We recently posted a message center post to a handful of EDU customers. In this blog post, we’ll share screenshots and additional information on these cases that came through support.
For context, last March, Microsoft enabled a new policy wizard in the Microsoft 365 admin center to help administrators set up and configure their M365 device management services. This customer-requested wizard simplifies device management setup, but it can cause conflicts for organizations that already had settings configured. Administrators in your organization may have inadvertently deployed device configuration and app protection policies to all users after completing a guided workflow in the Microsoft 365 Admin portal. This could cause an unexpected user/device experience.
Here are screenshots of the new guided workflow, which is very useful for getting started with M365:
Below are some examples of the potential impact depending on the options selected during the “Protect data & devices” step of the guided workflow (Step 3) or if you selected “Create Policy” on a subsequent Protect mobile device tile under the View Recommendation option:
Below are policies that may have been created and assigned to All Users:
| Impacted Platform | Policy Type | Policy Name | Guided workflow option selection |
| --- | --- | --- | --- |
| Windows | Endpoint Protection (Device Configuration) | Endpoint Protection policy for Windows 10 devices | Secure Windows 10 devices |
| Windows | Device restrictions (Device Configuration) | Device policy for Windows 10 | Secure Windows 10 devices |
| Android | App protection policies (Client apps) | Application policy for Android | Protect work files when devices are lost or stolen; Manage how users access Office files on mobile devices |
| iOS | App protection policies (Client apps) | Application policy for iOS | Protect work files when devices are lost or stolen; Manage how users access Office files on mobile devices |
| Windows | App protection policies (Client apps) | Application policy for Windows 10 (with enrollment) | Protect work files when devices are lost or stolen; Manage how users access Office files on mobile devices |
| Windows | App protection policies (Client apps) | Application policy for Windows 10 (without enrollment) | Protect work files when devices are lost or stolen; Manage how users access Office files on mobile devices |
| Android | App protection policies (Client apps) | Default Mobile App Policy for Android devices | View Recommendations: Protect files on mobile apps |
| iOS | App protection policies (Client apps) | Default Mobile App Policy for iOS devices | View Recommendations: Protect files on mobile apps |
Please Note: Some policies may or may not exist depending on the options selected during or right after the guided workflow in the M365 Admin console.
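One way to check a tenant for the policies in the table above, as an added example that is not from the original post or from Microsoft: it scans a policy export for the listed names that are still assigned to All Users. The input shape (Graph-style `displayName` and `assignments[].target["@odata.type"]`), the `audit` function and the sample data are assumptions constructed for illustration.

```python
ALL_USERS = "#microsoft.graph.allLicensedUsersAssignmentTarget"
EXCLUSION = "#microsoft.graph.exclusionGroupAssignmentTarget"
GROUP = "#microsoft.graph.groupAssignmentTarget"

# Policy names exactly as listed in the table on this page.
WIZARD_POLICY_NAMES = {
    "Endpoint Protection policy for Windows 10 devices",
    "Device policy for Windows 10",
    "Application policy for Android",
    "Application policy for iOS",
    "Application policy for Windows 10 (with enrollment)",
    "Application policy for Windows 10 (without enrollment)",
    "Default Mobile App Policy for Android devices",
    "Default Mobile App Policy for iOS devices",
}
_KNOWN = {n.casefold() for n in WIZARD_POLICY_NAMES}

def audit(policies):
    """Return wizard-named policies that still target All Users.
    Assumed input: Graph-style items with displayName and assignments[].target."""
    findings = []
    for p in policies:
        name = " ".join((p.get("displayName") or "").split())
        if name.casefold() not in _KNOWN:
            continue  # admin-authored policy, out of scope for this check
        types = [(a.get("target") or {}).get("@odata.type")
                 for a in p.get("assignments") or []]
        if ALL_USERS in types:
            # Exclusion groups narrow the scope; everyone else is still targeted.
            findings.append({"id": p.get("id"), "displayName": name,
                             "has_exclusions": EXCLUSION in types})
    return findings

def _t(kind):  # builds one constructed assignment entry
    return {"target": {"@odata.type": kind}}

# Constructed sample export; ids are placeholders, not real tenant values.
SAMPLE = [
    {"id": "pol-1", "displayName": "Device policy for Windows 10", "assignments": [_t(ALL_USERS)]},
    {"id": "pol-2", "displayName": "application policy for  iOS", "assignments": [_t(ALL_USERS), _t(EXCLUSION)]},
    {"id": "pol-3", "displayName": "Application policy for Android", "assignments": [_t(GROUP)]},
    {"id": "pol-4", "displayName": "Teachers baseline", "assignments": [_t(ALL_USERS)]},
    {"id": "pol-5", "displayName": "Default Mobile App Policy for iOS devices", "assignments": None},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Policies that match a listed name but are scoped only to a group, such as `pol-3` in the sample, are not reported, since they no longer reach all users.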
So what did we have customers look for?
If you didn’t actually want all users to have device or app protection policies, you can follow the remediation steps described below, provided you’re a global admin, an Intune admin, or have delegations/permissions to make changes to policies for the All Users group.
3. Once devices are confirmed to be remediated, you can then proceed to delete any of the impacting policies.
While we’d always advocate for device and app policies, we also understand you may have intended a tiered access setup with your various education audiences (teachers, students, IT admins, etc.). Let us know by commenting back on this post if you have any other questions.
One final note (not completely related, but EDU specific): we did hear from a few of you through this blog and social media that you or your Partner of Record set up the Intune environment with a general Intune SKU, then moved to an EDU license. Several folks mentioned they got the EDU policies applied even after setting up policies in Intune. As of last sprint, we have reverted that behavior. If you start with an EDU SKU, you’ll get the general policies that come pre-set for EDU. If you move from Intune -> EDU, we’ll keep what you had and not apply the EDU SKU policies.