Part 3 – Configure Microsoft Intune – Device compliance and configuration

Previous blog posts:

https://albertneef.wordpress.com/2018/05/02/part-1-how-to-create-a-new-azure-tenant-with-ems-subscription/

https://albertneef.wordpress.com/2018/05/02/part-2-how-to-configure-microsoft-intune-windows-hello-and-mobility-mdm-and-mam/

We continue with configuring Microsoft Intune. In this blog post we are going to make some compliance policies and device configuration policies.

We have already enrolled a Windows 10 device. For these steps we can use the same device to test the policies.

So, go back to the Intune portal and go to Device compliance -> Compliance. There we have to create new compliancy policy for our Windows 10 device.

Click on the button Create Policy

You have to give the policy a name and you have to choose the correct platform. After you click on Settings then you will get a new menu.

I have just only configured System Security. This one is most important and usable for testing purpose. The ones in purple are changed. So, I have enabled a lot for compliancy and I knew already that my device will not be compliant because of the missing TPM/Bit locker. But, that’s not a problem, is nice example how it works. Click on the Ok button twice and then click on the create button to create the policy.

To use this policy, you have to assign the policy to a specific user group. First, we have to make a new user group. Go to Azure Active Directory -> Groups. Click on the button New Group.

You have to give the group a name. Group Type is Security and Membership type is assigned. Then you have to assign a member. This member must be the user which you have used to enroll the device into MS Intune in the previous part. Select the member and after that click on the Create button.

Go back to Device Compliance -> Intune -> Device Compliance -> Policies

Click on the new created policy. You will get more options.

Click Assignments

Click Select groups to include

Search for the new created group, select the group and click on the select button.

The group has been added and click on the Save button.

Now we have to wait. The policy will be pushed to the device in few minutes.

I got this message

This means that the compliance policy is applied on the device. Now we have to wait for few minutes to get more information from the MS Intune portal.

Go to the MS Intune portal – Device compliance -> Device compliance.

You will see that the status of compliance has changed into Not compliant. Click on the device for more information.

This is global information about the device. Go to Device Compliance for more information about the compliancy.

You see that status of the new created policy is Error. This means that something is not compliant on the device. Click on the policy for more information.

What I have said, my device is not compliant because of Encryption of data storage on device. The others are compliant, so that’s good. I have no TPM on my device I must change the compliance, otherwise I can’t go further with the configuring and testing MS Intune. But this is only for testing purpose. In production I recommend having a TPM on each device to encrypt your OS and Data drive.

I have disabled “Encryption required” and now the device is complaint again.

It’s time to do some device configurations. Go to MS Intune portal -> Device configuration -> Profiles

Click on the Create Profile button.

Give the profile a name and choose the platform and profile type. In my example I use Device restrictions for Password.

 

Change the settings which you like and click on the Ok button (twice).

Then you have to create the profile by clicking the create button.

The profile has to be assigned to a group. You can use the previous created group to assign this profile to the user.

Go to Assignment in the menu and click on Select groups to include. Search for your user group and click Select.

Click on the save button to save the configuration. Now you have to wait some few minutes. The policy will be deployed on your Windows 10 device after few minutes. To check the status of the assignment, go to Devices -> All Devices.

Click on your device and then on Device Configuration.

Here you will see the status of the policy/profile.

After few minutes it will change to Succeeded or something else. The configuration is now applied on your device.

Recap:

What we did is making a new compliance policy for the Windows 10 device. By this policy you can make the device compliant or not. That is useful later if you want to work with Conditional Access. Based on compliancy you can give the user access to Azure resources or like deploying apps to the device.

We have made a device configuration. This one was a device restriction based on password. But there are more. Like blocking camera, OneDrive sync and so on. Device restriction is one of the device configuration types. In the next blog post I will write more about the other device configuration types.

 

 

Advertisements

2 thoughts on “Part 3 – Configure Microsoft Intune – Device compliance and configuration

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.