Use the settings catalog to configure settings on Windows and macOS devices - preview

The settings catalog lists all the settings you can configure, all in one place. This feature simplifies how you create a policy and how you see all the available settings. More settings are continually being added. If you prefer to configure settings at a granular level, similar to on-premises GPO, then the settings catalog is a natural transition.

When you create the policy, you start from scratch. You add only the settings you want to control and manage. For example, you can use the settings catalog to create a BitLocker policy with all BitLocker settings, and all in one place in Intune.

Use the settings catalog as part of your mobile device management (MDM) solution to manage and secure devices in your organization.

This feature applies to:

  • macOS

    • Configure device settings. Device settings that are directly generated from Apple Profile-Specific Payload Keys are continually being added. To learn more about these keys, see Profile-Specific Payload Keys (opens Apple's website).
    • Configure Microsoft Edge version 77 and newer. Previously, you had to use a property list (plist) file (opens another Microsoft website). For a list of the settings you can configure, see Microsoft Edge - Policies (opens another Microsoft website). Be sure macOS is listed as a supported platform. If some settings aren't available in the settings catalog, then it's recommended to continue using the preference file.
    • Configure Microsoft Defender for Endpoint. Previously, you had to use a property list (plist) file (opens another Microsoft website). For a list of the settings you can configure, see Set preferences for Microsoft Defender for Endpoint on macOS (opens another Microsoft website). Be sure macOS is listed as a supported platform. If some settings aren't available in the settings catalog, then it's recommended to continue using the preference file.
  • Windows 10/11

    There are thousands of settings to choose from, including settings that haven't been available before. These settings are directly generated from the Windows configuration service providers (CSPs). You can also configure Administrative Templates, and more Administrative Template settings are available. As Windows adds or exposes more settings to MDM providers, these settings are added more quickly to Microsoft Intune for you to configure.

Tip

To see the Microsoft Edge policies you have configured, open Microsoft Edge, and go to edge://policy.

This article lists the steps to create a policy, and shows how to search and filter the settings in Intune. When you create the policy, it creates a device configuration profile. You can then assign or deploy this profile to devices in your organization.

Create the policy

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Configuration profiles > Create profile.

  3. Enter the following properties:

    • Platform: Select macOS, or select Windows 10 and later.
    • Profile: Select Settings catalog (preview).
  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is macOS: MSFT Edge v77 settings or Win10: BitLocker settings for all Win10 devices.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
  6. Select Next.

  7. In Configuration settings, select Add settings. In the settings picker, select a category to see all the available settings.

    For example, choose Windows 10 and later, then select Authentication to see all the settings in this category:

    Screenshot: the settings picker in the Microsoft Intune and Endpoint Manager admin center, with Windows 10 and later and the Authentication category selected.

    For example, choose macOS. The Microsoft Edge - All category lists all the settings you can configure, including any new settings. The other categories include settings that are obsolete, or settings that apply to older versions:

    Screenshot: the settings picker with macOS selected and a feature or category chosen.

    Tip

    • On macOS, the categories are temporarily removed. To find a specific setting, use the Microsoft Edge - All category, or search for the setting name. For a list of the setting names, go to Microsoft Edge - Policies.

    • Use the Learn more link in the tooltip to see if a setting is obsolete, and to see the supported versions.

  8. Select any setting you want to configure. Or, choose Select all these settings:

    Screenshot: the Select all these settings option in the settings picker.

    After you add your settings, close the settings picker. All the settings are shown, each configured with a default value, such as Block or Allow. These default values are the same as the default values in the OS. If you don't want to configure a setting, then select the minus:

    Screenshot: an added setting showing its default value, which matches the OS default, with the minus control beside it.

    When you select the minus:

    • Intune doesn't change or update this setting. The minus is the same as Not configured. When set to Not configured, the setting is no longer managed.
    • The setting is removed from the policy. The next time you open your policy, the setting isn't shown. You can add it again.
    • The next time devices check in, the setting is no longer locked. It can be changed by another policy or by the device user.

    Tip

    In the Windows setting tooltips, Learn more links to the CSP.

  9. Select Next.

  10. In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  11. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC roles and scope tags for distributed IT.

    Select Next.

  12. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time the device checks for configuration updates, the settings you configured are applied.

Find some settings

There are thousands of settings available in the settings catalog. To make it easier to find specific settings, use the built-in features:

  • In your policy, use Add settings > Search to find specific settings. You can search by category (such as browser), by keyword (such as office or google), or for a specific setting name.

    For example, search for internet explorer. All the settings with internet explorer are shown. Select a category to see the available settings:

    Screenshot: search results for internet explorer in the settings picker.

  • In your policy, use Add settings > Add filter. Select the key, operator, and value. In value, you can filter to only show the settings that apply to Holographic for Business, Windows Enterprise, and other editions:

    Screenshot: the settings list filtered by Windows edition.

    Note

    For the Edge, Office, and OneDrive settings, the OS version or edition doesn't determine if the settings apply. So, if you filter to a specific edition, like Windows Professional, then the Edge, Office, and OneDrive settings aren't shown.

Duplicate a profile

Select Duplicate to create a copy of an existing profile. Duplicating is useful when you need a profile that's similar yet distinct from the original one. The copy contains the same setting configurations and scope tags as the original profile, but doesn't have assignments attached to it. After you give the new profile a name, you can edit it to adjust the settings and add assignments.

  1. Go to Devices > Configuration profiles.
  2. Locate the profile that you want to copy in the table. Right-click the profile, or select the ellipsis (...) context menu in the same row.
  3. Select Duplicate.
  4. Enter a new name for the policy, and optionally, a description.
  5. Select Save.

Reporting and conflicts

You create the policy, and assign it to your groups. In the Endpoint Manager admin center, you can check the status of your policy. The data refreshes automatically, and operates in near real time.

  1. In the Endpoint Manager admin center, select Devices > Device configuration profiles. In the list, select the policy you created using the Settings Catalog. The Profile type column shows Settings Catalog:

    Screenshot: the profiles list with the Profile type column showing Settings Catalog.

  2. When you select the policy, the device status shows. It shows a summary of your policy state and the policy properties. You can also change or update your policy in the Configuration settings section:

    Screenshot: a settings catalog policy showing the device status, policy state, and properties.

  3. Select View report. The report shows detailed information, including the device name, the policy status, and more. You can also filter on the deployment status, and Export the report to a .csv file:

    Screenshot: the detailed report, including device name, policy status, and more.

  4. You can also look at the states of each setting using the per-setting status. This status shows the total number of devices affected by each setting in the policy.

    You can:

    • See the number of devices with the setting successfully applied, in conflict, or in error.
    • Select the number of devices in compliance, conflict, or error. And, see a list of users or devices in that state.
    • Search, sort, filter, export, and go to the next and previous pages.
  5. In the admin center, select Devices > Monitor > Assignment failures. If your Settings Catalog policy failed to deploy because of an error or conflict, it will show in this list. You can also Export to a .csv file.

  6. Select the policy to see the devices. Then, select a specific device to see the setting that failed, and a possible error code.

Tip

The Intune reports article is a great resource, and describes all the reporting features you can use.

Conflicts

Conflicts happen when the same setting is updated to different values. Conflicts can also happen with policies configured using the settings catalog. For more information on conflict resolution, see:

Settings catalog vs. templates

When you create the policy, you have two policy types: Settings catalog and Templates:

Screenshot: the profile type options Settings catalog and Templates when creating a Windows or macOS policy.

The Templates include a logical group of settings, such as device restrictions, kiosk, and more. Use this option if you want to use these groupings to configure your settings.

The Settings catalog lists all the available settings. If you want to see all the available Firewall settings, or all the available BitLocker settings, then use this option. Also, use this option if you're looking for specific settings.

Device scope vs. user scope settings

When you select a setting, some settings have a (User) tag or (Device) tag in the setting name, such as Allow EAP Cert SSO (User) or Grouping (Device). When you see these tags, the policy only affects the user scope or the device scope.

For more information on user scope and device scope, see the Policy CSP.

Device and user groups are used when you assign your policies. Device and user scopes describe how a policy is enforced.

When deploying policy from Intune, you can assign user scope or device scope to any type of target group. Behavior of the policy per user depends on the scope of the setting:

  • User scoped policy writes to HKEY_CURRENT_USER (HKCU).
  • Device scoped policy writes to HKEY_LOCAL_MACHINE (HKLM).

When a device checks in to Intune, the device always presents a deviceID. The device may or may not present a userID, depending on the check-in timing and if a user is signed in.

The following list includes some possible combinations of scope, assignment, and the expected behavior:

  • If a device scope policy is assigned to a device, then all users on that device have that setting applied.
  • If a user scope policy is assigned to a device, then all users on that device have that setting applied. This behavior is like Group Policy loopback processing in merge mode.
  • If a user scoped policy is assigned to a user, then only that user has that setting applied.
  • If a device scoped policy is assigned to a user, once that user signs in and an Intune sync occurs, then the device scope settings apply to all users on the device.

If there isn't a user hive during initial check-ins, then you may see some user scope settings marked as not applicable. This happens in the early moments of a device's life, before a user is present.
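To verify on a managed Windows device which scope delivered a given setting, the following added PowerShell script (an example written for this article, not Intune's own tooling) reads the same policy path from HKLM (device scope) and HKCU (user scope) and reports each value with the scope that wrote it. It assumes ADMX-backed Microsoft Edge settings, which land under SOFTWARE\Policies\Microsoft\Edge; pass a different $RelativePath for other ADMX-backed settings.

```powershell
# Added example (not from the article): compare the device-scope (HKLM) and
# user-scope (HKCU) copies of an ADMX-backed policy key on a managed device.
# Assumption: Microsoft Edge policies land under SOFTWARE\Policies\Microsoft\Edge.
param(
    [string]$RelativePath = 'SOFTWARE\Policies\Microsoft\Edge'
)

function Get-PolicyScopeValues {
    param([string]$RelativePath)

    $scopes = @{
        Device = "HKLM:\$RelativePath"   # written by device-scoped settings
        User   = "HKCU:\$RelativePath"   # written by user-scoped settings
    }
    # Properties that Get-ItemProperty adds; they are not policy values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    $results = @{}
    foreach ($scope in $scopes.Keys) {
        $path = $scopes[$scope]
        if (-not (Test-Path $path)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $path).PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            if (-not $results.ContainsKey($prop.Name)) { $results[$prop.Name] = @{} }
            $results[$prop.Name][$scope] = $prop.Value
        }
    }
    return $results
}

$values = Get-PolicyScopeValues -RelativePath $RelativePath
foreach ($name in ($values.Keys | Sort-Object)) {
    $entry = $values[$name]
    $inBoth = $entry.ContainsKey('Device') -and $entry.ContainsKey('User')
    # Cast to string so REG_MULTI_SZ arrays compare as a whole.
    $note = if ($inBoth -and ([string]$entry['Device'] -ne [string]$entry['User'])) {
                'value differs between device and user scope'
            } elseif ($inBoth) {
                'same value in both scopes'
            } else {
                'set in one scope only'
            }
    [pscustomobject]@{
        Setting = $name
        Device  = $entry['Device']
        User    = $entry['User']
        Note    = $note
    }
}
```

Run it in the signed-in user's session so HKCU resolves to that user's hive; edge://policy (mentioned earlier in this article) shows the effective value, while this listing shows which scope supplied it.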

Next steps