What would you like to accomplish with Intune?
Getting Started: People, Process and Technology Guidance
Discover the benefits of a modern desktop, major changes and considerations versus previous deployments and best practices to ensure a smooth transition to Windows 10 and Office 365 ProPlus.
Step 1: Device and App Readiness
Begin your desktop deployment project with an inventory of your devices and apps, prioritize what you want to move forward, test the prioritized apps and devices, then remediate what’s needed to get ready for deployment.
Step 2: Directory and Network Readiness
Cloud connected services in Office 365 ProPlus and new deployment options like Windows Autopilot require Azure Active Directory. Your network and connectivity are also important areas to plan when moving Windows images, apps, drivers and related files to your PCs. Learn how new tools and deployment options reduce and streamline network traffic.
Step 3: Office and LOB App Delivery
Ensure your apps are packaged and ready for automated installation. Learn how Click-to-Run packaging with Office 365 ProPlus gives you new options to configure, deliver and keep your Office apps up-to-date.
Step 4: User Files and Settings
When refreshing or replacing PCs, save time by automating user state backup and restore. New options for cloud file sync allow you to enforce per user sync of Desktop, Documents and Pictures folders to OneDrive for seamless file access from new Windows installs.
Step 5: Security and Compliance Considerations
Windows 10 and Office 365 ProPlus provide new ways to protect your data, devices and users and quickly detect and respond to threats. Also, learn how to deal with common problems associated with disk encryption, anti-malware apps and policies when moving to Windows 10.
Step 6: OS Deployment and Feature Updates
Task sequence-based deployment is used to automate large scale, phased deployment for bare metal installs, PC refresh and PC replacement. Upgrade task sequences will also help you stay current with major semi-annual updates. And Windows Autopilot is a recent addition that modernizes the new PC acquisition process.
Step 7: Preparing for Windows and Office as a Service
Both Windows 10 and Office 365 ProPlus continually add new capabilities to keep bringing user experiences and security forward with the latest innovations. Learn how to stay current with semi-annual and monthly updates, how the new servicing model works and the tools and options you have.
Step 8: User Communication and Training
Make sure your users are informed about new experiences and new ways of working as you shift your PCs to Windows 10 and Office 365 ProPlus. Learn how to take advantage of user adoption assistance with Microsoft FastTrack, training materials and communication templates, as well as new ways to monitor user acceptance and usage.
Get your Leadership on Board: Value Discovery and Business Case
If you’ve done your deployment research, assessed app and device readiness, built your deployment plan and started piloting your deployment, but don’t have the support or resources needed from your management team to meet your deployment timelines, the Business Value Programs at Microsoft can help. Learn how to build a business case for a modern desktop and help get everyone on board.
Mobile Device Management (MDM)
☐ Provide a self-service Company Portal for users to enroll their own devices and install corporate applications across the most popular mobile platforms (Requires System Center)
- Managing Windows 10 with Intune – The Many Ways to Enrol
☐ Deploy certificates, WiFi, VPN, and email profiles automatically once a device is enrolled, enabling users to access corporate resources with the appropriate security configurations
- How to configure Wi-Fi settings in Microsoft Intune
☐ Deliver comprehensive settings management for mobile devices, enabling the execution of remote actions such as passcode reset, device lock, data encryption, and full wipe to protect corporate data on lost or stolen devices
- Remove devices by using wipe, retire, or manually unenrolling the device
- How to wipe only corporate data from Intune-managed apps
☐ Protect corporate data by restricting access to Exchange email, Outlook email, and OneDrive for Business documents when a user tries to access resources on an unenrolled or non-compliant device based upon policies set by the administrator
- App-based conditional access with Intune
☐ Simplify enrollment of corporate devices with bulk enrollment using Apple Configurator or a single service account, enabling IT administrators to set policies and deploy applications on a large scale
- Enroll iOS devices with Apple Configurator
☐ Streamline the enrollment of iOS devices purchased directly from Apple or an authorized reseller with the Device Enrollment Program (DEP)
- Automatically enroll iOS devices with Apple’s Device Enrollment Program
☐ Enable the enforcement of more strict “lock down” policies for Supervised iOS devices, Android devices using Kiosk Mode, and Windows Phone devices using Assigned Access
Mobile Application Management (MAM)
☐ Enable your workforce to securely access corporate information using the Office mobile apps they know and love while preventing leakage of your company’s data by restricting actions such as copy/cut/paste/save in your managed app ecosystem
- Prevent data leaks on non-managed devices using Microsoft Intune
- Coding Enterprise Apps for Intune – Protected, Secured & Integrated : Build 2018
☐ Manage Office mobile apps with or without enrolling the device for management to protect corporate information without the risk of intruding on a user’s personal life
- How to Enable Intune MAM without Enrollment along with Conditional Access
☐ Apply the same management policies to your existing line-of-business (LOB) applications using the Intune App Wrapping Tool, without requiring code changes in those LOB apps
- Prepare line-of-business apps for app protection policies
- Prepare Android apps for app protection policies with the Intune App Wrapping Tool
- Prepare iOS apps for app protection policies with the Intune App Wrapping Tool
☐ Allow users to securely view content on devices within your managed app ecosystem using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps for Intune
- Manage Internet access using protected browser policies with Microsoft Intune
☐ Allow administrators and device users to protect corporate information through selective wipe of managed apps and related data when a device is unenrolled, no longer compliant, lost, stolen, or retired from use
- How to wipe only corporate data from Intune-managed apps
PC Management
☐ Integrate your existing System Center 2012 Configuration Manager infrastructure with Intune, further enhancing your ability to manage PCs, Macs, and Unix/Linux servers, as well as mobile devices from a single management console, while building on existing investments and skills
- Co-Management is Instant and Easy With #Just4Clicks
☐ Provide real-time protection against malware threats on managed computers, keep malware definitions up-to-date, and automatically scan computers to help protect against malware infections and other potentially unwanted software
- Enable Windows Defender ATP with conditional access in Intune
- Endpoint protection settings for Windows 10 (and later) in Intune
- Help secure Windows PCs with Endpoint Protection for Microsoft Intune
- Manage software updates in Intune, Windows Update for Business
☐ Collect information about hardware configurations and software installed on managed computers, allowing you to generate reports, organize groups of computers, and more effectively target software deployments
- Use the Intune Data Warehouse
☐ Simplify administration by deploying software and configuring Windows Firewall settings on computers based upon policies defined by the administrator
- Help protect Windows PCs using Windows Firewall policies in Microsoft Intune
☐ Enable administrators to push required apps automatically during enrollment and allow users to easily install corporate apps from the self-service Company Portal
- Assign apps to groups with Microsoft Intune
- How to configure the Microsoft Intune Company Portal app
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune
☐ Provide the ability to deny specific applications or URL addresses from being accessed on mobile devices
- Manage Internet access using a Microsoft Intune policy-protected browser
What would you like to accomplish with Azure Active Directory Premium?
☐ User/group management (add/update/delete)/user-based provisioning, device registration
- Set up enrollment for Windows devices
- Azure Active Directory integration with MDM
☐ Single Sign-On (SSO)
- Azure Active Directory Seamless Single Sign-On
☐ Self-service password reset/change/unlock with on-premises write-back
- Tutorial: Enabling password writeback
☐ Application proxy
- How to provide secure remote access to on-premises applications
☐ Self-Service Group and app Management/Self-Service application additions/ Dynamic Groups
- Set up Azure Active Directory for self-service group management
- How to configure self-service application assignment
☐ Multi-factor authentication (cloud and on-premises (MFA server))
- Which version of Azure MFA is right for my organization?
☐ Cloud app discovery – Allows you to run a discovery on applications that use your corporate email addresses
- Set up Cloud Discovery
☐ Connect Health – Includes ADFS, ADDS, and Directory Synchronization Health Monitoring from the cloud
- Azure Active Directory Connect Health: Monitoring the sync engine
☐ Azure Conditional Access based on group and location
- Best practices for conditional access in Azure Active Directory
☐ Azure Conditional Access based on device state (Allow access from managed devices)
- How To: Require managed devices for cloud app access with conditional access
☐ Join a Windows 10 device to Azure AD, Desktop SSO, Microsoft Passport for Azure AD, Administrator Bitlocker recovery
- BitLocker Management for Enterprises
☐ MDM auto-enrollment, Self-service Bitlocker recovery, additional local administrators to Windows 10 devices via Azure AD Join, Enterprise State Roaming
Please describe in some detail what your requirements are for securing your environment.
(Does not need to be elaborate and does not need to pertain to EMS)
- All the links / resources shared through the chat window
- Regarding the co-management with Intune, this article has some more good info. https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Co-Management-is-Instant-and-Easy-With-Just4Clicks/ba-p/250539
- MDM Migration Analysis Tool (MMAT): https://github.com/WindowsDeviceManagement/MMAT
- Here is the Microsoft 365 deployment advisor, https://portal.office.com/onboarding/Microsoft365DeploymentAdvisor#/
- Found some more info for Intune/Bitlocker. Windows 10: Intune + Windows BitLocker management? = Yes. https://blogs.technet.microsoft.com/cbernier/2017/07/11/windows-10-intune-windows-bitlocker-management-yes/
- Bitlocker CSP settings references for TPM and PIN: https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp
- Policy CSP – https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions
- For the Win10 uac settings, blog article with some info. https://www.petervanderwoude.nl/post/managing-user-account-control-settings-via-windows-10-mdm/
- This blog post uses the LocalPoliciesSecurityOptions area of the Policy configuration service provider (CSP), to manage User Account Control (UAC) settings on Windows 10 devices.
1. Deployment requirements
2. Planning guide
3. Deployment guide
4. Great blog: https://jairocadena.com/2018/04/02/windows-hello-for-business-registration-and-authentication-with-azuread/
- For the GPO to Intune CSP migration: MMAT (MDM Migration Analysis Tool)
- For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019.