Postponed: Upcoming Security Enhancements in the Intune Service – your action is required!


By Murali Krishna Hosabettu Kamalesha | Sr. PM, Tyler Castaldo | PM & Owen Yen | Sr. PM

Updated 11/28 - Based on your feedback, we're going to postpone this change while we develop a friendlier end user experience. We will continue to keep this blog post updated on this topic and will also post a targeted communication with updated screenshots in the Office Message Center if action or changes are required.

Updated 10/17 to include a section for customers using Mobile Device Management for O365. Updated 10/19 to add new screenshot for O365 customers. Updated 11/1 to include new section on users exempt from CA. Updated 11/7 with additional information on new report. Updated 11/14 with end user screen shots, reporting, and updated timeline.

We’re introducing some security enhancements, based on your feedback, in the Intune service in November. Depending on how your compliance policies are configured, you may need to take action to avoid loss of email access for your end users. Read along!

If you have used compliance policies with Conditional Access (CA) in Intune, you may have noticed that devices without a compliance policy assigned to them are considered compliant and end users are allowed access to email. Starting the last week in November 2017 and into the first week in December, we'll introduce a change so that devices with no compliance policy assigned to them will be treated as “not compliant”. These devices will be blocked by CA and end users associated with them will lose access to email.

How should I prepare for this change?

We’ve launched a new report in Intune on Azure, called “Devices without compliance policy”. This report will help you identify all the devices in your environment that do not have a compliance policy assigned. Please review your compliance policy deployments and ensure that all your devices have at least one compliance policy assigned to them by mid- to end- of November.

Here’s a screenshot of what the report looks like. If the count of devices in your report is non-zero, then you have devices in your environment without a compliance policy which will be marked as not compliant towards the end of November. Click on the report, review the list of devices and users, and assign a compliance policy where necessary. See Get started with Intune device compliance policies and follow links for directions to assign policies to different platforms.

devices without compliance policy

Update
The report has gone live with the October service release which finished up early November. We’ve reviewed the deployment schedule and plan to make changes through the schedule below. NOTE - To know what scale unit you are on, login to the Intune on Azure console, and then select the help and support blade. The scale unit you are on shows up in the top part of the blade under Tenant Location.

Postponed!

Planned Schedule:
11/2-11/27 – Preproduction validation
11/28 – Start with Scale Unit North America 06
11/28 – 11/30 – Provided no alerts from North America 06, expand changes to Asia Pacific 03 and North America 05

The rest of the scale units will then be updated as the service updates to the December service release. These exact dates are scheduled to be completed by mid-December, but exact dates do shift, so sharing those dates now would be premature.

How will I know if an end-user is impacted?

Here's a screen shot of what the end user will see. Please note, this is a screen shot from testing and from a real device; the white line in the image is the overhead lights.

How do I assign a compliance policy to “All Users”?

In November, to make things easier, we’ll add a new feature to the Intune on Azure Portal that allows you to assign compliance policies to “All Users”.

What if I only care about enrollment and don't need compliance?

To allow access for enrolled devices without any additional security checks, create a blank compliance policy with no settings configured and assign it to your users.

What if I have users exempted from CA that aren’t targeted by a compliance policy?
If you have users in your environment that are exempt from CA requirements, their devices will still be reported as not compliant if they’re not targeted by at least one compliance policy. However, this will not impact their access to company resources such as email.

What if I am a Configuration Manager customer using hybrid mobile device management (MDM)?

If you’re using a hybrid MDM configuration, this change applies to you, too. Towards the end of November, devices not covered by compliance policy will be marked “not compliant,” and if you have CA configured, these devices will lose access to company resources such as email. You’ll need to prepare for that by first determining which users’ devices are impacted. To do this in hybrid, you can run the following SQL query in your Configuration Manager database. Note that this query does not make any changes, but only returns information about the impacted devices.

SELECT UMR.UniqueUserName AS UserName, CDR.Name AS DeviceName, CDR.DeviceOS, CDR.SiteCode, CDR.LastActiveTime, CDR.ManagementAuthority, CDR.SMSID, CDR.SerialNumber, CDR.IMEI

FROM vSMS_CombinedDeviceResources CDR LEFT JOIN v_UserMachineRelationship UMR ON CDR.MachineID = UMR.MachineResourceID

WHERE CDR.ClientType = 3 AND CDR.ArchitectureKey = 5 AND CDR.MachineID NOT IN

(SELECT DISTINCT MachineResourceID FROM v_UserMachineRelationship WHERE UniqueUserName IN (SELECT DISTINCT SMSID FROM vCollectionMembers WHERE CollectionID IN (SELECT DISTINCT TargetCollectionID FROM vCI_CIAssignments WHERE AssignmentType = 8)))

You can also create a custom report using this query. See the instructions here. Once you’ve identified the impacted users and devices, you should ensure that they are targeted with a compliance policy.

What if I am an Office 365 customer using Mobile Device Management for Office 365?

If you are using Mobile Device Management for Office 365, this change applies to you, too. Towards the end of November, devices that previously have been targeted with a policy to “Allow access even if the device does not meet the requirements of the policy” (see screenshot) will be marked “not compliant”, and if you have CA configured, these devices will lose access to company resources such as email and SharePoint.

 

 

 

You’ll need to prepare for this by first determining which users’ devices are impacted. To do this you need to identify all users that currently have policies (as described above) targeted. Once you have these users identified, you can mitigate the impact of this change in one of two ways.

  1. You can change your existing device policies in Mobile Device Management for Office 365 by replacing each existing policy with a new one, leaving all the settings the same with the exception of changing the above to “Block access and report violation”. OR
  2. You can simply create a blank policy and target the policy to all existing users who have a policy targeted, and make sure the policy is set to “Block access and report violation”.

By doing either of the above, you can ensure that your existing devices that are currently targeted with policies can remain in “compliant” state and continue to access your corporate assets in Exchange Online and SharePoint Online.

Comments (27)

  1. Mahesh says:

    What if I only care about enrollment and don’t need compliance?

    To allow access for enrolled devices without any additional security checks, create a blank compliance policy with no settings configured and assign it to your users.

    Do I need to create policy for empty policy for all the platforms?

    1. Hi Mahesh. Yes, you do need to create one blank/empty policy for each platform.

  2. Steven says:

    I have 2 questions –
    1- We have Conditional Access setup for both Exchange and Sharepoint. For windows platforms we have windows must meet the following requirements set to device must be domain joined or compliant. Will this change affect the domain joined computers who are device registered into Azure but are managed by SCCM and are not compliant as the compliance policy is not applied to them. They are also not appearing in the output list from the query.

    2. I have a list of a number of devices that the query has produced. I have checked the devices in Azure and all the devices are shown as compliant. I can not see why these devices are in the output from the query. I believe that these users are targeted by the compliance policy and therefore should not be in the output from the query. How can I find out why they have been included in the output.

    1. Hi, Steven – since it sounds like you are hybrid we went and talked with Tyler and here’s his comments back! With the setup described above, the Windows devices will still be able to access resources under conditional access. Now, for the second part, we did test the query but if it’s not providing the correct information, we’ll likely need to figure out what’s going on in the environment. Please contact support with the device details so we can investigate the issue. Thank you!!!

  3. Lisa Pratt says:

    We are using Intune App Protection Policies only (MAM only). Does this affect us in any way? Will our users continue to be able to access email via Outlook if we do nothing?

    1. Lisa, MAM will be unaffected by this change, so you will not need to take any action. Only MDM enrolled devices are impacted.

  4. M says:

    Does this affect MAM policies or just device compliance policies?

    1. This impacts device compliance policies for MDM enrolled devices only, so MAM policies will not be affected.

  5. Joe says:

    Any further update on when this new report might be released?
    Just a little concerned that its the start of November and we don’t seem to have it yet?

    1. Hi, Joe – the October service release is not fully out yet. While typically the release is completed by the end of the month, from time to time there’s delays. If we run into any incidents, or have any unhealthy runners, we’ll hold all updates to ensure everything’s working great (and there’s no customer impact) before updating. Last we heard the change was set to start rolling out the very last week in November, but we’ll update this blog post if anything changes to that timeline. Hope this helps!

      1. Joe says:

        Thanks, that’s fair enough.
        Was just getting concerned that we would not have time to properly test and complete any changes we needed to make as a result.

  6. Owen says:

    I gather from this, if I have no Conditional Access policies, no action is needed?

    If I did want to create a blank compliance policy (per platform) and assign it to “All Users”, and I have pre-existing assigned compliance polices – would the most restrictive apply?

    1. Yes you’re right, Owen, no action is needed if you have no Conditional Access policies set up. For your second question, the most restrictive policies would indeed apply.

  7. Mahesh says:

    We have Device compliance policies through Classic Intune Portal. Will this changes affect us ? Do we need to consider to move the device compliance policies from Classic portal to Azure portal for this changes?

    1. Brad says:

      This is critical for our environment too. In the new Azure portal we are showing as 0 for devices without compliance policy just like the screenshot in this article. However all of our devices in the new Azure portal do show no compliance policy. I have confirmed the CP is still working via Silverlight however. To the original requestors point, are we still required to create a new CP in the new Azure portal? Or will we be ok with the existing that is applied in the Silverlight.

    2. Hi Mahesh, this change does affect compliance policies in the classic portal. Any users who are not assigned a compliance policy will be considered not compliant. An admin can use the Intune on Azure portal to determine which devices will become non-compliant when the enforcement rolls out. However, this only affects you if you have an Azure AD Conditional Access (CA) policy defined that requires devices to be compliant. If there are no CA policies that require device compliance, there will be no other change other than device status seen in the admin console. Hope this helps!

      1. Brad says:

        If I understand you correctly, if we never brought over our CA policy into the new Azure portal, the old CA policy in the Silverlight portal coupled with the Compliance policy will remain intact and not impact our users. If we were ever to bring the CA Policy for Exch/Sharepoint to the new Azure portal, then you are saying we would have a problem.

        So the only change we will see is all devices will be marked as non compliant however nothing will be impacted because our CA policy and Compliance policy are still in the old Silverlight Portal?

        Are you recommending we migrate the existing CA policy and Compliance to the new Azure Portal though?

        1. Existing CA policies in Intune Silverlight Portal or ‘classic policies’ should be migrated to the Azure AD Conditional Access portal as discussed in the documentation here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-migration
          You are not required to migrate compliance policies, but you can choose to.

      2. Mahesh says:

        We have Conditional Access on Azure Portal , marked as a device to be compliant. compliances policies are picking up from the Classic Intune Portal. The report “Device without compliance policy” is null, does this change will affect us?

        1. This change affects Conditional Access that’s configured to require devices to be compliant. If all your devices have at least one compliance policy assigned to them, the report will show as null. No further action is required on your part for this change.

  8. PhilippeD says:

    I have big concern over this incomming changes as we use CA with all our IOS and Android devices, compliance policies are deployed in INTUNE, the device without compliancy report shows ALL our devices being without policies even though they are compliant while drilling down the devices, users and report.

    What part of the compliance is required, the Azure AD compliance or the device compliance?
    Can we get intouch with the product group, i would have more details to provide.

    While trying to export the devices affected the report fails generating, housands of errors:

    { “error”: { “code”: “”, “message”: “The query specified in the URI is not valid. Query option ‘SkipToken’ is not allowed. To allow it, set the ‘AllowedQueryOptions’ property on EnableQueryAttribute or QueryValidationSettings.”,

    1. ABQ_Dev says:

      PhilippeD,

      Make sure that the compliance policies are assigned to dynamic user groups, not to dynamic device groups.

      The confusing thing is that you can assign a compliance policy to device groups and the policy will still be evaluated on each device, with the results displayed under each device’s ‘Device compliance’ pane in the Azure Intune portal as usual. However, if you login to the Company Portal app on any of the targeted devices, you’ll see the message displayed in the blog post stating that no compliance policies have been assigned. Also, if a device is only targeted for a compliance policy through a device group, you will see that the overall compliance status in the ‘Devices’->’All Devices’ pane and the ‘Device compliance’->’Device compliance’ pane does not include the results of said policies when calculating overall compliance status of a device. These policies also do not apply for conditional access, which is why your devices are showing up in the ‘Devices without compliance policy’ report. Basically, Intune is happy to evaluate those policies for you, but they have no effect on actual overall device compliance. Fun, right?

      That said, I would very much like to see this change, as I have scenarios where device group based targeting would make more sense. For instance, let’s take a user that has two Windows 10 machines – an old desktop without a TPM that’s in a secure office and locked to a desk and a Surface Pro that travels with the user outside of the office. I want to use conditional access with policy to enforce hardware-backed BitLocker encryption on the Surface Pro, which is not available on the old desktop PC, but any compliance policy applied to that user that requires encryption on Windows 10 devices will mark the old desktop PC as non-compliant and deny access to company resources. Therefore, I must remove the encryption requirement for all of that user’s devices, putting the data on the Surface Pro at risk. Not ideal. I also imagine this being a real headache for organizations that use a couple of device enrollment managers to enroll all of their devices with device-based licensing.

  9. RichardP says:

    Where the setting “all existing users who have a policy targeted” to be found?

    1. There is no setting currently in the O365 portal for all users who have a policy targeted. You can follow these steps to find out which users have a policy targeted:
      1. Look at each policy to see if the policy is set as “Allow access even is the device does not meet the requirements of the policy” and which group(s) the policy is targeted to.
      2. Look at membership of each of the groups identified in the step above to identify which users are impacted. You can mitigate impact for these users by following the guidance in the blog post.

  10. NARESH DOSHI says:

    HELLO THIS IS NARESH I AM CLOUD PARTNER AND I HAVE PROBLAMES THAT I CAN NOT SEE ANY OF THE MY CLIENT WHO HAS
    INTUNE IN THEIR AZURE PORTAL
    BUT I CAN SEE THEN IN CLASSIC PORTAL BUT NOT IN AZURE PORTAL WHAT SHOULD I DO AND HOW TO DO PLEASE ADVICE OR IF ANY ONE CALL ME AND WALK ME THROUGH ONE CLIENT THEN I CAN DO ALL OTHER I APPRICIATED

  11. Betsy Getreu says:

    As suggested, I created a blank compliance policy and assigned it to All Users. I do not have any CA policies. However, although I am a member of All Users, none of my devices (all compliant) have received the compliance policy. I have a license to EMS Intune and AD Premium. I can’t figure out what I am doing wrong. Any help you can provide would be appreciated.

    1. Betsy, we suggest contacting support for this. That would help to diagnose and resolve the issue.

Skip to main content