It wasn't implied that your BitLocker deployment method works for all scenarios...
If you need to configure a Startup PIN (or pass, etc.) due to lack of a TPM then sure, you may still be SOL.
But anyway regardless, BL will self-activate on 1803 now *with standard users* which is the major improvement in this space that 1803 on AutoPilot brings. Very likely many folks are not aware of this.
As one of the previous complainants on this topic, I do want to post an update.
With the upgrade to Windows 10 1803, BitLocker will self-activate if it's configured to do so in Intune. I am not positive if it's due to the Device Restrictions configuration profile or the Endpoint Protection profile but either way, it's working now.
We anticipated this since it was an advancement our organization was looking to get from improvements to the AutoPilot process on 1803, and it is panning out.
Granted, I don't think we can manage the BitLocker configuration yet (e.g., require Startup PIN and so on, but I haven't re-tested since we moved to 1803) but that is of much lesser importance than the simple ability to activate BitLocker, which may now work for many of you if you move to 1803.
BitLocker on 1803 is now self-activating, many of you may find the same thing.
Agreed. I don't see why you cannot control this on Pro.
You can deploy AirPrint settings for Mac and iOS – https://docs.microsoft.com/en-us/intune/air-print-settings-ios-macos
You can configure some printer settings under device restrictions for Windows 10 – https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10
But I’m hearing from a few people that this still doesn’t really help users get to local printers, and that seems to be the original intent. (@Henrik, if you’re getting this, please weigh in!)
We won’t call this one complete. I’m switching this to “noted”, meaning we know you want it. Thanks again for the feedback!
Does using "Add-Printer" solve the issue of a print driver being missing on the machine? I'm finding that most drivers are not available as MSI installers, so we don't yet have a good way of pushing drivers to a system if they're not already included in Windows.
If there's a simple way to knock all of this out in a centralized way (Intune), any examples please? :)
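One way to make Add-Printer work when the driver is not already in Windows, as an added example that is not from this thread: stage the driver from its INF first, then create the port and printer. It assumes the driver files have already been copied to the device; the INF path, driver name, printer name and host address are placeholders.

```powershell
# Added example: stage a printer driver from an INF, then add the printer.
# All names, paths and the host address below are constructed placeholders.
param(
    [string]$DriverInf   = 'C:\Drivers\ContosoPrinter\contoso.inf',
    [string]$DriverName  = 'Contoso Universal PCL6',
    [string]$PrinterName = 'Floor 2 Printer',
    [string]$PrinterHost = '10.0.0.25'
)

# 1. Register the driver with the spooler only if it is not already known.
if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
    if (-not (Test-Path $DriverInf)) { throw "Driver INF not found: $DriverInf" }
    # pnputil places the package in the driver store; Add-PrinterDriver then
    # makes it available to the print spooler under the name given in the INF.
    pnputil.exe /add-driver $DriverInf /install | Out-Null
    Add-PrinterDriver -Name $DriverName -InfPath $DriverInf
}

# 2. Create the TCP/IP port once.
$portName = "IP_$PrinterHost"
if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $portName -PrinterHostAddress $PrinterHost
}

# 3. Add the printer only if it is missing, so the script is safe to rerun.
if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $portName
}
```

Because every step checks before it acts, the script can be assigned repeatedly (for example as a device-targeted PowerShell script) without creating duplicate ports or printers.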
The PMs involved have been talking about how best to give you a way to disable the “remove device” action. They think rather than focusing on platform enrollment types (iOS, Android, Windows), they could allow you to disable based on corporate vs personal ownership. I said I’d ask if that would work for you. :-)
Would that get you what you need?
While you may not be able to prevent a user from unenrolling his device (at least not without a vendor enrollment program like DEP), you can make the window of exposure smaller by reducing the "Compliance status validity period" (in Compliance policy settings) to a shorter amount of time before marking a device as non-compliant. It's far from perfect, but it's better to have a 1- or 2-day exposure than a 30-day exposure. If you require Compliance via Conditional Access, you should be able to automatically block the unenrolled devices once that amount of time has passed.
As of the March 26 updates, after a compliance or configuration policy is applied to an iOS device, users are prompted to set a PIN every 15 minutes. Users are continually prompted until a PIN is set. So, not forcing exactly, but nagging, a lot – is that close?
Not using a vote here, although I do agree it would be good to have this capability.
However, make sure you're aware of the ramifications of forcing that on for your Android users.
Agreed. Nougat's "Direct Boot" is something Intune should support. Otherwise if a user's device reboots overnight (for example, for updates) they can miss calendar and e-mail notifications, alarm clock alerts, etc.
Intune seems to consider the device "not encrypted" if Require PIN on Startup is disabled. Intune should be able to distinguish between the two, so we can still mark a device compliant while having user data encrypted and have the device remain bootable without entering a PIN. There is no such problem on iOS, which I'm assuming works the same way -- the operating system can load without requiring an unlock PIN just to boot the device.
4 votes. JB shared this idea.
Can't you already do this? It's working on a couple of machines I have tested; domain-joined to AD, but also enrolled to our Azure MDM channel.
Make sure you are doing the "Enroll in mobile device management" under Accounts as a user with admin privs; this is NOT the same as the Workplace Join that a standard user account can do.
Enrolling in MDM will make the device accept policies from Intune on Azure.