3.4 Configuration Profiles and Assignment Filters
Key Takeaways
- Device configuration profiles in Intune can target Windows, Android, iOS/iPadOS, and macOS, but available profile types and settings differ by platform.
- For most platforms, Intune offers templates for common scenarios and the Settings catalog for granular settings from one searchable location.
- Windows ADMX-backed settings are commonly available through the Settings catalog; custom or third-party ADMX and ADML files can be imported when needed.
- Assignment filters refine group assignments by device or app properties and can include or exclude matching devices at policy-assignment time.
- Windows 11 Enterprise multi-session devices have a constrained Intune model: use Settings catalog filtering for Enterprise multi-session and avoid unsupported OOBE, Autopilot, ESP, and template assumptions.
Configuration profile model
A device configuration profile is how Intune pushes settings to enrolled devices. Profiles are platform-specific. A Wi-Fi profile, VPN profile, certificate profile, device restriction profile, Settings catalog policy, and custom OMA-URI profile are all configuration-profile patterns, but not every platform supports every profile type.
| Platform | Common configuration examples | Important exam distinction |
|---|---|---|
| Windows | Settings catalog, device restrictions, Wi-Fi, VPN, certificates, kiosk, delivery optimization, edition upgrade | Settings can be device scope or user scope; many Windows settings come from configuration service providers and ADMX-backed policy |
| Android Enterprise | Device restrictions, OEMConfig, Wi-Fi, VPN, certificates, custom settings | Enrollment mode matters, such as fully managed, dedicated, or corporate-owned work profile |
| iOS/iPadOS | Device restrictions, device features, Wi-Fi, VPN, certificates, Single Sign-On extensions | Apple settings often map to Apple payload keys and supervised status can affect availability |
| macOS | Settings catalog, device features, preference files, certificates, FileVault-related settings, SSO extensions | Settings catalog can replace some preference-file use cases, but app-specific plist needs may remain |
| Windows 11 Enterprise multi-session | Settings catalog and supported certificate templates | Treat as a separate OS edition for Azure Virtual Desktop multi-session hosts |
Settings catalog, templates, custom settings, and ADMX
Intune commonly asks you to choose between Templates and Settings catalog. Templates group settings around a scenario such as VPN, Wi-Fi, kiosk, certificates, or domain join. Settings catalog is broader and more granular. It is the right answer when the question says you need the broadest built-in list of Windows settings, a specific CSP-backed setting, or an ADMX-backed policy without writing a custom OMA-URI.
For Windows, the Settings catalog includes many built-in administrative template settings. If the setting is already built in to Windows and exposed through Intune, do not import the built-in ADMX just to configure it. Use Settings catalog or, when necessary, a custom profile.
Import custom ADMX and ADML files when a third-party or partner administrative template is not already available in Intune. Once imported, those settings can be used in a device configuration policy and assigned to managed Windows devices.
Use custom settings when the setting is not otherwise available in a profile type. On Windows, that often means a custom OMA-URI that targets a configuration service provider path. On Apple platforms, custom profiles can use Apple configuration files where the built-in UI does not expose the setting.
Assignment: users, devices, and filters
Profile assignment starts with Microsoft Entra user groups or device groups. Choose the group type based on what the setting controls:
- Use device groups for device-scoped settings, self-deploying Autopilot devices, kiosks, shared devices, and Windows Enterprise multi-session device-scope policies.
- Use user groups when the setting should follow the signed-in user and the platform supports user-scope management.
- Avoid assigning user-scope settings to device groups or device-scope settings to user groups when the platform reports them as not applicable.
Assignment filters do not replace groups. They refine a group assignment with device or app properties. For managed devices, filters can evaluate properties such as platform, manufacturer, model, OS version, operating system SKU, ownership, enrollment profile name, and similar inventory values. A policy can include matching devices or exclude matching devices.
Filter evaluation happens when a device enrolls, checks in, or when policy evaluation occurs. This is useful when a group is broad but a profile should apply only to a subset, such as corporate Windows devices in Marketing, iPads in Finance, or Windows 11 devices with a supported SKU.
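The include and exclude behavior described above, as an added example that is not Intune's own evaluator or code from this guide: it models one broad group assignment refined by a pilot filter, using a simplified subset of the rule syntax (`-eq`, `-ne`, `-startsWith`, clauses joined by `and`). The device records, the sample property values, and the names `DEVICES`, `PILOT_RULE`, `matches`, and `targeted` are assumptions made for the illustration.

```python
import re

# Constructed inventory for one broad Entra device group (not real devices;
# the property values are sample strings chosen for this example).
DEVICES = [
    {"deviceName": "MKT-LT-01", "deviceOwnership": "Corporate",
     "osVersion": "10.0.22631.3447", "operatingSystemSKU": "Enterprise"},
    {"deviceName": "MKT-LT-02", "deviceOwnership": "Personal",
     "osVersion": "10.0.22631.3447", "operatingSystemSKU": "Enterprise"},
    {"deviceName": "MKT-LT-03", "deviceOwnership": "Corporate",
     "osVersion": "10.0.19045.4291", "operatingSystemSKU": "Enterprise"},
    {"deviceName": "FIN-LT-04", "deviceOwnership": "Corporate",
     "osVersion": "10.0.22631.3447", "operatingSystemSKU": "Professional"},
]

# Pilot rule in the filter expression style: parenthesised clauses joined by "and".
PILOT_RULE = ('(device.deviceOwnership -eq "Corporate") and '
              '(device.osVersion -startsWith "10.0.22") and '
              '(device.operatingSystemSKU -eq "Enterprise")')

CLAUSE = re.compile(r'\(device\.(\w+) -(eq|ne|startsWith) "([^"]*)"\)')
OPS = {
    "eq": lambda actual, wanted: actual == wanted,
    "ne": lambda actual, wanted: actual != wanted,
    # Plain string prefix test, not a numeric version comparison.
    "startsWith": lambda actual, wanted: actual.startswith(wanted),
}

def matches(rule, device):
    """True if the device satisfies every clause of the rule."""
    clauses = CLAUSE.findall(rule)
    leftover = CLAUSE.sub("", rule).replace("and", "").strip()
    if not clauses or leftover:
        # Fail closed: an unparsed rule must never match every device.
        raise ValueError(f"unsupported filter rule: {rule!r}")
    return all(OPS[op](str(device.get(prop, "")), value)
               for prop, op, value in clauses)

def targeted(devices, rule=None, mode=None):
    """Names of group members that receive the policy for this assignment."""
    if rule is None:
        return [d["deviceName"] for d in devices]  # group only, no filter
    if mode not in ("include", "exclude"):
        raise ValueError("mode must be 'include' or 'exclude'")
    return [d["deviceName"] for d in devices
            if matches(rule, d) == (mode == "include")]
```

With the same group and the same rule, include mode leaves only the corporate Windows 11 Enterprise pilot device in scope, while exclude mode delivers the policy to every other group member.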
Windows 11 Enterprise multi-session detail
Windows 11 Enterprise multi-session is an Azure Virtual Desktop edition that allows multiple concurrent user sessions. Intune can manage it, but it is not the same as a standard physical Windows client.
Use these rules for MD-102:
- Create configuration policies for multi-session hosts with the Settings catalog.
- In the settings picker, filter OS edition to Enterprise multi-session to see supported settings.
- Device-based configuration targets device groups; user-based configuration targets user groups.
- Templates are not generally supported except supported certificate templates.
- OOBE enrollment, Windows Autopilot, and ESP are not supported for Windows Enterprise multi-session.
- Some remote actions and Windows update ring policies are unsupported, so use supported Settings catalog options where available.
Scenario shortcut
If the question asks for one policy assigned to a broad group but only corporate-owned Windows 11 devices should receive it, use an assignment filter. If it asks for a third-party browser ADMX not present in Intune, import custom ADMX and ADML. If it asks for the broadest first place to find Windows settings, use Settings catalog. If it asks for Windows 11 Enterprise multi-session configuration, use Settings catalog with the Enterprise multi-session filter.
You need the broadest built-in access to Windows device settings in Intune, including many ADMX-backed settings, without writing a custom OMA-URI. Which profile type should you start with?
A configuration profile is assigned to all corporate Windows devices, but it should apply only to devices whose OS version and SKU meet a pilot requirement. What should you add to the assignment?
An Azure Virtual Desktop host uses Windows 11 Enterprise multi-session and must receive supported Intune configuration settings. Which approach is correct?