By Per Larsen – Sr. Program Manager | Microsoft Endpoint Manager - Intune
How to manage compliance policies on HoloLens devices is one of the most common questions we get from customers as they start to manage their HoloLens fleet with Microsoft Endpoint Manager.
Compliance policies are used to mark the device compliant or non-compliant, which can be used in conjunction with Azure Active Directory (Azure AD) Conditional Access to allow or block access to corporate data.
Configuration Manager Compliance is not supported with Hololens devices. The ConfigMgr agent is a Win32 app, and Win32 apps cannot run on a HoloLens device.
HoloLens 2 runs the Windows Holographic Operating System, which is not the same as Windows 10 Desktop, and therefore some capabilities (like win32 apps) do not exist in this platform.
The same compliance policy is used for Windows 10 desktop and HoloLens in Microsoft Intune, however some settings supported for Windows 10 are not available for HoloLens. This is similar to how BitLocker and HoloLens work.
HoloLens 2 has BitLocker Device Encryption enabled automatically on the operating system and fixed data volumes and cannot be turned off - even by IT administrators - so that the device is always protected.
Settings available for HoloLens:
Can you use the profile?
Require Secure Boot to be enabled on the device
Require code integrity
Operating System Version
Minimum OS version
Maximum OS version
Minimum OS version for mobile devices
Maximum OS version for mobile devices
Valid operating system builds
Configuration Manager Compliance
Require device compliance from Configuration Manager
Require a password to unlock mobile devices
Minimum password length
Maximum minutes of inactivity before password is required
Password expiration (days)
Number of previous passwords to prevent reuse
Require password when device returns from idle state (Mobile and Holographic)
Require encryption of data storage on device.
Trusted Platform Module (TPM)
Microsoft Defender Antimalware
Microsoft Defender Antimalware minimum version
Microsoft Defender Antimalware security intelligence up-to-date
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint rules
Require the device to be at or under the machine risk score
Can you use the profile?
Yes = The settings will work on HoloLens
Not applicable = Will show as Not applicable in the compliance status
* = Settings are not included in the supported list of CSP for Windows Holographic for Business
How to deploy a compliance policy to HoloLens
Scenarios drive whether you deploy your compliance policy to users in user groups or devices in device groups. When a compliance policy is deployed to a user, all the user's devices are checked for compliance.
Example Scenario 1
Let’s take a HoloLens device that is enrolled into Intune by the Windows Autopilot self-deploying mode process and automatically put in KIOSK mode. When onboarded with Autopilot the device is enrolled . In this case, we recommend deploying your compliance policy to a device group. This can be done with an Azure AD static or dynamic group. You can populate a dynamic group with HoloLens devices by using a device attribute where “Model” is “HoloLens 2” or by a Group Tag set on the Autopilot object.
Example Scenario 2
You have a group of users that use both Windows 10 Desktop devices and HoloLens 2 devices. In this case, the same Intune compliance policy will be applicable to both devices. It therefore makes sense to deploy your compliance policy to a user group. Any setting that is not applicable on the HoloLens 2 can mark the device non-complaint.
Create the compliance policy
First, create a Filter to include or exclude HoloLens 2 devices when using user-based targeting:
Navigate to Tenant admin > Filters (preview) > Create, choose a Filter name.
From the Platform dropdown field, select “Windows 10” and click Next.
Complete the Rules section as follows, then click Next.
Property = Model
Operator = Equals
Value = HoloLens 2
Lastly, assign Scope tags if required, review your configuration, and then click Create.
Navigate to Devices > Windows > Compliance policies and select Create Policy.
Start by creating a simple compliance policy for your HoloLens devices, such as the following example:
Note that there is no primary user when a HoloLens 2 device is onboarded with Autopilot for HoloLens, as shown in the following image:
If a primary user is not identified, no one will receive an email if the compliance state of the device changes from compliant to non-compliant. You can change this by setting a primary user on the device so that Intune can send an email notification:
Navigate Devices > Windows and find the device you want to assign a primary user to.
Select Properties, click on Change Primary user, and then select the relevant user that will receive the non-compliant notification emails.
As new device types like HoloLens enter your endpoint estate, it’s critical that these devices are compliant with your corporate security policies to protect organizational data. Use these policies with Conditional Access to allow or block access to company resources for HoloLens 2 devices.
More info and feedback
For further resources on this subject, please see the links below.