Device features and settings in Microsoft Intune (2023)

Important

On October 22, 2022, Microsoft Intune is ending support for devices running Windows 8.1. After that date, technical assistance and automatic updates on these devices won't be available. For more information, go to Plan for Change: Ending support for Windows 8.1.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11 devices. Microsoft Intune has built-in security and device features that manage Windows 10/11 client devices. For more information, go to End of support for Windows 7 and Windows 8.1.

Microsoft Intune includes settings and features you can enable or disable on different devices within your organization. These settings and features are added to "configuration profiles". You can create profiles for different devices and different platforms, including iOS/iPadOS, Android device administrator, Android Enterprise, and Windows. Then, use Intune to apply or "assign" the profile to the devices.

As part of your mobile device management (MDM) solution, use these configuration profiles to complete different tasks. Intune has many templates that include groups of settings that are specific to a feature, such as certificates, VPN, email, and more.

Some profile examples include:

  • On Windows 10/11 devices, use a profile template that blocks ActiveX controls in Internet Explorer.
  • On iOS/iPadOS and macOS devices, allow users to use AirPrint printers in your organization.
  • Allow or prevent access to Bluetooth on the device.
  • Create a WiFi or VPN profile that gives different devices access to your corporate network.
  • Manage software updates, including when they're installed.
  • Run an Android device as a dedicated kiosk device that can run one app, or run many apps.

This article gives an overview of the different types of profiles you can create. Use these profiles to allow or prevent some features on the devices.

Administrative templates and Group policy

Administrative templates include hundreds of settings that you can configure for Internet Explorer, Microsoft Edge, OneDrive, remote desktop, Word, Excel, and other Office programs. These templates give administrators a simplified view of settings similar to group policy, and they're 100% cloud-based.

Group Policy analytics analyzes your on-premises GPOs, and shows which policy settings are supported, deprecated, and more.

This feature supports:

  • Windows 11
  • Windows 10

Certificates

Certificates configure trusted, SCEP, and PKCS certificates that are assigned to devices. These certificates authenticate WiFi, VPN, and email profiles.

This feature supports:

  • Android device administrator
  • Android (AOSP)
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10
  • Windows 8.1

Custom profile

Custom settings let administrators assign device settings that aren't built in to Intune. On Android devices, you can enter OMA-URI values. For iOS/iPadOS devices, you can import a configuration file you created in the Apple Configurator.

This feature supports:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10

Delivery optimization

Delivery optimization provides a better experience for delivering software updates. These settings are replacing the Software Updates > Windows 10 update ring settings.

Use these settings to control how software updates are downloaded to devices in your organization. For example, you can let users get their own updates, or get updates using the delivery optimization cloud services in a device profile.

This feature supports:

  • Windows 11
  • Windows 10

Derived credential

Derived credentials are certificates on smart cards that can authenticate, sign, and encrypt. In Intune, you can create profiles with these credentials to use in apps, email profiles, connecting to VPN, S/MIME, and Wi-Fi.

This feature supports:

  • Android Enterprise
  • iOS/iPadOS

Device features

Device features controls features on iOS/iPadOS and macOS devices, such as AirPrint, notifications, and lock screen messages.

This feature supports:

  • iOS/iPadOS
  • macOS

Device firmware configuration interface

Device firmware configuration interface (DFCI) allows administrators to enable or disable UEFI (BIOS) settings using Intune. Use these settings to enhance security at the firmware level, which is typically more resilient to malicious attacks.

This feature supports:

  • Windows 11 on supported firmware
  • Windows 10 1809 and newer on supported firmware

Device restrictions

Device restrictions controls security, hardware, data sharing, and more settings on the devices. For example, create a device restriction profile that prevents iOS/iPadOS device users from using the device camera.

This feature supports:

  • Android device administrator
  • Android (AOSP)
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10
  • Windows 10 Team

Domain join

Domain join configures on-premises Active Directory domain information. This information is deployed to hybrid Azure AD joined devices when provisioned using Windows Autopilot and Intune. This profile tells devices which domain and OU to join.

This feature supports:

  • Windows 11
  • Windows 10

Edition upgrade and mode switch

Windows 10/11 edition upgrade automatically upgrades devices that run some versions of Windows client to a newer edition.

This feature supports:

  • Windows 11
  • Windows 10

Education

Education settings - Windows 10 configures options for the Windows Take a Test app. When you configure these options, no other apps can run on the device until the test is complete.

Education settings - iOS/iPadOS uses the iOS/iPadOS Classroom app to guide learning, and control student devices in the classroom. You can configure iPad devices so many students can share a single device.

Email

Email settings creates, assigns, and monitors Exchange ActiveSync email settings on the devices. Email profiles help with consistency, reduce support calls, and let end-users access company email on their personal devices, without any required setup on their part.

This feature supports:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • Windows 11
  • Windows 10

Endpoint protection

Endpoint protection configures BitLocker and Microsoft Defender settings for Windows client devices. On macOS devices, you can also configure the firewall, gateway, and other resources.

To onboard Microsoft Defender for Endpoint with Microsoft Intune, see Configure endpoints using Mobile Device Management (MDM) tools.

This feature supports:

  • macOS
  • Windows 11
  • Windows 10

eSIM cellular - Public preview

eSIM cellular profiles let administrators configure cellular data plans on your managed devices for internet and data access. After getting activation codes from your mobile operator, use Intune to import these activation codes, and then assign them to your eSIM-capable devices.

This feature supports:

  • Windows 11
  • Windows 10 Fall Creators Update and newer

Extensions

macOS system extensions and kernel extensions allow administrators to add features or programs that extend the native capabilities of the operating system. Configure these settings to trust all extensions from a specific developer or partner, or allow specific extensions.

This feature supports:

  • macOS

Identity protection

Identity protection controls the Windows Hello for Business experience on Windows client devices. Configure these settings to make Windows Hello for Business available to users and devices, and to specify requirements for device PINs and gestures.

This feature supports:

  • Windows 11
  • Windows 10
  • Windows Holographic for Business

Kiosk

Kiosk settings profile configures a device to run one app, or run many apps. You can also customize other features on your kiosk, including a start menu and a web browser.

This feature supports:

  • Windows 11 (single app kiosk only)
  • Windows 10

Kiosk settings are also available as device restrictions for Android, Android Enterprise, and iOS/iPadOS.

MX profile (Zebra)

Mobility extensions (MX) expand on the built-in Intune settings to customize or add more settings specific to Zebra devices. Zebra devices are commonly used on factory floors, and retail environments. If you have hundreds or thousands of Zebra devices, you can use Intune to configure and manage these devices.

This feature supports:

  • Android device administrator

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint integrates with Intune to monitor and help protect devices. You set risk levels, and determine what happens if devices exceed that level. When combined with conditional access, you can help prevent malicious activity in your organization.

This feature supports:

  • Windows 11
  • Windows 10

Network boundary

Network boundary creates a list of sites that are trusted by your organization. This feature is used with Microsoft Defender Application Guard and Microsoft Edge to help protect your devices.

This feature supports:

  • Windows 11
  • Windows 10

OEMConfig

On Android Enterprise devices, OEMConfig is a standard. It allows OEMs (original equipment manufacturers) and EMMs (enterprise mobility management) to build and support OEM-specific features in a standardized way. With OEMConfig, an OEM creates a schema that defines OEM-specific management features, and embeds it in an app uploaded to Google Play. Intune reads the schema from the app, and allows Intune administrators to configure the settings in the schema.

This feature supports:

  • Android Enterprise (OEMConfig)

PowerShell scripts

PowerShell scripts use the Intune Management Extension to upload your PowerShell scripts in Intune, and then run these scripts on your devices. Also see what's required to use the extension, how to add them to Intune, and other important information.

This feature supports:

  • Windows 11
  • Windows 10

Preference file

Preference files on macOS devices include information about apps. For example, you can use preference files to control web browser settings, customize apps, and more.

This feature supports:

  • macOS

Tip

macOS settings are continually being added to the settings catalog. Some of these settings can replace preference files. For more information, go to Tasks you can complete using the Settings Catalog in Intune.

Settings catalog

The settings catalog lists the settings you can configure. It's not a template, or a logical grouping of settings.

On Windows, there are thousands of settings available, including many settings not found in the templates. When you want a complete list of all the settings, use the settings catalog to create your policy. If you want to use a logical grouping of settings, then continue to use the templates.

On macOS, you can configure Microsoft Edge version 77 and newer using the settings catalog. In your policy, you configure individual settings. It doesn't require a preference file.

This feature supports:

  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10

Shared multi-user device

Windows 10/11 and Windows Holographic for Business include settings to manage devices with multiple users. These devices are known as shared devices, or shared PCs. When a user signs in to the device, you choose if the user can change the sleep options, or save files on the device. In another example, to save space, you can create a profile that deletes inactive credentials from Windows HoloLens devices.

These shared multi-user device settings allow administrators to control some of the device features, and manage these shared devices using Intune.

This feature supports:

  • Windows 11
  • Windows 10
  • Windows Holographic for Business

Update policies

iOS/iPadOS update policies shows you how to create and assign iOS/iPadOS policies to install software updates on your iOS/iPadOS devices. You can also review the installation status.

For update policies on Windows devices, see Delivery optimization.

This feature supports:

  • iOS/iPadOS

VPN

VPN settings assigns VPN profiles to users and devices in your organization, so they can easily and securely connect to the network.

Virtual private networks (VPNs) give users secure remote access to your company network. Devices use a VPN connection profile to start a connection with your VPN server.

This feature supports:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10
  • Windows 8.1

Wi-Fi

Wi-Fi settings assigns wireless network settings to users and devices. When you assign a WiFi profile, users get access to your corporate WiFi without having to configure it themselves.

This feature supports:

  • Android device administrator
  • Android (AOSP)
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 11
  • Windows 10
  • Windows 8.1 (import only)

Windows health monitoring

Windows health monitoring lets event data from your devices be collected, and then analyzed by Endpoint Analytics. You can use this data to get insights on your Windows devices, including software updates and startup performance.

This feature supports:

  • Windows 11
  • Windows 10

Wired networks

Wired networks let you create and manage 802.1x wired connections for macOS and Windows desktop computers and devices. In your profile, you choose the network interface, select the accepted EAP types, and enter the server trust settings, including PKCS and SCEP certificates.

When you assign the profile, users get access to your corporate wired network without having to configure it themselves.

This feature supports:

  • macOS
  • Windows 11
  • Windows 10

Zebra Mobility Extensions (MX)

Zebra Mobility Extensions (MX) allows administrators to use and manage Zebra devices in Intune. You create StageNow profiles with your settings, and then use Intune to assign and deploy these profiles to your Zebra devices. The "StageNow logs and common issues" article is a great resource to troubleshoot profiles, and see some potential issues when using StageNow.

This feature supports:

  • Android device administrator (Mobility Extensions)

Manage and troubleshoot

Manage your profiles to check the status of devices, and the profiles assigned. Also help resolve conflicts by seeing the settings that cause a conflict, and the profiles that include these settings. Common issues and resolutions helps administrators work with profiles. It describes what happens when deleting a profile, what causes notifications to be sent to devices, and more.

Next steps

Choose a profile, and get started.

FAQs

What are the features of Microsoft Intune? ›

Intune simplifies app management with a built-in app experience, including app deployment, updates, and removal. You can connect to and distribute apps from your private app stores, enable Microsoft 365 apps, deploy Win32 apps, create app protection policies, and manage access to apps and their data.

How are the settings that you assign to devices and apps contained within Intune? ›

Microsoft Intune includes settings and features you can enable or disable on different devices within your organization. These settings and features are added to "configuration profiles" and then you can use Intune to apply or "assign" the profile to the devices.

What can be managed in device settings? ›

Devices is the second section listed in the Settings app, and it's the place to manage all your connected devices, including printers, Bluetooth, mice, and keyboards.

How many devices can Intune manage? ›

The Azure Maximum number of devices per user setting is set to 3. The Intune Device limit setting is set to 5.

How does Intune communicate with devices? ›

Users "enroll" their devices, and use certificates to communicate with Intune. As an IT administrator, you push apps on devices, restrict devices to a specific operating system, block personal devices, and more. If a device is ever lost or stolen, you can also remove all data from the device.

Where is device restriction settings in Intune? ›

Profile: Select Device restrictions. Or, select Templates > Device restrictions. To create a device restrictions profile for Windows 10 Team devices, such as Surface Hub, then choose Device restrictions (Windows 10 Team).

What are the 4 things a user can do using Device Manager? ›

Once Device Manager is open, you can view device status, update device drivers, enable or disable devices or do hardware management.

What can device management See? ›

MDM software collects various hardware and software information on devices, which helps companies monitor and track company-owned and BYOD devices. You can, for example, view ownership information, installed configurations and applications, warranty and security status, and current location, among other data.

What are the 3 types of profiles? ›

Profile Type Comparisons: Mandatory, Local, & Roaming.

What happens if a device is not compliant in Intune? ›

The result of this default is that when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliant, Azure Active Directory (AD) Conditional Access can block the device.

How often do Devices check into Intune? ›

By default, Intune devices check in every 8 hours. If Last check in is more than 24 hours, there may be an issue with the device. A device that can't check in can't receive your policies from Intune.

Can Intune track devices? ›

Your organization can't see your personal information when you enroll a device in Microsoft Intune. Enrolling your device makes certain information, such as device model and serial number, visible to IT administrators and support people with administrator access.

Is Intune license per user or device? ›

Device-only licenses

Microsoft Intune offers a device-only subscription service that helps organizations manage devices that aren't affiliated with specific users. You can purchase device licenses based on your estimated usage.

How do you sync all devices on Intune? ›

Sign in to the Microsoft Endpoint Manager admin center. Select Devices > All devices. In the list of devices you manage, select a device to open its Overview pane, and then select Sync. To confirm, select Yes.

How do you check if your device are MDM? ›

You can see if you have them on your Android phone by navigating to Settings -> General and scroll down to Profiles & Device Management. On a Samsung phone, navigate to Settings > Biometrics & Security > Other Security Settings > Device Admin Apps.

Can Intune track phone location? ›

Intune admins can't see phone call history, web surfing history, location information (except for iOS 9.3 and later devices when the device is in Lost Mode), email and text messages, contacts, passwords, calendar, and camera roll.

What are device restrictions? ›

A device restrictions setting includes its name and description, and the applications, content settings, security and privacy settings, device functionality settings, iCloud settings, and game center settings that will be enabled or disabled on the provisioned device.

Can Intune access Internet history? ›

Intune doesn't collect nor allow an Admin to see the following data: An end users' calling or web browsing history. Personal email. Text messages.

Can Intune detect whether a device is jailbroken? ›

Intune can't guarantee that each significant location change results in a jailbreak detection check, as the check depends on a device's network connection at the time.

Can Intune see what apps are installed? ›

Intune discovered apps is a list of detected apps on the Intune enrolled devices in your tenant. It acts as a software inventory for your tenant. Discovered apps is a separate report from the app installation reports. For personal devices, Intune never collects information on applications that are unmanaged.

What is device setting? ›

The primary purpose of the Device Settings section is to configure the devices based on existing business rules.

Where are the device settings? ›

Android 12 & higher

To open your device's Settings app, swipe down twice from the top of the screen.

How do I find out what devices are in my settings? ›

Check your phone's settings

Go to the Settings or Options menu, scroll to the bottom of the list, and check 'About phone', 'About device' or similar. The device name and model number should be listed.

Can my manager see my computer activity? ›

Conclusion: Your Boss Can Legally Monitor Any Activity on a Work Computer or a Work Network. As you now know, your boss can monitor almost anything you do during the day - whether you're working remotely or have returned to the office.

Can MDM profile see browsing history? ›

Can MDM track browsing history? No, not generally. Most MDM solutions only track and monitor the apps installed on a device, not its web browsing history.

Can an MDM see my messages? ›

Your technology team will not have access to your texts, emails or any other personal messages. Some MDMs will collect general inventory information, such as number of contacts, number of messages, etc., but this will depend on the solution and on your organization.

What is the role of Intune? ›

Intune Role Administrator: Manages custom Intune roles and adds assignments for built-in Intune roles. It's the only Intune role that can assign permissions to Administrators. Cloud PC Administrator: A Cloud PC Administrator has read and write access to all Cloud PC features located within the Cloud PC blade.

What is the purpose of the Intune company portal? ›

Microsoft Intune helps organizations manage access to their internal apps, data, and resources. Intune Company Portal is the app that lets you, as an employee or student in your organization, securely access those resources. The app is available for desktop (Windows and macOS) and mobile (Android and iOS) devices.

Can Intune see my browsing history? ›

Intune doesn't collect nor allow an Admin to see the following data: An end users' calling or web browsing history. Personal email. Text messages.

What is the difference between Azure and Intune? ›

Azure Active Directory (Azure AD) is a universal identity management platform that incorporates user credentials and strong authentication policies to safeguard your company's data, while Microsoft Intune provides cloud-based mobile device management (MDM) and mobile application management (MAM).

Which two tasks can be performed by using Intune? ›

Microsoft Intune, a cloud-based tool, part of Microsoft's Enterprise Mobility + Security Suite (EMS), performs Mobile Device Management (MDM) as well as Mobile Application Management (MAM) to protect data on mobile devices.

Can Intune track your location? ›

Location. Corporate-owned device: Your organization can view the location of a lost device. Personal device: Your organization can't view the location of a personal device.

Can Intune wipe a personal device? ›

Wiping a device

Sign in to the Microsoft Endpoint Manager admin center. Select Devices > All devices. Select the name of the device that you want to wipe. In the pane that shows the device name, select Wipe.

Can my company see what I do on my personal phone? ›

If you have a cell phone that your company issued, your employer may have the right to monitor those text messages. However, in general, the law does not allow an employer to monitor text conversations on an employee's personal cell phone.

Does Intune track user activity? ›

The Microsoft Azure portal for Intune provides you with information about user sign-in activities (including usage of managed applications) and audit logs (information about users, group management, your managed applications, and directory activities) through reporting.

Does Intune use VPN? ›

You can add and configure VPN connections for devices using Microsoft Intune. This article describes some of the settings and features you can configure when creating virtual private networks (VPNs). These VPN settings are used in device configuration profiles, and then pushed or deployed to devices.

What replaced Microsoft Intune? ›

Microsoft Intune still exists -- both in name and product -- and is now part of MEM. Even as part of Microsoft Endpoint Manager, IT administrators can still use Intune as a separate management platform for mobile device management (MDM) and unified endpoint management (UEM).

Can Intune work without Azure AD? ›

@lalajee No, if you want to use Intune, it is needed to connect to Azure AD.

Article information

Author: Nathanael Baumbach

Last Updated: 10/29/2022
