Overview
With the release of Windows 11, version 25H2, Microsoft delivered day-zero support in Microsoft Intune by adding 36 new settings to the Settings Catalog. These settings allow IT administrators to configure and enforce policies against the latest Windows 11 features — from AI controls for Recall and Copilot to Start menu layout, power management, privacy, and backup — from the moment devices are deployed in test or production environments.
This article breaks down all 36 new settings by category, explains what each one does, and shows you how to build a configuration profile to apply them.
💡 Day-Zero Support
The 25H2 settings shipped with the Intune October 2025 (2510) service release. Settings previously marked as “Windows Insiders only” were promoted to general availability on October 23, 2025. All 36 settings are now available in all tenants.
The 25H2 settings shipped with the Intune October 2025 (2510) service release. Settings previously marked as “Windows Insiders only” were promoted to general availability on October 23, 2025. All 36 settings are now available in all tenants.
What’s New in Windows 11 25H2
Windows 11 25H2 is delivered as an enablement package on top of the Windows 11 24H2 servicing branch — meaning the features were already present in 24H2 monthly updates in a dormant state and are activated by the 25H2 update. Key new capabilities include expanded AI features (Recall, Copilot hardware key, Click to Do, Image Creator, Cocreator, Generative Fill), a redesigned Start menu with category view, Human Presence detection improvements, Energy Saver policy enforcement, Windows Backup and Restore, and refinements to the Widgets board and lock screen.
Prerequisites
- Microsoft Intune license (P1 or P2)
- Devices running Windows 11, version 25H2 (build 26200+), enrolled in Intune
- Intune Administrator or Policy and Profile Manager role
- Target Entra ID / Azure AD device group
New Settings by Category
Windows AI (14 settings)
The largest category by far. These settings give administrators granular control over every major AI feature shipping in Windows 11 25H2.
| Setting Name | Scope | What It Controls |
|---|---|---|
| Allow Recall Enablement | Device | Controls whether users can enable the Recall feature. Block to prevent Recall from being turned on across the tenant. |
| Set Maximum Storage Space For Recall Snapshots | Device | Caps the local disk space Recall can use for snapshots (e.g. 10 GB). Useful for pilot deployments where you want to allow Recall but limit storage impact. |
| Set Maximum Storage Space For Recall Snapshots (User) | User | User-scoped version of the storage cap policy above. |
| Set Deny App List For Recall | Device | Specifies a list of applications whose content Recall is not permitted to snapshot or index. |
| Set Deny App List For Recall (User) | User | User-scoped app exclusion list for Recall. |
| Set Deny URI List For Recall | Device | Specifies URLs that Recall must not snapshot when browsing — useful for preventing capture of sensitive web applications. |
| Set Deny URI List For Recall (User) | User | User-scoped URL exclusion list for Recall. |
| Disable Settings Agent | Device | Disables the AI-powered Settings agent that allows natural language configuration of Windows settings. |
| Disable Click To Do | Device | Blocks the Click To Do AI action overlay feature in Windows. |
| Disable Click To Do (User) | User | User-scoped version of the Click To Do disable policy. |
| Disable Image Creator | Device | Prevents users from accessing the AI Image Creator feature within Windows apps such as Paint and Photos. |
| Disable Cocreator | Device | Disables the AI-assisted Cocreator drawing feature in Paint. |
| Disable Generative Fill | Device | Disables the AI-powered Generative Fill feature in the Photos app. |
| Set Copilot Hardware Key (User) | User | Controls the behavior of the dedicated Copilot key on Copilot+ PCs, allowing admins to remap or disable it. |
⚠️ Recall Migration Note
If you previously configured Recall controls using a custom OMA-URI path (e.g.
If you previously configured Recall controls using a custom OMA-URI path (e.g.
./Device/Vendor/MSFT/Policy/Config/WindowsAI/AllowRecallEnablement), migrate to the Settings Catalog entries. Microsoft is gradually deprecating the manual CSP-based path in favor of the catalog entries.Privacy (1 setting)
| Setting Name | What It Controls |
|---|---|
| Let Apps Access System AI Models | Controls whether applications can access Windows system-level AI models (on-device neural processing). Block to prevent apps from leveraging the NPU-accelerated models built into Copilot+ PC hardware. |
Start Menu (6 settings)
| Setting Name | Scope | What It Controls |
|---|---|---|
| Configure Start Pins | Device | Deploys a JSON layout defining which apps are pinned to the Start menu by default. |
| Configure Start Pins (User) | User | User-scoped Start pin layout. Setting applyOnce: true applies the layout only on first sign-in, allowing users to customize afterwards. |
| Hide Category View | Device | Hides the new category-based app grouping view in the Start menu, enforcing a standard app list layout. |
| Hide Category View (User) | User | User-scoped version of the category view hide policy. |
| Turn Off Abbreviated Date Time Format (User) | User | Reverts the Start menu and taskbar clock to the full date/time display format instead of the shortened 25H2 default. |
| Always Show Notification Icon (User) | User | Keeps the Action Centre notification icon always visible in the taskbar, ensuring users see system and policy notifications. |
News and Interests / Widgets (2 settings)
| Setting Name | What It Controls |
|---|---|
| Disable Widgets Board | Removes the Widgets board entirely from the taskbar and keyboard shortcut access. |
| Disable Widgets On Lock Screen | Prevents widget content (weather, news, calendar) from appearing on the Windows lock screen. |
Human Presence (2 settings)
| Setting Name | What It Controls |
|---|---|
| Force Onlooker Detection | Enables mandatory onlooker detection on supported Copilot+ PC hardware — alerts the user when someone is looking over their shoulder. |
| Force Onlooker Detection Action | Specifies the system action to take when an onlooker is detected (e.g. dim screen, blur content, or show a warning). |
Power (1 setting)
| Setting Name | What It Controls |
|---|---|
| Enable Energy Saver | Enforces Energy Saver mode on managed devices. Particularly useful for large fleet deployments where energy optimisation reduces costs and supports sustainability targets. |
Backup and Restore (2 settings)
| Setting Name | Category | What It Controls |
|---|---|---|
| Enable Windows Backup | Administrative Templates | Controls whether the Windows Backup feature (sync of settings, apps, and credentials to the user’s Microsoft account) is enabled. |
| Enable Windows Restore | Windows Backup And Restore | Controls whether Windows Restore (device recovery from a backup) is available to users. |
Remaining Settings
| Category | Setting Name | What It Controls |
|---|---|---|
| App Package Deployment | Remove Default Microsoft Store Packages | Removes select preinstalled Microsoft Store apps on Windows 11 Enterprise and Education — without custom imaging or scripts. |
| Microsoft App Store | Configure MSIX Authentication Authorized Domains | Specifies which domains are authorized for MSIX package authentication, improving enterprise app deployment control. |
| Auditing | Account Logon Logoff Audit Group Membership | Enables auditing of group membership information in logon tokens, useful for compliance and privileged access monitoring. |
| Printers | Require IPPS Policy | Enforces Internet Printing Protocol over HTTPS (IPPS) for all print connections, part of the Windows Protected Print initiative. |
| System | Allow OOBE Updates | Controls whether Windows can install updates during the Out-of-Box Experience (OOBE) setup phase. |
| Display | Configure Multiple Display Mode (User) | Configures default behaviour when a second display is connected — extend, duplicate, or second screen only. |
| Sync Your Settings | Enable Windows Backup (Admin Template) | Administrative Templates path for controlling Windows settings sync to a Microsoft account. |
How to Create a 25H2 Settings Catalog Profile
- Sign in to the Microsoft Intune admin center.
- Go to Devices → Configuration → + Create → New Policy.
- Set Platform to Windows 10 and later and Profile type to Settings catalog.
- Give the profile a descriptive name — for example,
WIN-AI-25H2-Baseline. - On the Configuration settings tab, click + Add settings and search for each setting by its friendly name (e.g. “Allow Recall Enablement”).
- Configure each setting as required, then proceed through Scope tags and Assignments.
- Click Review + create → Create.
💡 Tip — Pilot First
Assign the profile to a pilot device group before rolling out to your full fleet. After the first Intune sync cycle, verify the profile status shows Succeeded under Devices → Select device → Device configuration. It can take one to two sync cycles for settings to appear as applied on the device.
Assign the profile to a pilot device group before rolling out to your full fleet. After the first Intune sync cycle, verify the profile status shows Succeeded under Devices → Select device → Device configuration. It can take one to two sync cycles for settings to appear as applied on the device.
Recommended AI Baseline for Enterprise
For most enterprise environments, the following Windows AI settings represent a sensible starting baseline while Recall and related features mature:
| Setting | Recommended Value | Rationale |
|---|---|---|
| Allow Recall Enablement | Block | Prevent users from enabling screen capture at rest until your org has assessed DLP and compliance implications |
| Let Apps Access System AI Models | Block | Prevent third-party apps from accessing on-device NPU models until you’ve reviewed which apps require this |
| Disable Settings Agent | Enabled | Prevent AI-driven Settings changes that could bypass standard configuration policy |
| Disable Widgets On Lock Screen | Enabled | Avoid displaying news or personal data on shared or unattended devices |
| Remove Default Microsoft Store Packages | Enabled | Deliver a cleaner, managed Start menu without consumer bloatware |
Summary
The 36 new settings added to the Intune Settings Catalog for Windows 11 25H2 give enterprise administrators the controls needed to manage the most significant feature area in this release — Windows AI — along with meaningful improvements to Start menu governance, power policy, auditing, and backup. With day-zero support delivered via the October 2025 Intune service release, organizations can assess and configure these settings before users encounter them, rather than reacting after deployment.
Related Articles
- Microsoft Intune Settings Catalog Updated to Support Windows 11, version 25H2 – Microsoft Tech Community
- Create a policy using the Settings Catalog in Microsoft Intune – Microsoft Learn
- An IT Pro’s Guide to Windows 11, version 25H2 – Windows IT Pro Blog
- What’s new in Microsoft Intune – Microsoft Learn
