Recently Microsoft released a couple of blog posts about The Path to Modernizing Windows Management and about Clear & Simple Guidance: When ConfigMgr and Intune should be used with Windows 10, which should be really helpful with deciding how to managing the Windows 10 devices within an organization. I would really recommend everybody to read those posts. This blog post will not be directly related, but will continue on a more detailed level about the options for conditional access and Windows 10 devices.
In this blog post I will provide nice tables of the different compliance rules, for Windows 10 devices, that are currently available for Microsoft Intune standalone and Microsoft Intune hybrid. In those tables I’ll show the different management scenarios and the currently available applicable compliance rules.
Overview
Before I’ll start with the overview, it’s good to provide a short explanation about the distinction between the conditional access policy and the compliance policy.
The conditional access policy is a required configuration to enable conditional access on a particular service and to help secure access to that particular service. In the conditional access policy, the targeted platforms and the targeted users of devices are configured. Also, important for Windows 10 devices, in the conditional access policy it is possible to determine if Windows 10 devices must be compliant or domain joined.
The compliance policies, on the other hand, are optional additional rules that can evaluate settings like PIN and encryption. The devices of targeted users must be compliant to those additional rules. When there are no compliance policies deployed, the device will automatically be evaluated as compliant.
Microsoft Intune standalone
Now let’s start with the overview of available compliance rules in Microsoft Intune standalone. In Microsoft Intune standalone, a Windows 10 device can be managed by the Microsoft Intune client and it can be enrolled as a mobile device. Those two options will be mentioned in the following overview table. Spoiler, there are no compliance rules available for the Microsoft Intune client. That makes being domain joined the only additional configuration for those devices.
| Intune client | MDM | |
| Allow simple passwords | N/A | Yes (Mobile only) |
| Maximum Windows Phone or Windows 10 Mobile version | N/A | Yes (Mobile only) |
| Maximum Windows version | N/A | Yes (Desktop only) |
| Minutes of inactivity before password is required | N/A | Yes |
| Minimum password length | N/A | Yes |
| Minimum Windows Phone or Windows 10 Mobile version | N/A | Yes (Mobile only) |
| Minimum Windows version | N/A | Yes (Desktop only) |
| Require a password to unlock an idle device | N/A | Yes (Mobile only) |
| Password expiration | N/A | Yes |
| Remember password history – Prevent reuse of previous passwords | N/A | Yes |
| Required password type – Minimum number of character sets | N/A | Yes |
| Require a password to unlock mobile devices | N/A | Yes (Mobile only) |
| Require devices to be reported as healthy | N/A | Yes |
| Require encryption on mobile device | N/A | Yes |
Microsoft Intune hybrid
Let’s continue with the overview of available compliance rules in Microsoft Intune hybrid. In Microsoft Intune hybrid, a Windows 10 device can be managed by the Microsoft Intune client, the ConfigMgr client and it can be enrolled as a mobile device. Those three options will be mentioned in the following overview table. Spoiler, there are no compliance rules available for the Microsoft Intune client. That makes being domain joined the only additional configuration for those devices.
| Intune client | ConfigMgr client | MDM | |
| All required updates installed with a deadline older than X days | N/A | Yes | N/A |
| Allow simple passwords | N/A | N/A | Yes (Mobile only) |
| File encryption on mobile device | N/A | N/A | Yes |
| Maximum operating system version | N/a | N/A | Yes |
| Minimum classification of required updates | N/A | N/A | Yes |
| Minimum operating system version | N/A | N/A | Yes |
| Minimum password length | N/A | N/A | Yes |
| Minutes of inactivity before password is required | N/A | N/A | Yes |
| Require a password to unlock an idle device | N/A | N/A | Yes (Mobile only) |
| Reported as healthy by Health Attestation Service | N/A | N/A | Yes |
| Require Antimalware | N/A | Yes | N/A |
| Require BitLocker drive encryption | N/A | Yes | N/A |
| Require password settings on mobile devices | N/A | N/A | Yes |
| Require registration in Azure Active Directory | N/A | Yes | N/A |
More information
For information about about conditional for Windows 10 devices with Microsoft Intune standalone or Microsoft Intune hybrid, please refer to:
- Manage device compliance policies in System Center Configuration Manager: https://technet.microsoft.com/en-us/library/mt629503.aspx
- Manage device compliance policies for Microsoft Intune: https://technet.microsoft.com/en-us/library/dn705843.aspx
- Manage access to O365 services for PCs managed by System Center Configuration Manager: https://technet.microsoft.com/en-us/library/mt691743
- Manage access to services in System Center Configuration Manager: https://technet.microsoft.com/en-us/library/mt628518.aspx
- Manage access to email and SharePoint with Microsoft Intune: https://technet.microsoft.com/en-us/library/dn818907.aspx
Hello Peter,
currently I am having PIN issues with my Windows 10 Mobile devices which have been enrolled in Intune Hybrid current branch. Every user needs to enter a 6-digit password, not a 4-digit PIN lock code (which is set via baseline). Any ideas? Thanks
Hi Mike,
Could it be that you’re using different requirements in the Compliance Policy?
Regards,
Peter
Hi Peter,
thanks for your response.
No Compliance policy states the same!
I found out that the issue may be caused by the new feature Windows Hello for Business – which is configured on the Intune Subscription.
Regards,
Mike
That sounds familiar to behavior I’ve seen recently.
Have you tried the settings under Admin/Mobile Device Management/Windows/Passport for Work ?
This will overwrite all the “policy settings” if the device is enrolled into Azure AD or a domain and has a default of 6 numbers.
Thank you for the information Andreas. Yes, I’ve recently seen the same behavior.
Hi Peter,
Wanneer je je (stand-alone) Windows 10 laptops dus beheerd door de Intune client te installeren, is er geen mogelijkheid om deze compliant te krijgen en dus de nieuwe Conditional Access policies te gebruiken (vanuit de Azure Portal onder Azure AD)? Of je moet alleen genoegen nemen met MFA.
Bedankt,
Peter
Hi Peter,
Dat is correct. Die intelligentie kun je alleen via MDM en/of ConfigMgr krijgen.
Peter