This week is all about a small new feature for Windows 10 devices that was introduced with the latest service release of Microsoft Intune. That new feature is the ability to find lost or stolen Windows 10 devices. Starting with the 2104 service release of Microsoft Intune, the Locate device remote device action – already available for supervised iOS and iPadOS devices – also becomes available for Windows 10 devices. That enables IT administrators to find lost or stolen Windows 10 devices. This post starts by going through the information about the new remote action, including the implications, followed by the steps for configuring the privacy settings. This post ends by showing the IT administrator and user experience.
Introduction to the location service and privacy
The location service in Windows 10 is used for providing apps, features and services with information about where the device is and where the device has been. Access to that information is desirable – and sometimes even required – for the full functionality of some apps and services. That access can be used for something as simple as localized advertisements, or something more advanced such as maps to the closest stores. Even certain Windows features – like Find my device and the automatic time zone configuration – rely on access to that information to function properly. Access to that information is either configured manually by the user, or enforced automatically by the IT administrator. The location information itself is stored on the device for only a limited time of 24 hours.
The location service uses a combination of the Global Positioning System (GPS), nearby wireless access points, cell towers, and the IP address to determine the location of the device. The accuracy of that location depends on the available capabilities of the device. The location information is also shared with Microsoft to improve the location service. In that case the location information is first de-identified (i.e. the personally identifiable information is removed). Besides Windows itself having access to the location information, it’s also possible to give third-party apps access to that information. That, however, is only applicable when those apps are available via the Microsoft Store, or when the app was developed to respect the Windows location settings. It’s still possible for a third-party developer to create an app that doesn’t rely on the information of the location service. The developer could use other signals – like Bluetooth and Wi-Fi – to determine the location of the device. In that case, the configuration of the device location settings has no impact on that app.
Configuring the settings catalog profile to enable access to the location service on Windows 10 devices
The usage of the location service requires that apps are allowed access to the location data. By default, that is configurable by the user. That can be configured by the user during the out-of-the-box experience, or later via the Settings app (via Privacy > Location). Besides that, it’s also possible for the IT administrator to enforce the required configuration on Windows devices. The required setting is available via the Privacy CSP as an ADMX-backed policy. That means that it can be configured by using a custom configuration profile, or by using the new settings catalog. The settings catalog is the preferred route, as it contains the same setting and it’s configurable via the UI. The following eight steps walk through the creation of that profile with the required setting.
Important: Before applying this configuration, make sure that this configuration is compliant with the local privacy laws and regulations.
- Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create profile
- On the Create a profile blade, provide the following information and click Create
  - Platform: Select Windows 10 and later to create a profile for Windows 10 devices
  - Profile: Select Settings catalog to select the required setting from the catalog
- On the Basics page, provide the following information and click Next
  - Name: Provide a name for the profile to distinguish it from other similar profiles
  - Description: (Optional) Provide a description for the profile to further differentiate profiles
  - Platform: (Pre-selected) Windows 10 and later
- On the Configuration settings page, as shown below in Figure 1, perform the following actions
  - Click Add settings and perform the following in the Settings picker
    - Select the Privacy category
    - Select the Let Apps Access Location setting
  - Select Force allow as the value of the Let Apps Access Location setting and click Next
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment and click Next
- On the Review + create page, verify the configuration and click Create
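To verify on a device that the settings catalog profile actually landed (for example when the portal reports the setting as not applicable), the following PowerShell script can be run locally. It is an added example, not part of the original post, and assumes the registry locations that the ADMX-backed Privacy CSP policy and the Windows privacy settings write to, as noted in the comments.

```powershell
# Added example (not from the original post): reports whether the Let Apps Access Location
# policy has been applied on this Windows 10 device and what the resulting consent state is.
# Assumed registry locations:
#   policy (written by the ADMX-backed Privacy CSP policy): HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy
#   consent (toggled by the user under Privacy > Location): ...\CapabilityAccessManager\ConsentStore\location
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
$consentKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location'

# Meaning of the LetAppsAccessLocation DWORD (assumed mapping of the ADMX values)
$policyMeaning = @{ 0 = 'User in control'; 1 = 'Force allow'; 2 = 'Force deny' }

function Get-LocationPolicyState {
    $policy = Get-ItemProperty -Path $policyKey -Name 'LetAppsAccessLocation' -ErrorAction SilentlyContinue
    if ($null -eq $policy) {
        return 'Policy: not applied (no LetAppsAccessLocation value present, user is in control)'
    }
    $v = [int]$policy.LetAppsAccessLocation
    $meaning = if ($policyMeaning.ContainsKey($v)) { $policyMeaning[$v] } else { "Unknown ($v)" }
    return "Policy: LetAppsAccessLocation = $v ($meaning)"
}

function Get-LocationConsentState {
    # Device-wide location consent as shown in the Settings app
    $consent = Get-ItemProperty -Path $consentKey -Name 'Value' -ErrorAction SilentlyContinue
    if ($null -eq $consent) { return 'Consent store: location value not present' }
    return "Consent store: location = $($consent.Value)"
}

function Get-LocationPerAppLists {
    # Optional per-app allow/deny lists that the same policy can carry (assumed value names, REG_MULTI_SZ)
    $lists = 'LetAppsAccessLocation_ForceAllowTheseApps',
             'LetAppsAccessLocation_ForceDenyTheseApps',
             'LetAppsAccessLocation_UserInControlOfTheseApps'
    foreach ($list in $lists) {
        $entry = Get-ItemProperty -Path $policyKey -Name $list -ErrorAction SilentlyContinue
        if ($null -ne $entry) { '{0}: {1}' -f $list, ($entry.$list -join ', ') }
    }
}

Get-LocationPolicyState
Get-LocationConsentState
Get-LocationPerAppLists
```

A device that reports the policy as Force allow but has no consent store entry has not yet applied the change; a policy value of 0 or a missing value means the user is still in control and the Locate device action will depend on what the user chose.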
Performing the remote action to locate Windows 10 devices
Once access to the location of the device is enabled, it’s possible for the IT administrator to actually locate that device. That can be achieved by using a remote action. The following three steps walk through triggering the remote action to locate the Windows device.
Important: Before locating the device, make sure that this action is compliant with the local privacy laws and regulations.
- Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows > Windows devices
- Select the Windows device to locate and in the Overview click Locate device
- On the Locate device dialog box, read the message “Before you continue, make sure you’re following local laws and regulations around receiving location data. Once received, the location data is visible in Intune for 24 hours. Request device location?” and click Yes to actually locate the device
Experience with locating Windows 10 devices
The experience with locating Windows 10 devices is interesting to look at, for both the user and the IT administrator. Once the provided configuration is applied, the user will receive the information and behavior as shown below on the left in Figure 3. Access to the location information of the device is turned on and the user can’t adjust it anymore. Once the IT administrator triggers the remote action to locate the device, the user will receive a message about that action. That message simply states that the organization accessed the location of the device and is shown below on the right in Figure 3.
The information that the device action was performed is also stored in Microsoft Intune and is available in the Device actions status overview of the device. Besides that, the information that the device action was performed is also stored in the Audit logs. That means that it’s always possible to find out who triggered the device action. After the IT administrator has triggered the remote action to locate the missing or stolen device, a Bing map will be shown in the Microsoft Endpoint Manager admin center. An example is shown below in Figure 4. That Bing map can be viewed in Road (i.e. a standard road map), in Aerial (i.e. a detailed look from above), or in Bird’s eye (i.e. a better angle of aerial photography), and it’s possible to zoom in or out.
Note: This example was not completely accurate, but at least the correct city was shown.
For more information about the location service and the Locate device action, refer to the Microsoft docs.
16 thoughts on “Locating lost or stolen Windows 10 devices”
My personal experience was off by a few hundred miles! Clearly misled by the network setup of the ISP. Hopefully it will be modified to use the precise location in the future…
The accuracy does depend on the available signals on the device. With my test devices (without GPS, or LTE) I was at least in the correct city at about 5km of the exact location.
So I am looking at my Endpoint and the configuration settings and I do not see ‘Privacy’ as an option in either Computer or User. Searching for “Let Apps Access Location” returns no items. Is there a specific license level you have to be at for this to work?
Could it be that a configuration profile is in place that removes the Privacy settings from the Settings app?
Could this also be used to set the TimeZone based on the device location?
What exactly are you referring to with “this”?
Since right now it seems like there isn’t a way to set the time zone based on the user’s location outside of using Azure Maps and a PowerShell script. If all of the employees were in the same time zone this wouldn’t be an issue, with just setting it to Eastern, Central etc. But now with employees all over the globe, setting the time zone automatically based on location doesn’t yet seem to be a feature within Intune. So I was curious whether this locate feature could also be used to set the device’s time zone?
Correct, but when you skip the privacy settings page during Autopilot it will be off by default.
It would be nicer to be more granular and use “Let Apps Access Location Force Allow These Apps” instead. Any idea which app would need to be added?
Not sure. I don’t know if it’s even an app that you can exclude like that.
I tested it on a few laptops but all of them return “not applicable” in Endpoint. Do you know what the mistake would be? The laptops are W10 and are enrolled by Autopilot.
In the case of “non Autopilot” laptops it is working fine, without configuring anything in Endpoint.
Are the location services enabled on those devices?
With the setting “Let Apps Access Location” on Force Allow, can any app on the device access the location?
It’s about Windows apps. Besides that, if needed, you can also deny or allow specific apps.
This is my problem with this. There doesn’t seem to be a way to just enable it for us with just the Locate function in Intune for example. It seems to be all or nothing. You can do specific app allows and denies afterwards, but if a user installs a new app after the setting is in place, that app will have access to location services.