Intro to Microsoft InTune

Questions and Answers

What is the primary purpose of Microsoft InTune?

  • Managing a company's finances.
  • Operating system development.
  • Managing the security of devices centrally. (correct)
  • Creating new software applications.

For what types of devices can Microsoft InTune be used?

  • Only Windows PCs.
  • Only Windows and macOS devices.
  • Windows, macOS, iOS, and Android devices. (correct)
  • Only company owned laptops.

How do you typically access Microsoft InTune?

  • By calling tech support.
  • Via a dedicated InTune desktop application.
  • By directly accessing the device's settings.
  • Through the Microsoft 365 portal as an admin. (correct)

What is the default device enrollment limit per user in Microsoft InTune?

  • Five devices. (D)

How can you enroll a company-owned Windows device into InTune?

  • By going to 'Settings' > 'Accounts' > 'Setup for work or school'. (C)

What happens if you block personally owned devices from joining InTune?

  • Enrolling via 'Setup for work or school' will fail. (B)

What should you check on a device to verify it is connected to Entra ID?

  • The 'Access work or school' settings. (A)

Which service works closely with Microsoft InTune for managing users and security?

  • Microsoft Entra ID. (A)

What is the purpose of creating Entra groups in relation to Microsoft InTune?

  • To apply InTune policies to users and devices. (D)

What type of group automatically assigns devices based on certain criteria?

  • Dynamic device group. (C)

What is Defender for Business?

  • An endpoint security solution integrated with InTune. (A)

Where is Defender for Business managed once set up?

  • From the InTune portal. (B)

What is the primary function of device compliance policies in InTune?

  • To ensure devices meet specific security standards. (C)

Where can you find the option to create configuration policies in InTune?

  • Under 'Devices > Configuration'. (D)

What are the two methods you can use to create configuration policies?

  • Using pre-set templates or via the settings catalog. (D)

Where can you find the application deployment options within the InTune portal?

  • Under 'Apps'. (C)

Flashcards

Microsoft InTune

A cloud-based system for centrally managing the security of devices.

InTune's Purpose

Paid service offering centralized security for Windows, macOS, iOS, and Android devices.

InTune Licensing

InTune Plan 1, InTune Plan 2, and InTune Suite, where Plan 1 is bundled in Microsoft 365 Business Premium.

Device Enrollment

Enroll company-owned devices for full configuration and security; handle personal devices accessing company resources differently.

Accessing Microsoft InTune

By accessing the Microsoft 365 portal as an admin.

Blocking Personally Owned Devices

Prevents personally owned devices from directly joining InTune and being enrolled.

Allowing Personally Owned Devices

Option to 'Allow' personally owned devices, enabling enrollment via 'Setup for work or school'.

Device platform restrictions

Assists in controlling which platforms can enroll into InTune.

Entra Groups

Used to apply InTune policies to users and devices.

Dynamic Device Groups

Automatically include devices based on defined criteria, e.g., all Windows 11 devices.

Defender for Business

An endpoint security solution integrated with InTune.

Endpoint Security policies

Create policies for antivirus, disk encryption and firewall.

Security baselines

Microsoft's recommended settings that can be located under Endpoint security.

Device Compliance Policies

They ensure devices meet security standards.

Creating a Compliance Policy

Define compliance settings related to device health, properties and system security.

Configuration Policies

Centralized management of device settings via InTune.

Installing Microsoft Office Applications

Install and exclude Microsoft Office apps by assigning the app to devices or user groups.

App Protection Policies

Manages and encrypts business applications on personal devices.

Configuring Data Protection Settings

Restrict data transfer, enforce encryption and control printing of organizational data.

Conditional Access for App Protection

Enforce app protection policies by creating a policy that targets all users and cloud apps.

Study Notes

Introduction to Microsoft InTune

  • Microsoft InTune is a cloud-based system for centrally managing the security of devices.
  • Intended for individuals starting in Microsoft 365 or as a refresher.
  • Suitable for businesses with diverse IT setups needing centralized management.

What is Microsoft InTune

  • Recommended for managing and securing devices in companies.
  • Used to manage devices such as Windows, macOS, iOS, and Android.

Common IT setup for Small Businesses

  • Mix of Windows desktop PCs and laptops.
  • Executive iPhones owned by the company.
  • Employees accessing Outlook and Teams on personal iPhones.
  • Data storage in OneDrive and SharePoint.
  • Use of Microsoft Office apps and bespoke line-of-business applications.

Microsoft InTune Licensing

  • InTune is a paid service with different plans: InTune Plan 1, InTune Plan 2, and InTune Suite.
  • InTune Suite has add-ons like InTune Remote Help.
  • InTune Plan 1 is $8 per user per month.
  • Bundled with Microsoft 365 Business Premium, which offers a full package for small businesses.
  • Microsoft 365 Business Premium includes InTune Plan 1.

Device Enrollment Recommendations

  • Enroll only company-owned devices in InTune for configuration and security.
  • Handle personally owned smartphones accessing company resources differently.

Accessing Microsoft InTune

  • Access via the Microsoft 365 portal as an admin.
  • The InTune admin center manages devices.
  • The Microsoft Entra admin center (Identity) works with InTune for users, authentication, and security.

Device Enrollment Options

  • Device limit restrictions: Set the number of devices each user can enroll. The default is five devices.
  • Device platform restrictions: Control which platforms can enroll.

Enrolling a Company-Owned Windows Device

  • Go to "Setup for work or school" on the device.
  • Enter Microsoft 365 username and password.
  • Complete MFA.
  • This is the easiest way to enroll a device into Entra ID; it will then come through to InTune.

Device Enrollment Settings

  • Blocking Personally Owned Devices: Prevents personally owned devices from joining InTune directly.
  • If blocking is enabled, enrolling via "Setup for work or school" will fail.

Alternative Enrollment Method

  • Autopilot is an alternative method but is outside the scope of this video.

Allowing Personally Owned Devices

  • Setting "Allow" for personally owned devices enables enrollment via "Setup for work or school".

Verifying Enrollment

  • Check the device's "Access work or school" settings to confirm connection to Entra ID.
  • In Entra ID, the device will be listed under "Devices."
  • The device will appear in the InTune admin center after syncing.

Enrolling Existing Devices

  • Existing devices can be enrolled by adding a work or school account in settings.

Enrolling Apple and Android Devices

  • InTune supports Apple and Android devices.
  • Specific setup details for these platforms are available in other videos.

Microsoft Entra Integration

  • Microsoft Entra works closely with Microsoft InTune.

Creating Entra Groups

  • Create Entra groups to apply InTune policies to users and devices.
  • Create dynamic device groups for automatic device assignment based on criteria.
  • Create dynamic user groups based on user attributes such as department.

Creating a Dynamic Device Group

  • "all windows 11 devices" is the name of the group.
  • Set the membership type to dynamic device group.
  • Add yourself as owner of the group.
  • Define a dynamic query to include Windows 11 devices automatically using the syntax "10.0.2".

Creating a Dynamic User Group

  • "Executive users" is the name of the group.
  • Set the membership type to dynamic user group.
  • Add yourself as owner of the group.
  • Define a query to include users in the "Executive" department automatically.

Securing Devices with Defender for Business

  • Defender for Business is an endpoint security solution integrated with InTune.
  • Manage Defender for Business from the InTune portal.

Setting up Defender for Business

  • Initial setup is required via the Microsoft 365 admin center.
  • Grant appropriate user access, such as security admin.
  • Configure notifications for incidents and vulnerabilities.
  • Choose to manage security settings using InTune.
  • Establish the connection between Defender for Business and InTune.
  • Enable the connection status "Connect Windows devices to Defender for Endpoint."
  • Once enabled, devices will onboard to Defender for Endpoint.

Configuring Endpoint Security Policies

  • Create policies for antivirus, disk encryption, firewall, and attack surface reduction.
  • Microsoft provides default recommendations for each setting.
  • Policies can be assigned to different groups for tailored security.
  • Security baselines offer pre-configured settings for quick setup.

Creating an Antivirus Policy

  • Go to Endpoint security > Antivirus and select 'Create policy.'
  • Choose Windows as the platform and name the policy descriptively.
  • Configure settings such as "Allow archive scanning," referring to Microsoft's default recommendations.

Security Baselines

  • Security baselines are Microsoft's recommended security configurations.
  • Located under Endpoint security > Security baselines.
  • Include settings for Defender, Firewall, and Edge policies.
  • A quick way to get started if your knowledge is limited.

Device Compliance Policies

  • InTune feature to ensure devices meet security standards.
  • Judge devices based on security configurations like firewall and antivirus status.
  • Non-compliant devices are those that do not meet the set standards.

Compliance Policy Settings

  • Found under Endpoint security > Device compliance.
  • Option to mark devices with no compliance policy as compliant or not.

Creating a Compliance Policy

  • Choose Windows 10 or later as the platform.
  • Define compliance settings related to device health (e.g., BitLocker), device properties (e.g., minimum OS version), and system security (e.g., firewall, antivirus).

Actions for Non-Compliance

  • Mark device as non-compliant immediately.
  • Send an email to the user with additional recipients (e.g., IT admin group).
  • Add the device to the retire list.
  • Policies should be created for all device types (iOS, macOS).

Configuration Policies

  • Centralized management of device settings via InTune.
  • Manage settings such as date and time or OneDrive configurations centrally.

Accessing Configuration Policies

  • Go to Devices > Configuration.
  • Can be created from templates or via the settings catalog.

Using Templates

  • Templates provide pre-configured settings for common configurations.
  • Example: Device restrictions template to block access to settings app or control panel.

Using the Settings Catalog

  • The settings catalog allows manual configuration of individual settings.
  • Example: Create a OneDrive configuration policy to manage OneDrive settings.
  • Settings include blocking file downloads, configuring team site libraries to sync automatically, and using OneDrive Files on Demand.

Application Deployment via InTune

  • Install applications to company devices via InTune.
  • Located under Apps in the InTune portal.

Installing Microsoft Office Applications

  • Create a new app and select Microsoft 365 Apps for Windows 10 and later.
  • Configure the app suite by selecting which Office apps to install or exclude.
  • Can also deploy Project and Visio.
  • Choose update channel and configure options for removing other Office versions.
  • Assign the app to devices or user groups.

App Installation Status

  • The device install status may not immediately reflect changes.
  • Verify installation by checking the installed apps on the device.

Other App Types

  • Web links: for certain websites.
  • Windows app (Win32): for custom line-of-business applications.

App Protection Policies

  • Manages and encrypts business applications on personal devices.
  • Ideal middle ground for securing data without fully managing personal phones.
  • Control and encrypt applications via app protection policies, and those can be removed if a user leaves the company.
  • Use for personally owned iPhones where end users install Outlook, Teams, and OneDrive.

Creating an App Protection Policy

  • Go to Apps > App protection policies.
  • Policies can be created for iOS/iPadOS and Android.
  • Select targeted apps (Microsoft apps or core apps).
  • Configure data protection settings (e.g., prevent backups to iTunes/iCloud, restrict data transfer to other apps).
  • Enforce encryption and control printing of organizational data.
  • Configure access requirements such as PIN for access and Touch ID.
  • Set app conditions for maximum failed attempts and offline grace periods.
  • Assign the policies to user accounts.

Conditional Access for App Protection

  • Enforce app protection policies using conditional access.
  • This is configured in Microsoft Entra ID (Identity protection > Conditional access).
  • Create a policy that targets all users, cloud apps, and iOS devices.
  • Grant access but require the app protection policy to be in place.
  • Enable the policy to ensure compliance.
