The Cloud Device Administrator role can modify device settings at a global level in Azure AD. This ability is associated with the following permission: microsoft.directory/deviceRegistrationPolicy/basic/update
Below are tips for making modifications to various settings.
Intune Admin Center - Enabling Windows Hello for Business Globally
This setting should remain set to Not Configured so that it can be customized through IT unit-created policies.
Intune Enrollment Restriction Settings
Enrollment restriction settings within Intune allow for the configuration of which devices can enroll into Intune.
Additional Tenant-Wide Configurations in Company Branding
There is an additional tenant-wide configuration in the company branding section that provides the ability to customize the sign-in experience and other appearance settings. See Microsoft’s Configure your company branding article for more information.
Uncheck Allow My Organization to Manage My Device for Personally-owned Devices
Checking the box and clicking OK will register the customer’s device to Azure AD (Azure AD registered device) and possibly enroll it to MDM (Mobile Device Management), depending on the current state of the device and the MDM configuration. This setting also remembers this user’s credentials on this device for other apps.
Uncheck Allow my organization to manage my device, then click OK. This will not register the customer’s device to Azure AD, but it will remember the customer’s credentials on the device for other apps.
Choose No, sign in to this app only. This will not register the customer’s device to Azure AD, and it will only remember the customer’s credentials for this app.
Close the window by clicking on X. This just closes the notification and does nothing else.