This is a new feature that will be released in the next service update of Microsoft Intune in January 2016.

I have been playing around with this feature for a couple of months in my test tenant and at a customer in Denmark.

The reason I’m so excited about this feature is that we had 300 new Windows 10 devices that would be Azure AD joined. The users were 6 – 10 years old, and when the devices were Azure AD joined as part of the OOBE, the Windows 10 device would automatically enable PIN login instead of password login. That is a cool feature, but when PIN login is enabled, Azure AD requires a phone number from the user to be able to reset the PIN at a later point.


This feature is called Two-step validation, and it is not the same as Multi Factor validation in Azure AD Premium. See the Microsoft white paper Azure-AD-Windows-10-better-together.

The Azure Authenticator allows you to secure your account with two-step verification. With two-step verification, you sign in using something you know (your password) and something you have (your mobile device).


Passport for Work Settings

“Passport for Work” can be found in the Microsoft Intune console (http://manage.microsoft.com) under Administration -> Mobile Device Management -> Windows -> Passport for Work.


When my “Passport for Work” was enabled, none was selected, and I was not able to Azure AD join a Windows 10 device. It was fixed by “Disable Passport for Work on enrolled devices”.


This setting is tenant-wide, and in my tenant it cannot be enabled or disabled by user/device groups.

Passport for Work: “Enable Passport for Work on enrolled devices”

Now you can configure the settings to fit your organization's needs.


Use a Trusted Platform Module (TPM)

Can be preferred or required



The PIN has to be a minimum of 4 characters.


The PIN has a maximum length of 127 characters.


Lowercase


Uppercase


Special


Biometric


This blogpost will be updated when this feature goes GA.