A practical introduction to setting up Microsoft Intune within an Enterprise environment
Traditionally, configuring devices within an enterprise environment is done by creating group policies and distributing them using Active Directory. Microsoft Intune provides an alternative way to configure devices within Microsoft Azure.
Before you begin, configure Intune
Enrolling devices is best done on the Azure portal under Microsoft Intune > Device Enrolment > Windows Enrolment.
Configuration can also be done via the Microsoft Endpoint website; however, many of the menu options (Quick Start, troubleshooting, etc.) are only available on the Azure portal.
Auto-enrolment is the easiest way to add devices, so long as you sign into the device with an account which is within the Azure Active Directory forest.
Note: users will need Intune licenses assigned to their account before they can enrol a device. See Assign licenses to users so they can enrol devices in Intune.
Find the easiest way to change the setting you want to implement
The first stage is to work out which policy needs to be configured. Policies can configure devices in lots of different ways. To list a few, Intune can:
- Modify the registry of target devices
- Create local or global group policy objects
- Change control panel settings
- Create scheduled tasks
- Modify files and permissions
As with many things in Azure, there are multiple ways to achieve the same goal. Microsoft recently updated Intune with a range of new prebuilt policies making it easier to change device settings.
These are split into three categories:
- Device Compliance Policies – these are used for flagging devices as non-compliant if they don’t match certain criteria. This can be combined with Conditional Access rules to prevent devices from accessing organization resources or can be used for reporting.
- Device Configuration Policies – provide a way to enable or disable settings and features in a variety of different ways. Compliance Policies take precedence over the settings in the Configuration Policies.
- Device Security Policies – provide Microsoft-recommended baselines for devices that run Windows 10 or later. These are regularly updated, so when Microsoft publishes new recommendations for device hardening, device configurations can be updated immediately.
It’s worth spending time reviewing all the options, as the available policy options are updated frequently.
The complete list of available settings is provided by Microsoft, see Create a device profile in Microsoft Intune.
If you can’t find the settings you need to change, custom PowerShell scripts can be executed on devices.
Create a custom OMA-URI profile
Azure now supports custom ADMX-backed policies enabling much greater flexibility when configuring device settings. Configuration Service Provider (CSP) policies can be used to audit, enforce or delete settings on a device.
Again, Microsoft provides a full list of these on their website. See Configuration Service Provider reference.
To create your custom profile, go to Device Configuration > Profile > Create a profile, then select Custom in the profile option. From here, follow the steps and define the custom OMA-URI setting.
The OMA-URI isn’t a fixed value; instead, it’s defined depending on how you want to apply the setting:
- ./User/Vendor/MSFT/Policy/Config/ – Read/Write to change a configuration setting
- ./User/Vendor/MSFT/Policy/Result/ – Read a configuration setting
- ./Device/Vendor/MSFT/Policy/Config/ – Read/Write to change a configuration setting
- ./Device/Vendor/MSFT/Policy/Result/ – Read a configuration setting
Take the prefix listed above, then add the policy name. For example, enforcing the firewall to be on can be done with a boolean type using the OMA-URI:
Some policies require a special SyncML format to enable or disable. These require a custom ADMX policy to apply. Templates for some of these, such as for Microsoft Office, can be found online, and some can be found on Windows 10 devices themselves in “C:\Windows\PolicyDefinitions”.
Sometimes policies don’t take effect, and debugging can often be more challenging and time consuming than the initial setup. Here are some places you may want to check:
- Check the policy has applied to the devices you’re testing on. If this is a group policy, open a command prompt and run rsop.msc to return the resultant policies being applied to the device.
- Force a sync of Intune; this will make sure the latest policy has been applied.
- Force a reboot. This is a really quick way of determining whether Intune is successfully communicating and managing the device, and also removes any potential system locks that may have been preventing files from being updated.
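The first two checks above (has the setting landed on the device, and forcing an Intune sync) can be scripted on the test device. The following is an added example, not code from the original article; it assumes that device-scope Policy CSP values are mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>, that the enrolment client's PushLaunch scheduled task triggers a sync, and it uses Update/AllowAutoUpdate purely as an illustrative Policy CSP setting.

```powershell
# Added example (not from the original article): verify a device-scope Policy CSP
# setting pushed via a custom OMA-URI profile, and trigger a sync if it is missing.
function Get-AppliedPolicyCspSetting {
    param([Parameter(Mandatory)][string]$OmaUri)

    # Only ./Device/Vendor/MSFT/Policy/Config/<Area>/<Setting> is handled here;
    # user-scope values live under a per-user key and are not covered.
    if ($OmaUri -notmatch '^\./Device/Vendor/MSFT/Policy/Config/([^/]+)/([^/]+)$') {
        throw "Expected a device-scope Policy CSP OMA-URI, got: $OmaUri"
    }
    $area, $setting = $Matches[1], $Matches[2]
    # Assumption: applied device-scope Policy CSP values are mirrored at this key.
    $key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$area"

    $item = Get-ItemProperty -Path $key -Name $setting -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OmaUri  = $OmaUri
        Applied = ($null -ne $item)
        Value   = if ($item) { $item.$setting } else { $null }
        Source  = $key
    }
}

function Start-IntuneSync {
    # Assumption: the enrolment client registers tasks under
    # \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\; PushLaunch contacts the service.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' `
                              -TaskName 'PushLaunch' -ErrorAction SilentlyContinue
    if (-not $task) { throw 'No EnterpriseMgmt PushLaunch task found; is the device MDM-enrolled?' }
    $task | Start-ScheduledTask
}

function Get-RecentMdmErrors {
    param([int]$Hours = 24)
    # Error events in this log name the failing OMA-URI and the HRESULT returned by the CSP.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2   # Error
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Illustrative setting only; substitute the OMA-URI you configured in the custom profile.
$result = Get-AppliedPolicyCspSetting -OmaUri './Device/Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate'
$result | Format-List
if (-not $result.Applied) {
    Start-IntuneSync
    Get-RecentMdmErrors | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the enrolled test device; if Applied stays false after the sync, the error events point at which OMA-URI the MDM client rejected.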