Step 2. Select the policy you want to configure, and whether to use the recommended settings or custom settings. For some policies, only the custom settings are available. Click Create Policy.
Step 3. Enter a name and, optionally, a description for the policy.
Step 4. Configure the required settings and then click Save Policy.
Step 5. In the dialog box that appears, choose Yes to deploy the policy immediately, or No to create the policy without deploying. You can deploy the policy later.
After you have created the policy, you can deploy it by selecting the policy and choosing the Manage Deployment link, displaying the dialog box shown in Figure 13-18. You can select from your configured user groups or device groups. A mix of groups is allowed, so you can choose groups from one category or both.
Figure 13-18. Managing Policy Deployment
When a policy is deployed, Intune attempts to notify the device that it should check in with Intune for policy updates. If the device does not check in, Intune makes three more attempts to contact it. The device receives its policy updates on its next check-in with Intune.
Note
For details about the Microsoft Intune configuration policies that you can set and the devices they apply to, see the “Microsoft Intune Configuration Policy Reference” at https://docs.microsoft.com/en-us/intune/deploy-use/microsoft-intune-policy-reference.
To configure compliance policies, select Compliance Policies from the menu, click the Add link, and then give your compliance policy a name. You can toggle the individual settings on and off to choose which compliance requirements to enforce. Some of the important compliance settings that you can set are listed in Table 13-2.
Table 13-2. Microsoft Intune Compliance Property Settings

| Category | Setting | Description |
|---|---|---|
| System Security | Require a password to unlock mobile devices | Set to yes or no. |
| System Security | Allow simple passwords | Set to yes or no. |
| System Security | Minimum password length | Can be set between 4 and 14. |
| System Security | Required password type | Set to alphanumeric or numeric. |
| System Security | Minutes of inactivity before a password is required | Causes the screen to lock after the time you set. Set to 1 minute, 5 minutes, 15 minutes, or 1 hour. |
| System Security | Encryption | Requires encryption to be enabled on the device. Applies to Windows Phone, Android, and Samsung KNOX. |
| Device Health | Require devices to be reported as healthy | Applies to Windows 10 Desktop and Mobile. |
| Device Health | Require that devices prevent installation of apps from unknown sources | Applies to Android only. |
| Device Health | Device must not be jailbroken or rooted | Applies to iOS and Android. |
| Device Properties | Minimum Windows version | Specify a minimum Windows version. |
| Device Properties | Minimum Windows Phone or Windows 10 Mobile version | Specify a minimum version for Windows Phone or Windows 10 Mobile devices. |
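The following Python script is an added example (not Intune code and not from the book) that models how the settings in Table 13-2 combine when a device is evaluated: each setting is checked only on the platforms the table says it applies to, the allowed value ranges from the table are enforced before evaluation, and the result is the list of failed settings rather than a single yes/no. The policy and device field names, the platform labels, and the rule that a numeric password requirement is also satisfied by an alphanumeric password are assumptions made for the illustration.

```python
"""Evaluate a device against compliance settings modelled on Table 13-2.

Added illustration, not Intune's own compliance engine. Field names,
platform labels and the device inventory are assumptions; the value ranges
and per-platform applicability follow the table.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INACTIVITY_CHOICES = {1, 5, 15, 60}   # 1 minute, 5 minutes, 15 minutes, 1 hour
ENCRYPTION_PLATFORMS = {"windowsphone", "android", "knox"}     # table: Encryption
HEALTH_PLATFORMS = {"windows10", "windows10mobile"}            # table: reported as healthy
UNKNOWN_SOURCES_PLATFORMS = {"android"}                         # table: unknown sources
JAILBREAK_PLATFORMS = {"ios", "android"}                        # table: jailbroken/rooted
WINDOWS_PLATFORMS = {"windows10"}                               # table: minimum Windows version


@dataclass
class CompliancePolicy:
    require_password: bool = True
    allow_simple_passwords: bool = False
    minimum_password_length: int = 6              # table: between 4 and 14
    required_password_type: str = "alphanumeric"  # or "numeric"
    inactivity_minutes: int = 15
    require_encryption: bool = True
    require_healthy: bool = True
    block_unknown_sources: bool = True
    block_jailbroken: bool = True
    minimum_windows_version: Optional[str] = None  # e.g. "10.0.10586"

    def validate(self) -> None:
        """Reject values outside the ranges the table allows."""
        if not 4 <= self.minimum_password_length <= 14:
            raise ValueError("minimum password length must be between 4 and 14")
        if self.required_password_type not in ("alphanumeric", "numeric"):
            raise ValueError("password type must be alphanumeric or numeric")
        if self.inactivity_minutes not in INACTIVITY_CHOICES:
            raise ValueError("inactivity must be 1, 5, 15 or 60 minutes")


@dataclass
class DeviceState:
    """Constructed record of what a device reports at check-in (assumed fields)."""
    platform: str            # windows10, windows10mobile, windowsphone, ios, android, knox
    has_password: bool
    password_is_simple: bool
    password_length: int
    password_type: str       # "alphanumeric" or "numeric"
    inactivity_minutes: int
    encrypted: bool
    reported_healthy: bool
    blocks_unknown_sources: bool
    jailbroken_or_rooted: bool
    os_version: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.14393' -> (10, 0, 14393) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(policy: CompliancePolicy, device: DeviceState) -> List[str]:
    """Return the failed settings; an empty list means the device is compliant."""
    policy.validate()
    failures: List[str] = []
    if policy.require_password:
        if not device.has_password:
            failures.append("password required")
        else:
            if device.password_is_simple and not policy.allow_simple_passwords:
                failures.append("simple password not allowed")
            if device.password_length < policy.minimum_password_length:
                failures.append("password too short")
            # Assumption: an alphanumeric password also satisfies a numeric requirement.
            if policy.required_password_type == "alphanumeric" and device.password_type != "alphanumeric":
                failures.append("alphanumeric password required")
            if device.inactivity_minutes > policy.inactivity_minutes:
                failures.append("inactivity timeout too long")
    if policy.require_encryption and device.platform in ENCRYPTION_PLATFORMS and not device.encrypted:
        failures.append("encryption required")
    if policy.require_healthy and device.platform in HEALTH_PLATFORMS and not device.reported_healthy:
        failures.append("device not reported healthy")
    if (policy.block_unknown_sources and device.platform in UNKNOWN_SOURCES_PLATFORMS
            and not device.blocks_unknown_sources):
        failures.append("unknown app sources must be blocked")
    if policy.block_jailbroken and device.platform in JAILBREAK_PLATFORMS and device.jailbroken_or_rooted:
        failures.append("device is jailbroken or rooted")
    if (policy.minimum_windows_version and device.platform in WINDOWS_PLATFORMS
            and parse_version(device.os_version) < parse_version(policy.minimum_windows_version)):
        failures.append("Windows version below minimum")
    return failures


if __name__ == "__main__":
    policy = CompliancePolicy(minimum_windows_version="10.0.10586")
    pc = DeviceState("windows10", True, False, 8, "alphanumeric", 5, True, True, True, False, "10.0.14393")
    phone = DeviceState("android", True, True, 4, "numeric", 60, False, False, False, True, "7.0")
    print("pc:", evaluate(policy, pc) or "compliant")
    print("phone:", evaluate(policy, phone))
```

Returning every failed setting, rather than stopping at the first one, is what makes a compliance report useful to an administrator: the Android device above fails seven settings at once, while settings that do not apply to its platform (device health, minimum Windows version) are correctly skipped.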
Deploying Software Updates
You can use Microsoft Intune to manage updates for the Windows computers enrolled with Microsoft Intune. Using Intune for managing updates is similar to using an on-premises Windows Server Update Services (WSUS) server to manage updates for your Windows PCs.
After you have at least one device enrolled as a Computer device type in Intune, updates will be available in the Intune portal. Selecting the Updates menu item will display a large list of updates available, as shown in Figure 13-19. Updates are available for Windows versions back to Windows XP and are categorized in groups, such as Critical Updates, Security Updates, Service Packs, and so on.
Figure 13-19. Windows Updates for Deployment in Microsoft Intune
You can modify the updates you see in the Intune console so that you see updates only for the products you care about. For instance, if you do not have any Windows XP computers to manage, and only use one version of Office across all of your computers, you can hide those updates that do not apply to you. You can accomplish this from the Updates section of the Admin menu.
You can select from the product categories, such as Windows, Works, Office, developer tools, and others. You can also select which updates to see based on the update classification, which includes security updates, tools, service packs, and other classifications.
From this section you can also set up what are called Automatic Approval Rules for your updates. Click the New button in the Automatic Approval Rules section to create a rule. For the rule, you select the product categories, update classifications, and the user and device deployment groups for your rule. Any updates that show up in Intune that apply to the rule you configure will automatically be approved for deployment to your computers.
For instance, you might want to make sure that any critical updates are not held up waiting for your approval, so you can create a rule that all Windows updates classified as critical will automatically be approved for your All Computers group. These updates will then be approved and deployed as soon as they are available.
Updates that do not fall into the automatic approval rules you set will need to be manually approved before they are deployed to your Windows devices. You can make those decisions by viewing the properties of the update, testing it on your reference computers, and approving the update for deployment when you decide it’s ready for production. From the Updates menu, shown in Figure 13-19, select any update and then click the Properties link to view the details of the update. This will display details of the update and the operating system or software it applies to, and includes links to the KB article for the update and whether the update has been superseded by any subsequent updates. The Properties page also includes links to approve or decline the update.
From the Updates section of Intune, you can use the Filters drop-down at the top of the list to see just the updates you care about. For instance, select New Updates to Approve to see the updates that are waiting for your approval.
You can also view updates by classification using the menu selections on the left.
Use the following steps to approve an update:
Step 1. Select the Approve link either from the list or the Properties page for the update.
Step 2. Select the user groups and device groups where you want the update to be deployed. You can select any combination of user and device groups. Click the Next button.
Step 3. In the Approval Setting page, select the approval type. The options are Required Install or Available Install.
Step 4. Choose the deadline for the update. The options are None (the update will be installed on the normal Windows Update schedule), As Soon as Possible, One Week, Two Weeks, One Month, or Custom. The Custom option allows you to select a specific date and time by which the update must be installed.
Step 5. Click Finish to complete the approval process.
Updates that have deadlines and require restarts will cause a forced restart at the time of the deadline, regardless of when the update was actually installed.
This is the same behavior as the update deadline used in WSUS.
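The following Python script is an added example (not Intune code and not from the book) that models two parts of the update workflow described above: the automatic approval rules, which match an update's product category and classification and return the groups it is approved for (an empty result means the update waits for manual approval), and the deadline options, including the point that a forced restart happens at the deadline rather than relative to the install time. The update and rule field names are assumptions, the update titles are constructed, and "One Month" is taken as 30 days, which is also an assumption.

```python
"""Model Intune automatic approval rules and update deadlines.

Added illustration, not Intune code. Field names are assumptions; the
deadline choices and the forced-restart-at-deadline behaviour follow the
text. "One Month" is treated as 30 days (assumption).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Optional, Sequence, Set


@dataclass(frozen=True)
class Update:
    title: str
    product: str          # product category, e.g. "Windows", "Office"
    classification: str   # e.g. "Critical Updates", "Security Updates"
    requires_restart: bool
    superseded: bool = False


@dataclass(frozen=True)
class ApprovalRule:
    products: FrozenSet[str]
    classifications: FrozenSet[str]
    groups: FrozenSet[str]   # user and device groups the rule deploys to

    def matches(self, update: Update) -> bool:
        return update.product in self.products and update.classification in self.classifications


def auto_approved_groups(update: Update, rules: Sequence[ApprovalRule]) -> Set[str]:
    """Union of the groups of every rule the update matches; empty means manual approval."""
    groups: Set[str] = set()
    for rule in rules:
        if rule.matches(update):
            groups |= rule.groups
    return groups


def needs_manual_approval(update: Update, rules: Sequence[ApprovalRule]) -> bool:
    return not auto_approved_groups(update, rules)


DEADLINE_OFFSETS = {
    "None": None,                          # installed on the normal Windows Update schedule
    "As Soon as Possible": timedelta(0),
    "One Week": timedelta(weeks=1),
    "Two Weeks": timedelta(weeks=2),
    "One Month": timedelta(days=30),       # assumption: 30 days
}


def deadline_for(choice: str, approved_at: datetime,
                 custom: Optional[datetime] = None) -> Optional[datetime]:
    """Translate the Step 4 deadline choice into an absolute time (None = no deadline)."""
    if choice == "Custom":
        if custom is None:
            raise ValueError("the Custom option needs a specific date and time")
        return custom
    offset = DEADLINE_OFFSETS[choice]   # KeyError for a choice the console does not offer
    return None if offset is None else approved_at + offset


def forced_restart_at(update: Update, deadline: Optional[datetime]) -> Optional[datetime]:
    """The restart is forced at the deadline itself, whenever the update was installed.

    None when no deadline was set or the update does not require a restart.
    """
    if deadline is None or not update.requires_restart:
        return None
    return deadline


if __name__ == "__main__":
    # Constructed rule: all Windows critical updates go straight to All Computers.
    critical_rule = ApprovalRule(frozenset({"Windows"}), frozenset({"Critical Updates"}),
                                 frozenset({"All Computers"}))
    critical = Update("Constructed critical update", "Windows", "Critical Updates", True)
    security = Update("Constructed security update", "Windows", "Security Updates", False)
    approved_at = datetime(2017, 1, 1, 9, 0)
    for upd in (critical, security):
        print(upd.title, "->", auto_approved_groups(upd, [critical_rule]) or "manual approval")
    print("restart at:", forced_restart_at(critical, deadline_for("Two Weeks", approved_at)))
```

Keeping the rule match and the deadline calculation separate mirrors the console: a rule decides whether an update is approved at all, and the deadline chosen at approval time decides when a device is forced to install and restart.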
Third-Party Updates
You can include third-party updates and manage them in Microsoft Intune just like you do Windows updates. From the Updates menu, select the Overview section and click the Add Updates button. This launches the Microsoft Intune Software Publisher app, as shown in Figure 13-20. If the software is not installed on your computer, it will be downloaded and installed.
Figure 13-20. Using the Microsoft Intune Software Publisher
Use the following procedure to upload your update file:
Step 1. Click the Browse button to locate the update, and then click the Upload button. You can upload an MSI, MSP, or EXE file. Click Next.
Step 2. Enter the publisher name, the app name, the classification, and a description. The classification can be Critical, Security, Update Rollups, or Service Packs. Click Next.
Step 3. On the Requirements page, select the architecture (32-bit or 64-bit) and the operating system. Only Windows operating systems are supported. Choose Any if the update applies to any Windows version. Click Next.
Step 4. Choose from either default detection rules or add your own detection rule. You can add a rule based on whether a specific file exists, a Registry key, or an MSI product code. Click Next.
Step 5. On the Prerequisites page, you can specify any other software that your update is dependent on. It can be other software managed in Intune, or you can specify a rule. The rules offer the same options as the detection rules in Step 4. If your update has no dependencies, select None. Click Next.
Step 6. The next page gives you an option to provide command-line arguments for your update installer. Enter any arguments needed or select No. Click Next.
Step 7. The next page allows you to select return codes to determine whether the update was successful. Enter any return codes you want Intune to evaluate during the installation, or select No and then click Next.
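The following Python script is an added example (not the Microsoft Intune Software Publisher and not from the book) that models the decision logic behind Steps 4, 5 and 7: detection rules based on a file, a Registry key, or an MSI product code decide whether the update is already present, prerequisite rules of the same kinds decide whether it can be installed yet, and a set of return codes decides whether the installer run counted as a success. On a real PC the rules would be checked against the file system, the registry and the installed-product database; here they are checked against a constructed inventory so the logic runs anywhere. The treatment of detection as "all rules satisfied", the paths and product code, and the success codes 0 and 3010 (the usual installer convention for success and success-with-restart) are assumptions, not values from the page.

```python
"""Evaluate third-party update detection rules, prerequisites and return codes.

Added illustration, not the Intune Software Publisher. The inventory is a
constructed stand-in for a Windows PC; rule kinds follow the text (file,
Registry key, MSI product code). Assumptions: an update counts as installed
when all its detection rules are satisfied; 0 and 3010 are success codes.
"""
from dataclasses import dataclass, field
from typing import Iterable, Set


@dataclass(frozen=True)
class Rule:
    kind: str     # "file", "registry" or "msi_product_code"
    target: str   # path, key path or product code GUID


@dataclass
class Inventory:
    """Constructed view of the target computer (paths and GUIDs are placeholders)."""
    files: Set[str] = field(default_factory=set)
    registry_keys: Set[str] = field(default_factory=set)
    msi_product_codes: Set[str] = field(default_factory=set)

    def satisfies(self, rule: Rule) -> bool:
        # Windows paths, key paths and GUIDs are case-insensitive, so compare folded.
        if rule.kind == "file":
            return rule.target.lower() in {p.lower() for p in self.files}
        if rule.kind == "registry":
            return rule.target.lower() in {k.lower() for k in self.registry_keys}
        if rule.kind == "msi_product_code":
            return rule.target.upper() in {c.upper() for c in self.msi_product_codes}
        raise ValueError("unknown rule kind: " + rule.kind)


def decide(detection: Iterable[Rule], prerequisites: Iterable[Rule], inv: Inventory) -> str:
    """Return 'already_installed', 'prerequisite_missing' or 'install'."""
    detection = list(detection)
    if detection and all(inv.satisfies(r) for r in detection):
        return "already_installed"
    if not all(inv.satisfies(r) for r in prerequisites):   # empty prerequisites = None selected
        return "prerequisite_missing"
    return "install"


SUCCESS_CODES = {0, 3010}   # assumption: 0 = success, 3010 = success, restart required


def install_succeeded(return_code: int, extra_success_codes: Iterable[int] = ()) -> bool:
    """True when the installer's exit code is one Intune should treat as success."""
    return return_code in SUCCESS_CODES or return_code in set(extra_success_codes)


def restart_required(return_code: int) -> bool:
    return return_code == 3010


if __name__ == "__main__":
    # Constructed inventory: the app is present, the patch marker key is not.
    pc = Inventory(
        files={r"C:\Program Files\ExampleApp\app.exe"},
        registry_keys=set(),
        msi_product_codes={"{00000000-0000-0000-0000-000000000001}"},
    )
    patch_detection = [Rule("registry", r"HKLM\SOFTWARE\ExampleApp\Patch1Installed")]
    patch_prereqs = [Rule("msi_product_code", "{00000000-0000-0000-0000-000000000001}")]
    print("decision:", decide(patch_detection, patch_prereqs, pc))
    print("exit 3010 succeeded:", install_succeeded(3010), "restart:", restart_required(3010))
```

A detection rule that only checks for the application's main executable would report every installation as already patched, which is why the example keys the patch's detection on a marker the patch itself creates and uses the product code only as the prerequisite.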