IntuneDeviceConfigurationPolicyAndroidDeviceOwner

Parameters

Parameter Attribute DataType Description Allowed Values
DeviceMode Write String
Name Write String
RuleType Write String
Name Write String
OSEditionTypes Write StringArray[]
RuleType Write String
MaxOSVersion Write String
MinOSVersion Write String
Name Write String
RuleType Write String
Intent Write String
Source Write String
SourceId Write String
Target Write Instance
DeviceAndAppManagementAssignmentFilterId Write String
DeviceAndAppManagementAssignmentFilterType Write String
CompliantDeviceCount Write UInt32
ConflictDeviceCount Write UInt32
ErrorDeviceCount Write UInt32
InstancePath Write String
NonCompliantDeviceCount Write UInt32
NotApplicableDeviceCount Write UInt32
RemediatedDeviceCount Write UInt32
SettingName Write String
UnknownDeviceCount Write UInt32
ComplianceGracePeriodExpirationDateTime Write String
DeviceDisplayName Write String
DeviceModel Write String
LastReportedDateTime Write String
Platform Write UInt32
Status Write String
UserName Write String
UserPrincipalName Write String
ConfigurationVersion Write UInt32
ConflictCount Write UInt32
ErrorCount Write UInt32
FailedCount Write UInt32
LastUpdateDateTime Write String
NotApplicableCount Write UInt32
NotApplicablePlatformCount Write UInt32
PendingCount Write UInt32
SuccessCount Write UInt32
DeviceConfiguration Write Instance
ExcludeGroup Write Boolean
TargetGroupId Write String
Assignments Write InstanceArray[]
CreatedDateTime Write String
Description Write String
DeviceManagementApplicabilityRuleDeviceMode Write Instance
DeviceManagementApplicabilityRuleOSEdition Write Instance
DeviceManagementApplicabilityRuleOSVersion Write Instance
DeviceSettingStateSummaries Write InstanceArray[]
DeviceStatusOverview Write Instance
DeviceStatuses Write InstanceArray[]
DisplayName Write String
GroupAssignments Write InstanceArray[]
LastModifiedDateTime Write String
RoleScopeTagIds Write StringArray[]
SupportsScopeTags Write Boolean
UserStatusOverview Write Instance
UserStatuses Write InstanceArray[]
Version Write UInt32
DevicesCount Write UInt32
LastReportedDateTime Write String
Status Write String
UserDisplayName Write String
UserPrincipalName Write String
ConfigurationVersion Write UInt32
ConflictCount Write UInt32
ErrorCount Write UInt32
FailedCount Write UInt32
LastUpdateDateTime Write String
NotApplicableCount Write UInt32
PendingCount Write UInt32
SuccessCount Write UInt32
Id Write String
Description Write String
DeviceManagementApplicabilityRuleDeviceMode Write Instance
DeviceManagementApplicabilityRuleOsEdition Write Instance
DeviceManagementApplicabilityRuleOsVersion Write Instance
DisplayName Write String
RoleScopeTagIds Write StringArray[]
SupportsScopeTags Write Boolean
Version Write UInt32
AccountsBlockModification Write Boolean
AppsAllowInstallFromUnknownSources Write Boolean
AppsAutoUpdatePolicy Write String
AppsDefaultPermissionPolicy Write String
AppsRecommendSkippingFirstUseHints Write Boolean
AzureAdSharedDeviceDataClearApps Write String
BluetoothBlockConfiguration Write Boolean
BluetoothBlockContactSharing Write Boolean
CameraBlocked Write Boolean
CellularBlockWiFiTethering Write Boolean
CertificateCredentialConfigurationDisabled Write Boolean
CrossProfilePoliciesAllowCopyPaste Write Boolean
CrossProfilePoliciesAllowDataSharing Write String
CrossProfilePoliciesShowWorkContactsInPersonalProfile Write Boolean
DataRoamingBlocked Write Boolean
DateTimeConfigurationBlocked Write Boolean
EnrollmentProfile Write String
FactoryResetBlocked Write Boolean
FactoryResetDeviceAdministratorEmails Write String
GlobalProxy Write String
GoogleAccountsBlocked Write Boolean
KioskCustomizationDeviceSettingsBlocked Write Boolean
KioskCustomizationPowerButtonActionsBlocked Write Boolean
KioskCustomizationStatusBar Write String
KioskCustomizationSystemErrorWarnings Write Boolean
KioskCustomizationSystemNavigation Write String
KioskModeAppOrderEnabled Write Boolean
KioskModeAppPositions Write String
KioskModeApps Write String
KioskModeAppsInFolderOrderedByName Write Boolean
KioskModeBluetoothConfigurationEnabled Write Boolean
KioskModeDebugMenuEasyAccessEnabled Write Boolean
KioskModeExitCode Write String
KioskModeFlashlightConfigurationEnabled Write Boolean
KioskModeFolderIcon Write String
KioskModeGridHeight Write UInt32
KioskModeGridWidth Write UInt32
KioskModeIconSize Write String
KioskModeLockHomeScreen Write Boolean
KioskModeManagedFolders Write String
KioskModeManagedHomeScreenAutoSignout Write Boolean
KioskModeManagedHomeScreenInactiveSignOutDelayInSeconds Write UInt32
KioskModeManagedHomeScreenInactiveSignOutNoticeInSeconds Write UInt32
KioskModeManagedHomeScreenPinComplexity Write String
KioskModeManagedHomeScreenPinRequired Write Boolean
KioskModeManagedHomeScreenPinRequiredToResume Write Boolean
KioskModeManagedHomeScreenSignInBackground Write String
KioskModeManagedHomeScreenSignInBrandingLogo Write String
KioskModeManagedHomeScreenSignInEnabled Write Boolean
KioskModeManagedSettingsEntryDisabled Write Boolean
KioskModeMediaVolumeConfigurationEnabled Write Boolean
KioskModeScreenOrientation Write String
KioskModeScreenSaverConfigurationEnabled Write Boolean
KioskModeScreenSaverDetectMediaDisabled Write Boolean
KioskModeScreenSaverDisplayTimeInSeconds Write UInt32
KioskModeScreenSaverImageUrl Write String
KioskModeScreenSaverStartDelayInSeconds Write UInt32
KioskModeShowAppNotificationBadge Write Boolean
KioskModeShowDeviceInfo Write Boolean
KioskModeVirtualHomeButtonEnabled Write Boolean
KioskModeVirtualHomeButtonType Write String
KioskModeWallpaperUrl Write String
KioskModeWifiAllowedSsids Write String
KioskModeWiFiConfigurationEnabled Write Boolean
MicrophoneForceMute Write Boolean
MicrosoftLauncherConfigurationEnabled Write Boolean
MicrosoftLauncherCustomWallpaperAllowUserModification Write Boolean
MicrosoftLauncherCustomWallpaperEnabled Write Boolean
MicrosoftLauncherCustomWallpaperImageUrl Write String
MicrosoftLauncherDockPresenceAllowUserModification Write Boolean
MicrosoftLauncherDockPresenceConfiguration Write String
MicrosoftLauncherFeedAllowUserModification Write Boolean
MicrosoftLauncherFeedEnabled Write Boolean
MicrosoftLauncherSearchBarPlacementConfiguration Write String
NetworkEscapeHatchAllowed Write Boolean
NfcBlockOutgoingBeam Write Boolean
PasswordBlockKeyguard Write Boolean
PasswordBlockKeyguardFeatures Write String
PasswordExpirationDays Write UInt32
PasswordMinimumLength Write UInt32
PasswordMinimumLetterCharacters Write UInt32
PasswordMinimumLowerCaseCharacters Write UInt32
PasswordMinimumNonLetterCharacters Write UInt32
PasswordMinimumNumericCharacters Write UInt32
PasswordMinimumSymbolCharacters Write UInt32
PasswordMinimumUpperCaseCharacters Write UInt32
PasswordMinutesOfInactivityBeforeScreenTimeout Write UInt32
PasswordPreviousPasswordCountToBlock Write UInt32
PasswordRequiredType Write String
PasswordSignInFailureCountBeforeFactoryReset Write UInt32
PersonalProfileAppsAllowInstallFromUnknownSources Write Boolean
PersonalProfileCameraBlocked Write Boolean
PersonalProfilePersonalApplications Write String
PersonalProfilePlayStoreMode Write String
PersonalProfileScreenCaptureBlocked Write Boolean
PlayStoreMode Write String
ScreenCaptureBlocked Write Boolean
SecurityDeveloperSettingsEnabled Write Boolean
SecurityRequireVerifyApps Write Boolean
StatusBarBlocked Write Boolean
StayOnModes Write String
StorageAllowUsb Write Boolean
StorageBlockExternalMedia Write Boolean
StorageBlockUsbFileTransfer Write Boolean
SystemUpdateFreezePeriods Write String
SystemUpdateInstallType Write String
SystemUpdateWindowEndMinutesAfterMidnight Write UInt32
SystemUpdateWindowStartMinutesAfterMidnight Write UInt32
SystemWindowsBlocked Write Boolean
UsersBlockAdd Write Boolean
UsersBlockRemove Write Boolean
VolumeBlockAdjustment Write Boolean
VpnAlwaysOnLockdownMode Write Boolean
VpnAlwaysOnPackageIdentifier Write String
WifiBlockEditConfigurations Write Boolean
WifiBlockEditPolicyDefinedConfigurations Write Boolean
WorkProfilePasswordExpirationDays Write UInt32
WorkProfilePasswordMinimumLength Write UInt32
WorkProfilePasswordMinimumLetterCharacters Write UInt32
WorkProfilePasswordMinimumLowerCaseCharacters Write UInt32
WorkProfilePasswordMinimumNonLetterCharacters Write UInt32
WorkProfilePasswordMinimumNumericCharacters Write UInt32
WorkProfilePasswordMinimumSymbolCharacters Write UInt32
WorkProfilePasswordMinimumUpperCaseCharacters Write UInt32
WorkProfilePasswordPreviousPasswordCountToBlock Write UInt32
WorkProfilePasswordRequiredType Write String
WorkProfilePasswordSignInFailureCountBeforeFactoryReset Write UInt32
Assignments Write InstanceArray[]
DeviceSettingStateSummaries Write InstanceArray[]
DeviceStatuses Write InstanceArray[]
DeviceStatusOverview Write Instance
GroupAssignments Write InstanceArray[]
UserStatuses Write InstanceArray[]
UserStatusOverview Write Instance
Ensure Write String Present ensures the policy exists, absent ensures it is removed. Present, Absent
Credential Write PSCredential Credentials of the Intune Admin
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret Write String Secret of the Azure Active Directory application used for authentication (not a tenant secret). Treat it as a credential: do not place it in plain text in configuration data, and prefer CertificateThumbprint where possible.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.

IntuneDeviceConfigurationPolicyAndroidDeviceOwner

Description

This resource configures Android Enterprise device owner (fully managed / corporate-owned) device configuration policies in your cloud-based organization. It is distinct from the Android Work Profile policy resource, although the parameter list above includes cross-profile and personal-profile settings that apply to corporate-owned devices with a work profile.

Permissions Needed

To authenticate via Azure Active Directory, this resource requires the following Delegated permissions:

  • Automate: DeviceManagementConfiguration.ReadWrite.All (Delegated)
  • Export: DeviceManagementConfiguration.Read.All (Delegated)

NOTE: All permissions listed above require admin consent. For export-only use, grant only the Read.All permission (least privilege). When authenticating as an application (ApplicationId with ApplicationSecret or CertificateThumbprint), the Application permissions of the same name are expected to be required rather than the Delegated ones — confirm against the current resource documentation.

Parameters

NOTE: The setting descriptions that follow (and the example at the end of this page) describe the Windows 10 device compliance policy resource, not the Android Device Owner configuration parameters listed in the table above.

Device Health

Windows Health Attestation Service evaluation rules

  • Require BitLocker: Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the Trusted Platform Module (TPM) to help protect the Windows operating system and user data. It also helps confirm that a computer isn't tampered with, even if it's left unattended, lost, or stolen. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can't be accessed until the TPM verifies the state of the computer.
  • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
  • Require - The device can protect data that's stored on the drive from unauthorized access when the system is off, or hibernates.

Device HealthAttestation CSP - BitLockerStatus

  • Require Secure Boot to be enabled on the device:
  • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
  • Require - The system is forced to boot to a factory trusted state. The core components that are used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies the signature before it lets the machine start. If any files are tampered with, which breaks their signature, the system doesn't boot.

Device Properties

Operating System Version

To discover build versions for all Windows 10 Feature Updates and Cumulative Updates (to be used in some of the fields below), see Windows 10 release information. Be sure to include the 10.0. prefix before the build numbers, as the following examples illustrate.

  • Minimum OS version: Enter the minimum allowed version in the major.minor.build.revision number format. To get the correct value, open a command prompt, and type ver. The ver command returns the version in the following format:

Microsoft Windows [Version 10.0.17134.1]

When a device has an earlier version than the OS version you enter, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources.

  • Maximum OS version: Enter the maximum allowed version, in the major.minor.build.revision number format. To get the correct value, open a command prompt, and type ver. The ver command returns the version in the following format:

Microsoft Windows [Version 10.0.17134.1]

When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until the rule is changed to allow the OS version.

  • Minimum OS required for mobile devices: Enter the minimum allowed version, in the major.minor.build number format.

When a device has an earlier version than the OS version you enter, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources.

  • Maximum OS required for mobile devices: Enter the maximum allowed version, in the major.minor.build number format.

When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until the rule is changed to allow the OS version.

  • Valid operating system builds: Specify a list of minimum and maximum operating system builds. Valid operating system builds provide additional flexibility when compared against minimum and maximum OS versions. Consider a scenario where minimum OS version is set to 10.0.18362.xxx (Windows 10 1903) and maximum OS version is set to 10.0.18363.xxx (Windows 10 1909). This configuration can allow a Windows 10 1903 device that doesn't have recent cumulative updates installed to be identified as compliant. Minimum and maximum OS versions might be suitable if you have standardized on a single Windows 10 release, but might not address your requirements if you need to use multiple builds, each with specific patch levels. In such a case, consider using valid operating system builds instead, which allows multiple builds — each with its own minimum patch level — to be specified, as in the following example.

Example: The following table is an example of a range for the acceptable operating systems versions for different Windows 10 releases. In this example, three different Feature Updates have been allowed (1809, 1909 and 2004). Specifically, only those versions of Windows and which have applied cumulative updates from June to September 2020 will be considered to be compliant. This is sample data only. The table includes a first column that includes any text you want to describe the entry, followed by the minimum and maximum OS version for that entry. The second and third columns must adhere to valid OS build versions in the major.minor.build.revision number format. After you define one or more entries, you can Export the list as a comma-separated values (CSV) file.

Description Minimum OS version Maximum OS version
Win 10 2004 (Jun-Sept 2020) 10.0.19041.329 10.0.19041.508
Win 10 1909 (Jun-Sept 2020) 10.0.18363.900 10.0.18363.1110
Win 10 1809 (Jun-Sept 2020) 10.0.17763.1282 10.0.17763.1490

Configuration Manager Compliance

Applies only to co-managed devices running Windows 10 and later. Intune-only devices return a not available status.

  • Require device compliance from Configuration Manager:
  • Not configured (default) - Intune doesn't check for any of the Configuration Manager settings for compliance.
  • Require - Require all settings (configuration items) in Configuration Manager to be compliant.

System Security

Password

  • Require a password to unlock mobile devices:
  • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
  • Require - Users must enter a password before they can access their device.

  • Simple passwords:

  • Not configured (default) - Users can create simple passwords, such as 1234 or 1111.
  • Block - Users can't create simple passwords, such as 1234 or 1111.

  • Password type: Choose the type of password or PIN required. Your options:

  • Device (default) - Require a password, numeric PIN, or alphanumeric PIN
  • Numeric - Require a password or numeric PIN
  • Alphanumeric - Require a password, or alphanumeric PIN. When set to Alphanumeric, the following settings are available:

  • Password complexity: Your options:

    • Require digits and lowercase letters (default)
    • Require digits, lowercase letters, and uppercase letters
    • Require digits, lowercase letters, uppercase letters, and special characters
  • Minimum password length: Enter the minimum number of digits or characters that the password must have.

  • Maximum minutes of inactivity before password is required: Enter the idle time before the user must reenter their password.

  • Password expiration (days): Enter the number of days before the password expires, and they must create a new one, from 1-730.

  • Number of previous passwords to prevent reuse: Enter the number of previously used passwords that can't be used.

  • Require password when device returns from idle state (Mobile and Holographic):

    • Not configured (default)
    • Require - Require device users to enter the password every time the device returns from an idle state.

Important When the password requirement is changed on a Windows desktop, users are impacted the next time they sign in, as that's when the device goes from idle to active. Users with passwords that meet the requirement are still prompted to change their passwords.

Encryption

  • Encryption of data storage on a device: This setting applies to all drives on a device.
  • Not configured (default)
  • Require - Use Require to encrypt data storage on your devices.

Note The Encryption of data storage on a device setting generically checks for the presence of encryption on the device, more specifically at the OS drive level. Currently, Intune supports only the encryption check with BitLocker. For a more robust encryption setting, consider using Require BitLocker, which leverages Windows Device Health Attestation to validate BitLocker status as measured by the TPM at boot, rather than relying on a self-reported OS value.

Device Security

  • Firewall:
  • Not configured (default) - Intune doesn't control the Microsoft Defender Firewall, nor change existing settings.
  • Require - Turn on the Microsoft Defender Firewall, and prevent users from turning it off.

Note If the device immediately syncs after a reboot, or immediately syncs waking from sleep, then this setting may report as an Error. This scenario might not affect the overall device compliance status. To re-evaluate the compliance status, manually sync the device.

  • Trusted Platform Module (TPM):
  • Not configured (default) - Intune doesn't check the device for a TPM chip version.
  • Require - Intune checks the TPM chip version for compliance. The device is compliant if the TPM chip version is greater than 0 (zero). The device isn't compliant if there isn't a TPM version on the device. Note that this only checks that a TPM is present and reports a version; it does not by itself require TPM 2.0.

  • Antivirus:

  • Not configured (default) - Intune doesn't check for any antivirus solutions installed on the device.
  • Require - Check compliance using antivirus solutions that are registered with Windows Security Center, such as Symantec and Microsoft Defender.

  • Antispyware:

  • Not configured (default) - Intune doesn't check for any antispyware solutions installed on the device.
  • Require - Check compliance using antispyware solutions that are registered with Windows Security Center, such as Symantec and Microsoft Defender.

Defender

The following compliance settings are supported with Windows 10 Desktop.

  • Microsoft Defender Antimalware:
  • Not configured (default) - Intune doesn't control the service, nor change existing settings.
  • Require - Turn on the Microsoft Defender anti-malware service, and prevent users from turning it off.

  • Microsoft Defender Antimalware minimum version: Enter the minimum allowed version of Microsoft Defender anti-malware service. For example, enter 4.11.0.0. When left blank, any version of the Microsoft Defender anti-malware service can be used.

By default, no version is configured.

  • Microsoft Defender Antimalware security intelligence up-to-date: Controls the Windows Security virus and threat protection updates on the devices.
  • Not configured (default) - Intune doesn't enforce any requirements.
  • Require - Force the Microsoft Defender security intelligence be up-to-date.

  • Real-time protection:

  • Not configured (default) - Intune doesn't control this feature, nor change existing settings.
  • Require - Turn on real-time protection, which scans for malware, spyware, and other unwanted software.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint rules

For additional information on Microsoft Defender for Endpoint integration in conditional access scenarios, see Configure Conditional Access in Microsoft Defender for Endpoint.

  • Require the device to be at or under the machine risk score: Use this setting to take the risk assessment from your defense threat services as a condition for compliance. Choose the maximum allowed threat level:
  • Not configured (default)
  • Clear -This option is the most secure, as the device can't have any threats. If the device is detected as having any level of threats, it's evaluated as non-compliant.
  • Low - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a non-compliant status.
  • Medium - The device is evaluated as compliant if existing threats on the device are low or medium level. If the device is detected to have high-level threats, it's determined to be non-compliant.
  • High - This option is the least secure, and allows all threat levels. It may be useful if you're using this solution only for reporting purposes.

Windows Holographic for Business

Windows Holographic for Business uses the Windows 10 and later platform. Windows Holographic for Business supports the following setting:

System Security > Encryption > Encryption of data storage on device. To verify device encryption on the Microsoft HoloLens, see Verify device encryption.

Surface Hub

Surface Hub uses the Windows 10 and later platform. Surface Hubs are supported for both compliance and Conditional Access. To enable these features on Surface Hubs, we recommend you enable Windows 10 automatic enrollment in Intune (requires Azure Active Directory (Azure AD)), and target the Surface Hub devices as device groups. Surface Hubs are required to be Azure AD joined for compliance and Conditional Access to work.

For guidance, see set up enrollment for Windows devices.

Special consideration for Surface Hubs running Windows 10 Team OS: Surface Hubs that run Windows 10 Team OS do not support the Microsoft Defender for Endpoint and Password compliance policies at this time. Therefore, for Surface Hubs that run Windows 10 Team OS, set the following two settings to their default of Not configured: (1) in the category Password, set Require a password to unlock mobile devices to the default of Not configured; (2) in the category Microsoft Defender for Endpoint, set Require the device to be at or under the machine risk score to the default of Not configured.

Example

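        # NOTE(review): this example declares the Windows 10 device compliance policy
        # resource, not the IntuneDeviceConfigurationPolicyAndroidDeviceOwner resource
        # documented on this page. It is a test policy: the password, BitLocker and TPM
        # requirements below are disabled, so it is not a hardened baseline.
        IntuneDeviceCompliancePolicyWindows10 MyCustomWindows10Policy
        {
            DisplayName                                 = "Windows 10 DSC Policy";
            Description                                 = "Test policy";
            PasswordRequired                            = $False;
            PasswordBlockSimple                         = $False;
            PasswordRequiredToUnlockFromIdle            = $True;
            # Declared once: the original listed this property twice (15 and 5), which a
            # DSC configuration rejects as a duplicate property. The stricter value is kept.
            PasswordMinutesOfInactivityBeforeLock       = 5;
            PasswordExpirationDays                      = 365;
            PasswordMinimumLength                       = 6;
            PasswordPreviousPasswordBlockCount          = 13;
            PasswordMinimumCharacterSetCount            = 1;
            PasswordRequiredType                        = "Devicedefault";
            RequireHealthyDeviceReport                  = $True;
            # Version values should follow the documented major.minor.build.revision form
            # (for example "10.0.19041.508"); the bare numeric literals below are coerced
            # to strings as written and do not pin a build or patch level.
            OsMinimumVersion                            = 10;
            OsMaximumVersion                            = 10.19;
            MobileOsMinimumVersion                      = 10;
            MobileOsMaximumVersion                      = 10.19;
            EarlyLaunchAntiMalwareDriverEnabled         = $False;
            BitLockerEnabled                            = $False;
            SecureBootEnabled                           = $True;
            CodeIntegrityEnabled                        = $True;
            StorageRequireEncryption                    = $True;
            ActiveFirewallRequired                      = $True;
            DefenderEnabled                             = $True;
            DefenderVersion                             = "";
            SignatureOutOfDate                          = $True;
            RtpEnabled                                  = $True;
            AntivirusRequired                           = $True;
            AntiSpywareRequired                         = $True;
            DeviceThreatProtectionEnabled               = $True;
            DeviceThreatProtectionRequiredSecurityLevel = "Medium";
            ConfigurationManagerComplianceRequired      = $False;
            TPMRequired                                 = $False;
            deviceCompliancePolicyScript                = $null;
            # Empty PowerShell array; "[]" is not a valid PowerShell literal.
            ValidOperatingSystemBuildRanges             = @();
            Ensure                                      = 'Present';
            Credential                                  = $Credential;
        }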