Take control of your unmanaged PCs with Intune
IT epidemic caused by pandemic and supply chain disruption
In March 2020, governments around the world instituted “stay-at-home” orders in response to the COVID-19 pandemic. City centers and bustling cities suddenly emptied out. And businesses scrambled to adapt to the new situation: remote work.
Meanwhile, supply chains across all industries and around the world have failed to keep up. But in the IT sector, one of the hardest hit areas has been laptop distribution. Disruptions further diminished supply as the situation in China worsened with lockdowns. Gartner recently noted that the pandemic has led to “the strongest demand for consumer PCs in 10 years.”
For many IT professionals, the established system for preparing devices was site-dependent. But when you’re not working from an on-site location, that’s simply not possible. Laptops were often shipped directly to users without any configuration. And they were actually no more controlled than BYOD devices. It was as if the user had just picked up a brand-new laptop from the store.
To properly secure, trust, and manage these devices, administrators must regain control. There are several options for transitioning unmanaged devices to a managed state. This article will focus on native Microsoft 365 tools, leveraging several existing Windows 10 device scenarios.
First, you’ll learn how to take control of these devices. Then, we’ll examine best practices for the devices you currently manage. This will help you prepare for scalable deployments that comply with company policy, ideally without on-premises dependencies.
Explore our options
For unmanaged devices in use, we first bring them back under Microsoft 365 control. The remote end user can perform 2 methods, without the need to recover the devices:
- Intune Enrollment from Windows 10 Settings
- Intune enrollment with a provisioning package
Microsoft recommends using enrollment from Windows 10 Settings, so provisioning packages are covered in this article at a high level only. Provisioning packages involve executable distribution (which we really want to avoid) and other security issues. Only administrators should use them. Windows 10 Settings, on the other hand, is ideal for end-user enrollment.
Overview of device management in Microsoft 365
Conceptually, Microsoft 365 environments have a device state. At a high level, this refers to whether the device can be managed from the tenant. At a lower level, device state can refer to the management method.
Configuration Manager
The traditional tool in a Microsoft ecosystem for managed devices is Active Directory (AD). When a device joins AD, it can retrieve security, compliance, and software settings. The device also sends information about itself back to AD. In large enterprises, Configuration Manager is the predominant choice for device management. It is typically domain-based.
Their reliance on on-premises infrastructure or cloud-based Infrastructure as a Service (IaaS) is essential. However, scaling challenges will arise when you take control of devices without physical access.
Looking for a more scalable, less expensive, and more flexible service, we came across Intune. Intune runs on the public internet, with Microsoft managing the infrastructure so you don’t have to. An enrolled device is considered managed if administrators can now control the device’s configuration and applications.
Intune and Azure AD
In addition to enrolling in Intune, devices must also join Azure AD. In on-premises Active Directory, domain membership and the ability to apply settings are fundamentally linked. Whereas Azure AD membership and Intune are fundamentally separate. They simply complement each other.
While it’s possible to sign up for Intune alone, there are many reasons to sign up for Azure AD as well. These include:
- a prerequisite for any silent BitLocker encryption you wish to apply,
- a prerequisite for Intune Management Extension (IME), which enables deployment of Win32 applications and PowerShell scripts.
Azure AD join alone is more viable when your devices don’t yet have management control. Therefore, devices have no way to establish connections to domain controllers. Intune enrollment is done automatically when you join Azure AD with the Azure AD Premium P1 license. Azure AD mobility settings define the scope of Intune.
Although the device joins Azure AD, the local user account still exists. The initial advantage is that the risk of data loss is low. There is no need to move applications and documents to a new profile.
However, you should plan to remove the user from the local account as soon as possible. This can be done by reprovisioning the devices to eliminate any security issues that may remain on the device. We’ll cover this in more detail later in the article.
Sign up from Windows 10 Settings
This self-enrollment method allows your users to enter their Azure AD credentials into Windows 10 Settings! They are joined to Azure AD and managed by Intune. The specific settings page is located in Settings > Accounts > Work or school access:
The user then chooses to connect and join this device to Azure Active Directory:
Authentication is performed using the Azure AD modern sign-on window, which allows you to enforce conditional access and MFA. The user is prompted to confirm their participation, after which the device is ready to use:
The device is now joined to Azure AD and enrolled in Intune, but there are a few important things to consider. Intune will consider workgroup devices enrolled only with this method as personal devices. And it will mark them as such under the Intune ownership attribute.
Therefore, you should configure Intune enrollment restrictions to allow personal Windows 10 devices. The risk is that users could also enroll PCs that you don’t want them to. And if they are assigned policies, you’re forcing them to use a device you’d rather not have.
We can work around this by creating a second registration restriction with higher priority, reserved for users who need to do so:
Registration with a provisioning package
Provisioning packages are created by administrators using Windows Configuration Designer (WCD). They offer a one-click executable that can perform multiple provisioning tasks. In our case, we can easily join Azure AD and enroll Intune without having to navigate through various settings.
Additionally, the package is authorized to perform this action with a bulk enrollment token. This eliminates the need for user authentication, further speeding up the process. Intune considers all devices enrolled with provisioning packages to be corporate devices, so you don’t need to change your enrollment restrictions if you block personal PCs. Devices can also be renamed according to your convention, which is useful for dynamic group membership.
For the reasons outlined above, there are certainly security risks associated with distributing provisioning packages. You allow users to enroll any device without authentication or control. Therefore, your best option is to use Windows 10 Settings enrollment.
Summary of non-disruptive approaches for existing devices
For a more comprehensive review of the two approaches, the following matrix explains how they differ in various respects:
Quick earnings after registration
Local administrators
With both methods, the user remains a local administrator, which we know isn’t ideal. However, with Intune, we can fix this. For Windows 20H2 or later, we can replace local administrators with a list of named users (or SIDs) using the LocalUsersAndGroups parameter. Or, for earlier versions, we can use the ConfigureGroupMembership parameter. The advantage of the first method is that we can update it without replacing it. With the second method, the policy is “tattooed” and cannot be changed.
During an Azure AD join, the local administrators group includes Azure AD administrators and local administrators of the joined devices. Using policies, we can limit it to only them, removing all other local users. Unfortunately, there is no first-party LAPS for Azure AD joined devices yet.
Deployment policies
To further secure and control devices, you should consider deploying BitLocker policies to silently encrypt the device. The device object in Azure AD will store the recovery key. Additionally, you’ll leverage application deployments and PowerShell scripts to deploy your security software to supported endpoints.
You’ll also want to configure a Windows Update for Business policy to update devices as soon as possible. Because up until this point, we know the device was unmanaged and is likely dangerously outdated. A second benefit of this is enabling more features, such as the LocalUsersAndGroups setting. The latter will apply when outdated computers reach Windows 10 version 20H2 or later.
Remember that all settings and applications must associate with Azure AD groups. Consider how you will create these groups, ideally based on dynamic queries.
Another benefit of Intune-managed devices is the Discovered Apps report. This is powered by the deployed Intune management extension. This is where you’ll find the Discovered Apps page on the device inventory software. Ideally, you should start from scratch and ensure that only the apps you deploy appear there.
Longer-term planning
Autopilot
You must secure these devices in accordance with current standards. You must ensure that all inappropriate software is inoperative. Users now authenticate with their Azure AD accounts.
The above concern leads us to provision, or reprovision, Windows 10 devices with Autopilot. Autopilot can be defined as a bootstrapping solution. While it doesn’t create a device image, it does initiate automatic device provisioning.
On first boot, the user authenticates with the tenant to which the device belongs. Autopilot applies the automation settings you specified (domain join type, MDM enrollment, language and region, acceptance of terms and conditions, etc.):
Autopilot then hands over to the Intune MDM solution, which presents the user with an Enrollment Status Page (ESP), which tracks the progress of deployed apps and settings. The desktop is then displayed, and the user can now get to work:
To put your devices on Autopilot, they need to be registered with the tenant. This is a unique identifier for the device, based on the various serial numbers of its hardware components. When Windows 10 boots into the out-of-box experience (OOBE) for the very first time, it connects to the cloud. Then it checks for an Autopilot profile in the tenant, retrieves it, and is now ready for provisioning.
Hardware hashes work best when the provider injects them directly into your tenant. You purchase devices, they register as Autopilot devices, and then you can distribute them directly to users.
Existing devices
But what about all those existing devices you just took over? Well, you can generate and upload a CSV of the required information with PowerShell. But that doesn’t scale particularly well. For Windows 10 PCs enrolled in Intune, you can easily register them as Autopilot devices. A simple checkbox in the deployment profile and Autopilot takes care of it:
For your existing, now-managed devices, there are two services to consider that will make life easier for users during a migration: Edge Sync and OneDrive for Business. With Edge, you can deploy policies from Intune to sync user accounts to the cloud. So, when a system changes, they’ll have access to important resources like bookmarks and history.
OneDrive for Business offers a similar solution called Known Folder Move (KFM). KFM, (sometimes called folder backup), syncs your Documents, Desktop, and Pictures libraries to the cloud. This provides protection against data loss.
If you’re remotely wiping a device from Intune, you can now really take advantage of Autopilot. With a well-implemented Autopilot system, you could be in a great position to quickly deploy new devices. Or you could redeploy devices, ensuring they never end up in an unmanaged state.
For your Intune devices, you’ll support the reprovisioning plan with communication campaigns for your users. You’ll need to detail the “what,” “why,” and “when.” You’ll also need to include KFM and Edge synchronization by requiring users to log in to these services. Once the user’s device returns to the OOBE screen, it’s ready for use.
Conclusion
This article can help you regain control of these devices with Intune. However, you need to consider how you’ll protect yourself against this type of unprecedented situation. As unsettling as the idea may be, there’s no way to know if another pandemic could happen again. So, make sure you’re prepared to deploy in accordance with company policy.
