All configuration profiles and Conditional Access rules are deployed during the onboarding project and are targeted at specific user and device groups, so onboarding can happen in stages and different security levels can be applied per group.
Users who do not have a dedicated, manageable Windows or Mac device should not be onboarded to this baseline; they remain on the standard protection with MFA.
After onboarding, users sign in to Windows with their Microsoft 365 account. This requires their existing local or domain profiles to be converted with the ForensiT User Profile Wizard (ProfWiz).
Windows Professional is the minimum edition; Windows Home cannot be joined to Entra ID.
- The first step is to prepare an XML file with the user objects, which ProfWiz needs for the profile conversion. Run the following PowerShell script and sign in with a Global Administrator account of the client tenant:
  PowerShell/Save-AzureADUser.ps1 at master · ForensiT/PowerShell · GitHub
- Browser passwords are not carried over by the conversion. It is best to have the user sync their credentials in Chrome or Edge beforehand. Alternatively, export the saved passwords and re-import them after the conversion.
- Create a local admin account. The conversion is run from this account, because the profile being converted must not be loaded while ProfWiz works on it.
- Remove any biometric sign-in currently set up in Sign-in options, such as fingerprint or facial recognition.
- Verify the current user's profile path (normally C:\Users\<username>) and note it; this is the profile ProfWiz will convert.
- Join the user's computer to Entra ID. With automatic enrollment configured in the tenant, this also enrolls the device in Intune MDM:
  Howto: Enroll your Computer – Prof-IT Services
- Add the computer to the security group “Baseline – Modern Workplace Devices” (not always required, the group is usually dynamic).
- Ensure the Intune enrollment has completely finished and all policies have been applied before continuing. Rebooting during this process can leave the device in a broken, half-enrolled state. Trigger a manual sync in Intune, monitor the sync status, and watch Task Manager for high CPU usage by the process omadmclient.exe. Do not proceed until it has settled.
- Reboot, sign in with the local admin account
- Create the folder C:\ProgramData\ProfWiz, download and extract ProfWiz User Profile Wizard into it, and copy the XML file created in step 1 to the same folder.
- Start the extracted executable and follow the ProfWiz instructions to convert the old user profile to the user's M365 account.
- The computer will auto-reboot after completion.
- Sign in with the new M365 account
- Configure Windows Hello for Business and set up multi-factor unlock with one of the combinations: PIN + fingerprint, PIN + face, PIN + Bluetooth phone, or face + Bluetooth phone.
- Delete the old user account only after verifying that the new account signs in and the converted profile (files, settings, applications) is intact.
- Ensure the device shows as compliant in Intune:
  Prof-IT Intune Device Compliance – Prof-IT Services
- Add the user to the “Baseline – Modern Workplace Users” security group.
- This applies the stricter Conditional Access rules to the user account, which require a compliant device for access.
- App Protection Policies will then be applied to the user's mobile devices. Inform the user of the extra security, and ask them to reboot the phone and start each Microsoft application manually once so the policies take effect.
- Only Microsoft applications are allowed on mobile devices; the native iOS and Android mail apps will no longer work, and Intune enrollment of the device is required.
- More information about policies can be found here: Prof-IT Baseline Service Description – Prof-IT Services
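The device-side checks in the steps above (edition, profile path, local admin, join and Hello state, waiting for the Intune enrollment client to settle) and the admin-side group change, as an added PowerShell example. This is not Prof-IT's or ForensiT's code. Assumptions: the local admin name profwiz-admin is a free choice; the Intune sync is started by the PushLaunch scheduled task under \Microsoft\Windows\EnterpriseMgmt\; the tenant-side function uses the Microsoft Graph PowerShell SDK cmdlets and scopes shown, and the compliance value to look for is 'compliant'; the group name is the one used on this page. Run the device-side functions on the client PC (New-OnboardingAdmin and Wait-IntuneEnrollment elevated, Get-JoinState as the user being converted) and Complete-UserOnboarding from an admin workstation with the Graph SDK installed.

```powershell
#Requires -Version 5.1
# Added example, not Prof-IT's or ForensiT's code. Assumptions are marked ASSUMPTION.

function Test-WindowsEdition {
    # Home reports EditionID "Core" and cannot be Entra joined; Professional is the minimum.
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    [pscustomobject]@{ EditionID = $edition; Supported = ($edition -notlike 'Core*') }
}

function Get-ProfilePath {
    # Profile path as recorded in ProfileList; this is the folder ProfWiz will convert.
    # Works for local and old-domain accounts (a domain SID lookup needs the DC reachable).
    param([Parameter(Mandatory)][string]$UserName)   # 'jdoe' or 'OLDDOMAIN\jdoe'
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    [pscustomobject]@{
        UserName         = $UserName
        SID              = $sid
        ProfileImagePath = (Get-ItemProperty $key -ErrorAction Stop).ProfileImagePath
    }
}

function New-OnboardingAdmin {
    # Temporary local admin used to run ProfWiz. ASSUMPTION: the account name is a free choice.
    param([string]$Name = 'profwiz-admin')
    $password = Read-Host -AsSecureString -Prompt "Password for $Name"
    New-LocalUser -Name $Name -Password $password -PasswordNeverExpires `
        -Description 'Temporary ProfWiz onboarding admin' | Out-Null
    # Add by well-known SID so this also works on non-English Windows where the group is renamed.
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $Name
}

function Get-DsregValue {
    # Pull one "Name : Value" field out of dsregcmd /status output.
    param([string[]]$Output, [string]$Name)
    foreach ($line in $Output) {
        if ($line -match "^\s*$Name\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-JoinState {
    # Run as the user being converted (no elevation needed). NgcSet is per-user and shows
    # whether a Windows Hello container is still present; after the Entra join expect
    # AzureAdJoined YES and a non-empty MdmUrl.
    $out = dsregcmd /status
    [pscustomobject]@{
        AzureAdJoined = Get-DsregValue $out 'AzureAdJoined'
        DomainJoined  = Get-DsregValue $out 'DomainJoined'
        MdmUrl        = Get-DsregValue $out 'MdmUrl'
        NgcSet        = Get-DsregValue $out 'NgcSet'
    }
}

function Wait-IntuneEnrollment {
    # Trigger a sync, then wait until omadmclient.exe has been gone for $QuietSeconds.
    param([int]$QuietSeconds = 120, [int]$TimeoutMinutes = 30)
    # ASSUMPTION: the PushLaunch task under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ starts a sync.
    Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
        Where-Object TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' |
        Start-ScheduledTask
    $deadline   = (Get-Date).AddMinutes($TimeoutMinutes)
    $quietSince = $null
    while ((Get-Date) -lt $deadline) {
        $proc = Get-Process -Name omadmclient -ErrorAction SilentlyContinue
        if ($proc) {
            $quietSince = $null
            Write-Host ('omadmclient.exe running, {0:N0} s CPU so far' -f ($proc | Measure-Object CPU -Sum).Sum)
        } elseif (-not $quietSince) {
            $quietSince = Get-Date
        } elseif (((Get-Date) - $quietSince).TotalSeconds -ge $QuietSeconds) {
            return $true    # enrollment client has settled; safe to reboot
        }
        Start-Sleep -Seconds 15
    }
    return $false           # still busy after the timeout: do not reboot, investigate first
}

function Complete-UserOnboarding {
    # Admin side: refuse the group change while the user has no device or a non-compliant one,
    # because the group enables Conditional Access rules that require a compliant device.
    # ASSUMPTION: Graph SDK cmdlets and scopes as shown; ComplianceState value 'compliant'.
    param([Parameter(Mandatory)][string]$UserPrincipalName,
          [string]$GroupName = 'Baseline – Modern Workplace Users')
    Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All', 'GroupMember.ReadWrite.All',
        'DeviceManagementManagedDevices.Read.All' | Out-Null
    $user    = Get-MgUser -UserId $UserPrincipalName
    $devices = @(Get-MgUserManagedDevice -UserId $user.Id -All)
    if ($devices.Count -eq 0) { throw "No Intune device found for $UserPrincipalName" }
    $bad = @($devices | Where-Object { $_.ComplianceState -ne 'compliant' })
    if ($bad.Count -gt 0) {
        throw ('Not adding {0}: non-compliant device(s): {1}' -f $UserPrincipalName, ($bad.DeviceName -join ', '))
    }
    $group = Get-MgGroup -Filter "displayName eq '$GroupName'"
    if (-not $group) { throw "Group '$GroupName' not found" }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    '{0} added to {1} ({2} compliant device(s))' -f $UserPrincipalName, $GroupName, $devices.Count
}
```

Get-JoinState is deliberately not elevated: dsregcmd /status reports the user state (NgcSet, MdmUrl) of whoever runs it, so running it from an elevated prompt of a different admin account would show that admin's state instead of the user's. Wait-IntuneEnrollment returning $false is the signal to stop and look at the enrollment before rebooting, which is the failure the page warns about.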