Module 05 - MW11D Intune - Profile Management

The document provides an overview of profile management in Microsoft Intune, detailing the management architecture, configuration service providers (CSPs), and device configuration profiles. It covers various profile types, including device restrictions, email configurations, and security policies, along with instructions for creating, monitoring, and deploying these profiles. Additionally, it discusses the use of Group Policy Analytics for migration and the assignment of settings to devices.

Uploaded by jaysla2009

Profile Management

Microsoft Services
Version 2306
Module Overview
• Lesson 1: Management Architecture and Configuration Service Providers (CSPs)
• Lesson 2: Device Configuration Profiles
Lesson 1: Management Architecture and Configuration Service Providers (CSPs)
• Understand the Management Architecture
• Understand CSPs
Windows 10/11 – Management Architecture
[Diagram. Service layer: MDM (Intune), Provisioning, Active Sync, ConfigMgr. Device layer: MDM Client, Provisioning Engine, EAS Client, WMI Bridge; Common Device Configurator; WMI Providers and MDM Configuration Service Providers (CSPs)]

Windows 10/11 – OMA-DM Communication
• CSP – Configuration Service Provider: an interface to read, set, modify, or delete configuration settings on the device
• SyncML – File with all information to configure CSP
[Diagram: MDM (Intune), SyncML, MDM Client, Common Device Configurator, MDM Configuration Service Providers (CSPs)]
CSP Setting translated to Intune GUI
Each CSP provides access to specific settings – example Cellular
[Figure labels: CSP, Intune UI]

Value  Setting
0      Don’t roam
1      Don’t roam (or Domestic roaming if applicable)+
Policy CSP (ADMX Backed Policy)
• The Policy CSP enables the enterprise to configure group policy settings
• Policy settings can be set using the Group Policy Administrative Templates
Group Policy conflicts can be controlled via MDMWinsOverGP CSP (applies only to Policy CSPs)
The native "Administrative Template" and "Settings Catalog" are using this CSP (discussed later).
Policy Schedule
• Schedule
  • The policy is checked every 3 minutes for 15 minutes, then every 15 minutes for 2 hours and then every 8 hours.
• Policy conflicts
  • Compliance policy settings always have precedence over configuration profile settings.
  • The most restrictive compliance policy setting applies.
  • If a configuration policy setting conflicts with a setting in another configuration policy, this conflict is shown in Intune. Manually resolve these conflicts.
Group Policy Analytics
• Tool to analyze on-premises GPOs
• Helps translate them to cloud settings
• Import saved XML GPO report
• Get a migration readiness report
Group Policy Migration
• GPAnalytics allows the automatic migration from GPOs to ConfigProfiles
Lesson 2: Device Configuration Profiles
• Understand how to create Device Configuration Profiles
• Understand how to monitor Device Configuration Profiles
Configuration Profile Types
• Intune separates configuration policies for each device platform
  • Platform is selected prior to creating profiles
• Templates
  • Grouped / Moderated by profile types, e.g. Wi-Fi profile, VPN profile, Certificate profile, …
• Settings Catalog
Example: Device Restriction Profile
• Settings are grouped in configuration categories
• Selected values are highlighted
Demo: Configuration Policies
Administrative Templates
• Group Policy style configuration

Search
Email Profiles
• Configure built-in mail client to access corporate email
• Configurations
  • How many emails to synchronize
  • How often to synchronize
  • SSL settings
  • What content type to synchronize
Certificate Profiles (Trusted root, SCEP, PKCS)
• Certificate profiles work with Active Directory Certificate Services (AD CS)
  • Intune Certificate Connector required for PKCS and SCEP
  • NDES Role required for SCEP
  • 3rd party connectors available
• Automatic certificate request and installation
• Automatic configuration of Wi-Fi, VPN or E-Mail profile for certificate usage
VPN Profiles
• Minimize the end-user effort required to connect to resources on the company network
• Custom VPN app may be necessary
Wi-Fi Profiles
• Allows creating, deploying, and monitoring wireless network settings to devices
• Minimizes user effort to connect to corporate wireless networks
Wired Network Profiles
• Create specific wired network settings to connect to the company network
• Authentication and SCEP Certificate can be enforced
Windows 10/11 Edition Upgrades
• Windows 10/11 subscription activation in Azure
  • Deploy the Windows 10/11 license to convert and activate Windows 10/11 Enterprise
• Change Windows 10/11 Edition
  • Select the desired Edition (Education, Pro, Enterprise, …)
  • Configure Product Key
  • Provide own activation procedure
OS must be qualified for Enterprise upgrade
Custom Profile
• Configure general CSPs when there is no UI available in Intune
  • Regular CSPs
  • Special Policy CSP for ADMX backed policy method
CSP Reference on Microsoft Docs
Settings Catalog
• Configurable settings all in one place
• Generated from Windows 10/11 CSPs
• Reduces the need for custom profile
• Quickly add new Windows settings
You can configure settings that GPOs also support - there is almost parity in settings.
Adjust settings:
- add, modify, delete
Import custom and 3rd party ADMX (Preview)
• Natively integrate 3rd party ADMX
• admx and adml file is required
• After import, an Imported Administrative Template profile can be created and deployed
EN Language only
Security related Policies
• Consider
  • Using Endpoint security profiles or a security baseline profile to configure your common endpoint protection security features
• Endpoint security profiles provide a concise, curated set of security templates including Firewall, BitLocker, Antivirus and more
• Security baseline profiles are templates with pre-configured settings values recommended by security experts
Policy Sets
• Bundle of references to existing management entities
• Group objects that need to be assigned together
  • Assign your organization’s minimum configuration requirements on all managed devices
  • Assign commonly used or relevant apps to all users
Management objects include:
• Apps
• App configuration policies
• App protection policies
• Device configuration profiles
• Device compliance policies
• Device type restrictions
• Windows autopilot deployment profiles
• Enrollment status page
Applicability Rules / Filters for assignment
• Use applicability rules / filters if needed
Apply (reusable) Filters over Applicability rules:
Assignment only for specific:
• OS Version
• OS Edition
Check Status and Settings in Intune
• Overview pages for
• Overall status
• Device, App status
• Tenant status

• Detailed reports
• Per category
Profile Assignment and Monitoring
• Assign settings, verify deployment
Assignment options:
• Specific AAD Groups
• Generic Groups (All Users, All
Devices)
• Exclude AAD Groups
Upload and Deploy a PowerShell Script
• Upload your PowerShell script
• Configure settings
• Assign to group
• Can be managed by multi admin approval policies
• Depends on Management extension schedule (hourly)
• Output is accessible via MS Graph
Script Size <= 200 KB
Decide if the script should run in user or system context
Decide if script has to be signed
Decide the runtime environment
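A pre-upload check for the decisions listed on this slide (size limit, signing, user vs. system context), as an added example that is not part of the original deck. `Test-IntuneScriptCandidate` is a hypothetical helper name, not an Intune cmdlet, and the sample script is constructed for the demonstration.

```powershell
# Added example: local checks before a script is uploaded to Intune.
# Test-IntuneScriptCandidate is a hypothetical name, not part of any Microsoft module.
function Test-IntuneScriptCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$RequireSignature,      # mirrors the "has to be signed" decision
        [int]$MaxBytes = 200KB          # size limit stated on the slide
    )
    $file     = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig      = Get-AuthenticodeSignature -FilePath $file.FullName
    $problems = @()

    if ($file.Extension -ne '.ps1') { $problems += 'Not a .ps1 file' }
    if ($file.Length -gt $MaxBytes) {
        $problems += "Size $($file.Length) bytes exceeds limit of $MaxBytes bytes"
    }
    if ($RequireSignature -and $sig.Status -ne 'Valid') {
        $problems += "Signature status is '$($sig.Status)', expected 'Valid'"
    }

    # Per-user locations resolve to the SYSTEM account's profile and hive when
    # the script runs in system context, so list them for the context decision.
    $userRefs = @(Select-String -LiteralPath $file.FullName `
        -Pattern 'HKCU:|\$env:(USERPROFILE|APPDATA|LOCALAPPDATA)')

    [pscustomobject]@{
        Path            = $file.FullName
        SizeBytes       = $file.Length
        SignatureStatus = $sig.Status
        UserScopedLines = $userRefs | ForEach-Object { "$($_.LineNumber): $($_.Line.Trim())" }
        Problems        = $problems
        ReadyToUpload   = ($problems.Count -eq 0)
    }
}

# Constructed sample script, written to a temp file so the example runs offline.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'sample-intune-script.ps1'
@'
Set-ItemProperty -Path 'HKCU:\Software\Contoso' -Name 'Configured' -Value 1
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Test-IntuneScriptCandidate -Path $sample -RequireSignature | Format-List
```

An entry under `UserScopedLines` is a prompt to confirm the chosen run context, not a failure on its own.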
Lab: Device Configuration Profiles and PowerShell scripts
© 2023 Microsoft Corporation. All rights reserved.
