Intune for Enterprises

Intune for Enterprises

This article ‘Intune for Enterprises‘ is part of the Festive Tech Calendar 2021. An online event by the community, for the community!

superpower your azure ad tenant


1. What is this blog post all about?

Well, I already have a session where I speak about this topic. I will include the video below. This blog post will write out what I’ll propose to do so you can easily come back and look at it for use in your own (demo/test) environment.


2. Governance

  • Use naming conventions in your Intune environment to create structure
  • Use these naming conventions tenant wide:
    • In your Azure AD Groups
    • In your configuration profiles
    • In your endpoint security profiles


3. Bring Structure where there is no built in structure

There is no built-in structure for managing devices in Azure AD. I bring this with using Group Tags and creating structure with as much dynamic groups as possible.

This will make your environment future proof, you can always create more dynamic groups based on your group tags that fit your needs. Or expand your Group Tag structure.

Some query’s to use in your dynamic Groups (with the example above):

  • All Production (environment) devices: (device.devicePhysicalIds -any (_ -match “.OrderId.:.-..-.-P-*”))
  • All Belgian devices: (device.devicePhysicalIds -any (_ -match “.OrderId.:.-BE-*”))

Some explanation of the dynamic query’s:

  • . = any character
  • * = everything behind / before doesn’t matter

The options are limitless with this.


4. Use a Security Baseline

Please create a Security Baseline for your Windows 10 devices. In my opinion the built-in Security Baseline for W10 is nice, but it has it’s limitations. As some settings can only be activated with Enabled or Not Configured, it’s difficult to use this built-in baseline when you need to create some exceptions or have to disable some settings again.

Rebuilt it with Settings Catalog + fill the gap with Administrative Templates.

Put an extra layer on the W10 Security Baseline with the recommendations from NIST or CIS or …

Put your own flavor on it (built on your expertise).

Create not only a Security Baseline for W10, but also do this for the M365 Apps, for Edge.


5. The Power of the Rings

I’m pretty sure everyone in your organization is using Rings (collection of devices/users) for deploying Windows Updates (with WufB offc).

Extend this to everything! Use rings in your configuration profiles (and OK, you’ll have multiple of the same profiles, but you won’t impact production when changing something in a profile). Align everything with these rings.

For example third party app updates can also be aligned with rings when using SCAPPMAN.

Align your M365 Apps for Enterprises also with your update rings! You’ll have more time for testing.

And make your rings populate on a random query. It will give you the best result when testing and using rings in your environment.


6. Device naming

Don’t spend time on putting together naming conventions for your devices. That’s too 90’s.

Some things I do:

  • Country in device name (example: BE-%SERIAL%)
  • Year of purchase of the device (example: 2021-%SERIAL%)
  • Put the serial of your device (or a piece of it) in your device name, it’ll make your life easier looking up the Autopilot Device.


7. Join Type

Go Azure AD Join. Only use Hybrid Join for transitioning to Azure AD Join.


Happy festive holiday testing!