karthikpalani-9530 asked saldana-msft edited

Intune - Policies

Hi All,

I need some advice on how to achieve the below:

  • I created a conditional access policy to block Windows & Mac devices. So I created a condition under "filter by devices" as include Azure AD joined devices as equal, with allow access. It allowed both personal and Azure AD joined devices, but we need to block personal devices.

So I tried a condition under "filter by devices" as include Azure AD joined devices as not equal, with block access. It blocked personal and Azure AD joined devices. Please suggest how to allow Azure AD joined devices and block personal devices.

  • Is there a way to block the network share on Windows 10 using an Intune policy?

  • I created a password complexity device restriction policy - I have set it as "Password complexity: Numbers, lowercase, uppercase and special characters required" but it failed. Is it not supported on Windows 10 desktop/laptop?

  • We have set the password threshold as 5. I tested attempting the wrong password after 5, which worked fine. But in admin.microsoft.com - under active user - user name - the unblock option is not enabled (it shows only block - normally it should show unlock or unblock, right?)

Please provide your suggestions



Tags: azure-active-directory, mem-intune-general, mem-intune-device-configurations, mem-intune-enrollment, mem-intune-admin-center

Crystal-MSFT answered karthikpalani-9530 commented

@karthikpalani-9530, for your questions, here are my suggestions:
1. To block personal devices in the Conditional Access policy, we can set "deviceOwnership" Equals Personal to block.
[screenshot]
2. To block network shares, based on my research, there's no built-in policy in Intune to do this. But I find that maybe we can use PowerShell to disable file and printer sharing to accomplish this. Here is a link for reference:
https://www.c-sharpcorner.com/article/how-to-enable-or-disable-file-and-printer-sharing-in-windows-102/
Note: Non-Microsoft link, just for reference.

We can test the command on a device manually to see if it works. If yes, then we can deploy the PowerShell script via Intune to do it in a batch.

3. For the password complexity policy, the supported values are as below. Please check if our situation is met.
    [screenshot]
    https://docs.microsoft.com/en-gb/windows/client-management/mdm/policy-csp-devicelock?WT.mc_id=Portal-fx#devicelock-mindevicepasswordcomplexcharacters


For the password threshold, to know it better, could you let us know where we configure the setting?

Please check the above information, if there's any update, feel free to let us know.


Hi Crystal,

I tried the above conditional access logic; it's not blocking unenrolled or BYOD devices. It works only if we change the device ownership to corporate or personal. Any other logic you can suggest, please?
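As an added example (not code from the thread or from the linked article), the kind of PowerShell script Crystal-MSFT suggests testing locally and then deploying through Intune to disable file and printer sharing. The cmdlets are built into Windows 10; the log path and the `DisableServerService` parameter are my own assumptions.

```powershell
# Added example: disable inbound file and printer sharing on Windows 10.
# Intended for deployment as an Intune PowerShell script running as SYSTEM
# in the 64-bit host. Assumes the built-in NetSecurity module is available.
param(
    # Assumption: also stop and disable the Server service (LanmanServer) so the
    # device cannot host SMB shares at all, not merely be unreachable via the firewall.
    [bool]$DisableServerService = $false
)

$ErrorActionPreference = 'Stop'
# Assumed log location; Intune shows only the exit code, so keep a local trail.
$log = Join-Path $env:ProgramData 'IntuneScripts\DisableFileSharing.log'
New-Item -ItemType Directory -Path (Split-Path $log) -Force | Out-Null
function Write-Log($msg) { "$(Get-Date -Format o) $msg" | Out-File -FilePath $log -Append }

try {
    # 1. Disable every rule in the built-in "File and Printer Sharing" group
    #    (SMB-In, NB-Session-In, ...) for all profiles. This closes inbound
    #    TCP 445/139 while leaving outbound SMB to file servers untouched.
    $rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
    $rules | Set-NetFirewallRule -Enabled False
    Write-Log "Disabled $($rules.Count) firewall rules in 'File and Printer Sharing'."

    # 2. Optionally stop the share-hosting service itself.
    if ($DisableServerService) {
        Set-Service -Name LanmanServer -StartupType Disabled
        Stop-Service -Name LanmanServer -Force
        Write-Log 'Stopped and disabled LanmanServer.'
    }

    # 3. Verify: any rule in the group still enabled means the change did not stick.
    $stillOn = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
        Where-Object Enabled -eq 'True'
    if ($stillOn) {
        Write-Log "Verification failed: $($stillOn.Count) rules still enabled."
        exit 1   # non-zero exit is reported as Failed in the Intune script status
    }
    Write-Log 'Verification passed.'
    exit 0
}
catch {
    Write-Log "Error: $_"
    exit 1
}
```

When assigning the script in Intune, set "Run this script using the logged on credentials" to No and "Run script in 64 bit PowerShell Host" to Yes so the firewall cmdlets run with SYSTEM rights.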
karthikpalani-9530 answered Crystal-MSFT commented

Hi Crystal,

Appreciate your support as usual.

The password threshold is set under Azure Active Directory - Security - Authentication - Password protection - "Lockout threshold".

@karthikpalani-9530, thanks for the reply. From your description, I find the setting is in Azure AD. As I am not familiar with it, I have added the "azure-active-directory" tag to see if any Azure AD support can be involved. As another option, you can also open a new thread with only this tag to find the support.

Thanks for your understanding.


Thanks, so for point no. 3, it seems like "Numbers, lowercase, uppercase and special characters required" is not supported for desktop/laptop.

Is there any other way we can enforce "Numbers, lowercase, uppercase and special characters required"?

Crystal-MSFT commented:

@karthikpalani-9530, after researching, I didn't find any other method in Intune. Maybe you can send feedback to UserVoice to see if we can get it supported in the future.
https://feedbackportal.microsoft.com/feedback/forum/ef1d6d38-fd1b-ec11-b6e7-0022481f8472

Thanks for the understanding and have a nice day!

sikumars answered sikumars edited

The setting that you were referring to above is Azure AD Smart Lockout, which must work for devices that are Azure AD joined when the device has an internet connection; however, if the device is offline then the Azure AD Smart Lockout policy won't take effect and the user may continue to log in at the Windows sign-in using the cache. Hope this helps.

Note: while testing, make sure you try three different passwords, one per attempt, because Azure AD Smart Lockout is not traditional AD lockout. To get the attempt counter marked as 3 bad passwords, you need to try a different password on each attempt. If you repeat the same password multiple times, it won't increase the count.