To have your Intune enrollment up and running is a nice thing. Now we start the next chapter – Configuration and Compliance within Microsoft Intune. There are almost endless possibilities of configuring devices enrolled with Intune and Windows Autopilot. In this post I explain every category and show you some of my best practices.
Configuration
Overview
Options
Administrative templates
Everyone knows them from local windows server environments, ADMX-Templates to create Group-Policies. Similar to local domain controllers, some ADMX-Files are already built-in.
You can use them after creating a configuration profile here.
Select “Windows 10 and later” and “Templates” > Now you select “Administrative Templates”
After naming the policy you can select and configure the needed setting like you are used to doing it in group policy editor.
Keep in mind to use a naming convention for policies.
Example: EMD-CFP-EdgeSettings
Explanation: Endpoint Management Device Configuration Profile for Edge Settings
Custom
An OMA-URI (Open Mobile Alliance Uniform Resource Identifier) is a path that specifies the setting to be managed on a device. Each OMA-URI corresponds to a particular setting available through a CSP (Windows Configuration Service Providers). To use these settings, you can create custom configuration profiles in Intune. This involves specifying the OMA-URI for the setting you want to configure and providing the appropriate value.
You can use them after creating a configuration profile here.
Select “Windows 10 and later” and “Templates” > “Custom”
After naming the policy you can select and configure the needed setting.
Example
To set the “Reset Password” link on the lock screen to the self-service password reset page, create the following custom configuration profile:
| Property | Value |
|---|---|
| Name | Enable SSPR Option |
| Description | Shows “Reset Password” on Lockscreen with SSPR Link |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset |
| Data type | Integer |
| Value | 1 |
Delivery optimization
Delivery Optimization in Windows 10 and Windows 11, managed through Microsoft Intune, optimizes the way Windows updates, apps, and other Microsoft products are delivered to devices, using peer-to-peer technology to reduce bandwidth consumption. This can be particularly beneficial in environments with multiple devices because it allows devices to share the download workload, thus reducing the amount of bandwidth required from the external network.
Select “Windows 10 and later” and “Templates” > Now you select “Delivery optimization”
After naming the policy you can select and configure the needed settings.
There is an excellent post from Oliver with all the best practices.
Device firmware configuration interface
DFCI offers a secure channel for Intune to issue commands directly to the device’s Unified Extensible Firmware Interface (UEFI), allowing for robust control over BIOS configurations. This capability is crucial for enhancing security, as firmware-level settings offer stronger protection against malicious activities. It effectively restricts user access to BIOS settings, providing an added layer of security in scenarios where a device might be compromised.
Select “Windows 10 and later” and “Templates” > Now you select “Device firmware configuration interface”
After naming the policy you can select and configure the needed settings.
Other Settings like Cameras, Microphones and Speakers, Radios, Ports, Wake Settings are device specific. Please check first if your device supports these settings. To use different “Device Firmware Configuration Interface” Policies for different device types you can use filters. More on that in a future post.
Device restrictions
Intune provides a suite of device restriction capabilities aimed at securing Windows devices within an organization. These features enable admins to fine-tune device settings and functionalities, including the enforcement of password policies such as defining a minimum password length and prohibiting easily guessable passwords.
Select “Windows 10 and later” and “Templates” > Now you select “Device restrictions”
After naming the policy you can select and configure the needed settings.
Domain join
If you use a hybrid deployment of Intune you can configure the automatic domain join with this policy.
Select “Windows 10 and later” and “Templates” > Now you select “Domain Join”
After naming the policy you can select and set the Computer name prefix, Domain name and Organizational unit.
Default OU is Computers.
Edition upgrade and mode switch
To upgrade or switch Windows versions you can use this policy. This could include upgrading Windows 10/11 Pro devices to Enterprise edition, or switching out of S mode on applicable devices.
Select “Windows 10 and later” and “Templates” > Now you select “Edition upgrade and mode switch”
After naming the policy you can select and configure the needed settings.
Email
Configure an email server and SSL communication or set other built-in email settings.
It’s also possible to automatically set an Entra ID attribute as the username and email address.
You can also configure which types of content the user is allowed to sync.
Select “Windows 10 and later” and “Templates” > Now you select “Email”
After naming the policy you can select and configure the needed settings.
Endpoint protection
Template to configure some of the settings to secure your devices.
Select “Windows 10 and later” and “Templates” > Now you select “Endpoint protection”
There are some useful settings to secure your local accounts, disable guest accounts and Xbox services and much more.
If you plan to use Microsoft Defender for Endpoint, please use the Endpoint security section in Intune to configure policies.
Identity protection
Template to configure Windows Hello. But please configure it in Endpoint Security section.
Imported Administrative templates (Preview)
Here you’ll find all of your own imported ADMX-Files. To import an ADMX-File you start here in Intune Device Configuration and select “Import ADMX”.
With a click on “Import” you can upload the ADMX and ADML files.
After a few minutes you continue with the following steps.
Select “Windows 10 and later” and “Templates” > Now you select “Imported Administrative templates (Preview)”
Now you’ll see the previously imported ADMX-File and every setting, like in group policy editor.
Kiosk
You can configure Windows devices to operate in kiosk mode, also referred to as dedicated device mode. In this setup, devices can be limited to operating a single app or multiple apps based on your requirements. You have the flexibility to personalize the start menu, incorporate various applications, including Win32 apps, set a designated homepage in a web browser, among other customizations. This functionality is supported in Windows 10 and subsequent versions, as well as Windows Holographic for Business.
Select “Windows 10 and later” and “Templates” > Now you select “Kiosk”
Example
Configuring a device to open only the Edge browser with the URL https://racetocloud.com and to log on to Windows automatically.
Microsoft Defender for Endpoint
Template to configure Microsoft Defender for Endpoint. But please configure it in Endpoint Security section.
Network boundary
This enables you to specify trusted network domains, IPv4 and IPv6 ranges, proxy servers, and additional elements within your network perimeter. Everything within this boundary is considered trusted by your organization.
Certificates
Certificates in Microsoft Intune, when used with configuration profiles, play a crucial role in managing device and user authentication, securing data in transit, and ensuring secure access to corporate resources.
Types of Certificates in Intune
- SCEP (Simple Certificate Enrollment Protocol) Certificates: SCEP certificates facilitate the secure issuance of certificates to devices. This protocol automates the process of certificate enrollment, making it easier for devices to obtain certificates without manual intervention. SCEP profiles in Intune are used to define the settings and policies for issuing these certificates to devices.
- PKCS (Public Key Cryptography Standards) Certificates: PKCS certificates, particularly PKCS #12, are used to securely exchange information. In Intune, PKCS profiles can be created to deploy these types of certificates to user devices. This is especially useful for Wi-Fi and VPN settings, where authentication is required.
- Trusted Certificate Profiles: These profiles are used to deploy trusted root certificates to devices. This is necessary for devices to trust certificates issued by your organization’s internal CA (Certificate Authority) or a third-party CA. Trusted certificates are crucial for establishing secure connections and ensuring that devices can authenticate servers or services securely.
Select “Windows 10 and later” and “Templates” > Now you select one of these templates
- PKCS certificate
- PKCS imported certificate
- SCEP certificate
- Trusted certificate
More on that topic (it’s huge I promise) in a future post!
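Before the certificate post arrives, here is an added example (my own check script, not code from the original post or from Intune) that verifies on a managed Windows device whether the three profile types above delivered what Wi-Fi or VPN authentication needs: the root from the Trusted certificate profile in the machine Root store, and SCEP/PKCS device certificates in LocalMachine\My that chain to that root and are not about to expire. $RootThumbprint and $ExpiryWarnDays are placeholders you fill in; run it in an elevated session so private-key information is readable.

```powershell
# Added example, not code from the original post: check on a managed Windows
# device that the certificates deployed by the Trusted certificate, SCEP and
# PKCS profiles are usable for EAP-TLS (Wi-Fi/VPN) authentication. Run elevated.
# Assumptions (placeholders, not values from the post):
#   $RootThumbprint - thumbprint of the CA certificate your Trusted certificate
#                     profile deploys; replace it with your own.
#   $ExpiryWarnDays - how many days before expiry a device certificate is flagged.
param(
    [string]$RootThumbprint = 'REPLACE_WITH_YOUR_ROOT_CA_THUMBPRINT',
    [int]$ExpiryWarnDays = 30
)

# 1. Trusted certificate profile: the root must be in the machine Root store,
#    otherwise no chain built on this device can terminate at it.
$RootThumbprint = $RootThumbprint.ToUpperInvariant()
$rootPresent = [bool](Get-ChildItem -Path Cert:\LocalMachine\Root |
                      Where-Object { $_.Thumbprint -eq $RootThumbprint })

# 2. SCEP / PKCS profiles: device certificates land in LocalMachine\My together
#    with their private key. Build each chain the way EAP-TLS will at logon.
$report = foreach ($cert in (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object HasPrivateKey)) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline check; switch to Online when CRL/OCSP endpoints are reachable from the device.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainValid = $chain.Build($cert)
    $last = $chain.ChainElements.Count - 1
    $chainsToRoot = $last -ge 0 -and $chain.ChainElements[$last].Certificate.Thumbprint -eq $RootThumbprint
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $chain.Dispose()
    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        ChainValid   = $chainValid
        ChainsToRoot = $chainsToRoot
        DaysToExpiry = $daysLeft
        NeedsAction  = (-not $chainValid) -or (-not $chainsToRoot) -or ($daysLeft -le $ExpiryWarnDays)
    }
}

"Trusted root $RootThumbprint present in LocalMachine\Root: $rootPresent"
$report | Sort-Object DaysToExpiry | Format-Table -AutoSize
```

A certificate with ChainValid false but ChainsToRoot true usually means an intermediate CA is missing from the device, which a second Trusted certificate profile (targeting the Intermediate store) fixes; a short DaysToExpiry on a SCEP certificate is the signal to look at the renewal threshold in that profile before users lose Wi-Fi access.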
Secure assessment (Education)
Education profiles in Intune allow students to take tests or exams on their devices. They include the Take a Test app and options to set a test URL, select how users log in to the test, and more. The Take a Test app opens automatically with the specified test when the user logs in. The device can only run this app while the test is ongoing.
Select “Windows 10 and later” and “Templates” > “Secure assessment (Education)”
After naming the policy you can select and configure the needed setting.
Example
Shared multi-user device
Microsoft Intune allows for the customization of shared devices—used by multiple users—across platforms like Windows 10 Professional and newer, including HoloLens. In educational settings, it enables the activation of Shared PC mode to limit devices to a single user at a time and delete all user-specific settings upon logout.
Select “Windows 10 and later” and “Templates” > “Shared multi-user device”
After naming the policy you can select and configure the needed settings.
Example
Shared PC with local guest and domain accounts enabled which get deleted immediately after logout, including local storage and basic power policies.
VPN
With this template you can configure a VPN connection to your local network.
You can choose between these connection types:
- Check Point Capsule VPN
- Cisco AnyConnect
- Citrix
- F5 Access
- Palo Alto Networks GlobalProtect
- Pulse Secure
- SonicWall Mobile Connect
- Automatic (Native type)
- IKEv2 (Native type)
- L2TP (Native type)
- PPTP (Native type)
To get to this policy template, select “Windows 10 and later” and “Templates” > “VPN”
Example
Here is a sample VPN configuration (Cisco AnyConnect) that enables “Always On VPN” and saves the credentials for each logon.
Wi-Fi
This template allows you to set up a Wi-Fi connection for your company. Combined with uploaded certificates or the Cloud PKI from Intune Suite (more on that in a future post) you can enable certificate-based authentication to Wi-Fi networks.
To get to this policy template, select “Windows 10 and later” and “Templates” > “Wi-Fi”
Windows health monitoring
Intune can collect event data, and provide recommendations to improve performance on your Windows devices. Endpoint Analytics analyzes this data, and can recommend software, help improve startup performance, and fix common support issues.
In this template you decide whether, and which type of, data is being collected.
To get to this policy template, select “Windows 10 and later” and “Templates” > “Windows health monitoring”
Example
This policy enables Windows health monitoring and sets the scope to Windows Updates and Endpoint analytics.
Wired network
If your wired network needs any type of device authentication, it’s possible to set it up with this template.
To get to this policy template, select “Windows 10 and later” and “Templates” > “Wired network”
Sandbox
Settings Catalog
The settings catalog is basically a library of all settings available in Microsoft Intune.
You’ll find it here in configuration profiles.
After naming the policy you’ll get something like a sandbox to pick and configure the settings you want.
Click on “Add settings”, search for your setting and select it.
Then close settings picker and configure your policy. It’s possible to add more settings at anytime. To do that just open settings picker again.
Example
Disable First Run Animation for Windows setup.
Compliance
Overview
You can set whatever you want, but it’s necessary to check whether the devices really applied all the settings. Intune uses compliance reports for that: every device is checked against everything you set in your compliance policy. If a device fails that check, it falls into a grace period. The length of the grace period is configurable (default is 30 days), and messages can be sent to the user to fix the problem. After this period the device becomes non-compliant. With a default Intune setup nothing else happens at that point.
But why is it necessary then, you might ask? For basic Intune environments it’s a good tool to see device health and update behavior. The interesting part starts with Conditional Access: you can block non-compliant devices from specific resources or from the whole company network and data.
More about that in a future post. Stay tuned!
Options
Default Template
The default compliance policy can be configured here. Just click on “Create policy”, name it and get started.
After doing that you have different sections to configure.
- Device Health
- Device Properties
- (Configuration Manager Compliance)
- System Security
- Microsoft Defender for Endpoint
Example Compliance Policy
Device Health:
- Require BitLocker, Secure Boot, and Code integrity for Windows 10 and 11 devices
Device Properties:
- Set a minimum OS version of 10.0.19045.0 for both desktop and mobile devices
- Maximum OS version is not configured for either desktop or mobile devices
- No specific valid operating system builds are configured
System Security:
- Require a password to unlock mobile devices
- Block simple passwords
- Set the password type to alphanumeric
- Passwords must include digits, lowercase, uppercase, and special characters
- Set minimum password length to 8 characters
- Require re-authentication after 15 minutes of inactivity
- Password expiration set to 360 days
- Remember the last 5 passwords to prevent reuse
- Require password when the device returns from idle state on mobile and holographic devices
- Require encryption of data storage on the device
- Require a firewall
- Require a Trusted Platform Module (TPM)
- Require antivirus and antispyware software
- Require Microsoft Defender Antimalware
- Require real-time protection
- Require the Microsoft Defender Antimalware security intelligence to be up-to-date
Microsoft Defender for Endpoint:
- Require the device risk score to be at or under the medium threshold.
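To see locally why a device would land in the grace period before the Intune report tells you, here is an added example (my own script, not part of the original post and not how Intune itself evaluates compliance) that checks a Windows device against the requirements of the example policy above. It assumes an elevated PowerShell session and the Windows-provided BitLocker, SecureBoot, TrustedPlatformModule, Defender and NetSecurity modules; the password rules and the Device Health Attestation code integrity check have no simple local equivalent and are left out, and the 7-day signature-age threshold is my own choice for this example.

```powershell
# Added example, not part of the original post: evaluate on a Windows device
# the requirements of the example compliance policy above, so you can see
# locally why a device would land in the grace period. Run elevated.
# Assumed available: BitLocker, SecureBoot, TrustedPlatformModule, Defender
# and NetSecurity modules (a missing module simply shows up as a failed check).
# Left out: password rules and the Device Health Attestation code integrity check.

$MinimumOsVersion    = [version]'10.0.19045.0'   # value from the example policy
$MaxSignatureAgeDays = 7                         # threshold chosen for this example

function Test-Requirement {
    param([string]$Name, [scriptblock]$Check)
    try   { $ok = [bool](& $Check); $note = '' }
    catch { $ok = $false;           $note = $_.Exception.Message }
    [pscustomobject]@{ Requirement = $Name; Compliant = $ok; Note = $note }
}

function Get-InstalledOsVersion {
    # Win32_OperatingSystem.Version has no UBR, so read the full build from the registry.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber, $cv.CurrentMinorVersionNumber,
                                    $cv.CurrentBuildNumber, $cv.UBR)
}

function Get-ComplianceReport {
    # Query Defender once; if the cmdlet is unavailable every Defender check fails.
    $mp = try { Get-MpComputerStatus } catch { $null }
    @(
        # "Require BitLocker" and "Require encryption of data storage" both map to this.
        Test-Requirement 'BitLocker protection on OS drive' {
            (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On'
        }
        Test-Requirement 'Secure Boot enabled' { Confirm-SecureBootUEFI }
        Test-Requirement "OS version >= $MinimumOsVersion" { (Get-InstalledOsVersion) -ge $MinimumOsVersion }
        Test-Requirement 'TPM present and ready' { $tpm = Get-Tpm; $tpm.TpmPresent -and $tpm.TpmReady }
        Test-Requirement 'Firewall enabled on all profiles' {
            @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
        }
        Test-Requirement 'Defender antivirus and antispyware enabled' { $mp.AntivirusEnabled -and $mp.AntispywareEnabled }
        Test-Requirement 'Defender real-time protection enabled'     { $mp.RealTimeProtectionEnabled }
        Test-Requirement "Security intelligence <= $MaxSignatureAgeDays days old" {
            $null -ne $mp -and $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays
        }
    )
}

$report = Get-ComplianceReport
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'This device would not meet the example compliance policy.'
}
```

The Note column carries the exception text when a cmdlet is missing or the feature is absent (for example Confirm-SecureBootUEFI on a legacy BIOS machine), which is usually the same reason the Intune report shows the setting as not applicable.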
Custom Scripts
To check a specific thing or setting you can upload custom compliance scripts. You’ll need a PowerShell “Discovery” script which returns your custom data. This data will be compared to a JSON file with your custom compliance settings.
There is no better description than the post of Peter.
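As an added example (my own, not from the original post and not from Peter’s post), the pair of artifacts below ties the custom compliance feature back to the custom OMA-URI profile from the “Custom” section: the discovery script reports whether the AllowAadPasswordReset policy actually landed on the device, and the rules file marks the device non-compliant when it did not. The registry location is an assumption about where the Policy CSP records applied device-scope policies, and the MoreInfoUrl values are placeholders.

```powershell
# Added example, not from the original post or from Peter's post: a custom
# compliance check that proves the custom OMA-URI profile from the "Custom"
# section actually applied, i.e. that
# ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset is 1.
#
# Assumption: the Policy CSP records device-scope policies it has applied under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>; the
# value name below is derived from the OMA-URI and not taken from the post.
#
# Part 1 - discovery script (upload as the PowerShell discovery script).
# It must output exactly one compressed JSON object; every key is a SettingName
# that the rules file in part 2 references.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
$item = Get-ItemProperty -Path $policyKey -Name 'AllowAadPasswordReset' -ErrorAction SilentlyContinue

# -1 means the policy was never written; it fails the rule just like 0 does.
$value = if ($null -eq $item) { -1 } else { [int]$item.AllowAadPasswordReset }

$discovered = @{
    AllowAadPasswordReset = $value
    PolicyAreaPresent     = [bool](Test-Path -Path $policyKey)
}
return $discovered | ConvertTo-Json -Compress

<#
Part 2 - rules file (upload as the JSON file of the same custom compliance policy).
Operators accepted by Intune include IsEquals, NotEquals, GreaterThan, GreaterEquals,
LessThan and LessEquals; data types include Boolean, Int64, Double, String, DateTime
and Version. The MoreInfoUrl values are placeholders.
{
  "Rules": [
    {
      "SettingName": "PolicyAreaPresent",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/sspr-policy",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Authentication policy area missing",
          "Description": "The device has not received any Authentication policies from Intune yet. Sync the device and check the profile assignment."
        }
      ]
    },
    {
      "SettingName": "AllowAadPasswordReset",
      "Operator": "IsEquals",
      "DataType": "Int64",
      "Operand": 1,
      "MoreInfoUrl": "https://example.invalid/sspr-policy",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Lock screen password reset not enabled",
          "Description": "The Enable SSPR Option profile has not applied. Sync the device from Settings > Accounts > Access work or school."
        }
      ]
    }
  ]
}
#>
```

Running the discovery part by hand on a device prints something like {"AllowAadPasswordReset":1,"PolicyAreaPresent":true}; the two-rule design separates “profile never reached the device” from “profile reached it with the wrong value”, which are different troubleshooting paths.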
Notifications
Compliance notifications are a feature that allows Admins to automatically notify users if their devices are not compliant with the organization’s policies. You can customize the notifications sent to users, including the message content and the frequency of the notifications.
To start go to Intune Admin Center and then click on “Compliance”
After naming the notification policy you define the email header and footer.
To be more efficient, please configure company branding and every piece of information in there first. This information will be used for your notification.
Last step is to define the message itself.
That’s it
Now you know everything about every type of configuration profile and about compliance policies. Your devices are configured and checked now. But wait, do you need to deploy applications as well? No worries, in the next post of the “Get started Series” you’ll find a detailed guide about packaging.