Microsoft Intune and Intune for Education can configure privacy settings for Windows. This article summarizes the configurations that are most commonly used for student and teacher devices.
Important
The settings in this article configure user privacy. These settings should only be deployed after careful consideration.
Note
This is an optional policy.
To learn more, see Use the settings catalog to configure settings on Windows, iOS/iPadOS, and macOS devices.
Tip
When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
| Category | Name | Value | Notes | CSP |
|---|---|---|---|---|
| Privacy | Let Apps Access Location | Force allow. | Windows apps are allowed to access location. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting. | Privacy/LetAppsAccessLocation |
| System | Allow Location | Force Location On. All Location Privacy settings are toggled on and grayed out. Users can't change the settings and all consent permissions will be automatically suppressed. | Required to invoke Locate device action on Windows devices in Intune. | System/AllowLocation |
Use Graph to create the settings catalog policy in your tenant without assignments or scope tags.
This will create a policy in your tenant with the name _MSLearn_Example_CommonEDU - Windows - Privacy.
```http
POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
Content-Type: application/json

{"name":"_MSLearn_Example_CommonEDU - Windows - Privacy","description":"https://aka.ms/ManageEduDevices","platforms":"windows10","technologies":"mdm","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_privacy_letappsaccesslocation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_privacy_letappsaccesslocation_1","children":[]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_system_allowlocation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_system_allowlocation_2","children":[]}}}]}
```
1. Click Try it to open Graph Explorer.
2. Once Graph Explorer is open, select the user icon in the top right and sign in with your Intune administrator organizational account.
3. Click Run query to create the policy in your tenant.
Tip
If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This Graph call requires DeviceManagementConfiguration.ReadWrite.All permissions. You can grant the required permissions by selecting modify permissions and then selecting Consent.
The policy is created in your tenant and can be edited to meet your requirements before assigning to groups.
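Because both settings force location on and remove user choice, the request body can be reviewed offline before it is posted or the policy is assigned. The following Python is an added example, not part of the original article or of Microsoft's tooling; `review_policy`, `FORCED_ON` and the sample body are assumptions built from the setting IDs and values shown above.

```python
import json

PRIVACY = "device_vendor_msft_policy_config_privacy_letappsaccesslocation"
SYSTEM = "device_vendor_msft_policy_config_system_allowlocation"

# Option suffixes this article uses, with the labels from its settings table.
FORCED_ON = {PRIVACY: {"1": "Force allow"}, SYSTEM: {"2": "Force Location On"}}


def review_policy(body: str) -> list:
    """Return one finding per choice setting in a configurationPolicies body."""
    findings = []
    for setting in json.loads(body).get("settings", []):
        inst = setting.get("settingInstance", {})
        definition = inst.get("settingDefinitionId", "")
        value = inst.get("choiceSettingValue", {}).get("value", "")
        # In the article's payload every choice value is "<settingDefinitionId>_<option>".
        prefix = definition + "_"
        consistent = bool(definition) and value.startswith(prefix)
        option = value[len(prefix):] if consistent else None
        label = FORCED_ON.get(definition, {}).get(option)
        findings.append({
            "definition": definition,
            "option": option,
            "consistent": consistent,          # False: value belongs to another setting
            "forces_location": label is not None,
            "label": label,
        })
    return findings


def _choice(definition, value):
    """Build one settings entry for the constructed sample below."""
    return {"settingInstance": {"settingDefinitionId": definition,
                                "choiceSettingValue": {"value": value, "children": []}}}


# Constructed sample: the article's two settings plus one deliberately mismatched entry.
SAMPLE = json.dumps({"name": "constructed sample", "settings": [
    _choice(PRIVACY, PRIVACY + "_1"),
    _choice(SYSTEM, SYSTEM + "_2"),
    _choice(SYSTEM, PRIVACY + "_1"),
]})

if __name__ == "__main__":
    for f in review_policy(SAMPLE):
        status = f["label"] or ("mismatched value" if not f["consistent"] else "not forced on")
        print(f["definition"], "->", status)
```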
Note
As of July 31, 2025, Microsoft Graph replaced use of the DeviceManagementConfiguration.ReadWrite.All permission with DeviceManagementScripts.ReadWrite.All for the following API calls:
- ~/deviceManagement/deviceShellScripts
- ~/deviceManagement/deviceHealthScripts
- ~/deviceManagement/deviceComplianceScripts
- ~/deviceManagement/deviceCustomAttributeShellScripts
- ~/deviceManagement/deviceManagementScripts