Microsoft Endpoint Manager Devices: Complete MEM Tour

Ultimate MEM Tour Part 1: Microsoft Intune Devices

According to the Gartner Magic Quadrant published on August 16, Microsoft is by far the leader in the area of unified endpoint management tools. Microsoft Intune has played a major role in achieving this clear ranking. Intune has grown steadily in recent years and has gained many new functions. According to rumors, we can soon expect support for Chrome OS (source: twitter).

This post is the first in a series. In this series, I want to give you a tour of all the features that Microsoft Intune has to offer.

Before we start, the following questions arise:

What is Microsoft Intune?

Microsoft Intune is a unified endpoint management (UEM) tool that enables the management of multiple endpoints and device types in a single console. Intune includes the following services: Microsoft Intune, Configuration Manager, co-management, Desktop Analytics, Windows Autopilot, Microsoft Entra ID and the Intune admin center.

Intune is the cloud part of this offering. With Intune, you can manage mobile devices securely and easily over the Internet.

How can I access Microsoft Intune?

To access Microsoft Intune, open the Intune admin center in the browser:

https://intune.microsoft.com/

How can I set up a test environment?

How to set up a test environment and the first steps to enroll a device via Intune are explained in detail in my post on setting up a Windows Autopilot test lab.

So let's get started: Device Management

Intune currently supports the management of Windows, macOS, iOS, iPadOS and Android. All settings and functions related to device management are covered in this post.

Microsoft Endpoint Manager devices overview dashboard

Overview

When you open the Devices section, the first thing you see is the Overview dashboard. It shows the state of the whole environment across all operating systems.

This is broken down into the following sections:

Enrollment status

  • Overview of how many devices have been enrolled per platform and how often the enrollment process succeeded or failed.

Enrollment alerts

  • Overview of the Autopilot devices. Here you can see, for example, whether you have device hashes without a profile assignment.

Compliance status

  • Overview of how many devices meet the rules defined in compliance policies and how many are not compliant.

Configuration status

  • Overview of the configuration policy status: how often each policy was applied successfully and how often it was not.

Software update status

  • Overview of software update installations: the count of successful and failed update installations.

Microsoft Endpoint Manager devices software update status overview

All Devices

In the All Devices menu you get a list of all devices managed via Intune, independent of the platform. Here you can see the compliance status of the devices, the OS build version, the last check-in in Intune and some more information.

Microsoft Intune all devices management screen

Monitor

In the monitor section, you’ll find many reports. These reports are divided into the categories Configuration, Compliance, Enrollment, Software updates and Other.

Microsoft Intune device assignment status dashboard

Configuration


Assignment status

  • Overview of the configuration policy status: how often each policy was applied successfully and how often it was not. You can also see what type of policy it is.

Assignment failures (preview)

  • Here you can see the policies that have an assignment error. If you select a policy, you can also see which devices are affected.

Devices with restricted apps

  • This report shows devices that have apps installed which are blocked by device restrictions.

Encryption report

  • This report gives you an overview of the disk encryption status of the devices. The report covers Windows and macOS devices.

Certificates

  • Overview of certificate deployment. You can see which certificate is on which device.

Compliance


Noncompliant devices

  • Here you can see devices that do not meet the compliance policies, for example because of a required minimum OS version or a required encrypted disk.

Devices without compliance policy

  • Devices for which no compliance policies are applied or defined.

Setting compliance

  • Here you can see the individual settings defined in the policies and how often each of them is compliant and how often it is not.

Policy compliance

  • A list of all compliance policies with an evaluation of how many devices are compliant and how many are not. You can also see how often there was an error when applying the policy.

Noncompliant policies (preview)

  • Here you can see the compliance policies that have an error or are not compliant.

Windows health attestation report

  • This report gives you an overview of security-relevant elements such as Code Integrity, Secure Boot and BitLocker encryption.

Enrollment


Autopilot deployments (preview)

  • This report provides an overview of past device enrollments. You can see which method was used to enroll the devices and the status of the enrollment.

Enrollment failures

  • Here you can see the failed enrollments. You can search for a specific user or select All Users.

Incomplete user enrollments

  • The report shows how many enrollments were not completed and at which step they were aborted.

Software updates


Per update ring deployment state

  • An overview of the deployment status of update rings: how often the deployment was successful and how often there was an error.

Installation failures for iOS devices

  • Here you can see failed software updates on iOS, including the OS version under which the error occurred.

Feature update failures (Preview)

  • In this table you can see which feature updates failed how often.

Windows Expedited update failures (Preview)

  • This report shows failed expedited updates (updates that are installed as quickly as possible).

Other


Device actions

  • Overview of the status of triggered device actions such as a wipe.

By platform

In the Platform category, you can choose between Windows, iOS/iPadOS, macOS and Android. This selection filters the various items such as All Devices or Configuration Policies to only those that apply to the device group.

Microsoft Intune Windows devices list in Endpoint Manager

I will describe the individual submenus of the platforms in the following sections.

Device Enrollment

In the Device enrollment menu, you will find all options to configure enrollment for the different operating system types. There are also general settings such as enrollment restrictions. In this section I will explain all functions around enrollment.

Windows enrollment

  • Here are the settings needed to configure Windows Autopilot. You get an overview of the devices registered in your tenant, can configure settings for Windows Hello for Business, can add a CNAME record and can set up and manage an Active Directory to Intune connector. You can also create the ESP (Enrollment Status Page) and the different deployment profiles. I have already explained how this works in setup a windows autopilot test lab.

Apple enrollment

  • In this section you will find all settings that are required for an Apple enrollment. The prerequisite you add here is the Apple MDM push certificate. Once it is uploaded, you can configure bulk enrollment via Apple Configurator or via Apple Business Manager. You can also configure enrollment targeting, which lets you choose between user enrollment and device enrollment.

Android enrollment

  • This option is similar to the Apple section, but for Android. The prerequisite for configuring Android enrollment is a managed Google Play account. Once this link is established, you can configure the device enrollment. You have four options (personally-owned devices with work profile, corporate-owned dedicated devices, corporate-owned fully managed user devices, corporate-owned devices with work profile). I will explain what is behind these in a future post. Stay curious.

Enrollment restrictions

  • In this section you can configure enrollment restrictions and enrollment limitations.
  • Enrollment restrictions are an option to exclude certain devices. You can, for example, allow only devices from a certain OS version upwards, exclude a certain OS completely, block manufacturers or block personally owned devices.
  • Enrollment limitations are where you configure the maximum number of devices each user can enroll.

Corporate device identifiers

  • You can upload an IMEI or serial number to mark devices as corporate owned. The following platforms are supported: iOS/iPadOS, macOS, Android device administrator (pre Android 10) and Android Enterprise personally-owned work profile (pre Android 12).

Device enrollment managers

  • As a device enrollment manager you can specify a Microsoft Entra ID account that is used to set up the mobile devices and prepare them for the user. It is possible to enroll up to 1000 devices with this account.

Provisioning / Windows 365

Windows 365 is Windows as SaaS: Microsoft provides a way to host virtual Windows instances in the cloud. More info can be found on the Microsoft site.

Compliance Policy

Compliance policies help ensure the security of devices and the protection of corporate data. With the help of these policies, devices can be marked as compliant or not compliant. They are rules that define what a device must comply with, such as BitLocker encryption, a minimum OS version, etc.

This device status can be used for Conditional Access.

There are the following submenus for the compliance policies area:

Policies

  • Define new compliance policies and get an overview of existing ones. Here you can also see which policies are assigned and which are not.

Notifications

  • Here you can define mail notifications for the case that a device is not compliant. Mail templates can be created in different languages.

Retire Noncompliant Devices

  • Retire devices after they have been non-compliant for some time. This action removes the device from Intune management and removes all corporate data from the device.

Locations

  • In this menu, locations can be defined based on network information.

Compliance policy settings

  • Further options for compliance policies can be found here: the default state if no policy is defined, enhanced jailbreak detection (which can be enabled here) and the number of days the compliance status stays valid.

Conditional Access

Conditional Access policies are definitions of requirements that a user or device must meet in order to access certain resources. For example, if you need to access certain data, a prerequisite may be that your device must be compliant.

Another example: if a user is outside the company network, multi-factor authentication is required.

Policies

  • In this section the Conditional Access policies can be defined. Policies can be created in report-only mode to get only an overview, or switched on to actively enforce them. How to configure Conditional Access is explained very well in the blog of Peter van der Woude.

Insights and reporting

  • Here CA data can be sent to an Azure Log Analytics workspace to get an advanced reporting dashboard.

Diagnose and solve problems

  • Help and troubleshooting instructions.

Named locations

  • Here, trusted locations / company networks can be defined on the basis of IP information. This data can then be used for CA policies.
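The chain described in this section, a compliance evaluation (as in the Compliance Policy section above) feeding a Conditional Access decision that also consults named locations as IP ranges, as an added example. This is not code from the post or from Microsoft; the policy values, device records and IP ranges are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data, not real tenant data. The rules below illustrate the
# post's decision flow; they are an assumption, not Intune's or Entra ID's engine.

@dataclass
class Device:
    name: str
    os_version: tuple      # e.g. (10, 0, 19044) for a Windows 10 build
    disk_encrypted: bool   # BitLocker / FileVault state
    secure_boot: bool      # as reported by Windows health attestation

@dataclass
class CompliancePolicy:
    min_os_version: tuple
    require_encryption: bool = True
    require_secure_boot: bool = False

# Hypothetical policy and named locations (trusted corporate IP ranges).
POLICY = CompliancePolicy(min_os_version=(10, 0, 19043), require_secure_boot=True)
NAMED_LOCATIONS = {"HQ": ["203.0.113.0/24"], "Branch": ["198.51.100.0/25"]}
DEVICES = {
    "laptop-01": Device("laptop-01", (10, 0, 19044), True, True),
    "laptop-02": Device("laptop-02", (10, 0, 18363), True, True),    # old build
    "laptop-03": Device("laptop-03", (10, 0, 19044), False, False),  # unencrypted
}

def evaluate_compliance(device, policy=POLICY):
    """Return (compliant, failed_settings): each setting passes or fails on its own."""
    failed = []
    if device.os_version < policy.min_os_version:
        failed.append("minimum OS version")
    if policy.require_encryption and not device.disk_encrypted:
        failed.append("disk encryption")
    if policy.require_secure_boot and not device.secure_boot:
        failed.append("Secure Boot")
    return (not failed, failed)

def in_named_location(client_ip, locations=NAMED_LOCATIONS):
    """True when the sign-in IP falls inside any trusted network range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for nets in locations.values() for n in nets)

def conditional_access(device, client_ip, mfa_satisfied=False):
    """Post's two example controls: compliant device required; MFA off-network."""
    compliant, failed = evaluate_compliance(device)
    if not compliant:
        return ("block", "device not compliant: " + ", ".join(failed))
    if in_named_location(client_ip):
        return ("grant", "compliant device on trusted network")
    if not mfa_satisfied:
        return ("require_mfa", "compliant device outside named locations")
    return ("grant", "compliant device, MFA satisfied")
```

Every failed setting is returned, not only the first, which is what the Setting compliance report surfaces per device.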

Custom controls (Preview)

  • Custom CA controls can be defined here based on a JSON. To satisfy this control, a user’s browser is redirected to the external service, performs the required authentication, and is then redirected back to Microsoft Entra ID. Microsoft Entra ID checks the response, and if the user is successfully authenticated or validated, the user continues with the conditional access flow.

Terms of use

  • Here the terms of use can be defined in different languages. If the terms of use are defined and enforced via CA, a page opens where you have to accept them.

VPN connectivity

  • In this option, a certificate for an Always On VPN connection can be created. More information about Always On VPN with CA can be found in the Microsoft documentation.

Authentication context (Preview)

  • With authentication context, applications can trigger policy enforcement when a user accesses sensitive data or actions. How to configure this is described in this guide.

Classic policies

  • Tool for migrating old CA policies that were not created in the Azure portal to the new framework.

Virtual assistant (Preview)

  • Chatbot for Microsoft Entra ID Topics.

New support request

  • Wizard to open Microsoft Entra ID tickets or get existing solutions.

This is the heart of complete mobile device management: the creation of policies. Here you have all the options to create configurations such as certificates, Wi-Fi and VPN, device restrictions, personalization and many more. In the following posts I explain how you can create configuration policies. Microsoft has also announced that 1400 new MDM policies will be added to Intune in the future.

Administrative templates

  • For creating ADMX policies. The administrative templates contain thousands of settings that control, for example, Microsoft Edge, Microsoft Office, OneDrive, and more.
  • Use the MDM channel to deliver classic group policy settings.
  • Platform:
    • Windows 10 and later

Security Baselines

  • Creation of preconfigured security settings.
  • Can be found in the Endpoint Security menu. More about this in the third part of the series.
  • Platform:
    • Windows 10 and later

Settings catalog 

  • List of all the available settings categorized into the different areas like BitLocker, Defender, OneDrive and many more in one location.
  • Platform:
    • Windows 10 and later
    • macOS (only for configuring Microsoft Edge)

Templates

  • Grouping of settings such as VPN, email, kiosk devices and more. Here too, a huge number of settings is available.
  • Platform:
    • Android
    • iOS/iPadOS
    • macOS
    • Windows 10 and later

There is not much to say about this section. Here you can assign scripts to macOS or Windows devices.

You can select whether the script should run with the credentials of the logged-in user (user context) or in the machine context.

Group policies are an essential part of traditional device management. To make the transition to modern device management easier for companies, Microsoft has introduced Group Policy analytics.

With Group Policy analytics you can upload an export of on-premises GPOs and get an analysis of which settings can be translated into MDM settings. A percentage is displayed for each GPO showing how many of its settings have an equivalent in Intune, and you get an evaluation of how many policies are supported and how many are not.

Updates for devices managed only by Intune come from Windows Update for Business. To configure and manage them, Intune offers update rings. You can create pilot groups that receive the updates earlier, so you can test them before releasing the updates to all devices.

Microsoft has added the possibility to also use assignment filters for the assignment of update rings. I explained this in the following blog.

With this feature you can release a specific feature update, for example 21H1, to a specific device group. That is all the magic behind it.

This feature helps to install critical updates on the devices faster. The prerequisite is that the devices are in the semi-annual channel, which can be configured in the update rings menu.

With enrollment restrictions you can configure which devices can be enrolled for management with Intune. You can also configure enrollment limitations, which set how many devices each user can register.

With enrollment restrictions you can configure which devices can be enrolled for management with Intune. You can also set how many devices each user can register per OS type.
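The restriction types listed here and under Enrollment restrictions in the Device enrollment section (platform and OS version, manufacturer, personally owned devices, per-user device limit), modelled as an added example that is not code from the post or from Microsoft. The rule set, the manufacturer name and the already-enrolled devices are constructed; the check order is an assumption.

```python
from dataclasses import dataclass
from collections import Counter

# Constructed sample data and a simplified model of the checks the post lists
# (platform block, minimum OS version, blocked manufacturers, personally owned
# devices, per-user device limit). An assumption for illustration, not Intune's
# real enrollment logic.

@dataclass
class EnrollmentRequest:
    user: str
    platform: str          # "Windows", "iOS", "macOS" or "Android"
    os_version: tuple      # e.g. (10, 0, 19044)
    manufacturer: str
    personally_owned: bool # BYOD device, no corporate device identifier match

@dataclass
class EnrollmentRestrictions:
    blocked_platforms: frozenset
    min_os_version: dict               # platform -> lowest allowed version tuple
    blocked_manufacturers: frozenset
    block_personally_owned: frozenset  # platforms where BYOD is not allowed
    device_limit_per_user: int

RULES = EnrollmentRestrictions(
    blocked_platforms=frozenset({"macOS"}),
    min_os_version={"Windows": (10, 0, 19041), "iOS": (14, 0), "Android": (10,)},
    blocked_manufacturers=frozenset({"acme-phones"}),   # constructed name
    block_personally_owned=frozenset({"Windows"}),
    device_limit_per_user=5,
)

# Devices already enrolled, as (user, platform) pairs. Constructed.
ENROLLED = [("alice", "Windows")] * 5 + [("bob", "iOS")]

def evaluate_enrollment(req, rules=RULES, enrolled=ENROLLED):
    """Return (allowed, reasons). Every violated restriction is reported so an
    admin can see why an enrollment would fail, not only the first hit."""
    reasons = []
    if req.platform in rules.blocked_platforms:
        reasons.append(f"platform {req.platform} is blocked")
    minimum = rules.min_os_version.get(req.platform)
    if minimum is not None and req.os_version < minimum:
        reasons.append(f"OS version below minimum {'.'.join(map(str, minimum))}")
    if req.manufacturer.lower() in rules.blocked_manufacturers:
        reasons.append(f"manufacturer {req.manufacturer} is blocked")
    if req.personally_owned and req.platform in rules.block_personally_owned:
        reasons.append(f"personally owned {req.platform} devices are blocked")
    owned = Counter(user for user, _ in enrolled)[req.user]
    if owned >= rules.device_limit_per_user:
        reasons.append(f"user {req.user} already has {owned} devices (limit {rules.device_limit_per_user})")
    return (not reasons, reasons)
```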

Policy sets are a collection of different management objects and apps that can be grouped and assigned together. A policy set is a reference to the different objects you added to it. This feature was introduced at the end of 2019.

In the following blog post I explain policy sets in detail.

With cleanup rules you can delete devices based on their last check-in date. For example, if a device has not checked in to Intune for 90 days, it will be cleaned up.

To group devices of certain departments or areas, Intune provides a function called device categories. How you can configure them and how they work I have explained in detail in configure device categories.

With assignment filters, Intune gained a way to make assignments more convenient. This feature was first available for configuration profiles and then for apps. With service release 2107, Intune has enabled assignment filters also for update rings.

What assignment filters are and how you can use them I explain in use assignment filter for the update ring assignment.

This menu can be found in several places in the Intune admin center. Here you have the possibility to get help, to open tickets or to access already opened tickets.

These are the countless possibilities that Microsoft Intune offers in device management alone. By the time you read this post, many more features will probably have been added. The next post, which deals with applications, will follow soon.

Thank you very much for reading. If you liked this post, I would be very happy about a like or a share.

See you in the next part of this series.
Until then:

Stay healthy, Cheers
Jannik