Intune configuration restriction policies are an important part of a modern device management strategy. An Intune device restriction policy is a set of security settings applied to your Windows 10 CYOD devices. As part of your organization’s security policies, you may need to lock down mobile devices or Windows devices that have access to corporate data and apps. Intune configuration restriction policies help you lock down Windows devices according to your organization’s security requirements.
Create Intune Device Restriction Policy for Windows 10 Devices
You can create an Intune device restriction policy for Windows 10 from Microsoft Intune – Device Configuration – Profiles – Create New Profile. I selected Windows 10 as the platform; selecting the right platform is very important. You also need to select the profile type while creating the Intune configuration restriction policy; in my scenario, it’s Device restriction policy. The name of the policy is “Windows 10 CYOD Restrictions”.
The out-of-box settings of the Intune device restriction policy for the Windows platform are segregated into 16 sections, as you can see below. This list is very comprehensive, and we can lock down Windows 10 machines as per the requirement. Is this Intune device restriction policy a replacement for group policies? No, it’s still not a replacement for AD group policies.
- Locked screen experience
- App Store
- Edge Browser
- Cloud and Storage
- Cellular and Connectivity
- Control Panel and Settings
- Defender Exclusions
- Network proxy
- Windows Spotlight
Deploy Windows 10 Intune Device Restriction Policy
You can deploy the Windows 10 Intune Device Restriction Policy to either a Windows 10 CYOD dynamic device group or a Windows 10 user group. Dynamic device groups are still in preview, and those types of groups are not very stable at times. So, at least for the next two months, I will prefer to deploy policies to user groups rather than dynamic device groups.
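The same create-and-assign steps can also be scripted against Microsoft Graph, which makes the policy repeatable and reviewable. The script below is an added example, not part of the original post: it assumes the Microsoft.Graph.Authentication PowerShell module and an account allowed to manage Intune configuration, and the group ID is a placeholder to replace with your own user group's object ID.

```powershell
# Added example (not from the original post). -Apply needs the
# Microsoft.Graph.Authentication module; without -Apply nothing is sent.
param(
    [string] $UserGroupId = '00000000-0000-0000-0000-000000000000', # placeholder group object ID
    [bool]   $BlockTimeChange = $true,   # $false lets users change the system time again
    [switch] $Apply                      # omit to only print the request bodies
)

$base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
$name = 'Windows 10 CYOD Restrictions'   # policy name used in the post

# Windows 10 device restriction profiles are windows10GeneralConfiguration objects.
$policy = @{
    '@odata.type'                 = '#microsoft.graph.windows10GeneralConfiguration'
    displayName                   = $name
    settingsBlockChangeSystemTime = $BlockTimeChange
} | ConvertTo-Json

# Target a user group, as the post prefers over dynamic device groups.
$assign = @{
    assignments = @(@{
        target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $UserGroupId
        }
    })
} | ConvertTo-Json -Depth 5

if (-not $Apply) {
    "Policy body:`n$policy"
    "Assignment body:`n$assign"
    return
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

# Update the profile if one with this name already exists (first page of results
# only), otherwise create it, so a changed setting does not produce a duplicate.
$existing = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
    Where-Object { $_.displayName -eq $name } | Select-Object -First 1
if ($existing) {
    $id = $existing.id
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$id" -Body $policy -ContentType 'application/json'
} else {
    $id = (Invoke-MgGraphRequest -Method POST -Uri $base -Body $policy -ContentType 'application/json').id
}
# The assign action replaces the profile's current assignments with this list.
Invoke-MgGraphRequest -Method POST -Uri "$base/$id/assign" -Body $assign -ContentType 'application/json' | Out-Null
"Profile $id assigned to group $UserGroupId (settingsBlockChangeSystemTime = $BlockTimeChange)"
```

Run it without `-Apply` first to review the two request bodies; re-running with `-BlockTimeChange $false -Apply` updates the existing profile rather than creating a second one.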
Windows 10 End user experience of Intune Device Restriction Policy
As you can see in the video tutorial at the top of this post or here, I’ve enabled the option to disable time settings as part of the initial Windows 10 device restriction policy. The end user logged in to the Windows 10 machine can’t change the time on the system. After that, I changed the Windows time setting policy again, and after the new policy was applied, the user was able to change the time on the Windows 10 system.
Windows 10 and later device restriction settings in Microsoft Intune HERE