How to create a custom policy in Microsoft Intune

April 12, 2023 09:46 by Jesper Nielsen • 6 minutes to read

Microsoft Intune is a cloud-based service that helps organizations manage and secure their mobile devices, apps, and data. An important feature of Microsoft Intune is device configuration policies, which allow administrators to set and enforce settings on devices enrolled in Intune. Device configuration policies can help organizations meet their compliance, security, and productivity needs.

There are several types of device configuration policies in Intune, depending on the platform and the scenario. Some of the common types are:

  • Device restrictions: These policies let administrators control the features and settings of devices, such as camera, Bluetooth, password, encryption, and so on. Device restrictions are available for Windows 10, iOS/iPadOS, Android, and macOS devices.
  • Device features: These policies let administrators enable or disable specific features of devices, such as Windows Hello, BitLocker, Firewall, and so on. Device features are available for Windows 10 devices.
  • Endpoint protection: These policies let administrators configure the security settings of devices, such as antivirus, Firewall, exploit protection, and so on. Endpoint protection policies are available for Windows 10 devices.
  • Custom: These policies let administrators create and deploy custom settings for devices, using OMA-URI, XML, or ADMX files. Custom policies are available for Windows 10, iOS/iPadOS, Android, and macOS devices.

Currently, the two types of policies most often used for Windows devices are Settings Catalog policies and custom policies.

Settings Catalog policies are policies that cover a wide range of settings and scenarios, e.g., endpoint protection and device configuration.

Custom policies are policies that you create from scratch using the custom OMA-URI settings. OMA-URI stands for Open Mobile Alliance Uniform Resource Identifier, and it is a standard that defines how to access and configure device settings. Custom policies let you configure settings not available in the Settings Catalog or fine-tune those available.

Before you create a custom policy, you should always check if the setting that you want to configure is available in the Settings Catalog. The Settings Catalog is constantly updated with new settings and features, and it is easier and faster to use than custom policies.

However, there are some use cases where a custom policy might fit your needs better, such as:

  • You want to configure a setting that is not available in the Settings Catalog, or that is only available for certain editions or versions of Windows.
  • You want to configure a setting that is available in the Settings Catalog, but you want to use a different value or option than the ones provided by Microsoft Intune.
  • You want to configure a setting dependent on a setting not available in the Settings Catalog or combining settings in a single policy that is otherwise not possible.

In this blog post, I will show you how to create a custom Windows policy in Microsoft Intune and provide some examples of use cases for custom policies. You can find more information in these links:

How to create a custom policy in Microsoft Intune

Before you can create a Windows custom policy in Microsoft Intune, you need to gather the information the policy requires.

Besides the name and description of the custom policy itself, the information you need depends on the type of setting you want to configure. For every OMA-URI setting you want to configure, you need the following:

Name. A unique name for the OMA-URI setting to help you identify it in the list of settings.

Description. A description that gives an overview of the setting, and any other key details.

OMA-URI (case sensitive). The OMA-URI you want to use as a setting. This is a unique identifier that specifies the location and name of the setting in the device management tree. You can find the OMA-URI of the setting from the Windows documentation, the Group Policy Editor, or the Registry Editor. For example, the OMA-URI of the Windows Spotlight setting is ./Vendor/MSFT/Policy/Config/CloudContent/ConfigureWindowsSpotlight.

Data type. The data type you will use for this OMA-URI setting. Your options:

  • Base64 (file)
  • Boolean
  • String (XML file)
  • Date and time
  • String
  • Floating point
  • Integer

Value. The data value you want to associate with the OMA-URI you entered. The value depends on the data type you selected.

Once you have this information, you are ready to create a Windows custom policy in Microsoft Intune by following these steps:

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Devices > Configuration profiles > Create profile.
  3. Enter a name and description for the profile and select Windows 10 and later as the platform.
  4. Select Custom as the profile type.
  5. Click Add to add a custom OMA-URI setting.
  6. Enter a name and description for the setting and select the data type that matches the setting value.
  7. Enter the OMA-URI for the setting that you want to configure. You can find the OMA-URI for a setting in the Windows MDM documentation.
  8. Enter the value for the setting that you want to apply. The value must match the data type and the format that the setting expects.
  9. Click OK to save the setting and repeat steps 5 to 8 to add more settings if needed.
  10. Click Next to review the settings and click Create to create the profile.
  11. Assign the profile to the groups of devices that you want to apply the custom policy to.
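The same profile can be created and assigned through Microsoft Graph, which is useful when you want the policy in source control or need to roll it out to several tenants. The script below is an added example and not part of the original post or of any Microsoft tooling; it uses the Microsoft.Graph PowerShell SDK, the Windows Spotlight OMA-URI from this post, and a placeholder group id that you must replace with a real Entra ID group object id.

```powershell
# Added example (not from the original post): create and assign a Windows custom
# profile through Microsoft Graph instead of clicking through the admin center.
# Assumptions: Microsoft.Graph SDK is installed; $groupId is a placeholder.
Import-Module Microsoft.Graph.Authentication

# Request only the scope needed to manage configuration profiles.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$baseUri = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'

# Steps 3-8 of the post: one omaSettings entry per OMA-URI row. The @odata.type
# of each entry is the data type you would pick in the portal (Integer here).
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Custom - Windows Spotlight'
    description   = 'Enables Windows Spotlight through the CloudContent CSP'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'ConfigureWindowsSpotlight'
            description   = '1 = enabled, 0 = disabled'
            omaUri        = './Vendor/MSFT/Policy/Config/CloudContent/ConfigureWindowsSpotlight'
            value         = 1
        }
    )
}

# Step 10: create the profile and keep its id for the assignment call.
$created = Invoke-MgGraphRequest -Method POST -Uri $baseUri `
    -Body ($profileBody | ConvertTo-Json -Depth 10) -ContentType 'application/json'
Write-Host "Created profile $($created.displayName) with id $($created.id)"

# Step 11: assign the profile to a device group.
$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your group object id
$assignmentBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$baseUri/$($created.id)/assign" `
    -Body ($assignmentBody | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Read the profile back so the OMA-URI and value can be verified before devices sync.
$check = Invoke-MgGraphRequest -Method GET -Uri "$baseUri/$($created.id)"
$check.omaSettings | ForEach-Object { Write-Host "$($_.omaUri) = $($_.value)" }
```

Every OMA-URI data type from the list above has a matching Graph type (omaSettingString, omaSettingStringXml, omaSettingBoolean, omaSettingBase64, omaSettingDateTime, omaSettingFloatingPoint); swap the `@odata.type` and `value` of the entry to match the setting you are deploying.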

After you create and assign the custom policy, you can monitor its status and compliance in the Microsoft Endpoint Manager admin center. You can also use the Intune Management Extension log on the device to troubleshoot any issues with the custom policy.

Use cases for custom policies

Here are some examples of use cases for custom policies that you might encounter as an IT admin:

  • You want to configure Windows Spotlight, the feature that displays curated images and content on the lock screen and provides tips and suggestions for using Windows 10, on your Windows devices. However, Windows Spotlight is currently not available in the Settings Catalog, so enabling or disabling it requires a custom policy. You can use the OMA-URI ./Vendor/MSFT/Policy/Config/CloudContent/ConfigureWindowsSpotlight and set the value to 1 to enable Windows Spotlight, or 0 to disable it.
  • You want to configure the default browser on Windows devices. The default browser is the app that opens when you click on a link or a web shortcut. You can use the Settings Catalog to configure the default browser, but the options are limited to Microsoft Edge. If you want to use a different browser, such as Chrome or Firefox, you need to create a custom policy. You can use the OMA-URI ./Device/Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration and set the value to the path of an XML file that contains the associations for the file types and protocols that you want to open with the default browser.

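For the default browser use case, the ApplicationDefaults CSP documents the value of DefaultAssociationsConfiguration as the associations XML itself, Base64-encoded, so what you paste into the profile is the encoded file content. The script below is an added example, not code from the original post: it constructs a minimal associations file for Google Chrome, validates it, encodes it, and checks the round trip. The ProgId values are assumptions to confirm against a DISM export from a reference machine where the browser is already the default.

```powershell
# Added example (not from the original post): build the value for the
# ApplicationDefaults/DefaultAssociationsConfiguration OMA-URI (data type: String).

# 1) On a reference machine with the desired browser set as default, export the
#    current associations and use that file as the starting point:
#    dism /online /export-defaultappassociations:C:\Temp\appassoc.xml

# 2) Keep only the identifiers you want to enforce. Constructed example for Chrome;
#    verify the ProgId against the exported file before deploying.
$associationsXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".htm"  ProgId="ChromeHTML" ApplicationName="Google Chrome" />
  <Association Identifier=".html" ProgId="ChromeHTML" ApplicationName="Google Chrome" />
  <Association Identifier="http"  ProgId="ChromeHTML" ApplicationName="Google Chrome" />
  <Association Identifier="https" ProgId="ChromeHTML" ApplicationName="Google Chrome" />
</DefaultAssociations>
"@

# 3) Make sure the XML is well-formed before it leaves the admin workstation;
#    a malformed file silently fails to apply on the device.
[xml]$parsed = $associationsXml
$count = @($parsed.DefaultAssociations.Association).Count
Write-Host "Enforcing $count file type and protocol associations"

# 4) Base64-encode the UTF-8 bytes. This string is the OMA-URI value.
$bytes  = [System.Text.Encoding]::UTF8.GetBytes($associationsXml)
$value  = [System.Convert]::ToBase64String($bytes)
$omaUri = './Device/Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration'

# 5) Decode and compare to confirm nothing was mangled on the way to the clipboard.
$roundTrip = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($value))
if ($roundTrip -ne $associationsXml) { throw 'Base64 round trip failed' }

Set-Clipboard -Value $value
Write-Host "Value for $omaUri copied to clipboard ($($value.Length) characters)"
```

The associations are applied at sign-in, so a device that already has the policy will not change its default browser until the user signs in again.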
These are just some of the use cases for custom policies that you might encounter as an IT admin. There might be more settings and scenarios that you can configure with custom policies, depending on your organization’s needs and preferences. However, you should always check if the setting that you want to configure is available in the Settings Catalog first and use custom policies only when necessary.

I hope this blog post was helpful for you to understand how to create a custom Windows policy in Microsoft Intune, and what some of the use cases for custom policies are.

Happy building.

–Jesper


Header image attribution: Created using Adobe Firefly