This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 17%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENE%3C/text%3E%3C/svg%3E)
Looking to move away from windows 10 with S Mode now that it is no longer supported with windows 11 Education. Would it be possible to add a WDAC base policy to an image sysprep it, deploy the image and from there update the policy from Intune using supplemental policies? Or is it best to have a standard image and apply the policy using Intune from the beginning?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
It depends on your requirement and you may do both.
For example, in case you have static policies with fewer changes and you want to have all policies in place the moment user is using their device, then you may deploy it during imaging. However, in case you are changing and modifying policy and it is fine to deploy policies later, then you may deploy it using Intune.
It also depends on the usage of the system , for example in case it is personal device connecting to Intune for a while, then you should relay on Intune policy.