maciejrebisz.com

Microsoft Intune – Passport for Work – Mobile-First Cloud-First

maximios February 2, 2023

This is a new feature that will be released in the next service update of Microsoft Intune in January 2016.

I have been playing around with this feature for a couple of months in my test tenant and at a customer in Denmark.

The reason I’m so excited about this feature is that we had 300 new Windows 10 devices that would be Azure AD joined. The users were 6 – 10 years old, and when the devices were Azure AD joined as part of the OOBE, the Windows 10 device would automatically enable PIN login instead of password login. That is a cool feature – but when PIN login is enabled, Azure AD requires a phone number from the user to be able to reset the PIN at a later point.

This feature is called Two-step validation – and is not the same as Multi Factor validation in Azure AD Premium. See the white paper by Microsoft: Azure-AD-Windows-10-better-together

The Azure Authenticator allows you to secure your account with two-step verification. With two-step verification, you sign in using something you know (your password) and something you have (your mobile device).

Passport for Work Settings

“Passport for Work” can be found in the Microsoft Intune console (http://manage.microsoft.com) under Administration -> Mobile Device Management -> Windows -> Passport for Work.

When my “Passport for Work” was enabled, none was selected and I was not able to Azure AD join a Windows 10 device. It was fixed by “Disable Passport for Work on enrolled devices”.

This setting is tenant-wide – and in my tenant cannot be enabled or disabled by user/device groups.

Passport for Work “Enable Passport for Work on enrolled devices”

Now you can configure the settings to fit your organization’s needs.

Use a Trusted Platform Module (TPM): can be preferred or required.

Minimum PIN length: has to be at least 4 characters.

Maximum PIN length: can be at most 127 characters.

This blogpost will be updated when this feature goes GA.
