Friday, November 3, 2017

Microsoft 365 Windows 10 Device configuration mappings

Microsoft 365 Business allows you to configure the Windows 10 devices that are connected to it. This management is typically done by Intune at the back end, while Microsoft 365 Business provides a simplified interface over these settings. However, which Intune settings do the Microsoft 365 settings map to?

The best place to start to understand this mapping is the following document from Microsoft:

How do protection features in Microsoft 365 Business map to Intune settings

Start by navigating to the Admin center in your Microsoft 365 for Business tenant.

Locate the Device policies tile and select it.

You may see a number of policies here but one should be named Windows 10 device configuration as shown above. Select this.

You should be taken to the Edit policy dialog as shown above.

Select the Edit hyperlink at the right of the Windows 10 protection line (the second option from the top).

If you expand the display you should see a list of all the options and their status as shown above.

The question now is, how do these map to settings in Intune?

To view the settings in Intune you’ll need to log in to the Azure portal for that tenant and then navigate to the Intune option.

The easiest way to find the Intune settings is to do a search in the top right and then select Intune from the results.

You should see the Intune console displayed as shown above.

From the available options, select Device Configuration. From the blade that appears, select Policies. You should then see a policy that matches the one in the Microsoft 365 for Business console (here Windows 10 device configuration).

Select the policy name.

From the new blade that appears select Properties.

This should open another blade like the one shown above. The last option on this blade should be Settings. Select this.

This will open a Device restrictions blade with lots of different settings as you can see above. This is where most of the mapped settings from Microsoft 365 are.

Working from the top, the Help protect PCs from web-based threats using Windows Defender Antivirus setting maps to Windows Defender Antivirus as shown.

However, only 3 of the 28 options are set and they are:

Next in Microsoft 365 Business is Help protect PCs from web-based threats in Microsoft Edge.

This maps to SmartScreen for Microsoft Edge in Windows Defender SmartScreen.

The next option is Turn off device screen when idle for, which maps to Maximum minutes of inactivity until screen locks in Password.

The option Allow users to download apps from Windows store maps to a Custom URI that I haven’t been able to locate in Intune.

I’m still researching what that actually maps to. More soon.

Next is Allow users to access Cortana, which maps to Cortana in General in Intune.

Next is Allow users to receive Windows tips and advertisements from Microsoft, which maps to Windows spotlight in Intune.

Finally, Keep Windows 10 devices up to date automatically is actually configured from the Software updates option in Intune.

From the main Intune blade select Software updates. From the blade that then appears select Windows 10 Update rings. Then, from the new blade, select Update policy for Windows 10 devices.

Select the policy and then Properties from the blade that appears.

At the bottom of the Properties page select Settings. This should then show a blade like that shown above.

If the Microsoft 365 Business setting is ON, the Service Branch will be set to Semi-Annual Channel (Targeted) like so:

If the Microsoft 365 Business setting is OFF, the Service Branch will be set to Semi-Annual like so:

You can review these update channels here:

Assign devices to servicing channels for Windows 10 updates

So any changes made in the Microsoft 365 Business console will be reflected in the Intune console. However, if you change these settings in Intune and then try to update them, you seem to get an error like so:

I would have thought that I could change the settings in any console but that doesn’t appear to be the case. I currently can’t find any confirmation of this but I will publish anything I find. So for now the guidance is – only make changes in the Microsoft 365 Business Admin Center.

There are a number of other policies in Microsoft 365 Business that I’ll cover in upcoming posts.