The Intune Best Practices Checklist

The document is a guide for implementing best practices when provisioning Microsoft 365 tenants using Intune. It provides a sequential checklist covering various configurations such as security groups, software update rings, app deployments, and device enrollment settings. Additionally, it includes recommendations for managing compliance and customizing the Company Portal.

Guide to the Intune Best Practices Checklist


Alex Fields, ITProMentor.com
Updated: April 2020

This is intended to be used as a baseline for provisioning new Microsoft 365 tenants according to best
practices. The checklist is set up sequentially (i.e. in the recommended implementation order). Note: I have
also provided a script via GitHub which will make importing the described policy set much quicker and
easier.

Table of Contents
Guide to the Intune Best Practices Checklist
☐ Create security groups for Intune deployment rings
☐ Set up Windows 10 Software Update Rings
☐ Set up Office 365 app deployments for Windows 10
☐ Set up App protection policies (MAM)
☐ Customize the Company Portal
☐ Create the Company terms and conditions
☐ Configure Device enrollment restrictions
☐ Configure Windows 10 automatic enrollment
☐ Configure Windows Hello for Business
☐ Configure Windows Enrollment status page
☐ Configure Apple MDM push certificate
☐ Configure Device cleanup
☐ Configure the default Compliance policy settings
☐ Configure Device compliance notifications
☐ Configure Device compliance policies
☐ Enroll devices
☐ Verify compliance status of enrolled devices
☐ Enable Conditional Access
☐ Set up Device Configuration profiles
☐ Control the OneDrive for Business experience
☐ Windows 10 Device Restrictions & Endpoint Protection settings

© Copyright 2019-2020, ITProMentor.com, LLC ITPROMENTOR.COM 1


☐ Create security groups for Intune deployment rings
Before you get started, set up your pilot group, and any additional rings you want to have. Example of a
common / typical small business deployment:

Group Name | User base included in group | Excluded from group
Pilot Group | Champions, power users | N/A
Broad Group (or All users) | Most of the user population | Pilot and Sensitive groups
Sensitive Group | Critical users, get new features last | N/A

Whenever you create a policy or configuration profile that you want to test, you can target the
appropriate rings, starting with the pilot group. Your needs may be different from this; for instance, some
small orgs only do a pilot and then go straight to production (All users). But consider an additional group for
“sensitive” users who should get policy changes and software updates last, after everyone else.

You may also create different pilot groups for different platforms or purposes (e.g. Intune-MacOS-Pilot
or Intune-Android-Pilot to test settings changes first on these device types).

Go to Azure AD > Groups > New group to create security groups appropriate to your situation.

☐ Set up Windows 10 Software Update Rings
Navigate to Devices > Windows 10 Update Rings and click Create.

I recommend creating at least two update rings, or three if you have sensitive groups within the
organization. Here is an example of the most typical deployment rings for a small business:

Adoption ring | Servicing channel | Defer feature updates | Defer quality updates
Pilot group | Semi-Annual | 0 days | 0 days
Broad group | Semi-Annual | 30-60 days | 7-14 days
Sensitive group | Semi-Annual | 120 days | 30 days

After you have constructed the rings, make your assignments. Click into any of the defined rings and
choose Assignments from the left menu. Example of recommended assignments:

Adoption ring | Include groups | Exclude groups
Pilot group | Intune-Pilot | None
Broad group | All users | Intune-Pilot, Intune-Sensitive
Sensitive group | Intune-Sensitive | None

This way, any potential issues with updates can be discovered and hopefully remediated via the earlier
adoption rings, before critical or sensitive users get them. The pilot group is always your canary in
the coal mine: having at least one such group in front of the broad group is a recommended best
practice and will help you surface issues before they have widespread impact.
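As an added example (not code from the guide or from its Setup-Intune.ps1 script), the following PowerShell creates the two ring groups and then the three update rings from the tables above through Microsoft Graph, including the include/exclude assignments. It assumes the Microsoft.Graph PowerShell module, an admin with the listed scopes, the low end of the broad ring's deferral ranges, and that the Graph enum value "businessReadyOnly" corresponds to the Semi-Annual Channel.

```powershell
# Added example: bootstrap the deployment rings described in this guide via Microsoft Graph.
# Not the guide's own code. Assumes the Microsoft.Graph PowerShell module is installed
# and the signed-in admin has the scopes below. Enum mapping for the servicing channel
# is assumed: "businessReadyOnly" = Semi-Annual Channel.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"

# 1. Security groups for the rings. "All users" is a built-in assignment target in
#    Intune, so only the Pilot and Sensitive rings need real groups.
$groups = @{}
foreach ($name in "Intune-Pilot", "Intune-Sensitive") {
    $g = Get-MgGroup -Filter "displayName eq '$name'"
    if (-not $g) {
        $g = New-MgGroup -DisplayName $name -MailEnabled:$false -MailNickname $name -SecurityEnabled
    }
    $groups[$name] = $g.Id
}

# 2. Update rings: feature/quality deferral days from the guide's table (low end of the
#    broad ring's 30-60 / 7-14 day ranges).
$rings = @(
    @{ Name = "Pilot ring";     Feature = 0;   Quality = 0  }
    @{ Name = "Broad ring";     Feature = 30;  Quality = 7  }
    @{ Name = "Sensitive ring"; Feature = 120; Quality = 30 }
)
$base = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"
$ringIds = @{}
foreach ($r in $rings) {
    $body = @{
        "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
        displayName                        = $r.Name
        description                        = "Windows 10 update ring (ring bootstrap script)"
        businessReadyUpdatesOnly           = "businessReadyOnly"
        featureUpdatesDeferralPeriodInDays = $r.Feature
        qualityUpdatesDeferralPeriodInDays = $r.Quality
    } | ConvertTo-Json
    $created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $body -ContentType "application/json"
    $ringIds[$r.Name] = $created.id
}

# 3. Assignments following the include/exclude table: the broad ring targets all users
#    but excludes both special groups so no device lands in two rings.
function New-GroupTarget([string]$GroupId, [bool]$Exclude) {
    $type = if ($Exclude) { "#microsoft.graph.exclusionGroupAssignmentTarget" }
            else          { "#microsoft.graph.groupAssignmentTarget" }
    return @{ target = @{ "@odata.type" = $type; groupId = $GroupId } }
}
$allUsers = @{ target = @{ "@odata.type" = "#microsoft.graph.allLicensedUsersAssignmentTarget" } }

$assignments = @{
    "Pilot ring"     = @( New-GroupTarget $groups["Intune-Pilot"] $false )
    "Broad ring"     = @(
        $allUsers
        New-GroupTarget $groups["Intune-Pilot"]     $true
        New-GroupTarget $groups["Intune-Sensitive"] $true
    )
    "Sensitive ring" = @( New-GroupTarget $groups["Intune-Sensitive"] $false )
}
foreach ($name in $assignments.Keys) {
    $body = @{ assignments = $assignments[$name] } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($ringIds[$name])/assign" -Body $body -ContentType "application/json"
    Write-Host "Assigned $name"
}
```

Run it once against a test tenant first and compare the result in Devices > Windows 10 Update Rings with the tables above before using it in production.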

☐ Set up Office 365 app deployments for Windows 10

It is possible to push software packages to managed devices via Intune. Set up a policy that will
automatically install the Office 365 desktop applications to newly enrolled devices.

Go to Apps > All apps. Click + Add. Under App type, choose Office 365 Suite > Windows 10.

Leave the selection on Configuration designer. On the first blade, App suite information, give it a name
and description similar to the below:

In the next blade, Configure App Suite, choose the applications you wish to include in the deployment.
Notice that the good/usable version of OneNote (2016) is not included by default, so select it if you
require it.

The App Suite Settings blade is where you will configure the frequency of updates, and some other
options. Remember that “targeted” releases always come ahead of non-targeted. You may wish to keep
your broad ring on a more conservative release cycle. Example of recommended update rings:

Org’s change tolerance | Pilot ring | Broad ring
Higher (creative, tech-savvy) | Monthly (Targeted) | Monthly
Mixed (both types present) | Monthly | Semi-Annual Channel
Lower (sensitive, critical) | Semi-Annual Channel (Targeted) | Semi-Annual Channel

Recommended settings for a typical deployment:

• Architecture: 64-bit (use 32-bit for compatibility with legacy plug-ins/add-ons)
• Update channel: select according to change tolerance
• Version to install: Latest (in the selected channel)
• Remove other versions of Office (MSI) from end user devices: Yes
• Automatically accept the app end user license agreement: Yes
• Use Shared Computer Activation: Select Yes if multiple users log in to the same machine
• Languages: Follows OS language by default, add other languages if needed

When you are done creating this deployment, go to Assignments and click Add group. Your assignment
type should be Required. Then pick your Included and Excluded groups as needed. Example:

Adoption ring | Include groups | Exclude groups
Pilot group | Intune-Win10-Pilot | None
Broad group | All users | Intune-Win10-Pilot, Intune-Win10-Sensitive
Sensitive group | Intune-Win10-Sensitive | None

☐ Set up App protection policies (MAM)


Microsoft recommends using MAM policies for iOS and Android to protect managed applications, with
or without MDM in place. MAM is a good way of enabling BYOD scenarios, without actually managing
the devices themselves. But it still provides value when the device is fully managed, too, by giving you
greater control over the application and the movement of data both to and from the application. Find
MAM policies in the Device management portal, under Apps > App protection policies.

Note: You can also configure these via the Microsoft 365 Admin center from Devices > Policies.

It is much quicker and easier to set up policies using the Microsoft 365 admin center; however, you can
go into more granular detail and see additional selections from the Device Management / Intune portal.
I will describe the latter (Intune), as it allows the most flexibility in policy design.

Choose Create policy if one does not yet exist. Give it a descriptive name such as Android app
protection, selecting Android as the Platform, and then choose the Apps to which you want the
protections to apply (e.g. Outlook, OneDrive, OneNote, Teams, etc.).

After selecting apps, choose Settings and then Data protection; make selections similar to the following
for a good baseline, or manipulate as needed.

Data protection > Encryption and Functionality settings:

Next, configure Access requirements, similar to the following (recommended):

Last, configure the Conditional launch settings:

You can repeat this process, choosing nearly identical settings for iOS.

☐ Customize the Company Portal
As I have mentioned in other places, Microsoft has apparently not yet figured out how to make one
central place for branding that applies to all areas in Microsoft 365. So, if you have previously set up
branding on your Azure AD sign-in page, that’s not enough. You must do it again for the Intune
Company Portal app/website (and again for several other services in 365 besides). Hopefully Microsoft
will unify the branding experience someday.

Until then, find these options under Tenant administration > Branding and Customization.

If you choose to complete this step, you will want at least your company name and a privacy statement
that you can point users toward. Also, it is a good idea to include contact information for support. Down
below you can upload a logo and customize the color schemes.

☐ Create the Company terms and conditions
When users enroll devices using the Company portal app, they will be prompted with the Company
terms and conditions that you specify. You may also choose to use the Terms of Use feature in Azure AD
Security > Conditional access > Terms of Use, instead of configuring it via Intune (which may be
preferred). This alternative method is described in the Azure AD Best practices guide.

Navigate to: Tenant administration > Terms and conditions.

Sample text for the terms:

I acknowledge that by enrolling my device, COMPANY administrators will have certain
types of control. This includes visibility to corporate app inventory, email usage and
device risk. I further agree to keep company resources and information safe to the best
of my ability and to inform COMPANY administrators as soon as I believe my device to
be lost or stolen.

The above is taken from Microsoft’s example, but you can make the terms your own.

☐ Configure Device enrollment restrictions
Navigate to Devices > Enrollment restrictions.

For Device limit restrictions, I prefer setting this value to no more than 5 devices per individual. When a
user retires a device, it should be deleted from Intune so that they can enroll a different one.

For Device type restrictions, you will want to edit the default or create new restrictions. Use this to
block any platforms (and versions) that you do not intend to support. Example depicted below:

If you choose to block personally owned devices of any type, that means you will need to tell Intune
which devices are corporate owned. You can do this from Corporate device identifiers.

Here you can add devices via CSV in bulk or manually, by IMEI or serial number.

☐ Configure Windows 10 automatic enrollment
Windows 10 devices have the ability to join Azure AD. When Azure AD join is performed, they can also
be automatically enrolled into Intune for management.

Navigate to Devices > Enroll devices > Windows enrollment and choose Automatic enrollment.
According to Microsoft, the best practice is to set the MDM User scope to All (which should be the
default), but flip the MAM User scope to None (which is not the default). This helps auto-enrollment go
smoothly, as MAM takes precedence over MDM and can lead to issues.

☐ Configure Windows Hello for Business
Windows Hello is a form of 2-factor authentication for signing into the local device, which is intended to
replace traditional passwords. When enabled, users must choose a PIN for their device. Additionally,
some devices offer the option to configure a biometric alternative such as a fingerprint or facial
recognition (but PIN is still required also).

I recommend disabling this feature as part of the enrollment settings, and configuring it separately using
a Device configuration profile, so that you can deploy this feature in a more targeted, monitored and
controlled way. Navigate to Devices > Enroll devices > Windows enrollment > Windows Hello. Move
these settings to Not configured.

To configure a profile to replace these settings (which allows you to target specific groups and monitor
the deployment), navigate to Devices > Configuration profiles. Create a new profile and choose
Windows 10 and later as the Platform, Identity protection as the Profile type.

Move the selection Configure Windows Hello for Business to Enabled and then pick your desired
options.

NOTE: If you have a hybrid environment where devices are joined to a traditional domain, then you
need to implement Hybrid Azure AD Join as well as Hybrid Key Trust for Hello. If you are not prepared
to do that, then you should disable the feature rather than enable it with this policy.

If you intend to support hardware security keys for sign-in (e.g. YubiKey), enable the Use security keys
for sign-in setting here, and complete the additional steps that Microsoft requires for that process.

☐ Configure Windows Enrollment Status Page

Back under Windows enrollment, you will find Enrollment Status Page. You can use these settings
to block the use of Windows devices until enrollment is completed, including apps and profiles.

If you do configure these settings, it is strongly recommended that you also enable the option titled
Only show page to devices provisioned by out-of-box-experience (OOBE). This prevents a known issue
where shared computers can exhibit inordinately long wait times (in hours) when a second user signs
into the same PC that has already been enrolled during OOBE.

☐ Configure Apple MDM push certificate


Navigate to Devices > Enroll devices > Apple enrollment and pick Apple MDM Push certificate.

Simply follow the process laid out on this page—basically you just need to download the Certificate
Signing Request from Microsoft, then hop over to the Apple portal, logging in with an Apple ID that is
registered to an admin account at your organization. If you need to register a corporate email account
with Apple and create a new ID, see this article from Apple.

Upload the CSR to Apple, and then download the certificate that Apple provides you with. You will
return to the Microsoft 365 Device management portal and upload the certificate, and you’re done.
Well, until next year when you need to renew it. Set yourself a reminder for this!

☐ Configure Device cleanup
Devices that have not checked in for 60 days or more are probably no longer valid devices. While you
should have a retirement process in place, in case there are any devices missed, this rule will help you to
clear out stale objects automatically (from Intune, but not Azure AD).

Go to Devices > Device cleanup rules.

• Delete devices based on last check-in date: Yes
• Delete devices that haven’t checked in for this many days: 60-90

The impact of this setting is that a deleted device, if it still exists, would need to be re-enrolled before
it can be managed again.

Note: Also see this article for advice on how to clean up stale devices in Azure AD. This would include
devices enrolled into Intune, and others that are merely “registered” against Azure AD (unmanaged).

☐ Configure the default Compliance policy settings
Before you manipulate compliance settings, be sure that you do not have any device-based conditional
access policies enabled. Review Devices > Conditional access. If you find any conditional access policies
enabled which “Require the device to be marked as compliant” under the Access controls section, then
disable them first. The reason being, you could accidentally lock out existing users/devices while
manipulating live settings.

See this article for more details on the proper order for implementing device-based conditional access:
https://www.itpromentor.com/device-ca-framework/

When you are ready to proceed, navigate to Devices > Compliance policies > Compliance policy
settings. Review the default selections.

• Mark devices with no compliance policy assigned as: controls how an enrolled device is treated
when no compliance policy applies to it. Left on Compliant, any enrolled device with no compliance
policy assigned is considered compliant. If your goal is end-to-end coverage with device
compliance and conditional access, set this to Not Compliant, so that a device must be evaluated
by a compliance policy before it is treated as compliant.
• Enhanced jailbreak detection: this setting uses location services and can drain battery life
more quickly. I normally leave this Disabled.
• Compliance status validity period (days): decreasing the value requires the device to report its
compliance status more frequently; if it is unable to, it falls out of compliance more quickly.

☐ Configure Device compliance notifications


Before you create your compliance policies, you may want to create at least one notification for
noncompliant devices. Navigate to Notifications and choose Create notification.

Fill in the notification that will be delivered to end users when devices become noncompliant.

☐ Configure Device compliance policies
You will need to create one compliance policy for each platform that you intend to support and manage.
Go to Devices > Compliance policies and Create Policy.

Create a Windows 10 policy. You can choose your own compliance settings but be aware that these are
going to be requirements for access once you have Conditional Access enabled (so make sure your
devices can meet the requirements)! For example, to require a minimum OS version go to Device
Properties:

You may choose other compliance settings as required by your unique policies.

Under the Actions for noncompliance, consider increasing the grace period. If a machine falls out of
compliance, the grace period will allow the user time to get the device remediated before losing access.

And you can also Add a new action, to alert the end user when their device has fallen out of compliance.
Select the notification you created earlier.

Click OK on your selections and then Save the policy.

Repeat this process to configure compliance policies for each device platform you intend to support in
your environment. You do not need to create policies for platforms you do not intend to support.
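The Windows 10 compliance policy described in this step, built through Microsoft Graph as an added example (not the guide's own code): a minimum OS version, a grace period on the block action, and a notification action that reuses the template from the previous step. It assumes the Microsoft.Graph PowerShell module; the template name, the OS build string, the 72-hour grace period and the pilot group name are assumed or placeholder values.

```powershell
# Added example, not from the guide: Windows 10 compliance policy with minimum OS version,
# a grace period before "block", and a notification action. Assumes Microsoft.Graph module.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Group.Read.All"

# Look up the notification template created under Compliance policies > Notifications.
$templateName = "Device noncompliant - user notice"   # assumed template name
$templates = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/notificationMessageTemplates"
$template = $templates.value | Where-Object { $_.displayName -eq $templateName }
if (-not $template) { throw "Notification template '$templateName' not found; create it first." }

$policy = @{
    "@odata.type"    = "#microsoft.graph.windows10CompliancePolicy"
    displayName      = "Windows 10 compliance"
    description      = "Baseline: minimum OS build; remember CA will enforce this"
    osMinimumVersion = "10.0.18363.0"      # placeholder: choose a build your devices can meet
    bitLockerEnabled = $true               # example of an additional setting you may add
    # Actions for noncompliance. Graph expects one rule (conventionally "PasswordRequired")
    # with one configuration per action; grace periods are expressed in hours.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                # Notify the user immediately using the template above...
                @{ actionType = "notification"; gracePeriodHours = 0
                   notificationTemplateId = $template.id; notificationMessageCCList = @() }
                # ...and only mark the device noncompliant (which CA then blocks) after 3 days,
                # giving the user time to remediate. Assumed value.
                @{ actionType = "block"; gracePeriodHours = 72
                   notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType "application/json"

# Assign to the pilot ring first; widen to the broad ring once pilot devices report compliant.
$pilot = Get-MgGroup -Filter "displayName eq 'Intune-Win10-Pilot'"
if (-not $pilot) { throw "Pilot group not found; create the ring groups first." }
$assign = @{ assignments = @(
    @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilot.Id } }
) } | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body $assign -ContentType "application/json"
Write-Host "Created compliance policy $($created.id) and assigned it to Intune-Win10-Pilot"
```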

☐ Enroll devices
The most common method for enrolling personal devices (of all types) is the Company Portal app.
Simply go to the app store on your device of choice and search for the Company Portal app. Once you have
the app installed, sign into the app using your Microsoft/Office 365 credentials to complete the enrollment
steps.

I will not go through all of the screens involved, but a fair warning: there are many prompts that the user
must step through to enroll the device, always selecting options in the affirmative such as Continue,
Trust, Enroll, Accept, Install, etc. Not fun. In iOS the user is even directed at one point to go into their
Settings app, find the management certificate and click install there, then come back to the app. Yuck.
Just one more reason to stick with MAM for mobile devices by default.

Windows 10 Enrollment options


There are many ways to enroll a Windows 10 device. And yes, the Company Portal app also works here
for personally owned Windows 10 devices.

Enroll the device from Settings > Accounts
Another option, if your device is part of an existing domain or workgroup, is to join the device
from Settings > Accounts > Access work or school. Just choose Connect and sign in using your corporate
Microsoft 365 credentials.

If the device is not domain-joined yet (still in a workgroup) then you can choose the option to Join Azure
Active Directory instead, as shown (Azure AD Joined is the preferred configuration for corporate owned
devices):

Group policy (hybrid)
If you have an existing on-premises AD, and assuming you’re not able to get off of it, then you can use a
Group policy (see this link) to initiate enrollment also. Note: This requires Azure AD Connect to be in
place, with Hybrid Azure AD Join configured. Follow the steps in one of these two articles, depending on
your infrastructure:

• Federated (AD FS) domains
• Non-Federated domains

Out-of-Box Experience (OOBE) setup (preferred/recommended)


When a user gets a new device (or resets an old one), they can simply choose work or school when they
set it up for the first time. Using their corporate credentials will join the device to Azure AD, and it will
be enrolled into Intune. Any software assigned to the device will come down, etc.

Windows 10 Autopilot
The only differences between the OOBE option I just described, and Autopilot are as follows:

1. Autopilot can tell the device to skip past some of the first run experience screens (privacy)
2. You have the option to enforce Standard user, rather than letting the user be local admin

And that’s about it.

Note: Autopilot is available for hybrid environments as well; however, a Microsoft engineer who works
on this feature said to the audience at a recent presentation, “For the love of God or whatever you
believe is Holy, do not deploy Hybrid Join—prove to me that you cannot do Azure AD Join first.”

Configuring Autopilot requires that you get unique device identifiers imported into Intune in advance.
You would want to get these from the OEM, but they can also be exported via PowerShell from the device.

You can basically create profiles, and then assign the imported devices (from CSV) to the profiles that
have been created. To do this from the Microsoft 365 admin center is trivial (Devices > Autopilot). To do
this from the Intune portal, just follow this Microsoft article.
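The PowerShell export of the device identifiers mentioned above, as an added example (not the guide's own script): it reads the serial number and the Autopilot hardware hash from the local Windows 10 device and writes them in the CSV layout that the Autopilot import expects. The output path is an assumption; the Windows Product ID column is left empty because the import accepts it blank.

```powershell
# Added example, not from the guide: collect the Autopilot identifiers from the device you are
# sitting at and write the CSV that Intune's Autopilot import expects. Run from an elevated
# PowerShell prompt on the Windows 10 device. Output path is assumed.
$outFile = "C:\Temp\AutopilotHWID.csv"
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null

# Serial number as reported by the BIOS.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# The hardware hash is exposed by the MDM bridge WMI provider (needs elevation).
$devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail) { throw "Could not read MDM_DevDetail_Ext01; re-run from an elevated prompt." }
$hash = $devDetail.DeviceHardwareData

# One row per device. The import needs these exact column names; Product ID may be blank.
$row = [PSCustomObject]@{
    "Device Serial Number" = $serial
    "Windows Product ID"   = ""
    "Hardware Hash"        = $hash
}

# Write the CSV without the PowerShell type header and without quotes around fields,
# which is the layout the Autopilot import accepts.
$row | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $outFile -Encoding ASCII
Write-Host "Wrote $outFile for serial $serial (hash length $($hash.Length))"
```

The resulting file is what you upload under Devices > Autopilot (or the Intune portal's Autopilot import) before assigning a deployment profile to the device.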

☐ Verify compliance status of enrolled devices


It is only necessary to complete this step before the very first time you go to enable device-based
Conditional access (in other words, any Conditional access policy using the control Require device to be
marked as compliant). Devices joining subsequently will be required to meet the compliance before
gaining access for the first time.

This is easy to do; simply go to Devices > Monitor and find reports under Compliance.

Identify any devices which do not meet compliance. If you click on one of the devices, you can pick
Device compliance again under Monitor and drill in to see which policies are failing or passing for that
specific device. Remediate the issues on the devices before enabling Conditional access.

☐ Enable Conditional Access


I have written an entire guide on this topic, with an associated policy design.

Refer to that resource for more details on how to set up a more comprehensive baseline. Here is a
summary of the relevant policies with regard to devices and client apps managed by Intune:

Windows 10 client access (MDM or Hybrid Azure AD Join is required)
o Assignments*: Users > All users; Cloud apps > Office 365 Exchange Online & Office 365 SharePoint Online
o Conditions: Device platforms: Windows; Client apps: Mobile apps & desktop clients and Modern
authentication clients
o Access controls: Require device to be marked as compliant; Require Hybrid Azure AD joined device;
Require one of the selected controls

Personal mobile device access (MDM is optional)
o Assignments*: same as above
o Conditions: Device platforms: Android and iOS; Client apps: same selections as above
o Access controls: Require device to be marked as compliant; Require approved client app; Require one
of the selected controls

Corporate mobile device access (MDM is required)
o Assignments*: same as above
o Conditions: Device platforms: Android and iOS; Client apps: same selections as above
o Access controls: Require device to be marked as compliant; Require approved client app; Require all
the selected controls

Block legacy protocols
o Assignments*: same as above
o Conditions: Client apps > Mobile apps & desktop clients, Other clients
o Access controls: Block access

Block Exchange ActiveSync
o Assignments*: Users > All users; Cloud apps > Office 365 Exchange Online
o Conditions: Client apps > Mobile apps & desktop clients, Exchange ActiveSync
o Access controls: Block access

*Always exclude your emergency access account(s).

These can be configured under Devices > Conditional access.
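As an added example (not the guide's own code), the following PowerShell performs the pre-flight check from the "Verify compliance status" step and then creates the "Windows 10 client access" policy from the table above in report-only mode, so the lockout risk the guide warns about can be measured in the sign-in logs before enforcing. It assumes the Microsoft.Graph PowerShell module; the emergency access UPN is a placeholder, and the two application ids are the well-known Office 365 Exchange Online and SharePoint Online service principals.

```powershell
# Added example, not from the guide: check compliance posture, then create the Windows 10
# device-based CA policy in report-only mode. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# 1. Pre-flight: which enrolled Windows devices would fail "require compliant" today?
$devices = Get-MgDeviceManagementManagedDevice -All | Where-Object { $_.OperatingSystem -eq "Windows" }
$notCompliant = @($devices | Where-Object { $_.ComplianceState -ne "compliant" })
$notCompliant | Select-Object DeviceName, UserPrincipalName, ComplianceState, LastSyncDateTime |
    Format-Table -AutoSize
if ($notCompliant.Count -gt 0) {
    Write-Warning "$($notCompliant.Count) of $(@($devices).Count) Windows devices are not compliant; remediate before enforcing."
}

# 2. Always exclude the emergency access account (placeholder UPN, replace with yours).
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $breakGlass) { throw "Emergency access account not found; never create a device-based CA policy without it excluded." }

$policy = @{
    displayName = "Windows 10 client access - require compliant or Hybrid Azure AD joined"
    # Report-only first: sign-in logs show who would have been blocked without blocking anyone.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{
            # Office 365 Exchange Online and Office 365 SharePoint Online (well-known app ids)
            includeApplications = @("00000002-0000-0ff1-ce00-000000000000",
                                    "00000003-0000-0ff1-ce00-000000000000")
        }
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # "Require one of the selected controls" in the portal is operator OR here.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType "application/json"
Write-Host "Created CA policy $($created.id) in report-only mode; review sign-in logs, then set state to 'enabled'."
```

The Android/iOS rows of the table differ only in includePlatforms, the approvedApplication control, and the operator (OR for personal devices, AND for corporate devices).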

☐ Set up Device Configuration profiles
Whereas compliance policies are linked with Conditional access, device configuration profiles are not—
they have no bearing on whether a device is considered “compliant.” Therefore, they cannot be used as
a bar to entry. However, once devices have been enrolled and brought under compliance, then you can
use Device configuration to apply settings, similar to how a domain-joined PC in the past would have
received policy settings via Group Policy. Find these under Devices > Configuration profiles.

For each platform, there exist multiple profile types (e.g. WiFi, VPN, Device restrictions, etc.) and many
settings. The profiles you would typically build are almost entirely dictated by the needs of the
organization. Do you require corporate WiFi keys to be pushed down to the client? Should end users be
able to access the app store, or save to iCloud? Every environment is different, and it is hard to say there
is any single “best practice.”

Nevertheless, I have published a set of Windows 10 settings that I would recommend most small and
mid-sized businesses at least review when implementing Intune for the first time; those are available in
the repository on GitHub by running the Setup-Intune.ps1 script.

Additionally, I have The Windows 10 Business Secure Configuration Framework available on Gumroad.
You can also find deployment scripts for the security profiles on GitHub under Windows 10.

Last, take a look at this article, for configuration of the OneDrive for Business client: a popular ask when
replacing legacy technologies such as redirected folders and mapped drives.
