There are many policies in Intune that can be combined to create the desired state. These policies are used to apply configuration settings to user or device groups, including device restrictions, software updates, and many more.
Device policies should be appropriately named, prefixed with the LA or School number to identify who it belongs to and what it does. They have scope tags applied so only the appropriate administrators can see and edit them.
These policies comprise of rules and settings that devices must meet to be considered compliant, such as specifying that a device must have a minimum version of an OS with the firewall and up-to-date antivirus enabled.
A compliance policy is required for every device type – Windows, iPad and Mac. Without a compliance policy, the device will also be marked as non-compliant. Non-compliant devices may have limited access to company resources, and depending on the actions set in the policy, can be locked or retired.
It is the responsibility of the local authority (or school) to decide on the requirements for compliancy and configure appropriate policies.
These policies manage features and settings on devices, including device restrictions (such as disabling access to the camera), app configurations (such as automatically moving known folders for OneDrive on Windows devices), deploying Wi-Fi connections, and many more.
It is recommended to create a new configuration profile for ‘unrelated’ settings – for example, settings for OneDrive could all go in the same profile but a setting to change the wallpaper should go in a separate one. This creates a greater flexibility when applying settings to multiple groups with different requirements.
Information
Although settings in a configuration profile are inherited there is no sense of precedence, so if a setting is applied to the same group with differing values, then a conflict will occur. Conflicts can be investigated through the Monitor menu in Intune.
In Intune for Education, device settings can be applied by going into 'Groups', selecting the target group from the hierarchy, and toggling the desired controls.
Intune for Education offers a simplified subset of settings for both Windows and iOS devices, but more comprehensive settings can be configured for new or existing policies in Intune.
Changing device setting in Intune for Education will cause inheritance to break, and the screen will show a message to indicate this. This results in a new profile being created in Intune and the group added the excluded assignment in the parent group assignment
A policy set is a grouping of policies, apps, and configuration profiles. Instead of assigning individual policies and apps to multiple device/user groups, a policy set enables you to select many different objects and assign them all once from a single place. A policy set can be amended as your needs change, adding or removing items and assignments, rather than having to update each individual policy or app. This streamlines assigning a standard set of configuration items to multiple schools, such as primary school settings, and makes it easier to review and manage the assignments.
Intune provides 3 settings to release and maintain Windows updates through the Windows Update for Business (WUfB) service, which help keep devices up-to-date and secure across the site.
Update Rings are used to control how and when Windows Updates looks for and updates the devices with any missing quality and feature updates.
You can Pause, Uninstall or Delete this policy.
Pause will prevent devices from receiving updates for up to 35 days. The policy will resume after this period or can be manually resumed at any time before then.
Uninstall will roll back the latest feature or quality update.
Delete will stop enforcement of settings from the update ring by removing the policy from Intune so it no longer applies. However, this does not modify any settings on the device that the policy has already applied to.
You can also use update rings to upgrade eligible Windows 10 devices to Windows 11 by enabling the 'Upgrade Windows 10 devices to Latest Windows 11 release' toggle. If you later decide to change this to 'No', then any device already on Windows 11 or in the process of upgrading will continue to do so. Also, a prerequisite of using this feature is having Telemetry switched on, which can be set in the Device restriction policy under Reporting and Telemetry. Make sure the 'Share usage data setting' is set to at least 'Required'.
Feature Updates are used to control which version of Windows you would like the devices to be set at to prevent it from updating to a newer release. This setting works with the Update Rings policy to ensure that devices do not receive a version that’s later than what is specified. Multiple policies can be created to target different groups of devices for purposes such as keeping devices on a previous version whilst testing a new version on another group of devices.
Devices will not install or update to a newer version of Windows past what is set in this policy. For example, if there is a 24H1 release and you have the policy set to 23H2, devices will remain at 23H2. You must amend the policy to the newer version to allowing updating.
Quality Updates are useful to quickly release security updates to your devices without having to wait for the device to check in for updates. This is independent of other update policies, ignoring any deferrals, and is useful for expediting weekly patches or critical updates for a zero-day flaw.
A quality update will only apply if the version of Windows currently installed is less than what is selected in the policy, meaning any device that already has this or a later version applied does not get the update again.
Only the last 3 quality updates are available, differentiated by date to allow you to make sure the correct release is applied. Although these updates apply to all versions of Windows 10 or later, for ease of selection, they will only install the corresponding updates for the version of Windows installed on the device. For example, if a device is on Windows 11 22H2, only quality updates for 22H2 will be applied.
Use this policy with caution as devices will be forced to install with no prior warning to end users.
These policies utilise WUfB to identify appropriate drivers for the devices they are applied to. There are two options for a driver update policy:
Manually approve and deploy driver updates – recommended drivers need to be reviewed and approved before they are installed. This must be done for any new drivers, including those superseding already approved ones.
Automatically approve all recommended driver updates – automatically installs all recommended drivers. Any newer versions of the drivers are automatically installed.
A prerequisite of using this feature is having Telemetry switched on, which can be set in the Device restriction policy under Reporting and Telemetry. Make sure the 'Share usage data setting' is set to at least 'Required'.
Apple update policies
Update policies are available for enrolled iOS/iPadOS and MacOS devices. You can create a policy to specify which updates should be installed and when (at next check-in, or during/outside of a scheduled period).
MacOS update policies These can be used to specify what action to take with each type of update, rather than which version. For instance, you could choose to install critical updates immediately (ignoring the schedule) but only download firmware so the user can install at their convenience. Manage macOS software update policies in Intune | Microsoft Learn
For devices running MacOS 14 or iPadOS 17, and later, declarative device management (DDM) can also be used to specify update settings. This allows specific update versions to be set for both MacOS and iPadOS devices, but cannot be used to automatically install the latest update (it has to be set by its version number). Managed software updates with the settings catalog | Microsoft Learn
Information
When deploying software updates to a shared iPad, it will not install until the device is plugged in to a power source and no users are signed in.
Scripts
Further configurations can be applied to devices using scripts.
For Windows, Intune can deploy Powershell scripts. Once the script has run, it’s not executed again unless there is a change in the script. If the script fails, Intune re-tries up to 3 times. Powershell scripts can also be used for remediation, which detects a specified state and re-applies the script if that state is false. Use PowerShell scripts on Windows 10/11 devices in Intune | Microsoft Learn
To set a device name by policy, you can use OMA-URI settings in a custom policy. This allows a naming template to be specified as the DNS hostname of the device, up to 63 characters.
The OMA-URI setting for this is ./DevDetail/Ext/Microsoft/DNSComputerName.
To apply the same naming template to all devices in a school, target this policy on the school devices group. Alternatively, multiple policies can be assigned to different device groups to set different naming conventions, which may be useful to distinguish teacher and student devices, for example.
There are a limited number of macros available for use in this policy to generate a device name. We recommend using %SERIAL% (which presents the device’s serial number) as it is unique. You can not specify an exact name, or anything that requires a sequence such as asset tags – these can be set manually on each device in Intune or in the devices Autopilot record.
Administrators can be easily added to the local administrators group (or any local user group) on devices through Intune > Endpoint Security > Account Protection.
We recommend using the existing Intune Admins group for local device administrators, but you can also create a new user group in the User Management Portal to add select admins.
Only one account protection policy can be applied per local user group. Assigning multiple policies does not combine the settings and will fail.
We recommend creating a policy to configure OneDrive client settings. This creates a better experience for the end user.
Recommended settings are:
silently move Windows known folders to OneDrive
silently sign in users to the OneDrive sync app with their Windows credentials
use OneDrive Files On-Demand
Microsoft 365 apps come preinstalled on Windows 11 SE and uses user-based subscription activation by default.
We recommend this is changed to leverage the device-based licensing available for Intune managed devices using the Settings Catalog:
Microsoft Office 2016 (Machine) > Use a device-based license for Office 365 Proplus = Enabled
Shared devices and devices with user affinity can take advantage of the single sign-on capability through use of the Microsoft Enterprise SSO plug-in for Apple Devices.
This relies on the Microsoft Authenticator app being installed on the device although it doesn’t have to be used. When a user logs on to an iPad with the SSO extension configured, they will then need to log into a Microsoft app once, and other apps will then log in automatically.
Logging into an iPad with an Apple Id does not automatically log into non-Apple products such as Office as these use the EntraID account, even though the username is same.
For certain scenarios, you could consider locking down your Windows devices into a 'kiosk' type mode using Assigned Access.
Assigned Access allows you to lock the device into a single app (kiosk mode) or restrict access to specified apps (user restricted experience), which can easily be configured using Intune policies.
Providing a restricted user experience can be useful in many situations, where users only need access to a limited amount of applications without having to configure complex App Locker or WDAC policies. You can also combine this with other policies, such as removing accessing to search or the OneDrive client, to further restrict the experience and lock down the device.
