MDM 1a


Microsoft Intune Cookbook

1. Getting Started with Microsoft Intune
2. Configuring Your New Tenant for Windows Devices
3. Securing Your Windows Devices with Security Policies
4. Setting Up Enrollment and Updates for Windows
5. Android Device Management
6. iOS Device Management
7. macOS Device Management
8. Setting Up Your Compliance Policies
9. Monitoring Your New Environment
10. Looking at Reporting
11. Packaging Your Windows Applications
12. PowerShell Scripting across Intune
13. Tenant Administration
14. Looking at Intune Suite
https://github.com/PacktPublishing/Microsoft-Intune-Cookbook/blob/main/blogs-linkscommunities.md
Chapter 1, Getting Started with Microsoft Intune, is an introduction to Intune. It takes a look at
licensing requirements and setting up the first tenant. It then moves onto Entra ID, covering
MDM and Mobile Application Management (MAM) enrollment scopes, the creation of both
static and dynamic groups, and then assigning roles and looking at device settings.
1. Creating a tenant
2. Creating a user
3. Assigning Entra ID roles
4. Configuring Entra ID Device settings
5. Configuring Entra ID ESR
6. Creating Entra ID static groups
7. Creating Entra ID dynamic groups
8. Configuring Entra ID MDM/MAM scopes

You can synchronize multiple Active Directory forests into a single Entra
tenant, but you cannot synchronize one on-premises AD domain/forest
into multiple Entra tenants.
A tenant can be configured with a custom domain name rather than the
.onmicrosoft.com one, which is automatically configured when you create your new
tenant. Within a tenant, you can have multiple Azure subscriptions but only one
Intune configuration. There is also no built-in functionality to copy or migrate
devices and settings between tenants using Intune.

As this is an Intune book, the two main roles we are interested in initially are
Intune Administrator and Entra Joined Device Local Administrator.

As its name suggests, Intune Administrator gives full access to everything within
Intune.

Entra Joined Device Local Administrator gives users full administrative access over
all Entra joined devices. While this is useful for support teams, if licensed, it is
worth considering using privileged identity management (PIM), which you can
use for role access for a limited amount of time with full reporting.

Intune also has specific role-based access control (RBAC) to restrict access within
the Intune portal itself (https://intune.microsoft.com).

The first settings we need to look at are the Device settings. This is where we can
configure what users can and cannot do with their devices, including who can enroll
devices into Intune and Entra ID, as well as the security around it.
The other device setting within Entra ID is Enterprise State Roaming (ESR), which
automatically backs up some device user preferences into Azure for a more seamless
experience when moving between Windows devices. It is similar to the older User
Experience Virtualization (UE-V), which can be found in the Microsoft Desktop
Optimization Pack (MDOP).
It backs up certain user settings within Intune and Edge to Azure Storage (outside the
subscription and without cost).
The following Windows settings are currently backed up:
Keyboard: Turn on toggle keys (off by default)
Date, time, and region: Country/region
Date, time, and region: Region format (locale)
Language: Language profile
Keyboard: List of keyboards
Mouse: Primary mouse button
Passwords: Web credentials
Pen: Pen handedness
Touchpad: Scrolling direction
Wi-Fi: Wi-Fi profiles (only WPA)
The following settings are backed up on Edge:
Favorites
Passwords
Addresses and more (form-fill)
Collections
Settings
Extensions
Open tabs (available in Microsoft Edge version 88 or later)
History (available in Microsoft Edge version 88 or later)

To enable ESR, follow these steps:

1. Navigate to Entra ID | Devices | Overview | Device settings and click on Enterprise State Roaming.
2. Change the Users may sync settings and app data across devices setting to All or Selected. As there is no cost regarding this, it is recommended to set it to All.
3. Then, click Save.

Creating Entra ID static groups
Creating Entra ID dynamic groups


Configuring Entra ID MDM/MAM scopes

The last thing we must do before we move on to Intune is allow our users to enroll
devices into Mobile Device Management (MDM) and, if required, Mobile
Application Management (MAM).
MDM is for enrolling your corporate-owned devices into Intune, while MAM is for
your bring-your-own devices (BYODs). MAM uses Windows Information
Protection (WIP), which is only supported on Android and iOS, but we can block
personal Windows devices within Intune so that we can still set this to everyone and
let Intune handle the rest.
Follow these steps to configure your Entra ID MDM and MAM scopes:
1. Within Microsoft Entra ID, expand Settings and click on Mobility.
2. Within the Mobility portal, click Microsoft Intune.
Chapter 2, Configuring Your New Tenant for Windows Devices, looks at the policy options
available for Windows devices and how to use them to comprehensively manage your Windows
fleet.
We use policies that are equivalent to Group Policies in a traditional Active Directory configuration.
Configuring a Settings catalog policy
Configuring a Custom policy
Importing and ingesting an ADMX policy
Group policy analytics

Chapter 3, Securing Your Windows Devices with Security Policies, covers all the important
security policies available for Windows devices and how to best configure them for your
environment.
This chapter will take that knowledge and extend it into the Endpoint Security blade within Microsoft Intune.
We will configure the four policies that are most critical in a new environment: Antivirus, BitLocker, Firewall, and
Attack surface reduction (ASR). These, combined with your baseline, will give you an excellent security
footprint to build upon.
Setting up a security baseline
Configuring an antivirus policy
Configuring Windows Security Experience
Configuring your BitLocker policy
Configuring Windows Firewall
Deploying ASR rules
Enrolling in Defender for Endpoint
Deploying Windows Local Admin Password Solution (LAPS)

1. Navigate to the Intune console and click Endpoint security, then Security baselines.
2. Navigate to Endpoint security in Intune, click Antivirus, and then click Create Policy.
3. Navigate back to the Antivirus menu in Endpoint security and create a new policy, this time selecting Windows Security Experience.
4. Within Endpoint security, click on Disk encryption and create a policy.
5. In the portal, navigate to Endpoint security, then Firewall. Choose Create Policy.
6. In the Endpoint security blade, click Attack surface reduction, choose Create policy, and select Attack surface reduction from the list of options.
7. To start, we need to navigate to the Security Portal at https://security.microsoft.com.
8. First, head to Entra | Devices | Overview | Device Settings. Toward the bottom, there is the option for Local administrator settings.

Security baselines are a quick start group of settings selected by Microsoft to quickly secure your tenant. They are
available for Windows, Edge, Windows 365, and Microsoft Defender for Endpoint.

Another important thing to consider is BitLocker drive encryption. While antivirus and firewall protect the machine
when in use, this protects the data if your machine is lost or stolen. You should always use the strongest encryption
possible and make it a requirement for device compliance and conditional access.

When we look at Windows Firewall, we will be introduced to the Reusable settings option. An environment will
often have multiple firewall policies for different user and device groups to allow a piece of software to run or to
further restrict a selection of devices. The idea behind Reusable Settings is that you can configure your specific
firewall rules and then apply those across policies without needing to manually add them each time.
In the portal, navigate to Endpoint security, then Firewall. Choose Create Policy.

Deploying ASR rules


There are some more well-known and documented weak points in a standard machine build that bad actors like to
target. JavaScript, Office macros, and Adobe Acrobat Reader are some examples. Fortunately, there are built-in ASR
rules that can be enabled to block these from executing. Additionally, there is the option to enable them in Audit
mode if there are concerns about the potential impact on your applications.
Enrolling in Defender for Endpoint
Microsoft Defender for Endpoint gives you additional controls and monitoring on your devices.
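As an added example (not the book's code), this PowerShell is written in the shape of a Chapter 12 proactive remediation detection script: it reports whether the ASR rules covering the weak points named above (JavaScript, Office macros, Adobe Reader) are in Block or Audit mode on the local device. It assumes the Defender PowerShell module (Get-MpPreference) is present and uses rule GUIDs from Microsoft's public ASR rules reference, which should be checked against that reference before deployment.

```powershell
# Added example, not the book's code: detection script reporting the configured
# mode of the ASR rules that cover JavaScript, Office macros and Adobe Reader.
# Rule GUIDs are from Microsoft's public ASR rules reference; verify them there.
$ExpectedRules = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}
# Action values as exposed by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Reads the device's ASR configuration and returns one object per expected rule.
    $pref = Get-MpPreference
    # Wrap in @() so a single configured rule is still an array, not a bare string.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $configured[$ids[$i].ToString().ToUpperInvariant()] = [int]$actions[$i]
    }
    foreach ($id in $ExpectedRules.Keys) {
        # A rule that is not configured at all behaves as Disabled.
        $action = if ($configured.ContainsKey($id)) { $configured[$id] } else { 0 }
        [pscustomobject]@{
            RuleId = $id
            Name   = $ExpectedRules[$id]
            Mode   = if ($ActionNames.ContainsKey($action)) { $ActionNames[$action] } else { "Unknown($action)" }
        }
    }
}

$states = Get-AsrRuleState
foreach ($s in $states) { Write-Output ('{0,-8} {1}' -f $s.Mode, $s.Name) }

# Detection-script convention: exit 1 marks the device non-compliant so the paired
# remediation script runs; exit 0 means nothing to do. Audit mode is reported but
# still counted as non-compliant here, because it only logs and does not block.
$notBlocking = @($states | Where-Object { $_.Mode -ne 'Block' })
if ($notBlocking.Count -gt 0) {
    Write-Output ('Rules not in Block mode: ' + (($notBlocking | ForEach-Object { $_.Name }) -join '; '))
    exit 1
}
Write-Output 'All expected ASR rules are in Block mode.'
exit 0
```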

Configuring Application Control


A new feature to Intune is Application Control, which extends the Windows Defender Application Control
(WDAC) functionality but with an easier deployment.
There are two methods of deploying Application Control – via a GUI with boxes to select and using an XML file
created for WDAC.

Chapter 4, Setting Up Enrollment and Updates for Windows, looks at Windows Update and
Autopatch, configuring Windows Hello for Business, before finally looking at the enrollment of
devices using Autopilot and the Enrollment Status Page (ESP).
We will look at configuring update rings manually and using Windows Update for
Business (WUfB) as well as Windows Autopatch, which you can think of as Windows Updates as a
Service, where Microsoft does the heavy lifting for you.
Building your update rings – including feature and quality updates
Configuring driver updates
Enrolling and using Autopatch
Configuring Windows Hello for Business
Setting up Windows Autopilot Enrollment Profiles
Configuring an Enrollment Status Page (ESP)
Enrolling your Windows device

Before building the rings, navigate to the Entra ID portal and create some Entra ID (static) groups.
We will populate these with devices to assign to each of the rings.
Create four groups:
1 for Preview devices.
1 for Pilot devices.
1 for VIP devices.
1 for everything else (broad ring). This could be a dynamic group to save on admin overhead.
Once you have created these groups, navigate to the Intune portal; we will be using the Update Rings, Feature
updates, and Quality updates options.

Enrolling and using Autopatch


If you have Windows Enterprise Licensing (Microsoft 365 E3, E5, or Windows E3), instead of
manually configuring and populating your Windows update rings, you can use Windows Autopatch
from Microsoft. This is a semi-managed service that automates updates for Windows, Microsoft Office,
Microsoft Teams, Edge, Drivers, SQL ODBC, and .NET. When using Autopatch, Microsoft can also
centrally pause updates so that if it notices a particular update is causing issues, it can block it before it
is installed on your devices and then automatically resume it when the issue has been resolved.

Configuring at the tenant level

Follow these steps:
1. Navigate to Devices, then Enrollment, and click on the Windows tab. Then, click on Windows Hello for Business.

Setting up Windows Autopilot Enrollment Profiles


Now that we have our policies in place to manage devices, we can start configuring the policies so that we can enroll
and provision them. The first of these is the Windows Autopilot Enrollment Profile, which tells the device what to
do when it hits the Autopilot service during the Out of Box Experience (OOBE).
Configuring an ESP
The final step before we can deploy a Windows device using Autopilot is to configure our ESP. This is the screen
that users see after entering their credentials during OOBE and displays the progress of their device configuration
and onboarding. It also has the potential to be where you will experience most of your issues, so be sure to check out
the There’s more… section for some troubleshooting tips.

Enrolling a Windows device


We now have everything in place and can enroll our first Windows device into Intune using Autopilot. This recipe
will run through the different options for adding the hardware hash into Autopilot and then provisioning a new
machine.

Chapter 5, Android Device Management, covers the management of your Android devices
using Google Play. It runs through the full end-to-end process of configuring your managed
Google Play account, connecting it to Intune, and using it to deploy applications. After
configuring the connections, the chapter will run through configuring your enrollment profiles
for different use cases and then move on to the policies themselves, including looking at
Original Equipment Manufacturer (OEM)
specific policies. Finally, it will cover the use of app protection policies for Bring your Own
Device (BYOD) scenarios.

Chapter 6, Apple iOS Device Management, looks at the management of both iOS and macOS
devices from Apple, with devices managed by Apple Business Manager and Apple Volume
Purchase Program for applications. After running through configuring Apple Business
Manager, the chapter then demonstrates how to connect it to Intune, add the required
certificates, and set up enrollment profile tokens. Once the basic environment is configured, it
moves on to configuring policies and deploying (and protecting) applications from the app store
for iOS.

Chapter 7, macOS Device Management, continues the Apple journey with macOS devices. It
covers configuring your first policy and then deploying scripts and applications to your devices,
before finally looking at keeping your macOS up to date.

Chapter 8, Setting Up Your Compliance Policies, explores the very important, but often
overlooked, area of compliance. When tied to Conditional access, it is the best way to secure
your environment against risky/infected machines. The chapter covers configuring compliance
policies for all currently supported operating systems and the various settings available for each.
For Windows devices, it also dives into the more complex but powerful custom compliance
policies. Finally, it demonstrates how to link your compliance policies to a Conditional access
policy.

Chapter 9, Monitoring Your New Environment, runs through the monitoring options available
within Intune. It looks at monitoring your applications (both installed and detected) and your
critical app protection policies and then moves on to the devices. In device monitoring, you can
learn how to review the success of your configuration profiles, device compliance, and device
enrollment successes and failures. The chapter will then look at checking your device update
status and, finally, review any admin tasks within the portal itself, including device actions and
audit logs for policy/app changes.
important security enrollment of devices

Chapter 10, Looking at Reporting, covers all of the available reports within Intune initially,
including security and Endpoint analytics. It then moves beyond Intune, covering connecting
PowerBI to the Intune Data Warehouse and deploying Windows Update for Business Reports
within an Azure Log Analytics Workspace. Finally, it will cover how to export your diagnostics
events to Azure for further alerting or management.

Chapter 11, Packaging Your Windows Applications, examines application packaging and
deployment, which can be a blocker to many. The chapter runs through deploying all Windows
applications, starting with your straightforward Microsoft Store apps and then covering
packaging in the MSIX or Win32 format, using the official Microsoft tools. It also covers
application dependencies and supersedence for Win32 applications.

Chapter 12, PowerShell Scripting across Intune, looks at all of the available scripts inside
Intune, starting with the basic device scripts. It will then move on to the very useful proactive
remediations before looking at how they can be used when deploying apps – in particular,
during detection and requirement checking.

Chapter 13, Tenant Administration, runs through the options within the Tenant
Administrative menu within Intune, including your day-to-day admin tasks (monitoring
connectors, troubleshooting, and version checking). It also covers the more set-once options
such as terms and conditions, setting roles, and customizing. Finally, it covers using filters to
manage assignments, sending organizational messages, and looking at multi-admin approval.

Chapter 14, Looking at Intune Suite, looks at the additional licensed features currently included
in the Intune Suite. We will look at Remote Help, Microsoft Tunnel for Android/iOS, device
anomalies, and Endpoint Privilege Management.
