Intune Settings Rundown - 2410

Continuing my new regular feature to document interesting new or updated Intune policy settings and UI changes in an easily digestible format!

Note: UI changes can sometimes take time so may not be visible immediately in your tenant.


Android

App Configuration

App Config for Android Enterprise can now override the following permissions:

  • Access background location
  • Bluetooth (connect)

Minimum OS Version - Android 10

As documented in What's New in Intune:

Beginning in October 2024, Android 10 and later is the minimum Android OS version that is supported for user-based management methods, which includes:
* Android Enterprise personally-owned work profile
* Android Enterprise corporate owned work profile
* Android Enterprise fully managed
* Android Open Source Project (AOSP) user-based
* Android device administrator
* App protection policies (APP)
* App configuration policies (ACP) for managed apps

For enrolled devices on unsupported OS versions (Android 9 and lower):
* Intune technical support is not provided.
* Intune won't make changes to address bugs or issues.
* New and existing features aren't guaranteed to work.

While Intune doesn't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.
Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices are not affected by this change.
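As an added example (not from the original post), the following Microsoft Graph PowerShell report lists enrolled Android devices that fall below the new Android 10 minimum, so they can be found before support is withdrawn. It assumes the Microsoft.Graph.DeviceManagement module is installed and that the account used has consent for DeviceManagementManagedDevices.Read.All; the output property names are the SDK's own.

```powershell
# Added example, not from the original post: find Intune-managed Android devices
# below the Android 10 minimum. Assumes Microsoft.Graph.DeviceManagement is installed
# and the signed-in account has DeviceManagementManagedDevices.Read.All.
#Requires -Modules Microsoft.Graph.DeviceManagement

function Get-AndroidMajorVersion {
    param([string]$OsVersion)
    # Intune reports Android osVersion in varying shapes ("9", "10", "13.0", "8.1.0").
    # [version] rejects single-component strings such as "9", so take the leading
    # integer instead. Blank or unparseable values return $null (unknown).
    if ($OsVersion -match '^\s*(\d+)') { return [int]$Matches[1] }
    return $null
}

function Get-UnsupportedAndroidDevices {
    param([int]$MinimumMajor = 10)

    # Only Android devices, and only the fields the report needs.
    $devices = Get-MgDeviceManagementManagedDevice -All `
        -Filter "operatingSystem eq 'Android'" `
        -Property id,deviceName,osVersion,deviceEnrollmentType,userPrincipalName,lastSyncDateTime

    foreach ($d in $devices) {
        $major = Get-AndroidMajorVersion -OsVersion $d.OsVersion
        if ($null -ne $major -and $major -ge $MinimumMajor) { continue }

        $status = if ($null -eq $major) { 'UnknownVersion' } else { 'BelowMinimum' }
        [pscustomobject]@{
            DeviceName     = $d.DeviceName
            User           = $d.UserPrincipalName
            OsVersion      = $d.OsVersion
            MajorVersion   = $major
            EnrollmentType = $d.DeviceEnrollmentType   # use this to set aside dedicated / AOSP userless
            LastSync       = $d.LastSyncDateTime
            Status         = $status
        }
    }
}

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
Get-UnsupportedAndroidDevices | Sort-Object EnrollmentType, DeviceName | Format-Table -AutoSize
```

Two caveats when reading the output: the post says dedicated and AOSP userless devices are not affected, so exclude those enrollment types from the list by hand (the exact enum strings Graph returns are not reproduced here), and devices protected only by app protection policies (MAM without enrollment) are not managed devices and will not appear in this query at all.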

Windows 11 24H2

A number of Win11 24H2-specific policies have been changed from "Windows Insiders Only" to a minimumSupportedVersion of 10.0.26100:

ConfigureSearchOnTaskbarMode

Policy Name: Configure Search On Taskbar Mode
Policy Location: Search
Policy Tooltip: Configures search on the taskbar. If you disable this policy setting or do not configure it, users can see and change this setting.
Available Settings:
  0 - Hide
  1 - Search icon only
  2 - Search icon and label
  3 (Default) - Search box
Policy Scopes: (Device)

Remember - Setting a policy means a user can't change the setting, and don't assume you know how your users like to work ;)

AutomaticDataCollection

Policy Name: Automatic Data Collection
Policy Location: Smart Screen/Enhanced Phishing Protection
Policy Tooltip: Automatically collect website or app content when additional analysis is needed to help identify security threats.
Available Settings: Enabled / Disabled
Policy Scopes: (Device)

Two new WUfB settings. Note these are not currently applied by a WUfB/Autopatch ring, and they are not applicable to devices that are not already on 24H2.

ConfigureDeadlineNoAutoRebootForFeatureUpdates

Policy Name: Configure Deadline No Auto Reboot For Feature Updates
Policy Location: Windows Update For Business
Policy Tooltip: When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured.
Available Settings: Enabled / Disabled
Policy Scopes: (Device)

ConfigureDeadlineNoAutoRebootForQualityUpdates

Policy Name: Configure Deadline No Auto Reboot For Quality Updates
Policy Location: Windows Update For Business
Policy Tooltip: When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured.
Available Settings: Enabled / Disabled
Policy Scopes: (Device)

User Rights

The following User Rights CSP settings are now applicable to Win11 24H2 and above:

  • Bypass Traverse Checking
  • Change Time Zone
  • Deny Log On As Batch Job
  • Increase Process Working Set
  • Log On As Batch Job
  • Log On As Service
  • Profile System Performance
  • Replace Process Level Token
  • Shut Down The System

Wi-Fi

There have been some wording changes to the policy description for "Allow Manual Wi Fi Configuration". The tooltip used to read:

Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. Most restricted value is 0. Note Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted.

But has been changed to (bold to highlight changes):

Allow or block connections to Wi-Fi outside of MDM server-installed networks. If you change this setting to Block, you must deploy enterprise Wi-Fi profiles to the device using the Wi-Fi CSP before you apply this setting. Otherwise, the device will go offline since it won't be able to connect to Wi-Fi. Note that choosing to block Wi-Fi connections will delete any previously installed user-configured Wi-Fi profiles from the device, though not all non-MDM profiles will be deleted.

Definitely improved wording to show potential impact of the setting.


Microsoft Edge

One new setting from Edge v128:

ApplicationBoundEncryptionEnabled

Policy Name: Enable Application Bound Encryption
Policy Location: Microsoft Edge
Policy Tooltip: Enabling this policy or leaving it unset binds the encryption keys used for local data storage to Microsoft Edge whenever possible.
Disabling this policy has a detrimental effect on Microsoft Edge's security because unknown and potentially hostile apps can retrieve the encryption keys used to secure data.
Only turn off this policy if there are compatibility issues, such as scenarios where other applications need legitimate access to Microsoft Edge's data, encrypted user data is expected to be fully portable between different computers, or the integrity and location of Microsoft Edge's executable files isn't consistent.
Available Settings: Enabled / Disabled
Policy Scopes: (Device) and (User)
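As an added example that is not part of the original post, the script below runs locally on a device and verifies that the two WUfB no-auto-reboot settings and the Edge Application Bound Encryption policy described above have actually landed. It also flags the two combinations a practitioner would want to catch: a ConfigureDeadlineNoAutoRebootFor*Updates setting enabled without its matching ConfigureDeadlineFor*Updates (the tooltip says it only takes effect when the deadline is configured), and ApplicationBoundEncryptionEnabled explicitly set to 0. It assumes MDM-applied Policy CSP values are mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area> and that Edge ADMX-backed policies are written to HKLM\SOFTWARE\Policies\Microsoft\Edge; both paths are assumptions on my part, not something the post states.

```powershell
# Added example, not from the original post: local verification of the WUfB
# no-auto-reboot settings and the Edge ApplicationBoundEncryptionEnabled policy.
# Assumed registry locations (not from the post):
#   Policy CSP mirror : HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>
#   Edge ADMX policies: HKLM\SOFTWARE\Policies\Microsoft\Edge
# Run from an elevated PowerShell session on the device being checked.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-DeadlineNoAutoReboot {
    param([ValidateSet('Feature', 'Quality')][string]$Kind)
    $area     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    $noReboot = Get-PolicyValue -Path $area -Name "ConfigureDeadlineNoAutoRebootFor${Kind}Updates"
    $deadline = Get-PolicyValue -Path $area -Name "ConfigureDeadlineFor${Kind}Updates"

    # The tooltip says the setting only takes effect if the deadline policy is configured,
    # so "enabled but no deadline" is a misconfiguration worth surfacing.
    $finding = if ($null -eq $noReboot)                          { 'NotApplied' }
               elseif ($noReboot -eq 1 -and $null -eq $deadline) { 'EnabledButNoDeadline' }
               elseif ($noReboot -eq 1)                          { 'Enabled' }
               else                                              { 'Disabled' }

    [pscustomobject]@{
        Setting      = "ConfigureDeadlineNoAutoRebootFor${Kind}Updates"
        Value        = $noReboot
        DeadlineDays = $deadline
        Finding      = $finding
    }
}

function Test-EdgeAppBoundEncryption {
    $v = Get-PolicyValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -Name 'ApplicationBoundEncryptionEnabled'
    # Unset means Edge keeps its default (enabled); an explicit 0 is the risky state the
    # tooltip warns about, because other local apps can then retrieve Edge's encryption keys.
    $finding = if ($null -eq $v) { 'NotSet (default: enabled)' }
               elseif ($v -eq 0) { 'DISABLED - local data encryption keys not bound to Edge' }
               else              { 'Enabled' }

    [pscustomobject]@{
        Setting      = 'ApplicationBoundEncryptionEnabled'
        Value        = $v
        DeadlineDays = $null
        Finding      = $finding
    }
}

# The two WUfB settings only apply from 24H2 (build 26100); warn if this device is older.
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
if ($build -lt 26100) {
    Write-Warning "Build $build is below 24H2 (26100); the no-auto-reboot settings do not apply on this device."
}

@(
    Test-DeadlineNoAutoReboot -Kind Feature
    Test-DeadlineNoAutoReboot -Kind Quality
    Test-EdgeAppBoundEncryption
) | Format-Table -AutoSize
```

If the settings were delivered through a settings catalog profile, the device's MDM diagnostic report will show the same values; this script is only a quick spot check for a single machine, not a replacement for Intune's own per-setting reporting.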

That's it for this month!

Massive thanks to Tom Plant in making these blogs far easier for me to write up!😊

And as always, thanks for reading!

James Robinson

With 20 years of experience, James is a Principal Consultant specialising in Modern Workplace and End User Compute technologies, with a focus on Modern Management and Cloud-Native endpoints.
Brighton(ish), United Kingdom