Monday, June 21, 2021

Intune Support Tip: Managing Compliance on HoloLens 2 with Microsoft Endpoint Manager

By Per Larsen – Sr. Program Manager | Microsoft Endpoint Manager - Intune


How to manage compliance policies on HoloLens devices is one of the most common questions we get from customers as they start to manage their HoloLens fleet with Microsoft Endpoint Manager.


Compliance policies are used to mark the device compliant or non-compliant, which can be used in conjunction with Azure Active Directory (Azure AD) Conditional Access to allow or block access to corporate data.


Microsoft Intune, as a capability of Endpoint Manager, uses Configuration Service Providers (CSPs) to set and verify many of the settings in a compliance policy, so those CSPs need to be supported on HoloLens. You can find out which ones are in the Policies in Policy CSP supported by HoloLens 2 document.




Configuration Manager compliance is not supported on HoloLens devices. The ConfigMgr agent is a Win32 app, and Win32 apps cannot run on a HoloLens device.


HoloLens 2 runs the Windows Holographic operating system, which is not the same as Windows 10 Desktop, so some capabilities (such as Win32 apps) do not exist on this platform.


The same Windows 10 compliance policy is used for Windows 10 desktop and HoloLens in Microsoft Intune; however, some settings supported on Windows 10 are not available on HoloLens. BitLocker is a good example of why.


HoloLens 2 has BitLocker Device Encryption enabled automatically on the operating system and fixed data volumes, and it cannot be turned off, even by IT administrators, so the device is always protected. Because there is nothing for a compliance policy to enforce or check, the "Require BitLocker" setting reports Not applicable on HoloLens rather than marking the device non-compliant.


Settings available for HoloLens:

Setting                                                       Can you use the profile?

Device Health
  Require BitLocker                                           Not applicable
  Require Secure Boot to be enabled on the device             Not applicable
  Require code integrity                                      Not applicable

Device Properties: Operating System Version
  Minimum OS version
  Maximum OS version
  Minimum OS version for mobile devices                       Not applicable
  Maximum OS version for mobile devices                       Not applicable
  Valid operating system builds

Configuration Manager Compliance
  Require device compliance from Configuration Manager        Not applicable

System Security
  Require a password to unlock mobile devices
  Simple passwords
  Password type
  Minimum password length
  Maximum minutes of inactivity before password is required   Not applicable
  Password expiration (days)
  Number of previous passwords to prevent reuse
  Require password when device returns from idle state (Mobile and Holographic)
  Require encryption of data storage on device                Not applicable

Device Security
  Trusted Platform Module (TPM)
  (setting name not captured)                                 Not applicable
  (setting name not captured)                                 Not applicable

Microsoft Defender Antimalware
  Microsoft Defender Antimalware minimum version
  Microsoft Defender Antimalware security intelligence up-to-date
  Real-time protection

Microsoft Defender for Endpoint
  Microsoft Defender for Endpoint rules
  Require the device to be at or under the machine risk score

Can you use the profile?
  Yes = the setting works on HoloLens
  Not applicable = shows as Not applicable in the compliance status
  * = the setting is not included in the supported list of CSPs for Windows Holographic for Business
  (blank) = the value for this row was not preserved in this copy of the table


How to deploy a compliance policy to HoloLens

Scenarios drive whether you deploy your compliance policy to users in user groups or devices in device groups. When a compliance policy is deployed to a user, all the user's devices are checked for compliance.


Example Scenario 1

Let's take a HoloLens device that is enrolled into Intune through the Windows Autopilot self-deploying mode process and automatically put in kiosk mode. When onboarded with Autopilot this way, the device is enrolled without a primary user. In this case, we recommend deploying your compliance policy to a device group. This can be done with an Azure AD static or dynamic group. You can populate a dynamic group with HoloLens devices by using a device attribute rule where "Model" is "HoloLens 2", or by a Group Tag set on the Autopilot object.
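As an added example that is not part of the original post, the following PowerShell creates both kinds of dynamic Azure AD device group described in this scenario with the Microsoft Graph PowerShell SDK. The group names, the Group Tag value "HoloLens" and the 60-second wait are assumptions; the rule syntax is Azure AD's own (the Model attribute is device.deviceModel, and an Autopilot Group Tag is stored in devicePhysicalIds as an [OrderID] entry).

```powershell
# Added example, not from the original post: create the two kinds of dynamic
# Azure AD device group described in Scenario 1 with the Microsoft Graph
# PowerShell SDK (Microsoft.Graph module, Group.ReadWrite.All scope).
Connect-MgGraph -Scopes "Group.ReadWrite.All"

function New-HoloLensDynamicGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    # Security group, not mail-enabled; Azure AD evaluates membership from the rule.
    New-MgGroup -DisplayName $DisplayName `
        -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -MailEnabled:$false `
        -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState "On"
}

# Variant 1: membership by the Azure AD device attribute Model.
$byModel = New-HoloLensDynamicGroup -DisplayName "HoloLens 2 - by model" `
    -MembershipRule '(device.deviceModel -eq "HoloLens 2")'

# Variant 2: membership by the Autopilot Group Tag. Azure AD stores the tag in
# devicePhysicalIds as "[OrderID]:<tag>"; "HoloLens" is a placeholder tag value.
$byTag = New-HoloLensDynamicGroup -DisplayName "HoloLens 2 - by Autopilot tag" `
    -MembershipRule '(device.devicePhysicalIds -any (_ -eq "[OrderID]:HoloLens"))'

# Dynamic membership is evaluated asynchronously, so verify the result before
# assigning policy to the group; the 60-second wait is arbitrary.
Start-Sleep -Seconds 60
foreach ($g in $byModel, $byTag) {
    $members = Get-MgGroupMember -GroupId $g.Id -All
    "$($g.DisplayName): $($members.Count) device(s)"
    $members | ForEach-Object { "  " + $_.AdditionalProperties['displayName'] }
}
```

Prefer the Group Tag variant when the same tenant also holds HoloLens 2 devices that should not receive the kiosk fleet's policy; the Model rule captures every HoloLens 2 in the directory, the tag rule only the ones you deliberately registered with that tag.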


Example Scenario 2

You have a group of users who use both Windows 10 Desktop devices and HoloLens 2 devices. In this case, the same Intune compliance policy applies to both device types, so it makes sense to deploy your compliance policy to a user group. Be aware that any setting in that shared policy which is not applicable on HoloLens 2 can mark the device non-compliant, which is what the assignment filter in the next section is for.


Create the compliance policy

First, create a Filter to include or exclude HoloLens 2 devices when using user-based targeting:

  1. Navigate to Tenant admin > Filters (preview) > Create, and enter a filter name.
  2. From the Platform dropdown field, select “Windows 10” and click Next.


  3. Complete the Rules section as follows, then click Next.
    • Property = Model
    • Operator = Equals
    • Value = HoloLens 2


  4. Lastly, assign Scope tags if required, review your configuration, and then click Create.




Read more about assignment filters in our Create filters in Microsoft Intune documentation.


Next, create the associated compliance policy:

  1. Navigate to Devices > Windows > Compliance policies and select Create Policy.
  2. Start with a simple compliance policy for your HoloLens devices that uses only the settings the table above marks as usable on HoloLens, and apply the HoloLens 2 filter when you assign it to the user group.
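The filter steps and the policy creation above, done against Microsoft Graph instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell module, an account with DeviceManagementConfiguration.ReadWrite.All, and placeholder values for the user group object ID and the minimum OS build; the policy deliberately contains only settings the table above shows as usable on HoloLens, and the beta endpoint is used because assignment filters are only exposed there.

```powershell
# Added example, not from the original post: create the HoloLens 2 assignment
# filter and a compliance policy limited to settings that HoloLens can evaluate,
# then assign the policy to a user group with the filter applied.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$graph       = "https://graph.microsoft.com/beta"
$userGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your user group's object ID

# 1. Assignment filter: Platform "Windows 10 and later", rule Model equals "HoloLens 2".
$filterBody = @{
    displayName = "HoloLens 2 devices"
    platform    = "windows10AndLater"
    rule        = '(device.model -eq "HoloLens 2")'
}
$filter = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/assignmentFilters" `
    -Body ($filterBody | ConvertTo-Json) -ContentType "application/json"

# 2. Compliance policy. BitLocker, Secure Boot, code integrity and Defender
#    settings are omitted: they report Not applicable on Windows Holographic.
$policyBody = @{
    "@odata.type"                      = "#microsoft.graph.windows10CompliancePolicy"
    displayName                        = "HoloLens 2 baseline"
    osMinimumVersion                   = "10.0.19041.1000"   # placeholder build
    passwordRequired                   = $true
    passwordBlockSimple                = $true               # "Simple passwords: Block"
    passwordRequiredType               = "numeric"           # PIN
    passwordMinimumLength              = 6
    passwordExpirationDays             = 90
    passwordPreviousPasswordBlockCount = 5
    passwordRequiredToUnlockFromIdle   = $true
    # Graph rejects a policy with no scheduled action. A block action with a
    # zero-hour grace period marks the device non-compliant immediately, so
    # Conditional Access can act on it without delay.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($policyBody | ConvertTo-Json -Depth 10) -ContentType "application/json"

# 3. Assign to the user group, but only evaluate it on devices matching the
#    filter ("include"); switch to "exclude" to keep HoloLens out of a desktop policy.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                "@odata.type"                              = "#microsoft.graph.groupAssignmentTarget"
                groupId                                    = $userGroupId
                deviceAndAppManagementAssignmentFilterId   = $filter.id
                deviceAndAppManagementAssignmentFilterType = "include"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created filter $($filter.id) and policy $($policy.id), assigned to group $userGroupId"
```

The same filter object can be reused with the opposite filter type on the desktop policy for the same user group, so each device is evaluated against the one policy whose settings it can actually satisfy.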


Note that there is no primary user when a HoloLens 2 device is onboarded with Autopilot for HoloLens.




If a primary user is not identified, no one will receive an email if the compliance state of the device changes from compliant to non-compliant. You can change this by setting a primary user on the device so that Intune can send an email notification:

  1. Navigate to Devices > Windows and find the device you want to assign a primary user to.
  2. Select Properties, click on Change Primary user, and then select the relevant user that will receive the non-compliant notification emails.
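An added example (not from the original post) that performs the same primary-user change through Microsoft Graph, for the case where a whole Autopilot-enrolled fleet needs a notification recipient rather than one device. The user principal name is a placeholder; it assumes the Microsoft.Graph PowerShell module with the DeviceManagementManagedDevices.ReadWrite.All and User.Read.All scopes, and uses the beta endpoint because the managed device's users navigation property lives there.

```powershell
# Added example, not from the original post: give every HoloLens 2 device that
# has no primary user one, so non-compliance notification emails have a recipient.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All", "User.Read.All"
$graph   = "https://graph.microsoft.com/beta"
$userUpn = "fleet.owner@contoso.com"   # placeholder: account that should receive the emails
$user    = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$userUpn"

# Page through all managed devices; a single response holds at most one page.
$devices = @()
$uri = "$graph/deviceManagement/managedDevices?`$select=id,deviceName,model,userPrincipalName"
do {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

# Autopilot self-deploying enrollment leaves userPrincipalName (the primary user) empty.
$orphans = $devices | Where-Object {
    $_.model -eq "HoloLens 2" -and [string]::IsNullOrEmpty($_.userPrincipalName)
}
"HoloLens 2 devices without a primary user: $($orphans.Count)"

foreach ($d in $orphans) {
    # POSTing a user reference to the users/$ref navigation property sets the primary user.
    Invoke-MgGraphRequest -Method POST `
        -Uri "$graph/deviceManagement/managedDevices/$($d.id)/users/`$ref" `
        -Body (@{ "@odata.id" = "$graph/users/$($user.id)" } | ConvertTo-Json) `
        -ContentType "application/json"
    "Set primary user $userUpn on $($d.deviceName)"
}
```

Pick a monitored shared mailbox or a fleet owner as the recipient rather than an individual who may leave; the primary user also becomes the account shown as the device's owner in the portal, so do not choose a privileged admin identity for a kiosk device.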



As new device types like HoloLens enter your endpoint estate, it’s critical that these devices are compliant with your corporate security policies to protect organizational data. Use these policies with Conditional Access to allow or block access to company resources for HoloLens 2 devices.


More info and feedback

For further resources on this subject, please see the links below.

Manage and use different device management features on Windows Holographic and HoloLens devices with Intune

Enroll HoloLens in MDM

Windows Autopilot for HoloLens 2


Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam  on Twitter. 
