software deployment on autopilot devices

Hi,

Just like to ask this question and find out what is the best practice from the experts. We have started auto piloting and hybrid joining devices via VPN for users who are at home.

Q1- Currently we have a few security groups to achieve this. First we add the device to the Hybrid Azure AD join group, which will autopilot the device and enroll the device to Intune and at the same time deploy our remote management software and VPN client. Then we add the device to separate security groups to install Office and set up OneDrive, and last we add another group to onboard the device to DATP and deploy security baselines. Is this the best practice, or can we create one dynamic security group that will have the device tag when the vendor uploads the device ID to the tenant?

Q2- We are utilizing the security baselines that are provided in endpoint security as a start. Should we deploy the baseline to devices or to users, what is the best practice? We know that we will have a number of users that will need less secure policies than the baseline. Should we manage this via user policy or device policy?

Q3- Once we apply a baseline policy to a user or a device, and if we need to loosen the policy, what is the best way to achieve this?

2 Replies

@Krishanthad 

A1 - Endpoint Manager's group tag field maps to the OrderID attribute on Azure AD devices. To create a group that includes all Autopilot devices with a specific group tag (the Azure AD device OrderID), type: (device.devicePhysicalIds -any (_ -eq "[OrderID]:<grouptag>"))

A2 - Use Intune's security baselines to help you secure and protect your users and devices. You deploy security baselines to groups of users or devices in Intune, and the settings apply to devices that run Windows 10 or later. For example, the MDM Security Baseline automatically enables BitLocker for removable drives, automatically requires a password to unlock a device, automatically disables basic authentication, and more. When a default value doesn't work for your environment, customize the baseline to apply the settings you need. Separate baseline types can include the same settings but use different default values for those settings. It's important to understand the defaults in the baselines you choose to use, and to then modify each baseline to fit your organizational needs. You can use one or more of the available baselines in your Intune environment at the same time. You can also use multiple instances of the same security baselines that have different customizations. When you use multiple security baselines, review the settings in each one to identify when your different baseline configurations introduce conflicting values for the same setting. Because you can deploy security baselines that are designed for different intents, and deploy multiple instances of the same baseline that includes customized settings, you might create configuration conflicts for devices that must be investigated and resolved.

A3 - When a security baseline setting no longer applies to a device, or settings in a baseline are set to Not configured, those settings on a device don't revert to a pre-managed configuration. Instead, the previously managed settings on the device keep their last configurations as received from the baseline until some other process updates those settings on the device. Other processes that might later change settings on the device include a different or new security baseline, device configuration profile, Group Policy configurations, or manual edit of the setting on the device.

If you want to apply settings on a device, regardless of who’s signed in, then assign your profiles to a devices group. Settings applied to device groups always go with the device, not the user. Use device groups when you don’t care who’s signed in on the device, or if anyone is signed in. You want your settings to always be on the device.

Use user groups when you want your settings and rules to always go with the user, whatever device they use.

@Krishanthad 

Endpoint Manager's group tag field maps to the OrderID attribute on Azure AD devices. To create a group that includes all Autopilot devices with a specific group tag (the Azure AD device OrderID), type: (device.devicePhysicalIds -any (_ -eq "[OrderID]:<grouptag>"))

Use Intune's security baselines to help you secure and protect your users and devices. You deploy security baselines to groups of users or devices in Intune, and the settings apply to devices that run Windows 10 or later. For example, the MDM Security Baseline automatically enables BitLocker for removable drives, automatically requires a password to unlock a device, automatically disables basic authentication, and more. When a default value doesn't work for your environment, customize the baseline to apply the settings you need. Separate baseline types can include the same settings but use different default values for those settings. It's important to understand the defaults in the baselines you choose to use, and to then modify each baseline to fit your organizational needs.

You can use one or more of the available baselines in your Intune environment at the same time. You can also use multiple instances of the same security baselines that have different customizations. When you use multiple security baselines, review the settings in each one to identify when your different baseline configurations introduce conflicting values for the same setting. Because you can deploy security baselines that are designed for different intents, and deploy multiple instances of the same baseline that includes customized settings, you might create configuration conflicts for devices that must be investigated and resolved. When a security baseline setting no longer applies to a device, or settings in a baseline are set to Not configured, those settings on a device don't revert to a pre-managed configuration. Instead, the previously managed settings on the device keep their last configurations as received from the baseline until some other process updates those settings on the device. Other processes that might later change settings on the device include a different or new security baseline, device configuration profile, Group Policy configurations, or manual edit of the setting on the device.

If you want to apply settings on a device, regardless of who’s signed in, then assign your profiles to a devices group. Settings applied to device groups always go with the device, not the user. Use device groups when you don’t care who’s signed in on the device, or if anyone is signed in. You want your settings to always be on the device.

Use user groups when you want your settings and rules to always go with the user, whatever device they use.
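
The replies above describe a dynamic group keyed on the group tag and warn that overlapping baselines can give a device conflicting values for the same setting. The following is an added example, not part of the original thread and not Microsoft's code: a local model that works out which devices receive more than one baseline and where those baselines disagree. All group names, baseline names, setting keys and device records are constructed placeholders, and the group-tag rule is simplified to an exact string match.

```python
from collections import defaultdict

NOT_CONFIGURED = "Not configured"

# Constructed sample data. Group names, baseline names and setting keys are
# illustrative placeholders, not real Intune identifiers or an export format.
TAG_GROUPS = {"Autopilot-Corp": "Corp"}              # dynamic group -> group tag
STATIC_GROUPS = {"Relaxed-Exceptions": {"PC-002"}}   # assigned group -> members
DEVICES = [
    {"name": "PC-001", "devicePhysicalIds": ["[OrderID]:Corp"]},
    {"name": "PC-002", "devicePhysicalIds": ["[OrderID]:Corp"]},
    {"name": "PC-003", "devicePhysicalIds": ["[OrderID]:Lab"]},
]
BASELINES = [
    {"name": "Baseline-Standard", "group": "Autopilot-Corp", "settings": {
        "require_device_password": "Yes",
        "bitlocker_removable_drives": "Yes",
        "block_basic_auth": "Yes"}},
    {"name": "Baseline-Relaxed", "group": "Relaxed-Exceptions", "settings": {
        "require_device_password": "Yes",
        "bitlocker_removable_drives": "No",
        "block_basic_auth": NOT_CONFIGURED}},
]

def in_tag_group(device, tag):
    """Local stand-in for: device.devicePhysicalIds -any (_ -eq "[OrderID]:<tag>")."""
    return f"[OrderID]:{tag}" in device["devicePhysicalIds"]

def groups_for(device):
    """All groups (dynamic by tag, plus assigned) that contain the device."""
    groups = {g for g, tag in TAG_GROUPS.items() if in_tag_group(device, tag)}
    groups |= {g for g, members in STATIC_GROUPS.items() if device["name"] in members}
    return groups

def conflicts_for(device):
    """Return {setting: {value: [baselines]}} where targeted baselines disagree."""
    seen = defaultdict(lambda: defaultdict(list))
    member_of = groups_for(device)
    for baseline in BASELINES:
        if baseline["group"] not in member_of:
            continue
        for setting, value in baseline["settings"].items():
            if value != NOT_CONFIGURED:  # sets nothing, so it cannot conflict
                seen[setting][value].append(baseline["name"])
    return {s: dict(v) for s, v in seen.items() if len(v) > 1}

def report():
    """Map each device with at least one conflict to its conflicting settings."""
    return {d["name"]: c for d in DEVICES if (c := conflicts_for(d))}
```

In this sample, PC-002 is in the exceptions group but still matches the tag-based group, so it receives both baselines; excluding the exceptions group from the standard baseline's assignment removes the overlap.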