Device features and settings in Microsoft Intune (2023)


Important

On October 22, 2022, Microsoft Intune is ending support for devices running Windows 8.1. After that date, technical assistance and automatic updates on these devices won't be available. For more information, go to Plan for Change: Ending support for Windows 8.1.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11 devices. Microsoft Intune has built-in security and device features that manage Windows 10/11 client devices. For more information, go to End of support for Windows 7 and Windows 8.1.

Microsoft Intune includes settings and features you can enable or disable on different devices within your organization. These settings and features are added to "configuration profiles". You can create profiles for different devices and different platforms, including iOS/iPadOS, Android device administrator, Android Enterprise, and Windows. Then, use Intune to apply or "assign" the profile to the devices.

As part of your mobile device management (MDM) solution, use these configuration profiles to complete different tasks. Intune has many templates that include groups of settings that are specific to a feature, such as certificates, VPN, email, and more.

Some profile examples include:

  • On Windows 10/11 devices, use a profile template that blocks ActiveX controls in Internet Explorer.
  • On iOS/iPadOS and macOS devices, allow users to use AirPrint printers in your organization.
  • Allow or prevent access to Bluetooth on the device.
  • Create a Wi-Fi or VPN profile that gives different devices access to your corporate network.
  • Manage software updates, including when they're installed.
  • Run an Android device as a dedicated kiosk device that can run one app, or run many apps.

This article gives an overview of the different types of profiles you can create. Use these profiles to allow or prevent some features on the devices.

Administrative templates and Group policy

Administrative templates include hundreds of settings that you can configure for Internet Explorer, Microsoft Edge, OneDrive, remote desktop, Word, Excel, and other Office programs. These templates give administrators a simplified view of settings similar to group policy, and they're 100% cloud-based.

Group Policy analytics analyzes your on-premises GPOs, and shows which policy settings are supported, deprecated, and more.

This feature supports:

  • Windows 11
  • Windows 10

Certificates

Certificates configure trusted, SCEP, and PKCS certificates that are assigned to devices. These certificates authenticate WiFi, VPN, and email profiles.

This feature supports:

  • Android device administrator
  • Android (AOSP)
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10
  • Windows 8.1

Custom profile

Custom settings let administrators assign device settings that aren't built in to Intune. On Android devices, you can enter OMA-URI values. For iOS/iPadOS devices, you can import a configuration file you created in the Apple Configurator.

This feature supports:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10

Delivery optimization

Delivery optimization provides a better experience for delivering software updates. These settings are replacing the Software Updates > Windows 10 update ring settings.

Use these settings to control how software updates are downloaded to devices in your organization. For example, you can let users get their own updates, or get updates using the delivery optimization cloud services in a device profile.

This feature supports:

  • Windows 11
  • Windows 10

Derived credential

Derived credentials are certificates on smart cards that can authenticate, sign, and encrypt. In Intune, you can create profiles with these credentials to use in apps, email profiles, connecting to VPN, S/MIME, and Wi-Fi.

This feature supports:

  • Android Enterprise
  • iOS/iPadOS

Device features

Device features controls features on iOS/iPadOS and macOS devices, such as AirPrint, notifications, and lock screen messages.

This feature supports:

  • iOS/iPadOS
  • macOS

Device firmware configuration interface

Device firmware configuration interface (DFCI) allows administrators to enable or disable UEFI (BIOS) settings using Intune. Use these settings to enhance security at the firmware level, which is typically more resilient to malicious attacks.

This feature supports:

  • Windows 11 on supported firmware
  • Windows 10 1809 and newer on supported firmware

Device restrictions

Device restrictions controls security, hardware, data sharing, and more settings on the devices. For example, create a device restriction profile that prevents iOS/iPadOS device users from using the device camera.

This feature supports:

  • Android device administrator
  • Android (AOSP)
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10
  • Windows 10 Team

Domain join

Domain join configures on-premises Active Directory domain information. This information is deployed to hybrid Azure AD joined devices when provisioned using Windows Autopilot and Intune. This profile tells devices which domain and OU to join.

This feature supports:

  • Windows 11
  • Windows 10

Edition upgrade and mode switch

Windows 10/11 edition upgrades automatically upgrade devices that run some versions of Windows client to a newer edition.

This feature supports:

  • Windows 11
  • Windows 10

Education

Education settings - Windows 10 configures options for the Windows Take a Test app. When you configure these options, no other apps can run on the device until the test is complete.

Education settings - iOS/iPadOS uses the iOS/iPadOS Classroom app to guide learning, and control student devices in the classroom. You can configure iPad devices so many students can share a single device.

Email

Email settings creates, assigns, and monitors Exchange ActiveSync email settings on the devices. Email profiles help with consistency, reduce support calls, and let end-users access company email on their personal devices, without any required setup on their part.

This feature supports:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • Windows 11
  • Windows 10

Endpoint protection

Endpoint protection configures BitLocker and Microsoft Defender settings for Windows client devices. On macOS devices, you can also configure the firewall, gateway, and other resources.

To onboard Microsoft Defender for Endpoint with Microsoft Intune, see Configure endpoints using Mobile Device Management (MDM) tools.

This feature supports:

  • macOS
  • Windows 11
  • Windows 10

eSIM cellular - Public preview

eSIM cellular profiles let administrators configure cellular data plans on your managed devices for internet and data access. After getting activation codes from your mobile operator, use Intune to import these activation codes, and then assign them to your eSIM capable devices.

This feature supports:

  • Windows 11
  • Windows 10 Fall Creators Update and newer

Extensions

macOS system extensions and kernel extensions allow administrators to add features or programs that extend the native capabilities of the operating system. Configure these settings to trust all extensions from a specific developer or partner, or allow specific extensions.

This feature supports:

  • macOS

Identity protection

Identity protection controls the Windows Hello for Business experience on Windows client devices. Configure these settings to make Windows Hello for Business available to users and devices, and to specify requirements for device PINs and gestures.

This feature supports:

  • Windows 11
  • Windows 10
  • Windows Holographic for Business

Kiosk

Kiosk settings profile configures a device to run one app, or run many apps. You can also customize other features on your kiosk, including a start menu and a web browser.

This feature supports:

  • Windows 11 (single app kiosk only)
  • Windows 10

Kiosk settings are also available as device restrictions for Android, Android Enterprise, and iOS/iPadOS.

MX profile (Zebra)

Mobility extensions (MX) expand on the built-in Intune settings to customize or add more settings specific to Zebra devices. Zebra devices are commonly used on factory floors, and retail environments. If you have hundreds or thousands of Zebra devices, you can use Intune to configure and manage these devices.

This feature supports:

  • Android device administrator

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint integrates with Intune to monitor and help protect devices. You set risk levels, and determine what happens if devices exceed that level. When combined with conditional access, you can help prevent malicious activity in your organization.

This feature supports:

  • Windows 11
  • Windows 10

Network boundary

Network boundary creates a list of sites that are trusted by your organization. This feature is used with Microsoft Defender Application Guard and Microsoft Edge to help protect your devices.

This feature supports:

  • Windows 11
  • Windows 10

OEMConfig

On Android Enterprise devices, OEMConfig is a standard. It allows OEMs (original equipment manufacturers) and EMMs (enterprise mobility management) to build and support OEM-specific features in a standardized way. With OEMConfig, an OEM creates a schema that defines OEM-specific management features, and embeds it in an app uploaded to Google Play. Intune reads the schema from the app, and allows Intune administrators to configure the settings in the schema.

This feature supports:

  • Android Enterprise (OEMConfig)

PowerShell scripts

PowerShell scripts use the Intune Management Extension to upload your PowerShell scripts in Intune, and then run these scripts on your devices. Also see what's required to use the extension, how to add them to Intune, and other important information.

This feature supports:

  • Windows 11
  • Windows 10

Preference file

Preference files on macOS devices include information about apps. For example, you can use preference files to control web browser settings, customize apps, and more.

This feature supports:

  • macOS

Tip

macOS settings are continually being added to the settings catalog. Some of these settings can replace preference files. For more information, go to Tasks you can complete using the Settings Catalog in Intune.

Settings catalog

The settings catalog lists the settings you can configure. It's not a template, or a logical grouping of settings.

On Windows, there are thousands of settings available, including many settings not found in the templates. When you want a complete list of all the settings, use the settings catalog to create your policy. If you want to use a logical grouping of settings, then continue to use the templates.

On macOS, you can configure Microsoft Edge version 77 and newer using the settings catalog. In your policy, you configure individual settings. It doesn't require a preference file.

This feature supports:

  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10

Shared multi-user device

Windows 10/11 and Windows Holographic for Business include settings to manage devices with multiple users. These devices are known as shared devices, or shared PCs. When a user signs in to the device, you choose if the user can change the sleep options, or save files on the device. In another example, to save space, you can create a profile that deletes inactive credentials from Windows HoloLens devices.

These shared multi-user device settings allow administrators to control some of the device features, and manage these shared devices using Intune.

This feature supports:

  • Windows 11
  • Windows 10
  • Windows Holographic for Business

Update policies

iOS/iPadOS update policies shows you how to create and assign iOS/iPadOS policies to install software updates on your iOS/iPadOS devices. You can also review the installation status.

For update policies on Windows devices, see Delivery optimization.

This feature supports:

  • iOS/iPadOS

VPN

VPN settings assigns VPN profiles to users and devices in your organization, so they can easily and securely connect to the network.

Virtual private networks (VPNs) give users secure remote access to your company network. Devices use a VPN connection profile to start a connection with your VPN server.

This feature supports:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10
  • Windows 8.1

Wi-Fi

Wi-Fi settings assigns wireless network settings to users and devices. When you assign a Wi-Fi profile, users get access to your corporate Wi-Fi without having to configure it themselves.

This feature supports:

  • Android device administrator
  • Android (AOSP)
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10
  • Windows 8.1 (import only)

Windows health monitoring

Windows health monitoring lets your event data be collected, and then analyzed by Endpoint Analytics. You can use this data to get insights on your Windows devices, including software updates and startup performance.

This feature supports:

  • Windows 11
  • Windows 10

Wired networks

Wired networks let you create and manage 802.1x wired connections for macOS and Windows desktop computers and devices. In your profile, you choose the network interface, select the accepted EAP types, and enter the server trust settings, including PKCS and SCEP certificates.

When you assign the profile, users get access to your corporate wired network without having to configure it themselves.

This feature supports:

  • macOS
  • Windows 11
  • Windows 10

Zebra Mobility Extensions (MX)

Zebra Mobility Extensions (MX) allows administrators to use and manage Zebra devices in Intune. You create StageNow profiles with your settings, and then use Intune to assign and deploy these profiles to your Zebra devices. The StageNow logs and common issues is a great resource to troubleshoot profiles, and see some potential issues when using StageNow.

This feature supports:

  • Android device administrator (Mobility Extensions)

Manage and troubleshoot

Manage your profiles to check the status of devices, and the profiles assigned. Also help resolve conflicts by seeing the settings that cause a conflict, and the profiles that include these settings. Common issues and resolutions helps administrators work with profiles. It describes what happens when deleting a profile, what causes notifications to be sent to devices, and more.

Next steps

Choose a profile, and get started.

FAQs

What are the features of Microsoft Intune?

Intune simplifies app management with a built-in app experience, including app deployment, updates, and removal. You can connect to and distribute apps from your private app stores, enable Microsoft 365 apps, deploy Win32 apps, create app protection policies, and manage access to apps and their data.

How are the settings that you assign to devices and apps contained within Intune?

Microsoft Intune includes settings and features you can enable or disable on different devices within your organization. These settings and features are added to "configuration profiles" and then you can use Intune to apply or "assign" the profile to the devices.

What can be managed in device settings?

Devices is the second section listed in the Settings app, and it's the place to manage all your connected devices, including printers, Bluetooth, mice, and keyboards.

How many devices can Intune manage?

The Azure Maximum number of devices per user setting is set to 3. The Intune Device limit setting is set to 5.

How does Intune communicate with devices?

Users "enroll" their devices, and use certificates to communicate with Intune. As an IT administrator, you push apps on devices, restrict devices to a specific operating system, block personal devices, and more. If a device is ever lost or stolen, you can also remove all data from the device.

How do I verify device settings in Intune?

  1. Open the Company Portal app for Android on your device.
  2. Tap Devices and then select your device.
  3. Under Device Settings Status, tap Check device settings. ...
  4. After the check, your device settings status will either read, In Compliance or Not in Compliance.

What is the difference between devices and users in Intune?

Use device groups when you don't care who's signed in on the device, or if anyone is signed in. You want your settings to always be on the device. For users: Profile settings applied to user groups always go with the user, and go with the user when signed in to their many devices.

Where are the device restriction settings in Intune?

Profile: Select Device restrictions. Or, select Templates > Device restrictions. To create a device restrictions profile for Windows 10 Team devices, such as Surface Hub, then choose Device restrictions (Windows 10 Team).

What is the role of Intune?

Intune Role Administrator: Manages custom Intune roles and adds assignments for built-in Intune roles. It's the only Intune role that can assign permissions to Administrators. Cloud PC Administrator: A Cloud PC Administrator has read and write access to all Cloud PC features located within the Cloud PC blade.

What is the purpose of the Intune company portal?

Microsoft Intune helps organizations manage access to their internal apps, data, and resources. Intune Company Portal is the app that lets you, as an employee or student in your organization, securely access those resources. The app is available for desktop (Windows and macOS) and mobile (Android and iOS) devices.

Can Intune see my browsing history?

Intune doesn't collect nor allow an Admin to see the following data: An end users' calling or web browsing history. Personal email. Text messages.

What is the difference between Azure and Intune?

Azure Active Directory (Azure AD) is a universal identity management platform that incorporates user credentials and strong authentication policies to safeguard your company's data, while Microsoft Intune provides cloud-based mobile device management (MDM) and mobile application management (MAM).

Article information

Author: Chrissy Homenick

Last Updated: 04/14/2023