How-to setup Intune quickly (and strategically) in your environment
Update March 2023: Much of what is written here eventually became the basis for my SMB Guide to Threat Defense and Microsoft Defender, which in turn is part of the Consultant’s Bundle. I encourage you to check it out!
UPDATE: I have updated the setup script to now be a single script, with the JSON files embedded within it. You do not need to download the JSON files separately, however they are provided for reference.
I have previously covered the benefits of using Microsoft Intune to manage devices in a more “modern” way than what is available to you via traditional GPO. So let’s talk about implementation and how you can get from point A to point B. Here is what I hear from a lot of IT admins and other consultants when I engage with them: they would love to learn the new tools, but they just don’t have the time.
You have seen that old cartoon of a guy chopping wood with a dull axe, right? Someone asks, “Hey guy, why don’t you just sharpen that axe?”
“Because I don’t have the time!” he replies. “Just look at all this wood I need to chop!”
You do have the time. This tool will pay you back bucket loads of time, if you could just start adopting it…
So here is what I have done. I wanted to make it even easier for you to get started with Intune, so I did you a solid, and created a few baseline policies (see footnote #1) in the form of JSON files, which you can import into your environment, using scripts that Microsoft provides freely on GitHub.
I collected these scripts and JSON files into my own new GitHub repository, and included a “master” script called Setup-Intune.ps1.
Literally, all you have to do is download Setup-Intune.ps1 (and, if you want them for reference, the JSON files) from my Intune folder to a local working directory of your choice (e.g. C:\IntuneScripts or whatever you want), launch PowerShell, and run .\Setup-Intune.ps1. If PowerShell refuses to run a downloaded script because of your execution policy, run Unblock-File on it first, or start PowerShell with -ExecutionPolicy Bypass for that session.
You will be prompted to enter your admin user name and, upon sign-in, to consent to the Graph permissions the script requests (one time only; the first run needs an account that is allowed to grant consent for the tenant). After that the importing is done for you (also see footnote #2).
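To make the “importing is done for you” step less of a black box, here is an added example of the mechanics such an import relies on. It is not the author’s Setup-Intune.ps1 and not Microsoft’s sample scripts; it uses the Microsoft Graph PowerShell SDK instead. The folder path, the @odata.type-to-collection mapping and the idea of matching on displayName are assumptions made for this example.

```powershell
# Added example, not the author's Setup-Intune.ps1 nor Microsoft's sample scripts. It shows the
# mechanics both rely on: read an exported policy JSON, strip the read-only properties Intune
# adds on export, pick the Graph collection from the @odata.type, and POST it unassigned.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph). The folder path and the
# type-to-collection mapping below are assumptions for this example.

Import-Module Microsoft.Graph.Authentication

# One-time consent prompt; these scopes cover MAM, compliance and configuration policies.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All',
                        'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

$Graph = 'https://graph.microsoft.com/beta'

# Properties Intune writes on export but rejects (or ignores) on create.
$ReadOnlyProps = 'id', 'createdDateTime', 'lastModifiedDateTime', 'version',
                 'isAssigned', 'deployedAppCount', 'assignments', 'supportsScopeTags'

function Get-IntuneCollection {
    # Map the policy's @odata.type to the beta collection that accepts it (assumed mapping).
    param([Parameter(Mandatory)][string]$ODataType)
    switch -Wildcard ($ODataType) {
        '#microsoft.graph.iosManagedAppProtection'     { 'deviceAppManagement/iosManagedAppProtections' }
        '#microsoft.graph.androidManagedAppProtection' { 'deviceAppManagement/androidManagedAppProtections' }
        '*CompliancePolicy'                            { 'deviceManagement/deviceCompliancePolicies' }
        default                                        { 'deviceManagement/deviceConfigurations' }
    }
}

function Import-IntunePolicyJson {
    param([Parameter(Mandatory)][string]$Path)

    $policy     = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $odataType  = $policy.'@odata.type'
    if (-not $odataType) { throw "$Path has no @odata.type; not an Intune export" }
    $collection = Get-IntuneCollection -ODataType $odataType

    foreach ($p in $ReadOnlyProps) { $policy.PSObject.Properties.Remove($p) }

    # A compliance policy must carry at least one scheduled action (here: block immediately),
    # otherwise Graph refuses to create it.
    if ($collection -like '*deviceCompliancePolicies' -and -not $policy.scheduledActionsForRule) {
        $policy | Add-Member -NotePropertyName scheduledActionsForRule -NotePropertyValue @(
            @{
                ruleName = 'PasswordRequired'
                scheduledActionConfigurations = @(
                    @{ actionType = 'block'; gracePeriodHours = 0
                       notificationTemplateId = ''; notificationMessageCCList = @() })
            })
    }

    # Idempotent re-runs: match on displayName client-side rather than creating a duplicate.
    $existing = @((Invoke-MgGraphRequest -Method GET -Uri "$Graph/$collection").value) |
                Where-Object { $_.displayName -eq $policy.displayName }
    if ($existing) {
        Write-Warning "Skipping '$($policy.displayName)': already exists"
        return $existing
    }

    $body    = $policy | ConvertTo-Json -Depth 20
    $created = Invoke-MgGraphRequest -Method POST -Uri "$Graph/$collection" `
                                     -Body $body -ContentType 'application/json'
    Write-Host "Created $odataType '$($created.displayName)' ($($created.id)); nothing assigned yet"
    return $created
}

# Import every exported JSON under the working folder (path is an assumption).
Get-ChildItem -Path 'C:\IntuneScripts\Policies' -Filter *.json -Recurse |
    ForEach-Object { Import-IntunePolicyJson -Path $_.FullName }
```

The two things worth noticing are the property stripping (an export contains the tenant-specific id and timestamps, and a create request that still carries them fails) and the default scheduled action on compliance policies, which is the piece people most often miss when they first post a compliance policy by hand. Nothing here touches assignments, which matches the behaviour described above: policies land unassigned.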
What is the result of running this script?
I didn’t want people coming back to me all angry, saying “Hey, I didn’t realize that MAM would require my Android and iOS users to enter a PIN in Outlook!” or “You mean this causes my Windows 10 PCs to reboot?!” etc., etc. Plus, there is a right way and a wrong way to roll out Intune–just pressing “Go” all at once is the wrong method. So, I figure the best thing is to just import the policies, and let you test, modify, deploy, etc. from there. None of the policies are assigned to any groups by default.
Implement using the typical processes to validate user experience and make adjustments as you see fit. This means:
- Deploy the policies to a test or “pilot” group first.
- Review the user experience in that small group, get feedback, etc.
- Make adjustments as needed and roll those out
- Communicate the final experience to your next deployment ring, for example “Wave 1” which might be a slightly larger group of people
- Rinse and repeat, continue with the remaining waves / deployment rings until everyone is on-boarded
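The ring rollout above can be driven from PowerShell as well as from the portal. The following is an added example, not part of the original post or its repository: it assigns an imported policy to a pilot group and keeps an exclusion group for machines that must never receive it, then shows how the same call grows as you add waves. The group names and the policy name are assumptions; the Graph paths are the standard assign action on MDM policies (app protection policies use a different path under deviceAppManagement and are not covered here).

```powershell
# Added example, not from the original post. Assign a policy to a pilot ring via the Graph
# "assign" action, with an exclusion group as a safety valve. Group and policy names are assumptions.
# Requires the Microsoft.Graph module.

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.Read.All', 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

$Graph = 'https://graph.microsoft.com/beta'

function Get-GroupId {
    # Resolve a group by display name; fail loudly on ambiguity rather than assigning to the wrong group.
    param([Parameter(Mandatory)][string]$DisplayName)
    $g = @(Get-MgGroup -Filter "displayName eq '$DisplayName'" -Property Id, DisplayName)
    if ($g.Count -eq 0) { throw "Group '$DisplayName' not found" }
    if ($g.Count -gt 1) { throw "More than one group is named '$DisplayName'" }
    return $g[0].Id
}

function Set-IntunePolicyAssignment {
    param(
        [Parameter(Mandatory)][ValidateSet('deviceConfigurations', 'deviceCompliancePolicies')]
        [string]$Collection,
        [Parameter(Mandatory)][string]$PolicyId,
        [Parameter(Mandatory)][string[]]$IncludeGroup,
        [string[]]$ExcludeGroup = @()
    )
    $targets = @()
    foreach ($name in $IncludeGroup) {
        $targets += @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                                   groupId       = (Get-GroupId -DisplayName $name) } }
    }
    foreach ($name in $ExcludeGroup) {
        $targets += @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'
                                   groupId       = (Get-GroupId -DisplayName $name) } }
    }
    # The assign action REPLACES the policy's assignment set, so always pass the complete set.
    $body = @{ assignments = $targets } | ConvertTo-Json -Depth 10
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/$Collection/$PolicyId/assign" `
                          -Body $body -ContentType 'application/json' | Out-Null
    Write-Host "Assigned $Collection/$PolicyId to: $($IncludeGroup -join ', ') (excluding: $($ExcludeGroup -join ', '))"
}

# Look up the imported policy by name (name is an assumption) and hand it to the pilot ring.
$policy = @((Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceManagement/deviceConfigurations").value) |
          Where-Object { $_.displayName -eq 'Windows 10 - Firewall config' }
if (@($policy).Count -ne 1) { throw 'Expected exactly one policy with that display name' }

# Ring 0: pilot only.
Set-IntunePolicyAssignment -Collection deviceConfigurations -PolicyId $policy.id `
    -IncludeGroup 'Intune Pilot' -ExcludeGroup 'Intune Exclusions'

# Later rings: repeat with the cumulative list, because assign replaces rather than appends.
# Set-IntunePolicyAssignment -Collection deviceConfigurations -PolicyId $policy.id `
#     -IncludeGroup 'Intune Pilot', 'Intune Wave 1' -ExcludeGroup 'Intune Exclusions'
```

The detail that bites people is that the assign action is a replace, not an append: if you call it for Wave 1 with only the Wave 1 group, the pilot silently loses the policy. Passing the cumulative list each time, and keeping a standing exclusion group for servers, kiosks or the one machine that runs your line-of-business app, keeps the rings honest.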
Overview of what gets built
Mobile Application Management:
- iOS App Protection Policy
- Android App Protection Policy
These policies exist to enable MAM, and are located in the Intune GUI via Client Apps > App protection. These are a great alternative to fully managing BYOD mobile devices.
The policies will place controls on and enforce encryption for Microsoft apps such as Outlook, OneDrive, Teams, Word, etc. I chose not to restrict the ability to copy/paste/save to personal apps, although you could modify your policies to do that, if it were important to you (I find that it isn’t for many small businesses, but there may be exceptions for highly regulated industries, e.g. healthcare). Be aware that leaving those open means corporate data can still be moved out of the managed apps by hand; what you do get is the app PIN, encryption of the app data at rest, and the ability to selectively wipe it.
When you are ready to start deploying the policies to your pilot group and other rings, then you just click on a policy, pick Assignments, and assign to groups.
Mobile Device Management:
- Compliance policies for iOS, Android, Windows and MacOS
- Configuration profiles for iOS, Android, Windows and MacOS
MDM is the other side of mobility, where you control the entire device. It is most often used with corporate-owned devices. Some notes on each platform are below.
If you plan to enroll iOS devices, you have to go set up a certificate with Apple. This is very easy to do; there is a wizard within Intune that will walk you through it (10-15 minutes tops). To do that, just click on Device enrollment > Apple enrollment and pick the big button for Apple MDM Push certificate. The cert must be renewed annually, so be sure to keep track of that Apple ID (use a company-owned account, not an employee’s personal iCloud login) and set yourself reminders. Renew it with the same Apple ID that created it: a push certificate issued under a different Apple ID is a new certificate, and every enrolled iOS device will have to be re-enrolled.
If you don’t plan to enroll iOS devices for full management (like if you go the MAM route instead), then forget about it–skip this section–and remember: just because the policies are there doesn’t mean you need to assign them to anyone.
- iOS Compliance policy: Block jail-broken iOS devices
- Android Compliance policy: Block rooted devices, require Google Play services and app integrity
- macOS Compliance policy: Require encryption and system integrity
- Windows 10 Compliance policy: Require firewall, antivirus and antispyware
I chose to keep the compliance requirements very minimal–anything you specify here becomes “the bar” that devices must meet in order to gain access to resources (only if you couple this with Conditional access–and you should). You are free to edit these policies and make your own selections however you see fit; this is just a “starting point” for you that is both low risk and low impact.
Compliance policies are found under Device Compliance > Policies.
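Because whatever you put in a compliance policy becomes the bar, it helps to know before assignment which pilot devices will clear it. The following is an added example, not from the original post: a pre-flight check to run on a Windows 10 pilot machine that reads the Windows Security Center state behind the three requirements in the baseline above (firewall, antivirus, antispyware). The decoding of Security Center’s productState field is the commonly used interpretation of that bitfield rather than a documented API, so treat that part as an assumption and confirm odd results against the Windows Security app.

```powershell
# Added example, not from the original post. Run on a Windows 10 pilot machine before the
# compliance policy is assigned: it reads the Windows Security Center state that the
# "firewall / antivirus / antispyware required" settings are evaluated from, so a device that
# fails here will be marked non-compliant once the policy lands (and blocked, with Conditional Access).
# The productState decoding is the commonly used interpretation of that bitfield, not a documented
# API; treat it as an assumption.

function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][int]$State)
    $hex = '{0:X6}' -f $State                            # e.g. 0x061000 -> '061000'
    [pscustomobject]@{
        Enabled  = $hex.Substring(2, 2) -in '10', '11'   # middle byte: product switched on
        UpToDate = $hex.Substring(4, 2) -eq '00'         # last byte: 00 = definitions current
    }
}

function Get-SecurityCenterProduct {
    param([Parameter(Mandatory)]
          [ValidateSet('FirewallProduct', 'AntiVirusProduct', 'AntiSpywareProduct')][string]$Class)
    # Built-in Defender and Defender Firewall register here just like third-party products,
    # so the same check works whichever vendor the device runs (no elevation needed).
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName $Class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = ConvertFrom-ProductState -State $_.productState
            [pscustomobject]@{ Class = $Class; Product = $_.displayName
                               Enabled = $s.Enabled; UpToDate = $s.UpToDate }
        }
}

function Test-WindowsBaselineCompliance {
    $products = foreach ($c in 'FirewallProduct', 'AntiVirusProduct', 'AntiSpywareProduct') {
        Get-SecurityCenterProduct -Class $c
    }
    $enabled = { param($class) @($products | Where-Object { $_.Class -eq $class -and $_.Enabled }).Count -gt 0 }

    # The three settings the baseline compliance policy turns on.
    $checks = [ordered]@{
        'Firewall required'    = & $enabled 'FirewallProduct'
        'Antivirus required'   = & $enabled 'AntiVirusProduct'
        'Antispyware required' = & $enabled 'AntiSpywareProduct'
    }
    # Not part of the minimal baseline, but the usual reason an "enabled" AV still looks unhealthy.
    $staleAv = @($products | Where-Object { $_.Class -eq 'AntiVirusProduct' -and $_.Enabled -and -not $_.UpToDate })

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
    [pscustomobject]@{
        Compliant = ($failed.Count -eq 0)
        Failed    = $failed
        StaleAv   = @($staleAv.Product)
        Products  = @($products)
    }
}

$result = Test-WindowsBaselineCompliance
$result.Products | Format-Table -AutoSize
if ($result.Compliant) { 'Meets the Windows 10 compliance baseline' }
else { "Would be NON-compliant: $($result.Failed -join ', ')" }
if ($result.StaleAv) { "Warning: definitions out of date for $($result.StaleAv -join ', ')" }
```

Run it across the pilot group (for example through your RMM or a remote PowerShell session) and fix the stragglers before assignment rather than after; with Conditional Access in front of Exchange Online, a non-compliant device is a user who cannot read mail.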
Device configuration profiles
You could use Compliance policies to require a PIN or passcode on mobile devices, but I have chosen to enforce a PIN requirement using the Device restriction profiles instead. Just keep in mind, when you are working in Device configuration > Profiles, these policies do not have any bearing on Conditional access.
- Android Baseline Config: just a PIN requirement, 4 digits
- iOS Baseline Config: same, just PIN
- macOS Baseline Config: just a password requirement
- macOS Endpoint Protection: enable the firewall in Stealth mode
Windows 10 configuration profiles
As with the application policies for Android and iOS, you can create device configuration profiles for Windows 10 using the Microsoft 365 admin center (Devices > policies). But you only get a limited selection of options in that portal (it is still a fine place to start–that’s where I started).
There are several notable differences with the baseline profiles you will be importing from JSON. To begin, I split the policies out by feature/function. That way, you can implement one feature at a time, and if there are any issues applying a policy, you can quickly see which devices are having trouble with which configuration settings.
Aside from an optimized config of Windows Defender Antivirus, I have also enforced the option to block all inbound connections using the Windows Firewall, enabled Windows Defender SmartScreen and turned up the UAC settings to Always notify (don’t be afraid of it–this is critical). One caveat on the firewall setting: “block all inbound connections” ignores your allow rules as well, so anything that reaches into the PC (RDP, remote PowerShell, remote-control tools) stops working until you decide how to handle it.
We also have Application Guard in place. Did you know it is supported on Windows 10 Pro 1803 and higher (used to be restricted to Enterprise edition)?
Application Guard will isolate untrusted/non-corporate websites within Edge/Internet Explorer into a virtualization container. This means that websites which turn out to be malicious (and get past your other controls) have no access to the host operating system. This setting requires a reboot. Note however: currently there is a known bug with this Intune setting causing it not to be applied–a fix is expected soon.
Remember: whenever settings like Application Guard and Credential Guard are turned on, they rely on virtualization-based security. At the very least this is going to require a reboot of the endpoint, and may have some performance impacts as well. Make sure your systems meet the minimum hardware and software requirements for these features: a 64-bit OS, CPU virtualization extensions (Intel VT-x / AMD-V) enabled in firmware, and Secure Boot and a TPM enabled on the endpoints.
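Rather than discovering the hardware gaps one help-desk ticket at a time, check them up front. The following is an added example, not from the original post: a pre-flight script to run (elevated) on candidate endpoints before assigning the Application Guard or Credential Guard profiles. It uses Windows’ own cmdlets and the Win32_DeviceGuard WMI class; the build number for 1803 comes from the text above, while the “Ready” verdict and its rules are this example’s own summary and should be treated as an assumption.

```powershell
# Added example, not from the original post: pre-flight check for the virtualization-based
# features (Application Guard, Credential Guard) before their profiles are assigned. Run elevated.
# The "Ready" rule at the end is this example's own summary, not an official requirement list.

function Test-VbsPrerequisites {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $build = [int]$os.BuildNumber

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not enabled".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Get-Tpm needs an elevated prompt; report "unknown" ($null) rather than a false negative.
    try   { $tpmReady = [bool](Get-Tpm).TpmReady } catch { $tpmReady = $null }

    # VT-x/AMD-V: once Hyper-V is running, Win32_Processor stops reporting it, so accept either signal.
    $virtFirmware = @(Get-CimInstance -ClassName Win32_Processor).VirtualizationFirmwareEnabled -contains $true
    $virtOk       = $virtFirmware -or [bool]$cs.HypervisorPresent

    # Current VBS state as the OS sees it (same data the Intune device report is built from).
    $dg      = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)      # 1 = Credential Guard, 2 = HVCI

    $report = [pscustomobject]@{
        Edition                 = $os.Caption
        Build                   = $build
        Is64Bit                 = ($os.OSArchitecture -like '64*')
        SecureBoot              = $secureBoot
        TpmReady                = $tpmReady
        VirtualizationAvailable = $virtOk
        VbsRunning              = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning  = (1 -in $running)
        HvciRunning             = (2 -in $running)
        AppGuardBuildOk         = ($build -ge 17134)   # Windows 10 1803 is build 17134
        MemoryGB                = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    }
    # Ready = can switch VBS on without surprises. TPM and Secure Boot are required here because
    # they are what makes the Credential Guard configuration tamper-resistant.
    $report | Add-Member -NotePropertyName Ready -NotePropertyValue (
        $report.Is64Bit -and $report.SecureBoot -and ($tpmReady -eq $true) -and $virtOk) -PassThru
}

$r = Test-VbsPrerequisites
$r | Format-List
if (-not $r.Ready) { Write-Warning 'Do not assign Application Guard / Credential Guard to this device yet' }
elseif (-not $r.VbsRunning) { 'Prerequisites met; expect at least one reboot when the profile applies' }
```

A device that reports Ready but not VbsRunning is exactly the one that will reboot when the profile lands, which is the conversation to have with the pilot users before you click Assign. A machine with Ready set to false (legacy BIOS, virtualization switched off in firmware, no TPM) belongs in your exclusion group until it is fixed or replaced.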
A quick description of the Windows 10 Baseline policies are below. (Request: if you think you know your stuff, and you review these and find anything missing here that you feel should be included in a good baseline configuration, please let me know in the comments or via my contact page).
- Antivirus config: This policy defines behavior for Windows Defender Antivirus, and includes several important optimization settings
- Application Guard: Isolates untrusted/non-corporate websites within Edge/Internet Explorer into a virtualization container (e.g. if a website turns out to be malicious then it has no access to the host OS)
- Bitlocker: requires BitLocker to be enabled and the recovery key to be stored in Azure AD
- Credential Guard: Isolates Windows credentials using virtualization-based security
- Defender SmartScreen: Protects against malicious content downloaded from the Internet
- Exploit Guard: A set of intrusion prevention capabilities that help to reduce attack surface; there are two versions of this policy:
  - Basic: These options can be enabled via the Microsoft 365 admin center in any version of Microsoft 365 (including Business–though I’m not 100% sure Pro is licensed for all of these features)
  - Enterprise: These options go further but are for sure not officially supported on the Windows 10 Pro/Business license
- Firewall config: Turns on Windows Defender Firewall in Shielded mode (deny all inbound connections)
- Passcode requirement: Sets a default 6-digit PIN requirement for Windows Hello
- Security Center: Disables non-critical notifications from the Windows Defender Security Center
- UAC: Enables User Account Control settings
Again, test the policies out in your environment. For the most part, these are safe and even recommended as a general baseline. Noticeable impacts are most likely to come from Application Guard and Exploit Guard (especially Enterprise). The rest aren’t too bad.
Note that you can customize–for example both Defender Antivirus and Defender Exploit Guard (e.g. Controlled folder access) can be modified for specific inclusions/exclusions.
Remember that you are free to modify these however you like. I don’t care. I just want to see more people adopting the modern management tools, because it helps raise the bar, so to speak, for everyone out there.
At this time, I have not included anything for Microsoft Defender ATP (only supported with Enterprise licensing). Oh, and I know some of you will ask me about Conditional access… but those policies aren’t exposed via the Graph yet, so we can’t import them from JSON. Once they are available (I’m watching–go vote it up), then I’ll get those JSON files and scripts added here also, to enforce managed devices, managed apps, etc.
Anyway, be sure to test all this out on a pilot group first. Some of the features will have visible impacts on the endpoints (reboots, blocked inbound connections, extra prompts), and you’ll want to be prepared to communicate them to the end-users, make tweaks to your liking, etc. Seriously, it isn’t that bad–I wanted this to be an easy place to start, not overly difficult. I hope you have fun with it, and learn some stuff!
Conclusion and next steps for you
That is really it. Go download these scripts and JSON files, get them imported into your environment, and take them for a test drive. I am open to feedback and improvements as well. I hope this takes some of that initial “activation energy” out of playing with the new hotness and learning some of its gotchas.
Hardly anyone in the SMB space is out there using this stuff, so set yourself apart and get educated. This year is going to be THE year of Microsoft 365–especially in the small and mid-sized business. Don’t be a laggard, be on time to this game. You won’t be early at this point–this stuff has been widely adopted in the Enterprise for a long time (and is gaining traction quickly in the SMB space with the growing popularity of SKUs like EM+S and M365 Business).
Just follow the test/pilot/production strategy as I said–and you may decide to make some adjustments. Maybe you don’t like Application Guard or something–okay, whatever, disable it for now–maybe that’s next quarter for you. But soon enough you’ll have this stuff down pat. Just. Get. Moving.
Footnote #1: What about the Security baselines that Intune introduced? Well, they aren’t ready yet. Microsoft explicitly says not to use them in production. Also, without making any adjustments to the default selections on the October 2018 baselines, they follow SECCON 3, which is pretty restrictive and not a great user experience (albeit a good security baseline to aspire to). I’d like to see MS package the rest of the security configuration framework also…
I find that the policies I have included here are a great baseline for many small and mid-sized orgs. Always room for improvement, no doubt, and we have to keep an eye on the packaged baselines as they evolve. But this is enough to get you going in the right direction.
Footnote #2: By the way, the scripts save you time, every time. If you make a ton of modifications to the policies or make up your own policies, just use the export scripts from Microsoft (also included on my GitHub), and you’ll be able to modify Setup-Intune.ps1 to pull those policies in.