Monday, June 21, 2021

Intune Support Tip: Managing Compliance on HoloLens 2 with Microsoft Endpoint Manager

By Per Larsen – Sr. Program Manager | Microsoft Endpoint Manager - Intune

How to manage compliance policies on HoloLens devices is one of the most common questions we get from customers as they start to manage their HoloLens fleet with Microsoft Endpoint Manager.

Compliance policies are used to mark the device compliant or non-compliant, which can be used in conjunction with Azure Active Directory (Azure AD) Conditional Access to allow or block access to corporate data.

Microsoft Intune, as a capability of Endpoint Manager, uses Configuration Service Providers (CSPs) to control and verify many of the settings in the compliance policy, so those CSPs need to be supported on the HoloLens. You can find out more about supported CSPs in the Policies in Policy CSP supported by HoloLens 2 document.

Note: Configuration Manager compliance is not supported on HoloLens devices. The ConfigMgr agent is a Win32 app, and Win32 apps cannot run on a HoloLens device.

HoloLens 2 runs the Windows Holographic operating system, which is not the same as Windows 10 Desktop, and therefore some capabilities (like Win32 apps) do not exist on this platform.

The same compliance policy is used for Windows 10 desktop and HoloLens in Microsoft Intune; however, some settings supported for Windows 10 are not available for HoloLens. BitLocker is one example of this, as described next.

HoloLens 2 has BitLocker Device Encryption enabled automatically on the operating system and fixed data volumes and cannot be turned off - even by IT administrators - so that the device is always protected.

Settings available for HoloLens

The table below lists each compliance policy setting and, in the column "Can you use the profile?", whether it can be used on HoloLens 2.

Device Health
  Require BitLocker: Not applicable
  Require Secure Boot to be enabled on the device: Not applicable
  Require code integrity: Not applicable

Device Properties
  Operating System Version: Yes
  Minimum OS version: Yes
  Maximum OS version: Yes
  Minimum OS version for mobile devices: Not applicable
  Maximum OS version for mobile devices: Not applicable
  Valid operating system builds: Yes

Configuration Manager Compliance
  Require device compliance from Configuration Manager: Not applicable

System Security
  Password
    Require a password to unlock mobile devices: Yes
    Simple passwords: Yes
    Password type: Yes
    Minimum password length: Yes
    Maximum minutes of inactivity before password is required: Not applicable
    Password expiration (days): Yes
    Number of previous passwords to prevent reuse: Yes
    Require password when device returns from idle state (Mobile and Holographic): Yes
  Require encryption of data storage on device: Not applicable
  Device Security
    Firewall: *
    Trusted Platform Module (TPM): Yes
    Antivirus: Not applicable
    Antispyware: Not applicable
  Defender
    Microsoft Defender Antimalware: *
    Microsoft Defender Antimalware minimum version: *
    Microsoft Defender Antimalware security intelligence up-to-date: *
    Real-time protection: *

Microsoft Defender for Endpoint
  Microsoft Defender for Endpoint rules
    Require the device to be at or under the machine risk score: *

Legend for "Can you use the profile?":

Yes = The setting works on HoloLens.

Not applicable = The setting will show as Not applicable in the compliance status.

* = The setting is not included in the supported list of CSPs for Windows Holographic for Business.

How to deploy a compliance policy to HoloLens

Scenarios drive whether you deploy your compliance policy to users in user groups or devices in device groups. When a compliance policy is deployed to a user, all the user's devices are checked for compliance.

Example Scenario 1

Let’s take a HoloLens device that is enrolled into Intune by the Windows Autopilot self-deploying mode process and automatically put in kiosk mode. When onboarded with Autopilot, the device is enrolled. In this case, we recommend deploying your compliance policy to a device group. This can be done with an Azure AD static or dynamic group. You can populate a dynamic group with HoloLens devices by using a device attribute where “Model” is “HoloLens 2” or by a Group Tag set on the Autopilot object.

Example Scenario 2

You have a group of users that use both Windows 10 Desktop devices and HoloLens 2 devices. In this case, the same Intune compliance policy will apply to both device types, so it makes sense to deploy your compliance policy to a user group. Any setting that is not applicable on the HoloLens 2 can mark the device non-compliant.

Create the compliance policy

First, create a Filter to include or exclude HoloLens 2 devices when using user-based targeting:

  1. Navigate to Tenant admin > Filters (preview) > Create, and choose a Filter name.
  2. From the Platform dropdown field, select “Windows 10” and click Next.

    [Image: HoloLens2-Blog-1.png]

  3. Complete the Rules section as follows, then click Next.
    • Property = Model
    • Operator = Equals
    • Value = HoloLens 2

    [Image: HoloLens2-Blog-2.png]

  4. Lastly, assign Scope tags if required, review your configuration, and then click Create.
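As an added example (not code from the original post or from the Intune team), the following Microsoft Graph PowerShell script creates the dynamic Azure AD device group described in Example Scenario 1 and the Windows 10 assignment filter built in the steps above, so both can be kept in source control instead of clicking through the portal. The group and filter names, the mail nickname and the Autopilot Group Tag value are assumptions; the device.deviceModel membership-rule syntax and the device.model filter-rule syntax are the documented forms, and the assignmentFilters endpoint lives in the Graph beta API.

```powershell
# Added example: create the dynamic HoloLens 2 device group (Scenario 1) and the
# HoloLens 2 assignment filter (steps 1-4 above) through Microsoft Graph.
# Requires the Microsoft.Graph.Authentication module (Install-Module Microsoft.Graph.Authentication).
Connect-MgGraph -Scopes "Group.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"

# 1. Dynamic device group keyed on the Model attribute.
#    Alternative rule for an Autopilot Group Tag (assumed tag value "HoloLens"):
#    (device.devicePhysicalIds -any (_ -eq "[OrderID]:HoloLens"))
$groupBody = @{
    displayName                   = "HoloLens 2 devices (dynamic)"   # assumed name
    mailEnabled                   = $false
    mailNickname                  = "hololens2devices"               # assumed nickname
    securityEnabled               = $true
    groupTypes                    = @("DynamicMembership")
    membershipRule                = '(device.deviceModel -eq "HoloLens 2")'
    membershipRuleProcessingState = "On"
}
$group = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/groups" -Body $groupBody
"Created dynamic group $($group.id)"

# 2. Assignment filter: Platform = Windows 10 and later, rule Model Equals "HoloLens 2".
#    Filter rules use the device.<property> syntax shown in the portal's rule builder.
$filterBody = @{
    displayName = "HoloLens 2 (model filter)"                               # assumed name
    description = "Include or exclude HoloLens 2 under user-based targeting" # assumed text
    platform    = "windows10AndLater"
    rule        = '(device.model -eq "HoloLens 2")'
}
$filter = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/assignmentFilters" -Body $filterBody
"Created assignment filter $($filter.id)"
```

The dynamic group is what Scenario 1 targets directly; the filter is what Scenario 2 uses on top of a user-group assignment so that settings marked * in the table above are not evaluated against HoloLens 2 devices.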


Note: Read more about assignment filters in our Create filters in Microsoft Intune documentation.

Next, create the associated compliance policy:

  1. Navigate to Devices > Windows > Compliance policies and select Create Policy.
  2. Start by creating a simple compliance policy for your HoloLens devices, such as the following example:

    [Image: HoloLens2-Blog-3.png]

Note that there is no primary user when a HoloLens 2 device is onboarded with Autopilot for HoloLens, as shown in the following image:

[Image: HoloLens2-Blog-4.png]

If a primary user is not identified, no one will receive an email if the compliance state of the device changes from compliant to non-compliant. You can change this by setting a primary user on the device so that Intune can send an email notification:

  1. Navigate to Devices > Windows and find the device you want to assign a primary user to.
  2. Select Properties, click Change Primary user, and then select the user who will receive the non-compliant notification emails.

    [Image: HoloLens2-Blog-5.png]
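The following script is an added example, not part of the original post: it reads every HoloLens 2 managed device through Microsoft Graph, reports its compliance state next to its primary user so that devices with no notification recipient stand out, and assigns an assumed fallback account as primary user where none is set. The fallback UPN is a placeholder, and the users/$ref call on the beta managedDevices endpoint is the assumed way to perform the portal's Change Primary user action from a script.

```powershell
# Added example: audit HoloLens 2 compliance state and primary user, then fill in a
# primary user where none exists so that non-compliance e-mails have a recipient.
# Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All", "User.Read.All"

$fallbackUpn = "hololens-owner@contoso.example"   # assumed placeholder account

# Page through all managed devices; the model is filtered client-side.
$uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$select=id,deviceName,model,complianceState,userPrincipalName&`$top=500"
$devices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)
$hololens = $devices | Where-Object { $_.model -eq "HoloLens 2" }

# Report: compliance state beside the primary user ("(none)" means nobody is e-mailed).
$hololens | ForEach-Object {
    $owner = if ($_.userPrincipalName) { $_.userPrincipalName } else { "(none)" }
    [pscustomobject]@{
        Device      = $_.deviceName
        Compliance  = $_.complianceState
        PrimaryUser = $owner
    }
} | Format-Table -AutoSize

# Assign the fallback account as primary user on devices that have none.
$user = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$($fallbackUpn)?`$select=id"
foreach ($d in ($hololens | Where-Object { -not $_.userPrincipalName })) {
    $body = @{ "@odata.id" = "https://graph.microsoft.com/beta/users/$($user.id)" }
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($d.id)/users/`$ref" -Body $body
    "Primary user set on $($d.deviceName)"
}
```

Run the report section alone first; the assignment loop should only be enabled once the fallback account is agreed on, since the primary user also becomes the account shown on the device in the Company Portal and Intune views.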

Conclusion

As new device types like HoloLens enter your endpoint estate, it’s critical that these devices are compliant with your corporate security policies to protect organizational data. Use these policies with Conditional Access to allow or block access to company resources for HoloLens 2 devices.

More info and feedback

For further resources on this subject, please see the links below.

Manage and use different device management features on Windows Holographic and HoloLens devices with Intune

Enroll HoloLens in MDM

Windows Autopilot for HoloLens 2

Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

Posted at https://sl.advdat.com/3gNANGB