The Microsoft Intune configuration policies include various settings and configuration features that can either be enabled or disabled on client devices. Microsoft allows IT admins to create profiles that target different types of devices. These include iOS/iPadOS, Android, Android Enterprise, and Windows. Once an administrator creates a policy, it can be assigned to the respective devices.
Microsoft has included several built-in templates for various use cases to quickly apply specific settings to the target device in the Intune configuration policies. Below, you can see the various templates available by default in the Intune configuration profiles.
Manage security settings with Intune
Let's look at a few scenarios for managing security settings with Intune. These include the following:
- Block USB and removable storage
- Implement a Windows security baseline
- Create a compliance policy
All three have similar workflows for creation and configuration, including setting up profiles and applying them to specific devices.
Block USB and removable storage
A common task for administrators looking to bolster the security of end-user devices is controlling and blocking USB and other removable storage. Navigate to the Devices > Configuration profiles blade. Click Create profile.
Next, create a profile. This includes selecting the operating system you are targeting, a profile type, and the template name you want to include. Click Create.
The Create profile wizard launches. The first step is naming the profile.
Next, on the Configuration settings screen, search for the term "prevent installation of devices" to find the setting Prevent installation of devices not described by other policy settings. Select this configuration setting.
Once you click this configuration setting, click Enabled on the Settings blade.
Using scope tags, you can specify a more granular application for the device policy.
On the Assignments screen, you can add your specific groups for scoping the policy. For example, here I am assigning the policy to the Windows10Computers group.
Finally, on the Review + create screen, click Create.
The Configuration profiles screen now shows the newly created configuration profile.
The Intune configuration profiles are an effective way to disable access to removable drives, including USB disks. If an organization still needs to allow specific devices, admins can add the GUIDs of the device setup classes that should remain permitted. Microsoft publishes a list of GUIDs for the standard device setup classes in its documentation. Add the GUIDs of the device classes you want to allow in the policy setting Allow installation of devices using drivers that match these device setup classes.
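Once the profile has synced, it helps to verify on a client that the deny rule and the allow list actually landed, rather than trusting the Intune portal alone. The script below is an added example written for this article and is not code from 4sysops or Microsoft. It assumes that the Intune Policy CSP writes these two settings to the same registry location that the equivalent Group Policy settings use (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions, with DenyUnspecified and the AllowDeviceClasses subkey), and the keyboard and mouse class GUIDs are shown only as sample values to check against Microsoft's published list before you rely on them.

```powershell
# Added example (not from the original article): audit a managed Windows client
# for the device-installation restrictions configured through Intune.
# Assumption: the Policy CSP stores these settings under the Group Policy
# registry location below. Run from an elevated PowerShell session.

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DeviceInstallRestrictionState {
    [CmdletBinding()]
    param()

    $state = [ordered]@{
        PreventUnspecifiedDevices = $false   # "Prevent installation of devices not described by other policy settings"
        AllowedDeviceClasses      = @()      # GUIDs from "Allow installation of devices using drivers that match these device setup classes"
    }

    if (-not (Test-Path $RestrictionsKey)) {
        Write-Verbose "No device-installation restrictions found at $RestrictionsKey"
        return [pscustomobject]$state
    }

    $deny = Get-ItemProperty -Path $RestrictionsKey -Name 'DenyUnspecified' -ErrorAction SilentlyContinue
    if ($deny -and $deny.DenyUnspecified -eq 1) {
        $state.PreventUnspecifiedDevices = $true
    }

    # The allow list is stored as numbered values ("1", "2", ...) holding one class GUID each
    $allowKey = Join-Path $RestrictionsKey 'AllowDeviceClasses'
    if (Test-Path $allowKey) {
        $props = Get-ItemProperty -Path $allowKey
        $state.AllowedDeviceClasses = @(
            $props.PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { $_.Value }
        )
    }

    return [pscustomobject]$state
}

function Test-DeviceClassAllowed {
    param(
        [Parameter(Mandatory)][string]$ClassGuid,
        [Parameter(Mandatory)][pscustomobject]$State
    )
    # Normalise braces and case so "{ABC...}" and "abc..." compare equal
    $wanted  = ('{' + $ClassGuid.Trim('{}') + '}').ToLowerInvariant()
    $allowed = @($State.AllowedDeviceClasses | ForEach-Object { ('{' + $_.Trim('{}') + '}').ToLowerInvariant() })
    return ($allowed -contains $wanted)
}

$state = Get-DeviceInstallRestrictionState -Verbose
$state | Format-List

# Sample device setup classes to check. Verify these GUIDs against
# Microsoft's published list before using them in a real policy.
$classesToCheck = @{
    'Keyboard' = '{4d36e96b-e325-11ce-bfc1-08002be10318}'
    'Mouse'    = '{4d36e96f-e325-11ce-bfc1-08002be10318}'
}

foreach ($name in $classesToCheck.Keys) {
    $isAllowed = Test-DeviceClassAllowed -ClassGuid $classesToCheck[$name] -State $state
    '{0,-10} {1}  allowed={2}' -f $name, $classesToCheck[$name], $isAllowed
}

# Cross-check against what is physically present: list current devices with
# their class GUID so you can spot anything that should have been blocked.
Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Select-Object Status, Class, ClassGuid, FriendlyName |
    Sort-Object Class |
    Format-Table -AutoSize
```

If PreventUnspecifiedDevices comes back false on a device that shows as compliant in the portal, the profile has usually not synced yet; trigger a sync from Settings > Accounts > Access work or school, then run the check again. Expect a device that is plugged in before the policy applies to remain installed; the restriction only affects new installations.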
Conclusion
Microsoft Intune can be used to block the installation of unapproved devices on Windows PCs if they are joined to Azure AD, either directly or via a hybrid environment. The tool utilizes profiles for this purpose. They are very easy to use, and they offer similar options to the corresponding settings in Group Policy.