Forum Discussion
software deployment on autopilot devices
A1 - Endpoint Manager's group tag field maps to the OrderID attribute on Azure AD devices. To create a group that includes all Autopilot devices with a specific group tag (the Azure AD device OrderID), type: (device.devicePhysicalIds -any (_ -eq "[OrderID]:<grouptag>"))
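As an added example (not part of the answer above), the PowerShell below uses the Microsoft Graph PowerShell SDK to first preview which registered Azure AD devices carry a given OrderID value, and then to create the dynamic device group with that rule. The group tag "Finance-Laptops" and the group display name are placeholders chosen for this example.

```powershell
# Added example, not code from the forum thread. Assumes the Microsoft Graph
# PowerShell SDK is installed and the signed-in admin can read devices and
# create groups. The tag and group name below are placeholders.
$GroupTag  = "Finance-Laptops"                 # placeholder Autopilot group tag
$GroupName = "Autopilot-$GroupTag"             # placeholder display name
# The same rule syntax the answer gives, with the tag substituted in.
$Rule      = "(device.devicePhysicalIds -any (_ -eq ""[OrderID]:$GroupTag""))"

Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# Preview step: list devices whose physicalIds already carry this OrderID.
# This is the same string comparison the dynamic rule performs, run client-side
# so the expected membership can be reviewed before the group exists.
$Expected = Get-MgDevice -All | Where-Object {
    $_.PhysicalIds -contains "[OrderID]:$GroupTag"
}
Write-Host "Devices carrying [OrderID]:$GroupTag -> $($Expected.Count)"
$Expected | Select-Object DisplayName, DeviceId | Format-Table -AutoSize

# Create the dynamic security group. MembershipRuleProcessingState "On" tells
# Azure AD to evaluate the rule; membership is populated after processing,
# not at creation time.
$Group = New-MgGroup -DisplayName $GroupName `
    -MailEnabled:$false `
    -MailNickname ($GroupName -replace '[^A-Za-z0-9]', '') `
    -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $Rule `
    -MembershipRuleProcessingState "On"

Write-Host "Created group $($Group.Id) with rule: $Rule"
```

Once Azure AD has processed the rule, `Get-MgGroupMember -GroupId $Group.Id` should return the same devices the preview listed; any difference points at a tag value that does not match the rule string exactly.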
A2 - Use Intune's security baselines to help you secure and protect your users and devices. You deploy security baselines to groups of users or devices in Intune, and the settings apply to devices that run Windows 10 or later. For example, the MDM Security Baseline automatically enables BitLocker for removable drives, automatically requires a password to unlock a device, automatically disables basic authentication, and more. When a default value doesn't work for your environment, customize the baseline to apply the settings you need. Separate baseline types can include the same settings but use different default values for those settings. It's important to understand the defaults in the baselines you choose to use, and to then modify each baseline to fit your organizational needs. You can use one or more of the available baselines in your Intune environment at the same time. You can also use multiple instances of the same security baselines that have different customizations. When you use multiple security baselines, review the settings in each one to identify when your different baseline configurations introduce conflicting values for the same setting. Because you can deploy security baselines that are designed for different intents, and deploy multiple instances of the same baseline that includes customized settings, you might create configuration conflicts for devices that must be investigated and resolved.
A3 - When a security baseline setting no longer applies to a device, or settings in a baseline are set to Not configured, those settings on a device don't revert to a pre-managed configuration. Instead, the previously managed settings on the device keep their last configurations as received from the baseline until some other process updates those settings on the device. Other processes that might later change settings on the device include a different or new security baseline, device configuration profile, Group Policy configurations, or manual edit of the setting on the device.
If you want to apply settings on a device, regardless of who’s signed in, then assign your profiles to a device group. Settings applied to device groups always go with the device, not the user. Use device groups when you don’t care who’s signed in on the device, or if anyone is signed in. You want your settings to always be on the device.
Use user groups when you want your settings and rules to always go with the user, whatever device they use.