Device management

Diagram containing a list of security features.

Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune[3], IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client.

Windows 11 built-in management features include:

  • The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
  • The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT

Config Refresh

With traditional group policy, a PC refreshes policy settings when a user signs in and every 90 minutes by default. Administrators can shorten that interval so that the settings on the PC stay in line with the management settings set by IT.

By contrast, with a device management solution like Microsoft Intune[3], policies refresh when a user signs in and then at eight-hour intervals by default. As policy settings migrate from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy.

Config Refresh resets settings in the Policy configuration service provider (CSP) to the value the administrator intended when they drift because of misconfiguration, registry edits, or malicious software on the PC. It does this every 90 minutes by default, and you can configure it to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that you traditionally set with group policy and now set through Mobile Device Management (MDM) protocols.

You can pause Config Refresh for a configurable period of time, after which it re-enables. This feature supports scenarios where a helpdesk technician might need to reconfigure a device for troubleshooting purposes. An administrator can also resume it at any time.
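The three Config Refresh controls described above (on/off, cadence, pause period) are delivered to the device over the same MDM protocol as any other policy. The following SyncML is an added example, not from this page or from Microsoft; it assumes the DMClient CSP ConfigRefresh nodes (Enabled, Cadence, PausePeriod) under the "MS DM Server" provider ID that Intune enrolls under, and the CmdID and minute values are chosen for illustration.

```xml
<!-- Added example (not from the original page): SyncML that an MDM server sends
     to an enrolled Windows 11 device. Assumed: DMClient CSP ConfigRefresh nodes
     and the "MS DM Server" provider ID; CmdID values are arbitrary. -->
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <!-- Keep drift correction on -->
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/ConfigRefresh/Enabled</LocURI>
        </Target>
        <Meta><Format xmlns="syncml:metinf">bool</Format></Meta>
        <Data>true</Data>
      </Item>
    </Replace>
    <!-- Tighten the default 90-minute cadence to the 30-minute minimum the page mentions -->
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/ConfigRefresh/Cadence</LocURI>
        </Target>
        <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
        <Data>30</Data>
      </Item>
    </Replace>
    <!-- Helpdesk troubleshooting window: pause enforcement for 60 minutes (value chosen
         for illustration); Config Refresh re-enables itself when the period ends, and an
         administrator can resume it earlier -->
    <Replace>
      <CmdID>3</CmdID>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/ConfigRefresh/PausePeriod</LocURI>
        </Target>
        <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
        <Data>60</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
```

In Intune the same three LocURIs can be supplied as custom OMA-URI settings; the built-in management client applies them at its next synchronization with the management server.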


Kiosk mode

Windows lets you restrict functionality to specific applications by using built-in features. This restriction makes Windows ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device or through a cloud-based device management solution like Microsoft Intune[3]. You can configure kiosk mode to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup.
