Microsoft 365 Windows 10 Device configuration mappings

Microsoft 365 Business allows you to configure Windows 10 devices that are connected. This management is typically done by Intune at the back end while Microsoft 365 Business provides a simplified interface over these settings. However, what settings in Microsoft 365 map to Intune?

The best place to start to understand this mapping is the following document from Microsoft:

How do protection features in Microsoft 365 Business map to Intune settings


Start by navigating to the Admin center in your Microsoft 365 for Business tenant.


Locate the Device policies tile and select it.


You may see a number of policies here but one should be named Windows 10 device configuration as shown above. Select this.


You should be taken to the Edit policy dialog as shown above.

Select the Edit hyperlink at the right of the Windows 10 protection line (the second option from the top).


If you expand the display you should see a list of all the options and their status as shown above.

The question now is, how do these map to settings in Intune?

To view the settings in Intune you’ll need to login to the Azure portal for that tenant and then navigate to the Intune option.


The easiest way to find the Intune settings is to do a search in the top right and then select Intune from the results.


You should see the Intune console displayed as shown above.


From the available options, select Device Configuration. From the blade that appears then select Policies. You should then see a policy that matches the one in the Microsoft 365 for Business console (here Windows 10 device configuration).

Select the policy name.


From the new blade that appears select Properties.


This should open another blade like shown above. The last option on this blade should be Settings. Select this.


This will open a Device restrictions blade with lots of different settings as you can see above. This is where most the mapped settings from Microsoft 365 are.


Working from the top, the Help protect PCs from web-based threats using Windows Defender Antivirus maps to Windows Defender Antivirus as shown.


However, only 3 of the 28 options are set and they are:




Next in Microsoft 365 Business is Help protect PCs from web-based threats in Microsoft Edge,


This maps to SmartScreen for Microsoft Edge in Windows Defender Smart Screen.



The next option is Turn off device screen when idle for:

clip_image001[17]which maps to Maximum minutes of inactivity until screen locks in Password.


The option Allow users to download apps from Windows store maps to a Custom URI that I haven’t been able to locate in Intune.


I’m still researching what that actually maps to. More soon.

Next is Allow users to access Cortana

clip_image001[21]maps to Cortana in General in Intune.



Next, Allow users to receive Windows tips and advertisements from Microsoft.

clip_image001[23]which maps to Windows spotlight in Intune.


Finally, Keep Windows 10 devices up to date automatically


is actually configured from the Software updates option in Intune.


From the main Intune blade select Software updates. From the blade that then appears select Windows 10 Update rings. Then form the new blade select Update policy for Windows 10 devices.


Select the policy and then Properties from the blade that appears.

At the bottom of the Properties page select Settings. This should then show a blade like that shown above.


If the Microsoft 365 Business setting is ON the Service Branch will be set to Semi-Annual Channel (Targeted) like so:


If the Microsoft 365 Business setting is OFF, the Service Branch will be set to Semi-Annual like so:


You can review these update channels here:

Assign devices to servicing channels for Windows 10 updates

So making any changes in the Microsoft 365 Business console will be reflected in the Intune console. However, if you change these settings in Intune and then try and update them you seem to get an error like so


I would have thought that I could change the settings in any console but that doesn’t appear to be the case. I currently can’t find any confirmation of this but I will publish anything I find. So for now the guidance is – only make changes in the Microsoft 365 Business Admin Center.

There are a number of other policies in Microsoft 365 Business that I’ll cover in upcoming posts.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s