Learning Path 3:

Configure profiles for

users and devices
MD-102 Microsoft 365 Endpoint Administrator

© Copyright Microsoft Corporation. All rights reserved.

Learning Path Agenda

• Execute device profiles

• Oversee device profiles
• Maintain user profiles

© Copyright Microsoft Corporation. All rights reserved.

Module 1: Execute
device profiles

© Copyright Microsoft Corporation. All rights reserved.

Module 1: Execute device profiles

• Explore Intune device profiles

• Create device profiles

• Create a custom device profile

© Copyright Microsoft Corporation. All rights reserved.

Explore Intune device profiles

Microsoft Intune includes settings and features that you can enable or disable
on different devices within your organization

Administrative templates Endpoint protection

Certificates Identity protection
Device features – iOS and macOS Kiosk
Device restrictions VPN
Edition upgrade and mode switch Wi-Fi
Email Custom profile

© Copyright Microsoft Corporation. All rights reserved.

Create device profiles

• The platform and profile type determines the options available

• A profile must be assigned to have any effect on a device

• You can assign it to the following Azure AD (Entra ID) groups:

– Selected Groups

– All Users & All Devices

– All Devices

– All Users

• You can exclude groups from the assignment

• Applicability Rules allow further restriction of the profile assignment or exclusion

specific OS versions or editions
• Review + Create
© Copyright Microsoft Corporation. All rights reserved.
Create a custom device profile
You can create a custom device profile for Windows 10 and later, Android and iOS devices.
• Custom settings are configured differently for each platform.

Create a custom profile for Windows 10 and later devices

• Use the Microsoft Intune custom profile for Windows 11 and later to deploy Open Mobile Alliance Uniform
Resource Identifier (OMA-URI) values.
• These settings are used to control features on devices. Windows makes many Configuration Service
Provider (CSP) settings available, such as Policy CSP

Create a custom profile for Android devices

• Like Windows, Android Enterprise custom profiles use OMA-URI settings to control features on Android
Enterprise devices.
• The steps for creating a custom Android profile are identical to creating a Windows custom profile,
except the profile is created under the Android platform.

Create a custom profile for Apple devices

• Use the Microsoft Intune iOS/iPadOS or macOS custom profile to assign settings that you created by
using the Apple Configurator tool to Apple devices.

© Copyright Microsoft Corporation. All rights reserved.

Knowledge Check

Test your knowledge by answering the Knowledge

Check questions at the end of this Learn module

© Copyright Microsoft Corporation. All rights reserved. © Copyright Microsoft Corporation. All rights reserved.
Module 2: Oversee
device profiles

© Copyright Microsoft Corporation. All rights reserved.

Module 1: Monitor device profiles

• Monitor device profiles in Intune

• Manage device sync in Intune

• Manage devices in Intune using scripts

© Copyright Microsoft Corporation. All rights reserved.

Monitor device profiles in Intune

View existing profiles,

details, and charts
• Check the status of a
profile
• See device assignments
and status
• View users related to
profile
• View per-setting status
View Conflicts
• Shows profile names
that are creating conflict

© Copyright Microsoft Corporation. All rights reserved.

Manage device sync in Intune

• Manage settings and features on your devices with Intune policies

– Groups of settings that control features on mobile devices and computers
– Create policies using templates that include recommended or custom settings
– You deploy them to device or user groups
• Intune policies fall into the following categories
– Configuration policies
– Device compliance policies
– Conditional access policies
– Corporate device enrollment policies
• When a device checks in, it receives any pending assigned actions or policies
– Check-in frequency depends on platform and enrollment time
– The Sync device action forces the selected device to immediately check in with Intune

© Copyright Microsoft Corporation. All rights reserved.

Manage devices in Intune using scripts

• The Intune management extension lets you upload PowerShell scripts for Windows
devices and shell scripts for macOS devices into Intune.
• Create a PowerShell script policy for Windows
1. In the Microsoft Intune admin center, select Devices.

2. In the Policy section, select Scripts and select Add, then select Windows 10 and later.

3. In Script settings, specify the relevant properties.

• Create a shell script policy for macOS

1. Adding a script for the macOS uses the same steps creating a PowerShell script policy,
selecting macOS after choosing Add.
2. In Script settings, the macOS script settings will be slightly different.

© Copyright Microsoft Corporation. All rights reserved.

Knowledge Check

Test your knowledge by answering the Knowledge

Check questions at the end of this Learn module

© Copyright Microsoft Corporation. All rights reserved. © Copyright Microsoft Corporation. All rights reserved.
Module 3:
Maintain user
profiles

© Copyright Microsoft Corporation. All rights reserved.

Module 3: Manage user profiles

• Examine user profile

• Explore user profile types

• Examine options for minimizing user profile size

• Deploy and configure folder redirection

• Sync user state with Enterprise State Roaming

• Configure Enterprise State Roaming in Azure

© Copyright Microsoft Corporation. All rights reserved.

Examine user profile

• Every user has a user profile that is:

– Created when the user signs in for the first time

– Based on a default profile

– Stored in the C:\Users folder

– Unique for each user and not accessible by other users

• A user profile:
– Contains user registry and environment settings, application data, and user data

– Is user-specific and personal

– Is persistent between user sessions

– Is not computer-specific

© Copyright Microsoft Corporation. All rights reserved.

Explore user profile types

Local user profile Roaming user profile Mandatory user profile Temporary user profile
Only available locally and Copy an entire profile to a User changes are not When issues prevent
do not roam between network location and back persistent between user profile from loading
devices Windows 10 and later add sign-in attempts
the .V6 extension to Local copy of the profile
roaming folder used if network is not
Local copy of the profile available
used if network is not
available
Incompatible between
different versions of
Windows

© Copyright Microsoft Corporation. All rights reserved.

Examine options for minimizing user profile size

Profiles contain user data files:

• Size can increase rapidly when users store large files

Administrators can limit profile sizes by:

• Using quotas for user profiles

• Redirecting folders out of user profiles

• Using the Limit user profile size Group Policy setting

Store data files outside of user profiles:

• Dedicated shared folders

• Home folders

© Copyright Microsoft Corporation. All rights reserved.

Deploy and configure folder redirection
Redirects user profile folders to a network location:
• Can be used with all user profile types

• Content does not copy locally when users sign in

• Offline Files provide access without network connectivity

Folder Redirection is configured by Group Policy:

• Only predefined folders can be redirected

• Redirection can be based on group membership

Folder Redirection benefits:

• Available from any network computer

• Centrally maintained and backed up

• Can set quotas and different permissions

• Transparent and always available for users

© Copyright Microsoft Corporation. All rights reserved.
Sync user state with Enterprise State Roaming

Use Enterprise State Roaming (ESR) together with Microsoft OneDrive to

enable users to effortlessly transfer settings and access their data from any
device.
• Seamlessly synchronize user data and settings between the client device and the
cloud.
– Azure AD (Entra ID) Premium required

– Windows device must be Azure AD-joined (Entra Joined)

• Syncs Windows 10 and later settings, Universal Windows Platform (UWP) Apps

• Does not sync Desktop App or Microsoft Edge data

– Use Microsoft Edge sync to sync Edge data

© Copyright Microsoft Corporation. All rights reserved.

 Configure Enterprise State Roaming in Azure (Entra
•ID)
ESR includes free, limited-use license for Azure Rights Management protection from
Azure Information Protection
– Limited to encrypting and decrypting enterprise settings and application data

• To use ESR, the device must authenticate using an Azure AD (Entra ID) identity
• Data that roams:
– Windows settings – Generally, personalization settings

– Application data – If supported by UWP app

• Data location is region based

• Data retained until manually deleted or determined to be stale
– Data that hasn't been accessed for one year will be treated as stale and may be deleted

– Data retention policy is not configurable and deleted data is not recoverable

– Data is only deleted from the Microsoft cloud, not from the device

© Copyright Microsoft Corporation. All rights reserved.

Knowledge Check

Test your knowledge by answering the Knowledge

Check questions at the end of this Learn module

© Copyright Microsoft Corporation. All rights reserved. © Copyright Microsoft Corporation. All rights reserved.
Practice Labs

• Creating and Deploying Configuration Profiles

• Using a Configuration Profile to configure Kiosk
mode
• Using a Configuration Profile to configure iOS and
iPadOS Wi-Fi settings
• Using Group Policy Analytics to validate GPO
support in Intune
• Monitor device and user activity in Intune

© Copyright Microsoft Corporation. All rights reserved. © Copyright Microsoft Corporation. All rights reserved.
Learning Path Recap
In this learning path, we learned to:

• Execute device profiles

• Oversee device profiles
• Maintain user profiles

© Copyright Microsoft Corporation. All rights reserved.

© Copyright Microsoft Corporation. All rights reserved.