The Intune environment is configured granularly through Entra security groups. Groups are either device or user groups, identifiable by the name prefix (Baseline – Devices … / Baseline – Users …).

The environment targets two main groups, which allows enrollment to be staged granularly.

  • Baseline – Modern Workplace Devices
    • All devices in this group are targeted with all Intune policies and applications.
    • The membership rule should be changed to dynamically include all devices once onboarding is complete.
  • Baseline – Modern Workplace Users
    • All users in this group are targeted with user policies and strict conditional access rules.
    • The membership rule should dynamically include all users.
    • The dynamic rule should include all enabled users that have a value in both the given name and surname attributes.
    • This excludes shared mailboxes, service accounts and similar objects, which normally have no given name or surname. Use straight quotes in the rule (curly quotes are rejected by the rule parser):
      (user.accountEnabled -eq true) and (user.givenName -ne null) and (user.surname -ne null) and (user.displayName -notContains "azavd")
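
The following is an added example, not part of the original page or the environment's own tooling. It creates the two baseline dynamic groups with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups) and then checks the processed user membership against the rule's intent, so that a shared mailbox or service account that slipped in is noticed before the strict conditional access rules hit it. Assumptions: an existing Connect-MgGraph session with Group.ReadWrite.All and User.Read.All, the mail nicknames, and the device rule (the page only says the device group should include all devices after onboarding).

```powershell
# Added example (not from the original page). Assumes Connect-MgGraph has been run
# with Group.ReadWrite.All and User.Read.All.

# User rule as on the page, with straight quotes (the rule parser rejects curly quotes).
$userRule = '(user.accountEnabled -eq true) and (user.givenName -ne null) and (user.surname -ne null) and (user.displayName -notContains "azavd")'

# Device rule (assumption): every registered device object, i.e. anything with a device id.
$deviceRule = '(device.deviceId -ne null)'

function New-BaselineDynamicGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,   # assumed value; must be unique in the tenant
        [Parameter(Mandatory)][string]$Rule
    )
    # Idempotent: reuse an existing group rather than creating a duplicate with the same name.
    $existing = Get-MgGroup -Filter "displayName eq '$DisplayName'"
    if ($existing) {
        Write-Host "Group '$DisplayName' already exists ($($existing.Id)); leaving it unchanged."
        return $existing
    }
    New-MgGroup -DisplayName $DisplayName `
        -MailEnabled:$false -MailNickname $MailNickname -SecurityEnabled:$true `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $Rule -MembershipRuleProcessingState 'On'
}

$userGroup   = New-BaselineDynamicGroup -DisplayName 'Baseline – Modern Workplace Users'   -MailNickname 'baseline-mw-users'   -Rule $userRule
$deviceGroup = New-BaselineDynamicGroup -DisplayName 'Baseline – Modern Workplace Devices' -MailNickname 'baseline-mw-devices' -Rule $deviceRule

# Check: once Entra has processed the rule (asynchronous, usually a few minutes), no member
# should be a disabled account, lack a given name or surname, or carry "azavd" in its name.
# Any hit means the rule needs tightening before the strict conditional access rules apply.
$members = Get-MgGroupMemberAsUser -GroupId $userGroup.Id -All -Property 'id,displayName,givenName,surname,accountEnabled'
$unexpected = $members | Where-Object {
    -not $_.AccountEnabled -or
    [string]::IsNullOrEmpty($_.GivenName) -or
    [string]::IsNullOrEmpty($_.Surname) -or
    $_.DisplayName -like '*azavd*'
}
if ($unexpected) {
    $unexpected | Select-Object DisplayName, GivenName, Surname, AccountEnabled | Format-Table
    Write-Warning "$($unexpected.Count) member(s) of '$($userGroup.DisplayName)' do not match the rule's intent."
} else {
    Write-Host "All $($members.Count) members of '$($userGroup.DisplayName)' match the rule's intent."
}
```

Run the membership check again after any change to the rule; dynamic membership is recalculated in the background, so an empty or stale result immediately after New-MgGroup does not mean the rule is correct.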

Device Control Security Groups:

  • Baseline – Devices Bitlocker TPM Excluded
    • For devices without a TPM; BitLocker then falls back to a configurable pre-boot password.
    • Should not be used; replacing the device is preferable.
  • Baseline – Devices Exclude Credential Provider
    • Disables the legacy password-based sign-in option on devices.
    • Should be set to dynamically include all devices.
    • Cloud (web) sign-in remains enabled, so users sign in through the web credential provider with an MFA push.
  • Baseline – Devices Exclude Credential Provider Excluded
    • Used to temporarily exclude devices from the policy applied by the group above.
  • Baseline – Devices Physical Hello For Business MFA Excluded
    • Windows Hello for Business multi-factor unlock is enabled by default; this group disables it for the devices it contains.
    • With it enabled, users sign in with two factors, such as PIN plus a connected Bluetooth phone, or fingerprint plus camera (facial) sign-in.
  • Baseline – Devices Unenrollment Block Excluded
    • Unenrolling devices from Entra is blocked by default; devices assigned to this group may be unenrolled.
  • Baseline – Devices Applocker *
    • Baseline – Devices Applocker script Excluded
      • Devices in this group have no AppLocker script execution restrictions.
    • Baseline – Devices Applocker msi Excluded
      • Devices in this group have no AppLocker Windows Installer (MSI) restrictions.
    • Baseline – Devices Applocker exe Excluded
      • Devices in this group have no AppLocker executable (EXE) restrictions.
    • Baseline – Devices Applocker appx Excluded
      • Devices in this group have no AppLocker packaged app (signed MSIX/APPX) restrictions.

User Control Security Groups:

  • Baseline – Users Azure AD joined device local administrator
    • Users in this group have local admin rights on all devices.
  • Baseline – Users Local Admin Strip Excluded
    • Users in this group keep their local admin rights; they are not stripped from their devices.
  • Baseline – Users DeviceLock 15min / 30min
    • The default lock time is 5 minutes; these groups raise it to 15 or 30 minutes.
  • Baseline – Users Web Require Strong Authentication Excluded
    • Browser sign-in from non-managed devices is only allowed with strong MFA methods.
    • Users in this group may access the environment from a browser with normal MFA.
    • By default, this group contains no users.
  • Baseline – Users Web Require Intune Compliance Excluded
    • For users not in this group, browser sign-in is only allowed from Intune-compliant devices.
    • By default, this group dynamically includes all users, so the compliance requirement is not enforced on anyone until the membership rule is narrowed.
  • Baseline – Users allow unencrypted USB
    • Users in this group may read from and write to USB drives that are not protected by BitLocker.
  • Baseline – Users Mobile Intune Excluded
    • Users in this group are not required to enroll their mobile devices with Intune.
    • By default, this group dynamically includes all users.
  • Baseline – Users Mobile App Protection Less Restrictive
    • Users in this group can use Microsoft app-protected applications on mobile devices without the storage and copy/paste restrictions.
    • Requires Intune enrollment.
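
The following is an added example, not part of the original page or the environment's own tooling. It builds the conditional access policy that the group "Baseline – Users Web Require Intune Compliance Excluded" is an exclusion for: all users, browser client apps only, grant only on a compliant device, with the group excluded. Assumptions: an existing Connect-MgGraph session with Policy.ReadWrite.ConditionalAccess and Group.Read.All, the policy display name, and report-only as the initial state.

```powershell
# Added example (not from the original page). Assumes Connect-MgGraph has been run
# with Policy.ReadWrite.ConditionalAccess and Group.Read.All
# (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules).

function New-BaselineBrowserCompliancePolicy {
    param(
        [Parameter(Mandatory)][string]$ExcludeGroupName,
        # Policy name is an assumption; report-only is deliberate (see comment below).
        [string]$PolicyName = 'Baseline - Web - Require Intune compliant device',
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string]$State = 'enabledForReportingButNotEnforced'
    )

    # Resolve the exclusion group; fail loudly rather than creating a policy with no exclusion.
    $excludeGroup = Get-MgGroup -Filter "displayName eq '$ExcludeGroupName'"
    if (-not $excludeGroup) { throw "Exclusion group '$ExcludeGroupName' not found; create it first." }

    $policy = @{
        displayName = $PolicyName
        # Start in report-only and review sign-in logs before enforcing. The exclusion group
        # dynamically contains all users by default, so the policy only bites once that
        # membership rule is narrowed; report-only shows who would be blocked at that point.
        state       = $State
        conditions  = @{
            users          = @{
                includeUsers  = @('All')
                excludeGroups = @($excludeGroup.Id)
            }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('browser')          # the control is scoped to browser sign-in
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice')  # Intune compliance is the only accepted grant
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

$created = New-BaselineBrowserCompliancePolicy -ExcludeGroupName 'Baseline – Users Web Require Intune Compliance Excluded'
$created | Select-Object Id, DisplayName, State
```

The strong-authentication counterpart ("Baseline – Users Web Require Strong Authentication Excluded") has the same shape, with an authentication strength in grantControls instead of compliantDevice and its own exclusion group, which the page says is empty by default.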