BlogFirst lesson
Sign Up

How to manage devices using Intune

Managing devices using Intune is typically done through configuration policies. Configuration policies are like group policies but more. If you don't know group policy, don't worry, I'll explain without the example.

Configuration policies allow you to configure the Intune connected devices. You can set all sorts of things. For example, you can require a password on the device. Configure BitLocker on Windows 10 devices and a whole lot more. Since Microsoft makes Windows (and Windows is more complicated than Android and iOS devices), there's more you can do with Windows devices than other manufacturers. So let's dig into managing Windows 10 devices Intune.

Create a Windows 10 Device Configuration profile to set Telemetry data

So let's start off easy. Let's say your boss (or a question on the MS-500) wants you to disable telemetry data from being sent to Microsoft. How do you do it? With a device configuration profile that has device restrictions configured! Let's jump in.

1. Go to Microsoft Endpoint Manager admin center > Devices > Windows > Configuration profiles. Click Create profile. Set the platform to Windows 10 and later. Set the profile type to templates. Select Device restriction under Template name. Click Create.

Create a configuration profile

2. Name the profile "Disable telemetry" Click Next.

Name the configuration profile

3. Scroll down and expand Reporting and telemetry. Set Share usage data to Diagnostic data off. Click Next.

Disable Telemetry on Windows 10 through Intune

4. For Assignments click Add all users. (don't worry, I'll explain this section next.). Click Next.

Set the assignments in Intune

5. Click Next > Create.

That's it. Now you just need to wait until your devices check-in and the policy will be applied.

Understanding assignments in Intune

Device restrictions assignments

Assigning policies and profiles in Intune is important and can be a bit tricky so let's break it down. First is "included groups". Included groups are who or what machines are included in the role out of the profile. For example, in the telemetry profile above we set it to All Users. So that profile will apply to every user that logs onto a Windows 10 computer that checks into Intune. Why is it Windows 10 and later? Because when we created the profile we set "Windows 10 and later" as the platform. That profile won't affect Android, iOS, or Macs regardless of the users.

Now, you may have noticed in the assignments section there's an area for Excluded groups. Excluded groups take precedence over included groups. So if you select "All Users" in the included groups and then select "Accountants" in the excluded groups the profile will apply to All Users with the exception of the users in the "Accountants" group.

One last thing, you may have noticed you can assign policies (include or exclude) to users or device groups. What's the difference? Well, if you assign a profile to a device it doesn't matter who logs onto the device the profile will get applied. If you assign the profile to a user then any device (that meets the profile limits) that the user logs onto will get the profile.

Now, what happens when you mix the two? Let's take an example. If you assign a profile to the All Users users group but exclude an Accounts Devices device group. In this mixed group app assignment, All users get the profile. The exclusion does not apply. So Microsoft, and I recommend not mixing the two. Either assign and exclude users or assign and exclude devices, but don't try and mix and match.

File obfuscation by using the registry

Lastly, you can obscure files by using the registry. Simply create the following registry dword on the computer or save the following 3 lines to a file named Obfuscate.reg and then run the file on the computer.

Windows Registry Editor Version 5.00



How to enable SmartScreen

So now that we've configured a basic configuration profile let's talk about Endpoint security. As you saw under the template name when creating the device configuration profile there are a ton of options available in the Device Configuration profiles section. Surprisingly, that's not the only place to perform device configuration. There are even more settings! So now let's enable SmartScreen.

1. Go to Microsoft Endpoint Manager admin center > Endpoint security > Attack surface reduction. Click Create Policy. Set the Platform to Windows 10 and later. Set the Profile to Application control. Click Create.

Create an Attack surface reduction policy

2. Name the policy "Enable SmartScreen". Click Next.

3. Set App locker application control to Enforce Components, Store Apps, and Smartlocker. Set Turn on Windows SmartScreen to Yes. Click Next.

Enable SmartScreen

4. Click Next on the scope tags page. On the Assignments page set the Included groups to whatever group you want, for example, Intune Endpoint Protection. Set the excluded groups to whatever groups you want, for example, Intune Help Desk Operators. Click Next.

Now with that policy configured every user that is a member of the Included group above that is not a member of the Excluded group will have SmartScreen turned on. So in the example above every user that is a member of the Intune Endpoint Protection group that isn't a member of the Intune Help Desk Operators group will have SmartScreen enabled. Lastly, we configured SmartScreen to only warn users. The users can still bypass SmartScreen.

How to enable Windows Defender Exploit Guard

Windows Defender Exploit Guard is another great way to reduce the attack surface of your Windows 10 devices. Let's enable Windows Defender Exploit Guard using an Endpoint protection device configuration.

1. Go to Microsoft Endpoint Manager admin center > Devices > Windows > Configuration profiles. Click Create profile. Set Platform to Windows 10 and later. Set Profile type to Templates. Set the Template name to Endpoint protection. Click Create.

Create an endpoint protection profile in Intune

2. Name the profile "Enable Windows Defender Exploit Guard". Click Next.

3. Set all the policies under Microsoft Defender Exploit Guard > Attack Surface Reduction to either Enable or Block.

Enable Attack Surface Reduction Policies

4. Set the following to Enable: Microsoft Defender Exploit Guard > Controlled folder access > Folder protection.

Enable Folder Protection

5. Set the following to Enable: Microsoft Defender Exploit Guard > Network filtering > Network protection.

Enable Network protection

6. On the Assignments page click Add all users or select the user group you want to enable it for. Click Next. On the Applicability Rules page click Next. Click Create.

Notes about Bitlocker

Enabling and configuring Bitlocker is possible with Intune. In short, you can encrypt a computer using Intune / Bitlocker and the user won't even know it's happening. Unfortunately, configuring Bitlocker would make this article too long but you may experience some questions about Bitlocker on the MS-500 so I'll answer those questions quickly below:

  • Bitlocker to Go is Bitlocker for removable media. It is possible to encrypt removable media with Intune. You don't even need TPM on the Windows device. In short, you use Intune to protect removable media and then configure Bitlocker to require a passcode.
  • Bitlocker auto-unlock is also available through Intune. Bitlocker auto-unlock will automatically unlock data drives (for example a D: drive) when the OS drive (for example a C: drive) is unlocked. Bitlocker auto-unlock does not require TPM but it does require the OS drive to be encrypted.