Windows Server devices managed by Defender for Endpoint now recognized as a new OS platform
Published Mar 14 2023 03:01 PM

Currently, devices on the Windows Server platform don’t support mobile device management (MDM) and can’t enroll in Microsoft Intune. With the Microsoft Defender for Endpoint (MDE) Security Management feature, Windows Servers can receive security management policies from Intune as outlined in: Manage endpoint security policies on devices onboarded to MDE.

 

Today, Windows Servers are labeled as “Windows” in the attributes that refer to their operating system (OS) platform. This non-specific label makes it difficult to get granular visibility into these devices and to target them. Keep reading to see how we’re making improvements and what actions you may need to take.

 

How this works

Beginning in June, Windows Server devices managed by Defender for Endpoint that currently display “Windows” as the OS platform will update to “Windows Server.”

 

This allows customers to view and filter on Windows Servers in reporting, and to create device groups for targeting that contain only Windows Servers or only Windows clients.

 

What changes can you expect?

Windows Server devices managed by Defender for Endpoint will show “Windows Server” rather than “Windows” for the OS platform attribute. This change applies to Microsoft Defender for Endpoint (MDE) and Azure Active Directory (Azure AD). In Intune, these devices will still show as Windows, but they will be treated as Windows Server endpoints and will honor dynamic groups that specify Windows Server endpoints.

 

For example, the All Devices list in Azure AD:

A screenshot of the All devices pane in Azure Active Directory.

 

In addition to the existing “Windows” deviceOSType, a new value “Windows Server” will be introduced for deviceOSType.

 

This will apply to the following device platforms:

 

Windows:

  • Windows 10 Professional/Enterprise (with KB5006738).
  • Windows 11 Professional/Enterprise.

 

Windows Server:

 

What should customers do to prepare for the change?

If you have Windows Server devices configured in your tenant, expect the OS platform to update to “Windows Server” in your reporting views for Azure AD and MDE device lists. In Intune, the OS platform will show as “Windows” in the All devices list, and the hardware details on the device object page will be blank to represent Windows Servers.

 

If you have any custom scripts that refer specifically to the Windows platform, they will not include the new “Windows Server” value for the deviceOSType and will need to be updated.

 

If you’re using Azure AD dynamic device groups with rules that reference “Windows,” those rules will now exclude Windows Servers. Update the dynamic group rules to include Windows Servers specifically. For example, if you have rules that use the “equals” or “not equals” operator, then you must explicitly update the rule to reference “Windows Server.” If you have rules that use the “contains” or “like” operator, then the rule won’t be impacted.
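One way to find the rules that need attention is to scan each dynamic group's membership rule for exact-match comparisons against “Windows.” The script below is an added example, not Microsoft's code: the function name `Get-DeviceOSTypeRuleImpact`, its result labels and the sample groups are hypothetical, and it assumes “equals,” “not equals” and “contains” are written as `-eq`, `-ne` and `-contains` with double-quoted values in the rule text.

```powershell
# Added example: classify dynamic device group rules for the deviceOSType change.
# The groups and rules below are constructed samples. In a tenant, the rule text
# would come from each dynamic group (for example, the MembershipRule property
# returned by Get-MgGroup).
$sampleGroups = @(
    [pscustomobject]@{ Name = 'Windows (equals)';     Rule = '(device.deviceOSType -eq "Windows")' }
    [pscustomobject]@{ Name = 'Not Windows';          Rule = '(device.deviceOSType -ne "Windows") and (device.accountEnabled -eq true)' }
    [pscustomobject]@{ Name = 'Windows (contains)';   Rule = '(device.deviceOSType -contains "Windows")' }
    [pscustomobject]@{ Name = 'Clients and servers';  Rule = '(device.deviceOSType -eq "Windows") or (device.deviceOSType -eq "Windows Server")' }
    [pscustomobject]@{ Name = 'Servers only';         Rule = '(device.deviceOSType -eq "Windows Server")' }
    [pscustomobject]@{ Name = 'Lab devices';          Rule = '(device.displayName -startsWith "LAB-")' }
)

function Get-DeviceOSTypeRuleImpact {
    param([Parameter(Mandatory)][string]$Rule)

    # Find every clause of the form: device.deviceOSType -<operator> "<value>"
    $pattern = 'device\.deviceOSType\s+-(?<op>\w+)\s+"(?<value>[^"]*)"'
    $clauses = [regex]::Matches($Rule, $pattern, 'IgnoreCase')
    if ($clauses.Count -eq 0) { return 'NoDeviceOSTypeClause' }

    $exactWindows = $false   # -eq or -ne against exactly "Windows"
    $namesServer  = $false   # some clause already names "Windows Server"
    foreach ($c in $clauses) {
        $op    = $c.Groups['op'].Value
        $value = $c.Groups['value'].Value
        if ($value -eq 'Windows Server') { $namesServer = $true }
        elseif ($value -eq 'Windows' -and $op -in 'eq', 'ne') { $exactWindows = $true }
    }

    # Exact-match rules that never mention "Windows Server" are the ones the
    # post says must be updated; substring-style operators are left alone.
    if ($exactWindows -and -not $namesServer) { return 'ReviewRequired' }
    if ($exactWindows -and $namesServer)      { return 'AlreadyNamesWindowsServer' }
    return 'NotImpacted'
}

$sampleGroups | ForEach-Object {
    [pscustomobject]@{
        Group  = $_.Name
        Impact = Get-DeviceOSTypeRuleImpact -Rule $_.Rule
        Rule   = $_.Rule
    }
} | Format-Table -AutoSize
```

Rules flagged `ReviewRequired` are candidates for an explicit “Windows Server” clause; whether servers belong in a given group is still a decision for the group's owner.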

 

Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

 

Post updates:
05/25/23: Updated post to include clarity on the behavior between the Intune, Azure AD and Defender for Endpoint portals.

08/11/23: Updated post to clarify these updates pertain to Microsoft Defender for Endpoint (MDE) attached devices.

02/01/24: Fixed deviceType to reflect deviceOSType.

Last update: Feb 01 2024 03:42 PM