Microsoft Intune and Intune for Education can configure privacy settings for Windows 10 and later. This article summarizes the configurations that are most commonly used for student and teacher devices.
Important
The settings in this article configure user privacy. These settings should only be deployed after careful consideration.
When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
Windows apps are allowed to access location. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
Force Location On. All Location Privacy settings are toggled on and grayed out. Users can't change the settings and all consent permissions will be automatically suppressed.
Required to invoke Locate device action on Windows devices in Intune.
Use Graph to create the settings catalog policy in your tenant without assignments or scope tags.
This will create a policy in your tenant with the name _MSLearn_Example_CommonEDU - Windows - Privacy.
POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
Content-Type: application/json
{"name":"_MSLearn_Example_CommonEDU - Windows - Privacy","description":"https://aka.ms/ManageEduDevices","platforms":"windows10","technologies":"mdm","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_privacy_letappsaccesslocation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_privacy_letappsaccesslocation_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_system_allowlocation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_system_allowlocation_2","children":[]}}}]}
Click Try it to open Graph Explorer.
Once Graph Explorer is open, select the
user icon in the top right to sign-in and sign in with your Intune administrator organizational account.
Click Run query to create the policy in your tenant.
Tip
If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires DeviceManagementConfiguration.ReadWrite.All permissions. You can grant the required permissions by selecting modify permissions and then selecting Consent.
The policy is created in your tenant and can be edited to meet your requirements before assigning to groups.
Create policy using Graph Explorer
user icon in the top right to sign-in and sign in with your Intune administrator organizational account.