Anoop is a Microsoft MVP! He is a Solution Architect on enterprise client management with more than 17 years of experience (calculation done in the year 2018) in IT. He is a blogger, speaker, and Local User Group Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about technologies like SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V, etc.
How do you create and deploy security policies for Android devices using Endpoint Manager Intune? Deploying Android for Work device restriction policies is nothing but deploying a security policy for Android devices. These policies are important for securing corporate data and applications on those devices.
In this post, we will see how to create and deploy a security policy for Android devices via the Intune blade in the Azure portal. Intune compliance policies are another set of policies that we need to set up for Android device security.
You can create an Intune device restriction policy for Android for Work from Microsoft Intune – Device Configuration – Profiles – Create New Profile. I selected Android for Work as the platform; selecting the correct platform is very important.
You also need to select the profile type while creating the Intune configuration restriction policy; in my scenario, it’s the Device restriction policy. The name of the policy is Android Restriction policy, as you can see in the video.
There are two categories to configure device restriction settings for Android for Work devices. Work profile settings and Device password are the two settings available. Again, I won’t suggest setting up a device password policy as part of the configuration policy when you have a compliance policy setting for the Device password.
Data sharing between work and personal profiles settings specify whether apps in the work profile can share data with apps in the personal profile. Microsoft Intune recommended value for this setting is to prevent any sharing across the boundaries.
We can block work profile notifications while the device is in a locked state. Default app permission is another Android for Work security setting. I don’t recommend configuring the password settings as part of Intune configuration policies; rather, password settings should be part of compliance policies for Android for Work devices.
Deploy Security Policy for Android Devices
Deploying the Android for Work device restriction policy is straightforward. But it’s important to take care of some points before deploying the security policy for Android devices. Click on Assignments after setting up the policy and select the AAD user/device group.
Click on the Save button and you are done. The best-recommended way is to assign policies to an Azure AD dynamic device group for Android devices. However, the AAD device groups are still in preview, so we may be better off using user groups for deploying device restriction policies to Android devices.
One thing to remember is that you can’t apply Android device platform policies to Android for Work devices. You should rather use Android for Work device platform policies for A4W. Another useful option while deploying device restriction policies in Intune is the EXCLUDE option.
This is very useful when you want to exclude some of the devices or users from these particular security policies.
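The same profile and assignment can be created outside the portal. The following is an added example, not code from the original post, that creates the Android for Work device restriction profile described above through Microsoft Graph using the Microsoft.Graph PowerShell SDK, then assigns it to one Azure AD group while excluding another (the EXCLUDE option). The two group object IDs and the profile name are placeholders; password settings are deliberately left out so that they stay in the compliance policy, as the post recommends.

```powershell
# Added example (not from the original post): create and assign an Android for Work
# device restriction profile through Microsoft Graph with the Microsoft.Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed, and the two group IDs below are
# placeholders you replace with your own Azure AD group object IDs.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$includeGroupId = "<AAD-user-group-object-id>"   # placeholder: users who should receive the policy
$excludeGroupId = "<AAD-pilot-group-object-id>"  # placeholder: users to leave out (the EXCLUDE option)

# Profile body. Only work-profile settings are set here; device password settings are left
# to the compliance policy, as the post recommends. The @odata.type must be the Android for
# Work type, not androidGeneralDeviceConfiguration, or the policy will never apply to A4W devices.
$profileBody = @{
    "@odata.type"                                  = "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration"
    displayName                                    = "Android Restriction policy"
    description                                    = "Work profile restrictions: no data sharing across the work/personal boundary"
    workProfileDataSharingType                     = "preventAny"   # Intune's recommended value from the post
    workProfileBlockNotificationsWhileDeviceLocked = $true          # hide work notifications on the lock screen
    workProfileDefaultAppPermissionPolicy          = "prompt"       # user decides each runtime permission
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType "application/json" -OutputType PSObject

# Assignment: one include target and one exclude target, the same two choices the portal offers.
$assignmentBody = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget";          groupId = $includeGroupId } },
        @{ target = @{ "@odata.type" = "#microsoft.graph.exclusionGroupAssignmentTarget"; groupId = $excludeGroupId } }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignmentBody | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Read the profile back and show the type and the data-sharing setting actually stored.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)" -OutputType PSObject |
    Select-Object id, displayName, '@odata.type', workProfileDataSharingType
```

Run it in an interactive session; `Connect-MgGraph` prompts for an account that has rights to manage device configuration. The final GET is there as a check: if `@odata.type` comes back as anything other than the Android for Work type, the profile was created for the wrong platform, which is exactly the mismatch the post warns about.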
User Experience of Security Policy for Android devices
The user experience of Android for Work devices can vary depending on the manufacturer of the device. As I mentioned in the previous post here, Samsung and Nexus devices gave the best experience among those I have tested so far.
But I would admit the user experience of Android for Work is far better than that of plain Android devices! As Android devices have many variants, it’s better to make sure the security policy experience for Android devices is good across all the manufacturers.
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
How do you create Intune device restriction policy profiles and deploy security policies to Windows 10 devices with Endpoint Manager? Intune configuration restriction policies are very important in a modern device management strategy. An Intune device restriction policy is the set of security settings applied to your Windows 10 CYOD device.
As part of your organization’s security policies, you may need to lock down mobile devices or Windows devices that have access to corporate data and apps. Yes, Intune configuration restriction policies help you lock down Windows devices as per your organization’s security requirements.
Create Intune Device Restriction Policy for Windows 10 Devices
You can create an Intune device restriction policy for Windows 10 from Microsoft Intune – Device Configuration – Profiles – Create New Profile. I selected Windows 10 as the platform, and selecting the correct platform is very important.
You also need to select the profile type while creating the Intune configuration restriction policy. In my scenario, it’s the Device restriction policy. The name of the policy is “Windows 10 CYOD Restrictions“.
The out-of-box settings of the Windows platform Intune device restriction policy are segregated into 16 sections, as you can see below. This list is very comprehensive, and we can lock down Windows 10 machines as per the requirement.
Is this Intune device restriction policy a replacement for group policies? No, it’s still not a replacement for AD group policies.
General
Password
Personalization
Locked screen experience
App Store
Edge Browser
Search
Cloud and Storage
Cellular and Connectivity
Control Panel and Settings
Defender
Defender Exclusions
Network proxy
Windows Spotlight
Display
Start
Deploy Windows 10 Intune Device Restriction Policy
You can deploy the Windows 10 Intune device restriction policy to either a Windows 10 CYOD dynamic device group or a Windows 10 user group.
Dynamic device groups are still in preview, and those types of groups are not stable at times. So at least for the next two months, I will prefer to deploy policies to user groups rather than dynamic device groups.
Windows 10 End-user experience of Intune Device Restriction Policy
As you can see in the video tutorial at the top of this post or here, I enabled the time setting that blocks the option as part of the initial Windows 10 device restriction policy. The end user logged on to the Windows 10 machine can’t change the time on the system.
After that, I changed the Windows time setting policy again, and after applying the new policy, the user can change the time on the Windows 10 system.
How do you enable Intune Company Portal browser access for Conditional Access enabled web apps in Endpoint Manager? I have been testing and developing a solution for Android device management with Intune. That Android for Work learning experience has been shared in my previous posts here.
In this post, we will see and learn how to enable Intune Company Portal Browser Access for Android devices. What is the need for enabling company portal browser access? To put it in simple words, if your organization is using Azure AD Conditional Access (CA) enabled internal web applications, then we need to enable the Company portal browser access option.
How to enable Intune Company Portal Browser Access
Open the Company Portal app.
Go to the Settings page from the ellipsis (…) or hardware menu button.
Press the Enable Browser Access button.
The above video recording shows the user experience when you have CA-enabled web applications and you have not enabled Company Portal browser access. As you can see in the video, the managed browser for Android devices gives an error stating that the device is not enrolled.
Yes, the managed browser application can’t tell whether the device is already enrolled. When you perform the “Intune Company Portal Browser Access” action, the app will try to install the Microsoft work account certificate on the Android device. There is a known issue with the previous version of the Company Portal application on Android devices.
Microsoft Work Account Certificate installation Error
The solution to the “work account certificate installation” error mentioned above is to update the Company Portal application for Android devices. Are you getting an error called ENROLL your device (as you can see in the following screen capture)? Does this error appear when you try to access Conditional Access enabled web applications through the managed browser, while the web apps without CA are working fine? If so, you need to perform the following action from your Android device: “Intune Company Portal Browser Access.”
End-User Experience of ENROLL device Error
Now, it’s time to update the company portal application on Android for work-enabled devices. Once the device is updated with the latest version of the company portal app, then open up the company portal app and go to settings – tap on the button “Enable Browser Settings.”
This action gives you a popup for Microsoft Work Account certificate installation; the user must select the cert and tap on the ALLOW button. This process is explained in the video tutorial at the top of this post.
Microsoft Work Account Certificate Installation
Once the managed browser has a certificate, the web applications opened in the managed browser can use the Microsoft work account cert. This allows the managed browser to securely open Conditional Access enabled internal web applications. As per my experience, the user doesn’t need to tap on the INSTALL button; rather, the user needs to tap on the ALLOW button to complete this configuration.
End USER Experience of CA enabled Web application Access
How do you deploy Microsoft Store for Business apps using Intune to Windows 10 or Windows 11 devices with Endpoint Manager? Microsoft Store for Business apps are part of your organization’s private store apps.
Only one way to deploy Store apps using Intune was a required deployment. Microsoft Store for Business apps can be deployed as “Available,” “Required,” or “Uninstall” apps to Windows 10 or Windows 11 devices.
On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device will remain until intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will no longer be available about a month later. Use New Store to Deploy New Microsoft Store Apps Type From Intune with Winget.
The logic behind NOT having an “available” deployment option is very understandable because the user doesn’t need an available deployment via Intune because the user always has private store access to install the apps manually.
Let’s check how to deploy the WhatsApp application from the Microsoft store to Windows 10/11 devices which are managed by Microsoft Endpoint Manager Intune.
Devices must be Azure AD Registered, or Azure AD joined to the same Azure AD tenant where you registered the MSfB for online app deployment.
Azure AD Global admin (or appropriate) access to create Applications to connect ConfigMgr site to Azure AD and MSfB
Decide between Offline and Online Applications using Intune
The MSfB supports two types of application licenses, and you should be very careful with the license type of the application you want to add. For Offline apps, devices don’t need to be Azure AD registered or hybrid Azure AD joined.
Online: Windows 10 devices must be Azure Active Directory (Azure AD)-joined or hybrid Azure AD-joined.
Offline: Devices don’t need to connect to the store or have a connection to the internet.
Search Store Applications from MSfB for Intune App Deployment
Let’s log in to the Microsoft Store for Business and start searching for the apps you want to add. Try to add WhatsApp to the private store and deploy it to Intune-managed Windows 10/11 devices.
NOTE! – Microsoft Store for Business will be retiring in the first quarter of 2023.
You have already found the required app (above section) – WhatsApp. Now let’s add those to the organization’s private store.
Click on any application – WhatsApp
Select License type: Offline
Click on Get the app
Once you click on Get the app button, the WhatsApp application has been purchased and added to your Microsoft private store.
Successfully added the app WhatsApp Beta to the private store.
This app will be available in the admin console after the next MSfB sync with Intune.
Click Close to continue.
Initiate a Manual Sync between Intune Portal and Microsoft Store for Business
Let’s initiate a manual sync between the Intune portal and Microsoft Store for Business. The scheduled sync happens every 24 hours, if I’m not mistaken.
Login to Endpoint.Microsoft.com
Navigate to Tenant Administration – Connectors and Tokens.
Enabling Microsoft Store for Business sync lets you access volume-purchased apps with Intune. There are two options, and this must always be ENABLED for this scenario.
First, you’ll need to sign up and associate your Microsoft Store for Business account with Intune (Open the business store).
Choose the language in which apps from the Microsoft Store for Business will be displayed in the Intune console Language:
Enable
Disable
Sync the apps you’ve purchased from the store with Intune. To reflect the newly purchased application called WhatsApp, you need to click on the SYNC button and wait for the sync to complete.
Deploy Microsoft Store App to Windows 11/10 using Intune
Let’s check how to Deploy Microsoft Store App to Windows 11/10 using Intune. Let’s head over to Apps and check for the WhatsApp Beta application.
Open Endpoint.Microsoft.com portal.
Navigate to All Apps and Search for WhatsApp.
Click on the WhatsApp application to start the deployment process. This is the normal Intune application deployment process. The application was already created automatically when you synced Intune and Microsoft Store for Business.
You can assign applications to at least one group. You can Click ‘Properties’ and then edit ‘Assignments’ to start the assignment.
I have deployed this as an available application to an Azure AD group of USERS.
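Because the microsoftStoreForBusinessApp type is going away, it is worth knowing which Store for Business apps you still have assigned and to whom. The following is an added example, not code from the original post, that uses the Microsoft.Graph PowerShell SDK to list every Microsoft Store for Business app in Intune together with its license type, assignment intents (required, available, uninstall) and target group IDs, and writes the result to a CSV for migration planning. The Graph endpoints and the app type name are the ones the post refers to; the output path is an assumption.

```powershell
# Added example (not part of the original post): inventory Microsoft Store for Business apps
# still held in Intune, with their assignments, ahead of the removal of the
# microsoftStoreForBusinessApp type. Assumes the Microsoft.Graph module; the CSV path is a placeholder.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementApps.Read.All"

function Get-GraphCollection {
    # Follows @odata.nextLink so that paged results are returned in full.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        if ($page.value) { $items += $page.value }
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

# All mobile apps, filtered client-side to the Store for Business type named in the post.
$msfbApps = Get-GraphCollection "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps" |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.microsoftStoreForBusinessApp' }

$report = foreach ($app in $msfbApps) {
    $assignments = Get-GraphCollection "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($app.id)/assignments"
    [pscustomobject]@{
        DisplayName  = $app.displayName
        Publisher    = $app.publisher
        LicenseType  = $app.licenseType                                         # online or offline, chosen in the store
        Intents      = ($assignments.intent | Sort-Object -Unique) -join ','    # required / available / uninstall
        TargetGroups = ($assignments.target.groupId | Where-Object { $_ }) -join ','  # empty for all-users/all-devices targets
        AppId        = $app.id
    }
}

$report | Sort-Object DisplayName | Format-Table -AutoSize
$report | Export-Csv -Path ".\msfb-apps-to-migrate.csv" -NoTypeInformation   # placeholder output path
```

Apps that show no intents are synced from the private store but never assigned, so they can simply be left to age out; the assigned ones are the set to recreate as the new Microsoft Store app type before the cutoff date given in the note above.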
Video Tutorial (Outdated one)
There are three sections in this post and in the video tutorial here:
Enable and Configure Windows Store for Business
Sync the applications and Deploy applications
End-User Experience of App installation on Windows 10 device
Enable and Configure Microsoft Store for Business
First, we need to sign up and associate the Microsoft Store for Business (MSfB) account with Intune. Accept the agreement and consent for Windows Store for Business.
Intune and Microsoft Store for Business Connection
To enable and configure Microsoft Store for Business, you need to open up Intune portal (Azure). Microsoft Intune – Mobile Apps- Windows Store for Business. Choose the language in which apps from the Windows Store for Business will be displayed in the Intune console.
Once signed up for the Windows store for business then, we need to set up a connection between Intune and Windows store for business. This is required to Deploy Windows Store Apps via Intune. Click on the Manage tab and select store setting.
Once you are in store settings, you could see there are three out-of-box connections already configured for deploying Windows store for business apps via MDM solutions. Airwatch, MobileIron Cloud, and Microsoft Intune are the three connections created. Click on Intune activate button to set up the connection between the store and Intune.
Sync the applications and Deploy applications via Intune
Once the Intune connection is activated, we need to shop for the apps and add them to the private store for your organization. It could take up to 24 hours for newly added apps to appear in the private store (it’s pretty fast nowadays; they are available within minutes). You can sync Intune to get the newly added apps into Intune.
We need to save the settings after the successful app sync.
Updated NOTE! – You can now login to the Microsoft Endpoint Manager Admin center and head over to Tenant Administration – Connectors and Tokens. You can click on the SYNC button to make the application available in Intune applications.
Login to Endpoint.Microsoft.com and Navigate to Tenant Administration – Connectors and Tokens.
After a successful connection, you would be able to see the following settings in Microsoft Store for Business.
How to Deploy Microsoft Store for Business App from Intune
Learn how to deploy a Microsoft Store for Business app from Intune. You will need to head over to the Apps – Windows node in the MEM admin center portal (Intune) to check application availability there. After the successful sync between Intune and Microsoft Store for Business, the Firefox browser app will be available in the MEM Intune portal.
Now you will need to select the Windows Store apps that you want to deploy to AAD user groups. We have only two options while deploying a Windows Store app via Intune, and those are REQUIRED and UNINSTALL.
So, there is no option to deploy Windows Store app as available deployment via Intune because the users already have access to Windows Private store.
End-User Experience of App installation on Windows 10 device
The end-user experience for Windows 10 1703 users is flawless. The deployment of the Windows Store app via Intune happened in the background, and the user came to know about the installation on his/her Windows 10 device only afterwards.
Is the SCCM Intune Facebook community growing strong? We’ve created SCCM and Intune pages/groups to share knowledge between SCCM and Intune professionals. I have created a video, as you can see above, to give a glance at the activities within each FB group and page.
Within SCCM Intune FB Community, we share information about personal experience, the latest updates, tricks, solutions, Hotfixes, and tips from community experts and Microsoft.
More than just sharing information, it has become the most efficient place for DISCUSSIONS of SCCM and Intune-related topics. This page and these groups have been very helpful to me personally because I don’t want to go and look at my RSS feed now and then to get updates from the IT world.
SCCM Intune Facebook Community is always fun, and very interactive and moreover, this type of community gives a personal touch. Real persons are interacting with each other with loads of authenticity.
SCCM Intune Facebook Community groups are the virtual community group for SCCM/ConfigMgr/Intune professionals.
In turn, these are the groups where we announce the “SCCM Intune User Group Event” and get feedback from the community.
Facebook groups are very interactive, and the design of the FB groups is very well suited for the IT Pro community. I’m a big fan of CLOSED groups as your posts in the closed group will be visible only to the members of that group.
Microsoft Endpoint Manager Intune Android Work apps user experience explained. The Android operating system has several variants, and fragmentation is very high. What are the reasons for this? With the open standards, every smartphone manufacturer has the freedom and the option to customize the operating system according to their preference.
So all the Android mobile device manufacturers grabbed the opportunity to push their own apps and tweaked versions of Android. So, what is the biggest problem I see with the Intune Android Work apps user experience? I will explain the details in this post. I have also explained the same in the above video.
There is no standard user experience: different mobile manufacturers like Samsung, Sony, and LetV have their own way of arranging Android Work applications. Once you have enabled Android for Work support, you can enroll the Android devices into Intune for management, as I explained in the post “How to Enroll Android for Work Supported Devices into Intune“.
Intune Android Work Apps User Experience
In this post, we will see what a good and a bad Intune Android for Work user experience looks like. I want to make it clear that there is not much Intune can do to improve the user experience, because this is an operating system capability, not an Intune one.
I have tested Intune Android for Work enrollment with the following devices like Nexus 6P, Sony, Samsung, etc. Intune Android Work Apps user experience is good for all the tested devices. However, the problem is the placement of badged applications on the devices.
Each Android mobile manufacturer has its own way of placing badged Android Work applications. I like it when a manufacturer places all the badged apps into a folder.
This is very useful for the user to switch from work applications to personal ones. If the manufacturer does not create a group for work applications after Intune Android for Work enrollment, it’s not a good user experience, from my testing.
As per my testing on several Android devices, I liked the Intune Android for Work user experience of Samsung and Google Nexus the most.
Initially, the Intune Android for Work enrollment experience with the Company Portal was not flawless. But with the latest version of the Intune Company Portal, the enrollment process has improved a lot. If you enroll the device with the latest Company Portal app, you don’t have to close the existing Company Portal app and open the Company Portal app for the work profile (with the badge/briefcase symbol) to continue the enrollment process.
The previous Android for Work enrollment process experience is explained in the video here.
I like Samsung and Google Nexus user experience because all the Android work applications are placed or stored in a separate WORK folder. The work folder helps users segregate their apps from work apps better.
That user experience is excellent. The Android Work apps user experience of Sony and LetV Android devices is not so good if you compare it with the UX of Samsung and Nexus.
The bad user experience is that those devices won’t create a separate folder for WORK apps. You can see the more detailed experience in the video tutorial in the first part of this post. The Intune Android Work apps user experience is explained in the above video.
SCCM Configuration Manager application creation, deployment and installation | ConfigMgr. SCCM CB application creation is the next step after the SCCM CB 1702 installation, SCCM CB AD discovery, and client installation.
The second step is SCCM CB application deployment, and the third step is the installation of the SCCM CB application on the clients. We will cover all these scenarios in this post. I have already documented all these steps in the video tutorial, which has more details about SCCM CB application creation (upload), deployment, and installation.
Application deployment is one of the features many corporate organizations are using to cater to their business requirements. In SCCM CB, we will have the option to create packages and deploy those SCCM packages. Yes, packages are required in some of the scenarios.
Apart from that, the packages are used to deploy old school win32 apps which got migrated to the SCCM CB environment from SCCM 2003/2007/2012. I would recommend taking advantage of SCCM CB applications rather than still using standard packages.
How to create/Upload SCCM Application – SCCM Configuration Manager Application Creation Deployment Installation | ConfigMgr
SCCM CB application creation is the first step in this process. The application can be created based on several types of installation files. These installation files range from Win32 MSI apps and EXEs to a wide range of mobile (MDM) apps.
The best-preferred installation type for Windows devices is MSI, and we are going to cover MSI app creation in this post. I have already shown in the video how to create a shared folder to store the application source.
The first point we need to make sure that the SCCM CB application source should be stored in a UNC path (\\ServerShare\Sources\).
If we don’t provide the UNC path as a source location for the MSI app source, you will get an error in the wizard as you can see in the video tutorial.
The SCCM CB application creation process will create metadata in the console, and it will create the related DB entries. Apart from this, the process will create a bundle of the files that this MSI installation requires for the complete installation of the application.
This bundle of files will be delivered to the SCCM content stores called DPs. The client will download it (if the deployment setting is to download the content from the DP) and install it. All of this process is covered in the video, and we will cover it in the following sections.
How to Deploy SCCM CB application and Content?
Once the SCCM CB application is created, and the app reference is there in the console then, we can go ahead and deploy the application content (the source files) to the content store servers (Distribution Points). The entire process is explained in the video tutorial above.
We can initiate the Distribute Content option to start the application source replication process to remote DPs. SCCM CB application content distribution is mandatory before we deploy the application to SCCM client devices or users.
Once the application content is distributed to the DPs then, we can deploy or schedule the application installation to the device collection or user collection. There are a couple of decisions you want to make before the start of the SCCM CB application deployment process.
The first one is to decide whether we should deploy apps to device collections. If we deploy to a device collection, all the users of that device will get the application, and there could be license implications as well. The second option is to deploy the application to a user collection.
From my perspective, this should be the default deployment practice if you don’t have any specific requirements to deploy apps to devices.
The other important point in SCCM CB application deployment is the application installation behavior. We have two options for the application installation behavior.
The first one is to empower the user experience by making the SCCM app AVAILABLE. In the available scenario, the application will be deployed to the user, and it will sit in the software center until the user initiates the installation from the software center app.
The second option is to deploy the application as REQUIRED and in this scenario, the application will automatically install on the device without any user intervention.
How to Install Application on End-User Device?
Once you deploy the application to the collection as mentioned in the video tutorial above, the SCCM client will check for the new policies at the next scheduled interval.
On schedule, the SCCM client will download the application source, and the installation will automatically start on the Windows device, as you can see in the video tutorial. The installation behavior setting is very important, and depending on that behavior the actual app install will kick off.
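The three steps described in this post (create the application from an MSI on a UNC share, distribute the content to the DPs, deploy it to a user collection as AVAILABLE) can be scripted with the ConfigMgr PowerShell cmdlets that ship with the console. The following is an added example, not code from the original post, that does exactly that and first checks the one rule the post calls out, that the source must be a UNC path. The site code, share path, DP group and collection names are placeholders to replace with your own.

```powershell
# Added example (not from the original post): the SCCM CB application workflow from this post,
# done with the ConfigMgr cmdlets instead of the console wizard. Assumes the ConfigMgr console
# is installed on this machine (it provides the module); every name below is a placeholder.
$siteCode       = "PS1"                                   # placeholder site code
$appName        = "7-Zip"                                 # placeholder application name
$msiPath        = "\\cmserver\Sources\Apps\7-Zip\7z.msi"  # placeholder; must be a UNC path
$dpGroupName    = "All DPs"                               # placeholder distribution point group
$userCollection = "All Users"                             # user collection, the post's preferred target

# Guard the rule the post calls out: the source must be a UNC path or the wizard/cmdlet fails.
$uri = [System.Uri]$msiPath
if (-not $uri.IsUnc) { throw "Application source '$msiPath' is not a UNC path." }
if (-not (Test-Path -LiteralPath $msiPath)) { throw "Source file '$msiPath' is not reachable from this host." }

# Load the ConfigMgr module from the console install folder and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) "ConfigurationManager.psd1")
Push-Location "$($siteCode):"

# Step 1: create the application metadata and an MSI deployment type whose content is the share.
New-CMApplication -Name $appName -Publisher "Placeholder Publisher" | Out-Null
Add-CMMsiDeploymentType -ApplicationName $appName -ContentLocation $msiPath `
    -DeploymentTypeName "$appName MSI" -InstallationBehaviorType InstallForSystem -Force | Out-Null

# Step 2: distribute the content bundle to the distribution points before any deployment.
Start-CMContentDistribution -ApplicationName $appName -DistributionPointGroupName $dpGroupName

# Step 3: deploy as AVAILABLE to a user collection; users start the install from Software Center.
New-CMApplicationDeployment -Name $appName -CollectionName $userCollection `
    -DeployAction Install -DeployPurpose Available -UserNotification DisplaySoftwareCenterOnly

Pop-Location
```

Change `-DeployPurpose Available` to `Required` for the second installation behavior described above, in which the client installs the application on its own at the next policy interval without the user touching Software Center.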
Windows 10 Azure AD join and automatic Intune enrollment using Microsoft Endpoint Manager Intune | Azure AD. In this post, I will share the experience of Windows 10 1703 (RS2) Azure AD join and automatic MDM (Intune) enrollment.
The above video tutorial shows the real-time experience of Windows 10 1703 Azure AD join and Intune auto-enrollment.
Windows 10 1703 is the latest version of the Windows 10 production build. This is also called the Redstone 2 (RS2) release. The Windows team has done great work to improve the Out Of Box Experience (OOBE) of Windows 10 1703. I have a previous post that explains the in-depth process of AADJ and MDM auto-enrollment, “How to Join Windows 10 1607 Machines to Domain or Azure AD“.
Sign in with Microsoft School or Work account is the first screen you will get in the Windows 10 1703 Azure AD join OOBE. There is also a note on the same screen that helps users select the account they want to use “Sign in with the username and password you use with Office 365 or business services from Microsoft”.
Yes, this is a generic kind of message. I think it would be more helpful if Microsoft could explain to the user to use their corporate account rather than using technical terms like office 365 and Business services from Microsoft.
Windows 10 1703 OOBE screen will give the user an option to choose a traditional domain join option. This will also allow the user to create a local user account and log in with that account. The Windows 10 1703 OOBE experience is improved a lot.
It will ask to connect to a Wi-Fi network, and it allows the user to connect to web-based authenticated Wi-Fi routers (not all? need to test this further). Once connected to the internet, it will check for the latest software updates available and install them.
Windows 10 Azure AD Join Experience?
Windows 10 1703 Azure AD join is an almost fully automated process once users enter their user name and password in the OOBE screen mentioned above. User input is required on only one particular screen, which is the screen for privacy settings.
Once the user is done with Windows 10 1703 privacy settings, the device will automatically log the user in with the user name and password entered earlier. Is it a new SSO for Windows 10 1703 Azure AD join? You can confirm the AAD join from the Settings – Accounts section in Windows 10 1703.
Windows 10 MDM Intune Auto Enrollment Experience
Once the Windows device is Azure AD joined, it should automatically get enrolled in Intune management. You should have enabled the MDM auto-enrollment option in your Azure AD to get this experience. In my experience with Windows 10 1703, I got the encryption policy popup from Intune compliance policy within a few minutes of the first login to the device.
The user can also check the Intune enrollment from the School or Work Account section in the Windows 10 Settings menu. There is a change in the GUI of the Windows 10 MDM stack with respect to School or Work account settings. There is no Manage tab in the Windows 10 work account added to the device. Don’t worry about that because that is a new design for Windows 10 1703. The Windows 10 work/school account setting has only two tabs: Info and Disconnect.
How do you manually sync or check for new Intune policies on a Windows 10 1703 device? The option is to click on Settings – Accounts – Access Work or School Account – Info – Sync. This will initiate an immediate policy sync with Intune services in the cloud. In turn, the user’s Windows 10 device will receive the latest policies from Intune.
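The same checks from the command line, as an added example that is not part of the original post: it reads the Azure AD join state from dsregcmd, lists the MDM enrollments the device holds, and kicks off the same sync that the Info – Sync button does. It assumes an elevated PowerShell session on the device, that Intune enrollments carry the ProviderID "MS DM Server" under HKLM:\SOFTWARE\Microsoft\Enrollments, and that the enrollment client's sync task is named "Schedule #3 created by enrollment client" (both are assumptions based on how the Windows MDM stack behaves, not from the post).

```powershell
# Added example (not from the original post): verify Azure AD join and Intune (MDM)
# enrollment on a Windows 10 device and trigger a policy sync.
# Assumptions: elevated session; registry layout and task name as described in the lead-in.

function Get-AadJoinState {
    # dsregcmd /status prints "Key : Value" lines; pick out the join-related ones.
    $lines = & dsregcmd.exe /status
    $state = [ordered]@{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'TenantName', 'DeviceId') {
        $line = $lines | Where-Object { $_ -match "^\s*$key\s*:\s*(.+)$" } | Select-Object -First 1
        $state[$key] = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'n/a' }
    }
    [pscustomobject]$state
}

function Get-MdmEnrollment {
    # Each enrollment is a GUID-named subkey; only keys that carry a ProviderID are real enrollments.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.ProviderID) {
                [pscustomobject]@{
                    EnrollmentId    = $_.PSChildName
                    ProviderID      = $p.ProviderID          # 'MS DM Server' for Intune (assumption)
                    EnrollmentState = $p.EnrollmentState     # 1 = enrolled (assumption from observed devices)
                    UPN             = $p.UPN
                    DiscoveryUrl    = $p.DiscoveryServiceFullURL
                }
            }
        }
}

function Start-MdmSync {
    # The enrollment client registers its tasks under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\;
    # starting "Schedule #3" is equivalent to pressing Sync in Settings (assumption).
    param([string]$EnrollmentId)
    $task = Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$EnrollmentId\" -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like 'Schedule #3 created by enrollment client*' }
    if ($task) { $task | Start-ScheduledTask; return $true }
    return $false
}

$join = Get-AadJoinState
$join | Format-List

$enrollments = Get-MdmEnrollment | Where-Object ProviderID -eq 'MS DM Server'
if ($join.AzureAdJoined -eq 'YES' -and -not $enrollments) {
    # Joined but not managed: the usual cause is the MDM user scope / auto-enrollment setting in Azure AD.
    Write-Warning 'Device is Azure AD joined but has no Intune enrollment; check MDM auto-enrollment in Azure AD.'
}
foreach ($e in $enrollments) {
    $e | Format-List
    if (Start-MdmSync -EnrollmentId $e.EnrollmentId) { "Sync started for enrollment $($e.EnrollmentId)" }
}
```

Run it right after the first login; if the join state says YES but no enrollment appears, the device never reached Intune, which is the case the post describes as "you should have enabled the MDM auto-enrollment option in your Azure AD".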
I have covered the installation of SCCM/ConfigMgr 1702 infrastructure in the previous post here. In this post, we are going to see the following: SCCM AD discovery and SCCM client installation.
1. How can we perform SCCM CB AD discovery (discover the devices and users from on-prem Active Directory)?
2. How can we manage the devices which are discovered from AD?
Discovery Methods: Configure the methods to discover resources. Client Push installation requires that resources must first be discovered.
NOTE! – I normally use Active Directory System Discovery and Active Directory User Discovery to find the resources (users and systems) from Active Directory.
How to Perform SCCM CB AD Discovery?
We need to enable Active Directory System Discovery to discover all the devices from on-prem AD. SCCM will collect all the system records from AD and create a record in SCCM CB. SCCM will create the system record only when the SCCM server can resolve the system’s DNS record to an IP address and is able to ping the system.
SCCM 2007 AD system discovery flowchart here. Adsysdis.log is the log file where you can find more details about the discovery. In the video tutorial above, you can see the troubleshooting details for when AD system discovery fails.
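Before enabling the discovery, it helps to know which AD computer objects will fail the two conditions named above (no DNS record, or no reply to ping), because those are the records that never show up in adsysdis.log as created. The script below is an added example, not part of the original post or of ConfigMgr itself; it assumes the RSAT ActiveDirectory module is installed on the machine you run it from, and the OU distinguished name is a constructed placeholder.

```powershell
# Added example (not from the original post): emulate the AD System Discovery
# pre-conditions (DNS lookup succeeds, host answers ping) for computer objects in an OU.
# Assumptions: RSAT ActiveDirectory module present; -SearchBase is a placeholder you replace.
param(
    [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example'   # constructed placeholder
)
Import-Module ActiveDirectory

function Test-DiscoveryCandidate {
    param([string]$ComputerName)
    $result = [ordered]@{
        ComputerName = $ComputerName
        DnsResolved  = $false
        IPAddress    = $null
        PingOk       = $false
    }
    try {
        # Same first step the site server takes: resolve the name to an address.
        $rec = Resolve-DnsName -Name $ComputerName -Type A -ErrorAction Stop |
            Where-Object { $_.IPAddress } | Select-Object -First 1
        if ($rec) { $result.DnsResolved = $true; $result.IPAddress = $rec.IPAddress }
    } catch { }
    if ($result.DnsResolved) {
        # Second step: the resolved address must answer ICMP.
        $result.PingOk = Test-Connection -ComputerName $result.IPAddress -Count 1 -Quiet -ErrorAction SilentlyContinue
    }
    [pscustomobject]$result
}

# Disabled computer objects are skipped here, as they are stale by definition.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties DNSHostName
$report = foreach ($c in $computers) {
    $name = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }
    Test-DiscoveryCandidate -ComputerName $name
}

# Objects with DnsResolved or PingOk = False are the ones discovery will not turn into DDRs.
$report | Sort-Object DnsResolved, PingOk | Format-Table -AutoSize
```

A large number of false rows usually points at stale computer accounts or at a firewall dropping ICMP from the site server, which are worth cleaning up before you read adsysdis.log for "missing" machines.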
SCCM AD User Discovery should be enabled when you want to deploy apps and policies to user-based collections. Adusrdis.log is the log file where you can find more details about SCCM AD User Discovery.
Another discovery that I enabled in my SCCM lab environment is “Active Directory Forest Discovery”, which is used to create the SCCM CB boundaries in your CB environment.
Pre Requisites Before Installing SCCM CB clients on devices?
So, now you can discover the devices, users, and AD Site Boundaries from on-prem AD. The next step is to manage these devices using SCCM infra.
The first thing I would perform is to create SCCM “Boundary Group” and add required boundaries to that particular boundary group. More details about the creation and assignment of Boundary groups are discussed in the above video tutorial.
Another important configuration that we need to take care of before trying to install SCCM CB clients on a discovered system is setting up “Network Access Account” and “Client Push Installation Account”.
SCCM Client Installation to manage AD Discovered Systems
To manage discovered systems from AD, we need to install the SCCM client software. There are loads of options to install the client on the discovered devices: you can use AD Group Policy to install SCCM CB clients, the client can be installed as part of the OSD process, or the client can be installed using the Client Push method. The client push installation is explained in the above video tutorial.
The client push method has some drawbacks, and it needs Admin$ access, etc… The best option is to use the AD group policy client installation method.
Resources
More about discovery methods for SCCM ConfigMgr CB here
Client installation methods in SCCM/ConfigMgr CB here
Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD? SCCM admins have to go through the AAD connect setup when they want to build Intune and SCCM hybrid lab.
AAD Connect is the app used for syncing On-Prem AD with Azure AD. AAD connect app can be installed on any of the server-class machines. AAD Connect sync operation is very critical for organizations.
If you are planning to sync the hash of your passwords to the cloud, then the configuration of the AAD connect setup is fairly straightforward. If you have specific and advanced AAD Connect setup requirements, you need to spend loads of time in the initial setup.
Introduction
AAD connect setup and configuration will install SQL Express DB and configure it. For big corporate organizations, we need to select the advanced settings. They may have custom attributes used in their sync process. These kinds of settings can be configured in advanced settings.
Also, there could be the possibility that the password hash is not synced and ADFS configuration has been used for authentication.
Azure AD AAD Connect Setup
But for my lab, I have selected “Express Settings” so that installation is very straightforward. During the configuration, you have to provide two credentials, AZURE AD and On-prem AD. To use on-premises credentials for Azure AD sign-in, UPN suffixes should match one of the verified custom domains in Azure AD.
I have changed the UPN suffixes of 4 on-prem AD users so that those on-prem AD users will get synced with Azure AD. The following high-level steps are completed in the AAD Connect setup and configuration wizard.
Install and Configure SQL Express DB
Install the synchronization engine
Configure Azure AD Connector
Configure On-Prem AD Connector
Enable Password Synchronization
Enable Auto Upgrade
Configure Azure AD Connect Health Agent for sync
Configure Synchronization services on the computer
End Results/Outcome of AAD Connect Sync
AAD Connect sync process will start after the AAD Connect setup and configuration. As you can see in the above screen capture, the configuration has been completed successfully on my On-prem AD server. To confirm whether the on-prem users/groups got synced with Azure AD, you can log in to portal.azure.com and confirm the user IDs.
All the users whose UPNs have been changed to SCCZ.Onmicrosoft.com have been replicated to Azure AD. They can use their on-prem AD user ID and password to log in to Azure AD and Office 365 services. You can check the user profile – Source attribute to confirm whether the user is synced via AAD Connect from the on-prem Active Directory.
You can sync on-prem user identities/attributes and passwords to Azure AD using Azure AD Connect. Azure AD Connect installation and configuration is very straightforward if we use express settings 🙂.
I have a video tutorial here that helps you understand the AAD connect configuration, How to enable MFA for Azure AD to join Windows 10 devices and Twitter app integration with Azure AD.
In this post, I will cover two other topics related to Azure AD (AAD) Sync.
Where is the Scheduled Task used to get created for Azure AD?
How to Create a service connection point in on-premises Active Directory?
Video Tutorial – How to Sync On-Prem AD User accounts With Azure AD
Windows 10 MDM devices can write back to on-prem AD. More details are available here. AAD Connect is mandatory for the write-back feature of Windows 10 devices.
Earlier versions of Azure AD Connect used Windows Task Scheduler to schedule the Azure AD sync of on-prem objects and attributes. The latest version of Azure AD Connect has a sync engine built in. Hence we won’t find a scheduled task for AAD Connect.
The new default synchronization frequency is 30 minutes. We can change the AD sync schedule using the PowerShell command “Get-ADSyncScheduler” and other parameters documented here.
I was having trouble creating a service connection point in on-premises Active Directory. This service connection point is used to “Connect domain-joined devices to Azure AD for Windows 10 experiences”. I followed the documentation here to configure the service connection points in on-prem AD but was getting stuck with PowerShell commands. I ran the PowerShell commands as per the above documentation, however, with no luck.
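The built-in scheduler mentioned above is driven entirely from the ADSync module. The block below is an added example, not from the original post, showing how to read the scheduler state, change the interval, pause it for maintenance, and force a delta cycle. It assumes you run it on the AAD Connect server as a member of the local ADSyncAdmins group; the cmdlets used are the ones shipped with Azure AD Connect.

```powershell
# Added example (not from the original post): inspect and adjust the built-in
# Azure AD Connect sync scheduler, then run a delta sync on demand.
# Assumption: run on the AAD Connect server as an ADSyncAdmins member.
Import-Module ADSync

# Shows SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval (30 minutes by default),
# NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC and whether a cycle is running.
Get-ADSyncScheduler

# Ask for a longer customised interval; the scheduler reports the value it actually
# applies in CurrentlyEffectiveSyncCycleInterval, so re-read it after setting.
Set-ADSyncScheduler -CustomizedSyncCycleInterval 01:00:00
(Get-ADSyncScheduler).CurrentlyEffectiveSyncCycleInterval

# Pause the scheduler before maintenance on the server, and re-enable it afterwards.
Set-ADSyncScheduler -SyncCycleEnabled $false
# ... maintenance ...
Set-ADSyncScheduler -SyncCycleEnabled $true

# Force a cycle now instead of waiting for the interval: Delta picks up changes since
# the last run; -PolicyType Initial would do a full import and sync instead.
Start-ADSyncSyncCycle -PolicyType Delta
```

Because password hash sync runs on its own, more frequent channel, changing the scheduler interval affects object and attribute sync but is not the knob for password propagation.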
After that, I installed the appropriate version of the Windows Azure Active Directory Module for Windows PowerShell. Then I tried to run the following PowerShell commands, which worked like a champ!
PS C:\Users\anoop\Desktop> Connect-MsolService
PS C:\Users\anoop\Desktop> Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
PS C:\Users\anoop\Desktop> Initialize-ADSyncDomainJoinedComputerSync
cmdlet Initialize-ADSyncDomainJoinedComputerSync at command pipeline position 1
Supply values for the following parameters:
AdConnectorAccount: nair\Anoop
AzureADCredentials
Initializing your Active Directory forest to sync Windows 10 domain joined computers to Azure AD.
Configuration Complete
This post is the New SCCM Server Installation Step by Step Guide that will cover end-to-end scenarios. SCCM team recently released the latest baseline version of the current branch.
Introduction
What is the importance of the baseline version? SCCM CB baseline version is the version you can download directly from Eval Center/MSDN/VLSC and install on a new SCCM server. Also, SCCM 1702 version can be used to upgrade SCCM 2012 infra. SCCM CB versions are getting updated via in-console servicing, and it gets to the latest version of SCCM.
Pre Requisite – Server Roles and Features
Pre Requisite – Installation of SQL 2014
Pre Requisite – ADK for Windows 10
Pre Requisite – AD Schema Extension
Install – SCCM/ConfigMgr Baseline version Standalone Primary
Prerequisites
You can’t install SCCM/ConfigMgr baseline version if your server’s OS is Windows 2008 R2 server. The minimum OS requirement for SCCM server installation is Windows Server 2012 and Later. More details here.
You need to make sure that you have a supported version of SQL installed on the server where you are planning to install the SCCM baseline version. SQL 2008 R2 SP3 is not supported, and it should have a minimum SQL 2012 R2.
IIS BITs .NET
Pre Requisite – Server Roles and Features (Video tutorial here)
I have added the following roles and features – IIS (for MP/DP), BITS (for MP), .NET Framework 3.5, Remote Differential Compression, and AD DS and AD LDS Tools. I didn’t add WSUS because I’m planning to add the SUP role later. But I would recommend adding the WSUS role if you are planning to install the SUP role on the primary server itself, or installing the WSUS console if you are planning to install the SUP role on a remote server.
Is .NET Framework 3.5 SP1 still required? Yes! On Server 2016, specify an alternate source path for .NET, D:\Sources\sxs, which is the location of the files required for the installation.
NOTE! – If you are getting this error “The request to add or remove features on the specified server failed.” Restart the server and give it a try with the alternate path “D:\Sources\sxs” and that is my experience on Windows server 2016.
Install SQL DB for SCCM Server
Pre Requisite – Installation of SQL 2014 (Video tutorial here)
I installed SQL 2014, and don’t worry about those “.NET” warnings. As you can see in the video tutorial for the SQL setup, I have selected only the following features, and I think these are the required ones for SCCM CB.
I installed SQL on the default instance, and the services configuration was done as you can see in the video tutorial for the ConfigMgr SCCM baseline version installation. Microsoft recommends using a separate account for each SQL Server service. However, I used the same account because this is my lab environment.
SQL Server Agent, SQL Server Database Engine, and SQL Server Reporting Services
I selected the required Collation for SCCM|ConfigMgr baseline version :- sql_latin1_general_cp1_ci_as
Install Windows ADK
Pre Requisite – ADK for Windows 10 (Video tutorial here)
Installed ADK for Windows 10 and during the installation, I selected only Deployment Tools, Windows Preinstallation Environment (Windows PE), and User State Migration Tools (USMT).
Pre Requisite – AD Schema Extension (Video tutorial here)
The AD schema has to be extended if you have not done the extension for previous versions of SCCM. AD schema extension is not mandatory, but my recommendation is to extend the schema to make SCCM management easy.
Extend AD Schema
Executed extadsch.exe from SCCM|ConfigMgr baseline version primary server. The user must have schema admin rights to complete the AD SCHEMA extension successfully. In the second part of this update, we need to Create a System Management container under systems using ADSIEDIT. The primary server should have full access to the System Management container.
Install New SCCM Server
SCCM Baseline version Installation (Video tutorial here)
The installation is straightforward once all the prerequisites are in place. Make sure you have already downloaded the pre-requisite file of the SCCM baseline version. Also, make sure you selected the online service connection point to have a better experience and automation.
References
Supported operating systems for SCCM Baseline Version servers – here
Site and site system prerequisites for SCCM Baseline Version – here
Supported OS versions for clients and devices for the SCCM Baseline version – here
Supported SQL Server versions for SCCM Baseline version – here
Let’s see how to configure Software Update Policy Rings in Intune MEM. How to Setup Windows 10 Software Update Policy Rings in Intune Endpoint Manager Portal?
Managing software updates for Windows 10 with Intune is straightforward, but there is a catch: you can’t expect the granular controls you have with SCCM/ConfigMgr. We need to configure the Windows software update policy and deploy that policy to Windows 10 devices.
Windows 10 devices will take the software updates directly from Microsoft Update services. Unlike SCCM, no need to download the software updates, create a package, and deploy it to the devices (as you can see in this video post here).
Intune Video tutorial to help to create Software updates rings for Windows 10
We have an out of box Software Update (Automatic Update) policy as part of Intune Silverlight portal configuration policy. I have noticed that this Out of box configuration policy stopped working in the last few months. Now, there are two options to control the behavior of Windows 10 updates and Windows servicing.
The first choice is to use custom policies in Intune Silverlight portal if your Silverlight portal is not yet migrated to the MEM portal. I have a post that talks about Intune Silverlight migration blockers here.
The second choice is to control Windows Update for business via the Software Updates button in Intune blade in the MEM portal. We will cover this in this post.
Basic Test Rings for Windows 10 Software Update
We may need to create at least two Windows 10 Software Update Policy Rings for your organization as a very basic requirement. One Windows 10 Update ring is for Windows 10 machines that are in the Current Branch (CB).
The second Windows 10 update ring is for Windows 10 machines that are in the Current Branch for Business (CBB). Windows 10 update rings would evolve as you progress with the testing and development for your organization. But this is the first stage of your testing of Software update deployments.
Windows 10 CB Update Ring - All the devices in Current Branch
Windows 10 CBB Update Ring - All the devices in Current Branch for Business
Pilot and Production Rings for Windows 10 or Windows 11 Servicing
Another recommendation would be to create different Windows 10 Software Update Policy Rings for deferrals of Windows 10 servicing branches CB and CBB. We can put a maximum of 30 days delay in Windows 10 software update rings. These two update rings would help with the latest Windows 10 CB/CBB servicing updates (e.g. upgrade from 1607 to 1703) with some pilot devices rather than deploy servicing updates to all the devices at the same time.
During the pilot testing of CB, if you find any problem with the upgrade and you don’t want to deploy the update to the CBB ring then, you have the option to PAUSE the updates for the production ring.
Pilot Windows 10 CBB Updates Ring - Pilot Servicing Ring for CBB
Production Windows 10 CBB Updates Ring - Production Servicing Ring for CBB
Pilot Windows 10 CB Updates Ring - Pilot Servicing Ring for CB
Production Windows 10 CB Updates Ring - Production Servicing Ring for CB
Pilot and Production Rings for Windows 10 or Windows 11 Monthly Security Patches
I would also recommend creating different Windows 10 Software Update Policy Rings for Windows 10 CBB and Windows 10 CB quality updates (monthly security and other patches). So, Windows 10 CBB machines will have a minimum of 2 rings.
One is for the pilot machines which are on Windows 10 CBB and the second ring is for the production machines which are on Windows 10 CBB. The same applies to Windows 10 CB devices, and the CB machines should also have two rings.
Pilot Windows 10 CB Quality Updates Ring - Monthly patch pilot ring
Production Windows 10 CB Quality Updates Ring - Monthly patch production ring
Pilot Windows 10 CBB Quality Updates Ring - Monthly patch pilot ring
Production Windows 10 CBB Quality Updates Ring - Monthly patch production ring
How to create advanced Windows 10 Software Update Rings?
There could be other complex scenarios of Windows 10 Software Update Policy Rings. These rings could depend purely on the requirements of each region or business group of your organization. Some of the other important options you have in Windows 10 Software Update Policy Rings are:-
Windows 10 automatic update behavior – how you want to perform the scan, download, and install of updates, and the scheduling options for Windows updates.
Whether you want to update Windows 10 drivers as part of your patch deployment rings or not.
What kind of Delivery Optimization (the in-built caching solution in Windows 10) you want to use.
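Once a ring is assigned, the only reliable way to know which deferral, branch, pause and driver settings a given machine actually received is to read them back on the device. The script below is an added example, not from the original post, that does that. It assumes the MDM policies an update ring delivers are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update with the Update CSP policy names (BranchReadinessLevel, DeferFeatureUpdatesPeriodInDays, and so on), and that Delivery Optimization mode lands under the DeliveryOptimization policy area as DODownloadMode; both paths are assumptions about how the Windows policy manager stores MDM policy, not something stated in the post.

```powershell
# Added example (not from the original post): read back the update-ring policy
# a Windows 10 device received from Intune, to confirm which ring it landed in.
# Assumptions: policy mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\...
# using Update CSP / DeliveryOptimization CSP value names.
function Get-UpdateRingState {
    $updatePath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    $doPath     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization'

    if (-not (Test-Path $updatePath)) {
        # No Update policy at all: the device is not in any ring (or has not synced yet).
        return $null
    }
    $u  = Get-ItemProperty -Path $updatePath
    $do = if (Test-Path $doPath) { Get-ItemProperty -Path $doPath } else { $null }

    # Update/BranchReadinessLevel values (Update CSP): 16 = CB / Semi-Annual Channel (Targeted),
    # 32 = CBB / Semi-Annual Channel; lower values are Insider rings.
    $branch = switch ($u.BranchReadinessLevel) {
        16      { 'Current Branch (CB)' }
        32      { 'Current Branch for Business (CBB)' }
        default { "Other/Insider ($($u.BranchReadinessLevel))" }
    }

    [pscustomobject]@{
        Branch               = $branch
        FeatureDeferralDays  = $u.DeferFeatureUpdatesPeriodInDays
        QualityDeferralDays  = $u.DeferQualityUpdatesPeriodInDays
        FeatureUpdatesPaused = [bool]$u.PauseFeatureUpdates
        QualityUpdatesPaused = [bool]$u.PauseQualityUpdates
        AutoUpdateMode       = $u.AllowAutoUpdate                    # Update/AllowAutoUpdate 0-5
        DriversExcluded      = [bool]$u.ExcludeWUDriversInQualityUpdate
        DODownloadMode       = if ($do) { $do.DODownloadMode } else { 'not set' }
    }
}

$ring = Get-UpdateRingState
if ($null -eq $ring) {
    Write-Warning 'No Update policy found on this device: it is not in a software update ring yet.'
} else {
    $ring | Format-List
    # A device meant for the production ring that shows the pilot ring's deferrals is the
    # overlap case the post describes (no exclusion groups yet), so flag it explicitly.
    if ($ring.FeatureUpdatesPaused -or $ring.QualityUpdatesPaused) {
        'This device is currently paused; updates will resume when the ring is un-paused.'
    }
}
```

Comparing the output from a pilot device and a production device side by side is the quickest way to spot a machine that is a member of both groups and is therefore getting the pilot deferrals by accident.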
Deployment – Assignment of Windows 10 Software Update Rings
Windows 10 Software Update Policy Ring deployments/assignments are very critical decisions to make. I would recommend using dynamic device groups wherever possible, but at the moment this is not possible for all the scenarios. I think, in some scenarios, we need to use static device/user groups. I hope, Microsoft will come up with exclusion group options for assignments (similar to AAD Conditional Access policies).
The exclusion groups would be really useful in Software Update ring deployment scenarios. For example, you want to exclude pilot devices from the production software update ring deployments. At this point, it’s not possible without exclusion options.
SCCM CB Nested Task Sequence PS Detection Method Configuration Manager ConfigMgr | Endpoint Manager? SCCM/ConfigMgr preview release 1704 has loads of interesting and exciting features.
I have covered all the installation steps and new features in the video embedded in this post. First of all, I could see some differences in the Updates and Servicing of SCCM CB.
ConfigMgr CB 1704 preview version was available (available to download) in the console, but it didn’t start the download of the 1704 update. I think it may start automatic download after 24 hours. But, I have not tested it.
Video tutorial to demonstrate SCCM 1704 upgrade and list of new features
As you can see in the SCCM video tutorial, I started the download of the preview version just by right-clicking on the available update in the console. You can also check the status of the download via the DMPDOWNLOADER.log file.
If you can’t see the latest update of SCCM CB in the console, you can refer to the following post to get more details and troubleshooting help here.
Following are the stages of the in-console upgrade of the SCCM CB preview:-
Available to Download
Downloading
Ready to Install
Checking Prerequisites
Installing
Console Upgrade
Nested Task Sequence PS Detection Method
Most of the SCCM admins are waiting for one feature called nested Task Sequence. With the latest SCCM preview version 1704, we can create a parent-child relationship within the task sequence. This will help you to nest/call a task sequence within another task sequence.
This feature should be used very carefully; otherwise, it could become very complex. I wanted to see how complex Task Sequence troubleshooting will evolve with the introduction of nesting of TS.
I have also seen that SMSTS.log logging has improved in the SCCM CB preview version. More details here.
A PowerShell script can be used as the detection method script for deployment types with SCCM CB preview version 1704. A PowerShell script can be used to detect the application. We have 3 script types (1. PowerShell, 2. VBScript, and 3. JavaScript) for detecting the application as part of the deployment type.
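A script detection method only works if it follows the client's contract: exit code 0 with something written to STDOUT means "installed", exit code 0 with empty STDOUT means "not installed", and a non-zero exit code or anything on STDERR is treated as a detection error. The script below is an added example of such a detection script, not from the original post or from ConfigMgr's own samples; the application display name and minimum version are constructed placeholders that you would replace with the real product.

```powershell
# Added example (not from the original post): a PowerShell detection script for a
# ConfigMgr application deployment type. Contract: exit 0 + STDOUT text = installed,
# exit 0 + no output = not installed. Never write to STDERR from a detection script.
# Assumptions: DisplayName pattern and minimum version below are placeholders.
$DisplayNamePattern = '^Contoso Agent'          # constructed placeholder
$MinimumVersion     = [version]'2.5.0'          # constructed placeholder

# Check both native and WOW6432Node uninstall hives so 32-bit installs on x64 are found.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$matches = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $DisplayNamePattern -and $_.DisplayVersion } |
    ForEach-Object {
        # Vendors sometimes put non-numeric text in DisplayVersion; treat those as not comparable.
        try { [version]$_.DisplayVersion } catch { $null }
    } |
    Where-Object { $_ -and $_ -ge $MinimumVersion }

if ($matches) {
    # Any STDOUT text is enough; the version is just useful in AppDiscovery.log.
    $best = $matches | Sort-Object -Descending | Select-Object -First 1
    Write-Output "Installed: version $best"
}

# Fall through silently when nothing matched: empty STDOUT + exit 0 = not installed,
# which makes the client run the install (or report failure after install).
exit 0
```

Keep the version comparison as a real [version] compare rather than a string compare, because "10.0" sorts below "9.0" as text and a detection method that gets this wrong will loop reinstalls on every evaluation cycle.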
Android for Work applications can be configured automatically with the JSON file upload option in SCCM/ConfigMgr CB preview version 1704. The option of Android for Work App configurations with complex properties list using JSON file is very useful for configuring A4W apps.
I have not seen this option in the Intune stand-alone version, so this is very nice for hybrid customers once this comes into the production version.
SCCM Preview version 1704 comes with loads of new features. However, I have noticed not many changes in the MDM channel configuration policies for iOS and Android devices. Moreover, there are not many new additions in terms of compliance policies in SCCM CB Preview version 1704.
PowerShell: How to add enhanced detection methods to deployment types (1704 TP) here
How to Plan Design Intune Compliance Policy for Android Devices | Microsoft Endpoint Manager | Intune? This post will provide more details about planning and implementing the Intune compliance policy for Android devices. Intune compliance policies are the first step of the protection before giving access to corporate apps and data.
It’s very important to plan and design compliance policies for Android devices as Android is more vulnerable than other operating systems.
Compliance policy rules might include using a password/PIN to access devices and encrypting data stored on devices. This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.
Update:- When you use or support Android for Work enrollment, select the platform like Android for Work in a compliance policy. Otherwise, the compliance policies will evaluate your Android devices and say this policy is not applicable for Android for Work enrolled devices.
Video
Check out the video tutorial to setup Intune compliance policies for Android – here
Intune Compliance policy setup for Windows 10 Devices here
Intune Compliance policy setup for iOS Devices here
How to setup Android Device compliance policy
1. Sign in to the Endpoint Manager portal with an account that has Intune admin access.
2. Select More services, enter Intune in the text box, and then select Enter.
3. Select Intune – Device Compliance – Compliance – Policies – and Click on the +Create policy button to create a new compliance policy and select the platform as “Android”.
4. Settings configurations are really important for compliance policy. There are some improvements in Azure portal Android compliance policies. There are three categories in Android compliance policies and those are Device Health, Device Properties, and System Security.
5. Device Health is the setting where the compliance engine will check whether Android devices are reported as healthy. The device health attestation service has loads of checks, including TPM 2.0, BitLocker encryption, etc.
6. Device Properties is the setting where Intune Admins define minimum and maximum versions of operating system details for the corporate application access. I would keep the minimum version as Android version 6 wherever possible.
Operating System Version
Minimum Android OS version
Maximum Android OS version
7. System Security is the setting where Intune Admins define password policies for Android devices. There are 3 sections in these settings – Password, Encryption, and Device Security.
Password Compliance Policy for Android – I would require a complex alphanumeric password for Android devices and configure all of the following settings.
Require a password to unlock mobile devices
Minimum password length
Required password type
Maximum minutes of inactivity before the password is required
Password expiration (days)
Number of previous passwords to prevent reuse
Encryption Compliance policy for Android – Encryption should be enabled as a must in your Android compliance policy for Android devices.
Encryption of data storage on the device
Device Security Compliance policy for Android – Block apps from unknown sources and Block USB debugging on Android devices policies are important and should be enabled.
Block apps from unknown sources
Require threat scan on apps
Block USB debugging on the device
Minimum security patch level
8. Deploy the Android compliance policy to the All Android devices dynamic device group (Update: device groups are not supported for compliance policies – hence use user groups for Intune compliance policies). Click on Assignment and select the dynamic device group.
I would use AAD dynamic device groups to deploy compliance policies rather than AAD user groups.
How to Setup Intune Compliance Policy for Windows 10 Devices | Microsoft Endpoint Manager | MEM Powered? In this post, we will see how to set up Intune Compliance Policy for Windows 10. Managing Windows 10 devices is very critical in modern device management.
Intune compliance policies are the first step of the protection before providing access to corporate applications.
Intune Compliance Policy for Windows 10 is to help to protect company data; the organization needs to make sure that the devices used to access company apps and data comply with certain rules. These rules might include using a password/PIN to access devices and encrypting data stored on devices.
This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.
Video
Check out the video tutorial to setup Intune compliance policies for Windows 10 – here
Intune Compliance policy setup for Android Devices here
Intune Compliance policy setup for iOS Devices here
How to set up Intune Compliance Policy for Windows 10 in the Microsoft endpoint Manager portal?
1. Sign in to the MEM portal with an account that has Intune admin access.
2. Select More services, enter Intune in the text box, and then select Enter.
3. Select Intune – Device Compliance – Compliance – Policies – and Click on the +Create policy button to create a new compliance policy and select the platform as “Windows 10”.
4. The settings configuration is the most important part of a compliance policy. There are some improvements in the Azure portal Windows 10 compliance policies.
There are 3 categories in Windows 10 compliance policies: Device Health, Device Properties, and System Security.
5. Device Health is the setting where the compliance engine checks whether Windows 10 devices are reported as healthy by the Windows Device Health Attestation Service (HAS). The device health attestation service includes many checks, such as TPM 2.0 (for the latest build of Windows 10 the requirement is TPM 1.0), BitLocker encryption, etc.
6. Device Properties is the setting where Intune Admins define the minimum and maximum operating system versions allowed for corporate application access. The settings under Operating System Version are:
Minimum OS version
Maximum OS version
Minimum OS version for mobile devices
Maximum OS version for mobile devices
7. System Security is the setting where Intune Admins define password policies for Windows devices. There are 2 sections in these settings: Password and Encryption.
Password Policy – We don’t need to set the Windows password policy here if you are already using “Windows Hello for Business.” The password settings are:
Require a password to unlock mobile devices
Simple passwords
Password type (Device default, Alphanumeric, or Numeric)
Minimum password length
Maximum minutes of inactivity before the password is required
Password expiration (days)
Number of previous passwords to prevent reuse
Require a password when the device returns from an idle state (mobile only)
Encryption – If you have enabled HAS in the above policy, you don’t need to enable this encryption policy. The encryption setting is:
Encryption of data storage on a device
8. Deploy the Windows 10 compliance policy to the All Windows devices dynamic device group.
(Update: Device groups are not supported for compliance policies – hence use user groups for Intune compliance policies.)
Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups to deploy compliance policies rather than AAD user groups.
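The same policy can be created and assigned without clicking through the portal. The script below is an added example (not code from the original post or from Microsoft) that builds the Windows 10 compliance policy with the Device Health, Device Properties and System Security settings described in steps 5 to 8 and pushes it through Microsoft Graph; it assumes the Microsoft.Graph PowerShell module is installed, the sample OS version and password values are your own, and the group object id placeholder is replaced.

```powershell
# Added example: create the Windows 10 compliance policy via Microsoft Graph and assign it.
# Assumptions: Microsoft.Graph module installed; $GroupId replaced with your AAD group object id.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$GroupId = "<your-aad-group-object-id>"   # placeholder, replace before running

$policy = @{
    "@odata.type"              = "#microsoft.graph.windows10CompliancePolicy"
    displayName                = "Windows 10 Compliance Policy"
    description                = "Device Health, Device Properties and System Security"
    # Device Health: require a healthy report from the Health Attestation Service (HAS)
    requireHealthyDeviceReport = $true
    # Device Properties: minimum OS version allowed for corporate app access (sample value)
    osMinimumVersion           = "10.0.19044"
    # System Security / Password: skip this section if Windows Hello for Business is in use
    passwordRequired                      = $true
    passwordBlockSimple                   = $true
    passwordRequiredType                  = "alphanumeric"   # deviceDefault | alphanumeric | numeric
    passwordMinimumLength                 = 8
    passwordMinutesOfInactivityBeforeLock = 15
    passwordExpirationDays                = 90
    passwordPreviousPasswordBlockCount    = 5
    passwordRequiredToUnlockFromIdle      = $true
    # System Security / Encryption: redundant when HAS is required, so left off as the post advises
    storageRequireEncryption   = $false
    # Graph requires at least one scheduled action (what happens when a device is noncompliant)
    scheduledActionsForRule    = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}

# Create the policy; the response hashtable carries the new policy id
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign the policy to the chosen AAD group (device or user group, see the update note above)
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

Review the created policy in the portal under Devices – Compliance policies before relying on it with Conditional Access, since a wrong minimum OS version will block every device below that build.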
