In this video, Pete Zerger demonstrates a few of the compliance and configuration policy options available in Microsoft Intune (standalone), and discusses how Microsoft Intune enhances conditional access in Azure Active Directory Premium.
- Microsoft Intune is a cloud-based service with myriad features. And while exhaustive coverage of Intune is not in scope for this course, I want to share some info on Intune standalone features and, more specifically, how you can better manage and secure a Windows 10 device, given the security focus of this course. I'm logged in to the Azure portal, where I can now find Intune on the left navigation pane. Now, here on the new portal, I can browse and create policies to manage my Windows 10 devices.
Let's start by looking at a compliance policy, which allows me to establish a baseline for what a compliant device means in Windows 10. So I'll open a policy that's already been configured, and we'll see a few basic properties here. So I can require devices to be reported as healthy by the Windows Device Health Attestation Service, which is a new feature in Windows 10 that can check for settings such as boot attributes, TPM chips, and BitLocker, to better protect our internal network from outside computers that don't meet corporate standards.
And from a security perspective, I may want to require a minimum version of Windows 10, for example. And before I'm finished, I may want to set how long compliance lasts before we require that device to be reevaluated as healthy and compliant. Once a device has been evaluated, you'll notice that right there in the home screen I see a compliance report; I can see, for example, that this particular device is compliant and who its primary user is.
Intune's integration with Azure AD identity also enables us to enhance our control of the user's access based on more granular definitions of device compliance than we can with Azure AD-only conditional access. Conditional access in Intune enables us to further secure access based on device state with that deeper criteria, as well as using app-based conditional access and mobile application management, which adds an additional layer of security by making sure only mobile apps that support Intune app protection policies can access Exchange Online.
Now, certainly, deploying software updates and even OS upgrades are possible with Intune, for example, upgrading Windows 10 Pro to Windows 10 Enterprise. Device configuration policies in Intune allow us to configure a variety of OS settings, and device restriction settings in particular fit very well into a security-centric discussion. So I will click on Create a configuration policy. I'll opt to create a profile, and for platform I'll select Windows 10 and later, and for the profile type I'll pick Device restrictions.
And here we'll find a variety of settings related to the security of the device, allowing or blocking a particular feature such as the camera or screen capture. We'll notice more than 20 Edge browser settings, for example, as well as settings related to cloud and storage. So Intune device management for Windows 10 extends our reach, establishing acceptable conditions for access and a more secure state for the desktops in our enterprise.
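The two objects the video builds by clicking through the portal (a Windows 10 compliance policy requiring a healthy Device Health Attestation report, a minimum OS version and a compliance grace period, and a device restriction profile that blocks the camera and screen capture) can be created the same way through Microsoft Graph. The script below is an added example and is not part of the course or of Microsoft's documentation; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can be granted `DeviceManagementConfiguration.ReadWrite.All`, and the policy names, description text, minimum build number and 24-hour grace period are illustrative values chosen here, not settings from the video.

```powershell
# Added example (not from the course): create the compliance policy and the
# device restriction profile shown in the video through Microsoft Graph,
# using the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Display names, the minimum OS build and the grace period are assumptions.

#Requires -Modules Microsoft.Graph.Authentication

function New-Win10CompliancePolicyBody {
    param(
        [string]$DisplayName      = 'Win10 - Corporate baseline',   # assumption
        [string]$OsMinimumVersion = '10.0.19045.0',                 # assumption: Windows 10 22H2
        [int]$GracePeriodHours    = 24                              # assumption: how long non-compliance is tolerated
    )
    @{
        '@odata.type'              = '#microsoft.graph.windows10CompliancePolicy'
        displayName                = $DisplayName
        description                = 'Baseline for a compliant Windows 10 device'
        osMinimumVersion           = $OsMinimumVersion
        requireHealthyDeviceReport = $true    # Windows Device Health Attestation
        bitLockerEnabled           = $true
        secureBootEnabled          = $true
        codeIntegrityEnabled       = $true
        # Graph requires at least one scheduled action on a compliance policy;
        # the rule name must be PasswordRequired. actionType "block" after the
        # grace period is what marks the device non-compliant for conditional access.
        scheduledActionsForRule    = @(
            @{
                ruleName = 'PasswordRequired'
                scheduledActionConfigurations = @(
                    @{
                        actionType                = 'block'
                        gracePeriodHours          = $GracePeriodHours
                        notificationTemplateId    = ''
                        notificationMessageCCList = @()
                    }
                )
            }
        )
    }
}

function New-Win10DeviceRestrictionBody {
    param([string]$DisplayName = 'Win10 - Device restrictions')   # assumption
    @{
        '@odata.type'                        = '#microsoft.graph.windows10GeneralConfiguration'
        displayName                          = $DisplayName
        description                          = 'Block camera and screen capture; require storage encryption'
        cameraBlocked                        = $true
        screenCaptureBlocked                 = $true
        storageRequireMobileDeviceEncryption = $true
    }
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# ConvertTo-Json's default depth of 2 would flatten the nested scheduledActionsForRule array.
$complianceJson = New-Win10CompliancePolicyBody | ConvertTo-Json -Depth 10
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body $complianceJson -ContentType 'application/json'
"Created compliance policy $($policy.id)"

$restrictionJson = New-Win10DeviceRestrictionBody | ConvertTo-Json -Depth 10
$restrictionProfile = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body $restrictionJson -ContentType 'application/json'
"Created device restriction profile $($restrictionProfile.id)"

# Verify: the same information the portal's compliance report shows, per Windows device.
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       '?$filter=operatingSystem eq ''Windows''' +
       '&$select=deviceName,userPrincipalName,complianceState'
Invoke-MgGraphRequest -Method GET -Uri $uri |
    Select-Object -ExpandProperty value |
    Format-Table deviceName, userPrincipalName, complianceState
```

Neither object is assigned to any group by this script; assignment is a separate `assign` action on each policy, so creating them is safe to do in a test tenant before anything is enforced. Once assigned, a device that fails the policy after the grace period reports `complianceState` of `noncompliant`, which is the signal an Azure AD conditional access policy with the "require device to be marked as compliant" control acts on.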
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups