Use reusable groups of settings with Intune policies
This feature is in public preview.
Intune supports reusable settings groups that you can add to configuration policies and profiles to simplify management of common settings. Use a reusable group when the same settings, with the same configuration, are needed in more than one profile.
When you edit the settings in a reusable group, the changes you make automatically apply to each profile that includes the group. When you save your changes to the reusable settings group, Intune updates the profiles with those new configurations and deploys the updated profile to devices based on the profile’s assignments.
Each reusable settings group is a single object that can include multiple settings. After configuring one or more reusable groups for use with a specific profile type, you create or edit a profile to add the groups. Profiles can support multiple groups.
To manage groups of reusable settings, in the Microsoft Intune admin center you use the Reusable settings tab that's associated with the policy and profiles you want to use a group with. On the tab, you can create a group, edit the settings in a group, and view the count of policies that inherit settings from each group. Each reusable settings group is intended for use only with its related profile type.
For example, the following image shows the Reusable settings tab you would use to manage reusable groups for the Firewall > Windows Firewall rules profile:
After creating reusable groups, you use an option on a profile's Configuration settings page to add groups to that profile. A profile that includes one or more reusable groups applies each setting from each included group as if the settings were configured directly in the profile.
Prerequisites
The following profiles support use of reusable settings groups:
Endpoint security policy
Firewall > Windows Firewall rules:
Platforms: Windows
Windows versions: Devices must run Windows 10 20H2 or later, or Windows 11
Each reusable settings group includes a subset of the settings from the full profile you create the group for. The settings available in a group are documented in the settings reference for that profile type.
Create a reusable group
Open the Microsoft Intune admin center, navigate to the policy for which you want to create a reusable group, and then select the Reusable settings (preview) tab.
Select Add to open the Configure reusable settings (preview) workflow.
On the Basics page, configure a name. The description is optional.
On the Configuration settings page, select Add and then configure settings for this group as if configuring settings directly in the supported profile.
For Device Control, when you select Add you then must choose the type of group settings to configure, and then select Edit instance to continue. If you add more than one instance, review the Match type configuration for the group.
There's a limit of 100 instances per group. Use the information text in the admin center for each setting in the reusable settings group as guidance. Follow the Learn more link for a setting to view details about the setting from that settings content source.
Tip
Carefully name each reusable group you create so that you can identify it later. This is important because every reusable group you create, for any policy type, is visible when adding reusable groups to a policy, even if the group contains settings that don't apply to the policy you're configuring. For example, a reusable group created for Windows Firewall rules is visible and can be selected when adding reusable groups to Device Control policies.
On the Review + Add page, select Add to save your reusable settings group.
Modify a reusable group
When you edit the configuration of a reusable group, each profile that uses that group automatically updates to apply the new configuration to devices.
Open the Microsoft Intune admin center, navigate to the policy whose reusable group you want to edit, and then select the Reusable settings (preview) tab.
Select the reusable settings group you want to edit. This opens the configuration workflow that resembles the workflow for creating a new reusable group.
On the Basics page you can rename the group, and on the Configuration settings page you can reconfigure settings. On the last page, select Save to save your configuration and update the profiles that use the settings group.
Add reusable groups to a Windows firewall rule profile
Add reusable settings groups to profiles while editing or creating the profile. On the profile's Configuration settings page, use an option that supports adding one or more previously created groups.
Note
Inbound FQDN rules aren’t natively supported. However, it’s possible to use pre-hydration scripts to generate inbound IP entries for the rule. For more information, see Windows Firewall dynamic keywords in the Windows Firewall documentation.
On the Configuration settings page, select Add to add a new rule, or Edit rule to manage a previously created rule.
On the Configure instance pane for the rule, configure Action to determine what the rule does with traffic that matches its IP addresses or FQDNs. For example, you might set Action to allow or block. The action applies both to the addresses you add directly to this rule and to the addresses in each reusable group that is added to this rule.
Save the rule configuration.
For the rule you saved, select Set reusable settings to open the Select reusable settings pane.
Select one or more of the available groups to add them to this rule, and then save your selections.
After adding reusable groups to a profile, save your configuration. When saved, Intune includes the settings from the reusable groups and deploys the profile to devices based on the profile’s assignments.
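The following model, added for this article and not Intune or Microsoft code, illustrates the two behaviours described above and in the overview: a reusable group is one shared object, so editing it changes every profile that references it, and a rule's Action covers the addresses set directly on the rule and those pulled in from its groups identically. The usage_count function mirrors the "policies that inherit settings" count shown on the Reusable settings tab, which is the number to check before editing a group. The classes, the constructed resolver table standing in for the pre-hydration step, the 100-instance limit check, and the evaluation order (an explicit block rule wins over an allow rule, as Windows Firewall does) are modelling assumptions; all names and addresses are constructed sample data.

```python
"""Model of reusable settings groups inside Windows Firewall rule profiles.

Added example, not Intune or Microsoft code. Group, rule and profile classes,
the RESOLVER table and the block-before-allow evaluation order are modelling
assumptions; names and addresses are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import chain

MAX_INSTANCES_PER_GROUP = 100  # limit stated in the article

# Constructed stand-in for FQDN resolution (the "pre-hydration" step the
# article mentions for inbound rules). A real deployment resolves via DNS.
RESOLVER = {"update.contoso.example": ["203.0.113.10", "203.0.113.11"]}


def expand(entries):
    """Turn IPs, CIDRs and FQDNs into ip_network objects."""
    for entry in entries:
        for literal in RESOLVER.get(entry, [entry]):
            yield ip_network(literal, strict=False)


@dataclass
class ReusableGroup:
    name: str
    entries: list[str] = field(default_factory=list)  # IPs, CIDRs or FQDNs

    def add(self, entry: str) -> None:
        if len(self.entries) >= MAX_INSTANCES_PER_GROUP:
            raise ValueError(f"{self.name}: limit of {MAX_INSTANCES_PER_GROUP} instances")
        self.entries.append(entry)


@dataclass
class FirewallRule:
    name: str
    action: str                                  # "allow" or "block"
    direct: list[str] = field(default_factory=list)
    groups: list[ReusableGroup] = field(default_factory=list)  # references, not copies

    def matches(self, remote: str) -> bool:
        # Direct addresses and group addresses are evaluated the same way.
        addr = ip_address(remote)
        nets = chain(expand(self.direct), *(expand(g.entries) for g in self.groups))
        return any(addr in net for net in nets)


@dataclass
class Profile:
    name: str
    rules: list[FirewallRule] = field(default_factory=list)

    def decide(self, remote: str) -> str:
        """'block' if any block rule matches, else 'allow' if any allow rule matches."""
        hits = [r for r in self.rules if r.matches(remote)]
        if any(r.action == "block" for r in hits):
            return "block"
        if any(r.action == "allow" for r in hits):
            return "allow"
        return "default"


def usage_count(group: ReusableGroup, profiles: list[Profile]) -> int:
    """Profiles that inherit settings from the group (the admin center's count)."""
    return sum(1 for p in profiles if any(g is group for r in p.rules for g in r.groups))


def build_sample():
    """Constructed sample: one group referenced by two profiles."""
    admin_hosts = ReusableGroup("Admin jump hosts")
    admin_hosts.add("10.0.5.0/24")
    admin_hosts.add("update.contoso.example")
    servers = Profile("Servers", [
        FirewallRule("Allow inbound RDP from admin hosts", "allow", groups=[admin_hosts]),
    ])
    workstations = Profile("Workstations", [
        FirewallRule("Allow inbound RDP from helpdesk", "allow",
                     direct=["10.0.9.0/24"], groups=[admin_hosts]),
        FirewallRule("Block inbound RDP from guest VLAN", "block", direct=["10.0.7.0/24"]),
    ])
    return admin_hosts, [servers, workstations]


if __name__ == "__main__":
    group, profiles = build_sample()
    print("profiles inheriting from", group.name, "=", usage_count(group, profiles))
    group.add("192.0.2.7")  # one edit to the group changes both profiles
    for p in profiles:
        print(p.name, "->", p.decide("192.0.2.7"))
```

Run the file to see the edit propagate: before `group.add("192.0.2.7")` neither profile has a matching rule for that address; after it, both profiles allow it, without either profile being touched. In the admin center the equivalent check is the policy count on the Reusable settings tab before you save a change to a group.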
Add reusable groups to a Device Control profile
Add reusable settings groups to profiles while editing or creating the profile. Reusable groups for Device Control profiles support the following types of settings:
Printer device
Removable storage
On the profile's Configuration settings page, expand the Device Control category and select Add to add a new rule, or Edit Entry to manage a previously created rule.
Select Add to add more rules.
Select Edit Entry to open the Configure Entry pane to further configure use of the group.
On the Configure Entry pane, give the entry a Name, configure the following fields, and then select OK to save the rule:
Type: Defines the action for the removable storage groups. When there are conflicts for Type for the same media, the first type that’s defined in the policy is applied.
Options: Defines whether to display a notification to the device user. The options available depend on the Type that is selected.
Access mask: Choose one or more from Read, Write, Execute.
Sid: A local user SID, a user group SID, or the SID of an AD object. Determines whether the entry applies only to a specific user or user group. An entry can have at most one Sid; an entry without a Sid applies to every user on the machine.
Computer Sid: A local computer SID, a computer group SID, or the SID of an AD object. Determines whether the entry applies only to a specific machine or machine group. An entry can have at most one ComputerSid; an entry without a ComputerSid applies to every machine that receives the policy. To apply an entry to a specific user on a specific machine, add both Sid and ComputerSid to the same entry.
For more information about these options, see the device control articles in the Microsoft Defender for Endpoint documentation.
For the rule you saved, select Set reusable settings for Included ID and Excluded ID to meet your needs. Both selections open a Select reusable settings pane.
Select one or more of the available groups to add them to this rule, and then save your selections.
The following shows a configuration with only one group selected for Excluded ID:
After adding reusable groups to a profile, complete the policy configuration. When saved, Intune includes the settings from the reusable groups and deploys the profile to devices based on the profile’s assignments. A maximum of 100 reusable groups can be added per profile.
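The model below, added for this article and not Microsoft Defender for Endpoint or Intune code, encodes the entry fields listed above (Type, Access mask, Sid, Computer Sid) together with the article's conflict rule: when entries of different Type cover the same media, the first entry defined in the policy wins. The sample reproduces the configuration just described, a rule with a removable-storage group in Included ID and a single group in Excluded ID, and shows the pitfall the conflict rule creates: an Allow entry scoped to an admin group is silently shadowed when it is defined after a broad Deny entry. How a device matches a group (its instance ID appears in an included group and in no excluded group), the Allow/Deny types, the 100-group limit check, and all IDs, SIDs and names are modelling assumptions or constructed data.

```python
"""Model of a Device Control rule using Included ID / Excluded ID reusable groups.

Added example, not Microsoft Defender for Endpoint or Intune code. Group
matching, the Allow/Deny types and every ID, SID and name here are modelling
assumptions or constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = "Read", "Write", "Execute"
MAX_GROUPS_PER_PROFILE = 100  # limit stated in the article

# Constructed SIDs (not real directory objects).
ADMINS_GROUP = "S-1-5-21-1000000000-2000000000-3000000000-1105"
ADMIN_WORKSTATIONS = "S-1-5-21-1000000000-2000000000-3000000000-2201"


@dataclass
class ReusableGroup:
    name: str
    device_ids: set[str] = field(default_factory=set)  # removable storage instance IDs


@dataclass
class Entry:
    name: str
    type: str                        # "Allow" or "Deny"
    access_mask: set[str]            # any of READ, WRITE, EXECUTE
    sid: str | None = None           # user or user-group SID; None = all users
    computer_sid: str | None = None  # machine or machine-group SID; None = all machines
    notify: bool = False             # the article's Options field, simplified

    def applies_to(self, user_sids: set[str], computer_sids: set[str]) -> bool:
        # A missing Sid matches every user; a missing ComputerSid every machine.
        return (self.sid is None or self.sid in user_sids) and (
            self.computer_sid is None or self.computer_sid in computer_sids)


@dataclass
class Rule:
    name: str
    included: list[ReusableGroup]
    excluded: list[ReusableGroup] = field(default_factory=list)
    entries: list[Entry] = field(default_factory=list)

    def covers(self, device_id: str) -> bool:
        inc = any(device_id in g.device_ids for g in self.included)
        exc = any(device_id in g.device_ids for g in self.excluded)
        return inc and not exc


@dataclass
class Profile:
    name: str
    rules: list[Rule] = field(default_factory=list)

    def group_count(self) -> int:
        names = {g.name for r in self.rules for g in r.included + r.excluded}
        if len(names) > MAX_GROUPS_PER_PROFILE:
            raise ValueError(f"{self.name}: more than {MAX_GROUPS_PER_PROFILE} reusable groups")
        return len(names)

    def decide(self, device_id: str, access: str,
               user_sids: set[str], computer_sids: set[str]) -> str:
        """Type of the first entry, in policy order, that covers the device, the
        requested access and the caller; 'NoMatch' if no entry applies."""
        for rule in self.rules:
            if not rule.covers(device_id):
                continue
            for entry in rule.entries:
                if access in entry.access_mask and entry.applies_to(user_sids, computer_sids):
                    return entry.type
        return "NoMatch"


def build_sample(admins_first: bool = False) -> Profile:
    """Constructed sample: all removable storage is included, approved drives excluded."""
    all_removable = ReusableGroup("All removable storage", {"usb-contoso-001", "usb-unknown-002"})
    approved = ReusableGroup("Approved USB drives", {"usb-contoso-001"})
    everyone_reads = Entry("Everyone may read", "Allow", {READ})
    no_write = Entry("No write or execute", "Deny", {WRITE, EXECUTE}, notify=True)
    admins_write = Entry("Admins write from admin workstations", "Allow", {WRITE},
                         sid=ADMINS_GROUP, computer_sid=ADMIN_WORKSTATIONS)
    # Definition order decides conflicts, so the admin exception must precede the Deny.
    entries = [admins_write, everyone_reads, no_write] if admins_first \
        else [everyone_reads, no_write, admins_write]
    rule = Rule("Removable storage", included=[all_removable], excluded=[approved], entries=entries)
    return Profile("Device Control - removable storage", [rule])


if __name__ == "__main__":
    for order in (False, True):
        p = build_sample(admins_first=order)
        print("admins_first =", order, "->",
              p.decide("usb-unknown-002", WRITE, {ADMINS_GROUP}, {ADMIN_WORKSTATIONS}))
```

With the default order an administrator on an admin workstation is still denied Write, because the broad Deny entry is defined first and the rule takes the first matching Type; putting the scoped Allow entry first fixes it. The excluded approved drive returns NoMatch, meaning no entry in this policy governs it.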
The device settings you can manage through reusable settings groups are applied by Intune the same as settings that are directly configured in a profile. If conflicts or overlaps are introduced by settings from your reusable groups, you can use the same troubleshooting process to identify and resolve those conflicts.