This post will show how you can set device configurations for MDM-enrolled Windows 10 machines in the Intune preview in the Azure portal. This uses Intune standalone, not Intune hybrid. The device configurations I will deploy include setting a wallpaper on a Windows 10 1703 Enterprise machine and setting password restrictions. After configuring the Device configuration policy in Intune, the post will also show the user experience in Windows 10.
In the Intune blade, select Device Configuration
Select Profiles, then select Create Profile
Type in a Name for the profile, for the Platform select Windows 10 and later, and for Profile type, select Device Restrictions
For this post, I will create password restrictions. I have selected Password as the category and configured some settings on the right-hand side.
I will also set the desktop background picture in the Personalization category by pasting in the URL where I have uploaded the wallpaper. Note that this CSP was only added in Windows 10 1703 and is supported on Enterprise. See https://msdn.microsoft.com/en-gb/windows/hardware/commercialize/customize/mdm/personalization-csp
Now I will click on Assignments to assign the device configuration policy to my Intune group I created in Azure AD.
Select the group and click Save.
Now on my Windows 10 Enterprise 1703 machine I am prompted to change my password.
And the custom wallpaper has been set.
This post will show how you can create a compliance policy in the Intune preview portal to require Device Encryption (BitLocker) for a Windows 10 1703 Pro or Enterprise machine. It will also show the user experience. I will be testing this on a Hyper-V Gen 2 machine with the TPM enabled.
In portal.azure.com select Intune, then select Device compliance
Select Create Policy
Enter a name for the policy, and select Windows 10 and later for the Platform. Then select System Security, and select Require under Encryption.
Save the policy and click on Assignments to deploy the policy to a user group.
On my test Hyper-V Gen 2 machine, I have shut the machine down. Right-click on the VM and click Settings, then select Security, and check the box Enable Trusted Platform Module so we can test BitLocker.
You can see that there is a notification now on the Windows 10 1703 Pro/Enterprise machine that Encryption is needed. The user needs to click on it.
If you open up the Company Portal, you can also see there is a policy issue. If you click on View, you can see that the device requires encryption.
After clicking on the notification that the device needs encryption (either the notification in the earlier screenshot or the notification in the bottom right corner), the user needs to go through the encryption wizard process.
You can choose where to save the key.
If you chose the option to save the BitLocker key to the cloud, you can view the BitLocker key in the Azure portal (portal.azure.com) by going to Azure Active Directory > Users and groups > All Users > select the user > Devices > Select the Device >
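To confirm on the device itself that the encryption wizard left it in the state the compliance policy asks for, the following check can be run in an elevated PowerShell session. It is an added example, not part of the original post; the function name Get-EncryptionReadiness and the choice of the system drive are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Local view only; it does not
# reproduce how Intune itself evaluates the compliance policy.

function Get-EncryptionReadiness {
    [CmdletBinding()]
    param(
        # Assumption: the operating system volume is the one being checked.
        [string]$MountPoint = $env:SystemDrive
    )

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Key protector types on the volume, e.g. Tpm, RecoveryPassword.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $findings = @()
    if (-not $tpm.TpmPresent) {
        $findings += 'No TPM visible to Windows (on Hyper-V, check the VM Security setting).'
    }
    if ($vol.VolumeStatus.ToString() -ne 'FullyEncrypted') {
        $findings += "Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)."
    }
    if ($vol.ProtectionStatus.ToString() -ne 'On') {
        $findings += 'BitLocker protection is not on (not started, or suspended).'
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector, so there is no recovery key to save.'
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        ProtectorTypes   = $types -join ', '
        Ready            = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

Get-EncryptionReadiness | Format-List
```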
This post will show how you can deploy an .MSI to an MDM enrolled Windows 10 machine in the Intune preview in the Azure portal. As noted, the device is enrolled in Intune, and does not have the Intune client installed.
This post will use 7Zip .msi as an example and it will be deployed as “Available” in the Company Portal app for a Windows 10 1703 device.
In the Azure portal (portal.azure.com), click on More Services, then search for Intune and select it.
Click on Mobile apps
In the Apps section under Manage, click on Add
Select Line-of-business app
Click on the blue browse button and select your MSI (allowed file extensions are ipa, apk, msi, xap, appx, appxbundle).
Fill in the required details. For my example I have filled in the Name, Description, Publisher, and also selected an icon.
The .msi will begin to upload and you will get a notification when the .msi has been uploaded. Once it has been uploaded, you can assign the application to a group.
The next step is to assign the application to a group. This can be done under Assignments. In my example I have made it Available to my user group called Intune. You can see the other options below in the screenshot.
Now I will open the Company Portal app on my Windows 10 machine and install 7Zip.