Microsoft 365 Device Management / Intune best practices checklistAlex Fields
Update: Downloadable, printable copies of the Microsoft 365 Best practices checklists and guides are now available. Thanks for your support!
Similar to the checklist for Azure AD which I recently published, this resource is designed to get you up and running quickly with what I consider to be a good “baseline” for most small and mid-sized organizations. I have also updated the Azure AD checklist with this release, based on reader feedback, and to standardize the format for each guide.
When it comes to Device management, the vast majority of settings and policies are optional, but the idea here is to create an environment that enables users to be productive, while keeping them safe at the same time. Note: I have previously shared some compliance policies and device profiles that can be imported from JSON via PowerShell.
The most important thing we’re going to do is configure device compliance. This becomes extremely powerful when it is combined with device-based Conditional access, which we covered in our Azure AD best practices checklist. That’s because the device literally becomes part of your identity, and its compliance status can become a factor in granting or denying access to resources.
Summary of the checklist with links to Microsoft sources:
- Create security groups for Intune deployment rings
- Configure Windows 10 software update rings
- Setup Office 365 apps deployment for Windows 10
- Setup App protection policies
- Create Company terms and conditions
- Customize Company Portal branding
- Configure device cleanup rules
- Set device enrollment restrictions
- Configure Windows 10 automatic enrollment
- Configure Windows Hello for Business
- Configure Apple MDM push certificate
- Configure default Compliance policy settings
- Configure Device compliance policies
- Enroll devices
- Verify compliance status for enrolled devices
- Enable Conditional Access
- Setup Device Configuration profiles
I’ve been devouring all your excellent posts on MDM/MAM. Thank you SO much for sharing your work!
In the accompanying script: “Install-BYODMobileDeviceProfiles.ps1”, I noticed you have a compliance policy for Android, iOS, and MacOS but not for Windows. What do you recommend for a baseline Windows 10/11 compliance policy for SMB?
There is a separate script for Windows that includes the option to deploy many types of policies, beyond just compliance.