Allow or Block Windows 10 versions accessing corporate data

Standard

With this blogpost I want to focus on controlling which Windows 10 versions can access corporate date and which versions will be blocked when accessing corporate date. To achieve this I’m using AzureAD Conditional Access together with Compliance Policies configured in Microsoft Intune. In this blogpost I want to focus on the scenario to only allow Windows 10 versions which are receiving updates and are supported by Microsoft. The second scenario is about allowing your users to run Insider Builds for testing purposes but block them to connect to corporate services and data.

To control which version of Windows 10 is able to access corporate data we can use both AzureAD Conditional Access and Intune Compliance policies. In AzureAD a compliance policy is only allowing compliant devices to access the data and within Microsoft Intune a device compliance policy is checking if the device is compliant. Within this Compliance Policy we can configure the minimal and maximal version of the allowed operating systems. The values which need to be entered are the OS version and Build numbers from the winver.exe command. In the first scenario we focus on only allowing Windows 10 versions later then 1511 and therefore we configure a device compliance policy to allow only Windows 10 version later then 1511. As you can see on this link from 10 October 2017 Windows 10 1511 will not receive updates anymore. So from that date you probably won’t allow that Windows 10 version to connect to corporate data. Let’s start with configuring the policy:

  1. Let’s go to https://portal.azure.com and open the Intune section:
  2. Go to Compliance Policies > Policies and click on Create Policy.
  3. Give the policy a name and description and select Windows 10 and later ad platform type. Go to the Device Properties

  4. Since we want to block the Windows 10 – 1511 versions we need to allow the first Windows 10 – 1607 version and configure this as Minimum OS version on this policy. I used this page as reference for build/version numbers. Based on this page 10.0.14393 is the Windows 10 – 1607 version to allow. Let’s configure this version:

  5. Create and Group with your users and assign this group to the policy:

  6. Save the policy and you’re done!

Now let’s check how the user experience is from a Windows 10 – 1511 machine. And let’s check if we still have access on a 1607 version:

Windows 10 -1511 (Build 10586.104)

I was not able to download the first release of Windows 10 – 1511, this was the oldest version I could find. When opening mail the following message was given:

When opening the company portal the following message was shown:

When clicking on View the reason of being not compliant was shown:


When checking my other Windows 10 machines I was still able to open my mail on those. So I was able to block the Windows 10 – 1511 versions. Now the next step is this blogpost is to not allow Windows Insider builds to connect to our corporate data. So the maximum allowed build number is the build number of Windows 10 – 1703 (Creator’s Update) à 15063. The build number of the current Windows Insider builds are 16257. Let’s change the policy we’ve just created to block the Windows Insider build:

  1. Open the policy created earlier in this blogpost and go to the Settings of the policy:

  2. Let’s change the value of the Maximum OS version to the value of Windows 10 – 1703:

  3. Save the policy and you’re done!

Now let’s check how the user experience is from a Windows 10 Insider machine:

Windows 10 Insider (Build 16257.1)

When opening the company portal the following message was shown:

When clicking on View the reason of being not compliant was shown:

Based on above results we are able to control which version of Windows 10 can use corporate data based on Device Based Conditional Access in AzureAD and the Compliance Policy in Intune. A great simple feature to use to control which version of your supported operating systems can access services protected by AzureAD Conditional Access. This functionality is also available for Windows 8.1, Android, iOS and MacOS.

One thought on “Allow or Block Windows 10 versions accessing corporate data

  1. Jaap

    You mention you use AzureAD Conditional Access but I don’t see you configure any, you are only configuring an Intune compliance policy.

Leave a Reply