You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: intune/intune-service/configuration/device-profiles.md
+4-6Lines changed: 4 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,7 +3,7 @@ title: Device features and settings in Microsoft Intune
3
3
description: Overview of the different Microsoft Intune device profiles. Get info on GPO, features, restrictions, email, wifi, VPN, education, certificates, upgrade Windows 10/11, BitLocker and Microsoft Defender, and custom device configuration settings in the Microsoft Intune admin center. Use these profiles to manage and protect data and devices in your company.
4
4
author: MandiOhlinger
5
5
ms.author: mandia
6
-
ms.date: 04/16/2025
6
+
ms.date: 10/14/2025
7
7
ms.topic: overview
8
8
ms.reviewer: mikedano
9
9
ms.collection:
@@ -206,13 +206,11 @@ This feature supports:
206
206
207
207
This feature supports:
208
208
209
-
- Windows 11 (single app kiosk only)
210
-
- Windows 10
209
+
- Windows
211
210
212
-
Kiosk settings also available as device restrictions for [Android](device-restrictions-android.md#kiosk), [Android Enterprise](device-restrictions-android-for-work.md) (Device experience), and [iOS/iPadOS](device-restrictions-ios.md#kiosk).
Kiosk settings also available as device restrictions for [Android](device-restrictions-android.md#kiosk), [Android Enterprise](device-restrictions-android-for-work.md) (Device experience), and [iOS/iPadOS](device-restrictions-ios.md#kiosk).
Copy file name to clipboardExpand all lines: intune/intune-service/configuration/device-restrictions-configure.md
+1-12Lines changed: 1 addition & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,7 +3,7 @@ title: Restrict devices features using policy in Microsoft Intune
3
3
description: Add a device configuration profile to restrict features on Android device administrator, Android Enterprise, AOSP, macOS, iOS, iPadOS, and Windows 10/11 client devices in Microsoft Intune.
4
4
author: MandiOhlinger
5
5
ms.author: mandia
6
-
ms.date: 08/19/2024
6
+
ms.date: 10/14/2025
7
7
ms.topic: how-to
8
8
ms.reviewer: mikedano
9
9
ms.collection:
@@ -13,8 +13,6 @@ ms.collection:
13
13
14
14
# Configure device restriction settings in Microsoft Intune
Intune includes device restriction policies that help administrators control Android, iOS/iPadOS, macOS, and Windows devices. These restrictions let you control a wide range of settings and features to protect your organization's resources. For example, admins can:
@@ -52,15 +50,9 @@ This article shows you how to create a device restrictions profile. You can also
-[Windows Holographic for Business](device-restrictions-windows-holographic.md)
81
70
82
71
8. Select **Next**.
83
72
9. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, like `US-NC IT Team` or `JohnGlenn_ITDepartment`. For information about scope tags, go to [Use RBAC and scope tags for distributed IT](../fundamentals/scope-tags.md).
Copy file name to clipboardExpand all lines: intune/intune-service/configuration/device-restrictions-windows-10-teams.md
+5-6Lines changed: 5 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,26 +3,25 @@ title: Surface Hub Windows 10 Team device restrictions in Microsoft Intune
3
3
description: Add or configure Surface Hub devices settings running Windows 10 Team. Add a wake-up screen, create a maintenance window, use Miracast, and more in Microsoft Intune.
4
4
author: MandiOhlinger
5
5
ms.author: mandia
6
-
ms.date: 04/15/2024
6
+
ms.date: 10/14/2025
7
7
ms.topic: reference
8
8
ms.reviewer: mikedano
9
+
ROBOTS: NOINDEX, NOFOLLOW
9
10
ms.collection:
10
11
- M365-identity-device-management
11
12
---
12
13
13
14
# Windows 10 Team settings to allow or restrict features on Surface Hub devices using Intune
This article describes some of the Microsoft Intune device restrictions settings that you can configure for Surface Hub devices running [Windows 10 Team](/surface-hub/differences-between-surface-hub-and-windows-10-enterprise).
This article describes some of the Microsoft Intune device restrictions settings that you can configure for Surface Hub devices running [Windows 10 Team](/surface-hub/differences-between-surface-hub-and-windows-10-enterprise).
20
+
23
21
## Before you begin
24
22
25
23
- Create a [Windows 10 Teams device restrictions configuration profile](device-restrictions-configure.md#create-the-profile).
Copy file name to clipboardExpand all lines: intune/intune-service/configuration/device-restrictions-windows-10.md
+7-8Lines changed: 7 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,7 +3,7 @@ title: Device restriction settings for Windows devices in Microsoft Intune
3
3
description: See a list of all the settings and their descriptions for creating device restrictions on Windows 10/11 client devices. Use these settings in a configuration profile to control screenshots, password requirements, kiosk settings, apps in the store, Microsoft Edge browser, Microsoft Defender, access to the cloud, start menu, and more in Microsoft Intune.
4
4
author: MandiOhlinger
5
5
ms.author: mandia
6
-
ms.date: 11/16/2023
6
+
ms.date: 10/14/2025
7
7
ms.topic: reference
8
8
ms.reviewer: mikedano
9
9
ms.collection:
@@ -202,7 +202,7 @@ These settings use the [EnterpriseCloudPrint policy CSP](/windows/client-managem
202
202
-**Gaming**: When set to **Block**, this setting:
203
203
204
204
- Prevents access to the **Settings** app > **Gaming** area on the device.
205
-
- On Windows 11 22H2 and later, it hides the **Settings** app > **System** > **Notifications** area on the device. Specifically, it adds the `ms-settings:quietmomentsgame` page to the [Settings/PageVisibilityList CSP](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist).
205
+
- On Windows 11, it hides the **Settings** app > **System** > **Notifications** area on the device. Specifically, it adds the `ms-settings:quietmomentsgame` page to the [Settings/PageVisibilityList CSP](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist).
206
206
207
207
When set to **Not configured** (default), Intune doesn't change or update this setting.
208
208
@@ -387,7 +387,7 @@ This device restrictions profile is directly related to the kiosk profile you cr
387
387
-**Hide Home button**: Hides the home button
388
388
-**Allow users to change home button**: **Yes** lets users change the home button. User changes override any administrator settings to the home button. **No** (default) blocks users from changing how the administrator configured the home button.
389
389
-**Show First Run Experience page (Mobile only)**: **Yes** (default) shows the first use introduction page in Microsoft Edge. **No** stops the introduction page from showing the first time you run Microsoft Edge. This feature allows enterprises, such as organizations enrolled in zero emissions configurations, to block this page.
390
-
-**First Run Experience URL list location** (Windows 10 Mobile only): Enter the URL that points to the XML file containing the first run page URL(s). For example, enter `https://www.contoso.com/sites.xml`.
390
+
-**First Run Experience URL list location**: Enter the URL that points to the XML file containing the first run page URL(s). For example, enter `https://www.contoso.com/sites.xml`.
391
391
392
392
-**Refresh browser after idle time**: Enter the number of idle minutes until the browser is refreshed, from 0-1440 minutes. Default is `5` minutes. When set to `0` (zero), the browser doesn't refresh after being idle.
393
393
@@ -662,10 +662,10 @@ For information about recent changes for Windows Telemetry, see [Changes to Wind
662
662
663
663
-**Share usage data**: Choose the level of diagnostic data that's submitted. Your options:
664
664
-**Not configured**: (default): Intune doesn't change or update this setting. No setting is forced. Users choose the level that's submitted. By default, the OS might not share any data.
665
-
-**Diagnostic data off**: (Not recommended). Review the *CSP System/AllowTelemetry* for details about this setting.
665
+
-**Diagnostic data off**: Not recommended.
666
666
-**Required**: Sends basic device information, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date.
667
-
-**Enhanced (1903 and earlier)**: Additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from the *Required* level. When this option is deployed to a device that runs Windows 1909 and later, the device is set to *Required*.
668
-
-**Optional**: All data necessary to identify and help to fix problems, plus data from the *Required* and *Enhanced* level.
667
+
-**Enhanced (1903 and earlier)**: Additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from the **Required** level. For newer OS versions, the device is set to **Required**.
668
+
-**Optional**: All data necessary to identify and help to fix problems, plus data from the **Required** and **Enhanced** level.
@@ -732,8 +732,7 @@ These settings use the [search policy CSP](/windows/client-management/mdm/policy
732
732
733
733
These settings use the [start policy CSP](/windows/client-management/mdm/policy-csp-start), which also lists the supported Windows editions.
734
734
735
-
> [!NOTE]
736
-
> Management capabilities to deliver customized Start and Taskbar experiences are currently limited on Windows 11. For more information, see [Supported configuration service provider (CSP) policies for Windows 11 Start menu](/windows/configuration/supported-csp-start-menu-layout-windows).
735
+
To learn more about the Windows CSPs available for the Start and Taskbar experiences, see [Supported configuration service provider (CSP) policies for Windows Start menu](/windows/configuration/supported-csp-start-menu-layout-windows).
737
736
738
737
-**Start menu layout**: Upload an XML file that includes your customizations, including the order the apps are listed, and more. The XML file overrides the default start layout. Users can't change the start menu layout you enter.
Copy file name to clipboardExpand all lines: intune/intune-service/configuration/esim-device-configuration-download-server.md
+9-7Lines changed: 9 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,7 +14,7 @@ ms.collection:
14
14
15
15
The identity of a cellular-enabled device, such as a Windows Connected PC, is typically encapsulated in a device called SIM (Subscriber Identity Module), and packaged as a discrete SIM card. Management of SIM cards for many devices can be costly and time-consuming. Therefore, Windows supports eSIM (embedded Subscriber Identity Module) technology as a digital alternative to discrete SIM cards.
16
16
17
-
Windows 11 provides more capabilities for the deployment and management of eSIM content using Mobile Device Management (MDM) services, like Microsoft Intune.
17
+
Windows provides more capabilities for the deployment and management of eSIM content using Mobile Device Management (MDM) services, like Microsoft Intune.
18
18
19
19
This feature applies to:
20
20
@@ -24,14 +24,11 @@ In Intune, you can bulk activate eSIM codes using the following options:
24
24
25
25
| Option | Platform support | Description |
26
26
| --- | --- | --- |
27
-
|**eSIM download server <br/>(this article)**|✅ Windows 11 (**recommended**) <br/><br/>❌ Windows 10 - Use [import activation codes using a CSV file](esim-device-configuration.md). | In a settings catalog policy, add your mobile operator's download server FQDN. The device contacts the download server, authenticates, and receives eSIM connection info. <br/><br/>No individual activation codes needed. |
28
-
|**[Import activation codes using a CSV file](esim-device-configuration.md)**|✅ Windows 11 (**supported, but not recommended**) - Use an eSIM download server instead<br/> <br/>✅ Windows 10 <br/>| In an eSIM policy, import one-time-use activation codes. The eSIM hardware uses the activation codes to contact the mobile operator, download the eSIM policy, and configure cellular activation. <br/><br/>Requires individual activation codes. |
27
+
|**eSIM download server <br/>(this article)**|:::image type="icon" source="../../media/icons/tables/check.svg" border="false"::: Windows 11 (**recommended**) <br/><br/>:::image type="icon" source="../../media/icons/tables/error.svg" border="false"::: Windows 10 - Use [import activation codes using a CSV file](esim-device-configuration.md). | In a settings catalog policy, add your mobile operator's download server FQDN. The device contacts the download server, authenticates, and receives eSIM connection info. <br/><br/>No individual activation codes needed. |
28
+
|**[Import activation codes using a CSV file](esim-device-configuration.md)**|:::image type="icon" source="../../media/icons/tables/check.svg" border="false"::: Windows 11 (**supported, but not recommended**) - Use an eSIM download server instead<br/> <br/>:::image type="icon" source="../../media/icons/tables/check.svg" border="false"::: Windows 10 <br/>| In an eSIM policy, import one-time-use activation codes. The eSIM hardware uses the activation codes to contact the mobile operator, download the eSIM policy, and configure cellular activation. <br/><br/>Requires individual activation codes. |
29
29
30
30
Using an Intune [settings catalog](settings-catalog.md) policy, you can add eSIM to your supported devices using an eSIM download server. This article gives more information about eSIM, describes the process, lists the prerequisites, and lists the steps to configure eSIM using the settings catalog.
eSIM technology created a worldwide ecosystem of cellular devices and mobile operators. It's based on a common specification from the Global System for Mobile Communications Association (GSMA). The adoption of eSIM technology continues to grow due to its incorporation in popular smart phones. Windows supports eSIM for PCs, and has supported eSIM since 2017.
@@ -56,7 +53,10 @@ Within Windows, the [eUICCs Configuration Service Provider (CSP)](/windows/clien
56
53
57
54
To deploy eSIM to your devices using Intune, you need the following prerequisites:
58
55
59
-
-**Windows 11** version 22H2 (Build 22621) or higher devices that are enrolled and MDM managed by Intune
56
+
-**Windows** devices that are enrolled and MDM managed by Intune. For information on the enrollment options for Windows devices, go to [Windows enrollment guide for Microsoft Intune](../fundamentals/deployment-guide-enrollment-windows.md).
Copy file name to clipboardExpand all lines: intune/intune-service/configuration/esim-device-configuration.md
+6-6Lines changed: 6 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -25,8 +25,8 @@ In Intune, you can bulk activate eSIM codes using the following options:
25
25
26
26
| Option | Platform support | Description |
27
27
| --- | --- | --- |
28
-
|**Import activation codes using a CSV file <br/> (this article)**|✅ Windows 11 (**supported, but not recommended**) - [Use an eSIM download server](esim-device-configuration-download-server.md) instead<br/> <br/>✅ Windows 10 <br/>| In an eSIM policy, import one-time-use activation codes. The eSIM hardware uses the activation codes to contact the mobile operator, download the eSIM policy, and configure cellular activation. <br/><br/>Requires individual activation codes given to you by the mobile operator. |
29
-
|**[eSIM download server](esim-device-configuration-download-server.md)**|✅ Windows 11 (**recommended**) <br/><br/>❌ Windows 10 | In a settings catalog policy, add your mobile operator's download server FQDN. The device contacts the download server, authenticates, and receives eSIM connection info. <br/><br/>No individual activation codes needed. |
28
+
|**Import activation codes using a CSV file <br/> (this article)**|:::image type="icon" source="../../media/icons/tables/check.svg" border="false"::: Windows 11 (**supported, but not recommended**) - [Use an eSIM download server](esim-device-configuration-download-server.md) instead<br/> <br/>:::image type="icon" source="../../media/icons/tables/check.svg" border="false"::: Windows 10 <br/>| In an eSIM policy, import one-time-use activation codes. The eSIM hardware uses the activation codes to contact the mobile operator, download the eSIM policy, and configure cellular activation. <br/><br/>Requires individual activation codes given to you by the mobile operator. |
29
+
|**[eSIM download server](esim-device-configuration-download-server.md)**|:::image type="icon" source="../../media/icons/tables/check.svg" border="false"::: Windows 11 (**recommended**) <br/><br/>:::image type="icon" source="../../media/icons/tables/error.svg" border="false"::: Windows 10 | In a settings catalog policy, add your mobile operator's download server FQDN. The device contacts the download server, authenticates, and receives eSIM connection info. <br/><br/>No individual activation codes needed. |
30
30
31
31
This article describes how to import the activation codes in bulk, and then deploy these codes to your eSIM-capable devices. This feature is in [public preview](../fundamentals/public-preview.md).
32
32
@@ -35,16 +35,16 @@ This article describes how to import the activation codes in bulk, and then depl
35
35
36
36
## Prerequisites
37
37
38
-
To deploy eSIM to your devices using Intune, the following are needed:
38
+
To deploy eSIM to your devices using Intune, you need the following prerequisites:
39
39
40
-
-**eSIM capable devices**, like the Surface LTE. To determine if your Windows device supports eSIM, go to [Use an eSIM to get a cellular data connection on your Windows PC](https://support.microsoft.com/help/4020763/windows-10-use-esim-for-cellular-data). If you're unsure if your devices support eSIM, then you can also contact your device manufacturer.
41
-
- A Windows device
40
+
-**Windows** devices that are enrolled and MDM managed by Intune. For information on the enrollment options for Windows devices, go to [Windows enrollment guide for Microsoft Intune](../fundamentals/deployment-guide-enrollment-windows.md).
-**eSIM capable devices**, like the Surface LTE. To determine if your Windows device supports eSIM, go to [Use an eSIM to get a cellular data connection on your Windows PC](https://support.microsoft.com/help/4020763/windows-10-use-esim-for-cellular-data). If you're unsure if your devices support eSIM, then you can also contact your device manufacturer.
46
+
46
47
-**Activation codes** provided by your mobile operator. These one time-use activation codes are added to Intune, and deployed to your eSIM capable devices. Contact your mobile operator to acquire eSIM activation codes.
47
-
- The device must be enrolled and MDM managed by Intune. For information on the enrollment options for Windows devices, go to [Windows enrollment guide for Microsoft Intune](../fundamentals/deployment-guide-enrollment-windows.md).
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments