Support tip: Windows device configuration policies migrating to unified settings platform in Intune

Jul 12, 2024

By: Julia Idaewor – Product Manager II | Microsoft Intune

 

Keep in mind: This migration won’t impact your existing profiles; the configured settings and values will be brought over as they are currently saved. Additionally, this won’t impact the state of enforcement of policy on managed devices.

 

As we update and simplify creating and managing configuration settings in Microsoft Intune, we’re also migrating policies and settings to the unified settings platform. This platform is the foundation of the settings catalog, which provides quick access to policy and settings. Additionally, it provides consistency across naming, tooltips, available values, and standardizes the “not configured” value for policy settings regardless of where you interact with the policy.

We previously migrated endpoint security policies and baselines to the unified settings platform. Starting on July 15 or soon after, we will begin migrating device configuration templates to the new, unified settings platform. Specifically, these are the profiles created by navigating to Devices > Configuration > Create new policy > Windows 10 and later > Templates in the Microsoft Intune admin center.

During the migration, you may see a message stating, “Some device configuration templates created before July 15 will be migrated. For others, you’ll notice a new policy editing experience. Learn more about this migration here.”

 

A screenshot of the message an IT Pro will see in the Devices > Configuration profiles pane before migration begins.

The option to create new Windows device configuration templates will be discontinued for the subset of templates listed below. However, all settings will remain accessible for configuration in the settings catalog. We strongly recommend utilizing the settings catalog for all your managed device configuration needs.

Following the migration, certain templates as listed below will become exclusively configurable within the settings catalog moving forward. For the other templates listed, the next time the upgraded policy is edited, you will also notice a new policy editing experience, improved reporting and handling for setting values to "not configured".

Please see below for details on each template’s migration experience and note that these are subject to change as migration efforts develop. We’ll provide updates to this post as needed:

  • Delivery optimization: This template can still be configured in the same location.
  • Identity protection (Account protection): This template will be moving to the Endpoint security blade.
  • Microsoft Defender for Endpoint (EDR): This template can still be configured in the same location.
  • Device restrictions (Windows 10 Team): This template can still be configured in the same location.
  • Network boundary: This template will no longer be available. Settings in this template can be configured via settings catalog only. Migrated policies will show ‘Settings catalog’ as the policy type.
  • Device restrictions: This template will no longer be available. Settings in this template can be configured via settings catalog only. Migrated policies will show ‘Settings catalog’ as the policy type.
  • Administrative templates: This template will no longer be available. Settings in this template can be configured via settings catalog only. Migrated policies will show ‘Settings catalog’ as the policy type. Expected with Intune's December (2412) release, these profiles will be marked as "deprecated" in the Intune admin center and you'll not be able to create new Administrative template profiles.
  • Kiosk: This template can still be configured in the same location.
  • Custom OMA-URI: This template will still be available, but only settings that do not exist in the settings catalog can be configured via custom OMA-URI. This change will happen in a phased approach, starting in mid-August by blocking the least used settings and, in mid-September, slowly expanding to the remaining settings available in the settings catalog.
  • Domain join: To be determined.
  • Edition upgrade and mode switch: To be determined.

If you see a device configuration template in the UI that’s not listed above, there will be no changes to the current experience and the template will remain as-is.

If you’re interacting with device configuration profiles via the 'deviceManagement/deviceConfigurations' Microsoft Graph API, you’ll be able to continue creating new policies, but they’ll be migrated at a later date. Once migrated, the new policies will have new PolicyIDs and will be created with the 'deviceManagement/configurationPolicies' API. We recommend switching to the new Graph endpoints for policy creation as soon as possible.
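An added example (not Microsoft's code) for taking stock before switching endpoints: it pages through the legacy 'deviceManagement/deviceConfigurations' collection, groups profiles by the migration outcome listed above, and pulls the OMA-URIs out of custom profiles so they can be reviewed against the settings catalog. The `@odata.type`-to-template mapping, the beta URL and the `fetch` callable (any function that returns the parsed JSON for a URL) are assumptions, and the sample response is constructed.

```python
from collections import defaultdict

# Assumption: the beta endpoint, which exposes every Windows type mapped below.
LEGACY_URL = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"
G = "#microsoft.graph."
CUSTOM = "custom OMA-URI: settings present in the catalog get blocked"
UNLISTED = "not listed in the post: no change"
# Outcomes are the post's; the Graph type per template is an assumed mapping.
# Administrative templates live under deviceManagement/groupPolicyConfigurations.
BY_OUTCOME = {
    "same location": ["windowsDeliveryOptimizationConfiguration", "windowsKioskConfiguration",
                      "windowsDefenderAdvancedThreatProtectionConfiguration",
                      "windows10TeamGeneralConfiguration"],
    "moves to Endpoint security": ["windowsIdentityProtectionConfiguration"],
    "settings catalog only": ["windows10NetworkBoundaryConfiguration", "windows10GeneralConfiguration"],
    CUSTOM: ["windows10CustomConfiguration"],
    "to be determined": ["windowsDomainJoinConfiguration", "editionUpgradeConfiguration"],
}
OUTCOME = {G + t: outcome for outcome, types in BY_OUTCOME.items() for t in types}

def iter_profiles(fetch, url=LEGACY_URL):
    """Yield every profile, following @odata.nextLink paging."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def triage(fetch):
    """Group profiles by migration outcome; list the OMA-URIs of custom profiles."""
    report = defaultdict(list)
    for p in iter_profiles(fetch):
        outcome = OUTCOME.get(p.get("@odata.type"), UNLISTED)
        entry = {"id": p["id"], "name": p.get("displayName", "")}
        if outcome == CUSTOM:
            entry["oma_uris"] = sorted({s["omaUri"] for s in p.get("omaSettings", [])})
        report[outcome].append(entry)
    return dict(report)

# Constructed two-page response standing in for an authenticated Graph call.
NEXT = LEGACY_URL + "?$skiptoken=constructed"
SAMPLE = {
    LEGACY_URL: {"@odata.nextLink": NEXT, "value": [
        {"@odata.type": G + "windows10GeneralConfiguration", "id": "id-1", "displayName": "Constructed restrictions"},
        {"@odata.type": G + "windows10CustomConfiguration", "id": "id-2", "displayName": "Constructed custom",
         "omaSettings": [{"omaUri": "./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength"}]},
    ]},
    NEXT: {"value": [{"@odata.type": G + "iosGeneralDeviceConfiguration", "id": "id-3", "displayName": "Constructed iOS"}]},
}
if __name__ == "__main__":
    print(triage(SAMPLE.__getitem__))
```

Record the legacy IDs this produces before migration, since migrated policies get new PolicyIDs.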

Note: You may see a slight change in reporting numbers when these policies are migrated. Similar to when a policy is edited, reporting records of devices that previously applied policy and reported the results, but are no longer managed or checking in, will not appear in the new reports until they check in again.

What to do to prepare:
If you are using Microsoft Graph API for device configuration policies, we recommend updating to the new graph endpoints. Otherwise, no action is required, only awareness.

Key takeaways:
Keep the following in mind as we migrate device configuration policies to the unified settings platform:

  • Use Security baselines to deploy the recommended settings and values for common scenarios. This is a great place to start, if you’re new to Intune.
  • If you’re coming from on-premises Active Directory, start with Group policy analytics to analyze your on-premises Group Policy objects (GPOs) and to help you determine how your existing policy translates in the cloud.
  • For greater control, we recommend using the settings catalog, where you can browse the catalog of all available policy settings and create a custom policy from scratch that meets your needs. You can use the settings catalog to create a policy by searching and adding only those settings that you specify. For a full list of available settings in the catalog, see aka.ms/catalogedsettings.

Let us know if you have any questions by replying to this post or reaching out to @IntuneSuppTeam on X. We’ll continue to provide updates to the migration status of these templates.

 

Updates

07/19/2024: Template migration list updated to include custom OMA-URI.

11/04/2024: After a brief pause, we've resumed the migration for endpoint security policies and it is still in progress. New Administrative Templates will not be allowed starting in the 2412 release. 

Updated Nov 11, 2024
Version 7.0