Microsoft Intune Best Practices for IT Directors

As modern workspaces continue to evolve, managing and securing corporate resources across multiple devices has become a challenge for directors of IT at B2B organizations. Microsoft Intune, a part of Microsoft’s Enterprise Mobility + Security (EMS) suite, offers a robust solution for mobile device management (MDM) and mobile application management (MAM). Leveraging Intune effectively ensures that your organization’s devices and data stay secure while affording employees the flexibility they need to remain productive.

In this blog post, we’ll explore an array of best practices tailored specifically for IT directors seeking to maximize the potential of Microsoft Intune within their organizations. To do this, we reached out the Chuck Edgar, M365 Engineer, here at R3 to get his list of best practices for getting the most out of Intune.

Setting Up Intune: The Foundation

1. Establish Clear Device Enrollment Policies and Device Compliance
   Create straightforward policies for enrolling company and employee-owned devices into Intune. Define the types of devices permitted and the terms of usage clearly to avoid ambiguities and enforce compliance.

   Device Compliance: Intune lets you assign configuration policy and security settings to your corporate devices. Unfortunately, Intune does not verify if these settings are configured. That is where Compliance policies come in. Compliance policies should align with device configuration and security policies to verify that they take effect. The built in Windows 10 and later, macOS, Android, iOS/ ipadOS compliance policies can verify settings like device encryption, operating system version, Microsoft Defender machine risk score, etc.

   Custom Compliance: On Windows 10 and later you can make a custom compliance policy for settings that fall outside the built in compliance policies. For example, verifying if certain software is installed.

2. Set Up Enrollment Restrictions
   Protect organizational resources by setting up conditional access policies that control when and how users can access company data based on their compliance status, device platform, location, and risk level.

   Intune can be restricted by the number of devices a user has registered or by platform. This helps ensure that only the devices you want are enrolled. You can set Min and Max versions of the operating system, block personally owned devices, or even entire platforms. For Android devices you can also block by maker of the device.

3. Reprovisioning Existing Workstations
   Once enrolled in Intune, workstations can be reprovisioned to either deploy to another end user or to resolve an issue quickly and remotely with Windows.
4. Application Deployment in Intune
   Applications can be deployed from Intune in several methods.  The Microsoft Store is the preferred method of deployment. The manufacturer of the software will provide updates and the workstations will update automatically. If the application is not available in the store then Win32 is the next best method. Applications can be deployed using exe, MSI, CMD or PowerShell. One can also include other resources as required by the application. 

Using Intune: Daily Management

6. Leverage Automated Compliance Policies
   Automate compliance checks to continually evaluate devices against the organization’s security benchmarks and take remedial actions or notify IT personnel if any device falls out of compliance.
7. Mobile Application Management (MAM)
   Develop a Bring Your Own Device (BYOD) strategy that employs application protection policies in Intune, thus keeping organizational data secure in personal devices without intruding on the users’ private information.
8. Utilize Intune’s Reporting Features
   Regularly review Intune’s built-in reporting features to gain insights into the health, compliance, and usage patterns of the managed devices within your organization, enabling proactive management and decision-making.

Collaborating in Intune: Enhancing Teamwork

9. Integrate with Azure Active Directory
   Synchronize Microsoft Intune with Azure AD for a seamless identity management experience across all devices, facilitating better control and collaboration among the IT team.
10. Align with the Microsoft 365 Ecosystem
    Foster collaboration by integrating Intune with other Microsoft 365 apps and tools. Utilize MAM capabilities to manage and secure data within Office 365 applications across all devices.
11. Conduct Regular Training Sessions
    Ensure that your IT support team is proficient with Intune by conducting regular training and knowledge transfer sessions. A well-informed team is key to sustaining an effective and secure environment.

Other Essential Best Practices

12. Configure Microsoft Autopilot
    A subset of Intune is Autopilot which is extremely useful for Windows 10 and later endpoint provisioning. At the time of purchase the vendor enrolls the device into Autopilot and ships the computer to the end user. When the end user receives the device, they unbox it and connect it to the internet. Once connected the user logs in with their email address and password. Autopilot enrolls the device in Entra ID and Intune. Intune will then provision the device name, configurations, applications, etc, providing a near zero touch deployment.
13. Keep Policies and Apps Updated
    Consistently monitor and update your Intune policies and managed applications to stay aligned with the latest security threats and software updates.
14. Utilize Group Targeting
    Apply policies and deploy applications selectively using group targeting to ensure that the right users have the necessary tools and configurations based on their specific needs.
15. Prepare for Incident Response
    Develop a robust incident response plan that includes steps for utilizing Intune’s capabilities for remotely locating, locking, or wiping compromised devices to mitigate data loss or theft.

    Microsoft Defender: Intune makes it very easy to link Intune to Microsoft Defender for Endpoint to onboard and protect endpoints. Once configured the onboarding script stays up to date and needs very little maintenance. The other methods of enrollment are much more difficult and are for limited device enrollment.

16. Set Up Reporting Dashboards
    Intune has a limited but useful set of built in reports. For example, there is a Cloud PC overview report that shows latency and utilization of the Windows 365 Cloud PCs in your tenant. You can use this data to determine if your Windows 365 licensing is actually being used. Another useful report is Device compliance. After defining custom device compliance policies, you can use the report to verify what devices need your attention.
17. Use App Discovery to Identify Existing Apps
    Found within Apps – Monitor – Discovered apps, one can easily search for applications and receive a list of endpoints it is installed on. This allows you to verify that an application does not exist in your environment.
18. Filters vs Dynamic Groups
    Filters are a relatively new feature of Intune. Previously one had to make dynamic groups in Entra ID. This reduced performance because Intune had to talk to another platform to determine if the device was assigned to policy. With filters performance is increased because it is native to Intune.
19. Local Administrator Password Solution (LAPS)
    LAPS is not an Intune only solution. However, it is relatively easy to deploy and retrieve the password from Intune. The previous way of managing local administrators was creating a single local admin and password and then applying it to every computer. If that account was ever compromised then it was trying to update on all computers. With LAPS every computer has a unique password. If that password ever needs shared with a user you can easily retrieve the password from with Intune and then rotate the password after the issue has been resolved.
20. Remediations for Issue Detection
    Remediations is an extremely powerful feature of Intune. Unfortunately, it also requires a Microsoft 365 E5 license. However, once the licensing requirement is met remediations is unlocked in Intune. Remediations allows you to use PowerShell to not only detect an issue but also remediate the issue. An example would be verifying that the LAPS account is on all computers. If it is not then the remediation script will create it.
21. Local Group Membership
    Combined with LAPS, Local Group Membership found within Endpoint security can be a powerful tool. Once configured the policy dictates who is a local administrator on the computer and removes any account not listed in the policy.

Conclusion

Intune plays a pivotal role in ensuring that company resources remain secure, especially in distributed work environments. As an IT director, by adhering to these best practices, you are not only facilitating a secure and manageable MDM and MAM deployment but also upholding the productivity and efficiency of your workforce.

Embrace these practices as part of your mobile device and application management strategy and place your B2B organization in a strong posture to face the diverse challenges of today’s digital workspace. Your due diligence in setting up, using, and collaborating within Microsoft Intune is your first defense against the complexities of modern IT management.