AMA: Windows management with Intune
Event details
Do you manage Windows endpoints in Intune? Do you have questions that extend beyond configuration and involve ensuring security, compliance, and a seamless user experience on Windows? Join this Ask Microsoft Anything (AMA) and engage directly with Microsoft product engineers to get your questions answered. Let’s talk about hardware-backed device attestation, the settings catalog, BitLocker, App Control, firewall settings, baselines, and anything else related to endpoint management and security!
Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.
This session is part of Microsoft Intune: Tech Community Live. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
192 Comments
- ShahAakash
Copper Contributor
Related but different question: Does MS recommend using the https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all?source=recommendations&pivots=mdm-november-2021 over the https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines, or both, or something else moving forward? If there is a place that suggests pros and cons of each, that would be helpful.
It appears the Intune Security Baseline is updated much less frequently (last update in 2021) so is that not the preferred approach?
- JaminAlmond
Microsoft
Hello Aakash, I recommend adopting the approach that aligns most effectively with your repeatable business processes. On a related note, I'd like to inform you that the Intune Security Baselines will receive updates more frequently moving forward. This change aims to enhance our security measures and ensure you have the latest protections.
- ShahAakash
Copper Contributor
Thanks - when is this expected to begin, i.e. when will an update be provided to the Intune Security Baselines and be updated more frequently moving forward?
- DerekTEAL
Copper Contributor
It is possible to remove all policies from a device without having to reset/wipe the computer. We have issues where policies "tattoo" onto the device and refuse to be removed. Would be useful when an admin signs into a student laptop that needs access to an area a student has been blocked from gaining access.
- JaminAlmond
Microsoft
Hello Derek, when you remove a device from the targeted group, it should automatically be disassociated from the applicable policies. If you notice that certain policies are still being applied to the device—a situation often referred to as 'tattooing'—please initiate a support case. We'll investigate and resolve the issue.
- DerekTEAL
Copper Contributor
I understand that we've encountered situations where policies are pushed to the student signed in. The admin, who hasn't had policies pushed to them, signs in afterward to make minor changes but finds themselves unable to do so due to the student policies taking precedence. While removing the device from the group to eliminate the policies might resolve the issue, it appears to be an unnecessary step for the admin to make minor adjustments.
- Badger-Scott
Copper Contributor
Would love the same RBAC settings to carry over from Intune to Defender.
- Mike-Danoski
Microsoft
The RBAC rights are set per Graph API. Can I interpret your question as the Defender rights required to manage the same settings and endpoint security are different than the device configuration and endpoint security roles in Intune?
- Char_Cheesman
Bronze Contributor
We're halfway through the AMA: Windows management with Intune! Keep your questions coming. Thanks!
- ShahAakash
Copper Contributor
Is there a way to easily see the differences between the Intune Security Baseline at https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all?source=recommendations&pivots=mdm-november-2021 and the MS Security Baseline at https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines? Thanks.
- Mike-Danoski
Microsoft
During the upgrade process you can export a copy of your baseline for offline records and to compare to other baselines. By the end of the month you will see that there is a new version of the baseline available that is based on the latest published Windows security baseline for Windows 11.
- daisylee645
Copper Contributor
Are there any plans to have the Windows driver updates through Intune respect the active hours for the devices? Or is there a hidden setting somewhere I might be missing?
- DMorris320
Copper Contributor
When BitLocker is enabled silently via Intune, does the recovery information automatically get saved in Azure?
- RussJ70
Copper Contributor
Require device to back up recovery information to Azure AD
It's in BitLocker - OS Drive Settings in Endpoint Security - Disk Encryption
- Char_Cheesman
Bronze Contributor
Thanks for participating in today's session of AMA: Windows management with Intune! For reference, the panel covered this topic at around 41:30.
- BethWiese
Copper Contributor
Is there a recommended method for interactive Win32 application installs through Intune?
- Joe_Lurie
Microsoft
BethWiese There's no way today to allow a user to interact with the app installer when deployed through Intune. It's feedback we've heard before; can you please upvote 👍 the feedback at https://aka.ms/IntuneFeedback?
- Lynn Towle
Iron Contributor
Is there any additional work being done on speeding up policy refresh on all device types? This is the single largest pain point for managing devices with Intune; there are times that policies and configurations take hours to update on devices. Also, offboarding users, we've seen many situations where a personal mobile device is registered and managed by Intune, but it will take up to an hour, and even longer, for data to be removed from the devices. I realize that much of this depends on Exchange and SharePoint access tokens, but there are times, especially in a security incident, that we need to immediately remove data. Is there a way to ensure immediate data removal on personal devices?
- Mike-Danoski
Microsoft
Thank you for the feedback. We are always looking to improve our performance especially in certain key areas as you highlight above. I don't have anything to share at the moment or any specific improvements to highlight but I do want to note that we are looking at this across the board.
- RichR-VPS
Brass Contributor
Can I give this 100 likes?
- BlueLeaf
Copper Contributor
What is the best practice for Application Deployment to User groups? If an app is required for a user group, will it get installed on any machines where the user logs in? (Shared machines, or helpdesk users logging in for helping a user. The user logging in is not a primary user of the machine for this case scenario.) BTW, I love the primary user concept in Config Manager 🙂
- AndrewHoffman
Copper Contributor
I would like to know the answer to this as well, because we have many users who will log into different machines at times. We assign apps per device rather than per user, as we don't want apps installing on devices that are not required. Curious what the best practice is for this.
- Mike-Danoski
Microsoft
Some people really like targeting devices and some people really like targeting users and there are good cases for either approach. Targeting a device ensures that that device has that policy no matter who uses it and targeting a user ensures that those settings or apps or resources follow that user no matter which device they interact with. For large general policies that impact security I recommend targeting devices and using filters to avoid applying that policy where it should not apply. For personalization settings or application installations I like to target users because those are more in line with a single user's experience or a job role. If that job role or user's persona requires special security handling that's when I will again target additional security settings to that user or user group. More info here https://techcommunity.microsoft.com/t5/intune-customer-success/intune-grouping-targeting-and-filtering-recommendations-for-best/ba-p/2983058