Review your Endpoint Protection, Device Policies, and Application Policies for Intune for EDU
Published Aug 26 2019 01:24 PM

We recently posted a message center post to a handful of EDU customers. In this blog post, we’ll share screen shots and additional information on these cases that came through support.


For context, last March Microsoft enabled a new policy wizard in the Microsoft 365 admin center to help administrators set up and configure their M365 device management services. This customer-requested wizard simplifies device management setup, but it can cause conflicts for organizations that already had settings configured. Administrators in your organization may have inadvertently deployed device configuration and app protection policies to all users after completing a guided workflow in the Microsoft 365 Admin portal. This could cause an unexpected user/device experience.


Here are screenshots of the new guided workflow, which is very useful to get started with M365:

[Screenshot: the guided workflow in the Microsoft 365 admin center (image1_edupost8_26_19.png)]


Below are some examples of the potential impact depending on the options selected during the “Protect data & devices” step of the guided workflow (Step 3) or if you selected “Create Policy” on a subsequent Protect mobile device tile under the View Recommendation option:

  • BitLocker: Users may receive a notification to encrypt their devices when they sign into their Windows 10 devices with the following message: “Encryption Needed: Your work or school requires this device to be encrypted. Select this notification to encrypt this device.”
    • This notification will be presented to Standard and Local Admin users on all versions of Windows 10 prior to 1809.
      • Standard Users would need elevated privileges to proceed with enabling this on a Windows 10 device.
    • For Windows 10 1809 and 1903, this encryption notification will only be presented to Local Admin accounts.
  • Additional device restrictions policies may be applied to Windows devices.
  • Policy conflicts with existing device configuration and app protection policies that are currently deployed in your environment.
  • Additional restrictions may be enforced when accessing applications that can process app protections policies such as Word, Excel, PowerPoint, and Outlook on Android and iOS.
  • Additional restrictions may be enforced when accessing Office 365 online resources such as Word, Excel, PowerPoint, and Outlook on Windows devices.


Below are policies that may have been created and assigned to All Users:

Impacted Platform | Policy Type | Policy Name | Guided workflow option selection
--- | --- | --- | ---
Windows | Endpoint Protection (Device Configuration) | Endpoint Protection policy for Windows 10 devices | Secure Windows 10 devices
Windows | Device restrictions (Device Configuration) | Device policy for Windows 10 | Secure Windows 10 devices
Android | App protection policies (Client apps) | Application policy for Android | Protect work files when devices are lost or stolen; Manage how users access Office files on mobile devices
iOS | App protection policies (Client apps) | Application policy for iOS | Protect work files when devices are lost or stolen; Manage how users access Office files on mobile devices
Windows | App protection policies (Client apps) | Application policy for Windows 10 (with enrollment) | Protect work files when devices are lost or stolen; Manage how users access Office files on mobile devices
Windows | App protection policies (Client apps) | Application policy for Windows 10 (without enrollment) | Protect work files when devices are lost or stolen; Manage how users access Office files on mobile devices
Android | App protection policies (Client apps) | Default Mobile App Policy for Android devices | View Recommendations: Protect files on mobile apps
iOS | App protection policies (Client apps) | Default Mobile App Policy for iOS devices | View Recommendations: Protect files on mobile apps

Please note: some of these policies may not exist in your tenant, depending on the options selected during or right after the guided workflow in the M365 Admin console.


So what did we have customers look for?

If you didn’t actually want all users to have device or app protection policies, you can follow the remediation steps described below, provided you’re a global admin, an Intune admin, or have delegated permissions to change policies assigned to the All Users group.


  1. Navigate to any of the affected policies listed above in the Intune Admin Portal (https://devicemanagement.microsoft.com) – Device Configuration -> Profiles, or Client Apps -> App Protection policies.
  2. Under Assignments, remove the All Users assignment for each of the affected policies and select Save.

[Screenshot: removing the All Users assignment under Assignments (image2_edupost8_26_19.png)]

  3. Once devices are confirmed to be remediated, you can then proceed to delete any of the affected policies.

[Screenshot: deleting an affected policy in the Intune Admin Portal (intune_edu_8_26_19.jpg)]
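Before clicking through each policy, it helps to get an inventory of everything in the tenant that is still targeted at All Users. The script below is an added example, not part of the original post or of Microsoft's own tooling; it assumes the Microsoft Graph PowerShell SDK is installed and that the Graph v1.0 collections named in `$collections` expose their assignments via `$expand=assignments`, with the All Users target represented as `#microsoft.graph.allLicensedUsersAssignmentTarget`.

```powershell
# Added audit script (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK and an account with Intune read permissions. It lists every
# device configuration profile and app protection policy whose assignment
# target is "All users", so you can confirm which wizard-created policies
# still need their All Users assignment removed before you delete them.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All','DeviceManagementApps.Read.All'

$base = 'https://graph.microsoft.com/v1.0'

# Graph collections to check (assumed paths); comments map them to the table above.
$collections = @(
    'deviceManagement/deviceConfigurations',                        # Endpoint Protection / Device restrictions
    'deviceAppManagement/iosManagedAppProtections',                 # Application policy for iOS
    'deviceAppManagement/androidManagedAppProtections',             # Application policy for Android
    'deviceAppManagement/mdmWindowsInformationProtectionPolicies',  # Windows 10 (with enrollment)
    'deviceAppManagement/windowsInformationProtectionPolicies'      # Windows 10 (without enrollment)
)

function Get-AllUsersAssignedPolicies {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        # Expand assignments so each policy carries its targets inline.
        $uri = "$base/${path}?`$expand=assignments"
        do {
            $page = Invoke-MgGraphRequest -Method GET -Uri $uri
            foreach ($policy in $page.value) {
                # "All users" in the portal is the allLicensedUsersAssignmentTarget type in Graph.
                $allUsers = $policy.assignments | Where-Object {
                    $_.target.'@odata.type' -eq '#microsoft.graph.allLicensedUsersAssignmentTarget'
                }
                if ($allUsers) {
                    [pscustomobject]@{
                        Collection = $path
                        PolicyName = $policy.displayName
                        PolicyId   = $policy.id
                    }
                }
            }
            # Follow paging until the collection is exhausted.
            $uri = $page.'@odata.nextLink'
        } while ($uri)
    }
}

Get-AllUsersAssignedPolicies -Paths $collections | Format-Table -AutoSize
```

Re-run the script after step 2; an empty result confirms no listed policy is still targeted at All Users before you move on to step 3.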


While we’d always advocate for device and app policies, we also understand you may have intended a tiered access setup with your various education audiences (teachers, students, IT admins, etc.). Let us know by commenting back on this post if you have any other questions.


One final note (not completely related, but EDU specific): we did hear from a few of you through this blog and social media that you or your Partner of Record set up the Intune environment with a general Intune SKU, then moved to an EDU license. Several folks mentioned they got the EDU policies applied even after setting up policies in Intune. As of last sprint, we have reverted that behavior. If you start with an EDU SKU, you’ll get the general policies that come pre-set for EDU. If you move from Intune -> EDU, we’ll keep what you had and not apply the EDU SKU policies.

Last update: Dec 19 2023 01:23 PM