Merge pull request #18942 from MicrosoftDocs/main

[AutoPublish] main to live - 10/14 19:52 PDT | 10/15 08:22 IST

Author: m365-skilling-repo-management[bot]

intune/intune-service/configuration/device-profiles.md

@@ -3,7 +3,7 @@ title: Device features and settings in Microsoft Intune
 description: Overview of the different Microsoft Intune device profiles. Get info on GPO, features, restrictions, email, wifi, VPN, education, certificates, upgrade Windows 10/11, BitLocker and Microsoft Defender, and custom device configuration settings in the Microsoft Intune admin center. Use these profiles to manage and protect data and devices in your company.
 author: MandiOhlinger
 ms.author: mandia
-ms.date: 04/16/2025
+ms.date: 10/14/2025
 ms.topic: overview
 ms.reviewer: mikedano
 ms.collection:
@@ -206,13 +206,11 @@ This feature supports:
 
 This feature supports:
 
-- Windows 11 (single app kiosk only)
-- Windows 10
+- Windows
 
-Kiosk settings also available as device restrictions for [Android](device-restrictions-android.md#kiosk), [Android Enterprise](device-restrictions-android-for-work.md) (Device experience), and [iOS/iPadOS](device-restrictions-ios.md#kiosk).
+  Windows 11 supports single app kiosk only.
 
-> [!IMPORTANT]
-> [!INCLUDE [windows-10-support](../includes/windows-10-support.md)]
+Kiosk settings also available as device restrictions for [Android](device-restrictions-android.md#kiosk), [Android Enterprise](device-restrictions-android-for-work.md) (Device experience), and [iOS/iPadOS](device-restrictions-ios.md#kiosk).
 
 ## MX profile (Zebra)
 

intune/intune-service/configuration/device-restrictions-configure.md

@@ -3,7 +3,7 @@ title: Restrict devices features using policy in Microsoft Intune
 description: Add a device configuration profile to restrict features on Android device administrator, Android Enterprise, AOSP, macOS, iOS, iPadOS, and Windows 10/11 client devices in Microsoft Intune.
 author: MandiOhlinger
 ms.author: mandia
-ms.date: 08/19/2024
+ms.date: 10/14/2025
 ms.topic: how-to
 ms.reviewer: mikedano
 ms.collection:
@@ -13,8 +13,6 @@ ms.collection:
 
 # Configure device restriction settings in Microsoft Intune
 
-[!INCLUDE [windows-phone-81-windows-10-mobile-support](../includes/windows-phone-81-windows-10-mobile-support.md)]
-
 [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
 
 Intune includes device restriction policies that help administrators control Android, iOS/iPadOS, macOS, and Windows devices. These restrictions let you control a wide range of settings and features to protect your organization's resources. For example, admins can:
@@ -52,15 +50,9 @@ This article shows you how to create a device restrictions profile. You can also
         - **iOS/iPadOS**
         - **macOS**
         - **Windows 10 and later**
-        - **Windows 8.1 and later**
 
     - **Profile type**: Select **Device restrictions**. Or, select **Templates** > **Device restrictions**.
 
-      To create a device restrictions profile for Windows Team devices, like Surface Hub, then select **Device restrictions (Windows 10 Team)**.
-
-      > [!IMPORTANT]
-      > [!INCLUDE [windows-10-support](../includes/windows-10-support.md)]
-
 4. Select **Create**.
 5. In **Basics**, enter the following properties:
 
@@ -74,10 +66,7 @@ This article shows you how to create a device restrictions profile. You can also
     - [Android](device-restrictions-android-for-work.md)
     - [iOS/iPadOS](device-restrictions-ios.md)
     - [macOS](device-restrictions-macos.md)
-    - [Windows 8.1](device-restrictions-windows-8-1.md)
     - [Windows](device-restrictions-windows-10.md)
-    - [Windows 10 Team](device-restrictions-windows-10-teams.md)
-    - [Windows Holographic for Business](device-restrictions-windows-holographic.md)
 
 8. Select **Next**.
 9. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, like `US-NC IT Team` or `JohnGlenn_ITDepartment`. For information about scope tags, go to [Use RBAC and scope tags for distributed IT](../fundamentals/scope-tags.md).

intune/intune-service/configuration/device-restrictions-windows-10-teams.md

@@ -3,26 +3,25 @@ title: Surface Hub Windows 10 Team device restrictions in Microsoft Intune
 description: Add or configure Surface Hub devices settings running Windows 10 Team. Add a wake-up screen, create a maintenance window, use Miracast, and more in Microsoft Intune.
 author: MandiOhlinger
 ms.author: mandia
-ms.date: 04/15/2024
+ms.date: 10/14/2025
 ms.topic: reference
 ms.reviewer: mikedano
+ROBOTS: NOINDEX, NOFOLLOW
 ms.collection:
 - M365-identity-device-management
 ---
 
 # Windows 10 Team settings to allow or restrict features on Surface Hub devices using Intune
 
-> [!NOTE]
-> [!INCLUDE [not-all-settings-are-documented](../includes/not-all-settings-are-documented.md)]
-
-This article describes some of the Microsoft Intune device restrictions settings that you can configure for Surface Hub devices running [Windows 10 Team](/surface-hub/differences-between-surface-hub-and-windows-10-enterprise).
-
 > [!IMPORTANT]
 > [!INCLUDE [windows-10-support](../includes/windows-10-support.md)]
 
+This article describes some of the Microsoft Intune device restrictions settings that you can configure for Surface Hub devices running [Windows 10 Team](/surface-hub/differences-between-surface-hub-and-windows-10-enterprise).
+
 ## Before you begin
 
 - Create a [Windows 10 Teams device restrictions configuration profile](device-restrictions-configure.md#create-the-profile).
+- [!INCLUDE [not-all-settings-are-documented](../includes/not-all-settings-are-documented.md)]
 
 ## Apps and experience
 

intune/intune-service/configuration/device-restrictions-windows-10.md

@@ -3,7 +3,7 @@ title: Device restriction settings for Windows devices in Microsoft Intune
 description: See a list of all the settings and their descriptions for creating device restrictions on Windows 10/11 client devices. Use these settings in a configuration profile to control screenshots, password requirements, kiosk settings, apps in the store, Microsoft Edge browser, Microsoft Defender, access to the cloud, start menu, and more in Microsoft Intune.
 author: MandiOhlinger
 ms.author: mandia
-ms.date: 11/16/2023
+ms.date: 10/14/2025
 ms.topic: reference
 ms.reviewer: mikedano
 ms.collection:
@@ -202,7 +202,7 @@ These settings use the [EnterpriseCloudPrint policy CSP](/windows/client-managem
   - **Gaming**: When set to **Block**, this setting:
 
     - Prevents access to the **Settings** app > **Gaming** area on the device.
-    - On Windows 11 22H2 and later, it hides the **Settings** app > **System** > **Notifications** area on the device. Specifically, it adds the `ms-settings:quietmomentsgame` page to the [Settings/PageVisibilityList CSP](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist).
+    - On Windows 11, it hides the **Settings** app > **System** > **Notifications** area on the device. Specifically, it adds the `ms-settings:quietmomentsgame` page to the [Settings/PageVisibilityList CSP](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist).
 
     When set to **Not configured** (default), Intune doesn't change or update this setting.
 
@@ -387,7 +387,7 @@ This device restrictions profile is directly related to the kiosk profile you cr
   - **Hide Home button**: Hides the home button
 - **Allow users to change home button**: **Yes** lets users change the home button. User changes override any administrator settings to the home button.​ **No** (default) blocks users from changing how the administrator configured the home button.
 - **Show First Run Experience page (Mobile only)**: **Yes** (default) shows the first use introduction page in Microsoft Edge. **No** stops the introduction page from showing the first time you run Microsoft Edge. This feature allows enterprises, such as organizations enrolled in zero emissions configurations, to block this page.
-- **First Run Experience URL list location** (Windows 10 Mobile only): Enter the URL that points to the XML file containing the first run page URL(s). For example, enter `https://www.contoso.com/sites.xml`.
+- **First Run Experience URL list location**: Enter the URL that points to the XML file containing the first run page URL(s). For example, enter `https://www.contoso.com/sites.xml`.
 
 - **Refresh browser after idle time**: Enter the number of idle minutes until the browser is refreshed, from 0-1440 minutes. Default is `5` minutes. When set to `0` (zero), the browser doesn't refresh after being idle.
 
@@ -662,10 +662,10 @@ For information about recent changes for Windows Telemetry, see [Changes to Wind
 
 - **Share usage data**: Choose the level of diagnostic data that's submitted. Your options:
   - **Not configured**: (default): Intune doesn't change or update this setting. No setting is forced. Users choose the level that's submitted. By default, the OS might not share any data.
-  - **Diagnostic data off**: (Not recommended). Review the *CSP System/AllowTelemetry* for details about this setting.
+  - **Diagnostic data off**: Not recommended.
   - **Required**: Sends basic device information, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date.
-  - **Enhanced (1903 and earlier)**: Additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from the *Required* level. When this option is deployed to a device that runs Windows 1909 and later, the device is set to *Required*.
-  - **Optional**: All data necessary to identify and help to fix problems, plus data from the *Required* and *Enhanced* level.
+  - **Enhanced (1903 and earlier)**: Additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from the **Required** level. For newer OS versions, the device is set to **Required**.
+  - **Optional**: All data necessary to identify and help to fix problems, plus data from the **Required** and **Enhanced** level.
 
   [System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
 
@@ -732,8 +732,7 @@ These settings use the [search policy CSP](/windows/client-management/mdm/policy
 
 These settings use the [start policy CSP](/windows/client-management/mdm/policy-csp-start), which also lists the supported Windows editions.
 
-> [!NOTE]
-> Management capabilities to deliver customized Start and Taskbar experiences are currently limited on Windows 11. For more information, see [Supported configuration service provider (CSP) policies for Windows 11 Start menu](/windows/configuration/supported-csp-start-menu-layout-windows).
+To learn more about the Windows CSPs available for the Start and Taskbar experiences, see [Supported configuration service provider (CSP) policies for Windows Start menu](/windows/configuration/supported-csp-start-menu-layout-windows).
 
 - **Start menu layout**: Upload an XML file that includes your customizations, including the order the apps are listed, and more. The XML file overrides the default start layout. Users can't change the start menu layout you enter.
 

intune/intune-service/configuration/esim-device-configuration-download-server.md

@@ -14,7 +14,7 @@ ms.collection:
 
 The identity of a cellular-enabled device, such as a Windows Connected PC, is typically encapsulated in a device called SIM (Subscriber Identity Module), and packaged as a discrete SIM card. Management of SIM cards for many devices can be costly and time-consuming. Therefore, Windows supports eSIM (embedded Subscriber Identity Module) technology as a digital alternative to discrete SIM cards.
 
-Windows 11 provides more capabilities for the deployment and management of eSIM content using Mobile Device Management (MDM) services, like Microsoft Intune.
+Windows provides more capabilities for the deployment and management of eSIM content using Mobile Device Management (MDM) services, like Microsoft Intune.
 
 This feature applies to:
 
@@ -24,14 +24,11 @@ In Intune, you can bulk activate eSIM codes using the following options:
 
 | Option | Platform support | Description |
 | --- | --- | --- |
-| **eSIM download server <br/>(this article)** | ✅ Windows 11 (**recommended**) <br/><br/>❌  Windows 10 - Use [import activation codes using a CSV file](esim-device-configuration.md). | In a settings catalog policy, add your mobile operator's download server FQDN. The device contacts the download server, authenticates, and receives eSIM connection info. <br/><br/>No individual activation codes needed. |
-| **[Import activation codes using a CSV file](esim-device-configuration.md)** | ✅ Windows 11 (**supported, but not recommended**) - Use an eSIM download server instead<br/> <br/>✅ Windows 10 <br/>| In an eSIM policy, import one-time-use activation codes. The eSIM hardware uses the activation codes to contact the mobile operator, download the eSIM policy, and configure cellular activation. <br/><br/>Requires individual activation codes. |
+| **eSIM download server <br/>(this article)** | :::image type="icon" source="../../media/icons/tables/check.svg" border="false"::: Windows 11 (**recommended**) <br/><br/>:::image type="icon" source="../../media/icons/tables/error.svg" border="false":::  Windows 10 - Use [import activation codes using a CSV file](esim-device-configuration.md). | In a settings catalog policy, add your mobile operator's download server FQDN. The device contacts the download server, authenticates, and receives eSIM connection info. <br/><br/>No individual activation codes needed. |
+| **[Import activation codes using a CSV file](esim-device-configuration.md)** | :::image type="icon" source="../../media/icons/tables/check.svg" border="false"::: Windows 11 (**supported, but not recommended**) - Use an eSIM download server instead<br/> <br/>:::image type="icon" source="../../media/icons/tables/check.svg" border="false"::: Windows 10 <br/>| In an eSIM policy, import one-time-use activation codes. The eSIM hardware uses the activation codes to contact the mobile operator, download the eSIM policy, and configure cellular activation. <br/><br/>Requires individual activation codes. |
 
 Using an Intune [settings catalog](settings-catalog.md) policy, you can add eSIM to your supported devices using an eSIM download server. This article gives more information about eSIM, describes the process, lists the prerequisites, and lists the steps to configure eSIM using the settings catalog.
 
-> [!IMPORTANT]
-> [!INCLUDE [windows-10-support](../includes/windows-10-support.md)]
-
 ## About eSIM technology
 
 eSIM technology created a worldwide ecosystem of cellular devices and mobile operators. It's based on a common specification from the Global System for Mobile Communications Association (GSMA). The adoption of eSIM technology continues to grow due to its incorporation in popular smart phones. Windows supports eSIM for PCs, and has supported eSIM since 2017.
@@ -56,7 +53,10 @@ Within Windows, the [eUICCs Configuration Service Provider (CSP)](/windows/clien
 
 To deploy eSIM to your devices using Intune, you need the following prerequisites:
 
-- **Windows 11** version 22H2 (Build 22621) or higher devices that are enrolled and MDM managed by Intune
+- **Windows** devices that are enrolled and MDM managed by Intune. For information on the enrollment options for Windows devices, go to [Windows enrollment guide for Microsoft Intune](../fundamentals/deployment-guide-enrollment-windows.md).
+
+  > [!IMPORTANT]
+  > [!INCLUDE [windows-10-support](../includes/windows-10-support.md)]
 
 - **eSIM capable devices**, like the [Surface Pro 9 with 5G](https://www.microsoft.com/surface/business/surface-pro-9)
 
@@ -78,6 +78,8 @@ To deploy eSIM to your devices using Intune, you need the following prerequisite
 
   You don't need the individual activation codes.
 
+- [!INCLUDE [minimum-rbac-role-policy-profile-manager](../includes/minimum-rbac-role-policy-profile-manager.md)]
+
 ## Process flow
 
 :::image type="content" source="./media/esim-device-configuration/esim-download-server-process.png" alt-text="Process flow for eSIM bulk activation via download server.":::

intune/intune-service/configuration/esim-device-configuration.md

@@ -25,8 +25,8 @@ In Intune, you can bulk activate eSIM codes using the following options:
 
 | Option | Platform support | Description |
 | --- | --- | --- |
-| **Import activation codes using a CSV file <br/> (this article)** | ✅ Windows 11 (**supported, but not recommended**) - [Use an eSIM download server](esim-device-configuration-download-server.md) instead<br/> <br/>✅ Windows 10 <br/>| In an eSIM policy, import one-time-use activation codes. The eSIM hardware uses the activation codes to contact the mobile operator, download the eSIM policy, and configure cellular activation. <br/><br/>Requires individual activation codes given to you by the mobile operator. |
-| **[eSIM download server](esim-device-configuration-download-server.md)** | ✅ Windows 11 (**recommended**) <br/><br/>❌  Windows 10 | In a settings catalog policy, add your mobile operator's download server FQDN. The device contacts the download server, authenticates, and receives eSIM connection info. <br/><br/>No individual activation codes needed. |
+| **Import activation codes using a CSV file <br/> (this article)** | :::image type="icon" source="../../media/icons/tables/check.svg" border="false"::: Windows 11 (**supported, but not recommended**) - [Use an eSIM download server](esim-device-configuration-download-server.md) instead<br/> <br/>:::image type="icon" source="../../media/icons/tables/check.svg" border="false"::: Windows 10 <br/>| In an eSIM policy, import one-time-use activation codes. The eSIM hardware uses the activation codes to contact the mobile operator, download the eSIM policy, and configure cellular activation. <br/><br/>Requires individual activation codes given to you by the mobile operator. |
+| **[eSIM download server](esim-device-configuration-download-server.md)** | :::image type="icon" source="../../media/icons/tables/check.svg" border="false"::: Windows 11 (**recommended**) <br/><br/>:::image type="icon" source="../../media/icons/tables/error.svg" border="false":::  Windows 10 | In a settings catalog policy, add your mobile operator's download server FQDN. The device contacts the download server, authenticates, and receives eSIM connection info. <br/><br/>No individual activation codes needed. |
 
 This article describes how to import the activation codes in bulk, and then deploy these codes to your eSIM-capable devices. This feature is in [public preview](../fundamentals/public-preview.md).
 
@@ -35,16 +35,16 @@ This article describes how to import the activation codes in bulk, and then depl
 
 ## Prerequisites
 
-To deploy eSIM to your devices using Intune, the following are needed:
+To deploy eSIM to your devices using Intune, you need the following prerequisites:
 
-- **eSIM capable devices**, like the Surface LTE. To determine if your Windows device supports eSIM, go to [Use an eSIM to get a cellular data connection on your Windows PC](https://support.microsoft.com/help/4020763/windows-10-use-esim-for-cellular-data). If you're unsure if your devices support eSIM, then you can also contact your device manufacturer.
-- A Windows device
+- **Windows** devices that are enrolled and MDM managed by Intune. For information on the enrollment options for Windows devices, go to [Windows enrollment guide for Microsoft Intune](../fundamentals/deployment-guide-enrollment-windows.md).
 
   > [!IMPORTANT]
   > [!INCLUDE [windows-10-support](../includes/windows-10-support.md)]
 
+- **eSIM capable devices**, like the Surface LTE. To determine if your Windows device supports eSIM, go to [Use an eSIM to get a cellular data connection on your Windows PC](https://support.microsoft.com/help/4020763/windows-10-use-esim-for-cellular-data). If you're unsure if your devices support eSIM, then you can also contact your device manufacturer.
+
 - **Activation codes** provided by your mobile operator. These one time-use activation codes are added to Intune, and deployed to your eSIM capable devices. Contact your mobile operator to acquire eSIM activation codes.
-- The device must be enrolled and MDM managed by Intune. For information on the enrollment options for Windows devices, go to [Windows enrollment guide for Microsoft Intune](../fundamentals/deployment-guide-enrollment-windows.md).
 - [!INCLUDE [minimum-rbac-role-policy-profile-manager](../includes/minimum-rbac-role-policy-profile-manager.md)]
 
 ## Deploy eSIM to devices - overview