- Welcome to episode 371 of the Microsoft Cloud IT Pro Podcast. Recorded live on February 23rd, 2024. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss the topic or recent news and how it relates to you. Today, in part one of two, we'll be discussing Microsoft Intune, one of the most powerful tools for managing your organization's devices, apps, and endpoint security.
In this episode, we'll start by exploring the three pillars of Intune: devices, apps and endpoint security. Then we'll move into the devices section and what devices you can enroll, how to onboard devices, and start looking at what types of configurations are available. Saturday Night Live. Welcome to Saturday Night. No. Have you seen the one? My kids think this one's hilarious. I can't remember if I shared it with you or not. Where it's, uh, Washington's Dream. Yes.
It's like five minutes. Yeah. With the units of measure. Mm-hmm. - Yeah. Oh, that, that is a good one. - For anybody interested, we'll put a link in the show notes. We don't need to spend a bunch of time rehashing it, but it's funny if you're anywhere but the US. It's funny because it totally makes fun of the US, and if you're in the US it's a great way to make fun of us and our units of measure. - Oh yeah. Very, very much so. We're, we're, we're like our own little special snowflake over here.
Yes. With our whole imperial versus metric thing that we have going on. - All in the name of liberty, my son. Okay. I have not had much sleep. I'm gonna devolve quickly. - We're not as bad as some other places like the UK, where you have both imperial and metric going all the time. So we'll see.
Before we get into today's topic, I have a, like, I have one of the most first world of first world problems going on, and I just need to get this out and off my chest and have you laugh at me, if that's okay. - Oh, I am always up for first world problems that I can laugh at. Okay. - So I have a Bluetooth mouse. Yeah. I, I have an MX Master 3S here and - Quality mouse, I might add. Yep. I love my Bluetooth, my Logitech. Yeah. Yep. MX 3S. Okay. Anyways, - So I'm right-handed.
So my mouse is on the right hand side of my keyboard over here, and I also drink an inordinate amount of coffee during the day. Right. Like, I always have a cup of coffee on my desk. So I have, I, I have an Ember mug, which is, okay, it's a coffee mug. Well, I mean, it's, it's, it's a mug for drinking liquid that has a built-in heater in it so that my coffee is always warm.
Yeah. So the way the Ember mug works is it's a traditional mug and it has a battery in it, and you go into an app and you set the temperature for it, all that stuff. All right. Your phone, the way your phone communicates with the Ember mug is over Bluetooth to set that temperature. So, so the Ember mug is inherently a Bluetooth device as well. - I can see several ways this could be going. - Ember mug sits, uh, out and in front of my mouse. So my mouse is directly behind it.
So I have to reach over my mouse to, to get to my coffee mug. 'cause I don't want my coffee mug closer to me. Right. I might spill it on the way to my mouse or, or something like that. So I feel like, - Oh, a hundred percent I have the same setup. - Like this is a constraint that, that cannot change. I have been like, it dawned on me earlier this week, all my trouble with my mouse. Like, Hey, why is my mouse like janky and not connecting to the computer?
Like, what's going on? Like, is it disconnecting? Is it out of battery? I'm like, no, I just charged it. Like, this is kind of crazy. I think it's because I have a Bluetooth mouse and a Bluetooth coffee cup and they are totally conflicting with each other. 'cause my Bluetooth mouse is not strong enough of a Bluetooth signal to pass through my Bluetooth coffee cup - Coffee mug to - Make things work. And Ben, I can't give up either device. I'm not gonna stop drinking coffee.
I'm not gonna go back to a regular coffee mug. Like I, I can't do that and I can't give up my mouse and become left-handed. So I am living in this constant state of chaos now where I'm always putting the coffee mug down in front of my mouse and then I'll jiggle the mouse around and go, oh, it doesn't work. And then I slide the coffee cup over to the middle or further off to the right and that it works.
But then I ultimately have to bring the coffee mug back to my face to drink some coffee and then it immediately goes right back to the same place it was, right in front of the mouse. Right. Like ev, every single time, I cannot just train my way out of this. Somebody's gonna write in and they're gonna go like, Hey, why don't you use the dongle that comes with it? See, that's - What I was gonna ask. Yeah. What about the Bolt connector? Yeah. Yeah. With the USB Bolt?
- So I bought one of those. I have that as well. It's sitting right here in front of me. It's plugged into my KVM. It's maybe 16 inches away from the mouse. Does not help with what I believe to be a firm interference problem. Okay. It is the most first world, first world problems that I could have. I don't know how I ended up in this situation. I don't know how to get out of it, but I think I'm just gonna have to continue living my life this way.
Chaos. Pure chaos. - So I have something for you to try, because I have done this, not because I have a Bluetooth coffee mug, but because my mouse is over here to my right as well. But my Mac Studio is like four feet away over the opposite kitty corner. 'cause I'm from the north, so we say kitty corner and not catty corner. Um, and I don't use Bluetooth. I use the Bolt connector and I have monitors and stuff between it. And I've had interference problems as well.
This is one thing I would say I have with the Logitech MX: it does seem to have interference problems very easily. For whatever reason, I got a USB extension cable for the Bolt connector. And I literally have it run under my desk and like taped to the bottom side of my desk right underneath my mouse. - This is what it's come to. Huh. - Or Command Stripped, I guess; it's not taped, I Command Stripped it. Or zip tie it right to the underside
of your desk underneath your mouse. - So that thought did cross my mind. I was wondering how crazy it was going to be and going to get, but maybe, maybe that's what I need to try and do. What's, what, you know, what's one more cable in my life? I, I, I don't have enough. What's one more? Easy enough. Totally solvable. - So I will say when I crawl underneath my desk, I'm like, man, I need to do some cable management.
I have, I, I start out, it ends up so nice and neat and I'm like, oh, I finally managed all my cables. And then inevitably I get a device or I run into something like you did where I have to move a cable or shift a device or something and then my cables slowly dissolve into a massive spaghetti. - Same, I'm on a standing desk and every time I add a new device, I do not go to the back of the desk and pull it all the way out. Like, it's on casters.
I could absolutely do this, but I don't, and like run the cable nicely. So over time, like there's, there's this part of my desk where everything is nicely managed. It's all cable clipped up and it's ready to go. And then the rest is just a sea of cables that no person would ever want to swim through. But I will, I will try, I'll try your suggestion and see, you know, my problem now is the only USB extension cable I have is a six footer and I only need to go about, mm,
three feet. So, and, and I'm just gonna have even more cables hanging out underneath the desk that aren't gonna be properly managed. - Probably. And then you at least have to make sure you zip tie it up or Velcro tie it up enough. So, well, so I have the problem. I have a standing desk so I stand, but I have a bar height chair.
And my problem is if I make sure all my cables aren't up quite high enough, every once in a while I'll get my foot looped in a cable and I like stand up out of the chair and I'm caught in a cable. - You know, it's, it's good to know I'm not the only one with issues and that, and that we both have our, uh, eccentric lifestyles going over here. Yes. I will take your suggestion to heart. Uh, I, I will try it and see how things go. If I don't report back,
it's either because I got sidetracked and actually didn't try it or I've just decided that pure chaos is the best way to live my life. But anywho, you have an article up on the screen. I think you had this same article up last time when we talked about Copilot and we got totally, I think I totally sidetracked - I did, and then we never actually dove into it.
And we can, we can tie in our segue, Scott, 'cause we were talking about management and chaos and all of that when it comes to cables. Maybe today we should talk about management and chaos and all of that when it comes to devices and endpoints for Microsoft 365. - This one's your show. You, you, you are the expert. But - I get to talk. - I'm gonna capitulate. We're, yeah, we're gonna do the one about Intune. All right.
- We'll do Intune, which was then Endpoint Management, which is now Intune again. - You want names to stay the same? You, you, you ask for so much. - Oh, names never stay the same. I have heard rumors of new names changing, other names changing, which we shall not talk about today 'cause we will stick with Intune and we're gonna stay on focus. Yet this has been a big one.
And I will say I have been doing a lot with this. Sean, who also does a bunch of contract work for me, has also been doing a bunch of Intune. It's been a hot, hot topic, hot product, all of the above of late, at least from what we've been doing in the Microsoft 365 world. And there have been a few things that have come up that we can talk about. But I think this is one that in particular has grown and expanded and evolved quite a bit over the last several years, in my opinion.
While it has its quirks, it is really good. There's a lot of stuff you can do when it comes to Microsoft Intune. So kind of where to start with this one. And as we were putting our notes together, planning it is you have Intune is this overarching product and I don't know how much we wanna get into licensing. There are several different licenses, Scott.
You have like your Intune, I think it's Plan 1, Plan 2, and then you have this Intune Suite that is an add-on to, I don't think you can add it on to Plan 1. I think it's an add-on to Plan 2. It's kind of bizarre. It's kinda like the new Entra ID Governance license. - So, so I mean it was interesting to me, like just kind of thinking about, uh, you know, I, I, I lost sight over time of how big a product Intune has become.
And, and I guess in the back of my head I I, I might even be thinking about Intune the wrong way because it's not really a product, it's a suite of products today. Like it is all of these things. Yes, it's device management, it's application management, it is endpoint security and all the things that go into there. There's remote help components that come with it. There's tunneling stuff that, that, that pops up from time to time.
Like it is an all over the place kind of suite of application and device management and actually like observability tooling, right? With some of the reporting and things that you, you can do about it, do with it depending on, on what your needs are in your environment.
So I, I guess like one of the, one of the things to me and, and I don't know if other folks encounter this is I was always hearing Intune and then like somebody would come to me and I would, and they would say like, oh endpoint security. I'd be like, yeah you mean Intune , right? Like is isn't that what we're just talking about?
It's like, oh no, you're actually talking about something maybe like Microsoft Defender for Endpoint, which just happens to be part of that overarching Intune suite and, and, and the suite of products that exists out there underneath it. - Yeah. And here I pulled up the licensing. So wrap your head around this licensing, Scott. You have Intune Plan 1, and Intune Plan 1 is included with all the Microsoft 365 things.
Microsoft 365 E3, E5, F1, F3, EMS E3, EMS E5 and Business Premium. You get Plan 1. If you want to, you can get an add-on to Plan 1, that's Plan 2, and that offers some of that endpoint management capabilities and some additional functionality. Or you can cancel your Plan 2 add-on and get the Intune Suite add-on, which is not an add-on to Plan 2, like I said before, it's an add-on to Plan 1 and it includes all of the Plan 2 stuff.
So you get Plan 1 and then you get like a choose your own path for your add-on to Plan 1, whether you want Plan 2 or whether you want the Intune Suite. - How much per user per month would you like to spend here? - Yeah. 'cause Plan 1 is $8 per month, and this again if you're throwing it into Office 365. So most people, I will say I do not see a lot of people going out and just buying Plan 1.
Most people have Plan 1 if they're going down this route because they've done the Microsoft 365 E3, E5, F1, small business, whatever. And then that Plan 2 add-on is $4.
But if you wanna add on Intune Suite instead of Plan 2, it's an additional, uh, and you get that Intune Suite is some of that stuff you mentioned where you start getting like the remote help stuff, you get some of the endpoint privilege management, advanced analytics, enterprise application management, which is not at management. We'll get into this in a little bit. Cloud PKI, some other stuff that you can also buy as add-ons. So licensing, it's confusing.
We'll throw a link into the pricing page so you can go look at all the different options and how you want to piece this one together. But it is, there's a lot of stuff that has been included in Intune and keeps getting added to Intune over the last several years. So that's pricing. You get a lot of people that have Plan 1, you can do a lot with Plan 1. Even that upgrade to Plan 2, it gets you some VPN stuff and it gets you some management of specialty devices.
Think like virtual reality headsets, smart screen devices, conference room meeting rooms, and it does firmware over the air updates. So really I think Plan 1 is suitable for 90, I don't know, I would say 90% of people Plan 1 is usually adequate. It's really those unique cases that maybe you get into where you wanna start looking at Plan 2 or the Suite.
- It's an interesting one. So one of the things that I saw when I was looking at licensing and trying to wrap my head around it is there's also cases where you can end up with requirements for not only Intune licensing but also Entra ID, like P1 licenses or P2 licenses. So like if you're a customer who's maybe coming over from a configuration management envi, or Configuration Manager environment, right?
Like, like you're going down that path and you've been doing, you know, SCCM, and then you want to say you, you look at something like Intune and you're like, oh I want to do, uh, device enrollment that way. You know, I, I, I like those ideas and, and maybe you wanna do like auto enrollment or things like that. You, you can have considerations for not only Intune licensing but also Azure AD licensing, Entra ID licensing. So I think it's just important to maybe keep that in the back of your head.
And then there's also the device license thing, which I don't, I don't even really want to get into. But suffice to say there's also this concept of device only licenses and it just gets like, you know, weirder and weirder, the, the, the more you walk, w, walk down the stack. - Yeah, and I've gotten into it a little bit 'cause like I have a device right here if you're looking at my video, I don't know which way to point anyway with my fingers.
The, like the conference room devices, if you want Intune managed conference room devices, you get into a whole nother can of worms, uh, when it comes to licensing that, like you said, we're not gonna go down that route for now, or go down that, uh, path I would say.
Um, so diving into Intune, like we've talked about, there's this, there's that, there's all of this random stuff I guess in Intune and as we were going through this, I kind of broke it down and I would say this intro page, so there's an introduction to Intune, what is Intune? And Microsoft would tell you that Intune is designed to support hybrid and remote workforces, challenged with devices that access organizational resources as people need to work from anywhere.
And I think this is why you start to see Intune gaining more and more traction is as people work from anywhere they access different resources from anywhere, it becomes a protection thing. Like how do you protect my data? And also how do you protect these devices when they're not necessarily coming into the office? And there's a few different things to it, right? Because one is just protecting these devices.
I leave my device in a hotel room or I leave it in the seat back of an airplane or maybe I'm just working from a coffee shop and I don't lock my device when I step away. Or there's all different scenarios you can get into with devices. So there's one aspect of Intune that is very much managing these devices and keeping my devices secure.
But also in Intune there's these additional, and we kind of call them pillars is like the application pillars is not only do I have devices, but I also wanna manage applications on these devices. Uh, and I've run into a lot with, this is one of the projects that's come up a lot I would say even in just the last four or five months is as employees are remote, the whole concept of imaging devices has come up.
Like companies used to go, let's create laptop images, let's create our gold images with all our software installed, with our applications configured the way we want to. We have our group policies pushing out configurations and these devices are connected to our network. We set up the image, we send 'em off to employees.
We've gotten a long ways away from that over the last four or five years. In terms of like you, Scott, I mean you have your laptop from your company, from Microsoft, and have you ever been to the Microsoft office? - Once in, in three years? But like that was three years in. - Right? Like you work for three years remotely on a device. And let's face it, Microsoft probably has some stuff they want to keep nice and safe.
They don't want just anybody accessing their information from anywhere as an employee. And you get a lot of companies like that. So there's the whole application protection. And then the last one I would say that differs a little bit from maybe this slide 'cause I don't see it. I mean they have some of it on here is the whole security aspect of it too, right? You're managing your devices, you're managing your applications and I would say devices is like configuration of the devices.
How do you want these devices configured? But then what you mentioned is you also start getting into endpoint security and how am I managing antivirus or disk encryption, how am I monitoring these devices for potential suspicious activity, and all of this management, security, application functionality rolls up under this Intune suite of, I don't know if it's an Intune suite of products or an Intune suite of capabilities. - Yes. And yes. I, I think it's both.
I, I, you know, so, I like the way you broke it down. I was very confused when I went in 'cause it's, it's been a hot minute since I've looked at Intune and I was like, this is too much. 'cause I, I think if you're a regular consumer and you go to that overview page today, holy cow, good luck. Like trying to figure out what's in there, right? Like you, you, you really like, and even that like, like the graphic that you have up right now, such an eye chart for just the things that are going on.
Like, like really I did, it was a good approach and, and good for me to like be grounded in it from talking to you to sit down and say like, oh hey, here's another pivot and another way to think about this where you can really break it into these logical buckets.
So I kind of want you to take the pillar concept forward and maybe like do it at a conference or something just so you can have like the, the pretty slides so you can go put out a PR for this one and say like, hey, like do you know what this actually is here? It's devices which need to be enrolled and onboarded and potentially configured it's applications. So what are the applications we have? How, how do we need to protect them? What's the configuration of those applications?
Office plus all the other stuff that exists out there today. And then it's endpoint security, right? Like, like we can do things like encrypt disks, we can have antivirus, maybe we need to configure local firewalls right on, on, on device.
Things like that. And that's a great way to step into it and I think approach it even like if you get into some of the other docs for Intune, like you sit down and you look at like the, like there's an article out there for the planning guide for Intune and it talks about like here's the big steps that you need to do along the way to plan for an intune deployment.
And like step one is determine your objectives, but I don't know how you can know what your objectives are without understanding like what the downstream components are and how that's coming no matter what. You have to inventory your devices and then it just kind of like skips a bunch of stuff. It literally goes from inventory your devices to determine your costs to get into your rollout plan and then just like roll it out and you're like, huh. Like that's my plan. - Yeah. - What happened?
What were all the steps in the middle and, and all the things that needed to be done. So I, I really do like, like the way that you rationalized it with kind of the three pillars, and if that's not your original idea, you should just claim it is and run with - It, as I should. I, I think it might be. We'll go with that. It is.

Do you feel overwhelmed by trying to manage your Office 365 environment? Are you facing unexpected issues that disrupt your company's productivity?
Intelligink is here to help. Much like you take your car to the mechanic that has specialized knowledge on how to best keep your car running, Intelligink helps you with your Microsoft Cloud environment because that's their expertise. Intelligink keeps up with the latest updates on the Microsoft cloud to help keep your business running smoothly and ahead of the curve.
Whether you are a small organization with just a few users up to an organization of several thousand employees, they want to partner with you to implement and administer your Microsoft Cloud technology. Visit them at intelligink.com/podcast. That's I-N-T-E-L-L-I-G-I-N-K.com/podcast for more information or to schedule a 30 minute call to get started with them today. Remember, Intelligink focuses on the Microsoft cloud so you can focus on your business.

It's interesting that you brought that up, because the deployment of this is something that I've had a lot of discussions with these clients over time and usually the way these discussions go is, Hey, I need Intune and I need to deploy apps and I've heard about this thing called Autopilot and I need to make sure my devices are secure and they're configured in a certain way.
And it's like, it's almost like that slide where it's a whole jumble of spaghetti stuff of I've heard about all this stuff and I know it's all in Intune and I want it all right now. And I'm like, okay, let's back up. So I know they have a deployment plan. I will say from my perspective, and it does vary based on requirements like some people have very specific requirements and objectives for Intune or on what they need to do right away.
My very first step when somebody comes to me and says I need Intune and I need all of this stuff, is I ask this very question. It starts with the devices and you mentioned it, do you have your devices enrolled in Intune? I don't care about anything else. I don't care about applications, I don't care about security. Are your devices enrolled in Intune? Because maybe I need to come up with pillars and a foundation because enrollment is the foundation.
If your devices aren't enrolled in Intune, in my opinion Intune is worthless to you. Because that enrollment is what allows you to deploy applications, to push out configurations, to start setting up Autopilot. And there's, I also run into a lot of confusion between Autopilot and Intune and what does what. Some people use them interchangeably. Some people think like Autopilot is an imaging tool, and we can talk some about that.
But it is literally, okay, we're coming in, our very first step, how are we gonna enroll your devices in Intune? Because we need these devices managed, and frankly enrolling them in Intune doesn't affect your end users. I can go work with you and we may have to work with your users to get your devices enrolled in Intune. There might be some manual steps because this is the one, this is also the one that I would say is the hardest if devices aren't already enrolled.
And it varies some if you have a domain controller, if everything is disconnected or even if you're already Azure AD joined and didn't have Intune set up when you first joined the devices, enrollment can be tricky, but once it's enrolled the first thing you do is you start getting all the information about 'em. Like Intune will start spinning back, what applications do these people have installed? What devices do you have? What hardware are they using?
What version of Windows are these devices on? From that perspective, enrollment in Intune is a great way to do that second step you said, where it's like inventory your devices, because as soon as they're enrolled all this information starts getting spit back and collected in Intune. So you can just get a level set of what are my devices, what's installed on 'em, how are they configured?
And get a lot of information that can help you actually plan for going down the rest of the path of installing software, setting up security policies, all of that. - You do have to be a little intentional and maybe go like do the research to understand like, I, I, I agree, like enrollment is the first step, right? Like understand it and that, that's a great way to like base your inventory, but you still have to know the types of devices that exist.
So like am, am I talking mobile devices like phones, tablets, what's the operating system that it's run on? Because Intune like as a suite, it, it's expansive for the types of operating systems that it supports when it comes down to device enrollment and like what it can control on device. So you've got coverage for Android, iOS, iPadOS on the Apple side, you can also do Linux, you can do macOS, you can do Windows 10 and 11
- And Windows Mobile. Yeah. - Well, let's, yeah, pour one out for Windows Mobile, sorry. Uh, Chrome OS is even in there, right? Like so like depending on your organization, like you might look and say, oh you know, I wanna know about my Windows devices. But then it turns out like you give all your salespeople cell phones, right? And you've got Android and iPhone and all sorts of other things out there.
So like, okay now I've got those and you, and you really do need to kind of be intentional with what you're gonna put out there, what you're gonna put the time into, into configuring and, and potentially understand the constraints. Like, you know, it's, it's one thing for me to say like, oh, are you a Linux customer? But then you come in and read the documentation and you're like, oh yeah, it's not all of Linux though. It's actually just, um, Ubuntu, you know?
Yeah, 20.x and, and 22.x. So good luck. - Yeah, and Apple, I mean you get the same thing with OS, as like Apple iOS is 15.0 and later, macOS is 12.0 and later. And even though I would say some of these, like Intune supports macOS 12.0 and later, what you can do from 12 to 13, where are we on now? 14, I forget. - We're at, we're - 15? Should, it's 15.
15, yeah. It varies from 12 to 13 to 14 to 15 in what you can do. Like you said Windows, you can do 8.1, you can do 10 and later. I have not seen much that differs between 10 and 11, but there is a big difference between stuff if you're still doing 8.1 and enrolling those versus 10 and 11.
So it is an, the enrollment is, enrollment is a challenge, and I would say the biggest thing that you always have to figure out is what do you have. If you have an on-prem, this is funny to me, Scott, I'm curious your thoughts. Microsoft has been really trying to get people to get away from some of the hybrid enrollment. Um, the hybrid AD join and hybrid environments. They would love everybody to be Entra only.
The easiest way to get a device enrolled in Intune is if you're in a hybrid environment, because you can do it with GPO policies and your AD Connect synchronization, where those devices that are joined to your on-prem domain, synchronized up, have group policies deployed. You can automatically enroll those devices in Intune at any point in time with just a few configuration changes.
If you're not in that scenario, you're limited to, you can auto-enroll when a device is joined to Azure AD. If a device is already joined to Azure AD, there's no way to like automatically enroll them remotely. I can't go say I have all these devices joined in Azure AD, automatically enroll them into Intune, because of the way user permissions work, and especially if a user's like a standard user on their device.
The difference between that initial Azure AD join and once it's already joined and weird under-the-covers stuff with Windows. So at that point in time you either have to let your users be local admins on their devices so that they can enroll themselves, or you can like go create provisioning packages that are executables that you can deploy remotely using software. But if they're not enrolled in Intune, you can't deploy software remotely.
So you have to have something else, which then maybe you question why you're using Intune. Maybe you're trying to migrate to Intune. Yeah, you get into a little bit of chicken and egg with provisioning packages, uh, or you can have users like double click and run it and provision Intune.
But pretty much if they're already joined to Azure Active Directory, or if they're standard users and you don't have an on-prem domain controller, it can be a very manual process to get people, or get devices, enrolled in Intune.
And that I would say is it's the first step, but it is also the biggest challenge, particularly, particularly with desktops like you mentioned, iOS, Android, those, it's a lot simpler because you don't run into same, some of the same local permission rights when it comes to those types of devices.
- It's rough too because, you know, uh, like it's, it's a little bit weird 'cause like we're talking about Intune as a product when it really is a suite of products, and I think it's confusing because Microsoft talks about it as a product and a suite of products. Like, like one of the things that got me is like I think about like some of these sub components that fall under the Intune umbrella, right? Like Defender for Endpoint is a good example.
Defender for Endpoint supports way more operating systems and endpoints than Intune does, right? So you think about like enrollment in Intune as being maybe like Linux and just Ubuntu. Oh, it turns out that Defender for Endpoint will totally do RHEL and CentOS and Debian and like all those things, right? It'll even do older versions of, of macOS along the way. It will do other operating systems, right?
Like you can have, uh, Windows Server set up with Defender, but then you're like looking at this list in Intune that potentially is really different, like it's not even a superset or a subset, it's a, they're, they're like two disconnected things even though they fall under the same product family. But you gotta start somewhere, right? Like so why not start with the big bucket of like rationalizing devices and bringing those in.
And then I would imagine once you have the devices, like like you said, you can do the inventory and then you can start deciding what aspects you do want to manage, right? Is it do you move onto that next pillar of applications or do you do security or both at once, right? Depending on on what your needs are and what you're trying to execute on. - That's where I tend to see again once they're enrolled, people tend to diverge a little bit based on those goals.
I think if you kinda stay on some of the device configuration is where people tend to go because a lot of, I would say a lot of companies are used to using GPOs.
They're used to pushing out certain configurations to their devices via group policy objects, whether it's configuring things like Google Chrome, because let's face it, a lot of companies still have that for their default browser, pushing out like auto configuration of OneDrive, pushing down corporate Wi-Fi connection information, whether it's certificates or SSIDs. Any number of those settings.
And this is one area that I've seen Intune get a lot better at lately. It used to be, and I remember having this conversation a lot back when it was Azure AD, and I'm gonna say Azure AD because that's what it was, is Azure AD is not Active Directory. You don't have - It is not, right?
And a big part of it was you don't have group policies. Like you can use it as an identity provider, but outside of that it used to be like an identity provider, and now it has a whole suite of settings. And it's not GPOs, like I am not gonna call these, you go set up GPOs. Setting up configuration policies in Microsoft Entra ID, or in Entra now. And those can include importing custom ADMX templates.
So you can go download the ADMX templates from Google for Chrome, import them into your configuration policies, and I should pop this up, and then go start configuring those settings for Chrome that you're gonna push down. This one in particular is still in public preview and it's been that way for a long time. I don't know how long it's been in public preview, it's - Been like a year plus. - But they also have a whole suite of settings that you can start pushing out, Wi-Fi.
Recently I did one with OneDrive to like auto log people into OneDrive and set up the backup for their devices and documents you can set up. This is an interesting way, one I've done recently too is AVD, Azure Virtual Desktop, environments. This is not just for endpoints, but I did AVD where I enrolled it in Intune and actually set up all the FSLogix settings via Intune to push out to these Azure Virtual Desktop machines. So all of those types of settings are there.
So if you're, you've been a little bit on this fence and looking at it, I would really encourage you go look at a lot of those configuration settings and see what's there.
There's also a tool out there that does a comparison of what you have in GPO. It's that "import GPOs here to create policies," where you can go export your GPOs from your domain controller, import them into Intune, into this GPO analyzer, and it'll go through all of your GPOs and match up how that relates to your configuration policies and what you can or cannot do, because there is still a disparity there in some cases between configuration settings in, uh, Intune
and what's available in GPOs on-prem. Yeah, - I think we've been on this path for a while though. Like, uh, at, at some point you have to imagine that it kind of makes the flip to the, uh, the just that subset of stuff that can only be done from something like Intune and a cloud configuration. Uh, I think we've seen this with like the Office configuration tools, right?
And, and some of the things that come out there that are natively available within like Office 365 and M365 as, as a service as well. Like, you know, I used to work a whole bunch with customers who would do GPOs for Office and it was like, hey, we're making the transition to the cloud, why don't we use the cloud management service? And it, and it does get a little disparate 'cause you end up potentially managing Office over here in this tool.
And then maybe there's some functionality that isn't in the cloud management service where then you gotta go to Intune and, and do it on that side and you're like, uh-oh, now I got two of these things. Do they actually conflict? Do they, do they work together?
How does that go? But a lot of it is like, you know, I think you have to step back and maybe like do a little assessment like is the writing on the wall that like, you know, some of these things that I'm potentially trying to force from legacy environments or on-prem or whatever it happens to be like, uh, is is that the right way to do it in the modern age?
Right? And like, and I spent a bunch of time thinking about this 'cause I'm like, you, you know, I do, I, I work for Microsoft, you know, I have to enroll my personal devices in MDM, right? Like, uh, you know, Microsoft doesn't gimme a phone so I en, I enroll my personal device just so I can have like Teams and email and things like that on my phone. They let me do that. Like, it's like they, they've got an environment that's like that, right?
Like that can happen. Like if Microsoft can make it happen with you know, a hundred thousand plus employees, like why can't you make it happen over here? Right? like, like yeah, you know, some of these places that I think like overindex on the security aspects of things, you know, there's so much of that too. Like it impacts not just Intune and that stack but things like Azure AD and password policies, right? Like should you make your users change their password every 30 days?
Like is that a valid thing for you to be doing anymore? No, it feels a little like old school than legacy. So I think it's always good to kind of like take the step back and reevaluate like, or if you are making these migration kinds of things of not just a street like lift and shift, like let's put it over here but let's really like shift in a direction.
So rather than like picking the thing up and moving it over, let's actually like slide through, and as we slide through, like what are the transition items that we need to figure out along the way that potentially land us in the right place for the future. Yes. - Scott, you made one comment and it triggered a soapbox of mine. Do you think Alex, do you think Alex Simmons listens to our podcast?
Is it Simmons or Simons? He's the Entra ID - I would probably butcher the last name, but yes, you're on the right path. No, we're, we're, we're lowly cogs in the machine. Nobody listens to this. Okay. - If anybody from Microsoft is listening, Entra ID, you mentioned password resets. I 100% agree, I'm on the boat of don't do password resets and do MFA, I mean even do passwordless, all of that. I had this conversation with a client the other day and I don't know why this is still the case.
You still cannot force a password length longer than 12 characters in Microsoft Entra ID, and I don't even know that you can do 12, you may only be able to force eight. You used to have like basic and strong passwords, which was eight or 12 characters, and it had different requirements around special characters and all of that. But if you wanna force anything more than 12, assuming you can still do 12, you have to use on-prem. Like this can't be that hard.
This has to be like a dialogue box and a character counter in password reset. 'Cause they support up to, I don't know, 64, 256, 256 - In hybrid, 256. - That's what I thought. Yeah, they support really long passwords but I can't force users to do that. And I've had clients come to me that say we don't want to do password resets, but a 12 character password crack time, that's what I was looking for, I believe is like weeks, no, or 12 characters.
Oh no, 12 characters is still on that bubble of 34,000 years. I think it's when you jump, jump down underneath 12, but some of them want eight characters is 22 minutes. Um, if you have an eight character password, go make it longer please. But I do have clients that want to be able to go like 14 or 16 characters.
I don't know. I mean maybe the theory is, this is outside looking in, is that Microsoft is going more towards FIDO and passwordless and they figure let's not force 12 because maybe that'll encourage people to go passwordless. But you can't get a hundred percent passwordless yet, and you can't do it with an Entra ID account like you can with an MSA account and actually go in and just say delete my password, so I don't actually have a password.
- I have some thoughts just based on the way I know we've built other stuff at Microsoft about how you potentially end up in situations like that. But uh, I'm gonna keep them to myself. Not, not, not that's breaking NDAs for that one. Yes. But yeah, I I but I think those like restrictions do exist. So like in a world of, hey, I'm not gonna have my users change my passwords and there are restrictions on character length, things like that.
Like at some point you're gonna lean in and trust the operational controls, right? Like you mentioned like, hey, how long is it gonna take to crack this password? You would very much hope that the statements and you know, effectively the way the service is provisioned for Microsoft that like you're not gonna be able to execute a password spray where you can just bang that thing, you know, against the wall for 30 days or 22 hours or whatever it is. So, so there, there's other mitigations there.
Like I know it's not an equivalent, right? But at some point like, you know, you gotta do that trade off and, and the mental math. Yeah. And kind of figure some of that stuff out. Let's see. You know, so observation, we, we, we tend to run longer now that we're doing this every other week thing and, and trying to plan these out ahead of time. But let's, let's see like how can we wrap this one up? How - Can we wrap this one up? So should we wrap this up with device configuration?
Should we do Intune part one and part two? I - Know there's more there 'cause I put the notes together - With you, there is more. Yes. - Let's figure a good stopping point and we can do just part two as a natural follow on to this one. What - Other notes do I have? Anything else about devices? Because I would say we kind of talked about the whole device pillar, right? We talked about enrolling devices, we talked about the ADMX templates, the configuration settings.
They do have some co-management options. I have not seen anybody do this. This is essentially, if you're doing like SCCM on-prem management and you wanna do Intune management, it's available. What else do we have? Client configuration, Mac-based devices.
I think this is, we may be at a good stopping point here, Scott, where I think we talked like intro to Intune, we talked about the devices, enrolling them, configuring them, and I think from here we'd start moving into applications like what can you do from an app management perspective with Intune? Which that one we could absolutely go long. And then some of the endpoint security. Yeah. Great. I think we just wrap it here. - All right, let's do it. So this will be part, part one of two or or
- Part one of - Two? Part two, one of - Two. Unless we go long again and we come up with a part three. But we'll plan on part one and two. We'll figure it - Out. Yeah, part one of deux. Got it. Yes. I just wanna do Microsoft Intune part deux in the, in the title for the next one. In - The title. I see, I see the motivation here. Yeah, - I know well. Yeah, - In a couple weeks - We will pick this up with apps and endpoint security then as our next ones. Perfect. - Sounds good. Well thanks Scott.
Enjoy your weekend and we will be back in a couple weeks with part deux. - Awesome. Thanks Ben. - If you enjoyed the podcast, go leave us a five star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show, feel free to reach out via our website, Twitter, or Facebook. Thanks again for listening and have a great day.