SOLVED

Cheat sheet


Hello,

I'm new to the Endpoint/Intune/Autopilot space.  I know there is a ton of documentation on these Azure products, but I wanted to know if you had any cheat sheets that condense things such as the difference between Azure AD registered, Azure AD joined, hybrid, co-managed, co-location, and the differences between retire, wipe, fresh start, autopilot reset.  

 

Also, what are some best practices for colleges? 

5 Replies

@RanRan I’d be VERY interested to see some collated best practices also.  We’ve been figuring a lot of things out ourselves over time, particularly around the best ways of securing and restricting devices.

best response confirmed by RanRan (Copper Contributor)
Solution

@RanRan hey there! Here's some guides/getting started docs:

 

Autopilot:

https://docs.microsoft.com/en-us/mem/autopilot/deployment-process

 

retire vs. wipe vs. fresh start vs. Autopilot reset: Retire or wipe devices using Microsoft Intune - Azure | Microsoft Docs

Reset Windows 10 devices with Microsoft Intune - Azure | Microsoft Docs

 

and the short answer is retire is often used for personal devices that you want to remove from Intune management because it keeps the personal data on the device. Autopilot reset is for devices you want to repurpose or re-assign because it removes all personal data and settings but retains enrollment with Intune and will get all the Intune managed settings. A wipe will return a device back to factory settings but you can choose to keep personal data on there. Fresh start is used to remove any extra apps an OEM may have put on a device. 

 

Some info about AAD registered vs. joined vs. hybrid: https://jairocadena.com/2016/01/18/setting-up-windows-10-devices-for-work-domain-join-azure-ad-join-... 

 

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register

 

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join

 

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid

 

AAD registered is usually for personal devices that need some management while AAD joined would be for school owned devices and hybrid is if you have some existing on premise identity and want to link that to the cloud. 

 

Here's a couple docs on comanagement: https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-q...

https://techcommunity.microsoft.com/t5/device-management-in-microsoft/co-management-at-microsoft/ba-...

https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview

comanagement is for when you are already managing devices on premise via configuration manager and want to take advantage of some cloud capabilities from Intune as well.  
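The registered / joined / hybrid distinction above can be verified on the device itself. The following is an added PowerShell example, not code from the thread or from Microsoft: it parses the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` flags that `dsregcmd /status` prints and maps them to the identity state the Azure AD docs describe. The sample status text is constructed; on a real device pass `(dsregcmd /status | Out-String)` instead.

```powershell
# Added example (not from the thread): classify a Windows device's identity state
# from `dsregcmd /status` output using the three flags the Azure AD docs key on.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string]$StatusText)
    # dsregcmd prints "      Name : VALUE" rows; keep only the three flags we need.
    $flags = @{}
    foreach ($line in $StatusText -split "`r?`n") {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $flags[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }
    return $flags
}

function Get-DeviceJoinType {
    param([Parameter(Mandatory)][string]$StatusText)
    $f = ConvertFrom-DsregStatus -StatusText $StatusText
    # Order matters: hybrid is "AAD joined AND on-prem domain joined".
    if ($f['AzureAdJoined'] -and $f['DomainJoined']) { return 'Hybrid Azure AD joined' }
    if ($f['AzureAdJoined'])                         { return 'Azure AD joined' }
    if ($f['WorkplaceJoined'])                       { return 'Azure AD registered' }
    if ($f['DomainJoined'])                          { return 'On-premises domain joined only' }
    return 'Not joined or registered'
}

# Constructed, abridged sample standing in for a real `dsregcmd /status` run.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
'@

Write-Output (Get-DeviceJoinType -StatusText $sample)
```

A device that reports both `AzureAdJoined : YES` and `WorkplaceJoined : YES` is in the "dual state" that the Azure AD docs recommend cleaning up, so it is worth flagging that combination separately in a fleet-wide inventory.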

 

 

@Liz_Cox @RanRan  we also have this video on comanagement: https://www.youtube.com/watch?v=71Cn1AKkU48 

 

and if you're just looking for getting started content I do recommend the Intune for Education workshop video series aka.ms/i4eworkshopvideos which we will continue to add to! 

@jabbrwcky we have a new video series at aka.ms/i4eworkshopvideos which we will continue to add to so let us know if there are any specific topics you'd like to see covered. When you say securing and restricting devices, would something like security baselines help: https://docs.microsoft.com/en-us/mem/intune/protect/security-baselines 

@Liz_Cox I'm particularly interested in best practices around securing student devices.  For example, there is a policy in Intune Edu called "Block installing apps from places other than the Microsoft Store for Education" but it doesn't work.  It relies on Smartscreen checking the Store at the point in time that an app is run, so all the student needs to do is switch their wifi off and they can run any app they have previously downloaded.  They're not local admins on our machines of course, but that doesn't stop them from creating merry chaos!  We had hoped that we could set a policy to easily restrict students to just the Edu Store apps but have now had to go down the road of AppLocker which is much more complex to set up and maintain and still doesn't do a great job of meeting this need, i.e. allow students to install any Edu Store app but nothing else.  Is there an easy solution to this?  What are the best practices generally for restricting student devices?
