You're reading from Mastering Microsoft Intune - Second Edition

Product type: Book
Published in: Mar 2024
Publisher: Packt
ISBN-13: 9781835468517
Edition: 2nd Edition
Authors (2):

Christiaan Brinkhoff

Christiaan Brinkhoff works as a Principal Program Manager and Community Director for Windows 365 and AVD at Microsoft, where he works on features such as Windows 11, the Windows 365 app, Switch, and Boot. Christiaan is also an author (3 books) and inventor (3 patents). His mission is to drive innovation while bringing Windows 365, Windows, and Microsoft Intune closer together, and to drive community efforts around virtualization that empower Microsoft customers to leverage new cloud virtualization scenarios. Christiaan joined Microsoft in 2018 as part of the FSLogix acquisition. He has also been awarded the Microsoft MVP, Citrix CTP, and VMware vExpert community achievements for his continued support of the EUC community.

Per Larsen

Per Larsen works as a Senior Program Manager for Microsoft Endpoint Manager - Customer Acceleration Team - Commercial Management Experiences (CMX) Engineering, where he takes learnings from Microsoft's largest and most strategic customers back into the rest of engineering to drive improvements for the service so that customers have a continuously improving product experience. He also helps deploy and adopt Microsoft Endpoint Manager - Microsoft Intune. Per mainly focuses on the management of Windows and special devices such as HoloLens 2, Surface Hub, and Microsoft Teams Room System. Per was also an MVP in Enterprise Mobility, from 1st July 2016 to when he joined Microsoft on 1st April 2018.

Advanced Policy Management

This is the second chapter on policy management in this book. You will learn about the different policy options available to customize and secure the Windows 10 and Windows 11 Enterprise desktops in your environment. This chapter will be very broad in terms of content and topics related to Windows OS customizations, Microsoft 365 apps (Office, OneDrive, and so on), and Group Policy management.

We will cover different scenarios – some partial scenarios and some end-to-end scenarios. The most important part of this chapter is about the different policy options that exist in Microsoft Intune, and when and how you can leverage the different policy types in the best way to accomplish the task you need for your enterprise.

In this chapter, we’ll be covering the following topics:

  • Configuring a policy from the Microsoft Intune Security blade
  • Configuring your Endpoint security profile
  • Windows unhealthy endpoints
  • ...

Policy management

Using Microsoft Intune to manage your Windows 10 or 11 Enterprise desktops is all about standardizing and simplifying the management layer of your environment. In Chapter 9, Understanding Policy Management, we covered the basics of how MDM policies work on the client side. We also learned how to get started with MDM policy management either from scratch or with Group Policy analytics.

In this chapter, we will look at different ways to configure settings within Microsoft Intune. We will start with security baselines as those are best practices for securing your desktops.

Configuring a policy from the Microsoft Intune Security blade

You should start with a security baseline if your organization is ready for it. Let’s say that your organization is already leveraging a Microsoft security baseline such as Center for Internet Security (CIS) Benchmarks. With GPOs today, you already know the impact that a security baseline can have on your Windows production...

Importing ADMX

You can import custom and/or third-party ADMX and Administrative Template Language (ADML) templates into the Microsoft Intune admin center. Once imported, you can create a device configuration policy using these settings, and then assign the policy to your managed Windows devices.

A good source to get the Group Policy Administrative Templates Catalog is https://admx.help/.

There are also some product-specific links here:

Limitations:

  • 20 ADMX files is the maximum number that can be uploaded to Intune. Each file must be 1 MB or smaller.
  • For each ADMX...
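Before uploading third-party templates, it saves round trips to check them against the import limits stated above. The following PowerShell pre-flight script is an added example and not code from the book or from Microsoft. It assumes the templates sit under an assumed folder (`C:\Temp\admx`) with the ADML files in a culture subfolder such as `en-US`, and it additionally lists the namespaces each ADMX pulls in through its `<using>` elements, because a template's dependencies have to be present before it can be ingested (this dependency point goes beyond the excerpt).

```powershell
# Added example (not from the book): pre-flight check of an ADMX/ADML folder against the
# Intune import limits the chapter states (max 20 ADMX files, each 1 MB or smaller).
# Assumptions: templates live in $TemplateRoot, ADML files sit in a culture subfolder,
# and the namespaces named in <using> elements must already be uploaded.
param(
    [string]$TemplateRoot = 'C:\Temp\admx',   # assumed location of the exported templates
    [string]$Culture      = 'en-US'           # assumed language folder for the ADML files
)

$maxFiles = 20
$maxBytes = 1MB

$admxFiles = @(Get-ChildItem -Path $TemplateRoot -Filter '*.admx' -File)
if ($admxFiles.Count -eq 0) {
    Write-Error "No .admx files found under $TemplateRoot"
    exit 1
}

$report = foreach ($file in $admxFiles) {
    # Each <using> element names a namespace this template depends on
    [xml]$doc = Get-Content -Path $file.FullName -Raw
    $usings = @($doc.policyDefinitions.policyNamespaces.using | ForEach-Object { $_.namespace })

    # Matching ADML: same base name, .adml extension, in the culture subfolder
    $admlName = [IO.Path]::ChangeExtension($file.Name, '.adml')
    $admlPath = Join-Path (Join-Path $file.DirectoryName $Culture) $admlName

    [pscustomobject]@{
        Name         = $file.Name
        SizeKB       = [math]::Round($file.Length / 1KB, 1)
        OverSize     = $file.Length -gt $maxBytes
        AdmlFound    = Test-Path -Path $admlPath
        Dependencies = $usings -join ', '
    }
}

$report | Format-Table -AutoSize

$problems = @()
if ($admxFiles.Count -gt $maxFiles) {
    $problems += "$($admxFiles.Count) ADMX files exceeds the limit of $maxFiles"
}
$problems += $report | Where-Object OverSize | ForEach-Object { "$($_.Name) is larger than 1 MB" }
$problems += $report | Where-Object { -not $_.AdmlFound } | ForEach-Object { "$($_.Name) has no $Culture ADML" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Pre-flight passed: file count and sizes are within the import limits.'
exit 0
```

Run it from the folder you exported the templates to; a non-zero exit code means at least one file would be rejected, and the Dependencies column tells you which namespaces (typically the Windows base templates) need to be uploaded first.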

Configuring administrative templates

Administrative templates include thousands of settings that control features in Microsoft Edge version 77 and later, Internet Explorer, Microsoft Office, Remote Desktop, OneDrive, passwords, PINs, and more. These settings allow IT pro administrators to manage group policies using Microsoft Intune in the cloud.

The Windows settings are GPO settings that you already know about from Active Directory (AD). These settings, which are built into Windows, are ADMX-backed settings that use XML. The Office and Microsoft Edge settings are ADMX-ingested and use the ADMX settings in Office administrative template files and Microsoft Edge administrative template files.

Not all ADMX-backed policies are supported on every Windows version, so it is a good idea to keep the Windows version in your organization as current as possible. To verify which ADMX policies are supported on the Windows build you are running, check the Windows Policy CSP documentation:...

OneDrive – block syncing specific file extensions

One of the key releases customers have been waiting for is the ability to exclude files, folders, and extensions from syncing. I will explain this in more depth in this section, along with some more tips and tricks for using OneDrive.

This setting lets you enter keywords to prevent uploading certain files to OneDrive. You can enter complete names, such as setup.exe, or use the asterisk (*) as a wildcard character to represent a series of characters.

In this example, it is .lnk files that will be excluded from syncing to OneDrive for Business.

Figure 10.48: Exclude specific kinds of files from being uploaded

If you enable this setting, the sync app doesn’t upload new files that match the keywords you specified. No errors appear for the skipped files, and the files remain in the local OneDrive folder. The OneDrive sync app must be restarted after this setting is enabled for the...
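Because skipped files produce no error, the only way to confirm on a device that the exclusion policy actually landed is to look at what the sync app will read. The following detection script is an added example, not the book's or Microsoft's code; it is written in the shape of an Intune remediation detection script (exit 0 = compliant, exit 1 = not compliant) and assumes that the policy writes its keyword list as one registry value per keyword under `HKLM\SOFTWARE\Policies\Microsoft\OneDrive\EnableODIgnoreListFromGPO`.

```powershell
# Added example (not from the book): detection script that verifies the
# "Exclude specific kinds of files from being uploaded" policy is present on a device.
# Assumption: the policy stores one registry value per keyword under this key.
$IgnoreListKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive\EnableODIgnoreListFromGPO'

# Keywords the policy is expected to carry (constructed sample matching the chapter's .lnk example)
$ExpectedKeywords = @('*.lnk')

function Get-OneDriveIgnoreList {
    # Returns the keyword data of every value under the policy key, or nothing if absent
    if (-not (Test-Path -Path $IgnoreListKey)) { return @() }
    $key = Get-Item -Path $IgnoreListKey
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        if ($data) { $data }
    }
}

$present = @(Get-OneDriveIgnoreList)
# -notcontains is case-insensitive, so '*.LNK' in the policy still satisfies '*.lnk'
$missing = @($ExpectedKeywords | Where-Object { $present -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Output "Missing OneDrive upload exclusions: $($missing -join ', ')"
    exit 1
}
Write-Output "OneDrive upload exclusions present: $($present -join ', ')"
exit 0
```

Pair it with a remediation that reapplies the policy, and remember the caveat from the chapter: the sync app has to be restarted before a newly delivered list takes effect, so a device can report compliant here while the running OneDrive process still uses the old list.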

Configure device configuration (template)

Templates contain groups of settings, organized by functionality. You should use a template when you don’t want to build policies manually or want to configure devices to access corporate networks, such as configuring Wi-Fi or VPN.

We will show some examples, along with use cases, in this section.

The first example is Device Firmware Configuration Interface (DFCI). If you have devices that support DFCI, bear in mind that it requires the device to be registered through the Autopilot service by the CSP or OEM process; read more about that in Chapter 7. DFCI enables Windows to pass management commands from Intune to Unified Extensible Firmware Interface (UEFI). In Intune, you use this feature to control BIOS settings. Typically, firmware is more resilient to malicious attacks. DFCI limits end users’ control over the BIOS, which is good in a compromised situation...

Config Refresh

Config Refresh is a feature that lets you set a cadence at which Windows devices reapply the policy settings they have already received, so that your settings stay the way you configured them. The refresh of already received configuration policies runs whether the device is online or offline. The default Config Refresh cadence is every 90 minutes once the policy is configured and deployed to devices, but it can be set to as often as every 30 minutes if desired.

The normal policy refresh cycle is 8 hours as that is the MDM sync interval.

To create a profile that enables Config Refresh, open the Microsoft Intune admin center:

Go to Home | Devices | Windows | Configuration profiles | Create New policy and apply the following:

  • Platform: Select Windows 10 and later
  • Profile type: Select Settings catalog
  • Search for Config Refresh in the settings picker:
...

Pushing PowerShell scripts – scripted actions to endpoints

If there is no policy for the configuration change that you need to make on your corporate devices, you can leverage PowerShell scripts in Microsoft Intune. This is also a good way of publishing one-time installations or custom-scripted actions to both your physical and cloud endpoints. In this scenario, we will configure Set time zone automatically to On. It also requires location services to be turned on. Take a look at Chapter 16 to see how to enable location services on your devices.

Figure 10.57: Set time zone automatically is set to Off

We can leverage a PowerShell script option to configure the registry value that changes it to On as there is currently no Windows policy to configure it:

  1. In the Microsoft Intune admin center, browse to Home | Devices | Windows | Scripts | Platform scripts and click Add:

Figure 10.58: PowerShell scripts

  2. Click Select a file to upload...
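The script the chapter uploads is not reproduced in the excerpt. The following is an added example, not the book's own script, of what a platform script for this scenario looks like. The chapter does not name the registry value; the script uses the start type of the Auto Time Zone Updater service (`tzautoupdate`), which is the value the Set time zone automatically toggle flips, and it is written so that rerunning it is harmless and the exit code tells Intune whether it succeeded.

```powershell
# Added example (not from the book): Intune platform script that turns
# "Set time zone automatically" On. The toggle maps to the start type of the
# Auto Time Zone Updater service (tzautoupdate): 3 = Automatic (On), 4 = Disabled (Off).
# Runs as SYSTEM when deployed as a platform script; needs no user interaction.
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate'
$ValueName  = 'Start'
$Desired    = 3

function Set-AutoTimeZone {
    try {
        $current = (Get-ItemProperty -Path $ServiceKey -Name $ValueName -ErrorAction Stop).$ValueName
        if ($current -eq $Desired) {
            Write-Output "Set time zone automatically is already On (Start=$current)"
            return 0
        }

        # Flip the start type; -Type DWord keeps the value in the format the service expects
        Set-ItemProperty -Path $ServiceKey -Name $ValueName -Value $Desired -Type DWord -ErrorAction Stop

        # Start the service now so the change applies without waiting for a reboot;
        # it still needs location services enabled (see Chapter 16) to resolve a zone
        Start-Service -Name 'tzautoupdate' -ErrorAction SilentlyContinue

        Write-Output "Changed $ValueName from $current to $Desired"
        return 0
    }
    catch {
        Write-Error "Failed to configure automatic time zone: $($_.Exception.Message)"
        return 1
    }
}

exit (Set-AutoTimeZone)
```

Because platform scripts only report success or failure back to Intune, the `Write-Output` lines are for local troubleshooting; the exit code is what the admin center shows.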

Multi admin approval

For PowerShell scripts, you can also leverage a multi admin approval workflow in Microsoft Intune so that an IT admin cannot deploy PowerShell scripts to devices without another IT admin having approved it:

  1. In the Microsoft Intune admin center, browse to Home | Tenant administration | Multi Admin Approval | Access policies and click Create:

Figure 10.61: Multi Admin Approval

  2. Then you need to give the access policy a name and keep the default profile type as Script.
  3. A script policy will limit actions on a script, such as PowerShell scripts or remediation scripts. These could include create, edit, assign, and delete.
  4. You need to select a group of approvers:

Figure 10.62: Multi Admin Approval Approvers

When you create a new PowerShell script, you do not have the Assign step in the workflow, but you will need to add a business justification:

Figure 10.63: Business justification

In the Multi...

Compliance policies

Microsoft Intune can set a compliance state on a device. There are two possible outcomes for a device: compliant or noncompliant.

In Microsoft Intune, you can define the rules and settings that users and devices must meet to be compliant. If Conditional Access has been configured, then users and devices that are noncompliant can be blocked from accessing resources that contain corporate data.

If you are using Conditional Access to block noncompliant devices that are not Intune-managed, it also requires an Entra ID Premium license.

There are two types of compliance policies in Microsoft Intune:

  • Compliance policy settings: Tenant-wide settings that act like a built-in compliance policy that every device receives. The compliance policy settings set a baseline for how the compliance policy will work in your Microsoft Intune environment.

These settings configure the way the compliance service treats devices. Each device evaluates these...

Summary

In this chapter, you’ve learned about the different policy types and looked at scenarios for configuring Windows in a more modern way via Microsoft Intune for both physical and cloud endpoints. We have looked at some scenarios and policy configurations that you can leverage. In the policy management area, you need to figure out what kind of approach you want to take in your enterprise environment. When looking at pure cloud-managed devices and policies, it would be the perfect time to look forward and not backward. As examples, start by deploying policies that have a positive security impact, such as the Edge security baseline, Windows Defender policies, and so on. Then, look at deploying policies that will help your end users be more productive, such as configuring OneDrive Known Folder Move, policies that help end users start working in their apps better, such as autoconfiguring Microsoft Edge, removing prompts from applications, and so on. After testing with your...

Questions

  1. What is DFCI?
    (a) A service to optimize the performance of your SSD.
    (b) A service with a sense of humor.
    (c) Device Firmware Configuration Interface.
    (d) A way to configure UEFI on devices that support it.
  2. What is the recommended option to start configuring settings on your Windows endpoints?
    (a) Settings catalog
    (b) Administrative templates
    (c) Security baseline
    (d) Device restriction profile
  3. What policy type can you use to configure Microsoft Edge?
    (a) Shared multi-user device
    (b) Administrative templates
    (c) Kiosk profile
    (d) Device restriction profile

Answers

  1. (c)
  2. (a)
  3. (b)

Further reading

If you want to learn more after reading this chapter, please take a look at the following free online resources:
