Recently Microsoft released a couple of blog posts about The Path to Modernizing Windows Management and about Clear & Simple Guidance: When ConfigMgr and Intune should be used with Windows 10, which should be really helpful when deciding how to manage the Windows 10 devices within an organization. I would recommend that everybody read those posts. This blog post is not directly related, but continues on a more detailed level about the options for conditional access and Windows 10 devices.
In this blog post I will provide tables of the different compliance rules, for Windows 10 devices, that are currently available for Microsoft Intune standalone and Microsoft Intune hybrid. In those tables I'll show the different management scenarios and the compliance rules currently applicable to each.
Before I start with the overview, it's good to give a short explanation of the distinction between the conditional access policy and the compliance policy.
The conditional access policy is a required configuration to enable conditional access on a particular service and to help secure access to that service. In the conditional access policy, the targeted platforms and the targeted users are configured. Also, and this is important for Windows 10 devices, the conditional access policy determines whether Windows 10 devices must be compliant or domain joined.
The compliance policies, on the other hand, are optional additional rules that can evaluate settings like PIN and encryption. The devices of targeted users must comply with those additional rules. When no compliance policies are deployed, the device is automatically evaluated as compliant.
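To make the interaction between the two policy types concrete, here is an added toy evaluator (example code, not Intune's implementation) that models a conditional access policy with its "compliant or domain joined" requirement and a few of the compliance rules from the tables on this page. The `Device`, `CompliancePolicy` and `ConditionalAccessPolicy` classes, the rule that untargeted platforms/users are skipped, and the sample device values are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
@dataclass
class Device:                      # state a Windows 10 device reports to the service
    platform: str
    user: str
    domain_joined: bool
    os_version: Tuple[int, ...]
    password_length: int
    encrypted: bool
    reported_healthy: bool

@dataclass
class CompliancePolicy:            # one rule set; None/False means the rule is not configured
    minimum_windows_version: Optional[Tuple[int, ...]] = None
    minimum_password_length: Optional[int] = None
    require_encryption: bool = False     # "Require encryption on mobile device"
    require_healthy: bool = False        # "Require devices to be reported as healthy"

@dataclass
class ConditionalAccessPolicy:     # targeted platforms/users plus the Windows 10 requirement
    platforms: frozenset
    users: frozenset
    allow_domain_joined: bool      # True: "compliant or domain joined", False: "compliant" only
def is_compliant(device, policies):
    # Compliance policies are optional: with none deployed, the device is evaluated as compliant.
    if not policies:
        return True
    for p in policies:
        if p.minimum_windows_version and device.os_version < p.minimum_windows_version:
            return False
        if p.minimum_password_length and device.password_length < p.minimum_password_length:
            return False
        if p.require_encryption and not device.encrypted:
            return False
        if p.require_healthy and not device.reported_healthy:
            return False
    return True
def access_allowed(device, ca_policy, policies):
    # Assumption: devices outside the targeted platforms/users are not evaluated by this policy.
    if device.platform not in ca_policy.platforms or device.user not in ca_policy.users:
        return True
    if ca_policy.allow_domain_joined and device.domain_joined:
        return True
    return is_compliant(device, policies)
# Constructed sample: a non-domain-joined, unencrypted device on an older build.
LAPTOP = Device("Windows 10", "alice", False, (10, 0, 10586), 6, False, True)
CA = ConditionalAccessPolicy(frozenset({"Windows 10"}), frozenset({"alice"}), True)
RULES = [CompliancePolicy(minimum_windows_version=(10, 0, 14393), require_encryption=True)]
```

Note that `is_compliant(LAPTOP, [])` returns True: an organization that enables conditional access but never deploys a compliance policy gets only the domain-join check.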
Microsoft Intune standalone
Now let's start with the overview of available compliance rules in Microsoft Intune standalone. In Microsoft Intune standalone, a Windows 10 device can be managed by the Microsoft Intune client or it can be enrolled as a mobile device (MDM). Both options are shown in the following overview table. Spoiler: there are no compliance rules available for the Microsoft Intune client. That makes being domain joined the only additional requirement that can be enforced for those devices.
| Compliance rule | Intune client | MDM |
|---|---|---|
| Allow simple passwords | N/A | Yes (Mobile only) |
| Maximum Windows Phone or Windows 10 Mobile version | N/A | Yes (Mobile only) |
| Maximum Windows version | N/A | Yes (Desktop only) |
| Minutes of inactivity before password is required | N/A | Yes |
| Minimum password length | N/A | Yes |
| Minimum Windows Phone or Windows 10 Mobile version | N/A | Yes (Mobile only) |
| Minimum Windows version | N/A | Yes (Desktop only) |
| Require a password to unlock an idle device | N/A | Yes (Mobile only) |
| Remember password history – Prevent reuse of previous passwords | N/A | Yes |
| Required password type – Minimum number of character sets | N/A | Yes |
| Require a password to unlock mobile devices | N/A | Yes (Mobile only) |
| Require devices to be reported as healthy | N/A | Yes |
| Require encryption on mobile device | N/A | Yes |
Microsoft Intune hybrid
Let's continue with the overview of available compliance rules in Microsoft Intune hybrid. In Microsoft Intune hybrid, a Windows 10 device can be managed by the Microsoft Intune client, by the ConfigMgr client, or it can be enrolled as a mobile device (MDM). All three options are shown in the following overview table. Spoiler: again there are no compliance rules available for the Microsoft Intune client. That makes being domain joined the only additional requirement that can be enforced for those devices.
| Compliance rule | Intune client | ConfigMgr client | MDM |
|---|---|---|---|
| All required updates installed with a deadline older than X days | N/A | Yes | N/A |
| Allow simple passwords | N/A | N/A | Yes (Mobile only) |
| File encryption on mobile device | N/A | N/A | Yes |
| Maximum operating system version | N/A | N/A | Yes |
| Minimum classification of required updates | N/A | N/A | Yes |
| Minimum operating system version | N/A | N/A | Yes |
| Minimum password length | N/A | N/A | Yes |
| Minutes of inactivity before password is required | N/A | N/A | Yes |
| Require a password to unlock an idle device | N/A | N/A | Yes (Mobile only) |
| Reported as healthy by Health Attestation Service | N/A | N/A | Yes |
| Require BitLocker drive encryption | N/A | Yes | N/A |
| Require password settings on mobile devices | N/A | N/A | Yes |
| Require registration in Azure Active Directory | N/A | Yes | N/A |
For more information about conditional access for Windows 10 devices with Microsoft Intune standalone or Microsoft Intune hybrid, please refer to:
- Manage device compliance policies in System Center Configuration Manager: https://technet.microsoft.com/en-us/library/mt629503.aspx
- Manage device compliance policies for Microsoft Intune: https://technet.microsoft.com/en-us/library/dn705843.aspx
- Manage access to O365 services for PCs managed by System Center Configuration Manager: https://technet.microsoft.com/en-us/library/mt691743
- Manage access to services in System Center Configuration Manager: https://technet.microsoft.com/en-us/library/mt628518.aspx
- Manage access to email and SharePoint with Microsoft Intune: https://technet.microsoft.com/en-us/library/dn818907.aspx