As workers transition to remote environments, they need to have a mobile device management (MDM) platform uninhibited by connectivity to the corporate network. Microsoft Intune is a cloud-based service that provides effective MDM and mobile application management (MAM).

MDM is one of the primary features of Microsoft's Intune platform. It allows businesses to manage a wide range of devices, including phones, tablets, laptops, and desktops. These could be corporate-owned devices, or they could be personal "bring your own device" (BYOD) allowed for use with corporate access and applications.

Intune can compartmentalize the device in the latter case so that business-critical data is protected and personal data and management are isolated from corporate data. Thus, it allows businesses to have the best of both worlds by having the end user supply their hardware while still being comfortable with corporate data security, management, and isolation.

Intune has a wide range of other features, including:

  • Set up policies that control which data and networks the device can access
  • Authenticate apps on devices
  • Control information sharing from the managed device
  • Align the devices with specific security requirements

For managed personal devices, Intune allows administrators to:

  • See which devices are enrolled
  • Inventory devices accessing business resources
  • Require certain health checks and security standards for devices allowed to connect
  • Manage certificates
  • Report on devices, for example which devices are out of compliance
  • Delete organization data if the device is lost or stolen or the employee has left the company

MDM vs. CSP

You may see the terms MDM and CSP thrown around in referencing Microsoft Intune. CSP stands for Configuration Service Provider. Intune is not the CSP, but rather the MDM solution. CSP is to the Intune MDM what Client Side Extensions (CSEs) are to Group Policy. The CSP applies specific settings to Windows devices. The Windows 10 operating system contains the CSP that allows the application of the settings specified by the MDM.

Enrolling devices in Intune MDM

Microsoft Intune is now housed as part of the Microsoft Endpoint Manager solution. The management portal is located at https://endpoint.microsoft.com.

Microsoft Intune has moved

Enrollment in Microsoft Intune can be carried out as a user or administrator:

  • Users can self-enroll using
    • Microsoft Store Company Portal app
    • MDM-only enrollment
    • Azure Active Directory (Azure AD) join
    • Autopilot
  • Admins can configure policies to force automatic enrollment by:
    • Hybrid Azure AD join
    • Configuration Manager co-management
    • Device enrollment manager
    • Bulk enroll
    • Enrolling Windows IoT core devices

To understand the best practices and use cases for each enrollment method, look at the official Microsoft Intune enrollment method capabilities for Windows devices. Let's see how to use the Company Portal app found in the Microsoft Store to enroll a Windows 10 device in Intune.

The Company Portal app is a free application found in the Microsoft Store. Use it to onboard your workstation into Intune.

Installing the company portal from the Microsoft Store

After installation, you will be asked to sign in. If the end user has already signed in to Windows with the organization account, no separate sign-in is required in the app.

Note the directive to Allow my organization to manage my device.

Agree to allow your organization to manage the device

The device synchronizes with your organization and applies the assigned policies.

Registering your device with your organization

After logging in and synchronizing, the app is connected.

You will now see a message that says This device hasn't been set up for corporate use yet. Select this message to begin setup.

The device hasn't been set up for corporate use

At this point, you have added a corporate account to the device. However, it still needs to be connected to work.

Begin to connect the device to work

Click the Connect button.

Connect to your organization

You will be prompted to set up a work or school account. The organization account is prepopulated for you based on the account signed in to the Company Portal.

Set up a work or school account

The device is set up after confirming the sign-in.

The device successfully connects to the work account.

Your device is now successfully connected to Intune and managed

The device is fully connected and is managed by the Endpoint Manager Intune MDM solution.
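
Once the Company Portal walkthrough above is finished, an administrator usually wants a local check that the enrollment actually landed on the PC rather than trusting the app's success screen. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the join state that dsregcmd reports, the enrollment records Windows keeps under HKLM\SOFTWARE\Microsoft\Enrollments, and the EnterpriseMgmt scheduled tasks that drive MDM sync sessions. The ProviderID value "MS DM Server" used to pick out Intune enrollments, and the function name Get-MdmEnrollmentSummary, are assumptions of this example.

```powershell
# Added example (not from the article): verify on the device that MDM enrollment completed.
# Assumes it is run in an elevated PowerShell session on the enrolled Windows 10 PC.

function Get-MdmEnrollmentSummary {
    [CmdletBinding()]
    param()

    # dsregcmd /status reports the Azure AD join/registration state and the MDM server URL.
    $dsreg = (& dsregcmd.exe /status) -join "`n"
    $azureAdJoined   = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
    $workplaceJoined = [bool]($dsreg -match 'WorkplaceJoined\s*:\s*YES')
    $mdmUrl = if ($dsreg -match 'MdmUrl\s*:\s*(\S+)') { $Matches[1] } else { $null }

    # Each MDM enrollment is stored as a GUID-named subkey under HKLM\SOFTWARE\Microsoft\Enrollments.
    # Assumption of this example: Intune enrollments carry ProviderID "MS DM Server".
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.ProviderID) {
                [pscustomobject]@{
                    EnrollmentId    = $_.PSChildName
                    ProviderID      = $p.ProviderID
                    UPN             = $p.UPN
                    EnrollmentState = $p.EnrollmentState   # reported as stored; compare with a known-good device
                    EnrollmentType  = $p.EnrollmentType
                }
            }
        }

    # An enrolled device also receives scheduled tasks under \Microsoft\Windows\EnterpriseMgmt\<GUID>
    # that trigger the periodic MDM sync sessions.
    $syncTasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
        Select-Object -Property TaskPath, TaskName, State

    [pscustomobject]@{
        AzureAdJoined       = $azureAdJoined
        WorkplaceJoined     = $workplaceJoined
        MdmUrl              = $mdmUrl
        IntuneEnrollments   = @($enrollments | Where-Object ProviderID -eq 'MS DM Server')
        EnterpriseMgmtTasks = @($syncTasks)
    }
}

$summary = Get-MdmEnrollmentSummary
$summary | Format-List

if (-not $summary.IntuneEnrollments) {
    Write-Warning 'No Intune (MS DM Server) enrollment record found; the device is not MDM-managed.'
}
if (-not $summary.EnterpriseMgmtTasks) {
    Write-Warning 'No EnterpriseMgmt scheduled tasks found; MDM sync will not run on this device.'
}
```

A device that shows as connected in Company Portal but has no enrollment record or no EnterpriseMgmt tasks has only registered the work account, which matches the "added a corporate account, but still needs to be connected to work" state described earlier.
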

Managing Windows from the Intune MDM interface

After enrolling, you will see your device appear in Microsoft Endpoint Manager under Windows devices.

Verifying the Windows device from Intune management

If you sign in to your Windows 10 workstation with the organization account first and then connect using the Company Portal app, it will be onboarded as corporate instead of personal.

Difference between corporate and personal in Intune
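
The corporate-versus-personal distinction, and the reporting the article mentions earlier (which devices are out of compliance), can also be pulled from Intune programmatically instead of from the portal. This is an added example and not code from the article or from Microsoft: it uses the Microsoft.Graph PowerShell SDK cmdlet Get-MgDeviceManagementManagedDevice to list Windows devices with their ownership type, compliance state and last sync time. The function name Get-IntuneWindowsDeviceReport and the staleness threshold are assumptions of this example; it requires an account granted the DeviceManagementManagedDevices.Read.All permission.

```powershell
# Added example (not from the article): report Intune-managed Windows devices via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account has
# DeviceManagementManagedDevices.Read.All. Authentication is interactive here.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

function Get-IntuneWindowsDeviceReport {
    param(
        [switch]$NonCompliantOnly,
        [int]$StaleAfterDays = 7     # assumption of this example: flag devices that have not synced for a week
    )

    # Pull every managed device and filter for Windows client-side so the filter syntax
    # does not depend on which properties the service accepts in $filter.
    $devices = Get-MgDeviceManagementManagedDevice -All |
        Where-Object { $_.OperatingSystem -eq 'Windows' }

    $report = foreach ($d in $devices) {
        $staleDays = if ($d.LastSyncDateTime) {
            [int]((Get-Date) - $d.LastSyncDateTime).TotalDays
        } else { $null }

        [pscustomobject]@{
            DeviceName = $d.DeviceName
            Owner      = $d.ManagedDeviceOwnerType   # 'personal' (BYOD) or 'company'
            Compliance = $d.ComplianceState          # e.g. 'compliant', 'noncompliant'
            User       = $d.UserPrincipalName
            Enrolled   = $d.EnrolledDateTime
            LastSync   = $d.LastSyncDateTime
            StaleDays  = $staleDays
            Stale      = ($null -eq $staleDays) -or ($staleDays -gt $StaleAfterDays)
        }
    }

    if ($NonCompliantOnly) {
        $report = $report | Where-Object { $_.Compliance -eq 'noncompliant' }
    }
    $report
}

# Full inventory, grouped so personal (BYOD) and company-owned devices are easy to tell apart.
Get-IntuneWindowsDeviceReport | Sort-Object Owner, DeviceName | Format-Table -AutoSize

# Only the devices an admin needs to chase: non-compliant, or not checking in any more.
Get-IntuneWindowsDeviceReport | Where-Object { $_.Compliance -eq 'noncompliant' -or $_.Stale } |
    Format-Table DeviceName, Owner, Compliance, User, LastSync, StaleDays -AutoSize
```

Devices that stop syncing are worth listing alongside non-compliant ones: a PC that never checks in never receives the remediation policies described in the next sections, so its compliance state in the portal is only as current as its last sync.
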

Once a Windows 10 machine is onboarded, note the different operational controls for the remote Windows 10 management. Options include:

  • Retire
  • Wipe
  • Delete
  • Remote lock
  • Sync
  • Reset passcode
  • Restart
  • Collect diagnostics
  • Fresh start
  • Autopilot reset
  • Quick scan
  • Full scan
  • Update Windows Defender security intelligence
  • BitLocker key rotation
  • Rename device

Options available with a Windows 10 Intune managed device

You can also assign applications to Windows 10 PCs that are onboarded into the Intune MDM. Note below that Microsoft 365 apps for Windows 10 have been assigned to the WIN10TEST PC and are pending the install.

Microsoft 365 apps assigned and pending installation for an Intune managed device

Intune Endpoint Security options

Microsoft Intune MDM provides a wealth of security options for IT admins to control managed devices. In the Endpoint Security dashboard, you can manage:

  • Antivirus
  • Disk encryption
  • Firewall
  • Endpoint detection and response
  • Attack surface reduction
  • Account protection
  • Device compliance
  • Conditional access

In addition, you can easily apply security baselines to remote Windows devices.

Viewing Endpoint security options with Intune

It also provides visibility into security issues. The Endpoint security > Firewall > Windows 10 MDM devices with firewall off report lists the managed Windows 10 PC because its firewall is turned off.

Finding managed Intune Windows devices that have the firewall disabled

Let's see how to use Intune's Endpoint security policies. Using them, we can ensure that the Windows Firewall is enabled for all profiles. Click Endpoint security > Firewall > Create policy.

Create a Windows Firewall policy

This begins the Create profile wizard. Name the new policy.

Microsoft Defender Firewall policy name and description

Next, under the configuration settings, we can specify the firewall settings to apply. Below, we enable the Windows Firewall for all profiles.

Choose Windows Firewall configuration settings to ensure the firewall is enabled

Additionally, you can set scope tags. Next, determine the Windows 10 PCs to which the policy applies.

Configure assignments for Windows Firewall scope tags

Review the settings and create the policy.

Review and create the Windows Firewall Intune MDM policy

After the Windows 10 PC synchronizes settings and policies with Intune, the Windows Firewall settings are remediated and turned on for all configured profiles.
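
The MDM vs. CSP section explained that Intune only specifies the setting and the Firewall CSP in Windows 10 applies it; the policy just created is a concrete case. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the CSP-backed firewall state through the MDM Bridge WMI provider (namespace root\cimv2\mdm\dmmap, classes MDM_Firewall_DomainProfile02, MDM_Firewall_PrivateProfile02 and MDM_Firewall_PublicProfile02, which mirror the Firewall CSP's MdmStore/<Profile>/EnableFirewall nodes) and compares it with the live profile state from Get-NetFirewallProfile, so an administrator can confirm remediation on the endpoint after the sync. The function name Test-MdmFirewallEnforcement is an assumption of this example, and the MDM bridge namespace is only readable from the SYSTEM context, so the script assumes it is launched as SYSTEM (for example via a scheduled task or PsExec -s).

```powershell
# Added example (not from the article): confirm that the Firewall CSP setting delivered by the
# Intune Endpoint security Firewall policy matches the live Windows Firewall state.
# Assumes: run as SYSTEM on an Intune-enrolled Windows 10 PC (the MDM bridge namespace
# root\cimv2\mdm\dmmap is not accessible from an ordinary administrator session).

function Test-MdmFirewallEnforcement {
    [CmdletBinding()]
    param()

    # The MDM bridge exposes each Firewall CSP profile node as its own WMI class.
    $cspClasses = @{
        Domain  = 'MDM_Firewall_DomainProfile02'
        Private = 'MDM_Firewall_PrivateProfile02'
        Public  = 'MDM_Firewall_PublicProfile02'
    }

    # Live state as the firewall service reports it, keyed by profile name.
    $live = @{}
    foreach ($p in Get-NetFirewallProfile) { $live[[string]$p.Name] = $p }

    foreach ($profile in 'Domain', 'Private', 'Public') {
        $csp = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
                               -ClassName $cspClasses[$profile] -ErrorAction SilentlyContinue

        # $null for the CSP value means the node could not be read (not SYSTEM, or no MDM bridge).
        $cspEnabled  = if ($csp) { [bool]$csp.EnableFirewall } else { $null }
        $liveEnabled = ($live[$profile].Enabled -eq 'True')

        [pscustomobject]@{
            Profile            = $profile
            CspEnableFirewall  = $cspEnabled
            LiveEnabled        = $liveEnabled
            Remediated         = ($cspEnabled -eq $true) -and $liveEnabled
            Drift              = ($null -ne $cspEnabled) -and ($cspEnabled -ne $liveEnabled)
        }
    }
}

$result = Test-MdmFirewallEnforcement
$result | Format-Table -AutoSize

# A profile the policy should cover but that is still off, or whose CSP value disagrees with the
# live state, is the signal to force a sync from the device page (Sync action) and re-check.
$result | Where-Object { -not $_.Remediated -or $_.Drift } | ForEach-Object {
    Write-Warning ("Firewall profile '{0}' is not in the expected state (CSP={1}, live={2})." -f
        $_.Profile, $_.CspEnableFirewall, $_.LiveEnabled)
}
```

If CspEnableFirewall reads $null for every profile while the live state looks right, the script is almost certainly not running as SYSTEM; the live columns are still valid, but the CSP side cannot be verified from that session.
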

Wrapping up

There are many options for enrolling your Windows 10 PCs in Intune. This can be accomplished from both the user side and by an administrator.

As shown, the Company Portal app is an easy way to onboard Windows 10 clients, including BYOD. Managing your Windows 10 clients using the MDM interface is made possible by the CSP functionality in Windows 10. It allows the application of policy settings from Intune, much like settings are applied from Group Policies in on-premises Active Directory.

1 Comment
  1. Andre 2 weeks ago

    Hello,

    Is there a cost to this software/service?

    Working for a non-profit, and we have access to Microsoft products.

    Thx


© 4sysops 2006 - 2021
