Forum Discussion
RanRan
Nov 10, 2020, Copper Contributor
Cheat sheet
Hello,
I'm new to the Endpoint/Intune/Autopilot space. I know there is a ton of documentation on these Azure products, but I wanted to know if you had any cheat sheets that condense things such as the difference between Azure AD registered, Azure AD joined, hybrid, co-managed, co-location, and the differences between retire, wipe, fresh start, autopilot reset.
Also, what are some best practices for colleges?
RanRan hey there! Here are some guides/getting started docs:
Autopilot:
https://docs.microsoft.com/en-us/mem/autopilot/deployment-process
retire vs. wipe vs. fresh start vs. Autopilot reset: Retire or wipe devices using Microsoft Intune - Azure | Microsoft Docs
Reset Windows 10 devices with Microsoft Intune - Azure | Microsoft Docs
And the short answer: retire is often used for personal devices that you want to remove from Intune management because it keeps the personal data on the device. Autopilot reset is for devices you want to repurpose or re-assign because it removes all personal data and settings but retains enrollment with Intune and will get all the Intune managed settings. A wipe will return a device back to factory settings, but you can choose to keep personal data on there. Fresh start is used to remove any extra apps an OEM may have put on a device.
Some info about AAD registered vs. joined vs. hybrid: https://jairocadena.com/2016/01/18/setting-up-windows-10-devices-for-work-domain-join-azure-ad-join-and-add-work-or-school-account/
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid
AAD registered is usually for personal devices that need some management while AAD joined would be for school owned devices and hybrid is if you have some existing on premise identity and want to link that to the cloud.
Here are a couple of docs on comanagement: https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664
https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview
comanagement is for when you are already managing devices on premise via configuration manager and want to take advantage of some cloud capabilities from Intune as well.
- Liz_Cox
Microsoft
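The registered / joined / hybrid distinction above is easiest to see on an actual machine, so here is an added example (not part of Liz_Cox's reply or Microsoft's docs) that classifies a Windows 10 device from the output of `dsregcmd /status`. The function name is an assumption; the field names AzureAdJoined, DomainJoined and WorkplaceJoined are the ones dsregcmd itself prints, and the sample output is constructed and trimmed.

```powershell
# Added example, not from the thread: classify a Windows 10 device's identity state
# from "dsregcmd /status" output. The function name is hypothetical; the field names
# AzureAdJoined, DomainJoined and WorkplaceJoined are the ones dsregcmd prints.

function Get-DeviceJoinState {
    param(
        # Lines of "dsregcmd /status" output; defaults to running the tool on this machine.
        [string[]] $StatusLines = (& dsregcmd.exe /status)
    )

    # Collect the "Name : YES/NO" pairs into a hashtable (dsregcmd prints one pair per line).
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(YES|NO)\s*$') {
            $fields[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    # A missing key casts to $false, so partial output degrades to "not joined".
    $aadJoined    = [bool]$fields['AzureAdJoined']
    $domainJoined = [bool]$fields['DomainJoined']
    $registered   = [bool]$fields['WorkplaceJoined']   # "User State" section: per signed-in user

    # Device state takes precedence over the per-user registration flag.
    if ($aadJoined -and $domainJoined) { return 'Hybrid Azure AD joined' }
    if ($aadJoined)                    { return 'Azure AD joined' }
    if ($registered)                   { return 'Azure AD registered' }
    if ($domainJoined)                 { return 'On-premises domain joined only' }
    return 'Not joined or registered'
}

# Constructed sample (trimmed) for a hybrid-joined device with a domain account signed in.
$sampleHybrid = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CONTOSO',
    '+----------------------------------------------------------------------+',
    '| User State                                                           |',
    '+----------------------------------------------------------------------+',
    '           WorkplaceJoined : NO'
)

Get-DeviceJoinState -StatusLines $sampleHybrid   # classify the constructed sample
Get-DeviceJoinState                              # classify the machine running the script
```

Run it in the context of the signed-in user, because WorkplaceJoined comes from the User State section and reflects that user's work account rather than the device. If a device that reports AzureAdJoined : YES also reports WorkplaceJoined : YES, it is in the "dual state" that the hybrid join docs linked above tell you to clean up.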
- jabbrwcky, Brass Contributor
Liz_Cox I'm particularly interested in best practices around securing student devices. For example, there is a policy in Intune Edu called "Block installing apps from places other than the Microsoft Store for Education" but it doesn't work. It relies on SmartScreen checking the Store at the point in time that an app is run, so all the student needs to do is switch their Wi-Fi off and they can run any app they have previously downloaded. They're not local admins on our machines of course, but that doesn't stop them from creating merry chaos! We had hoped that we could set a policy to easily restrict students to just the Edu Store apps but have now had to go down the road of AppLocker, which is much more complex to set up and maintain and still doesn't do a great job of meeting this need, i.e. allow students to install any Edu Store app but nothing else. Is there an easy solution to this? What are the best practices generally for restricting student devices?
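Since the post describes the AppLocker goal (signed Store apps for students, nothing else, without relying on an online SmartScreen check), here is a starting policy as an added example. It is not jabbrwcky's configuration and not Microsoft's; the output path and the test account name are assumptions, while the SIDs, the rule XML schema and the cmdlets are standard AppLocker. It ships in AuditOnly mode so you can read the audit log before enforcing.

```powershell
# Added example, not from the thread or from Microsoft: a minimal AppLocker allow-list
# aimed at the poster's goal (signed packaged/Store apps for everyone, nothing else for
# standard users, administrators unrestricted). Output path and test user are
# hypothetical; the SIDs and rule XML follow the standard AppLocker schema.

$policyPath = Join-Path $env:TEMP 'student-applocker.xml'   # hypothetical location

# Rule IDs only need to be unique GUIDs, so generate fresh ones inline.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Everyone (S-1-1-0) may run what the OS and installers placed in these folders -->
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <!-- Local Administrators (S-1-5-32-544) stay unrestricted so support staff can work -->
    <FilePathRule Id="$(New-Guid)" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Appx" EnforcementMode="AuditOnly">
    <!-- Any signed packaged app; narrow PublisherName to named publishers to tighten this -->
    <FilePublisherRule Id="$(New-Guid)" Name="Allow signed packaged apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry-run: evaluate whatever executables sit in this user's Downloads folder as a
# standard student account (hypothetical name). Nothing there matches an Allow rule,
# so the PolicyDecision column should read Denied for each file.
$candidates = Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Downloads') -Filter *.exe -Recurse -ErrorAction SilentlyContinue
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates.FullName -User 'CONTOSO\student01' |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# AppLocker only evaluates rules while the Application Identity service is running;
# confirm it before trusting the audit events (Microsoft-Windows-AppLocker log).
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# Pilot locally (-Merge keeps any rules already on the machine). Switch both
# EnforcementMode values to "Enabled" once the audit log shows only expected blocks.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Two caveats a practitioner would want. First, a publisher rule with `PublisherName="*"` allows every signed packaged app, whether or not it came through the Store for Education; restricting to specific publishers means enumerating them (`Get-AppxPackage | Select-Object Publisher -Unique` on a reference machine) and adding one FilePublisherCondition per publisher, which is the maintenance cost the post mentions. Second, the Exe path rules are only as strong as the ACLs on those folders: audit `%PROGRAMFILES%` and `%WINDIR%` for subfolders a standard user can write to and add Exceptions for them, as the AppLocker docs recommend. For fleet deployment through Intune, each `<RuleCollection>` element is delivered as the value of the corresponding AppLocker CSP node (`./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Grouping>/EXE/Policy` and `.../StoreApps/Policy`) rather than by running Set-AppLockerPolicy on each device.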
- Liz_Cox
Microsoft
Liz_Cox RanRan we also have this video on comanagement: https://www.youtube.com/watch?v=71Cn1AKkU48
and if you're just looking for getting started content I do recommend the Intune for Education workshop video series aka.ms/i4eworkshopvideos which we will continue to add to!
- Liz_Cox
Microsoft
jabbrwcky we have a new video series at aka.ms/i4eworkshopvideos
which we will continue to add to so let us know if there are any specific topics you'd like to see covered. When you say securing and restricting devices, would something like security baselines help: https://docs.microsoft.com/en-us/mem/intune/protect/security-baselines