Manage Windows IoT Enterprise with Microsoft Endpoint Manager (Intune)


Note:

To start, if you have more questions about IoT, I think you might like to join TechCommunity and post your questions in “Ask the expert”:
https://techcommunity.microsoft.com/t5/learn-iot/ask-the-iot-expert-windows-10-iot-enterprise/m-p/1578999#M12

Windows 10 IoT Enterprise is a full version of Windows 10. It uses the same familiar development and management tools as normal PCs and laptops, delivers the same enterprise manageability and security support as Windows 10 Pro to IoT solutions, and is often used to create dedicated devices that are locked down to a specific set of applications and peripherals, for example ATMs, medical devices, digital signage, kiosks, etc.

Windows 10 IoT Enterprise offers two servicing channels: Long-term Servicing Channel (LTSC) and Semi-Annual Channel (SAC). I have been testing these two versions of Windows 10 IoT Enterprise, and we have some very interesting results to share.

Let’s talk about these two channels

To my understanding, Windows 10 IoT Enterprise builds on Windows 10 Pro and adds Granular UX Control and Security Features.

Granular UX Control includes: Unified Write Filter, Embedded Logon, Assigned Access, Shell Launcher, Embedded Boot Experience, Unbranded Screens, AppLocker, MDM & Group Policies
Security Features include: Credential Guard, Device Guard

  • Windows 10 IoT Enterprise LTSC 2019
    OperatingSystemSku is 125. It builds on Windows 10 Pro, version 1809, and this release includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. This release doesn’t include any UWP apps, Microsoft Store, Cortana or Microsoft Edge. Windows 10 IoT Enterprise LTSC 2019 is the same as Windows 10 Enterprise LTSC 2019; there are no real differences between them, it is more or less marketing spin. More about LTSC can be read here

  • Windows 10 IoT Enterprise, version 2004
    OperatingSystemSku is 188. The current newest Semi-Annual Channel (SAC) release is built on Windows 10 Pro, version 2004, and it gets feature upgrades just like other SAC Windows versions. This release includes built-in apps, for example Microsoft Store, Edge, etc.
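Because the two releases behave differently under Intune, it helps to confirm which one a device actually runs before troubleshooting a policy. The following PowerShell script is an added example, not part of the original post: it reads OperatingSystemSku and maps the two values listed above (125 and 188), checks whether the Microsoft Store package is present (it is absent on LTSC 2019), and reports the state of the IoT lockdown optional features. The optional-feature names (Client-UnifiedWriteFilter, Client-EmbeddedShellLauncher, Client-EmbeddedLogon, Client-EmbeddedBootExp, Client-DeviceLockdown) are assumed from the Windows feature catalog; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): identify the Windows 10 IoT
# Enterprise release and report which lockdown features are enabled.
function Get-IoTEnterpriseInfo {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $sku = [int]$os.OperatingSystemSKU

    # SKU values as stated in the post; anything else is reported as unknown.
    $skuName = switch ($sku) {
        125     { 'Windows 10 IoT Enterprise LTSC 2019' }
        188     { 'Windows 10 IoT Enterprise (SAC), version 2004' }
        default { "Not one of the IoT Enterprise SKUs covered here (SKU $sku)" }
    }

    # ReleaseId is the feature-update version (1809, 2004, ...).
    $releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId

    # LTSC ships without the Microsoft Store; check the package is present.
    $hasStore = [bool](Get-AppxPackage -Name Microsoft.WindowsStore -ErrorAction SilentlyContinue)

    # Optional-feature names assumed for the "Granular UX Control" features.
    $lockdownFeatures = @{
        'Client-UnifiedWriteFilter'    = 'Unified Write Filter'
        'Client-EmbeddedShellLauncher' = 'Shell Launcher'
        'Client-EmbeddedLogon'         = 'Embedded Logon'
        'Client-EmbeddedBootExp'       = 'Embedded Boot Experience'
        'Client-DeviceLockdown'        = 'Device Lockdown (parent feature)'
    }
    $features = foreach ($name in $lockdownFeatures.Keys) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Feature = $lockdownFeatures[$name]
            State   = if ($f) { $f.State } else { 'NotPresent' }
        }
    }

    [pscustomobject]@{
        Caption   = $os.Caption
        Build     = $os.Version
        ReleaseId = $releaseId
        SKU       = $sku
        SkuName   = $skuName
        IsLTSC    = ($sku -eq 125)
        HasStore  = $hasStore
        Features  = $features
    }
}

$info = Get-IoTEnterpriseInfo
$info | Format-List Caption, Build, ReleaseId, SKU, SkuName, IsLTSC, HasStore
$info.Features | Format-Table -AutoSize
```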

Intune MDM management

Windows 10 IoT Enterprise is supported by Intune, see this list. However, it was a bit more complicated than I thought.

Test one: Windows 10 IoT Enterprise, version 2004

There are lots of settings that cannot be applied, for example Device Restrictions, Update policy, Security baselines, Attack Surface Reduction rules, Account Protection, BitLocker, Administrative Templates, etc.

Screenshots (not reproduced here): Security baseline, Microsoft Defender Firewall, Account Protection, App and browser isolation.

Only “Endpoint Security” -> “Antivirus” works a bit better: there are four settings that cannot be applied, and the rest of the settings seem ok.

We also found this Microsoft document https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise , which lists which Policy CSPs are supported for IoT Enterprise. But our test results tell a different story. Take Update Policy, for example: the documentation lists only 4 Update policies as supported, but our test shows all Update Policies work just fine. Also, the BitLocker Policy works fine too.

Screenshots (not reproduced here): Windows Update, BitLocker.

Test two: Windows 10 IoT Enterprise LTSC 2019

Intune UI-configured policies work in Windows 10 IoT Enterprise LTSC 2019, so this is good news. There are some settings that cannot apply because the feature itself isn’t supported. Not all custom OMA-URIs from the Microsoft documentation list work. I opened an issue in their GitHub if you would like to follow it.

Windows Autopilot

Note: In the official Autopilot document, IoT Enterprise is not listed as a supported OS.

Test one: Windows 10 IoT Enterprise, version 2004

Autopilot works. I used the Enrollment Status Page tracking the Company Portal online app and Microsoft Edge. User ESP failed. I used Michael Niehaus’s Get-AutopilotStatus script for troubleshooting; apparently, the Company Portal online app was not installed.

Test two: Windows 10 IoT Enterprise LTSC 2019

Autopilot doesn’t work. No surprise, as it wasn’t listed as a supported OS in the first place.

Summary

This is all that I have tested so far; I am sure there are lots of other things we can still test. Let me know if you have anything in mind, or if you would like to add your test results.

4 thoughts on “Manage Windows IoT Enterprise with Microsoft Endpoint Manager (Intune)”

    1. I think it should be able to enroll in Intune. I am not sure about hybrid scenarios; I didn’t test that.
