What are Intune Configuration Profiles?
- Gareth Oxendine
- May 18, 2024
- 4 min read
Updated: May 15
Introduction
Intune configuration profiles allow you to configure specific settings and then deploy them to all or some of your devices. You can configure a wide range of settings, including, but not limited to, personalization and security. Think of configuration profiles as a way to use the Intune portal to create a "settings package" you can then deploy to whichever devices you choose. You can create configuration profiles for iOS/iPadOS, macOS, Windows, and Android devices.
In this article, I'll review what configuration profiles are, how to create them, and when devices receive them. I'll also go a little deeper into configuration profiles specifically for Windows devices. Let's take a closer look below!
Table of Contents
Creating Configuration Profiles
Configuration Profiles are available for all main device operating systems, including Windows, macOS, iOS/iPadOS, Android, and Linux. You can either manage each operating system's config profiles separately under the By platform section, or you can manage all of them together under the Manage devices section (see below):
Configuration Profile Types
When creating a configuration profile, you are presented with two profile types (see below):
Settings Catalog: allows you to select one or multiple individual settings to configure and deploy for that OS; use this type to build out a custom policy
Templates: allows you to select from a list of templates, each containing a preselected group of related settings
Configuration Profiles for Windows Devices
Configuration Profiles for Windows devices are comparable to Group Policy Objects deployed through the Group Policy Management Console in an AD DS environment. If you are familiar with GPOs, you will feel right at home with configuration profiles. Intune automatically provides most group policies from the Windows ADMX files; Intune also allows you to import third-party ADMX files.
It is important to note that Intune does not use group policies as the legacy Group Policy Editor did; Intune uses the MDM alternative to the Group Policy framework, which is the Configuration Service Provider (CSP) framework. A mapping is created between the group policies in ADMX files and the policies in the CSP framework; Intune can target settings within CSP policies using an OMA-URI. To learn more about CSPs, OMA-URIs, and how Intune converts ADMX files, click the link below:
NOTE: |
You can migrate (export and import) existing, on-premises GPOs to Intune and convert them to configuration profiles. Click here for more information. |
What are Administrative Templates?
Administrative templates represent the Windows group policies (settings) in the Windows ADMX files.
To view the Administrative Templates available to configure, select Settings Catalog as the profile type.
Creating administrative template-based configuration profiles in Intune is similar to creating GPOs in the Group Policy Editor. There are settings scoped to the computer and settings scoped to the user, similar to GPOs (see below):
What are Imported Administrative templates (Preview)?
Imported Administrative templates (Preview) represent the group policies (settings) in the imported, third-party ADMX files. To view the Administrative Templates available to configure, select Templates as the profile type. To learn more about importing third-party ADMX files, click the link below:
What are Windows Custom Configuration Profiles?
Intune provides a very friendly user interface for creating configuration profiles. This online platform provides many "built-in" templates and settings you can easily select and configure. Intune's platform, however, does not have every setting available for you to configure. This is where custom configuration profiles come in.
When you create a custom configuration profile, you tell Intune exactly which setting to configure by specifying an OMA-URI, the setting's value type, and the value itself (see screenshot below). Once ready, Intune will deploy this custom configuration profile to the assigned users/devices. The protocol used to transport this custom configuration profile is the OMA-DM protocol which uses SyncML files to deliver the configuration profile. Once a device receives the profile, the targeted CSP will implement/enforce it. To learn more about CSPs and OMA-URIs, click the link below:
Custom Configuration Profile Example
For example, if we wanted to use a custom configuration profile to set the desktop image on our computers, we would do the following:
Launch the Intune portal.
Navigate to Devices > Windows > Configuration.
Select +Create and then +New Policy
Platform: Windows 10 and later
Profile Type: Templates
Template Name: Custom
Configuration Settings
OMA-URI: ./Vendor/MSFT/Personalization/DesktopImageUrl
Data Type: String
Value: the file or HTTP/HTTPS path to an image file
When do Devices Receive Configuration Profiles from Intune?
After you create the configuration profile, Intune will attempt to notify the assigned devices to check in. If the first notification fails, Intune will try three more times. If unsuccessful, the device will receive the configuration profile the next time it checks in with Intune (remember that devices check in with Intune every 8 hours). See the quote from Microsoft below:
Intune notifies the device to check in with the Intune service... If a device doesn't check in to get the policy or profile after the first notification, Intune makes three more attempts.
Cover Picture provided by Freepik
