Deploying a basic device restrictions configuration profile
Aim: Understanding how to deploy a basic device restrictions configuration profile for Windows devices using Microsoft Intune
Intune configuration profiles contain groups of policy settings, organized by functionality. These settings allow administrators to control a wide range of Windows user and device settings such as:
- Allow or block the device camera.
- Control access to app store and device settings.
- Allow or prevent backing up files to cloud and storage accounts.
- Set a minimum password length, and block simple passwords.
- Configuring the task bar and Start menu layout.
Windows device and user settings can be deployed from Intune in a few different ways. The simplest method is to use the wizard-based configuration profiles based on templates for common settings.
To deploy a configuration profile, choose the appropriate platform and select a template (for example “device restrictions”) then configure the appropriate settings (such as blocking simple passwords) and finally assign the profile to a security group. Windows devices that are members of that security group will pick up the settings the next time the device syncs with Intune. Note that some settings are irreversible once downloaded to the device, so you are advised to test the combination of settings you want to apply to a given device before releasing those changes into production. If the combination of settings produces unwanted behaviour on your test devices, simply change the settings in Intune, reinstall Windows on those test devices and re-enrol them for further testing.
Intune configuration profiles such as device restrictions profiles are deployed to Windows using the new Configuration Service Provider (CSP) model. Intune payloads based on the CSP model are similar to Group Policy client-side extensions (CSE) but unfortunately there is not a one-to-one correlation between CSP and CSE settings, which means you can’t “lift and shift” your existing settings from Group Policy Objects directly to Intune.