How to Configure Device Restriction settings in Microsoft Intune

Introduction

Microsoft Intune is a cloud-based service that allows organizations to manage and secure their devices, including Windows PCs, Macs, iOS, Android, and more. Device restrictions in Microsoft Intune refer to the policies and settings that can be configured to control and manage the behavior and security of devices enrolled in an organization's Intune environment. These restrictions can be applied to a wide range of settings to ensure compliance with the organization's security and usage policies.

Intune uses "configuration profiles" to create and customize these settings for an organization's needs. After adding these features to a profile, you can then push or deploy the profile to devices in your organization.

In short, you first create a configuration profile that contains all the administrative settings you need, and then deploy that profile to the devices in your organization.

Prerequisites

  • Microsoft 365 Business Premium
  • Microsoft 365 Enterprise E3 and E5
  • Enterprise Mobility + Security (EMS) E3 and E5
  • Intune for Education
  • Intune standalone license

Method

Step 1. Log in to 365 Admin Center → Endpoint Manager with an Administrator account.

Step 2. Go to Devices → Configuration Profiles.

Step 3. Click Create Profile

Step 4. First, select a platform. Here I’m going to deploy device restrictions to all devices running Windows 10 and later.

Step 5. Select Templates as the profile type, then select Device restrictions.

Step 6. Enter basic details

  • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. Example: Device Restriction Policy
  • Description: Enter a description for the policy. (Optional)

Step 7. Enable or disable settings as required.

In this blog, I’m going to restrict the settings in the following categories. You can restrict any setting on devices according to your company's rules.

Cellular and Connectivity

  • Data and Wi-Fi settings
  • Restrict the use of VPN
  • Disable NFC
  • Bluetooth restrictions (however, you can allow Bluetooth services manually)

General

  • Block users from manually enrolling
  • Block the use of removable storage
  • Restrict Internet Sharing
  • Disable the USB connection on the device

Password

  • Require a password to access the device
  • Password type (Complexity)
  • Block entering simple passwords

Step 8. In assignments, select user or device groups to deploy the policy.

Under Included Groups or Excluded Groups, choose Add Groups to select one or more Azure AD groups. If you intend to deploy the policy broadly to all applicable devices, select Add all users or Add all devices.

Step 9. (Optional) Apply specific rules to the selected group or user.

Step 10. Click Review + Create to review your settings. When you select Create, your changes are saved, and the profile is assigned.

Note: Created profiles are listed under Profiles in Configuration profiles. To change a profile, select it, edit its settings, and deploy the updated policy.
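Because a profile can be edited after it is deployed, it is worth checking periodically that the restrictions chosen in Step 7 are still in place. The PowerShell below is an added example, not part of the original walkthrough: it compares device restriction profiles against a baseline and lists every setting that differs. The mapping from portal labels to Microsoft Graph windows10GeneralConfiguration properties, the expected values, the function name Get-RestrictionDrift and the sample data are all assumptions of this example.

```powershell
# Baseline for the Step 7 restrictions. Property names belong to the Graph
# windows10GeneralConfiguration resource; the label-to-property mapping and the
# expected values are assumptions of this example, so adjust them to your policy.
$Baseline = [ordered]@{
    cellularBlockVpn             = $true
    nfcBlocked                   = $true
    bluetoothBlocked             = $true
    storageBlockRemovableStorage = $true
    internetSharingBlocked       = $true
    usbBlocked                   = $true
    passwordRequired             = $true
    passwordBlockSimple          = $true
    passwordRequiredType         = 'alphanumeric'
}
function Get-RestrictionDrift {
    # Emits one object per setting whose value differs from the baseline.
    param([Parameter(Mandatory)] $Config, [Parameter(Mandatory)] $Baseline)
    foreach ($name in $Baseline.Keys) {
        $actual = $Config.$name          # $null when the setting is not configured
        if ($actual -ne $Baseline[$name]) {
            [pscustomobject]@{
                Profile  = $Config.displayName
                Setting  = $name
                Expected = $Baseline[$name]
                Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            }
        }
    }
}
# Constructed sample shaped like a deviceConfigurations response (not real tenant data).
$SampleJson = @'
{ "value": [
  { "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
    "displayName": "Device Restriction Policy", "cellularBlockVpn": true,
    "nfcBlocked": true, "bluetoothBlocked": false, "storageBlockRemovableStorage": true,
    "internetSharingBlocked": true, "usbBlocked": true, "passwordRequired": true,
    "passwordBlockSimple": false, "passwordRequiredType": "deviceDefault" },
  { "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
    "displayName": "Unrelated custom profile" } ] }
'@
$configs = ($SampleJson | ConvertFrom-Json).value
# Against a live tenant (Microsoft.Graph.Authentication module), replace the line above:
#   Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'
#   $configs = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
#       -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations').value
$configs |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windows10GeneralConfiguration' } |
    ForEach-Object { Get-RestrictionDrift -Config $_ -Baseline $Baseline } |
    Format-Table -AutoSize
```

An empty table means every device restriction profile matches the baseline. The live query needs only read access to device configuration, so the check can run from an account that cannot change policy.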
