollment types
Block sending diagnostic and usage data to Apple : Yes prevents devices from sending diagnostic
and usage data to Apple. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow this data to be sent.
Block screenshots and screen recording : Yes prevents screenshots or screen captures on devices. In
iOS/iPadOS 9.0 and newer, it also blocks screen recordings. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might let users capture the screen
contents as an image or as a video.
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Block Untrusted TLS certificates : Yes prevents untrusted Transport Layer Security (TLS) certificates
on devices. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow TLS certificates.
Block over-the-air PKI updates : Yes prevents your users from receiving software updates unless
devices are connected to a computer. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow a device to receive software updates without being
connected to a computer.
Force limited ad tracking : Yes disables the device advertising identifier. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might keep it enabled.
Block trusting new enterprise app authors : Yes removes the Trust Enterprise Developer button
in Settings > General > Profiles & Device Management on devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might let users choose to trust
apps that aren't downloaded from the app store.
Block app clips : Yes blocks App Clips on managed devices. Specifically, setting to Yes :
Prevents users from adding App Clips on devices.
Removes existing App Clips on devices.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow adding and removing App Clips on devices.
This feature applies to:
iOS 14.0 and newer
iPadOS 14.0 and newer
Limit Apple personalized advertising : Yes limits Apple's personalized advertising in the App Store,
Apple News, and Stocks apps. On the device, the Settings > Privacy > Apple Advertising is toggled
off. This setting only impacts personalized ads in these apps. It doesn't impact non-personalized ads, and
may not reduce ads. When set to Not configured (default), Intune doesn't change or update this setting.
By default, the OS might turn on personalized ads.
For more information on Apple's policy, see Apple Advertising & Privacy (opens Apple's web site).
This feature applies to:
iOS 14.0 and newer
iPadOS 14.0 and newer
Settings apply to: Automated device enrollment (supervised)
Block modification of diagnostics settings : Yes prevents users from changing the diagnostic
submission and app analytics settings in Diagnostics and Usage (device Settings). When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow users
to change these device settings.
To use this setting, set the Block sending diagnostic and usage data to Apple setting to Not
configured .
This feature applies to:
iOS 9.3.2 and newer
iPadOS 13.0 and newer
Block remote AirPlay, view screen by Classroom app, and screen sharing : Yes prevents the
Classroom app from remotely viewing the screen on devices. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow the Apple Classroom app to
view the screen.
To use this setting, set the Block screenshots and screen recording setting to Not configured .
This feature applies to:
iOS 9.3 - iOS 12.x: Requires supervised devices
iOS 13.0 and newer: Doesn't require supervised devices
iPadOS 13.0 and newer: Devices must be enrolled using Device Enrollment or Automated Device
Enrollment (ADE)
Allow Classroom app to perform AirPlay and view screen without prompting : Yes lets teachers
silently observe students' iOS/iPadOS screens using the Classroom app without the students knowing.
Student devices enrolled in a class using the Classroom app automatically give permission to that
course's teacher. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might prevent this feature.
To use this setting, set the Block screenshots and screen recording setting to Not configured .
Block modification of account settings : Yes prevents users from updating device-specific settings
from the iOS/iPadOS settings app. For example, users can't create new device accounts, or change the
user name or password. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to change these settings.
This feature also applies to settings in the iOS/iPadOS settings app, such as Mail, Contacts, Calendar,
Twitter, and more. This feature doesn't apply to apps with account settings that aren't configurable in the
iOS/iPadOS settings app, such as the Microsoft Outlook app.
Block Screen time : Yes prevents users from setting their own restrictions in Screen Time (device
settings). When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow users to configure device restrictions (such as parental controls or content, and
privacy restrictions) on devices.
This setting was renamed from Enabling restrictions in the device settings . Impact of this change:
iOS 11.4.1 and older: Yes prevents users from setting their own restrictions in the device settings. The
behavior is the same; and there are no changes for users.
iOS 12.0 and newer: Yes prevents users from setting their own Screen Time in the device settings
(Settings > General > Screen Time), including content and privacy restrictions. Devices upgraded to
iOS 12.0 won't see the restrictions tab in the device settings anymore (Settings > General > Device
Management > Management Profile > Restrictions). These settings are in Screen Time .
Block use of erase all content and settings : Yes prevents using the erase all content and settings
option on devices. When set to Not configured (default), Intune doesn't change or update this setting.
By default, the OS might give users access to these settings.
Block modification of device name : Yes prevents changing the device name locally. When set to Yes ,
you can remotely rename a device with a remote device action. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow users to change the name of
devices.
Block modification of notifications settings : Yes prevents changing the notification settings. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow users to change the device notification settings.
Block modification of Wallpaper : Yes prevents the wallpaper from being changed. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow users
to change the wallpaper on devices.
Block configuration profile changes : Yes prevents configuration profile changes on devices. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow users to install configuration profiles.
Allow activation Lock : Yes enables Activation Lock on supervised iOS/iPadOS devices. Activation Lock
makes it harder for a lost or stolen device to be reactivated. When set to Not configured (default),
Intune doesn't change or update this setting.
Block removing apps : Yes prevents removing apps. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to remove apps from devices.
Allow USB accessories while device is locked : Yes lets USB accessories exchange data with devices
that are locked for over an hour. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might not update USB Restricted mode on devices, and USB accessories
are blocked from transferring data from devices if locked for over an hour.
This feature applies to:
iOS/iPadOS 11.4.1 and newer
Force automatic date and time : Yes forces supervised devices to set the Date & Time automatically.
The device's time zone is updated when the device has cellular connections or has Wi-Fi with location
services enabled. When set to Not configured (default), Intune doesn't change or update this setting.
Require teacher permission to leave Classroom app unmanaged classes : Yes forces students
enrolled in an unmanaged course using the Classroom app to request permission from the teacher to
leave the course. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might not force the student to ask for permission.
This feature applies to:
iOS 11.3 and newer
iPadOS 13.0 and newer
Allow Classroom to lock to an app and lock the device without prompting : Yes allows teachers
to lock apps or lock devices using the Classroom app without prompting the student. Locking apps
means devices can only access teacher-specified apps. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might prevent teachers from locking apps or
devices using the Classroom app without prompting the student.
This feature applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
Allow students to automatically join Classroom classes without prompting : Yes automatically
allows students to join a class that's in the Classroom app without prompting the teacher. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might prompt
the teacher that students want to join a class that's in the Classroom app.
This feature applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
Block VPN creation : Yes prevents users from creating VPN configuration settings. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might let users
create VPNs on devices.
Block modification of eSIM settings : Yes prevents removing or adding a cellular plan to the eSIM on
devices. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow users to change these settings.
This feature applies to:
iOS 12.1 and newer
iPadOS 13.0 and newer
Defer software updates : Enable allows you to delay when software updates are shown on devices,
from 1-90 days. This setting doesn't control when updates are or aren't installed.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might show software updates on devices as Apple releases them. For example, if an iOS/iPadOS update
gets released by Apple on a specific date, then that update naturally shows up on devices around the
release date.
Delay visibility of software updates : Enter a value from 1-90 days. When the delay expires,
users get notified to update to the earliest OS version available when the delay is triggered. Don't
set this value to zero ( 0 ) days.
For example, if iOS 12.a is available on January 1 , and Delay visibility is set to 5 days , then iOS
12.a isn't shown as an available update on user devices. On the sixth day following the release,
that update is available, and users can install it.
This feature applies to:
iOS 11.3 and newer
iPadOS 13.0 and newer
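Several rules in this reference are stated only in prose and are easy to miss when a profile is built by hand: the "To use this setting, set ... to Not configured" dependencies (Siri, diagnostics, and Classroom screen viewing), the "Starting with iOS/iPadOS 13.0, this setting requires supervised devices" notes, and the 1-90 day range for Delay visibility of software updates. The following linter is an added example, not Intune's own code; the dict-based profile shape, the function names and the constructed sample profile are assumptions made for illustration, while the setting names and rules come from the text above.

```python
"""Lint an Intune iOS/iPadOS device restrictions profile for the
constraints this reference states in prose. Added example; it is not
Intune's own code. The dict-based profile shape, the function names and
the sample profile below are assumptions made for illustration."""
from __future__ import annotations

from typing import Dict, List, Tuple

NOT_CONFIGURED = "Not configured"

# A setting listed here only takes effect when the setting it maps to is
# left at 'Not configured' (the "To use this setting..." notes above).
REQUIRES_NOT_CONFIGURED: Dict[str, str] = {
    "Require Siri profanity filter": "Block Siri",
    "Block user-generated content in Siri": "Block Siri",
    "Block modification of diagnostics settings":
        "Block sending diagnostic and usage data to Apple",
    "Block remote AirPlay, view screen by Classroom app, and screen sharing":
        "Block screenshots and screen recording",
    "Allow Classroom app to perform AirPlay and view screen without prompting":
        "Block screenshots and screen recording",
}

# Settings the reference marks "Starting with iOS/iPadOS 13.0, this
# setting requires supervised devices".
SUPERVISED_FROM_13_0 = frozenset({
    "Block camera",
    "Block FaceTime",
    "Block Safari",
    "Block Safari Autofill",
    "Block iCloud backup",
    "Block iCloud document and data sync",
    "Block iCloud Keychain sync",
})


def parse_version(version: str) -> Tuple[int, ...]:
    """'14.5' -> (14, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def lint_profile(settings: Dict[str, object], *, supervised: bool,
                 os_version: str) -> List[str]:
    """Return one finding per constraint the profile violates (empty = clean).

    Settings absent from the dict are treated as 'Not configured', which is
    the Intune default for every setting on this page.
    """
    findings: List[str] = []

    # 1. Dependency rules: the dependent setting is silently ineffective
    #    unless its prerequisite is left Not configured.
    for setting, prereq in REQUIRES_NOT_CONFIGURED.items():
        if (settings.get(setting, NOT_CONFIGURED) != NOT_CONFIGURED
                and settings.get(prereq, NOT_CONFIGURED) != NOT_CONFIGURED):
            findings.append(
                f"'{setting}' has no effect unless '{prereq}' is Not configured")

    # 2. Supervision rules: on iOS/iPadOS 13.0+ these need supervised devices,
    #    so an unsupervised target will not receive the restriction.
    if not supervised and parse_version(os_version) >= (13, 0):
        for setting in sorted(SUPERVISED_FROM_13_0):
            if settings.get(setting, NOT_CONFIGURED) == "Yes":
                findings.append(
                    f"'{setting}' requires supervised devices on iOS/iPadOS 13.0+")

    # 3. Software update delay: only meaningful when deferral is enabled,
    #    and the reference says 1-90 days, never 0.
    if settings.get("Defer software updates") == "Enable":
        delay = settings.get("Delay visibility of software updates")
        if (not isinstance(delay, int) or isinstance(delay, bool)
                or not 1 <= delay <= 90):
            findings.append(
                "'Delay visibility of software updates' must be 1-90 days "
                f"(got {delay!r})")

    return findings


# Constructed sample profile that trips every rule once.
SAMPLE_PROFILE: Dict[str, object] = {
    "Block Siri": "Yes",
    "Require Siri profanity filter": "Yes",      # ignored while Block Siri = Yes
    "Block camera": "Yes",                       # needs supervision on 13.0+
    "Defer software updates": "Enable",
    "Delay visibility of software updates": 0,   # 0 is explicitly disallowed
}

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE, supervised=False, os_version="14.5"):
        print("FINDING:", finding)
```

Run against the constructed profile on an unsupervised iOS 14.5 target, it reports three findings; the same profile targeted at supervised devices, or at iOS 12.x, drops the camera finding, because the supervision requirement only starts at 13.0. The tables at the top are the place to extend when other "To use this setting" or supervision notes on this page matter to your tenant.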

Keyboard and Dictionary
Settings apply to: Automated device enrollment (supervised)
Block word definition lookup : Yes prevents highlighting a word, and then looking up its definition.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow access to the definition lookup feature.
Block predictive keyboards : Yes prevents using predictive keyboards to suggest words users might
want. When set to Not configured (default), Intune doesn't change or update this setting. By default, the
OS might allow this feature.
Block auto-correction : Yes prevents using autocorrection. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow devices to automatically
correct misspelled words.
Block spell-check : Yes prevents spell checker. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow using spellchecker.
Block keyboard shortcuts : Yes stops users from using keyboard shortcuts. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow using
keyboard shortcuts on devices.
Block dictation : Yes stops users from using voice input to enter text. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow users to use
dictation input.
Block QuickPath : Yes prevents users from using QuickPath. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow users to use QuickPath, which
allows a continuous input on the device's keyboard. Users can type by swiping across the keys to create
words.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer

Kiosk
Single App Mode (opens Apple's web site) is referred to as Kiosk mode in Intune.
Settings apply to: Automated device enrollment (supervised)
App to run in kiosk mode : Select the type of apps you want to run in kiosk mode. Your options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS might not
apply kiosk settings. The device doesn't run in kiosk-mode.
Store App : Enter the URL to an app in the iTunes App store.
Managed App : Select an app you previously added to Intune.
Built-In App : Enter the bundle ID of the built-in app.
Require Assistive touch : Yes requires the Assistive Touch accessibility setting to be on devices. This
feature helps users with on-screen gestures that might be difficult for them. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might not run or
enable this feature in kiosk mode.
Require invert colors : Yes requires the Invert Colors accessibility setting so users with visual
impairments can change the display screen. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might not run or enable this feature in kiosk mode.
Require mono audio : Yes requires the Mono audio accessibility setting to be on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might not run or
enable this feature in kiosk mode.
Require Voice control : Yes enables voice control on devices, and allows users to fully control the OS
using Siri commands. Users can't turn it off. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might disable voice control.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer

TIP
If you have LOB apps available for your organization, and they're not Voice Control ready on day 0 when iOS
13.0 releases, then we recommend you leave this setting as Not configured .

Require VoiceOver : Yes requires the VoiceOver accessibility setting to read text on the screen out loud.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might not run or enable this feature in kiosk mode.
Require zoom : Yes requires the zoom setting so users can touch to zoom in on the screen. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might not run
or enable this feature in kiosk mode.
Block auto lock : Yes prevents automatic locking of devices. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow this feature.
Block ringer switch : Yes disables the ringer (mute) switch on devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow this feature.
Block screen rotation : Yes prevents changing the screen orientation when users rotate the device.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow this feature.
Block screen sleep button : Yes disables the screen sleep wake button on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow this
feature.
Block touch : Yes disables the touchscreen on devices. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to use the touchscreen.
Block volume buttons : Yes prevents using the volume buttons on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow the
volume buttons.
Allow Assistive touch control : Yes lets users use the assistive touch function. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might disable this
feature.
Allow invert colors control : Yes allows invert colors changes, letting users adjust the invert colors function.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might disable this feature.
Speak on selected text : Yes allows the Speak Selection accessibility setting to be on devices. This feature
reads text out loud that users select. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might disable this feature.
Allow Voice Control : Yes allows users to change the state of voice control on their devices. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might block
users from changing the state of voice control on their devices.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Allow VoiceOver control : Yes allows voiceover changes to let users update the VoiceOver function,
such as how fast on-screen text is read out loud. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might prevent voiceover changes.
Allow zoom control : Yes allows zoom changes by users. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might prevent zoom changes.

NOTE
Before you can configure an iOS/iPadOS device for kiosk mode, you must use the Apple Configurator tool or the Apple
Device Enrollment Program to put devices into supervised mode. See Apple's guide on using the Apple Configurator tool.
If the iOS/iPadOS app you enter is installed after you assign the profile, then the device doesn't enter kiosk mode until the
device is restarted.

Locked Screen Experience
Settings apply to: All enrollment types
Block Control Center access in lock screen : Yes prevents access to the Control Center app while device
is locked. When set to Not configured (default), Intune doesn't change or update this setting. By default, the
OS might allow access to the Control Center app when devices are locked.
Block Notifications Center access in lock screen : Yes prevents access to notifications when devices are
locked. When set to Not configured (default), Intune doesn't change or update this setting. By default, the
OS might allow access to notifications without unlocking devices.
Block Today view in lock screen : Yes prevents access to the Today view when devices are locked. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
users to see the Today view when devices are locked.
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Block Wallet notifications in lock screen : Yes prevents access to the Wallet app when devices are locked.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow access to the Wallet app while devices are locked.

Password
Settings apply to: All enrollment types
Require password : Yes requires users to enter a password to access devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow users to access devices
without entering a password.
Settings apply to: Device enrollment, Automated device enrollment (supervised)

IMPORTANT
On user-enrolled devices, if you configure any password setting, then the Simple passwords setting is automatically
set to Yes , and a 6 digit PIN is enforced.
For example, you configure the Password expiration setting, and push this policy to user-enrolled devices. On the
devices, the following happens:
The Password expiration setting is ignored.
Simple passwords, such as 1111 or 1234 , aren't allowed.
A 6 digit pin is enforced.

Block simple passwords : Yes blocks simple passwords, and requires more complex passwords. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow simple passwords, such as 0000 and 1234 .
Required password type : Enter the required password complexity level your organization requires.
Your options:
Device default
Numeric : Can be alphabetic characters, such as abcdef, and numeric characters, such as 123456789.
Alphanumeric : Includes uppercase letters, lowercase letters, and numeric characters.

NOTE
Selecting alphanumeric can impact a paired Apple Watch. For more information, see Set passcode restrictions for
an Apple Watch (opens Apple's web site).

Number of non-alphanumeric characters in password : Enter the number of symbol characters,
such as # or @ , that must be included in the password, from 1-4. When set to Not configured
(default), Intune doesn't change or update this setting.
Minimum password length : Enter the minimum length the password must have, from 4-16 characters.
On user-enrolled devices, enter a length between 4 and 6 characters.

NOTE
For devices that are user enrolled, users can set a PIN greater than 6 digits. But, no more than 6 digits are
enforced on devices. For example, an administrator sets the minimum length to 8 . On user-enrolled devices,
users are only required to set a 6 digit PIN. Intune doesn't force a PIN greater than 6 digits on user-enrolled
devices.

Number of sign-in failures before wiping device : Enter the number of failed sign-ins before the
device is wiped, from 2-11. It's not recommended to set this value to 2 or 3 . Users commonly mistype
their password, so a device that wipes after two or three incorrect attempts is often wiped by accident. It's
recommended to set this value to at least 4 .
iOS/iPadOS has built-in security that can impact this setting. For example, iOS/iPadOS may delay
triggering the policy depending on the number of sign in failures. It may also consider repeatedly
entering the same passcode as one attempt. Apple's iOS/iPadOS security guide (opens Apple's web site) is
a good resource, and provides more specific details on passcodes.
Maximum minutes after screen lock before password is required 1: Enter how long devices stay
idle before users must reenter their password. If the time you enter is longer than what's currently set on
the device, then the device ignores the time you enter.
This feature applies to:
iOS 8.0+
iPadOS 13.0+
Maximum minutes of inactivity until screen locks 1: Enter the maximum number of minutes of
inactivity allowed on devices until the screen locks.
iOS/iPadOS options :
Not configured (Default): Intune doesn't change or update this setting.
Immediately : Screen locks after 30 seconds of inactivity.
1 : Screen locks after 1 minute of inactivity.
2 : Screen locks after 2 minutes of inactivity.
3 : Screen locks after 3 minutes of inactivity.
4 : Screen locks after 4 minutes of inactivity.
5 : Screen locks after 5 minutes of inactivity.
iPadOS options :
Not configured (Default): Intune doesn't change or update this setting.
Immediately : Screen locks after 2 minutes of inactivity.
2 : Screen locks after 2 minutes of inactivity.
5 : Screen locks after 5 minutes of inactivity.
10 : Screen locks after 10 minutes of inactivity.
15 : Screen locks after 15 minutes of inactivity.
If a value doesn't apply to iOS and iPadOS, then Apple uses the closest lowest value. For example, if you
enter 4 minutes, then iPadOS devices use 2 minutes. If you enter 10 minutes, then iOS devices use 5
minutes. This behavior is an Apple limitation.

NOTE
The Intune UI for this setting doesn't separate the iOS and iPadOS supported values. The UI might be updated in
a future release.

Password expiration (days) : Enter the number of days before the device password must be changed,
from 1-65535.
Prevent reuse of previous passwords : Restrict users from reusing previous passwords. Enter the
number of previously used passwords that can't be used, from 1-24. For example, enter 5 so users can't
set a new password to their current password or any of their previous four passwords. When the value is
blank, Intune doesn't change or update this setting.
Block Touch ID and Face ID unlock : Yes prevents using a fingerprint or face to unlock devices. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow users to unlock devices using biometrics.
Setting to Yes also prevents using FaceID authentication to unlock devices.
Face ID applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
Settings apply to: Automated device enrollment (supervised)
Block passcode modification : Yes stops the passcode from being changed, added, or removed. After
blocking this feature, changes to passcode restrictions are ignored on supervised devices. This setting is
ignored on Shared iPads. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow passcodes to be added, changed, or removed.
Block modification of Touch ID fingerprints and Face ID faces : Yes stops users from
changing, adding, or removing TouchID fingerprints and Face ID. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow users to
update the TouchID fingerprints and Face ID on devices.
Blocking this setting also stops users from changing, adding, or removing FaceID authentication.
Face ID applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
Block password AutoFill : Yes prevents using the AutoFill Passwords feature. Choosing Yes also has the
following impact:
Users aren't prompted to use a saved password in Safari or in any apps.
Automatic Strong Passwords are disabled, and strong passwords aren't suggested to users.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow these features.
Block password proximity requests : Yes prevents devices from requesting passwords from nearby
devices. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow these password requests.
Block password sharing : Yes prevents sharing passwords between devices using AirDrop. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
passwords to be shared.
Require Touch ID or Face ID authentication for AutoFill of password or credit card
information : Yes forces users to authenticate using TouchID or FaceID before passwords or credit card
information can be auto filled in Safari and other apps. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to control this feature in the
device settings.
This feature applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
1 When you configure the Maximum minutes of inactivity until screen locks and Maximum minutes
after screen lock before password is required settings, they're applied in sequence. For example, if you set
the value for both settings to 5 minutes, then the screen turns off automatically after five minutes, and devices
are locked after another five minutes. However, if users turn off the screen manually, then the second setting
is applied immediately. In the same example, after users turn off the screen, the device locks five minutes later.
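The Password settings above interact with several documented limits: the 6-digit cap and ignored expiration on user-enrolled devices, the per-platform inactivity values with Apple's round-down rule, the wipe-threshold recommendation, and the footnote's sequencing of the two timers. The following is an added example (not Intune's code) that models those rules so an admin can see what a device will actually enforce before assigning a profile; the `PasscodeProfile` class, the encoding of "Immediately" as 0, and the sample values are this example's own assumptions.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Values the "Maximum minutes of inactivity until screen locks" setting can take
# per platform, as listed on this page. 0 stands for "Immediately" (30 s on iOS,
# 2 min on iPadOS); that encoding is this example's own choice.
INACTIVITY_VALUES = {"iOS": (0, 1, 2, 3, 4, 5), "iPadOS": (0, 2, 5, 10, 15)}


@dataclass
class PasscodeProfile:
    """What an admin typed into the Intune Password section (constructed sample shape)."""
    min_length: int = 6
    block_simple: bool = False
    expiration_days: Optional[int] = None
    wipe_after_failures: Optional[int] = None
    inactivity_minutes: int = 5   # Maximum minutes of inactivity until screen locks
    grace_minutes: int = 5        # Maximum minutes after screen lock before password is required


def effective_inactivity(configured: int, platform: str) -> int:
    """Round down to the closest value the platform supports (the behaviour the page
    attributes to Apple): 4 becomes 2 on iPadOS, 10 becomes 5 on iOS."""
    if configured < 0:
        raise ValueError("inactivity must not be negative")
    return max(v for v in INACTIVITY_VALUES[platform] if v <= configured)


def minutes_until_passcode(profile: PasscodeProfile, screen_turned_off_manually: bool = False) -> int:
    """Footnote 1: the two timers run in sequence. A manual screen-off skips the
    inactivity timer, so only the grace period remains."""
    screen_off_at = 0 if screen_turned_off_manually else profile.inactivity_minutes
    return screen_off_at + profile.grace_minutes


def effective_policy(profile: PasscodeProfile, platform: str,
                     user_enrolled: bool = False) -> Tuple[PasscodeProfile, List[str]]:
    """Return the policy the device will enforce plus the warnings a reviewer would raise."""
    warnings: List[str] = []
    p = replace(profile)  # work on a copy; the admin's input is left untouched
    if not 4 <= p.min_length <= 16:
        raise ValueError("minimum password length must be 4-16")

    if user_enrolled:
        # Configuring any password setting on a user-enrolled device forces
        # simple-password blocking and a 6-digit PIN; expiration is ignored.
        p.block_simple = True
        if p.min_length > 6:
            warnings.append(f"min length {p.min_length} is reduced to 6 on user-enrolled devices")
            p.min_length = 6
        if p.expiration_days is not None:
            warnings.append("password expiration is ignored on user-enrolled devices")
            p.expiration_days = None

    if p.wipe_after_failures is not None:
        if not 2 <= p.wipe_after_failures <= 11:
            raise ValueError("sign-in failures before wipe must be 2-11")
        if p.wipe_after_failures < 4:
            warnings.append("wipe after fewer than 4 failures: accidental wipes are likely")

    eff = effective_inactivity(p.inactivity_minutes, platform)
    if eff != p.inactivity_minutes:
        warnings.append(f"{platform} has no {p.inactivity_minutes}-minute option; {eff} is used")
    p.inactivity_minutes = eff
    return p, warnings


if __name__ == "__main__":
    # Constructed sample: an admin assumed 8-digit PINs, 90-day expiry and wipe
    # after 3 failures would apply to user-enrolled iPads.
    sample = PasscodeProfile(min_length=8, expiration_days=90, wipe_after_failures=3,
                             inactivity_minutes=4, grace_minutes=5)
    enforced, notes = effective_policy(sample, "iPadOS", user_enrolled=True)
    print(enforced)
    for note in notes:
        print("warning:", note)
```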

Restricted apps
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Type of restricted apps list : Create a list of apps that users aren't allowed to install or use. Your
options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS might
allow access to apps you assign, and built-in apps.
Prohibited apps : List the apps (not managed by Intune) that users aren't allowed to install and run.
Users aren't prevented from installing a prohibited app. If a user installs an app from this list, then the
device is reported in the Devices with restricted apps report (Endpoint Manager admin center >
Devices > Monitor > Devices with restricted apps ).
Approved apps : List the apps that users are allowed to install. To stay compliant, users must not
install other apps. Apps that are managed by Intune are automatically allowed, including the Company
Portal app. Users aren't prevented from installing an app that isn't on the approved list. But if they do,
it's reported in Intune.
To add apps to these lists, you can:
Enter the iTunes App store URL of the app you want. For example, to add the Microsoft Work Folders app,
enter https://itunes.apple.com/us/app/work-folders/id950878067?mt=8 or
https://apps.apple.com/us/app/work-folders/id950878067?mt=8 .

To find the URL of an app, open the iTunes App Store, and search for the app. For example, search for
Microsoft Remote Desktop or Microsoft Word . Select the app, and copy the URL.

You can also use iTunes to find the app, and then use the Copy Link task to get the app URL.
Import a CSV file with details about the app, including the URL. Use the
<app url>, <app name>, <app publisher> format. Or, Export an existing list that includes the restricted
apps list in the same format.

IMPORTANT
Device profiles that use the restricted app settings must be assigned to user groups, not device groups.

Shared iPad
This feature applies to:
iPadOS 13.4 and newer
Shared iPad
Settings apply to: Automated device enrollment (supervised)
Block Shared iPad temporary sessions : Temporary sessions allow users to sign in as Guest, and
users aren't required to enter a Managed Apple ID or password.
When set to Yes :
Shared iPad users can't use temporary sessions.
Users must sign in to the device with their Managed Apple ID and password.
The Guest account option isn't shown on the lock screen on the devices.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
allows a Shared iPad user to sign in to the device with the Guest account. When the user signs out, none
of the user’s data is saved or synced to iCloud.

Show or hide apps
This feature applies to:
iOS 9.3 and newer
iPadOS 13.0 and newer
Settings apply to: Automated device enrollment (supervised)
Type of apps list : Create a list of apps to show or hide. You can show or hide built-in apps and line-of-
business apps. Apple's web site has a list of built-in Apple apps. Your options:
Not configured (default): Intune doesn't change or update this setting.
Hidden apps : Enter a list of apps that are hidden from users. Users can't view or open these apps.
Apple prevents hiding some native apps. For example, you can't hide the Settings app on the
device. Delete built-in Apple apps lists the apps that can be hidden.
Visible apps : Enter a list of apps that users can view and launch. No other apps can be viewed or
launched.
App URL : Enter the store app URL of the app you want to show or hide. For example:
To add the Microsoft Work Folders app, enter
https://itunes.apple.com/us/app/work-folders/id950878067?mt=8 or
https://apps.apple.com/us/app/work-folders/id950878067?mt=8 .
To add the Microsoft Word app, enter https://itunes.apple.com/de/app/microsoft-word/id586447913
or https://apps.apple.com/de/app/microsoft-word/id586447913 .
To find the URL of an app, open the iTunes App Store, and search for the app. For example, search for
Microsoft Remote Desktop or Microsoft Word . Select the app, and copy the URL.

You can also use iTunes to find the app, and then use the Copy Link task to get the app URL.
App Bundle ID : Enter the app bundle ID of the app you want. You can show or hide built-in apps and
line-of-business apps. Apple's web site has a list of built-in Apple apps.
App name : Enter the app name of the app you want. You can show or hide built-in apps and line-of-
business apps. Apple's web site has a list of built-in Apple apps.
Publisher : Enter the publisher of the app you want.
You can also:
Import a CSV file with details about the app, including the URL. Use the
<app url>, <app name>, <app publisher> format. Or, Export to create a list of the restricted apps you added,
in the same format.
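Both the Restricted apps list and the Show or hide apps list are imported in the `<app url>, <app name>, <app publisher>` format, with the app identified by the numeric `id…` segment of either URL form shown above. This added example (not Intune's code) validates such a file before import: it rejects rows with the wrong field count or a URL that isn't an App Store app URL, extracts the App Store ID, and flags the same app listed twice under different storefront URLs. The `AppEntry` class and the sample rows are this example's own constructions.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List

# Both URL forms accepted by the Intune import. The storefront (/us/, /de/) and
# the ?mt=8 query string vary; only the numeric "id…" segment identifies the app.
APP_URL_RE = re.compile(
    r"^https://(?:itunes|apps)\.apple\.com/[a-z]{2}/app/[^/]+/id(?P<app_id>\d+)(?:\?.*)?$"
)


@dataclass
class AppEntry:
    url: str
    name: str
    publisher: str
    app_id: str


def parse_app_list(text: str) -> List[AppEntry]:
    """Parse a file in the <app url>, <app name>, <app publisher> format.

    Raises ValueError on a malformed row so a bad import fails loudly rather than
    producing a list that silently restricts (or shows) nothing.
    """
    entries: List[AppEntry] = []
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(row)}")
        url, name, publisher = (cell.strip() for cell in row)
        match = APP_URL_RE.match(url)
        if match is None:
            raise ValueError(f"line {lineno}: not an App Store app URL: {url}")
        entries.append(AppEntry(url, name, publisher, match.group("app_id")))
    return entries


def duplicate_app_ids(entries: List[AppEntry]) -> List[str]:
    """App Store IDs that appear more than once (e.g. the same app via both URL forms)."""
    seen, dupes = set(), []
    for entry in entries:
        if entry.app_id in seen and entry.app_id not in dupes:
            dupes.append(entry.app_id)
        seen.add(entry.app_id)
    return dupes


def export_app_list(entries: List[AppEntry]) -> str:
    """Write the list back out in the same three-column format Intune exports."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for entry in entries:
        writer.writerow([entry.url, entry.name, entry.publisher])
    return buf.getvalue()


# Constructed sample: the two URLs quoted on this page, plus the Work Folders
# app a second time under the other URL form.
SAMPLE = """\
https://itunes.apple.com/us/app/work-folders/id950878067?mt=8, Work Folders, Microsoft Corporation
https://apps.apple.com/de/app/microsoft-word/id586447913, Microsoft Word, Microsoft Corporation

https://apps.apple.com/us/app/work-folders/id950878067?mt=8, Work Folders (again), Microsoft Corporation
"""

if __name__ == "__main__":
    apps = parse_app_list(SAMPLE)
    for app in apps:
        print(app.app_id, app.name)
    print("duplicates:", duplicate_app_ids(apps))
```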

Wireless
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Block data roaming : Yes prevents data roaming over the cellular network. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow data
roaming when the device is on a cellular network.

IMPORTANT
This setting is treated as a remote device action. So, this setting isn't shown in the management profile on devices.
Every time the data roaming status changes on the device, Data roaming is blocked by the Intune service. In
Intune, if the reporting status shows a success, then know that it's working, even though the setting isn't shown
in the management profile on the device.

Block global background fetch while roaming : Yes prevents using the global background fetch
feature when roaming over the cellular network. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow devices to fetch data, such as email, when
it's roaming on a cellular network.
Block voice dialing while device is locked : Yes prevents using the voice dialing feature on devices.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow voice dialing on devices.
Block voice roaming : Yes prevents voice roaming over the cellular network. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow voice
roaming when devices are on a cellular network.
Block personal Hotspot : Yes turns off the personal hotspot on devices with every device sync. This
setting might not be compatible with some carriers. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might keep the personal hotspot configuration
as the default set by users.

IMPORTANT
This setting is treated as a remote device action. So, this setting isn't shown in the management profile on devices.
Every time the personal hotspot status changes on the device, Personal Hotspot is blocked by the Intune
service. In Intune, if the reporting status shows a success, then know that it's working, even though the setting
isn't shown in the management profile on the device.

Cellular usage rules (managed apps only) : Allow defines the data types that managed apps can use
when on cellular networks. When set to Not configured (default), Intune doesn't change or update this
setting. Your options:
Block use of cellular data : Choose the apps that can't use cellular data. Your options:
Not configured : Intune doesn't change or update this setting.
All managed apps
Choose specific apps : Add the app bundle ID, app name, and publisher.
Block use of cellular data when roaming : Choose the apps that can't use cellular data when
roaming. Your options:
Not configured : Intune doesn't change or update this setting.
All managed apps
Choose specific apps : Add the app bundle ID, app name, and publisher.
Settings apply to: Automated device enrollment (supervised)
Block changes to app cellular data usage settings : Yes prevents changes to the app cellular data
usage settings. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to control which apps are allowed to use cellular data.
Block changes to cellular plan settings : Yes prevents changing any settings in the cellular plan.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow users to make changes.
This feature applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
Block modification of personal hotspot : Yes prevents changing the personal hotspot setting. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow users to enable or disable their personal hotspot.
If you set this setting and the Block personal Hotspot setting to Yes , then the personal hotspot is
turned off.
This feature applies to:
iOS 12.2 and newer
iPadOS 13.0 and newer
Require joining Wi-Fi networks only using configuration profiles : Yes forces devices to use only
Wi-Fi networks set up through Intune configuration profiles. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow devices to use other Wi-Fi
networks.
This setting is available for iOS/iPadOS 14.4 and older devices. On iOS/iPadOS 14.5 and newer
devices, create a Custom configuration profile to deploy this setting.
When set to Yes , be sure the device has a Wi-Fi profile. If you don't assign a Wi-Fi profile, then this
setting can prevent devices from connecting to the internet. For example, if this device restrictions
profile is assigned before a Wi-Fi profile, then the device might be blocked from connecting to the
internet.
If the device can't connect, then unenroll the device, and re-enroll with a Wi-Fi profile. Then, set this
setting to Yes in a device restrictions profile, and assign the profile to the device.
This feature applies to:
iOS/iPadOS 14.4 and older
Require Wi-Fi always on : Yes keeps Wi-Fi on in the Settings app. It can't be turned off in Settings or in
the Control Center, even when the device is in airplane mode. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow users to turn on or turn off
Wi-Fi.
Configuring this setting doesn't prevent users from selecting a Wi-Fi network.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer

Settings that require supervised mode
iOS/iPadOS supervised mode can only be enabled during initial device setup through Apple's Device Enrollment
Program, or by using Apple Configurator. Once supervised mode is enabled, Intune can configure a device with
the following functionality:
Kiosk Mode (Single App Mode): Referred to as "app lock" in the Apple developer documentation.
Disable Activation Lock
Autonomous Single App Mode
Web Content Filter
Set background and lock screen
Silent App Push
Always-On VPN
Allow managed app installation exclusively
iBookstore
iMessages
Game Center
AirDrop
AirPlay
Host pairing
Cloud Sync
Spotlight search
Handoff
Erase device
Restrictions UI
Installation of configuration profiles by UI
News
Keyboard shortcuts
Passcode modifications
Device name changes
Automatic app downloads
Apple Music
Mail Drop
Pair with Apple Watch

NOTE
Apple confirmed that certain settings move to supervised-only in 2019. We recommend taking this into consideration
when using these settings, instead of waiting for Apple to migrate them to supervised-only:
App installation by end users
App removal
FaceTime
Safari
iTunes
Explicit content
iCloud documents and data
Multiplayer gaming
Add Game Center friends
Siri

Next steps
Assign the profile and monitor its status.
You can also restrict device features and settings on macOS devices.
Add e-mail settings for iOS and iPadOS devices in Microsoft Intune
3/5/2021 • 8 minutes to read

In Microsoft Intune, you can create and configure email to connect to an email server, choose how users
authenticate, use S/MIME for encryption, and more.
This article describes all the email settings available for devices running iOS/iPadOS. You can create a device
configuration profile to push or deploy these email settings to your iOS/iPadOS devices.

Before you begin
Create an iOS/iPadOS e-mail device configuration profile.

NOTE
These settings are available for all enrollment types. For more information on the enrollment types, see iOS/iPadOS
enrollment.
These settings use the Apple ExchangeActiveSync payload (opens Apple's web site).

Exchange ActiveSync account settings
Email server : Enter the host name of your Exchange server.
Account name : Enter the display name for the email account. This name is shown to users on their
devices.
Username attribute from AAD : This name is the attribute Intune gets from Azure Active Directory.
Intune dynamically generates the username that's used by this profile. Your options:
User Principal Name : Gets the name, such as user1 or user1@contoso.com
Primary SMTP address : Gets the name in email address format, such as user1@contoso.com
sAM Account Name : Requires the domain, such as domain\user1 . Also enter:
User domain name source : Choose AAD (Azure Active Directory) or Custom .
AAD : Get the attributes from Azure AD. Also enter:
User domain name attribute from AAD : Choose to get the Full domain
name ( contoso.com ) or the NetBIOS name ( contoso ) attribute of the user.
Custom : Get the attributes from a custom domain name. Also enter:
Custom domain name to use : Enter a value that Intune uses for the domain
name, such as contoso.com or contoso .
Email address attribute from AAD : Choose how the email address for the user is generated. Your
options:
User principal name : Use the full principal name as the email address, such as user1@contoso.com
or user1 .
Primary SMTP address : Use the primary SMTP address to sign in to Exchange, such as
user1@contoso.com .
Authentication method : Choose how users authenticate to the email server. Your options:
Certificate : Select a client SCEP or PKCS certificate profile you previously created to authenticate the
Exchange connection. This option provides the most secure and seamless experience for your users.
Username and Password : Users are prompted to enter their user name and password.
Derived credential : Use a certificate that's derived from a user's smart card. For more information,
see Use derived credentials in Microsoft Intune.

NOTE
Azure multi-factor authentication isn't supported.

SSL : Enable uses Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server.
OAuth : Enable uses Open Authorization (OAuth) communication when sending emails, receiving emails,
and communicating with Exchange. If your OAuth server uses certificate authentication, choose
Certificate as the Authentication method , and include the certificate with the profile. Otherwise,
choose Username and password as the Authentication method . When using OAuth, be sure to:
Confirm your email solution supports OAuth before targeting this profile to your users. Microsoft
365 Exchange Online supports OAuth. On-premises Exchange and other partner or third-party
solutions may not support OAuth. On-premises Exchange can be configured for Modern
Authentication. For more information, see Hybrid modern authentication overview and
prerequisites for on-premises Skype for Business and Exchange servers.
If the email profile uses OAuth, and the email service doesn't support it, then the Re-Enter
password option appears broken. For example, nothing happens when the user selects Re-Enter
password in Apple's device settings.
When OAuth is enabled, end users have a different "Modern Authentication" email sign-in
experience that supports multi-factor authentication (MFA).
Some organizations disable the end user's ability to do self-service application access. In this
scenario, the Modern Authentication sign-in may fail until an administrator creates the "iOS
Accounts" enterprise app and grants users access to the app in Azure AD.
The default action is to add an application using the Application Access Panel Add App feature
without business approval. For more information, see assign users to applications.

NOTE
When you enable OAuth, the following happens:
1. Devices that are already targeted are issued a new profile.
2. End users are prompted to enter their credentials again.

Exchange ActiveSync profile configuration
IMPORTANT
Configuring these settings deploys a new profile to the device, even when an existing email profile is updated to include
these settings. Users are prompted to enter their Exchange ActiveSync account password. These settings take effect when
the password is entered.
Exchange data to sync : When using Exchange ActiveSync, choose the Exchange services that are
synced on the device: Calendar, Contacts, Reminders, Notes, and Email. Your options:
All data (default): Sync is enabled for all services.
Email only : Sync is enabled for Email only. Sync is disabled for the other services.
Calendar only : Sync is enabled for Calendar only. Sync is disabled for the other services.
Calendar and Contacts only : Sync is enabled for Calendar and Contacts only. Sync is disabled for
the other services.
Contacts only : Sync is enabled for Contacts only. Sync is disabled for the other services.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Allow users to change sync settings : Choose if users can change the Exchange ActiveSync settings
for the Exchange services on the device: Calendar, Contacts, Reminders, Notes, and Email. Your options:
Yes (default): Users can change the sync behavior of all services. Choosing Yes allows changes to all
services.
No : Users can't change the sync settings of all the services. Choosing No blocks changes to all
services.

TIP
If you configured the Exchange data to sync setting to sync only some services, we recommend selecting No
for this setting. Choosing No prevents users from changing the Exchange service that's synced.

This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer

Exchange ActiveSync email settings
S/MIME : S/MIME uses email certificates that provide extra security to your email communications by
signing, encrypting, and decrypting. When you use S/MIME with an email message, you confirm the
authenticity of the sender, and the integrity and confidentiality of the message.
Your options:
Disable S/MIME (default): Doesn't use an S/MIME email certificate to sign, encrypt, or decrypt
emails.
Enable S/MIME : Allows users to sign and/or encrypt email in the iOS/iPadOS native mail
application. Also enter:
S/MIME signing enabled : Disable (default) doesn't allow users to digitally sign the
message. Enable allows users to digitally sign outgoing email for the account you entered.
Signing helps users who receive messages be certain that the message came from the
specific sender, and not from someone pretending to be the sender.
Allow user to change setting : Enable allows users to change the signing options.
Disable (default) prevents users from changing the signing, and forces users to use
the signing you configured.
Signing certificate type : Your options:
Not configured : Intune doesn't update or change this setting.
None : As an administrator, you don't force a specific certificate. Select this option
so users can choose their own certificate.
Derived credential : Use a certificate that's derived from a user's smart card. For
more information, see Use derived credentials in Microsoft Intune.
Certificates : Select an existing PKCS or SCEP certificate profile that's used for
signing email messages.
Allow user to change setting : Enable allows users to change the signing
certificate. Disable (default) prevents users from changing the signing certificate,
and forces users to use the certificate you configured.
This feature applies to:
iOS 12 and newer
iPadOS 12 and newer
Encrypt by default : Enable encrypts all messages as the default behavior. Disable
(default) doesn't encrypt all messages as the default behavior.
Allow user to change setting : Enable allows users to change the default
encryption behavior. Disable prevents users from changing the encryption default
behavior, and forces users to use the encryption you configured.
This feature applies to:
iOS 12 and newer
iPadOS 12 and newer
Force per-message encryption : Per-message encryption allows users to choose which
emails are encrypted before being sent.
Enable shows the per-message encryption option when creating a new email. Users can
then choose to opt-in or opt-out of per-message encryption. If the Encrypt by default
setting is also enabled, enabling per-message encryption allows users to opt out of
encryption per message.
Disable (default) prevents the per-message encryption option from showing. If the
Encrypt by default setting is also disabled, enabling per-message encryption allows users
to opt in to encryption per message.
Encryption certificate type : Your options:
Not configured : Intune doesn't update or change this setting.
None : As an administrator, you don't force a specific certificate. Select this option
so users can choose their own certificate.
Derived credential : Use a certificate that's derived from a user's smart card. For
more information, see Use derived credentials in Microsoft Intune.
Certificates : Select an existing PKCS or SCEP certificate profile that's used for
signing email messages.
Allow user to change setting : Enable allows users to change the encryption
certificate. Disable (default) prevents users from changing the encryption certificate,
and forces users to use the certificate you configured.
This feature applies to:
iOS 12 and newer
iPadOS 12 and newer
Amount of email to synchronize : Choose the number of days of email that you want to synchronize.
Or select Unlimited to synchronize all available email.
Allow messages to be moved to other email accounts : Enable (default) allows users to move
email messages between different accounts the users configured on their devices.
Allow email to be sent from third-party applications : Enable (default) allows users to select this
profile as the default account for sending email. It allows third-party applications to open email in the
native email app, such as attaching files to email.
Synchronize recently used email addresses : Enable (default) allows users to synchronize the list of
email addresses that have been recently used on the device with the server.
VPN profile for per account VPN : Starting in iOS/iPadOS 14, email traffic for the native Mail app can
be routed through a VPN based on the account the user is using. When set to None , Intune doesn't
enable per-account VPN for this email profile.
Per-app VPN connections you create are shown in this list. If you select a VPN profile from the list, any
email that's sent to and from this account in the Mail app uses the VPN tunnel. The per-app VPN
connection automatically turns on when users use their organization account in the Mail app.
This feature applies to:
iOS 14 and newer
iPadOS 14 and newer

Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Configure email settings on Android, Android Enterprise, and Windows 10 devices.
Add VPN settings on iOS and iPadOS devices in Microsoft Intune
3/5/2021 • 16 minutes to read

Microsoft Intune includes many VPN settings that can be deployed to your iOS/iPadOS devices. These settings
are used to create and configure VPN connections to your organization's network. This article describes these
settings. Some settings are only available for some VPN clients, such as Citrix, Zscaler, and more.

Before you begin


Create an iOS/iPadOS VPN device configuration profile.

NOTE
These settings are available for all enrollment types except user enrollment. User enrollment is limited to per-app
VPN. For more information on the enrollment types, see iOS/iPadOS enrollment.
The available settings depend on the VPN client you choose. Some settings are only available for specific VPN
clients.
These settings use the Apple VPN payload (opens Apple's web site).

Connection type
Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Cisco Legacy AnyConnect : Applicable to Cisco Legacy AnyConnect app version 4.0.5x and earlier.
Cisco AnyConnect : Applicable to Cisco AnyConnect app version 4.0.7x and later.
SonicWall Mobile Connect
F5 Access Legacy : Applicable to F5 Access app version 2.1 and earlier.
F5 Access : Applicable to F5 Access app version 3.0 and later.
Palo Alto Networks GlobalProtect (Legacy) : Applicable to Palo Alto Networks GlobalProtect app version
4.1 and earlier.
Palo Alto Networks GlobalProtect : Applicable to Palo Alto Networks GlobalProtect app version 5.0 and
later.
Pulse Secure
Cisco (IPSec)
Citrix VPN
Citrix SSO
Zscaler : To use Conditional Access, or allow users to bypass the Zscaler sign in screen, then you must
integrate Zscaler Private Access (ZPA) with your Azure AD account. For detailed steps, see the Zscaler
documentation.
NetMotion Mobility
IKEv2 : IKEv2 settings (in this article) describes the properties.
Microsoft Tunnel
Custom VPN
NOTE
Cisco, Citrix, F5, and Palo Alto have announced that their legacy clients don't work on iOS 12. You should migrate to the
new apps as soon as possible. For more information, see the Microsoft Intune Support Team Blog.

Base VPN settings


Connection name : End users see this name when they browse their device for a list of available VPN
connections.
Custom domain name (Zscaler only): Prepopulate the Zscaler app's sign in field with the domain your
users belong to. For example, if a username is Joe@contoso.net , then the contoso.net domain statically
appears in the field when the app opens. If you don't enter a domain name, then the domain portion of
the UPN in Azure Active Directory (AD) is used.
VPN server address : The IP address or fully qualified domain name (FQDN) of the VPN server that
devices connect with. For example, enter 192.168.1.1 or vpn.contoso.com .
Organization's cloud name (Zscaler only): Enter the cloud name where your organization is
provisioned. The URL you use to sign in to Zscaler has the name.
Authentication method : Choose how devices authenticate to the VPN server.
Certificates : Under Authentication certificate , select an existing SCEP or PKCS certificate
profile to authenticate the connection. Configure certificates provides some guidance about
certificate profiles.
Username and password : End users must enter a username and password to sign in to the VPN
server.

NOTE
If username and password are used as the authentication method for Cisco IPsec VPN, you must deliver
the SharedSecret through a custom Apple Configurator profile.

Derived credential : Use a certificate that's derived from a user's smart card. If no derived
credential issuer is configured, Intune prompts you to add one. For more information, see Use
derived credentials in Microsoft Intune.
Excluded URLs (Zscaler only): When connected to the Zscaler VPN, the listed URLs are accessible
outside the Zscaler cloud.
Split tunneling : Enable or Disable to let devices decide which connection to use, depending on the
traffic. For example, a user in a hotel uses the VPN connection to access work files, but uses the hotel's
standard network for regular web browsing.
VPN identifier (Custom VPN, Zscaler, and Citrix): An identifier for the VPN app you're using, and is
supplied by your VPN provider.
Enter key/value pairs for your organization's custom VPN attributes (Custom VPN, Zscaler, and
Citrix): Add or import Keys and Values that customize your VPN connection. Remember, these values are
typically supplied by your VPN provider.
Enable network access control (NAC) (Cisco AnyConnect, Citrix SSO, F5 Access): When you choose I
agree , the device ID is included in the VPN profile. This ID can be used for authentication to the VPN to
allow or prevent network access.
When using Cisco AnyConnect with ISE , be sure to:
If you haven't already, integrate ISE with Intune for NAC as described at Configure Microsoft
Intune as an MDM Server in the Cisco Identity Services Engine Administrator Guide.
Enable NAC in the VPN profile.
When using Citrix SSO with Gateway , be sure to:
Confirm you're using Citrix Gateway 12.0.59 or higher.
Confirm your users have Citrix SSO 1.1.6 or later installed on their devices.
Integrate Citrix Gateway with Intune for NAC. See the Integrating Microsoft Intune/Enterprise Mobility
Suite with NetScaler (LDAP+OTP Scenario) Citrix deployment guide.
Enable NAC in the VPN profile.
When using F5 Access , be sure to:
Confirm you're using F5 BIG-IP 13.1.1.5 or later.
Integrate BIG-IP with Intune for NAC. See the Overview: Configuring APM for device posture checks
with endpoint management systems F5 guide.
Enable NAC in the VPN profile.
For the VPN partners that support device ID, the VPN client, such as Citrix SSO, can get the ID. Then, it can
query Intune to confirm the device is enrolled, and whether the device is compliant or not compliant.
To remove this setting, recreate the profile, and don't select I agree . Then, reassign the profile.
Enter key and value pairs for the NetMotion Mobility VPN attributes (NetMotion Mobility only):
Enter or import key and value pairs. These values may be supplied by your VPN provider.
Microsoft Tunnel site (Microsoft Tunnel only): Select an existing site. The VPN client connects to the
public IP address or FQDN of this site.
For more information, see Microsoft Tunnel for Intune.

IKEv2 settings
These settings apply when you choose Connection type > IKEv2 .
Always-on VPN : Enable sets a VPN client to automatically connect and reconnect to the VPN. Always-
on VPN connections stay connected or immediately connect when the user locks their device, the device
restarts, or the wireless network changes. When set to Disable (default), always-on VPN for all VPN
clients is disabled. When enabled, also configure:
Network interface : All IKEv2 settings only apply to the network interface you choose. Your
options:
Wi-Fi and Cellular (default): The IKEv2 settings apply to the Wi-Fi and cellular interfaces on
the device.
Cellular : The IKEv2 settings only apply to the cellular interface on the device. Select this option
if you're deploying to devices with the Wi-Fi interface disabled or removed.
Wi-Fi : The IKEv2 settings only apply to the Wi-Fi interface on the device.
User to disable VPN configuration : Enable lets users turn off always-on VPN. Disable
(default) prevents users from turning it off. The default value for this setting is the most secure
option.
Voicemail : Choose what happens with voicemail traffic when always-on VPN is enabled. Your
options:
Force network traffic through VPN (default): This setting is the most secure option.
Allow network traffic to pass outside VPN
Drop network traffic
AirPrint : Choose what happens with AirPrint traffic when always-on VPN is enabled. Your options:
Force network traffic through VPN (default): This setting is the most secure option.
Allow network traffic to pass outside VPN
Drop network traffic
Cellular services : On iOS 13.0+, choose what happens with cellular traffic when always-on VPN
is enabled. Your options:
Force network traffic through VPN (default): This setting is the most secure option.
Allow network traffic to pass outside VPN
Drop network traffic
Allow traffic from non-native captive networking apps to pass outside VPN : A captive
network refers to Wi-Fi hotspots typically found in restaurants and hotels. Your options:
No : Forces all Captive Networking (CN) app traffic through the VPN tunnel.
Yes, all apps : Allows all CN app traffic to bypass the VPN.
Yes, specific apps : Add a list of CN apps whose traffic can bypass the VPN. Enter the bundle
identifiers of CN app. For example, enter com.contoso.app.id.package .
Traffic from Captive Websheet app to pass outside VPN : Captive WebSheet is a built-in web
browser that handles captive sign on. Enable allows the browser app traffic to bypass the VPN.
Disable (default) forces WebSheet traffic to use the always-on VPN. The default value is the most
secure option.
Network address translation (NAT) keepalive interval (seconds) : To stay connected to the
VPN, the device sends network packets to remain active. Enter a value in seconds on how often
these packets are sent, from 20-1440. For example, enter a value of 60 to send the network
packets to the VPN every 60 seconds. By default, this value is set to 110 seconds.
Offload NAT keepalive to hardware when device is asleep : When a device is asleep, Enable
(default) lets the network hardware keep sending the NAT keepalive packets, so the device stays
connected to the VPN without waking. Disable turns off this feature.
Remote identifier : Enter the network IP address, FQDN, UserFQDN, or ASN1DN of the IKEv2 server. For
example, enter 10.0.0.3 or vpn.contoso.com . Typically, you enter the same value as the VPN server
address (in this article), since that's the identity the server presents in its certificate. But, it does depend on your IKEv2 server settings.
Local identifier : Enter the device FQDN or subject common name of the IKEv2 VPN client on the device.
Or, you can leave this value empty (default). Typically, the local identifier should match the user or device
certificate’s identity. The IKEv2 server may require the values to match so it can validate the client’s
identity.
Client Authentication type : Choose how the VPN client authenticates to the VPN. Your options:
User authentication (default): User credentials authenticate to the VPN.
Machine authentication : Device credentials authenticate to the VPN.
Authentication method : Choose the type of client credentials to send to the server. Your options:
Certificates : Uses an existing certificate profile to authenticate to the VPN. Be sure this certificate
profile is already assigned to the user or device. Otherwise, the VPN connection fails.
Certificate type : Select the type of encryption used by the certificate. Be sure the VPN server
is configured to accept this type of certificate. Your options:
RSA (default)
ECDSA256
ECDSA384
ECDSA521
Username and password (User authentication only): When users connect to the VPN, they're
prompted for their username and password.
Shared secret (Machine authentication only): Allows you to enter a shared secret to send to the
VPN server.
Shared secret : Enter the shared secret, also known as the pre-shared key (PSK). Be sure the
value matches the shared secret configured on the VPN server.
Server certificate issuer common name : Allows the VPN server to authenticate to the VPN client.
Enter the certificate issuer common name (CN) of the VPN server certificate that's sent to the VPN client
on the device. Be sure the CN value matches the configuration on the VPN server. Otherwise, the VPN
connection fails.
Server certificate common name : Enter the CN for the certificate itself. If left blank, the remote
identifier value is used.
Dead peer detection rate : Choose how often the VPN client checks if the VPN tunnel is active. Your
options:
Not configured : Uses the iOS/iPadOS system default, which may be the same as choosing Medium .
None : Disables dead peer detection.
Low : Sends a keepalive message every 30 minutes.
Medium (default): Sends a keepalive message every 10 minutes.
High : Sends a keepalive message every 60 seconds.
TLS version range minimum : Enter the minimum TLS version to use. Enter 1.0 , 1.1 , or 1.2 . If left
blank, the default value of 1.0 is used. When using user authentication and certificates, you must
configure this setting.
TLS version range maximum : Enter the maximum TLS version to use. Enter 1.0 , 1.1 , or 1.2 . If left
blank, the default value of 1.2 is used. When using user authentication and certificates, you must
configure this setting.
Perfect forward secrecy : Select Enable to turn on perfect forward secrecy (PFS). With PFS, each rekey
runs a fresh Diffie-Hellman exchange, so a compromised session key doesn't expose the traffic of earlier or
later sessions. Disable (default) doesn't use PFS.
Certificate revocation check : Select Enable to make sure the certificates aren't revoked before
allowing the VPN connection to succeed. This check is best-effort and fails open: if the VPN server times out before
determining if the certificate is revoked, access is granted. Disable (default) doesn't check for revoked
certificates.
Use IPv4/IPv6 internal subnet attributes : Some IKEv2 servers use the INTERNAL_IP4_SUBNET or
INTERNAL_IP6_SUBNET attributes. Enable forces the VPN connection to use these attributes. Disable
(default) doesn't force the VPN connection to use these subnet attributes.
Mobility and multihoming (MOBIKE) : MOBIKE allows VPN clients to change their IP address without
recreating a security association with the VPN server. Enable (default) turns on MOBIKE, which can
improve VPN connections when traveling between networks. Disable turns off MOBIKE.
Redirect : Enable (default) redirects the IKEv2 connection if a redirect request is received from the VPN
server. Disable prevents the IKEv2 connection from redirecting if a redirect request is received from the
VPN server.
Maximum transmission unit : Enter the maximum transmission unit (MTU) in bytes, from 1-65536.
When set to Not configured or left blank, Intune doesn't change or update this setting. By default, Apple
may set this value to 1280.
This setting applies to:
iOS/iPadOS 14 and newer
Security association parameters : Enter the parameters to use when creating security associations
with the VPN server:
Encryption algorithm : Select the algorithm you want:
DES
3DES
AES-128
AES-256 (default)
AES-128-GCM
AES-256-GCM

NOTE
If you set the encryption algorithm to AES-128-GCM or AES-256-GCM , then the AES-256 default is
used. This is a known issue, and will be fixed in a future release. There is no ETA.

Integrity algorithm : Select the algorithm you want:


SHA1-96
SHA1-160
SHA2-256 (default)
SHA2-384
SHA2-512
Diffie-Hellman group : Select the group you want. Default is group 2 , which is a 1024-bit MODP group. When your VPN server supports it, choose a 2048-bit or larger group (group 14 or higher).
Lifetime (minutes): Enter how long the security association stays active until the keys are rotated.
Enter a whole value between 10 and 1440 (1440 minutes is 24 hours). Default is 1440 .
Child security association parameters : iOS/iPadOS allows you to configure separate parameters for
the IKE connection, and any child connections. Enter the parameters used when creating child security
associations with the VPN server:
Encryption algorithm : Select the algorithm you want:
DES
3DES
AES-128
AES-256 (default)
AES-128-GCM
AES-256-GCM

NOTE
If you set the encryption algorithm to AES-128-GCM or AES-256-GCM , then the AES-256 default is
used. This is a known issue, and will be fixed in a future release. There is no ETA.

Integrity algorithm : Select the algorithm you want:


SHA1-96
SHA1-160
SHA2-256 (default)
SHA2-384
SHA2-512
Diffie-Hellman group : Select the group you want. Default is group 2 , which is a 1024-bit MODP group. When your VPN server supports it, choose a 2048-bit or larger group (group 14 or higher).
Lifetime (minutes): Enter how long the security association stays active until the keys are rotated.
Enter a whole value between 10 and 1440 (1440 minutes is 24 hours). Default is 1440 .
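
The security association choices above end up in the IKEv2 dictionary of Apple's VPN payload, which is what Intune pushes to the device. The following added example (mine, not Intune's or Apple's code) builds that dictionary for a certificate-authenticated tunnel, serializes it with plistlib, and audits it for the weak choices a reviewer looks for: DES/3DES, SHA-1 integrity, the 1024-bit group 2 default, PFS and revocation checking left off, and a TLS floor of 1.0. Key names follow Apple's payload reference as I recall them and should be treated as assumptions to verify; the server name, CA name and certificate UUID are constructed.

```python
"""Build the IKEv2 section of an Apple VPN payload and audit the security
association choices. Added example; not Intune or Apple code. Key names follow
Apple's com.apple.vpn.managed / IKEv2 payload reference as I recall them
(assumption: verify against Apple's Configuration Profile Reference).
Server name, CA name and certificate UUID are constructed.
"""
import plistlib
import uuid

# Intune's defaults for the IKEv2 connection type, as listed on this page.
INTUNE_DEFAULT_SA = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
                     "DiffieHellmanGroup": 2, "LifeTimeInMinutes": 1440}
# A stronger set: AEAD cipher, SHA-2 integrity, 384-bit ECP group, shorter rekey.
HARDENED_SA = {"EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-384",
               "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 480}
CERT_UUID = "C1A0E7B4-0000-4000-8000-000000000001"  # assumption: UUID of the SCEP/PKCS cert payload

WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
# MODP groups of 2048 bits or more, plus the ECP groups (19-21, 31).
STRONG_DH_GROUPS = {14, 15, 16, 17, 18, 19, 20, 21, 31}


def ikev2_payload(server, issuer_cn, sa, child_sa, *, pfs, revocation, tls_min, cert_uuid):
    """Return a VPN payload dict for an IKEv2 tunnel using certificate authentication."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.contoso.vpn.ikev2",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Contoso IKEv2",
        "UserDefinedName": "Contoso IKEv2",            # the "Connection name" users see
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": server,                 # must match the identity in the server cert
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_uuid,
            "CertificateType": "RSA",
            "ServerCertificateIssuerCommonName": issuer_cn,
            "DeadPeerDetectionRate": "Medium",
            "TLSMinimumVersion": tls_min,
            "TLSMaximumVersion": "1.2",
            "EnablePFS": 1 if pfs else 0,
            "EnableCertificateRevocationCheck": 1 if revocation else 0,
            "IKESecurityAssociationParameters": dict(sa),
            "ChildSecurityAssociationParameters": dict(child_sa),
        },
    }


def audit_ikev2(payload):
    """Return the list of weak choices found in the IKEv2 section (empty means none)."""
    findings = []
    ike = payload["IKEv2"]
    for name in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
        sa = ike.get(name, {})
        enc, integ, dh = sa.get("EncryptionAlgorithm"), sa.get("IntegrityAlgorithm"), sa.get("DiffieHellmanGroup")
        if enc in WEAK_ENCRYPTION:
            findings.append(f"{name}: {enc} is a 64-bit block cipher (Sweet32); use AES-256-GCM or AES-256")
        if integ in WEAK_INTEGRITY:
            findings.append(f"{name}: {integ} relies on SHA-1; use SHA2-256 or stronger")
        if dh not in STRONG_DH_GROUPS:
            findings.append(f"{name}: DH group {dh} is below 2048-bit MODP; use group 14 or higher, or ECP 19/20/21")
    if not ike.get("EnablePFS"):
        findings.append("EnablePFS is off: one compromised IKE key exposes every child SA and its traffic")
    if not ike.get("EnableCertificateRevocationCheck"):
        findings.append("EnableCertificateRevocationCheck is off (even when on, the check fails open on timeout)")
    if ike.get("TLSMinimumVersion", "1.0") != "1.2":
        findings.append("TLSMinimumVersion allows TLS 1.0/1.1 for EAP-TLS user authentication; set 1.2")
    if ike.get("AuthenticationMethod") == "SharedSecret":
        findings.append("SharedSecret authentication: the PSK is readable by anyone holding the profile")
    return findings


def to_plist(payload):
    """Serialize the payload as the XML plist a .mobileconfig carries."""
    return plistlib.dumps(payload)


def round_trip(payload):
    """Serialize and parse again, as a device would read the delivered profile."""
    return plistlib.loads(to_plist(payload))


INTUNE_DEFAULT_PROFILE = ikev2_payload("vpn.contoso.com", "Contoso Issuing CA",
                                       INTUNE_DEFAULT_SA, INTUNE_DEFAULT_SA,
                                       pfs=False, revocation=False, tls_min="1.0", cert_uuid=CERT_UUID)
HARDENED_PROFILE = ikev2_payload("vpn.contoso.com", "Contoso Issuing CA",
                                 HARDENED_SA, HARDENED_SA,
                                 pfs=True, revocation=True, tls_min="1.2", cert_uuid=CERT_UUID)

if __name__ == "__main__":
    for label, profile in (("Intune defaults", INTUNE_DEFAULT_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = audit_ikev2(profile)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
    print(to_plist(HARDENED_PROFILE).decode()[:400])
```

Run as-is, the Intune-default profile produces five findings (group 2 in both security associations, PFS off, revocation check off, TLS floor 1.0) and the hardened one produces none. Keep the known issue above in mind: until it is fixed, selecting AES-128-GCM or AES-256-GCM in Intune still results in AES-256, so confirm the algorithms the tunnel actually negotiates on the server side rather than trusting the profile.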

Automatic VPN
On-demand VPN : On-demand VPN uses rules to automatically connect or disconnect the VPN
connection. When your devices attempt to connect to the VPN, it looks for matches in the parameters and
rules you create, such as a matching IP address or domain name. If there's a match, then the action you
choose runs.
For example, create a condition where the VPN connection is only used when a device isn't connected to a
company Wi-Fi network. Or, if a device can't access a DNS search domain you enter, then the VPN
connection isn't started.
Add : Select this option to add a rule.
I want to do the following : If there's a match between the device value and your on-demand
rule, then select the action. Your options:
Establish VPN
Disconnect VPN
Evaluate each connection attempt
Ignore
I want to restrict to : Select the condition that the rule must meet. Your options:
Specific SSIDs : Enter one or more wireless network names to which the rule applies. This
network name is the Service Set Identifier (SSID). For example, enter Contoso VPN . An SSID is
only a name and isn't authenticated, so any access point can broadcast it; don't treat an SSID
match alone as proof that the device is on a trusted network.
Specific DNS domains : Enter one or more DNS domains to which the rule applies. For example,
enter contoso.com .
All domains : Select this option to apply your rule to all domains in your organization.
But only if this URL probe succeeds : Optional. Enter a URL that the rule uses as a test. If the
device reaches this URL without redirection, the rule matches and its action runs; for an Establish VPN
rule, the VPN connection is started and the device then connects to the target URL. The user doesn't see
the URL string probe site.
For example, a URL string probe is an auditing web server URL that checks device compliance
before connecting the VPN. Or, the URL tests the VPN's ability to connect to a site before the device
connects to the target URL through the VPN.
Prevent users from disabling automatic VPN : Your options:
Not configured : Intune doesn't change or update this setting.
Yes : Prevents users from turning off automatic VPN. It forces users to keep the automatic VPN
enabled and running.
No : Allows users to turn off automatic VPN.
This setting applies to:
iOS 14 and newer
iPadOS 14 and newer
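
On-demand rules are ordered, every condition in a rule must hold before its action runs, and the first matching rule decides. The added example below (mine, not Intune's or Apple's code) models that evaluation for the scenario above, corporate Wi-Fi off the VPN and everything else on it, and shows why an SSID match is a weak trust signal: an access point broadcasting the same name satisfies it, whereas a rule that also requires the network's DNS search domain and an internal HTTPS probe does not. Intune's Establish VPN, Disconnect VPN, Evaluate each connection attempt and Ignore actions are written here with Apple's Connect, Disconnect, EvaluateConnection and Ignore values; the rule key names are as I recall them from Apple's payload reference, so treat them as assumptions, and the network states and probe results are constructed.

```python
"""Evaluate Apple VPN on-demand rules the way the device does: rules are tried in
order, every match key in a rule must match the current network, and the first
matching rule's Action wins. Added example; not Intune or Apple code. Rule key
names and action strings follow Apple's OnDemandRules reference as I recall them
(assumption: verify). Network states and probe results are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class NetworkState:
    interface: str                                 # "WiFi", "Cellular" or "Ethernet"
    ssid: Optional[str] = None
    search_domains: Tuple[str, ...] = ()           # DNS search domains the network handed out
    reachable_urls: FrozenSet[str] = frozenset()   # constructed stand-in for "HTTP 200, no redirect"


def _domain_matches(pattern, name):
    """'*.corp.example' matches corp.example and any subdomain; anything else is an exact match."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return name == base or name.endswith("." + base)
    return name == pattern


def rule_matches(rule, net):
    """All match keys present in the rule must hold; a rule with no match keys matches everything."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != net.interface:
        return False
    if "SSIDMatch" in rule and net.ssid not in rule["SSIDMatch"]:
        return False
    # DNSDomainMatch tests the network's search domain, not the site the user is opening.
    if "DNSDomainMatch" in rule and not any(
            _domain_matches(p, d) for p in rule["DNSDomainMatch"] for d in net.search_domains):
        return False
    if "URLStringProbe" in rule and rule["URLStringProbe"] not in net.reachable_urls:
        return False
    return True


def evaluate_on_demand(rules, net, destination=None):
    """Return Connect, Disconnect or Ignore, or for an EvaluateConnection rule the
    DomainAction (ConnectIfNeeded / NeverConnect) that applies to `destination`."""
    for rule in rules:
        if not rule_matches(rule, net):
            continue
        if rule["Action"] != "EvaluateConnection":
            return rule["Action"]
        for params in rule.get("ActionParameters", []):
            if destination and any(_domain_matches(p, destination) for p in params["Domains"]):
                return params["DomainAction"]
        return "Ignore"   # destination not covered: leave the tunnel as it is
    return "Ignore"       # no rule matched


# The page's scenario: no VPN on the corporate Wi-Fi, VPN everywhere else.
CONTOSO_RULES = [
    # Strongest signal first: the network hands out the corporate search domain AND an
    # internal HTTPS probe answers. Both must hold for the rule to match.
    {"Action": "Disconnect", "DNSDomainMatch": ["*.corp.contoso.com"],
     "URLStringProbe": "https://probe.corp.contoso.com/ok"},
    # SSID-only rule: convenient, but any access point can broadcast this name.
    {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi", "SSIDMatch": ["Contoso Corp"]},
    {"Action": "Connect", "InterfaceTypeMatch": "Cellular"},
    # Catch-all: on unknown Wi-Fi, bring the tunnel up only for internal names.
    {"Action": "EvaluateConnection", "ActionParameters": [
        {"Domains": ["*.corp.contoso.com"], "DomainAction": "ConnectIfNeeded"}]},
]
# Same policy with the spoofable SSID rule removed.
HARDENED_RULES = [r for r in CONTOSO_RULES if "SSIDMatch" not in r]

CORP_WIFI = NetworkState("WiFi", "Contoso Corp", ("corp.contoso.com",),
                         frozenset({"https://probe.corp.contoso.com/ok"}))
EVIL_TWIN = NetworkState("WiFi", "Contoso Corp")   # the right name and nothing else
HOTEL_WIFI = NetworkState("WiFi", "Hotel Guest")
CELLULAR = NetworkState("Cellular")

if __name__ == "__main__":
    for label, net in (("corp", CORP_WIFI), ("evil twin", EVIL_TWIN),
                       ("hotel", HOTEL_WIFI), ("cellular", CELLULAR)):
        print(f"{label:9} page rules: {evaluate_on_demand(CONTOSO_RULES, net):10} "
              f"hardened, for intranet.corp.contoso.com: "
              f"{evaluate_on_demand(HARDENED_RULES, net, 'intranet.corp.contoso.com')}")
```

With the page's rules the evil twin gets the tunnel torn down exactly like the real corporate network; with the SSID rule removed it falls through to the EvaluateConnection rule and internal names still go through the VPN. The order also matters for the hotel case: because the cellular rule precedes the catch-all, a device that drops from hotel Wi-Fi to cellular switches from per-destination evaluation to an unconditional Connect.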
Per-app VPN : Enables per-app VPN by associating this VPN connection with an iOS/iPadOS app. When
the app runs, the VPN connection starts. You can associate the VPN profile with an app when you assign
the software. For more information, see How to assign and monitor apps.
Per-app VPN isn't supported on IKEv2. For more information, see set up per-app VPN for iOS/iPadOS
devices.
Provider Type : Only available for Pulse Secure and Custom VPN.
When using iOS/iPadOS per-app VPN profiles with Pulse Secure or a Custom VPN, choose app-
layer tunneling (app-proxy) or packet-level tunneling (packet-tunnel). Set the ProviderType value
to app-proxy for app-layer tunneling, or packet-tunnel for packet-layer tunneling. If you're not
sure which value to use, check your VPN provider's documentation.
Safari URLs that will trigger this VPN : Add one or more web site URLs. When these URLs are
visited using the Safari browser on the device, the VPN connection is automatically established.
Associated Domains : Enter associated domains in the VPN profile to use with this VPN
connection.
For more information, see associated domains.
Excluded Domains : Enter domains that can bypass the VPN connection when per-app VPN is
connected. For example, enter contoso.com . Traffic to the contoso.com domain will use the public
Internet even if the VPN is connected.
Prevent users from disabling automatic VPN : Your options:
Not configured : Intune doesn't change or update this setting.
Yes : Prevents users from turning off the Connect On Demand toggle within the VPN profile
settings. It forces users to keep per-app VPN or on-demand rules enabled and running.
No : Allows users to turn off the Connect On Demand toggle, which disables per-app VPN and
on-demand rules.
This setting applies to:
iOS 14 and newer
iPadOS 14 and newer

Per-app VPN
These settings apply when you choose Connection type > Microsoft Tunnel (standalone client) .
Per-app VPN : Enable associates a specific app with this VPN connection. When the app runs, its traffic
automatically routes through the VPN connection. You can associate the VPN profile with an app when
you assign the software. For more information, see How to assign and monitor apps.
For more information, see Microsoft Tunnel for Intune.

IMPORTANT
In preparation for the public preview of Tunnel client functionality in the Microsoft Defender for Endpoint app, the VPN
profile connection type for the Microsoft Tunnel client app has been renamed to Microsoft Tunnel (standalone
client) . At this time, you should use the Microsoft Tunnel (standalone client) connection type, not the Microsoft
Tunnel connection type.

Proxy
If you use a proxy, then configure the following settings.
Automatic configuration script : Use a file to configure the proxy server. Enter the proxy server URL that
includes the configuration file. For example, enter http://proxy.contoso.com/pac .
Address : Enter the IP address or fully qualified host name of the proxy server. For example, enter 10.0.0.3
or vpn.contoso.com .
Port number : Enter the port number associated with the proxy server. For example, enter 8080 .

Next steps
The profile is created, but may not be doing anything yet. Be sure to assign the profile and monitor its status.
Configure VPN settings on Android, Android Enterprise, macOS, and Windows 10 devices.
Add Wi-Fi settings for iOS and iPadOS devices in Microsoft Intune
3/5/2021 • 8 minutes to read

You can create a profile with specific Wi-Fi settings, and then deploy this profile to your iOS/iPadOS devices.
Microsoft Intune offers many features, including authenticating to your network, adding a PKCS or SCEP
certificate, and more.
These Wi-Fi settings are separated into two categories: Basic settings and Enterprise-level settings.
This article describes these settings.

Before you begin


Create an iOS/iPadOS Wi-Fi device configuration profile.

NOTE
These settings are available for all enrollment types. For more information on the enrollment types, see iOS/iPadOS
enrollment.
These settings use the Apple Wi-Fi payload (opens Apple's web site).

Basic profiles
Wi-Fi type : Select Basic .
Network name : Enter a name for this Wi-Fi connection. This value is the name that users see when they
browse the list of available connections on their device.
SSID : Short for service set identifier . This property is the real name of the wireless network that
devices connect to. However, users only see the network name you configured when they choose the
connection.
Connect automatically : Enable automatically connects to this network when the device is in range.
Disable prevents devices from automatically connecting.
Hidden network : Enable matches this device setting with the setting on the router Wi-Fi configuration.
So if the network is set to hidden, then it's also hidden in the Wi-Fi profile. Select Disable if the network
SSID is broadcasted and visible.
Security type : Select the security protocol to authenticate to the Wi-Fi network. Your options:
Open (no authentication) : Only use this option if the network is unsecured.
WPA/WPA2 - Personal : Enter the password in Pre-shared key . When your organization's network
is set up or configured, a password or network key is also configured. Enter this password or network
key for the PSK value.
WEP : Legacy option. WEP keys are recoverable from captured traffic, so only select it for a network
that can't be moved to WPA2.
Proxy settings : Your options:
None : No proxy settings are configured.
Manual : Enter the Proxy server address as an IP address, and its Port number .
Automatic : Use a file to configure the proxy server. Enter the Proxy server URL that contains the
configuration file. For example, enter http://proxy.contoso.com , 10.0.0.11 , or
http://proxy.contoso.com/proxy.pac .

For more information on PAC files, see Proxy Auto-Configuration (PAC) file (opens a non-Microsoft
site).
Disable MAC address randomization : Starting with iOS/iPadOS 14, devices present a randomized
MAC address instead of the physical MAC address when connecting to a network. Using randomized
MAC addresses is recommended for privacy, as it's harder to track a device by its MAC address. However,
randomized MAC addresses break functionality that relies on a static MAC address, including network
access control (NAC).
Your options:
Not configured : Intune doesn't change or update this setting. By default, devices present a
randomized MAC address instead of the physical MAC address when connecting to a new network.
Yes : Forces devices to present their actual Wi-Fi MAC address instead of a random MAC address. Yes
allows devices to be tracked by their MAC address. Only disable MAC address randomization when
necessary, such as for network access control (NAC) support.
No : Enables MAC address randomization on devices. Users can't turn it off. When connecting to a new
network, devices present a randomized MAC address, instead of the physical MAC address.
This setting applies to:
iOS 14.0 and newer
iPadOS 14.0 and newer

Enterprise profiles
Wi-Fi type : Select Enterprise .
Network name : Enter a name for this Wi-Fi connection. This value is the name that users see when they
browse the list of available connections on their device.
SSID : Short for service set identifier . This property is the real name of the wireless network that
devices connect to. However, users only see the network name you configured when they choose the
connection.
Connect automatically : Enable automatically connects to this network when the device is in range.
Disable prevents devices from automatically connecting.
Hidden network : Enable matches this device setting with the setting on the router Wi-Fi configuration.
So if the network is set to hidden, then it's also hidden in the Wi-Fi profile. Select Disable if the network
SSID is broadcasted and visible.
Security type : Select the security protocol to authenticate to the Wi-Fi network. Your options:
WPA - Enterprise
WPA/WPA2 - Enterprise
EAP type : Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless
connections. Your options:
EAP-FAST : Enter the Protected Access Credential (PAC) Settings . This option uses protected
access credentials to create an authenticated tunnel between the client and the authentication
server. Your options:
Do not use (PAC)
Use (PAC) : If an existing PAC file exists, use it.
Use and Provision PAC : Create and add the PAC file to your devices.
Use and Provision PAC Anonymously : Create and add the PAC file to your devices without
authenticating to the server.
EAP-SIM
EAP-TLS : Also enter:
Certificate server names : Add one or more common names used in the certificates
issued by your trusted certificate authority (CA) to your wireless network access servers.
For example, add mywirelessserver.contoso.com or mywirelessserver . When you enter this
information, you can bypass the dynamic trust window displayed on user's devices when
they connect to this Wi-Fi network.
Root certificate for server validation : Select an existing trusted root certificate profile.
This certificate allows the client to trust the wireless network access server's certificate.
Authentication method : Select the authentication method used by your device clients.
Your options:
Derived credential : Use a certificate that's derived from a user's smart card. If no
derived credential issuer is configured, Intune prompts you to add one. For more
information, see Use derived credentials in Microsoft Intune.
Certificates : Select the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by the real
identification sent in a secure tunnel.
EAP-TTLS : Also enter:
Certificate server names : Add one or more common names used in the certificates
issued by your trusted certificate authority (CA) to your wireless network access servers.
For example, add mywirelessserver.contoso.com or mywirelessserver . When you enter this
information, you can bypass the dynamic trust window displayed on user's devices when
they connect to this Wi-Fi network.
Root certificate for server validation : Select an existing trusted root certificate profile.
This certificate allows the client to trust the wireless network access server's certificate.
Authentication method : Select the authentication method used by your device clients.
Your options:
Derived credential : Use a certificate that's derived from a user's smart card. If no
derived credential issuer is configured, Intune prompts you to add one. For more
information, see Use derived credentials in Microsoft Intune.
Username and Password : Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method (inner identity) : Choose how you authenticate the
connection. Be sure you choose the same protocol that's configured on your
Wi-Fi network.
Your options: Unencrypted password (PAP) , Challenge Handshake
Authentication Protocol (CHAP) , Microsoft CHAP (MS-CHAP) , or
Microsoft CHAP Version 2 (MS-CHAP v2) . With PAP the password crosses the
TTLS tunnel in clear, so its safety rests entirely on the server certificate validation above.
Certificates : Select the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by the real
identification sent in a secure tunnel.
LEAP
PEAP : Also enter:
Certificate server names : Add one or more common names used in the certificates
issued by your trusted certificate authority (CA) to your wireless network access servers.
For example, add mywirelessserver.contoso.com or mywirelessserver . When you enter this
information, you can bypass the dynamic trust window displayed on user's devices when
they connect to this Wi-Fi network.
Root certificate for server validation : Select an existing trusted root certificate profile.
This certificate allows the client to trust the wireless network access server's certificate.
Authentication method : Select the authentication method used by your device clients.
Your options:
Derived credential : Use a certificate that's derived from a user's smart card. If no
derived credential issuer is configured, Intune prompts you to add one. For more
information, see Use derived credentials in Microsoft Intune.
Username and Password : Prompt the user for a user name and password to
authenticate the connection.
Certificates : Select the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by the real
identification sent in a secure tunnel.
Proxy settings : Select a proxy configuration. Your options:
None : No proxy settings are configured.
Manual : Enter the Proxy ser ver address as an IP address, and its Por t number .
Automatic : Use a file to configure the proxy server. Enter the Proxy ser ver URL that contains the
configuration file. For example, enter http://proxy.contoso.com , 10.0.0.11 , or
http://proxy.contoso.com/proxy.pac .

For more information on PAC files, see Proxy Auto-Configuration (PAC) file (opens a non-Microsoft
site).
Disable MAC address randomization: Starting with iOS/iPadOS 14, devices present a randomized
MAC address instead of the physical MAC address when connecting to a network. Using randomized
MAC addresses is recommended for privacy, as it's harder to track a device by its MAC address.
Randomized MAC addresses also break functionality that relies on a static MAC address, including
network access control (NAC).
Your options:
Not configured: Intune doesn't change or update this setting. By default, when connecting to a
network, devices may present a randomized MAC address instead of the physical MAC address.
Yes: Forces devices to present their actual Wi-Fi MAC address instead of a random MAC address. Yes
allows devices to be tracked by their MAC address. Only disable MAC address randomization when
necessary, such as for network access control (NAC) support.
No: Enables MAC address randomization on devices. Users can't turn it off. When connecting to a
network, devices present a randomized MAC address, instead of the physical MAC address.
This setting applies to:
iOS 14.0 and newer
iPadOS 14.0 and newer

Next steps
The profile is created, but may not be doing anything. Be sure to assign this profile, and monitor its status.
Configure Wi-Fi settings on Android, Android Enterprise, macOS, and Windows 10 devices.
Bundle IDs for built-in iOS and iPadOS apps you can use in Intune
11/2/2020 • 2 minutes to read

When you configure features on iOS/iPadOS devices, you can also add the built-in apps on iOS/iPadOS devices.
This article lists the bundle IDs of some common built-in iOS/iPadOS apps. To find the bundle ID of other apps,
contact your software vendor. See Apple's list of iOS/iPadOS bundle IDs (opens Apple's web site).

Bundle IDs
Bundle ID                          App name          Publisher
com.apple.AppStore                 App Store         Apple
com.apple.store.Jolly              Apple Store       Apple
com.apple.calculator               Calculator        Apple
com.apple.mobilecal                Calendar          Apple
com.apple.camera                   Camera            Apple
com.apple.mobiletimer              Clock             Apple
com.apple.clips                    Clips             Apple
com.apple.compass                  Compass           Apple
com.apple.MobileAddressBook        Contacts          Apple
com.apple.facetime                 FaceTime          Apple
com.apple.DocumentsApp             Files             Apple
com.apple.mobileme.fmf1            Find Friends      Apple
com.apple.mobileme.fmip1           Find iPhone       Apple
com.apple.gamecenter               Game Center       Apple
com.apple.mobilegarageband         GarageBand        Apple
com.apple.Health                   Health            Apple
com.apple.Home                     Home              Apple
com.apple.iBooks                   iBooks            Apple
com.apple.iMovie                   iMovie            Apple
com.apple.itunesconnect.mobile     iTunes Connect    Apple
com.apple.MobileStore              iTunes Store      Apple
com.apple.itunesu                  iTunes U          Apple
com.apple.Keynote                  Keynote           Apple
com.apple.mobilemail               Mail              Apple
com.apple.Maps                     Maps              Apple
com.apple.measure                  Measure           Apple
com.apple.MobileSMS                Messages          Apple
com.apple.Music                    Music             Apple
com.apple.news                     News              Apple
com.apple.mobilenotes              Notes             Apple
com.apple.Numbers                  Numbers           Apple
com.apple.Pages                    Pages             Apple
com.apple.mobilephone              Phone             Apple
com.apple.Photo-Booth              Photo Booth       Apple
com.apple.mobileslideshow          Photos            Apple
com.apple.podcasts                 Podcasts          Apple
com.apple.reminders                Reminders         Apple
com.apple.mobilesafari             Safari            Apple
com.apple.Preferences              Settings          Apple
com.apple.shortcuts                Shortcuts         Apple
com.apple.SiriViewService          Siri              Apple
com.apple.stocks                   Stocks            Apple
com.apple.tips                     Tips              Apple
com.apple.tv                       TV                Apple
com.apple.videos                   Videos            Apple
com.apple.VoiceMemos               VoiceMemos        Apple
com.apple.Passbook                 Wallet            Apple
com.apple.Bridge                   Watch             Apple
com.apple.weather                  Weather           Apple
com.apple.barcodesupport.qrcode    QR Code Reader    Apple

Next steps
Use these bundle IDs to configure device features and to allow or restrict some settings on iOS/iPadOS devices.
Use custom settings for macOS devices in Microsoft Intune
3/31/2021 • 2 minutes to read

IMPORTANT
Custom configuration profiles shouldn't be used for sensitive information, such as Wi-Fi connections or authenticating
apps, sites, and more. Instead, use the built-in profiles for sensitive information, as they're designed and configured to
handle sensitive information.
For example, use the built-in Wi-Fi profile to deploy a Wi-Fi connection. Use the built-in certificates profile for
authentication.

Using Microsoft Intune, you can add or create custom settings for your macOS devices using a "custom profile".
Custom profiles are a feature in Intune. They're designed to add device settings and features that aren't built in
to Intune.
When using macOS devices, there are two ways to get custom settings into Intune:
Apple Configurator
Apple Profile Manager
You can use these tools to export settings to a configuration profile. In Intune, you import this file, and then
assign the profile to your macOS users and devices. Once assigned, the settings are distributed. They also create
a baseline or standard for macOS in your organization.
This article provides some guidance on using Apple Configurator and Apple Profile Manager, and describes the
properties you can configure.

Before you begin


Create a macOS custom device configuration profile.

What you need to know


When using Apple Configurator to create the configuration profile, be sure the settings you export are
compatible with the macOS version on the devices. For information on resolving incompatible settings,
search for Configuration Profile Reference and Mobile Device Management Protocol Reference
on the Apple Developer website.
When using Apple Profile Manager, be sure to:
Enable mobile device management in Profile Manager.
Add macOS devices in Profile Manager.
After you add a device in Profile Manager, go to Library > Devices > select your
device > Settings. Enter the general, security, privacy, directory, and certificate settings for the
device.
Download and save this file. You'll upload this file in the Intune profile.
Be sure the settings you export from the Apple Profile Manager are compatible with the macOS
version on the devices. For information on resolving incompatible settings, search for
Configuration Profile Reference and Mobile Device Management Protocol Reference on
the Apple Developer website.

Custom configuration profile settings
Configuration profile name: Enter a name for the policy. This name is shown on the device, and in the
Intune status.
Configuration profile file: Browse to the .xml or .mobileconfig file you created using the Apple
Configurator or Apple Profile Manager. The max file size is 1000000 bytes (just under 1 MB). The file you
import is shown. You can also Remove a file after it's been added.
You can also add device tokens to your .mobileconfig files. Device tokens are used to add device-specific
information. For example, to show the serial number, enter {{serialnumber}}. On the device, the text
shows similar to 123456789ABC, which is unique to each device. When entering variables, be sure to use
curly brackets {{ }}. App configuration tokens includes a list of variables that can be used. You can also
use deviceid or any other device-specific value.

NOTE
Variables aren't validated in the UI, and are case sensitive. As a result, you may see profiles saved with incorrect
input. For example, if you enter {{DeviceID}} instead of {{deviceid}}, then the literal string is shown instead
of the device's unique ID. Be sure to enter the correct information.
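Because the UI doesn't validate tokens, it is worth checking the file before it is uploaded. The following Python script is an added example, not part of this article or of Intune: it parses a constructed sample .mobileconfig with plistlib, checks the 1000000-byte limit stated above, and flags tokens whose case doesn't match a known token name, tokens wrapped in a single brace, and names that aren't known tokens at all. The known-token list holds only the two names this page mentions (serialnumber and deviceid); the payload identifiers and values in the sample plist are made up.

```python
import plistlib
import re

# Device tokens named on this page; the full list is in "App configuration tokens".
KNOWN_TOKENS = {"serialnumber", "deviceid"}
MAX_PROFILE_BYTES = 1_000_000                                  # Intune's upload limit
TOKEN_RE = re.compile(r"\{\{([^{}]*)\}\}")                     # {{...}}
SINGLE_BRACE_RE = re.compile(r"(?<!\{)\{([A-Za-z]+)\}(?!\})")  # {deviceid}, one brace only

# Constructed sample .mobileconfig: one token is correct, one has the wrong case.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.custom.sample</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Asset tag {{serialnumber}}</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.example.managed</string>
      <key>PayloadIdentifier</key><string>com.example.managed.1</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>DeviceLabel</key><string>{{DeviceID}}</string>
    </dict>
  </array>
</dict>
</plist>
"""


def check_profile(data):
    """Return the problems found in a .mobileconfig; an empty list means it looks deployable."""
    problems = []
    if len(data) > MAX_PROFILE_BYTES:
        problems.append(f"file is {len(data)} bytes, over the {MAX_PROFILE_BYTES}-byte limit")
    try:
        plistlib.loads(data)                      # it must still be a well-formed plist
    except Exception as exc:
        problems.append(f"not a valid plist: {exc}")
        return problems
    text = data.decode("utf-8", errors="replace")
    for raw in TOKEN_RE.findall(text):
        token = "{{" + raw + "}}"
        name = raw.strip()
        if name != raw:
            problems.append(token + " has whitespace inside the braces; use {{" + name + "}}")
        elif name in KNOWN_TOKENS:
            continue                              # exact, case-correct match
        elif name.lower() in KNOWN_TOKENS:
            problems.append(token + " is case-sensitive; use {{" + name.lower() + "}}")
        else:
            problems.append(token + " is not a known device token and will be sent literally")
    for name in SINGLE_BRACE_RE.findall(text):    # {deviceid} is sent literally too
        if name.lower() in KNOWN_TOKENS:
            problems.append("{" + name + "} needs double curly brackets: {{" + name.lower() + "}}")
    return problems


if __name__ == "__main__":
    for problem in check_profile(SAMPLE_MOBILECONFIG):
        print(problem)
```

Run it against the real file with `check_profile(open("profile.mobileconfig", "rb").read())` before browsing to the file in the Intune portal; extend KNOWN_TOKENS from the App configuration tokens article as you confirm names.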

Next steps
Assign the profile and monitor its status.
Create a custom profile on iOS/iPadOS devices.
macOS device feature settings in Intune
3/5/2021 • 25 minutes to read

Intune includes built-in settings to customize features on your macOS devices. For example, administrators can
add AirPrint printers, choose how users sign in, configure the power controls, use single sign-on authentication,
and more.
Use these features to control macOS devices as part of your mobile device management (MDM) solution.
This article describes these settings. It also lists the steps to get the IP address, path, and port of AirPrint printers
using the Terminal app (emulator). For more information on device features, go to Add iOS/iPadOS or macOS
device feature settings.

NOTE
The user interface may not match the enrollment types in this article. The information in this article is correct. The user
interface is being updated in an upcoming release.

Before you begin


Create a macOS device features configuration profile.

NOTE
These settings apply to different enrollment types, with some settings applying to all enrollment options. For more
information on the different enrollment types, see macOS enrollment.

AirPrint
Settings apply to: All enrollment types
AirPrint destinations: Add one or more AirPrint printers users can print from their devices. Also enter:
Port (iOS 11.0+, iPadOS 13.0+): Enter the listening port of the AirPrint destination. If you leave this
property blank, AirPrint uses the default port.
IP address: Enter the IPv4 or IPv6 address of the printer. For example, enter 10.0.0.1. If you use host
names to identify printers, you can get the IP address by pinging the printer in the Terminal app. Get
the IP address and path (in this article) has more details.
Path: Enter the resource path of the printer. The path is typically ipp/print for printers on your
network. Get the IP address and path (in this article) has more details.
TLS (iOS 11.0+, iPadOS 13.0+): Your options:
No (default): Transport Layer Security (TLS) isn't enforced when connecting to AirPrint printers.
Yes: Secures AirPrint connections with Transport Layer Security (TLS).
Import a comma-separated file (.csv) that includes a list of AirPrint printers. Also, after you add AirPrint
printers in Intune, you can Export this list.
Get the IP address and path
To add AirPrint printers, you need the IP address of the printer, the resource path, and the port. The following
steps show you how to get this information.
1. On a Mac that's connected to the same local network (subnet) as the AirPrint printers, open Terminal
(from /Applications/Utilities).
2. In the Terminal app, type ippfind, and press Enter.
Note the printer information. For example, it may return something similar to
ipp://myprinter.local.:631/ipp/port1. The first part is the name of the printer. The last part (ipp/port1)
is the resource path.
3. In the Terminal, type ping myprinter.local, and press Enter.
Note the IP address. For example, it may return something similar to PING myprinter.local (10.50.25.21).
4. Use the IP address and resource path values. In this example, the IP address is 10.50.25.21, and the
resource path is /ipp/port1.
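As an added example (not part of this article or of Intune), the following Python helpers turn the two command outputs from the steps above into the hostname, IP address, port and resource path the AirPrint settings ask for. The ippfind and ping lines are constructed samples that follow the shapes shown in steps 2 and 3; falling back to port 631 when the URI names no port is an assumption based on the standard IPP port.

```python
import ipaddress
import re
from urllib.parse import urlsplit

IPP_DEFAULT_PORT = 631  # standard IPP port; assumed when the URI carries none

# Constructed sample output, in the shape the steps above describe.
IPPFIND_OUTPUT = "ipp://myprinter.local.:631/ipp/port1\n"
PING_OUTPUT = "PING myprinter.local (10.50.25.21): 56 data bytes\n"


def parse_ippfind(line):
    """Split one ipp:// URI printed by ippfind into (hostname, port, resource path)."""
    parts = urlsplit(line.strip())
    if parts.scheme not in ("ipp", "ipps") or not parts.hostname:
        raise ValueError(f"not an IPP printer URI: {line!r}")
    host = parts.hostname.rstrip(".")        # Bonjour names often carry a trailing dot
    port = parts.port or IPP_DEFAULT_PORT
    path = parts.path or "/"                 # keep the leading slash, as in step 4
    return host, port, path


def parse_ippfind_output(output):
    """ippfind prints one URI per line; return every printer it found."""
    return [parse_ippfind(line) for line in output.splitlines() if line.strip()]


def parse_ping(output):
    """Pull the resolved address out of the 'PING host (addr)' line and validate it."""
    match = re.search(r"^PING\s+\S+\s+\(([^)]+)\)", output, re.MULTILINE)
    if not match:
        raise ValueError("no resolved address in ping output")
    return str(ipaddress.ip_address(match.group(1)))   # raises ValueError on garbage


def airprint_destination(ippfind_line, ping_output):
    """Combine both outputs into the values the AirPrint destination fields ask for."""
    host, port, path = parse_ippfind(ippfind_line)
    return {"hostname": host, "ip_address": parse_ping(ping_output), "port": port, "path": path}


if __name__ == "__main__":
    print(airprint_destination(IPPFIND_OUTPUT, PING_OUTPUT))
```

On a Mac you can feed the live output of `ippfind` and `ping -c 1 myprinter.local` into these functions instead of the constructed strings; parse_ippfind_output handles the multi-printer case where ippfind lists one URI per line.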

Associated domains
In Intune, you can:
Add many app-to-domain associations.
Associate many domains with the same app.
This setting applies to:
macOS 10.15 and newer
Settings apply to: User approved device enrollment, and Automated device enrollment
These settings use the AssociatedDomains.ConfigurationItem payload (opens Apple's web site).
Associated domains: Add an association between your domain and an app. This feature shares sign-on
credentials between a Contoso app and a Contoso website. Also enter:
App ID: Enter the app identifier of the app to associate with a website. The app identifier includes
the team ID and a bundle ID: TeamID.BundleID.
The team ID is a 10-character alphanumerical (letters and numbers) string generated by Apple for
your app developers, such as ABCDE12345. Locate your Team ID (opens Apple's web site) has more
information.
The bundle ID uniquely identifies the app, and typically is formatted in reverse domain name
notation. For example, the bundle ID of Finder is com.apple.finder. To find the bundle ID, use the
AppleScript in Terminal:
osascript -e 'id of app "ExampleApp"'

Domains: Enter the website domain to associate with an app. The domain includes a service type
and fully qualified hostname, such as webcredentials:www.contoso.com.
You can match all subdomains of an associated domain by entering *. (an asterisk wildcard and
a period) before the beginning of the domain. The period is required. Exact domains have a higher
priority than wildcard domains. So, patterns from parent domains are matched if a match isn't
found at the fully qualified subdomain.
The service type can be:
authsrv: Single sign-on app extension
applink: Universal link
webcredentials: Password autofill
Enable direct download : Yes downloads the domain data directly from the device, instead of
going through Apple's content delivery network (CDN). When set to Not configured , Intune
doesn't change or update this setting. By default, the OS might download data through Apple's
CDN dedicated to Associated Domains.
This setting applies to:
macOS 11 and newer

TIP
To troubleshoot, on your macOS device, open System Preferences > Profiles . Confirm the profile you created is in the
device profiles list. If it's listed, be sure the Associated Domains Configuration is in the profile, and it includes the
correct app ID and domains.
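To see how the exact-versus-wildcard priority described above plays out, here is an added Python example (not Apple's or Intune's matching code). It validates the TeamID.BundleID app ID and the service:domain entries, then resolves which app serves a given hostname for a given service type. The sample associations are constructed; treating the longest wildcard suffix as the most specific match, and not matching the bare parent domain with a *. pattern, are assumptions made for the example.

```python
import re

SERVICE_TYPES = {"authsrv", "applink", "webcredentials"}   # the three listed on this page
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")                  # e.g. ABCDE12345
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9.-]+$")              # reverse-DNS style

# Constructed sample: two apps from the same team, one exact domain, one wildcard.
ASSOCIATIONS = {
    "ABCDE12345.com.contoso.webapp": ["webcredentials:www.contoso.com", "applink:www.contoso.com"],
    "ABCDE12345.com.contoso.catchall": ["webcredentials:*.contoso.com"],
}


def validate_app_id(app_id):
    """Split TeamID.BundleID and check both halves have the shape Apple issues."""
    team, sep, bundle = app_id.partition(".")
    if not sep or not TEAM_ID_RE.match(team) or not BUNDLE_ID_RE.match(bundle):
        raise ValueError(f"app ID must be TeamID.BundleID, got {app_id!r}")
    return team, bundle


def parse_domain_entry(entry):
    """Parse 'service:host' or 'service:*.host' into (service, host, is_wildcard)."""
    service, sep, domain = entry.partition(":")
    if not sep or service not in SERVICE_TYPES:
        raise ValueError(f"unknown service type in {entry!r}")
    wildcard = domain.startswith("*.")            # '*.' means every subdomain
    host = domain[2:] if wildcard else domain
    if not host or host.startswith(".") or "*" in host:
        raise ValueError(f"malformed domain in {entry!r}")
    return service, host.lower(), wildcard


def match_apps(associations, service, hostname):
    """App IDs that serve `hostname` for `service`; exact entries beat wildcard entries."""
    hostname = hostname.lower().rstrip(".")
    exact, wild = [], []                          # wild holds (suffix length, app_id)
    for app_id, entries in associations.items():
        validate_app_id(app_id)
        for entry in entries:
            svc, host, wildcard = parse_domain_entry(entry)
            if svc != service:
                continue
            if not wildcard and host == hostname:
                exact.append(app_id)
            elif wildcard and hostname.endswith("." + host):
                wild.append((len(host), app_id))
    if exact:
        return exact
    if wild:                                      # assumption: longest suffix is most specific
        best = max(length for length, _ in wild)
        return [app for length, app in wild if length == best]
    return []


if __name__ == "__main__":
    for host in ("www.contoso.com", "mail.contoso.com", "contoso.com"):
        print(host, "->", match_apps(ASSOCIATIONS, "webcredentials", host))
```

Running the same hostnames through the function with a different service type (for example applink) shows that a domain entry only counts for the service it was entered with, which is the usual cause of a profile that installs cleanly but never triggers autofill.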

Content caching
Content caching saves a local copy of content. This information can be retrieved by other Apple devices without
connecting to the Internet. This caching accelerates downloads by saving software updates, apps, photos, and
other content the first time they're downloaded. Since apps are downloaded once and shared to other devices,
schools and organizations with many devices save bandwidth.

NOTE
Only use one profile for these settings. If you assign multiple profiles with these settings, an error occurs.
For more information on monitoring content caching, see View content caching logs and statistics (opens Apple's web
site).

This setting applies to:
macOS 10.13.4 and newer
Settings apply to: All enrollment types
For more information on these settings, see Content Caching payload settings (opens Apple's web site).
Enable content caching : Yes turns on content caching, and users can't disable it. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might turn it off.
Type of content to cache : Your options:
All content : Caches iCloud content and shared content.
User content only : Caches user's iCloud content, including photos and documents.
Shared content only : Caches apps and software updates.
Maximum cache size : Enter the maximum amount of disk space (in bytes) that's used to cache content.
When left blank (default), Intune doesn't change or update this setting. By default, the OS might set this
value to zero ( 0 ) bytes, which gives unlimited disk space to the cache.
Be sure you don't exceed the space available on the devices. For more information on device storage
capacity, see How iOS and macOS report storage capacity (opens Apple's web site).
Cache location : Enter the path to store the cached content. The default location is
/Library/Application Support/Apple/AssetCache/Data . It's recommended that you don't change this
location.
If you change this setting, your cached content isn't moved to the new location. To move it automatically,
users need to change the location on the device (System Preferences > Sharing > Content Caching ).
Port: Enter the TCP port number on devices for the cache to accept download and upload requests, from
0-65535. Enter zero (0) (default) to use whatever port is available.
Block internet connection and cache content sharing : Also known as tethered caching. Yes
prevents Internet connection sharing, and prevents sharing cached content with iOS/iPadOS devices USB-
connected to their Mac. Users can't enable this feature. When set to Not configured (default), Intune
doesn't change or update this setting.
Enable internet connection sharing : Also known as tethered caching. Yes allows Internet connection
sharing, and allows sharing cached content with iOS/iPadOS devices USB-connected to their Mac. Users
can't disable this feature. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might turn this off.
This setting applies to:
macOS 10.15.4 and newer
Enable cache to log client details: Yes logs the IP address and port number of the devices that
request content. If you're troubleshooting device issues, this log file may help. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might not log this
information.
Always keep content from the cache, even when the system needs disk space for other apps :
Yes keeps the cache content, and makes sure nothing is deleted, even when disk space is low. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might purge
content from the cache automatically when it needs storage space for other apps.
This setting applies to:
macOS 10.15 and newer
Show status alerts: Yes shows alerts as system notifications. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might not show these alerts as system
notifications.
This setting applies to:
macOS 10.15 and newer
Prevent the device from sleeping while caching is turned on : Yes prevents the computer from
going to sleep when caching is on. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow the device to sleep.
This setting applies to:
macOS 10.15 and newer
Devices to cache : Choose the devices that can cache content. Your options:
Not configured (default): Intune doesn't change or update this setting.
Devices using the same local network : The content cache offers content to devices on the same
immediate local network. No content is offered to devices on other networks, including devices
reachable by the content cache.
Devices using the same public IP address : The content cache offers content to devices using the
same public IP address. No content is offered to devices on other networks, including devices
reachable by the content cache.
Devices using custom local networks: The content cache provides content to devices in the IP
ranges you enter.
Client listen ranges : Enter the range of IP addresses that can receive the content cache.
Devices using custom local networks with fallback : The content cache provides content to
devices in the listen ranges, peer listen ranges, and parents IP addresses.
Client listen ranges : Enter the range of IP addresses that can receive the content cache.
Custom public IP addresses : Enter a range of public IP addresses. The cloud servers use this range to
match client devices to caches.
Share content with other caches : When your network has more than one content cache, the content
caches on other devices automatically become peers. These devices can consult and share cached
software.
When a requested item isn’t available on one content cache, it checks its peers for the item. If the item is
available, it’s downloaded from the content cache on the peer device. If it’s still not available, the content
cache downloads the item from:
A parent IP address, if any are configured
OR,
From Apple through the Internet
When more than one content cache is available, devices automatically select the right content cache.
Your options:
Not configured (default): Intune doesn't change or update this setting.
Content caches using the same local networks : Content cache only peers with other content
caches on the same immediate local network.
Content caches using the same public IP address : Content cache only peers with other
content caches on the same public IP address.
Content caches using custom local networks : Content cache only peers with other content
caches in the IP address listen range you enter:
Peer listen ranges : Enter the IPv4 or IPv6 start and ending IP addresses for your range. The
content cache responds only to peer cache requests from content caches in the IP address
ranges you enter.
Peer filter ranges : Enter the IPv4 or IPv6 start and ending IP addresses for your range. The
content cache filters its list of peers using the IP address ranges you enter.
Parent IP addresses : Enter the local IP address of another content cache to add as a parent cache. Your
cache uploads and downloads content to these caches, instead of uploading/downloading directly with
Apple. Only add a parent IP address once.
Parent selection policy : When there are many parent caches, select how the parent IP address is
chosen. Your options:
Not configured (default): Intune doesn't change or update this setting.
Round robin : Use the parent IP addresses in order. This option is good for load-balancing scenarios.
First available : Always use the first available IP address in the list.
Hash : Creates a hash value for the path portion of the requested URL. This option makes sure the
same parent IP address is always used for the same URL.
Random : Randomly use an IP address in the list. This option is good for load-balancing scenarios.
Sticky available : Always use the first IP address in the list. If it's not available, then use the second IP
address in the list. Continue to use the second IP address until it's not available, and so on.
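The five parent selection policies differ mainly in how they react when a parent cache goes down and comes back. The following Python class is an added illustration, not Apple's implementation: it models each policy over a constructed list of parent addresses with an injectable availability check, so the difference between First available (which returns to the first parent once it recovers) and Sticky available (which stays on the parent it moved to) can be observed. Skipping unavailable parents in Round robin, wrapping the sticky cursor after the last parent, and using SHA-256 in place of the undocumented hash function are assumptions.

```python
import hashlib
import random
from urllib.parse import urlsplit


class ParentSelector:
    """Models the five 'Parent selection policy' options for a list of parent caches.

    parents:   parent cache IP addresses in the configured order
    available: callable(ip) -> bool, True when that parent currently answers
    rng:       random source for the Random policy (inject one for reproducible tests)
    """

    def __init__(self, parents, available=lambda ip: True, rng=None):
        self.parents = list(parents)
        self.available = available
        self.rng = rng or random.Random()
        self._rr = 0        # round robin cursor
        self._sticky = 0    # sticky available cursor

    def round_robin(self):
        """Next parent in configured order; assumption: parents that are down are skipped."""
        for _ in range(len(self.parents)):
            parent = self.parents[self._rr % len(self.parents)]
            self._rr += 1
            if self.available(parent):
                return parent
        return None

    def first_available(self):
        """Re-scan from the top every time, so a recovered first parent is used again."""
        return next((p for p in self.parents if self.available(p)), None)

    def by_hash(self, url):
        """Same URL path -> same parent. Assumption: SHA-256 stands in for the OS's
        undocumented hash; only the path part of the URL is hashed, as the page says."""
        if not self.parents:
            return None
        digest = hashlib.sha256(urlsplit(url).path.encode()).digest()
        return self.parents[int.from_bytes(digest[:8], "big") % len(self.parents)]

    def by_random(self):
        """Any parent that is currently up, chosen at random."""
        up = [p for p in self.parents if self.available(p)]
        return self.rng.choice(up) if up else None

    def sticky_available(self):
        """Stay on the current parent until it fails, then move on and do not fall back
        (assumption: the cursor wraps to the top after the last parent)."""
        for _ in range(len(self.parents)):
            parent = self.parents[self._sticky]
            if self.available(parent):
                return parent
            self._sticky = (self._sticky + 1) % len(self.parents)
        return None


if __name__ == "__main__":
    # Constructed demo: three parents, the first one fails and then recovers.
    state = {"10.0.0.1": True, "10.0.0.2": True, "10.0.0.3": True}
    sel = ParentSelector(state, available=lambda ip: state[ip], rng=random.Random(1))
    print("first/sticky while all up:", sel.first_available(), sel.sticky_available())
    state["10.0.0.1"] = False
    print("first/sticky with .1 down:", sel.first_available(), sel.sticky_available())
    state["10.0.0.1"] = True
    print("first/sticky after recovery:", sel.first_available(), sel.sticky_available())
```

The hash policy is the one to reach for when a parent caches only part of the catalogue: because the selection depends only on the request path, every client behind the same policy asks the same parent for the same package, so each parent ends up holding a consistent subset instead of all of them fetching everything from Apple.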
Login items
Settings apply to: All enrollment types
Add the files, folders, and custom apps that will launch at login : Add the path of a file, folder,
custom app, or system app that opens when users sign in to their devices. Also enter:
Path of item : Enter the path to the file, folder, or app. System apps, or apps built or customized for
your organization are typically in the Applications folder, with a path similar to
/Applications/AppName.app .

You can add many files, folders, and apps. For example, enter:
/Applications/Calculator.app
/Applications
/Applications/Microsoft Office/root/Office16/winword.exe
/Users/UserName/music/itunes.app
When adding any app, folder, or file, be sure to enter the correct path. Not all items are in the
Applications folder. If users move an item from one location to another, then the path changes.
This moved item won't be opened when the user signs in.
Hide : Choose to show or hide the app. Your options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS
might show items in the Users & Groups login items list with the hide option unchecked.
Yes : Hides the app in the Users & Groups login items list.

Login window
Settings apply to: All enrollment types
Show additional information in the menu bar : When the time area on the menu bar is selected, Yes
shows the host name and macOS version. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might not show this information on the menu bar.
Banner : Enter a message that's shown on the sign in screen on devices. For example, enter your
organization information, a welcome message, lost and found information, and so on.
Require username and password text fields : Choose how users sign in to devices. Yes requires
users to enter a username and password. When set to Not configured , Intune doesn't change or update
this setting. By default, the OS may require users to select their username from a list, and then type their
password.
Also enter:
Hide local users : Yes hides the local user accounts in the user list, which may include the standard
and admin accounts. Only the network and system user accounts are shown. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might show the
local user accounts in the user list.
Hide mobile accounts : Yes hides mobile accounts in the user list. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might show the mobile
accounts in the user list. Some mobile accounts may show as network users.
Show network users : Select Yes to list the network users in the user list. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might not show
the network user accounts in the user list.
Hide computer's administrators : Yes hides the administrator user accounts in the user list. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might show the administrator user accounts in the user list.
Show other users : Select Yes to list Other... users in the user list. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might not show the other
user accounts in the user list.
Hide shut down button : Yes hides the shutdown button on the sign in screen. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might show the
shutdown button.
Hide restart button: Yes hides the restart button on the sign in screen. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might show the restart button.
Hide sleep button : Yes hides the sleep button on the sign in screen. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might show the sleep button.
Disable user login from Console : Yes hides the macOS command line used to sign in. For typical
users, set this setting to Yes . When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow advanced users to sign in using the macOS command line. To
enter console mode, users enter >console in the Username field, and must authenticate in the console
window.
Disable Shut Down while logged in : Yes prevents users from selecting the Shutdown option after
they sign in. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to select the Shutdown menu item on devices.
Disable Restart while logged in: Yes prevents users from selecting the Restart option after they sign
in. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow users to select the Restart menu item on devices.
Disable Power Off while logged in : Yes prevents users from selecting the Power off option after
they sign in. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to select the Power off menu item on devices.
Disable Log Out while logged in (macOS 10.13 and later): Yes prevents users from selecting the Log
out option after they sign in. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow users to select the Log out menu item on devices.
Disable Lock Screen while logged in (macOS 10.13 and later): Yes prevents users from selecting the
Lock screen option after they sign in. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to select the Lock screen menu item on devices.

Single sign-on app extension
This setting applies to:
macOS 10.15 and newer
Settings apply to: User approved device enrollment, and Automated device enrollment
SSO app extension type : Choose the type of SSO app extension. Your options:
Not configured : App extensions aren't used. To disable an app extension, switch the SSO app
extension type to Not configured .
Microsoft Azure AD : Uses the Microsoft Enterprise SSO plug-in, which is a redirect-type SSO
app extension. This plug-in provides SSO for Active Directory accounts across all macOS
applications that support Apple’s Enterprise Single Sign-On feature. Use this SSO app extension
type to enable SSO on Microsoft apps, organization apps, and websites that authenticate using
Azure AD.
The SSO plug-in acts as an advanced authentication broker that offers security and user
experience improvements.

IMPORTANT
The Microsoft Azure AD SSO extension is in public preview. This preview version is provided
without a service level agreement (SLA). It's not recommended to use in production. Certain
features might not be supported, or might have restricted behavior. For more information, see
Supplemental Terms of Use for Microsoft Azure Previews.
To achieve SSO with the Microsoft Azure AD SSO app extension type, install the macOS Company
Portal app on devices. The Company Portal app delivers the Microsoft Enterprise SSO plug-in to
devices. The MDM SSO app extension settings activate the plug-in. After the Company Portal app
and the SSO app extension profile are installed on devices, users sign in with their credentials, and
create a session on their devices. This session is used across different applications without requiring
users to authenticate again.
For more information about the Company Portal app, see What happens if you install the
Company Portal app and enroll your macOS device in Intune.
You can also download the Company Portal app.

Redirect : Use a generic, customizable redirect app extension to use SSO with modern
authentication flows. Be sure you know the extension and team ID for your organization's app
extension.
Credential : Use a generic, customizable credential app extension to use SSO with challenge-and-
response authentication flows. Be sure you know the extension ID and team ID for your
organization's SSO app extension.
Kerberos : Use Apple's built-in Kerberos extension, which is included on macOS Catalina 10.15 and
newer. This option is a Kerberos-specific version of the Credential app extension.

TIP
With the Redirect and Credential types, you add your own configuration values to pass through the extension.
If you're using Credential, consider using the built-in configuration settings provided by Apple in the Kerberos
type.

Extension ID (Redirect, Credential): Enter the bundle identifier that identifies your SSO app extension,
such as com.apple.ssoexample .
Team ID (Redirect, Credential): Enter the team identifier of your SSO app extension. A team identifier is a
10-character alphanumerical (numbers and letters) string generated by Apple, such as ABCDE12345 .
Locate your Team ID (opens Apple's website) has more information.
Realm (Credential, Kerberos): Enter the name of your authentication realm. The realm name should be
capitalized, such as CONTOSO.COM . Typically, your realm name is the same as your DNS domain name, but
in all uppercase.
Domains (Credential, Kerberos): Enter the domain or host names of the sites that can authenticate
through SSO. For example, if your website is mysite.contoso.com , then mysite is the host name, and
.contoso.com is the domain name. When users connect to any of these sites, the app extension handles
the authentication challenge. This authentication allows users to use Face ID, Touch ID, or Apple
pincode/passcode to sign in.
All the domains in your single sign-on app extension Intune profiles must be unique. You can't repeat
a domain in any sign-on app extension profile, even if you're using different types of SSO app
extensions.
These domains aren't case-sensitive.
The domain must start with a period ( . ).
URLs (Redirect only): Enter the URL prefixes of your identity providers on whose behalf the redirect app
extension uses SSO. When users are redirected to these URLs, the SSO app extension intervenes, and
prompts for SSO.
All the URLs in your Intune single sign-on app extension profiles must be unique. You can't repeat a
domain in any SSO app extension profile, even if you're using different types of SSO app extensions.
The URLs must begin with http:// or https:// .
Additional configuration (Microsoft Azure AD, Redirect, Credential): Enter additional extension-specific
data to pass to the SSO app extension:
Key : Enter the name of the item you want to add, such as user name .
Type : Enter the type of data. Your options:
String
Boolean: In Configuration value , enter True or False .
Integer: In Configuration value , enter a number.
Value : Enter the data.
Add : Select to add your configuration keys.
Keychain usage (Kerberos only): Choose Block to prevent passwords from being saved and stored in
the keychain. If blocked, users aren't prompted to save their password, and need to reenter the password
when the Kerberos ticket expires. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow passwords to be saved and stored in the keychain.
Users aren't prompted to reenter their password when the ticket expires.
Face ID, Touch ID, or passcode (Kerberos only): Require forces users to enter their Face ID, Touch ID,
or device passcode when the credential is needed to refresh the Kerberos ticket. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might not require
users to use biometrics or device passcode to refresh the Kerberos ticket. If Keychain usage is blocked,
then this setting doesn't apply.
Default realm (Kerberos only): Choose Enable to set the Realm value you entered as the default realm.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might not set a default realm.

TIP
Enable this setting if you're configuring multiple Kerberos SSO app extensions in your organization.
Enable this setting if you're using multiple realms. It sets the Realm value you entered as the default realm.
If you only have one realm, leave it Not configured (default).

Autodiscover (Kerberos only): When set to Block , the Kerberos extension doesn't automatically use
LDAP and DNS to determine its Active Directory site name. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow the extension to
automatically find the Active Directory site name.
Password changes (Kerberos only): Block prevents users from changing the passwords they use to
sign in to the domains you entered. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow password changes.
Password sync (Kerberos only): Choose Enable to sync your users' local passwords to Azure AD. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
disable password sync to Azure AD. Use this setting as an alternative or backup to SSO. This setting
doesn't work if users are signed in with an Apple mobile account.
Windows Server Active Directory password complexity (Kerberos only): Choose Require to force
user passwords to meet Active Directory's password complexity requirements. On devices, this setting
shows a pop-up window with check boxes so users see they're completing the password requirements. It
helps users know what they need to enter for the password. For more information, see Password must
meet complexity requirements. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might not require users to meet Active Directory's password requirement.
Minimum password length (Kerberos only): Enter the minimum number of characters that can make
up users' passwords. When set to Not configured (default), Intune doesn't change or update this setting.
By default, the OS might not enforce a minimum password length on the users.
Password reuse limit (Kerberos only): Enter the number of new passwords, from 1-24, that are used
until a previous password can be reused on the domain. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might not enforce a password reuse limit.
Minimum password age (Kerberos only): Enter the number of days that a password is used on the
domain before users can change it. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might not enforce a minimum age of passwords before they can be
changed.
Password expiration notification (Kerberos only): Enter the number of days before a password
expires that users get notified that their password will expire. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might use 15 days.
Password expiration (Kerberos only): Enter the number of days before the device password must
change. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might never expire passwords.
Password change URL (Kerberos only): Enter the URL that opens when users start a Kerberos
password change.
Principal name (Kerberos only): Enter the username of the Kerberos principal. You don't need to include
the realm name. For example, in user@contoso.com , user is the principal name, and contoso.com is the
realm name.

TIP
You can also use variables in the principal name by entering curly brackets {{ }} . For example, to show the
username, enter Username: {{username}} .
However, be careful with variable substitution because variables aren't validated in the UI and they are case
sensitive. Be sure to enter the correct information.

Active Directory site code (Kerberos only): Enter the name of the Active Directory site that the
Kerberos extension should use. You may not need to change this value, as the Kerberos extension may
automatically find the Active Directory site code.
Cache name (Kerberos only): Enter the Generic Security Services (GSS) name of the Kerberos cache. You
most likely don't need to set this value.
Password requirements message (Kerberos only): Enter a text version of your organization's
password requirements that's shown to users. The message shows if you don't require Active Directory's
password complexity requirements, or don't enter a minimum password length.
Enable shared device mode (Microsoft Azure AD only): Select Yes if you're deploying the Microsoft
Enterprise SSO plug-in to macOS devices configured for Azure AD's shared device mode feature. Devices
in shared mode allow many users to globally sign in and out of applications that support shared device
mode. When set to Not configured , Intune doesn't change or update this setting.
When set to Yes , all existing user accounts are wiped from the devices. To avoid data loss, or prevent a
factory reset, make sure you understand how this setting changes your devices.
For more information about shared device mode, see Overview of shared device mode.
App bundle IDs (Microsoft Azure AD, Kerberos): Add the app bundle identifiers that should use single
sign-on on your devices. These apps are granted access to the Kerberos Ticket Granting Ticket and the
authentication ticket. The apps also authenticate users to services they're authorized to access.
Domain realm mapping (Kerberos only): Add the domain DNS suffixes that should map to your realm.
Use this setting when the DNS names of the hosts don't match the realm name. You most likely don't
need to create this custom domain-to-realm mapping.
PKINIT certificate (Kerberos only): Select the Public Key Cryptography for Initial Authentication
(PKINIT) certificate that can be used for Kerberos authentication. You can choose from PKCS or SCEP
certificates that you've added in Intune. For more information about certificates, see Use certificates for
authentication in Microsoft Intune.
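As an added example that is not part of the Intune documentation, this POSIX shell script checks a planned set of Realm, Domains and URLs values against the rules listed above (uppercase realm, leading period on domains, http:// or https:// prefix on URLs, and uniqueness across all SSO app extension profiles regardless of their type) before you enter them in the portal. The input format and the sample profile names and values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Intune documentation: lint the Realm, Domains and
# URLs values planned for several SSO app extension profiles against the rules
# in the settings reference above. Input is one entry per line, in a format
# constructed for this example:
#   <profile> <field> <value>      where field is realm | domain | url

# Constructed sample: a Kerberos profile, a Credential profile and a Redirect
# profile. Several entries are deliberately wrong.
SSO_ENTRIES='kerb-contoso realm CONTOSO.COM
kerb-contoso domain .contoso.com
kerb-contoso domain mysite.contoso.com
cred-fabrikam realm fabrikam.com
cred-fabrikam domain .Fabrikam.com
cred-fabrikam domain .Contoso.com
redirect-aad url https://login.microsoftonline.com/
redirect-aad url login.microsoftonline.com/'

# Print one line per rule violation (nothing when every entry is valid).
# Exit status 0 when clean, 1 when at least one violation was found.
lint_sso_entries() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        $2 == "realm" && $3 != toupper($3) {
            printf "%s: realm %s should be uppercase\n", $1, $3; bad = 1
        }
        $2 == "domain" && substr($3, 1, 1) != "." {
            printf "%s: domain %s must start with a period\n", $1, $3; bad = 1
        }
        $2 == "domain" {
            key = tolower($3)            # domains are not case-sensitive
            if (key in seen_domain) {
                printf "%s: domain %s already used by profile %s\n", $1, $3, seen_domain[key]
                bad = 1
            } else {
                seen_domain[key] = $1    # must be unique across all profiles, whatever their type
            }
        }
        $2 == "url" && $3 !~ /^https?:\/\// {
            printf "%s: URL %s must begin with http:// or https://\n", $1, $3; bad = 1
        }
        $2 == "url" {
            if ($3 in seen_url) {
                printf "%s: URL %s already used by profile %s\n", $1, $3, seen_url[$3]
                bad = 1
            } else {
                seen_url[$3] = $1
            }
        }
        END { exit bad }
    '
}

lint_sso_entries "$SSO_ENTRIES" || echo "fix the entries above before creating the profiles"
```

Run the check over the combined values of every SSO app extension profile you plan to assign, since the portal does not flag a domain that an unrelated profile of a different type already uses.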

Next steps
Assign the profile and monitor its status.
You can also configure device features on iOS/iPadOS.
macOS device settings to allow or restrict features using Intune
3/15/2021 • 21 minutes to read

This article describes the settings you can control and restrict on macOS devices. As part of your mobile device
management (MDM) solution, use these settings to allow or disable features, set password rules, allow or
restrict specific apps, and more.
These settings are added to a device configuration profile in Intune, and then assigned or deployed to your
macOS devices.

NOTE
The user interface may not match the enrollment types in this article. The information in this article is correct. The user
interface is being updated in an upcoming release.

Before you begin


Create a macOS device restrictions configuration profile.

NOTE
These settings apply to different enrollment types. For more information on the different enrollment types, see macOS
enrollment.

Built-in Apps
Settings apply to: All enrollment types
Block Safari AutoFill : Yes disables the autofill feature in Safari on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow users
to change autocomplete settings in the web browser.
Block use of camera : Yes prevents access to the camera on devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow access to the device
camera.
Intune only manages access to the device camera. It doesn't have access to pictures or videos.
Block Apple Music : Yes reverts the Music app to classic mode, and disables the Music service. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
using the Apple Music app.
Block spotlight suggestions : Yes stops Spotlight from returning any results from an Internet search.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow Spotlight search to connect to the Internet, and get search results.
Block file transfer using Finder or iTunes : Yes disables application file sharing services. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
application file sharing services.
This feature applies to:
macOS 10.13 and newer

Cloud and storage


Settings apply to: All enrollment types
Block iCloud Keychain sync : Yes disables syncing credentials stored in the Keychain to iCloud. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow users to sync these credentials.
Block iCloud Desktop and Document Sync : Yes prevents iCloud from syncing documents and data.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow document and key-value synchronization to your iCloud storage space.
Block iCloud Mail Backup : Yes prevents iCloud from syncing to the macOS Mail app. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow Mail
synchronization to iCloud.
Block iCloud Contact Backup : Yes prevents iCloud from syncing the device contacts. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow contact
sync using iCloud.
Block iCloud Calendar Backup : Yes prevents iCloud from syncing to the macOS Calendar app. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow Calendar synchronization to iCloud.
Block iCloud Reminder Backup : Yes prevents iCloud from syncing to the macOS Reminders app.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow Reminders synchronization to iCloud.
Block iCloud Bookmark Backup : Yes prevents iCloud from syncing the device Bookmarks. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
Bookmark synchronization to iCloud.
Block iCloud Notes Backup : Yes prevents iCloud from syncing the device Notes. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow Notes
synchronization to iCloud.
Block iCloud Photos backup : Yes disables iCloud Photo Library, and prevents iCloud from syncing the
device photos. Any photos not fully downloaded from iCloud Photo Library are removed from local
storage on devices. When set to Not configured (default), Intune doesn't change or update this setting.
By default, the OS might allow syncing photos between the device and the iCloud Photo Library.
Block Handoff : This feature allows users to start work on a macOS device, and then continue the work
they started on another iOS/iPadOS or macOS device. Yes prevents the Handoff feature on devices.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow this feature on devices.
This feature applies to:
macOS 10.15 and newer

Connected devices
Settings apply to: All enrollment types
Block AirDrop : Yes prevents using AirDrop on devices. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow using the AirDrop feature to exchange
content with nearby devices.
Block Apple Watch auto unlock : Yes prevents users from unlocking their macOS device with their Apple
Watch. When set to Not configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to unlock their macOS device with their Apple Watch.

Domains
Settings apply to: All enrollment types
Unmarked Email Domains : Add one or more email domains to the list. When users send or
receive an email from a domain other than the domains you added, the email is marked as untrusted in the
macOS Mail app.

General
Settings apply to: All enrollment types
Block Lookup : Yes prevents users from highlighting a word, and then looking up its definition on the
device. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow the definition lookup feature.
Block dictation : Yes stops users from using voice input to enter text. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow users to use
dictation input.
Block content caching : Yes prevents content caching. Content caching stores app data, web browser
data, downloads, and more locally on devices. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might enable content caching.
For more information on content caching on macOS, see Manage content caching on Mac (opens another
website).
This feature applies to:
macOS 10.13 and newer
Block screenshots and screen recording : Device must be enrolled in Apple's Automated Device
Enrollment (DEP). Yes prevents users from saving screenshots of the display. It also prevents the
Classroom app from observing remote screens. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to capture screenshots, and allows the
Classroom app to view remote screens.
Settings apply to: User approved device enrollment, Automated device enrollment (supervised)
Defer software updates : Yes allows you to delay when OS updates and non-OS updates are shown on
devices. This setting doesn't control when updates are or aren't installed. When nothing is selected, Intune
doesn't change or update this setting.
By default, the OS might show updates on devices as Apple releases them. By default, software updates
aren't delayed. If you configure this setting, then OS and non-OS software updates are delayed,
depending on the options you select. The drop-down does exactly what you choose. It can delay both,
delay neither, or delay one of them.
For example, if a macOS update gets released by Apple on a specific date, then that update naturally
shows on devices around the release date. Seed build updates are allowed without delay.
Delay visibility of software updates : Enter a value from 0-90 days. By default, updates are
delayed for 30 days. This value applies to the Defer software updates options you select. If you
only select Operating system updates , then only OS updates are delayed for 30 days. If you
select Operating system updates and Non operating system updates , then both are
delayed for 30 days.
When the delay expires, users get a notification to update to the earliest version available when the
delay was triggered.
For example, if a macOS update is available on January 1 , and Delay visibility is set to 5 days ,
then the update isn't shown as an available update. On the sixth day following the release, that
update is available, and users can install it.
This feature applies to:
macOS 10.13.4 and newer
Settings apply to: Automated device enrollment
Disable AirPlay, view screen by Classroom app, and screen sharing : Yes blocks AirPlay, and
prevents screen sharing to other devices. It also prevents teachers from using the Classroom app to see
their students' screens. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow teachers to see their students' screens.
To use this setting, set the Block screenshots and screen recording setting to Not configured
(screenshots are allowed).
Allow Classroom app to perform AirPlay and view screen without prompting : Yes lets teachers
see their students' screens without requiring students to agree. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might require students to agree before
teachers can see the screens.
To use this setting, set the Block screenshots and screen recording setting to Not configured
(screenshots are allowed).
Require teacher permission to leave Classroom app unmanaged classes : Yes forces students
enrolled in an unmanaged Classroom course to get teacher approval to leave the course. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
students to leave the course whenever the student chooses.
Allow Classroom to lock the device without prompting : Yes lets teachers lock a student's device or
app without the student's approval. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might require students to agree before teachers can lock the device or
app.
Students can automatically join Classroom class without prompting : Yes lets students join a
class without prompting the teacher. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might require teacher approval to join a class.

Password
These settings use the Passcode payload (opens Apple's web site).
IMPORTANT
On macOS devices running 10.14.2 to 11.x (except all versions of macOS 10.15 Catalina), users are prompted to
change the device password when the device updates to a new major OS version. This password update happens
once. After users update the password, any other password policies are enforced. If a passcode is required in at
least one policy, then this behavior only occurs for the local machine user.
Any time the password policy is updated, all users running these macOS versions must change the password, even
if the current password is compliant with the new requirements. For example, when your macOS device turns on
after upgrading to Big Sur (macOS 11), users need to change the device password before they can sign in.

Settings apply to: All enrollment types


Require password : Yes requires users to enter a password to access devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might not require a
password. It also doesn't force any restrictions, such as blocking simple passwords or setting a minimum
length.
Required password type : Enter the required password complexity level your organization
requires. When left blank, Intune doesn't change or update this setting. Your options:
Not configured : Uses the device default.
Alphanumeric : Includes uppercase letters, lowercase letters, and numeric characters.
Numeric : Password must only be numbers, such as 123456789.
This feature applies to:
macOS 10.10.3 and newer
Number of non-alphanumeric characters in password : Enter the number of complex
characters required in the password, from 0-4. A complex character is a symbol, such as ? . When
left blank or set to Not configured , Intune doesn't change or update this setting.
Minimum password length : Enter the minimum length the password must have, from 4-16
characters. When left blank, Intune doesn't change or update this setting.
Block simple passwords : Yes prevents using simple passwords, such as 0000 or 1234 . When
the value is blank or set to Not configured , Intune doesn't change or update this setting. By
default, the OS might allow simple passwords.
Maximum minutes of inactivity until screen locks : Enter the length of time devices must be
idle before the screen is automatically locked. For example, enter 5 to lock devices after 5
minutes of being idle. When the value is blank or set to Not configured , Intune doesn't change or
update this setting.
Maximum minutes after screen lock before password is required : Enter the length of time
devices must be inactive before a password is required to unlock it. When the value is blank or set
to Not configured , Intune doesn't change or update this setting.
Password expiration (days) : Enter the number of days until the device password must be
changed, from 1-65535. For example, enter 90 to expire the password after 90 days. When the
password expires, users are prompted to create a new password. When the value is blank or set to
Not configured , Intune doesn't change or update this setting.
Prevent reuse of previous passwords : Restrict users from creating previously used passwords.
Enter the number of previously used passwords that can't be used, from 1-24. For example, enter 5
so users can't set a new password to their current password or any of their previous four
passwords. When the value is blank, Intune doesn't change or update this setting.
Maximum allowed sign-in attempts : Enter the maximum number of times that users can
consecutively try to sign in before the device locks users out, from 2-11. When this number is
exceeded, the device is locked. We recommend not setting this value to a low number, such as 2
or 3 . It's common for users to enter the wrong password. We recommend setting to a higher
value.
For example, enter 5 so users can enter the wrong password up to five times. After the fifth
attempt, the device is locked. If you leave this value blank, or don't change it, then 11 is used by
default.
After six failed attempts, macOS automatically forces a time delay before a passcode can be
entered again. The delay increases with each attempt. Set the Lockout duration to add a delay
before the next passcode can be entered.
Lockout duration : Enter the number of minutes a lockout lasts, from 0-10000. During a
device lockout, the sign-in screen is inactive, and users can't sign in. When the lockout ends,
users can try to sign in again.
If you leave this value blank, or don't change it, then 30 minutes is used by default.
This setting applies to:
macOS 10.10 and newer
Block user from modifying passcode : Yes stops the passcode from being changed, added, or
removed. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow passcodes to be added, changed, or removed.
Block Touch ID to unlock device : Yes prevents using fingerprints to unlock devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow users
to unlock the device using a fingerprint.
Block password AutoFill : Yes prevents using the AutoFill Passwords feature on macOS. Choosing Yes
also has the following impact:
Users aren't prompted to use a saved password in Safari or in any apps.
Automatic Strong Passwords are disabled, and strong passwords aren't suggested to users.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow these features.
Block password proximity requests : Yes prevents devices from requesting passwords from nearby
devices. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow these password requests.
Block password sharing : Yes prevents sharing passwords between devices using AirDrop. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
passwords to be shared.

Privacy preferences
On macOS devices, apps and processes often prompt users to allow or deny access to device features, such as
the camera, microphone, calendar, Documents folder, and more. These settings allow administrators to pre-
approve or pre-deny access to these device features. When you configure these settings, you manage data
access consent on behalf of your users. Your settings override their previous decisions.
The goal of these settings is to reduce the number of prompts by apps and processes.
This feature applies to:
macOS 10.14 and newer
Some settings apply to macOS 10.15 and newer.
These settings only apply on devices that have the privacy preferences profile installed before being
upgraded.
Settings apply to: User approved device enrollment, Automated device enrollment
Apps and processes : Add apps or processes to configure access. Also enter:
Name : Enter a name for your app or process. For example, enter Microsoft Remote Desktop or
Microsoft 365 .

Identifier type : Your options:


Bundle ID : Select this option for apps.
Path : Select this option for non-bundled binaries, which is a process or executable.
Helper tools embedded within an application bundle automatically inherit the permissions of their
enclosing application bundle.
Identifier : Enter the app bundle ID, or the installation file path of the process or executable. For
example, enter com.contoso.appname .
To get the app bundle ID, open the Terminal app, and run the codesign command. The same command
also displays the code signature, so you can get the bundle ID and the code signature at the same time.
Code requirement : Enter the code signature for the application or process.
A code signature is created when an app or binary is signed by a developer certificate. To find the
designation, run the codesign command manually in the Terminal app:
codesign --display -r - /path/to/app/binary . The code signature is everything that appears after
=> .

Enable static code validation : Choose Yes for the app or process to statically validate the code
requirement. When set to Not configured , Intune doesn't change or update this setting.
Enable this setting only if the process invalidates its dynamic code signature. Otherwise, use Not
configured .
Block Camera : Yes prevents the app from accessing the system camera. You can't allow access to
the camera. When set to Not configured , Intune doesn't change or update this setting.
Block Microphone : Yes prevents the app from accessing the system microphone. You can't allow
access to the microphone. When set to Not configured , Intune doesn't change or update this
setting.
Block screen recording : Yes blocks the app from capturing the contents of the system display.
You can't allow access to screen recording and screen capture. When set to Not configured ,
Intune doesn't change or update this setting.
Requires macOS 10.15 and newer.
Block input monitoring : Yes blocks the app from using CoreGraphics and HID APIs to listen to
CGEvents and HID events from all processes. Yes also denies apps and processes from listening to
and collecting data from input devices, such as a mouse, keyboard, or trackpad. You can't allow
access to the CoreGraphics and HID APIs.
When set to Not configured , Intune doesn't change or update this setting.
Requires macOS 10.15 and newer.
Speech recognition : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access the system speech recognition, and allows sending speech data
to Apple.
Block : Prevents the app from accessing the system speech recognition, and prevents sending
speech data to Apple.
Requires macOS 10.15 and newer.
Accessibility : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access to the system Accessibility app. This app includes closed
captions, hover text, and voice control.
Block : Prevents the app from accessing the system Accessibility app.
Contacts : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access contact information managed by the system Contacts app.
Block : Prevents the app from accessing this contact information.
Calendar : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access calendar information managed by the system Calendar app.
Block : Prevents the app from accessing this calendar information.
Reminders : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access reminder information managed by the system Reminders app.
Block : Prevents the app from accessing this reminder information.
Photos : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access the pictures managed by the system Photos app in
~/Pictures/.photoslibrary .
Block : Prevents the app from accessing these pictures.
Media library : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access Apple Music, music and video activity, and the media library.
Block : Prevents the app from accessing this media.
Requires macOS 10.15 and newer.
File provider presence : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access the File Provider app, and know when users are using files
managed by the File Provider. A File Provider app allows other File Provider apps to access the
documents and directories stored and managed by the containing app.
Block : Prevents the app from accessing the File Provider app.
Requires macOS 10.15 and newer.
Full disk access : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access all protected files, including system administration files. Apply
this setting with caution.
Block : Prevents the app from accessing these protected files.
System admin files : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access some files used in system administration.
Block : Prevents the app from accessing these files.
Desktop folder : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access files in the user’s Desktop folder.
Block : Prevents the app from accessing these files.
Requires macOS 10.15 and newer.
Documents folder : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access files in the user’s Documents folder.
Block : Prevents the app from accessing these files.
Requires macOS 10.15 and newer.
Downloads folder : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access files in the user’s Downloads folder.
Block : Prevents the app from accessing these files.
Requires macOS 10.15 and newer.
Network volumes : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access files on network volumes.
Block : Prevents the app from accessing these files.
Requires macOS 10.15 and newer.
Removable volumes : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to access files on removable volumes, such as a hard disk.
Block : Prevents the app from accessing these files.
Requires macOS 10.15 and newer.
System events : Your options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app to use CoreGraphics APIs to send CGEvents to the system event stream.
Block : Prevents the app from using CoreGraphics APIs to send CGEvents to the system event
stream.
Apple events : This setting allows apps to send a restricted Apple event to another app or process.
Select Add to add a receiving app or process. Enter the following information of the receiving app
or process:
Identifier type : Select Bundle ID if the receiving identifier is an application. Select Path if
the receiving identifier is a process or executable.
Identifier : Enter the app bundle ID, or the installation path of the process receiving an
Apple event.
Code requirement : Enter the code signature for the receiving application or process.
A code signature is created when an app or binary is signed by a developer certificate. To
find the designated requirement, run the codesign command manually in the Terminal app:
codesign --display -r - /path/to/app/binary . The code signature is everything that appears
after => .
Access : Allow a macOS Apple Event to be sent to the receiving app or process. Your
options:
Not configured : Intune doesn't change or update this setting.
Allow : Allows the app or process to send the restricted Apple event to the receiving app
or process.
Block : Prevents the app or process from sending a restricted Apple event to the
receiving app or process.
Save your changes.

Restricted apps
Settings apply to: All enrollment types
Type of restricted apps list : Create a list of apps that users aren't allowed to install or use. Your
options:
Not configured (default): Intune doesn't change or update this setting. By default, users might have
access to apps you assign, and built-in apps.
Approved apps : List the apps that users are allowed to install. To stay compliant, users must not
install other apps. Apps that are managed by Intune are automatically allowed, including the Company
Portal app. Users aren't prevented from installing an app that isn't on the approved list. But if they do,
it's reported in Intune.
Prohibited apps : List the apps (not managed by Intune) that users aren't allowed to install and run.
Users aren't prevented from installing a prohibited app. If a user installs an app from this list, it's
reported in Intune.
Apps list : Add apps to your list:
App Bundle ID : Enter the bundle ID of the app. You can add built-in apps and line-of-business
apps. Apple's web site has a list of built-in Apple apps.
To find the URL of an app, open the iTunes App Store, and search for the app. For example, search
for Microsoft Remote Desktop or Microsoft Word . Select the app, and copy the URL. You can also
use iTunes to find the app, and then use the Copy Link task to get the app URL.
App name : Enter a user-friendly name to help you identify the bundle ID. For example, enter
Intune Company Portal app .
Publisher : Enter the publisher of the app.
Import a CSV file with details about the app, including the URL. Use the
<app bundle ID>, <app name>, <app publisher> format. Or, Export to create a list of apps you added, in
the same format.
Next steps
Assign the profile and monitor its status.
You can also restrict device features and settings on iOS/iPadOS devices.
macOS endpoint protection settings in Intune
6/21/2021 • 4 minutes to read

This article shows you the endpoint protection settings that you can configure for devices that run macOS. You
configure these settings by using a macOS device configuration profile for endpoint protection in Intune.

Before you begin

Create a macOS endpoint protection profile.

FileVault
For more information about Apple FileVault settings, see FDEFileVault in the Apple developer content.

IMPORTANT
As of macOS 10.15, FileVault configuration requires user approved MDM enrollment.

Enable FileVault
You can enable Full Disk Encryption using XTS-AES 128 with FileVault on devices that run macOS 10.13
and later.
Not configured (default)
Yes
When Enable FileVault is set to Yes, a personal recovery key is generated for the device during encryption
and the following settings apply to that key:
Escrow location description of personal recovery key
Specify a short message to the user that explains how and where they can retrieve their personal
recovery key. This text is inserted into the message the user sees on their sign in screen when
prompted to enter their personal recovery key if a password is forgotten.
Personal recovery key rotation
Specify how frequently the personal recovery key for a device will rotate. You can select the default
of Not configured , or a value of 1 to 12 months.
Hide recovery key
Choose to hide the personal key from a device user during FileVault 2 encryption.
Not configured (default) – The personal key is visible to the device user during encryption.
Yes - The personal key is hidden from the device user during encryption.
After encryption, device users can view their personal recovery key for an encrypted macOS
device from the following locations:
iOS/iPadOS company portal app
Intune app
company portal website
Android company portal app
To view the key, from the app or website, go to device details of the encrypted macOS device and
select get recovery key.
Disable prompt at sign out
Prevent the prompt to the user that requests they enable FileVault when they sign out. When set to
Disable, the prompt at sign-out is disabled and instead, the user is prompted when they sign in.
Not configured (default)
Yes - Disable the prompt at sign-out.
Number of times allowed to bypass
Set the number of times a user can ignore prompts to enable FileVault before FileVault is required
for the user to sign in.
Not configured - Encryption on the device is required before the next sign-in is allowed.
0 - Require devices to encrypt the next time a user signs in to the device.
1 to 10 - Allow a user to ignore the prompt from 1 to 10 times before requiring encryption on
the device.
No limit, always prompt - The user is prompted to enable FileVault but encryption is never
required.
The default for this setting depends on the configuration of Disable prompt at sign out. When
Disable prompt at sign out is set to Not configured , this setting defaults to Not configured .
When Disable prompt at sign out is set to Yes , this setting defaults to 1 and a value of Not
configured isn't an option.

Firewall
Use the firewall to control connections per-application, rather than per-port. Using per-application settings
makes it easier to get the benefits of firewall protection. It also helps prevent undesirable apps from taking
control of network ports that are open for legitimate apps.
Enable Firewall
Turn on the Firewall on macOS, and then configure how incoming connections are handled in your
environment.
Not configured (default)
Yes
Block all incoming connections
Block all incoming connections except the connections required for basic Internet services, such as DHCP,
Bonjour, and IPSec. This feature also blocks all sharing services, such as File Sharing and Screen Sharing.
If you're using sharing services, then keep this setting as Not configured.
Not configured (default)
Yes
When you set Block all incoming connections to Not configured, you can then configure which apps can
or can't receive incoming connections.
Apps allowed : Configure a list of apps that are allowed to receive incoming connections.
Add apps by bundle ID : Enter the bundle ID of the app. Apple's web site has a list of built-in Apple
apps.
Add store app : Select a store app you previously added in Intune. For more information, see Add
apps to Microsoft Intune.
Apps blocked : Configure a list of apps that have incoming connections blocked.
Add apps by bundle ID : Enter the bundle ID of the app. Apple's web site has a list of built-in Apple
apps.
Add store app : Select a store app you previously added in Intune. For more information, see Add
apps to Microsoft Intune.
Enable stealth mode
To prevent the computer from responding to probing requests, enable stealth mode. The device continues
to answer incoming requests for authorized apps. Unexpected requests, such as ICMP (ping), are ignored.
Not configured (default)
Yes

Gatekeeper
Allow apps downloaded from these locations
Limit the apps a device can launch, depending on where the apps were downloaded from. The intent is to
protect devices from malware, and allow apps from only the sources you trust.
Not configured (default)
Mac App Store
Mac App Store and identified developers
Anywhere
Do not allow user to override Gatekeeper
Prevents users from overriding the Gatekeeper setting, and prevents users from Control-clicking to install
an app. When this setting isn't enabled, users can Control-click any app, and install it.
Not configured (default) - Users can Control-click to install apps.
Yes - Prevents users from using Control-click to install apps.

Next steps
Assign the profile and monitor its status.
You can also configure endpoint protection on Windows 10 and newer devices.
macOS device settings to configure and use kernel
and system extensions in Intune
3/26/2021 • 6 minutes to read

NOTE
macOS kernel extensions are being replaced with system extensions. For more information, see Support Tip: Using system
extensions instead of kernel extensions for macOS Catalina 10.15 in Intune.

This article describes the different kernel and system extension settings you can control on macOS devices. As
part of your mobile device management (MDM) solution, use these settings to add and manage extensions on
your devices.
To learn more about extensions in Intune, and any prerequisites, see add macOS extensions.
These settings are added to a device configuration profile in Intune, and then assigned or deployed to your
macOS devices.

Before you begin

Create a macOS extensions device configuration profile.

NOTE
These settings apply to different enrollment types. For more information on the different enrollment types, see macOS
enrollment.

Kernel extensions
This feature applies to:
macOS 10.13.2 and newer
User approved device enrollment is required

IMPORTANT
Kernel extensions don't work on macOS devices with the M1 chip, which are macOS devices running on Apple silicon. This
behavior is a known issue, with no ETA.
For any macOS devices running 10.15 and newer, we recommend using system extensions (in this article). If you use the
kernel extensions settings, then consider excluding macOS devices with M1 chips from receiving the kernel extensions
profile.

Settings apply to: User approved device enrollment, Automated device enrollment
Allow User Overrides : Yes lets users approve kernel extensions not included in the configuration
profile. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might prevent users from allowing extensions not included in the configuration profile. Meaning,
only extensions included in the configuration profile are allowed.
For more information on this feature, see user-approved kernel extension loading (opens Apple's web
site).
Allowed Team Identifiers : Use this setting to allow one or many team IDs. Any kernel extensions
signed with the team IDs you enter are allowed and trusted. In other words, use this option to allow all
kernel extensions within the same team ID, which may be a specific developer or partner.
Add a team identifier of valid and signed kernel extensions to load. You can add multiple team identifiers.
The team identifier must be alphanumeric (letters and numbers) and have 10 characters. For example,
enter ABCDE12345 .
After you add a team identifier, it can also be deleted.
Locate your Team ID (opens Apple's web site) has more information.

TIP
The Team ID is stored in the local KextPolicy database. You can get the Team ID using the sqlite3 command
from a macOS device that has the same app installed:
1. On the macOS device, open the Terminal app, and run the following command:
sudo /Volumes/Macintosh\ HD/usr/bin/sqlite3 /Volumes/Macintosh\ HD/var/db/SystemPolicyConfiguration/KextPolicy "SELECT * from kext_policy"

In our example, the volume name is Macintosh HD . Update the command with your volume name.
Be sure you have root access, and can run a sudo command on the device.
2. Review the output. The first entry is the Team ID. In our example, the Team ID is PXPZ95SK77 :
PXPZ95SK77|com.paloaltonetworks.kext.pangpd|1|Palo Alto Networks|5

Allowed Kernel Extensions : Use this setting to allow specific kernel extensions. Only the kernel
extensions you enter are allowed or trusted.
Add the bundle identifier and team identifier of a kernel extension to load. For unsigned legacy kernel
extensions, use an empty team identifier. You can add multiple kernel extensions. The team identifier must
be alphanumeric (letters and numbers) and have 10 characters. For example, enter
com.contoso.appname.macos for Bundle ID , and ABCDE12345 for Team identifier .

TIP
To get the Bundle ID of a kernel extension (Kext) on a macOS device, you can:
1. In the Terminal, run kextstat | grep -v com.apple , and note the output. Install the software or Kext
that you want. Run kextstat | grep -v com.apple again, and look for changes.
In the Terminal, kextstat lists all the kernel extensions on the OS.
2. On the device, open the Information Property List file (Info.plist) for a Kext. The bundle ID is shown. Each
Kext has an Info.plist file stored inside.

NOTE
You don't have to add team identifiers and kernel extensions. You can configure one or the other.

System extensions
This feature applies to:
macOS 10.15 and newer
User approved device enrollment is required
Settings apply to: User approved device enrollment, Automated device enrollment
Block User Overrides : Yes prevents users from approving system extensions that aren't in the allowed
list. When set to Not configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to approve unknown extensions not included in the configuration profile. Meaning,
extensions not included in the configuration profile are allowed.
Allowed team identifiers : Use this setting to allow one or many team IDs. Any system extensions
signed with the team IDs you enter are always allowed and trusted. In other words, use this option to
allow all system extensions within the same team ID, which may be a specific developer or partner.
Add a Team identifier of valid and signed system extensions to load. You can add multiple team
identifiers. The team identifier must be alphanumeric (letters and numbers) and have 10 characters. For
example, enter ABCDE12345 .
After you add a team identifier, it can also be deleted.
Locate your Team ID (opens Apple's web site) has more information.

TIP
You can also get the Team ID from a Mac where the application is installed. In the Terminal, run:
systemextensionsctl list

and note the output. For example:
UBF8T346G9 com.microsoft.wdav.netext (101.04.48/101.04.48) Microsoft Defender for Endpoint Network Extension

The first entry is the Team ID you need: UBF8T346G9 in our example.
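As an added example (not from the Intune documentation): a POSIX shell helper that turns the output of the two inventory commands from the tips above, the sqlite3 query on the KextPolicy database and systemextensionsctl list, into Bundle ID / Team ID pairs for the Allowed Kernel Extensions and Allowed system extensions lists, and checks each Team ID against the 10-character alphanumeric rule. The sample outputs are constructed from the rows shown in the article (with an added unsigned legacy kext row and an assumed header/marker layout for the tab-separated rows that systemextensionsctl list prints on a real Mac).

```shell
#!/bin/sh
# Added example, not Intune's code: build extension allowlist entries from the
# inventory commands described in the tips above.

# Constructed sample: rows as returned by
#   sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy "SELECT * from kext_policy"
# Columns in the order the article's row shows: team_id|bundle_id|allowed|developer_name|flags.
# The second row is a constructed unsigned legacy kext, which has an empty Team ID.
KEXT_POLICY_SAMPLE='PXPZ95SK77|com.paloaltonetworks.kext.pangpd|1|Palo Alto Networks|5
|com.contoso.legacykext|1|Contoso|1'

# Constructed sample of `systemextensionsctl list`: header lines and a
# tab-separated, *-marked row (assumed real-Mac layout) carrying the article's entry.
SYSEXT_SAMPLE="$(printf '%b\n' \
  '1 extension(s)' \
  '--- com.apple.system_extension.network_extension' \
  'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]' \
  '*\t*\tUBF8T346G9\tcom.microsoft.wdav.netext (101.04.48/101.04.48)\tMicrosoft Defender for Endpoint Network Extension\t[activated enabled]')"

# Intune accepts a 10-character alphanumeric Team ID, or an empty Team ID for
# unsigned legacy extensions. Returns 0 when the value is usable in the profile.
team_id_ok() {
    [ -z "$1" ] && return 0
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]{10}$'
}

# Print one "TEAM_ID|BUNDLE_ID" line per kext_policy row.
kext_entries() {
    printf '%s\n' "$1" | awk -F'|' 'NF >= 2 { print $1 "|" $2 }'
}

# Print one "TEAM_ID|BUNDLE_ID" line per system extension row. A row is
# recognised by a 10-character alphanumeric field followed by a reverse-DNS
# bundle ID, so header and separator lines are skipped, and both the
# article's shortened line and the *-marked real rows are handled.
sysext_entries() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) {
            if (length($i) == 10 && $i ~ /^[A-Za-z0-9]+$/ &&
                $(i + 1) ~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/) {
                print $i "|" $(i + 1); break
            }
        }
    }'
}

# Read "TEAM_ID|BUNDLE_ID" lines on stdin, print the values to enter in the
# profile and flag any Team ID the profile would reject. Returns 1 if any entry is bad.
report_entries() {
    rc=0
    while IFS='|' read -r team bundle; do
        if team_id_ok "$team"; then
            printf 'Bundle ID: %-40s Team identifier: %s\n' "$bundle" "${team:-<empty, unsigned legacy>}"
        else
            printf 'REJECT %s: Team ID "%s" is not 10 alphanumeric characters\n' "$bundle" "$team" >&2
            rc=1
        fi
    done
    return $rc
}

# Unique non-empty Team IDs, for the Allowed Team Identifiers setting. Per the
# article's note, don't list a Team ID here and in Allowed system extensions.
team_ids() {
    cut -d'|' -f1 | grep -v '^$' | sort -u
}

kext_entries "$KEXT_POLICY_SAMPLE" | report_entries
sysext_entries "$SYSEXT_SAMPLE" | report_entries
```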

Allowed system extensions : Use this setting to always allow specific system extensions. Only the
system extensions you enter are allowed or trusted.
Add the Bundle identifier and Team identifier of a system extension to load. For unsigned legacy
system extensions, use an empty team identifier. You can add multiple system extensions. The team
identifier must be alphanumeric (letters and numbers) and have 10 characters. For example, enter
com.contoso.appname.macos for Bundle ID , and ABCDE12345 for Team identifier .

Allowed system extension types : Enter the Team ID, and the system extension types to allow for that Team
ID:
Team identifier : Enter the Team ID of another system extension for which you want to allow specific
extension types. Or, enter a Team ID you added to Allowed system extensions .
Allowed system extension types : Select the system extension types to allow for each Team ID.
Your options:
Select all
Driver extensions
Network extensions
Endpoint security extensions
For more information on these extension types, see System Extensions (opens Apple's web site).
You can add a team ID from the Allowed system extensions list, and allow a specific extension
type. If the extension is a type that isn't allowed, then the extension might not run.
To allow all extension types for a Team ID, add the Team ID to the Allowed system extensions
list. Don't add the Team ID to the Allowed system extension types list. In other words, if a team
ID is in the Allowed system extensions list, and not in the Allowed system extension types
list, then all extension types are allowed for that team ID.

NOTE
Adding the same Team ID for Allowed system extensions and Allowed team identifiers can result in an error and
the profile failing. Don't add the same exact Team Identifier to both settings.

Next steps
Assign the profile and monitor its status.
Add VPN settings on macOS devices in Microsoft
Intune
3/5/2021 • 4 minutes to read

This article shows you the Intune settings you can use to configure VPN connections on devices running macOS.
Depending on the settings you choose, not all values in the following list are configurable.

Before you begin

Create a macOS VPN device configuration profile.

NOTE
These settings are available for all enrollment types. For more information on the enrollment types, see macOS
enrollment.

Base VPN
Connection name : Enter a name for this connection. End users see this name when they browse their device
for the list of available VPN connections.
VPN server address : Enter the IP address or fully qualified domain name of the VPN server that
devices connect to. For example, enter 192.168.1.1 or vpn.contoso.com .
Authentication method : Choose how devices authenticate to the VPN server. Your options:
Certificates : Under Authentication certificate , select a SCEP or PKCS certificate profile you
previously created to authenticate the connection. For more information about certificate profiles, see
How to configure certificates.
Username and password : End users must supply a username and password to log into the VPN
server.
Connection type : Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Cisco AnyConnect
SonicWall Mobile Connect
F5 Edge Client
NetMotion Mobility
Custom VPN : Select this option if your VPN vendor isn't listed. Also configure:
VPN identifier : Enter an identifier for the VPN app you're using. This identifier is supplied by
your VPN provider.
Enter key and value pairs for the custom VPN attributes : Add or import Keys and
Values that customize your VPN connection. These values are typically supplied by your VPN
provider.
Split tunneling : Enable or Disable this option, which lets devices decide which connection to use
depending on the traffic. For example, a user in a hotel uses the VPN connection to access work files, but
uses the hotel's standard network for regular web browsing.

Automatic VPN
Select the type of automatic VPN you want: On-demand VPN or Per-app VPN:
On-demand VPN : On-demand VPN uses rules to automatically connect or disconnect the VPN
connection. When a device attempts to connect to the VPN, it looks for matches in the parameters and
rules you create, such as a matching IP address or domain name. If there's a match, then the action you
choose runs.
For example, create a condition where the VPN connection is only used when a device isn't connected to a
company Wi-Fi network. Or, if a device can't access a DNS search domain you enter, then the VPN
connection isn't started.
Add : Select this option to add a rule.
I want to do the following : If there's a match between the device value and your on-demand
rule, then select the action. Your options:
Establish VPN
Disconnect VPN
Evaluate each connection attempt
Ignore
I want to restrict to : Select the condition that the rule must meet. Your options:
Specific SSIDs : Enter one or more wireless network names that the rule applies to. This
network name is the Service Set Identifier (SSID). For example, enter Contoso VPN .
Specific DNS domains : Enter one or more DNS domains that the rule applies to. For example,
enter contoso.com .
All domains : Select this option to apply your rule to all domains in your organization.
But only if this URL probe succeeds : Optional. Enter a URL that the rule uses as a test. If the
device accesses this URL without redirection, then the VPN connection is started. And, the device
connects to the target URL. The user doesn't see the URL string probe site.
For example, a URL string probe is an auditing Web server URL that checks device compliance
before connecting the VPN. Or, the URL tests the VPN's ability to connect to a site before the device
connects to the target URL through the VPN.
Prevent users from disabling automatic VPN : Your options:
Not configured : Intune doesn't change or update this setting.
Yes : Prevents users from turning off automatic VPN. It forces users to keep the automatic VPN
enabled and running.
No : Allows users to turn off automatic VPN.
This setting applies to:
macOS 11 and newer (Big Sur)
Per-app VPN : Enables per-app VPN by associating this VPN connection with a macOS app. When the
app runs, the VPN connection starts. You can associate the VPN profile with an app when you assign the
software. For more information, see How to assign and monitor apps.
Safari URLs that will trigger this VPN : Add one or more web site URLs. When these URLs are
visited using the Safari browser on the device, the VPN connection is automatically established.
Associated Domains : Enter associated domains in the VPN profile that automatically start the
VPN connection. For example, enter contoso.com . Devices in the contoso.com domain
automatically start the VPN connection.
For more information, see associated domains.
Excluded Domains : Enter domains that can bypass the VPN connection when per-app VPN is
connected. For example, enter contoso.com . Devices in the contoso.com domain won't start or use
the per-app VPN connection. Devices in the contoso.com domain will use the public Internet.
Prevent users from disabling automatic VPN : Your options:
Not configured : Intune doesn't change or update this setting.
Yes : Prevents users from turning off automatic VPN. It forces users to keep the automatic VPN
enabled and running.
No : Allows users to turn off automatic VPN.
This setting applies to:
macOS 11 and newer (Big Sur)

Proxy
Automatic configuration script : Use a file to configure the proxy server. Enter the proxy server URL that
includes the configuration file. For example, enter http://proxy.contoso.com/pac .
Address : Enter the IP address or fully qualified host name of the proxy server. For example, enter 10.0.0.3
or vpn.contoso.com .
Port number : Enter the port number associated with the proxy server. For example, enter 8080 .

Next steps
The profile is created, but it may not be doing anything yet. Be sure to assign the profile, and monitor its status.
Configure VPN settings on Android, Android Enterprise, iOS/iPadOS, and Windows 10 devices.
Add Wi-Fi settings for macOS devices in Microsoft
Intune
3/5/2021 • 6 minutes to read

You can create a profile with specific Wi-Fi settings, and then deploy this profile to your macOS devices.
Microsoft Intune offers many features, including authenticating to your network, adding a PKCS or SCEP
certificate, and more.
These Wi-Fi settings are separated into two categories: Basic settings and Enterprise settings.
This article describes these settings.

Before you begin

Create a macOS Wi-Fi device configuration profile.

NOTE
These settings are available for all enrollment types. For more information on the enrollment types, see macOS
enrollment.

Basic profiles
Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on devices. Typically, WPA/WPA2 is
used on home networks or personal networks. You can also add a pre-shared key to authenticate the
connection.
Wi-Fi type : Select Basic .
SSID : Short for service set identifier . This property is the real name of the wireless network that
devices connect to. However, users only see the network name you configured when they choose the
connection.
Connect automatically : Select Enable to automatically connect to this network when the device is in
range. Select Disable to prevent devices from automatically connecting.
Hidden network : Select Enable to hide this network from the list of available networks on the device.
The SSID isn't broadcasted. Select Disable to show this network in the list of available networks on the
device.
Security type : Select the security protocol to authenticate to the Wi-Fi network. Your options:
Open (no authentication) : Only use this option if the network is unsecured.
WPA/WPA2 - Personal : Enter the password in Pre-shared key . When your organization's network
is set up or configured, a password or network key is also configured. Enter this password or network
key for the PSK value.
WEP
Proxy settings : Your options:
None : No proxy settings are configured.
Manual : Enter the Proxy server address as an IP address, and its Port number .
Automatic : Use a file to configure the proxy server. Enter the Proxy server URL that contains the
configuration file. For example, enter http://proxy.contoso.com , 10.0.0.11 , or
http://proxy.contoso.com/proxy.pac .

For more information on PAC files, see Proxy Auto-Configuration (PAC) file (opens a non-Microsoft
site).

Enterprise profiles
Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate Wi-Fi connections. EAP is often
used by enterprises, as you can use certificates to authenticate and secure connections, and configure more
security options.
Wi-Fi type : Select Enterprise .
SSID : Short for service set identifier . This property is the real name of the wireless network that
devices connect to. However, users only see the network name you configured when they choose the
connection.
Connect automatically : Select Enable to automatically connect to this network when the device is in
range. Select Disable to prevent devices from automatically connecting.
Hidden network : Select Enable to hide this network from the list of available networks on the device.
The SSID isn't broadcasted. Select Disable to show this network in the list of available networks on the
device.
EAP type : Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless
connections. Your options:
EAP-FAST : Enter the Protected Access Credential (PAC) Settings . This option uses protected
access credentials to create an authenticated tunnel between the client and the authentication
server. Your options:
Do not use (PAC)
Use (PAC) : If an existing PAC file exists, use it.
Use and Provision PAC : Create and add the PAC file to your devices.
Use and Provision PAC Anonymously : Create and add the PAC file to your devices without
authenticating to the server.
EAP-SIM
EAP-TLS : Also enter:
Certificate server names : Add one or more common names used in the certificates
issued by your trusted certificate authority (CA). When you enter this information, you can
bypass the dynamic trust window displayed on user's devices when they connect to this
Wi-Fi network.
Root certificate for server validation : Select one or more existing trusted root
certificate profiles. When the client connects to the network, these certificates are presented
to the server. They authenticate the connection.
Certificates : Select the SCEP or PKCS client certificate profile that is also deployed to the
device. This certificate is the identity presented by the device to the server to authenticate
the connection.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP identity
request. This text can be any value, such as anonymous . During authentication, this
anonymous identity is initially sent, and then followed by the real identification sent in a
secure tunnel.
EAP-TTLS : Also enter:
Certificate server names : Add one or more common names used in the certificates
issued by your trusted certificate authority (CA). When you enter this information, you can
bypass the dynamic trust window displayed on user's devices when they connect to this
Wi-Fi network.
Root certificates for server validation : Select one or more existing trusted root
certificate profiles. When the client connects to the network, these certificates are presented
to the server. They authenticate the connection.
Authentication method : Select the authentication method used by your device clients.
Your options:
Username and Password : Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method (inner identity) : Choose how you authenticate the
connection. Be sure you choose the same protocol that's configured on your
Wi-Fi network.
Your options: Unencrypted password (PAP) , Challenge Handshake
Authentication Protocol (CHAP) , Microsoft CHAP (MS-CHAP) , or
Microsoft CHAP Version 2 (MS-CHAP v2)
Certificates : Select the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by the real
identification sent in a secure tunnel.
LEAP
PEAP : Also enter:
Certificate server names : Add one or more common names used in the certificates
issued by your trusted certificate authority (CA). When you enter this information, you can
bypass the dynamic trust window displayed on user's devices when they connect to this
Wi-Fi network.
Root certificate for server validation : Select one or more existing trusted root
certificate profiles. When the client connects to the network, these certificates are presented
to the server. They authenticate the connection.
Authentication method : Select the authentication method used by your device clients.
Your options:
Username and Password : Prompt the user for a user name and password to
authenticate the connection.
Certificates : Select the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During
authentication, this anonymous identity is initially sent, and then followed by the real
identification sent in a secure tunnel.
Proxy settings : Select a proxy configuration. Your options:
None : No proxy settings are configured.
Manual : Enter the Proxy server address as an IP address, and its Port number .
Automatic : Use a file to configure the proxy server. Enter the Proxy server URL that contains the
configuration file. For example, enter http://proxy.contoso.com , 10.0.0.11 , or
http://proxy.contoso.com/proxy.pac .

For more information on PAC files, see Proxy Auto-Configuration (PAC) file (opens a non-Microsoft
site).

Next steps
The profile is created, but may not be doing anything. Be sure to assign the profile and monitor its status.
Configure Wi-Fi settings on Android, Android Enterprise, iOS/iPadOS, and Windows 10 devices.
Add wired network settings for macOS devices in Microsoft Intune
3/5/2021 • 4 minutes to read

You can create a profile with specific wired network settings, and then deploy this profile to your macOS devices.
Microsoft Intune offers many features, including authenticating to your network, adding a SCEP certificate, and
more.
This article describes the settings you can configure.

Before you begin


Create a macOS wired network device configuration profile.

NOTE
These settings are available for all enrollment types. For more information on the enrollment types, see macOS
enrollment.

Wired Network
Network Interface : Select the network interfaces on the device the profile applies to, based on
service-order priority. Your options:
First active Ethernet (default)
Second active Ethernet
Third active Ethernet
First Ethernet
Second Ethernet
Third Ethernet
Any Ethernet
Options that have "active" in the title use interfaces that are actively working on the device. If there are no
active interfaces, the next interface in service-order priority is configured. By default, First active
Ethernet is selected, which is also the default setting configured by macOS.
EAP type : Select the Extensible Authentication Protocol (EAP) type to authenticate secured wired
connections. Your options:
EAP-FAST : Enter the Protected Access Credential (PAC) Settings . This option uses protected
access credentials to create an authenticated tunnel between the client and the authentication
server. Your options:
Do not use (PAC)
Use (PAC) : If an existing PAC file exists, use it.
Use and Provision PAC : Create and add the PAC file to your devices.
Use and Provision PAC Anonymously : Create and add the PAC file to your devices without
authenticating to the server.
EAP-TLS : Also enter:
Server Trust - Certificate server names : Add one or more common names used in the
certificates issued by your trusted certificate authority (CA). When you enter this information,
you can bypass the dynamic trust window shown on user devices when they connect to this
network.
Root certificate for server validation : Select an existing trusted root certificate profile.
When the client connects to the network, this certificate is presented to the server. It's used to
authenticate the connection.
Client Authentication - Certificates : Select the SCEP client certificate profile that's also
deployed to the device. This certificate is the identity presented by the device to the server to
authenticate the connection. PKCS certificates aren't supported.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP identity
request. This text can be any value, such as anonymous . During authentication, this anonymous
identity is initially sent, and then followed by the real identification sent in a secure tunnel.
EAP-TTLS : Also enter:
Server Trust - Certificate server names : Add one or more common names used in the
certificates issued by your trusted certificate authority (CA). When you enter this information,
you can bypass the dynamic trust window shown on user devices when they connect to this
network.
Root certificate for server validation : Select an existing trusted root certificate profile.
When the client connects to the network, this certificate is presented to the server. It's used to
authenticate the connection.
Client Authentication : Select an Authentication method . Your options:
Username and Password : Prompts the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method (inner identity) : Select how you authenticate the
connection. Be sure you choose the same protocol that's configured on your
network. Your options:
Unencrypted password (PAP)
Challenge Handshake Authentication Protocol (CHAP)
Microsoft CHAP (MS-CHAP)
Microsoft CHAP Version 2 (MS-CHAP v2)
Certificates : Select the SCEP client certificate profile that's also deployed to the device.
This certificate is the identity presented by the device to the server to authenticate the
connection. PKCS certificates aren't supported.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During authentication,
this anonymous identity is initially sent, and then followed by the real identification sent
in a secure tunnel.
LEAP
PEAP : Also enter:
Server Trust - Certificate server names : Add one or more common names used in the
certificates issued by your trusted certificate authority (CA). When you enter this information,
you can bypass the dynamic trust window shown on user devices when they connect to this
network.
Root certificate for server validation : Select an existing trusted root certificate profile.
When the client connects to the network, this certificate is presented to the server. It's used to
authenticate the connection.
Client Authentication : Select an Authentication method . Your options:
Username and Password : Prompts the user for a user name and password to
authenticate the connection.
Certificates : Select the SCEP client certificate profile that's also deployed to the device.
This certificate is the identity presented by the device to the server to authenticate the
connection. PKCS certificates aren't supported.
Identity privacy (outer identity) : Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During authentication,
this anonymous identity is initially sent, and then followed by the real identification sent
in a secure tunnel.

Next steps
The profile is created, but it may not be doing anything. Be sure to assign this profile, and monitor its status.
Use custom settings for Windows 10 devices in Intune
3/5/2021 • 2 minutes to read

NOTE
Intune may support more settings than the settings listed in this article. Not all settings are documented, and won’t be
documented. To see the settings you can configure, create a device configuration profile, and select Settings Catalog .
For more information, see Settings catalog.

This article describes some of the different custom settings you can control on Windows 10 and newer devices.
As part of your mobile device management (MDM) solution, use these settings to configure settings that aren't
built-in to Intune.
For more information on custom profiles, see Create a profile with custom settings.
These settings are added to a device configuration profile in Intune, and then assigned or deployed to your
Windows 10 devices.
This feature applies to:
Windows 10 and newer
Windows 10 custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings to
configure different features. These settings are typically used by mobile device manufacturers to control features
on the device.
Windows 10 makes many Configuration Service Provider (CSP) settings available, such as Policy Configuration
Service Provider (Policy CSP).
If you're looking for a specific setting, remember that the Windows 10 device restriction profile includes many
built-in settings. So, you may not need to enter custom values.

Before you begin


Create a Windows 10 custom profile.

OMA-URI settings
Add : Enter the following settings:
Name : Enter a unique name for the OMA-URI setting to help you identify it in the list of settings.
Description : Enter a description that gives an overview of the setting, and any other important details.
OMA-URI (case sensitive): Enter the OMA-URI you want to use as a setting.
Data type : Select the data type you'll use for this OMA-URI setting. Your options:
Base64 (file)
Boolean
String (XML file)
Date and time
String
Floating point
Integer
Value : Enter the data value you want to associate with the OMA-URI you entered. The value depends on
the data type you selected. For example, if you select Date and time , select the value from a date picker.
After you add some settings, you can select Export . Export creates a list of all the values you added in a
comma-separated values (.csv) file.

Find the policies you can configure


There's a complete list of all configuration service providers (CSPs) that Windows 10 supports in the
Configuration service provider reference.
Not all settings are compatible with all Windows 10 versions. Configuration service provider reference tells you
which versions are supported for each CSP.
Additionally, Intune doesn't support all the settings listed in Configuration service provider reference. To find out
if Intune supports the setting you want, open the article for that setting. Each setting page shows its supported
operation. To work with Intune, the setting must support the Add , Replace , and Get operations. If the value
returned by the Get operation doesn't match the value supplied by the Add or Replace operations, then Intune
reports a compliance error.
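
As an added example (not Intune's own code), the following validates a custom OMA-URI setting against the data type chosen for it and models the Add/Replace/Get rule just described: when the value the Get operation returns differs from the value sent with Add or Replace, the setting is reported as an error. The check that the OMA-URI begins with ./Device/, ./User/ or ./Vendor/ reflects the layout Windows CSP paths use, and the sample setting uses the Policy CSP path for DODownloadMode as an illustration; the field names of the setting dict are constructed for this example.

```python
"""Validate an Intune custom OMA-URI setting and model its compliance check.
Added example, not Intune's code."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

# The data types offered for an OMA-URI setting, as listed in this article.
DATA_TYPES = ("Base64 (file)", "Boolean", "String (XML file)", "Date and time",
              "String", "Floating point", "Integer")


def parse_value(data_type: str, value: str):
    """Return the typed form of value, or raise ValueError if it doesn't fit data_type."""
    if data_type == "Boolean":
        if value.strip().lower() not in ("true", "false"):
            raise ValueError("Boolean must be true or false")
        return value.strip().lower() == "true"
    if data_type == "Integer":
        return int(value)
    if data_type == "Floating point":
        return float(value)
    if data_type == "Date and time":
        return datetime.fromisoformat(value)  # date picker output, assumed ISO 8601
    if data_type == "Base64 (file)":
        return base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
    if data_type == "String (XML file)":
        try:
            ET.fromstring(value)  # the file content must be well-formed XML
        except ET.ParseError as exc:
            raise ValueError(f"not well-formed XML: {exc}") from exc
        return value
    if data_type == "String":
        return value
    raise ValueError(f"unknown data type {data_type!r}")


def validate_setting(setting: dict) -> list:
    """Return the problems with a setting (empty list when it is well formed)."""
    problems = []
    if not setting.get("name"):
        problems.append("Name is required")
    uri = setting.get("oma_uri", "")
    # OMA-URI is case sensitive, so this prefix check is deliberately case sensitive too.
    if not uri.startswith(("./Device/", "./User/", "./Vendor/")):
        problems.append("OMA-URI must start with ./Device/, ./User/ or ./Vendor/")
    if setting.get("data_type") not in DATA_TYPES:
        problems.append(f"unknown data type {setting.get('data_type')!r}")
    else:
        try:
            parse_value(setting["data_type"], str(setting.get("value", "")))
        except ValueError as exc:
            problems.append(f"value does not match {setting['data_type']}: {exc}")
    return problems


def compliance_state(setting: dict, reported_value: str) -> str:
    """'Compliant' when the Get result equals the Add/Replace value, otherwise 'Error'."""
    desired = parse_value(setting["data_type"], str(setting["value"]))
    try:
        reported = parse_value(setting["data_type"], reported_value)
    except ValueError:
        return "Error"  # the device returned something that isn't even the right type
    return "Compliant" if desired == reported else "Error"


# Constructed sample setting: Delivery Optimization download mode 1 (peering behind the same NAT).
SAMPLE_SETTING = {
    "name": "DO download mode",
    "description": "Restrict Delivery Optimization peering to the local NAT",
    "oma_uri": "./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode",
    "data_type": "Integer",
    "value": "1",
}

if __name__ == "__main__":
    print("problems:", validate_setting(SAMPLE_SETTING))
    print("device reports 1:", compliance_state(SAMPLE_SETTING, "1"))
    print("device reports 0:", compliance_state(SAMPLE_SETTING, "0"))
```

Running the data-type check before assigning a profile catches the common failure where a value is typed as String when the CSP expects an Integer or Boolean; such a setting is accepted by the portal but the device rejects or ignores it, and the mismatch only surfaces as a compliance error.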

Next steps
Assign the profile, and monitor its status.
Learn more about custom profiles in Intune.
Delivery Optimization settings for Windows 10 devices in Intune
3/5/2021 • 7 minutes to read

NOTE
Intune may support more settings than the settings listed in this article. Not all settings are documented, and won’t be
documented. To see the settings you can configure, create a device configuration profile, and select Settings Catalog .
For more information, see Settings catalog.

This article lists some of the settings for Delivery Optimization that Intune supports for devices that run
Windows 10 or later.
Most options in the Intune console directly map to Delivery Optimization settings that are covered in-depth in
the Windows documentation. These options include links to relevant content. Settings or options that are
specific to Intune don't contain links to additional content.
The following tables include:
Setting : The setting as it appears in Intune. Settings that are links open the relevant entry in Configure
Delivery Optimization for Windows 10 updates in the Windows documentation where you can learn
more about the setting.
Windows version : The minimum version of Windows 10 that includes support for this setting.
Details : A brief description of how Intune implements the setting, including the Intune default. When
available, there are links to Delivery Optimization Policy configuration service provider (CSP) entries.
To configure Intune to use these settings, see Deliver updates.

Before you begin


Create a Windows 10 Delivery Optimization profile.

Delivery Optimization
Setting : Download mode
Windows version : 1511
Details : Specify the download method that Delivery Optimization uses to download content.
Not configured : End users update their devices using their own methods, which may be to use the
Windows Updates or Delivery Optimization settings available with the operating system.
HTTP only, no peering (0) : Get updates only from the internet. Don't get updates from other
computers on your network (peer-to-peer).
HTTP blended with peering behind the same NAT (1) : Get updates from the internet and from other
computers on your network that are behind the same Network Address Translation (NAT) IP addresses.
HTTP blended with peering across a private group (2) : Peering occurs on devices in the same Active
Directory Site (if it exists) or the same domain. When this option is selected, peering crosses your NAT
IP addresses.
HTTP blended with Internet peering (3) : Get updates from the internet and from other computers on
your network.
Simple download mode with no peering (99) : Gets updates from the internet, directly from the update
owner, such as Microsoft. It doesn't contact the Delivery Optimization cloud services.
Bypass mode (100) : Use Background Intelligent Transfer Service (BITS) to get updates. Don't use
Delivery Optimization.
Default : Not configured
Policy CSP: DODownloadMode

Setting : Restrict Peer Selection
Windows version : 1803
Details : Requires Download mode be set to HTTP blended with peering behind the same NAT (1) or
HTTP blended with peering across a private group (2). Restricts peer selection to a specific group of
devices.
Default : Not configured
Policy CSP: DORestrictPeerSelectionBy

Setting : Group ID source
Windows version : 1803
Details : Requires Download mode be set to HTTP blended with peering across a private group. Restricts
peer selection to a specific group of devices by source. If you select Custom , you then configure
Group ID (as GUID) . Use a GUID as the Group ID if you need to create a single group for Local Network
Peering for branches that are on different domains or aren't on the same LAN.
Default : Not configured
Policy CSP: DOGroupId

Bandwidth
Setting : Bandwidth optimization type
Windows version : See details
Details : Select how Intune determines the maximum bandwidth that Delivery Optimization can use across
all concurrent download activities. Options include:
Not configured
Absolute – Specify the Maximum download bandwidth (in KB/s) and the Maximum upload bandwidth
(in KB/s) that a device can use across all its concurrent Delivery Optimization download activities.
Requires Windows 1607. Policy CSP: DOMaxDownloadBandwidth and DOMaxUploadBandwidth
Percent – Specify the Maximum foreground download bandwidth (in %) and Maximum background
download bandwidth (in %) that a device can use across all its concurrent Delivery Optimization
download activities. Requires Windows 1803. Policy CSP: DOPercentageMaxForegroundBandwidth and
DOPercentageMaxBackgroundBandwidth
Percent with business hours – For a maximum foreground download bandwidth, and a maximum
background download bandwidth, configure business hours start and end times, and then the percentage
of bandwidth to use during and outside your business hours. Requires Windows 1803. Policy CSP:
DOSetHoursToLimitBackgroundDownloadBandwidth and DOSetHoursToLimitForegroundDownloadBandwidth

Setting : Delay background HTTP download (in seconds)
Windows version : 1803
Details : Use this setting to configure a maximum time to delay a background download of content over
HTTP. This configuration applies only to downloads that support a peer-to-peer download source. During
this delay, the device searches for a peer with the content available. While waiting for a peer source,
the download appears to be stuck for the end user.
Default : No value is configured
Recommended : 60 seconds
Policy CSP: DODelayBackgroundDownloadFromHttp

Setting : Delay foreground HTTP download (in seconds)
Windows version : 1803
Details : Configure a maximum time to delay a foreground (interactive) download of content over HTTP.
This configuration applies only to downloads that support a peer-to-peer download source. During this
delay, the device searches for a peer with the content available. While waiting for a peer source, the
download appears to be stuck for the end user.
Default : No value is configured
Recommended : 60 seconds
Policy CSP: DODelayForegroundDownloadFromHttp

Caching
Setting : Minimum RAM required for peer caching (in GB)
Windows version : 1709
Details : Specify the minimum RAM size in GBs that a device must have to use peer caching.
Default : No value is configured
Recommended : 4 GB
Policy CSP: DOMinRAMAllowedToPeer

Setting : Minimum disk size required for peer caching (in GB)
Windows version : 1709
Details : Specify the minimum disk size in GBs that a device must have to use peer caching.
Default : No value is configured
Recommended : 32 GB
Policy CSP: DOMinDiskSizeAllowedToPeer

Setting : Minimum content file size for peer caching (in MB)
Windows version : 1709
Details : Specify the minimum size in MB that a file must meet or exceed to use peer caching.
Default : No value is configured
Recommended : 10 MB
Policy CSP: DOMinFileSizeToCache

Setting : Minimum battery level required to upload (in %)
Windows version : 1709
Details : Specify as a percent, the minimum battery level that a device must have to upload data to
peers. If the battery level drops to the specified value, any active uploads automatically pause.
Default : No value is configured
Recommended : 40%
Policy CSP: DOMinBatteryPercentageAllowedToUpload

Setting : Modify cache drive
Windows version : 1607
Details : Specify the drive that Delivery Optimization uses for its cache. You can use an environment
variable, drive letter, or a full path.
Default : %SystemDrive%
Policy CSP: DOModifyCacheDrive

Setting : Maximum cache age (in days)
Windows version : 1511
Details : Specify for how long after each file successfully downloads that the file is held in the
Delivery Optimization cache on a device. With Intune, you configure the cache age in days. The number of
days you define is converted into the applicable number of seconds, which is how Windows defines this
setting. For example, an Intune configuration of 3 days is converted on the device to 259200 seconds
(3 days).
Default : No value is configured
Recommended : 7
Policy CSP: DOMaxCacheAge

Setting : Maximum cache size type
Windows version : See details
Details : Select how to manage the amount of disk space on a device that is used by Delivery
Optimization. When not configured, cache size defaults to 20% of the free disk space available.
Not configured (Default)
Absolute – Specify the Absolute maximum cache size (in GB) to configure the maximum amount of drive
space a device can use for Delivery Optimization. When set to 0 (zero), the cache size is unlimited,
although Delivery Optimization will clear the cache when the device is low on disk space. Requires
Windows 1607. Policy CSP: DOAbsoluteMaxCacheSize
Percentage – Specify the Maximum cache size (in %) to configure the maximum amount of drive space a
device can use for Delivery Optimization. The percentage is of the available drive space, and Delivery
Optimization constantly assesses the available drive space and will clear the cache to keep the
maximum cache size under the set percentage. Requires Windows 1511. Policy CSP: DOMaxCacheSize

Setting : VPN peer caching
Windows version : 1709
Details : Select Enabled to configure a device to participate in Peer Caching while connected by VPN
to the domain network. Devices that are enabled can download from or upload to other domain network
devices, either on VPN or on the corporate domain network.
Default : Not configured
Policy CSP: DOAllowVPNPeerCaching

Local Server Caching
Setting : Cache server host names
Windows version : 1809
Details : Specify the IP address or FQDN of Network Cache servers that will be used by your devices for
Delivery Optimization, and then select Add to add that entry to the list.
Default : Not configured
Policy CSP: DOCacheHost

Setting : Delay foreground download Cache Server fallback (in seconds)
Windows version : 1903
Details : Specify a time in seconds (0-2592000) to delay the fallback from a Cache server to the HTTP
source for a foreground content download. When the Bandwidth setting for Delay background HTTP
download (in seconds) is configured, that setting applies first to allow downloads from peers.
Default : 0
Policy CSP: DODelayCacheServerFallbackForeground

Setting : Delay background download Cache Server fallback (in seconds)
Windows version : 1903
Details : Specify a time in seconds (0-2592000) to delay the fallback from a Cache server to the HTTP
source for a background content download. When the Bandwidth setting for Delay background HTTP
download (in seconds) is configured, that setting applies first to allow downloads from peers.
Default : 0
Policy CSP: DODelayCacheServerFallbackBackground

NOTE
When you install a Microsoft Connected Cache on a Configuration Manager distribution point, cloud-managed devices
can use the on-premises cache. As long as the device can communicate with the server, the cache is available to deliver
content to these devices. For more information, see Microsoft Connected Cache in Configuration Manager.
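
Several of the settings above depend on each other or are stored on the device in a different unit than the one entered in Intune. The following added example (not Intune's own code; Intune performs this translation itself) turns an Intune-style profile into Policy CSP name/value pairs while enforcing only what this article states: the numeric Download mode values, that Restrict Peer Selection needs Download mode 1 or 2, that Group ID source needs Download mode 2 and a GUID, that Maximum cache age is entered in days and stored in seconds (3 days becomes 259200), and that the cache server fallback delays accept 0 to 2592000 seconds. The profile dict's field names and the sample GUID are constructed for this example.

```python
"""Translate Delivery Optimization profile settings into Policy CSP values, checking
the prerequisites and unit conversions this article describes. Added example."""
from __future__ import annotations

import uuid

# Download mode values as listed in the Download mode setting.
DOWNLOAD_MODES = {
    "HTTP only, no peering": 0,
    "HTTP blended with peering behind the same NAT": 1,
    "HTTP blended with peering across a private group": 2,
    "HTTP blended with Internet peering": 3,
    "Simple download mode with no peering": 99,
    "Bypass mode": 100,
}
SECONDS_PER_DAY = 86400
MAX_FALLBACK_DELAY = 2592000  # upper bound of the cache server fallback delays


class PolicyError(ValueError):
    """A setting was used without the prerequisite the article describes."""


def build_do_policy(profile: dict) -> dict:
    """Return Policy CSP name -> value pairs for an Intune-style profile dict."""
    policy: dict = {}
    mode_name = profile.get("download_mode")
    mode = None
    if mode_name is not None:
        if mode_name not in DOWNLOAD_MODES:
            raise PolicyError(f"unknown download mode {mode_name!r}")
        mode = DOWNLOAD_MODES[mode_name]
        policy["DODownloadMode"] = mode

    # Restrict Peer Selection requires Download mode 1 or 2.
    if profile.get("restrict_peer_selection") is not None:
        if mode not in (1, 2):
            raise PolicyError("Restrict Peer Selection requires Download mode 1 or 2")
        policy["DORestrictPeerSelectionBy"] = profile["restrict_peer_selection"]

    # Group ID source requires Download mode 2; a custom group ID is a GUID.
    if profile.get("group_id") is not None:
        if mode != 2:
            raise PolicyError("Group ID source requires Download mode 2")
        # uuid.UUID() raises ValueError for anything that isn't a well-formed GUID.
        policy["DOGroupId"] = str(uuid.UUID(str(profile["group_id"])))

    # Intune takes the cache age in days; the CSP stores seconds (3 days -> 259200).
    if profile.get("max_cache_age_days") is not None:
        policy["DOMaxCacheAge"] = int(profile["max_cache_age_days"]) * SECONDS_PER_DAY

    # Cache server fallback delays are limited to 0-2592000 seconds.
    for field, csp in (
        ("fallback_delay_foreground", "DODelayCacheServerFallbackForeground"),
        ("fallback_delay_background", "DODelayCacheServerFallbackBackground"),
    ):
        if profile.get(field) is not None:
            delay = int(profile[field])
            if not 0 <= delay <= MAX_FALLBACK_DELAY:
                raise PolicyError(f"{field} must be between 0 and {MAX_FALLBACK_DELAY} seconds")
            policy[csp] = delay
    return policy


def policy_violation(profile: dict) -> str | None:
    """Return the prerequisite a profile violates, or None if it builds cleanly."""
    try:
        build_do_policy(profile)
    except ValueError as exc:  # PolicyError and the GUID parse error
        return str(exc)
    return None


# Constructed sample: private-group peering across branches, 3-day cache, 60 s fallback.
SAMPLE_PROFILE = {
    "download_mode": "HTTP blended with peering across a private group",
    "group_id": "8F3C1B2E-4D5A-4F6B-9C7D-0A1B2C3D4E5F",  # constructed GUID
    "max_cache_age_days": 3,
    "fallback_delay_foreground": 60,
}

if __name__ == "__main__":
    for name, value in build_do_policy(SAMPLE_PROFILE).items():
        print(f"{name} = {value}")
    print(policy_violation({"download_mode": "HTTP only, no peering",
                            "group_id": SAMPLE_PROFILE["group_id"]}))
```

The prerequisite checks matter because the portal accepts a Group ID with any download mode; the device simply ignores the group, and peering silently falls back to the behaviour of the selected mode.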

Next steps
Assign the profile, and monitor its status.
Learn more about Delivery Optimization in Intune.
Windows 10 (and newer) device settings to allow or restrict features using Intune
6/4/2021 • 75 minutes to read

NOTE
Intune may support more settings than the settings listed in this article. Not all settings are documented, and won’t be
documented. To see the settings you can configure, create a device configuration profile, and select Settings Catalog .
For more information, see Settings catalog.

This article describes some of the settings you can control on Windows 10 and newer devices. As part of your
mobile device management (MDM) solution, use these settings to allow or disable features, set password rules,
customize the lock screen, use Microsoft Defender, and more.
These settings are added to a device configuration profile in Intune, and then assigned or deployed to your
Windows 10 devices.

NOTE
Some settings are only available on specific Windows editions, such as Enterprise. To see the supported editions, refer to
the policy CSPs (opens another Microsoft web site).
In a Windows 10 device restrictions profile, most configurable settings are deployed at the device level using device
groups. Policies deployed to user groups apply to targeted users. The policies also apply to users who have an Intune
license, and users that sign in to that device.

Before you begin


Create a Windows 10 device restrictions profile.

App Store
These settings use the ApplicationManagement policy CSP, which also lists the supported Windows editions.
App store (mobile only) : Block prevents users from accessing the app store on mobile devices. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow users access to the app store.
Auto-update apps from store : Block prevents updates from being automatically installed from the
Microsoft Store. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow apps installed from the Microsoft Store to be automatically updated.
ApplicationManagement/AllowAppStoreAutoUpdate CSP
Trusted app installation : Choose if non-Microsoft Store apps can be installed, also known as
sideloading. Sideloading is installing, and then running or testing an app that isn't certified by the
Microsoft Store. For example, an app that is internal to your company only. Your options:
Not configured (default): Intune doesn't change or update this setting.
Block : Prevents sideloading. Non-Microsoft Store apps can't be installed.
Allow : Allows sideloading. Non-Microsoft Store apps can be installed.
Developer unlock : Allow Windows developer settings, such as allowing sideloaded apps to be modified
by users. Your options:
Not configured (default): Intune doesn't change or update this setting.
Block : Prevents developer mode and sideloading apps.
Allow : Allows developer mode and sideloading apps.
Enable your device for development has more information on this feature.
ApplicationManagement/AllowAllTrustedApps CSP
Shared user app data : Choose Allow to share application data between different users on the same
device and with other instances of that app. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might prevent sharing data with other users and other
instances of the same app.
ApplicationManagement/AllowSharedUserAppData CSP
Use private store only : Allow only allows apps to be downloaded from a private store, and not
downloaded from the public store, including a retail catalog. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow apps to be downloaded from
a private store and a public store.
ApplicationManagement/RequirePrivateStoreOnly CSP
Store originated app launch : Block disables all apps that were pre-installed on the device, or
downloaded from the Microsoft Store. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow these apps to open.
ApplicationManagement/DisableStoreOriginatedApps CSP
Install app data on system volume : Block stops apps from storing data on the system volume of the
device. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow apps to store data on the system disk volume.
ApplicationManagement/RestrictAppDataToSystemVolume CSP
Install apps on system drive : Block prevents apps from installing on the system drive on the device.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow apps to install on the system drive.
ApplicationManagement/RestrictAppToSystemVolume CSP
Game DVR (desktop only) : Block disables Windows Game recording and broadcasting. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
recording and broadcasting of games.
ApplicationManagement/AllowGameDVR CSP
Apps from store only : This setting determines the user experience when users install apps from places
other than the Microsoft Store. It doesn't prevent installation of content from USB devices, network
shares, or other non-internet sources. Use a trustworthy browser to help make sure these protections
work as expected.
Your options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS might
allow users to install apps from places other than the Microsoft Store, including apps defined in other
policy settings.
Anywhere : Turns off app recommendations, and allows users to install apps from any location.
Store Only : Intent is to prevent malicious content from affecting your user devices when
downloading executable content from the internet. When users try to install apps from the internet,
the installation is blocked. Users see a message recommending they download apps from the
Microsoft Store.
Recommendations : When installing an app from the web that's available in the Microsoft Store,
users see a message recommending they download it from the store.
Prefer Store : Warns users when they install apps from places other than the Microsoft Store.
SmartScreen/EnableAppInstallControl CSP
User control over installations : Block prevents users from changing the installation options typically
reserved for system administrators, such as entering the directory to install the files. When set to Not
configured (default), Intune doesn't change or update this setting. By default, Windows Installer might
prevent users from changing these installation options, and some of the Windows Installer security
features are bypassed.
ApplicationManagement/MSIAllowUserControlOverInstall CSP
Install apps with elevated privileges : Block directs Windows Installer to use elevated permissions
when it installs any program on the system. These privileges are extended to all programs. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the system might
apply the current user's permissions when it installs programs that a system administrator doesn't deploy
or offer.
ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges CSP
Startup apps : Enter a list of apps to open after a user signs in to the device. Be sure to use a semi-colon
delimited list of Package Family Names (PFN) of Windows applications. For this policy to work, the
manifest in the Windows apps must use a startup task.
ApplicationManagement/LaunchAppAfterLogOn CSP

Cellular and Connectivity


These settings use the connectivity policy and Wi-Fi policy CSPs, which also list the supported Windows
editions.
Cellular data channel : Choose if users can use data, like browsing the web, when connected to a
cellular network. Your options:
Not configured (default): Intune doesn't change or update this setting. Users can turn it off.
Block : Don't allow the cellular data channel. Users can't turn it on.
Allow (not editable) : Allows the cellular data channel. Users can't turn it off.
Data roaming : Block prevents cellular data roaming on the device. When set to Not configured
(default), Intune doesn't change or update this setting. By default, when accessing data, roaming between
networks might be allowed.
VPN over the cellular network : Block prevents the device from accessing VPN connections when
connected to a cellular network. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow VPN to use any connection, including cellular.
VPN roaming over the cellular network : Block stops the device from accessing VPN connections
when roaming on a cellular network. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow VPN connections when roaming.
Connected devices service : Block disables the Connected Devices Platform (CDP) component. CDP
enables discovery and connection to other devices (through Bluetooth/LAN or the cloud) to support
remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow the connected devices service, which enables discovery and connection to other Bluetooth
devices.
NFC : Block prevents near field communications (NFC) capabilities. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow users to enable and
configure NFC features on the device.
Wi-Fi : Block prevents users from enabling, configuring, and using Wi-Fi connections on the device.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow Wi-Fi connections.
Automatically connect to Wi-Fi hotspots : Block prevents devices from automatically connecting to
Wi-Fi hotspots. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might let devices automatically connect to free Wi-Fi hotspots, and automatically accept
any terms and conditions for the connection.
Manual Wi-Fi configuration : Block prevents devices from connecting to Wi-Fi outside of MDM
server-installed networks. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to add and configure their own Wi-Fi connections network
SSIDs.
Wi-Fi scan interval : Enter how often devices scan for Wi-Fi networks. Enter a value from 1 (most
frequent) to 500 (least frequent). Default is 0 (zero).
Bluetooth
These settings use the Bluetooth policy CSP, which also lists the supported Windows editions.
Bluetooth : Block prevents users from enabling Bluetooth. Not configured (default) allows Bluetooth
on the device.
Bluetooth discoverability : Block prevents the device from being discoverable by other Bluetooth-
enabled devices. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow other Bluetooth-enabled devices, such as a headset, to discover the device.
Bluetooth/AllowDiscoverableMode CSP
Bluetooth pre-pairing : Block prevents specific Bluetooth devices to automatically pair with a host
device. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow automatic pairing with the host device.
Bluetooth/AllowPrepairing CSP
Bluetooth advertising : Block prevents the device from sending out Bluetooth advertisements. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow the device to send out Bluetooth advertisements.
Bluetooth/AllowAdvertising CSP
Bluetooth proximal connections : Block prevents a device user from using Swift Pair and other
proximity based scenarios. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow the device to send out Bluetooth advertisements.
Bluetooth/AllowPromptedProximalConnections CSP
Bluetooth allowed services : Add a list of allowed Bluetooth services and profiles as hex strings, such as {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF} .
ServicesAllowedList usage guide has more information on the service list.
Bluetooth/ServicesAllowedList CSP

Cloud and Storage
These settings use the accounts policy CSP, which also lists the supported Windows editions.

IMPORTANT
Blocking or disabling these Microsoft account settings can impact enrollment scenarios that require users to sign in to Azure AD. For example, if you're using Autopilot pre-provisioning (previously called white glove), users are typically shown an Azure AD sign-in window. When these settings are set to Block or Disable , the Azure AD sign-in option may not show. Instead, users are asked to accept the EULA and create a local account, which may not be what you want.

Microsoft account : Block prevents users from associating a Microsoft account with the device. Block may
also affect some enrollment scenarios that rely on users to complete the enrollment process. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
adding and using a Microsoft account.
Non-Microsoft account : Block prevents users from adding non-Microsoft accounts using the user
interface. When set to Not configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to add email accounts that aren't associated with a Microsoft account.
Settings synchronization for Microsoft account : Block prevents device and app settings associated with a Microsoft account from synchronizing between devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow this synchronization.
Microsoft Account sign-in assistant : This OS service allows users to sign in to their Microsoft account. By
default, the OS might allow users to start and stop the Microsoft Account Sign-In Assistant (wlidsvc)
service.
Not configured (default): Intune doesn't change or update this setting. By default, the OS might
allow users to start and stop the Microsoft Account Sign-In Assistant (wlidsvc) service.
Disabled : Sets the Microsoft Sign-in Assistant service (wlidsvc) to Disabled, and prevents users
from manually starting it.
Disable may also affect some enrollment scenarios that rely on users to complete the enrollment. For example, if you're using Autopilot pre-provisioning, users are typically shown an Azure AD sign-in window. When set to Disable , the Azure AD sign-in option may not show. Instead, users are asked to accept the EULA and create a local account, which may not be what you want.

Cloud Printer
These settings use the EnterpriseCloudPrint policy CSP, which also lists the supported Windows editions.
Printer discovery URL : Enter the URL for finding cloud printers. For example, enter https://cloudprinterdiscovery.contoso.com .
Printer access authority URL : Enter the authentication endpoint URL to get OAuth tokens. For example, enter https://azuretenant.contoso.com/adfs .
Azure native client app GUID : Enter the GUID of a client application allowed to get OAuth tokens from the OAuthAuthority. For example, enter E1CF1107-FF90-4228-93BF-26052DD2C714 .
Print service resource URI : Enter the OAuth resource URI for the print service configured in the Azure portal. For example, enter http://MicrosoftEnterpriseCloudPrint/CloudPrint .
Maximum printers to query : Enter the maximum number of printers that you want to be queried. The default value is 20 .
Printer discovery service resource URI : Enter the OAuth resource URI for the printer discovery service configured in the Azure portal. For example, enter http://MopriaDiscoveryService/CloudPrint .

TIP
After you set up Windows Server Hybrid Cloud Print, you can configure these settings, and then deploy them to your Windows devices.

Control Panel and Settings
Settings app : Block prevents users from accessing the Windows Settings app. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to open the Settings app on the device.
System : Block prevents access to the System area of the Settings app. When set to Not
configured (default), Intune doesn't change or update this setting.
Power and sleep settings modification (desktop only): Block prevents users from
changing the power and sleep settings on the device. Not configured (default) allows users to
change power and sleep settings.
Devices : Block prevents access to the Devices area of the Settings app on the device. When set to
Not configured (default), Intune doesn't change or update this setting.
Network Internet : Block prevents access to the Network & Internet area of the Settings app on
the device. When set to Not configured (default), Intune doesn't change or update this setting.
Personalization : Block prevents access to the Personalization area of the Settings app on the
device. When set to Not configured (default), Intune doesn't change or update this setting.
Apps : Block prevents access to the Apps area of the Settings app on the device. When set to Not
configured (default), Intune doesn't change or update this setting.
Accounts : Block prevents access to the Accounts area of the Settings app on the device. When set
to Not configured (default), Intune doesn't change or update this setting.
Time and Language : Block prevents access to the Time & Language area of the Settings app on
the device. When set to Not configured (default), Intune doesn't change or update this setting.
System Time modification : Block prevents users from changing the date and time
settings on the device. When set to Not configured (default), Intune doesn't change or
update this setting. Users can change these settings.
Region settings modification (desktop only): Block prevents users from changing the
region settings on the device. When set to Not configured (default), Intune doesn't change
or update this setting. Users can change these settings.
Language settings modification (desktop only): Block prevents users from changing the language settings on the device. When set to Not configured (default), Intune doesn't change or update this setting. Users can change these settings.
Settings policy CSP
Gaming : Block prevents access to the Gaming area of the Settings app on the device. When set to
Not configured (default), Intune doesn't change or update this setting.
Settings/PageVisibilityList CSP
Ease of Access : Block prevents access to the Ease of Access area of the Settings app on the
device. When set to Not configured (default), Intune doesn't change or update this setting.
Privacy : Block prevents access to the Privacy area of the Settings app on the device. When set to
Not configured (default), Intune doesn't change or update this setting.
Update and Security : Block prevents access to the Update & Security area of the Settings app
on the device. When set to Not configured (default), Intune doesn't change or update this setting.

Display
These settings use the display policy CSP, which also lists the supported Windows editions.
GDI DPI scaling enables applications that aren't DPI aware to become per monitor DPI aware.
Turn on GDI scaling for apps : Add the legacy apps that you want GDI DPI scaling turned on for. For example, enter filename.exe or %ProgramFiles%\Path\Filename.exe .
GDI DPI scaling is turned on for all legacy applications in your list.
Turn off GDI scaling for apps : Add the legacy apps that you want GDI DPI scaling turned off for. For example, enter filename.exe or %ProgramFiles%\Path\Filename.exe .
GDI DPI scaling is turned off for all legacy applications in your list.
You can also Import a .csv file with the list of apps.

General
These settings use the experience policy CSP, which also lists the supported Windows editions.
Screen capture (mobile only): Block prevents users from getting screenshots on the device. When set
to Not configured (default), Intune doesn't change or update this setting.
Copy and paste (mobile only) : Block prevents users from using copy-and-paste between apps on the
device. When set to Not configured (default), Intune doesn't change or update this setting.
Manual unenrollment : Block prevents users from deleting the workplace account using the workplace
control panel on the device. When set to Not configured (default), Intune doesn't change or update this
setting.
This policy setting doesn't apply if the computer is Azure AD joined and auto-enrollment is enabled.
Manual root certificate installation (mobile only): Block prevents users from manually installing root certificates, and intermediate CAP certificates. When set to Not configured (default), Intune doesn't change or update this setting.
Camera : Block prevents users from using the camera on the device. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow access to the device
camera.
Intune only manages access to the device camera. It doesn't have access to pictures or videos.
Camera CSP
OneDrive file sync : Block prevents users from synchronizing files to OneDrive from the device. When
set to Not configured (default), Intune doesn't change or update this setting.
System/DisableOneDriveFileSync CSP
Removable storage : Block prevents users from using external storage devices, like USB drives or SD
cards with the device. When set to Not configured (default), Intune doesn't change or update this
setting.
System/AllowStorageCard CSP
Geolocation : Block prevents users from turning on location services on the device. When set to Not
configured (default), Intune doesn't change or update this setting.
System/AllowLocation CSP
Internet sharing : Block prevents Internet connection sharing on the device. When set to Not
configured (default), Intune doesn't change or update this setting.
Phone reset : Block prevents users from wiping or doing a factory reset on the device. When set to Not
configured (default), Intune doesn't change or update this setting.
USB connection : Block prevents access to syncing files through a USB connection or using developer tools on a HoloLens device. When set to Not configured (default), Intune doesn't change or update this setting. USB charging isn't affected by this setting.
Connectivity/AllowUSBConnection CSP
AntiTheft mode (mobile only): Block prevents users from selecting AntiTheft mode preference on the
device. When set to Not configured (default), Intune doesn't change or update this setting.
Cortana : Block disables the Cortana voice assistant on the device. When Cortana is off, users can still search to find items on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow Cortana.
Experience/AllowCortana CSP
Voice recording (mobile only): Block prevents users from using the device voice recorder on the
device. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow voice recording for apps.
Device name modification (mobile only): Block prevents users from changing the name of the device.
When set to Not configured (default), Intune doesn't change or update this setting.
Add provisioning packages : Block prevents the runtime configuration agent from installing provisioning packages on the device. When set to Not configured (default), Intune doesn't change or update this setting.
Remove provisioning packages : Block prevents the runtime configuration agent from removing provisioning packages from the device. When set to Not configured (default), Intune doesn't change or update this setting.
Device discovery : Block prevents the device from being discovered by other devices. When set to Not configured (default), Intune doesn't change or update this setting.
Experience/AllowDeviceDiscovery
Task Switcher (mobile only): Block prevents task switching on the device. When set to Not configured
(default), Intune doesn't change or update this setting.
SIM card error dialog (mobile only): Block error messages from showing on the device if no SIM card
is detected. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might show the error messages.
Ink Workspace : Choose if and how users access the ink workspace. Your options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS might turn on the ink workspace, and users are allowed to use it above the lock screen.
Disabled on lock screen : The ink workspace is enabled and the feature is turned on. But users can't access it above the lock screen.
Disabled : Access to the ink workspace is disabled. The feature is turned off.
WindowsInkWorkspace policy CSP
Autopilot Reset : Choose Allow so users with administrative rights can delete all user data and settings using CTRL + Win + R at the device lock screen. The device is automatically reconfigured and re-enrolled into management. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent this feature.
Require users to connect to network during device setup : Choose Require so the device connects
to a network before going past the Network page during Windows setup. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow users to go past the
Network page, even if it's not connected to a network.
The setting becomes effective the next time the device is wiped or reset. Like any other Intune
configuration, the device must be enrolled and managed by Intune to receive configuration settings. But
once it's enrolled, and receiving policies, then resetting the device enforces the setting during the next
Windows setup.
TenantLockdown CSP
Direct Memory Access : Block prevents direct memory access (DMA) for all hot pluggable PCI downstream ports until a user signs into Windows. Enabled (default) allows access to DMA, even when a user isn't signed in.
DataProtection/AllowDirectMemoryAccess CSP
End processes from Task Manager : This setting determines whether non-administrators can use Task
Manager to end tasks. Block prevents standard users (non-administrators) from using Task Manager to
end a process or task on the device. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow standard users to end a process or task using Task
Manager.
TaskManager/AllowEndTask CSP
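Added example (not from the Intune documentation): a PowerShell check an administrator can run on an enrolled device to confirm that the Bluetooth and General restrictions above actually took effect, using the CSP area/policy names listed in those sections. It assumes that the MDM client mirrors applied Policy CSP values under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>, and the expected values are a constructed hardening baseline, not values from the page.

```powershell
# Verify applied device-restriction policies on a managed Windows device.
# Assumption: the MDM client writes each applied Policy CSP value to
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>.
$policyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# Area/Policy pairs are the CSP names from the Bluetooth and General sections.
# "Expected" is a constructed baseline: 0 means Block for the Allow* policies.
$checks = @(
    @{ Area = 'Bluetooth';      Policy = 'AllowDiscoverableMode';            Expected = 0 }
    @{ Area = 'Bluetooth';      Policy = 'AllowPrepairing';                  Expected = 0 }
    @{ Area = 'Bluetooth';      Policy = 'AllowAdvertising';                 Expected = 0 }
    @{ Area = 'Bluetooth';      Policy = 'AllowPromptedProximalConnections'; Expected = 0 }
    @{ Area = 'System';         Policy = 'AllowLocation';                    Expected = 0 }
    @{ Area = 'System';         Policy = 'AllowStorageCard';                 Expected = 0 }
    @{ Area = 'Connectivity';   Policy = 'AllowUSBConnection';               Expected = 0 }
    @{ Area = 'DataProtection'; Policy = 'AllowDirectMemoryAccess';          Expected = 0 }
    @{ Area = 'TaskManager';    Policy = 'AllowEndTask';                     Expected = 0 }
)

function Get-AppliedPolicyValue {
    # Returns the integer the MDM client recorded for Area/Policy, or $null
    # when the policy was never delivered to this device.
    param([string]$Area, [string]$Policy)
    $key = Join-Path $policyRoot $Area
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Policy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Policy
}

$results = foreach ($c in $checks) {
    $actual = Get-AppliedPolicyValue -Area $c.Area -Policy $c.Policy
    [pscustomobject]@{
        CSP      = "$($c.Area)/$($c.Policy)"
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
        # MISSING: profile never reached the device; DRIFT: value differs from baseline.
        State    = if ($null -eq $actual) { 'MISSING' }
                   elseif ($actual -eq $c.Expected) { 'OK' }
                   else { 'DRIFT' }
    }
}

$results | Format-Table -AutoSize

# Exit non-zero when anything is missing or drifted, so the script can run as
# a scheduled compliance check and surface failures to monitoring.
if ($results | Where-Object { $_.State -ne 'OK' }) { exit 1 }
```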

Locked screen experience
Action center notifications (mobile only) : Block prevents Action Center notifications from showing
on the device lock screen. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to choose which apps show notifications on the lock screen.
AboveLock/AllowActionCenterNotifications CSP
Locked screen picture URL (desktop only) : Enter the URL to a picture in JPG, JPEG, or PNG format
that's used as the Windows lock screen wallpaper. For example, enter https://contoso.com/image.png . This
setting locks the image, and can't be changed afterwards.
Personalization/LockScreenImageUrl CSP
User configurable screen timeout (mobile only) : Allow lets users configure the screen timeout.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might not give users this option.
DeviceLock/AllowScreenTimeoutWhileLockedUserConfig CSP
Cortana on locked screen (desktop only): Block prevents users from interacting with Cortana when the device is on the lock screen. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow interaction with Cortana.
AboveLock/AllowCortanaAboveLock CSP
Toast notifications on locked screen : Block prevents toast notifications from showing on the device
lock screen. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow these notifications.
AboveLock/AllowToasts CSP
Screen timeout (mobile only) : Set the duration (in seconds) from the screen locking to the screen
turning off. Supported values are 11-1800. For example, enter 300 to set this timeout to 5 minutes.
DeviceLock/ScreenTimeoutWhileLocked CSP

Messaging
These settings use the messaging policy CSP, which also lists the supported Windows editions.
Message sync (mobile only) : Block disables text messages from being backed up and restored, and from
syncing messages between Windows devices. Disabling helps avoid information being stored on servers
outside of the organization's control. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow users to change these settings, and sync their messages.
MMS (mobile only) : Block disables MMS send and receive functionality on the device. For enterprises, use
this policy to disable MMS on devices as part of the auditing or management requirement. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow MMS send
and receive.
RCS (mobile only) : Block disables Rich Communication Services (RCS) send and receive functionality on
the device. For enterprises, use this policy to disable RCS on devices as part of the auditing or management
requirement. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow RCS send and receive.

Microsoft Edge Legacy (Version 45 and older)
These settings use the browser policy CSP, which also lists the supported Windows editions.

NOTE
Using the browser policy CSP applies to Microsoft Edge version 45 and older. For Microsoft Edge version 77 and newer,
see Configure Microsoft Edge policy settings in Microsoft Intune.

Use Microsoft Edge kiosk mode
The available settings change depending on what you choose. Your options:
No (default): Microsoft Edge isn't running in kiosk mode. All Microsoft Edge settings are available for you to
change and configure.
Digital/Interactive signage (single app kiosk) : Filters Microsoft Edge settings that are applicable for
Digital/Interactive signage Microsoft Edge Kiosk mode for use only on Windows 10 single-app kiosks.
Choose this setting to open a URL full screen, and only show the content on that website. Set up digital signs
provides more information on this feature.
InPrivate Public browsing (single app kiosk) : Filters Microsoft Edge settings that are applicable for
InPrivate Public Browsing Microsoft Edge Kiosk mode for use on Windows 10 single-app kiosks. Runs a
multi-tab version of Microsoft Edge.
Normal mode (multi-app kiosk) : Filters Microsoft Edge settings that are applicable for Normal Microsoft
Edge Kiosk mode. Runs a full-version of Microsoft Edge with all browsing features.
Public browsing (multi-app kiosk) : Filters Microsoft Edge settings that are applicable for Public browsing
on a Windows 10 multi-app kiosk. Runs a multi-tab version of Microsoft Edge InPrivate.

TIP
For more information on what these options do, see Microsoft Edge kiosk mode configuration types.

This device restrictions profile is directly related to the kiosk profile you create using the Windows kiosk settings.
To summarize:
1. Create the Windows kiosk settings profile to run the device in kiosk mode. Select Microsoft Edge as the
application and set the Microsoft Edge Kiosk Mode in the Kiosk profile.
2. Create the device restrictions profile described in this article, and configure specific features and settings
allowed in Microsoft Edge. Be sure to choose the same Microsoft Edge kiosk mode type as selected in
your kiosk profile (Windows kiosk settings).
Supported kiosk mode settings is a great resource.

IMPORTANT
Be sure to assign this Microsoft Edge profile to the same devices as your kiosk profile (Windows kiosk settings).

ConfigureKioskMode CSP
Start experience
Start Microsoft Edge with : Choose which pages open when Microsoft Edge starts. Your options:
Custom start pages : Enter the start pages, such as http://www.contoso.com . Microsoft Edge loads the start pages you enter.
New Tab page : Microsoft Edge loads whatever is entered in the New Tab URL setting.
Last session's page : Microsoft Edge loads the last session page.
Start pages in local app settings : Microsoft Edge starts with the default start page defined by the OS.
Allow user to change start pages : Yes (default) lets users change the start pages. Administrators can use the EdgeHomepageUrls to enter the start pages that users see by default when they open Microsoft Edge. No blocks users from changing the start pages.
Allow web content on new tab page : When set to Yes (default), Microsoft Edge opens the URL entered in the New Tab URL setting. If the New Tab URL setting is blank, Microsoft Edge opens the new tab page listed in Microsoft Edge settings. Users can change it. When set to No , Microsoft Edge opens a new tab with a blank page. Users can't change it.
New Tab URL : Enter the URL to open on the New Tab page. For example, enter https://www.bing.com or https://www.contoso.com .

Home button : Choose what happens when the home button is selected. Your options:
Start pages : Opens the option you chose in the Start Microsoft Edge with setting.
New Tab page : Opens the URL you entered in the New Tab URL setting.
Home button URL : Enter the URL to open. For example, enter https://www.bing.com or https://www.contoso.com .
Hide Home button : Hides the home button.
Allow users to change home button : Yes lets users change the home button. User changes override any administrator settings for the home button. No (default) blocks users from changing how the administrator configured the home button.
Show First Run Experience page (Mobile only) : Yes (default) shows the first use introduction page
in Microsoft Edge. No stops the introduction page from showing the first time you run Microsoft Edge.
This feature allows enterprises, such as organizations enrolled in zero emissions configurations, to block
this page.
First Run Experience URL list location (Windows 10 Mobile only): Enter the URL that points to the
XML file containing the first run page URL(s). For example, enter https://www.contoso.com/sites.xml .
Refresh browser after idle time : Enter the number of idle minutes until the browser is refreshed, from
0-1440 minutes. Default is 5 minutes. When set to 0 (zero), the browser doesn't refresh after being
idle.
This setting is only available when running in InPrivate Public browsing (single-app kiosk).
Allow pop-ups (desktop only): Yes (default) allows pop-ups in the web browser. No prevents pop-up
windows in the browser.
Send intranet traffic to Internet Explorer (Desktop only): Yes lets users open intranet websites in
Internet Explorer instead of Microsoft Edge. This setting is for backwards compatibility. No (default)
allows users to use Microsoft Edge.
Enterprise mode site list location (Desktop only): Enter the URL that points to the XML file containing
a list of web sites that open in Enterprise mode. Users can't change this list. For example, enter
https://www.contoso.com/sites.xml .

Message when opening sites in Internet Explorer : Use this setting to configure Microsoft Edge to
show a notification before a site opens in Internet Explorer 11. Your options:
Don't show message : The OS default behavior is used, which may not show a message.
Show message that site is opened in Internet Explorer 11 : Show the message when opening
sites in IE. Sites open in IE.
Show message with option to open sites in Microsoft Edge : Show the message when opening
sites in Microsoft Edge. The message includes a Keep going in Microsoft Edge link so users can
choose Microsoft Edge instead of IE.

IMPORTANT
This setting requires you to use the Enterprise mode site list location setting, the Send intranet traffic to
Internet Explorer setting, or both settings.

Allow Microsoft compatibility list : Yes (default) allows using a Microsoft compatibility list. No
prevents the Microsoft compatibility list in Microsoft Edge. This list from Microsoft helps Microsoft Edge
properly display sites with known compatibility issues.
Preload start pages and New Tab page : Yes (default) uses the OS default behavior, which may be to preload these pages. Preloading minimizes the time to start Microsoft Edge, and load new tabs. No prevents Microsoft Edge from preloading start pages and the new tab page.
Prelaunch Start pages and New Tab page : Yes (default) uses the OS default behavior, which may be to prelaunch these pages. Pre-launching helps the performance of Microsoft Edge, and minimizes the time required to start Microsoft Edge. No prevents Microsoft Edge from pre-launching the start pages and new tab page.
Favorites and search
Show Favorites bar : Choose what happens to the favorites bar on any Microsoft Edge page. Your
options:
On Start and new Tab pages : Shows the favorites bar when Microsoft Edge starts, and on all Tab pages. Users can change this setting.
On all pages : Shows the favorites bar on all pages. Users can't change this setting.
Hidden : Hides the favorites bar on all pages. Users can't change this setting.
Allow changes to favorites : Yes (default) uses the OS default, which allows users to change the list.
No prevents users from adding, importing, sorting, or editing the Favorites list.
Favorites List : Add a list of URLs to the favorites file. For example, add
http://contoso.com/favorites.html .
Sync favorites between Microsoft browsers (Desktop only): Yes forces Windows to synchronize
favorites between Internet Explorer and Microsoft Edge. Additions, deletions, modifications, and order
changes to favorites are shared between browsers. No (default) uses the OS default, which may give
users the choice to sync favorites between the browsers.
Default search engine : Choose the default search engine on the device. Users can change this value at
any time. Your options:
Search engine in client Microsoft Edge settings
Bing
Google
Yahoo
Custom value: In OpenSearch Xml URL , enter an HTTPS URL with the XML file that includes the
short name and the URL to the search engine, at minimum. For example, enter
https://www.contoso.com/opensearch.xml .
Show search suggestions : Yes (default) lets your search engine suggest sites as you type search
phrases in the address bar. No prevents this feature.
Allow changes to search engine : Yes (default) allows users to add new search engines, or change the
default search engine in Microsoft Edge. Choose No to prevent users from customizing the search
engine.
This setting is only available when running in Normal mode (multi-app kiosk).
Privacy and security
Allow InPrivate browsing : Yes (default) allows InPrivate browsing in Microsoft Edge. After closing all
InPrivate tabs, Microsoft Edge deletes the browsing data from the device. No prevents users from opening
InPrivate browsing sessions.
Save browsing history : Yes (default) allows saving the browsing history in Microsoft Edge. No prevents saving the browsing history.
Clear browsing data on exit (desktop only): Yes clears the history, and browsing data when users exit
Microsoft Edge. No (default) uses the OS default, which may cache the browsing data.
Sync browser settings between user's devices : Choose how you want to sync browser settings between devices. Your options:
Allow : Allows syncing of Microsoft Edge browser settings between a user's devices.
Block and enable user override : Blocks syncing of Microsoft Edge browser settings between a user's devices. Users can override this setting.
Block : Blocks syncing of Microsoft Edge browser settings between a user's devices. Users can't override this setting.
When "block and enable user override" is selected, users can override the administrator's setting.
Allow Password Manager : Yes (default) allows Microsoft Edge to automatically use Password Manager,
which allows users to save and manage passwords on the device. No prevents Microsoft Edge from using
Password Manager.
Cookies : Choose how cookies are handled in the web browser. Your options:
Allow : Cookies are stored on the device.
Block all cookies : Cookies aren't stored on the device.
Block only third-party cookies : Third-party or partner cookies aren't stored on the device.
Allow Autofill in forms : Yes (default) allows users to change autocomplete settings in the browser, and
populate form fields automatically. No disables the Autofill feature in Microsoft Edge.
Send do-not-track headers : Yes sends do-not-track headers to websites requesting tracking info
(recommended). No (default) doesn't send headers that allow websites to track the user. Users can configure
this setting.
Show WebRTC localhost IP address : Yes (default) allows users' localhost IP address to be shown when
making phone calls using this protocol. No prevents users' localhost IP address from being shown.
Allow live tile data collection : Yes (default) allows Microsoft Edge to collect information from Live Tiles
pinned to the start menu. No prevents collecting this information, which may provide users with a limited
experience.
User can override certificate errors : Yes (default) allows users to access websites that have Secure Sockets Layer/Transport Layer Security (SSL/TLS) errors. No (recommended for increased security) prevents users from accessing websites with SSL or TLS errors.
Additional
Allow Microsoft Edge browser (mobile only): Yes (default) allows using the Microsoft Edge web
browser on the mobile device. No prevents using Microsoft Edge on devices. If you choose No , the other
individual settings only apply to desktop.
Allow address bar dropdown : Yes (default) allows Microsoft Edge to show the address bar drop-down
with a list of suggestions. No stops Microsoft Edge from showing a list of suggestions in a drop-down list
when you type. When set to No , you:
Help minimize network bandwidth between Microsoft Edge and Microsoft services.
Disable the Show search and site suggestions as I type in Microsoft Edge > Settings.
Allow full screen mode : Yes (default) allows Microsoft Edge to use fullscreen mode, which shows only
the web content and hides the Microsoft Edge UI. No prevents fullscreen mode in Microsoft Edge.
Allow about flags page : Yes (default) uses the OS default, which may allow accessing the about:flags
page. The about:flags page allows users to change developer settings and enable experimental features.
No prevents users from accessing the about:flags page in Microsoft Edge.
Allow developer tools : Yes (default) allows users to use the F12 developer tools to build and debug
web pages by default. No prevents users from using the F12 developer tools.
Allow JavaScript : Yes (default) allows scripts, such as JavaScript, to run in the Microsoft Edge browser. No prevents JavaScript in the browser from running.
User can install extensions : Yes (default) allows users to install Microsoft Edge extensions on devices.
No prevents the installation.
Allow sideloading of developer extensions : Yes (default) uses the OS default, which may allow
sideloading. Sideloading installs and runs unverified extensions. No prevents Microsoft Edge from
sideloading using the Load extensions feature. It doesn't prevent sideloading extensions using other
ways, such as PowerShell.
Required extensions : Choose which extensions can't be turned off by users in Microsoft Edge. Enter the package family names, and select Add . Find a package family name (PFN) for per app VPN provides some guidance.
You can also Import a CSV file that includes the package family names. Or, Export the package family names you enter.

Network proxy
These settings use the NetworkProxy policy CSP, which also lists the supported Windows editions.
Automatically detect proxy settings : Block disables devices from automatically detecting a proxy auto
config (PAC) script. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might enable this feature, and devices try to find the path to a PAC script.
Use proxy script : Choose Allow to enter a path to your PAC script to configure the proxy server. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not let
you enter the URL to a PAC script.
Setup script address URL : Enter the URL of a PAC script you want to use to configure the proxy
server.
Use manual proxy server : Choose Allow to manually enter the name or IP address, and TCP port number
of a proxy server. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might not let you manually enter details of a proxy server.
Address : Enter the name, or IP address of the proxy server.
Port number : Enter the port number of your proxy server.
Proxy exceptions : Enter any URLs that must not use the proxy server. Use a semicolon ( ; ) to
separate each item.
Bypass proxy server for local address : Allow doesn't use the proxy server for local intranet
addresses. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might use a proxy server for local addresses on your intranet.

Password
These settings use the DeviceLock policy CSP, which also lists the supported Windows editions.
Password : Require forces users to enter a password to access the device. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow access to devices
without a password. Applies to local accounts only. Domain account passwords remain configured by
Active Directory (AD) and Azure AD.
DeviceLock/DevicePasswordEnabled CSP
Required password type : Choose the type of password. Your options:
Not configured : Intune doesn't change or update this setting. By default, the OS might allow
the password to include numbers and letters.
Alphanumeric : Password must be a mix of numbers and letters.
Numeric : Password must only be numbers.
DeviceLock/AlphanumericDevicePasswordRequired CSP
Minimum password length : Enter the minimum number of characters required, from 4-16. For
example, enter 6 to require at least six characters in the password length. By default, the OS
might set it to 4 .
DeviceLock/MinDevicePasswordLength CSP
IMPORTANT
When the password requirement is changed on a Windows desktop, users are impacted the next time
they sign in, as that's when a device goes from idle to active. Users with passwords that meet the
requirement are still prompted to change their passwords.

Number of sign-in failures before wiping device : Enter the number of wrong passwords
allowed before the device is wiped, up to 11. The valid number you enter depends on the edition.
DeviceLock/MaxDevicePasswordFailedAttempts CSP lists the supported values. 0 (zero) may
disable the device wipe functionality.
This setting also has a different impact depending on the edition. For specific details on this
setting, see the DeviceLock/MaxDevicePasswordFailedAttempts CSP.
Maximum minutes of inactivity until screen locks : Enter the length of time a device must be
idle before the screen is locked. For example, enter 5 to lock devices after 5 minutes of being idle.
When set to Not configured , Intune doesn't change or update this setting. By default, the OS
might set it to 0 (zero), which is no timeout.
DeviceLock/MaxInactivityTimeDeviceLock CSP
Password expiration (days) : Enter the length of time in days when the device password must be
changed, from 1-365. For example, enter 90 to expire the password after 90 days. When the value
is blank, Intune doesn't change or update this setting. By default, the OS might set it to 0 (zero),
which is no expiration.
DeviceLock/DevicePasswordExpiration CSP
Prevent reuse of previous passwords : Enter the number of previously used passwords that
can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current
password or any of their previous four passwords. When the value is blank, Intune doesn't change
or update this setting.
DeviceLock/DevicePasswordHistory CSP
Require password when device returns from idle state (Mobile and Holographic): Require
forces users to enter a password to unlock the device after being idle. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might not
require a PIN or password after being idle.
DeviceLock/AllowIdleReturnWithoutPassword CSP
Simple passwords : Block prevents users from creating simple passwords, such as 1234 or
1111 . When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might let users create simple passwords. This setting also blocks using picture
passwords.
DeviceLock/AllowSimpleDevicePassword CSP
Automatic encryption during AADJ : Block prevents automatic BitLocker device encryption when
devices are prepared for first use, and when devices are Azure AD joined. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might enable encryption.
More on BitLocker device encryption.
Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices CSP
Federal Information Processing Standard (FIPS) policy : Allow uses the Federal Information
Processing Standard (FIPS) policy, which is a U.S. government standard for encryption, hashing, and
signing. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might not allow FIPS.
Cryptography/AllowFipsAlgorithmPolicy CSP
Windows Hello device authentication : Allow users to use a Windows Hello companion device, such
as a phone, fitness band, or IoT device, to sign in to a Windows 10 computer. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might prevent
Windows Hello companion devices from authenticating.
Authentication/AllowSecondaryAuthenticationDevice CSP
Preferred Azure AD tenant domain : Enter an existing domain name in your Azure AD organization.
When users in this domain sign in, they don't have to type the domain name. For example, enter
contoso.com . Users in the contoso.com domain can sign in using their user name, such as abby , instead
of abby@contoso.com .
Authentication/PreferredAadTenantDomainName CSP

Per-app privacy exceptions


Add apps that should have a different privacy behavior from what you define in "Default privacy".
Package Name : App package family name.
App Name : The name of the app.
Exceptions
Account information : Define whether this app can access the user name, picture, and other contact info.
Background apps : Define whether this app can run in the background.
Calendar : Define whether this app can access the calendar.
Call history : Define whether this app can access my call history.
Camera : Define whether this app can access the camera.
Contacts : Define whether this app can access contacts.
Email : Define whether this app can access and send email.
Location : Define whether this app can access location information.
Messaging : Define whether this app can read or send text or MMS messages.
Microphone : Define whether this app can use the microphone.
Motion : Define whether this app can access device motion information.
Notifications : Define whether this app can access notifications.
Phone : Define whether this app can access the phone.
Radios : Some apps use radios (for example, Bluetooth) in your device to send and receive data and need to
turn these radios on or off. Define whether this app can control these radios.
Tasks : Define whether this app can access your tasks.
Trusted devices : Choose if this app can use trusted devices. Trusted devices are hardware you've already
connected, or hardware that comes with device. For example, use TVs, projectors, and so on, as trusted
devices.
Feedback and diagnostics : Define whether this app can access diagnostic information.
Sync with devices : Choose if this app can automatically share and sync information with wireless devices
that don't explicitly pair with the device.

Personalization
These settings use the personalization policy CSP, which also lists the supported Windows editions.
Desktop background picture URL (Desktop only) : Enter the URL to a picture in .jpg, .jpeg or .png
format that you want to use as the Windows desktop wallpaper. Users can't change the picture. For
example, enter https://contoso.com/logo.png .
When left blank, Intune doesn't change or update this setting.

Printer
Printers : Add printers using their network host names (DNS name). The OS searches and installs
matching printer drivers for each printer on the device. If you don't enter a value, Intune doesn't change
or update this setting.
Education/PrinterNames CSP
Default printer : Enter the network host name (DNS name) of an installed printer to use as the default
printer. If you don't enter a value, Intune doesn't change or update this setting.
Education/DefaultPrinterName CSP
Add new printers : Block prevents users from adding new printers. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow adding new
printers.
Education/PreventAddingNewPrinters CSP

Privacy
These settings use the privacy policy CSP, which also lists the supported Windows editions.
Privacy experience : Block prevents the privacy experience from opening when users sign in, and from
opening for new and upgraded users. When set to Not configured (default), Intune doesn't change or
update this setting.
Privacy/DisablePrivacyExperience
Input personalization : Block prevents using voice for dictation and to talk to Cortana and other apps
that use Microsoft cloud-based speech recognition. It's disabled and users can't enable online speech
recognition using settings. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might let users choose. If you allow these services, Microsoft might collect
voice data to improve the service.
Privacy/AllowInputPersonalization CSP
Automatic acceptance of the pairing and privacy user consent prompts : Choose Allow so
Windows can automatically accept pairing and privacy consent messages when running apps. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
prevent the automatic acceptance.
Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts CSP
Publish user activities : Block prevents apps and the OS from publishing user activities. It also prevents
shared experiences and discovery of recently used resources in the activity feed. User Activities track the
state of a user's tasks in an app or the OS. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might enable this feature so apps can publish user activities.
Privacy/PublishUserActivities CSP
Local activities only : Block prevents shared experiences and the discovery of recently used resources
in task switcher, based only on local activity. When set to Not configured (default), Intune doesn't
change or update this setting.
You can configure information that all apps on the device can access. Also, define exceptions on a per-app basis
using Per-app privacy exceptions .
Exceptions
Account information : Define whether this app can access the user name, picture, and other contact info.
Background apps : Define whether this app can run in the background.
Calendar : Define whether this app can access the calendar.
Call history : Define whether this app can access my call history.
Camera : Define whether this app can access the camera.
Contacts : Define whether this app can access contacts.
Email : Define whether this app can access and send email.
Location : Define whether this app can access location information.
Messaging : Define whether this app can read or send text or MMS messages.
Microphone : Define whether this app can use the microphone.
Motion : Define whether this app can access device motion information.
Notifications : Define whether this app can access notifications.
Phone : Define whether this app can access the phone.
Radios : Some apps use radios (for example, Bluetooth) in your device to send and receive data and need to
turn these radios on or off. Define whether this app can control these radios.
Tasks : Define whether this app can access your tasks.
Trusted devices : Choose if this app can use trusted devices. Trusted devices are hardware you've already
connected, or hardware that comes with the device. For example, use TVs, projectors, and so on, as trusted
devices.
Feedback and diagnostics : Choose if this app can access diagnostic information.
Sync with devices : Define whether this app can automatically share and sync info with wireless devices
that don't explicitly pair with this PC, tablet, or phone.

Projection
These settings use the WirelessDisplay policy CSP, which also lists the supported Windows editions.
User input from wireless display receivers : Block prevents user input from wireless display
receivers. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow a wireless display to send keyboard, mouse, pen, and touch input back to the source
device.
WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver CSP
Projection to this PC : Block prevents other devices from finding the device for projection, and
prevents projecting to other devices. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow devices to be discoverable, and can project to the
device above the lock screen.
WirelessDisplay/AllowProjectionFromPC CSP
Require PIN for pairing : Require always prompts for a PIN when connecting to a projection device.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might not require a PIN to pair the device.
WirelessDisplay/RequirePinForPairing CSP

Reporting and telemetry


For information about recent changes for Windows Telemetry, see Changes to Windows diagnostic data
collection.
Share usage data : Choose the level of diagnostic data that's submitted. Your options:
Not configured (default): Intune doesn't change or update this setting. No setting is forced. Users
choose the level that's submitted. By default, the OS might not share any data.
Diagnostic data off : (Not recommended). Review the CSP System/AllowTelemetry for details about
this setting.
Required : Sends basic device information, including quality-related data, app compatibility, and other
similar data to keep the device secure and up-to-date.
Enhanced (1903 and earlier) : Additional insights, including how Windows, Windows Server,
System Center, and apps are used, how they perform, advanced reliability data, and data from the
Required level. When this option is deployed to a device that runs Windows 1909 and later, the device
is set to Required.
Optional : All data necessary to identify and help to fix problems, plus data from the Required and
Enhanced level.
System/AllowTelemetry CSP
Send Microsoft Edge browsing data to Microsoft 365 Analytics : To use this feature, set the Share
usage data settings to Enhanced or Full . This feature controls what data Microsoft Edge sends to
Microsoft 365 Analytics for enterprise devices with a configured commercial ID. Your options:
Not configured : Intune doesn't change or update this setting. By default, the OS might not collect or
send any browsing history data.
Only send intranet data : Allows the administrator to send intranet data history.
Only send internet data : Allows the administrator to send internet data history.
Send intranet and internet data : Allows the administrator to send intranet and internet data
history.
Browser/ConfigureTelemetryForMicrosoft365Analytics CSP
Telemetry proxy server : Enter the fully qualified domain name (FQDN) or IP address of a proxy server
to forward Connected User Experiences and Telemetry requests, using a Secure Sockets Layer (SSL)
connection. The format for this setting is server:port. If the named proxy fails, or if a proxy isn't entered,
then the Connected User Experiences and Telemetry data isn't sent. It stays on the local device.
If you don't enter a value, Intune doesn't change or update this setting. By default, the OS might send the
Connected User Experiences and Telemetry data to Microsoft using the default proxy configuration.
Example formats:

IPv4: 192.246.246.106:100
IPv6: [2001:4898:4010:4013:95c1:a8b2:953c:c633]:100
FQDN: www.contoso.com:345

System/TelemetryProxy CSP
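As an added example (not code from the Intune documentation), a Python validator for the server:port format described above. It accepts the three shapes the documentation lists (IPv4, bracketed IPv6, FQDN) and rejects values that would silently leave telemetry on the device, such as an unbracketed IPv6 literal, a missing or out-of-range port, or a malformed IPv4 address; run it over candidate values before entering them in the profile.

```python
import ipaddress
import re
from typing import Dict, Iterable, NamedTuple, Union

# DNS label rule (RFC 1123 style): letters, digits and hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class TelemetryProxy(NamedTuple):
    kind: str   # "ipv4", "ipv6" or "fqdn"
    host: str   # host part; IPv6 is returned without the surrounding brackets
    port: int


def _is_fqdn(host: str) -> bool:
    """True when every dotted label of host looks like a valid DNS label."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(_LABEL_RE.match(label) for label in labels)


def parse_telemetry_proxy(value: str) -> TelemetryProxy:
    """Parse a 'server:port' value for the Telemetry proxy server setting.

    Raises ValueError for anything that does not match one of the documented shapes.
    """
    value = value.strip()
    if not value:
        raise ValueError("empty proxy value")

    if value.startswith("["):
        # Bracketed IPv6 literal: '[address]:port'. Without the brackets the colons in
        # the address cannot be told apart from the port separator.
        close = value.find("]")
        if close == -1 or not value[close + 1:].startswith(":"):
            raise ValueError("IPv6 proxy must be written as [address]:port")
        host, port_text = value[1:close], value[close + 2:]
        try:
            addr = ipaddress.IPv6Address(host)
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"invalid IPv6 address: {host}") from exc
        kind, host = "ipv6", str(addr)
    else:
        if value.count(":") != 1:
            raise ValueError("expected exactly one ':' between server and port")
        host, port_text = value.split(":")
        try:
            ipaddress.IPv4Address(host)
            kind = "ipv4"
        except ipaddress.AddressValueError:
            # An all-numeric dotted host that is not a valid IPv4 address is a typo,
            # not a hostname, so do not let it pass as an FQDN.
            if host.replace(".", "").isdigit():
                raise ValueError(f"malformed IPv4 address: {host}")
            if not _is_fqdn(host):
                raise ValueError(f"server is neither an IPv4 address nor an FQDN: {host}")
            kind = "fqdn"

    if not port_text.isdigit():
        raise ValueError(f"port must be numeric: {port_text!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return TelemetryProxy(kind, host, port)


def check_profile_values(values: Iterable[str]) -> Dict[str, Union[TelemetryProxy, str]]:
    """Validate several candidate values; maps each value to its parse or an error text."""
    results: Dict[str, Union[TelemetryProxy, str]] = {}
    for candidate in values:
        try:
            results[candidate] = parse_telemetry_proxy(candidate)
        except ValueError as exc:
            results[candidate] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # The three example formats from the documentation plus constructed bad values.
    for value, outcome in check_profile_values([
        "192.246.246.106:100",
        "[2001:4898:4010:4013:95c1:a8b2:953c:c633]:100",
        "www.contoso.com:345",
        "2001:4898:4010:4013:95c1:a8b2:953c:c633:100",   # constructed: unbracketed IPv6
        "www.contoso.com",                                # constructed: no port
        "192.246.246.999:100",                            # constructed: bad octet
    ]).items():
        print(f"{value!r}: {outcome}")
```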

Search
These settings use the search policy CSP, which also lists the supported Windows editions.
Safe Search (mobile only) : Control how Cortana filters adult content in search results. Your options:
User defined : Intune doesn't change or update this setting. No setting is forced. Users choose their
own settings.
Strict : Highest filtering against adult content
Moderate : Moderate filtering against adult content. Valid search results aren't filtered.
Display web results in search : Block prevents users from using Windows Search to search the
internet, and web results aren't shown in Search. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to search the web, and the results are
shown on the device.
Diacritics : Block prevents diacritics from being shown in Windows Search. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might show
diacritics.
Search/AllowUsingDiacritics CSP
Automatic language detection : Block prevents Windows Search from automatically detecting the
language when indexing content or properties. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow this feature.
Search/AlwaysUseAutoLangDetection CSP
Search location : Block prevents Windows Search from using the location. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow this
feature.
Search/AllowSearchToUseLocation CSP
Indexer backoff : Block disables the search indexer backoff feature. Indexing continues at full speed,
even if the system activity is high. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might use backoff logic to throttle back indexing activity when
system activity is high.
Search/DisableBackoff CSP
Removable drive indexing : Block prevents locations on removable drives from being added to
libraries, and from being indexed. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow this feature.
Search/DisableRemovableDriveIndexing CSP
Low disk space indexing : Enable allows automatic indexing, even when disk space is low. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might turn off
automatic indexing when the hard disk space is 600 MB or less. If devices in your organization have
limited hard drive space, then set it to Not configured .
Search/PreventIndexingLowDiskSpaceMB CSP
Remote queries : Enable allows remote queries of the device's index. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might prevent users from
querying the device's index remotely.
Search/PreventRemoteQueries CSP

Start
These settings use the start policy CSP, which also lists the supported Windows editions.
Start menu layout : Upload an XML file that includes your customizations, including the order the apps
are listed, and more. The XML file overrides the default start layout. Users can't change the start menu
layout you enter.
When set to Not configured (default), Intune doesn't change or update this setting.
Start/StartLayout CSP
Pin websites to tiles in Start menu : Import images from Microsoft Edge. These images are shown as
links in the Windows Start menu for desktop devices. When set to Not configured (default), Intune
doesn't change or update this setting.
Start/ImportEdgeAssets CSP
Unpin apps from task bar : Block prevents users from unpinning apps from the task bar. When set to
Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow
users to unpin apps from the task bar.
Start/NoPinningToTaskbar CSP
Fast user switching : Block prevents switching between users that are logged on simultaneously
without logging off. When set to Not configured (default), Intune doesn't change or update this setting.
By default, the OS might show the Switch user on the user tile.
Start/HideSwitchAccount CSP
Most used apps : Block hides the most used apps from showing on the start menu. It also disables the
corresponding toggle in the Settings app. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might show the most used apps.
Start/HideFrequentlyUsedApps CSP
Recently added apps : Block hides recently added apps on the start menu. It also disables the
corresponding toggle in the Settings app. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might show the recently added apps on the start menu.
Start/HideRecentlyAddedApps CSP
Start screen mode : Choose the size of the start screen. Your options:
User defined : Intune doesn't change or update this setting. No setting is forced. Users can set the
size.
Full screen : Forces a fullscreen size of Start.
Non-full screen : Force a non-fullscreen size of Start.
Start/ForceStartSize CSP
Recently opened items in Jump Lists : Block hides recent jump lists from being shown on the start
menu and taskbar. It also disables the corresponding toggle in the Settings app. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might show
recently opened items in the jumplists.
Start/HideRecentJumplists CSP
App list : Choose how the all apps lists are shown. Your options:
User defined : Intune doesn't change or update this setting. No setting is forced. Users choose how
the app list is shown.
Collapse : Hides the all apps list.
Collapse and disable the Settings app : Hides the all apps list, and disables Show app list in
Start menu in the Settings app.
Removes and disables the Settings app : Hides the all apps list, removes all apps button, and
disables Show app list in Start menu in the Settings app.
Start/HideAppList CSP
Power button : Block hides the power button in the start menu. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might show the power button.
Start/HidePowerButton CSP
User Tile : Block hides the user tile in the start menu. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might show the user tile. Configure the following
settings:
Lock : Block hides the Lock option in the user tile in the start menu. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might show the Lock option.
Sign out : Block hides the Sign out option in the user tile in the start menu. Not configured
(default) shows the Sign out option.
Start/HideUserTile CSP
Shut Down : Block hides the Update and shut down and Shut down options in the power button in
the start menu. When set to Not configured (default), Intune doesn't change or update this setting.
Start/HideShutDown CSP
Sleep : Block hides the Sleep option in the power button in the start menu. When set to Not
configured (default), Intune doesn't change or update this setting.
Start/HideSleep CSP
Hibernate : Block hides the Hibernate option in the power button in the start menu. When set to Not
configured (default), Intune doesn't change or update this setting.
Start/HideHibernate CSP
Switch Account : Block hides the Switch account in the user tile in the start menu. When set to Not
configured (default), Intune doesn't change or update this setting.
Start/HideSwitchAccount CSP
Restart Options : Block hides the Update and restart and Restart options in the power button in the
start menu. When set to Not configured (default), Intune doesn't change or update this setting.
Start/HideRestart CSP
Documents on Start : Hide or show the Documents folder in the Windows Start menu. Your options:
Not configured (default): Intune doesn't change or update this setting. No setting is forced. Users
choose to show or hide the shortcut.
Hide : The shortcut is hidden, and setting is disabled in the Settings app.
Show : The shortcut is shown, and setting is disabled in the Settings app.
Start/AllowPinnedFolderDocuments CSP
Downloads on Start : Hide or show the Downloads folder in the Windows Start menu. Your options:
Not configured (default): Intune doesn't change or update this setting. No setting is forced. Users
choose to show or hide the shortcut.
Hide : The shortcut is hidden, and setting is disabled in the Settings app.
Show : The shortcut is shown, and setting is disabled in the Settings app.
Start/AllowPinnedFolderDownloads CSP
File Explorer on Start : Hide or show File Explorer in the Windows Start menu. Your options:
Not configured (default): Intune doesn't change or update this setting. No setting is forced. Users
choose to show or hide the shortcut.
Hide : The shortcut is hidden, and setting is disabled in the Settings app.
Show : The shortcut is shown, and setting is disabled in the Settings app.
Start/AllowPinnedFolderFileExplorer CSP
HomeGroup on Start : Hide or show the HomeGroup shortcut in the Windows Start menu. Your
options:
Not configured (default): Intune doesn't change or update this setting. No setting is forced. Users
choose to show or hide the shortcut.
Hide : The shortcut is hidden, and setting is disabled in the Settings app.
Show : The shortcut is shown, and setting is disabled in the Settings app.
Start/AllowPinnedFolderHomeGroup CSP
Music on Start : Hide or show the Music folder in the Windows Start menu. Your options:
Not configured (default): Intune doesn't change or update this setting. No setting is forced. Users
choose to show or hide the shortcut.
Hide : The shortcut is hidden, and setting is disabled in the Settings app.
Show : The shortcut is shown, and setting is disabled in the Settings app.
Start/AllowPinnedFolderMusic CSP
Network on Start : Hide or show Network in the Windows Start menu. Your options:
Not configured (default): Intune doesn't change or update this setting. No setting is forced. Users
choose to show or hide the shortcut.
Hide : The shortcut is hidden, and setting is disabled in the Settings app.
Show : The shortcut is shown, and setting is disabled in the Settings app.
Start/AllowPinnedFolderNetwork CSP
Personal folder on Start : Hide or show Personal folder in the Windows Start menu. Your options:
Not configured (default): Intune doesn't change or update this setting. No setting is forced. Users
choose to show or hide the shortcut.
Hide : The shortcut is hidden, and setting is disabled in the Settings app.
Show : The shortcut is shown, and setting is disabled in the Settings app.
Start/AllowPinnedFolderPersonalFolder CSP
Pictures on Start : Hide or show the folder for pictures in the Windows Start menu. Your options:
Not configured (default): Intune doesn't change or update this setting. No setting is forced. Users
choose to show or hide the shortcut.
Hide : The shortcut is hidden, and setting is disabled in the Settings app.
Show : The shortcut is shown, and setting is disabled in the Settings app.
Start/AllowPinnedFolderPictures CSP
Settings on Start : Hide or show the Settings shortcut in the Windows Start menu. Your options:
Not configured (default): Intune doesn't change or update this setting. No setting is forced. Users
choose to show or hide the shortcut.
Hide : The shortcut is hidden, and setting is disabled in the Settings app.
Show : The shortcut is shown, and setting is disabled in the Settings app.
Start/AllowPinnedFolderSettings CSP
Videos on Start : Hide or show the folder for videos in the Windows Start menu. Your options:
Not configured (default): Intune doesn't change or update this setting. No setting is forced. Users
choose to show or hide the shortcut.
Hide : The shortcut is hidden, and setting is disabled in the Settings app.
Show : The shortcut is shown, and setting is disabled in the Settings app.
Start/AllowPinnedFolderVideos CSP

Microsoft Defender SmartScreen


SmartScreen for Microsoft Edge : Require turns on Microsoft Defender SmartScreen, and prevents
users from turning it off. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might turn on SmartScreen, and allow users to turn it on and off.
Microsoft Edge uses Microsoft Defender SmartScreen (turned on) to protect users from potential
phishing scams and malicious software.
Browser/AllowSmartScreen CSP
Malicious site access : Block prevents users from ignoring the Microsoft Defender SmartScreen Filter
warnings, and blocks them from going to the site. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to ignore the warnings, and continue
to the site.
Browser/PreventSmartScreenPromptOverride CSP
Unverified file download : Block prevents users from ignoring the Microsoft Defender SmartScreen
Filter warnings, and blocks them from downloading unverified files. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow users to ignore the
warnings, and continue to download the unverified files.
Browser/PreventSmartScreenPromptOverrideForFiles CSP

Windows Spotlight
These settings use the experience policy CSP, which also lists the supported Windows editions.
Windows Spotlight : Block turns off Windows spotlight on the lock screen, Windows Tips, Microsoft
consumer features, and other related features. If your goal is to minimize network traffic from devices,
then select Yes . When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow Windows spotlight features, and might be controlled by users.
Experience/AllowWindowsSpotlight CSP
When set to Not configured , you can also allow or block the following settings:
Windows Spotlight on lock screen : Block stops Windows Spotlight from showing information
on the device lock screen. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might show Windows spotlight information on the lock screen.
Experience/ConfigureWindowsSpotlightOnLockScreen CSP
Third-party suggestions in Windows Spotlight : Block stops Windows Spotlight from
suggesting content that isn't published by Microsoft. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow app and content
suggestions from partners, and show suggested apps in the Start menu, and Windows tips.
Experience/AllowThirdPartySuggestionsInWindowsSpotlight CSP
Consumer Features : Block turns off experiences that are typically for consumers, such as start
suggestions, membership notifications, post-out of box experience app installation, and redirect
tiles. When set to Not configured (default), Intune doesn't change or update this setting.
Experience/AllowWindowsConsumerFeatures CSP
Windows Tips : Block disables pop-up Windows Tips. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow the Windows Tips to
show.
Experience/AllowWindowsTips CSP
Windows Spotlight in action center : Block prevents Windows spotlight notifications from
showing in the Action Center. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might show notifications in the Action Center that suggest
apps or features to help users be more productive on Windows.
Experience/AllowWindowsSpotlightOnActionCenter CSP
Windows Spotlight personalization : Block prevents Windows from using diagnostic data to
provide customized experiences to users. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow Microsoft to use diagnostic data to
provide personalized recommendations, tips, and offers to tailor Windows for the user's needs.
Experience/AllowTailoredExperiencesWithDiagnosticData CSP
Windows welcome experience : Block turns off the Windows spotlight Windows welcome
experience feature. The Windows welcome experience won't show when there are updates and
changes to Windows and its apps. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow Windows welcome experience that shows
users information about new, or updated features.
Experience/AllowWindowsSpotlightWindowsWelcomeExperience CSP

Microsoft Defender Antivirus


These settings use the defender policy CSP, which also lists the supported Windows editions.
Real-time monitoring : Enable turns on real-time scanning for malware, spyware, and other unwanted
software. Users can't turn it off. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS turns on this feature, and allows users to change it.
If you enable this setting, and then change it back to Not configured , then Intune leaves the setting in its
previously configured state.
Intune doesn't turn off this feature. To disable it, use a custom URI.
Defender/AllowRealtimeMonitoring CSP
Behavior monitoring : Enable turns on behavior monitoring, and checks for certain known patterns of
suspicious activity on devices. Users can't turn behavior monitoring off. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might turn on Behavior
Monitoring, and allow users to change it.
If you enable the setting, and then change it back to Not configured , then Intune leaves the setting in its
previously configured state.
Intune doesn't turn off this feature. To disable it, use a custom URI.
Defender/AllowBehaviorMonitoring CSP
Network Inspection System (NIS) : NIS helps to protect devices against network-based exploits. It uses
the signatures of known vulnerabilities from the Microsoft Endpoint Protection Center to help detect and
block malicious traffic.
Enable : Turns on network protection and network blocking. Users can't turn it off. When enabled,
users are blocked from connecting to known vulnerabilities.
Not configured (default): Intune doesn't change or update this setting. By default, the OS turns
on NIS, and allows users to change it.
If you enable the setting, and then change it back to Not configured , then Intune leaves the setting in its
previously configured state.
Intune doesn't turn off this feature. To disable it, use a custom URI.
Defender/EnableNetworkProtection CSP
Scan all downloads : Enable turns on this setting, and Defender scans all files downloaded from the
Internet. Users can't turn off this setting. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might turn on this setting, and allow users to change it.
If you enable the setting, and then change it back to Not configured , then Intune leaves the setting in its
previously configured state.
Intune doesn't turn off this feature. To disable it, use a custom URI.
Defender/AllowIOAVProtection CSP
Scan scripts loaded in Microsoft web browsers : Enable allows Defender to scan scripts that are
used in Internet Explorer. Users can't turn off this setting. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might turn on this setting, and allow users to
change it.
If you enable the setting, and then change it back to Not configured , then Intune leaves the setting in its
previously configured state.
Intune doesn't turn off this feature. To disable it, use a custom URI.
Defender/AllowScriptScanning CSP
End user access to Defender : Block hides the Microsoft Defender user interface from users. All
Microsoft Defender notifications are also suppressed. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow user access to the Microsoft
Defender UI, and allow users to change it.
If you block the setting, and then change it back to Not configured , then Intune leaves the setting in its
previously configured state.
Intune doesn't turn off this feature. To disable it, use a custom URI.
When this setting is changed, it takes effect the next time the device is restarted.
Defender/AllowUserUIAccess CSP
Security intelligence update interval (in hours) : Enter the interval that Defender checks for new
security intelligence, from 0-24. Your options:
Not configured (default): Intune doesn't change or update this setting. The operating system default
may check for updates every 8 hours.
Do not check : Defender doesn't check for new security intelligence updates.
1-24 : 1 checks every hour, 2 checks every two hours, 24 checks every day, and so on.
Defender/SignatureUpdateInterval CSP
Monitor file and program activity : Allows Defender to monitor file and program activity on devices.
Your options:
Not configured (default): Intune doesn't change or update this setting. The operating system default
may monitor all files.
Monitoring disabled
Monitor all files
Monitor incoming files only
Monitor outgoing files only
Defender/RealTimeScanDirection CSP
Days before deleting quarantined malware : Continue tracking resolved malware for the number of
days you enter so you can manually check previously affected devices.
If you don't configure this setting, or set it to 0 days, malware stays in the Quarantine folder, and isn't
automatically removed. When set to 90 , quarantine items are stored for 90 days on the system, and then
removed.
Defender/DaysToRetainCleanedMalware CSP
CPU usage limit during a scan : Limit the amount of CPU that scans are allowed to use, from 0 to
100 percent. By default, the OS might set it to 50%.

Scan archive files : Enable turns on Defender so it scans archive files, such as Zip or Cab files. Users
can't turn off this setting. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might turn on this scanning, and allow users to change it.
If you enable the setting, and then change it back to Not configured , then Intune leaves the setting in its
previously configured state.
Intune doesn't turn off this feature. To disable it, use a custom URI.
Defender/AllowArchiveScanning CSP
Scan incoming mail messages : Enable allows Defender to scan email messages as they arrive on
devices. When enabled, the engine parses the mailbox and mail files to analyze the mail body and
attachments. You can scan .pst (Outlook), .dbx, .mbx, MIME (Outlook Express), and BinHex (Mac) formats.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
turns off this scanning, and allows users to change it.
If you enable the setting, and then change it back to Not configured , then Intune leaves the setting in its
previously configured state.
Intune doesn't turn off this feature. To disable it, use a custom URI.
Defender/AllowEmailScanning CSP
Scan removable drives during a full scan : Enable turns on Defender removable drive scans during
a full scan. Users can't turn off this setting. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might let Defender scan removable drives, such as USB sticks,
and allow users to change this setting.
If you enable the setting, and then change it back to Not configured , then Intune leaves the setting in its
previously configured state.
During a quick scan, removable drives may still be scanned.
Intune doesn't turn off this feature. To disable it, use a custom URI.
Defender/AllowFullScanRemovableDriveScanning CSP
Scan mapped network drives during a full scan : Enable has Defender scan files on mapped
network drives. If the files on the drive are read-only, Defender can't remove any malware found in them.
Users can't turn off this setting.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
turns on this feature, and allows users to change it.
If you enable the setting, and then change it back to Not configured , then Intune leaves the setting in its
previously configured state.
During a quick scan, mapped network drives may still be scanned.
Intune doesn't turn off this feature. To disable it, use a custom URI.
Defender/AllowFullScanOnMappedNetworkDrives CSP
Scan files opened from network folders : Enable has Defender scan files opened from network
folders or shared network drives, such as files accessed from a UNC path. Users can't turn off this setting.
If the files on the drive are read-only, Defender can't remove any malware found in them.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
scans files opened from network folders, and allows users to change it.
If you enable the setting, and then change it back to Not configured , then Intune leaves the setting in its
previously configured state.
Intune doesn't turn off this feature. To disable it, use a custom URI.
Defender/AllowScanningNetworkFiles CSP
Cloud protection : Enable turns on the Microsoft Active Protection Service to receive information about
malware activity from devices that you manage. Users can't change this setting.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
allows the Microsoft Active Protection Service to receive information, and allows users to change this
setting.
If you enable the setting, and then change it back to Not configured , then Intune leaves the setting in its
previously configured state.
Intune doesn't turn off this feature. To disable it, use a custom URI.
Defender/AllowCloudProtection CSP
Prompt users before sample submission : Controls whether potentially malicious files that might
require further analysis are automatically sent to Microsoft. Your options:
Not configured (default): Intune doesn't change or update this setting. The operating system default
may send safe samples automatically.
Always prompt
Prompt before sending personal data
Never send data
Send all data without prompting : Data is sent automatically.
Defender/SubmitSamplesConsent CSP
Time to perform a daily quick scan : Choose the hour to run a daily quick scan. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might run this scan
at 2 AM.
If you want more customization, then configure the Type of system scan to perform setting.
Defender/ScheduleQuickScanTime CSP
Type of system scan to perform : Schedule a system scan, including the level of scanning, and the day
and time to run the scan. Your options:
Not configured : Intune doesn't change or update this setting. No setting is forced. Users can
manually run scans as needed or wanted on their devices.
Disable : Disables any system scanning on devices. Choose this option if you're using a partner antivirus
solution that scans devices.
Quick scan : Looks at common locations where there could be malware registered, such as registry
keys and known Windows startup folders.
Day scheduled : Choose the day to run the scan.
Time scheduled : Choose the hour to run the scan.
Full scan : Looks at common locations where there could be malware registered, and also scans every
file and folder on the device.
Day scheduled : Choose the day to run the scan.
Time scheduled : Choose the hour to run the scan.

TIP
This setting may conflict with the Time to perform a daily quick scan setting. Some recommendations:
If you want to schedule a daily quick scan, and a weekly full scan, then:
1. Configure the Time to perform a daily quick scan setting.
2. Configure the Type of system scan to perform to do a full scan.
If you only want one quick scan daily (no full scan), then use either setting: Time to perform a daily
quick scan or Type of system scan to perform . For example, to run a quick scan every Tuesday at 6
AM, configure the Type of system scan to perform setting.
Don't configure the Time to perform a daily quick scan setting simultaneously with the Type of
system scan to perform set to Quick scan . These settings may conflict, and a scan may not run.

Defender/ScanParameter CSP
Defender/ScheduleScanDay CSP
Defender/ScheduleScanTime CSP
Detect potentially unwanted applications : This feature identifies and blocks potentially unwanted
applications (PUA) from downloading and installing in your network. These applications aren't
considered viruses, malware, or other types of threats. But, they can run actions on endpoints that might
affect their performance or use. Choose the level of protection when Windows detects PUAs. Your
options:
Not configured (default): Intune doesn't change or update this setting. By default, Microsoft
Defender might disable this feature.
Off : PUA Protection off.
Enable : Microsoft Defender detects PUAs, and detected items are blocked. These items show in
history along with other threats.
Audit : Microsoft Defender detects PUAs, but takes no action. You can review information about the
applications Microsoft Defender would take action against. For example, search for events created by
Microsoft Defender in the Event Viewer.
For more information about potentially unwanted apps, see Detect and block potentially unwanted
applications.
Defender/PUAProtection CSP
Submit samples consent : Currently, this setting has no impact. Don't use this setting. It may be
removed in a future release.
On Access Protection : Block prevents scanning files that have been accessed or downloaded. Users
can't turn it on. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might enable this feature, and allows users to change it.
If you block the setting, and then change it back to Not configured , then Intune leaves the setting in its
previously OS-configured state.
Intune doesn't turn on this feature. To enable it, use a custom URI.
Defender/AllowOnAccessProtection CSP
Actions on detected malware threats : Select Enable to choose the actions you want Defender to take
for each threat level it detects: low, moderate, high, and severe. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might let Microsoft Defender choose the
best option.
When set to Enable , select the action:
Clean
Quarantine
Remove
Allow
User defined
Block
If your action isn't possible, then Microsoft Defender chooses the best option to ensure the threat is
remediated.
Defender/ThreatSeverityDefaultAction CSP
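The settings above all follow the same pattern: Intune writes a Policy CSP value when the setting is Enable or Block, and writes nothing when it is Not configured, so the device keeps whatever state it already had. The following PowerShell is an added example, not code from the Intune documentation or from Microsoft, for confirming on a managed Windows 10 device which Defender settings the profile actually changed and which were left alone. It assumes an elevated PowerShell session on the device, that the MDM client records applied Policy CSP values under the PolicyManager\current\device\Defender registry key, and that the CSP-node to Get-MpPreference property mapping is correct; that mapping is this example's own construction.

```powershell
# Added example (not from the Intune documentation or Microsoft): confirm on a managed
# Windows 10 device that the Defender settings pushed by a device restrictions profile took
# effect, and show which ones Intune left untouched ("Not configured").
# Assumptions: elevated PowerShell on the device; applied Policy CSP values are recorded under
# the PolicyManager\current\device\Defender key; the node-to-property mapping below is ours.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'
$pref      = Get-MpPreference
$status    = Get-MpComputerStatus

# Allow* CSP nodes (1 = Enable, 0 = Block) whose local counterpart is a Disable* switch.
$allowSwitches = [ordered]@{
    AllowRealtimeMonitoring   = 'DisableRealtimeMonitoring'
    AllowBehaviorMonitoring   = 'DisableBehaviorMonitoring'
    AllowIOAVProtection       = 'DisableIOAVProtection'
    AllowScriptScanning       = 'DisableScriptScanning'
    AllowArchiveScanning      = 'DisableArchiveScanning'
    AllowEmailScanning        = 'DisableEmailScanning'
    AllowScanningNetworkFiles = 'DisableScanningNetworkFiles'
}

function Get-CspPolicyValue {
    # Returns the integer written for a Policy CSP node, or $null when the node was never
    # configured (in that case the device keeps the state it already had).
    param([string]$Node)
    $item = Get-ItemProperty -Path $policyKey -Name $Node -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Node
}

$report = foreach ($node in $allowSwitches.Keys) {
    $policy        = Get-CspPolicyValue -Node $node
    $localDisabled = [bool]$pref.($allowSwitches[$node])
    $verdict = if ($null -eq $policy)                          { 'Not configured: local state kept' }
               elseif ($policy -eq 1 -and $localDisabled)      { 'MISMATCH: policy enables, device has it off' }
               elseif ($policy -eq 0 -and -not $localDisabled) { 'MISMATCH: policy blocks, device has it on' }
               else                                            { 'OK' }
    [pscustomobject]@{
        CspNode         = $node
        PolicyValue     = $policy
        LocallyDisabled = $localDisabled
        Verdict         = $verdict
    }
}
$report | Format-Table -AutoSize

# Settings that carry a value rather than an on/off switch: policy beside effective state,
# plus the ages Defender itself reports, so a wrong interval or schedule shows up as stale data.
[pscustomobject]@{
    SignatureUpdateIntervalPolicy = Get-CspPolicyValue -Node 'SignatureUpdateInterval'
    SignatureUpdateIntervalHours  = $pref.SignatureUpdateInterval
    SignatureAgeDays              = $status.AntivirusSignatureAge
    ScanParameterPolicy           = Get-CspPolicyValue -Node 'ScanParameter'   # 1 = quick, 2 = full
    ScheduledScanDay              = $pref.ScanScheduleDay
    QuickScanAgeDays              = $status.QuickScanAge
    FullScanAgeDays               = $status.FullScanAge
    PUAProtectionPolicy           = Get-CspPolicyValue -Node 'PUAProtection'
    PUAProtectionEffective        = $pref.PUAProtection
} | Format-List
```

A node that shows as "Not configured" with LocallyDisabled set to True is the case the text warns about: Intune never writes a 0 for these Allow* nodes, so a feature a user or an earlier policy switched off stays off until a custom OMA-URI profile (the same Policy CSP path, written explicitly) or a local change sets it.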
Microsoft Defender Antivirus Exclusions
You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. Generally,
you shouldn't need to apply exclusions . Microsoft Defender Antivirus includes a number of automatic
exclusions based on known OS behaviors and typical management files, such as those used in enterprise
management, database management, and other enterprise scenarios and situations.

WARNING
Defining exclusions lowers the protection offered by Microsoft Defender Antivirus . Always evaluate the risks
that are associated with implementing exclusions. Only exclude files you know aren't malicious.

Files and folders to exclude from scans and real-time protection : Adds one or more files and folders
like C:\Path or %ProgramFiles%\Path\filename.exe to the exclusions list. These files and folders aren't
included in any real-time or scheduled scans.
File extensions to exclude from scans and real-time protection : Add one or more file extensions like
jpg or txt to the exclusions list. Any files with these extensions aren't included in any real-time or scheduled
scans.
Processes to exclude from scans and real-time protection : Add one or more processes of the type
.exe , .com , or .scr to the exclusions list. These processes aren't included in any real-time, or scheduled scans.

Power settings
These settings use the power policy CSP, which also lists the supported Windows editions.
Battery
Battery level to turn Energy Saver on : When the device is using battery power, enter the battery
charge level to turn on Energy Saver, from 0-100. Enter a percentage value that indicates the battery
charge level. For example, when set to 80 , Energy Saver turns on when the battery has 80% charge or
less available.
If you don't enter a value, Intune doesn't change or update this setting. By default, the OS might set it to
70%.
Power/EnergySaverBatteryThresholdOnBattery CSP
Lid close (mobile only) : When the device is using battery power, choose what happens when the lid is
closed. Your options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS might
allow users to control this setting.
No action : The device stays on, and continues to use battery power.
Sleep : The device goes into sleep mode, and uses a small amount of battery charge. The computer is
still on, and opened apps and files are stored in random access memory (RAM).
Hibernate : The device goes into hibernate mode. Opened apps and files are stored on the hard disk,
and the device turns off.
Shutdown : The device shuts down. Opened apps and files are closed without saving.
Power/SelectLidCloseActionOnBattery CSP
Power button : When the device is using battery power, choose what happens when the Power button is
selected. Your options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS might
allow users to control this setting.
No action : The device stays on, and continues to use battery power.
Sleep : The device goes into sleep mode, and uses a small amount of battery charge. The computer is
still on, and opened apps and files are stored in random access memory (RAM).
Hibernate : The device goes into hibernate mode. Opened apps and files are stored on the hard disk,
and the device turns off.
Shutdown : The device shuts down. Opened apps and files are closed without saving.
Power/SelectPowerButtonActionOnBattery CSP
Sleep button : When the device is using battery power, choose what happens when the Sleep button is
selected. Your options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS might
allow users to control this setting.
No action : The device stays on, and continues to use battery power.
Sleep : The device goes into sleep mode and uses a small amount of battery charge. The computer is
still on, and opened apps and files are stored in random access memory (RAM).
Hibernate : The device goes into hibernate mode. Opened apps and files are stored on the hard disk,
and the device turns off.
Shutdown : The device shuts down. Opened apps and files are closed without saving.
Power/SelectSleepButtonActionOnBattery CSP
Hybrid sleep : When the device is using battery power, choose to allow or disable hybrid sleep mode.
Not configured (default): Intune doesn't change or update this setting. By default, the OS might
allow users to control this setting.
Enable : Devices can go into hybrid sleep mode. Opened apps and files are stored in random access
memory (RAM), and on the hard disk. It uses a small amount of battery charge.
Disable : Prevents devices from going into hybrid sleep mode.
Power/TurnOffHybridSleepOnBattery CSP
PluggedIn
Battery level to turn Energy Saver on : When the device is plugged in, enter the battery charge level
to turn on Energy Saver from 0-100. Enter a percentage value that indicates the battery charge level. For
example, when set to 80 , Energy Saver turns on when the battery has 80% charge or less available.
If you don't enter a value, Intune doesn't change or update this setting. By default, the OS might set it to
70%.
Power/EnergySaverBatteryThresholdPluggedIn CSP
Lid close (mobile only) : When the device is plugged in, choose what happens when the lid is closed.
Your options:
Not configured (default): Intune doesn't change or update this setting.
No action : The device stays on.
Sleep : The device goes into sleep mode. The computer is still on, and opened apps and files are
stored in random access memory (RAM).
Hibernate : The device goes into hibernate mode. Opened apps and files are stored on the hard
disk, and the device turns off.
Shutdown : The device shuts down. Opened apps and files are closed without saving.
Power/SelectLidCloseActionPluggedIn CSP
Power button : When the device is plugged in, choose what happens when the Power button is selected.
Your options:
Not configured (default): Intune doesn't change or update this setting.
No action : The device stays on.
Sleep : The device goes into sleep mode. The computer is still on, and opened apps and files are stored
in random access memory (RAM).
Hibernate : The device goes into hibernate mode. Opened apps and files are stored on the hard disk,
and the device turns off.
Shutdown : The device shuts down. Opened apps and files are closed without saving.
Power/SelectPowerButtonActionPluggedIn CSP
Sleep button : When the device is plugged in, choose what happens when the Sleep button is selected.
Your options:
Not configured (default): Intune doesn't change or update this setting.
No action : The device stays on.
Sleep : The device goes into sleep mode. The computer is still on, and opened apps and files are stored
in random access memory (RAM).
Hibernate : The device goes into hibernate mode. Opened apps and files are stored on the hard disk,
and the device turns off.
Shutdown : The device shuts down. Opened apps and files are closed without saving.
Power/SelectSleepButtonActionPluggedIn CSP
Hybrid sleep : When the device is plugged in, choose to allow or disable hybrid sleep mode.
Not configured (default): Intune doesn't change or update this setting. By default, the OS might
allow users to control this setting.
Enable : Devices can go into hybrid sleep mode. Opened apps and files are stored in random access
memory (RAM), and on the hard disk.
Disable : Prevents devices from going into hybrid sleep mode.
Power/TurnOffHybridSleepPluggedIn CSP

Next steps
For additional technical details on each setting and what editions of Windows are supported, see Windows 10
Policy CSP Reference
Assign the profile, and monitor its status.
Windows 10 Team settings to allow or restrict
features on Surface Hub devices using Intune
3/5/2021 • 3 minutes to read

NOTE
Intune may support more settings than the settings listed in this article. Not all settings are documented, and won’t be
documented. To see the settings you can configure, create a device configuration profile, and select Settings Catalog .
For more information, see Settings catalog.

This article describes some of the Microsoft Intune device restrictions settings that you can configure for devices
running Windows 10 Team, including the Surface Hub devices.

Before you begin


Create a Windows 10 Team device restrictions configuration profile.

Apps and experience


These settings use the SurfaceHub CSP.
Wake screen when someone in room : Block prevents the screen from waking automatically when its
sensor detects someone in the room. When set to Not configured (default), Intune doesn't change or
update this setting.
Meeting information displayed on welcome screen : Choose the information that's shown on the
Meetings tile of the Welcome screen. Your options:
Not configured (default): Intune doesn't change or update this setting.
Organizer and time only
Organizer, time, and subject (subject hidden for private meetings)
Welcome screen background image URL : Enter the URL of a .png image that you want as a custom
background on the Welcome screen on Windows 10 Team devices. The image must be in PNG format, and
the URL must begin with https:// .
Auto-launch Connect : Block prevents the Connect app from automatically opening when a projection is
started. If blocked, users can manually launch the Connect app from the Hub's settings. When set to Not
configured (default), Intune doesn't change or update this setting.
Sign-in suggestions : Block disables autofilling the sign-in dialog with invitees from scheduled meetings.
When set to Not configured (default), Intune doesn't change or update this setting.
My meetings and files : Block disables the My meetings and files feature in the Start menu. This feature
shows the signed-in user's meetings and files from Microsoft 365. When set to Not configured (default),
Intune doesn't change or update this setting.

Azure operational insights


Azure Operational Insights : Enable collects, stores, and analyzes log data from Windows 10 Team
devices with Azure Operational Insights. Azure Operational Insights is part of the Microsoft Operations
Manager suite. Enter the Workspace ID and Workspace Key to connect to Azure Operational insights.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might not collect this data.

Maintenance
These settings use the SurfaceHub CSP.
Maintenance window for updates : Enable creates a maintenance window when updates can be
installed. Enter the maintenance window Start time , and the Duration in hours , from 1-5 hours.
When set to Not configured (default), Intune doesn't change or update this setting.

Session
These settings use the SurfaceHub CSP.
Volume : Enter the default volume value for a new session, from 0-100. When left blank, Intune doesn't
change or update this setting. By default, the OS might set the volume to 45.
Screen timeout : Enter the number of minutes until the Hub screen turns off.
Session timeout : Enter the number of minutes until the session times out.
Sleep timeout : Enter the number of minutes until the Hub enters sleep mode.
Session resume : Block prevents users from resuming a session when the session times out. When set to
Not configured (default), Intune doesn't change or update this setting.

Wireless projection
These settings use the SurfaceHub CSP.
PIN for wireless projection : Require forces users to enter a PIN before using the wireless projection
features on the device. When set to Not configured (default), Intune doesn't change or update this setting.
Miracast wireless projection : Block prevents using Miracast-enabled devices to project. When set to Not
configured (default), Intune doesn't change or update this setting.
Miracast wireless projection channel : Select the Miracast channel to establish the connection.

Next steps
For more information, see How to configure device restriction settings.
Assign the profile, and monitor its status.
Windows 10 (and newer) device settings to upgrade
editions or enable S mode in Intune
3/5/2021 • 2 minutes to read

NOTE
Intune may support more settings than the settings listed in this article. Not all settings are documented, and won’t be
documented. To see the settings you can configure, create a device configuration profile, and select Settings Catalog .
For more information, see Settings catalog.

Microsoft Intune includes many settings to help manage and protect your devices. This article describes some of
the settings to upgrade editions or enable S mode on Windows 10 devices. These settings are created in an
upgrade configuration profile in Intune that are pushed or deployed to devices.
As part of your mobile device management (MDM) solution, use these settings to control the edition and S
mode options for your Windows 10 devices.
For more information on this feature, see Upgrade Windows 10 editions or enable S mode.

Before you begin


Create a Windows 10 edition upgrade and mode switch device configuration profile.

Edition upgrade
Edition to upgrade to : Select the Windows 10 edition that you're upgrading to. The devices targeted by
this policy are upgraded to the edition you choose.
Product Key : Enter the product key that you received from Microsoft. After you create the policy with the
product key, the key can't be updated, and is hidden for security reasons. To change the product key, enter the
entire key again.
License File : For Windows 10 Holographic for Business , choose Browse to select the license file you
received from Microsoft. This license file includes license information for the editions you're upgrading the
devices to.

Mode switch
Switch out of S mode : Switches the device out of S mode. Your options:
No configuration : Intune doesn't change or update this setting. By default, the S mode device might
stay in S mode. Users can switch the device out of S mode.
Keep in S mode : Prevents users from switching the device out of S mode.
Switch : Allows users to switch the device out of S mode.

Next steps
Assign the profile, and monitor its status.
You can also create edition upgrade profiles for Windows Holographic for Business devices.
Email profile settings for devices running Windows
10 in Microsoft Intune
3/5/2021 • 2 minutes to read

NOTE
Intune may support more settings than the settings listed in this article. Not all settings are documented, and won’t be
documented. To see the settings you can configure, create a device configuration profile, and select Settings Catalog .
For more information, see Settings catalog.

Use the email profile settings to configure the Mail app on your devices running Windows 10 and newer. This
article describes some of the settings you can configure.

Before you begin


Create a Windows 10 Email device configuration profile.

Email settings
Email server : Enter the host name of your Exchange server. For example, enter outlook.office365.com .
Account name : Enter the display name for the email account. This name is shown to users on their
devices.
Username attribute from AAD : This name is the attribute Intune gets from Azure Active Directory
(AAD). Intune dynamically generates the username that's used by this profile. Your options:
User Principal Name : Gets the name, such as user1 or user1@contoso.com .
Primary SMTP address : Gets the name in email address format, such as user1@contoso.com .
sAM Account Name : Requires the domain, such as domain\user1 . Also enter:
User domain name source : Select AAD (Azure Active Directory) or Custom .
When getting the attributes from AAD , also enter:
User domain name attribute from AAD : Choose to get the Full domain name or
the NetBIOS name attribute of the user.
When using Custom attributes, also enter:
Custom domain name to use : Enter a value that Intune uses for the domain name,
such as contoso.com or contoso .
Email address attribute from AAD : Intune gets this attribute from Azure Active Directory (AAD).
Choose how the email address for the user is generated. Your options:
User principal name : Uses the full principal name as the email address, such as user1@contoso.com
or user1 .
Primary SMTP address : Uses the primary SMTP address to sign in to Exchange, such as
user1@contoso.com .

Security
SSL : Enable uses Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server. Disable doesn't require SSL.
Synchronization
Amount of email to synchronize : Select the number of days of email that you want to synchronize.
When set to Not configured (default), Intune doesn't change or update this setting. Select Unlimited to
synchronize all available email.
Sync schedule : Select the schedule for devices to synchronize data from the Exchange server. You can
also select As Messages arrive , which synchronizes data as soon as it arrives. Or, select Manual so the
device user starts the synchronization.
When set to Not configured (default), Intune doesn't change or update this setting.
Content sync
Content type to sync : Select the content types that you want to synchronize to devices. Your options:
Contacts : On syncs the contacts. Off doesn't automatically sync the contacts. Users manually sync.
Calendar : On syncs the calendar. Off doesn't automatically sync the calendar. Users manually sync.
Tasks : On syncs the tasks. Off doesn't automatically sync the tasks. Users manually sync.

Next steps
You can also configure the email settings on Android, Android Enterprise, and iOS/iPadOS.
Learn more about the email settings in Intune.
Assign the profile, and monitor its status.
Windows 10 (and later) settings to protect devices using Intune
3/5/2021 • 44 minutes to read

NOTE
Intune may support more settings than the settings listed in this article. Not all settings are documented, and won’t be
documented. To see the settings you can configure, create a device configuration profile, and select Settings Catalog .
For more information, see Settings catalog.

Microsoft Intune includes many settings to help protect your devices. This article describes some of the settings
you can enable and configure in Windows 10 and newer devices. These settings are created in an endpoint
protection configuration profile in Intune to control security, including BitLocker and Microsoft Defender.
To configure Microsoft Defender Antivirus, see Windows 10 device restrictions.

Before you begin


Create an endpoint protection device configuration profile.
For more information about configuration service providers (CSPs), see Configuration service provider
reference.

Microsoft Defender Application Guard


While using Microsoft Edge, Microsoft Defender Application Guard protects your environment from sites that
aren't trusted by your organization. When users visit sites that aren't listed in your isolated network boundary,
the sites open in a Hyper-V virtual browsing session. Trusted sites are defined by a network boundary, which is
configured in Device Configuration. For more information, see Create a network boundary on Windows devices.
Application Guard is only available for Windows 10 (64-bit) devices. Using this profile installs a Win32
component to activate Application Guard.
Application Guard
Default : Not configured
Application Guard CSP: Settings/AllowWindowsDefenderApplicationGuard
Enabled for Edge - Turns on this feature, which opens untrusted sites in a Hyper-V virtualized
browsing container.
Not configured - Any site (trusted and untrusted) can open on the device.
Clipboard behavior
Default : Not configured
Application Guard CSP: Settings/ClipboardSettings
Choose what copy and paste actions are allowed between the local PC and the Application Guard virtual
browser.
Not configured
Allow copy and paste from PC to browser only
Allow copy and paste from browser to PC only
Allow copy and paste between PC and browser
Block copy and paste between PC and browser
Clipboard content
This setting is available only when Clipboard behavior is set to one of the allow settings.
Default : Not configured
Application Guard CSP: Settings/ClipboardFileType
Select the allowed clipboard content.
Not configured
Text
Images
Text and images
External content on enterprise sites
Default : Not configured
Application Guard CSP: Settings/BlockNonEnterpriseContent
Block - Block content from unapproved websites from loading.
Not configured - Non-enterprise sites can open on the device.
Print from virtual browser
Default : Not configured
Application Guard CSP: Settings/PrintingSettings
Allow - Allows the printing of selected content from the virtual browser.
Not configured - Disables all print features.
When you Allow printing, you can then configure the following setting:
Printing type(s) : Select one or more of the following options:
PDF
XPS
Local printers
Network printers
Collect logs
Default : Not configured
Application Guard CSP: Audit/AuditApplicationGuard
Allow - Collect logs for events that occur within an Application Guard browsing session.
Not configured - Don't collect any logs within the browsing session.
Retain user-generated browser data
Default : Not configured
Application Guard CSP: Settings/AllowPersistence
Allow - Save user data (such as passwords, favorites, and cookies) that's created during an Application
Guard virtual browsing session.
Not configured - Discard user-downloaded files and data when the device restarts, or when a user
signs out.
Graphics acceleration
Default : Not configured
Application Guard CSP: Settings/AllowVirtualGPU
Enable - Load graphic-intensive websites and video faster by getting access to a virtual graphics
processing unit.
Not configured - Use the device's CPU for graphics; don't use the virtual graphics processing unit.
Download files to host file system
Default : Not configured
Application Guard CSP: Settings/SaveFilesToHost
Enable - Users can download files from the virtualized browser onto the host operating system.
Not configured - Keeps the files local on the device, and doesn't download files to the host file
system.

Microsoft Defender Firewall


Global settings
These settings are applicable to all network types.
File Transfer Protocol
Default : Not configured
Firewall CSP: MdmStore/Global/DisableStatefulFtp
Block - Disable stateful FTP.
Not configured - The firewall does stateful FTP filtering to allow secondary connections.
Security association idle time before deletion
Default : Not configured
Firewall CSP: MdmStore/Global/SaIdleTime
Specify an idle time in seconds, after which security associations are deleted.
Pre-shared key encoding
Default : Not configured
Firewall CSP: MdmStore/Global/PresharedKeyEncoding
Enable - Encode pre-shared keys using UTF-8.
Not configured - Encode pre-shared keys using the local store value.
IPsec exemptions
Default : 0 selected
Firewall CSP: MdmStore/Global/IPsecExempt
Select one or more of the following types of traffic to be exempt from IPsec:
Neighbor discovery IPv6 ICMP type-codes
ICMP
Router discovery IPv6 ICMP type-codes
Both IPv4 and IPv6 DHCP network traffic
Certificate revocation list verification
Default : Not configured
Firewall CSP: MdmStore/Global/CRLcheck
Choose how the device verifies the certificate revocation list. Options include:
Disable CRL verification
Fail CRL verification on revoked certificate only
Fail CRL verification on any error encountered
Opportunistically match authentication set per keying module
Default : Not configured
Firewall CSP: MdmStore/Global/OpportunisticallyMatchAuthSetPerKM
Enable - Keying modules must ignore only the authentication suites that they don't support.
Not configured - Keying modules must ignore the entire authentication set if they don't support all of
the authentication suites specified in the set.
Packet queuing
Default : Not configured
Firewall CSP: MdmStore/Global/EnablePacketQueue
Specify how software scaling on the receive side is enabled for the encrypted receive and clear text
forward for the IPsec tunnel gateway scenario. This setting confirms the packet order is preserved.
Options include:
Not configured
Disable all packet queuing
Queue inbound encrypted packets only
Queue packets after decryption is performed for forwarding only
Configure both inbound and outbound packets
Network settings
The following settings are each listed in this article a single time, but all apply to the three specific network
types:
Domain (workplace) network
Private (discoverable) network
Public (non-discoverable) network
General settings
Microsoft Defender Firewall
Default : Not configured
Firewall CSP: EnableFirewall
Enable - Turn on the firewall, and advanced security.
Not configured - Allows all network traffic, regardless of any other policy settings.
Stealth mode
Default : Not configured
Firewall CSP: DisableStealthMode
Not configured
Block - Firewall is blocked from operating in stealth mode. Blocking stealth mode allows you to also
block IPsec secured packet exemption .
Allow - The firewall operates in stealth mode, which helps prevent responses to probing requests.
IPsec secured packet exemption with Stealth Mode
Default : Not configured
Firewall CSP: DisableStealthModeIpsecSecuredPacketExemption
This option is ignored if Stealth mode is set to Block.
Not configured
Block - IPSec secured packets do not receive exemptions.
Allow - Enable exemptions. The firewall's stealth mode MUST NOT prevent the host computer from
responding to unsolicited network traffic that is secured by IPsec.
Shielded
Default : Not configured
Firewall CSP: Shielded
Not configured
Block - When the Microsoft Defender Firewall is on and this setting is set to Block, all incoming traffic
is blocked, regardless of other policy settings.
Allow - When set to Allow, this setting is turned off, and incoming traffic is allowed based on other
policy settings.
Unicast responses to multicast broadcasts
Default : Not configured
Firewall CSP: DisableUnicastResponsesToMulticastBroadcast
Typically, you don't want to receive unicast responses to multicast or broadcast messages. These
responses can indicate a denial of service (DoS) attack, or an attacker trying to probe a known live
computer.
Not configured
Block - Disable unicast responses to multicast broadcasts.
Allow - Allow unicast responses to multicast broadcasts.
Inbound notifications
Default : Not configured
Firewall CSP: DisableInboundNotifications
Not configured
Block - Hide notifications to users when an app is blocked from listening on a port.
Allow - Enables this setting, and may show a notification to users when an app is blocked from
listening on a port.
Default action for outbound connections
Default : Not configured
Firewall CSP: DefaultOutboundAction
Configure the default action firewall performs on outbound connections. This setting will get applied to
Windows version 1809 and above.
Not configured
Block - The default firewall action isn't run on outbound traffic unless it's explicitly specified not to
block.
Allow - Default firewall actions run on outbound connections.
Default action for inbound connections
Default : Not configured
Firewall CSP: DefaultInboundAction
Not configured
Block - The default firewall action isn't run on inbound connections.
Allow - Default firewall actions run on inbound connections.
Rule merging
Authorized application Microsoft Defender Firewall rules from the local store
Default : Not configured
Firewall CSP: AuthAppsAllowUserPrefMerge
Not configured
Block - The authorized application firewall rules in the local store are ignored and not enforced.
Allow - Applies firewall rules in the local store so they're recognized and enforced.
Global port Microsoft Defender Firewall rules from the local store
Default : Not configured
Firewall CSP: GlobalPortsAllowUserPrefMerge
Not configured
Block - The global port firewall rules in the local store are ignored and not enforced.
Allow - Apply global port firewall rules in the local store to be recognized and enforced.
Microsoft Defender Firewall rules from the local store
Default : Not configured
Firewall CSP: AllowLocalPolicyMerge
Not configured
Block - Firewall rules from the local store are ignored and not enforced.
Allow - Apply firewall rules in the local store to be recognized and enforced.
IPsec rules from the local store
Default : Not configured
Firewall CSP: AllowLocalIpsecPolicyMerge
Not configured
Block - The connection security rules from the local store are ignored and not enforced, regardless of
the schema version and connection security rule version.
Allow - Apply connection security rules from the local store, regardless of schema or connection
security rule versions.
Firewall rules
You can Add one or more custom Firewall rules. For more information, see Add custom firewall rules for
Windows 10 devices.
Custom Firewall rules support the following options:
General settings:
Name
Default : No name
Specify a friendly name for your rule. This name will appear in the list of rules to help you identify it.
Description
Default : No description
Provide a description of the rule.
Direction
Default : Not configured
Firewall CSP: FirewallRules/FirewallRuleName/Direction
Specify if this rule applies to Inbound , or Outbound traffic. When set as Not configured , the rule
automatically applies to Outbound traffic.
Action
Default : Not configured
Firewall CSP: FirewallRules/FirewallRuleName/Action, and FirewallRules/FirewallRuleName/Action/Type
Select from Allow or Block . When set as Not configured , the rule defaults to allow traffic.
Network type
Default : 0 selected
Firewall CSP: FirewallRules/FirewallRuleName/Profiles
Select up to three types of network types to which this rule belongs. Options include Domain , Private ,
and Public . If no network types are selected, the rule applies to all three network types.
Application settings
Application(s)
Default : All
Control connections for an app or program. Select one of the following options, and then complete the
additional configuration:
Package family name – Specify a package family name. To find the package family name, use the
PowerShell command Get-AppxPackage .
Firewall CSP: FirewallRules/FirewallRuleName/App/PackageFamilyName
File path – You must specify a file path to an app on the client device, which can be an absolute
path, or a relative path. For example: C:\Windows\System\Notepad.exe or
%WINDIR%\Notepad.exe.
Firewall CSP: FirewallRules/FirewallRuleName/App/FilePath
Windows service – Specify the Windows service short name if it's a service and not an
application that sends or receives traffic. To find the service short name, use the PowerShell
command Get-Service .
Firewall CSP: FirewallRules/FirewallRuleName/App/ServiceName
All – No additional configuration is available.
IP address settings
Specify the local and remote addresses to which this rule applies.
Local addresses
Default : Any address
Firewall CSP: FirewallRules/FirewallRuleName/LocalPortRanges
Select Any address or Specified address .
When you use Specified address, you add one or more addresses as a comma-separated list of local
addresses that are covered by the rule. Valid tokens include:
Use an asterisk "*" for any local address. If you use an asterisk, it must be the only token you use.
To specify a subnet, use either the subnet mask or network prefix notation. If neither a subnet mask nor
a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included.
Remote addresses
Default : Any address
Firewall CSP: FirewallRules/FirewallRuleName/RemoteAddressRanges
Select Any address or Specified address .
When you use Specified address, you add one or more addresses as a comma-separated list of remote
addresses that are covered by the rule. Tokens aren't case-sensitive. Valid tokens include:
Use an asterisk "*" for any remote address. If you use an asterisk, it must be the only token you use.
"Defaultgateway"
"DHCP"
"DNS"
"WINS"
"Intranet" (supported on Windows versions 1809 and later)
"RmtIntranet" (supported on Windows versions 1809 and later)
"Internet" (supported on Windows versions 1809 and later)
"Ply2Renders" (supported on Windows versions 1809 and later)
"LocalSubnet" indicates any local address on the local subnet.
To specify a subnet, use either the subnet mask or network prefix notation. If neither a subnet mask nor
a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included.
Port and protocol settings
Specify the local and remote ports to which this rule applies.
Protocol
Default : Any
Firewall CSP: FirewallRules/FirewallRuleName/Protocol
Select from the following, and complete any required configurations:
All – No additional configuration is available.
TCP – Configure local and remote ports. Both options support All ports or Specified ports. Enter
Specified ports by using a comma-separated list.
Local ports - Firewall CSP: FirewallRules/FirewallRuleName/LocalPortRanges
Remote ports - Firewall CSP: FirewallRules/FirewallRuleName/RemotePortRanges
UDP – Configure local and remote ports. Both options support All ports or Specified ports. Enter
Specified ports by using a comma-separated list.
Local ports - Firewall CSP: FirewallRules/FirewallRuleName/LocalPortRanges
Remote ports - Firewall CSP: FirewallRules/FirewallRuleName/RemotePortRanges
Custom – Specify a custom protocol number from 0 to 255.
Advanced configuration
Interface types
Default : 0 selected
Firewall CSP: FirewallRules/FirewallRuleName/InterfaceTypes
Select from the following options:
Remote access
Wireless
Local area network
Only allow connections from these users
Default : All users (Defaults to all users when no list is specified)
Firewall CSP: FirewallRules/FirewallRuleName/LocalUserAuthorizationList
Specify a list of authorized local users for this rule. A list of authorized users can't be specified if this rule
applies to a Windows service.
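As an added example (not Microsoft's or Intune's code), the following Python checks a custom rule's address tokens, protocol and port lists against the grammar described above before the rule is assigned; the rule dictionary keys, the sample rules and the acceptance of "start-end" port ranges are assumptions of this example.

```python
"""Validate the address and port lists of a custom Intune firewall rule.

Added example, not Microsoft's code: it checks a rule's address tokens, protocol
and port lists against the grammar this article describes, so a malformed list
is caught before the rule is assigned. Assumption: a port entry may also be a
"start-end" range (the CSP nodes are named ...PortRanges).
"""
import ipaddress
import re

# Named remote-address tokens from the article; matching is case-insensitive.
REMOTE_KEYWORDS = {
    "defaultgateway", "dhcp", "dns", "wins", "localsubnet",
    "intranet", "rmtintranet", "internet", "ply2renders",
}
# Per the article, these four are supported on Windows 1809 and later only.
KEYWORDS_1809 = {"intranet", "rmtintranet", "internet", "ply2renders"}

# "start address-end address" with no spaces; IP literals never contain '-'.
_RANGE = re.compile(r"^([^\s/-]+)-([^\s/-]+)$")


def _check_address(token, remote, min_build):
    """Return None if one address token is valid, else an error string."""
    low = token.lower()
    if remote and low in REMOTE_KEYWORDS:
        if low in KEYWORDS_1809 and min_build < 1809:
            return f"{token!r} needs Windows 1809 or later"
        return None
    m = _RANGE.match(token)
    try:
        if m:  # IPv4 or IPv6 range: same family, start must not exceed end
            start, end = (ipaddress.ip_address(p) for p in m.groups())
            if start.version != end.version:
                return f"{token!r} mixes IPv4 and IPv6"
            if start > end:
                return f"{token!r} has its start after its end"
        elif "/" in token:  # subnet as prefix length or dotted subnet mask
            ipaddress.ip_network(token, strict=False)
        else:  # single address; an IPv4 mask defaults to 255.255.255.255
            ipaddress.ip_address(token)
    except ValueError:
        return f"{token!r} is not a valid address, subnet or range"
    return None


def validate_addresses(spec, remote=False, min_build=1809):
    """Validate a comma-separated address list; returns a list of errors."""
    tokens = [t.strip() for t in spec.split(",")] if spec.strip() else []
    if not tokens:
        return ["address list is empty"]
    if "*" in tokens:  # the asterisk must be the only token
        return [] if tokens == ["*"] else ['"*" must be the only token']
    errors = [_check_address(t, remote, min_build) for t in tokens]
    return [e for e in errors if e]


def validate_ports(spec):
    """Validate a comma-separated port list (0-65535, optional a-b ranges)."""
    errors = []
    for tok in (t.strip() for t in spec.split(",")):
        parts = tok.split("-")
        if len(parts) > 2 or not all(p.isdigit() for p in parts):
            errors.append(f"{tok!r} is not a port or port range")
            continue
        nums = [int(p) for p in parts]
        if max(nums) > 65535 or nums != sorted(nums):
            errors.append(f"{tok!r} is out of range")
    return errors


def validate_rule(rule, min_build=1809):
    """Validate a rule dict keyed by the field names used in this article."""
    errors = validate_addresses(rule.get("local_addresses", "*"), False, min_build)
    errors += validate_addresses(rule.get("remote_addresses", "*"), True, min_build)
    proto = rule.get("protocol", "All")
    if proto in ("TCP", "UDP"):  # a missing or None port field means "All ports"
        for field in ("local_ports", "remote_ports"):
            if rule.get(field) is not None:
                errors += validate_ports(rule[field])
    elif isinstance(proto, int):  # Custom protocol number
        if not 0 <= proto <= 255:
            errors.append(f"custom protocol {proto} must be 0-255")
    elif proto != "All":
        errors.append(f"unknown protocol {proto!r}")
    return errors


# Constructed sample rules (not real policy) to exercise the checks.
GOOD_RULE = {"name": "Allow RDP from the management subnet", "direction": "Inbound",
             "action": "Allow", "protocol": "TCP", "local_addresses": "*",
             "remote_addresses": "10.20.0.0/24, LocalSubnet, fd00::1-fd00::ff",
             "local_ports": "3389", "remote_ports": None}
BAD_RULE = {"name": "Rule with typos", "protocol": "TCP",
            "local_addresses": "*, 10.0.0.5",                     # "*" not alone
            "remote_addresses": "10.0.0.1 - 10.0.0.9, Internet",  # spaces in range
            "local_ports": "443, 99999"}                          # port too large

if __name__ == "__main__":
    for rule in (GOOD_RULE, BAD_RULE):
        print(rule["name"], "->", validate_rule(rule) or "OK")
```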

Microsoft Defender SmartScreen settings


Microsoft Edge must be installed on the device.
SmartScreen for apps and files
Default : Not configured
SmartScreen CSP: SmartScreen/EnableSmartScreenInShell
Not configured - Disables use of SmartScreen.
Enable - Enable Windows SmartScreen for file execution, and running apps. SmartScreen is a cloud-
based anti-phishing and anti-malware component.
Unverified files execution
Default : Not configured
SmartScreen CSP: SmartScreen/PreventOverrideForFilesInShell
Not configured - Disables this feature, and allows end users to run files that haven't been verified.
Block - Prevent end users from running files that haven't been verified by Windows SmartScreen.

Windows Encryption
Windows Settings
Encrypt devices
Default : Not configured
BitLocker CSP: RequireDeviceEncryption
Require - Prompt users to enable device encryption. Depending on the Windows edition and system
configuration, users may be asked:
To confirm that encryption from another provider isn't enabled.
To turn off BitLocker Drive Encryption, and then turn BitLocker back on.
Not configured
If Windows encryption is turned on while another encryption method is active, the device might become
unstable.
BitLocker base settings
Base settings are universal BitLocker settings for all types of data drives. These settings manage what drive
encryption tasks or configuration options the end user can modify across all types of data drives.
Warning for other disk encryption
Default : Not configured
BitLocker CSP: AllowWarningForOtherDiskEncryption
Block - Disable the warning prompt if another disk encryption service is on the device.
Not configured - Allow the warning for other disk encryption to be shown.

TIP
To install BitLocker automatically and silently on a device that's Azure AD joined and runs Windows 1809 or later,
this setting must be set to Block. For more information, see Silently enable BitLocker on devices.

When set to Block, you can then configure the following setting:
Allow standard users to enable encryption during Azure AD Join
This setting only applies to Azure Active Directory Joined (Azure ADJ) devices, and depends on the
previous setting, Warning for other disk encryption .
Default : Not configured
BitLocker CSP: AllowStandardUserEncryption
Allow - Standard users (non-administrators) can enable BitLocker encryption when signed in.
Not configured - Only administrators can enable BitLocker encryption on the device.
TIP
To install BitLocker automatically and silently on a device that's Azure AD joined and runs Windows 1809 or later,
this setting must be set to Allow. For more information, see Silently enable BitLocker on devices.

Configure encryption methods


Default : Not configured
BitLocker CSP: EncryptionMethodByDriveType
Enable - Configure encryption algorithms for operating system, data, and removable drives.
Not configured - BitLocker uses XTS-AES 128 bit as the default encryption method, or uses the
encryption method specified by any setup script.
When set to Enable, you can configure the following settings:
Encryption for operating system drives
Default : XTS-AES 128-bit
Choose the encryption method for operating system drives. We recommend you use the XTS-AES
algorithm.
AES-CBC 128-bit
AES-CBC 256-bit
XTS-AES 128-bit
XTS-AES 256-bit
Encryption for fixed data-drives
Default : AES-CBC 128-bit
Choose the encryption method for fixed (built-in) data drives. We recommend you use the XTS-
AES algorithm.
AES-CBC 128-bit
AES-CBC 256-bit
XTS-AES 128-bit
XTS-AES 256-bit
Encryption for removable data-drives
Default : AES-CBC 128-bit
Choose the encryption method for removable data drives. If the removable drive is used with
devices that aren't running Windows 10, then we recommend you use the AES-CBC algorithm.
AES-CBC 128-bit
AES-CBC 256-bit
XTS-AES 128-bit
XTS-AES 256-bit
BitLocker OS drive settings
These settings apply specifically to operating system data drives.
Additional authentication at startup
Default : Not configured
BitLocker CSP: SystemDrivesRequireStartupAuthentication
Require - Configure the authentication requirements for computer startup, including the use of
Trusted Platform Module (TPM).
Not configured - Configure only basic options on devices with a TPM.
When set to Require, you can configure the following settings:
BitLocker with non-compatible TPM chip
Default : Not configured
Block - Disable use of BitLocker when a device doesn't have a compatible TPM chip.
Not configured - Users can use BitLocker without a compatible TPM chip. BitLocker may
require a password or a startup key.
Compatible TPM startup
Default : Allow TPM
Configure if TPM is allowed, required, or not allowed.
Allow TPM
Do not allow TPM
Require TPM
Compatible TPM startup PIN
Default : Allow startup PIN with TPM
Choose to allow, not allow, or require using a startup PIN with the TPM chip. Enabling a startup
PIN requires interaction from the end user.
Allow startup PIN with TPM
Do not allow startup PIN with TPM
Require startup PIN with TPM

TIP
To install BitLocker automatically and silently on a device that's Azure AD joined and runs Windows 1809
or later, this setting must not be set to Require startup PIN with TPM. For more information, see Silently
enable BitLocker on devices.

Compatible TPM startup key


Default : Allow startup key with TPM
Choose to allow, not allow, or require using a startup key with the TPM chip. Enabling a startup key
requires interaction from the end user.
Allow startup key with TPM
Do not allow startup key with TPM
Require startup key with TPM

TIP
To install BitLocker automatically and silently on a device that's Azure AD joined and runs Windows 1809
or later, this setting must not be set to Require startup key with TPM. For more information, see Silently
enable BitLocker on devices.

Compatible TPM startup key and PIN


Default : Allow startup key and PIN with TPM
Choose to allow, not allow, or require using a startup key and PIN with the TPM chip. Enabling
startup key and PIN requires interaction from the end user.
Allow startup key and PIN with TPM
Do not allow startup key and PIN with TPM
Require startup key and PIN with TPM

TIP
To install BitLocker automatically and silently on a device that's Azure AD joined and runs Windows 1809
or later, this setting must not be set to Require startup key and PIN with TPM. For more information, see
Silently enable BitLocker on devices.

Minimum PIN Length
Default : Not configured
BitLocker CSP: SystemDrivesMinimumPINLength
Enable - Configure a minimum length for the TPM startup PIN.
Not configured - Users can configure a startup PIN of any length between 6 and 20 digits.
When set to Enable, you can configure the following setting:
Minimum characters
Default : Not configured
BitLocker CSP: SystemDrivesMinimumPINLength
Enter the number of characters required for the startup PIN, from 4 to 20 .
OS drive recovery
Default : Not configured
BitLocker CSP: SystemDrivesRecoveryOptions
Enable - Control how BitLocker-protected operating system drives recover when the required startup
information isn't available.
Not configured - Default recovery options are supported for BitLocker recovery. By default, a DRA is
allowed, the recovery options are chosen by the user, including the recovery password and recovery
key, and recovery information isn't backed up to AD DS.
When set to Enable, you can configure the following settings:
Certificate-based data recovery agent
Default : Not configured
Block - Prevent use of data recovery agent with BitLocker-protected OS drives.
Not configured - Allow data recovery agents to be used with BitLocker-protected operating
system drives.
User creation of recovery password
Default : Allow 48-digit recovery password
Choose if users are allowed, required, or not allowed to generate a 48-digit recovery password.
Allow 48-digit recovery password
Do not allow 48-digit recovery password
Require 48-digit recovery password
User creation of recovery key
Default : Allow 256-bit recovery key
Choose if users are allowed, required, or not allowed to generate a 256-bit recovery key.
Allow 256-bit recovery key
Do not allow 256-bit recovery key
Require 256-bit recovery key
Recovery options in the BitLocker setup wizard
Default : Not configured
Block - Users can't see and change the recovery options.
Not configured - Users can see and change the recovery options when they turn on BitLocker.
Save BitLocker recovery information to Azure Active Directory
Default : Not configured
Enable - Store the BitLocker recovery information to Azure Active Directory (Azure AD).
Not configured - BitLocker recovery information isn't stored in Azure AD.
BitLocker recovery information stored to Azure Active Directory
Default : Backup recovery passwords and key packages
Configure what parts of BitLocker recovery information are stored in Azure AD. Choose from:
Backup recovery passwords and key packages
Backup recovery passwords only
Client-driven recovery password rotation
Default : Key rotation enabled for Azure AD-joined devices
BitLocker CSP: ConfigureRecoveryPasswordRotation
This setting initiates a client-driven recovery password rotation after an OS drive recovery (either
by using bootmgr or WinRE).
Not configured
Key rotation disabled
Key rotation enabled for Azure AD-joined devices
Key rotation enabled for Azure AD and Hybrid-joined devices
Store recovery information in Azure Active Directory before enabling BitLocker
Default : Not configured
Prevent users from enabling BitLocker unless the computer successfully backs up the BitLocker
recovery information to Azure Active Directory.
Require - Stop users from turning on BitLocker unless the BitLocker recovery information is
successfully stored in Azure AD.
Not configured - Users can turn on BitLocker, even if recovery information isn't successfully
stored in Azure AD.
Pre-boot recovery message and URL
Default : Not configured
BitLocker CSP: SystemDrivesRecoveryMessage
Enable - Configure the message and URL that display on the pre-boot key recovery screen.
Not configured - Disable this feature.
When set to Enable, you can configure the following setting:
Pre-boot recovery message
Default : Use default recovery message and URL
Configure how the pre-boot recovery message displays to users. Choose from:
Use default recovery message and URL
Use empty recovery message and URL
Use custom recovery message
Use custom recovery URL
BitLocker fixed data-drive settings
These settings apply specifically to fixed data drives.
Write access to fixed data-drive not protected by BitLocker
Default : Not configured
BitLocker CSP: FixedDrivesRequireEncryption
Block - Give read-only access to data drives that aren't BitLocker-protected.
Not configured - By default, read and write access to data drives that aren't encrypted.
Fixed drive recovery
Default : Not configured
BitLocker CSP: FixedDrivesRecoveryOptions
Enable - Control how BitLocker-protected fixed drives recover when the required start-up information
isn't available.
Not configured - Disable this feature.
When set to Enable, you can configure the following settings:
Data recovery agent
Default : Not configured
Block - Prevent use of the data recovery agent with BitLocker-protected fixed drives.
Not configured - Enables use of data recovery agents with BitLocker-protected fixed drives.
User creation of recovery password
Default : Allow 48-digit recovery password
Choose if users are allowed, required, or not allowed to generate a 48-digit recovery password.
Allow 48-digit recovery password
Do not allow 48-digit recovery password
Require 48-digit recovery password
User creation of recovery key
Default : Allow 256-bit recovery key
Choose if users are allowed, required, or not allowed to generate a 256-bit recovery key.
Allow 256-bit recovery key
Do not allow 256-bit recovery key
Require 256-bit recovery key
Recovery options in the BitLocker setup wizard
Default : Not configured
Block - Users can't see and change the recovery options.
Not configured - Users can see and change the recovery options when they turn on BitLocker.
Save BitLocker recovery information to Azure Active Directory
Default : Not configured
Enable - Store the BitLocker recovery information to Azure Active Directory (Azure AD).
Not configured - BitLocker recovery information isn't stored in Azure AD.
BitLocker recovery information stored to Azure Active Directory
Default : Backup recovery passwords and key packages
Configure what parts of BitLocker recovery information are stored in Azure AD. Choose from:
Backup recovery passwords and key packages
Backup recovery passwords only
Store recovery information in Azure Active Directory before enabling BitLocker
Default : Not configured
Prevent users from enabling BitLocker unless the computer successfully backs up the BitLocker
recovery information to Azure Active Directory.
Require - Stop users from turning on BitLocker unless the BitLocker recovery information is
successfully stored in Azure AD.
Not configured - Users can turn on BitLocker, even if recovery information isn't successfully
stored in Azure AD.
BitLocker removable data-drive settings
These settings apply specifically to removable data drives.
Write access to removable data-drive not protected by BitLocker
Default : Not configured
BitLocker CSP: RemovableDrivesRequireEncryption
Block - Give read-only access to data drives that aren't BitLocker-protected.
Not configured - By default, read and write access to data drives that aren't encrypted.
When set to Enable, you can configure the following setting:
Write access to devices configured in another organization
Default : Not configured
Block - Block write access to devices configured in another organization.
Not configured - Deny write access.

Microsoft Defender Exploit Guard


Use exploit protection to manage and reduce the attack surface of apps used by your employees.
Attack Surface Reduction
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious
code.
Attack Surface Reduction rules
To learn more, see Attack surface reduction rules in the Microsoft Defender for Endpoint documentation.
Merge behavior for Attack surface reduction rules in Intune:
Attack surface reduction rules support a merger of settings from different policies, to create a superset of policy
for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not
added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were
flagged as being in conflict, and no settings from either profile would be deployed.
Attack surface reduction rule merge behavior is as follows:
Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to:
Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard >
Attack Surface Reduction
Endpoint security > Attack surface reduction policy > Attack surface reduction rules
Endpoint security > Security baselines > Microsoft Defender for Endpoint Baseline > Attack Surface
Reduction Rules .
Settings that do not have conflicts are added to a superset of policy for the device.
When two or more policies have conflicting settings, the conflicting settings are not added to the combined
policy, while settings that don’t conflict are added to the superset policy that applies to a device.
Only the configurations for conflicting settings are held back.
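The following PowerShell is an added example, not Intune's own code: the Merge-AsrPolicy function simulates the merge behaviour described above over two constructed policies (rule names such as 'rule-A' are placeholders, not real ASR rule GUIDs), and Get-EffectiveAsrRules reads what Defender actually enforces on the device so the two can be compared.

```powershell
# Added example (not from the Intune docs): simulate the ASR superset merge and
# read back the effective rules from Defender.

function Merge-AsrPolicy {
    param([hashtable[]]$Policies)   # each: @{ '<rule-id>' = 'Block' | 'Audit' | 'Off' }
    $merged    = @{}
    $conflicts = @{}
    foreach ($policy in $Policies) {
        foreach ($rule in $policy.Keys) {
            if ($conflicts.ContainsKey($rule)) { continue }
            if ($merged.ContainsKey($rule) -and $merged[$rule] -ne $policy[$rule]) {
                # Same rule, different action: only this rule is held back for the
                # device; the remaining rules of both policies still apply.
                $conflicts[$rule] = $true
                $merged.Remove($rule)
            } else {
                $merged[$rule] = $policy[$rule]
            }
        }
    }
    [pscustomobject]@{ Effective = $merged; Conflicting = @($conflicts.Keys) }
}

# Defender exposes rule IDs and actions as two parallel arrays
# (0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
function Get-EffectiveAsrRules {
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $names[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

# Constructed input: an Endpoint protection profile and an Endpoint security ASR
# policy that agree on rule-A, disagree on rule-B, and each add one more rule.
$endpointProtection = @{ 'rule-A' = 'Block'; 'rule-B' = 'Block'; 'rule-C' = 'Audit' }
$asrPolicy          = @{ 'rule-A' = 'Block'; 'rule-B' = 'Audit'; 'rule-D' = 'Block' }

$result = Merge-AsrPolicy -Policies $endpointProtection, $asrPolicy
$result.Effective
$result.Conflicting

# On a managed device, diff the expectation above against the live state.
Get-EffectiveAsrRules | Format-Table -AutoSize
```

For the constructed input the Effective table holds rule-A, rule-C and rule-D, and Conflicting holds only rule-B: a conflict on one rule no longer discards both policies. A device that reports a rule missing from Get-EffectiveAsrRules is the first place to look when two of the three policy sources above disagree.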
Settings in this profile :
Flag credential stealing from the Windows local security authority subsystem
Default : Not configured
Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Help prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Not configured
Enable - Flag credential stealing from the Windows local security authority subsystem (lsass.exe).
Audit only
Process creation from Adobe Reader (beta)
Default : Not configured
Rule: Block Adobe Reader from creating child processes
Not configured
Enable - Block child processes that are created from Adobe Reader.
Audit only
Rules to prevent Office Macro threats
Block Office apps from taking the following actions:
Office apps injecting into other processes (no exceptions)
Default : Not configured
Rule: Block Office applications from injecting code into other processes
Not configured
Block - Block Office apps from injecting into other processes.
Audit only
Office apps/macros creating executable content
Default : Not configured
Rule: Block Office applications from creating executable content
Not configured
Block - Block Office apps and macros from creating executable content.
Audit only
Office apps launching child processes
Default : Not configured
Rule: Block all Office applications from creating child processes
Not configured
Block - Block Office apps from launching child processes.
Audit only
Win32 impor ts from Office macro code
Default : Not configured
Rule: Block Win32 API calls from Office macros
Not configured
Block - Block Win32 imports from macro code in Office.
Audit only
Process creation from Office communication products
Default : Not configured
Rule: Block Office communication application from creating child processes
Not configured
Enable - Block child process creation from Office communications apps.
Audit only
Rules to prevent script threats
Block the following to help prevent against script threats:
Obfuscated js/vbs/ps/macro code
Default : Not configured
Rule: Block execution of potentially obfuscated scripts
Not configured
Block - Block any obfuscated js/vbs/ps/macro code.
Audit only
js/vbs executing payload downloaded from Internet (no exceptions)
Default : Not configured
Rule: Block JavaScript or VBScript from launching downloaded executable content
Not configured
Block - Block js/vbs from executing payload downloaded from Internet.
Audit only
Process creation from PSExec and WMI commands
Default : Not configured
Rule: Block process creations originating from PSExec and WMI commands
Not configured
Block - Block process creations originating from PSExec and WMI commands.
Audit only
Untrusted and unsigned processes that run from USB
Default : Not configured
Rule: Block untrusted and unsigned processes that run from USB
Not configured
Block - Block untrusted and unsigned processes that run from USB.
Audit only
Executables that don't meet a prevalence, age, or trusted list criteria
Default : Not configured
Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Not configured
Block - Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
Audit only
Rules to prevent email threats
Block the following to help prevent email threats:
Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail
client) (no exceptions)
Default : Not configured
Rule: Block executable content from email client and webmail
Not configured
Block - Block execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email
(webmail/mail-client).
Audit only
Rules to protect against ransomware
Advanced ransomware protection
Default: Not configured
Rule: Use advanced protection against ransomware
Not configured
Enable - Use aggressive ransomware protection.
Audit only
Attack Surface Reduction exceptions
Files and folder to exclude from attack surface reduction rules
Defender CSP: AttackSurfaceReductionOnlyExclusions
Import a .csv file that contains files and folders to exclude from attack surface reduction rules.
Add local files or folders manually.

IMPORTANT
To allow proper installation and execution of LOB Win32 apps, anti-malware settings should exclude the following
directories from being scanned:
On X64 client machines :
C:\Program Files (x86)\Microsoft Intune Management Extension\Content
C:\windows\IMECache
On X86 client machines :
C:\Program Files\Microsoft Intune Management Extension\Content
C:\windows\IMECache
For more information, see Virus scanning recommendations for Enterprise computers that are running currently
supported versions of Windows.

Controlled folder access


Help protect valuable data from malicious apps and threats, such as ransomware.
Folder protection
Default : Not configured
Defender CSP: EnableControlledFolderAccess
Protect files and folders from unauthorized changes by unfriendly apps.
Not configured
Enable
Audit only
Block disk modification
Audit disk modification
When you select a configuration other than Not configured, you can then configure:
List of apps that have access to protected folders
Defender CSP: ControlledFolderAccessAllowedApplications
Import a .csv file that contains an app list.
Add apps to this list manually.
List of additional folders that need to be protected
Defender CSP: ControlledFolderAccessProtectedFolders
Import a .csv file that contains a folder list.
Add folders to this list manually.
Network filtering
Block outbound connections from any app to IP addresses or domains with low reputations. Network filtering is
supported in both Audit and Block mode.
Network protection
Default : Not configured
Defender CSP: EnableNetworkProtection
The intent of this setting is to protect end users from apps that reach phishing sites, exploit-hosting
sites, and other malicious content on the Internet. It also prevents third-party browsers from connecting
to dangerous sites.
Not configured - Disable this feature. Users and apps aren't blocked from connecting to dangerous
domains. Administrators can't see this activity in Microsoft Defender Security Center.
Enable - Turn on network protection, and block users and apps from connecting to dangerous
domains. Administrators can see this activity in Microsoft Defender Security Center.
Audit only : - Users and apps aren't blocked from connecting to dangerous domains. Administrators
can see this activity in Microsoft Defender Security Center.
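The following PowerShell is an added example, not part of the Intune documentation: it applies the Defender settings from the three preceding sections (the scan exclusions for the Intune Management Extension paths, ASR-only exclusions, controlled folder access, and network protection) directly with the Defender module on a test device, so the effect can be checked before the profile is assigned. The LOB app path and the extra protected folder are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Intune docs): configure and read back the
# Exploit Guard features described above with the Defender PowerShell module.

function Set-ImeScanExclusions {
    # The Intune Management Extension content path depends on OS bitness.
    $base = if ([Environment]::Is64BitOperatingSystem) {
        'C:\Program Files (x86)\Microsoft Intune Management Extension\Content'
    } else {
        'C:\Program Files\Microsoft Intune Management Extension\Content'
    }
    foreach ($path in @($base, 'C:\windows\IMECache')) {
        Add-MpPreference -ExclusionPath $path
    }
}

function Set-DefenderExploitGuardBaseline {
    param(
        [string[]]$AsrOnlyExclusions,        # files/folders exempt from ASR rules only
        [string[]]$AllowedApps,              # apps trusted to write to protected folders
        [string[]]$ExtraProtectedFolders
    )
    # Start both features in audit mode; switch to Enabled after reviewing the
    # audit events in Microsoft-Windows-Windows Defender/Operational
    # (1124 = CFA audited, 1123 = CFA blocked; 1125 = NP audited, 1126 = NP blocked).
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    Set-MpPreference -EnableNetworkProtection AuditMode
    if ($AsrOnlyExclusions)     { Add-MpPreference -AttackSurfaceReductionOnlyExclusions $AsrOnlyExclusions }
    if ($AllowedApps)           { Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps }
    if ($ExtraProtectedFolders) { Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraProtectedFolders }
}

function Get-DefenderExploitGuardState {
    $p = Get-MpPreference
    [pscustomobject]@{
        ControlledFolderAccess = $p.EnableControlledFolderAccess   # 0 Off, 1 Block, 2 Audit, 3/4 disk-modification modes
        NetworkProtection      = $p.EnableNetworkProtection        # 0 Off, 1 Block, 2 Audit
        AsrOnlyExclusions      = $p.AttackSurfaceReductionOnlyExclusions
        CfaAllowedApps         = $p.ControlledFolderAccessAllowedApplications
        CfaProtectedFolders    = $p.ControlledFolderAccessProtectedFolders
        ScanExclusions         = $p.ExclusionPath
    }
}

# Usage (placeholder paths): exclude the IME directories, then stage the
# Exploit Guard features in audit mode and print the resulting state.
Set-ImeScanExclusions
Set-DefenderExploitGuardBaseline `
    -AsrOnlyExclusions 'C:\Program Files\Contoso LOB\lob.exe' `
    -AllowedApps 'C:\Program Files\Contoso LOB\lob.exe' `
    -ExtraProtectedFolders 'D:\Finance'
Get-DefenderExploitGuardState
```

Keep the exclusion lists short: every path added with -ExclusionPath or -AttackSurfaceReductionOnlyExclusions is a place where malware can run unexamined, which is why the IME exclusions above are limited to the two directories the note names.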
Exploit protection
Upload XML
Default : Not configured
To use exploit protection to protect devices from exploits, create an XML file that includes the system and
application mitigation settings you want. There are two methods to create the XML file:
PowerShell - Use one or more of the Get-ProcessMitigation, Set-ProcessMitigation, and ConvertTo-
ProcessMitigationPolicy PowerShell cmdlets. The cmdlets configure mitigation settings, and export
an XML representation of them.
Microsoft Defender Security Center UI - In the Microsoft Defender Security Center, click on App &
browser control and then scroll to the bottom of the resulting screen to find Exploit Protection.
First, use the System settings and Program settings tabs to configure mitigation settings. Then,
find the Export settings link at the bottom of the screen to export an XML representation of them.
User editing of the exploit protection interface
Default : Not configured
ExploitGuard CSP: ExploitProtectionSettings
Block - Upload an XML file that allows you to configure memory, control flow, and policy restrictions.
The settings in the XML file can be used to block an application from exploits.
Not configured - No custom configuration is used.
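The following PowerShell is an added example, not part of the Intune documentation: it uses the Set-ProcessMitigation and Get-ProcessMitigation cmdlets named above to set system-wide and per-process mitigations, export them as the XML the "Upload XML" setting takes, and sanity-check the exported file. The process name lob.exe is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Intune docs): produce and inspect an exploit
# protection XML file with the ProcessMitigations cmdlets.

function New-ExploitProtectionXml {
    param(
        [string]$Process = 'lob.exe',
        [string]$OutFile = "$env:TEMP\ExploitProtection.xml"
    )
    # System defaults: DEP, SEHOP and bottom-up ASLR for every process.
    Set-ProcessMitigation -System -Enable DEP,SEHOP,BottomUp

    # Per-process hardening for the LOB app: force ASLR on images built without
    # /DYNAMICBASE, refuse images loaded from remote (UNC) paths, and block
    # non-system fonts (a classic kernel attack surface).
    Set-ProcessMitigation -Name $Process -Enable ForceRelocateImages,BlockRemoteImageLoads,DisableNonSystemFonts

    # Export the current registry-backed configuration as XML; this is the file
    # to upload in the profile.
    Get-ProcessMitigation -RegistryConfigFilePath $OutFile
    return $OutFile
}

function Test-ExploitProtectionXml {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path
    # Each AppConfig element carries the mitigations for one executable;
    # SystemConfig carries the system-wide ones.
    $apps = @($doc.MitigationPolicy.AppConfig)
    [pscustomobject]@{
        File      = $Path
        HasSystem = [bool]$doc.MitigationPolicy.SystemConfig
        Processes = @($apps | ForEach-Object { $_.Executable })
    }
}

# Usage: build the file, then confirm it contains the system block and lob.exe.
$xml = New-ExploitProtectionXml
Test-ExploitProtectionXml -Path $xml
# To apply a reviewed XML on a test machine before uploading it:
#   Set-ProcessMitigation -PolicyFilePath $xml
```

Test each per-process mitigation in isolation first; mitigations such as BlockRemoteImageLoads or StrictCFG can break legitimate apps, and the profile's XML applies to every device it's assigned to.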

Microsoft Defender Application Control


Choose additional apps that either need to be audited by, or can be trusted to run by Microsoft Defender
Application Control. Windows components and all apps from Windows store are automatically trusted to run.
Application control code integrity policies
Default : Not configured
CSP: AppLocker CSP
Enforce - Choose the application control code integrity policies for your users' devices.
After being enabled on a device, Application Control can only be disabled by changing the mode
from Enforce to Audit only. Changing the mode from Enforce to Not Configured results in
Application Control continuing to be enforced on assigned devices.
Not Configured - Application Control is not added to devices. However, settings that were
previously added continue to be enforced on assigned devices.
Audit only - Applications aren't blocked. All events are logged in the local client's logs.

NOTE
If you use this setting, the AppLocker CSP currently prompts end users to reboot their machine
when a policy is deployed.

Microsoft Defender Credential Guard


Microsoft Defender Credential Guard protects against credential theft attacks. It isolates secrets so that only
privileged system software can access them.
Credential Guard
Default : Disable
DeviceGuard CSP
Disable - Turn off Credential Guard remotely, if it was previously turned on with the Enabled
without UEFI lock option.
Enable with UEFI lock - Credential Guard can't be disabled remotely by using a registry key or
group policy.

NOTE
If you use this setting, and then later want to disable Credential Guard, you must set the Group Policy to
Disabled . And, physically clear the UEFI configuration information from each computer. As long as the
UEFI configuration persists, Credential Guard is enabled.

Enable without UEFI lock - Allows Credential Guard to be disabled remotely by using Group
Policy. The devices that use this setting must be running Windows 10 version 1511 and newer.
When you enable Credential Guard, the following required features are also enabled:
Virtualization-based Security (VBS)
Turns on during the next reboot. Virtualization-based security uses the Windows Hypervisor to
provide support for security services.
Secure Boot with Direct Memory Access
Turns on VBS with Secure Boot and direct memory access (DMA) protections. DMA protections require
hardware support, and are only enabled on correctly configured devices.
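The following PowerShell is an added example, not part of the Intune documentation: it reads back what the Credential Guard setting above produced on a device (VBS state, whether Credential Guard is configured and running, which platform properties it requires) and whether the UEFI lock is in place, so the rollback caveat in the note can be checked before "Enable with UEFI lock" is assigned. It reads the Win32_DeviceGuard WMI class and the LsaCfgFlags registry value; no configuration is changed.

```powershell
# Added example (not from the Intune docs): report the effective Credential
# Guard / VBS state of the local device.

function Get-CredentialGuardState {
    # Win32_DeviceGuard lists the VBS services configured vs. actually running:
    # 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbsStatus = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

    # LsaCfgFlags is the policy value: 0 = disabled, 1 = enabled with UEFI lock,
    # 2 = enabled without UEFI lock.
    $policy = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' `
                                -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    $lockNames = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without UEFI lock' }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured   = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning      = [bool]($dg.SecurityServicesRunning -contains 1)
        # RequiredSecurityProperties: 2 = Secure Boot, 3 = DMA protection.
        SecureBootRequired          = [bool]($dg.RequiredSecurityProperties -contains 2)
        DmaProtectionRequired       = [bool]($dg.RequiredSecurityProperties -contains 3)
        Policy                      = if ($null -ne $policy) { $lockNames[[int]$policy] } else { 'Not configured' }
    }
}

# Usage: print the state and flag devices that can no longer be disabled remotely.
$state = Get-CredentialGuardState
$state
if ($state.Policy -eq 'Enabled with UEFI lock') {
    Write-Warning 'UEFI lock is set: turning Credential Guard off later needs the policy set to Disabled and the UEFI variable cleared at the device.'
}
```

A device that reports CredentialGuardConfigured as true but CredentialGuardRunning as false is usually waiting for the reboot mentioned under Virtualization-based Security, or lacks the Secure Boot or DMA support the profile asked for.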

Microsoft Defender Security Center


Microsoft Defender Security Center operates as a separate app or process from each of the individual features. It
displays notifications through the Action Center. It acts as a collector or single place to see the status and run
some configuration for each of the features. Find out more in the Microsoft Defender docs.
Microsoft Defender Security Center app and notifications
Block end-user access to the various areas of the Microsoft Defender Security Center app. Hiding a section also
blocks related notifications.
Virus and threat protection
Default : Not configured
WindowsDefenderSecurityCenter CSP: DisableVirusUI
Configure if end users can view the Virus and threat protection area in the Microsoft Defender Security
Center. Hiding this section will also block all notifications related to Virus and threat protection.
Not configured
Hide
Ransomware protection
Default : Not configured
WindowsDefenderSecurityCenter CSP: HideRansomwareDataRecovery
Configure if end users can view the Ransomware protection area in the Microsoft Defender Security
Center. Hiding this section will also block all notifications related to Ransomware protection.
Not configured
Hide
Account protection
Default : Not configured
WindowsDefenderSecurityCenter CSP: DisableAccountProtectionUI
Configure if end users can view the Account protection area in the Microsoft Defender Security Center.
Hiding this section will also block all notifications related to Account protection.
Not configured
Hide
Firewall and network protection
Default : Not configured
WindowsDefenderSecurityCenter CSP: DisableNetworkUI
Configure if end users can view the Firewall and network protection area in the Microsoft Defender
Security center. Hiding this section will also block all notifications related to Firewall and network
protection.
Not configured
Hide
App and browser Control
Default : Not configured
WindowsDefenderSecurityCenter CSP: DisableAppBrowserUI
Configure if end users can view the App and browser control area in the Microsoft Defender Security
center. Hiding this section will also block all notifications related to App and browser control.
Not configured
Hide
Hardware protection
Default : Not configured
WindowsDefenderSecurityCenter CSP: DisableDeviceSecurityUI
Configure if end users can view the Hardware protection area in the Microsoft Defender Security Center.
Hiding this section will also block all notifications related to Hardware protection.
Not configured
Hide
Device performance and health
Default : Not configured
WindowsDefenderSecurityCenter CSP: DisableHealthUI
Configure if end users can view the Device performance and health area in the Microsoft Defender
Security center. Hiding this section will also block all notifications related to Device performance and
health.
Not configured
Hide
Family options
Default : Not configured
WindowsDefenderSecurityCenter CSP: DisableFamilyUI
Configure if end users can view the Family options area in the Microsoft Defender Security center. Hiding
this section will also block all notifications-related to Family options.
Not configured
Hide
Notifications from the displayed areas of app
Default : Not configured
WindowsDefenderSecurityCenter CSP: DisableNotifications
Choose which notifications to display to end users. Non-critical notifications include summaries of
Microsoft Defender Antivirus activity, including notifications when scans have completed. All other
notifications are considered critical.
Not configured
Block non-critical notifications
Block all notifications
Windows Security Center icon in the system tray
Default : Not configured
Configure the display of the notification area control. The user needs to either sign out and sign in or
reboot the computer for this setting to take effect.
Not configured
Hide
Clear TPM button
Default : Not configured
Configure the display of the Clear TPM button.
Not configured
Disable
TPM firmware update warning
Default : Not configured
Configure the display of update TPM Firmware when a vulnerable firmware is detected.
Not configured
Hide
Tamper Protection
Default : Not configured
Turn Tamper Protection on or off on devices. To use Tamper Protection, you must integrate Microsoft
Defender for Endpoint with Intune, and have Enterprise Mobility + Security E5 Licenses.
Not configured - No change is made to device settings.
Enabled - Tamper Protection is turned on and restrictions are enforced on devices.
Disabled - Tamper Protection is turned off and restrictions are not enforced.
IT contact Information
Provide IT contact information to appear in the Microsoft Defender Security Center app and the app
notifications.
You can choose to Display in app and in notifications , Display only in app , Display only in
notifications , or Don't display . Enter the IT organization name , and at least one of the following contact
options:
IT contact information
Default : Don't display
WindowsDefenderSecurityCenter CSP: EnableCustomizedToasts
Configure where to display IT contact information to end users.
Display in app and in notifications
Display only in app
Display only in notifications
Don't display
When configured to display, you can configure the following settings:
IT organization name
Default : Not configured
WindowsDefenderSecurityCenter CSP: CompanyName
IT department phone number or Skype ID
Default : Not configured
WindowsDefenderSecurityCenter CSP: Phone
IT department email address
Default : Not configured
WindowsDefenderSecurityCenter CSP: Email
IT support website URL
Default : Not configured
WindowsDefenderSecurityCenter CSP: URL

Local device security options


Use these options to configure the local security settings on Windows 10 devices.
Accounts
Add new Microsoft accounts
Default : Not configured
LocalPoliciesSecurityOptions CSP: Accounts_BlockMicrosoftAccounts
Block - Prevent users from adding new Microsoft accounts to the device.
Not configured - Users can use Microsoft accounts on the device.
Remote log on without password
Default : Not configured
LocalPoliciesSecurityOptions CSP:
Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
Block - Allow only local accounts with blank passwords to sign in using the device's keyboard.
Not configured - Allow local accounts with blank passwords to sign in from locations other than the
physical device.
Admin
Local admin account
Default : Not configured
LocalPoliciesSecurityOptions CSP: Accounts_EnableAdministratorAccountStatus
Block - Prevent use of the built-in local Administrator account.
Not configured
Rename admin account
Default : Not configured
LocalPoliciesSecurityOptions CSP: Accounts_RenameAdministratorAccount
Define a different account name to be associated with the security identifier (SID) for the account
"Administrator".
Guest
Guest account
Default : Not configured
LocalPoliciesSecurityOptions CSP: Accounts_EnableGuestAccountStatus
Block - Prevent use of a Guest account.
Not configured
Rename guest account
Default : Not configured
LocalPoliciesSecurityOptions CSP: Accounts_RenameGuestAccount
Define a different account name to be associated with the security identifier (SID) for the account "Guest".
Devices
Undock device without logon
Default : Not configured
LocalPoliciesSecurityOptions CSP: Devices_AllowUndockWithoutHavingToLogon
Block - A user must sign in to the device, and receive permission to undock the device.
Not configured - Users can press a docked portable device's physical eject button to safely undock
the device.
Install printer drivers for shared printers
Default : Not configured
LocalPoliciesSecurityOptions CSP:
Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
Enabled - Any user can install a printer driver as part of connecting to a shared printer.
Not configured - Only Administrators can install a printer driver as part of connecting to a shared
printer.
Restrict CD-ROM access to local active user
Default : Not configured
CSP: Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
Enabled - Only the interactively logged-on user can use the CD-ROM media. If this policy is enabled,
and no one is logged on interactively, then the CD-ROM is accessed over the network.
Not configured - Anyone has access to the CD-ROM.
Format and eject removable media
Default : Administrators
CSP: Devices_AllowedToFormatAndEjectRemovableMedia
Define who is allowed to format and eject removable NTFS media:
Not configured
Administrators
Administrators and Power Users
Administrators and Interactive Users
Interactive Logon
Minutes of lock screen inactivity until screen saver activates
Default : Not configured
LocalPoliciesSecurityOptions CSP: InteractiveLogon_MachineInactivityLimit
Enter the maximum minutes of inactivity until the screensaver activates (0 - 99999).
Require CTRL+ALT+DEL to log on
Default : Not configured
LocalPoliciesSecurityOptions CSP: InteractiveLogon_DoNotRequireCTRLALTDEL
Enable - Require users to press CTRL+ALT+DEL before logging on to Windows.
Not configured - Pressing CTRL+ALT+DEL isn't required for users to sign in.
Smart card removal behavior
Default : Lock workstation
LocalPoliciesSecurityOptions CSP: InteractiveLogon_SmartCardRemovalBehavior
Determines what happens when the smart card for a logged-on user is removed from the smart card
reader. Your options:
Lock Workstation - The workstation is locked when the smart card is removed. This option allows
users to leave the area, take their smart card with them, and still maintain a protected session.
No action
Force Logoff - The user is automatically logged off when the smart card is removed.
Disconnect if a Remote Desktop Services session - Removal of the smart card disconnects the
session without logging off the user. This option allows the user to insert the smart card and resume
the session later, or at another smart card reader-equipped computer, without having to sign in again.
If the session is local, this policy functions identically to Lock Workstation.
Display
User information on lock screen
Default : Not configured
LocalPoliciesSecurityOptions CSP: InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
Configure the user information that is displayed when the session is locked. If not configured, user
display name, domain, and username are shown.
Not configured
User display name, domain, and user name
User display name only
Do not display user information
Hide last signed-in user
Default : Not configured
LocalPoliciesSecurityOptions CSP: InteractiveLogon_DoNotDisplayLastSignedIn
Enable - Hide the username.
Not configured - Show the last username.
Hide username at sign-in
Default : Not Configured
LocalPoliciesSecurityOptions CSP: InteractiveLogon_DoNotDisplayUsernameAtSignIn
Enable - Hide the user name while the user signs in.
Not configured - Show the user name while the user signs in.
Logon message title
Default : Not configured
LocalPoliciesSecurityOptions CSP: InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
Set the message title for users signing in.
Logon message text
Default : Not configured
LocalPoliciesSecurityOptions CSP: InteractiveLogon_MessageTextForUsersAttemptingToLogOn
Set the message text for users signing in.
Network access and security
Anonymous access to Named Pipes and Shares
Default : Not configured
LocalPoliciesSecurityOptions CSP: NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
Block - Restrict anonymous access to named pipes and shares. Only the pipes and shares explicitly
listed as accessible anonymously stay reachable without authentication.
Not configured - The setting isn't changed; Windows restricts anonymous access by default.
Anonymous enumeration of SAM accounts
Default : Not configured
LocalPoliciesSecurityOptions CSP: NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
Not configured - Anonymous users can enumerate SAM accounts.
Block - Prevent anonymous enumeration of SAM accounts.
Anonymous enumeration of SAM accounts and shares
Default : Not configured
LocalPoliciesSecurityOptions CSP:
NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
Not configured - Anonymous users can enumerate the names of domain accounts and network
shares.
Block - Prevent anonymous enumeration of SAM accounts and shares.
LAN Manager hash value stored on password change
Default : Not configured
LocalPoliciesSecurityOptions CSP:
NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
Determine whether the LAN Manager (LM) hash of a password is stored the next time the password is
changed. The LM hash is trivially cracked offline, so it should never be stored.
Block - The LM hash isn't stored on the next password change; only the NT hash is kept.
Not configured - The setting isn't changed; Windows hasn't stored LM hashes by default since Windows Vista.
PKU2U authentication requests
Default : Not configured
LocalPoliciesSecurityOptions CSP: NetworkSecurity_AllowPKU2UAuthenticationRequests
Not configured - Allow PKU2U requests.
Block - Block PKU2U authentication requests to the device.
Restrict remote RPC connections to SAM
Default : Not configured
LocalPoliciesSecurityOptions CSP: NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
Not configured - Use the default security descriptor, which may allow users and groups to make
remote RPC calls to the SAM.
Allow - Deny users and groups from making remote RPC calls to the Security Accounts Manager
(SAM), which stores user accounts and passwords. Allow also lets you change the default Security
Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make
these remote calls.
Security descriptor
Default : Not configured
Minimum Session Security For NTLM SSP Based Clients
Default : None
LocalPoliciesSecurityOptions CSP: NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
This security setting determines which session-security properties the NTLM SSP (used by RPC and
other NTLM-based applications) must negotiate for outgoing connections. The connection fails if the
server can't provide them.
None
Require NTLMv2 session security
Require 128-bit encryption
NTLMv2 and 128-bit encryption
Minimum Session Security For NTLM SSP Based Server
Default : None
LocalPoliciesSecurityOptions CSP: NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
This security setting determines which session-security properties the NTLM SSP must negotiate for
incoming connections. Clients that can't provide them are refused.
None
Require NTLMv2 session security
Require 128-bit encryption
NTLMv2 and 128-bit encryption
LAN Manager Authentication Level
Default : LM and NTLM
LocalPoliciesSecurityOptions CSP: NetworkSecurity_LANManagerAuthenticationLevel
Determines which challenge/response authentication protocol is used for network logons: which
responses the client sends, and which ones the device accepts when it acts as a server. LM and
NTLM (v1) responses can be cracked offline from a single captured challenge/response, so prefer
NTLMv2 and not LM or NTLM wherever the network allows it.
LM and NTLM
LM, NTLM and NTLMv2
NTLM
NTLMv2
NTLMv2 and not LM
NTLMv2 and not LM or NTLM
Insecure Guest Logons
Default : Not configured
LanmanWorkstation CSP: LanmanWorkstation
If you enable this setting, the SMB client will reject insecure guest logons.
Not configured
Block - The SMB client rejects insecure guest logons.
Recovery console and shutdown
Clear virtual memory pagefile when shutting down
Default : Not configured
LocalPoliciesSecurityOptions CSP: Shutdown_ClearVirtualMemoryPageFile
Enable - Clear the virtual memory pagefile when the device is powered down.
Not configured - Doesn't clear the virtual memory.
Shut down without log on
Default : Not configured
LocalPoliciesSecurityOptions CSP: Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
Block - Hide the shutdown option on the Windows sign in screen. Users must sign in to the device,
and then shut down.
Not configured - Allow users to shut down the device from the Windows sign in screen.
User account control
UIA integrity without secure location
Default : Not Configured
LocalPoliciesSecurityOptions CSP:
UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
Block - Apps that are in a secure location in the file system will run only with UIAccess integrity.
Not configured - Enables apps to run with UIAccess integrity, even if the apps aren't in a secure
location in the file system.
Virtualize file and registry write failures to per-user locations
Default : Not Configured
LocalPoliciesSecurityOptions CSP:
UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
Enabled - Writes by legacy apps to protected locations (such as %ProgramFiles% or HKLM\Software) are
redirected at run time to per-user locations in the file system and registry.
Not configured - The setting isn't changed; Windows enables this virtualization by default. If it's
turned off, those writes fail.
Only elevate executable files that are signed and validated
Default : Not Configured
LocalPoliciesSecurityOptions CSP:
UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
Enabled - Enforce the PKI certification path validation for an executable file before it can run.
Not configured - Don't enforce PKI certification path validation before an executable file can run.
UIA elevation prompt behavior
Elevation prompt for admins
Default : Prompt for consent for non-Windows binaries
LocalPoliciesSecurityOptions CSP: UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
Define the behavior of the elevation prompt for admins in Admin Approval Mode.
Not configured
Elevate without prompting
Prompt for credentials on the secure desktop
Prompt for credentials
Prompt for consent
Prompt for consent for non-Windows binaries
Elevation prompt for standard users
Default : Prompt for credentials
LocalPoliciesSecurityOptions CSP: UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
Define the behavior of the elevation prompt for standard users.
Not configured
Automatically deny elevation requests
Prompt for credentials on the secure desktop
Prompt for credentials
Route elevation prompts to user's interactive desktop
Default : Not Configured
LocalPoliciesSecurityOptions CSP:
UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
Enabled - All elevation requests to go to the interactive user's desktop rather than the secure desktop.
Any prompt behavior policy settings for administrators and standard users are used.
Not configured - Force all elevation requests go to the secure desktop, regardless of any prompt
behavior policy settings for administrators and standard users.
Elevated prompt for app installations
Default : Not Configured
LocalPoliciesSecurityOptions CSP:
UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
Enabled - Application installation packages aren't detected or prompted for elevation.
Not configured - Users are prompted for an administrative user name and password when an
application installation package requires elevated privileges.
UIA elevation prompt without secure desktop
Default : Not Configured
LocalPoliciesSecurityOptions CSP: UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
Enable - Allow UIAccess apps to prompt for elevation, without using the secure desktop.
Not configured - Elevation prompts use a secure desktop.
Admin Approval Mode
Admin Approval Mode For Built-in Administrator
Default : Not Configured
LocalPoliciesSecurityOptions CSP: UserAccountControl_UseAdminApprovalMode
Enabled - Allow the built-in Administrator account to use Admin Approval Mode. Any operation that
requires elevation of privilege prompts the user to approve the operation.
Not configured - runs all apps with full admin privileges.
Run all admins in Admin Approval Mode
Default : Not Configured
LocalPoliciesSecurityOptions CSP: UserAccountControl_RunAllAdministratorsInAdminApprovalMode
Enabled - Enable Admin Approval Mode.
Not configured - Disable Admin Approval Mode and all related UAC policy settings.
Microsoft Network Client
Digitally sign communications (if server agrees)
Default : Not configured
LocalPoliciesSecurityOptions CSP: MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
Determines if the SMB client negotiates SMB packet signing.
Block - The SMB client never negotiates SMB packet signing.
Not configured - The Microsoft network client asks the server to run SMB packet signing upon
session setup. If packet signing is enabled on the server, packet signing is negotiated.
Send unencrypted password to third-party SMB servers
Default : Not configured
LocalPoliciesSecurityOptions CSP:
MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
Block - The Server Message Block (SMB) redirector never sends plaintext passwords to non-Microsoft
SMB servers that don't support password encryption during authentication; authentication to such
servers fails instead.
Not configured - The setting isn't changed; by default Windows doesn't send plaintext passwords.
Digitally sign communications (always)
Default : Not configured
LocalPoliciesSecurityOptions CSP: MicrosoftNetworkClient_DigitallySignCommunicationsAlways
Enable - The Microsoft network client doesn't communicate with a Microsoft network server unless
that server agrees to SMB packet signing.
Not configured - SMB packet signing is negotiated between the client and server.
Microsoft Network Server
Digitally sign communications (if client agrees)
Default : Not configured
CSP: MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
Enable - The Microsoft network server negotiates SMB packet signing as requested by the client. That
is, if packet signing is enabled on the client, packet signing is negotiated.
Not configured - The SMB client never negotiates SMB packet signing.
Digitally sign communications (always)
Default : Not configured
CSP: MicrosoftNetworkServer_DigitallySignCommunicationsAlways
Enable - The Microsoft network server doesn't communicate with a Microsoft network client unless
that client agrees to SMB packet signing.
Not configured - SMB packet signing is negotiated between the client and server.
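The four signing settings above interact, and the combination that matters in practice is which client/server pairs leave SMB traffic unsigned. The following added example (written for this page, not Microsoft's code) models the outcomes implied by the option descriptions above for every combination. The SigningPolicy type, the three outcome labels, and the "refused" result for a side that insists on signing against a peer that never negotiates it are assumptions of the model, not documented Windows behaviour; on a device, Get-SmbClientConfiguration and Get-SmbServerConfiguration show the effective values.

```python
# Added example (not from the Intune documentation): a model of how the four
# SMB signing settings described above combine, following the behaviour the
# page describes for each option. Windows decides real negotiation on the
# device; the outcome labels and the "refused" case are assumptions of this model.
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class SigningPolicy:
    # "Digitally sign communications (always)": True means Enable.
    always: bool
    # "Digitally sign communications (if ... agrees)": True means the side
    # negotiates signing (client: Not configured; server: Enable), False means
    # it never negotiates (client: Block; server: Not configured).
    negotiates: bool

    @property
    def can_sign(self) -> bool:
        # A side that requires signing, or is willing to negotiate it, can sign.
        return self.always or self.negotiates


def smb_session_outcome(client: SigningPolicy, server: SigningPolicy) -> str:
    """Return 'signed', 'unsigned' or 'refused' for a client/server pair."""
    if client.always or server.always:
        # One side insists on signing; the session only proceeds if the other
        # side is able to agree to it.
        if client.can_sign and server.can_sign:
            return "signed"
        return "refused"
    # Neither side insists: per the page, signing is negotiated only when the
    # client asks for it and the server has it enabled.
    if client.negotiates and server.negotiates:
        return "signed"
    return "unsigned"


def unsigned_combinations() -> list:
    """Enumerate all 16 policy pairs and return those that leave traffic unsigned."""
    pairs = []
    for c_always, c_neg, s_always, s_neg in product((True, False), repeat=4):
        client = SigningPolicy(always=c_always, negotiates=c_neg)
        server = SigningPolicy(always=s_always, negotiates=s_neg)
        if smb_session_outcome(client, server) == "unsigned":
            pairs.append((client, server))
    return pairs


if __name__ == "__main__":
    # All four settings left at "Not configured", as the page describes them:
    # the client negotiates, the server never does.
    not_configured_client = SigningPolicy(always=False, negotiates=True)
    not_configured_server = SigningPolicy(always=False, negotiates=False)
    print(smb_session_outcome(not_configured_client, not_configured_server))
    for client, server in unsigned_combinations():
        print(f"unsigned: client={client} server={server}")
```

Running the enumeration shows that every unsigned combination has both "always" settings off; enabling "Digitally sign communications (always)" on either the client or the server side is what removes the unsigned outcome, at the cost of refusing peers that cannot sign.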

Xbox services
Xbox Game Save Task
Default : Not configured
CSP: TaskScheduler/EnableXboxGameSaveTask
This setting determines whether the Xbox Game Save Task is Enabled or Disabled.
Enabled
Not configured
Xbox Accessory Management Service
Default : Manual
CSP: SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
This setting determines the Accessory Management Service's start type.
Manual
Automatic
Disabled
Xbox Live Auth Manager Service
Default : Manual
CSP: SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
This setting determines the Live Auth Manager Service's start type.
Manual
Automatic
Disabled
Xbox Live Game Save Service
Default : Manual
CSP: SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
This setting determines the Live Game Save Service's start type.
Manual
Automatic
Disabled
Xbox Live Networking Service
Default : Manual
CSP: SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
This setting determines the Networking Service's start type.
Manual
Automatic
Disabled

Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile, and monitor its status.
Configure endpoint protection settings on macOS devices.
Identity protection profile settings in Intune for
Windows Hello for Business
3/5/2021 • 5 minutes to read

NOTE
Intune may support more settings than the settings listed in this article. Not all settings are documented, and won’t be
documented. To see the settings you can configure, create a device configuration profile, and select Settings Catalog .
For more information, see Settings catalog.

This article describes Windows Hello for Business settings you can configure in an Identity protection profile.
Identity protection profiles are part of device configuration policy in Microsoft Intune. With an Identity
protection profile, you can configure settings on discrete groups of Windows 10 devices. To configure Windows
Hello for Business tenant-wide, as part of device enrollment, see the section Create a Windows Hello for
Business policy in Integrate Windows Hello for Business with Microsoft Intune. This section not only describes
how to create a tenant-wide configuration policy, but also describes the settings for the enrollment policy.
You can find additional information about these settings in Configure Windows Hello for Business Policy
settings, in the Windows Hello documentation.
To learn more about identity protection profiles in Intune, see configure identity protection.

Before you begin


Create a configuration profile.

Windows Hello for Business


Configure Windows Hello for Business :
Not configured - Select this setting if you don't want to use Intune to control Windows Hello for
Business settings. Any existing Windows Hello for Business settings on Windows 10 devices are not
changed. All other settings on the pane are unavailable.
Disabled - If you don't want to use Windows Hello for Business, select this setting. All other
settings on the screen are then unavailable.
Enabled - Select this setting if you want to configure Windows Hello for Business settings.
Default : Not configured
When set to Enabled, the following settings are available:
Minimum PIN length
Specify a minimum PIN length for devices, to help secure sign-in. Windows device defaults are six
characters, but this setting can enforce a minimum of four to 127 characters.
Default : Not configured
Maximum PIN length
Specify a maximum PIN length for devices, to help secure sign-in. Windows device defaults are six
characters, but this setting can enforce a minimum of four to 127 characters.
Default : Not configured
Lowercase letters in PIN
You can enforce a stronger PIN by requiring end users include lowercase letters. Your options:
Not allowed - Block users from using lowercase letters in the PIN. This behavior also occurs if
the setting isn't configured.
Allowed - Allow users to use lowercase letters in the PIN, but it's not required.
Required - Users must include at least one lowercase letter in the PIN. For example, it's
common practice to require at least one uppercase letter and one special character.
Uppercase letters in PIN
You can enforce a stronger PIN by requiring end users include uppercase letters. Your options:
Not allowed - Block users from using uppercase letters in the PIN. This behavior also occurs if
the setting isn't configured.
Allowed - Allow users to use uppercase letters in the PIN, but it's not required.
Required - Users must include at least one uppercase letter in the PIN. For example, it's
common practice to require at least one uppercase letter and one special character.
Special characters in PIN
You can enforce a stronger PIN by requiring end users include special characters. Special
characters include:
! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

Your options:
Not allowed - Block users from using special characters in the PIN. This behavior also occurs if
the setting isn't configured.
Allowed - Allow users to use uppercase letters in the PIN, but it's not required.
Required - Users must include at least one uppercase letter in the PIN. For example, it's
common practice to require at least one uppercase letter and one special character.
Default : Not allowed
PIN expiration (days)
It's a good practice to specify an expiration period for a PIN, after which users must change it.
Windows device defaults are 41 days.
Default : Not Configured
Remember PIN history
Restricts the reuse of previously used PINs. Windows devices default to preventing reuse of the
last five PINs.
Default : Not Configured
Enable PIN recovery
Allows users to use the Windows Hello for Business PIN recovery service.
Enabled - The PIN recovery secret is stored on the device and the user can change their PIN if
needed.
Disabled - The recovery secret isn't created or stored.
Default : Not configured
Use a Trusted Platform Module (TPM)
A TPM chip provides an additional layer of data security.
Enabled - Only devices with an accessible TPM can provision Windows Hello for Business.
Not configured - Devices first attempt to use a TPM. If a TPM isn't available, they can use
software encryption.
Default : Not configured
Allow biometric authentication
Enables biometric authentication, such as facial recognition or fingerprint, as an alternative to a
PIN for Windows Hello for Business. Users must still configure a work PIN in case biometric
authentication fails. Choose from:
Enable - Windows Hello for Business allows biometric authentication.
Not configured - Windows Hello for Business prevents biometric authentication (for all
account types).
Default : Not configured
Use enhanced anti-spoofing, when available
Configures whether the anti-spoofing features of Windows Hello are used on devices that support
it (for example, detecting a photograph of a face instead of a real face).
Enable - Windows requires all users to use anti-spoofing for facial features when that is
supported.
Not configured - Windows honors the anti-spoofing configurations on the device.
Default : Not configured
Certificate for on-premise resources
Enable - Allows Windows Hello for Business to use certificates to authenticate to resources on-
premises.
Not configured - Prevents Windows Hello for Business from using certificates to authenticate
to resources on-premises. Instead, devices use the default behavior of key-trust on-premises
authentication. For more information, see User certificate for on-premises authentication in the
Windows Hello documentation.
Default : Not configured
Use security keys for sign-in
This setting is available for devices that run Windows 10 version 1903 or later. Use it to manage support
for using Windows Hello security keys for sign-in.
Enabled - Users can use a Windows Hello security key as a logon credential for PCs targeted with this
policy.
Disabled - Security keys are disabled and users cannot use them to sign in to PCs.
Default : Not configured
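To make the PIN settings above concrete, here is an added example (written for this page, not Microsoft's code) that applies a minimum/maximum length, the three character-class rules, PIN history and PIN expiration to a candidate PIN and reports every violation. Windows enforces the real rules on the device; the PinPolicy type, the error messages, and the choice to treat a "Not configured" character class as "Not allowed" (which is what the page says happens) are this model's own.

```python
# Added example (not from the Intune documentation): applies the Windows Hello
# for Business PIN settings described above to a candidate PIN. Windows enforces
# the real rules on the device; this model only illustrates what each setting
# means and how the options interact. PinPolicy and the messages are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Special characters exactly as listed in the documentation above.
SPECIAL_CHARACTERS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")

NOT_ALLOWED, ALLOWED, REQUIRED = "Not allowed", "Allowed", "Required"


@dataclass
class PinPolicy:
    minimum_length: int = 6            # Windows device default is six characters
    maximum_length: int = 127
    lowercase: str = NOT_ALLOWED       # "Not configured" behaves as Not allowed
    uppercase: str = NOT_ALLOWED
    special: str = NOT_ALLOWED
    expiration_days: Optional[int] = None   # None: the PIN never expires
    history: int = 0                        # how many previous PINs cannot be reused

    def __post_init__(self):
        # The page allows lengths of four to 127 characters.
        if not 4 <= self.minimum_length <= self.maximum_length <= 127:
            raise ValueError("PIN length bounds must satisfy 4 <= min <= max <= 127")


def validate_pin(pin: str, policy: PinPolicy, previous_pins=()) -> list:
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    errors = []
    if len(pin) < policy.minimum_length:
        errors.append(f"shorter than minimum length {policy.minimum_length}")
    if len(pin) > policy.maximum_length:
        errors.append(f"longer than maximum length {policy.maximum_length}")

    character_classes = (
        ("lowercase letter", policy.lowercase, str.islower),
        ("uppercase letter", policy.uppercase, str.isupper),
        ("special character", policy.special, SPECIAL_CHARACTERS.__contains__),
    )
    for name, rule, is_member in character_classes:
        present = any(is_member(ch) for ch in pin)
        if rule == NOT_ALLOWED and present:
            errors.append(f"{name}s are not allowed")
        elif rule == REQUIRED and not present:
            errors.append(f"at least one {name} is required")

    # "Remember PIN history": the last N PINs (previous_pins is oldest first)
    # may not be reused.
    if policy.history > 0 and pin in list(previous_pins)[-policy.history:]:
        errors.append(f"reuses one of the last {policy.history} PINs")
    return errors


def pin_expired(last_changed: date, policy: PinPolicy, today: date) -> bool:
    """True once the PIN has been in use for the configured number of days."""
    if policy.expiration_days is None:
        return False
    return today >= last_changed + timedelta(days=policy.expiration_days)


if __name__ == "__main__":
    # Constructed policy: 8+ characters, uppercase and special required,
    # lowercase allowed, 41-day expiration (the Windows default per the page),
    # last five PINs remembered.
    policy = PinPolicy(minimum_length=8, lowercase=ALLOWED, uppercase=REQUIRED,
                       special=REQUIRED, expiration_days=41, history=5)
    print(validate_pin("Abc12345", policy))   # missing special character
    print(validate_pin("Abc1234!", policy))   # acceptable: []
    print(pin_expired(date(2021, 1, 1), policy, date(2021, 2, 11)))
```

Note that with every setting at its default, a six-digit numeric PIN passes and anything containing a letter fails, which is the effect of "Not allowed" being the behaviour for an unconfigured character class.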

Next steps
Assign the profile and monitor its status.
Windows 10 and newer device settings to run as a
kiosk in Intune
3/5/2021 • 12 minutes to read

On Windows 10 and newer devices, you can configure these devices to run in single-app kiosk mode, or multi-
app kiosk mode.
This article describes some of the settings you can control on Windows 10 and newer devices. As part of your
mobile device management (MDM) solution, use these settings to configure your Windows 10 and newer
devices to run in kiosk mode.
As an Intune administrator, you can create and assign these settings to your devices.
To learn more about the Windows kiosk feature in Intune, see configure kiosk settings.

Before you begin


Create a Windows 10 kiosk device configuration profile.
This kiosk profile is directly related to the device restrictions profile you create using the Microsoft Edge
kiosk settings. To summarize:
1. Create this kiosk profile to run the device in kiosk mode.
2. Create the device restrictions profile, and configure specific features and settings allowed in Microsoft
Edge.
Be sure that any files, scripts, and shortcuts are on the local system. For more information, including
other Windows requirements, see Customize and export Start layout.

IMPORTANT
Be sure to assign this kiosk profile to the same devices as your Microsoft Edge profile.

Single app, full-screen kiosk


Runs only one app on the device, such as a web browser or Store app.
Select a kiosk mode : Choose Single app, full-screen kiosk .
User logon type : Select the account type that runs the app. Your options:
Auto logon (Windows 10 version 1803 and newer) : Use on kiosks in public-facing
environments that don't require the user to sign in, similar to a guest account. This setting uses the
AssignedAccess CSP.
Local user account : Enter the local (to the device) user account. The account you enter signs in to the
kiosk.
Application type : Select the application type. Your options:
Add Microsoft Edge browser : Select this option for Microsoft Edge version 87 and newer.

NOTE
These settings enable the Microsoft Edge browser on the device. To configure Microsoft Edge settings, use
the Settings Catalog, or create an Administrative template.

Edge Kiosk URL : Enter a default webpage that opens when Microsoft Edge browser opens
and restarts. For example, enter https://www.contoso.com or http://bing.com .
Microsoft Edge kiosk mode type : Select the kiosk mode type. Both options help protect
user data.
Public Browsing (InPrivate) : Runs a limited multi-tab version of Microsoft Edge.
Users can browse publicly, or end their browsing session.
Digital/Interactive Signage (InPrivate) : Opens a URL full screen, and only shows the
content on that website. Set up digital signs provides more information on this feature.
For more information on these options, see Support policies for kiosk mode.
Refresh browser after idle time : Enter the idle time when the browser should restart, from
0-1440 minutes. The idle time is the user's last interaction.
Add Microsoft Edge Legacy browser : Select this option for Microsoft Edge version 77, and
version 45 and older.

NOTE
This setting enables the Microsoft Edge browser on the device.
To configure Microsoft Edge version 77 and newer settings, use the Settings Catalog, or create an
Administrative template.
To configure Microsoft Edge version 45 and older, create a device restrictions profile, and configure the
settings.

Microsoft Edge kiosk mode type : Select the kiosk mode type. Both options help protect
user data.
Digital/Interactive signage : Opens a URL full screen, and only shows the content on
that website. Set up digital signs provides more information on this feature.
Public browsing (InPrivate) : Runs a limited multi-tab version of Microsoft Edge.
Users can browse publicly, or end their browsing session.
For more information on these options, see Deploy Microsoft Edge kiosk mode.
Add Kiosk browser : Select Kiosk browser settings . These settings control a web browser app
on the kiosk. Be sure you get the Kiosk browser app from the Store, add it to Intune as a Client
App. Then, assign the app to the kiosk devices.
Enter the following settings:
Default home page URL : Enter the default URL shown when the kiosk browser opens, or
when the browser restarts. For example, enter http://bing.com or http://www.contoso.com .
Home button : Show or hide the kiosk browser's home button. By default, the button isn't
shown.
Navigation buttons : Show or hide the forward and back buttons. By default, the
navigation buttons aren't shown.
End session button : Show or hide the end session button. When shown, the user selects
the button, and the app prompts to end the session. When confirmed, the browser clears all
browsing data (cookies, cache, and so on), and then opens the default URL. By default, the
button isn't shown.
Refresh browser after idle time : Enter the amount of idle time, from 1-1440 minutes,
until the kiosk browser restarts in a fresh state. Idle time is the number of minutes since the
user's last interaction. By default, the value is empty or blank, which means there isn't any
idle timeout.
Allowed websites : Use this setting to allow specific websites to open. In other words, use
this feature to restrict or prevent websites on the device. For example, you can allow all
websites at http://contoso.com to open. By default, all websites are allowed.
To allow specific websites, upload a file that includes a list of the allowed websites on
separate lines. If you don't add a file, all websites are allowed. By default, Intune allows all
subdomains of the website. For example, you enter the sharepoint.com domain. Intune
automatically allows all subdomains, such as contoso.sharepoint.com , my.sharepoint.com ,
and so on. Don't enter wildcards, such as the asterisk ( * ).
Your sample file should look similar to the following list:
http://bing.com
https://bing.com
http://contoso.com
https://contoso.com
office.com

NOTE
Windows 10 Kiosks with Autologon enabled using Microsoft Kiosk Browser must use an offline license
from the Microsoft Store for Business. This requirement is because Autologon uses a local user account
with no Azure Active Directory (AD) credentials. So, online licenses can't be evaluated. For more
information, see Distribute offline apps.

Add Store app : Select Add a store app , and choose an app from the list.
Don't have any apps listed? Add some using the steps at Client Apps.
Specify Maintenance Window for App Restarts : Some apps require a restart to complete the app
installation, or complete the installation of updates. Require creates a maintenance window. If the app
requires a restart, then it's restarted during this window.
Also enter:
Maintenance Window Start Time : Select the date and time of day to begin checking clients for
any app updates that require restart. The default start time is midnight, or zero minutes. If blank,
then apps restart at an unscheduled time 3 days after an app update is installed.
Maintenance Window Recurrence : Default is daily. Select how often Maintenance windows for
app updates take place. To avoid unscheduled app restarts, the recommendation is Daily .
When set to Not configured (default), Intune doesn't change or update this setting.
ApplicationManagement/ScheduleForceRestartForUpdateFailures CSP

Multi-app kiosk
Runs multiple apps on the device. Apps in this mode are available on the start menu. These apps are the only
apps the user can open. If an app has a dependency on another app, then add both apps to the allowed apps list.
For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit. So, you must allow
C:\Program Files\internet explorer\iexplore.exe and C:\Program Files (x86)\Internet Explorer\iexplore.exe.

Select a kiosk mode : Select Multi app kiosk .


Target Windows 10 in S mode devices :
Yes : Allows store apps and AUMID apps in the kiosk profile. It excludes Win32 apps.
No : Allows store apps, Win32 apps, and AUMID apps in the kiosk profile. This kiosk profile isn't
deployed to S-mode devices.
User logon type : Select the account type that runs your apps. Your options:
Auto logon (Windows 10 version 1803 and later) : Use on kiosks in public-facing environments
that don't require the user to sign in, similar to a guest account. This setting uses the AssignedAccess
CSP.
Local user account : Add the local (to the device) user account. The account you enter signs in to the
kiosk.
Azure AD user or group (Windows 10 version 1803 and later) : Select Add , and choose Azure
AD users or groups from the list. You can select multiple users and groups. Choose Select to save
your changes.
HoloLens visitor : The visitor account is a guest account that doesn't require any user credentials or
authentication, as described in shared PC mode concepts.
Browser and Applications : Add the apps to run on the kiosk device. Remember, you can add several
apps.
Browsers
Add Microsoft Edge Legacy : Select this option for Microsoft Edge version 77, and
version 45 and older. Microsoft Edge is added to the app grid, and all applications can run
on this kiosk. Select the Microsoft Edge kiosk mode type :
Normal mode (full version of Microsoft Edge) : Runs a full-version of Microsoft
Edge with all browsing features. User data and state are saved between sessions.
Public browsing (InPrivate) : Runs a multi-tab version of Microsoft Edge InPrivate
with a tailored experience for kiosks that run in full-screen mode.
For more information on these options, see Deploy Microsoft Edge kiosk mode.

NOTE
This setting enables the Microsoft Edge browser on the device.
To configure Microsoft Edge version 77 and newer settings, use the Settings Catalog, or create
an Administrative template.
To configure Microsoft Edge version 45 and older, create a device restrictions profile, and
configure the settings.

Add Kiosk browser : These settings control a web browser app on the kiosk. Be sure you
deploy a web browser app to the kiosk devices using Client Apps.
Enter the following settings:
Default home page URL : Enter the default URL shown when the kiosk browser
opens, or when the browser restarts. For example, enter http://bing.com or
http://www.contoso.com .

Home button : Show or hide the kiosk browser's home button. By default, the
button isn't shown.
Navigation buttons : Show or hide the forward and back buttons. By default, the
navigation buttons aren't shown.
End session button : Show or hide the end session button. When shown, the user
selects the button, and the app prompts to end the session. When confirmed, the
browser clears all browsing data (cookies, cache, and so on), and then opens the
default URL. By default, the button isn't shown.
Refresh browser after idle time : Enter the amount of idle time (1-1440 minutes)
until the kiosk browser restarts in a fresh state. Idle time is the number of minutes
since the user's last interaction. By default, the value is empty or blank, which means
there isn't any idle timeout.
Allowed websites : Use this setting to allow specific websites to open. In other
words, use this feature to restrict or prevent websites on the device. For example, you
can allow all websites at contoso.com* to open. By default, all websites are allowed.
To allow specific websites, upload a .csv file that includes a list of the allowed
websites. If you don't add a .csv file, all websites are allowed.
NOTE
Windows 10 Kiosks with Autologon enabled using Microsoft Kiosk Browser must use an offline
license from the Microsoft Store for Business. This requirement is because Autologon uses a local
user account with no Azure Active Directory (AD) credentials. So, online licenses can't be evaluated.
For more information, see Distribute offline apps.

Applications
Add store app : Add an app from the Microsoft Store for Business. If you don't have any
apps listed, then you can get apps, and add them to Intune. For example, you can add Kiosk
Browser, Excel, OneNote, and more.
Add Win32 App : A Win32 app is a traditional desktop app, such as Visual Studio Code or
Google Chrome. Enter the following properties:
Application name : Required. Enter a name for the application.
Local path to app executable file : Required. Enter the path to the executable, such as
C:\Program Files (x86)\Microsoft VS Code\Code.exe or
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe .
Application user model ID (AUMID) for the Win32 app : Enter the Application user
model ID (AUMID) of the Win32 app. This setting determines the start layout of the tile
on the desktop. To get this ID, see Get-StartApps.
Add by AUMID : Use this option to add inbox Windows apps, such as Notepad or
Calculator. Enter the following properties:
Application name : Required. Enter a name for the application.
Application user model ID (AUMID) : Required. Enter the Application user model ID
(AUMID) of the Windows app. To get this ID, see find the Application User Model ID of an
installed app.
AutoLaunch : Optional. After you add your apps and browser, select one app or browser to
automatically open when the user signs in. Only a single app or browser can be
autolaunched.
Tile size : Required. After you add your apps, select a Small, Medium, Wide, or Large app
tile size.
TIP
After you add all the apps, you can change the display order by clicking-and-dragging the apps in the list.

Use alternative Start layout : Select Yes to enter an XML file that describes how the apps appear on the
start menu, including the order of the apps. Use this option if you require more customization in your
start menu. Customize and export Start layout has some guidance, and sample XML.
Windows Taskbar : Choose to Show or hide the taskbar. By default, the taskbar isn't shown. Icons, such
as the Wi-Fi icon, are shown, but the settings can't be changed by end users.
Allow Access to Downloads Folder : Choose Yes to allow users to access the Downloads folder in
Windows Explorer. By default, access to the Downloads folder is disabled. This feature is commonly used
for end users to access items downloaded from a browser.
Specify Maintenance Window for App Restarts : Some apps require a restart to complete the app
installation, or complete the installation of updates. Require creates a maintenance window. If apps
require a restart, then they're restarted during this window.
Also enter:
Maintenance Window Start Time : Select the date and time of day to begin checking clients for
any app updates that require restart. The default start time is midnight, or zero minutes. If blank,
then apps restart at an unscheduled time 3 days after an app update is installed.
Maintenance Window Recurrence : Default is daily. Select how often Maintenance windows for
app updates take place. To avoid unscheduled app restarts, the recommendation is Daily .
When set to Not configured (default), Intune doesn't change or update this setting.
ApplicationManagement/ScheduleForceRestartForUpdateFailures CSP
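Both kiosk sections above describe the Kiosk Browser "Allowed websites" list: one website per line, subdomains allowed automatically, and no wildcards. The following added example (written for this page, not Microsoft's Kiosk Browser code) parses a list in that format and decides whether a given URL is allowed, using suffix matching on the host so that a look-alike domain such as contoso.com.evil.example does not match contoso.com. One assumption beyond the page: an entry written with a scheme (as in http://bing.com) is taken to allow only that scheme, while a bare entry such as office.com allows any scheme; the sample list is constructed from the page's own example.

```python
# Added example (not from the Intune documentation): parser and matcher for the
# Kiosk Browser "Allowed websites" list format described above. Documented rules
# applied here: one entry per line, subdomains are allowed automatically,
# wildcards are not permitted, and no file means every website is allowed.
# Assumption: an entry with a scheme matches only that scheme.
from urllib.parse import urlsplit

# Constructed sample file, modelled on the page's example list.
SAMPLE_ALLOWLIST = """\
http://bing.com
https://bing.com
http://contoso.com
https://contoso.com
office.com
"""


def parse_allowlist(text: str) -> list:
    """Return (scheme_or_None, host) pairs; raise ValueError on wildcard or empty-host entries."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "*" in line:
            raise ValueError(f"line {lineno}: wildcards such as '*' are not supported")
        if "://" in line:
            parts = urlsplit(line)
            scheme, host = parts.scheme.lower(), parts.hostname or ""
        else:
            # Bare host (optionally with a path); urlsplit needs a leading "//" to see it as a host.
            scheme, host = None, urlsplit("//" + line).hostname or ""
        if not host:
            raise ValueError(f"line {lineno}: no host name in {line!r}")
        entries.append((scheme, host.lower()))
    return entries


def allowlist_problems(text: str) -> list:
    """Return the error messages a list would produce, for reporting to an administrator."""
    try:
        parse_allowlist(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def _host_matches(request_host: str, allowed_host: str) -> bool:
    # Exact match, or any subdomain: contoso.sharepoint.com matches sharepoint.com,
    # but contoso.com.evil.example does not match contoso.com.
    return request_host == allowed_host or request_host.endswith("." + allowed_host)


def is_allowed(url: str, entries: list) -> bool:
    """True if the URL may open in the kiosk browser under the parsed list."""
    if not entries:          # no file uploaded: all websites are allowed
        return True
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    scheme = parts.scheme.lower()
    return any(
        _host_matches(host, allowed_host) and allowed_scheme in (None, scheme)
        for allowed_scheme, allowed_host in entries
    )


if __name__ == "__main__":
    entries = parse_allowlist(SAMPLE_ALLOWLIST)
    for url in ("https://www.office.com/launch", "https://contoso.com",
                "https://contoso.com.evil.example/", "ftp://bing.com"):
        print(url, "->", "allowed" if is_allowed(url, entries) else "blocked")
    print(allowlist_problems("*.contoso.com\n"))
```

Running allowlist_problems over a list before uploading it catches the wildcard mistake the page warns about; the matcher's suffix check is the part worth keeping in mind when reviewing which subdomains a single entry opens up.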

Next steps
Assign the profile, and monitor its status.
You can also create kiosk profiles for Android, Android Enterprise, and Windows Holographic for Business
devices.
Also see set up a single-app kiosk or set up a multi-app kiosk in the Windows guidance.
Configure the Take a Test app on Windows 10
devices using Intune
3/5/2021 • 2 minutes to read

The Take a Test app lets you securely administer online tests on your classroom's Windows 10 devices. To set up
the Take a Test app, you'll need to create a device configuration profile in Intune and configure the secure
assessment settings. This article describes some of the settings you'll find for the Take a Test app.
After you've configured the profile, assign and deploy it to your students.
Take a Test app in Intune provides more information on this feature.

Before you begin


Create a Windows 10 secure assessment education device configuration profile.

Take a test settings


Account type : Choose how users sign in to the test. Your options:
Azure AD account
Domain account
Local account
Local guest account: Only available on devices running Windows 10, version 1903 and later.
Account user name : Enter the user name of the account used with the Take a Test app. You can enter
accounts in the following format:
user@contoso.com
domain\username
user@contoso.com
computerName\username
Account name : To set up a local guest account type, enter the name of the account used with the Take a Test
app. The account name will appear as a tile on the sign-in screen. Students click the tile to launch the test.
Assessment URL : Enter the URL of the test you want users to take. For more information on getting the
URL, see the Take a Test documentation.
Printer connection : Require only allows access to the Take a Test app from devices that are connected to a
printer. This setting also makes the app's print button available to test-takers. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS may allow students to access the
app from devices that aren't connected to a printer.
Screen monitoring : Allow monitors the screen activity while users are taking a test. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS may prevent you from
monitoring the screen during the test.
Text suggestions : Choose Allow so test takers can see text suggestions. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS may block text suggestions while
users are taking a test.

Next steps
Assign the profile, and monitor its status.
Learn more about the Take a Test app.
Windows 10 and newer settings to manage shared
devices using Intune
3/5/2021 • 4 minutes to read

Windows 10 and newer devices, such as the Microsoft Surface, can be used by many users. Devices that have
multiple users are called shared devices, and are a part of mobile device management (MDM) solutions.
Using Microsoft Intune, end-users can sign in to these shared devices with a guest account. As they use the
device, they only get access to features you allow. As the Intune administrator, you configure access, choose
when accounts are deleted, control power management settings, and more for your shared Windows 10
devices.
This article describes some of the settings you can configure in a device configuration profile. When the profile
is created in Intune, you deploy or assign the profile to device groups in your organization. You can also assign
this profile to device groups with mixed device types and Windows OS versions.
For more information on this feature in Intune, see Control access, accounts, and power features on shared PC
or multi-user devices. For more information on the Windows CSP, see SharedPC CSP.

Before you begin


Create a Windows 10 shared multi-user device configuration profile.

Shared multi-user device settings


These settings use the SharedPC CSP.
Shared PC mode : Enable turns on shared PC mode. In this mode, only one user signs in to the device
at a time. Another user can't sign in until the first user signs out. When set to Not configured (default),
Intune doesn't change or update this setting.
Guest account : Choose to create a Guest option on the sign-in screen. Guest accounts don't require any
user credentials or authentication. This setting creates a new local account each time it's used. Your
options:
Guest : Only allows a local guest account to sign in to the device.
Domain : Only allows an Azure Active Directory (AD) domain account to sign in to the device.
Guest and domain : Allows a local guest account, or an Azure Active Directory (AD) domain account
to sign in to the device.
Account management : Choose if accounts are automatically deleted. Your options:
Not configured (default): Intune doesn't change or update this setting.
Enabled : Accounts created by guests, and accounts in AD and Azure AD are automatically deleted
from the devices. When a user signs off the device, or when system maintenance runs, these
accounts are removed from the devices.
Also enter:
Account Deletion : Choose when accounts are deleted:
At storage space threshold
At storage space threshold and inactive threshold
Immediately after log-out
Also enter:
Start delete threshold(%) : Enter a percentage (0-100) of disk space. When the total
disk/storage space drops below the value you enter, the cached accounts are deleted. It
continuously deletes accounts to reclaim disk space. Accounts that are inactive the longest are
deleted first.
Stop delete threshold(%) : Enter a percentage (0-100) of disk space. When the total
disk/storage space meets the value you enter, the deleting stops.
Inactive account threshold : Enter the number of consecutive days before deleting the
account that hasn't signed in, from 0-60 days.
Disabled : The local, AD, and Azure AD accounts created by guests stay on the device, and aren't
deleted.
Local Storage : With local storage, users can save and view files on the device's hard drive. Your options:
Not configured (default): Intune doesn't change or update this setting.
Enabled : Allows users to see and save files locally using File Explorer.
Disabled : Prevents users from saving and viewing files on the device's hard drive.
Power Policies : Allow or prevent users from changing the power settings. Your options:
Not configured (default): Intune doesn't change or update this setting.
Enabled : Users can hibernate the device, can close the lid to sleep the device, and change the power
settings.
Disabled : Users can't turn off hibernate, can't override all sleep actions (such as closing the lid), and
can't change the power settings.
Sleep time out (in seconds) : Enter the number of inactive seconds (0-18000) before the device goes
into sleep mode. 0 means the device never sleeps. If you don't set a time, the device goes to sleep after
3600 seconds (60 minutes).
Sign-in when PC wakes : Choose if users must sign in after the device comes out of sleep mode. Your
options:
Not configured (default): Intune doesn't change or update this setting.
Enabled : Requires users to sign in with a password when device comes out of sleep mode.
Disabled : Users don't have to enter their username and password.
Maintenance start time (in minutes from midnight) : Enter the time in minutes (0-1440) when
automatic maintenance tasks, such as Windows Update, run. The default start time is midnight, or zero (0)
minutes. Change the start time by entering a start time in minutes from midnight. For example, if you
want maintenance to begin at 2 AM, enter 120. If you want maintenance to begin at 8 PM, enter 1200.
When set to Not configured (default), Intune doesn't change or update this setting.
Education policies : Choose if policies for education environment are enabled. Your options:
Not configured (default): Intune doesn't change or update this setting.
Enabled : Uses the recommended settings for devices used in schools, which are more restrictive.
Disabled : The default and recommended education policies aren't used.
For more information on what the education policies do, see Windows 10 configuration
recommendations for education customers.

TIP
Set up a shared or guest PC (opens another docs web site) is a great resource on this Windows 10 feature, including
concepts and group policies that can be set in shared mode.

Next steps
Assign the profile and monitor its status.
See the settings for Windows Holographic for Business.
Windows 10 and Windows Holographic device
settings to add VPN connections using Intune
6/10/2021 • 11 minutes to read

NOTE
Intune may support more settings than the settings listed in this article. Not all settings are documented, and won’t be
documented. To see the settings you can configure, create a device configuration profile, and select Settings Catalog .
For more information, see Settings catalog.

You can add and configure VPN connections for devices using Microsoft Intune. This article describes some of
the settings and features you can configure when creating virtual private networks (VPNs). These VPN settings
are used in device configuration profiles, and then pushed or deployed to devices.
As part of your mobile device management (MDM) solution, use these settings to allow or disable features,
including using a specific VPN vendor, enabling always on, using DNS, adding a proxy, and more.
These settings apply to devices running:
Windows 10
Windows Holographic for Business

Before you begin
Deploy your VPN app, and create a Windows 10 VPN device configuration profile. The available settings
depend on the VPN client you choose. Some settings are only available for specific VPN clients.
These settings use the VPNv2 CSP.

Base VPN
Connection name : Enter a name for this connection. End users see this name when they browse their
device for the list of available VPN connections.
Servers : Add one or more VPN servers that devices connect to. When you add a server, you enter the
following information:
Description : Enter a descriptive name for the server, such as Contoso VPN server .
IP address or FQDN : Enter the IP address or fully qualified domain name (FQDN) of the VPN server
that devices connect to, such as 192.168.1.1 or vpn.contoso.com .
Default server : Enables this server as the default server that devices use to establish the connection.
Set only one server as the default.
Import : Browse to a comma-separated file that includes a list of servers in the format: description, IP
address or FQDN, Default server. Choose OK to import these servers into the Servers list.
Export : Exports the list of servers to a comma-separated-values (csv) file.
Register IP addresses with internal DNS : Select Enable to configure the Windows 10 VPN profile to
dynamically register the IP addresses assigned to the VPN interface with the internal DNS. Select Disable
to not dynamically register the IP addresses.
Connection type : Select the VPN connection type from the following list of vendors:
Cisco AnyConnect
Pulse Secure
F5 Access
SonicWall Mobile Connect
Check Point Capsule VPN
Citrix
Palo Alto Networks GlobalProtect
Automatic
IKEv2
L2TP
PPTP
When you choose a VPN connection type, you may also be asked for the following settings:
Always On : Enable automatically connects to the VPN connection when the following events
happen:
Users sign into their devices
The network on the device changes
The screen on the device turns back on after being turned off
To use device tunnel connections, such as IKEv2, Enable this setting.
Authentication method : Select how you want users to authenticate to the VPN server. Your
options:
Username and password : Require users to enter their domain username and password
to authenticate, such as user@contoso.com , or contoso\user .
Certificates : Select an existing user client certificate profile to authenticate the user. This
option provides enhanced features, such as zero-touch experience, on-demand VPN, and
per-app VPN.
To create certificate profiles in Intune, see Use certificates for authentication.
Derived credential : Use a certificate that's derived from a user's smart card. If no derived
credential issuer is configured, Intune prompts you to add one. For more information, see
Use derived credentials in Intune.
Machine certificates (IKEv2 only): Select an existing device client certificate profile to
authenticate the device.
If you use device tunnel connections, you must select this option.
To create certificate profiles in Intune, see Use certificates for authentication.
EAP (IKEv2 only): Select an existing Extensible Authentication Protocol (EAP) client
certificate profile to authenticate. Enter the authentication parameters in the EAP XML
setting.
Remember credentials at each logon : Choose to cache the authentication credentials.
Custom XML : Enter any custom XML commands that configure the VPN connection.
EAP XML : Enter any EAP XML commands that configure the VPN connection. For more
information, see EAP configuration.
Device tunnel (IKEv2 only): Enable connects the device to the VPN automatically without any
user interaction or sign in. This setting applies to PCs joined to Azure Active Directory (AD).
To use this feature, the following are required:
Connection type setting is set to IKEv2 .
Always On setting is set to Enable .
Authentication method setting is set to Machine certificates .
Only assign one profile per device with Device Tunnel enabled.
IKE Security Association Parameters (IKEv2 only): These cryptography settings are used during IKE
security association negotiations (also known as main mode or phase 1 ) for IKEv2 connections. These
settings must match the VPN server settings. If the settings don't match, the VPN profile won't connect.
Encryption algorithm : Select the encryption algorithm used on the VPN server. For example, if
your VPN server uses AES 128 bit, then select AES-128 from the list.
When set to Not configured , Intune doesn't change or update this setting.
Integrity check algorithm : Select the integrity algorithm used on the VPN server. For example, if
your VPN server uses SHA1-96, then select SHA1-96 from the list.
When set to Not configured , Intune doesn't change or update this setting.
Diffie-Hellman group : Select the Diffie-Hellman computation group used on the VPN server. For
example, if your VPN server uses Group2 (1024 bits), then select 2 from the list.
When set to Not configured , Intune doesn't change or update this setting.
Child Security Association Parameters (IKEv2 only): These cryptography settings are used during
child security association negotiations (also known as quick mode or phase 2 ) for IKEv2 connections.
These settings must match the VPN server settings. If the settings don't match, the VPN profile won't
connect.
Cipher transform algorithm : Select the algorithm used on the VPN server. For example, if your
VPN server uses AES-CBC 128 bit, then select CBC-AES-128 from the list.
When set to Not configured , Intune doesn't change or update this setting.
Authentication transform algorithm : Select the algorithm used on the VPN server. For
example, if your VPN server uses AES-GCM 128 bit, then select GCM-AES-128 from the list.
When set to Not configured , Intune doesn't change or update this setting.
Perfect forward secrecy (PFS) group : Select the Diffie-Hellman computation group used for
perfect forward secrecy (PFS) on the VPN server. For example, if your VPN server uses Group2
(1024 bits), then select 2 from the list.
When set to Not configured , Intune doesn't change or update this setting.
Pulse Secure example

<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>

F5 Edge Client example

<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

SonicWALL Mobile Connect example

Login group or domain : This property can't be set in the VPN profile. Instead, Mobile Connect parses this
value when the user name and domain are entered in the username@domain or DOMAIN\username formats.
Example:

<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging>
<packetCapture>False</packetCapture></MobileConnect>

CheckPoint Mobile VPN example

<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

Writing custom XML
For more information about writing custom XML commands, see each manufacturer's VPN documentation.
For more information about creating custom EAP XML, see EAP configuration.

Apps and Traffic Rules
Associate WIP or apps with this VPN : Enable this setting if you only want some apps to use the VPN
connection. Your options:
Not configured (default): Intune doesn't change or update this setting.
Associate a WIP with this connection : All apps in the Windows Identity Protection domain
automatically use the VPN connection.
WIP domain for this connection : Enter a Windows Identity Protection (WIP) domain. For
example, enter contoso.com .
Associate apps with this connection : The apps you enter automatically use the VPN connection.
Restrict VPN connection to these apps : Disable (default) allows all apps to use the
VPN connection. Enable restricts the VPN connection to the apps you enter (per-app VPN).
Traffic rules for the apps you add are automatically added to the Network traffic rules
for this VPN connection setting.
When you select Enable , the app identifier list becomes read-only. Before you enable this
setting, add your associated apps.
Associated Apps : Select Import to import a .csv file with your list of apps. Your .csv
looks similar to the following file:

%windir%\system32\notepad.exe,desktop
Microsoft.Office.OneNote_8wekyb3d8bbwe,universal

The type of app determines the app identifier. For a universal app, enter the package family
name, such as Microsoft.Office.OneNote_8wekyb3d8bbwe . For a desktop app, enter the file
path of the app, such as %windir%\system32\notepad.exe .
To get the package family name, you can use the Get-AppxPackage Windows PowerShell
cmdlet. For example, to get the OneNote package family name, open Windows PowerShell,
and enter Get-AppxPackage *OneNote . For more information, see Find a PFN for an app that's
installed on a Windows 10 computer and Get-AppxPackage cmdlet.
IMPORTANT
We recommend that you secure all app lists created for per-app VPNs. If an unauthorized user changes this list,
and you import it into the per-app VPN app list, then you potentially authorize VPN access to apps that shouldn't
have access. One way you can secure app lists is using an access control list (ACL).

Network traffic rules for this VPN connection : Select the protocols, and the local and remote port and
address ranges, that are enabled for the VPN connection. If you don't create a network traffic rule, then all
protocols, ports, and address ranges are enabled. After you create a rule, the VPN connection uses only
the protocols, ports, and address ranges that you enter in that rule.
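The note above recommends protecting the per-app VPN app list from unauthorized edits. The following PowerShell is an added example, not from the Intune documentation: it generates the two-column list that Associated Apps > Import expects (using the Get-AppxPackage lookup the page mentions), strips inherited permissions so only administrators can change the file, and records a SHA-256 that can be compared before the import. The output path C:\IntuneConfig\PerAppVpnApps.csv and the app names are placeholders.

```powershell
# Added example (not from the Intune documentation): generate the per-app VPN app list,
# then restrict who can modify it. Assumes a Windows 10 device with the apps installed;
# C:\IntuneConfig\PerAppVpnApps.csv is a placeholder path.

$OutFile = 'C:\IntuneConfig\PerAppVpnApps.csv'

# Desktop (Win32) apps are identified by file path, universal apps by package family name.
$DesktopApps   = @('%windir%\system32\notepad.exe')
$UniversalApps = @('Microsoft.Office.OneNote')   # name fragments looked up with Get-AppxPackage

$rows = [System.Collections.Generic.List[string]]::new()

foreach ($path in $DesktopApps) {
    # Expand %windir% only to confirm the binary exists here; the CSV keeps the
    # unexpanded form so the same entry applies on every target device.
    $expanded = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) { throw "Desktop app not found: $expanded" }
    $rows.Add("$path,desktop")
}

foreach ($name in $UniversalApps) {
    # PackageFamilyName is the identifier the per-app VPN list needs
    # (the same value that Get-AppxPackage *OneNote shows).
    $pkg = Get-AppxPackage -Name "*$name*" | Select-Object -First 1
    if (-not $pkg) { throw "No installed package matches '$name'" }
    $rows.Add("$($pkg.PackageFamilyName),universal")
}

New-Item -ItemType Directory -Path (Split-Path -Parent $OutFile) -Force | Out-Null
# Plain ASCII, no header row and no byte-order mark, matching the sample file on the page.
[System.IO.File]::WriteAllLines($OutFile, $rows, [System.Text.Encoding]::ASCII)

# Lock the list down: remove inherited permissions, then grant full control only to SYSTEM
# and Administrators and read-only to Users, so an unprivileged account cannot add an app.
icacls $OutFile /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\Administrators:(F)' 'BUILTIN\Users:(R)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Record a SHA-256 so whoever imports the list into Intune can confirm it is the reviewed
# file and not a later edit.
$hash = (Get-FileHash -LiteralPath $OutFile -Algorithm SHA256).Hash
Set-Content -LiteralPath "$OutFile.sha256" -Value "$hash  $(Split-Path -Leaf $OutFile)"
Write-Output "Wrote $($rows.Count) app entries to $OutFile (SHA-256 $hash)"
```

The ACL is the control the note asks for; the hash file is a cheap second check: compare `(Get-FileHash $OutFile).Hash` with the recorded value immediately before enabling Restrict VPN connection to these apps, since the app identifier list becomes read-only once that setting is enabled.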

Conditional Access
Conditional Access for this VPN connection : Enables device compliance flow from the client. When
enabled, the VPN client communicates with Azure Active Directory (AD) to get a certificate to use for
authentication. The VPN should be set up to use certificate authentication, and the VPN server must trust
the server returned by Azure AD.
Single sign-on (SSO) with alternate certificate : For device compliance, use a certificate different
from the VPN authentication certificate for Kerberos authentication. Enter the certificate with the
following settings:
Name : Name for extended key usage (EKU)
Object Identifier : Object identifier for EKU
Issuer hash : Thumbprint for SSO certificate

DNS Settings
DNS suffix search list : In DNS suffixes , enter a DNS suffix, and select Add . You can add many suffixes.
When using DNS suffixes, you can search for a network resource using its short name, instead of the fully
qualified domain name (FQDN). When searching using the short name, the suffix is automatically
determined by the DNS server. For example, utah.contoso.com is in the DNS suffix list. You ping
DEV-comp . In this scenario, it resolves to DEV-comp.utah.contoso.com .

DNS suffixes are resolved in the order listed, and the order can be changed. For example,
colorado.contoso.com and utah.contoso.com are in the DNS suffix list, and both have a resource called
DEV-comp . Since colorado.contoso.com is first in the list, it resolves as DEV-comp.colorado.contoso.com .

To change the order, select the dots to the left of the DNS suffix, and then drag the suffix to the top.

Name Resolution Policy table (NRPT) rules : Name Resolution Policy table (NRPT) rules define how
DNS resolves names when connected to the VPN. After the VPN connection is established, you choose
which DNS servers the VPN connection uses.
You can add rules that include the domain, DNS server, proxy, and other details. These rules resolve the
domain you enter. The VPN connection uses these rules when users connect to the domains you enter.
Select Add to add a new rule. For each rule, enter:
Domain : Enter the fully qualified domain name (FQDN) or a DNS suffix to apply the rule. You can also
enter a period (.) at the beginning for a DNS suffix. For example, enter contoso.com or
.allcontososubdomains.com .
DNS ser vers : Enter the IP address or DNS server that resolves the domain. For example, enter
10.0.0.3 or vpn.contoso.com .
Proxy : Enter the web proxy server that resolves the domain. For example, enter http://proxy.com .
Automatically connect : When Enabled , the device automatically connects to the VPN when a
device connects to a domain you enter, such as contoso.com . When Not configured (default), the
device doesn't automatically connect to the VPN.
Persistent : When set to Enabled , the rule stays in the Name Resolution Policy table (NRPT) until the
rule is manually removed from the device, even after the VPN disconnects. When set to Not
configured (default), NRPT rules in the VPN profile are removed from the device when the VPN
disconnects.

Proxy
Automatic configuration script : Use a file to configure the proxy server. Enter the proxy server URL that
includes the configuration file. For example, enter http://proxy.contoso.com/pac .
Address : Enter the IP address or fully qualified host name of the proxy server. For example, enter 10.0.0.3
or vpn.contoso.com .
Port number : Enter the port number used by your proxy server. For example, enter 8080 .
Bypass proxy for local addresses : This setting applies if your VPN server requires a proxy server for the
connection. If you don't want to use a proxy server for local addresses, then choose Enable .

Split Tunneling
Split tunneling : Enable or Disable to let devices decide which connection to use depending on the traffic.
For example, a user in a hotel uses the VPN connection to access work files, but uses the hotel's standard
network for regular web browsing.
Split tunneling routes for this VPN connection : Add optional routes for third-party VPN providers.
Enter a destination prefix, and a prefix size for each connection.

Trusted Network Detection
Trusted network DNS suffixes : When users are already connected to a trusted network, you can prevent
devices from automatically connecting to other VPN connections.
In DNS suffixes , enter a DNS suffix that you want to trust, such as contoso.com, and select Add . You can add as
many suffixes as you want.
If a user is connected to a DNS suffix in the list, then the user won't automatically connect to another VPN
connection. The user continues to use the trusted list of DNS suffixes you enter. The trusted network is still used,
even if any autotriggers are set.
For example, if the user is already connected to a trusted DNS suffix, then the following autotriggers are ignored.
Specifically, the DNS suffixes in the list cancel all other connection autotriggers, including:
Always on
App-based trigger
DNS autotrigger
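The page notes that these settings use the VPNv2 CSP. The PowerShell below is an added example, not from the Intune documentation or the VPNv2 CSP reference: it assembles the ProfileXML form of the IKE security association parameters, DNS suffix list, NRPT rules, split tunnel routes, trusted network detection and per-app traffic filters described above, and refuses to emit a device tunnel unless the prerequisites the page lists (IKEv2, Always On, machine certificates) are all set. Assumptions: the element order follows the VPNv2 ProfileXML schema as the author recalls it, so validate against the published XSD before deploying; the cryptography values are the CSP's names, chosen here stronger than the page's AES-128/SHA1-96/Group 2 examples and still required to match the VPN server; all server names, addresses and suffixes are placeholders.

```powershell
# Added example, not from the Intune documentation: emit VPNv2 CSP ProfileXML for the
# settings discussed above. Element order follows the ProfileXML schema as recalled by the
# author (validate against the published XSD); all values are placeholders.

function ConvertTo-XmlText([string] $Text) { [System.Security.SecurityElement]::Escape($Text) }
function ConvertTo-XmlBool($Value) { if ($Value) { 'true' } else { 'false' } }

function New-VpnProfileXml {
    param(
        [Parameter(Mandatory)][string] $Server,                      # IP address or FQDN
        [ValidateSet('IKEv2','L2TP','PPTP','Automatic')][string] $ConnectionType = 'IKEv2',
        [ValidateSet('MachineCertificate','UserMSChapv2')][string] $Authentication = 'MachineCertificate',
        [switch] $AlwaysOn,
        [switch] $DeviceTunnel,
        [switch] $RegisterDns,                  # Register IP addresses with internal DNS
        [switch] $ForceTunnel,                  # omit for split tunneling
        [hashtable] $CryptographySuite,         # IKE and child SA parameters (IKEv2 only)
        [string[]] $DnsSuffixes = @(),
        [string[]] $TrustedNetworkSuffixes = @(),
        [hashtable[]] $NrptRules = @(),         # Domain, DnsServers, Proxy, AutoTrigger, Persistent
        [hashtable[]] $Routes = @(),            # Address, PrefixSize
        [string[]] $AppIds = @()                # per-app VPN: package family name or desktop path
    )
    # Prerequisites the page lists for a device tunnel, checked before anything is written.
    if ($DeviceTunnel) {
        if ($ConnectionType -ne 'IKEv2')              { throw 'Device tunnel requires Connection type IKEv2.' }
        if (-not $AlwaysOn)                           { throw 'Device tunnel requires Always On.' }
        if ($Authentication -ne 'MachineCertificate') { throw 'Device tunnel requires Machine certificates.' }
    }
    if ($CryptographySuite -and $ConnectionType -ne 'IKEv2') { throw 'IKE SA parameters apply to IKEv2 only.' }

    $x = [System.Collections.Generic.List[string]]::new()
    $x.Add('<VPNProfile>')
    if ($AlwaysOn) { $x.Add('  <AlwaysOn>true</AlwaysOn>') }
    # Both suffix lists are comma separated in the CSP; the first DNS suffix is the primary one.
    if ($DnsSuffixes.Count) { $x.Add("  <DnsSuffix>$(ConvertTo-XmlText ($DnsSuffixes -join ','))</DnsSuffix>") }
    if ($TrustedNetworkSuffixes.Count) {
        $x.Add("  <TrustedNetworkDetection>$(ConvertTo-XmlText ($TrustedNetworkSuffixes -join ','))</TrustedNetworkDetection>")
    }
    if ($DeviceTunnel) { $x.Add('  <DeviceTunnel>true</DeviceTunnel>') }
    if ($RegisterDns)  { $x.Add('  <RegisterDNS>true</RegisterDNS>') }
    $x.Add('  <NativeProfile>')
    $x.Add("    <Servers>$(ConvertTo-XmlText $Server)</Servers>")
    $x.Add("    <RoutingPolicyType>$(if ($ForceTunnel) { 'ForceTunnel' } else { 'SplitTunnel' })</RoutingPolicyType>")
    $x.Add("    <NativeProtocolType>$ConnectionType</NativeProtocolType>")
    $x.Add('    <Authentication>')
    if ($Authentication -eq 'MachineCertificate') { $x.Add('      <MachineMethod>Certificate</MachineMethod>') }
    else                                          { $x.Add('      <UserMethod>MSChapv2</UserMethod>') }
    $x.Add('    </Authentication>')
    if ($CryptographySuite) {
        # Keys are the CSP element names; values such as AES256 or SHA256 must match the VPN server.
        $x.Add('    <CryptographySuite>')
        $keys = @('AuthenticationTransformConstants', 'CipherTransformConstants', 'EncryptionMethod',
                  'IntegrityCheckMethod', 'DHGroup', 'PfsGroup')
        foreach ($k in $keys) {
            if ($CryptographySuite[$k]) { $x.Add("      <$k>$(ConvertTo-XmlText $CryptographySuite[$k])</$k>") }
        }
        $x.Add('    </CryptographySuite>')
    }
    $x.Add('  </NativeProfile>')
    foreach ($r in $Routes) {
        $x.Add("  <Route><Address>$(ConvertTo-XmlText $r.Address)</Address><PrefixSize>$([int]$r.PrefixSize)</PrefixSize></Route>")
    }
    foreach ($n in $NrptRules) {
        $x.Add('  <DomainNameInformation>')
        $x.Add("    <DomainName>$(ConvertTo-XmlText $n.Domain)</DomainName>")
        if ($n.DnsServers) { $x.Add("    <DnsServers>$(ConvertTo-XmlText (@($n.DnsServers) -join ','))</DnsServers>") }
        if ($n.Proxy)      { $x.Add("    <WebProxyServers>$(ConvertTo-XmlText $n.Proxy)</WebProxyServers>") }
        $x.Add("    <AutoTrigger>$(ConvertTo-XmlBool $n.AutoTrigger)</AutoTrigger>")
        $x.Add("    <Persistent>$(ConvertTo-XmlBool $n.Persistent)</Persistent>")
        $x.Add('  </DomainNameInformation>')
    }
    foreach ($app in $AppIds) {
        $x.Add("  <TrafficFilter><App><Id>$(ConvertTo-XmlText $app)</Id></App></TrafficFilter>")
    }
    $x.Add('</VPNProfile>')
    $xml = $x -join "`n"
    $null = [xml]$xml          # throws if the document is not well-formed
    return $xml
}

# Device tunnel with split tunneling, an NRPT rule, a suffix search list and trusted network detection.
$profileXml = New-VpnProfileXml -Server 'vpn.contoso.com' -AlwaysOn -DeviceTunnel -RegisterDns `
    -CryptographySuite @{ EncryptionMethod = 'AES256'; IntegrityCheckMethod = 'SHA256'; DHGroup = 'ECP256';
                          CipherTransformConstants = 'GCMAES256'; AuthenticationTransformConstants = 'GCMAES256'; PfsGroup = 'ECP256' } `
    -DnsSuffixes 'colorado.contoso.com', 'utah.contoso.com' -TrustedNetworkSuffixes 'contoso.com' `
    -NrptRules @{ Domain = '.contoso.com'; DnsServers = '10.0.0.3'; Proxy = 'http://proxy.contoso.com'; AutoTrigger = $true; Persistent = $false } `
    -Routes @{ Address = '10.0.0.0'; PrefixSize = 8 }
Set-Content -LiteralPath (Join-Path $env:TEMP 'ContosoVpn-ProfileXML.xml') -Value $profileXml
```

The prerequisite check at the top of the function is the part worth keeping even if the rest is replaced by the Intune UI: a device tunnel profile that is missing Always On or uses a user authentication method is accepted by the editor but never connects before sign-in, and that failure is easier to catch at build time than in the profile's status report. `-AppIds` emits one `TrafficFilter` per identifier and belongs on a user tunnel, where per-app VPN applies, not on the device tunnel shown in the call.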
Next steps
The profile is created, but may not be doing anything yet. Be sure to assign the profile, and monitor its status.
Configure VPN settings on Android, iOS/iPadOS, and macOS devices.
Add Wi-Fi settings for Windows 10 and newer
devices in Intune
3/5/2021 • 14 minutes to read

NOTE
Intune may support more settings than the settings listed in this article. Not all settings are documented, and won’t be
documented. To see the settings you can configure, create a device configuration profile, and select Settings Catalog .
For more information, see Settings catalog.

You can create a profile with specific WiFi settings. Then, deploy this profile to your Windows 10 and newer
devices. Microsoft Intune offers many features, including authenticating to your network, using a pre-shared
key, and more.
This article describes some of these settings.

Before you begin
Create a Windows 10 Wi-Fi device configuration profile.
These settings use the Wi-Fi CSP.

Basic profile
Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on devices. Typically, WPA/WPA2 is
used on home networks or personal networks. You can also add a pre-shared key to authenticate the
connection.
Wi-Fi type : Select Basic .
Wi-Fi name (SSID) : Short for service set identifier. This value is the real name of the wireless network
that devices connect to. However, users only see the Connection name you configure when they choose
the connection.
Connection name : Enter a user-friendly name for this Wi-Fi connection. The text you enter is the name
users see when they browse the available connections on their device. For example, enter ContosoWiFi .
Connect automatically when in range : When Yes , devices connect automatically when they're in
range of this network. When No , devices don't automatically connect.
Connect to more preferred network if available : If the devices are in range of a more
preferred network, then select Yes to use the preferred network. Select No to use the Wi-Fi
network in this configuration profile.
For example, you create a ContosoCorp Wi-Fi network, and use ContosoCorp within this
configuration profile. You also have a ContosoGuest Wi-Fi network within range. When your
corporate devices are within range, you want them to automatically connect to ContosoCorp . In
this scenario, set the Connect to more preferred network if available property to No .
Connect to this network , even when it is not broadcasting its SSID : Select Yes to
automatically connect to your network, even when the network is hidden. Meaning, its service set
identifier (SSID) isn't broadcast publicly. Select No if you don't want this configuration profile to
connect to your hidden network.
Metered Connection Limit : An administrator can choose how the network's traffic is metered.
Applications can then adjust their network traffic behavior based on this setting. Your options:
Unrestricted : Default. The connection isn't metered and there are no restrictions on traffic.
Fixed : Use this option if the network is configured with a fixed limit for network traffic. After this limit is
reached, network access is prohibited.
Variable : Use this option if network traffic is charged per byte (cost per byte).
Wireless Security Type : Enter the security protocol used to authenticate devices on your network. Your
options are:
Open (no authentication) : Only use this option if the network is unsecured.
WPA/WPA2-Personal : A more secure option, and is commonly used for Wi-Fi connectivity. For
more security, you can also enter a pre-shared key password or network key.
Pre-shared key (PSK): Optional. Shown when you choose WPA/WPA2-Personal as the
security type. When your organization's network is set up or configured, a password or
network key is also configured. Enter this password or network key for the PSK value. Enter
a string between 8-64 characters. If your password or network key is 64 characters, enter
hexadecimal characters.

IMPORTANT
The PSK is the same for all devices you target the profile to. If the key is compromised, it can be
used by any device to connect to the Wi-Fi network. Keep your PSKs secure to avoid unauthorized
access.

Company proxy settings : Select to use the proxy settings within your organization. Your options:
None : No proxy settings are configured.
Manually configure : Enter the Proxy server IP address and its Port number .
Automatically configure : Enter the URL pointing to a proxy autoconfiguration (PAC) script. For
example, enter http://proxy.contoso.com/proxy.pac .
For more information on PAC files, see Proxy Auto-Configuration (PAC) file (opens a non-Microsoft
site).
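The Basic profile settings above correspond to a WLANProfile document consumed by the Wi-Fi CSP. The PowerShell below is an added example, not from the Intune documentation: it builds that document for a WPA2-Personal network, enforces the PSK rule the page states (8-64 characters, with a 64-character key entered as hexadecimal), reads the key from a prompt instead of storing it in the script, and removes the clear-text profile file as soon as netsh has imported it for a local test. The SSID, connection name and temp file path are placeholders, and the mapping of each setting to an XML element is the author's.

```powershell
# Added example, not from the Intune documentation: WLANProfile XML for a Basic
# (WPA/WPA2-Personal) Wi-Fi profile. SSID, names and paths are placeholders.

function Test-WpaPsk {
    param([Parameter(Mandatory)][string] $Psk)
    # Page rule: 8-64 characters, and a 64-character value is the raw key, so it must be hex.
    if ($Psk.Length -eq 64) { return ($Psk -match '^[0-9A-Fa-f]{64}$') }
    return ($Psk.Length -ge 8 -and $Psk.Length -le 63 -and $Psk -match '^[\x20-\x7E]+$')
}

function New-WlanPskProfileXml {
    param(
        [Parameter(Mandatory)][string] $Ssid,            # Wi-Fi name (SSID)
        [Parameter(Mandatory)][string] $ConnectionName,  # name users see in the network list
        [Parameter(Mandatory)][string] $Psk,
        [bool] $ConnectAutomatically = $true,            # Connect automatically when in range
        [bool] $PreferOtherNetworks  = $false,           # Connect to more preferred network if available
        [bool] $HiddenNetwork        = $false            # Connect even when the SSID is not broadcast
    )
    if (-not (Test-WpaPsk -Psk $Psk)) { throw 'PSK must be 8-63 characters, or exactly 64 hex characters.' }
    $esc     = { param($s) [System.Security.SecurityElement]::Escape($s) }
    $keyType = if ($Psk.Length -eq 64) { 'networkKey' } else { 'passPhrase' }
    $mode    = if ($ConnectAutomatically) { 'auto' } else { 'manual' }
    $xml = @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$(& $esc $ConnectionName)</name>
  <SSIDConfig>
    <SSID><name>$(& $esc $Ssid)</name></SSID>
    <nonBroadcast>$($HiddenNetwork.ToString().ToLower())</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>$mode</connectionMode>
  <autoSwitch>$($PreferOtherNetworks.ToString().ToLower())</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>$keyType</keyType>
        <protected>false</protected>
        <keyMaterial>$(& $esc $Psk)</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"@
    $null = [xml]$xml   # throws if the document is not well-formed
    return $xml
}

# The key is prompted for, never hard-coded; because the XML carries it in clear text
# (protected=false), the file exists only long enough for netsh to import it.
$secureKey = Read-Host -Prompt 'WPA2 pre-shared key' -AsSecureString
$psk       = [System.Net.NetworkCredential]::new('', $secureKey).Password
$wlanXml   = New-WlanPskProfileXml -Ssid 'ContosoCorp' -ConnectionName 'ContosoWiFi' -Psk $psk
$file      = Join-Path $env:TEMP 'ContosoWiFi.xml'
try {
    [System.IO.File]::WriteAllText($file, $wlanXml)
    netsh wlan add profile filename="$file" user=all
} finally {
    Remove-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
}
```

`autoSwitch` is the element behind Connect to more preferred network if available, so the call above leaves it `false` for the ContosoCorp scenario on the page; `nonBroadcast` covers the hidden-SSID setting. The Important note above applies here as much as in the portal: the same key reaches every targeted device, so treat the generated XML as a secret and never check it into a repository.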

Enterprise profile
Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate Wi-Fi connections. EAP is often
used by enterprises, as you can use certificates to authenticate and secure connections. And, configure more
security options.
Wi-Fi type : Select Enterprise .
Wi-Fi name (SSID) : Short for service set identifier. This value is the real name of the wireless network
that devices connect to. However, users only see the Connection name you configure when they choose
the connection.
Connection name : Enter a user-friendly name for this Wi-Fi connection. The text you enter is the name
users see when they browse the available connections on their device. For example, enter ContosoWiFi .
Connect automatically when in range : When Yes , devices connect automatically when they're in
range of this network. When No , devices don't automatically connect.
Connect to more preferred network if available : If the devices are in range of a more
preferred network, then select Yes to use the preferred network. Select No to use the Wi-Fi
network in this configuration profile.
For example, you create a ContosoCorp Wi-Fi network, and use ContosoCorp within this
configuration profile. You also have a ContosoGuest Wi-Fi network within range. When your
corporate devices are within range, you want them to automatically connect to ContosoCorp . In
this scenario, set the Connect to more preferred network if available property to No .
Connect to this network , even when it is not broadcasting its SSID : Select Yes for the
configuration profile to automatically connect to your network, even when the network is hidden
(meaning, its SSID isn't broadcast publicly). Select No if you don't want this configuration profile to
connect to your hidden network.
Metered Connection Limit : An administrator can choose how the network's traffic is metered.
Applications can then adjust their network traffic behavior based on this setting. Your options:
Unrestricted : Default. The connection isn't metered and there are no restrictions on traffic.
Fixed : Use this option if the network is configured with a fixed limit for network traffic. After this limit is
reached, network access is prohibited.
Variable : Use this option if network traffic is charged per byte.
Authentication mode : Select how the Wi-Fi profile authenticates with the Wi-Fi server. Your options:
Not configured : Intune doesn't change or update this setting. By default, User or machine
authentication is used.
User : The user account signed in to the device authenticates to the Wi-Fi network.
Machine : Device credentials authenticate to the Wi-Fi network.
User or machine : When a user is signed in to the device, user credentials authenticate to the Wi-Fi
network. When no users are signed in, then device credentials authenticate.
Guest : No credentials are associated with the Wi-Fi network. Authentication is either open, or handled
externally, such as through a web page.
Remember credentials at each logon : Select to cache user credentials, or if users must enter them
every time when connecting to Wi-Fi. Your options:
Not configured : Intune doesn't change or update this setting. By default, the OS might enable this
feature, and cache the credentials.
Enable : Caches user credentials when entered the first time users connect to the Wi-Fi network.
Cached credentials are used for future connections, and users don't need to reenter them.
Disable : User credentials aren't remembered or cached. When connecting to Wi-Fi, users must enter
their credentials every time.
Authentication period : Enter the number of seconds devices must wait after trying to authenticate,
from 1-3600. If the device doesn't connect in the time you enter, then authentication fails. If you leave this
value empty or blank, then 18 seconds is used.
Authentication retry delay period : Enter the number of seconds between a failed authentication
attempt and the next authentication attempt, from 1-3600. If you leave this value empty or blank, then 1
second is used.
Start period : Enter the number of seconds to wait before sending an EAPOL-Start message, from
1-3600. If you leave this value empty or blank, then 5 seconds is used.
Maximum EAPOL-start : Enter the number of EAPOL-Start messages, from 1-100. If you leave this
value empty or blank, then a maximum of 3 messages are sent.
Maximum authentication failures : Enter the maximum number of authentication failures for this set
of credentials to authenticate, from 1-100. If you leave this value empty or blank, then 1 attempt is used.
Single sign-on (SSO) : Allows you to configure single sign-on (SSO), where credentials are shared for
computer and Wi-Fi network sign-in. Your options:
Disable : Disables SSO behavior. The user needs to authenticate to the network separately.
Enable before user signs into device : Use SSO to authenticate to the network just before the user
sign-in process.
Enable after user signs into device : Use SSO to authenticate to the network immediately after the
user sign-in process completes.
Maximum time to authenticate before timeout : Enter the maximum number of seconds to wait
before authenticating to the network, from 1-120 seconds.
Allow Windows to prompt user for additional authentication credentials : Yes allows the
Windows system to prompt the user for more credentials, if the authentication method requires it.
Select No to hide these prompts.
Enable pairwise master key (PMK) caching : Select Yes to cache the PMK used in authentication. This
caching typically allows authentication to the network to complete faster. Select No to force the
authentication handshake when connecting to the Wi-Fi network every time.
Maximum time a PMK is stored in cache : Enter the number of minutes a pairwise master key
(PMK) is stored in the cache, from 5-1440 minutes.
Maximum number of PMKs stored in cache : Enter the number of keys stored in cache, from 1-
255.
Enable pre-authentication : Pre-authentication allows the profile to authenticate to all access points
for the network in the profile before connecting. When moving between access points, pre-
authentication reconnects the user or devices more quickly. Select Yes for the profile to authenticate to
all access points for this network that are within range. Select No to require the user or device to
authenticate to each access point separately.
Maximum pre-authentication attempts : Enter the number of tries to preauthenticate, from 1-16.
EAP type : Select the Extensible Authentication Protocol (EAP) type to authenticate secured wireless
connections. Your options:
EAP-SIM
EAP-TLS : Also enter:
Certificate server names : Enter one or more common names used in the certificates
issued by your trusted certificate authority (CA). If you enter this information, you can
bypass the dynamic trust dialog shown on user devices when they connect to this Wi-Fi
network.
Root certificates for server validation : Select the trusted root certificate profile used to
authenticate the connection.
Authentication method : Select the authentication method used by your device clients.
Your options:
SCEP certificate : Select the SCEP client certificate profile that is also deployed to the
device. This certificate is the identity presented by the device to the server to
authenticate the connection.
PKCS certificate : Select the PKCS client certificate profile and trusted root
certificate that are also deployed to the device. The client certificate is the identity
presented by the device to the server to authenticate the connection.
Derived credential : Use a certificate that's derived from a user's smart card. For more
information, see Use derived credentials in Microsoft Intune.
EAP-TTLS : Also enter:
Certificate server names : Enter one or more common names used in the certificates
issued by your trusted certificate authority (CA). If you enter this information, you can
bypass the dynamic trust dialog shown on user devices when they connect to this Wi-Fi
network.
Root certificates for server validation : Select the trusted root certificate profile used to
authenticate the connection.
Authentication method : Select the authentication method used by your device clients.
Your options:
Username and Password : Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method (inner identity) : Choose how you authenticate the
connection. Be sure you choose the same protocol that's configured on your
Wi-Fi network.
Your options: Unencrypted password (PAP) , Challenge Handshake (CHAP) ,
Microsoft CHAP (MS-CHAP) , and Microsoft CHAP Version 2 (MS-CHAP v2)
Identity privacy (outer identity) : Enter the text sent in response to an EAP
identity request. This text can be any value. During authentication, this
anonymous identity is initially sent, and then followed by the real
identification sent in a secure tunnel.
SCEP certificate : Select the SCEP client certificate profile that is also deployed to
the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in response to an EAP
identity request. This text can be any value. During authentication, this
anonymous identity is initially sent, and then followed by the real identification
sent in a secure tunnel.
PKCS certificate : Select the PKCS client certificate profile and trusted root
certificate that are also deployed to the device. The client certificate is the identity
presented by the device to the server to authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in response to an EAP
identity request. This text can be any value. During authentication, this
anonymous identity is initially sent, and then followed by the real identification
sent in a secure tunnel.
Derived credential : Use a certificate that's derived from a user's smart card. For
more information, see Use derived credentials in Microsoft Intune.
Protected EAP (PEAP) : Also enter:
Certificate server names : Enter one or more common names used in the certificates
issued by your trusted certificate authority (CA). If you enter this information, you can
bypass the dynamic trust dialog shown on user devices when they connect to this Wi-Fi
network.
Root certificate for server validation : Select the trusted root certificate profile used to
authenticate the connection.
Perform server validation : When set to Yes , in PEAP negotiation phase 1, devices
validate the certificate, and verify the server. Select No to block or prevent this validation.
When set to Not configured , Intune doesn't change or update this setting.
If you select Yes , also configure:
Disable user prompts for server validation : When set to Yes , in PEAP negotiation
phase 1, user prompts asking to authorize new PEAP servers for trusted certification
authorities aren't shown. Select No to show the prompts. When set to Not configured ,
Intune doesn't change or update this setting.
Require cryptographic binding : Yes prevents connections to PEAP servers that don't use
cryptobinding during the PEAP negotiation. No doesn't require cryptobinding. When set to
Not configured , Intune doesn't change or update this setting.
Authentication method : Select the authentication method used by your device clients.
Your options:
Username and Password : Prompt the user for a user name and password to
authenticate the connection. Also enter:
Identity privacy (outer identity) : Enter the text sent in response to an EAP
identity request. This text can be any value. During authentication, this
anonymous identity is initially sent, and then followed by the real identification
sent in a secure tunnel.
SCEP cer tificate : Select the SCEP client cer tificate profile that is also deployed to
the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in response to an EAP
identity request. This text can be any value. During authentication, this
anonymous identity is initially sent, and then followed by the real identification
sent in a secure tunnel.
PKCS cer tificate : Select the PKCS client cer tificate profile and trusted root
cer tificate that are also deployed to the device. The client certificate is the identity
presented by the device to the server to authenticate the connection.
Identity privacy (outer identity) : Enter the text sent in response to an EAP
identity request. This text can be any value. During authentication, this
anonymous identity is initially sent, and then followed by the real identification
sent in a secure tunnel.
Derived credential : Use a certificate that's derived from a user's smart card. For
more information, see Use derived credentials in Microsoft Intune.
Company Proxy settings: Select to use the proxy settings within your organization. Your options:
  None: No proxy settings are configured.
  Manually configure: Enter the Proxy server IP address and its Port number.
  Automatically configure: Enter the URL pointing to a proxy auto configuration (PAC) script. For example, enter http://proxy.contoso.com/proxy.pac.
  For more information on PAC files, see Proxy Auto-Configuration (PAC) file (opens a non-Microsoft site).
Force Wi-Fi profile to be compliant with the Federal Information Processing Standard (FIPS): Select Yes when validating against the FIPS 140-2 standard. This standard is required for all US federal government agencies that use cryptography-based security systems to protect sensitive but unclassified information stored digitally. Select No to not be FIPS-compliant.

Use an imported settings file


For any settings not available in Intune, you can export Wi-Fi settings from another Windows device. This export
creates an XML file with all the settings. Then, import this file into Intune, and use it as the Wi-Fi profile. See
Export and import Wi-Fi settings for Windows devices.
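Because an imported profile carries the PEAP settings described above verbatim, it is worth checking what an exported XML file actually says before assigning it. The following auditor is an added example (not code from Intune or Microsoft): it reads an exported Windows WLAN profile and flags the PEAP choices the settings above call out, namely server validation off, no certificate server names, no pinned root certificate, user prompts allowed, and cryptographic binding not required. The sample profile is constructed here; its element names follow the XML that `netsh wlan export profile` writes (an assumption to confirm against your own export), and namespaces are ignored so the checks do not depend on exact xmlns values. The server name and root-CA thumbprint in the hardened copy are placeholders.

```python
"""Audit an exported Windows WLAN profile for weak PEAP server-validation settings.

Added example, not Intune or Microsoft code.  Element names are assumed to match
the output of `netsh wlan export profile`; the sample profile is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: WPA2-Enterprise, PEAP (EAP type 25) with MSCHAPv2 (26) inside.
# Server validation is deliberately weak so the auditor has something to flag.
WEAK_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Contoso-Corp</name>
  <SSIDConfig><SSID><name>Contoso-Corp</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication><encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                <ServerNames></ServerNames>
              </ServerValidation>
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>26</Type>
              </Eap>
              <RequireCryptoBinding>false</RequireCryptoBinding>
              <PeapExtensions>
                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
              </PeapExtensions>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
"""

# The same profile with the hardening the PEAP settings describe.  The server
# name and the root-CA thumbprint (SHA-1, space separated) are placeholders.
HARDENED_PROFILE = (
    WEAK_PROFILE
    .replace("<DisableUserPromptForServerValidation>false",
             "<DisableUserPromptForServerValidation>true")
    .replace("<ServerNames></ServerNames>",
             "<ServerNames>radius.contoso.example</ServerNames>"
             "<TrustedRootCA>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</TrustedRootCA>")
    .replace("<RequireCryptoBinding>false", "<RequireCryptoBinding>true")
    .replace(">false</PerformServerValidation>", ">true</PerformServerValidation>")
)


def _local(tag):
    """Element name without its namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def _text(root, name):
    """Text of the first element (document order) with that local name, or ''."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return ""


def audit_peap_profile(xml_text):
    """Return a list of findings; an empty list means every PEAP check passed."""
    root = ET.fromstring(xml_text)
    if _text(root, "useOneX").lower() != "true":
        return ["profile is not 802.1X (useOneX != true): PEAP checks do not apply"]
    # The first Type element is EapMethod/Type; 25 is PEAP.
    if _text(root, "Type") != "25":
        return ["outer EAP method is not PEAP (EapMethod Type != 25)"]
    checks = [
        (_text(root, "PerformServerValidation").lower() == "true",
         "Perform server validation is off: the client does not verify the server certificate"),
        (_text(root, "ServerNames") != "",
         "Certificate server names are empty: any certificate chaining to a trusted root is accepted"),
        (_text(root, "TrustedRootCA") != "",
         "no root certificate is pinned for server validation"),
        (_text(root, "DisableUserPromptForServerValidation").lower() == "true",
         "user prompts are enabled: users can authorize new PEAP servers themselves"),
        (_text(root, "RequireCryptoBinding").lower() == "true",
         "cryptographic binding is not required"),
    ]
    return [message for ok, message in checks if not ok]


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_peap_profile(profile) or "OK")
```

To run it against a real export, write the profile out with `netsh wlan export profile name="<SSID>" folder=<dir>` on a Windows device and pass the file contents to `audit_peap_profile`; an empty result means the XML already enforces the server-validation settings above, so importing it into Intune will not loosen them.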

Next steps
The profile is created, but may not be doing anything. Be sure to assign the profile, and monitor its status.

More resources
Windows 8.1 Wi-Fi settings
Wi-Fi settings overview, including other platforms
Use custom settings for Windows Holographic for Business devices in Intune
11/2/2020 • 4 minutes to read

Using Microsoft Intune, you can add or create custom settings for your Windows Holographic for Business
devices using "custom profiles". Custom profiles are a feature in Intune. They're designed to add device settings
and features that aren't built into Intune.
Windows Holographic for Business custom profiles use Open Mobile Alliance Uniform Resource Identifier
(OMA-URI) settings to configure different features. These settings are typically used by mobile device
manufacturers to control features on the device.
Windows Holographic for Business makes many configuration service providers (CSPs) settings available. For a
CSP overview, see Introduction to configuration service providers (CSPs) for IT pros. For specific CSPs
supported by Windows Holographic, see CSPs supported in Windows Holographic.
If you're looking for a specific setting, remember that the Windows Holographic for Business device restriction
profile includes many built-in settings. So, you may not need to enter custom values.
This article shows you how to create a custom profile for Windows Holographic for Business devices. It also
includes a list of the recommended OMA-URI settings.

Before you begin


Create a Windows 10 custom profile.

Custom OMA-URI Settings


Add: Enter the following settings:
  Name: Enter a unique name for the OMA-URI setting to help you identify it in the list of settings.
  Description: Enter a description that gives an overview of the setting, and any other important details.
  OMA-URI (case sensitive): Enter the OMA-URI you want to use as a setting.
  Data type: Select the data type you'll use for this OMA-URI setting. Your options:
    String
    String (XML file)
    Date and time
    Integer
    Floating point
    Boolean
    Base64 (file)
  Value: Enter the data value you want to associate with the OMA-URI you entered. The value depends on the data type you selected. For example, if you select Date and time, select the value from a date picker.
After you add some settings, you can select Export. Export creates a list of all the values you added in a comma-separated values (.csv) file.
Recommended custom settings
The following settings are useful for devices running Windows Holographic for Business:

AllowFastReconnect
  OMA-URI: ./Vendor/MSFT/Policy/Config/Authentication/AllowFastReconnect
  Data type: Integer
    0 - not allowed
    1 - allowed (default)

AllowUpdateService
  OMA-URI: ./Vendor/MSFT/Policy/Config/Update/AllowUpdateService
  Data type: Integer
    0 - Update service is not allowed
    1 - Update service is allowed (default)

AllowVPN
  OMA-URI: ./Vendor/MSFT/Policy/Config/Settings/AllowVPN
  Data type: Integer
    0 - not allowed
    1 - allowed (default)

RequireUpdateApproval
  OMA-URI: ./Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval
  This setting is available in RS5 (build 17763) and earlier. Starting with 19H1 (build 18362), use Windows Update for Business.
  Data type: Integer
    0 - Not configured. The device installs all applicable updates.
    1 - The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.

ScheduledInstallTime
  OMA-URI: ./Vendor/MSFT/Policy/Config/Update/ScheduledInstallTime
  Data type: Integer, 0-23, where 0=12AM and 23=11PM. Default value is 3.

UpdateServiceURL
  OMA-URI: ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl
  This setting is available in RS5 (build 17763) and earlier. Starting with 19H1 (build 18362), use Windows Update for Business.
  Data type: String
    URL - the device checks for updates from the WSUS server at the specified URL.
    Not configured - The device checks for updates from Microsoft Update.

ApprovedUpdates
  OMA-URI: ./Vendor/MSFT/Update/ApprovedUpdates/GUID
  Node for update approvals and EULA acceptance on behalf of the end user. For more information, see Update CSP.
  Important: You must read and accept the update EULAs on behalf of your end users. Failure to do so is a breach of legal or contractual obligations.

ApplicationLaunchRestrictions
  OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Grouping/ApplicationType/Policy
  Data type: String. For more information, see AppLocker CSP.
  Important: The AppLocker CSP article uses escaped XML examples. To configure the settings with Intune custom profiles, you must use plain XML.

DeletionPolicy
  OMA-URI: ./Vendor/MSFT/AccountManagement/UserProfileManagement/DeletionPolicy
  Data type: Integer
    0 - delete immediately when the device returns to a state with no currently active users
    1 - delete at storage capacity threshold (default)
    2 - delete at both storage capacity threshold and profile inactivity threshold

EnableProfileManager
  OMA-URI: ./Vendor/MSFT/AccountManagement/UserProfileManagement/EnableProfileManager
  Data type: Boolean
    True - enable
    False - disable (default)

ProfileInactivityThreshold
  OMA-URI: ./Vendor/MSFT/AccountManagement/UserProfileManagement/ProfileInactivityThreshold
  Data type: Integer. Default value is 30.

StorageCapacityStartDeletion
  OMA-URI: ./Vendor/MSFT/AccountManagement/UserProfileManagement/StorageCapacityStartDeletion
  Data type: Integer. Default value is 25.

StorageCapacityStopDeletion
  OMA-URI: ./Vendor/MSFT/AccountManagement/UserProfileManagement/StorageCapacityStopDeletion
  Data type: Integer. Default value is 50.
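The custom OMA-URI procedure (Name, OMA-URI, Data type, Value), the recommended-settings list, and the AppLocker note about plain rather than escaped XML all come together when the values are prepared outside the portal. The following is an added example (not Intune or Microsoft code) that validates a batch of such settings against the value ranges listed above and emits them in the shape of a Microsoft Graph custom configuration. Assumptions to verify for your tenant: the `#microsoft.graph.windows10CustomConfiguration` and `#microsoft.graph.omaSetting*` type names are taken from the Graph device configuration schema; `ProfileInactivityThreshold` has no documented range here, so only a non-negative integer is required; the "start below stop" rule for the storage thresholds is a sanity check inferred from how the shared-device thresholds are described, not a documented constraint; and `Grouping` in the AppLocker URI is the page's placeholder, not a real node name.

```python
"""Validate custom OMA-URI settings for a Windows Holographic for Business profile
and emit them as a Graph-style custom configuration.

Added example, not Intune or Microsoft code.  Value rules follow the recommended
settings listed above; Graph type names are an assumption to verify."""
import html
import xml.etree.ElementTree as ET

POLICY = "./Vendor/MSFT/Policy/Config/"
ACCOUNT = "./Vendor/MSFT/AccountManagement/UserProfileManagement/"
APPLOCKER = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/"

# Assumed Graph @odata.type for each Intune data type used below.
GRAPH_TYPE = {
    "Integer": "#microsoft.graph.omaSettingInteger",
    "String": "#microsoft.graph.omaSettingString",
    "String (XML file)": "#microsoft.graph.omaSettingStringXml",
    "Boolean": "#microsoft.graph.omaSettingBoolean",
}


def _int_range(lo, hi):
    """Accept a plain int (not bool) within lo..hi inclusive."""
    return lambda v: type(v) is int and lo <= v <= hi


def plain_xml(value):
    """The AppLocker CSP docs show escaped XML; Intune needs plain XML.
    Unescape a pasted escaped policy, then require it to be well-formed."""
    if "<" not in value and "&lt;" in value:
        value = html.unescape(value)
    ET.fromstring(value)  # raises ET.ParseError when not well-formed
    return value


# OMA-URI -> (Intune data type, validator).  Ranges are those documented above.
RULES = {
    POLICY + "Authentication/AllowFastReconnect": ("Integer", _int_range(0, 1)),
    POLICY + "Update/AllowUpdateService": ("Integer", _int_range(0, 1)),
    POLICY + "Settings/AllowVPN": ("Integer", _int_range(0, 1)),
    POLICY + "Update/RequireUpdateApproval": ("Integer", _int_range(0, 1)),
    POLICY + "Update/ScheduledInstallTime": ("Integer", _int_range(0, 23)),
    POLICY + "Update/UpdateServiceUrl":
        ("String", lambda v: isinstance(v, str) and v.startswith(("http://", "https://"))),
    ACCOUNT + "DeletionPolicy": ("Integer", _int_range(0, 2)),
    ACCOUNT + "EnableProfileManager": ("Boolean", lambda v: isinstance(v, bool)),
    # No range documented above: assume any non-negative integer.
    ACCOUNT + "ProfileInactivityThreshold": ("Integer", _int_range(0, 10**9)),
    ACCOUNT + "StorageCapacityStartDeletion": ("Integer", _int_range(0, 100)),
    ACCOUNT + "StorageCapacityStopDeletion": ("Integer", _int_range(0, 100)),
}


def rule_for(uri):
    """Exact match for the listed URIs; any AppLocker .../Policy leaf is XML."""
    if uri in RULES:
        return RULES[uri]
    if uri.startswith(APPLOCKER) and uri.endswith("/Policy"):
        return ("String (XML file)", None)
    return None


def build_custom_profile(display_name, settings):
    """settings: iterable of (name, oma_uri, value).
    Returns (payload, errors); payload is None if any setting fails."""
    oma, errors, seen = [], [], {}
    for name, uri, value in settings:
        rule = rule_for(uri)
        if rule is None:
            errors.append(f"{name}: {uri} is not in the recommended list")
            continue
        dtype, check = rule
        try:
            if dtype == "String (XML file)":
                value = plain_xml(value)
            elif not check(value):
                raise ValueError(f"value {value!r} is outside the documented values")
        except (ValueError, ET.ParseError) as exc:
            errors.append(f"{name}: {exc}")
            continue
        seen[uri] = value
        oma.append({"@odata.type": GRAPH_TYPE[dtype], "displayName": name,
                    "description": f"Recommended Windows Holographic setting ({dtype})",
                    "omaUri": uri, "value": value})
    start = seen.get(ACCOUNT + "StorageCapacityStartDeletion")
    stop = seen.get(ACCOUNT + "StorageCapacityStopDeletion")
    # Deletion begins when free space drops below the start threshold and stops once
    # it reaches the stop threshold, so start must be lower (inferred sanity check).
    if start is not None and stop is not None and start >= stop:
        errors.append("StorageCapacityStartDeletion must be below StorageCapacityStopDeletion")
    if errors:
        return None, errors
    return {"@odata.type": "#microsoft.graph.windows10CustomConfiguration",
            "displayName": display_name, "omaSettings": oma}, []
```

A profile built this way can be posted to `deviceManagement/deviceConfigurations` in Graph once the assumed type names are confirmed; the point of the validator is that an out-of-range `ScheduledInstallTime`, a stop threshold below the start threshold, or an escaped AppLocker policy is caught before it reaches the device.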

Find the policies you can configure


You can find a complete list of all configuration service providers (CSPs) that Windows Holographic supports in
CSPs supported in Windows Holographic. Not all settings are compatible with all Windows Holographic
versions. The table in CSPs supported in Windows Holographic lists the supported versions for each CSP.
Additionally, Intune doesn't support all of the settings listed in CSPs supported in Windows Holographic. To find
out if Intune supports the setting you want, open the article for that setting. Each setting page shows its
supported operation. To work with Intune, the setting must support the Add or Replace operations.

Next steps
Assign the profile, and monitor its status.
Create a custom profile on Windows 10 devices.
Learn more about custom profiles in Intune.
Windows Holographic for Business device settings to allow or restrict features using Intune
3/5/2021 • 5 minutes to read

This article describes the different settings you can control on Windows Holographic for Business devices, such
as Microsoft HoloLens. As part of your mobile device management (MDM) solution, use these settings to allow
or disable features, control security, and more.
As an Intune administrator, you can create and assign these settings to your devices.

Before you begin


Create a Windows 10 device restrictions configuration profile.
When you create a Windows 10 device restrictions configuration profile, there are more settings than what's
listed in this article. The settings in this article are supported on Windows Holographic for Business devices.

App Store
Auto-update apps from store : Block prevents updates from being automatically installed from the
Microsoft Store. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow apps installed from the Microsoft Store to be automatically updated.
ApplicationManagement/AllowAppStoreAutoUpdate CSP
Trusted app installation : Choose if non-Microsoft Store apps can be installed, also known as
sideloading. Sideloading is installing, and then running or testing an app that isn't certified by the
Microsoft Store. For example, an app that is internal to your company only. Your options:
Not configured (default): Intune doesn't change or update this setting.
Block : Prevents sideloading. Non-Microsoft Store apps can't be installed.
Allow : Allows sideloading. Non-Microsoft Store apps can be installed.
ApplicationManagement/AllowAllTrustedApps CSP
Developer unlock : Allow Windows developer settings, such as allowing sideloaded apps to be modified
by users. Your options:
Not configured (default): Intune doesn't change or update this setting.
Block : Prevents developer mode and sideloading apps.
Allow : Allows developer mode and sideloading apps.
ApplicationManagement/AllowDeveloperUnlock CSP

Cellular and Connectivity


Bluetooth : Block prevents users from enabling Bluetooth. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow Bluetooth on the device.
Connectivity/AllowBluetooth CSP
Bluetooth discoverability : Block prevents the device from being discoverable by other Bluetooth-
enabled devices. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow other Bluetooth-enabled devices, such as a headset, to discover the device.
Bluetooth/AllowDiscoverableMode CSP
Bluetooth advertising : Block prevents the device from sending out Bluetooth advertisements. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow the device to send out Bluetooth advertisements.
Bluetooth/AllowAdvertising CSP

Cloud and Storage


Microsoft account : Block prevents users from associating a Microsoft account with the device. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allow adding and using a Microsoft account.
Accounts/AllowMicrosoftAccountConnection CSP

Control Panel and Settings


System time modification : Block prevents users from changing the date and time settings on the
device. When set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow users to change these settings.
Settings/AllowDateTime CSP

General
Manual unenrollment : Block prevents users from deleting the workplace account using the workplace
control panel on the device. When set to Not configured (default), Intune doesn't change or update this
setting.
Experience/AllowManualMDMUnenrollment CSP
Geolocation : Block prevents users from turning on location services on the device. When set to Not
configured (default), Intune doesn't change or update this setting.
Experience/AllowFindMyDevice CSP
Cortana : Block disables the Cortana voice assistant on the device. When Cortana is off, users can still
search to find items on the device. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow Cortana.
Experience/AllowCortana CSP

Microsoft Edge Browser


Start experience > Allow pop-ups : Yes (default) allows pop-ups in the web browser. No prevents
pop-up windows in the browser.
Browser/AllowPopups CSP
Favorites and search > Show search suggestions : Yes (default) allows your search engine to
suggest sites as you type search phrases in the address bar. No prevents this feature.
Browser/AllowSearchSuggestionsinAddressBar CSP
Privacy and security > Allow Password Manager : Yes (default) allows Microsoft Edge to
automatically use Password Manager, which allows users to save and manage passwords on the device.
No prevents Microsoft Edge from using Password Manager.
Browser/AllowPasswordManager CSP
Privacy and security > Cookies : Choose how cookies are handled in the web browser. Your options:
Allow : Cookies are stored on the device.
Block all cookies : Cookies aren't stored on the device.
Block only third-party cookies : Third-party or partner cookies aren't stored on the device.
Browser/AllowCookies CSP
Privacy and security > Send do-not-track headers : Yes sends do-not-track headers to websites
requesting tracking info (recommended). No (default) doesn't send headers that allow websites to track
the user. Users can configure this setting.
Browser/AllowDoNotTrack CSP

Microsoft Defender SmartScreen


SmartScreen for Microsoft Edge : Require turns on Microsoft Defender SmartScreen, and prevents
users from turning it off. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might turn on SmartScreen, and allow users to turn it on and off.
Browser/AllowSmartScreen CSP

Password
Password : Require forces users to enter a password to access the device. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might allow access to devices
without a password. Applies to local accounts only. Domain account passwords remain configured by
Active Directory (AD) and Azure AD.
DeviceLock/DevicePasswordEnabled CSP
Require password when device returns from idle state : Require forces users to enter a password
to unlock the device after being idle. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might not require a PIN or password after being idle.
DeviceLock/AllowIdleReturnWithoutPassword CSP

Reporting and Telemetry


Share usage data : Choose the level of diagnostic data that's submitted. Your options:
Not configured (default): Intune doesn't change or update this setting. No setting is forced. Users
choose the level that's submitted. By default, the OS might not share any data.
Security : Information that's required to help keep Windows more secure, including data about the
Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool,
and Microsoft Defender
Basic : Basic device information, including quality-related data, app compatibility, app usage data, and
data from the Security level
Enhanced : Additional insights, including how Windows, Windows Server, System Center, and apps
are used, how they perform, advanced reliability data, and data from both the Basic and the Security
levels
Full : All data necessary to identify and help to fix problems, plus data from the Security, Basic, and
Enhanced level.
System/AllowTelemetry CSP

Search
Search location : Block prevents Windows Search from using the location. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow this
feature.
Search/AllowSearchToUseLocation CSP

Next steps
Assign the profile, and monitor its status.
Upgrade HoloLens (1st gen) devices running Windows Holographic to Windows Holographic for Business
3/5/2021 • 2 minutes to read

Microsoft Intune includes many settings to help manage and protect your devices. This article lists and describes
the settings to upgrade HoloLens (1st gen) devices running Windows Holographic to Windows Holographic for
Business.
This article applies to:
Microsoft HoloLens (1st gen) devices

IMPORTANT
HoloLens (1st gen) devices can run Windows Holographic and Windows Holographic for Business. All HoloLens 2 devices
use Windows Holographic for Business. You don't need to update the edition of any HoloLens 2 device, regardless of the
device SKU.

As part of your mobile device management (MDM) solution, use these settings to upgrade your HoloLens (1st
gen) Windows Holographic devices. For the Microsoft HoloLens (1st gen), you can purchase the Commercial
Suite to get the required license for the upgrade. For more information, see Unlock Windows Holographic for
Business features.
As an Intune administrator, you can create and assign these settings to your devices.
For more information on this feature, see Upgrade Windows 10 editions or enable S mode.

Before you begin


Create a Windows 10 edition upgrade and mode switch device configuration profile.
When you create a Windows 10 edition upgrade and mode switch device configuration profile, there are more
settings than what's listed in this article. The settings in this article are supported on Windows Holographic for
Business devices.

Edition upgrade
Edition to upgrade to : Select Windows 10 Holographic for Business .
License File : Browse to and select the XML license file that was provided to you.
Next steps
Assign the profile, and monitor its status.
You can also create edition upgrade profiles for Windows 10 and later devices.
Windows Holographic for Business device settings to run as a kiosk in Intune
3/5/2021 • 4 minutes to read

You can configure Windows Holographic for Business devices to run in single-app kiosk mode or multi-app
kiosk mode. Some features aren't supported on Windows Holographic for Business.
This article describes the different settings you can control on Windows Holographic for Business devices. As
part of your mobile device management (MDM) solution, use these settings to configure your Windows
Holographic for Business devices to run in kiosk mode.
As an Intune administrator, you can create and assign these settings to your devices.
To learn more about the Windows kiosk feature in Intune, see configure kiosk settings.

Before you begin


Create a Windows 10 kiosk device configuration profile.
When you create a Windows 10 kiosk device configuration profile, there are more settings than what's
listed in this article. The settings in this article are supported on Windows Holographic for Business
devices.
This kiosk profile is directly related to the device restrictions profile you create using the Microsoft Edge
kiosk settings. To summarize:
1. Create this kiosk profile to run the device in kiosk mode.
2. Create the device restrictions profile, and configure specific features and settings allowed in Microsoft
Edge.

IMPORTANT
Be sure to assign this kiosk profile to the same devices as your Microsoft Edge profile.

Single app, full-screen kiosk


Runs only one app on the device. When the user signs in, a specific app starts. This mode also restricts the user
from opening new apps, or changing the running app.
User logon type : Select the account type that runs the app. Your options:
Auto logon (Windows 10 version 1803 and newer) : Not supported on Windows
Holographic for Business.
Local user account : Enter the local (to the device) user account. Or, enter a Microsoft Account
(MSA) account associated with the kiosk app. The account you enter signs in to the kiosk.
For kiosks in public-facing environments, a user type with the least privilege should be used.
Application type : Select Add Store app .
App to run in kiosk mode : Select an app from the list.
Don't have any apps listed? Add some using the steps at Client Apps.

Multi-app kiosk
Apps in this mode are available on the start menu. These apps are the only apps the user can open. If an app has
a dependency on another app, both must be included in the allowed apps list.
Target Windows 10 in S mode devices : Select No . S mode isn't supported on Windows Holographic
for Business.
User logon type : Add one or more user accounts that can use the apps you add. Your options:
Auto logon (Windows 10 version 1803 and newer) : Not supported on Windows Holographic
for Business.
Local user accounts : Add the local (to the device) user account. The account you enter signs in to
the kiosk.
Azure AD user or group (Windows 10, version 1803 and later) : Requires user credentials to
sign in to the device. Select Add to choose Azure AD users or groups from the list. You can select
multiple users and groups. Choose Select to save your changes.
HoloLens visitor : The visitor account is a guest account that doesn't require any user credentials or
authentication, as described in shared PC mode concepts.
Browser and Applications : Add the apps to run on the kiosk device. Remember, you can add several
apps.
Browsers
Add Microsoft Edge : Microsoft Edge is added to the app grid, and all applications can run
on this kiosk. Select the Microsoft Edge kiosk mode type:
Normal mode (full version of Microsoft Edge) : Runs a full-version of Microsoft
Edge with all browsing features. User data and state are saved between sessions.
Public browsing (InPrivate) : Runs a multi-tab version of Microsoft Edge InPrivate
with a tailored experience for kiosks that run in full-screen mode.
For more information on these options, see Deploy Microsoft Edge kiosk mode.

NOTE
This setting enables the Microsoft Edge browser on the device. To configure Microsoft Edge-
specific settings, create a device restrictions profile (Devices > Configuration profiles > Create
profile > Windows 10 for platform > Device Restrictions > Microsoft Edge Browser ).
Microsoft Edge browser describes the available Holographic for Business settings.

Add Kiosk browser : Not supported on Windows Holographic for Business.


Applications
Add store app : Select an existing app you added or deployed to Intune as Client Apps,
including LOB apps. If you don't have any apps listed, Intune supports many app types that
you add to Intune.
Add Win32 app : Not supported on Windows Holographic for Business.
Add by AUMID : Use this option to add inbox Windows apps, such as Notepad or
Calculator. Enter the following properties:
Application name : Required. Enter a name for the application.
Application user model ID (AUMID) : Required. Enter the Application user model ID
(AUMID) of the Windows app. To get this ID, see find the Application User Model ID of an
installed app.
AutoLaunch : Optional. After you add your apps and browser, select one app or browser to
automatically open when the user signs in. Only a single app or browser can be
autolaunched.
Tile size : Required. After you add your apps, select a Small, Medium, Wide, or Large app
tile size.
Use alternative Start layout : Select Yes to enter an XML file that describes how the apps appear on the
start menu, including the order of the apps. Use this option if you require more customization in your
start menu. Customize and export start layout provides some guidance, and includes a specific XML file
for Windows Holographic for Business devices.
Windows Taskbar : Not supported on Windows Holographic for Business.
Allow Access to Downloads Folder : Not supported on Windows Holographic for Business.
Specify Maintenance Window for App Restarts : Not supported on Windows Holographic for
Business.

Next steps
Assign the profile and monitor its status.
You can also create kiosk profiles for Android, Android Enterprise, and Windows 10 and later devices.
Windows Holographic for Business settings to manage shared devices using Intune
3/5/2021 • 2 minutes to read

Windows Holographic for Business devices, such as the Microsoft HoloLens, can be used by multiple users.
Devices that have multiple users are called shared devices, and are a part of mobile device management (MDM)
solutions.
Using Microsoft Intune, users can sign in to these shared devices with a guest account. As they use the device,
they only get access to features you allow.
This article describes the settings you use in a Windows Holographic for Business device configuration profile.
When the profile is created in Intune, you then deploy or assign the profile to device groups in your
organization. You can also assign this profile to a device group with mixed device types and OS versions.
For more information on this feature in Intune, see Control access, accounts, and power features on shared PC
or multi-user devices. For more information on the Windows CSP, see AccountManagement CSP.

Before you begin


Create a Windows 10 shared multi-user device configuration profile.
When you create a Windows 10 shared user device configuration profile, there are more settings than what's
listed in this article. The settings in this article are supported on Windows Holographic for Business devices.

Shared multi-user device settings


NOTE
Devices that run Windows Holographic for Business, including the Microsoft HoloLens, only support the Account
management settings. If you configure any of the other settings shown in Intune, including Shared PC mode , it has
no impact on these devices.

Account management: Choose if accounts are automatically deleted. Your options:
  Not configured (default): Automatically deletes local accounts created by guests, and accounts in AD and Azure AD. When a user signs off the device, or when system maintenance runs, these accounts are deleted. Also enter:
    Account Deletion: Choose when accounts are deleted:
      At storage space threshold
      At storage space threshold and inactive threshold
      Immediately after log-out
    Also enter:
      Start delete threshold (%): Enter a percentage (0-100) of disk space. When the total disk/storage space drops below the value you enter, the cached accounts are deleted. It continuously deletes accounts to reclaim disk space. Accounts that are inactive the longest are deleted first.
      Stop delete threshold (%): Enter a percentage (0-100) of disk space. When the total disk/storage space meets the value you enter, the deleting stops.
  Disable: The local, AD, and Azure AD accounts created by guests stay on the device, and aren't deleted.

Next steps
Assign the profile and monitor its status.
See the shared user device settings for Windows 10 and newer.
Microsoft Intune Windows 8.1 device restriction settings
11/2/2020 • 5 minutes to read

This article shows you the Microsoft Intune device restrictions settings that you can configure for devices
running Windows 8.1.

Before you begin


Create a Windows 8.1 device restrictions configuration profile.

General
Share usage data : Block prevents devices from submitting diagnostic and usage telemetry information to
Microsoft. When set to Not configured (default), Intune doesn't change or update this setting.
Firewall : Require the Windows Firewall be turned on. When set to Not configured (default), Intune
doesn't change or update this setting.
User Account Control : Configures User Account Control (UAC). Choose how users are notified of changes
on devices. Your options:
Not configured (default): Intune doesn't change or update this setting.
Always notify
Notify on app changes
Notify on app changes, but don't dim the desktop
Never notify

Password
Required password type : Choose if a user must enter a password to access the device. Your options:
Not configured (default): Intune doesn't change or update this setting.
Alphanumeric : Password must be a mix of numbers and letters.
Numeric : Password must only be numbers.
Minimum password length : Enter the minimum number of characters required, from 6-16. For
example, enter 6 to require a password of at least six characters.
Number of sign-in failures before wiping device : Enter the number of wrong passwords allowed
before the device is wiped, from 1-14.
Maximum minutes of inactivity until screen locks (in minutes) : Enter the length of time a device
must be idle before the screen is automatically locked, from 1-60 minutes. For example, enter 5 Minutes
to lock the device after 5 minutes of being idle. When set to Not configured , Intune doesn't change or
update this setting.
Password expiration (days) : Enter the length of time in days when the device password must be
changed, from 1-255. For example, enter 90 to expire the password after 90 days. When the value is
blank, Intune doesn't change or update this setting.
Prevent reuse of previous passwords : Enter the number of previously used passwords that can't be
used, from 1-24. For example, enter 5 so users can't set a new password to their current password or
any of their previous four passwords. When the value is blank, Intune doesn't change or update this
setting.
Picture password and PIN : A picture password lets the user sign in with gestures on a picture. A PIN
lets users quickly sign in with a four-digit code.
Block prevents using a picture or PIN as the password. When set to Not configured (default), Intune
doesn't change or update this setting.
Encryption : Require encryption on devices, including files. Not all devices support encryption. When
set to Not configured , Intune doesn't change or update this setting.
To configure this setting, and correctly report compliance, also configure:
Required password type : Set to at least Numeric .
Minimum password length : Set to at least 6 .
To enforce encryption on devices that run Windows 8.1, you must install the December 2014 MDM client
update for Windows on each device.
If you enable this setting for Windows 8.1 devices, all users of the device must have a Microsoft account.
For encryption to work, devices must meet the Microsoft InstantGo hardware certification requirements.
When you enforce encryption on a device, the recovery key is only accessible from the user's Microsoft
account, which is accessed from their OneDrive account. You can't recover this key for a user.

Browser
Autofill : Block prevents users from changing autocomplete settings in the browser, and from populating
form fields automatically. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow Autofill.
Fraud warnings : Require shows fraud warnings in the browser for potential fraudulent websites. When
set to Not configured (default), Intune doesn't change or update this setting.
SmartScreen for Microsoft Edge : Block turns off Microsoft Defender SmartScreen. SmartScreen looks
for potential phishing scams and malicious software when accessing sites and file downloads. When set
to Not configured (default), Intune doesn't change or update this setting. By default, the OS might turn
on SmartScreen.
Allow JavaScript : Block prevents scripts, such as JavaScript, from running in the browser. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow
JavaScript.
Pop-ups : Block turns on Pop-up Blocker to prevent pop-ups in the web browser. When set to Not
configured (default), Intune doesn't change or update this setting.
Do-not-track headers : Block prevents devices from sending do-not-track headers to websites
requesting tracking info. When set to Not configured (default), Intune doesn't change or update this
setting.
Plugins : Block prevents users from adding plug-ins in Internet Explorer. When set to Not configured
(default), Intune doesn't change or update this setting.
Single word entry on intranet site : Single word entry lets users go to an intranet site by entering a
single word, such as hr or benefits . Block prevents this feature. When set to Not configured
(default), Intune doesn't change or update this setting.
Auto detect of intranet site : Block prevents the browser from automatically detecting intranet sites.
Intranet mapping rules are blocked. When set to Not configured (default), Intune doesn't change or
update this setting.
Internet security level : Sets the security level for Internet sites. Your options:
Not configured (default): Intune doesn't change or update this setting.
High
Medium-high
Medium
Intranet security level : Sets the security level for intranet sites. Your options:
Not configured (default): Intune doesn't change or update this setting.
Low
Medium-low
Medium
Medium-high
High
Trusted sites security level : Configures the security level for the trusted sites zone. Your options:
Not configured (default): Intune doesn't change or update this setting.
Low
Medium-low
Medium
Medium-high
High
High security for restricted sites : Configures the security level for the restricted sites zone.
Configured enforces high security for restricted sites. When set to Not configured (default), Intune
doesn't change or update this setting.
Enterprise mode menu access : Block prevents users from accessing the Enterprise Mode menu
options in Internet Explorer. When set to Not configured (default), Intune doesn't change or update this
setting.
When set to Not configured , also enter:
Logging report location URL : Enter a URL location where to get reports that show the websites
with Enterprise Mode access turned on.
Enterprise mode site list location (Desktop only) : Enter the location of the list of websites that can
be opened in Enterprise Mode.

Cellular
Data roaming : Block prevents data roaming when devices are on a cellular network. When set to Not
configured (default), Intune doesn't change or update this setting.

Cloud and Storage


Work folders URL : Enter the URL of the work folder to allow documents to be synchronized across devices.
When set to Not configured (default) or left blank, Intune doesn't change or update this setting.
Access to Windows Mail app without a Microsoft account : Block prevents access to the Windows
Mail application without a Microsoft account. When set to Not configured (default), Intune doesn't change
or update this setting.
Next steps
Create a device restrictions profile on Windows 10 and newer.
Add VPN settings on Windows 8.1 devices in
Microsoft Intune
3/5/2021 • 2 minutes to read

This article shows you the Intune settings you can use to configure VPN connections on devices running
Windows 8.1.
Depending on the settings you choose, not all values in the following list are configurable.

Before you begin


Create a Windows 8.1 VPN device configuration profile.

Base VPN settings


Connection name : Enter a name for this connection. Users see this name when they browse their device
for the list of available VPN connections. For example, enter Contoso VPN .
Servers : Add one or more VPN servers that devices connect to. When you add a server, you enter the
following information:
Description : Enter a descriptive name for the server, such as Contoso VPN server .
IP address or FQDN : Enter the IP address or fully qualified domain name (FQDN) of the VPN server
that devices connect to. For example, enter 192.168.1.1 or vpn.contoso.com .
Default server : True sets this server as the default server that devices use to establish the
connection. Set only one server as the default.
Import : Browse to a comma-separated file with the list of servers in the format: description, IP
address or FQDN, Default server. Choose OK to import these servers into the Servers list.
Export : Exports the list of servers to a comma-separated-values (csv) file.
Connection type : Select the VPN connection type. Your options:
Check Point Capsule VPN
SonicWall Mobile Connect
F5 Access
Pulse Secure
Login group or domain (SonicWall Mobile Connect only): Enter the name of the login group or domain
you want to connect to.
Role (Pulse Secure only): Enter the name of the user role that can access this connection. A user role
defines personal settings and options, and it enables or disables certain access features.
Realm (Pulse Secure only): Enter the name of the authentication realm you want to use. An
authentication realm is a grouping of authentication resources that the Pulse Secure connection type
uses.
Custom XML : Enter any custom XML commands that configure the VPN connection.
Pulse Secure example :
<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>

CheckPoint Mobile VPN example :

<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

SonicWall Mobile Connect example :

<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging>
<packetCapture>False</packetCapture></MobileConnect>

F5 Edge Client example :

<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

For more information on writing custom XML commands, see the manufacturer's VPN documentation.
Split tunneling : Enable lets devices decide which connection to use depending on the traffic. For
example, a user in a hotel uses the VPN connection to access work files, but uses the hotel's standard
network for regular web browsing. If you want all traffic to use the VPN tunnel when the VPN connection
is active, then set to Disable .

Proxy
Automatic configuration script : Use a file to configure the proxy server. Enter the proxy server URL that
includes the configuration file. For example, enter http://proxy.contoso.com/pac .
Address : Enter the IP address or fully qualified host name of the proxy server. For example, enter 10.0.0.3
or vpn.contoso.com .
Port number : Enter the port number associated with the proxy server. For example, enter 8080 .
Automatically detect proxy settings : If your VPN server requires a proxy server for the connection,
choose if you want devices to automatically detect the connection settings. Your options:
Not configured (default): Intune doesn't change or update this setting.
Enable : Automatically detects the connection settings.
Disable : Doesn't automatically detect the connection settings.
Bypass proxy for local addresses : Choose to use the proxy server for local addresses. Your options:
Not configured (default): Intune doesn't change or update this setting.
Enable : Don't use a proxy server for local addresses.
Disable : Use a proxy server for local addresses.

Next steps
Assign the profile, and monitor its status.
Configure VPN settings on Android, Android Enterprise, macOS, and Windows 10 devices.
Use custom settings for Windows Phone 8.1 devices
in Intune
11/2/2020 • 2 minutes to read

IMPORTANT
Windows 10 Mobile and Windows Phone 8.1 support has ended. Windows 10 Mobile and Windows Phone 8.1
enrollments will fail and related apps can no longer be added to Intune. These profile types are being removed from the
Intune UI. Devices currently enrolled will stop syncing with the Intune service.
Existing policies and profiles on these platforms are becoming read-only, and can't be changed. You can remove
assignments, and then delete the policies and profiles.
If Windows Phone 8.1 or Windows 10 Mobile are being used, we recommend moving to Windows 10 devices. Windows
10 has built-in security and device features that have a first class integration with Microsoft Intune.

Using Microsoft Intune, you can add or create custom settings for your Windows Phone 8.1 devices using
"custom profiles". Custom profiles are a feature in Intune. They're designed to add device settings and features
that aren't built in to Intune.
Windows Phone 8.1 custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings
to configure different features. These settings are typically used by mobile device manufacturers to control
features on the device. Windows Phone 8.1 MDM protocol documentation lists the settings.
This article shows you how to create a custom profile for Windows Phone 8.1 devices.

Before you begin


Create a Windows Phone 8.1 custom profile.

Custom OMA-URI settings


OMA-URI Settings : Add the following settings:
Name : Enter a unique name for the OMA-URI setting to help you identify it in the list of settings.
Description : Enter a description that gives an overview of the setting, and any other relevant
information to help you locate the profile.
OMA-URI (case sensitive): Enter the OMA-URI you want to use as a setting.
Data type : Select the data type you'll use for this OMA-URI setting. Your options:
String
String (XML file)
Date and time
Integer
Floating point
Boolean
Base64 (file)
Value : Enter the data value you want to associate with the OMA-URI you entered. The value
depends on the data type you selected. For example, if you select Date and time , select the value
from a date picker.
After you add some settings, you can select Export . Export creates a list of all the values you added in a
comma-separated values (.csv) file.

Example
In the following example, cellular data roaming is blocked on Windows Phone 8.1 devices, so they don't use
data on another carrier's network when traveling outside their own carrier's coverage area.
Name : Allow Cellular Data Roaming
Description : Allow or disallow cellular data roaming
OMA-URI (case sensitive): ./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularDataRoaming
Data type : Integer
Value : 0
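The OMA-URI is case sensitive and the value must match the data type you pick, and the profile gives little feedback when either is wrong. The following Python is an added example, not Intune's own code: it checks the shape of an OMA-URI and converts the value according to the selected data type before assembling the setting, using the roaming setting above as its sample input. The list of data types comes from this article; the exact-casing check on the Vendor and MSFT path segments and the true/false spelling accepted for Boolean are assumptions of this example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime

# Data types offered by the custom profile UI, as listed in the article.
DATA_TYPES = (
    "String",
    "String (XML file)",
    "Date and time",
    "Integer",
    "Floating point",
    "Boolean",
    "Base64 (file)",
)

# Path segments whose exact casing is checked. CSP paths are case-sensitive and
# these two appear in the article's example; treating any other casing of them
# as a typo is an assumption of this example.
_CASED_SEGMENTS = {"vendor": "Vendor", "msft": "MSFT"}


def validate_oma_uri(uri):
    """Check the shape of an OMA-URI and return it unchanged if acceptable."""
    if not uri.startswith("./"):
        raise ValueError(f"OMA-URI must start with './': {uri!r}")
    segments = uri[2:].split("/")
    if any(seg == "" for seg in segments):
        raise ValueError(f"OMA-URI has an empty path segment: {uri!r}")
    for seg in segments:
        expected = _CASED_SEGMENTS.get(seg.lower())
        if expected is not None and seg != expected:
            raise ValueError(
                f"OMA-URI is case-sensitive: {seg!r} should be {expected!r} in {uri!r}"
            )
    return uri


def coerce_value(data_type, value):
    """Return `value` converted to the Python type matching `data_type`, or raise."""
    if data_type not in DATA_TYPES:
        raise ValueError(f"unknown data type {data_type!r}")
    text = value.strip()
    try:
        if data_type == "Integer":
            return int(text, 10)
        if data_type == "Floating point":
            return float(text)
        if data_type == "Boolean":
            if text.lower() not in ("true", "false"):
                raise ValueError("Boolean must be 'true' or 'false'")
            return text.lower() == "true"
        if data_type == "Date and time":
            return datetime.fromisoformat(text)
        if data_type == "Base64 (file)":
            return base64.b64decode(text, validate=True)
        if data_type == "String (XML file)":
            ET.fromstring(text)  # raises ParseError on malformed XML
            return text
        return value  # plain String: any text is accepted
    except (ValueError, binascii.Error, ET.ParseError) as exc:
        raise ValueError(f"value {value!r} is not valid for {data_type}: {exc}") from exc


def build_setting(name, description, oma_uri, data_type, value):
    """Assemble one validated OMA-URI setting as a plain record."""
    if not name.strip():
        raise ValueError("setting name must not be empty")
    return {
        "name": name,
        "description": description,
        "omaUri": validate_oma_uri(oma_uri),
        "dataType": data_type,
        "value": coerce_value(data_type, value),
    }


# The article's example: block cellular data roaming (0 = disallow).
ROAMING_SETTING = build_setting(
    "Allow Cellular Data Roaming",
    "Allow or disallow cellular data roaming",
    "./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularDataRoaming",
    "Integer",
    "0",
)
```

Run the checks before pasting a setting into the profile; a lower-case `./vendor/...` or an Integer value of `"zero"` is rejected here rather than silently failing on the device.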

Next steps
Assign the profile, and monitor its status.
Create a custom profile on Windows 10 devices.
Microsoft Intune Windows Phone 8.1 device
restriction settings
11/2/2020 • 5 minutes to read

IMPORTANT
Windows 10 Mobile and Windows Phone 8.1 support has ended. Windows 10 Mobile and Windows Phone 8.1
enrollments will fail and related apps can no longer be added to Intune. These profile types are being removed from the
Intune UI. Devices currently enrolled will stop syncing with the Intune service.
Existing policies and profiles on these platforms are becoming read-only, and can't be changed. You can remove
assignments, and then delete the policies and profiles.
If Windows Phone 8.1 or Windows 10 Mobile are being used, we recommend moving to Windows 10 devices. Windows
10 has built-in security and device features that have a first class integration with Microsoft Intune.

This article shows you the Microsoft Intune device restrictions settings that you can configure for devices
running Windows Phone 8.1.

Before you begin


Create a Windows Phone 8.1 device restrictions profile.

General
Camera : Block prevents access to the device camera. When set to Not configured (default), Intune
doesn't change or update this setting.
Intune only manages access to the device camera. It doesn't have access to pictures or videos.
Copy and paste : Block prevents using copy-and-paste between apps on the device. When set to Not
configured (default), Intune doesn't change or update this setting.
Removable storage : Block prevents using external storage devices on devices, such as SD cards. When
set to Not configured (default), Intune doesn't change or update this setting.
Geolocation : Block prevents turning on location services on devices. When set to Not configured
(default), Intune doesn't change or update this setting.
Microsoft account : Block prevents users from associating a Microsoft account with the device. When
set to Not configured (default), Intune doesn't change or update this setting.
Screen capture : Block prevents getting screenshots on devices. When set to Not configured (default),
Intune doesn't change or update this setting.
Diagnostic data submission : Block blocks devices from sending diagnostic and usage telemetry data
to Microsoft. When set to Not configured (default), Intune doesn't change or update this setting.
Custom email accounts sync : Block prevents devices from connecting to non-Microsoft email
accounts. When set to Not configured (default), Intune doesn't change or update this setting.

Password
Password : Require forces users to enter a password to access devices. When set to Not configured
(default), Intune doesn't change or update this setting. Applies to local accounts only. Domain account
passwords remain configured by Active Directory (AD) and Azure AD.
Required password type : Choose the type of password. Your options:
Device default : Password can include numbers and letters.
Alphanumeric : Password must be a mix of numbers and letters.
Numeric : Password must only be numbers.
Minimum password length : Enter the minimum number of characters required, from 4-16. For
example, enter 6 to require a password of at least six characters.
Simple passwords : Block prevents users from creating simple passwords, such as 1234 or 1111 .
When set to Not configured (default), Intune doesn't change or update this setting.
Number of sign-in failures before wiping device : Enter the number of wrong passwords
allowed before devices are wiped.
Maximum minutes of inactivity until screen locks : Enter the length of time a device must be idle
before the screen is automatically locked. For example, enter 5 to lock devices after 5 minutes of
being idle. When set to Not configured or left blank, Intune doesn't change or update this setting.
Password expiration (days) : Enter the length of time in days when the device password must be
changed, from 1-255. For example, enter 90 to expire the password after 90 days. When the value is
blank, Intune doesn't change or update this setting.
Prevent reuse of previous passwords : Enter the number of previously used passwords that can't
be used, from 1-24. For example, enter 5 so users can't set a new password to their current password
or any of their previous four passwords. When the value is blank, Intune doesn't change or update this
setting.
Encryption : Require encryption on device, including files. Not all devices support encryption. When set to
Not configured (default), Intune doesn't change or update this setting. To configure this setting, and
correctly report compliance, also configure:
Require password : Set to Require .
Required password type : Set to at least Numeric .
Minimum password length : Set to at least 4 .

App Store
App store : Block prevents users from accessing the app store. When set to Not configured (default),
Intune doesn't change or update this setting.

Restricted apps
In the restricted apps list, you can configure one of the following lists:
Blocked apps : List the apps (not managed by Intune) that users are not allowed to install and run.
Allowed apps : List the apps that users are allowed to install. Apps that are managed by Intune are
automatically allowed.
To configure the list, click Add , then specify a name of your choice, optionally the app publisher, and the URL to
the app in the app store.
How to specify the URL to an app in the store
To specify an app URL in the allowed and blocked apps list, follow these steps:
From the Windows Phone Store page, search for the app that you want to use.
Open the app's page, and copy the URL to the clipboard. You can now use this URL as the URL in either the
allowed or blocked apps list.
Example: Search the store for the Skype app. The URL you use is
http://www.windowsphone.com/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51 .
Additional options
You can also click Import to populate the list from a csv file in the format <app url>, <app name>, <app
publisher>, or click Export to create a csv file containing the contents of the restricted apps list in the same
format.
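A blocked or allowed apps list is only as good as the URLs in it: a row whose URL doesn't point at the store, or the same app listed twice under different names, is an easy mistake in a hand-edited csv. The following Python is an added example, not Intune's own import code. It parses a constructed import file in the <app url>, <app name>, <app publisher> format, checks each URL against the store URL shape shown above (host www.windowsphone.com, path /store/app/<name>/<guid>), and rejects duplicate app IDs. The Skype URL is the one quoted in the article; treating the GUID at the end of the path as the app's identity, and the app name as required while the publisher is optional, are assumptions of this example.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed sample in the Import button's format: <app url>, <app name>, <app publisher>.
# The Skype URL is the one quoted in the article.
SAMPLE_APPS_CSV = """\
http://www.windowsphone.com/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51,Skype,Microsoft
"""

# A made-up row that is not a store URL; it is rejected by parse_restricted_apps.
BAD_ROW = "http://example.invalid/not-a-store-url,Example,Contoso\n"

_GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
_STORE_PATH_RE = re.compile(rf"^/store/app/(?P<slug>[^/]+)/(?P<guid>{_GUID})/?$", re.IGNORECASE)


def parse_store_url(url):
    """Return (slug, guid) from a Windows Phone Store app URL; raise ValueError otherwise."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != "www.windowsphone.com":
        raise ValueError(f"not a Windows Phone Store URL: {url!r}")
    match = _STORE_PATH_RE.match(parts.path)
    if not match:
        raise ValueError(f"store URL lacks the /store/app/<name>/<guid> path: {url!r}")
    return match.group("slug").lower(), match.group("guid").lower()


def parse_restricted_apps(text):
    """Parse the csv into app entries, rejecting malformed URLs and duplicate app IDs."""
    apps, seen = [], {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 3:
            raise ValueError(f"line {lineno}: expected '<app url>, <app name>, <app publisher>'")
        url, name, publisher = (cell.strip() for cell in row)
        if not name:
            raise ValueError(f"line {lineno}: app name is required")
        slug, guid = parse_store_url(url)
        if guid in seen:
            raise ValueError(f"line {lineno}: app {guid} already listed on line {seen[guid]}")
        seen[guid] = lineno
        apps.append({"url": url, "name": name, "publisher": publisher or None,
                     "slug": slug, "guid": guid})
    return apps
```

The slug in the path is only the app's display name; comparing on the GUID is what catches the same app listed twice with different spellings.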

Browser
Web browser : Block turns off the built-in web browser on devices. When set to Not configured (default),
Intune doesn't change or update this setting.

Cellular and Connectivity


Wi-Fi : Block disables the Wi-Fi functionality on devices. When set to Not configured (default), Intune
doesn't change or update this setting.
Wi-Fi tethering : Block prevents using Wi-Fi tethering on devices. When set to Not configured (default),
Intune doesn't change or update this setting.
Automatically connect to Wi-Fi hotspots : Enables devices to automatically connect to free Wi-Fi
hotspots and automatically accept any terms of use.
Wi-Fi hotspot reporting : Block prevents devices from sending Wi-Fi hotspot connection information.
When set to Not configured (default), Intune doesn't change or update this setting.
NFC : Block disables operations that use near field communication (NFC) on devices that support it. When
set to Not configured (default), Intune doesn't change or update this setting.
Bluetooth : Block prevents users from enabling Bluetooth. When set to Not configured (default), Intune
doesn't change or update this setting.

Next steps
For a general overview of the device restrictions profile, see Configure device restriction settings in Microsoft
Intune.
Email profile settings in Microsoft Intune for devices
running Windows Phone 8.1
11/2/2020 • 2 minutes to read

IMPORTANT
Windows 10 Mobile and Windows Phone 8.1 support has ended. Windows 10 Mobile and Windows Phone 8.1
enrollments will fail and related apps can no longer be added to Intune. These profile types are being removed from the
Intune UI. Devices currently enrolled will stop syncing with the Intune service.
Existing policies and profiles on these platforms are becoming read-only, and can't be changed. You can remove
assignments, and then delete the policies and profiles.
If Windows Phone 8.1 or Windows 10 Mobile are being used, we recommend moving to Windows 10 devices. Windows
10 has built-in security and device features that have a first class integration with Microsoft Intune.

This article shows you the email profile settings you can configure for your devices running Windows Phone 8.1.

IMPORTANT
Windows Phone 8.1 email profiles are also applied to Windows 10 devices.

Before you begin


Create a Windows Phone 8.1 email profile.

Email settings
Email server : Enter the host name of your Exchange server. For example, enter outlook.office365.com .
Account name : Enter the display name for the email account. This name is shown to users on their
devices.
Username attribute from AAD : This name is the attribute Intune gets from Azure Active Directory
(AAD). Intune dynamically generates the username that's used by this profile. Your options:
User Principal Name : Gets the name, such as user1 or user1@contoso.com .
Primary SMTP address : Gets the name in email address format, such as user1@contoso.com .
sAM Account Name : Requires the domain, such as domain\user1 . Also enter:
User domain name source : Your options:
AAD (Azure Active Directory): Enter User domain name attribute from AAD . Choose
to get the Full domain name or the NetBIOS name attribute of the user.
Custom : Enter Custom domain name to use . Enter a value that Intune uses for the
domain name, such as contoso.com or contoso .
Email address attribute from AAD : Intune gets this attribute from Azure Active Directory (AAD).
Choose how the email address for the user is generated. Your options:
User principal name : Uses the full principal name as the email address, such as user1@contoso.com
or user1 .
Primary SMTP address : Uses the primary SMTP address to sign in to Exchange, such as
user1@contoso.com .

Security settings
SSL : Enable uses Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server. Disable doesn't require SSL, which allows the device to send its
credentials and mail content over an unencrypted connection.

Synchronization settings
Amount of email to synchronize : Choose the number of days of email that you want to synchronize.
When set to Not configured (default), Intune doesn't change or update this setting. Select Unlimited to
synchronize all available email.
Sync schedule : Select the schedule for devices to synchronize data from the Exchange server. You can also
select As Messages arrive , which synchronizes data as soon as it arrives. Or, select Manual so the device
user starts the synchronization.

Content sync settings


Content type to sync : Select the content types that you want to synchronize to devices:
Contacts : On syncs the contacts. Off doesn't automatically sync the contacts. Users manually sync.
Calendar : On syncs the calendar. Off doesn't automatically sync the calendar. Users manually sync.
Tasks : On syncs the tasks. Off doesn't automatically sync the tasks. Users manually sync.

Next steps
You can also configure the email settings on Android, Android Enterprise, iOS/iPadOS, and Windows 10.
Configure email settings in Intune.
Add VPN settings on Windows Phone 8.1 devices in
Microsoft Intune
3/5/2021 • 4 minutes to read

IMPORTANT
Windows 10 Mobile and Windows Phone 8.1 support has ended. Windows 10 Mobile and Windows Phone 8.1
enrollments will fail and related apps can no longer be added to Intune. These profile types are being removed from the
Intune UI. Devices currently enrolled will stop syncing with the Intune service.
Existing policies and profiles on these platforms are becoming read-only, and can't be changed. You can remove
assignments, and then delete the policies and profiles.
If Windows Phone 8.1 or Windows 10 Mobile are being used, we recommend moving to Windows 10 devices. Windows
10 has built-in security and device features that have a first class integration with Microsoft Intune.

This article shows you the Intune settings you can use to configure VPN connections on devices running
Windows Phone 8.1.
Depending on the settings you choose, not all values in the following list are configurable.

IMPORTANT
Windows Phone 8.1 VPN profiles are also applied to Windows 10 devices.

Before you begin


Create a VPN device configuration profile.

Base VPN settings


Connection name : Enter a name for this connection. Users see this name when they browse their device
for the list of available VPN connections.
Authentication method : Choose how devices authenticate to the VPN server from:
Certificates : Under Authentication certificate , choose a SCEP or PKCS certificate profile you
previously created to authenticate the connection. For more information about certificate profiles, see
How to configure certificates.
Username and password : End users must supply a username and password to log into the VPN
server.
Servers : Add one or more VPN servers that devices connect to.
Add : Opens the Add Row blade where you can specify the following information:
Description : Specify a descriptive name for the server like Contoso VPN server .
IP address or FQDN : Provide the IP address or fully qualified domain name of the VPN
server that devices connect to. Examples: 192.168.1.1 , vpn.contoso.com .
Default server : Enables this server as the default server that devices use to establish the
connection. Make sure to set only one server as the default.
Import : Browse to a comma-separated file with a list of servers in the format description, IP address
or FQDN, Default server. Choose OK to import these servers into the Servers list.
Export : Exports the list of servers to a comma-separated-values (csv) file.
Bypass VPN on company Wi-Fi network : Enable this option to specify that the VPN connections
aren't used when the device is connected to the company Wi-Fi network.
Bypass VPN on home Wi-Fi network : Enable this option to specify that the VPN connection isn't used
when the device is connected to a home Wi-Fi network.
Connection type : Select the VPN connection type. Your options:
Check Point Capsule VPN
SonicWall Mobile Connect
F5 Edge Client
Pulse Secure
Login group or domain (SonicWall Mobile Connect only): Specify the name of the login group or
domain that you want to connect to.
Role (Pulse Secure only): Specify the name of the user role that has access to this connection. A user role
defines personal settings and options, and it enables or disables certain access features.
Realm (Pulse Secure only): Specify the name of the authentication realm that you want to use. An
authentication realm is a grouping of authentication resources that the Pulse Secure connection type
uses.
DNS suffix search list : Add one or more DNS suffixes. Each DNS suffix that you specify is searched
when connecting to a website by using a short name. For example, if you specify the DNS suffixes
domain1.contoso.com and domain2.contoso.com and a user visits the URL http://mywebsite , the URLs
http://mywebsite.domain1.contoso.com and http://mywebsite.domain2.contoso.com are searched.

Custom XML : Specify any custom XML commands that configure the VPN connection.
Pulse Secure example :

<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>

CheckPoint Mobile VPN example :

<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

SonicWall Mobile Connect example :

<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging>
<packetCapture>False</packetCapture></MobileConnect>

F5 Edge Client example :

<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

For more information on writing custom XML commands, see the manufacturer's VPN documentation.
Split tunneling : Enable lets devices decide which connection to use depending on the traffic. For
example, a user in a hotel uses the VPN connection to access work files, but use the hotel's standard
network for regular web browsing. If you want all traffic to use the VPN tunnel when the VPN connection
is active, then set to Disable .
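The Servers import file, described above for this profile and in the same format for the Windows 8.1 VPN profile earlier on the page, is easy to get subtly wrong: a row with a malformed hostname, or two rows marked as the default server, is accepted by a text editor but breaks the profile's one-default rule. The following Python is an added example, not Intune's own import code. It parses a constructed sample file in the description, IP address or FQDN, Default server format, checks that each address is an IP literal or a syntactically valid FQDN, enforces that exactly one server is the default, and writes the list back out in the same format (what the Export button produces). The column order and the True/False spelling of the default flag are assumptions of this example; the article names the columns but not the flag's spelling.

```python
import csv
import io
import ipaddress
import re

# Constructed sample import file in the format the profile expects:
# description, IP address or FQDN, Default server
SAMPLE_SERVERS_CSV = """\
Contoso VPN server,vpn.contoso.com,True
Contoso backup,192.168.1.1,False
"""

# Syntactic FQDN check: dotted labels of 1-63 chars, no leading/trailing hyphen,
# alphabetic top-level label, 253 chars total.
_FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$")


def is_ip_or_fqdn(host):
    """True if host is an IPv4/IPv6 literal or a syntactically valid FQDN."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_FQDN_RE.match(host))


def parse_server_list(text):
    """Parse the import csv into server records and enforce the profile's rules."""
    servers = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 3:
            raise ValueError(f"line {lineno}: expected 3 columns, got {len(row)}")
        description, host, default = (cell.strip() for cell in row)
        if not description:
            raise ValueError(f"line {lineno}: empty description")
        if not is_ip_or_fqdn(host):
            raise ValueError(f"line {lineno}: {host!r} is not an IP address or FQDN")
        if default.lower() not in ("true", "false"):
            raise ValueError(f"line {lineno}: default server must be True or False")
        servers.append({"description": description, "address": host,
                        "default": default.lower() == "true"})
    defaults = [s for s in servers if s["default"]]
    if len(defaults) != 1:
        raise ValueError(f"exactly one default server is required, found {len(defaults)}")
    return servers


def export_server_list(servers):
    """Write the servers back out in the same three-column format."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for s in servers:
        writer.writerow([s["description"], s["address"], "True" if s["default"] else "False"])
    return out.getvalue()
```

A round trip through parse_server_list and export_server_list reproduces the sample file unchanged, which is a cheap way to confirm an edited list still satisfies the rules before importing it.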

Proxy settings
Automatically detect proxy settings : If your VPN server requires a proxy server for the connection,
specify whether you want devices to automatically detect the connection settings.
Automatic configuration script : Use a file to configure the proxy server. Enter the Proxy server URL (for
example http://proxy.contoso.com ) which contains the configuration file.
Use proxy server : Enable this option if you want to manually enter the proxy server settings.
Address : Enter the proxy server address (as an IP address).
Port number : Enter the port number associated with the proxy server.
Bypass proxy for local addresses : If your VPN server requires a proxy server for the connection, and you
don't want to use the proxy server for local addresses you enter, then select this option.

Next steps
Assign the profile, and monitor its status.
Configure VPN settings on Android, Android Enterprise, macOS, and Windows 10 devices.