- Overview: Microsoft's security portfolio under the Defender brand - Tue, Jan 18 2022
- Increase IIS performance with HTTP/3 in Windows Server 2022 - Fri, Jan 14 2022
- Redirect user profile folders (documents, pictures, etc.) to OneDrive for Business - Thu, Jan 13 2022
MDM is one of the primary features of Microsoft's Intune platform. It allows businesses to manage a wide range of devices, including phones, tablets, laptops, and desktops. These could be corporate-owned devices, or they could be personal "bring your own device" (BYOD) allowed for use with corporate access and applications.
Intune can compartmentalize the device in the latter case so that business-critical data is protected and personal data and management are isolated from corporate data. Thus, it allows businesses to have the best of both worlds by having the end user supply their hardware while still being comfortable with corporate data security, management, and isolation.
Intune has a wide range of other features, including:
- Setting up policies that control which data and networks the device can access
- Authenticate apps on devices
- Control information sharing from the managed device
- Align the devices with specific security requirements
For managed personal devices, Intune allows administrators to:
- See devices enrolled
- Inventory devices accessing business resources
- Require certain health checks and security standards for devices allowed to connect
- Certificate management
- Reporting capabilities, such as which devices are out of compliance
- Delete organization data if the device is lost or stolen or the employee has left the company
MDM vs. CSP ^
You may see the terms MDM and CSP thrown around in referencing Microsoft Intune. CSP stands for Configuration Service Provider. Intune is not the CSP, but rather the MDM solution. CSP is to the Intune MDM what Client Side Extensions (CSEs) are to Group Policy. The CSP applies specific settings to Windows devices. The Windows 10 operating system contains the CSP that allows the application of the settings specified by the MDM.
Enrolling devices in Intune MDM ^
Microsoft Intune is now housed as part of the Microsoft Endpoint Manager solution. The management portal is located at https://endpoint.microsoft.com.
Microsoft Intune has moved
Enrollment in Microsoft Intune can be carried out as a user or administrator:
- Users can self-enroll using
- Microsoft Store Company Portal app
- MDM-only enrollment
- Azure Active Directory (Azure AD) join
- Autopilot
- Admins can configure policies to force automatic enrollment by:
- Hybrid Azure AD join
- Configuration Manager co-management
- Device enrollment manager
- Bulk enroll
- Enrolling Windows IoT core devices
To understand the best practices and use cases for each enrollment method, look at the official Microsoft Intune enrollment method capabilities for Windows devices. Let's see how to use the Company Portal app found in the Microsoft Store to enroll a Windows 10 device in Intune.
The Company Portal app is a free application found in the Microsoft Store. Use it to onboard your workstation into Intune.
Installing the company portal from the Microsoft Store
After installation, you will be asked to sign in. If the end user has already signed in with the organization account, the app will not need to sign in.
Note the directive to Allow my organization to manage my device.
Agree to allow your organization to manage the device
The device synchronizes with your organization and applies policies, etc.
Registering your device with your organization
After logging in and synchronizing, the app is connected.
You will now see a message that says This device hasn't been set up for corporate use yet. Select this message to begin setup.
The device hasnt been set up for corporate use
At this point, you have added a corporate account to the device. However, it still needs to be connected to work.
Begin to connect the device to work
Click the Connect button.
Connect to your organization
You will be prompted to set up a work or school account. The organization account is prepopulated for you based on the account signed in to the Company Portal.
Set up a work or school account
The device is set up after confirming the sign-in.
The device successfully connects to the work account.
Your device is now successfully connected to Intune and managed
The device is fully connected and is managed by the Endpoint Manager Intune MDM solution.
Managing Windows from the Intune MDM interface ^
After enrolling, you will see your device appear in Microsoft Endpoint Manager under Windows devices.
Verifying the Windows device from Intune management
If you sign in to your Windows 10 workstation with the organization account first and then connect using the Company Portal app, it will be onboarded as corporate instead of personal.
Difference between corporate and personal in Intune
Once a Windows 10 machine is onboarded, note the different operational controls for the remote Windows 10 management. Options include:
- Retire
- Wipe
- Delete
- Remote lock
- Sync
- Reset passcode
- Restart
- Collect diagnostics
- Fresh start
- Autopilot reset
- Quick scan
- Full scan
- Update Windows Defender security intelligence
- BitLocker key rotation
- Rename device
Options available with a Windows 10 Intune managed device
You can also assign applications to Windows 10 PCs that are onboarded into the Intune MDM. Note below that Microsoft 365 apps for Windows 10 have been assigned to the WIN10TEST PC and are pending the install.
Microsoft 365 apps assigned and pending installation for an Intune managed device
Intune Endpoint Security options ^
Microsoft Intune MDM provides a wealth of security options for IT admins to control managed devices. In the Endpoint Security dashboard, you can manage:
- Antivirus
- Disk encryption
- Firewall
- Endpoint detection and response
- Attack surface reduction
- Account protection
- Device compliance
- Conditional access
In addition, you can easily apply security baselines to remote Windows devices.
Viewing Endpoint security options with Intune
It also provides visibility into security issues. Intune's Endpoint security Firewall > Windows 10 MDM devices with firewall off recognizes the managed Windows 10 PC has the firewall turned off.
Finding managed Intune Windows devices that have the firewall disabled
Let's see how to use Intune's Endpoint security policies. Using them, we can ensure that the Windows Firewall is enabled for all profiles. Click Endpoint security > Firewall > Create policy.
Create a Windows Firewall policy
This begins the Create profile wizard. Name the new policy.
Microsoft Defender Firewall policy name and description
Next, under the configuration settings, we can specify the firewall settings to apply. Below, we enable the Windows Firewall for all profiles.
Choose Windows Firewall configuration settings to ensure the firewall is enabled
Additionally, you can set scope tags. Next, determine the Windows 10 PCs to which the policy applies.
Configure assignments for Windows Firewall scope tags
Review the settings and create the policy.
Review and create the Windows Firewall Intune MDM policy
After the Windows 10 PC synchronizes settings and policies with Intune, the Windows Firewall settings are remediated and turned on for all configured profiles.
Wrapping up ^
There are many options for enrolling your Windows 10 PCs in Intune. This can be accomplished from both the user side and by an administrator.
Subscribe to 4sysops newsletter!
As shown, the Company Portal app is an easy way to onboard Windows 10 clients, including BYOD. Managing your Windows 10 clients using the MDM interface is made possible by the CSP functionality in Windows 10. It allows the application of policy settings from Intune, much like settings are applied from Group Policies in on-premises Active Directory.
hello
is there a cost to this software/service?
working for a non profit, and we have access to Microsoft products
thx