Configuring CleanBrowsing on Windows Devices Using Intune

Deploy CleanBrowsing DNS filtering across your Windows device fleet using Microsoft Intune. Enforce consistent content filtering on all laptops, desktops, and tablets regardless of network location.


Step 1: Overview

Microsoft Intune (part of Microsoft Endpoint Manager) lets you push DNS configuration to all managed Windows 10/11 devices. This ensures CleanBrowsing filtering stays active whether devices are on the corporate network, at home, or on public Wi-Fi.


How It Works

  • You create a custom OMA-URI configuration profile in Intune that sets the DNS servers.
  • Intune automatically reapplies the enforced settings at regular check-ins, preventing users from manually changing DNS.
  • For paid CleanBrowsing plans, a PowerShell script keeps your dynamic IP updated so filtering rules apply correctly.

Requirements

  • Microsoft Intune subscription (part of Microsoft 365 Business Premium, E3, E5, or standalone)
  • Windows 10 or Windows 11 devices enrolled in Intune
  • CleanBrowsing account (free filters or paid plan)

Step 2: Create a Custom OMA-URI Profile

  1. Sign in to the Microsoft Intune admin center.
  2. Navigate to Devices > Configuration profiles.
  3. Click + Create profile.
  4. Set Platform to Windows 10 and later.
  5. Set Profile type to Templates, then select Custom.
  6. Click Create.
  7. Give it a name like CleanBrowsing DNS Policy and click Next.

Step 3: Configure DNS Values

In the Configuration settings step, click Add to create a new OMA-URI setting:

| Field | Value |
|---|---|
| Name | CleanBrowsing DNS Servers |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Networking/DNSClient |
| Data type | String |
| Value | See filter table below |

Free Filter DNS Values

| Filter | IPv4 Value | IPv6 Value (optional) |
|---|---|---|
| Family | 185.228.168.168,185.228.169.168 | 2a0d:2a00:1::,2a0d:2a00:2:: |
| Adult | 185.228.168.10,185.228.169.11 | 2a0d:2a00:1::1,2a0d:2a00:2::1 |
| Security | 185.228.168.9,185.228.169.9 | 2a0d:2a00:1::2,2a0d:2a00:2::2 |

Enter the IPv4 values (comma-separated, no spaces) in the Value field. To include IPv6, append the IPv6 values after the IPv4 values.

See our Setup Guide for details on what each filter blocks.

Step 4: Assign the Policy

  1. Click Next to reach the Assignments step.
  2. Under Included groups, click Add groups and select the Azure AD groups containing the devices or users you want to target.
  3. Click Next through the remaining steps (Applicability Rules and Review + create).
  4. Click Create to deploy the policy.

Intune pushes the policy at the next device check-in (typically within 15 minutes to 8 hours, or immediately if the user syncs manually from Company Portal).

Step 5: Paid Plan — Dynamic IP Updates

Paid CleanBrowsing subscriptions require your public IP to be registered in the dashboard. Since managed devices move between networks, you need a script to keep the IP updated automatically.


PowerShell Script

Create a PowerShell script (Update-CleanBrowsingIP.ps1):

# Update-CleanBrowsingIP.ps1
# Updates CleanBrowsing with the device's current public IP
$DynIPUrl = "https://my.cleanbrowsing.org/dynip/YOUR_CODE"

try {
    $response = Invoke-WebRequest -Uri $DynIPUrl -UseBasicParsing -TimeoutSec 30
    Write-Output "CleanBrowsing IP updated: $($response.StatusCode)"
} catch {
    Write-Output "Failed to update CleanBrowsing IP: $($_.Exception.Message)"
}

Replace YOUR_CODE with the dynamic IP code from your CleanBrowsing dashboard.


Deploy via Intune

  1. In the Intune admin center, navigate to Devices > Scripts.
  2. Click + Add and select Windows 10 and later.
  3. Upload the Update-CleanBrowsingIP.ps1 script.
  4. Set Run this script using the logged-on credentials to No (run as SYSTEM).
  5. Set Run script in 64-bit PowerShell host to Yes.
  6. Assign to the same device groups as your DNS policy.

Schedule Recurring Updates

To run the IP update every 15 minutes, create a Scheduled Task via Intune using a second PowerShell script:

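# Create-CBScheduledTask.ps1
# Registers a SYSTEM scheduled task that runs the IP update script every 15 minutes.

# Run the update script from its location on the device
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
    -Argument '-ExecutionPolicy Bypass -File "C:\ProgramData\CleanBrowsing\Update-CleanBrowsingIP.ps1"'
# Start at midnight and repeat every 15 minutes; the repetition window is 365 days
$Trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 15) `
    -RepetitionDuration (New-TimeSpan -Days 365) -At "12:00AM" -Once
# Keep running on laptops that are on battery power
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# -Force replaces an existing task with the same name
Register-ScheduledTask -TaskName "CleanBrowsing IP Update" `
    -Action $Action -Trigger $Trigger -Settings $Settings `
    -User "SYSTEM" -RunLevel Highest -Force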

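Deploy both scripts through Intune's script management. The first script performs the update; the second creates the recurring schedule. The scheduled task runs the copy of the update script at C:\ProgramData\CleanBrowsing\Update-CleanBrowsingIP.ps1, so the script must be present at that path on each device. Because the task runs as SYSTEM, that folder and the script in it should be writable only by SYSTEM and Administrators.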
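The task above runs as SYSTEM from C:\ProgramData\CleanBrowsing\, a location that standard users can create by default. The following is an added example, not CleanBrowsing's own script: one deployment script that locks the folder down, writes the updater into it, and registers the same task. The file name Install-CBUpdater.ps1 and the ACL choices are assumptions of this example, and YOUR_CODE remains the page's placeholder.

```powershell
# Install-CBUpdater.ps1: added example, intended to run as SYSTEM via Intune.
$ErrorActionPreference = 'Stop'
$Dir    = Join-Path $env:ProgramData 'CleanBrowsing'
$Script = Join-Path $Dir 'Update-CleanBrowsingIP.ps1'
$PsExe  = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'

New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# Standard users can create folders under C:\ProgramData by default, so
# replace the folder's ACL: no inheritance, SYSTEM and Administrators only.
# Well-known SIDs keep this working on non-English Windows.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)
foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {
    $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
$acl.SetOwner((New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')))
Set-Acl -Path $Dir -AclObject $acl

# Drop anything that was in the folder before it was locked down.
Get-ChildItem -Path $Dir -Force | Remove-Item -Recurse -Force

# Write the updater; the new file inherits the restricted ACL.
# YOUR_CODE is the page's placeholder for the dashboard code.
@'
$DynIPUrl = "https://my.cleanbrowsing.org/dynip/YOUR_CODE"
try {
    $response = Invoke-WebRequest -Uri $DynIPUrl -UseBasicParsing -TimeoutSec 30
    Write-Output "CleanBrowsing IP updated: $($response.StatusCode)"
} catch {
    Write-Output "Failed to update CleanBrowsing IP: $($_.Exception.Message)"
}
'@ | Set-Content -Path $Script -Encoding UTF8

# Same schedule as the task above, with a full path to powershell.exe.
$Action = New-ScheduledTaskAction -Execute $PsExe `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$Script`""
$Trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 15) `
    -RepetitionDuration (New-TimeSpan -Days 365) -At "12:00AM" -Once
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName "CleanBrowsing IP Update" `
    -Action $Action -Trigger $Trigger -Settings $Settings `
    -User "SYSTEM" -RunLevel Highest -Force | Out-Null
```

After it runs, `(Get-Acl C:\ProgramData\CleanBrowsing).Access` should list only NT AUTHORITY\SYSTEM and BUILTIN\Administrators.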

Step 6: Verify Deployment

After the policy syncs to a device, verify it's working:


Check DNS Settings

# PowerShell — show current DNS servers
Get-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -AddressFamily IPv4
Get-DnsClientServerAddress -InterfaceAlias "Ethernet" -AddressFamily IPv4

You should see the CleanBrowsing IP addresses in the output.
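The two commands above assume adapters named Wi-Fi and Ethernet. As an added example (not from CleanBrowsing), the check below covers every connected adapter and reports any IPv4 resolver that differs from the Family filter pair in the Step 3 table; the script name and function name are hypothetical, and the expected pair should be swapped for the filter you deployed.

```powershell
# Test-CBDns.ps1: added example. Expected values are the Family filter
# IPv4 pair from the Step 3 table; change them to match your filter.
$Expected = '185.228.168.168', '185.228.169.168'

function Get-CBDnsDrift {
    param([string[]]$Allowed = $Expected)
    # Only adapters that are currently connected.
    $up = Get-NetAdapter | Where-Object Status -eq 'Up'
    foreach ($nic in $up) {
        $servers = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
                        -AddressFamily IPv4).ServerAddresses
        # Resolvers that should not be there, and expected ones that are absent.
        $unexpected = @($servers | Where-Object { $_ -notin $Allowed })
        $missing    = @($Allowed | Where-Object { $_ -notin $servers })
        if ($unexpected.Count -or $missing.Count) {
            [pscustomobject]@{
                Interface  = $nic.Name
                Configured = $servers -join ','
                Unexpected = $unexpected -join ','
                Missing    = $missing -join ','
            }
        }
    }
}

$drift = @(Get-CBDnsDrift)
if ($drift.Count -eq 0) {
    Write-Output 'All connected adapters use the expected CleanBrowsing resolvers.'
    exit 0
}
# Non-zero exit code so an automated check can flag the device.
$drift | Format-Table -AutoSize | Out-String | Write-Output
exit 1
```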


Test Filtering

# Verify CleanBrowsing is responding
Resolve-DnsName -Name debug.test.cleanbrowsing.org -Type TXT -Server 185.228.168.168

# Test a domain that should be blocked (Family filter)
Resolve-DnsName -Name pornhub.com -Server 185.228.168.168

Check Intune Policy Status

  1. In the Intune admin center, go to Devices > Configuration profiles.
  2. Click on your CleanBrowsing DNS Policy.
  3. Check the Device status tab for deployment results.

A status of Succeeded confirms the DNS policy was applied to the device.