Intune Device Configuration
Last Updated: October 26, 2023
Microsoft Intune is a cloud-based service that helps you manage your mobile devices and applications. It allows you to control how your devices are used and how data is protected. This article provides a comprehensive guide to configuring devices using Microsoft Intune, covering essential policies and settings.
Key Concepts in Intune Device Configuration
Before diving into specific configurations, it's important to understand some core concepts:
- Configuration Profiles: These are sets of settings that you can deploy to your managed devices. They define how devices should be configured for Wi-Fi, VPN, email, security, and more.
- Compliance Policies: These policies define the rules and settings that a device must meet to be considered compliant. Compliance status is used in conditional access scenarios.
- Assignment: Profiles and policies are assigned to users or devices. You can assign them to specific groups, all users, or all devices.
- Device Platforms: Intune supports a wide range of device platforms, including iOS/iPadOS, Android, Windows, and macOS.
Creating a New Configuration Profile
Follow these steps to create a new configuration profile in the Microsoft Endpoint Manager admin center:
- Navigate to Devices > Configuration > Profiles.
- Click Create profile.
- Select the Platform (e.g., Windows 10 and later).
- Choose the Profile type (e.g., Settings catalog or Templates). For most modern configurations, the Settings catalog is recommended for granular control.
- Click Create.
- On the Basics tab, provide a Name and optional Description for your profile.
- Click Next.
Configuring Wi-Fi Settings
You can deploy Wi-Fi profiles to devices to automatically connect them to your corporate wireless network.
Using the Settings Catalog (Recommended for Windows 10/11)
This method offers the most flexibility.
# Example of selecting settings for Wi-Fi in Settings Catalog
# This is illustrative; actual selection is done via GUI
# Search for 'Wi-Fi' and select relevant settings like:
# - Wi-Fi / Wi-Fi profile
# - Wi-Fi / SSIDs
# - Wi-Fi / Security type
# - Wi-Fi / Authentication method
Using Templates (for specific scenarios)
Intune provides pre-defined templates for common configurations.
- In the Profile type section, select Templates.
- Choose the Template name, for example, Wi-Fi.
- Click Create.
- Configure the SSID name, security type (WPA2-Personal, WPA2-Enterprise), authentication method, and credentials.
Configuring VPN Settings
Deploying VPN profiles allows users to securely connect to your internal network from remote locations.
VPN Profile Configuration Steps
- Create a new configuration profile.
- Select the Platform and Profile type: VPN.
- Configure the connection details:
  - Connection type: Select your VPN provider (e.g., Cisco AnyConnect, Microsoft VPN).
  - Connection name: A user-friendly name for the VPN connection.
  - Server address: The FQDN or IP address of your VPN server.
  - Authentication method: e.g., Username and password, Certificate.
  - Proxy settings: If applicable.
- Assign the profile to the desired user or device groups.
Security Baselines
Security baselines are a recommended set of Microsoft-configured security settings that help secure devices. They are updated regularly to reflect current security best practices.
Applying a Security Baseline
- Navigate to Endpoint security > Security baselines.
- Select the baseline you wish to deploy (e.g., Windows 10 and later security baseline).
- Click Properties and review the settings. You can override specific settings if needed.
- On the Assignments tab, assign the baseline to your target groups.
Best Practices for Device Configuration
- Start with a Baseline: Leverage security baselines to ensure fundamental security is in place.
- Use the Settings Catalog: For granular control over device settings, especially on Windows, the Settings Catalog is the most robust option.
- Test Thoroughly: Deploy new configuration profiles to a pilot group before rolling them out to your entire organization.
- Document Your Configurations: Keep clear records of all deployed profiles, their purpose, and assigned groups.
- Regularly Review: Periodically review your configuration profiles and compliance policies to ensure they align with evolving security requirements and business needs.
- Utilize Groups Effectively: Use Azure AD dynamic groups or security groups to manage assignments efficiently.
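One way to keep the records and review the pilot-first rollout described above is to build an inventory from an export of your profiles. This is an added example, not part of the original article or Microsoft's tooling. It assumes the export has the shape Microsoft Graph returns for deviceConfigurations with assignments expanded; the sample data, the pilot group ID and all function names are constructed for illustration.

```python
import json

# Constructed sample shaped like Microsoft Graph deviceConfigurations
# fetched with $expand=assignments; names and group IDs are placeholders.
SAMPLE_EXPORT = json.loads("""{"value": [
 {"displayName": "Corp Wi-Fi", "description": "WPA2-Enterprise, HQ SSID",
  "assignments": [{"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                              "groupId": "11111111-1111-1111-1111-111111111111"}}]},
 {"displayName": "Remote VPN", "description": null,
  "assignments": [{"target": {"@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"}}]},
 {"displayName": "Kiosk lockdown", "description": "Front-desk kiosks",
  "assignments": []}
]}""")
PILOT_GROUPS = {"11111111-1111-1111-1111-111111111111"}  # assumed pilot group ID

BROAD = {"#microsoft.graph.allDevicesAssignmentTarget": "All devices",
         "#microsoft.graph.allLicensedUsersAssignmentTarget": "All users"}
EXCLUDE = "#microsoft.graph.exclusionGroupAssignmentTarget"

def describe(target):
    """Human-readable label for one assignment target."""
    kind = target.get("@odata.type", "")
    if kind in BROAD:
        return BROAD[kind]
    prefix = "exclude group " if kind == EXCLUDE else "group "
    return prefix + target.get("groupId", "unknown")

def review(profile, pilot_groups):
    """Return one inventory record: name, rollout stage, targets, findings."""
    targets = [a.get("target", {}) for a in profile.get("assignments") or []]
    included = [t for t in targets if t.get("@odata.type") != EXCLUDE]
    findings = []
    if not (profile.get("description") or "").strip():
        findings.append("no description: purpose is not documented")
    if not included:
        stage = "unassigned"
        findings.append("unassigned: profile reaches no users or devices")
    elif any(t.get("@odata.type") in BROAD for t in included):
        stage = "broad"
        findings.append("assigned to all users/devices: confirm pilot sign-off")
    elif all(t.get("groupId") in pilot_groups for t in included):
        stage = "pilot"
    else:
        stage = "targeted"
    return {"name": profile.get("displayName", "(unnamed)"), "stage": stage,
            "targets": [describe(t) for t in targets], "findings": findings}

def inventory(export, pilot_groups):
    """Review every profile in the export and return the records in order."""
    return [review(p, pilot_groups) for p in export.get("value", [])]
```

Calling `inventory(SAMPLE_EXPORT, PILOT_GROUPS)` returns one record per profile; the `findings` list is empty for a profile that is documented and still confined to the pilot group.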
Conclusion
Microsoft Intune provides a powerful and flexible platform for managing and securing your organization's devices. By understanding configuration profiles, compliance policies, and best practices, you can effectively implement and maintain a secure and productive mobile environment.