Applies to:
- Windows
This article lists and describes all Windows device settings in Intune for Education.
Apply settings
Apply group settings to establish access and security boundaries on the devices in your school. You can assign the same settings across all groups in your school, or you can customize the classroom experience and apply settings to individual groups.
Configuration options
Many settings in Intune for Education are configured to Block or Allow. For some settings, Not configured is an option. When toggled to Not configured, the device either:
- Uses the default setting.
- Allows the device user (student or teacher) to customize the setting from their device.
Note
User, app, and device settings differ from tenant settings. Tenant settings address the subscription and management settings for your organization.
Accounts and sign-in
Configure how users sign in to school devices.
Accounts
| Setting | Description |
|---|---|
| Block adding and signing in with personal Microsoft accounts | Block users from signing in with their personal Microsoft account. |
| Block adding and signing in with non-Microsoft accounts | Block users from adding any account other than their Microsoft account. Use this setting if you want to force users to only use their Microsoft accounts for email. |
| Configure preferred Microsoft Entra tenant domain | Enables users to sign in to Windows without typing the domain name. If you configure this setting, the tenant domain name prepopulates, but is still editable. |
Local admin management
Select the users or user groups you want to grant local administrator rights on devices in this group. Select Add users to add users or groups that don't already appear in the list.
Apps
Configure how users install and access apps on their devices.
| Setting | Description |
|---|---|
| Remove built-in Windows apps | Uninstall certain built-in Windows apps. For more information, see Shared devices. |
| Block access to administrative apps | Block students from opening apps that require administrative privileges. If you configure this setting, Command prompt (cmd.exe), PowerShell (powershell.exe and powershell.ise), and Registry Tools (reg.exe and regedit.exe) are blocked by default, but you can remove them from the block list. |
| Block installing apps from the Microsoft Store for Education | Block users from installing apps from unauthorized locations. |
| Require Microsoft Store for Education apps to be installed from the private store | Only allow users to install apps from the Microsoft Store for Education that your organization set up. This setting isn't supported on Windows 10/11 Pro editions, including Windows 10/11 Pro Education. |
| Trusted apps | Allow or block users from installing trusted apps that have signed certificates from Microsoft. |
| Untrusted apps | Allow or block users from installing apps with certificates that are unsigned, or signed by sources not trusted by Microsoft. |
| Block installing apps from places other than the Microsoft Store for Education | Block users from installing apps from other sources and app stores. |
| Block automatic updates for Microsoft Store for Education apps | Block Microsoft Store for Education apps from being updated automatically. |
| Enable students on shared devices to share app data | Enable students using the same app on the same device to share data. |
Enrollment
Configure Intune for Education device enrollment settings.
Manual controls
| Setting | Description |
|---|---|
| Block manual unenrollment | Block users from manually unenrolling devices from management. |
| Block adding provisioning packages | Block users from adding new provisioning packages that have device settings. |
| Block removing provisioning packages | Block users from removing provisioning packages that have device settings. |
Windows Autopilot
Configure Enable local Autopilot Reset to allow users with administrative rights to press CTRL + Win + R on the device lock screen to trigger Autopilot Reset. Autopilot Reset removes all user data, including user-installed apps and personal settings, and keeps the device enrolled in Intune. As a result, the device is kept up to date with all of the latest apps, policies, and settings.
Browser
Configure browser settings and user data for Microsoft Edge and Google Chrome.
Browser customization
| Setting | Description |
|---|---|
| Configure homepages | Choose what page opens every time someone begins a new Microsoft Edge browser session. |
| Configure new tab page | Choose what page opens every time someone opens a new tab in Microsoft Edge. |
| Configure home button behavior | Select what page appears when users select the home button in Microsoft Edge. You can also hide the home button. |
| Default search engine | Select Bing, Yahoo, or Google as the default search engine for Microsoft Edge. |
| Configure blocked URLs list | Configure this setting to build a list of sites that your users can't load. |
Browser restrictions
| Setting | Description |
|---|---|
| Block editing favorites | Block users from adding, importing, sorting, or editing the Favorites list. |
| Block browser extensions | Block users from using extensions to customize Microsoft Edge with added functionality from Microsoft and other sources. |
| Block untrusted browser extensions | Block users from sideloading extensions to their Microsoft Edge browser. These extensions are installed from untrusted sources (not the Microsoft Store) and could be malware. |
| Block search suggestions | Block Microsoft Edge from suggesting possible websites as you type a URL or search term. |
| Require SafeSearch | Require a filtered search for Bing and Google. Not applicable for Microsoft Edge version 45 and earlier. |
| Require YouTube restricted mode | Require YouTube restricted mode, which screens out potentially mature content on YouTube. Not applicable for Microsoft Edge version 45 and earlier. |
| Block InPrivate browsing | Block users from using InPrivate browsing, which stops Microsoft Edge from saving data like browsing history and cookies. |
| Block Developer Tools | Block users from accessing Developer Tools. Microsoft Edge Developer Tools enable users to build and debug webpages. |
| Block access to about:flags page | Block access to the about:flags page, which contains experimental settings and features. |
| Block printing from browser | Block users from printing browser content. |
| Block First Run page | Block users from seeing the First Run page. Microsoft Edge First Run page appears when a user opens Microsoft Edge for the first time and after browser updates. |
| Block pop-ups | Block websites from opening new windows. |
| Block overriding security warnings | Block users from proceeding to sites that show an SSL/TLS certificate error. |
| Block password manager | Block users from using the password manager to save passwords. |
| Block automatically filling form entries | Block saving data entered in a form field online. |
| Require intranet sites to be viewed in Internet Explorer | When set to Don't require, internal traffic is sent to Microsoft Edge instead of Internet Explorer. Only enable this setting if there are known compatibility issues with Edge. |
| Enable faster start-up for Microsoft Edge | Microsoft Edge Start-up boost and Microsoft Edge Prelaunch improve the performance of Edge, but also cause Edge to always be running, potentially making a device noncompliant for secure assessments. |
| Enable translation | Enable this feature to integrate translation functionality in the browser. Not applicable for Microsoft Edge version 45 and earlier. |
User data
| Setting | Description |
|---|---|
| Sync favorites between browsers | Sync all favorites from Microsoft Edge to Internet Explorer. |
| Clear browsing data upon exit | Automatically erase history, cookies, and cached files after closing Microsoft Edge. |
| Use cookies | Select to Allow, Block all cookies, or Block only third party cookies. Cookies can store website settings or track a user's browsing behavior. |
Network and connectivity
Configure network and connectivity settings for school devices.
Bluetooth
| Setting | Description |
|---|---|
| Block Bluetooth | Block devices from using Bluetooth. |
| Block Bluetooth discoverability | Block devices from being set as discoverable using Bluetooth. |
| Block receiving advertisements over Bluetooth | Block devices from receiving marketing messages and advertisements over Bluetooth. |
| Block Bluetooth Swift Pair notifications | Block users from getting notifications about Bluetooth device pairing. Swift Pair lets users know when Bluetooth devices are nearby and able to connect to Windows. |
Internet connectivity restrictions
| Setting | Description |
|---|---|
| Block Internet Connection Sharing | Block users from using Internet Connection Sharing to share the device’s Internet connection with other devices. |
| Block using Wi-Fi Sense to automatically connect to open hotspots | Choose if you want to block devices from automatically connecting to Wi-Fi hotspots. |
| Block cellular data while roaming | Block the use of cellular data when the device is roaming. |
Proxy
| Setting | Description |
|---|---|
| Block automatic detection of proxy settings | If you set up a proxy to handle device network traffic, choose whether devices automatically detect the proxy settings when connected. |
| Use proxy script | Enable the use of a proxy script for your devices. If you Configure this setting, you need to provide a Setup script address. |
| Use manual proxy server configuration | If you set up a manual proxy, define settings for it here. If you Configure this setting, you need to provide the Proxy server address, Proxy exceptions, and whether to enable Use proxy server for local (intranet) connections. |
Wi-Fi profiles
Select Windows Wi-Fi profiles to assign to your group. For step-by-step instructions to create and assign a Windows Wi-Fi profile, see Add a Wi-Fi profile.
A list of Wi-Fi profiles that you created appears within this section and is ready to assign. Visible details include the Profile name, Network name (SSID), Security type, and Description.
Select Assign a new (Windows) Wi-Fi profile to create a profile. For a description of each field, see Add a Wi-Fi profile.
Note
Configure a WPA-2 Enterprise Wi-Fi network by using the full Wi-Fi profile management experience in Intune. You can also use Intune to set up SCEP and PKI integration.
OneDrive and Storage
Configure Microsoft OneDrive and storage settings.
| Setting | Description |
|---|---|
| Silently move Windows Known Folders to OneDrive | Moves and redirects Windows known folders (Documents, Desktop, and Pictures) to Microsoft OneDrive. The move happens without any user interaction. When enabled, you also have the option to notify users that their files were moved. This setting is automatically enabled on devices running Windows 11 SE. |
| Silently sign-in users to OneDrive sync | Use to silently configure user accounts when deploying the OneDrive sync app (OneDrive.exe) to Windows computers. Lets users signed in on a PC that's joined to Microsoft Entra ID set up the sync app without entering their account credentials. The primary user of the device is signed in, so this setting works best on devices that are used by a single user. |
| Prevent users from redirecting their Known Folders to their PC | Forces users to keep their known folders directed to OneDrive. |
| Use OneDrive files On-Demand | Lets users get to all of their files in OneDrive or SharePoint Online, without having to download them all and use storage space on the device. |
| Days files remain unopened before file becomes online only (0-365) | Turns on Storage Sense, a silent assistant that works with OneDrive to automatically free up space. Any files not used within the set period of time are set to online-only when the device runs low on free space. When connected to the Internet, users can continue using their online-only files just like any other file. |
| Block OneDrive file sync | Block the device from syncing files to OneDrive. |
Power and sleep
Manage how and when devices power off and go to sleep.
| Setting | Description |
|---|---|
| Turn off device display after | Choose how many minutes of inactivity before the device display turns off. This setting applies to devices that are plugged in and on battery. |
| Put device to sleep after | Choose how many minutes of inactivity before the device transitions to sleep. This setting applies to devices that are plugged in and on battery. |
| Put device in hibernation after | Choose how many minutes of inactivity before the device transitions to hibernate. This setting applies to devices that are plugged in and on battery. |
| Power button action | Select what happens when someone pushes the power button. |
| Lid close action | Select what happens when someone closes the device lid. |
| Block changing power and sleep settings | Block users from changing power and sleep settings. |
Printer
Configure printer access for school devices.
| Setting | Description |
|---|---|
| Printer list | Create a list of printers that you want to make available to student devices. Enter the printer hostname. An example of a formatted hostname is printer1.contososd.edu. |
| Specify default printer | Make a printer available as the default printer option on devices. Enter the printer hostname as it appears in your Printer list. |
| Block adding new printers | Block groups from connecting new printers to their devices. |
Security
Configure Windows Defender, Windows Encryption, and Windows SmartScreen settings for school devices.
Windows Defender
Note
Some Windows Defender settings are available only at the tenant level and don't appear in the portal.
| Setting | Description |
|---|---|
| Block user access to Windows Defender settings | Block users from modifying Microsoft Defender Antivirus settings on the device. |
| Enable real-time monitoring | Enable always-on scanning for malware, spyware, and other threats. |
| Enable behavior monitoring | Enable Microsoft Defender Antivirus to check for certain known patterns of suspicious activity. |
| Prompt users to submit suspicious files to Microsoft | Choose to automatically send files to Microsoft for further analysis. |
| Type of system scan to perform | Choose if Microsoft Defender Antivirus does a quick scan, a full scan, or no scan of devices. |
| Daily quick scan time | Choose what hour of the day Microsoft Defender Antivirus runs a daily quick scan. |
| Scan all downloaded files | Automatically scan all downloaded files for malware. |
| Scan scripts run in Microsoft web browsers | Scan all scripts a website attempts to run in Microsoft Edge and Internet Explorer. |
| Scan removable drives during full scan | Include removable drives, such as USB sticks, during full scans. |
| Scan files opened over the network | Scan all files that users open from websites while using the network. |
| Scan remote folders during full scan | Scan any folders on remote locations during full scans. |
| Scan archive files | Scan archive files, like .zip or .rar. |
| Scan incoming emails | Scan all emails received over the network. |
| Scan for malware when files or programs are opened | Scan for malware when a file or program opens and alert users about suspicious activity. |
| Days before quarantined malware is deleted (0-90) | Set the number of days an affected file is saved. After this number of days, the file is deleted. For example, if set to 0, the file is immediately deleted. |
| Set anti-malware update frequency | Select how frequently Microsoft Defender Antivirus should check for and download anti-malware updates. |
| Potentially unwanted applications protection | Microsoft Defender Antivirus alerts the user, and blocks potentially unwanted software that attempts to install itself on devices. |
| Block suspicious files | If you configure this setting, Microsoft Defender Antivirus is more aggressive about identifying suspicious files to block and scan. When you don't configure it, the antivirus blocks and scans less frequently. You can select Not configured, High, High plus, and Zero tolerance. High aggressively blocks unknown files while minimizing impact to device performance. High plus aggressively blocks unknown files, but might negatively impact device performance. Zero tolerance blocks all unknown files from running. |
| Enable cloud-delivered protection | Get real-time protection when Microsoft Defender Antivirus sends info to Microsoft about potential security threats. This feature works best with Prompt users to submit suspicious files to Microsoft set to automatically send files. |
| Actions on detected malware threats | Microsoft Defender Antivirus automatically quarantines detected malware. |
| Enable Network Inspection Service | Helps protect devices against network-based exploits. Uses the signatures of known vulnerabilities from the Microsoft Endpoint Protection Center to help detect and block malicious traffic. |
| Exclude files with these extensions from scans and real-time protection | Define the types of files that users can open without scanning for security threats. |
| Exclude processes from scans and real-time protection | Define the types of processes that users can run without scanning for security threats. |
| Exclude directories from scans and real-time protection | Define the file locations that users can access without scanning for security threats. |
Windows Encryption
Turn on the switch to Enable Windows Encryption on devices.
Windows SmartScreen
| Setting | Description |
|---|---|
| Block users from overriding SmartScreen warnings about websites | Block users from ignoring and accessing websites blocked by the SmartScreen Filter. |
| Block users from overriding SmartScreen warnings about downloads from the web | Block users from ignoring and downloading unverified files that the SmartScreen Filter warns about. |
| Enable SmartScreen to check for unrecognized apps and files | Enable SmartScreen to protect devices by checking for unrecognized apps. |
| Block users from overriding SmartScreen warnings about apps and files | Block users from dismissing SmartScreen warnings about potentially malicious files and apps. |
Shared devices
Configure how teachers and students share devices.
| Setting | Description |
|---|---|
| Optimize devices for shared use | Configures recommended settings for shared devices, such as power and update management. Allows multiple students or teachers to sign in to the same device. |
| Block guest users | This option is only available when you enable Optimize devices for shared use. Block guest users from signing in to shared devices. When blocked, only domain users can sign in. |
| Block access to local storage | This option is only available when you enable Optimize devices for shared use. Block users from saving files to the device. When blocked, users can only save to the cloud. |
| Block fast user switching | Allow users to quickly switch between user accounts from the Start menu. |
When you select to optimize devices for shared use, these apps are removed from teacher and student computers:
- Mixed Reality Viewer
- Weather
- Desktop App Installer
- Tips
- My Office
- Solitaire Collection
- Mobile Plans
- Windows Feedback Hub
- Xbox
- Groove Music
- Calendar
- Skype
Optimizing devices for shared use also enables Remove built-in Windows apps (under Apps) and Block access to local storage (under Shared devices). You can disable either of those settings without affecting the other shared use settings.
Take a Test profiles
Assign Take a Test profiles to this group. A list of profiles that you created appears within this section and is ready to assign. Visible details include the Profile name, Account name, Assessment URL, and Description.
Select Assign new Take a Test profile to create a profile. For a description of each field and step-by-step setup instructions, see Take a Test profiles.
Updates and upgrade
Configure Windows updates and edition upgrades for school devices.
Updates
| Setting | Description |
|---|---|
| Stay on a version of Windows 10 | If you configure this policy, devices stay on the version of Windows 10 you specify until that version of Windows 10 reaches end of service or until you remove or reconfigure this policy. You can't use this policy to downgrade a device. |
| Configure how and when updates are installed | Set the updates and maintenance period for the installation of updates. |
| Days to defer feature updates after they become available (0-365) | Set how many days to wait to apply a feature update after it becomes available. For example, if you set the value to 0 days, a feature update that's just become available is immediately applied to your devices. |
| Days to defer quality updates after they become available (0-30) | Set how many days to wait to apply a quality update after it becomes available. For example, if you set the value to 0 days, a quality update that's just become available is immediately applied to your devices. |
| Days before deleting uninstall files (2-60) | After installing feature updates, Windows keeps the files necessary to uninstall the new build and revert to your previous one. Set how many days to wait before deleting these files. |
| Windows Update notifications | Choose the type of notifications shown when an update becomes available. |
| Block manual Windows Update | Block users from initiating an update on their own. |
| Block user from pausing Windows Update | Block user access to the Pause updates feature. |
| Allow students to see Windows pre-release features | Choose if students can see pre-release features for settings, pre-release features for settings and experimentation, or no pre-release features. |
| Delivery Optimization mode | Select how you want to deliver updates to devices. Delivery Optimization reduces the bandwidth needed to download Windows updates and apps by sharing the work of downloading packages among multiple devices. |
| Pause feature updates for 35 days | Paused Updates resume automatically 35 days after the specified start date. Change the value of this setting to Not configured to resume updates manually. |
| Pause quality updates for 35 days | Paused Updates resume automatically 35 days after the specified start date. Change the value of this setting to Not configured to resume updates manually. |
Edition upgrade
Select Assign new Edition Upgrade profile to configure and assign a new profile that's not already listed.
| Setting | Description |
|---|---|
| Profile name | Enter a name for the profile. Example: Contoso School edition upgrade |
| Windows Edition to upgrade to | Upgrade the devices in this group to a different edition of Windows. Select an edition and enter the Product key. This setting isn't supported on devices running Windows 11 SE. |
| Switch devices out of S Mode | This setting lets users switch their devices out of S Mode. Keep in S Mode prevents them from making the switch. When in S Mode, teachers and students can only browse with Microsoft Edge, and download apps from Microsoft Store. |
Select Create and assign profile to save profile changes.
User experience
Configure the user experience on school devices.
Device restrictions
| Setting | Description |
|---|---|
| Block camera | Block use of the device camera. |
| Block removable storage | Block the use of removable storage such as USB drives, SD cards, and external hard drives. |
| Block Cortana | Block Cortana, the digital assistant built into Windows that can answer questions and perform tasks. |
| Block location services | Block apps from using location services to access the device's location. |
| Block ending tasks in Task Manager | Block users from using Task Manager to force a program, process, or task to close. |
| Configure time zone | Choose what time zone to apply to devices. |
| Block changing date and time settings | Block users from changing the device date and time settings. |
| Block changing language settings | Block users from changing the device language. |
| Block changing device region settings | Block users from changing settings, such as country/region and language. |
| Send diagnostic data | Select how much diagnostic data devices send to Microsoft. User-defined lets the device user choose their own setting. None sends no data. Basic sends only the minimum data required to keep Windows secure and up to date. Enhanced sends additional data about how Windows and apps are used. Full sends all Basic and Enhanced data, plus additional diagnostics that help Microsoft identify and fix problems. |
Lock screen and desktop
| Setting | Description |
|---|---|
| Set custom lock screen image | Configure a custom background image on the sign-in screen. You can choose a .jpg or .png less than 20 MB in size. |
| Set custom desktop image | Configure a custom background image on the desktop. You can choose a .jpg or .png less than 20 MB in size. |
| Configure desktop shortcuts for website and web apps | To configure desktop shortcuts, enter the URL for each website or web app. Each website you list appears as a desktop shortcut and in the app list in the start menu. If a website has progressive web app (PWA) capabilities, this setting installs the progressive web app. This setting applies to Microsoft Edge version 77 and later. |
| Block Windows Spotlight | Block all Windows Spotlight features on these devices. |
| Block notifications on lock screen | Block notifications from appearing on the screen of a locked device. |
| Block Cortana on lock screen | Prevent users from accessing Cortana from the lock screen. |
Settings app
| Setting | Description |
|---|---|
| Block access to the Settings app | Block user access to the entire Settings app. To block only parts of the app, select from the other settings in this section. |
| System settings | Block display, notifications, apps, power settings. |
| Devices | Block Bluetooth, printers, and more. |
| Network & Internet | Block Wi-Fi, airplane mode, and VPN. |
| Personalization | Block background, lock screen, and color modifications. |
| Accounts | Block user accounts, email, sync, work, and other people. |
| Time & language | Block size, region, and date. |
| Ease of Access | Block Narrator, magnifier, and high contrast. |
| Privacy | Block location and camera. |
| Update & security | Block Windows Update, recovery, and backup. |
| Apps | Block uninstall, defaults, and optional features. |
| Gaming | Block game bar, DVR, broadcasting, and Game Mode. |
Start menu
| Setting | Description |
|---|---|
| Force Start menu size | Control the size of the Start menu. Not configured leaves the Start menu at its default size. Force full screen expands the Start menu to fill the entire screen. Force non-full screen keeps the Start menu at its default, non-full-screen size. |
| Block Jump Lists in Start menu from showing recently opened programs | Block Jump Lists from appearing on the Start menu, and disable the corresponding toggle in the Settings app. You can access a Jump List by right-selecting any program in the Start menu. |
| Block showing recently added apps in Start menu | Block recently added apps from showing in the Start menu. |
| Block showing the most used apps in Start menu | Block the most used apps from showing in the Start menu. |
| Block app list in Start menu | Block the list of all apps on the device from showing in the Start menu. |
| Block power menu in Start menu | Block the power menu (for example, Restart, Shut down) from showing in the Start menu. |
| Block user tile in Start menu | Block the current user’s information from being shown in the Start menu. |
| Block options from appearing on the user tile in Start menu | Configure this setting to block Change account settings, Lock, or Sign out options. |
| Choose folders that appear in Start menu | You can choose File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, Home Group, Network, and Personal Folder. |
| Apply custom Start menu layout | Apply a custom Start menu layout using an XML file. You can upload an .xml file less than 2 MB in size. This setting isn't supported on devices running Windows 11 SE. To change the default pinned apps for Windows 11 SE, customize the layout using the ConfigureStartPins policy in Microsoft Intune. |
| Pin websites as tiles in Start menu | Pin websites as tiles in the Start menu using an XML file. You can upload an .xml file less than 2 MB in size. |
Next steps
- Configure Windows group settings to apply policies across your school.
- Understand settings inheritance when groups are organized in a hierarchy.
- Review reports to pinpoint and troubleshoot setting conflicts.
- Assign group admins to help manage device settings across your school.
- For a faster setup, use Express Configuration to apply Microsoft-recommended settings to a group.
- Find out more about the full Windows settings management experience available in Intune.