Locating lost or stolen Windows 10 devices

This week is all about a small new feature for Windows 10 devices that was introduced with the latest service release of Microsoft Intune. That new feature is the ability to find lost or stolen Windows 10 devices. Starting with the 2104 service release of Microsoft Intune, the Locate device remote device action – already available for supervised iOS and iPadOs device – also becomes available for Windows 10 devices. That enables IT administrators to find lost or stolen Windows 10 devices. This post will start by going through the information about the new remote action, including the implications, followed with the steps for configuring the privacy settings. This post will end by showing the IT administrator and user experience.

Introduction to the location service and privacy

The location service in Windows 10 is used for providing apps, features and services with information about where the device is and where the device has been. Access to that information is desirable – and sometimes even required – for the full functionality of some apps and services. That access can be used for something simple as localized commercials, or something more fancy with maps to the closest stores. Even certain Windows features – like Find my device and the automatic time zone configuration – rely on access to that information to function properly. Providing that access to that information is something that is manually configured by the user, or something that is automatically enforced by the IT administrator. The location information itself is stored on the device for only a limited time of 24 hours.

The location service uses a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address, to determine the location of the device. The accuracy of that location depends on the available capabilities of the device. The location information is also shared with Microsoft to improve the location service. In that case the location information is first de-identified (i.e. the personal identifiable information is removed). Besides access of Windows to the location information, it’s also possible to allow third-party apps with access to that information. That, however, is only applicable when those apps are available via the Microsoft Store, or when the app was developed with respect to the Windows location settings. It’s still possible for a third-party developer to create an app that doesn’t rely on the information of the location service. The developer could use other signals – like Bluetooth and Wi-Fi – to determine their own location. In that case, the configuration of the device location settings has no impact on that app.

Configuring the settings catalog profile to enable access to the location service on Windows 10 devices

The usage of the location service requires that apps are allowed access to the location data. By installation default, that is configurable by the user. That can be configured by the user during the out-of-the-box experience, or later via the Settings app (via Privacy > Location). Besides that it’s also possible for the IT administrator to enforce the required configuration on Windows devices. The required setting is available via the Privacy CSP as an ADMX-backed policy. That means that it can be configured by using a custom configuration profile, or by using the new settings catalog. The settings catalog is the preferred route, as it contains the same setting and it’s configurable via the UI. The following eight steps walk through the creation of that profile with the required setting.

Important: Before applying this configuration, make sure that this configuration is compliant with the local privacy laws and regulations.

1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows > Configuration profiles
2. On the Windows | Configuration profiles blade, click Create profile
3. On the Create a profile blade, provide the following information and click Create

• Platform: Select Windows 10 and later to create a profile for Windows 10 devices
• Profile: Select Settings catalog to select the required setting from the catalog

1. On the Basics page, provide the following information and click Next

• Name: Provide a name for the profile to distinguish it from other similar profiles
• Description: (Optional) Provide a description for the profile to further differentiate profiles
• Platform: (Pre-selected) Windows 10 and later

1. On the Configuration settings page, as shown below in Figure 1, perform the following actions

• Click Add settings and perform the following in Settings picker
  • Select the Privacy category
  • Select the Let Apps Access Location setting
• Select Force allow as value with the Let Apps Access Location setting and click Next

• Figure 1: Enable location access for apps

1. On the Scope tags page, configure the required scope tags and click Next
2. On the Assignments page, configure the assignment and click Next
3. On the Review + create page, verify the configuration and click Create

Performing the remote action to locate Windows 10 devices

Once the access to the location of the device is enable, it’s possible for the IT administrator to actually locate that device. That can be achieved by using a remote action. The following three steps walk through triggering the remote action to locate the Windows device.

Important: Before locating the device, make sure that this action is compliant with the local privacy laws and regulations.

1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows > Windows devices
2. Select the Windows device to locate and in the Overview click Locate device

• Figure 2: Perform the locate device action

1. On the Locate device dialog box, read the message “Before you continue, make sure you’re following local laws and regulations around receiving location data. Once received, the location data is visible in Intune for 24 hours. Request device location?” and click Yes to actually locate the device

Experience with locating Windows 10 devices

The experience with locating Windows 10 devices is interesting to look at. Both, the user experience and the IT administrator experience. Once the provided configuration is applied, the user will receive the information and behavior as shown below on the left in Figure 3. The access to the location information of the device is turned on and the user can’t adjust it anymore. Once the IT administrator triggers the remote action to locate the device, the user will receive a message about that action. That message simply states that the organization accessed the location of the device and is shown below on the right in Figure 3.

• Figure 3: User experience after enabling location access and triggering the locate device action

The information that the device action was performed is also store in Microsoft Intune and is available in the Device actions status overview of the device. Besides that, the information that the device action was performed is also stored in the Audit logs. That means that it’s always possible to find out who triggered the device action. After the IT administrator triggered the remote action to locate the missing or stolen device, a nice Bing map will be shown in the Microsoft Endpoint Manager admin center. An example is shown below in Figure 4. That Bing map can be viewed in Road (i.e. a standard road map), in Aerial (i.e. a detailed look from above), or in Bird’s eye (i.e. a better angle of aerial photography) and it’s possible to zoom in or out.

• Figure 4: Administrator experience after retrieving the device location

Note: This example was not completely accurate, but the at least the correct city was shown.

More information

For more information about (configuring) exploit protection, refer to the following docs.